filter/plugins/SourceChecker__Plugin.java

/* 
 * i-scream central monitoring system
 * http://www.i-scream.org.uk
 * Copyright (C) 2000-2002 i-scream
 * 
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

//---PACKAGE DECLARATION---
package uk.org.iscream.cms.server.filter.plugins;

//---IMPORTS---
import uk.org.iscream.cms.server.filter.PluginFilter;
import uk.org.iscream.cms.server.filter.*;
import uk.org.iscream.cms.server.core.*;
import uk.org.iscream.cms.util.*;
import uk.org.iscream.cms.server.componentmanager.*;

/**
 * This plugin is designed to check the source of incoming
 * packets, and ensure the source machine is permitted to
 * send packets through the system.
 *
 * @author  $Author: tdb $
 * @version $Id: SourceChecker__Plugin.java,v 1.5 2003/02/05 16:43:47 tdb Exp $
 */
public class SourceChecker__Plugin implements PluginFilter {

//---FINAL ATTRIBUTES---

    /**
     * The current CVS revision of this class
     */
    public final String REVISION = "$Revision: 1.5 $";
    
    public final String DESC = "Checks the machine_name attribute in the packet attributes. This must machine must be permitted by the ACL to allow the packet through.";
    
//---STATIC METHODS---

//---CONSTRUCTORS---

    public SourceChecker__Plugin() {
        // setup an empty ACL defaulting to ALLOW
        _acl = new ACL(ACL.ALLOW);
    }

//---PUBLIC METHODS---

    // apply the filter and return true if successful.
    public boolean runFilter(XMLPacket packet){
        String newStringACL;
        // get hold of the ACL in the configuration
        try {
            newStringACL = ConfigurationProxy.getInstance().getProperty("Filter." + FilterMain.NAME, "Filter.SourceCheckerPluginACL");
        }
        catch(PropertyNotFoundException e) {
            // if we can't find it, we'll just use a null ACL
            newStringACL = "";
            _logger.write(toString(), Logger.WARNING, "No ACL found for SourceChecker__Plugin, using empty ACL instead : " + e);
        }
        // check to see if the ACL has changed
        if(!newStringACL.equals(_stringACL)) {
            _logger.write(toString(), Logger.SYSMSG, "Reloading Access Control List");
            // clear the ACL
            _acl.clear();
            // set the default to something sane
            _acl.setDefaultMode(ACL.ALLOW);
            // add the new ACL (this may change the default)
            _acl.add(newStringACL);
            _stringACL = newStringACL;
        }
        
        // only want to check data packets
        // any others will probably get filtered out further up the filter chain
        if(packet.getParam("packet.attributes.type").equals("data")) {
            // check the machine name against the ACL
            // we could check the IP too... but it's a lot of work for _every_ packet... maybe...
            return _acl.check(packet.getParam("packet.attributes.machine_name"));
        }
        
        // a good catchall, I guess
        // it's not a data packet, in which case it should go through
        return true;
    }

    /**
     * Overrides the {@link java.lang.Object#toString() Object.toString()}
     * method to provide clean logging (every class should have this).
     *
     * This uses the uk.org.iscream.cms.util.NameFormat class
     * to format the toString()
     *
     * @return the name of this class and its CVS revision
     */
    public String toString() {
        return FormatName.getName(
            _name,
            getClass().getName(),
            REVISION);
    }

    /**
     * return the String representation of what the filter does
     */
    public String getDescription(){
        return DESC;
    }

//---PRIVATE METHODS---

//---ACCESSOR/MUTATOR METHODS---

//---ATTRIBUTES---

    /**
     * This is the friendly identifier of the
     * component this class is running in.
     * eg, a Filter may be called "filter1",
     * If this class does not have an owning
     * component,  a name from the configuration
     * can be placed here.  This name could also
     * be changed to null for utility classes.
     */
    private String _name = FilterMain.NAME;

    /**
     * This holds a reference to the
     * system logger that is being used.
     */
    private Logger _logger = ReferenceManager.getInstance().getLogger();

    /**
     * This holds the ACL for the plugin.
     */
    private ACL _acl;
    
    /**
     * The current String representation of our ACL.
     */
    private String _stringACL = "";

