QPID-2573: Implement the Firewall functionality as an OSGi plugin

Applied patch from Andrew Kennedy <andrew.international@gmail.com> git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@949785 13f79535-47bb-0310-9956-ffa450edef68
author: Robert Gemmell <robbie@apache.org> 2010-05-31 16:07:01 +0000
committer: Robert Gemmell <robbie@apache.org> 2010-05-31 16:07:01 +0000
commit: 3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b (patch)
tree: 30359796988995f52798936da845db2d5825e707 /java/broker-plugins/firewall/src/main
parent: cbeecb0e4e6ef1200ffc6afed4e1100828312850 (diff)
download: qpid-python-3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b.tar.gz
5 files changed, 418 insertions, 0 deletions
diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java
new file mode 100644
index 0000000000..a7395e40b4
--- /dev/null
+++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java
@@ -0,0 +1,30 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.config;
+
+/**
+ * Firewall plugin exception.
+ */
+public class FirewallException extends Exception
+{
+    /** serialVersionUID */
+    private static final long serialVersionUID = -1L;
+}
+\ No newline at end of file
diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java
new file mode 100644
index 0000000000..d6281f9382
--- /dev/null
+++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java
@@ -0,0 +1,143 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.config;
+
+import java.net.InetAddress;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.regex.Pattern;
+
+import org.apache.qpid.server.security.Result;
+import org.apache.qpid.util.NetMatcher;
+
+public class FirewallRule 
+{
+	public static final String ALLOW = "ALLOW";
+	public static final String DENY = "DENY";
+	
+    private static final long DNS_TIMEOUT = 30000;
+    private Result _access;
+    private NetMatcher _network;
+    private Pattern[] _hostnamePatterns;
+
+    public FirewallRule(String access, List networks, List hostnames)
+    {
+        _access = (access.equalsIgnoreCase(ALLOW)) ? Result.ALLOWED : Result.DENIED;
+
+        if (networks != null && networks.size() > 0)
+        {
+            String[] networkStrings = objListToStringArray(networks);
+            _network = new NetMatcher(networkStrings);
+        }
+
+        if (hostnames != null && hostnames.size() > 0)
+        {
+            int i = 0;
+            _hostnamePatterns = new Pattern[hostnames.size()];
+            for (String hostname : objListToStringArray(hostnames))
+            {
+                _hostnamePatterns[i++] = Pattern.compile(hostname);
+            }
+        }
+    }
+
+    private String[] objListToStringArray(List objList)
+    {
+        String[] networkStrings = new String[objList.size()];
+        int i = 0;
+        for (Object network : objList)
+        {
+            networkStrings[i++] = (String) network;
+        }
+        return networkStrings;
+    }
+
+    public boolean match(InetAddress remote) throws FirewallException
+    {
+        if (_hostnamePatterns != null)
+        {
+            String hostname = getHostname(remote);
+            if (hostname == null)
+            {
+                throw new FirewallException();
+            }
+            for (Pattern pattern : _hostnamePatterns)
+            {
+                if (pattern.matcher(hostname).matches())
+                {
+                    return true;
+                }
+            }
+            return false;
+        }
+        else
+        {
+            return _network.matchInetNetwork(remote);
+        }
+    }
+
+    /**
+     * @param remote the InetAddress to look up
+     * @return the hostname, null if not found or takes longer than 30s to find
+     */
+    private String getHostname(final InetAddress remote)
+    {
+        final String[] hostname = new String[]{null};
+        final AtomicBoolean done = new AtomicBoolean(false);
+        // Spawn thread
+        Thread thread = new Thread(new Runnable()
+        {
+           public void run()
+           {
+               hostname[0] = remote.getCanonicalHostName();
+               done.getAndSet(true);
+               synchronized (done)
+               {
+                   done.notifyAll();
+               }
+           }
+        });
+
+        thread.run();
+        long endTime = System.currentTimeMillis() + DNS_TIMEOUT;
+
+        while (System.currentTimeMillis() < endTime && !done.get())
+        {
+            try
+            {
+                synchronized (done)
+                {
+                    done.wait(endTime - System.currentTimeMillis());
+                }
+            }
+            catch (InterruptedException e)
+            {
+                // Check the time and if necessary sleep for a bit longer
+            }
+        }
+        return hostname[0];
+    }
+
+    public Result getAccess()
+    {
+        return _access;
+    }
+}
+\ No newline at end of file
diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java
new file mode 100644
index 0000000000..acd74d49f5
--- /dev/null
+++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java
@@ -0,0 +1,166 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.plugins;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.List;
+
+import org.apache.commons.configuration.CompositeConfiguration;
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.configuration.XMLConfiguration;
+import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
+import org.apache.qpid.server.security.AbstractPlugin;
+import org.apache.qpid.server.security.Result;
+import org.apache.qpid.server.security.SecurityPluginFactory;
+import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.qpid.server.security.access.ObjectType;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.access.config.FirewallException;
+import org.apache.qpid.server.security.access.config.FirewallRule;
+
+public class Firewall extends AbstractPlugin
+{
+    public static final SecurityPluginFactory<Firewall> FACTORY = new SecurityPluginFactory<Firewall>()
+    {
+        public Firewall newInstance(ConfigurationPlugin config) throws ConfigurationException
+        {
+            Firewall plugin = new Firewall(config);
+            plugin.configure();
+            return plugin;
+        }
+        
+        public Class<Firewall> getPluginClass()
+        {
+            return Firewall.class;
+        }
+
+        public String getPluginName()
+        {
+            return Firewall.class.getName();
+        }
+    };
+	
+    private Result _default = Result.ABSTAIN;
+    private FirewallRule[] _rules;
+    
+	public Result getDefault()
+	{
+		return _default;
+	}
+
+    public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties)
+    {
+        return Result.ABSTAIN; // We only deal with access requests
+    }
+
+    public Result access(ObjectType objectType, Object instance)
+    {
+        if (objectType != ObjectType.VIRTUALHOST)
+        {
+            return Result.ABSTAIN; // We are only interested in access to virtualhosts
+        }
+        
+        // TODO alter 0-10 code path to expose the SocketAddress object?
