+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.taf.dos;\r
-\r
-import java.io.BufferedReader;\r
-import java.io.File;\r
-import java.io.FileOutputStream;\r
-import java.io.FileReader;\r
-import java.io.IOException;\r
-import java.io.PrintStream;\r
-import java.util.ArrayList;\r
-import java.util.Date;\r
-import java.util.HashMap;\r
-import java.util.List;\r
-import java.util.Map;\r
-\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletResponse;\r
-\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.CachedPrincipal;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.CachedPrincipal.Resp;\r
-import org.onap.aaf.cadi.Taf.LifeForm;\r
-import org.onap.aaf.cadi.taf.HttpTaf;\r
-import org.onap.aaf.cadi.taf.PuntTafResp;\r
-import org.onap.aaf.cadi.taf.TafResp;\r
-import org.onap.aaf.cadi.taf.TafResp.RESP;\r
-\r
-public class DenialOfServiceTaf implements HttpTaf {\r
- private static Map<String, Counter> deniedIP=null, deniedID=null;\r
- private Access access;\r
- private static File dosIP, dosID;\r
- \r
- /**\r
- * \r
- * @param hostname\r
- * @param prod\r
- * @throws CadiException\r
- */\r
- public DenialOfServiceTaf(Access access) throws CadiException {\r
- this.access = access;\r
- if(dosIP==null || dosID == null) {\r
- String dirStr;\r
- if((dirStr = access.getProperty("aaf_data_dir", null))!=null) {\r
- dosIP = new File(dirStr+"/dosIP");\r
- readIP();\r
- dosID = new File(dirStr+"/dosID");\r
- readID();\r
- }\r
- }\r
- }\r
-\r
- public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {\r
- // Performance, when not needed\r
- if(deniedIP != null) {\r
- String ip;\r
- Counter c = deniedIP.get(ip=req.getRemoteAddr());\r
- if(c!=null) {\r
- c.inc();\r
- return respDenyIP(access,ip);\r
- }\r
- }\r
- \r
- // Note: Can't process Principal, because this is the first TAF, and no Principal is created.\r
- // Other TAFs use "isDenied()" on this Object to validate.\r
- return PuntTafResp.singleton();\r
- }\r
-\r
- public Resp revalidate(CachedPrincipal prin) {\r
- // We always return NOT MINE, because DOS Taf does not ever validate\r
- return Resp.NOT_MINE;\r
- }\r
-\r
- /*\r
- * for use in Other TAFs, before they attempt backend validation of \r
- */\r
- public static Counter isDeniedID(String identity) {\r
- if(deniedID!=null) {\r
- return deniedID.get(identity);\r
- }\r
- return null;\r
- }\r
- \r
- /**\r
- * \r
- */\r
- public static Counter isDeniedIP(String ipvX) {\r
- if(deniedID!=null) {\r
- return deniedID.get(ipvX);\r
- }\r
- return null;\r
- }\r
-\r
- /**\r
- * Return of "True" means IP has been added.\r
- * Return of "False" means IP already added.\r
- * \r
- * @param ip\r
- * @return\r
- */\r
- public static synchronized boolean denyIP(String ip) {\r
- boolean rv = false;\r
- if(deniedIP==null) {\r
- deniedIP = new HashMap<String,Counter>();\r
- deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent\r
- rv= true;\r
- } else if(deniedIP.get(ip)==null) {\r
- deniedIP.put(ip, new Counter(ip));\r
- rv = true;\r
- }\r
- if(rv) {\r
- writeIP();\r
- }\r
- return rv;\r
- }\r
- \r
- private static void writeIP() {\r
- if(dosIP!=null && deniedIP!=null) {\r
- if(deniedIP.isEmpty()) {\r
- if(dosIP.exists()) {\r
- dosIP.delete();\r
- }\r
- } else {\r
- PrintStream fos;\r
- try {\r
- fos = new PrintStream(new FileOutputStream(dosIP,false));\r
- try {\r
- for(String ip: deniedIP.keySet()) {\r
- fos.println(ip);\r
- }\r
- } finally {\r
- fos.close();\r
- }\r
- } catch (IOException e) {\r
- e.printStackTrace(System.err);\r
- }\r
- }\r
- }\r
- }\r
- \r
- private static void readIP() {\r
- if(dosIP!=null && dosIP.exists()) {\r
- BufferedReader br;\r
- try {\r
- br = new BufferedReader(new FileReader(dosIP));\r
- if(deniedIP==null) {\r
- deniedIP=new HashMap<String,Counter>();\r
- }\r
-\r
- try {\r
- String line;\r
- while((line=br.readLine())!=null) {\r
- deniedIP.put(line, new Counter(line));\r
- }\r
- } finally {\r
- br.close();\r
- }\r
- } catch (IOException e) {\r
- e.printStackTrace(System.err);\r
- }\r
- }\r
- }\r
-\r
-\r
- /**\r
