authorBenoit Foucher <benoit@zeroc.com>2006-05-22 16:06:20 +0000
committerBenoit Foucher <benoit@zeroc.com>2006-05-22 16:06:20 +0000
commitc97c4be950e6b9b37b3cedbf521e285bfd6e0b08 (patch)
treea0e80a132ef496811babcd5d37550d9e708323db /cpp
parentLiveDeployment now shown using tables (diff)
Added session servant locator to secure access to session servants.
Diffstat (limited to 'cpp')
-rw-r--r--cpp/src/IceGrid/AdminSessionI.cpp24
-rw-r--r--cpp/src/IceGrid/Makefile1
-rw-r--r--cpp/src/IceGrid/RegistryI.cpp74
-rw-r--r--cpp/src/IceGrid/RegistryI.h12
-rw-r--r--cpp/src/IceGrid/ServerI.cpp4
-rw-r--r--cpp/src/IceGrid/SessionI.cpp35
-rw-r--r--cpp/src/IceGrid/SessionI.h3
-rw-r--r--cpp/src/IceGrid/SessionServantLocatorI.cpp62
-rw-r--r--cpp/src/IceGrid/SessionServantLocatorI.h49
-rw-r--r--cpp/test/IceGrid/session/AllTests.cpp241
-rw-r--r--cpp/test/IceGrid/session/Makefile2
-rwxr-xr-xcpp/test/IceGrid/session/run.py6
12 files changed, 469 insertions, 44 deletions
diff --git a/cpp/src/IceGrid/AdminSessionI.cpp b/cpp/src/IceGrid/AdminSessionI.cpp
index 7d0f2e30424..32b9ef5e70f 100644
--- a/cpp/src/IceGrid/AdminSessionI.cpp
+++ b/cpp/src/IceGrid/AdminSessionI.cpp
@@ -285,9 +285,23 @@ Glacier2::SessionPrx
AdminSSLSessionManagerI::create(const Glacier2::SSLInfo& info, const Glacier2::SessionControlPrx&,
const Ice::Current& current)
{
- IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
- string id = cert->getSubjectDN();
- AdminSessionIPtr session = new AdminSessionI(id, _database, _timeout, _registryObserverTopic, _nodeObserverTopic);
- return Glacier2::SessionPrx::uncheckedCast(current.adapter->addWithUUID(session));
-}
+ string userDN;
+ if(!info.certs.empty()) // TODO: Require userDN?
+ {
+ try
+ {
+ IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
+ userDN = cert->getSubjectDN();
+ }
+ catch(const Ice::Exception& ex)
+ {
+ // This shouldn't happen, the SSLInfo is supposed to be encoded by Glacier2.
+ Ice::Error out(_database->getTraceLevels()->logger);
+ out << "SSL session manager couldn't decode SSL certificates";
+ return 0;
+ }
+ }
+ AdminSessionIPtr s = new AdminSessionI(userDN, _database, _timeout, _registryObserverTopic, _nodeObserverTopic);
+ return Glacier2::SessionPrx::uncheckedCast(current.adapter->addWithUUID(s));
+}
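Review bot: The exception caught as `ex` at line 51 is never written to the log, so the new error record says only that decoding failed and drops the reason; `out << "SSL session manager couldn't decode SSL certificates:\n" << ex;` keeps the diagnostic. The same catch block, with the same omission, is added to ClientSSLSessionManagerI::create in SessionI.cpp. The `// TODO: Require userDN?` branch means a caller that presents no certificate receives an admin session whose user id is the empty string, and AllTests.cpp now exercises exactly that case with `Glacier2::SSLInfo()`; if that is intended the comment should say so rather than leave it as a TODO, and if not the function should `return 0;` when `info.certs` is empty. The comment at line 53 attributes the encoding to Glacier2, so how a null return is surfaced to the Glacier2 client is worth confirming.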
diff --git a/cpp/src/IceGrid/Makefile b/cpp/src/IceGrid/Makefile
index ca304cde6ab..b71c23c3edc 100644
--- a/cpp/src/IceGrid/Makefile
+++ b/cpp/src/IceGrid/Makefile
@@ -71,6 +71,7 @@ REGISTRY_OBJS = RegistryI.o \
ReapThread.o \
SessionI.o \
AdminSessionI.o \
+ SessionServantLocatorI.o \
Topics.o \
QueryI.o \
WaitQueue.o
diff --git a/cpp/src/IceGrid/RegistryI.cpp b/cpp/src/IceGrid/RegistryI.cpp
index cca8d641311..8f0cf36eace 100644
--- a/cpp/src/IceGrid/RegistryI.cpp
+++ b/cpp/src/IceGrid/RegistryI.cpp
@@ -29,6 +29,7 @@
#include <IceGrid/SessionI.h>
#include <IceGrid/AdminSessionI.h>
#include <IceGrid/InternalRegistryI.h>
+#include <IceGrid/SessionServantLocatorI.h>
#include <fstream>
@@ -255,6 +256,15 @@ RegistryI::start(bool nowarn)
registryAdapter->activate();
//
+ // Add a default servant locator to the client object adapter. The
+ // default servant ensure that request on session objects are from
+ // the same connection as the connection that created the session.
+ //
+ _sessionServantLocator = new SessionServantLocatorI(clientAdapter);
+ clientAdapter->addServantLocator(_sessionServantLocator, "");
+
+
+ //
// Start the reaper threads.
//
int nodeSessionTimeout = properties->getPropertyAsIntWithDefault("IceGrid.Registry.NodeSessionTimeout", 10);
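Review bot: The comment at lines 87–89 calls the new object a "default servant", but what is installed is a servant locator for the empty category (`addServantLocator(_sessionServantLocator, "")`), which the adapter consults only for identities that have no registered servant. Suggested wording: `// Install a servant locator for the empty category on the client adapter. It hands out a session servant only to the connection that created the session.` The two consecutive blank lines at 93–94 can be collapsed to one. RegistryI::start continues outside the hunk on both sides.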
@@ -376,7 +386,8 @@ RegistryI::start(bool nowarn)
internalLocatorPrx,
properties->getProperty("IceGrid.Registry.PermissionsVerifier"),
properties->getPropertyWithDefault("IceGrid.Registry.CryptPasswords",
- "passwords"));
+ "passwords"),
+ nowarn);
if(!_clientVerifier)
{
return false;
@@ -386,16 +397,17 @@ RegistryI::start(bool nowarn)
internalLocatorPrx,
properties->getProperty("IceGrid.Registry.AdminPermissionsVerifier"),
properties->getPropertyWithDefault("IceGrid.Registry.AdminCryptPasswords",
- "admin-passwords"));
+ "admin-passwords"),
+ nowarn);
if(!_adminVerifier)
{
return false;
}
_sslClientVerifier = getSSLPermissionsVerifier(
- internalLocatorPrx, properties->getProperty("IceGrid.Registry.SSLPermissionsVerifier"));
+ internalLocatorPrx, properties->getProperty("IceGrid.Registry.SSLPermissionsVerifier"), nowarn);
_sslAdminVerifier = getSSLPermissionsVerifier(
- internalLocatorPrx, properties->getProperty("IceGrid.Registry.AdminSSLPermissionsVerifier"));
+ internalLocatorPrx, properties->getProperty("IceGrid.Registry.AdminSSLPermissionsVerifier"), nowarn);
//
// Register well known objects with the object registry.
@@ -473,7 +485,8 @@ RegistryI::createSession(const string& user, const string& password, const Ice::
}
SessionIPtr session = _clientSessionManager->create(user, 0);
- SessionPrx proxy = SessionPrx::uncheckedCast(current.adapter->addWithUUID(session));
+ session->setServantLocator(_sessionServantLocator);
+ SessionPrx proxy = SessionPrx::uncheckedCast(_sessionServantLocator->add(session, current.con));
_clientReaper->add(new SessionReapable(current.adapter, session, proxy));
return proxy;
}
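Review bot: The three lines added here (`session->setServantLocator(...)`, the `_sessionServantLocator->add(session, current.con)` registration and the reaper `add`) are repeated verbatim in createAdminSession, createSessionFromSecureConnection and createAdminSessionFromSecureConnection. A private helper taking the session and `current` would keep the four paths from drifting, which matters because this is the point where a session becomes bound to its connection. Note also that `current.con` is null for collocated invocations, so a session created that way would be keyed on a null connection; if collocated session creation is possible that case deserves a comment, since it is not covered by the new test. The enclosing function starts outside the hunk.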
@@ -505,7 +518,8 @@ RegistryI::createAdminSession(const string& user, const string& password, const
}
AdminSessionIPtr session = _adminSessionManager->create(user);
- AdminSessionPrx proxy = AdminSessionPrx::uncheckedCast(current.adapter->addWithUUID(session));
+ session->setServantLocator(_sessionServantLocator);
+ AdminSessionPrx proxy = AdminSessionPrx::uncheckedCast(_sessionServantLocator->add(session, current.con));
_clientReaper->add(new SessionReapable(current.adapter, session, proxy));
return proxy;
}
@@ -520,7 +534,8 @@ RegistryI::createSessionFromSecureConnection(const Ice::Current& current)
throw exc;
}
- Glacier2::SSLInfo info = getSSLInfo(current.con);
+ string userDN;
+ Glacier2::SSLInfo info = getSSLInfo(current.con, userDN);
try
{
string reason;
@@ -544,11 +559,11 @@ RegistryI::createSessionFromSecureConnection(const Ice::Current& current)
throw exc;
}
- IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
- SessionIPtr session = _clientSessionManager->create(cert->getSubjectDN(), 0);
- SessionPrx proxy = SessionPrx::uncheckedCast(current.adapter->addWithUUID(session));
+ SessionIPtr session = _clientSessionManager->create(userDN, 0);
+ session->setServantLocator(_sessionServantLocator);
+ SessionPrx proxy = SessionPrx::uncheckedCast(_sessionServantLocator->add(session, current.con));
_clientReaper->add(new SessionReapable(current.adapter, session, proxy));
- return proxy;
+ return proxy;
}
AdminSessionPrx
@@ -561,7 +576,8 @@ RegistryI::createAdminSessionFromSecureConnection(const Ice::Current& current)
throw exc;
}
- Glacier2::SSLInfo info = getSSLInfo(current.con);
+ string userDN;
+ Glacier2::SSLInfo info = getSSLInfo(current.con, userDN);
try
{
string reason;
@@ -584,10 +600,10 @@ RegistryI::createAdminSessionFromSecureConnection(const Ice::Current& current)
exc.reason = "internal server error";
throw exc;
}
-
- IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
- AdminSessionIPtr session = _adminSessionManager->create(cert->getSubjectDN());
- AdminSessionPrx proxy = AdminSessionPrx::uncheckedCast(current.adapter->addWithUUID(session));
+
+ AdminSessionIPtr session = _adminSessionManager->create(userDN);
+ session->setServantLocator(_sessionServantLocator);
+ AdminSessionPrx proxy = AdminSessionPrx::uncheckedCast(_sessionServantLocator->add(session, current.con));
_clientReaper->add(new SessionReapable(current.adapter, session, proxy));
return proxy;
}
@@ -646,7 +662,8 @@ Glacier2::PermissionsVerifierPrx
RegistryI::getPermissionsVerifier(const Ice::ObjectAdapterPtr& adapter,
const Ice::LocatorPrx& locator,
const string& verifierProperty,
- const string& passwordsProperty)
+ const string& passwordsProperty,
+ bool nowarn)
{
//
// Get the permissions verifier, or create a default one if no
@@ -723,14 +740,18 @@ RegistryI::getPermissionsVerifier(const Ice::ObjectAdapterPtr& adapter,
}
catch(const Ice::LocalException& ex)
{
- Warning out(_communicator->getLogger());
- out << "couldn't contact permissions verifier `" + verifierProperty + "':" << ex;
+ if(!nowarn)
+ {
+ Warning out(_communicator->getLogger());
+ out << "couldn't contact permissions verifier `" + verifierProperty + "':\n" << ex;
+ }
+ verifierPrx = Glacier2::PermissionsVerifierPrx::uncheckedCast(verifier->ice_locator(locator));
}
return verifierPrx;
}
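Review bot: The new line 214 assigns `verifierPrx` inside the `catch`, so the registry now finishes start-up with a permissions verifier it could not reach, and with `nowarn` set there is no log record of that at all; the same pattern is added to getSSLPermissionsVerifier at lines 230–235. Presumably later `checkPermissions` calls then fail with a local exception at session-creation time — confirm — but an operator would not know why from the registry log. Suggest emitting the message at trace level even when `nowarn` is set, or at least adding `// Registry starts anyway; permission checks fail until the verifier becomes reachable.` above the assignment. `verifier` and the `try` are defined outside the hunk.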
Glacier2::SSLPermissionsVerifierPrx
-RegistryI::getSSLPermissionsVerifier(const Ice::LocatorPrx& locator, const string& verifierProperty)
+RegistryI::getSSLPermissionsVerifier(const Ice::LocatorPrx& locator, const string& verifierProperty, bool nowarn)
{
//
// Get the permissions verifier, or create a default one if no
@@ -772,14 +793,18 @@ RegistryI::getSSLPermissionsVerifier(const Ice::LocatorPrx& locator, const strin
}
catch(const Ice::LocalException& ex)
{
- Warning out(_communicator->getLogger());
- out << "couldn't contact permissions verifier `" + verifierProperty + "':" << ex;
+ if(!nowarn)
+ {
+ Warning out(_communicator->getLogger());
+ out << "couldn't contact permissions verifier `" + verifierProperty + "':\n" << ex;
+ }
+ verifierPrx = Glacier2::SSLPermissionsVerifierPrx::uncheckedCast(verifier->ice_locator(locator));
}
return verifierPrx;
}
Glacier2::SSLInfo
-RegistryI::getSSLInfo(const Ice::ConnectionPtr& connection)
+RegistryI::getSSLInfo(const Ice::ConnectionPtr& connection, string& userDN)
{
Glacier2::SSLInfo sslinfo;
try
@@ -792,13 +817,14 @@ RegistryI::getSSLInfo(const Ice::ConnectionPtr& connection)
sslinfo.cipher = info.cipher;
- if(info.certs.size() > 0)
+ if(!info.certs.empty())
{
sslinfo.certs.resize(info.certs.size());
for(unsigned int i = 0; i < info.certs.size(); ++i)
{
sslinfo.certs[i] = info.certs[i]->encode();
}
+ userDN = info.certs[0]->getSubjectDN();
}
}
catch(const IceSSL::ConnectionInvalidException&)
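Review bot: The new out-parameter `userDN` is assigned only inside the `if(!info.certs.empty())` branch at line 255, so on a connection without a peer certificate it keeps whatever the caller passed in; the call sites in this commit all pass a fresh empty string, but that contract is not written anywhere. Suggest a comment above the function such as `// userDN is set to the subject DN of certs[0] when the peer presented a certificate and is left untouched otherwise.` That certs[0] is the peer's own certificate rather than an issuer is an assumption about IceSSL's ordering — worth confirming in the comment too. getSSLInfo ends outside the hunk.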
diff --git a/cpp/src/IceGrid/RegistryI.h b/cpp/src/IceGrid/RegistryI.h
index 0b31ed10738..0a82bcdf39c 100644
--- a/cpp/src/IceGrid/RegistryI.h
+++ b/cpp/src/IceGrid/RegistryI.h
@@ -30,6 +30,9 @@ typedef IceUtil::Handle<ReapThread> ReapThreadPtr;
class WaitQueue;
typedef IceUtil::Handle<WaitQueue> WaitQueuePtr;
+class SessionServantLocatorI;
+typedef IceUtil::Handle<SessionServantLocatorI> SessionServantLocatorIPtr;
+
class ClientSessionManagerI;
typedef IceUtil::Handle<ClientSessionManagerI> ClientSessionManagerIPtr;
@@ -59,10 +62,10 @@ private:
void addWellKnownObject(const Ice::ObjectPrx&, const std::string&);
void setupThreadPool(const Ice::PropertiesPtr&, const std::string&, int, int = 0);
Glacier2::PermissionsVerifierPrx getPermissionsVerifier(const Ice::ObjectAdapterPtr&, const Ice::LocatorPrx&,
- const std::string&, const std::string&);
+ const std::string&, const std::string&, bool);
- Glacier2::SSLPermissionsVerifierPrx getSSLPermissionsVerifier(const Ice::LocatorPrx&, const std::string&);
- Glacier2::SSLInfo getSSLInfo(const Ice::ConnectionPtr&);
+ Glacier2::SSLPermissionsVerifierPrx getSSLPermissionsVerifier(const Ice::LocatorPrx&, const std::string&, bool);
+ Glacier2::SSLInfo getSSLInfo(const Ice::ConnectionPtr&, std::string&);
Ice::CommunicatorPtr _communicator;
DatabasePtr _database;
@@ -70,9 +73,12 @@ private:
ReapThreadPtr _nodeReaper;
ReapThreadPtr _clientReaper;
WaitQueuePtr _waitQueue;
+ SessionServantLocatorIPtr _sessionServantLocator;
+
ClientSessionManagerIPtr _clientSessionManager;
Glacier2::PermissionsVerifierPrx _clientVerifier;
Glacier2::SSLPermissionsVerifierPrx _sslClientVerifier;
+
AdminSessionManagerIPtr _adminSessionManager;
Glacier2::PermissionsVerifierPrx _adminVerifier;
Glacier2::SSLPermissionsVerifierPrx _sslAdminVerifier;
diff --git a/cpp/src/IceGrid/ServerI.cpp b/cpp/src/IceGrid/ServerI.cpp
index a8ae661536c..bd310ac4ca9 100644
--- a/cpp/src/IceGrid/ServerI.cpp
+++ b/cpp/src/IceGrid/ServerI.cpp
@@ -57,8 +57,6 @@ chownRecursive(const string& path, uid_t uid, gid_t gid)
string name = namelist[i]->d_name;
assert(!name.empty());
- free(namelist[i]);
-
if(name != ".." && name != ".")
{
name = path + "/" + name;
@@ -71,6 +69,8 @@ chownRecursive(const string& path, uid_t uid, gid_t gid)
chownRecursive(name, uid, gid);
}
}
+
+ free(namelist[i]);
}
free(namelist);
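Review bot: Moving `free(namelist[i])` to the end of the iteration (line 313) is safe only if nothing between the two hunks leaves the iteration early; the loop body between lines 307 and 309 is outside the view, so a `continue` or a throwing call there would now leak the entry where the old order did not. If such a path exists, freeing in that path as well, or a small RAII holder for the entry, would keep the move safe. A one-line comment stating why the free was moved would also help the next reader, since `name` is already a copy of `d_name` at line 301.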
diff --git a/cpp/src/IceGrid/SessionI.cpp b/cpp/src/IceGrid/SessionI.cpp
index b00854091d8..362ed766e65 100644
--- a/cpp/src/IceGrid/SessionI.cpp
+++ b/cpp/src/IceGrid/SessionI.cpp
@@ -123,7 +123,11 @@ BaseSessionI::destroy(const Ice::Current& current)
}
_destroyed = true;
- if(current.adapter)
+ if(_servantLocator)
+ {
+ _servantLocator->remove(current.id);
+ }
+ else if(current.adapter)
{
try
{
@@ -148,6 +152,15 @@ BaseSessionI::timestamp() const
return _timestamp;
}
+void
+BaseSessionI::setServantLocator(const SessionServantLocatorIPtr& servantLocator)
+{
+ //
+ // This is supposed to be called after creation only.
+ //
+ const_cast<SessionServantLocatorIPtr&>(_servantLocator) = servantLocator;
+}
+
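Review bot: `const_cast<SessionServantLocatorIPtr&>(_servantLocator) = servantLocator;` at line 341 writes through a member that SessionI.h declares `const` (`const SessionServantLocatorIPtr _servantLocator;`), which is undefined behaviour regardless of when it is called. Either drop the `const` from the declaration and assign directly, `_servantLocator = servantLocator;`, or pass the locator into the BaseSessionI constructor so the member can stay const; the constructor is outside this hunk. The comment should also state the ordering the code depends on, for example `// Must be called before the servant is registered with the locator; destroy() relies on it.`, since `destroy` at lines 324–327 dereferences the member.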
SessionI::SessionI(const string& id,
const DatabasePtr& database,
int timeout,
@@ -307,7 +320,23 @@ Glacier2::SessionPrx
ClientSSLSessionManagerI::create(const Glacier2::SSLInfo& info, const Glacier2::SessionControlPrx& ctl,
const Ice::Current& current)
{
- IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
- SessionIPtr session = new SessionI(cert->getSubjectDN(), _database, _timeout, _waitQueue, ctl);
+ string userDN;
+ if(!info.certs.empty()) // TODO: Require userDN?
+ {
+ try
+ {
+ IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
+ userDN = cert->getSubjectDN();
+ }
+ catch(const Ice::Exception& ex)
+ {
+ // This shouldn't happen, the SSLInfo is supposed to be encoded by Glacier2.
+ Ice::Error out(_database->getTraceLevels()->logger);
+ out << "SSL session manager couldn't decode SSL certificates";
+ return 0;
+ }
+ }
+
+ SessionIPtr session = new SessionI(userDN, _database, _timeout, _waitQueue, ctl);
return Glacier2::SessionPrx::uncheckedCast(current.adapter->addWithUUID(session));
}
diff --git a/cpp/src/IceGrid/SessionI.h b/cpp/src/IceGrid/SessionI.h
index 998f1f8e8ea..927f1e8a026 100644
--- a/cpp/src/IceGrid/SessionI.h
+++ b/cpp/src/IceGrid/SessionI.h
@@ -12,6 +12,7 @@
#include <IceUtil/Mutex.h>
#include <IceGrid/Session.h>
+#include <IceGrid/SessionServantLocatorI.h>
namespace IceGrid
{
@@ -48,6 +49,7 @@ public:
virtual void destroy(const Ice::Current&);
IceUtil::Time timestamp() const;
+ void setServantLocator(const SessionServantLocatorIPtr&);
protected:
@@ -58,6 +60,7 @@ protected:
const int _timeout;
const TraceLevelsPtr _traceLevels;
const DatabasePtr _database;
+ const SessionServantLocatorIPtr _servantLocator;
bool _destroyed;
IceUtil::Time _timestamp;
};
diff --git a/cpp/src/IceGrid/SessionServantLocatorI.cpp b/cpp/src/IceGrid/SessionServantLocatorI.cpp
new file mode 100644
index 00000000000..725e866b130
--- /dev/null
+++ b/cpp/src/IceGrid/SessionServantLocatorI.cpp
@@ -0,0 +1,62 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+#include <IceUtil/UUID.h>
+#include <Ice/LocalException.h>
+#include <Ice/ObjectAdapter.h>
+#include <IceGrid/SessionServantLocatorI.h>
+
+using namespace std;
+using namespace IceGrid;
+
+SessionServantLocatorI::SessionServantLocatorI(const Ice::ObjectAdapterPtr& adapter) : _adapter(adapter)
+{
+}
+
+Ice::ObjectPtr
+SessionServantLocatorI::locate(const Ice::Current& current, Ice::LocalObjectPtr&)
+{
+ Lock sync(*this);
+ map<Ice::Identity, SessionServant>::const_iterator p = _servants.find(current.id);
+ if(p == _servants.end() || p->second.connection != current.con)
+ {
+ return 0;
+ }
+ return p->second.servant;
+}
+
+void
+SessionServantLocatorI::finished(const Ice::Current&, const Ice::ObjectPtr&, const Ice::LocalObjectPtr&)
+{
+}
+
+void
+SessionServantLocatorI::deactivate(const std::string&)
+{
+}
+
+Ice::ObjectPrx
+SessionServantLocatorI::add(const Ice::ObjectPtr& servant, const Ice::ConnectionPtr& con)
+{
+ Lock sync(*this);
+ Ice::Identity id;
+ id.name = IceUtil::generateUUID();
+ if(!_servants.insert(make_pair(id, SessionServant(servant, con))).second)
+ {
+ throw Ice::AlreadyRegisteredException(__FILE__, __LINE__, "servant", id.name);
+ }
+ return _adapter->createProxy(id);
+}
+
+void
+SessionServantLocatorI::remove(const Ice::Identity& id)
+{
+ Lock sync(*this);
+ _servants.erase(id);
+}
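Review bot: `deactivate` at lines 440–443 is empty, so after the adapter is deactivated `_servants` still holds every registered servant and its connection handle until the locator itself is destroyed; if nothing needs lookups after deactivation, `Lock sync(*this); _servants.clear();` releases them. The check at line 428 deliberately returns 0 both for an unknown identity and for a known identity reached from a different connection, which is the right choice because the caller cannot distinguish the two; a comment such as `// Unknown id and wrong connection are reported identically (ObjectNotExist).` would keep a later change from splitting them. The `__FILE__`/`__LINE__` exception at line 453 can only fire on a UUID collision, which a short comment should say.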
diff --git a/cpp/src/IceGrid/SessionServantLocatorI.h b/cpp/src/IceGrid/SessionServantLocatorI.h
new file mode 100644
index 00000000000..8f7da5ab972
--- /dev/null
+++ b/cpp/src/IceGrid/SessionServantLocatorI.h
@@ -0,0 +1,49 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+#ifndef ICE_GRID_SESSIONSERVANTLOCATOR_H
+#define ICE_GRID_SESSIONSERVANTLOCATOR_H
+
+#include <IceUtil/Mutex.h>
+#include <Ice/ServantLocator.h>
+
+namespace IceGrid
+{
+
+class SessionServantLocatorI : public Ice::ServantLocator, public IceUtil::Mutex
+{
+public:
+
+ SessionServantLocatorI(const Ice::ObjectAdapterPtr&);
+
+ Ice::ObjectPtr locate(const Ice::Current&, Ice::LocalObjectPtr&);
+ void finished(const Ice::Current&, const Ice::ObjectPtr&, const Ice::LocalObjectPtr&);
+ void deactivate(const std::string&);
+
+ Ice::ObjectPrx add(const Ice::ObjectPtr&, const Ice::ConnectionPtr&);
+ void remove(const Ice::Identity&);
+
+private:
+
+ struct SessionServant
+ {
+ SessionServant(const Ice::ObjectPtr& s, const Ice::ConnectionPtr& con) : servant(s), connection(con) { }
+
+ const Ice::ObjectPtr servant;
+ const Ice::ConnectionPtr connection;
+ };
+
+ const Ice::ObjectAdapterPtr _adapter;
+ std::map<Ice::Identity, SessionServant> _servants;
+};
+typedef IceUtil::Handle<SessionServantLocatorI> SessionServantLocatorIPtr;
+
+};
+
+#endif
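Review bot: The header uses `std::map` at line 512 but includes only `IceUtil/Mutex.h` and `Ice/ServantLocator.h`, so it compiles only if one of those transitively provides `<map>`; add `#include <map>` next to the other includes. The `};` at line 516 puts a stray semicolon after the namespace's closing brace, which pedantic builds warn about; it should be `}`. The class has no comment describing its contract; suggest one above the class along the lines of `// Servant locator for session servants. add() binds a servant to the connection it was created on; locate() returns it only for requests arriving on that same connection.`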
diff --git a/cpp/test/IceGrid/session/AllTests.cpp b/cpp/test/IceGrid/session/AllTests.cpp
index 9ee1b0dd9e2..2e1fb87e250 100644
--- a/cpp/test/IceGrid/session/AllTests.cpp
+++ b/cpp/test/IceGrid/session/AllTests.cpp
@@ -12,11 +12,54 @@
#include <IceGrid/Registry.h>
#include <IceGrid/Query.h>
#include <IceGrid/Admin.h>
+#include <Glacier2/PermissionsVerifier.h>
+#include <IceSSL/Plugin.h>
#include <TestCommon.h>
using namespace std;
using namespace IceGrid;
+class ClientPermissionsVerifierI : public Glacier2::PermissionsVerifier
+{
+public:
+
+ virtual bool
+ checkPermissions(const string& userId, const string& passwd, string&, const Ice::Current&) const
+ {
+ return userId == "client1" && passwd == "test1" || userId == "client2" && passwd == "test2";
+ }
+};
+
+class AdminPermissionsVerifierI : public Glacier2::PermissionsVerifier
+{
+public:
+
+ virtual bool
+ checkPermissions(const string& userId, const string& passwd, string&, const Ice::Current&) const
+ {
+ return userId == "admin1" && passwd == "test1" || userId == "admin2" && passwd == "test2";
+ }
+};
+
+class SSLPermissionsVerifierI : public Glacier2::SSLPermissionsVerifier
+{
+public:
+
+ virtual bool
+ authorize(const Glacier2::SSLInfo& info, string&, const Ice::Current& current) const
+ {
+ IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
+ test(cert->getIssuerDN() ==
+ "/C=US/ST=Florida/L=Palm Beach Gardens/O=ZeroC, Inc."
+ "/OU=Ice/CN=ZeroC Test CA/emailAddress=info@zeroc.com");
+ test(cert->getSubjectDN() ==
+ "/C=US/ST=Florida/O=ZeroC, Inc./OU=Ice/emailAddress=info@zeroc.com/CN=Client");
+ test(cert->checkValidity());
+
+ return true;
+ }
+};
+
void
addProperty(const CommunicatorDescriptorPtr& communicator, const string& name, const string& value)
{
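Review bot: The return expressions at lines 539 and 550 mix `&&` and `||` without parentheses, which most compilers warn about; `return (userId == "client1" && passwd == "test1") || (userId == "client2" && passwd == "test2");` states the intent explicitly. SSLPermissionsVerifierI::authorize indexes `info.certs[0]` at line 561 without checking for an empty sequence, so a secure connection that presents no client certificate would index an empty vector in the test verifier rather than be rejected; a leading `test(!info.certs.empty());` makes the expectation explicit. The `test(...)` calls on the DNs pin the test CA, which is fine for a fixture but should be stated in a comment so the strings are updated with the certificates.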
@@ -387,16 +430,202 @@ allTests(const Ice::CommunicatorPtr& communicator)
AdminPrx admin = AdminPrx::checkedCast(communicator->stringToProxy("IceGrid/Admin"));
test(admin);
+ communicator->getProperties()->setProperty("VerifierAdapter.Endpoints", "default -t 10000");
+ Ice::ObjectAdapterPtr adapter = communicator->createObjectAdapter("VerifierAdapter");
+ Ice::ObjectPrx obj;
+ obj = adapter->add(new ClientPermissionsVerifierI(), communicator->stringToIdentity("ClientPermissionsVerifier"));
+ admin->addObjectWithType(obj, Glacier2::PermissionsVerifier::ice_staticId());
+ obj = adapter->add(new AdminPermissionsVerifierI(), communicator->stringToIdentity("AdminPermissionsVerifier"));
+ admin->addObjectWithType(obj, Glacier2::PermissionsVerifier::ice_staticId());
+ obj = adapter->add(new SSLPermissionsVerifierI(), communicator->stringToIdentity("SSLPermissionsVerifier"));
+ admin->addObjectWithType(obj, Glacier2::PermissionsVerifier::ice_staticId());
+ adapter->activate();
+
Ice::PropertiesPtr properties = communicator->getProperties();
SessionKeepAliveThreadPtr keepAlive;
keepAlive = new SessionKeepAliveThread(communicator->getLogger(), IceUtil::Time::seconds(5));
keepAlive->start();
+ IceGrid::RegistryPrx registry1 = IceGrid::RegistryPrx::uncheckedCast(registry->ice_connectionId("reg1"));
+ IceGrid::RegistryPrx registry2 = IceGrid::RegistryPrx::uncheckedCast(registry->ice_connectionId("reg2"));
+
+ {
+ cout << "testing username/password sessions... " << flush;
+
+ SessionPrx session1, session2;
+
+ session1 = SessionPrx::uncheckedCast(registry1->createSession("client1", "test1")->ice_connectionId("reg1"));
+ session2 = SessionPrx::uncheckedCast(registry2->createSession("client2", "test2")->ice_connectionId("reg2"));
+ try
+ {
+ registry1->createSession("client3", "test1");
+ }
+ catch(const IceGrid::PermissionDeniedException&)
+ {
+ }
+
+ session1->ice_ping();
+ session2->ice_ping();
+
+ try
+ {
+ session1->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+ try
+ {
+ session2->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+
+ session1->destroy();
+ session2->destroy();
+
+ AdminSessionPrx adminSession1, adminSession2;
+
+ adminSession1 = AdminSessionPrx::uncheckedCast(
+ registry1->createAdminSession("admin1", "test1")->ice_connectionId("reg1"));
+ adminSession2 = AdminSessionPrx::uncheckedCast(
+ registry2->createAdminSession("admin2", "test2")->ice_connectionId("reg2"));
+ try
+ {
+ registry1->createAdminSession("admin3", "test1");
+ }
+ catch(const IceGrid::PermissionDeniedException&)
+ {
+ }
+
+ adminSession1->ice_ping();
+ adminSession2->ice_ping();
+
+ try
+ {
+ adminSession1->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+ try
+ {
+ adminSession2->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+
+ adminSession1->destroy();
+ adminSession2->destroy();
+
+ cout << "ok" << endl;
+ }
+
+ {
+ cout << "testing Glacier2 session managers... " << flush;
+
+ Glacier2::SessionManagerPrx manager;
+
+ manager = Glacier2::SessionManagerPrx::checkedCast(communicator->stringToProxy("IceGrid/SessionManager"));
+ test(manager);
+ IceGrid::SessionPrx session = IceGrid::SessionPrx::checkedCast(manager->create("userid", 0));
+ test(session);
+ session->destroy();
+
+ manager =
+ Glacier2::SessionManagerPrx::checkedCast(communicator->stringToProxy("IceGrid/AdminSessionManager"));
+ test(manager);
+ IceGrid::AdminSessionPrx adminSession = IceGrid::AdminSessionPrx::checkedCast(manager->create("userid", 0));
+ test(adminSession);
+ adminSession->destroy();
+
+ Glacier2::SSLSessionManagerPrx sslManager;
+
+ sslManager =
+ Glacier2::SSLSessionManagerPrx::checkedCast(communicator->stringToProxy("IceGrid/SSLSessionManager"));
+ test(sslManager);
+ session = IceGrid::SessionPrx::checkedCast(sslManager->create(Glacier2::SSLInfo(), 0));
+ test(session);
+ session->destroy();
+
+ sslManager =
+ Glacier2::SSLSessionManagerPrx::checkedCast(communicator->stringToProxy("IceGrid/AdminSSLSessionManager"));
+ test(sslManager);
+ adminSession = IceGrid::AdminSessionPrx::checkedCast(sslManager->create(Glacier2::SSLInfo(), 0));
+ test(adminSession);
+ adminSession->destroy();
+
+ cout << "ok" << endl;
+ }
+
+ if(properties->getProperty("Ice.Default.Protocol") == "ssl")
+ {
+ cout << "testing sessions from secure connection... " << flush;
+
+ SessionPrx session1, session2;
+
+ session1 = SessionPrx::uncheckedCast(registry1->createSessionFromSecureConnection()->ice_connectionId("reg1"));
+ session2 = SessionPrx::uncheckedCast(registry2->createSessionFromSecureConnection()->ice_connectionId("reg2"));
+
+ session1->ice_ping();
+ session2->ice_ping();
+
+ try
+ {
+ session1->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+ try
+ {
+ session2->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+
+ session1->destroy();
+ session2->destroy();
+
+ AdminSessionPrx adminSession1, adminSession2;
+
+ adminSession1 = AdminSessionPrx::uncheckedCast(
+ registry1->createAdminSession("admin1", "test1")->ice_connectionId("reg1"));
+ adminSession2 = AdminSessionPrx::uncheckedCast(
+ registry2->createAdminSession("admin2", "test2")->ice_connectionId("reg2"));
+
+ adminSession1->ice_ping();
+ adminSession2->ice_ping();
+
+ try
+ {
+ adminSession1->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+ try
+ {
+ adminSession2->ice_connectionId("")->ice_ping();
+ }
+ catch(const Ice::ObjectNotExistException&)
+ {
+ }
+
+ adminSession1->destroy();
+ adminSession2->destroy();
+
+ cout << "ok" << endl;
+ }
+
{
- cout << "testing sessions... " << flush;
- AdminSessionPrx session1 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("Observer1", ""));
- AdminSessionPrx session2 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("Observer2", ""));
+ cout << "testing updates with admin sessions... " << flush;
+ AdminSessionPrx session1 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("admin1", "test1"));
+ AdminSessionPrx session2 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("admin2", "test2"));
keepAlive->add(session1);
keepAlive->add(session2);
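Review bot: The `try` blocks that check the new connection binding (lines 615–628, 650–663, 720–733 and 748–761) have no `test(false);` after the `ice_ping()` call, so the test passes even when no `Ice::ObjectNotExistException` is thrown — that is, the property this commit adds is not actually asserted; the same applies to the bad-credential checks at lines 604–610 and 639–645 for `PermissionDeniedException`. Add `test(false);` immediately after each call that is expected to throw. In the secure-connection block, lines 740–743 create the admin sessions with `createAdminSession("admin1", "test1")` rather than `createAdminSessionFromSecureConnection()`, so the admin SSL path in RegistryI.cpp is still not exercised. allTests continues outside the hunk.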
@@ -460,7 +689,7 @@ allTests(const Ice::CommunicatorPtr& communicator)
}
catch(const AccessDeniedException& ex)
{
- test(ex.lockUserId == "Observer1");
+ test(ex.lockUserId == "admin1");
}
try
@@ -609,7 +838,7 @@ allTests(const Ice::CommunicatorPtr& communicator)
{
cout << "testing registry observer... " << flush;
- AdminSessionPrx session1 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("Observer1", ""));
+ AdminSessionPrx session1 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("admin1", "test1"));
keepAlive->add(session1);
@@ -907,7 +1136,7 @@ allTests(const Ice::CommunicatorPtr& communicator)
{
cout << "testing node observer... " << flush;
- AdminSessionPrx session1 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("Observer1", ""));
+ AdminSessionPrx session1 = AdminSessionPrx::uncheckedCast(registry->createAdminSession("admin1", "test1"));
keepAlive->add(session1);
diff --git a/cpp/test/IceGrid/session/Makefile b/cpp/test/IceGrid/session/Makefile
index 158a65237eb..cd46696355f 100644
--- a/cpp/test/IceGrid/session/Makefile
+++ b/cpp/test/IceGrid/session/Makefile
@@ -29,7 +29,7 @@ LINKWITH := $(BZIP2_RPATH_LINK) -lIce -lIceUtil
$(CLIENT): $(COBJS)
rm -f $@
- $(CXX) $(LDFLAGS) -o $@ $(COBJS) -lIceGrid -lGlacier2 $(LIBS)
+ $(CXX) $(LDFLAGS) -o $@ $(COBJS) -lIceGrid -lGlacier2 -lIceSSL $(LIBS)
$(SERVER): $(SOBJS)
rm -f $@
diff --git a/cpp/test/IceGrid/session/run.py b/cpp/test/IceGrid/session/run.py
index d4b1a573714..6899fe1f622 100755
--- a/cpp/test/IceGrid/session/run.py
+++ b/cpp/test/IceGrid/session/run.py
@@ -32,6 +32,12 @@ client = os.path.join(testdir, "client")
additionalOptions = " --Ice.Default.Locator=\"IceGrid/Locator:default -p 12010\" " + \
"--Ice.PrintAdapterReady=0 --Ice.PrintProcessId=0 --IceDir=\"" + toplevel + "\" --TestDir=\"" + testdir + "\""
+IceGridAdmin.registryOptions += \
+ r' --IceGrid.Registry.PermissionsVerifier="ClientPermissionsVerifier"' + \
+ r' --IceGrid.Registry.AdminPermissionsVerifier="AdminPermissionsVerifier"' + \
+ r' --IceGrid.Registry.SSLPermissionsVerifier="SSLPermissionsVerifier"' + \
+ r' --IceGrid.Registry.AdminSSLPermissionsVerifier="SSLPermissionsVerifier"'
+
IceGridAdmin.cleanDbDir(os.path.join(testdir, "db"))
iceGridRegistryThread = IceGridAdmin.startIceGridRegistry("12010", testdir, 1)
iceGridNodeThread = IceGridAdmin.startIceGridNode(testdir)