brooklyn-commits mailing list archives

From henev...@apache.org
Subject [1/2] git commit: accept a broader definition for localhost when determining whether a password is needed (e.g. using the public ip is now accepted)
Date Fri, 19 Sep 2014 11:37:51 GMT
Repository: incubator-brooklyn
Updated Branches:
  refs/heads/master 6ca7d456f -> c9fe10e4c


accept a broader definition for localhost when determining whether a password is needed (e.g.
using the public ip is now accepted)


Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/088c642c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/088c642c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/088c642c

Branch: refs/heads/master
Commit: 088c642c8712d4f2ad4964a9849fa7c063ba91e2
Parents: bf78f56
Author: Alex Heneveld <alex.heneveld@cloudsoftcorp.com>
Authored: Fri Sep 19 12:36:51 2014 +0100
Committer: Alex Heneveld <alex.heneveld@cloudsoftcorp.com>
Committed: Fri Sep 19 12:36:51 2014 +0100

----------------------------------------------------------------------
 ...nUserWithRandomPasswordSecurityProvider.java | 13 +++++++--
 .../main/java/brooklyn/util/net/Networking.java | 30 +++++++++++++++-----
 2 files changed, 33 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/088c642c/usage/rest-server/src/main/java/brooklyn/rest/security/provider/BrooklynUserWithRandomPasswordSecurityProvider.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/BrooklynUserWithRandomPasswordSecurityProvider.java
b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/BrooklynUserWithRandomPasswordSecurityProvider.java
index 7034c61..a7c3052 100644
--- a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/BrooklynUserWithRandomPasswordSecurityProvider.java
+++ b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/BrooklynUserWithRandomPasswordSecurityProvider.java
@@ -45,16 +45,23 @@ public class BrooklynUserWithRandomPasswordSecurityProvider extends AbstractSecu
 
     @Override
     public boolean authenticate(HttpSession session, String user, String password) {
-        if (isRemoteAddressLocalhost(session) || (USER.equals(user) && this.password.equals(password)))
{
+        if ((USER.equals(user) && this.password.equals(password)) || isRemoteAddressLocalhost(session))
{
             return allow(session, user);
+        } else {
+            return false;
         }
-        return false;
     }
 
     private boolean isRemoteAddressLocalhost(HttpSession session) {
         Object remoteAddress = session.getAttribute(BrooklynPropertiesSecurityFilter.REMOTE_ADDRESS_SESSION_ATTRIBUTE);
         if (!(remoteAddress instanceof String)) return false;
-        return Networking.isLocalhost((String)remoteAddress);
+        if (Networking.isLocalhost((String)remoteAddress)) {
+            LOG.debug(this+": granting passwordless access to "+session+" originating from
"+remoteAddress);
+            return true;
+        } else {
+            LOG.debug(this+": password required for "+session+" originating from "+remoteAddress);
+            return false;
+        }
     }
 
 }
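Review bot: The two `LOG.debug` calls in `isRemoteAddressLocalhost` record the decision to skip the password check only at debug level, so on a typical production logging configuration a passwordless grant leaves no audit trail, and after this commit that grant also covers every address `Networking.isLocalhost` treats as local (the commit message mentions the public IP). Assuming `LOG` is an SLF4J logger as in Networking.java, I would log the grant branch at info with parameters, e.g. `LOG.info("{}: granting passwordless access to {} originating from {}", this, session, remoteAddress);`, and leave the "password required" branch at debug. The remote address is read from a session attribute that is populated outside this hunk; if the server is fronted by a reverse proxy on the same host, every request would presumably look local, so `authenticate` deserves a Javadoc stating that the bypass assumes direct, unproxied connections.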

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/088c642c/utils/common/src/main/java/brooklyn/util/net/Networking.java
----------------------------------------------------------------------
diff --git a/utils/common/src/main/java/brooklyn/util/net/Networking.java b/utils/common/src/main/java/brooklyn/util/net/Networking.java
index fed78b0..6b26463 100644
--- a/utils/common/src/main/java/brooklyn/util/net/Networking.java
+++ b/utils/common/src/main/java/brooklyn/util/net/Networking.java
@@ -36,6 +36,7 @@ import java.util.regex.Pattern;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import brooklyn.util.exceptions.Exceptions;
 import brooklyn.util.text.Identifiers;
 
 import com.google.common.base.Preconditions;
@@ -369,21 +370,36 @@ public class Networking {
         return true;
     }
 
-    public static boolean isLocalhost(String remoteIp) {
-        if ("127.0.0.1".equals(remoteIp)) return true;
+    /** returns true if the supplied string matches any known IP (v4 or v6) for this machine,
+     * or if it can be resolved to any such address */
+    public static boolean isLocalhost(String remoteAddress) {
+        Map<String, InetAddress> addresses = getLocalAddresses();
+        if (addresses.containsKey(remoteAddress)) return true;
         
+        if ("127.0.0.1".equals(remoteAddress)) return true;
         
+        String modifiedIpV6Address = remoteAddress;
         // IPv6 localhost "ip" strings may vary;
         // comes back as 0:0:0:0:0:0:0:1%1 for me.
         // following deals with the cases which seem likely.
         // (svet suggests using InetAddress parsing but I -- Alex -- am not sure if that's
going to have it's own bugs)
-        
-        if (remoteIp.contains("%")) {
+        if (modifiedIpV6Address.contains("%")) {
             // trim any description %dex
-            remoteIp = remoteIp.substring(0, remoteIp.indexOf("%"));
+            modifiedIpV6Address = modifiedIpV6Address.substring(0, modifiedIpV6Address.indexOf("%"));
+        }
+        if ("0:0:0:0:0:0:0:1".equals(modifiedIpV6Address)) return true;
+        if ("::1".equals(modifiedIpV6Address)) return true;
+        if (addresses.containsKey(remoteAddress) || addresses.containsKey(modifiedIpV6Address))
+            return true;
+        
+        try {
+            InetAddress remote = InetAddress.getByName(remoteAddress);
+            if (addresses.values().contains(remote))
+                return true;
+        } catch (Exception e) {
+            Exceptions.propagateIfFatal(e);
+            log.debug("Error resolving address "+remoteAddress+" when checking if it is local
(assuming not: "+e, e);
         }
-        if ("0:0:0:0:0:0:0:1".equals(remoteIp)) return true;
-        if ("::1".equals(remoteIp)) return true;
         
         return false;
     }
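Review bot: The `InetAddress.getByName(remoteAddress)` fallback resolves host names as well as IP literals, and the other file in this commit uses `isLocalhost` to decide whether a password is required, so an authentication decision can now depend on (and block on) a name lookup whenever the argument is not a literal. If only literals are expected on that path, guard the lookup with something like `if (InetAddresses.isInetAddress(modifiedIpV6Address))` from Guava's `com.google.common.net` (Guava is already imported here), or keep the resolving behaviour in a separately named method and give the security provider a literal-only check. The second `addresses.containsKey(remoteAddress)` repeats the test at the top of the method and can be reduced to `addresses.containsKey(modifiedIpV6Address)`. `getLocalAddresses()` is also called on every invocation; its cost is not visible in this hunk, but if it enumerates interfaces each time it is worth confirming that is acceptable per request.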

