ExternalComponentManager.java 22.6 KB
Newer Older
1 2 3 4
/**
 * $Revision: $
 * $Date: $
 *
5
 * Copyright (C) 2005-2008 Jive Software. All rights reserved.
6
 *
7 8 9 10 11 12 13 14 15 16 17
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
18 19
 */

20
package org.jivesoftware.openfire.component;
21

22
import java.sql.Connection;
23 24 25 26 27 28 29 30
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

31
import org.jivesoftware.database.DbConnectionManager;
32
import org.jivesoftware.openfire.ConnectionManager;
33 34 35 36 37
import org.jivesoftware.openfire.SessionManager;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.component.ExternalComponentConfiguration.Permission;
import org.jivesoftware.openfire.session.ComponentSession;
import org.jivesoftware.openfire.session.Session;
38
import org.jivesoftware.util.JiveGlobals;
39
import org.jivesoftware.util.ModificationNotAllowedException;
40 41
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
42 43 44 45 46 47 48 49 50 51 52

/**
 * Manages the connection permissions for external components. When an external component is
 * allowed to connect to this server then a special configuration for the component will be kept.
 * The configuration holds information such as the shared secret that the component should use
 * when authenticating with the server.
 *
 * @author Gaston Dombiak
 */
public class ExternalComponentManager {

53 54
	private static final Logger Log = LoggerFactory.getLogger(ExternalComponentManager.class);

55
    private static final String ADD_CONFIGURATION =
56
        "INSERT INTO ofExtComponentConf (subdomain,wildcard,secret,permission) VALUES (?,?,?,?)";
57
    private static final String DELETE_CONFIGURATION =
58
        "DELETE FROM ofExtComponentConf WHERE subdomain=? and wildcard=?";
59
    private static final String LOAD_CONFIGURATION =
60 61 62
        "SELECT secret,permission FROM ofExtComponentConf where subdomain=? AND wildcard=0";
    private static final String LOAD_WILDCARD_CONFIGURATION =
        "SELECT secret,permission FROM ofExtComponentConf where ? like subdomain AND wildcard=1";
63
    private static final String LOAD_CONFIGURATIONS =
64
        "SELECT subdomain,wildcard,secret FROM ofExtComponentConf where permission=?";
65

66 67 68 69 70 71
    /**
     * List of listeners that will be notified when vCards are created, updated or deleted.
     */
    private static List<ExternalComponentManagerListener> listeners =
            new CopyOnWriteArrayList<ExternalComponentManagerListener>();

72
    public static void setServiceEnabled(boolean enabled) throws ModificationNotAllowedException {
73 74 75 76 77 78 79 80 81 82 83 84 85
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
            listener.serviceEnabled(enabled);
        }
        ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
        connectionManager.enableComponentListener(enabled);
    }

    public static boolean isServiceEnabled() {
        ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
        return connectionManager.isComponentListenerEnabled();
    }

86
    public static void setServicePort(int port) throws ModificationNotAllowedException {
87 88 89 90 91 92 93 94 95 96 97 98 99
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
            listener.portChanged(port);
        }
        ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
        connectionManager.setComponentListenerPort(port);
    }

    public static int getServicePort() {
        ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
        return connectionManager.getComponentListenerPort();
    }

100 101 102 103
    /**
     * Allows an external component to connect to the local server with the specified configuration.
     *
     * @param configuration the configuration for the external component.
104
     * @throws ModificationNotAllowedException if the operation was denied.
105
     */
106
    public static void allowAccess(ExternalComponentConfiguration configuration) throws ModificationNotAllowedException {
107 108
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
109
            listener.componentAllowed(configuration.getSubdomain(), configuration);
110
        }
111
        // Remove any previous configuration for this external component
112
        deleteConfigurationFromDB(configuration);
113 114 115 116 117 118 119 120 121 122
        // Update the database with the new granted permission and configuration
        configuration.setPermission(Permission.allowed);
        addConfiguration(configuration);
    }

