1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package com.att.cadi.taf.dos;
\r
25 import java.io.BufferedReader;
\r
26 import java.io.File;
\r
27 import java.io.FileOutputStream;
\r
28 import java.io.FileReader;
\r
29 import java.io.IOException;
\r
30 import java.io.PrintStream;
\r
31 import java.util.ArrayList;
\r
32 import java.util.Date;
\r
33 import java.util.HashMap;
\r
34 import java.util.List;
\r
35 import java.util.Map;
\r
37 import javax.servlet.http.HttpServletRequest;
\r
38 import javax.servlet.http.HttpServletResponse;
\r
40 import com.att.cadi.Access;
\r
41 import com.att.cadi.CachedPrincipal;
\r
42 import com.att.cadi.CachedPrincipal.Resp;
\r
43 import com.att.cadi.CadiException;
\r
44 import com.att.cadi.Taf.LifeForm;
\r
45 import com.att.cadi.taf.HttpTaf;
\r
46 import com.att.cadi.taf.PuntTafResp;
\r
47 import com.att.cadi.taf.TafResp;
\r
48 import com.att.cadi.taf.TafResp.RESP;
\r
50 public class DenialOfServiceTaf implements HttpTaf {
\r
// Process-wide deny lists keyed by remote IP and by identity. Both start null and are
// created lazily (denyIP/denyID, readIP/readID).
// NOTE(review): plain HashMaps written under the static synchronized denyXX/removeDenyXX
// methods but read without that lock in validate() and report() — confirm the
// visibility / ConcurrentModificationException exposure is acceptable.
51 private static Map<String, Counter> deniedIP=null, deniedID=null;
\r
52 private Access access;
\r
// Persistence files <aaf_data_dir>/dosIP and <aaf_data_dir>/dosID, resolved once per JVM
// by the constructor; they stay null when the property is unset, in which case the deny
// lists live in memory only (writeIP/readIP check for null).
53 private static File dosIP, dosID;
\r
\r
59 * @throws CadiException
\r
/**
 * Captures the Access and, once per JVM, resolves the persistence files from the
 * aaf_data_dir property. dosIP/dosID remain null when the property is unset.
 * (Several short lines of the original, including the dirStr declaration, are not
 * reproduced in this listing.)
 */
61 public DenialOfServiceTaf(Access access) throws CadiException {
\r
62 this.access = access;
\r
// The files are static and shared by every instance; only the first instance resolves them.
// NOTE(review): this first-use check is not synchronized — two instances constructed
// concurrently could both resolve (and presumably both load) the files; confirm that is harmless.
63 if(dosIP==null || dosID == null) {
\r
// NOTE(review): the property value is used verbatim as a path prefix — confirm it comes from
// trusted deployment configuration only.
65 if((dirStr = access.getProperty("aaf_data_dir", null))!=null) {
\r
66 dosIP = new File(dirStr+"/dosIP");
\r
68 dosID = new File(dirStr+"/dosID");
\r
\r
/**
 * First-line check on the remote address only: a hit on the IP deny list ends the
 * chain with respDenyIP (NO_FURTHER_PROCESSING); anything else is punted to the next
 * TAF. Identity is never examined here because no Principal exists yet (see the
 * note near the end).
 */
74 public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
\r
75 // Performance, when not needed
\r
// NOTE(review): this reads the HashMap without the lock that denyIP()/removeDenyIP()
// hold; confirm an unsynchronized read during a concurrent put/remove is acceptable.
76 if(deniedIP != null) {
\r
// NOTE(review): getRemoteAddr() is the TCP peer address; behind a reverse proxy or load
// balancer that is the proxy, so the deny list would be keyed on the wrong party —
// confirm the deployment topology.
78 Counter c = deniedIP.get(ip=req.getRemoteAddr());
\r
// (Lines 79-80 of the original are not reproduced in this listing; presumably the
// null check on c that guards this deny response.)
81 return respDenyIP(access,ip);
\r
85 // Note: Can't process Principal, because this is the first TAF, and no Principal is created.
\r
86 // Other TAFs use "isDenied()" on this Object to validate.
\r
87 return PuntTafResp.singleton();
\r
\r
public Resp revalidate(CachedPrincipal prin) {
    /*
     * This TAF never asserts a Principal of its own (validate() only ever denies or
     * punts), so there is never anything of ours to revalidate: always NOT_MINE.
     */
    return Resp.NOT_MINE;
}
\r
96 * for use in Other TAFs, before they attempt backend validation of
\r
/**
 * Looks an identity up in the identity deny list, for other TAFs to consult before
 * they attempt backend validation.
 *
 * @param identity the identity string other TAFs are about to validate
 * @return the Counter tracking denials for that identity, or null when the identity
 *         is not denied or no identity deny list exists yet
 */
public static Counter isDeniedID(String identity) {
    return deniedID == null ? null : deniedID.get(identity);
}
\r
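/**
 * Looks a remote address up in the IP deny list, for other TAFs to consult before
 * they attempt backend validation.
 *
 * @param ipvX the remote address (IPv4 or IPv6 textual form) as seen by the container
 * @return the Counter tracking denials for that address, or null when the address
 *         is not denied or no IP deny list exists yet
 */
public static Counter isDeniedIP(String ipvX) {
    // Must consult deniedIP, not deniedID: IP denials are registered by denyIP()/readIP(),
    // so a lookup against the identity map would never see them.
    return deniedIP == null ? null : deniedIP.get(ipvX);
}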
\r
116 * Return of "True" means IP has been added.
\r
117 * Return of "False" means IP already added.
\r
/**
 * Adds an IP to the deny list, creating the list on first use. Per the javadoc above,
 * true means the IP was newly added and false that it was already present. Static
 * synchronized, so it serializes with the other static mutators (removeDenyIP,
 * denyID, removeDenyID). The rv bookkeeping, the persistence call and the return are
 * on lines not reproduced in this listing.
 */
122 public static synchronized boolean denyIP(String ip) {
\r
123 boolean rv = false;
\r
// First denial in this JVM: create the map and insert in one step.
124 if(deniedIP==null) {
\r
125 deniedIP = new HashMap<String,Counter>();
\r
126 deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
\r
// Existing map: insert only when absent, so an existing Counter and its history
// are never replaced.
128 } else if(deniedIP.get(ip)==null) {
\r
129 deniedIP.put(ip, new Counter(ip));
\r
\r
/**
 * Persists the IP deny list to dosIP, one IP per line. No-op when no data dir is
 * configured (dosIP null) or no list exists. An empty list takes a separate branch
 * (presumably removing the file; those lines are not reproduced in this listing).
 */
138 private static void writeIP() {
\r
139 if(dosIP!=null && deniedIP!=null) {
\r
140 if(deniedIP.isEmpty()) {
\r
141 if(dosIP.exists()) {
\r
// Append flag false: the file is truncated and rewritten from scratch on every call.
// NOTE(review): PrintStream/FileOutputStream use the platform default charset, as does
// the FileReader in readIP(); consistent on one host, not portable across hosts.
147 fos = new PrintStream(new FileOutputStream(dosIP,false));
\r
149 for(String ip: deniedIP.keySet()) {
\r
// NOTE(review): PrintStream never throws on write, so only stream construction can reach
// this catch; check fos.checkError() after the loop if lost writes matter. Closing of
// fos is not visible in this listing — confirm it happens in a finally.
155 } catch (IOException e) {
\r
// A persistence failure is reported to stderr only; the in-memory list stays authoritative.
156 e.printStackTrace(System.err);
\r
\r
/**
 * Loads the persisted IP deny list from dosIP when configured and present: one IP
 * per line, each becoming a fresh Counter (hit counts are not persisted).
 */
162 private static void readIP() {
\r
163 if(dosIP!=null && dosIP.exists()) {
\r
// NOTE(review): FileReader uses the platform default charset; keep paired with writeIP().
166 br = new BufferedReader(new FileReader(dosIP));
\r
167 if(deniedIP==null) {
\r
168 deniedIP=new HashMap<String,Counter>();
\r
// NOTE(review): lines are inserted verbatim — no trim, no blank-line skip, no
// address-syntax check — so a trailing blank line or stray whitespace creates a bogus
// entry that can never match a real remote address. Unlike denyIP(), an existing
// Counter for the same key is replaced here.
173 while((line=br.readLine())!=null) {
\r
174 deniedIP.put(line, new Counter(line));
\r
// Closing of br is not visible in this listing — confirm it happens in a finally.
179 } catch (IOException e) {
\r
180 e.printStackTrace(System.err);
\r
\r
187 * Return of "True" means IP was removed.
\r
188 * Return of "False" means IP wasn't being denied.
\r
/**
 * Removes an IP from the deny list. Per the javadoc above, true only when the list
 * exists and actually held the IP. The cleanup taken when the list becomes empty,
 * and the return, are on lines not reproduced in this listing.
 */
193 public static synchronized boolean removeDenyIP(String ip) {
\r
// remove() returning non-null is the "was present" signal.
194 if(deniedIP!=null && deniedIP.remove(ip)!=null) {
\r
196 if(deniedIP.isEmpty()) {
\r
\r
205 * Return of "True" means ID has been added.
\r
206 * Return of "False" means ID already added.
\r
/**
 * Adds an identity to the identity deny list, creating the list on first use. Per
 * the javadoc above, true means newly added and false already present. Static
 * synchronized, so it serializes with the other static mutators. The rv bookkeeping,
 * the persistence call and the return are on lines not reproduced in this listing.
 */
211 public static synchronized boolean denyID(String id) {
\r
212 boolean rv = false;
\r
// First denial in this JVM: create the map and insert in one step.
213 if(deniedID==null) {
\r
214 deniedID = new HashMap<String,Counter>();
\r
215 deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
\r
// Existing map: insert only when absent, so an existing Counter and its history
// are never replaced.
217 } else if(deniedID.get(id)==null) {
\r
218 deniedID.put(id, new Counter(id));
\r
\r
/**
 * Persists the identity deny list to dosID, one identity per line. No-op when no data
 * dir is configured (dosID null) or no list exists. An empty list takes a separate
 * branch (presumably removing the file; those lines are not reproduced in this listing).
 */
228 private static void writeID() {
\r
229 if(dosID!=null && deniedID!=null) {
\r
230 if(deniedID.isEmpty()) {
\r
231 if(dosID.exists()) {
\r
// Append flag false: the file is truncated and rewritten from scratch on every call.
// NOTE(review): platform default charset here and in readID()'s FileReader.
237 fos = new PrintStream(new FileOutputStream(dosID,false));
\r
// Loop variable is named "ip" but iterates identities (copied from writeIP).
239 for(String ip: deniedID.keySet()) {
\r
// NOTE(review): PrintStream never throws on write, so only stream construction can reach
// this catch; check fos.checkError() if lost writes matter. Closing of fos is not
// visible in this listing — confirm it happens in a finally.
245 } catch (IOException e) {
\r
// A persistence failure is reported to stderr only; the in-memory list stays authoritative.
246 e.printStackTrace(System.err);
\r
\r
/**
 * Loads the persisted identity deny list from dosID when configured and present: one
 * identity per line, each becoming a fresh Counter (hit counts are not persisted).
 */
252 private static void readID() {
\r
253 if(dosID!=null && dosID.exists()) {
\r
// NOTE(review): FileReader uses the platform default charset; keep paired with writeID().
256 br = new BufferedReader(new FileReader(dosID));
\r
257 if(deniedID==null) {
\r
258 deniedID=new HashMap<String,Counter>();
\r
// NOTE(review): lines are inserted verbatim — no trim and no blank-line skip — so a
// trailing blank line or stray whitespace becomes a bogus entry. Unlike denyID(), an
// existing Counter for the same key is replaced here.
262 while((line=br.readLine())!=null) {
\r
263 deniedID.put(line, new Counter(line));
\r
// Closing of br is not visible in this listing — confirm it happens in a finally.
268 } catch (IOException e) {
\r
269 e.printStackTrace(System.err);
\r
\r
275 * Return of "True" means ID was removed.
\r
276 * Return of "False" means ID wasn't being denied.
\r
/**
 * Removes an identity from the identity deny list. Per the javadoc above, true only
 * when the list exists and actually held the identity. The cleanup taken when the
 * list becomes empty, and the return, are on lines not reproduced in this listing.
 */
281 public static synchronized boolean removeDenyID(String id) {
\r
// remove() returning non-null is the "was present" signal.
282 if(deniedID!=null && deniedID.remove(id)!=null) {
\r
284 if(deniedID.isEmpty()) {
\r
\r
/**
 * Human-readable snapshot of both deny lists: identities first, then IPs, one
 * Counter.toString() per entry, presized to the combined map sizes. (The initSize
 * declaration, closing braces and return are on lines not reproduced in this listing.)
 * NOTE(review): this method is not synchronized while the static mutators
 * (denyIP/denyID/removeDenyIP/removeDenyID) are; iterating a HashMap concurrently
 * with a put/remove can throw ConcurrentModificationException — confirm the call
 * pattern makes that acceptable, or take the same lock.
 */
293 public List<String> report() {
\r
295 if(deniedIP!=null)initSize+=deniedIP.size();
\r
296 if(deniedID!=null)initSize+=deniedID.size();
\r
297 ArrayList<String> al = new ArrayList<String>(initSize);
\r
298 if(deniedID!=null) {
\r
299 for(Counter c : deniedID.values()) {
\r
300 al.add(c.toString());
\r
303 if(deniedIP!=null) {
\r
304 for(Counter c : deniedIP.values()) {
\r
305 al.add(c.toString());
\r
\r
/**
 * Per-entry denial record: the denied name, how often it has been matched, when it
 * was first matched (Date) and most recently matched (epoch millis). Only the
 * enclosing TAF can bump it (inc() is private); everyone else gets the getters and
 * toString(). Many short lines of this class are not reproduced in this listing.
 */
311 public static class Counter {
\r
312 private final String name;
\r
// NOTE(review): an int; under sustained flooding from one source it can wrap — consider long.
313 private int count = 0;
\r
// NOTE(review): presumably set only on the first inc() (guard line not shown).
314 private Date first;
\r
315 private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
\r
317 public Counter(String name) {
\r
// NOTE(review): the getters below are not synchronized while inc() is; values read
// concurrently with an increment may be stale — confirm that is acceptable for reporting.
324 public String getName() {
\r
328 public int getCount() {
\r
332 public long getLast() {
\r
337 * Only allow Denial of ServiceTaf to increment
\r
// Synchronized on this Counter; records the match time (the count increment is on a
// line not shown).
339 private synchronized void inc() {
\r
341 last = System.currentTimeMillis();
\r
343 first = new Date(last);
\r
// Zero-hit entries are reported as listed-but-never-seen; otherwise the count and
// timing details follow (the branch condition is on a line not shown).
347 public String toString() {
\r
349 return name + " is on the denied list, but has not attempted Access";
\r
353 " has been denied " +
\r
357 ". Last denial was " +
\r
\r
/**
 * Builds the terminal response for a denied identity.
 *
 * @param access  the Access the response reports through
 * @param identity the denied identity, echoed in the response description
 * @return a DenialOfServiceTafResp with RESP.NO_FURTHER_PROCESSING
 */
public static TafResp respDenyID(Access access, String identity) {
    final String description = identity + " is on the Identity Denial list";
    return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, description);
}
\r
/**
 * Builds the terminal response for a denied remote address.
 *
 * @param access the Access the response reports through
 * @param ip     the denied address, echoed in the response description
 * @return a DenialOfServiceTafResp with RESP.NO_FURTHER_PROCESSING
 */
public static TafResp respDenyIP(Access access, String ip) {
    final String description = ip + " is on the IP Denial list";
    return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, description);
}
\r