1 |
tdb |
1.1 |
//---PACKAGE DECLARATION--- |
2 |
|
|
//package uk.org.iscream.cms.server.util; |
3 |
|
|
|
4 |
|
|
//---IMPORTS--- |
5 |
|
|
import uk.org.iscream.cms.server.util.*; |
6 |
tdb |
1.3 |
import java.util.ArrayList; |
7 |
tdb |
1.7 |
import java.util.StringTokenizer; |
8 |
tdb |
1.1 |
import java.net.InetAddress; |
9 |
tdb |
1.4 |
import java.io.Serializable; |
10 |
tdb |
1.1 |
|
11 |
|
|
/** |
12 |
tdb |
1.2 |
* Access Control List for use primarily |
13 |
|
|
* with the ACLServerSocket. It could, however |
14 |
|
|
* have other uses as it has a fairly generic |
15 |
|
|
* behaviour. Rules are added using the add |
16 |
|
|
* method, and then checks can be made using |
17 |
|
|
* the relevant check method. |
18 |
tdb |
1.1 |
* |
19 |
tdb |
1.6 |
* @author $Author: tdb $ |
20 |
tdb |
1.11 |
* @version $Id: ACL.java,v 1.10 2001/12/31 19:25:39 tdb Exp $ |
21 |
tdb |
1.1 |
*/ |
22 |
tdb |
1.4 |
public class ACL implements Serializable { |
23 |
tdb |
1.1 |
|
24 |
|
|
//---FINAL ATTRIBUTES--- |
25 |
|
|
|
26 |
|
|
/** |
27 |
|
|
* The current CVS revision of this class |
28 |
|
|
*/ |
29 |
tdb |
1.11 |
public static final String REVISION = "$Revision: 1.10 $"; |
30 |
tdb |
1.2 |
|
31 |
|
|
/** |
32 |
|
|
* static to be used when adding an ALLOW rule to the ACL. |
33 |
|
|
*/ |
34 |
tdb |
1.1 |
public static final boolean ALLOW = true; |
35 |
tdb |
1.2 |
|
36 |
|
|
/** |
37 |
|
|
* static to be used when adding a DENY rule to the ACL. |
38 |
|
|
*/ |
39 |
tdb |
1.1 |
public static final boolean DENY = false; |
40 |
|
|
|
41 |
|
|
//---STATIC METHODS--- |
42 |
|
|
|
43 |
|
|
//---CONSTRUCTORS--- |
44 |
|
|
|
45 |
tdb |
1.2 |
/** |
46 |
|
|
* Construct a new Access Control List. The default |
47 |
|
|
* mode is to ALLOW anything that isn't explicitly |
48 |
|
|
* blocked by a rule. |
49 |
|
|
*/ |
50 |
tdb |
1.1 |
public ACL() { |
51 |
|
|
// default to ACL.ALLOW |
52 |
|
|
this(ACL.ALLOW); |
53 |
|
|
} |
54 |
|
|
|
55 |
tdb |
1.2 |
/** |
56 |
|
|
* Construct a new Access Control List with a given |
57 |
|
|
* default mode. This mode specifies what should |
58 |
|
|
* happen if a check does not match any rules. |
59 |
|
|
* |
60 |
|
|
* @param defaultMode the default mode for non-matched checks |
61 |
|
|
*/ |
62 |
tdb |
1.1 |
public ACL(boolean defaultMode) { |
63 |
|
|
_defaultMode = defaultMode; |
64 |
|
|
} |
65 |
|
|
|
66 |
|
|
//---PUBLIC METHODS--- |
67 |
|
|
|
68 |
tdb |
1.2 |
/** |
69 |
|
|
* Add a new rule to the ACL immediately after the |
70 |
|
|
* previous rule. The rule can either be an ACL.ALLOW |
71 |
|
|
* rule, or an ACL.DENY rule. The expression can |
72 |
|
|
* contain a wildcard (a * only). Rules can only be |
73 |
|
|
* added to the end of the list. |
74 |
|
|
* |
75 |
|
|
* param allow whether this is an ALLOW or DENY rule |
76 |
|
|
* param expression what this rule matches using wildcards |
77 |
|
|
*/ |
78 |
tdb |
1.1 |
public void add(boolean allow, String expression) { |
79 |
tdb |
1.7 |
// default to expecting it to be an IP |
80 |
|
|
// we will try to disprove this :) |
81 |
|
|
boolean ip = true; |
82 |
|
|
short[] ipaddr = {-1, -1, -1, -1}; |
83 |
|
|
int i = 0; |
84 |
|
|
String s = ""; |
85 |
|
|
// tokenize the expression on fullstops, so we can break |
86 |
|
|
// up the quads of an IP (if it's an IP!) |
87 |
|
|
StringTokenizer st = new StringTokenizer(expression, "."); |