    /**
     * Blocks an external component from connecting to the local server. If the component was
     * connected when the permission was revoked then the connection of the entity will be closed.
     *
     * @param subdomain the subdomain of the external component that is not allowed to connect.
123
     * @throws ModificationNotAllowedException if the operation was denied.
124
     */
125
    public static void blockAccess(String subdomain) throws ModificationNotAllowedException {
126 127 128 129
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
            listener.componentBlocked(subdomain);
        }
130
        // Remove any previous configuration for this external component
131
        deleteConfigurationFromDB(getConfiguration(subdomain, false));
132
        // Update the database with the new revoked permission
133
        ExternalComponentConfiguration config = new ExternalComponentConfiguration(subdomain, false, Permission.blocked, null);
134 135
        addConfiguration(config);
        // Check if the component was connected and proceed to close the connection
136
        String domain = subdomain + "." + XMPPServer.getInstance().getServerInfo().getXMPPDomain();
137 138
        Session session = SessionManager.getInstance().getComponentSession(domain);
        if (session != null) {
139
            session.close();
140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
        }
    }

    /**
     * Returns true if the external component with the specified subdomain can connect to the
     * local server.
     *
     * @param subdomain the subdomain of the external component.
     * @return true if the external component with the specified subdomain can connect to the
     *         local server.
     */
    public static boolean canAccess(String subdomain) {
        // By default there is no permission defined for the XMPP entity
        Permission permission = null;

155
        ExternalComponentConfiguration config = getConfiguration(subdomain, true);
156 157 158 159 160 161
        if (config != null) {
            permission = config.getPermission();
        }

        if (PermissionPolicy.blacklist == getPermissionPolicy()) {
            // Anyone can access except those entities listed in the blacklist
162
            return Permission.blocked != permission;
163 164 165
        }
        else {
            // Access is limited to those present in the whitelist
166
            return Permission.allowed == permission;
167 168 169
        }
    }

170 171 172 173 174 175 176 177 178 179 180 181
    /**
     * Returns true if there is a configuration for the specified subdomain. This
     * checking can be used as an indirect way of checking that the specified
     * subdomain belongs to an external component.
     *
     * @param subdomain the subdomain of the external component.
     * @return true if there is a configuration for the specified subdomain.
     */
    public static boolean hasConfiguration(String subdomain) {
        return getConfiguration(subdomain, true) != null;
    }

182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203
    /**
     * Returns the list of registered external components that are allowed to connect to this
     * server when using a whitelist policy. However, when using a blacklist policy (i.e. anyone
     * may connect to the server) the returned list of configurations will be used for obtaining
     * the shared secret specific for each component.
     *
     * @return the configuration of the registered external components.
     */
    public static Collection<ExternalComponentConfiguration> getAllowedComponents() {
        return getConfigurations(Permission.allowed);
    }

    /**
     * Returns the list of external components that are NOT allowed to connect to this
     * server.
     *
     * @return the configuration of the blocked external components.
     */
    public static Collection<ExternalComponentConfiguration> getBlockedComponents() {
        return getConfigurations(Permission.blocked);
    }

204
    public static void updateComponentSecret(String subdomain, String secret) throws ModificationNotAllowedException {
205 206 207 208
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
            listener.componentSecretUpdated(subdomain, secret);
        }
209
        ExternalComponentConfiguration configuration = getConfiguration(subdomain, false);
210 211 212 213
        if (configuration != null) {
            configuration.setPermission(Permission.allowed);
            configuration.setSecret(secret);
            // Remove any previous configuration for this external component
214
            deleteConfigurationFromDB(configuration);
215 216
        }
        else {
217
            configuration = new ExternalComponentConfiguration(subdomain, false, Permission.allowed, secret);
218 219 220 221
        }
        addConfiguration(configuration);
    }

