authorAidan Skinner <aidan@apache.org>2009-02-11 11:18:58 +0000
committerAidan Skinner <aidan@apache.org>2009-02-11 11:18:58 +0000
commitd9e961d4d3c0f64784fb0ca285f8388ae8535010 (patch)
tree99de35d1b1f1ee0dfa3b23406ba671b0cb626879 /java/broker/src/main
parente520915a8161af6fb39ff3fc68924f0e4b87da85 (diff)
Merge branch 'QPID-1583'
Conflicts: qpid/java/common/src/main/java/org/apache/qpid/util/NetMatcher.java git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@743304 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/broker/src/main')
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractACLPlugin.java99
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallFactory.java44
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java146
3 files changed, 289 insertions, 0 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractACLPlugin.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractACLPlugin.java
new file mode 100644
index 0000000000..682135bc25
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractACLPlugin.java
@@ -0,0 +1,99 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.plugins;
+
+import org.apache.qpid.framing.AMQShortString;
+import org.apache.qpid.server.exchange.Exchange;
+import org.apache.qpid.server.protocol.AMQProtocolSession;
+import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.virtualhost.VirtualHost;
+
+/**
+ * This ACLPlugin abstains from all votes. Useful if your plugin only cares about a few operations.
+ */
+public abstract class AbstractACLPlugin implements ACLPlugin
+{
+
+ private static final AuthzResult DEFAULT_ANSWER = AuthzResult.ABSTAIN;
+
+ public AuthzResult authoriseBind(AMQProtocolSession session, Exchange exch, AMQQueue queue,
+ AMQShortString routingKey)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authoriseConnect(AMQProtocolSession session, VirtualHost virtualHost)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authoriseConsume(AMQProtocolSession session, boolean noAck, AMQQueue queue)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authoriseConsume(AMQProtocolSession session, boolean exclusive, boolean noAck, boolean noLocal,
+ boolean nowait, AMQQueue queue)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authoriseCreateExchange(AMQProtocolSession session, boolean autoDelete, boolean durable,
+ AMQShortString exchangeName, boolean internal, boolean nowait, boolean passive, AMQShortString exchangeType)
+ {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public AuthzResult authoriseCreateQueue(AMQProtocolSession session, boolean autoDelete, boolean durable,
+ boolean exclusive, boolean nowait, boolean passive, AMQShortString queue)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authoriseDelete(AMQProtocolSession session, AMQQueue queue)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authoriseDelete(AMQProtocolSession session, Exchange exchange)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authorisePublish(AMQProtocolSession session, boolean immediate, boolean mandatory,
+ AMQShortString routingKey, Exchange e)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authorisePurge(AMQProtocolSession session, AMQQueue queue)
+ {
+ return DEFAULT_ANSWER;
+ }
+
+ public AuthzResult authoriseUnbind(AMQProtocolSession session, Exchange exch, AMQShortString routingKey,
+ AMQQueue queue)
+ {
+ return DEFAULT_ANSWER;
+ }
+}
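Review bot: `authoriseCreateExchange` returns `null` instead of the abstain vote the class comment promises, so a subclass that only overrides `authoriseConnect` hands the authorisation chain a null result for exchange creation, and any caller that switches on or compares the `AuthzResult` will fail with an NPE rather than fall through to the other plugins. Replace the stub body with `return DEFAULT_ANSWER;` and drop the auto-generated TODO. The class Javadoc would also benefit from saying that subclasses override only the operations they care about and that every other vote is `ABSTAIN`, which presumably lets the remaining configured plugins decide — I cannot see `AuthzResult` or the chain logic from here, so that wording should be confirmed against them.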
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallFactory.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallFactory.java
new file mode 100644
index 0000000000..7fcf4a0494
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallFactory.java
@@ -0,0 +1,44 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.plugins.network;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.security.access.ACLPluginFactory;
+
+public class FirewallFactory implements ACLPluginFactory
+{
+
+ @Override
+ public ACLPlugin newInstance(Configuration config)
+ {
+ FirewallPlugin plugin = new FirewallPlugin();
+ plugin.setConfiguration(config);
+ return plugin;
+ }
+
+ @Override
+ public boolean supportsTag(String name)
+ {
+ return name.equals("firewall");
+ }
+
+}
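Review bot: `supportsTag` dereferences `name` before comparing, so a null tag name raises an NPE instead of returning false; `return "firewall".equals(name);` is the safer form. `newInstance` likewise passes whatever it is given straight to `setConfiguration`, so a null `config` fails inside the plugin rather than at the factory boundary; `Objects.requireNonNull(config, "config");` makes that contract explicit. A one-line class Javadoc naming the `firewall` configuration element this factory binds to would help the next reader.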
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java
new file mode 100644
index 0000000000..c0089d5e12
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java
@@ -0,0 +1,146 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.plugins.network;
+
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.SocketAddress;
+import java.util.regex.Pattern;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.qpid.server.protocol.AMQMinaProtocolSession;
+import org.apache.qpid.server.protocol.AMQProtocolSession;
+import org.apache.qpid.server.security.access.plugins.AbstractACLPlugin;
+import org.apache.qpid.server.virtualhost.VirtualHost;
+import org.apache.qpid.util.NetMatcher;
+
+import sun.net.util.IPAddressUtil;
+
+public class FirewallPlugin extends AbstractACLPlugin
+{
+
+ public class FirewallRule
+ {
+
+ private AuthzResult _access;
+ private NetMatcher _network;
+ private Pattern _hostnamePattern;
+
+ public FirewallRule(String access, String network, String hostname)
+ {
+ _access = (access.equals("allow")) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
+ _network = (network != null) ? new NetMatcher(new String[]{network}) : null;
+ _hostnamePattern = (hostname != null) ? Pattern.compile(hostname) : null;
+ }
+
+ public boolean match(InetAddress remote)
+ {
+ if (_hostnamePattern != null)
+ {
+ return _hostnamePattern.matcher(remote.getCanonicalHostName()).matches();
+ }
+ else
+ {
+ return _network.matchInetNetwork(remote);
+ }
+ }
+
+ public AuthzResult getAccess()
+ {
+ return _access;
+ }
+
+ }
+
+ private AuthzResult _default = AuthzResult.ABSTAIN;
+ private FirewallRule[] _rules;
+
+ @Override
+ public AuthzResult authoriseConnect(AMQProtocolSession session, VirtualHost virtualHost)
+ {
+ if (!(session instanceof AMQMinaProtocolSession))
+ {
+ return AuthzResult.ABSTAIN; // We only deal with tcp sessions, which mean MINA right now
+ }
+
+ InetAddress addr = getInetAdressFromMinaSession((AMQMinaProtocolSession) session);
+
+ if (addr == null)
+ {
+ return AuthzResult.ABSTAIN; // Not an Inet socket on the other end
+ }
+
+ boolean match = false;
+ for (FirewallRule rule : _rules)
+ {
+ match = rule.match(addr);
+ if (match)
+ {
+ return rule.getAccess();
+ }
+ }
+ return _default;
+
+ }
+
+ private InetAddress getInetAdressFromMinaSession(AMQMinaProtocolSession session)
+ {
+ SocketAddress remote = session.getIOSession().getRemoteAddress();
+ if (remote instanceof InetSocketAddress)
+ {
+ return ((InetSocketAddress) remote).getAddress();
+ }
+ else
+ {
+ return null;
+ }
+ }
+
+ @Override
+ public void setConfiguration(Configuration config)
+ {
+ // Get default action
+ String defaultAction = config.getString("[@default-action]");
+ if (defaultAction == null) {
+ _default = AuthzResult.ABSTAIN;
+ }
+ else if (defaultAction.toLowerCase().equals("allow"))
+ {
+ _default = AuthzResult.ALLOWED;
+ }
+ else
+ {
+ _default = AuthzResult.DENIED;
+ }
+
+ int numRules = config.getList("rule[@access]").size(); // all rules must
+ // have an access
+ // attribute
+ _rules = new FirewallRule[numRules];
+ for (int i = 0; i < numRules; i++)
+ {
+ FirewallRule rule = new FirewallRule((String) config.getProperty("rule(" + i + ")[@access]"),
+ (String) config.getProperty("rule(" + i + ")[@network]"), (String) config.getProperty("rule(" + i
+ + ")[@hostname]"));
+ _rules[i] = rule;
+ }
+ }
+}
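Review bot: A `rule` element with neither a `network` nor a `hostname` attribute is accepted by the `FirewallRule` constructor but dereferences the null `_network` in `match()` on the first incoming connection; reject it at configuration time instead: `if (network == null && hostname == null) throw new IllegalArgumentException("firewall rule needs a network or hostname attribute");`. The rule count in `setConfiguration` comes from `rule[@access]` while the reads use positional `rule(i)`, so a rule missing `access` shifts the indices of the rules after it and passes null into `access.equals`, and `access` is compared case-sensitively while `default-action` is lower-cased — anything other than exactly `allow` silently becomes a deny. The `hostname` branch calls `getCanonicalHostName()`, a blocking reverse-DNS lookup on every connection whose answer depends on DNS data the peer's operator may influence, and per the JDK documentation a failed lookup yields the IP literal, which is then matched against the regex; a comment in `match()` that `network` rules are the authoritative form and that a hostname rule's `network` attribute is ignored when both are present would be worth adding. The `sun.net.util.IPAddressUtil` import is unused and, being an internal JDK API, should be removed.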