Google Git
Sign in
apache / qpid-dispatch / e30c8502110c61e050ae054f7ddf4d958b0662af / . / python / qpid_dispatch_internal / policy / policy_local.py
blob: 52339ca3c92a5fb1bedbd1864f0b4d06135b77e4 [file] [log] [blame]
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License
#
"""
"""
import json
from policy_util import PolicyError, HostStruct, HostAddr, PolicyAppConnectionMgr
"""
Entity implementing the business logic of user connection/access policy.
"""
#
#
class PolicyKeys(object):
"""
String constants
"""
# Common key words
KW_IGNORED_NAME = "name"
KW_IGNORED_IDENTITY = "identity"
KW_IGNORED_TYPE = "type"
KW_APPLICATION_NAME = "applicationName"
# Policy ruleset key words
KW_MAXCONN = "maxConnections"
KW_MAXCONNPERHOST = "maxConnPerHost"
KW_MAXCONNPERUSER = "maxConnPerUser"
KW_USER_GROUPS = "userGroups"
KW_INGRESS_HOST_GROUPS = "ingressHostGroups"
KW_INGRESS_POLICIES = "ingressPolicies"
KW_CONNECTION_ALLOW_DEFAULT = "connectionAllowDefault"
KW_SETTINGS = "settings"
# Policy settings key words
KW_USER_GROUP_NAME = "userGroupName"
KW_MAX_FRAME_SIZE = "maxFrameSize"
KW_MAX_MESSAGE_SIZE = "maxMessageSize"
KW_MAX_SESSION_WINDOW = "maxSessionWindow"
KW_MAX_SESSIONS = "maxSessions"
KW_MAX_SENDERS = "maxSenders"
KW_MAX_RECEIVERS = "maxReceivers"
KW_ALLOW_DYNAMIC_SRC = "allowDynamicSrc"
KW_ALLOW_ANONYMOUS_SENDER = "allowAnonymousSender"
KW_SOURCES = "sources"
KW_TARGETS = "targets"
# Policy stats key words
KW_CONNECTIONS_APPROVED = "connectionsApproved"
KW_CONNECTIONS_DENIED = "connectionsDenied"
KW_CONNECTIONS_CURRENT = "connectionsCurrent"
KW_PER_USER_STATE = "perUserState"
KW_PER_HOST_STATE = "perHostState"
# What settings does a user get when allowed to connect but
# not restricted by a user group?
KW_DEFAULT_SETTINGS = "default"
# Config file separator character for two IP addresses in a range
KC_CONFIG_IP_SEP = "-"
# Config file separator character for names in a list
KC_CONFIG_LIST_SEP = ","
# user-to-group computed map in compiled ruleset
RULESET_U2G_MAP = "U2G"
# policy stats controlled by C code but referenced by settings
KW_CSTATS = "denialCounts"
#
#
class PolicyCompiler(object):
"""
Validate incoming configuration for legal schema.
- Warn about section options that go unused.
- Disallow negative max connection numbers.
- Check that connectionOrigins resolve to IP hosts.
