diff options
Diffstat (limited to 'qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java')
-rw-r--r-- | qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java new file mode 100644 index 0000000000..a6ea9d261e --- /dev/null +++ b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java @@ -0,0 +1,136 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import java.net.InetAddress; +import java.net.InetSocketAddress; + +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin; +import org.apache.qpid.server.security.AbstractPlugin; +import org.apache.qpid.server.security.Result; +import org.apache.qpid.server.security.SecurityPluginFactory; +import org.apache.qpid.server.security.access.ObjectProperties; +import org.apache.qpid.server.security.access.ObjectType; +import org.apache.qpid.server.security.access.Operation; +import org.apache.qpid.server.security.access.config.FirewallException; +import org.apache.qpid.server.security.access.config.FirewallRule; + +public class Firewall extends AbstractPlugin +{ + public static final SecurityPluginFactory<Firewall> FACTORY = new SecurityPluginFactory<Firewall>() + { + public Firewall newInstance(ConfigurationPlugin config) throws ConfigurationException + { + FirewallConfiguration configuration = config.getConfiguration(FirewallConfiguration.class.getName()); + + // If there is no configuration for this plugin then don't load it. + if (configuration == null) + { + return null; + } + + Firewall plugin = new Firewall(); + plugin.configure(configuration); + return plugin; + } + + public Class<Firewall> getPluginClass() + { + return Firewall.class; + } + + public String getPluginName() + { + return Firewall.class.getName(); + } + }; + + private Result _default = Result.ABSTAIN; + private FirewallRule[] _rules; + + public Result getDefault() + { + return _default; + } + + public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties) + { + return Result.ABSTAIN; // We only deal with access requests + } + + public Result access(ObjectType objectType, Object instance) + { + if (objectType != ObjectType.VIRTUALHOST) + { + return Result.ABSTAIN; // We are only interested in access to virtualhosts + } + + if (!(instance instanceof InetSocketAddress)) + { + return Result.ABSTAIN; // We need an internet address + } + + InetAddress address = ((InetSocketAddress) instance).getAddress(); + + try + { + for (FirewallRule rule : _rules) + { + boolean match = rule.match(address); + if (match) + { + return rule.getAccess(); + } + } + return getDefault(); + } + catch (FirewallException fe) + { + return Result.DENIED; + } + } + + + public void configure(ConfigurationPlugin config) + { + super.configure(config); + FirewallConfiguration firewallConfiguration = (FirewallConfiguration) _config; + + // Get default action + _default = firewallConfiguration.getDefaultAction(); + + Configuration finalConfig = firewallConfiguration.getConfiguration(); + + // all rules must have an access attribute + int numRules = finalConfig.getList("rule[@access]").size(); + _rules = new FirewallRule[numRules]; + for (int i = 0; i < numRules; i++) + { + FirewallRule rule = new FirewallRule(finalConfig.getString("rule(" + i + ")[@access]"), + finalConfig.getList("rule(" + i + ")[@network]"), + finalConfig.getList("rule(" + i + ")[@hostname]")); + _rules[i] = rule; + } + + } +} |