222 223 224 225 226
    /**
     * Removes any existing defined permission and configuration for the specified
     * external component.
     *
     * @param subdomain the subdomain of the external component.
227
     * @throws ModificationNotAllowedException if the operation was denied.
228
     */
229
    public static void deleteConfiguration(String subdomain) throws ModificationNotAllowedException {
230 231 232 233
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
            listener.componentConfigurationDeleted(subdomain);
        }
234

235
        // Proceed to delete the configuration of the component
236
        deleteConfigurationFromDB(getConfiguration(subdomain, false));
237 238 239 240 241 242
    }

    /**
     * Removes any existing defined permission and configuration for the specified
     * external component from the database.
     *
243
     * @param configuration the external component configuration to delete.
244
     */
245 246 247 248 249
    private static void deleteConfigurationFromDB(ExternalComponentConfiguration configuration) {
        if (configuration == null) {
            // Do nothing
            return;
        }
250
        // Remove the permission for the entity from the database
251
        Connection con = null;
252 253 254 255
        PreparedStatement pstmt = null;
        try {
            con = DbConnectionManager.getConnection();
            pstmt = con.prepareStatement(DELETE_CONFIGURATION);
256
            pstmt.setString(1, configuration.getSubdomain() + (configuration.isWildcard() ? "%" : ""));
257
            pstmt.setInt(2, configuration.isWildcard() ? 1 : 0);
258 259 260
            pstmt.executeUpdate();
        }
        catch (SQLException sqle) {
261
            Log.error(sqle.getMessage(), sqle);
262 263
        }
        finally {
264
            DbConnectionManager.closeConnection(pstmt, con);
265 266 267 268 269
        }
    }

    /**
     * Adds a new permission for the specified external component.
270 271
     *
     * @param configuration the new configuration for a component.
272 273 274
     */
    private static void addConfiguration(ExternalComponentConfiguration configuration) {
        // Remove the permission for the entity from the database
275
        Connection con = null;
276 277 278 279
        PreparedStatement pstmt = null;
        try {
            con = DbConnectionManager.getConnection();
            pstmt = con.prepareStatement(ADD_CONFIGURATION);
280 281 282 283
            pstmt.setString(1, configuration.getSubdomain() + (configuration.isWildcard() ? "%" : ""));
            pstmt.setInt(2, configuration.isWildcard() ? 1 : 0);
            pstmt.setString(3, configuration.getSecret());
            pstmt.setString(4, configuration.getPermission().toString());
284 285 286
            pstmt.executeUpdate();
        }
        catch (SQLException sqle) {
287
            Log.error(sqle.getMessage(), sqle);
288 289
        }
        finally {
290
            DbConnectionManager.closeConnection(pstmt, con);
291 292 293 294
        }
    }

    /**
295 296 297
     * Returns the configuration for an external component. A query for the exact requested
     * subdomain will be made. If nothing was found and using wildcards is requested then
     * another query will be made but this time using wildcards.
298 299
     *
     * @param subdomain the subdomain of the external component.
300
     * @param useWildcard true if an attempt to find a subdomain with wildcards should be attempted.
301 302
     * @return the configuration for an external component.
     */
303
    private static ExternalComponentConfiguration getConfiguration(String subdomain, boolean useWildcard) {
304
        ExternalComponentConfiguration configuration = null;
305
        Connection con = null;
306
        PreparedStatement pstmt = null;
307
        ResultSet rs = null;
308
        try {
309
            // Check if there is a configuration for the subdomain
310 311 312
            con = DbConnectionManager.getConnection();
            pstmt = con.prepareStatement(LOAD_CONFIGURATION);
            pstmt.setString(1, subdomain);
313
            rs = pstmt.executeQuery();
314 315

