2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.taf.dos;
24 import java.io.BufferedReader;
26 import java.io.FileOutputStream;
27 import java.io.FileReader;
28 import java.io.IOException;
29 import java.io.PrintStream;
30 import java.util.ArrayList;
31 import java.util.Date;
32 import java.util.HashMap;
33 import java.util.List;
36 import javax.servlet.http.HttpServletRequest;
37 import javax.servlet.http.HttpServletResponse;
39 import org.onap.aaf.cadi.Access;
40 import org.onap.aaf.cadi.CachedPrincipal;
41 import org.onap.aaf.cadi.CadiException;
42 import org.onap.aaf.cadi.CachedPrincipal.Resp;
43 import org.onap.aaf.cadi.Taf.LifeForm;
44 import org.onap.aaf.cadi.config.Config;
45 import org.onap.aaf.cadi.taf.HttpTaf;
46 import org.onap.aaf.cadi.taf.PuntTafResp;
47 import org.onap.aaf.cadi.taf.TafResp;
48 import org.onap.aaf.cadi.taf.TafResp.RESP;
50 public class DenialOfServiceTaf implements HttpTaf {
51 private static Map<String, Counter> deniedIP=null, deniedID=null;
52 private Access access;
53 private final TafResp puntNotDenied;
54 private static File dosIP, dosID;
60 * @throws CadiException
62 public DenialOfServiceTaf(Access access) throws CadiException {
63 puntNotDenied = new PuntTafResp("DenialOfServiceTaf", "This Transaction is not denied");
65 if(dosIP==null || dosID == null) {
67 if((dirStr = access.getProperty(Config.AAF_DATA_DIR, null))!=null) {
68 dosIP = new File(dirStr+"/dosIP");
70 dosID = new File(dirStr+"/dosID");
77 public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
78 // Performance, when not needed
79 if(deniedIP != null) {
81 Counter c = deniedIP.get(ip=req.getRemoteAddr());
84 return respDenyIP(access,ip);
88 // Note: Can't process Principal, because this is the first TAF, and no Principal is created.
89 // Other TAFs use "isDenied()" on this Object to validate.
94 public Resp revalidate(CachedPrincipal prin, Object state) {
95 // We always return NOT MINE, because DOS Taf does not ever validate
100 * for use in Other TAFs, before they attempt backend validation of
102 public static Counter isDeniedID(String identity) {
104 return deniedID.get(identity);
112 public static Counter isDeniedIP(String ipvX) {
114 return deniedIP.get(ipvX);
120 * Return of "True" means IP has been added.
121 * Return of "False" means IP already added.
126 public static synchronized boolean denyIP(String ip) {
129 deniedIP = new HashMap<>();
130 deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
132 } else if(deniedIP.get(ip)==null) {
133 deniedIP.put(ip, new Counter(ip));
142 private static void writeIP() {
143 if(dosIP!=null && deniedIP!=null) {
144 if(deniedIP.isEmpty()) {
151 fos = new PrintStream(new FileOutputStream(dosIP,false));
153 for(String ip: deniedIP.keySet()) {
159 } catch (IOException e) {
160 e.printStackTrace(System.err);
166 private static void readIP() {
167 if(dosIP!=null && dosIP.exists()) {
170 br = new BufferedReader(new FileReader(dosIP));
173 deniedIP=new HashMap<>();
177 while((line=br.readLine())!=null) {
178 deniedIP.put(line, new Counter(line));
183 } catch (IOException e) {
184 e.printStackTrace(System.err);
191 * Return of "True" means IP has was removed.
192 * Return of "False" means IP wasn't being denied.
197 public static synchronized boolean removeDenyIP(String ip) {
198 if(deniedIP!=null && deniedIP.remove(ip)!=null) {
200 if(deniedIP.isEmpty()) {
209 * Return of "True" means ID has been added.
210 * Return of "False" means ID already added.
215 public static synchronized boolean denyID(String id) {
218 deniedID = new HashMap<>();
219 deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
221 } else if(deniedID.get(id)==null) {
222 deniedID.put(id, new Counter(id));
232 private static void writeID() {
233 if(dosID!=null && deniedID!=null) {
234 if(deniedID.isEmpty()) {
241 fos = new PrintStream(new FileOutputStream(dosID,false));
243 for(String ip: deniedID.keySet()) {
249 } catch (IOException e) {
250 e.printStackTrace(System.err);
256 private static void readID() {
257 if(dosID!=null && dosID.exists()) {
260 br = new BufferedReader(new FileReader(dosID));
263 deniedID=new HashMap<>();
267 while((line=br.readLine())!=null) {
268 deniedID.put(line, new Counter(line));
273 } catch (IOException e) {
274 e.printStackTrace(System.err);
280 * Return of "True" means ID has was removed.
281 * Return of "False" means ID wasn't being denied.
286 public static synchronized boolean removeDenyID(String id) {
287 if(deniedID!=null && deniedID.remove(id)!=null) {
289 if(deniedID.isEmpty()) {
298 public List<String> report() {
300 if(deniedIP!=null)initSize+=deniedIP.size();
301 if(deniedID!=null)initSize+=deniedID.size();
302 ArrayList<String> al = new ArrayList<>(initSize);
304 for(Counter c : deniedID.values()) {
305 al.add(c.toString());
309 for(Counter c : deniedIP.values()) {
310 al.add(c.toString());
316 public static class Counter {
317 private final String name;
318 private int count = 0;
320 private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
322 public Counter(String name) {
329 public String getName() {
333 public int getCount() {
337 public long getLast() {
342 * Only allow Denial of ServiceTaf to increment
344 private synchronized void inc() {
346 last = System.currentTimeMillis();
348 first = new Date(last);
352 public String toString() {
354 return name + " is on the denied list, but has not attempted Access";
358 " has been denied " +
362 ". Last denial was " +
367 public static TafResp respDenyID(Access access, String identity) {
368 return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");
371 public static TafResp respDenyIP(Access access, String ip) {
372 return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");
Code Review / aaf / authz.git / blob