- Enforce internal consistency,
"""
allowed_ruleset_options = [
PolicyKeys.KW_IGNORED_NAME,
PolicyKeys.KW_IGNORED_IDENTITY,
PolicyKeys.KW_IGNORED_TYPE,
PolicyKeys.KW_APPLICATION_NAME,
PolicyKeys.KW_MAXCONN,
PolicyKeys.KW_MAXCONNPERHOST,
PolicyKeys.KW_MAXCONNPERUSER,
PolicyKeys.KW_USER_GROUPS,
PolicyKeys.KW_INGRESS_HOST_GROUPS,
PolicyKeys.KW_INGRESS_POLICIES,
PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT,
PolicyKeys.KW_SETTINGS
]
allowed_settings_options = [
PolicyKeys.KW_MAX_FRAME_SIZE,
PolicyKeys.KW_MAX_MESSAGE_SIZE,
PolicyKeys.KW_MAX_SESSION_WINDOW,
PolicyKeys.KW_MAX_SESSIONS,
PolicyKeys.KW_MAX_SENDERS,
PolicyKeys.KW_MAX_RECEIVERS,
PolicyKeys.KW_ALLOW_DYNAMIC_SRC,
PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER,
PolicyKeys.KW_SOURCES,
PolicyKeys.KW_TARGETS
]
def __init__(self):
"""
Create a validator
"""
pass
def validateNumber(self, val, v_min, v_max, errors):
"""
Range check a numeric int policy value
@param[in] val policy value to check
@param[in] v_min minumum value
@param[in] v_max maximum value. zero disables check
@param[out] errors failure message
@return v_min <= val <= v_max
"""
try:
v_int = int(val)
except Exception, e:
errors.append("Value '%s' does not resolve to an integer." % val)
return False
if v_int < v_min:
errors.append("Value '%s' is below minimum '%s'." % (val, v_min))
return False
if v_max > 0 and v_int > v_max:
errors.append("Value '%s' is above maximum '%s'." % (val, v_max))
return False
return True
def compile_connection_groups(self, name, submap_in, submap_out, warnings, errors):
"""
Handle an ingressHostGroups submap.
Each origin value is verified. On a successful run the submap
is replaced parsed lists of HostAddr objects.
@param[in] name application name
@param[in] submap_in user input origin list as text strings
@param[out] submap_out user inputs replaced with HostAddr objects
@param[out] warnings nonfatal irregularities observed
@param[out] errors descriptions of failure
@return - origins is usable. If True then warnings[] may contain useful
information about fields that are ignored. If False then
warnings[] may contain info and errors[0] will hold the
description of why the origin was rejected.
"""
key = PolicyKeys.KW_INGRESS_HOST_GROUPS
for coname in submap_in:
try:
ostr = str(submap_in[coname])
olist = [x.strip(' ') for x in ostr.split(PolicyKeys.KC_CONFIG_LIST_SEP)]
submap_out[coname] = []
for co in olist:
coha = HostAddr(co, PolicyKeys.KC_CONFIG_IP_SEP)
submap_out[coname].append(coha)
except Exception, e:
errors.append("Application '%s' option '%s' connectionOption '%s' failed to translate: '%s'." %
(name, key, coname, e))
return False
return True
def compile_app_settings(self, appname, usergroup, policy_in, policy_out, warnings, errors):
"""
Compile a schema from processed json format to local internal format.
@param[in] name application name
@param[in] policy_in user config settings
@param[out] policy_out validated Internal format
@param[out] warnings nonfatal irregularities observed
@param[out] errors descriptions of failure
@return - settings are usable. If True then warnings[] may contain useful
information about fields that are ignored. If False then
warnings[] may contain info and errors[0] will hold the
description of why the policy was rejected.
"""
# rulesets may not come through standard config so make nice defaults
policy_out[PolicyKeys.KW_MAX_FRAME_SIZE] = 65536
policy_out[PolicyKeys.KW_MAX_MESSAGE_SIZE] = 0
policy_out[PolicyKeys.KW_MAX_SESSION_WINDOW] = 2147483647
policy_out[PolicyKeys.KW_MAX_SESSIONS] = 10
policy_out[PolicyKeys.KW_MAX_SENDERS] = 10
policy_out[PolicyKeys.KW_MAX_RECEIVERS] = 10
