| author | Robert Gemmell <robbie@apache.org> | 2010-05-31 16:07:01 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2010-05-31 16:07:01 +0000 |
| commit | 3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b (patch) | |
| tree | 30359796988995f52798936da845db2d5825e707 /java/broker/src | |
| parent | cbeecb0e4e6ef1200ffc6afed4e1100828312850 (diff) | |
QPID-2573: Implement the Firewall functionality as an OSGi plugin
Applied patch from Andrew Kennedy <andrew.international@gmail.com>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@949785 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/broker/src')
2 files changed, 0 insertions, 559 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java
deleted file mode 100644
index 17d80c63fa..0000000000
--- a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.qpid.server.security.access.plugins.network; - -import java.net.InetAddress; -import java.net.InetSocketAddress; -import java.net.SocketAddress; -import java.util.List; -import java.util.concurrent.atomic.AtomicBoolean; -import java.util.regex.Pattern; - -import org.apache.commons.configuration.CompositeConfiguration; -import org.apache.commons.configuration.Configuration; -import org.apache.commons.configuration.ConfigurationException; -import org.apache.commons.configuration.XMLConfiguration; -import org.apache.qpid.protocol.ProtocolEngine; -import org.apache.qpid.server.security.access.ACLPlugin; -import org.apache.qpid.server.security.access.ACLPluginFactory; -import org.apache.qpid.server.security.access.plugins.AbstractACLPlugin; -import org.apache.qpid.server.security.PrincipalHolder; -import org.apache.qpid.server.virtualhost.VirtualHost; -import org.apache.qpid.util.NetMatcher; - -public class FirewallPlugin extends AbstractACLPlugin -{ - - public class FirewallPluginException extends Exception {} - - public static final ACLPluginFactory FACTORY = new ACLPluginFactory() - { - public boolean 
supportsTag(String name) - { - return name.startsWith("firewall"); - } - - public ACLPlugin newInstance(Configuration config) throws ConfigurationException - { - FirewallPlugin plugin = new FirewallPlugin(); - plugin.setConfiguration(config.subset("firewall")); - return plugin; - } - }; - - public class FirewallRule - { - - private static final long DNS_TIMEOUT = 30000; - private AuthzResult _access; - private NetMatcher _network; - private Pattern[] _hostnamePatterns; - - public FirewallRule(String access, List networks, List hostnames) - { - _access = (access.equals("allow")) ? AuthzResult.ALLOWED : AuthzResult.DENIED; - - if (networks != null && networks.size() > 0) - { - String[] networkStrings = objListToStringArray(networks); - _network = new NetMatcher(networkStrings); - } - - if (hostnames != null && hostnames.size() > 0) - { - int i = 0; - _hostnamePatterns = new Pattern[hostnames.size()]; - for (String hostname : objListToStringArray(hostnames)) - { - _hostnamePatterns[i++] = Pattern.compile(hostname); - } - } - - } - - private String[] objListToStringArray(List objList) - { - String[] networkStrings = new String[objList.size()]; - int i = 0; - for (Object network : objList) - { - networkStrings[i++] = (String) network; - } - return networkStrings; - } - - public boolean match(InetAddress remote) throws FirewallPluginException - { - if (_hostnamePatterns != null) - { - String hostname = getHostname(remote); - if (hostname == null) - { - throw new FirewallPluginException(); - } - for (Pattern pattern : _hostnamePatterns) - { - if (pattern.matcher(hostname).matches()) - { - return true; - } - } - return false; - } - else - { - return _network.matchInetNetwork(remote); - } - } - - /** - * @param remote the InetAddress to look up - * @return the hostname, null if not found or takes longer than 30s to find - */ - private String getHostname(final InetAddress remote) - { - final String[] hostname = new String[]{null}; - final AtomicBoolean done = new 