+        String address = (String) instance;
+        
+        if (address == null || address.trim().length() == 0)
+        {
+            return Result.ABSTAIN; // We need an address
+        }
+
+        try
+        {
+            int slash = address.indexOf('/');
+            int colon = address.indexOf(':');
+	        InetAddress addr = InetAddress.getByName(address.substring(slash == -1 ? 0 : slash + 1, colon == -1 ? address.length() : colon));
+            if (addr == null)
+            {
+                return Result.ABSTAIN; // Not a real address
+            }
+    
+            for (FirewallRule rule : _rules)
+            {
+                boolean match = rule.match(addr);
+                if (match)
+                {
+                    return rule.getAccess();
+                }
+            }
+            return getDefault();
+        }
+        catch (UnknownHostException uhe)
+        {
+            _logger.error("Address format invalid: " + address, uhe);
+            return Result.DENIED;
+        }
+        catch (FirewallException fe)
+        {
+            return Result.DENIED;
+        }
+    }
+    
+    public Firewall(ConfigurationPlugin config)
+    {
+        _config = config.getConfiguration(FirewallConfiguration.class);
+    }
+
+    public void configure() throws ConfigurationException
+    {
+        FirewallConfiguration config = (FirewallConfiguration) _config;
+        
+        if (isConfigured())
+        {
+            // Get default action
+            String defaultAction = config.getConfiguration().getString("[@default-action]");
+            if (defaultAction == null)
+            {
+                _default = Result.ABSTAIN;
+            }
+            else if (defaultAction.equalsIgnoreCase(FirewallRule.ALLOW))
+            {
+                _default = Result.ALLOWED;
+            }
+            else
+            {
+                _default = Result.DENIED;
+            }
+            
+            CompositeConfiguration finalConfig = new CompositeConfiguration(config.getConfiguration());
+            List subFiles = config.getConfiguration().getList("xml[@fileName]");
+            for (Object subFile : subFiles)
+            {
+                finalConfig.addConfiguration(new XMLConfiguration((String) subFile));
+            }
+    
+            // all rules must have an access attribute
+            int numRules = finalConfig.getList("rule[@access]").size();
+            _rules = new FirewallRule[numRules];
+            for (int i = 0; i < numRules; i++)
+            {
+                FirewallRule rule = new FirewallRule(finalConfig.getString("rule(" + i + ")[@access]"),
+    												 finalConfig.getList("rule(" + i + ")[@network]"),
+    												 finalConfig.getList("rule(" + i + ")[@hostname]"));
+                _rules[i] = rule;
+            }
+        }
+    }
+}
diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java
new file mode 100644
index 0000000000..22d34b676e
--- /dev/null
+++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java
@@ -0,0 +1,22 @@
+package org.apache.qpid.server.security.access.plugins;
+
+import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
+import org.apache.qpid.server.security.SecurityPluginActivator;
+import org.apache.qpid.server.security.SecurityPluginFactory;
+import org.osgi.framework.BundleActivator;
+
+/**
+ * The OSGi {@link BundleActivator} for {@link Firewall}.
+ */
+public class FirewallActivator extends SecurityPluginActivator
+{
+    public SecurityPluginFactory getFactory()
+    {
+        return Firewall.FACTORY;
+    }
+
+    public ConfigurationPluginFactory getConfigurationFactory()
+    {
+        return FirewallConfiguration.FACTORY;
+    }
+}
diff --git a/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java
new file mode 100644
index 0000000000..fe9f48f950
--- /dev/null
+++ b/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java
@@ -0,0 +1,57 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.plugins;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
+import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
+
+public class FirewallConfiguration extends ConfigurationPlugin
+{
+    public static final ConfigurationPluginFactory FACTORY = new ConfigurationPluginFactory() 
+    {
+        public ConfigurationPlugin newInstance(String path, Configuration config) throws ConfigurationException
+        {
+            ConfigurationPlugin instance = new FirewallConfiguration();
+            instance.setConfiguration(path, config);
+            return instance;
+        }
+
+        public List<String> getParentPaths()
+        {
+            return Arrays.asList("security", "virtualhosts.virtualhost.security");
+        }
+    };
+
+    public String[] getElementsProcessed()
+    {
+        return new String[] { "firewall" };
+    }
+
+    public Configuration getConfiguration()
+    {
+        return _configuration.subset("firewall");
+    }
+}
author	Robert Gemmell <robbie@apache.org>	2010-05-31 16:07:01 +0000
committer	Robert Gemmell <robbie@apache.org>	2010-05-31 16:07:01 +0000
commit	3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b (patch)
tree	30359796988995f52798936da845db2d5825e707 /java/broker-plugins/firewall/src/main
parent	cbeecb0e4e6ef1200ffc6afed4e1100828312850 (diff)
download	qpid-python-3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b.tar.gz