Source Code of org.apache.openejb.server.ServiceAccessController

/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.openejb.server;

import org.apache.openejb.monitoring.Event;
import org.apache.openejb.monitoring.Managed;
import org.apache.openejb.server.auth.ExactIPAddressPermission;
import org.apache.openejb.server.auth.ExactIPv6AddressPermission;
import org.apache.openejb.server.auth.IPAddressPermission;
import org.apache.openejb.server.auth.IPAddressPermissionFactory;
import org.apache.openejb.server.auth.PermitAllPermission;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Properties;
import java.util.StringTokenizer;

@Managed
public class ServiceAccessController extends ServerServiceFilter {

    private final Event rejections = new Event();

    private IPAddressPermission[] hostPermissions;

    public ServiceAccessController(final ServerService next) {
        super(next);
    }

    @Override
    public void service(final Socket socket) throws ServiceException, IOException {
        // Check authorization
        checkHostsAuthorization(socket.getInetAddress(), socket.getLocalAddress());

        super.service(socket);
    }

    @Override
    public void service(final InputStream in, final OutputStream out) throws ServiceException, IOException {
        throw new UnsupportedOperationException("service(in,out)");
    }

    public void checkHostsAuthorization(final InetAddress clientAddress, final InetAddress serverAddress) throws SecurityException {
        // Check the client ip against the server ip. Hosts are
        // allowed to access themselves, so if these ips
        // match, the following for loop will be skipped.
        if (clientAddress.equals(serverAddress)) {
            return;
        }

        for (final IPAddressPermission host : hostPermissions) {
            if (host.implies(clientAddress)) {
                return;
            }
        }

        rejections.record();
        throw new SecurityException("Host " + clientAddress.getHostAddress() + " is not authorized to access this service.");
    }

    private void parseAdminIPs(final Properties props) throws ServiceException {
        final LinkedList<IPAddressPermission> permissions = new LinkedList<IPAddressPermission>();

        final String ipString = props.getProperty("only_from");

        if (ipString == null) {
            permissions.add(new PermitAllPermission());
        } else {
            final String hostname = "localhost";
            addIPAddressPermissions(permissions, hostname);

            final StringTokenizer st = new StringTokenizer(ipString, ", \n\t");
            while (st.hasMoreTokens()) {
                final String mask = st.nextToken();
                try {
                    permissions.add(IPAddressPermissionFactory.getIPAddressMask(mask));
                } catch (final IllegalArgumentException iae) {
                    // it could be that it is a hostname not ip address
                    addIPAddressPermissions(permissions, mask);
                }
            }
        }

        hostPermissions = permissions.toArray(new IPAddressPermission[permissions.size()]);
    }

    private void addIPAddressPermissions(
        final LinkedList<IPAddressPermission> permissions, final String hostname)
        throws ServiceException {
        try {
            final InetAddress[] localIps = InetAddress.getAllByName(hostname);
            for (final InetAddress localIp : localIps) {
                if (localIp instanceof Inet4Address) {
                    permissions.add(new ExactIPAddressPermission(localIp.getAddress()));
                } else {
                    permissions.add(new ExactIPv6AddressPermission(localIp.getAddress()));
                }
            }
        } catch (final UnknownHostException e) {
            throw new ServiceException("Could not get " + hostname + " inet address", e);
        }
    }

    @Override
    public void init(final Properties props) throws Exception {
        parseAdminIPs(props);
        super.init(props);
    }

    @Managed
    private final Access access = new Access();

    @Managed(append = true)
    public class Access {

        @Managed
        public List<String> getHostPermissions() {
            final List<String> list = new ArrayList<String>();
            for (final IPAddressPermission hostPermission : hostPermissions) {
                list.add(hostPermission.toString());
            }

            return list;
        }

        @Managed
        public Event getRejections() {
            return rejections;
        }

    }
}