88 |
|
|
while(st.hasMoreTokens() && i++ < 4) { |
89 |
|
|
s = st.nextToken(); |
90 |
|
|
// if it's a wildcard, we'll skip to the next one |
91 |
|
|
// as no more checks are required |
92 |
|
|
if(s.equals("*")) { |
93 |
|
|
continue; |
94 |
|
|
} |
95 |
|
|
// attempt to parse it into a short |
96 |
|
|
try { |
97 |
|
|
short n = Short.parseShort(s); |
98 |
|
|
// if it's an int but outside of the |
99 |
|
|
// valid range, it can't be an IP |
100 |
|
|
if(n < 0 || n > 255) { |
101 |
|
|
ip = false; |
102 |
|
|
// give up checking further |
103 |
|
|
break; |
104 |
|
|
} |
105 |
|
|
ipaddr[i-1] = n; |
106 |
|
|
} |
107 |
|
|
// if it didn't parse as an int it can't be an IP |
108 |
|
|
catch (NumberFormatException e) { |
109 |
|
|
ip = false; |
110 |
|
|
// give up checking further |
111 |
|
|
break; |
112 |
|
|
} |
113 |
|
|
} |
114 |
|
|
// we've done 4 parts, so if there's any |
115 |
|
|
// more this can't be an IP |
116 |
|
|
if(st.hasMoreTokens()) { |
117 |
|
|
ip = false; |
118 |
|
|
} |
119 |
|
|
// if we've done less than 4, see if the last one |
120 |
|
|
// was a wildcard - if it isn't then it's not an IP |
121 |
|
|
// -- this allows 129.12.* |
122 |
|
|
if(i < 4 && !s.equals("*")) { |
123 |
|
|
ip = false; |
124 |
|
|
} |
125 |
|
|
// if we had one or less entries it can't be an IP |
126 |
|
|
// -- this disallows * matching as an IP due |
127 |
|
|
// to the rule above |
128 |
|
|
if(i <= 1) { |
129 |
|
|
ip = false; |
130 |
|
|
} |
131 |
tdb |
1.9 |
// add the rule to our array |
132 |
tdb |
1.7 |
_acl.add(new ACLRule(allow, expression, ipaddr, ip)); |
133 |
tdb |
1.1 |
} |
134 |
|
|
|
135 |
tdb |
1.2 |
/** |
136 |
|
|
* Check to see if a string is permitted by the |
137 |
|
|
* ACL. Useful for testing, and non-Socket uses |
138 |
|
|
* of this class. |
139 |
|
|
* |
140 |
|
|
* @param address the string to check |
141 |
|
|
* @return whether the address was permitted by the ACL |
142 |
|
|
*/ |
143 |
tdb |
1.1 |
public boolean check(String address) { |
144 |
tdb |
1.3 |
for(int i=0; i < _acl.size(); i++) { |
145 |
|
|
ACLRule rule = (ACLRule) _acl.get(i); |
146 |
|
|
if(StringUtils.wildcardCheck(address, rule._expression)) { |
147 |
|
|
return rule._allow; |
148 |
tdb |
1.1 |
} |
149 |
|
|
} |
150 |
|
|
return _defaultMode; |
151 |
|
|
} |
152 |
|
|
|
153 |
tdb |
1.2 |
/** |
154 |
|
|
* Check to see if an InetAddress is permitted |
155 |
|
|
* by the ACL. Perfect for Socket uses of this |
156 |
tdb |
1.9 |
* class. A rule will either be for a name, or |
157 |
|
|
* an IP address (this is determined in the add |
158 |
|
|
* method), and the appropriate comparison will |
159 |
|
|
* be performed. |
160 |
tdb |
1.2 |
* |
161 |
|
|
* @param address the InetAddress to check |
162 |
|
|
* @return whether the InetAddress was permitted by the ACL |
163 |
|
|
*/ |
164 |
tdb |
1.1 |
public boolean check(InetAddress address) { |
165 |
tdb |
1.9 |
// gather the details first |
166 |
tdb |
1.7 |
String hostname = address.getHostName(); |
167 |
|
|
String ip = address.getHostAddress(); |
168 |
|
|
short[] ipaddr = ipStringToShort(ip); |
169 |
tdb |
1.9 |
// check each rule against this InetAddress |
170 |
tdb |
1.3 |
for(int i=0; i < _acl.size(); i++) { |
171 |
|
|
ACLRule rule = (ACLRule) _acl.get(i); |
172 |
tdb |
1.7 |
if(rule._iprule) { |
173 |
tdb |
1.9 |
