From d9572cbdff869801cecc5bf653c3449062de07bc Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Sat, 17 Mar 2007 22:29:12 +0000
Subject: [PATCH] Update the dseecompat access control implementation to provide a mechanism for detecting and warning administrators about the use of non-canonical hostnames in the "dns" bind rule. The dns bind rule requires that all addresses be provided in canonical form or they will not match the intended target.
---
opends/src/server/org/opends/server/authorization/dseecompat/DNS.java | 69 ++++++++++++++++++++++++++++++++++
1 files changed, 69 insertions(+), 0 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java b/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java
index 9bb3171..a2856ff 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java
@@ -29,10 +29,17 @@
import static org.opends.server.authorization.dseecompat.AciMessages.*;
import static org.opends.server.authorization.dseecompat.Aci.*;
+import static org.opends.server.loggers.Error.*;
+import static org.opends.server.loggers.debug.DebugLogger.*;
import static org.opends.server.messages.MessageHandler.getMessage;
+import static org.opends.server.util.StaticUtils.*;
+import java.net.InetAddress;
import java.util.LinkedList;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import org.opends.server.types.DebugLogLevel;
+import org.opends.server.types.ErrorLogCategory;
+import org.opends.server.types.ErrorLogSeverity;
/**
* This class implements the dns bind rule keyword.
@@ -101,6 +108,68 @@
throw new AciException(msgID, message);
}
}
+
+ // If the provided hostname does not contain any wildcard
+ // characters, then it must be the canonical hostname for the
+ // associated IP address. If it is not, then it will not match the
+ // intended target, and we should generate a warning message to let
+ // the administrator know about it. If the provided value does not
+ // match the canonical name for the associated IP address, and the
+ // given hostname is "localhost", then we should treat it specially
+ // and also match the canonical hostname. This is necessary because
+ // "localhost" is likely to be very commonly used in these kinds of
+ // rules and on some systems the canonical representation is
+ // configured to be "localhost.localdomain" which may not be known
+ // to the administrator.
+ if (hn.indexOf("*") < 0)
+ {
+ try
+ {
+ for (InetAddress addr : InetAddress.getAllByName(hn))
+ {
+ String canonicalName = addr.getCanonicalHostName();
+ if (! hn.equalsIgnoreCase(canonicalName))
+ {
+ if (hn.equalsIgnoreCase("localhost") &&
+ (! dns.contains(canonicalName)))
+ {
+ dns.add(canonicalName);
+
+ int msgID =
+ MSGID_ACI_LOCALHOST_DOESNT_MATCH_CANONICAL_VALUE;
+ String message = getMessage(msgID, expr, hn,
+ canonicalName);
+ logError(ErrorLogCategory.ACCESS_CONTROL,
+ ErrorLogSeverity.SEVERE_WARNING, message, msgID);
+ }
+ else
+ {
+ int msgID =
+ MSGID_ACI_HOSTNAME_DOESNT_MATCH_CANONICAL_VALUE;
+ String message = getMessage(msgID, expr,
+ hn, addr.getHostAddress(),
+ addr.getCanonicalHostName());
+ logError(ErrorLogCategory.ACCESS_CONTROL,
+ ErrorLogSeverity.SEVERE_WARNING, message, msgID);
+ }
+ }
+ }
+ }
+ catch (Exception e)
+ {
+ if (debugEnabled())
+ {
+ debugCaught(DebugLogLevel.ERROR, e);
+ }
+
+ int msgID = MSGID_ACI_ERROR_CHECKING_CANONICAL_HOSTNAME;
+ String message = getMessage(msgID, hn, expr,
+ stackTraceToSingleLineString(e));
+ logError(ErrorLogCategory.ACCESS_CONTROL,
+ ErrorLogSeverity.SEVERE_WARNING, message, msgID);
+ }
+ }
+
dns.add(hn);
}
return new DNS(dns, type);
--
Gitblit v1.10.0