            while (rs.next()) {
316
                configuration = new ExternalComponentConfiguration(subdomain, false, Permission.valueOf(rs.getString(2)),
317
                        rs.getString(1));
318 319 320
            }
        }
        catch (SQLException sqle) {
321
            Log.error(sqle.getMessage(), sqle);
322 323
        }
        finally {
324
            DbConnectionManager.closeConnection(rs, pstmt, con);
325
        }
326 327 328 329 330 331 332 333

        if (configuration == null && useWildcard) {
            // Check if there is a configuration that is using wildcards for domains
            try {
                // Check if there is a configuration for the subdomain
                con = DbConnectionManager.getConnection();
                pstmt = con.prepareStatement(LOAD_WILDCARD_CONFIGURATION);
                pstmt.setString(1, subdomain);
334
                rs = pstmt.executeQuery();
335 336 337 338 339 340 341

                while (rs.next()) {
                    configuration = new ExternalComponentConfiguration(subdomain, true, Permission.valueOf(rs.getString(2)),
                            rs.getString(1));
                }
            }
            catch (SQLException sqle) {
342
                Log.error(sqle.getMessage(), sqle);
343 344
            }
            finally {
345 346
                DbConnectionManager.closeConnection(rs, pstmt, con);
           }
347
        }
348 349 350 351 352 353 354
        return configuration;
    }

    private static Collection<ExternalComponentConfiguration> getConfigurations(
            Permission permission) {
        Collection<ExternalComponentConfiguration> answer =
                new ArrayList<ExternalComponentConfiguration>();
355
        Connection con = null;
356
        PreparedStatement pstmt = null;
357
        ResultSet rs = null;
358 359 360 361
        try {
            con = DbConnectionManager.getConnection();
            pstmt = con.prepareStatement(LOAD_CONFIGURATIONS);
            pstmt.setString(1, permission.toString());
362
            rs = pstmt.executeQuery();
363 364
            ExternalComponentConfiguration configuration;
            while (rs.next()) {
365 366 367 368 369 370
                String subdomain = rs.getString(1);
                boolean wildcard = rs.getInt(2) == 1;
                // Remove the trailing % if using wildcards
                subdomain = wildcard ? subdomain.substring(0, subdomain.length()-1) : subdomain;
                configuration = new ExternalComponentConfiguration(subdomain, wildcard, permission,
                        rs.getString(3));
371 372 373 374
                answer.add(configuration);
            }
        }
        catch (SQLException sqle) {
375
            Log.error(sqle.getMessage(), sqle);
376 377
        }
        finally {
378
            DbConnectionManager.closeConnection(rs, pstmt, con);
379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399
        }
        return answer;
    }

    /**
     * Returns the default secret key to use for those external components that don't have an
     * individual configuration.
     *
     * @return the default secret key to use for those external components that don't have an
     *         individual configuration.
     */
    public static String getDefaultSecret() {
        return JiveGlobals.getProperty("xmpp.component.defaultSecret");
    }

    /**
     * Sets the default secret key to use for those external components that don't have an
     * individual configuration.
     *
     * @param defaultSecret the default secret key to use for those external components that
     *         don't have an individual configuration.
400
     * @throws ModificationNotAllowedException if the operation was denied.
401
     */
402
    public static void setDefaultSecret(String defaultSecret) throws ModificationNotAllowedException {
403 404 405 406
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
            listener.defaultSecretChanged(defaultSecret);
        }
407 408 409 410 411 412 413 414 415 416 417 418 419 420 421
        JiveGlobals.setProperty("xmpp.component.defaultSecret", defaultSecret);
    }

    /**
     * Returns the shared secret with the specified external component. If no shared secret was
     * defined then use the default shared secret.
     *
     * @param subdomain the subdomain of the external component to get his shared secret.
     *        (e.g. conference)
     * @return the shared secret with the specified external component or the default shared secret.
     */
    public static String getSecretForComponent(String subdomain) {
        // By default there is no shared secret defined for the XMPP entity
        String secret = null;