- * Return of "True" means IP has was removed.\r
- * Return of "False" means IP wasn't being denied.\r
- * \r
- * @param ip\r
- * @return\r
- */\r
- public static synchronized boolean removeDenyIP(String ip) {\r
- if(deniedIP!=null && deniedIP.remove(ip)!=null) {\r
- writeIP();\r
- if(deniedIP.isEmpty()) {\r
- deniedIP=null;\r
- }\r
- return true;\r
- }\r
- return false;\r
- }\r
-\r
- /**\r
- * Return of "True" means ID has been added.\r
- * Return of "False" means ID already added.\r
- * \r
- * @param ip\r
- * @return\r
- */\r
- public static synchronized boolean denyID(String id) {\r
- boolean rv = false;\r
- if(deniedID==null) {\r
- deniedID = new HashMap<String,Counter>();\r
- deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent\r
- rv = true;\r
- } else if(deniedID.get(id)==null) {\r
- deniedID.put(id, new Counter(id));\r
- rv = true;\r
- }\r
- if(rv) {\r
- writeID();\r
- }\r
- return rv;\r
-\r
- }\r
-\r
- private static void writeID() {\r
- if(dosID!=null && deniedID!=null) {\r
- if(deniedID.isEmpty()) {\r
- if(dosID.exists()) {\r
- dosID.delete();\r
- }\r
- } else {\r
- PrintStream fos;\r
- try {\r
- fos = new PrintStream(new FileOutputStream(dosID,false));\r
- try {\r
- for(String ip: deniedID.keySet()) {\r
- fos.println(ip);\r
- }\r
- } finally {\r
- fos.close();\r
- }\r
- } catch (IOException e) {\r
- e.printStackTrace(System.err);\r
- }\r
- }\r
- }\r
- }\r
-\r
- private static void readID() {\r
- if(dosID!=null && dosID.exists()) {\r
- BufferedReader br;\r
- try {\r
- br = new BufferedReader(new FileReader(dosID));\r
- if(deniedID==null) {\r
- deniedID=new HashMap<String,Counter>();\r
- }\r
- try {\r
- String line;\r
- while((line=br.readLine())!=null) {\r
- deniedID.put(line, new Counter(line));\r
- }\r
- } finally {\r
- br.close();\r
- }\r
- } catch (IOException e) {\r
- e.printStackTrace(System.err);\r
- }\r
- }\r
- }\r
-\r
- /**\r
- * Return of "True" means ID has was removed.\r
- * Return of "False" means ID wasn't being denied.\r
- * \r
- * @param ip\r
- * @return\r
- */\r
- public static synchronized boolean removeDenyID(String id) {\r
- if(deniedID!=null && deniedID.remove(id)!=null) { \r
- writeID();\r
- if(deniedID.isEmpty()) {\r
- deniedID=null;\r
- }\r
-\r
- return true;\r
- }\r
- return false;\r
- }\r
- \r
- public List<String> report() {\r
- int initSize = 0;\r
- if(deniedIP!=null)initSize+=deniedIP.size();\r
- if(deniedID!=null)initSize+=deniedID.size();\r
- ArrayList<String> al = new ArrayList<String>(initSize);\r
- if(deniedID!=null) {\r
- for(Counter c : deniedID.values()) {\r
- al.add(c.toString());\r
- }\r
- }\r
- if(deniedIP!=null) {\r
- for(Counter c : deniedIP.values()) {\r
- al.add(c.toString());\r
- }\r
- }\r
- return al;\r
- }\r
- \r
- public static class Counter {\r
- private final String name; \r
- private int count = 0;\r
- private Date first;\r
- private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.\r
- \r
- public Counter(String name) {\r
- this.name = name;\r
- first = null;\r
- last = 0L;\r
- count = 0;\r
- }\r
- \r
- public String getName() {\r
- return name;\r
- }\r
- \r
- public int getCount() {\r
- return count;\r
- }\r
-\r
- public long getLast() {\r
- return last;\r
- }\r
- \r
- /*\r
- * Only allow Denial of ServiceTaf to increment\r
- */\r
- private synchronized void inc() {\r
- ++count;\r
- last = System.currentTimeMillis();\r
- if(first==null) {\r
- first = new Date(last);\r
- }\r
- }\r
- \r
- public String toString() {\r
- if(count==0) \r
- return name + " is on the denied list, but has not attempted Access"; \r
- else \r
- return \r
- name +\r
- " has been denied " +\r
- count +\r
- " times since " +\r
- first +\r
- ". Last denial was " +\r
- new Date(last);\r
- }\r
- }\r
-\r
- public static TafResp respDenyID(Access access, String identity) {\r
- return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");\r
- }\r
- \r
- public static TafResp respDenyIP(Access access, String ip) {\r
- return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");\r
- }\r
-\r
-}\r