From 7890dfb7d5192c5f752c5daaa4eb7b23d426135b Mon Sep 17 00:00:00 2001
From: Martin Ritchie <ritchiem@apache.org>
Date: Thu, 5 Apr 2007 16:47:59 +0000
Subject: QPID-416 Provided simple update to Access Control via
 FileAccessManager to allow access rights for a virtualhost to be stored in a
 separate file. Updated PrincipalDatabaseAccessManager to use the default
 AccessManager if the specified PrincipalDatabase is not an AccessManager.

git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/branches/M2@525867 13f79535-47bb-0310-9956-ffa450edef68
---
 java/broker/etc/access                             |   1 +
 .../server/security/access/FileAccessManager.java  | 162 +++++++++++++++++++++
 .../access/PrincipalDatabaseAccessManager.java     |  10 +-
 3 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 java/broker/etc/access
 create mode 100644 java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java

(limited to 'java')

diff --git a/java/broker/etc/access b/java/broker/etc/access
new file mode 100644
index 0000000000..273c9ced41
--- /dev/null
+++ b/java/broker/etc/access
@@ -0,0 +1 @@
+guest:test
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java
new file mode 100644
index 0000000000..3bf2397350
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java
@@ -0,0 +1,162 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+import org.apache.qpid.server.virtualhost.VirtualHost;
+import org.apache.log4j.Logger;
+
+import java.io.IOException;
+import java.io.BufferedReader;
+import java.io.FileReader;
+import java.io.FileNotFoundException;
+import java.io.File;
+import java.util.regex.Pattern;
+
+/**
+ * Represents a user database where the account information is stored in a simple flat file.
+ *
+ * The file is expected to be in the form: username:password username1:password1 ... usernamen:passwordn
+ *
+ * where a carriage return separates each username/password pair. Passwords are assumed to be in plain text.
+ */
+public class FileAccessManager implements AccessManager
+{
+    private static final Logger _logger = Logger.getLogger(FileAccessManager.class);
+
+    protected File _accessFile;
+
+    protected Pattern _regexp = Pattern.compile(":");
+
+    private static final short USER_INDEX = 0;
+    private static final short VIRTUALHOST_INDEX = 1;
+
+    public void setAccessFile(String accessFile) throws FileNotFoundException
+    {
+        File f = new File(accessFile);
+        _logger.info("FileAccessManager using file " + f.getAbsolutePath());
+        _accessFile = f;
+        if (!f.exists())
+        {
+            throw new FileNotFoundException("Cannot find access file " + f);
+        }
+        if (!f.canRead())
+        {
+            throw new FileNotFoundException("Cannot read access file " + f +
+                                            ". Check permissions.");
+        }
+    }
+
+    /**
+     * Looks up the virtual hosts for a specified user in the access file.
+     *
+     * @param user The user to lookup
+     *
+     * @return a list of virtualhosts
+     */
+    private String[] lookupVirtualHost(String user)
+    {
+        return lookup(user, VIRTUALHOST_INDEX);
+    }
+
+
+    private String[] lookup(String user, int index)
+    {
+        try
+        {
+            BufferedReader reader = null;
+            try
+            {
+                reader = new BufferedReader(new FileReader(_accessFile));
+                String line;
+
+                while ((line = reader.readLine()) != null)
+                {
+                    String[] result = _regexp.split(line);
+                    if (result == null || result.length < (index + 1))
+                    {
+                        continue;
+                    }
+
+                    if (user.equals(result[USER_INDEX]))
+                    {
+                        return result[index].split(",");
+                    }
+                }
+                return null;
+            }
+            finally
+            {
+                if (reader != null)
+                {
+                    reader.close();
+                }
+            }
+        }
+        catch (IOException ioe)
+        {
+            //ignore
+        }
+        return null;
+    }
+
+
+    public AccessResult isAuthorized(Accessable accessObject, String username)
+    {
+        if (accessObject instanceof VirtualHost)
+        {
+            String[] hosts = lookupVirtualHost(username);
+
+            if (hosts != null)
+            {
+                for (String host : hosts)
+                {
+                    if (accessObject.getAccessableName().equals(host))
+                    {
+                        return new AccessResult(this, AccessResult.AccessStatus.GRANTED);
+                    }
+                }
+            }
+        }
+//        else if (accessObject instanceof AMQQueue)
+//        {
+//            String[] queues = lookupQueue(username, ((AMQQueue) accessObject).getVirtualHost());
+//
+//            if (queues != null)
+//            {
+//                for (String queue : queues)
+//                {
+//                    if (accessObject.getAccessableName().equals(queue))
+//                    {
+//                        return new AccessResult(this, AccessResult.AccessStatus.GRANTED);
+//                    }
+//                }
+//            }
+//        }
+
+        return new AccessResult(this, AccessResult.AccessStatus.REFUSED);
+    }
+
+    public String getName()
+    {
+        return "FileAccessManager";
+    }
+
+}
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
index 0e447b5744..02b3dba17d 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
@@ -75,7 +75,15 @@ public class PrincipalDatabaseAccessManager implements AccessManager
         }
         else
         {
-            result = ((AccessManager) _database).isAuthorized(accessObject, username);
+            if (!(_database instanceof AccessManager))
+            {
+                _logger.warn("Specified PrincipalDatabase is not an AccessManager so using default AccessManager");
+                result = _default.isAuthorized(accessObject, username);
+            }
+            else
+            {
+                result = ((AccessManager) _database).isAuthorized(accessObject, username);
+            }
         }
 
         result.addAuthorizer(this);
-- 
cgit v1.2.1