/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.qpid.server.security.access.config;
import java.net.InetAddress;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.WeakHashMap;
import javax.security.auth.Subject;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.qpid.server.logging.actors.CurrentActor;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.access.ObjectProperties;
import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.access.Permission;
import org.apache.qpid.server.security.access.logging.AccessControlMessages;
/**
* Models the rule configuration for the access control plugin.
*
* The access control rule definitions are loaded from an external configuration file, passed in as the
* target to the {@link load(ConfigurationFile)} method. The file specified
*/
public class RuleSet
{
private static final Logger _logger = Logger.getLogger(RuleSet.class);
private static final String AT = "@";
private static final String SLASH = "/";
public static final String DEFAULT_ALLOW = "defaultallow";
public static final String DEFAULT_DENY = "defaultdeny";
public static final List<String> CONFIG_PROPERTIES = Arrays.asList(DEFAULT_ALLOW, DEFAULT_DENY);
private static final Integer _increment = 10;
private final SortedMap<Integer, Rule> _rules = new TreeMap<Integer, Rule>();
private final Map<Subject, Map<Operation, Map<ObjectType, List<Rule>>>> _cache =
new WeakHashMap<Subject, Map<Operation, Map<ObjectType, List<Rule>>>>();
private final Map<String, Boolean> _config = new HashMap<String, Boolean>();
public RuleSet()
{
// set some default configuration properties
configure(DEFAULT_DENY, Boolean.TRUE);
}
/**
* Clear the contents, including acl rules and configuration.
*/
public void clear()
{
_rules.clear();
_cache.clear();
_config.clear();
}
public int getRuleCount()
{
return _rules.size();
}
/**
* Filtered rules list based on a subject and operation.
*
* Allows only enabled rules with identity equal to all, the same, or a group with identity as a member,
* and operation is either all or the same operation.
*/
public List<Rule> getRules(final Subject subject, final Operation operation, final ObjectType objectType)
{
final Map<ObjectType, List<Rule>> objects = getObjectToRuleCache(subject, operation);
// Lookup object type rules for the operation
if (!objects.containsKey(objectType))
{
final Set<Principal> principals = subject.getPrincipals();
boolean controlled = false;
List<Rule> filtered = new LinkedList<Rule>();
for (Rule rule : _rules.values())
{
final Action ruleAction = rule.getAction();
if (rule.isEnabled()
&& (ruleAction.getOperation() == Operation.ALL || ruleAction.getOperation() == operation)
&& (ruleAction.getObjectType() == ObjectType.ALL || ruleAction.getObjectType() == objectType))
{
controlled = true;
if (isRelevant(principals,rule))
{
filtered.add(rule);
}
}
}
// Return null if there are no rules at all for this operation and object type
if (filtered.isEmpty() && controlled == false)
{
filtered = null;
}
// Save the rules we selected
objects.put(objectType, filtered);
if(_logger.isDebugEnabled())
{
_logger.debug("Cached " + objectType + " RulesList: " + filtered);
}
}
// Return the cached rules
List<Rule> rules = objects.get(objectType);
if(_logger.isDebugEnabled())
{
_logger.debug("Returning RuleList: " + rules);
}
return rules;
}
public boolean isValidNumber(Integer number)
{
return !_rules.containsKey(number);
}
public void grant(Integer number, String identity, Permission permission, Operation operation)
{
AclAction action = new AclAction(operation);
addRule(number, identity, permission, action);
}
public void grant(Integer number, String identity, Permission permission, Operation operation, ObjectType object, ObjectProperties properties)
{
AclAction action = new AclAction(operation, object, properties);
addRule(number, identity, permission, action);
}
public void grant(Integer number, String identity, Permission permission, Operation operation, ObjectType object, AclRulePredicates predicates)
{
AclAction aclAction = new AclAction(operation, object, predicates);
addRule(number, identity, permission, aclAction);
}
public boolean ruleExists(String identity, AclAction action)
{
for (Rule rule : _rules.values())
{
if (rule.getIdentity().equals(identity) && rule.getAclAction().equals(action))
{
return true;
}
}
return false;
}
public void addRule(Integer number, String identity, Permission permission, AclAction action)
{
_cache.clear();
if (!action.isAllowed())
{
throw new IllegalArgumentException("Action is not allowed: " + action);
}
if (ruleExists(identity, action))
{
return;
}
// set rule number if needed
Rule rule = new Rule(number, identity, action, permission);
if (rule.getNumber() == null)
{
if (_rules.isEmpty())
{
rule.setNumber(0);
}
else
{
rule.setNumber(_rules.lastKey() + _increment);
}
}
// save rule
_cache.remove(identity);
_rules.put(rule.getNumber(), rule);
}
public void enableRule(int ruleNumber)
{
_rules.get(Integer.valueOf(ruleNumber)).enable();
}
public void disableRule(int ruleNumber)
{
_rules.get(Integer.valueOf(ruleNumber)).disable();
}
/** Return true if the name is well-formed (contains legal characters). */
protected boolean checkName(String name)
{
for (int i = 0; i < name.length(); i++)
{
Character c = name.charAt(i);
if (!Character.isLetterOrDigit(c) && c != '-' && c != '_' && c != '@' && c != '.' && c != '/')
{
return false;
}
}
return true;
}
/** Returns true if a username has the name[@domain][/realm] format */
protected boolean isvalidUserName(String name)
{
// check for '@' and '/' in namne
int atPos = name.indexOf(AT);
int slashPos = name.indexOf(SLASH);
boolean atFound = atPos != StringUtils.INDEX_NOT_FOUND && atPos == name.lastIndexOf(AT);
boolean slashFound = slashPos != StringUtils.INDEX_NOT_FOUND && slashPos == name.lastIndexOf(SLASH);
// must be at least one character after '@' or '/'
if (atFound && atPos > name.length() - 2)
{
return false;
}
if (slashFound && slashPos > name.length() - 2)
{
return false;
}
// must be at least one character between '@' and '/'
if (atFound && slashFound)
{
return (atPos < (slashPos - 1));
}
// otherwise all good
return true;
}
/**
* Checks for the case when the client's address is not known.
