diff options
| author | Robert Gemmell <robbie@apache.org> | 2010-05-31 16:07:01 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2010-05-31 16:07:01 +0000 |
| commit | 3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b (patch) | |
| tree | 30359796988995f52798936da845db2d5825e707 /java | |
| parent | cbeecb0e4e6ef1200ffc6afed4e1100828312850 (diff) | |
| download | qpid-python-3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b.tar.gz | |
QPID-2573: Implement the Firewall functionality as an OSGi plugin
Applied patch from Andrew Kennedy <andrew.international@gmail.com>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@949785 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java')
10 files changed, 925 insertions, 328 deletions
diff --git a/java/broker-plugins/firewall/MANIFEST.MF b/java/broker-plugins/firewall/MANIFEST.MF new file mode 100644 index 0000000000..6ceea119da --- /dev/null +++ b/java/broker-plugins/firewall/MANIFEST.MF @@ -0,0 +1,36 @@ +Manifest-Version: 1.0 +Bundle-ManifestVersion: 2 +Bundle-Name: Qpid Broker-Plugins Firewall +Bundle-SymbolicName: broker-plugins-firewall +Bundle-Description: Firewall plugin for Qpid. +Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt +Bundle-DocURL: http://www.apache.org/ +Bundle-Version: 1.0.0 +Bundle-Activator: org.apache.qpid.server.security.access.plugins.FirewallActivator +Bundle-RequiredExecutionEnvironment: JavaSE-1.6 +Bundle-ClassPath: . +Bundle-ActivationPolicy: lazy +Import-Package: org.apache.qpid, + org.apache.qpid.framing, + org.apache.qpid.junit.extensions.util, + org.apache.qpid.protocol, + org.apache.qpid.server.configuration, + org.apache.qpid.server.configuration.plugins, + org.apache.qpid.server.exchange, + org.apache.qpid.server.management, + org.apache.qpid.server.plugins, + org.apache.qpid.server.queue, + org.apache.qpid.server.security, + org.apache.qpid.server.security.access, + org.apache.qpid.server.virtualhost, + org.apache.qpid.util, + org.apache.commons.configuration;version=1.0.0, + org.apache.commons.lang;version=1.0.0, + org.apache.commons.lang.builder;version=1.0.0, + org.apache.log4j;version=1.0.0, + javax.management;version=1.0.0, + javax.management.openmbean;version=1.0.0, + org.osgi.util.tracker;version=1.0.0, + org.osgi.framework;version=1.3 +Private-Package: org.apache.qpid.server.security.access.config +Export-Package: org.apache.qpid.server.security.access.plugins;uses:="org.osgi.framework" diff --git a/java/broker-plugins/firewall/build.xml b/java/broker-plugins/firewall/build.xml new file mode 100644 index 0000000000..2be844e1fc --- /dev/null +++ b/java/broker-plugins/firewall/build.xml @@ -0,0 +1,29 @@ +<!-- + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + --> +<project name="Qpid Broker-Plugins Firewall" default="build"> + <property name="module.depends" value="common management/common broker broker-plugins" /> + <property name="module.test.depends" value="junit-toolkit broker/test common/test" /> + + <property name="module.manifest" value="MANIFEST.MF" /> + <property name="module.plugin" value="true" /> + + <import file="../../module.xml" /> + + <target name="bundle" depends="bundle-tasks" /> +</project>
\ No newline at end of file diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java new file mode 100644 index 0000000000..a7395e40b4 --- /dev/null +++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java @@ -0,0 +1,30 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.config; + +/** + * Firewall plugin exception. + */ +public class FirewallException extends Exception +{ + /** serialVersionUID */ + private static final long serialVersionUID = -1L; +}
\ No newline at end of file diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java new file mode 100644 index 0000000000..d6281f9382 --- /dev/null +++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java @@ -0,0 +1,143 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.config; + +import java.net.InetAddress; +import java.util.List; +import java.util.concurrent.atomic.AtomicBoolean; +import java.util.regex.Pattern; + +import org.apache.qpid.server.security.Result; +import org.apache.qpid.util.NetMatcher; + +public class FirewallRule +{ + public static final String ALLOW = "ALLOW"; + public static final String DENY = "DENY"; + + private static final long DNS_TIMEOUT = 30000; + private Result _access; + private NetMatcher _network; + private Pattern[] _hostnamePatterns; + + public FirewallRule(String access, List networks, List hostnames) + { + _access = (access.equalsIgnoreCase(ALLOW)) ? Result.ALLOWED : Result.DENIED; + + if (networks != null && networks.size() > 0) + { + String[] networkStrings = objListToStringArray(networks); + _network = new NetMatcher(networkStrings); + } + + if (hostnames != null && hostnames.size() > 