policy_out[PolicyKeys.KW_ALLOW_DYNAMIC_SRC] = False
policy_out[PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER] = False
policy_out[PolicyKeys.KW_SOURCES] = ''
policy_out[PolicyKeys.KW_TARGETS] = ''
cerror = []
for key, val in policy_in.iteritems():
if key not in self.allowed_settings_options:
warnings.append("Application '%s' user group '%s' option '%s' is ignored." %
(appname, usergroup, key))
if key in [PolicyKeys.KW_MAX_FRAME_SIZE,
PolicyKeys.KW_MAX_MESSAGE_SIZE,
PolicyKeys.KW_MAX_RECEIVERS,
PolicyKeys.KW_MAX_SENDERS,
PolicyKeys.KW_MAX_SESSION_WINDOW,
PolicyKeys.KW_MAX_SESSIONS
]:
if not self.validateNumber(val, 0, 0, cerror):
errors.append("Application '%s' user group '%s' option '%s' has error '%s'." %
(appname, usergroup, key, cerror[0]))
return False
policy_out[key] = val
elif key in [PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER,
PolicyKeys.KW_ALLOW_DYNAMIC_SRC
]:
if not type(val) is bool:
errors.append("Application '%s' user group '%s' option '%s' has illegal boolean value '%s'." %
(appname, usergroup, key, val))
return False
policy_out[key] = val
elif key in [PolicyKeys.KW_SOURCES,
PolicyKeys.KW_TARGETS
]:
# accept a string or list
if type(val) is str:
# 'abc, def, mytarget'
val = [x.strip(' ') for x in val.split(PolicyKeys.KC_CONFIG_LIST_SEP)]
elif type(val) is list:
# ['abc', 'def', 'mytarget']
pass
elif type(val) is unicode:
# u'abc, def, mytarget'
val = [x.strip(' ') for x in str(val).split(PolicyKeys.KC_CONFIG_LIST_SEP)]
else:
errors.append("Application '%s' user group '%s' option '%s' has illegal value '%s'. Type must be 'str' or 'list' but is '%s;" %
(appname, usergroup, key, val, type(val)))
# deduplicate address lists
val = list(set(val))
# output result is CSV string with no white space between values: 'abc,def,mytarget'
policy_out[key] = ','.join(val)
return True
def compile_access_ruleset(self, name, policy_in, policy_out, warnings, errors):
"""
Compile a schema from processed json format to local internal format.
@param[in] name application name
@param[in] policy_in raw policy to be validated
@param[out] policy_out validated Internal format
@param[out] warnings nonfatal irregularities observed
@param[out] errors descriptions of failure
@return - policy is usable. If True then warnings[] may contain useful
information about fields that are ignored. If False then
warnings[] may contain info and errors[0] will hold the
description of why the policy was rejected.
"""
cerror = []
# rulesets may not come through standard config so make nice defaults
policy_out[PolicyKeys.KW_MAXCONN] = 0
policy_out[PolicyKeys.KW_MAXCONNPERHOST] = 0
policy_out[PolicyKeys.KW_MAXCONNPERUSER] = 0
policy_out[PolicyKeys.KW_USER_GROUPS] = {}
policy_out[PolicyKeys.KW_INGRESS_HOST_GROUPS] = {}
policy_out[PolicyKeys.KW_INGRESS_POLICIES] = {}
policy_out[PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT] = False
policy_out[PolicyKeys.KW_SETTINGS] = {}
# validate the options
for key, val in policy_in.iteritems():
if key not in self.allowed_ruleset_options:
warnings.append("Application '%s' option '%s' is ignored." %
(name, key))
if key in [PolicyKeys.KW_MAXCONN,
PolicyKeys.KW_MAXCONNPERHOST,
PolicyKeys.KW_MAXCONNPERUSER
]:
if not self.validateNumber(val, 0, 65535, cerror):
msg = ("Application '%s' option '%s' has error '%s'." %
(name, key, cerror[0]))
errors.append(msg)
return False
policy_out[key] = val
elif key in [PolicyKeys.KW_USER_GROUPS,
PolicyKeys.KW_INGRESS_HOST_GROUPS,
PolicyKeys.KW_INGRESS_POLICIES
]:
try:
if not type(val) is dict:
errors.append("Application '%s' option '%s' must be of type 'dict' but is '%s'" %
(name, key, type(val)))
return False
if key == PolicyKeys.KW_INGRESS_HOST_GROUPS:
