Removed use of deprecated Jetty IPAccessHandler for client filtering.

Upgraded to InetAccessHandler. Added InetPathAccessHandler extension to InetAccessHandler to maintain path patterns capability previously available in IPAccessHandler but lost in InetAccessHandler. Filtering on IPv6 addresses is now supported. Support for deprecated pattern formats such as "192.168." and "192.168.1.1/path" has been removed, but startup automated migration should convert such patterns eventually present in serverClient.
yacy · Dec 8, 2017 · d95b288 · d95b288
1 parent cc7a93e
commit d95b288
Show file tree

Hide file tree

Showing 10 changed files with 759 additions and 41 deletions.
diff --git a/defaults/yacy.init b/defaults/yacy.init
@@ -391,9 +391,9 @@ proxyClient=localhost,127\.0\.0\.1,192\.168\..*,10\..*,0:0:0:0:0:0:0:1.*
 # to prevent that the asked peer knows which peer asks.
 YaCyHop=true
 
-# serverClient: client-ip's that may connect to the web server,
+# serverClient: comma separated client-ip's that may connect to the web server,
 # thus are allowed to use the search service
-# if you set this to another value, search requst from others
+# if you set this to another value, search requests from others
 # are blocked, but you will also be blocked from using others
 # search services.
 serverClient=*

diff --git a/htroot/SettingsAck_p.java b/htroot/SettingsAck_p.java
@@ -35,6 +35,7 @@
 
 import net.yacy.cora.order.Digest;
 import net.yacy.cora.protocol.RequestHeader;
+import net.yacy.http.InetPathAccessHandler;
 import net.yacy.kelondro.util.Formatter;
 import net.yacy.peers.Network;
 import net.yacy.peers.Seed;
@@ -231,14 +232,14 @@ else if (!filter.equals("*")){
                 // testing proxy filter
                 int patternCount = 0;
                 String patternStr = null;
+                final StringTokenizer st = new StringTokenizer(filter,",");
                 try {
-                    final StringTokenizer st = new StringTokenizer(filter,",");
                     while (st.hasMoreTokens()) {
                         patternCount++;
                         patternStr = st.nextToken();
-                        Pattern.compile(patternStr);
+                        InetPathAccessHandler.checkPattern(patternStr);
                     }
-                } catch (final PatternSyntaxException e) {
+                } catch (final IllegalArgumentException e) {
                     prop.put("info", "27");
                     prop.putHTML("info_filter", filter);
                     prop.put("info_nr", patternCount);

diff --git a/htroot/Settings_ServerAccess.inc b/htroot/Settings_ServerAccess.inc
@@ -10,9 +10,9 @@
            from using other peers' indexes for search service.
            However, blocking access may be correct in enterprise environments where you only want to index your
            company's own web pages.<br />
-           Filter have to be entered as IP, IP range or first part of allowed IP's separated by comma (e.g. 10.100.0-100.0-100, 127. ) 
+           Filter have to be entered as IP, IP range or using CIDR notation separated by comma (e.g. 192.168.1.1,2001:db8::ff00:42:8329,192.168.1.10-192.168.1.20,192.168.1.30-40,192.168.2.0/24) 
            further details on format see Jetty 
-           <a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/handler/IPAccessHandler.html" target="_blank">IPAccessHandler</a> docu.
+           <a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/InetAddressSet.html" target="_blank">InetAddressSet</a> documentation.
     </td>
   </tr>
   <tr valign="top">

diff --git a/locales/ru.lng b/locales/ru.lng
@@ -3117,9 +3117,8 @@ If you block access to your server (setting anything else than '*'), then you wi
 from using other peers' indexes for search service.==использование поиска индексов другими узлами.
 However, blocking access may be correct in enterprise environments where you only want to index your==Ограничение доступа может быть полезным в корпоративной сети, где требуется только индексирование 
 company's own web pages.==вэб-страниц компаний.
-Filter have to be entered as IP, IP range or first part of allowed IP's separated by comma (e.g. 10.100.0-100.0-100, 127. )== Фильтр возможен по ip-адресу, по диапазону ip-адресов или по первым числам ip-адреса через запятую, (например  10.100.0-100.0-100, 127.)
-further details on format see Jetty ==Подробную информацию об IPAccessHandler смотрите
-<a href="http://download.eclipse.org/jetty/8.1.14.v20131031/apidocs/org/eclipse/jetty/server/handler/IPAccessHandler.html" target="_blank">IPAccessHandler</a> docu.==<a href="http://download.eclipse.org/jetty/8.1.14.v20131031/apidocs/org/eclipse/jetty/server/handler/IPAccessHandler.html" target="_blank">здесь</a>.
+further details on format see Jetty ==Подробную информацию об InetAddressSet смотрите
+<a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/InetAddressSet.html" target="_blank">InetAddressSet</a> documentation.==<a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/InetAddressSet.html" target="_blank">здесь</a>.
 fileHost:==Размещение файлов:
 staticIP (optional):==Постоянный IP-адрес (необязательно):
 <strong>The staticIP can help that your peer can be reached by other peers in case that your==<strong>Использование постоянного IP-адреса может помочь вашему узлу соединиться с другиму узлами

