From 3a575db71a1de1a06d8f1d1dbb517ad8e9decf9b Mon Sep 17 00:00:00 2001
From: Robert Gemmell <robbie@apache.org>
Date: Mon, 31 May 2010 16:07:01 +0000
Subject: QPID-2573: Implement the Firewall functionality as an OSGi plugin

Applied patch from Andrew Kennedy <andrew.international@gmail.com>


git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@949785 13f79535-47bb-0310-9956-ffa450edef68
---
 .../security/access/FirewallConfigurationTest.java | 374 +++++++++++++++++++++
 .../server/security/access/FirewallPluginTest.java | 299 ++++++++++++++++
 2 files changed, 673 insertions(+)
 create mode 100644 java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java
 create mode 100644 java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java

(limited to 'java/broker-plugins/firewall/src/test')

diff --git a/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java
new file mode 100644
index 0000000000..e688114461
--- /dev/null
+++ b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java
@@ -0,0 +1,374 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.RandomAccessFile;
+
+import junit.framework.TestCase;
+
+import org.apache.qpid.server.protocol.AMQProtocolEngine;
+import org.apache.qpid.server.protocol.AMQProtocolSession;
+import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.registry.ConfigurationFileApplicationRegistry;
+import org.apache.qpid.server.virtualhost.VirtualHost;
+import org.apache.qpid.server.virtualhost.VirtualHostRegistry;
+import org.apache.qpid.transport.TestNetworkDriver;
+
+public class FirewallConfigurationTest extends TestCase
+{
+    @Override
+    public void setUp()
+    {
+        //Highlight that this test will cause a new AR to be created
+        //ApplicationRegistry.getInstance();
+    }
+
+    @Override
+    public void tearDown() throws Exception
+    {
+        //Correctly Close the AR we created
+        //ApplicationRegistry.remove();
+    }
+
+    public void testFirewallConfiguration() throws Exception
+    {
+        // Write out config
+        File mainFile = File.createTempFile(getClass().getName(), null);
+        mainFile.deleteOnExit();
+        writeConfigFile(mainFile, false);
+
+        // Load config
+        ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile);
+        try
+        {
+            ApplicationRegistry.initialise(reg, 1);
+
+            // Test config
+            assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1"));
+            assertTrue(reg.getSecurityManager().accessVirtualhost("test", "127.1.2.3"));
+        }
+        finally
+        {
+            ApplicationRegistry.remove(1);
+        }
+    }
+
+    public void testCombinedConfigurationFirewall() throws Exception
+    {
+        // Write out config
+        File mainFile = File.createTempFile(getClass().getName(), null);
+        File fileA = File.createTempFile(getClass().getName(), null);
+        File fileB = File.createTempFile(getClass().getName(), null);
+
+        mainFile.deleteOnExit();
+        fileA.deleteOnExit();
+        fileB.deleteOnExit();
+
+        FileWriter out = new FileWriter(mainFile);
+        out.write("<configuration><system/>");
+        out.write("<xml fileName=\"" + fileA.getAbsolutePath() + "\"/>");
+        out.write("</configuration>");
+        out.close();
+
+        out = new FileWriter(fileA);
+        out.write("<broker>\n");
+        out.write("\t<plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>\n");
+        out.write("\t<management><enabled>false</enabled></management>\n");
+        out.write("\t<security>\n");
+        out.write("\t\t<principal-databases>\n");
+        out.write("\t\t\t<principal-database>\n");
+        out.write("\t\t\t\t<name>passwordfile</name>\n");
+        out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n");
+        out.write("\t\t\t\t<attributes>\n");
+        out.write("\t\t\t\t\t<attribute>\n");
+        out.write("\t\t\t\t\t\t<name>passwordFile</name>\n");
+        out.write("\t\t\t\t\t\t<value>/dev/null</value>\n");
+        out.write("\t\t\t\t\t</attribute>\n");
+        out.write("\t\t\t\t</attributes>\n");
+        out.write("\t\t\t</principal-database>\n");
+        out.write("\t\t</principal-databases>\n");
+        out.write("\t\t<jmx>\n");
+        out.write("\t\t\t<access>/dev/null</access>\n");
+        out.write("\t\t\t<principal-database>passwordfile</principal-database>\n");
+        out.write("\t\t</jmx>\n");
+        out.write("\t\t<firewall>\n");
+        out.write("\t\t\t<xml fileName=\"" + fileB.getAbsolutePath() + "\"/>");
