diff options
Diffstat (limited to 'qpid/java/broker-plugins/firewall/src/main')
5 files changed, 463 insertions, 0 deletions
diff --git a/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java new file mode 100644 index 0000000000..a9e3fdc242 --- /dev/null +++ b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java @@ -0,0 +1,46 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.config; + +/** + * Firewall plugin exception. + */ +public class FirewallException extends Exception +{ + /** serialVersionUID */ + private static final long serialVersionUID = 4526157149690917805L; + + public FirewallException() { + super(); + } + + public FirewallException(String message) { + super(message); + } + + public FirewallException(String message, Throwable cause) { + super(message, cause); + } + + public FirewallException(Throwable cause) { + super(cause); + } +}
\ No newline at end of file diff --git a/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java new file mode 100644 index 0000000000..f257b58867 --- /dev/null +++ b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java @@ -0,0 +1,137 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.config; + +import java.net.InetAddress; +import java.util.List; +import java.util.concurrent.Callable; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.FutureTask; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; +import java.util.regex.Pattern; + +import org.apache.qpid.server.security.Result; +import org.apache.qpid.util.NetMatcher; + +public class FirewallRule +{ + public static final String ALLOW = "ALLOW"; + public static final String DENY = "DENY"; + + private static final long DNS_TIMEOUT = 30000; + private static final ExecutorService DNS_LOOKUP = Executors.newCachedThreadPool(); + + private Result _access; + private NetMatcher _network; + private Pattern[] _hostnamePatterns; + + public FirewallRule(String access, List networks, List hostnames) + { + _access = (access.equalsIgnoreCase(ALLOW)) ? Result.ALLOWED : Result.DENIED; + + if (networks != null && networks.size() > 0) + { + String[] networkStrings = objListToStringArray(networks); + _network = new NetMatcher(networkStrings); + } + + if (hostnames != null && hostnames.size() > 0) + { + int i = 0; + _hostnamePatterns = new Pattern[hostnames.size()]; + for (String hostname : objListToStringArray(hostnames)) + { + _hostnamePatterns[i++] = Pattern.compile(hostname); + } + } + } + + private String[] objListToStringArray(List objList) + { + String[] networkStrings = new String[objList.size()]; + int i = 0; + for (Object network : objList) + { + networkStrings[i++] = (String) network; + } + return networkStrings; + } + + public boolean match(InetAddress remote) throws FirewallException + { + if (_hostnamePatterns != null) + { + String hostname = getHostname(remote); + if (hostname == null) + { + throw new FirewallException("DNS lookup failed"); + } + for (Pattern pattern : _hostnamePatterns) + { + if (pattern.matcher(hostname).matches()) + { + return true; + } + } + return false; + } + else + { + return _network.matchInetNetwork(remote); + } + } + + /** + * @param remote the InetAddress to look up + * @return the hostname, null if not found, takes longer than 30s to find or otherwise fails + */ + private String getHostname(final InetAddress remote) throws FirewallException + { + FutureTask<String> lookup = new FutureTask<String>(new Callable<String>() + { + public String call() + { + return remote.getCanonicalHostName(); + } + }); + DNS_LOOKUP.execute(lookup); + + try + { + return lookup.get(DNS_TIMEOUT, TimeUnit.MILLISECONDS); + } + catch (Exception e) + { + return null; + } + finally + { + lookup.cancel(true); + } + } + + public Result getAccess() + { + return _access; + } +}
\ No newline at end of file diff --git a/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java new file mode 100644 index 0000000000..a6ea9d261e --- /dev/null +++ b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java @@ -0,0 +1,136 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import java.net.InetAddress; +import java.net.InetSocketAddress; + +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin; +import org.apache.qpid.server.security.AbstractPlugin; +import org.apache.qpid.server.security.Result; +import org.apache.qpid.server.security.SecurityPluginFactory; +import org.apache.qpid.server.security.access.ObjectProperties; +import org.apache.qpid.server.security.access.ObjectType; +import org.apache.qpid.server.security.access.Operation; +import org.apache.qpid.server.security.access.config.FirewallException; +import org.apache.qpid.server.security.access.config.FirewallRule; + +public class Firewall extends AbstractPlugin +{ + public static final SecurityPluginFactory<Firewall> FACTORY = new SecurityPluginFactory<Firewall>() + { + public Firewall newInstance(ConfigurationPlugin config) throws ConfigurationException + { + FirewallConfiguration configuration = config.getConfiguration(FirewallConfiguration.class.getName()); + + // If there is no configuration for this plugin then don't load it. + if (configuration == null) + { + return null; + } + + Firewall plugin = new Firewall(); + plugin.configure(configuration); + return plugin; + } + + public Class<Firewall> getPluginClass() + { + return Firewall.class; + } + + public String getPluginName() + { + return Firewall.class.getName(); + } + }; + + private Result _default = Result.ABSTAIN; + private FirewallRule[] _rules; + + public Result getDefault() + { + return _default; + } + + public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties) + { + return Result.ABSTAIN; // We only deal with access requests + } + + public Result access(ObjectType objectType, Object instance) + { + if (objectType != ObjectType.VIRTUALHOST) + { + return Result.ABSTAIN; // We are only interested in access to virtualhosts + } + + if (!