diff --git a/source/net/yacy/http/InetPathAccessHandler.java b/source/net/yacy/http/InetPathAccessHandler.java
@@ -0,0 +1,173 @@
+// InetPathAccessHandler.java
+// Copyright 2017 by luccioman; https://github.com/luccioman
+//
+// This is a part of YaCy, a peer-to-peer based web search engine
+//
+// LICENSE
+//
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 2 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+package net.yacy.http;
+
+import java.io.IOException;
+import java.net.InetAddress;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.eclipse.jetty.http.pathmap.MappedResource;
+import org.eclipse.jetty.http.pathmap.PathMappings;
+import org.eclipse.jetty.http.pathmap.PathSpec;
+import org.eclipse.jetty.server.handler.InetAccessHandler;
+import org.eclipse.jetty.util.InetAddressSet;
+
+/**
+ * InetPathAccessHandler Access Handler
+ * <p>
+ * Extends {@link InetAccessHandler} by adding path patterns capabilities as
+ * previously available in the deprecated IPAccessHandler.
+ * </p>
+ *
+ */
+public class InetPathAccessHandler extends InetAccessHandler {
+
+	/** List of white listed paths mapped to adresses sets */
+	private final PathMappings<InetAddressSet> white = new PathMappings<>();
+
+	/** List of black listed paths mapped to adresses sets */
+	private final PathMappings<InetAddressSet> black = new PathMappings<>();
+
+	/**
+	 * @throws IllegalArgumentException when the pattern is malformed
+	 */
+	@Override
+	public void include(final String pattern) throws IllegalArgumentException {
+		addPattern(pattern, this.white);
+	}
+
+	/**
+	 * @throws IllegalArgumentException when a pattern is malformed
+	 */
+	@Override
+	public void include(final String... patterns) throws IllegalArgumentException  {
+		for (final String pattern : patterns) {
+			include(pattern);
+		}
+	}
+
+	/**
+	 * @throws IllegalArgumentException when the pattern is malformed
+	 */
+	@Override
+	public void exclude(final String pattern) throws IllegalArgumentException {
+		addPattern(pattern, this.black);
+	}
+
+	/**
+	 * @throws IllegalArgumentException when a pattern is malformed
+	 */
+	@Override
+	public void exclude(final String... patterns) throws IllegalArgumentException {
+		for (final String pattern : patterns) {
+			exclude(pattern);
+		}
+	}
+
+	/**
+	 * Helper method to parse the new pattern and add it to the specified mapping.
+	 *
+	 * @param pattern
+	 *            a new pattern to process
+	 * @param pathMappings
+	 *            target mapping from paths to addresses sets. Must not be null.
+	 * @throws IllegalArgumentException
+	 *             when the pattern is malformed
+	 */
+	protected void addPattern(final String pattern, final PathMappings<InetAddressSet> pathMappings)
+			throws IllegalArgumentException {
+		if (pattern != null && !pattern.isEmpty()) {
+			final int idx = pattern.indexOf('|');
+
+			final String addr = idx > 0 ? pattern.substring(0, idx) : pattern;
+			final String path = (idx > 0 && (pattern.length() > idx + 1)) ? pattern.substring(idx + 1) : "/*";
+
+			if (!addr.isEmpty()) {
+				final PathSpec pathSpec = PathMappings.asPathSpec(path);
+				InetAddressSet addresses = pathMappings.get(pathSpec);
+				if (addresses == null) {
+					addresses = new InetAddressSet();
+					pathMappings.put(pathSpec, addresses);
+				}
+				addresses.add(addr);
+
+			}
+		}
+	}
+
+	/**
+	 * Helper method to check pattern syntax.
+	 *
+	 * @param pattern pattern to check for syntax errors
+	 * @throws IllegalArgumentException
+	 *             when the pattern is malformed
+	 */
+	public static void checkPattern(final String pattern) throws IllegalArgumentException {
+		new InetPathAccessHandler().include(pattern);
+	}
+
+	@Override
+	protected boolean isAllowed(final InetAddress address, final HttpServletRequest request) {
+		return isAllowed(address, request.getPathInfo());
+	}
+
+	/**
+	 * Check whether the given address and path are allowed by current rules.
+	 * 
+	 * @param address
+	 *            the address to check
+	 * @param path
+	 *            an eventual path string starting with "/"
+	 * @return true when allowed
+	 */
+	protected boolean isAllowed(final InetAddress address, final String path) {
+		boolean allowed = true;
+		final String nonNullPath = path != null ? path : "/";
+		if (this.white.size() > 0) {
+			/* Non empty white list patterns : MUST match at least one of it */
+			allowed = false;
+			for (final MappedResource<InetAddressSet> mapping : this.white.getMatches(nonNullPath)) {
+				if (mapping.getResource().test(address)) {
+					allowed = true;
+					break;
+				}
+			}
+		}
+		if (allowed) {
+			/* Finally check against black list patterns even when the first step passed */
+			for (final MappedResource<InetAddressSet> mapping : this.black.getMatches(nonNullPath)) {
+				if (mapping.getResource().test(address)) {
+					allowed = false;
+					break;
+				}
+			}
+		}
+		return allowed;
+	}
+
+	@Override
+	public void dump(final Appendable out, final String indent) throws IOException {
+		this.dumpBeans(out, indent, this.white.getMappings(), this.black.getMappings());
+	}
+
+}
diff --git a/source/net/yacy/http/Jetty9HttpServerImpl.java b/source/net/yacy/http/Jetty9HttpServerImpl.java
@@ -27,15 +27,13 @@
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.net.InetAddress;
 import java.security.KeyStore;
 import java.util.StringTokenizer;
+
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import net.yacy.cora.util.ConcurrentLog;
-import net.yacy.http.servlets.YaCyDefaultServlet;
-import net.yacy.search.Switchboard;
-import net.yacy.search.SwitchboardConstants;
-import net.yacy.utils.PKCS12Tool;
+
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
@@ -49,12 +47,18 @@
 import org.eclipse.jetty.server.handler.ContextHandlerCollection;
 import org.eclipse.jetty.server.handler.DefaultHandler;
 import org.eclipse.jetty.server.handler.HandlerList;
-import org.eclipse.jetty.server.handler.IPAccessHandler;
+import org.eclipse.jetty.server.handler.InetAccessHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.webapp.WebAppContext;
 