+        out.write("\t\t</firewall>\n");
+        out.write("\t</security>\n");
+        out.write("\t<virtualhosts>\n");
+        out.write("\t\t<virtualhost>\n");
+        out.write("\t\t\t<name>test</name>\n");
+        out.write("\t\t</virtualhost>\n");
+        out.write("\t</virtualhosts>\n");
+        out.write("</broker>\n");
+        out.close();
+
+        out = new FileWriter(fileB);
+        out.write("<firewall>\n");
+        out.write("\t<rule access=\"deny\" network=\"127.0.0.1\"/>");
+        out.write("</firewall>\n");
+        out.close();
+
+        // Load config
+        ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile);
+        try
+        {
+            ApplicationRegistry.initialise(reg, 1);
+
+            // Test config
+            assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1"));
+        }
+        finally
+        {
+            ApplicationRegistry.remove(1);
+        }
+    }
+
+    public void testConfigurationFirewallReload() throws Exception
+    {
+        // Write out config
+        File mainFile = File.createTempFile(getClass().getName(), null);
+
+        mainFile.deleteOnExit();
+        writeConfigFile(mainFile, false);
+
+        // Load config
+        ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile);
+        try
+        {
+            ApplicationRegistry.initialise(reg, 1);
+
+            // Test config
+            assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1"));
+
+            // Switch to deny the connection
+            writeConfigFile(mainFile, true);
+
+            reg.getConfiguration().reparseConfigFileSecuritySections();
+
+            assertTrue(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1"));
+        }
+        finally
+        {
+            ApplicationRegistry.remove(1);
+        }
+    }
+
+    public void testCombinedConfigurationFirewallReload() throws Exception
+    {
+        // Write out config
+        File mainFile = File.createTempFile(getClass().getName(), null);
+        File fileA = File.createTempFile(getClass().getName(), null);
+        File fileB = File.createTempFile(getClass().getName(), null);
+
+        mainFile.deleteOnExit();
+        fileA.deleteOnExit();
+        fileB.deleteOnExit();
+
+        FileWriter out = new FileWriter(mainFile);
+        out.write("<configuration><system/>");
+        out.write("<xml fileName=\"" + fileA.getAbsolutePath() + "\"/>");
+        out.write("</configuration>");
+        out.close();
+
+        out = new FileWriter(fileA);
+        out.write("<broker>\n");
+        out.write("\t<plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>\n");
+        out.write("\t<management><enabled>false</enabled></management>\n");
+        out.write("\t<security>\n");
+        out.write("\t\t<principal-databases>\n");
+        out.write("\t\t\t<principal-database>\n");
+        out.write("\t\t\t\t<name>passwordfile</name>\n");
+        out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n");
+        out.write("\t\t\t\t<attributes>\n");
+        out.write("\t\t\t\t\t<attribute>\n");
+        out.write("\t\t\t\t\t\t<name>passwordFile</name>\n");
+        out.write("\t\t\t\t\t\t<value>/dev/null</value>\n");
+        out.write("\t\t\t\t\t</attribute>\n");
+        out.write("\t\t\t\t</attributes>\n");
+        out.write("\t\t\t</principal-database>\n");
+        out.write("\t\t</principal-databases>\n");
+        out.write("\t\t<jmx>\n");
+        out.write("\t\t\t<access>/dev/null</access>\n");
+        out.write("\t\t\t<principal-database>passwordfile</principal-database>\n");
+        out.write("\t\t</jmx>\n");
+        out.write("\t\t<firewall>\n");
+        out.write("\t\t\t<xml fileName=\"" + fileB.getAbsolutePath() + "\"/>");
+        out.write("\t\t</firewall>\n");
+        out.write("\t</security>\n");
+        out.write("\t<virtualhosts>\n");
+        out.write("\t\t<virtualhost>\n");
+        out.write("\t\t\t<name>test</name>\n");
+        out.write("\t\t</virtualhost>\n");
+        out.write("\t</virtualhosts>\n");
+        out.write("</broker>\n");
+        out.close();
+
+        out = new FileWriter(fileB);
+        out.write("<firewall>\n");
+        out.write("\t<rule access=\"deny\" network=\"127.0.0.1\"/>");
+        out.write("</firewall>\n");
+        out.close();
+
+        // Load config
+        ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile);
+        try
+        {
+            ApplicationRegistry.initialise(reg, 1);
+
+            // Test config
+            assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1"));