# Conection groups are lists of IP addresses that need to be
# converted into binary structures for comparisons.
val_out = {}
if not self.compile_connection_groups(name, val, val_out, warnings, errors):
return False
policy_out[key] = {}
policy_out[key].update(val_out)
else:
# deduplicate ingressPolicy and userGroups lists
for k,v in val.iteritems():
v = [x.strip(' ') for x in v.split(PolicyKeys.KC_CONFIG_LIST_SEP)]
v = list(set(v))
val[k] = v
policy_out[key] = val
except Exception, e:
errors.append("Application '%s' option '%s' error processing map: %s" %
(name, key, e))
return False
elif key in [PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT]:
if not type(val) is bool:
errors.append("Application '%s' option '%s' must be of type 'bool' but is '%s'" %
(name, key, type(val)))
return False
policy_out[key] = val
elif key in [PolicyKeys.KW_SETTINGS]:
if not type(val) is dict:
errors.append("Application '%s' option '%s' must be of type 'dict' but is '%s'" %
(name, key, type(val)))
return False
for skey, sval in val.iteritems():
newsettings = {}
if not self.compile_app_settings(name, skey, sval, newsettings, warnings, errors):
return False
policy_out[key][skey] = {}
policy_out[key][skey].update(newsettings)
# Verify that each user is in only one group.
# Verify that each user group has defined settings
# Create user-to-group map for looking up user's group
policy_out[PolicyKeys.RULESET_U2G_MAP] = {}
if PolicyKeys.KW_USER_GROUPS in policy_out:
for group, userlist in policy_out[PolicyKeys.KW_USER_GROUPS].iteritems():
for user in userlist:
if user in policy_out[PolicyKeys.RULESET_U2G_MAP]:
errors.append("Application '%s' user '%s' is in multiple user groups '%s' and '%s'" %
(name, user, policy_out[PolicyKeys.RULESET_U2G_MAP][user], group))
return False
else:
policy_out[PolicyKeys.RULESET_U2G_MAP][user] = group
if not group in policy_out[PolicyKeys.KW_SETTINGS]:
errors.append("Application '%s' user group '%s' has no defined settings" %
(name, group))
return False
# Default connections require a default settings
if policy_out[PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT]:
if not PolicyKeys.KW_DEFAULT_SETTINGS in policy_out[PolicyKeys.KW_SETTINGS]:
errors.append("Application '%s' allows connections by default but default settings are not defined" %
(name))
return False
# Each ingress policy name reference must exist in ingressHostGroups
for cipname, cip in policy_out[PolicyKeys.KW_INGRESS_POLICIES].iteritems():
for co in cip:
if not co in policy_out[PolicyKeys.KW_INGRESS_HOST_GROUPS]:
errors.append("Application '%s' connection ingress policy '%s' references ingress host group '%s' but that group does not exist"
(name, cipname, co))
return False
return True
#
#
class AppStats(object):
"""
Maintain live state and statistics for an application.
"""
def __init__(self, id, manager, ruleset):
self.my_id = id
self._manager = manager
self.conn_mgr = PolicyAppConnectionMgr(
ruleset[PolicyKeys.KW_MAXCONN],
ruleset[PolicyKeys.KW_MAXCONNPERUSER],
ruleset[PolicyKeys.KW_MAXCONNPERHOST])
self._cstats = self._manager.get_agent().qd.qd_dispatch_policy_c_counts_alloc()
self._manager.get_agent().add_implementation(self, "policyStats")
def update_ruleset(self, ruleset):
"""
The parent ruleset has changed.
Propagate settings into the connection manager.
@param ruleset: new ruleset
@return:
"""
self.conn_mgr.update(
ruleset[PolicyKeys.KW_MAXCONN],
ruleset[PolicyKeys.KW_MAXCONNPERHOST],
ruleset[PolicyKeys.KW_MAXCONNPERUSER])
def refresh_entity(self, attributes):
"""Refresh management attributes"""
entitymap = {}
entitymap[PolicyKeys.KW_APPLICATION_NAME] = self.my_id
entitymap[PolicyKeys.KW_CONNECTIONS_APPROVED] = self.conn_mgr.connections_approved
entitymap[PolicyKeys.KW_CONNECTIONS_DENIED] = self.conn_mgr.connections_denied
entitymap[PolicyKeys.KW_CONNECTIONS_CURRENT] = self.conn_mgr.connections_active
entitymap[PolicyKeys.KW_PER_USER_STATE] = self.conn_mgr.per_user_state
entitymap[PolicyKeys.KW_PER_HOST_STATE] = self.conn_mgr.per_host_state
self._manager.get_agent().qd.qd_dispatch_policy_c_counts_refresh(self._cstats, entitymap)
attributes.update(entitymap)
def can_connect(self, conn_id, user, host, diags):
return self.conn_mgr.can_connect(conn_id, user, host, diags)
def disconnect(self, conn_id, user, host):
self.conn_mgr.disconnect(conn_id, user, host)
def count_other_denial(self):
self.conn_mgr.count_other_denial()
def get_cstats(self):
return self._cstats
#
#
class ConnectionFacts:
def __init__(self, user, host, app, conn_name):
self.user = user
self.host = host
self.app = app
self.conn_name = conn_name
#
#
class PolicyLocal(object):
"""
The local policy database.