AtomicBoolean(false); - // Spawn thread - Thread thread = new Thread(new Runnable() - { - public void run() - { - hostname[0] = remote.getCanonicalHostName(); - done.getAndSet(true); - synchronized (done) - { - done.notifyAll(); - } - } - }); - - thread.run(); - long endTime = System.currentTimeMillis() + DNS_TIMEOUT; - - while (System.currentTimeMillis() < endTime && !done.get()) - { - try - { - synchronized (done) - { - done.wait(endTime - System.currentTimeMillis()); - } - } - catch (InterruptedException e) - { - // Check the time and if necessary sleep for a bit longer - } - } - return hostname[0]; - } - - public AuthzResult getAccess() - { - return _access; - } - - } - - private AuthzResult _default = AuthzResult.ABSTAIN; - private FirewallRule[] _rules; - - @Override - public AuthzResult authoriseConnect(PrincipalHolder principalHolder, VirtualHost virtualHost) - { - if(!(principalHolder instanceof ProtocolEngine)) - { - return AuthzResult.ABSTAIN; // We only deal with tcp sessions - } - - ProtocolEngine session = (ProtocolEngine) principalHolder; - - SocketAddress sockAddr = session.getRemoteAddress(); - if (!(sockAddr instanceof InetSocketAddress)) - { - return AuthzResult.ABSTAIN; // We only deal with tcp sessions - } - - InetAddress addr = ((InetSocketAddress) sockAddr).getAddress(); - - if (addr == null) - { - return AuthzResult.ABSTAIN; // Not an Inet socket on the other end - } - - boolean match = false; - for (FirewallRule rule : _rules) - { - try - { - match = rule.match(addr); - } - catch (FirewallPluginException e) - { - return AuthzResult.DENIED; - } - if (match) - { - return rule.getAccess(); - } - } - return _default; - - } - - public void setConfiguration(Configuration config) throws ConfigurationException - { - // Get default action - String defaultAction = config.getString("[@default-action]"); - if (defaultAction == null) - { - _default = AuthzResult.ABSTAIN; - } - else if (defaultAction.toLowerCase().equals("allow")) - { - _default = 
AuthzResult.ALLOWED; - } - else - { - _default = AuthzResult.DENIED; - } - CompositeConfiguration finalConfig = new CompositeConfiguration(config); - - List subFiles = config.getList("xml[@fileName]"); - for (Object subFile : subFiles) - { - finalConfig.addConfiguration(new XMLConfiguration((String) subFile)); - } - - // all rules must have an access attribute - int numRules = finalConfig.getList("rule[@access]").size(); - _rules = new FirewallRule[numRules]; - for (int i = 0; i < numRules; i++) - { - FirewallRule rule = new FirewallRule(finalConfig.getString("rule(" + i + ")[@access]"), finalConfig.getList("rule(" - + i + ")[@network]"), finalConfig.getList("rule(" + i + ")[@hostname]")); - _rules[i] = rule; - } - } -}
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java b/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java
deleted file mode 100644
index 5d3335c001..0000000000
--- a/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java
+++ /dev/null
@@ -1,303 +0,0 @@ -/* - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ - -package org.apache.qpid.server.security.access.plugins.network; - -import java.io.BufferedWriter; -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.net.InetSocketAddress; - -import junit.framework.TestCase; - -import org.apache.commons.configuration.ConfigurationException; -import org.apache.commons.configuration.XMLConfiguration; -import org.apache.qpid.server.protocol.AMQProtocolEngine; -import org.apache.qpid.server.registry.ApplicationRegistry; -import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult; -import org.apache.qpid.server.store.TestableMemoryMessageStore; -import org.apache.qpid.server.virtualhost.VirtualHost; -import org.apache.qpid.server.virtualhost.VirtualHostRegistry; -import org.apache.qpid.transport.TestNetworkDriver; - -public class FirewallPluginTest extends TestCase -{ - - public class RuleInfo - { - private String _access; - private String _network; - private String _hostname; - - public void setAccess(String _access) - { - this._access = _access; - } - - public String getAccess() - { - return _access; - } - - public void setNetwork(String _network) - { - 
this._network = _network; - } - - public String getNetwork() - { - return _network; - } - - public void setHostname(String _hostname) - { - this._hostname = _hostname; - } - - public String getHostname() - { - return _hostname; - } - } - - private TestableMemoryMessageStore _store; - private VirtualHost _virtualHost; - private AMQProtocolEngine _session; - private TestNetworkDriver _testDriver; - - @Override - public void setUp() throws Exception - { - super.setUp(); - _store = new TestableMemoryMessageStore(); - _testDriver = new TestNetworkDriver(); - _testDriver.setRemoteAddress("127.0.0.1"); - - // Retreive VirtualHost from the Registry - VirtualHostRegistry virtualHostRegistry = ApplicationRegistry.getInstance().getVirtualHostRegistry(); - _virtualHost = virtualHostRegistry.getVirtualHost("test"); - - _session = new AMQProtocolEngine(virtualHostRegistry, _testDriver); - } - - public