0) + { + int i = 0; + _hostnamePatterns = new Pattern[hostnames.size()]; + for (String hostname : objListToStringArray(hostnames)) + { + _hostnamePatterns[i++] = Pattern.compile(hostname); + } + } + } + + private String[] objListToStringArray(List objList) + { + String[] networkStrings = new String[objList.size()]; + int i = 0; + for (Object network : objList) + { + networkStrings[i++] = (String) network; + } + return networkStrings; + } + + public boolean match(InetAddress remote) throws FirewallException + { + if (_hostnamePatterns != null) + { + String hostname = getHostname(remote); + if (hostname == null) + { + throw new FirewallException(); + } + for (Pattern pattern : _hostnamePatterns) + { + if (pattern.matcher(hostname).matches()) + { + return true; + } + } + return false; + } + else + { + return _network.matchInetNetwork(remote); + } + } + + /** + * @param remote the InetAddress to look up + * @return the hostname, null if not found or takes longer than 30s to find + */ + private String getHostname(final InetAddress remote) + { + final String[] hostname = new String[]{null}; + final AtomicBoolean done = new AtomicBoolean(false); + // Spawn thread + Thread thread = new Thread(new Runnable() + { + public void run() + { + hostname[0] = remote.getCanonicalHostName(); + done.getAndSet(true); + synchronized (done) + { + done.notifyAll(); + } + } + }); + + thread.run(); + long endTime = System.currentTimeMillis() + DNS_TIMEOUT; + + while (System.currentTimeMillis() < endTime && !done.get()) + { + try + { + synchronized (done) + { + done.wait(endTime - System.currentTimeMillis()); + } + } + catch (InterruptedException e) + { + // Check the time and if necessary sleep for a bit longer + } + } + return hostname[0]; + } + + public Result getAccess() + { + return _access; + } +}
\ No newline at end of file diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java new file mode 100644 index 0000000000..acd74d49f5 --- /dev/null +++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java @@ -0,0 +1,166 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.util.List; + +import org.apache.commons.configuration.CompositeConfiguration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.commons.configuration.XMLConfiguration; +import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin; +import org.apache.qpid.server.security.AbstractPlugin; +import org.apache.qpid.server.security.Result; +import org.apache.qpid.server.security.SecurityPluginFactory; +import org.apache.qpid.server.security.access.ObjectProperties; +import org.apache.qpid.server.security.access.ObjectType; +import org.apache.qpid.server.security.access.Operation; +import org.apache.qpid.server.security.access.config.FirewallException; +import org.apache.qpid.server.security.access.config.FirewallRule; + +public class Firewall extends AbstractPlugin +{ + public static final SecurityPluginFactory<Firewall> FACTORY = new SecurityPluginFactory<Firewall>() + { + public Firewall newInstance(ConfigurationPlugin config) throws ConfigurationException + { + Firewall plugin = new Firewall(config); + plugin.configure(); + return plugin; + } + + public Class<Firewall> getPluginClass() + { + return Firewall.class; + } + + public String getPluginName() + { + return Firewall.class.getName(); + } + }; + + private Result _default = Result.ABSTAIN; + private FirewallRule[] _rules; + + public Result getDefault() + { + return _default; + } + + public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties) + { + return Result.ABSTAIN; // We only deal with access requests + } + + public Result access(ObjectType objectType, Object instance) + { + if (objectType != ObjectType.VIRTUALHOST) + { + return Result.ABSTAIN; // We are only interested in access to virtualhosts + } + + // TODO alter 0-10 code path to expose the SocketAddress object? + String address = (String) instance; + + if (address == null || address.trim().length() == 0) + { + return Result.ABSTAIN; // We need an address + } + + try + { + int slash = address.indexOf('/'); + int colon = address.indexOf(':'); + InetAddress addr = InetAddress.getByName(address.substring(slash == -1 ? 