Commit c8ab27b0 authored by Guus der Kinderen's avatar Guus der Kinderen

OF-1007: Reduce code duplication

The code that verifies if an IP is on an (anonymous) whitelist is duplicated. That
code should be centralized, similar to its non-anonymous cousin in LocalClientSession.
parent 5b422b94
......@@ -330,24 +330,7 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo {
IQ response = IQ.createResultIQ(packet);
if (anonymousAllowed) {
// Verify that client can connect from his IP address
boolean forbidAccess = false;
try {
String hostAddress = session.getConnection().getHostAddress();
if (!LocalClientSession.getWhitelistedAnonymousIPs().isEmpty() && !LocalClientSession.getWhitelistedAnonymousIPs().contains( hostAddress )) {
byte[] address = session.getConnection().getAddress();
String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
String range3 = (address[0] & 0xff) + ".*.*.*";
if (!LocalClientSession.getWhitelistedAnonymousIPs().contains(range1) &&
!LocalClientSession.getWhitelistedAnonymousIPs().contains(range2) &&
!LocalClientSession.getWhitelistedAnonymousIPs().contains(range3))
{
forbidAccess = true;
}
}
} catch (UnknownHostException e) {
forbidAccess = true;
}
boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() );
if (forbidAccess) {
// Connection forbidden from that IP address
response.setChildElement(packet.getChildElement().createCopy());
......
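Review bot: The `forbidAccess` local is now only the negation of a single call, so the inverted flag adds an extra step to a security decision; `if (!LocalClientSession.isAllowedAnonymous(session.getConnection())) {` reads directly, and the same applies to the identical line in `SASLAuthentication.doAnonymousAuthentication`. The comment above it could state what is enforced, e.g. `// Refuse anonymous login unless the anonymous allowlist is empty or contains the peer address; address lookup failures are refused too`. With the try/catch removed, the `UnknownHostException` import in both files is probably unused and can be dropped, though the import blocks are not visible here. The enclosing method starts and ends outside this hunk.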
......@@ -472,25 +472,7 @@ public class SASLAuthentication {
private static Status doAnonymousAuthentication(LocalSession session) {
if (XMPPServer.getInstance().getIQAuthHandler().isAnonymousAllowed()) {
// Verify that client can connect from his IP address
boolean forbidAccess = false;
try {
String hostAddress = session.getConnection().getHostAddress();
if (!LocalClientSession.getWhitelistedAnonymousIPs().isEmpty() &&
!LocalClientSession.getWhitelistedAnonymousIPs().contains(hostAddress)) {
byte[] address = session.getConnection().getAddress();
String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
String range3 = (address[0] & 0xff) + ".*.*.*";
if (!LocalClientSession.getWhitelistedAnonymousIPs().contains(range1) &&
!LocalClientSession.getWhitelistedAnonymousIPs().contains(range2) &&
!LocalClientSession.getWhitelistedAnonymousIPs().contains(range3))
{
forbidAccess = true;
}
}
} catch (UnknownHostException e) {
forbidAccess = true;
}
boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() );
if (forbidAccess) {
authenticationFailed(session, Failure.NOT_AUTHORIZED);
return Status.failed;
......
......@@ -31,7 +31,6 @@ import org.jivesoftware.openfire.auth.AuthToken;
import org.jivesoftware.openfire.auth.UnauthorizedException;
import org.jivesoftware.openfire.cluster.ClusterManager;
import org.jivesoftware.openfire.net.SASLAuthentication;
import org.jivesoftware.openfire.net.SocketConnection;
import org.jivesoftware.openfire.privacy.PrivacyList;
import org.jivesoftware.openfire.privacy.PrivacyListManager;
import org.jivesoftware.openfire.spi.ConnectionConfiguration;
......@@ -366,15 +365,25 @@ public class LocalClientSession extends LocalSession implements ClientSession {
boolean forbidAccess = false;
try {
if (!allowedIPs.contains(connection.getHostAddress())) {
byte[] address = connection.getAddress();
String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
String range3 = (address[0] & 0xff) + ".*.*.*";
if (!allowedIPs.contains(range1) && !allowedIPs.contains(range2) && !allowedIPs.contains(range3)) {
forbidAccess = !isAddressInRange( connection.getAddress(), allowedIPs );
}
} catch (UnknownHostException e) {
forbidAccess = true;
}
return !forbidAccess;
}
} catch (UnknownHostException e) {
return true;
}
public static boolean isAllowedAnonymous(Connection connection) {
if (!allowedAnonymIPs.isEmpty()) {
boolean forbidAccess = false;
try {
if (!allowedAnonymIPs.contains(connection.getHostAddress())) {
forbidAccess = !isAddressInRange( connection.getAddress(), allowedAnonymIPs );
}
}
catch (UnknownHostException e){
forbidAccess = true;
}
return !forbidAccess;
......@@ -382,6 +391,15 @@ public class LocalClientSession extends LocalSession implements ClientSession {
return true;
}
// TODO Add IPv6 support
public static boolean isAddressInRange( byte[] address, Set<String> ranges ) {
final String range0 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + "." + (address[3] & 0xff);
final String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
final String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
final String range3 = (address[0] & 0xff) + ".*.*.*";
return ranges.contains(range0) || ranges.contains(range1) || ranges.contains(range2) || ranges.contains(range3);
}
/**
* Sets the list of IP address that are allowed to connect to the server. If the list is
* empty then anyone is allowed to connect to the server except for anonymous users that are
......
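Review bot: `isAddressInRange` in the last hunk reads `address[0]` through `address[3]` without checking the array, so a null or short array throws, and a 16-byte IPv6 address (if `Connection.getAddress()` can return one, which is not visible here) would be matched on its first four bytes against IPv4 patterns such as `a.b.*.*`. For an allowlist the helper should fail closed, with `if (address == null || address.length != 4 || ranges == null) return false;` as its first line; an exact IPv6 entry can still match through the `getHostAddress()` comparison that both callers perform first. Since the method is public, the `// TODO Add IPv6 support` line would be better as Javadoc that lists the four pattern forms it tests and states that non-IPv4 input is never in range.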