"""
def __init__(self, manager):
"""
Create instance
@params manager policy manager class
"""
# manager is a class
# It provides access the dispatch system functions
self._manager = manager
# rulesetdb is a map
# key : application name
# val : ruleset for this app
# created by configuration
# augmented by policy compiler
self.rulesetdb = {}
# settingsdb is a map
# key : <application name>
# val : a map
# key : <user group name>
# val : settings to use for user's connection
# created by configuration
self.settingsdb = {}
# statsdb is a map
# key : <application name>
# val : AppStats object
self.statsdb = {}
# _policy_compiler is a function
# validates incoming policy and readies it for internal use
self._policy_compiler = PolicyCompiler()
# _connections is a map
# key : numeric connection id
# val : ConnectionFacts
# Entries created as connection AMQP Opens arrive
# Entries destroyed as sockets closed
self._connections = {}
# _default_vhost is a string
# holds the name of the vhost to use when the
# open.hostname is not found in the rulesetdb
self._default_vhost = ""
#
# Service interfaces
#
def create_ruleset(self, attributes):
"""
Create named policy ruleset
@param[in] attributes: from config
"""
warnings = []
diag = []
candidate = {}
name = attributes[PolicyKeys.KW_APPLICATION_NAME]
result = self._policy_compiler.compile_access_ruleset(name, attributes, candidate, warnings, diag)
if not result:
raise PolicyError( "Policy '%s' is invalid: %s" % (name, diag[0]) )
if len(warnings) > 0:
for warning in warnings:
self._manager.log_warning(warning)
if name not in self.rulesetdb:
self.statsdb[name] = AppStats(name, self._manager, candidate)
self._manager.log_info("Created policy rules for application %s" % name)
else:
self.statsdb[name].update_ruleset(candidate)
self._manager.log_info("Updated policy rules for application %s" % name)
self.rulesetdb[name] = {}
self.rulesetdb[name].update(candidate)
def policy_read(self, name):
"""
Read policy for named application
@param[in] name application name
@return policy data in raw user format
"""
return self.rulesetdb[name]
def policy_update(self, name, policy):
"""
Update named policy
@param[in] name application name
@param[in] policy data in raw user input
"""
if not name in self.rulesetdb:
raise PolicyError("Policy '%s' does not exist" % name)
self.policy_create(name, policy)
def policy_delete(self, name):
"""
Delete named policy
@param[in] name application name
"""
if not name in self.rulesetdb:
raise PolicyError("Policy '%s' does not exist" % name)
del self.rulesetdb[name]
#
# db enumerator
#
def policy_db_get_names(self):
"""
Return a list of application names in this policy
"""
return self.rulesetdb.keys()
def set_default_vhost(self, name):
"""
Set the default vhost name.
@param name: the name of the default application
@return: none
"""
self._default_vhost = name
self._manager.log_info("Policy fallback defaultVhost is enabled: '%s'" % name)
def default_vhost_enabled(self):
"""
The default vhost is enabled if the name is not blank and
the vhost is defined in rulesetdb.
@return:
"""
return not self._default_vhost == "" and self._default_vhost in self.rulesetdb
#
# Runtime query interface
#
def lookup_user(self, user, host, app_in, conn_name, conn_id):
"""
Lookup function called from C.