0 : slash + 1, colon == -1 ? address.length() : colon)); + if (addr == null) + { + return Result.ABSTAIN; // Not a real address + } + + for (FirewallRule rule : _rules) + { + boolean match = rule.match(addr); + if (match) + { + return rule.getAccess(); + } + } + return getDefault(); + } + catch (UnknownHostException uhe) + { + _logger.error("Address format invalid: " + address, uhe); + return Result.DENIED; + } + catch (FirewallException fe) + { + return Result.DENIED; + } + } + + public Firewall(ConfigurationPlugin config) + { + _config = config.getConfiguration(FirewallConfiguration.class); + } + + public void configure() throws ConfigurationException + { + FirewallConfiguration config = (FirewallConfiguration) _config; + + if (isConfigured()) + { + // Get default action + String defaultAction = config.getConfiguration().getString("[@default-action]"); + if (defaultAction == null) + { + _default = Result.ABSTAIN; + } + else if (defaultAction.equalsIgnoreCase(FirewallRule.ALLOW)) + { + _default = Result.ALLOWED; + } + else + { + _default = Result.DENIED; + } + + CompositeConfiguration finalConfig = new CompositeConfiguration(config.getConfiguration()); + List subFiles = config.getConfiguration().getList("xml[@fileName]"); + for (Object subFile : subFiles) + { + finalConfig.addConfiguration(new XMLConfiguration((String) subFile)); + } + + // all rules must have an access attribute + int numRules = finalConfig.getList("rule[@access]").size(); + _rules = new FirewallRule[numRules]; + for (int i = 0; i < numRules; i++) + { + FirewallRule rule = new FirewallRule(finalConfig.getString("rule(" + i + ")[@access]"), + finalConfig.getList("rule(" + i + ")[@network]"), + finalConfig.getList("rule(" + i + ")[@hostname]")); + _rules[i] = rule; + } + } + } +} diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java new file mode 100644 index 0000000000..22d34b676e --- /dev/null +++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java @@ -0,0 +1,22 @@ +package org.apache.qpid.server.security.access.plugins; + +import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory; +import org.apache.qpid.server.security.SecurityPluginActivator; +import org.apache.qpid.server.security.SecurityPluginFactory; +import org.osgi.framework.BundleActivator; + +/** + * The OSGi {@link BundleActivator} for {@link Firewall}. + */ +public class FirewallActivator extends SecurityPluginActivator +{ + public SecurityPluginFactory getFactory() + { + return Firewall.FACTORY; + } + + public ConfigurationPluginFactory getConfigurationFactory() + { + return FirewallConfiguration.FACTORY; + } +} diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java new file mode 100644 index 0000000000..fe9f48f950 --- /dev/null +++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java @@ -0,0 +1,57 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import java.util.Arrays; +import java.util.List; + +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin; +import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory; + +public class FirewallConfiguration extends ConfigurationPlugin +{ + public static final ConfigurationPluginFactory FACTORY = new ConfigurationPluginFactory() + { + public ConfigurationPlugin newInstance(String path, Configuration config) throws ConfigurationException + { + ConfigurationPlugin instance = new FirewallConfiguration(); + instance.setConfiguration(path, config); + return instance; + } + + public List<String> getParentPaths() + { + return Arrays.asList("security", "virtualhosts.virtualhost.security"); + } + }; + + public String[] getElementsProcessed() + { + return new String[] { "firewall" }; + } + + public Configuration getConfiguration() + { + return _configuration.subset("firewall"); + } +} diff --git a/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java new file mode 100644 index 0000000000..e688114461 --- /dev/null +++ b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java @@ -0,0 +1,374 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access; + +import java.io.File; +import java.io.FileWriter; +import java.io.IOException; +import java.io.RandomAccessFile; + +import junit.framework.TestCase; + +import org.apache.qpid.server.protocol.AMQProtocolEngine; +import org.apache.qpid.server.protocol.AMQProtocolSession; +import org.apache.qpid.server.registry.ApplicationRegistry; +import org.apache.qpid.server.registry.ConfigurationFileApplicationRegistry; +import org.apache.qpid.server.virtualhost.VirtualHost; +import org.apache.qpid.server.virtualhost.VirtualHostRegistry; +import org.apache.qpid.transport.TestNetworkDriver; + +public class FirewallConfigurationTest extends TestCase +{ + @Override + public void setUp() + { + //Highlight that this test will cause a new AR to be created + //ApplicationRegistry.getInstance(); + } + + @Override + public void tearDown() throws Exception + { + //Correctly Close the AR we created + //ApplicationRegistry.remove(); + } + + public void testFirewallConfiguration() throws Exception + { + // Write out config + File mainFile = File.createTempFile(getClass().getName(), null); + mainFile.deleteOnExit(); + writeConfigFile(mainFile, false); + + // Load config + ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); + try + { + ApplicationRegistry.initialise(reg, 1); + + // Test config + assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1")); + assertTrue(reg.getSecurityManager().accessVirtualhost("test", "127.1.2.3")); + } + finally + { + ApplicationRegistry.remove(1); + } + } + + public void testCombinedConfigurationFirewall() throws Exception + { + // Write out config + File mainFile = File.createTempFile(getClass().getName(), null); + File fileA = File.createTempFile(getClass().getName(), null); + File fileB = File.createTempFile(getClass().getName(), null); + + mainFile.deleteOnExit(); + fileA.deleteOnExit(); + fileB.deleteOnExit(); + + FileWriter out = new FileWriter(mainFile); + out.write("<configuration><system/>"); + out.write("<xml fileName=\"" + fileA.getAbsolutePath() + "\"/>"); + out.write("</configuration>"); + out.close(); + + out = new FileWriter(fileA); + out.write("<broker>\n"); + out.write("\t<plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>\n"); + out.write("\t<management><enabled>false</enabled></management>\n"); + out.write("\t<security>\n"); + out.write("\t\t<principal-databases>\n"); + out.write("\t\t\t<principal-database>\n"); + out.write("\t\t\t\t<name>passwordfile</name>\n"); + out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n"); + out.write("\t\t\t\t<attributes>\n"); + out.write("\t\t\t\t\t<attribute>\n"); + out.write("\t\t\t\t\t\t<name>passwordFile</name>\n"); + out.write("\t\t\t\t\t\t<value>/dev/null</value>\n"); + out.write("\t\t\t\t\t</attribute>\n"); + out.write("\t\t\t\t</attributes>\n"); + out.write("\t\t\t</principal-database>\n"); + out.write("\t\t</principal-databases>\n"); + out.write("\t\t<jmx>\n"); + out.write("\t\t\t<access>/dev/null</access>\n"); + out.write("\t\t\t<principal-database>passwordfile</principal-database>\n"); + out.write("\t\t</jmx>\n"); + out.write("\t\t<firewall>\n"); + out.write("\t\t\t<xml fileName=\"" + fileB.getAbsolutePath() + "\"/>"); + out.write("\t\t</firewall>\n"); + out.write("\t</security>\n"); + out.write("\t<virtualhosts>\n"); + out.write("\t\t<virtualhost>\n"); + out.write("\t\t\t<name>test</name>\n"); + out.write("\t\t</virtualhost>\n"); + out.write("\t</virtualhosts>\n"); + out.write("</broker>\n"); + out.close(); + + out = new FileWriter(fileB); + out.write("<firewall>\n"); + out.write("\t<rule access=\"deny\" network=\"127.0.0.1\"/>"); + out.write("</firewall>\n"); + out.close(); + + // Load config + ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); + try + { + ApplicationRegistry.initialise(reg, 1); + + // Test config + assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1")); + } + finally + { + ApplicationRegistry.remove(1); + } + } + + public void testConfigurationFirewallReload() throws Exception + { + // Write out config + File mainFile = File.createTempFile(getClass().getName(), null); + + mainFile.deleteOnExit(); + writeConfigFile(mainFile, false); + + // Load config + ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); + try + { + ApplicationRegistry.initialise(reg, 1); + + // Test config + assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1")); + + // Switch to deny the connection + writeConfigFile(mainFile, true); + + reg.getConfiguration().reparseConfigFileSecuritySections(); + + assertTrue(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1")); + } + finally + { + ApplicationRegistry.remove(1); + } + } + + public void testCombinedConfigurationFirewallReload() throws Exception + { + // Write out config + File mainFile = File.createTempFile(getClass().getName(), null); + File fileA = File.createTempFile(getClass().getName(), null); + File fileB = File.createTempFile(getClass().getName(), null); + + mainFile.deleteOnExit(); + fileA.deleteOnExit(); + fileB.deleteOnExit(); + + FileWriter out = new FileWriter(mainFile); + out.write("<configuration><system/>"); + out.write("<xml fileName=\"" + fileA.getAbsolutePath() + "\"/>"); + out.write("</configuration>"); + out.close(); + + out = new FileWriter(fileA); + out.write("<broker>\n"); + out.write("\t<plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>\n"); + out.write("\t<management><enabled>false</enabled></management>\n"); + out.write("\t<security>\n"); + out.write("\t\t<principal-databases>\n"); + out.write("\t\t\t<principal-database>\n"); + out.write("\t\t\t\t<name>passwordfile</name>\n"); + out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n"); + out.write("\t\t\t\t<attributes>\n"); + out.write("\t\t\t\t\t<attribute>\n"); + out.write("\t\t\t\t\t\t<name>passwordFile</name>\n"); + out.write("\t\t\t\t\t\t<value>/dev/null</value>\n"); + out.write("\t\t\t\t\t</attribute>\n"); + out.write("\t\t\t\t</attributes>\n"); + out.write("\t\t\t</principal-database>\n"); + out.write("\t\t</principal-databases>\n"); + out.write("\t\t<jmx>\n"); + out.write("\t\t\t<access>/dev/null</access>\n"); + out.write("\t\t\t<principal-database>passwordfile</principal-database>\n"); + out.write("\t\t</jmx>\n"); + out.write("\t\t<firewall>\n"); + out.write("\t\t\t<xml