// if this is an IP rule do a short comparison |
174 |
tdb |
1.11 |
// must specify the wildcarded rule first |
175 |
|
|
if(compareShorts(rule._ipaddr, ipaddr)) { |
176 |
tdb |
1.7 |
return rule._allow; |
177 |
|
|
} |
178 |
tdb |
1.1 |
} |
179 |
tdb |
1.7 |
else { |
180 |
tdb |
1.9 |
// if not do a full blown String comparsion |
181 |
tdb |
1.7 |
if(StringUtils.wildcardCheck(hostname, rule._expression)) { |
182 |
|
|
return rule._allow; |
183 |
|
|
} |
184 |
tdb |
1.1 |
} |
185 |
tdb |
1.7 |
|
186 |
tdb |
1.1 |
} |
187 |
tdb |
1.9 |
// if we haven't matched a rule, return the default |
188 |
tdb |
1.1 |
return _defaultMode; |
189 |
|
|
} |
190 |
|
|
|
191 |
tdb |
1.2 |
/** |
192 |
tdb |
1.5 |
* Gives a String representation of this ACL. |
193 |
tdb |
1.2 |
* |
194 |
|
|
* @return A String representation of this ACL. |
195 |
|
|
*/ |
196 |
tdb |
1.5 |
public String toString() { |
197 |
|
|
StringBuffer acl = new StringBuffer(); |
198 |
tdb |
1.9 |
// put in the i-scream toString code |
199 |
tdb |
1.8 |
acl.append(FormatName.getName(_name, getClass().getName(), REVISION)); |
200 |
tdb |
1.5 |
acl.append("{"); |
201 |
tdb |
1.9 |
// put the value of each Rule in the result |
202 |
tdb |
1.3 |
for(int i=0; i < _acl.size(); i++) { |
203 |
tdb |
1.6 |
acl.append((ACLRule) _acl.get(i)); |
204 |
tdb |
1.5 |
acl.append(","); |
205 |
tdb |
1.1 |
} |
206 |
tdb |
1.9 |
// put the default mode in the result |
207 |
tdb |
1.3 |
if(_defaultMode) { |
208 |
tdb |
1.5 |
acl.append("DEFAULT=ALLOW"); |
209 |
tdb |
1.3 |
} |
210 |
|
|
else { |
211 |
tdb |
1.5 |
acl.append("DEFAULT=DENY"); |
212 |
tdb |
1.3 |
} |
213 |
tdb |
1.5 |
acl.append("}"); |
214 |
|
|
return acl.toString(); |
215 |
tdb |
1.1 |
} |
216 |
|
|
|
217 |
|
|
//---PRIVATE METHODS--- |
218 |
|
|
|
219 |
tdb |
1.9 |
/** |
220 |
|
|
* Converts an IP address in String format into |
221 |
|
|
* a short array of length 4. Any wildcards, *, |
222 |
|
|
* found in the IP address are represented by |
223 |
|
|
* a -1. |
224 |
|
|
* |
225 |
|
|
* @param ip The IP address in String format |
226 |
|
|
* @return The IP address in a short[] |
227 |
|
|
*/ |
228 |
tdb |
1.7 |
private short[] ipStringToShort(String ip) { |
229 |
|
|
short[] ipaddr = {-1, -1, -1, -1}; |
230 |
|
|
StringTokenizer st = new StringTokenizer(ip, "."); |
231 |
|
|
for(int i=0; i < 4 && st.hasMoreTokens(); i++) { |
232 |
|
|
try { |
233 |
|
|
ipaddr[i] = Short.parseShort(st.nextToken()); |
234 |
|
|
} |
235 |
|
|
catch(NumberFormatException e) { |
236 |
tdb |
1.11 |
// do nothing... |
237 |
tdb |
1.9 |
// we just want to leave it as -1 |
238 |
|
|
// -- actually, maybe we want to do more checks in here? |
239 |
|
|
// although in this code context it'll probably be ok, |
240 |
|
|
// it might be worth verifying wildcards and that the |
241 |
|
|
// number is in range... |
242 |
tdb |
1.7 |
} |
243 |
|
|
} |
244 |
|
|
return ipaddr; |
245 |
|
|
} |
246 |
|
|
|
247 |
tdb |
1.9 |
/** |
248 |
tdb |
1.11 |
* Compares two short arrays. The first array can contain a -1, |
249 |
|
|
* which will always match any value -- it's a wildcard. |
250 |
|
|
* They must be the same length to match. |
251 |
tdb |
1.9 |
* |
252 |
tdb |
1.11 |
* @param first The first array to compare (with -1 wildcard if required) |
253 |
tdb |
1.9 |
* @param second The second array to compare |
254 |
|
|