+
+            RandomAccessFile fileBRandom = new RandomAccessFile(fileB, "rw");
+            fileBRandom.setLength(0);
+            fileBRandom.seek(0);
+            fileBRandom.close();
+
+            out = new FileWriter(fileB);
+            out.write("<firewall>\n");
+            out.write("\t<rule access=\"allow\" network=\"127.0.0.1\"/>");
+            out.write("</firewall>\n");
+            out.close();
+
+            reg.getConfiguration().reparseConfigFileSecuritySections();
+
+            assertTrue(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1"));
+
+            fileBRandom = new RandomAccessFile(fileB, "rw");
+            fileBRandom.setLength(0);
+            fileBRandom.seek(0);
+            fileBRandom.close();
+
+            out = new FileWriter(fileB);
+            out.write("<firewall>\n");
+            out.write("\t<rule access=\"deny\" network=\"127.0.0.1\"/>");
+            out.write("</firewall>\n");
+            out.close();
+
+            reg.getConfiguration().reparseConfigFileSecuritySections();
+
+            assertFalse(reg.getSecurityManager().accessVirtualhost("test", "127.0.0.1"));
+        }
+        finally
+        {
+            ApplicationRegistry.remove(1);
+        }
+    }
+
+    private void writeFirewallVhostsFile(File vhostsFile, boolean allow) throws IOException
+    {
+        FileWriter out = new FileWriter(vhostsFile);
+        String ipAddr = "127.0.0.1"; // FIXME: get this from InetAddress.getLocalHost().getAddress() ?
+        out.write("<virtualhosts><virtualhost>");
+        out.write("<name>test</name>");
+        out.write("<test>");
+        out.write("<security><firewall>");
+        out.write("<rule access=\""+((allow) ? "allow" : "deny")+"\" network=\""+ipAddr +"\"/>");
+        out.write("</firewall></security>");
+        out.write("</test>");
+        out.write("</virtualhost></virtualhosts>");
+        out.close();
+    }
+
+    private void writeConfigFile(File mainFile, boolean allow) throws IOException {
+        writeConfigFile(mainFile, allow, true, null, "test");
+    }
+
+    /*
+        XMLConfiguration config = new XMLConfiguration(mainFile);
+        PluginManager pluginManager = new MockPluginManager("");
+        SecurityManager manager = new SecurityManager(config, pluginManager, Firewall.FACTORY);
+        
+     */
+    private void writeConfigFile(File mainFile, boolean allow, boolean includeVhosts, File vhostsFile, String name) throws IOException {
+        FileWriter out = new FileWriter(mainFile);
+        out.write("<broker>\n");
+        out.write("\t<plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>\n");
+        out.write("\t<management><enabled>false</enabled></management>\n");
+        out.write("\t<security>\n");
+        out.write("\t\t<principal-databases>\n");
+        out.write("\t\t\t<principal-database>\n");
+        out.write("\t\t\t\t<name>passwordfile</name>\n");
+        out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n");
+        out.write("\t\t\t\t<attributes>\n");
+        out.write("\t\t\t\t\t<attribute>\n");
+        out.write("\t\t\t\t\t\t<name>passwordFile</name>\n");
+        out.write("\t\t\t\t\t\t<value>/dev/null</value>\n");
+        out.write("\t\t\t\t\t</attribute>\n");
+        out.write("\t\t\t\t</attributes>\n");
+        out.write("\t\t\t</principal-database>\n");
+        out.write("\t\t</principal-databases>\n");
+        out.write("\t\t<jmx>\n");
+        out.write("\t\t\t<access>/dev/null</access>\n");
+        out.write("\t\t\t<principal-database>passwordfile</principal-database>\n");
+        out.write("\t\t</jmx>\n");
+        out.write("\t\t<firewall>\n");
+        out.write("\t\t\t<rule access=\""+ ((allow) ? "allow" : "deny") +"\" network=\"127.0.0.1\"/>");
+        out.write("\t\t</firewall>\n");
+        out.write("\t</security>\n");
+        if (includeVhosts)
+        {
+	        out.write("\t<virtualhosts>\n");
+            out.write("\t\t<default>test</default>\n");
+	        out.write("\t\t<virtualhost>\n");
+	        out.write(String.format("\t\t\t<name>%s</name>\n", name));
+	        out.write("\t\t</virtualhost>\n");
+	        out.write("\t</virtualhosts>\n");
+        }
+        if (vhostsFile != null)
+        {
+        	out.write("\t<virtualhosts>"+vhostsFile.getAbsolutePath()+"</virtualhosts>\n");	
+        }
+        out.write("</broker>\n");
+        out.close();
+    }
+    
+    /**
+     * Test that configuration loads correctly when virtual hosts are specified in an external
+     * configuration file only.