//---STATIC ATTRIBUTES---

}
Revision:	1.6
Committed:	Mon Feb 24 20:18:49 2003 UTC (21 years, 3 months ago) by tdb
Branch:	MAIN
Changes since 1.5:	+5 -6 lines
Log Message:	Fairly major commit. This will break the current version of ihost, but this had to be done really to give Pete something to test the new ihost against. The main change here is removal of the TCP Heartbeat functionality from the filter. This meant the following features stopped working :- - Heartbeat testing - Configuration checking - Service checks The heartbeat testing, specifically the monitor, now looks at the presence of UDP packets instead. Before it just looked for the presence of a TCP heartbeat packet, so the change their is fairly negligible. Of course this means heartbeat testing now relies on the UDP working... but I don't see this as a problem. Configuration checking has been repositioned in to the filtermanager. This is a backwards compatible change - the filtermanager should still perform as it should for older hosts. But now there's an extra command to check the configuration is up-to-date, with a similar format to the old TCP protocol in the filter. (although we may optimise this soon) The service checks are broken. This isn't a major issue for us as they were pretty useless in the first place. The concept is good, but the checks are just far too primitive. I expect at some point I'll work on a seperate component that just monitors services, which will replace this function. Further changes in the server include removal of the key checking code, as this relied on a bolt on to the TCP heartbeat protocol to ship the key. This got more akward than originally planned, so I'm happy to drop the idea. In the long term we hope to replace this with a public key systems for signing and even encryption. Finally, general tidy up to remove other bits of code that check for TCP heartbeat packets when they don't need to any more.
#	Content
1	/*
2	* i-scream central monitoring system
3	* http://www.i-scream.org.uk
4	* Copyright (C) 2000-2002 i-scream
5	*
6	* This program is free software; you can redistribute it and/or
7	* modify it under the terms of the GNU General Public License
8	* as published by the Free Software Foundation; either version 2
9	* of the License, or (at your option) any later version.
10	*
11	* This program is distributed in the hope that it will be useful,
12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	* GNU General Public License for more details.
15	*
16	* You should have received a copy of the GNU General Public License
17	* along with this program; if not, write to the Free Software
18	* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19	*/
20
21	//---PACKAGE DECLARATION---
22	package uk.org.iscream.cms.server.filter.plugins;
23
24	//---IMPORTS---
25	import uk.org.iscream.cms.server.filter.PluginFilter;
26	import uk.org.iscream.cms.server.filter.*;
27	import uk.org.iscream.cms.server.core.*;
28	import uk.org.iscream.cms.util.*;
29	import uk.org.iscream.cms.server.componentmanager.*;
30
31	/**
32	* This plugin is designed to check the source of incoming
33	* packets, and ensure the source machine is permitted to
34	* send packets through the system.
35	*
36	* @author $Author: tdb $
37	* @version $Id: SourceChecker__Plugin.java,v 1.5 2003/02/05 16:43:47 tdb Exp $
38	*/
39	public class SourceChecker__Plugin implements PluginFilter {
40
41	//---FINAL ATTRIBUTES---
42
43	/**
44	* The current CVS revision of this class
45	*/
46	public final String REVISION = "$Revision: 1.5 $";
47
48	public final String DESC = "Checks the machine_name attribute in the packet attributes. This must machine must be permitted by the ACL to allow the packet through.";
49
50	//---STATIC METHODS---
51
52	//---CONSTRUCTORS---
53
54	public SourceChecker__Plugin() {
55	// setup an empty ACL defaulting to ALLOW
56	_acl = new ACL(ACL.ALLOW);
57	}
58
59	//---PUBLIC METHODS---
60
61	// apply the filter and return true if successful.
62	public boolean runFilter(XMLPacket packet){
63	String newStringACL;
64	// get hold of the ACL in the configuration
65	try {
66	newStringACL = ConfigurationProxy.getInstance().getProperty("Filter." + FilterMain.NAME, "Filter.SourceCheckerPluginACL");
67	}
68	catch(PropertyNotFoundException e) {
69	// if we can't find it, we'll just use a null ACL
70	newStringACL = "";
71	_logger.write(toString(), Logger.WARNING, "No ACL found for SourceChecker__Plugin, using empty ACL instead : " + e);
72	}
73	// check to see if the ACL has changed
74	if(!newStringACL.equals(_stringACL)) {
75	_logger.write(toString(), Logger.SYSMSG, "Reloading Access Control List");
76	// clear the ACL
77	_acl.clear();
78	// set the default to something sane
79	_acl.setDefaultMode(ACL.ALLOW);
80	// add the new ACL (this may change the default)
81	_acl.add(newStringACL);
82	_stringACL = newStringACL;
83	}
84
85	// only want to check data packets
86	// any others will probably get filtered out further up the filter chain
87	if(packet.getParam("packet.attributes.type").equals("data")) {
88	// check the machine name against the ACL
89	// we could check the IP too... but it's a lot of work for _every_ packet... maybe...
90	return _acl.check(packet.getParam("packet.attributes.machine_name"));
91	}
92
93	// a good catchall, I guess
94	// it's not a data packet, in which case it should go through
95	return true;
96	}
97
98	/**
99	* Overrides the {@link java.lang.Object#toString() Object.toString()}
100	* method to provide clean logging (every class should have this).
101	*
102	* This uses the uk.org.iscream.cms.util.NameFormat class
103	* to format the toString()
104	*
105	* @return the name of this class and its CVS revision
106	*/
107	public String toString() {
108	return FormatName.getName(
109	_name,
110	getClass().getName(),
111	REVISION);
112	}
113
114	/**
115	* return the String representation of what the filter does
116	*/
117	public String getDescription(){
118	return DESC;
119	}
120
121	//---PRIVATE METHODS---
122
123	//---ACCESSOR/MUTATOR METHODS---
124
125	//---ATTRIBUTES---
126
127	/**
128	* This is the friendly identifier of the
129	* component this class is running in.
130	* eg, a Filter may be called "filter1",
131	* If this class does not have an owning
132	* component, a name from the configuration
133	* can be placed here. This name could also
134	* be changed to null for utility classes.
135	*/
136	private String _name = FilterMain.NAME;
137
138	/**
139	* This holds a reference to the
140	* system logger that is being used.
141	*/
142	private Logger _logger = ReferenceManager.getInstance().getLogger();
143
144	/**
145	* This holds the ACL for the plugin.
146	*/
147	private ACL _acl;
148
149	/**
150	* The current String representation of our ACL.
151	*/
152	private String _stringACL = "";
153
154	//---STATIC ATTRIBUTES---
155
156	}