* @result the result of the comparison |
255 |
|
|
*/ |
256 |
tdb |
1.7 |
private boolean compareShorts(short[] first, short[] second) { |
257 |
|
|
if(first.length != second.length) { |
258 |
|
|
return false; |
259 |
|
|
} |
260 |
|
|
for(int i=0; i < first.length; i++) { |
261 |
tdb |
1.11 |
if(first[i] == -1) { |
262 |
tdb |
1.7 |
continue; |
263 |
|
|
} |
264 |
|
|
if(first[i] != second[i]) { |
265 |
|
|
return false; |
266 |
|
|
} |
267 |
tdb |
1.10 |
} |
268 |
tdb |
1.7 |
return true; |
269 |
|
|
} |
270 |
|
|
|
271 |
tdb |
1.1 |
//---ACCESSOR/MUTATOR METHODS--- |
272 |
|
|
|
273 |
|
|
//---ATTRIBUTES--- |
274 |
|
|
|
275 |
|
|
/** |
276 |
|
|
* This is the friendly identifier of the |
277 |
|
|
* component this class is running in. |
278 |
|
|
* eg, a Filter may be called "filter1", |
279 |
|
|
* If this class does not have an owning |
280 |
|
|
* component, a name from the configuration |
281 |
|
|
* can be placed here. This name could also |
282 |
|
|
* be changed to null for utility classes. |
283 |
|
|
*/ |
284 |
|
|
private String _name = null; |
285 |
tdb |
1.2 |
|
286 |
|
|
/** |
287 |
tdb |
1.3 |
* The ACL is stored in this ArrayList. |
288 |
tdb |
1.2 |
*/ |
289 |
tdb |
1.3 |
private ArrayList _acl = new ArrayList(); |
290 |
tdb |
1.2 |
|
291 |
|
|
/** |
292 |
|
|
* The default mode of this ACL. |
293 |
|
|
*/ |
294 |
tdb |
1.1 |
private boolean _defaultMode; |
295 |
|
|
|
296 |
|
|
//---STATIC ATTRIBUTES--- |
297 |
|
|
|
298 |
|
|
//---INNER CLASSES--- |
299 |
|
|
|
300 |
tdb |
1.2 |
/** |
301 |
|
|
* Wrapper class for an ACL rule. |
302 |
|
|
*/ |
303 |
tdb |
1.4 |
private class ACLRule implements Serializable { |
304 |
tdb |
1.1 |
|
305 |
tdb |
1.2 |
/** |
306 |
|
|
* Construct an ACL rule. |
307 |
|
|
* |
308 |
|
|
* @param allow whether this is an ALLOW or DENY rule |
309 |
|
|
* @param expression what this rule matches |
310 |
tdb |
1.9 |
* @param ipaddr the IP address wildcard this rule matches if it's an IP rule |
311 |
tdb |
1.7 |
* @param iprule whether this is an IP rule |
312 |
tdb |
1.2 |
*/ |
313 |
tdb |
1.7 |
private ACLRule(boolean allow, String expression, short[] ipaddr, boolean iprule) { |
314 |
tdb |
1.1 |
_allow = allow; |
315 |
|
|
_expression = expression; |
316 |
tdb |
1.7 |
_ipaddr = ipaddr; |
317 |
|
|
_iprule = iprule; |
318 |
tdb |
1.6 |
} |
319 |
|
|
|
320 |
|
|
/** |
321 |
|
|
* Returns a String representation of this rule. |
322 |
|
|
* |
323 |
|
|
* @return A String representation of this rule. |
324 |
|
|
*/ |
325 |
|
|
public String toString() { |
326 |
|
|
if(_allow) { |
327 |
|
|
return _expression + "=ALLOW"; |
328 |
|
|
} |
329 |
|
|
else { |
330 |
|
|
return _expression + "=DENY"; |
331 |
|
|
} |
332 |
tdb |
1.1 |
} |
333 |
|
|
|
334 |
tdb |
1.2 |
/** |
335 |
|
|
* Whether this is an ALLOW or DENY rule. |
336 |
|
|
*/ |
337 |
tdb |
1.1 |
private boolean _allow; |
338 |
tdb |
1.2 |
|
339 |
|
|
/** |
340 |
|
|
* What this rule matches. |
341 |
|
|
*/ |
342 |
tdb |
1.1 |
private String _expression; |
343 |
tdb |
1.7 |
|
344 |
tdb |
1.9 |
/** |
345 |
|
|
* The IP wildcard, only valid if this |
346 |
|
|
* is an IP rule. |
347 |
|
|
*/ |
348 |
tdb |
1.7 |
private short[] _ipaddr; |
349 |
|
|
|
350 |
|
|
/** |
351 |
|
|
* Whether this is an IP rule. |
352 |
|
|
*/ |
353 |
|
|
private boolean _iprule; |
354 |
tdb |
1.1 |
|
355 |
|
|
} |
356 |
|
|
|
357 |
|
|
} |