Source Code of org.apache.openejb.server.ServiceAccessController$Access

/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.openejb.server;


import org.apache.openejb.monitoring.Event;
import org.apache.openejb.monitoring.Managed;
import org.apache.openejb.server.auth.IPAddressPermission;
import org.apache.openejb.server.auth.ExactIPAddressPermission;
import org.apache.openejb.server.auth.ExactIPv6AddressPermission;
import org.apache.openejb.server.auth.IPAddressPermissionFactory;
import org.apache.openejb.server.auth.PermitAllPermission;
import org.apache.openejb.util.Join;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Properties;
import java.util.StringTokenizer;

@Managed
public class ServiceAccessController extends ServerServiceFilter {

    private final Event rejections = new Event();

    private IPAddressPermission[] hostPermissions;

    public ServiceAccessController(ServerService next) {
        super(next);
    }

    public void service(Socket socket) throws ServiceException, IOException {
        // Check authorization
        checkHostsAuthorization(socket.getInetAddress(), socket.getLocalAddress());

        super.service(socket);
    }

    public void service(InputStream in, OutputStream out) throws ServiceException, IOException {
        throw new UnsupportedOperationException("service(in,out)");
    }

    public void checkHostsAuthorization(InetAddress clientAddress, InetAddress serverAddress) throws SecurityException {
        // Check the client ip against the server ip. Hosts are
        // allowed to access themselves, so if these ips
        // match, the following for loop will be skipped.
        if (clientAddress.equals(serverAddress)) {
            return;
        }

        for (IPAddressPermission host : hostPermissions) {
            if (host.implies(clientAddress)) {
                return;
            }
        }

        rejections.record();
        throw new SecurityException("Host " + clientAddress.getHostAddress() + " is not authorized to access this service.");
    }

    private void parseAdminIPs(Properties props) throws ServiceException {
        LinkedList<IPAddressPermission> permissions = new LinkedList<IPAddressPermission>();

        String ipString = props.getProperty("only_from");

        if (ipString == null) {
            permissions.add(new PermitAllPermission());
        } else {
          String hostname = "localhost";
            addIPAddressPermissions(permissions, hostname);

            StringTokenizer st = new StringTokenizer(ipString, ", \n\t");
            while (st.hasMoreTokens()) {
                String mask = st.nextToken();
                try {
                  permissions.add(IPAddressPermissionFactory.getIPAddressMask(mask));
                } catch (IllegalArgumentException iae) {
                  // it could be that it is a hostname not ip address
                  addIPAddressPermissions(permissions, mask);
                }
            }
        }

        hostPermissions = (IPAddressPermission[]) permissions.toArray(new IPAddressPermission[permissions.size()]);
    }

  private void addIPAddressPermissions(
      LinkedList<IPAddressPermission> permissions, String hostname)
      throws ServiceException {
    try {
        InetAddress[] localIps = InetAddress.getAllByName(hostname);
        for (int i = 0; i < localIps.length; i++) {
            if (localIps[i] instanceof Inet4Address) {
                permissions.add(new ExactIPAddressPermission(localIps[i].getAddress()));
            } else {
                permissions.add(new ExactIPv6AddressPermission(localIps[i].getAddress()));
            }
        }
    } catch (UnknownHostException e) {
        throw new ServiceException("Could not get " + hostname + " inet address", e);
    }
  }

    public void init(Properties props) throws Exception {
        parseAdminIPs(props);
        super.init(props);
    }

    @Managed
    private final Access access = new Access();

    @Managed(append = true)
    public class Access {

        @Managed
        public List<String> getHostPermissions() {
            List<String> list = new ArrayList<String>();
            for (IPAddressPermission hostPermission : hostPermissions) {
                list.add(hostPermission.toString());
            }

            return list;
        }

        @Managed
        public Event getRejections() {
            return rejections;
        }

    }
}