Determine if a user on host accessing app through AMQP Open is allowed
according to the policy access rules.
If allowed then return the policy settings name. If stats.can_connect
returns true then it has registered and counted the connection.
@param[in] user connection authId
@param[in] host connection remote host numeric IP address as string
@param[in] app_in application user is accessing
@param[in] conn_name connection name used for tracking reports
@param[in] conn_id internal connection id
@return settings user-group name if allowed; "" if not allowed
"""
try:
app = app_in
if not app_in in self.rulesetdb:
if self.default_vhost_enabled():
app = self._default_vhost
else:
self._manager.log_info(
"DENY AMQP Open for user '%s', host '%s', application '%s': "
"No policy defined for application" % (user, host, app))
return ""
ruleset = self.rulesetdb[app]
if not app in self.statsdb:
msg = (
"DENY AMQP Open for user '%s', host '%s', application '%s': "
"INTERNAL: Policy is defined but stats are missing" % (user, host, app))
raise PolicyError(msg)
stats = self.statsdb[app]
# User in a group or default?
if user in ruleset[PolicyKeys.RULESET_U2G_MAP]:
usergroup = ruleset[PolicyKeys.RULESET_U2G_MAP][user]
else:
if ruleset[PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT]:
usergroup = PolicyKeys.KW_DEFAULT_SETTINGS
else:
self._manager.log_info(
"DENY AMQP Open for user '%s', host '%s', application '%s': "
"User is not in a user group and default users are denied" % (user, host, app))
stats.count_other_denial()
return ""
# User in usergroup allowed to connect from host?
if usergroup in ruleset[PolicyKeys.KW_INGRESS_POLICIES]:
# User's usergroup is restricted to connecting from a host
# defined by the group's ingress policy
allowed = False
uhs = HostStruct(host)
cglist = ruleset[PolicyKeys.KW_INGRESS_POLICIES][usergroup]
for cg in cglist:
for cohost in ruleset[PolicyKeys.KW_INGRESS_HOST_GROUPS][cg]:
if cohost.match_bin(uhs):
allowed = True
break
if allowed:
break
else:
# User's usergroup has no ingress policy so allow
allowed = True
if not allowed:
self._manager.log_info(
"DENY AMQP Open for user '%s', host '%s', application '%s': "
"User is not allowed to connect from this network host" % (user, host, app))
stats.count_other_denial()
return ""
# This user passes administrative approval.
# Now check live connection counts
diags = []
if not stats.can_connect(conn_name, user, host, diags):
for diag in diags:
self._manager.log_info(
"DENY AMQP Open for user '%s', host '%s', application '%s': "
"%s" % (user, host, app, diag))
return ""
# Record facts about this connection to use during teardown
facts = ConnectionFacts(user, host, app, conn_name)
self._connections[conn_id] = facts
# Return success
return usergroup
except Exception, e:
self._manager.log_info(
"DENY AMQP Open lookup_user failed for user '%s', host '%s', application '%s': "
"Internal error: %s" % (user, host, app, e))
# return failure
return ""
def lookup_settings(self, appname_in, name, upolicy):
"""
Given a settings name, return the aggregated policy blob.
@param[in] appname: application user is accessing
@param[in] name: user group name
@param[out] upolicy: dict holding policy values - the settings blob
TODO: make this a c struct
@return if lookup worked
# Note: the upolicy output is a non-nested dict with settings of interest
"""
try:
appname = appname_in
if not appname in self.rulesetdb:
if self.default_vhost_enabled():
appname = self._default_vhost
if not appname in self.rulesetdb:
self._manager.log_info(
"lookup_settings fail for application '%s', user group '%s': "
"No policy defined for this application" % (appname, name))
return False
ruleset = self.rulesetdb[appname]
if not name in ruleset[PolicyKeys.KW_SETTINGS]:
self._manager.log_trace(
"lookup_settings fail for application '%s', user group '%s': "
"This application has no settings for the user group" % (appname, name))
return False
upolicy.update(ruleset[PolicyKeys.KW_SETTINGS][name])
upolicy[PolicyKeys.KW_CSTATS] = self.statsdb[appname].get_cstats()
return True
except Exception, e:
return False
def close_connection(self, conn_id):
"""
Close the connection.
