/*
*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.qpid.server.security.access.plugins;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
import org.apache.qpid.server.security.AbstractPlugin;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.SecurityPluginFactory;
import org.apache.qpid.server.security.access.ObjectProperties;
import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.access.config.FirewallException;
import org.apache.qpid.server.security.access.config.FirewallRule;
import java.net.InetAddress;
import java.net.InetSocketAddress;
public class Firewall extends AbstractPlugin
{
public static final SecurityPluginFactory<Firewall> FACTORY = new SecurityPluginFactory<Firewall>()
{
public Firewall newInstance(ConfigurationPlugin config) throws ConfigurationException
{
FirewallConfiguration configuration = config.getConfiguration(FirewallConfiguration.class.getName());
// If there is no configuration for this plugin then don't load it.
if (configuration == null)
{
return null;
}
Firewall plugin = new Firewall();
plugin.configure(configuration);
return plugin;
}
public Class<Firewall> getPluginClass()
{
return Firewall.class;
}
public String getPluginName()
{
return Firewall.class.getName();
}
};
private Result _default = Result.ABSTAIN;
private FirewallRule[] _rules;
public Result getDefault()
{
return _default;
}
public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties)
{
return Result.ABSTAIN; // We only deal with access requests
}
public Result access(ObjectType objectType, Object instance)
{
if (objectType != ObjectType.VIRTUALHOST)
{
return Result.ABSTAIN; // We are only interested in access to virtualhosts
}
if (!(instance instanceof InetSocketAddress))
{
return Result.ABSTAIN; // We need an internet address
}
InetAddress address = ((InetSocketAddress) instance).getAddress();
try
{
for (FirewallRule rule : _rules)
{
boolean match = rule.match(address);
if (match)
{
return rule.getAccess();
}
}
return getDefault();
}
catch (FirewallException fe)
{
return Result.DENIED;
}
}
public void configure(ConfigurationPlugin config)
{
super.configure(config);
FirewallConfiguration firewallConfiguration = (FirewallConfiguration) getConfig();
// Get default action
_default = firewallConfiguration.getDefaultAction();
Configuration finalConfig = firewallConfiguration.getConfiguration();
// all rules must have an access attribute
int numRules = finalConfig.getList("rule[@access]").size();
_rules = new FirewallRule[numRules];
for (int i = 0; i < numRules; i++)
{
FirewallRule rule = new FirewallRule(finalConfig.getString("rule(" + i + ")[@access]"),
finalConfig.getList("rule(" + i + ")[@network]"),
finalConfig.getList("rule(" + i + ")[@hostname]"));
_rules[i] = rule;
}
}
}