fileName=\"" + fileB.getAbsolutePath() + "\"/>"); + out.write("\t\t</firewall>\n"); + out.write("\t</security>\n"); + out.write("\t<virtualhosts>\n"); + out.write("\t\t<virtualhost>\n"); + out.write("\t\t\t<name>test</name>\n"); + out.write("\t\t</virtualhost>\n"); + out.write("\t</virtualhosts>\n"); + out.write("</broker>\n"); + out.close(); + + out = new FileWriter(fileB); + out.write("<firewall>\n"); + out.write("\t<rule access=\"deny\" network=\"127.0.0.1\"/>"); + out.write("</firewall>\n"); + out.close(); + + // Load config + ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); + try + { + ApplicationRegistry.initialise(reg, 1); + + // Test config + assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1")); + + RandomAccessFile fileBRandom = new RandomAccessFile(fileB, "rw"); + fileBRandom.setLength(0); + fileBRandom.seek(0); + fileBRandom.close(); + + out = new FileWriter(fileB); + out.write("<firewall>\n"); + out.write("\t<rule access=\"allow\" network=\"127.0.0.1\"/>"); + out.write("</firewall>\n"); + out.close(); + + reg.getConfiguration().reparseConfigFileSecuritySections(); + + assertTrue(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1")); + + fileBRandom = new RandomAccessFile(fileB, "rw"); + fileBRandom.setLength(0); + fileBRandom.seek(0); + fileBRandom.close(); + + out = new FileWriter(fileB); + out.write("<firewall>\n"); + out.write("\t<rule access=\"deny\" network=\"127.0.0.1\"/>"); + out.write("</firewall>\n"); + out.close(); + + reg.getConfiguration().reparseConfigFileSecuritySections(); + + assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1")); + } + finally + { + ApplicationRegistry.remove(1); + } + } + + private void writeFirewallVhostsFile(File vhostsFile, boolean allow) throws IOException + { + FileWriter out = new FileWriter(vhostsFile); + String ipAddr = "127.0.0.1"; // FIXME: get this from InetAddress.getLocalHost().getAddress() ? + out.write("<virtualhosts><virtualhost>"); + out.write("<name>test</name>"); + out.write("<test>"); + out.write("<security><firewall>"); + out.write("<rule access=\""+((allow) ? "allow" : "deny")+"\" network=\""+ipAddr +"\"/>"); + out.write("</firewall></security>"); + out.write("</test>"); + out.write("</virtualhost></virtualhosts>"); + out.close(); + } + + private void writeConfigFile(File mainFile, boolean allow) throws IOException { + writeConfigFile(mainFile, allow, true, null, "test"); + } + + /* + XMLConfiguration config = new XMLConfiguration(mainFile); + PluginManager pluginManager = new MockPluginManager(""); + SecurityManager manager = new SecurityManager(config, pluginManager, Firewall.FACTORY); + + */ + private void writeConfigFile(File mainFile, boolean allow, boolean includeVhosts, File vhostsFile, String name) throws IOException { + FileWriter out = new FileWriter(mainFile); + out.write("<broker>\n"); + out.write("\t<plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>\n"); + out.write("\t<management><enabled>false</enabled></management>\n"); + out.write("\t<security>\n"); + out.write("\t\t<principal-databases>\n"); + out.write("\t\t\t<principal-database>\n"); + out.write("\t\t\t\t<name>passwordfile</name>\n"); + out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n"); + out.write("\t\t\t\t<attributes>\n"); + out.write("\t\t\t\t\t<attribute>\n"); + out.write("\t\t\t\t\t\t<name>passwordFile</name>\n"); + out.write("\t\t\t\t\t\t<value>/dev/null</value>\n"); + out.write("\t\t\t\t\t</attribute>\n"); + out.write("\t\t\t\t</attributes>\n"); + out.write("\t\t\t</principal-database>\n"); + out.write("\t\t</principal-databases>\n"); + out.write("\t\t<jmx>\n"); + out.write("\t\t\t<access>/dev/null</access>\n"); + out.write("\t\t\t<principal-database>passwordfile</principal-database>\n"); + out.write("\t\t</jmx>\n"); + out.write("\t\t<firewall>\n"); + out.write("\t\t\t<rule access=\""+ ((allow) ? "allow" : "deny") +"\" network=\"127.0.0.1\"/>"); + out.write("\t\t</firewall>\n"); + out.write("\t</security>\n"); + if (includeVhosts) + { + out.write("\t<virtualhosts>\n"); + out.write("\t\t<default>test</default>\n"); + out.write("\t\t<virtualhost>\n"); + out.write(String.format("\t\t\t<name>%s</name>\n", name)); + out.write("\t\t</virtualhost>\n"); + out.write("\t</virtualhosts>\n"); + } + if (vhostsFile != null) + { + out.write("\t<virtualhosts>"+vhostsFile.getAbsolutePath()+"</virtualhosts>\n"); + } + out.write("</broker>\n"); + out.close(); + } + + /** + * Test that configuration loads correctly when virtual hosts are specified in an external + * configuration file only. + * <p> + * Test for QPID-2360 + */ + public void testExternalFirewallVirtualhostXMLFile() throws Exception + { + // Write out config + File mainFile = File.createTempFile(getClass().getName(), "config"); + mainFile.deleteOnExit(); + File vhostsFile = File.createTempFile(getClass().getName(), "vhosts"); + vhostsFile.deleteOnExit(); + writeConfigFile(mainFile, false, false, vhostsFile, null); + writeFirewallVhostsFile(vhostsFile, false); + + // Load config + ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); + ApplicationRegistry.initialise(reg, 1); + + // Test config + VirtualHostRegistry virtualHostRegistry = reg.getVirtualHostRegistry(); + VirtualHost virtualHost = virtualHostRegistry.getVirtualHost("test"); + + assertEquals("Incorrect virtualhost count", 1, virtualHostRegistry.getVirtualHosts().size()); + assertEquals("Incorrect virtualhost name", "test", virtualHost.getName()); + } +} diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java index 5d3335c001..f94443228e 100644 --- a/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java +++ b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java @@ -1,5 +1,4 @@ /* - * * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -16,10 +15,8 @@ * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. - * */ - -package org.apache.qpid.server.security.access.plugins.network; +package org.apache.qpid.server.security.access; import java.io.BufferedWriter; import java.io.File; @@ -33,15 +30,14 @@ import org.apache.commons.configuration.ConfigurationException; import org.apache.commons.configuration.XMLConfiguration; import org.apache.qpid.server.protocol.AMQProtocolEngine; import org.apache.qpid.server.registry.ApplicationRegistry; -import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult; -import org.apache.qpid.server.store.TestableMemoryMessageStore; -import org.apache.qpid.server.virtualhost.VirtualHost; +import org.apache.qpid.server.security.Result; +import org.apache.qpid.server.security.access.plugins.Firewall; +import org.apache.qpid.server.security.access.plugins.FirewallConfiguration; import org.apache.qpid.server.virtualhost.VirtualHostRegistry; import org.apache.qpid.transport.TestNetworkDriver; public class FirewallPluginTest extends TestCase { - public class RuleInfo { private String _access; @@ -79,24 +75,18 @@ public class FirewallPluginTest extends TestCase } } - private TestableMemoryMessageStore _store; - private VirtualHost _virtualHost; - private AMQProtocolEngine _session; - private TestNetworkDriver _testDriver; + // IP address + private String _address; @Override public void setUp() throws Exception { super.setUp(); - _store = new TestableMemoryMessageStore(); - _testDriver = new TestNetworkDriver(); - _testDriver.setRemoteAddress("127.0.0.1"); - - // Retreive VirtualHost from the Registry - VirtualHostRegistry virtualHostRegistry = ApplicationRegistry.getInstance().getVirtualHostRegistry(); - _virtualHost = virtualHostRegistry.getVirtualHost("test"); + + _address = "127.0.0.1"; - _session = new AMQProtocolEngine(virtualHostRegistry, _testDriver); + // Create new ApplicationRegistry + ApplicationRegistry.getInstance(); } public void tearDown() throws Exception @@ -106,12 +96,13 @@ public class FirewallPluginTest extends TestCase super.tearDown(); } - private FirewallPlugin initialisePlugin(String defaultAction, RuleInfo[] rules) throws IOException, ConfigurationException + private Firewall initialisePlugin(String defaultAction, RuleInfo[] rules) throws IOException, ConfigurationException { // Create sample config file File confFile = File.createTempFile(getClass().getSimpleName()+"conffile", null); confFile.deleteOnExit(); BufferedWriter buf = new BufferedWriter(new FileWriter(confFile)); + buf.write("<security>\n"); buf.write("<firewall default-action=\""+defaultAction+"\">\n"); if (rules != null) { @@ -131,15 +122,19 @@ public class FirewallPluginTest extends TestCase } } buf.write("</firewall>"); + buf.write("</security>\n"); buf.close(); // Configure plugin - FirewallPlugin plugin = new FirewallPlugin(); - plugin.setConfiguration(new XMLConfiguration(confFile)); + FirewallConfiguration config = new FirewallConfiguration(); + config.setConfiguration("", new XMLConfiguration(confFile)); + Firewall plugin = new Firewall(config); + plugin._config = config; + plugin.configure(); return plugin; } - private FirewallPlugin initialisePlugin(String string) throws ConfigurationException, IOException + private Firewall initialisePlugin(String string) throws ConfigurationException, IOException { return initialisePlugin(string, null); } @@ -147,12 +142,12 @@ public class FirewallPluginTest extends TestCase public void testDefaultAction() throws Exception { // Test simple deny - FirewallPlugin plugin = initialisePlugin("deny"); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + Firewall plugin = initialisePlugin("deny"); + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); // Test simple allow plugin = initialisePlugin("allow"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } @@ -162,13 +157,13 @@ public class FirewallPluginTest extends TestCase rule.setAccess("allow"); rule.setNetwork("192.168.23.23"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "192.168.23.23"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testSingleNetworkRule() throws Exception @@ -177,13 +172,13 @@ public class FirewallPluginTest extends TestCase rule.setAccess("allow"); rule.setNetwork("192.168.23.0/24"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "192.168.23.23"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testSingleHostRule() throws Exception @@ -192,11 +187,11 @@ public class FirewallPluginTest extends TestCase rule.setAccess("allow"); rule.setHostname(new InetSocketAddress("127.0.0.1", 5672).getHostName()); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("127.0.0.1"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "127.0.0.1"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testSingleHostWilcardRule() throws Exception @@ -205,11 +200,11 @@ public class FirewallPluginTest extends TestCase rule.setAccess("allow"); String hostname = new InetSocketAddress("127.0.0.1", 0).getHostName(); rule.setHostname(".*"+hostname.subSequence(hostname.length() - 1, hostname.length())+"*"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("127.0.0.1"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "127.0.0.1"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testSeveralFirstAllowsAccess() throws Exception @@ -226,13 +221,13 @@ public class FirewallPluginTest extends TestCase thirdRule.setAccess("deny"); thirdRule.setHostname("localhost"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "192.168.23.23"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testSeveralLastAllowsAccess() throws Exception @@ -249,13 +244,13 @@ public class FirewallPluginTest extends TestCase thirdRule.setAccess("allow"); thirdRule.setNetwork("192.168.23.23"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "192.168.23.23"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testNetmask() throws Exception @@ -263,13 +258,13 @@ public class FirewallPluginTest extends TestCase RuleInfo firstRule = new RuleInfo(); firstRule.setAccess("allow"); firstRule.setNetwork("192.168.23.0/24"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "192.168.23.23"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testCommaSeperatedNetmask() throws Exception @@ -277,13 +272,13 @@ public class FirewallPluginTest extends TestCase RuleInfo firstRule = new RuleInfo(); firstRule.setAccess("allow"); firstRule.setNetwork("10.1.1.1/8, 192.168.23.0/24"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "192.168.23.23"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } public void testCommaSeperatedHostnames() throws Exception @@ -291,13 +286,14 @@ public class FirewallPluginTest extends TestCase RuleInfo firstRule = new RuleInfo(); firstRule.setAccess("allow"); firstRule.setHostname("foo, bar, "+new InetSocketAddress("127.0.0.1", 5672).getHostName()); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - _testDriver.setRemoteAddress("10.0.0.1"); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("127.0.0.1"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + // Set IP so that we're connected from the right address + _address = "10.0.0.1"; + assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); + + // Set IP so that we're connected from the right address + _address = "127.0.0.1"; + assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); } - } diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java deleted file mode 100644 index 17d80c63fa..0000000000 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java +++ /dev/null @@ -1,256 +0,0 @@ -/* - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.qpid.server.security.access.plugins.network; - -import java.net.InetAddress; -import java.net.InetSocketAddress; -import java.net.SocketAddress; -import java.util.List; -import java.util.concurrent.atomic.AtomicBoolean; -import java.util.regex.Pattern; - -import org.apache.commons.configuration.CompositeConfiguration; -import org.apache.commons.configuration.Configuration; -import org.apache.commons.configuration.ConfigurationException; -import org.apache.commons.configuration.XMLConfiguration; -import org.apache.qpid.protocol.ProtocolEngine; -import org.apache.qpid.server.security.access.ACLPlugin; -import org.apache.qpid.server.security.access.ACLPluginFactory; -import org.apache.qpid.server.security.access.plugins.AbstractACLPlugin; -import org.apache.qpid.server.security.PrincipalHolder; -import org.apache.qpid.server.virtualhost.VirtualHost; -import org.apache.qpid.util.NetMatcher; - -public class FirewallPlugin extends AbstractACLPlugin -{ - - public class FirewallPluginException extends Exception {} - - public