Commit c8ab27b0 authored by Guus der Kinderen

OF-1007: Reduce code duplication

The code that verifies if an IP is on an (anonymous) whitelist is duplicated. That
code should be centralized, similar to its non-anonymous cousin in LocalClientSession.
parent 5b422b94
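--- a/IQAuthHandler.java
+++ b/IQAuthHandler.java
@@ -330,24 +330,7 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo {
 IQ response = IQ.createResultIQ(packet);
 if (anonymousAllowed) {
 // Verify that client can connect from his IP address
-boolean forbidAccess = false;
-try {
-String hostAddress = session.getConnection().getHostAddress();
-if (!LocalClientSession.getWhitelistedAnonymousIPs().isEmpty() && !LocalClientSession.getWhitelistedAnonymousIPs().contains( hostAddress )) {
-byte[] address = session.getConnection().getAddress();
-String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
-String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
-String range3 = (address[0] & 0xff) + ".*.*.*";
-if (!LocalClientSession.getWhitelistedAnonymousIPs().contains(range1) &&
-!LocalClientSession.getWhitelistedAnonymousIPs().contains(range2) &&
-!LocalClientSession.getWhitelistedAnonymousIPs().contains(range3))
-{
-forbidAccess = true;
-}
-}
-} catch (UnknownHostException e) {
-forbidAccess = true;
-}
+boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() );
 if (forbidAccess) {
 // Connection forbidden from that IP address
 response.setChildElement(packet.getChildElement().createCopy());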
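Review bot: `forbidAccess` at the changed line exists only to feed the `if (forbidAccess)` three lines below, so the result of `isAllowedAnonymous` is negated twice; `if (!LocalClientSession.isAllowedAnonymous(session.getConnection())) {` reads more directly and drops the local. The same shape appears in the SASLAuthentication hunk (`doAnonymousAuthentication`). With the try/catch gone from both callers, the `java.net.UnknownHostException` import in each file is presumably unused unless referenced elsewhere; the import hunks are not shown, so worth confirming before merge. The enclosing method in IQAuthHandler starts and continues outside the hunk.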
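--- a/SASLAuthentication.java
+++ b/SASLAuthentication.java
@@ -472,25 +472,7 @@ public class SASLAuthentication {
 private static Status doAnonymousAuthentication(LocalSession session) {
 if (XMPPServer.getInstance().getIQAuthHandler().isAnonymousAllowed()) {
 // Verify that client can connect from his IP address
-boolean forbidAccess = false;
-try {
-String hostAddress = session.getConnection().getHostAddress();
-if (!LocalClientSession.getWhitelistedAnonymousIPs().isEmpty() &&
-!LocalClientSession.getWhitelistedAnonymousIPs().contains(hostAddress)) {
-byte[] address = session.getConnection().getAddress();
-String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
-String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
-String range3 = (address[0] & 0xff) + ".*.*.*";
-if (!LocalClientSession.getWhitelistedAnonymousIPs().contains(range1) &&
-!LocalClientSession.getWhitelistedAnonymousIPs().contains(range2) &&
-!LocalClientSession.getWhitelistedAnonymousIPs().contains(range3))
-{
-forbidAccess = true;
-}
-}
-} catch (UnknownHostException e) {
-forbidAccess = true;
-}
+boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() );
 if (forbidAccess) {
 authenticationFailed(session, Failure.NOT_AUTHORIZED);
 return Status.failed;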
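--- a/LocalClientSession.java
+++ b/LocalClientSession.java
@@ -31,7 +31,6 @@ import org.jivesoftware.openfire.auth.AuthToken;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.cluster.ClusterManager;
 import org.jivesoftware.openfire.net.SASLAuthentication;
-import org.jivesoftware.openfire.net.SocketConnection;
 import org.jivesoftware.openfire.privacy.PrivacyList;
 import org.jivesoftware.openfire.privacy.PrivacyListManager;
 import org.jivesoftware.openfire.spi.ConnectionConfiguration;
@@ -366,13 +365,7 @@ public class LocalClientSession extends LocalSession implements ClientSession {
 boolean forbidAccess = false;
 try {
 if (!allowedIPs.contains(connection.getHostAddress())) {
-byte[] address = connection.getAddress();
-String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
-String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
-String range3 = (address[0] & 0xff) + ".*.*.*";
-if (!allowedIPs.contains(range1) && !allowedIPs.contains(range2) && !allowedIPs.contains(range3)) {
-forbidAccess = true;
-}
+forbidAccess = !isAddressInRange( connection.getAddress(), allowedIPs );
 }
 } catch (UnknownHostException e) {
 forbidAccess = true;
@@ -382,6 +375,31 @@ public class LocalClientSession extends LocalSession implements ClientSession {
 return true;
 }
+public static boolean isAllowedAnonymous(Connection connection) {
+if (!allowedAnonymIPs.isEmpty()) {
+boolean forbidAccess = false;
+try {
+if (!allowedAnonymIPs.contains(connection.getHostAddress())) {
+forbidAccess = !isAddressInRange( connection.getAddress(), allowedAnonymIPs );
+}
+}
+catch (UnknownHostException e){
+forbidAccess = true;
+}
+return !forbidAccess;
+}
+return true;
+}
+// TODO Add IPv6 support
+public static boolean isAddressInRange( byte[] address, Set<String> ranges ) {
+final String range0 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + "." + (address[3] & 0xff);
+final String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." + (address[2] & 0xff) + ".*";
+final String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
+final String range3 = (address[0] & 0xff) + ".*.*.*";
+return ranges.contains(range0) || ranges.contains(range1) || ranges.contains(range2) || ranges.contains(range3);
+}
 /**
 * Sets the list of IP address that are allowed to connect to the server. If the list is
 * empty then anyone is allowed to connect to the server except for anonymous users that are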
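Review bot: `isAddressInRange` reads `address[0]` through `address[3]` without checking the array length, so if `connection.getAddress()` ever yields a 16-byte IPv6 address the match runs on its first four bytes only, and a wildcard entry written for IPv4 (say `32.*.*.*`) would admit any IPv6 client whose first byte is 0x20, while an array shorter than four bytes throws ArrayIndexOutOfBoundsException past the callers' catch, which handles only UnknownHostException. Until the TODO on IPv6 is done the helper should fail closed, with `if (address == null || address.length != 4) { return false; }` as its first statement. Both new methods are public and carry no Javadoc; `isAddressInRange` should document the four accepted whitelist forms (`a.b.c.d`, `a.b.c.*`, `a.b.*.*`, `a.*.*.*`) and that only IPv4 dotted-quad entries are matched, and `isAllowedAnonymous` should state that an empty whitelist admits everyone, matching the existing Javadoc style of its non-anonymous cousin. The `forbidAccess` flag plus `return !forbidAccess;` in `isAllowedAnonymous` could be simplified by returning the match result directly from each branch. The `isAllowed` body in the second hunk starts and ends outside the hunk.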