+     * <p>
+     * Test for QPID-2360
+     */
+    public void testExternalFirewallVirtualhostXMLFile() throws Exception
+    {
+        // Write out config
+        File mainFile = File.createTempFile(getClass().getName(), "config");
+        mainFile.deleteOnExit();
+        File vhostsFile = File.createTempFile(getClass().getName(), "vhosts");
+        vhostsFile.deleteOnExit();
+        writeConfigFile(mainFile, false, false, vhostsFile, null);    
+        writeFirewallVhostsFile(vhostsFile, false);
+
+        // Load config
+        ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile);
+        ApplicationRegistry.initialise(reg, 1);
+
+        // Test config
+        VirtualHostRegistry virtualHostRegistry = reg.getVirtualHostRegistry();
+        VirtualHost virtualHost = virtualHostRegistry.getVirtualHost("test");
+
+        assertEquals("Incorrect virtualhost count", 1, virtualHostRegistry.getVirtualHosts().size());
+        assertEquals("Incorrect virtualhost name", "test", virtualHost.getName());
+    }
+}
diff --git a/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java
new file mode 100644
index 0000000000..f94443228e
--- /dev/null
+++ b/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java
@@ -0,0 +1,299 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access;
+
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+
+import junit.framework.TestCase;
+
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.configuration.XMLConfiguration;
+import org.apache.qpid.server.protocol.AMQProtocolEngine;
+import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.security.Result;
+import org.apache.qpid.server.security.access.plugins.Firewall;
+import org.apache.qpid.server.security.access.plugins.FirewallConfiguration;
+import org.apache.qpid.server.virtualhost.VirtualHostRegistry;
+import org.apache.qpid.transport.TestNetworkDriver;
+
+public class FirewallPluginTest extends TestCase
+{
+    public class RuleInfo
+    {
+        private String _access;
+        private String _network;
+        private String _hostname;
+        
+        public void setAccess(String _access)
+        {
+            this._access = _access;
+        }
+        
+        public String getAccess()
+        {
+            return _access;
+        }
+        
+        public void setNetwork(String _network)
+        {
+            this._network = _network;
+        }
+        
+        public String getNetwork()
+        {
+            return _network;
+        }
+        
+        public void setHostname(String _hostname)
+        {
+            this._hostname = _hostname;
+        }
+        
+        public String getHostname()
+        {
+            return _hostname;
+        }
+    }
+
+    // IP address
+    private String _address;
+
+    @Override
+    public void setUp() throws Exception
+    {
+        super.setUp();
+        
+        _address = "127.0.0.1";
+
+        // Create new ApplicationRegistry
+        ApplicationRegistry.getInstance();
+    }
+
+    public void tearDown() throws Exception
+    {
+        // Correctly Close the AR that we created above
+        ApplicationRegistry.remove();
+        super.tearDown();
+    }
+
+    private Firewall initialisePlugin(String defaultAction, RuleInfo[] rules) throws IOException, ConfigurationException
+    {
+        // Create sample config file
+        File confFile = File.createTempFile(getClass().getSimpleName()+"conffile", null);
+        confFile.deleteOnExit();
+        BufferedWriter buf = new BufferedWriter(new FileWriter(confFile));
+        buf.write("<security>\n");
+        buf.write("<firewall default-action=\""+defaultAction+"\">\n");
+        if (rules != null)
+        {
+            for (RuleInfo rule : rules)
+            {
+                buf.write("<rule");
+                buf.write(" access=\""+rule.getAccess()+"\"");
+                if (rule.getHostname() != null)
+                {
+                    buf.write(" hostname=\""+rule.getHostname()+"\"");
+                }
+                if (rule.getNetwork() != null)
+                {
+                    buf.write(" network=\""+rule.getNetwork()+"\"");
+                }
+                buf.write("/>\n");
+            }
+        }
+        buf.write("</firewall>");
+        buf.write("</security>\n");
+        buf.close();
+        
+        // Configure plugin
+        FirewallConfiguration config = new FirewallConfiguration();
+        config.setConfiguration("", new XMLConfiguration(confFile));
+        Firewall plugin = new Firewall(config);
+        plugin._config = config;
+        plugin.configure();
+        return plugin;
+    }
+
+    private Firewall initialisePlugin(String string) throws ConfigurationException, IOException
+    {
+        return initialisePlugin(string, null);
+    }
+    
+    public void testDefaultAction() throws Exception
+    {
+        // Test simple deny
+        Firewall plugin = initialisePlugin("deny");
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+
+        // Test simple allow
+        plugin = initialisePlugin("allow");
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+    
+
