1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi.taf.dos;
\r
26 import java.io.BufferedReader;
\r
27 import java.io.File;
\r
28 import java.io.FileOutputStream;
\r
29 import java.io.FileReader;
\r
30 import java.io.IOException;
\r
31 import java.io.PrintStream;
\r
32 import java.util.ArrayList;
\r
33 import java.util.Date;
\r
34 import java.util.HashMap;
\r
35 import java.util.List;
\r
36 import java.util.Map;
\r
38 import javax.servlet.http.HttpServletRequest;
\r
39 import javax.servlet.http.HttpServletResponse;
\r
41 import com.att.cadi.Access;
\r
42 import com.att.cadi.CachedPrincipal;
\r
43 import com.att.cadi.CachedPrincipal.Resp;
\r
44 import com.att.cadi.CadiException;
\r
45 import com.att.cadi.Taf.LifeForm;
\r
46 import com.att.cadi.taf.HttpTaf;
\r
47 import com.att.cadi.taf.PuntTafResp;
\r
48 import com.att.cadi.taf.TafResp;
\r
49 import com.att.cadi.taf.TafResp.RESP;
\r
51 public class DenialOfServiceTaf implements HttpTaf {
\r
52 private static Map<String, Counter> deniedIP=null, deniedID=null;
\r
53 private Access access;
\r
54 private static File dosIP, dosID;
\r
60 * @throws CadiException
\r
62 public DenialOfServiceTaf(Access access) throws CadiException {
\r
63 this.access = access;
\r
64 if(dosIP==null || dosID == null) {
\r
66 if((dirStr = access.getProperty("aaf_data_dir", null))!=null) {
\r
67 dosIP = new File(dirStr+"/dosIP");
\r
69 dosID = new File(dirStr+"/dosID");
\r
75 public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
\r
76 // Performance, when not needed
\r
77 if(deniedIP != null) {
\r
79 Counter c = deniedIP.get(ip=req.getRemoteAddr());
\r
82 return respDenyIP(access,ip);
\r
86 // Note: Can't process Principal, because this is the first TAF, and no Principal is created.
\r
87 // Other TAFs use "isDenied()" on this Object to validate.
\r
88 return PuntTafResp.singleton();
\r
91 public Resp revalidate(CachedPrincipal prin) {
\r
92 // We always return NOT MINE, because DOS Taf does not ever validate
\r
93 return Resp.NOT_MINE;
\r
97 * for use in Other TAFs, before they attempt backend validation of
\r
99 public static Counter isDeniedID(String identity) {
\r
100 if(deniedID!=null) {
\r
101 return deniedID.get(identity);
\r
109 public static Counter isDeniedIP(String ipvX) {
\r
110 if(deniedID!=null) {
\r
111 return deniedID.get(ipvX);
\r
117 * Return of "True" means IP has been added.
\r
118 * Return of "False" means IP already added.
\r
123 public static synchronized boolean denyIP(String ip) {
\r
124 boolean rv = false;
\r
125 if(deniedIP==null) {
\r
126 deniedIP = new HashMap<String,Counter>();
\r
127 deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
\r
129 } else if(deniedIP.get(ip)==null) {
\r
130 deniedIP.put(ip, new Counter(ip));
\r
139 private static void writeIP() {
\r
140 if(dosIP!=null && deniedIP!=null) {
\r
141 if(deniedIP.isEmpty()) {
\r
142 if(dosIP.exists()) {
\r
148 fos = new PrintStream(new FileOutputStream(dosIP,false));
\r
150 for(String ip: deniedIP.keySet()) {
\r
156 } catch (IOException e) {
\r
157 e.printStackTrace(System.err);
\r
163 private static void readIP() {
\r
164 if(dosIP!=null && dosIP.exists()) {
\r
167 br = new BufferedReader(new FileReader(dosIP));
\r
168 if(deniedIP==null) {
\r
169 deniedIP=new HashMap<String,Counter>();
\r
174 while((line=br.readLine())!=null) {
\r
175 deniedIP.put(line, new Counter(line));
\r
180 } catch (IOException e) {
\r
181 e.printStackTrace(System.err);
\r
188 * Return of "True" means IP has was removed.
\r
189 * Return of "False" means IP wasn't being denied.
\r
194 public static synchronized boolean removeDenyIP(String ip) {
\r
195 if(deniedIP!=null && deniedIP.remove(ip)!=null) {
\r
197 if(deniedIP.isEmpty()) {
\r
206 * Return of "True" means ID has been added.
\r
207 * Return of "False" means ID already added.
\r
212 public static synchronized boolean denyID(String id) {
\r
213 boolean rv = false;
\r
214 if(deniedID==null) {
\r
215 deniedID = new HashMap<String,Counter>();
\r
216 deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
\r
218 } else if(deniedID.get(id)==null) {
\r
219 deniedID.put(id, new Counter(id));
\r
229 private static void writeID() {
\r
230 if(dosID!=null && deniedID!=null) {
\r
231 if(deniedID.isEmpty()) {
\r
232 if(dosID.exists()) {
\r
238 fos = new PrintStream(new FileOutputStream(dosID,false));
\r
240 for(String ip: deniedID.keySet()) {
\r
246 } catch (IOException e) {
\r
247 e.printStackTrace(System.err);
\r
253 private static void readID() {
\r
254 if(dosID!=null && dosID.exists()) {
\r
257 br = new BufferedReader(new FileReader(dosID));
\r
258 if(deniedID==null) {
\r
259 deniedID=new HashMap<String,Counter>();
\r
263 while((line=br.readLine())!=null) {
\r
264 deniedID.put(line, new Counter(line));
\r
269 } catch (IOException e) {
\r
270 e.printStackTrace(System.err);
\r
276 * Return of "True" means ID has was removed.
\r
277 * Return of "False" means ID wasn't being denied.
\r
282 public static synchronized boolean removeDenyID(String id) {
\r
283 if(deniedID!=null && deniedID.remove(id)!=null) {
\r
285 if(deniedID.isEmpty()) {
\r
294 public List<String> report() {
\r
296 if(deniedIP!=null)initSize+=deniedIP.size();
\r
297 if(deniedID!=null)initSize+=deniedID.size();
\r
298 ArrayList<String> al = new ArrayList<String>(initSize);
\r
299 if(deniedID!=null) {
\r
300 for(Counter c : deniedID.values()) {
\r
301 al.add(c.toString());
\r
304 if(deniedIP!=null) {
\r
305 for(Counter c : deniedIP.values()) {
\r
306 al.add(c.toString());
\r
312 public static class Counter {
\r
313 private final String name;
\r
314 private int count = 0;
\r
315 private Date first;
\r
316 private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
\r
318 public Counter(String name) {
\r
325 public String getName() {
\r
329 public int getCount() {
\r
333 public long getLast() {
\r
338 * Only allow Denial of ServiceTaf to increment
\r
340 private synchronized void inc() {
\r
342 last = System.currentTimeMillis();
\r
344 first = new Date(last);
\r
348 public String toString() {
\r
350 return name + " is on the denied list, but has not attempted Access";
\r
354 " has been denied " +
\r
358 ". Last denial was " +
\r
363 public static TafResp respDenyID(Access access, String identity) {
\r
364 return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");
\r
367 public static TafResp respDenyIP(Access access, String ip) {
\r
368 return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");
\r