(instance instanceof InetSocketAddress)) + { + return Result.ABSTAIN; // We need an internet address + } + + InetAddress address = ((InetSocketAddress) instance).getAddress(); + + try + { + for (FirewallRule rule : _rules) + { + boolean match = rule.match(address); + if (match) + { + return rule.getAccess(); + } + } + return getDefault(); + } + catch (FirewallException fe) + { + return Result.DENIED; + } + } + + + public void configure(ConfigurationPlugin config) + { + super.configure(config); + FirewallConfiguration firewallConfiguration = (FirewallConfiguration) _config; + + // Get default action + _default = firewallConfiguration.getDefaultAction(); + + Configuration finalConfig = firewallConfiguration.getConfiguration(); + + // all rules must have an access attribute + int numRules = finalConfig.getList("rule[@access]").size(); + _rules = new FirewallRule[numRules]; + for (int i = 0; i < numRules; i++) + { + FirewallRule rule = new FirewallRule(finalConfig.getString("rule(" + i + ")[@access]"), + finalConfig.getList("rule(" + i + ")[@network]"), + finalConfig.getList("rule(" + i + ")[@hostname]")); + _rules[i] = rule; + } + + } +} diff --git a/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java new file mode 100644 index 0000000000..c20bba8d2c --- /dev/null +++ b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java @@ -0,0 +1,42 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory; +import org.apache.qpid.server.security.SecurityPluginActivator; +import org.apache.qpid.server.security.SecurityPluginFactory; +import org.osgi.framework.BundleActivator; + +/** + * The OSGi {@link BundleActivator} for {@link Firewall}. + */ +public class FirewallActivator extends SecurityPluginActivator +{ + public SecurityPluginFactory getFactory() + { + return Firewall.FACTORY; + } + + public ConfigurationPluginFactory getConfigurationFactory() + { + return FirewallConfiguration.FACTORY; + } +} diff --git a/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java new file mode 100644 index 0000000000..b10656d622 --- /dev/null +++ b/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java @@ -0,0 +1,102 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import java.util.Arrays; +import java.util.List; + +import org.apache.commons.configuration.CompositeConfiguration; +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.commons.configuration.XMLConfiguration; +import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin; +import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory; +import org.apache.qpid.server.security.Result; +import org.apache.qpid.server.security.access.config.FirewallRule; + +public class FirewallConfiguration extends ConfigurationPlugin +{ + CompositeConfiguration _finalConfig; + + public static final ConfigurationPluginFactory FACTORY = new ConfigurationPluginFactory() + { + public ConfigurationPlugin newInstance(String path, Configuration config) throws ConfigurationException + { + ConfigurationPlugin instance = new FirewallConfiguration(); + instance.setConfiguration(path, config); + return instance; + } + + public List<String> getParentPaths() + { + return Arrays.asList("security.firewall", "virtualhosts.virtualhost.security.firewall"); + } + }; + + public String[] getElementsProcessed() + { + return new String[] { "" }; + } + + public Configuration getConfiguration() + { + return _finalConfig; + } + + public Result getDefaultAction() + { + String defaultAction = _configuration.getString("[@default-action]"); + if (defaultAction == null) + { + return Result.ABSTAIN; + } + else if (defaultAction.equalsIgnoreCase(FirewallRule.ALLOW)) + { + return Result.ALLOWED; + } + else + { + return Result.DENIED; + } + } + + + + @Override + public void validateConfiguration() throws ConfigurationException + { + // Valid Configuration either has xml links to new files + _finalConfig = new CompositeConfiguration(_configuration); + List subFiles = _configuration.getList("xml[@fileName]"); + for (Object subFile : subFiles) + { + _finalConfig.addConfiguration(new XMLConfiguration((String) subFile)); + } + + // all rules must have an access attribute or a default value + if (_finalConfig.getList("rule[@access]").size() == 0 && + _configuration.getString("[@default-action]") == null) + { + throw new ConfigurationException("No rules or default-action found in firewall configuration."); + } + } + +} |