+    public void testSingleIPRule() throws Exception
+    {
+        RuleInfo rule = new RuleInfo();
+        rule.setAccess("allow");
+        rule.setNetwork("192.168.23.23");
+        
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule});
+
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+        
+        // Set IP so that we're connected from the right address
+        _address = "192.168.23.23";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+    
+    public void testSingleNetworkRule() throws Exception
+    {
+        RuleInfo rule = new RuleInfo();
+        rule.setAccess("allow");
+        rule.setNetwork("192.168.23.0/24");
+        
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule});
+
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+        
+        // Set IP so that we're connected from the right address
+        _address = "192.168.23.23";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+
+    public void testSingleHostRule() throws Exception
+    {
+        RuleInfo rule = new RuleInfo();
+        rule.setAccess("allow");
+        rule.setHostname(new InetSocketAddress("127.0.0.1", 5672).getHostName());
+        
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule});
+
+        // Set IP so that we're connected from the right address
+        _address = "127.0.0.1";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+
+    public void testSingleHostWilcardRule() throws Exception
+    {
+        RuleInfo rule = new RuleInfo();
+        rule.setAccess("allow");
+        String hostname = new InetSocketAddress("127.0.0.1", 0).getHostName();
+        rule.setHostname(".*"+hostname.subSequence(hostname.length() - 1, hostname.length())+"*");
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule});
+
+        // Set IP so that we're connected from the right address
+        _address = "127.0.0.1";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+    
+    public void testSeveralFirstAllowsAccess() throws Exception
+    {
+        RuleInfo firstRule = new RuleInfo();
+        firstRule.setAccess("allow");
+        firstRule.setNetwork("192.168.23.23");
+        
+        RuleInfo secondRule = new RuleInfo();
+        secondRule.setAccess("deny");
+        secondRule.setNetwork("192.168.42.42");
+
+        RuleInfo thirdRule = new RuleInfo();
+        thirdRule.setAccess("deny");
+        thirdRule.setHostname("localhost");
+        
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule});
+
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+        
+        // Set IP so that we're connected from the right address
+        _address = "192.168.23.23";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+    
+    public void testSeveralLastAllowsAccess() throws Exception
+    {
+        RuleInfo firstRule = new RuleInfo();
+        firstRule.setAccess("deny");
+        firstRule.setHostname("localhost");
+        
+        RuleInfo secondRule = new RuleInfo();
+        secondRule.setAccess("deny");
+        secondRule.setNetwork("192.168.42.42");
+
+        RuleInfo thirdRule = new RuleInfo();
+        thirdRule.setAccess("allow");
+        thirdRule.setNetwork("192.168.23.23");
+        
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule});
+
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+        
+        // Set IP so that we're connected from the right address
+        _address = "192.168.23.23";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+
+    public void testNetmask() throws Exception
+    {
+        RuleInfo firstRule = new RuleInfo();
+        firstRule.setAccess("allow");
+        firstRule.setNetwork("192.168.23.0/24");
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule});
+
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+        
+        // Set IP so that we're connected from the right address
+        _address = "192.168.23.23";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+    
+    public void testCommaSeperatedNetmask() throws Exception
+    {
+        RuleInfo firstRule = new RuleInfo();
+        firstRule.setAccess("allow");
+        firstRule.setNetwork("10.1.1.1/8, 192.168.23.0/24");
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule});
+
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+        
+        // Set IP so that we're connected from the right address
+        _address = "192.168.23.23";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+    
+    public void testCommaSeperatedHostnames() throws Exception
+    {
+        RuleInfo firstRule = new RuleInfo();
+        firstRule.setAccess("allow");
+        firstRule.setHostname("foo, bar, "+new InetSocketAddress("127.0.0.1", 5672).getHostName());
+        Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule});
+        
+        // Set IP so that we're connected from the right address
+        _address = "10.0.0.1";
+        assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address));
+        
+        // Set IP so that we're connected from the right address
+        _address = "127.0.0.1";
+        assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address));
+    }
+}
-- 
cgit v1.2.1