@param conn_id:
@return:
"""
try:
if conn_id in self._connections:
facts = self._connections[conn_id]
stats = self.statsdb[facts.app]
stats.disconnect(facts.conn_name, facts.user, facts.host)
del self._connections[conn_id]
except Exception, e:
self._manager.log_trace(
"Policy internal error closing connection id %s. %s" % (conn_id, str(e)))
#
#
def test_load_config(self):
"""
Test function to load a policy.
@return:
"""
ruleset_str = '["policyAccessRuleset", {"applicationName": "photoserver","maxConnections": 50,"maxConnPerUser": 5,"maxConnPerHost": 20,"userGroups": {"anonymous": "anonymous","users": "u1, u2","paidsubscribers": "p1, p2","test": "zeke, ynot","admin": "alice, bob","superuser": "ellen"},"ingressHostGroups": {"Ten18": "10.18.0.0-10.18.255.255","EllensWS": "72.135.2.9","TheLabs": "10.48.0.0-10.48.255.255, 192.168.100.0-192.168.100.255","localhost": "127.0.0.1, ::1","TheWorld": "*"},"ingressPolicies": {"anonymous": "TheWorld","users": "TheWorld","paidsubscribers": "TheWorld","test": "TheLabs","admin": "Ten18, TheLabs, localhost","superuser": "EllensWS, localhost"},"connectionAllowDefault": true,'
ruleset_str += '"settings": {'
ruleset_str += '"anonymous": {"maxFrameSize": 111111,"maxMessageSize": 111111,"maxSessionWindow": 111111,"maxSessions": 1,"maxSenders": 11,"maxReceivers": 11,"allowDynamicSrc": false,"allowAnonymousSender": false,"sources": "public", "targets": ""},'
ruleset_str += '"users": {"maxFrameSize": 222222,"maxMessageSize": 222222,"maxSessionWindow": 222222,"maxSessions": 2,"maxSenders": 22,"maxReceivers": 22,"allowDynamicSrc": false,"allowAnonymousSender": false,"sources": "public, private", "targets": "public"},'
ruleset_str += '"paidsubscribers":{"maxFrameSize": 333333,"maxMessageSize": 333333,"maxSessionWindow": 333333,"maxSessions": 3,"maxSenders": 33,"maxReceivers": 33,"allowDynamicSrc": true, "allowAnonymousSender": false,"sources": "public, private", "targets": "public, private"},'
ruleset_str += '"test": {"maxFrameSize": 444444,"maxMessageSize": 444444,"maxSessionWindow": 444444,"maxSessions": 4,"maxSenders": 44,"maxReceivers": 44,"allowDynamicSrc": true, "allowAnonymousSender": true, "sources": "private", "targets": "private"},'
ruleset_str += '"admin": {"maxFrameSize": 555555,"maxMessageSize": 555555,"maxSessionWindow": 555555,"maxSessions": 5,"maxSenders": 55,"maxReceivers": 55,"allowDynamicSrc": true, "allowAnonymousSender": true, "sources": "public, private, management", "targets": "public, private, management"},'
ruleset_str += '"superuser": {"maxFrameSize": 666666,"maxMessageSize": 666666,"maxSessionWindow": 666666,"maxSessions": 6,"maxSenders": 66,"maxReceivers": 66,"allowDynamicSrc": false,"allowAnonymousSender": false,"sources": "public, private, management, root","targets": "public, private, management, root"},'
ruleset_str += '"default": {"maxFrameSize": 222222,"maxMessageSize": 222222,"maxSessionWindow": 222222,"maxSessions": 2,"maxSenders": 22,"maxReceivers": 22,"allowDynamicSrc": false,"allowAnonymousSender": false,"sources": "public, private", "targets": "public"}'
ruleset_str += '}}]'
ruleset = json.loads(ruleset_str)
self.create_ruleset(ruleset[1])