*
* @see #check(Subject, Operation, ObjectType, ObjectProperties, InetAddress)
*/
public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties)
{
return check(subject, operation, objectType, properties, null);
}
/**
* Check the authorisation granted to a particular identity for an operation on an object type with
* specific properties.
*
* Looks up the entire ruleset, which may be cached, for the user and operation and goes through the rules
* in order to find the first one that matches. Either defers if there are no rules, returns the result of
* the first match found, or denies access if there are no matching rules. Normally, it would be expected
* to have a default deny or allow rule at the end of an access configuration however.
*/
public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties, InetAddress addressOfClient)
{
ClientAction action = new ClientAction(operation, objectType, properties);
if(_logger.isDebugEnabled())
{
_logger.debug("Checking action: " + action);
}
// get the list of rules relevant for this request
List<Rule> rules = getRules(subject, operation, objectType);
if (rules == null)
{
if(_logger.isDebugEnabled())
{
_logger.debug("No rules found, returning default result");
}
return getDefault();
}
// Iterate through a filtered set of rules dealing with this identity and operation
for (Rule rule : rules)
{
if(_logger.isDebugEnabled())
{
_logger.debug("Checking against rule: " + rule);
}
if (action.matches(rule.getAclAction(), addressOfClient))
{
Permission permission = rule.getPermission();
switch (permission)
{
case ALLOW_LOG:
CurrentActor.get().message(AccessControlMessages.ALLOWED(
action.getOperation().toString(),
action.getObjectType().toString(),
action.getProperties().toString()));
case ALLOW:
return Result.ALLOWED;
case DENY_LOG:
CurrentActor.get().message(AccessControlMessages.DENIED(
action.getOperation().toString(),
action.getObjectType().toString(),
action.getProperties().toString()));
case DENY:
return Result.DENIED;
}
return Result.DENIED;
}
}
// Defer to the next plugin of this type, if it exists
return Result.DEFER;
}
/** Default deny. */
public Result getDefault()
{
if (isSet(DEFAULT_ALLOW))
{
return Result.ALLOWED;
}
if (isSet(DEFAULT_DENY))
{
return Result.DENIED;
}
return Result.ABSTAIN;
}
/**
* Check if a configuration property is set.
*/
protected boolean isSet(String key)
{
return BooleanUtils.isTrue(_config.get(key));
}
/**
* Configure properties for the plugin instance.
*
* @param properties
*/
public void configure(Map<String, Boolean> properties)
{
_config.putAll(properties);
}
/**
* Configure a single property for the plugin instance.
*
* @param key
* @param value
*/
public void configure(String key, Boolean value)
{
_config.put(key, value);
}
/**
* Returns all rules in the {@link RuleSet}. Primarily intended to support unit-testing.
* @return map of rules
*/
public Map<Integer, Rule> getAllRules()
{
return Collections.unmodifiableMap(_rules);
}
private boolean isRelevant(final Set<Principal> principals, final Rule rule)
{
if (rule.getIdentity().equalsIgnoreCase(Rule.ALL))
{
return true;
}
else
{
for (Iterator<Principal> iterator = principals.iterator(); iterator.hasNext();)
{
final Principal principal = iterator.next();
if (rule.getIdentity().equalsIgnoreCase(principal.getName()))
{
return true;
}
}
}
return false;
}
private Map<ObjectType, List<Rule>> getObjectToRuleCache(final Subject subject, final Operation operation)
{
// Lookup identity in cache and create empty operation map if required
Map<Operation, Map<ObjectType, List<Rule>>> operations = _cache.get(subject);
if (operations == null)
{
operations = new EnumMap<Operation, Map<ObjectType, List<Rule>>>(Operation.class);
_cache.put(subject, operations);
}
// Lookup operation and create empty object type map if required
Map<ObjectType, List<Rule>> objects = operations.get(operation);
if (objects == null)
{
objects = new EnumMap<ObjectType, List<Rule>>(ObjectType.class);
operations.put(operation, objects);
}
return objects;
}
}