422
        ExternalComponentConfiguration config = getConfiguration(subdomain, true);
423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450
        if (config != null) {
            secret = config.getSecret();
        }

        secret = (secret == null ? getDefaultSecret() : secret);
        if (secret == null) {
            Log.error("Setup for external components is incomplete. Property " +
                    "xmpp.component.defaultSecret does not exist.");
        }
        return secret;
    }

    /**
     * Returns the permission policy being used for new XMPP entities that are trying to
     * connect to the server. There are two types of policies: 1) blacklist: where any entity
     * is allowed to connect to the server except for those listed in the black list and
     * 2) whitelist: where only the entities listed in the white list are allowed to connect to
     * the server.
     *
     * @return the permission policy being used for new XMPP entities that are trying to
     *         connect to the server.
     */
    public static PermissionPolicy getPermissionPolicy() {
        try {
            return PermissionPolicy.valueOf(JiveGlobals.getProperty("xmpp.component.permission",
                    PermissionPolicy.blacklist.toString()));
        }
        catch (Exception e) {
451
            Log.error(e.getMessage(), e);
452 453 454 455 456 457 458 459 460 461 462 463
            return PermissionPolicy.blacklist;
        }
    }

    /**
     * Sets the permission policy being used for new XMPP entities that are trying to
     * connect to the server. There are two types of policies: 1) blacklist: where any entity
     * is allowed to connect to the server except for those listed in the black list and
     * 2) whitelist: where only the entities listed in the white list are allowed to connect to
     * the server.
     *
     * @param policy the new PermissionPolicy to use.
464
     * @throws ModificationNotAllowedException if the operation was denied.
465
     */
466
    public static void setPermissionPolicy(PermissionPolicy policy) throws ModificationNotAllowedException {
467 468 469 470
        // Alert listeners about this event
        for (ExternalComponentManagerListener listener : listeners) {
            listener.permissionPolicyChanged(policy);
        }
471
        JiveGlobals.setProperty("xmpp.component.permission", policy.toString());
472
        // Check if connected components can remain connected to the server
473
        for (ComponentSession session : SessionManager.getInstance().getComponentSessions()) {
474 475
            for (String domain : session.getExternalComponent().getSubdomains()) {
                if (!canAccess(domain)) {
476
                    session.close();
477 478
                    break;
                }
479 480 481 482 483 484 485 486 487 488 489 490
            }
        }
    }

    /**
     * Sets the permission policy being used for new XMPP entities that are trying to
     * connect to the server. There are two types of policies: 1) blacklist: where any entity
     * is allowed to connect to the server except for those listed in the black list and
     * 2) whitelist: where only the entities listed in the white list are allowed to connect to
     * the server.
     *
     * @param policy the new policy to use.
491
     * @throws ModificationNotAllowedException if the operation was denied.
492
     */
493
    public static void setPermissionPolicy(String policy) throws ModificationNotAllowedException {
494 495 496
        setPermissionPolicy(PermissionPolicy.valueOf(policy));
    }

497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518
    /**
     * Registers a listener to receive events when a configuration change happens. Listeners
     * have the chance to deny the operation from happening.
     *
     * @param listener the listener.
     */
    public static void addListener(ExternalComponentManagerListener listener) {
        if (listener == null) {
            throw new NullPointerException();
        }
        listeners.add(listener);
    }

    /**
     * Unregisters a listener to receive events.
     *
     * @param listener the listener.
     */
    public static void removeListener(ExternalComponentManagerListener listener) {
        listeners.remove(listener);
    }

519 520 521 522 523 524 525 526 527 528 529
    public enum PermissionPolicy {
        /**
         * Any XMPP entity is allowed to connect to the server except for those listed in
         * the <b>not allowed list</b>.
         */
        blacklist,

        /**
         * Only the XMPP entities listed in the <b>allowed list</b> are able to connect to
         * the server.
         */
530
        whitelist
531 532
    }
}