implement hostname whitelist and blacklist

Author: d-shapiro

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/HostnameWhitelist.java

@@ -0,0 +1,74 @@
+package com.acuity.iot.dsa.dslink.sys.cert;
+
+import org.iot.dsa.node.DSBool;
+import org.iot.dsa.node.DSElement;
+import org.iot.dsa.node.DSIValue;
+import org.iot.dsa.node.DSInfo;
+import org.iot.dsa.node.DSJavaEnum;
+import org.iot.dsa.node.DSMap;
+import org.iot.dsa.node.DSNode;
+import org.iot.dsa.node.DSValueType;
+import org.iot.dsa.node.action.ActionInvocation;
+import org.iot.dsa.node.action.ActionResult;
+import org.iot.dsa.node.action.DSAbstractAction;
+
+public class HostnameWhitelist extends DSNode {
+    
+    public static enum WhitelistValue {
+        ALLOWED, FORBIDDEN;
+    }
+    
+    private static final String ENABLED = "Enabled";
+    private static final String ADD_HOSTNAME = "Add Hostname";
+    
+    private DSInfo enabled = getInfo(ENABLED);
+    
+    @Override
+    protected void declareDefaults() {
+        super.declareDefaults();
+        declareDefault(ENABLED, DSBool.FALSE);
+        declareDefault(ADD_HOSTNAME, getAddHostnameAction());
+    }
+    
+    public boolean isEnabled() {
+        return enabled.getElement().toBoolean();
+    }
+
+    private DSAbstractAction getAddHostnameAction() {
+        DSAbstractAction act = new DSAbstractAction() {
+            
+            @Override
+            public void prepareParameter(DSInfo info, DSMap parameter) {
+            }
+            
+            @Override
+            public ActionResult invoke(DSInfo info, ActionInvocation invocation) {
+                ((HostnameWhitelist) info.getParent()).addHostname(invocation.getParameters());
+                return null;
+            }
+        };
+        act.addParameter("Hostname", DSValueType.STRING, null);
+        act.addParameter("Status", DSJavaEnum.valueOf(WhitelistValue.ALLOWED), "Whether this hostname should be whitelisted or blacklisted");
+        return act;
+    }
+    
+    private void addHostname(DSMap parameters) {
+        String hostname = parameters.getString("Hostname");
+        DSElement status = parameters.get("Status");
+        put(hostname, status).setRemovable(true);
+    }
+    
+    public WhitelistValue checkHostname(String hostname) {
+        DSIValue value = getValue(hostname);
+        String str = null;
+        if (value != null) {
+            str = value.toElement().toString();
+        }
+        try {
+            return WhitelistValue.valueOf(str);
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+}

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/SysCertManager.java

@@ -23,6 +23,7 @@
 //import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
 import org.iot.dsa.node.DSBool;
 import org.iot.dsa.node.DSInfo;
+import org.iot.dsa.node.DSList;
 import org.iot.dsa.node.DSMap;
 import org.iot.dsa.node.DSNode;
 import org.iot.dsa.node.DSString;
@@ -34,6 +35,7 @@
 import org.iot.dsa.node.action.DSActionValues;
 import org.iot.dsa.security.DSPasswordAes128;
 import org.iot.dsa.util.DSException;
+import com.acuity.iot.dsa.dslink.sys.cert.HostnameWhitelist.WhitelistValue;
 
 /**
  * Certificate management for the whole process.  This is basically a stub for future
@@ -51,6 +53,7 @@ public class SysCertManager extends DSNode {
     private static final String ALLOW_CLIENTS = "Allow_Anonymous_Clients";
     private static final String ALLOW_SERVERS = "Allow_Anonymous_Servers";
     private static final String VERIFY_HOSTNAMES = "Enable Hostname Verification";
+    private static final String HOSTNAME_WHITELIST = "Hostname Whitelist";
     private static final String CERTFILE = "Cert_File";
     private static final String CERTFILE_PASS = "Cert_File_Pass";
     private static final String CERTFILE_TYPE = "Cert_File_Type";
@@ -74,6 +77,7 @@ public class SysCertManager extends DSNode {
     private DSInfo keystoreType = getInfo(CERTFILE_TYPE);
     private CertCollection localTruststore; 
     private CertCollection quarantine;
+    private HostnameWhitelist whitelist;
     private static SysCertManager inst;
 
     private static HostnameVerifier oldHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
@@ -104,6 +108,13 @@ private CertCollection getQuarantine() {
         return quarantine;
     }
 
+    private HostnameWhitelist getHostnameWhitelist() {
+        if (whitelist == null) {
+            whitelist = (HostnameWhitelist) getInfo(HOSTNAME_WHITELIST).getObject();
+        }
+        return whitelist;
+    }
+    
     // Methods
     // -------
 
@@ -130,6 +141,7 @@ public void declareDefaults() {
         declareDefault(ALLOW_CLIENTS, DSBool.FALSE);
         declareDefault(ALLOW_SERVERS, DSBool.TRUE);
         declareDefault(VERIFY_HOSTNAMES, DSBool.TRUE);
+        declareDefault(HOSTNAME_WHITELIST, new HostnameWhitelist());
         declareDefault(CERTFILE, DSString.valueOf("dslink.jks"));
         declareDefault(CERTFILE_TYPE, DSString.valueOf("JKS"));
         declareDefault(CERTFILE_PASS, DSPasswordAes128.valueOf("dsarocks"));
@@ -343,8 +355,18 @@ public void allow(DSInfo certInfo) {
     private class SysHostnameVerifier implements HostnameVerifier {
         @Override
         public boolean verify(String hostname, SSLSession session) {
+            if (getHostnameWhitelist().isEnabled()) {
+                WhitelistValue wlval = getHostnameWhitelist().checkHostname(hostname);
+                if (wlval != null) {
+                    switch (wlval) {
+                        case ALLOWED:
+                            return true;
+                        case FORBIDDEN:
+                            return false;
+                    }
+                }
+            }
             if (hostnameVerificationEnabled()) {
-                //TODO implement whitelist
                 return oldHostnameVerifier.verify(hostname, session);
             } else {
                 return true;