static final ACLPluginFactory FACTORY = new ACLPluginFactory() - { - public boolean supportsTag(String name) - { - return name.startsWith("firewall"); - } - - public ACLPlugin newInstance(Configuration config) throws ConfigurationException - { - FirewallPlugin plugin = new FirewallPlugin(); - plugin.setConfiguration(config.subset("firewall")); - return plugin; - } - }; - - public class FirewallRule - { - - private static final long DNS_TIMEOUT = 30000; - private AuthzResult _access; - private NetMatcher _network; - private Pattern[] _hostnamePatterns; - - public FirewallRule(String access, List networks, List hostnames) - { - _access = (access.equals("allow")) ? AuthzResult.ALLOWED : AuthzResult.DENIED; - - if (networks != null && networks.size() > 0) - { - String[] networkStrings = objListToStringArray(networks); - _network = new NetMatcher(networkStrings); - } - - if (hostnames != null && hostnames.size() > 0) - { - int i = 0; - _hostnamePatterns = new Pattern[hostnames.size()]; - for (String hostname : objListToStringArray(hostnames)) - { - _hostnamePatterns[i++] = Pattern.compile(hostname); - } - } - - } - - private String[] objListToStringArray(List objList) - { - String[] networkStrings = new String[objList.size()]; - int i = 0; - for (Object network : objList) - { - networkStrings[i++] = (String) network; - } - return networkStrings; - } - - public boolean match(InetAddress remote) throws FirewallPluginException - { - if (_hostnamePatterns != null) - { - String hostname = getHostname(remote); - if (hostname == null) - { - throw new FirewallPluginException(); - } - for (Pattern pattern : _hostnamePatterns) - { - if (pattern.matcher(hostname).matches()) - { - return true; - } - } - return false; - } - else - { - return _network.matchInetNetwork(remote); - } - } - - /** - * @param remote the InetAddress to look up - * @return the hostname, null if not found or takes longer than 30s to find - */ - private String getHostname(final InetAddress remote) - { - final String[] hostname = new String[]{null}; - final AtomicBoolean done = new AtomicBoolean(false); - // Spawn thread - Thread thread = new Thread(new Runnable() - { - public void run() - { - hostname[0] = remote.getCanonicalHostName(); - done.getAndSet(true); - synchronized (done) - { - done.notifyAll(); - } - } - }); - - thread.run(); - long endTime = System.currentTimeMillis() + DNS_TIMEOUT; - - while (System.currentTimeMillis() < endTime && !done.get()) - { - try - { - synchronized (done) - { - done.wait(endTime - System.currentTimeMillis()); - } - } - catch (InterruptedException e) - { - // Check the time and if necessary sleep for a bit longer - } - } - return hostname[0]; - } - - public AuthzResult getAccess() - { - return _access; - } - - } - - private AuthzResult _default = AuthzResult.ABSTAIN; - private FirewallRule[] _rules; - - @Override - public AuthzResult authoriseConnect(PrincipalHolder principalHolder, VirtualHost virtualHost) - { - if(!(principalHolder instanceof ProtocolEngine)) - { - return AuthzResult.ABSTAIN; // We only deal with tcp sessions - } - - ProtocolEngine session = (ProtocolEngine) principalHolder; - - SocketAddress sockAddr = session.getRemoteAddress(); - if (!(sockAddr instanceof InetSocketAddress)) - { - return AuthzResult.ABSTAIN; // We only deal with tcp sessions - } - - InetAddress addr = ((InetSocketAddress) sockAddr).getAddress(); - - if (addr == null) - { - return AuthzResult.ABSTAIN; // Not an Inet socket on the other end - } - - boolean match = false; - for (FirewallRule rule : _rules) - { - try - { - match = rule.match(addr); - } - catch (FirewallPluginException e) - { - return AuthzResult.DENIED; - } - if (match) - { - return rule.getAccess(); - } - } - return _default; - - } - - public void setConfiguration(Configuration config) throws ConfigurationException - { - // Get default action - String defaultAction = config.getString("[@default-action]"); - if (defaultAction == null) - { - _default = AuthzResult.ABSTAIN; - } - else if (defaultAction.toLowerCase().equals("allow")) - { - _default = AuthzResult.ALLOWED; - } - else - { - _default = AuthzResult.DENIED; - } - CompositeConfiguration finalConfig = new CompositeConfiguration(config); - - List subFiles = config.getList("xml[@fileName]"); - for (Object subFile : subFiles) - { - finalConfig.addConfiguration(new XMLConfiguration((String) subFile)); - } - - // all rules must have an access attribute - int numRules = finalConfig.getList("rule[@access]").size(); - _rules = new FirewallRule[numRules]; - for (int i = 0; i < numRules; i++) - { - FirewallRule rule = new FirewallRule(finalConfig.getString("rule(" + i + ")[@access]"), finalConfig.getList("rule(" - + i + ")[@network]"), finalConfig.getList("rule(" + i + ")[@hostname]")); - _rules[i] = rule; - } - } -} |