+import net.yacy.cora.util.ConcurrentLog;
+import net.yacy.http.servlets.YaCyDefaultServlet;
+import net.yacy.search.Switchboard;
+import net.yacy.search.SwitchboardConstants;
+import net.yacy.utils.PKCS12Tool;
+
 /**
  * class to embedded Jetty 9 http server into YaCy
  */
@@ -196,33 +200,44 @@ public Jetty9HttpServerImpl(int port) {
 
         // wrap all handlers
         Handler crashHandler = new CrashProtectionHandler(server, allrequesthandlers);
-        // check server access restriction and add IPAccessHandler if restrictions are needed
+        // check server access restriction and add InetAccessHandler if restrictions are needed
         // otherwise don't (to save performance)
-        String white = sb.getConfig("serverClient", "*");
-        if (!white.equals("*")) { // full ip (allowed ranges 0-255 or prefix  10.0-255,0,0-100  or 127.)
+        final String white = sb.getConfig("serverClient", "*");
+        if (!white.equals("*")) { // full ip (allowed ranges 0-255 or prefix  10.0-255,0,0-100  or CIDR notation 192.168.1.0/24)
             final StringTokenizer st = new StringTokenizer(white, ",");
-            IPAccessHandler iphandler = new IPAccessHandler();
-            int i=0;
+            final InetAccessHandler whiteListHandler;
+			if (white.contains("|")) {
+				/*
+				 * At least one pattern includes a path definition : we must use the
+				 * InetPathAccessHandler as InetAccessHandler doesn't support path patterns
+				 */
+				whiteListHandler = new InetPathAccessHandler();
+			} else {
+				whiteListHandler = new InetAccessHandler();
+			}
+            int i = 0;
             while (st.hasMoreTokens()) {
-                String ip = st.nextToken();
+                final String pattern = st.nextToken();
                 try {
-                    iphandler.addWhite(ip); // accepts only ipv4
-                } catch (IllegalArgumentException nex) { // catch number format exception on non ipv4 input
+                	whiteListHandler.include(pattern);
+                } catch (final IllegalArgumentException nex) { // catch format exception on wrong ip address pattern
                     ConcurrentLog.severe("SERVER", "Server Access Settings - IP filter: " + nex.getMessage());
                     continue;
                 }
                 i++;
             }          
             if (i > 0) {
-                iphandler.addWhite("127.0.0.1"); // allow localhost (loopback addr)
-                iphandler.setHandler(crashHandler);
-                server.setHandler(iphandler);
-                ConcurrentLog.info("SERVER","activated IP access restriction to: [127.0.0.1," + white +"] (this works only correct with start parameter -Djava.net.preferIPv4Stack=true)");
+            	final String loopbackAddress = InetAddress.getLoopbackAddress().getHostAddress();
+            	whiteListHandler.include(loopbackAddress);
+                whiteListHandler.setHandler(crashHandler);
+                this.server.setHandler(whiteListHandler);
+
+                ConcurrentLog.info("SERVER","activated IP access restriction to: [" + loopbackAddress + "," + white +"]");
             } else {
-                server.setHandler(crashHandler); // iphandler not needed
+                server.setHandler(crashHandler); // InetAccessHandler not needed
             }
         } else {
-            server.setHandler(crashHandler); // iphandler not needed
+            server.setHandler(crashHandler); // InetAccessHandler not needed
         }        
     }