void tearDown() throws Exception - { - // Correctly Close the AR that we created above - ApplicationRegistry.remove(); - super.tearDown(); - } - - private FirewallPlugin initialisePlugin(String defaultAction, RuleInfo[] rules) throws IOException, ConfigurationException - { - // Create sample config file - File confFile = File.createTempFile(getClass().getSimpleName()+"conffile", null); - confFile.deleteOnExit(); - BufferedWriter buf = new BufferedWriter(new FileWriter(confFile)); - buf.write("<firewall default-action=\""+defaultAction+"\">\n"); - if (rules != null) - { - for (RuleInfo rule : rules) - { - buf.write("<rule"); - buf.write(" access=\""+rule.getAccess()+"\""); - if (rule.getHostname() != null) - { - buf.write(" hostname=\""+rule.getHostname()+"\""); - } - if (rule.getNetwork() != null) - { - buf.write(" network=\""+rule.getNetwork()+"\""); - } - buf.write("/>\n"); - } - } - buf.write("</firewall>"); - buf.close(); - - // Configure plugin - FirewallPlugin plugin = new FirewallPlugin(); - plugin.setConfiguration(new XMLConfiguration(confFile)); - return plugin; - } - - 
private FirewallPlugin initialisePlugin(String string) throws ConfigurationException, IOException - { - return initialisePlugin(string, null); - } - - public void testDefaultAction() throws Exception - { - // Test simple deny - FirewallPlugin plugin = initialisePlugin("deny"); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); - - // Test simple allow - plugin = initialisePlugin("allow"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - - public void testSingleIPRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - rule.setNetwork("192.168.23.23"); - - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testSingleNetworkRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - rule.setNetwork("192.168.23.0/24"); - - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testSingleHostRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - rule.setHostname(new InetSocketAddress("127.0.0.1", 5672).getHostName()); - - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("127.0.0.1"); - assertEquals(AuthzResult.ALLOWED, 
plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testSingleHostWilcardRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - String hostname = new InetSocketAddress("127.0.0.1", 0).getHostName(); - rule.setHostname(".*"+hostname.subSequence(hostname.length() - 1, hostname.length())+"*"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("127.0.0.1"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testSeveralFirstAllowsAccess() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setNetwork("192.168.23.23"); - - RuleInfo secondRule = new RuleInfo(); - secondRule.setAccess("deny"); - secondRule.setNetwork("192.168.42.42"); - - RuleInfo thirdRule = new RuleInfo(); - thirdRule.setAccess("deny"); - thirdRule.setHostname("localhost"); - - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); - - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testSeveralLastAllowsAccess() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("deny"); - firstRule.setHostname("localhost"); - - RuleInfo secondRule = new RuleInfo(); - secondRule.setAccess("deny"); - secondRule.setNetwork("192.168.42.42"); - - RuleInfo thirdRule = new RuleInfo(); - thirdRule.setAccess("allow"); - thirdRule.setNetwork("192.168.23.23"); - - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); - - assertEquals(AuthzResult.DENIED, 
plugin.authoriseConnect(_session, _virtualHost)); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testNetmask() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setNetwork("192.168.23.0/24"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testCommaSeperatedNetmask() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setNetwork("10.1.1.1/8, 192.168.23.0/24"); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("192.168.23.23"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); - } - - public void testCommaSeperatedHostnames() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setHostname("foo, bar, "+new InetSocketAddress("127.0.0.1", 5672).getHostName()); - FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - _testDriver.setRemoteAddress("10.0.0.1"); - assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); - - // Set session IP so that we're connected from the right address - _testDriver.setRemoteAddress("127.0.0.1"); - assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, 
_virtualHost)); - } - -} |
