55985
|
1 |
/*
|
|
2 |
* To change this license header, choose License Headers in Project Properties.
|
|
3 |
* To change this template file, choose Tools | Templates
|
|
4 |
* and open the template in the editor.
|
|
5 |
*/
|
|
6 |
package javax.management.remote.rest;
|
|
7 |
|
|
8 |
import com.oracle.jmx.remote.rest.http.PostRequestHandler;
|
|
9 |
import com.oracle.jmx.remote.rest.http.GetRequestHandler;
|
|
10 |
import com.sun.jmx.remote.security.JMXPluggableAuthenticator;
|
|
11 |
import com.sun.jmx.remote.security.JMXSubjectDomainCombiner;
|
|
12 |
import com.sun.jmx.remote.security.SubjectDelegator;
|
|
13 |
import com.sun.net.httpserver.*;
|
|
14 |
|
|
15 |
import javax.management.*;
|
|
16 |
import javax.management.relation.MBeanServerNotificationFilter;
|
|
17 |
import javax.management.remote.JMXAuthenticator;
|
|
18 |
import com.oracle.jmx.remote.rest.json.JSONArray;
|
|
19 |
import com.oracle.jmx.remote.rest.json.JSONObject;
|
|
20 |
import com.oracle.jmx.remote.rest.json.JSONPrimitive;
|
|
21 |
import com.oracle.jmx.remote.rest.mapper.JSONMappingFactory;
|
|
22 |
import javax.security.auth.Subject;
|
|
23 |
import java.io.*;
|
|
24 |
import java.lang.reflect.InvocationHandler;
|
|
25 |
import java.lang.reflect.Method;
|
|
26 |
import java.lang.reflect.Proxy;
|
|
27 |
import java.net.*;
|
|
28 |
import java.security.AccessControlContext;
|
|
29 |
import java.security.AccessController;
|
|
30 |
import java.security.PrivilegedAction;
|
|
31 |
import java.util.*;
|
|
32 |
import com.sun.net.httpserver.Authenticator;
|
|
33 |
|
|
34 |
/**
|
|
35 |
* @author harsha
|
|
36 |
*/
|
|
37 |
public final class JmxRestAdapterImpl implements JmxRestAdapter, NotificationListener {
|
|
38 |
|
|
39 |
// TODO: These should be wrapped in ReadWriteLock
|
|
40 |
private static final Map<String, MBeanServer> authMBeanServer = new HashMap<>();
|
|
41 |
final List<String> allowedMbeans = new ArrayList<>();
|
|
42 |
private final HttpServer httpServer;
|
|
43 |
private final String contextStr;
|
|
44 |
private final Map<String, ?> env;
|
|
45 |
private final MBeanServer mbeanServer;
|
|
46 |
private final String realm = "";
|
|
47 |
private final GetRequestHandler getHandler;
|
|
48 |
private final PostRequestHandler postHandler;
|
|
49 |
private HttpContext httpContext;
|
|
50 |
private JMXAuthenticator authenticator = null;
|
|
51 |
private boolean started = false;
|
|
52 |
|
|
53 |
JmxRestAdapterImpl(HttpServer hServer, String context, Map<String, ?> env, MBeanServer mbeanServer) {
|
|
54 |
httpServer = hServer;
|
|
55 |
this.contextStr = context;
|
|
56 |
this.env = env;
|
|
57 |
this.mbeanServer = mbeanServer;
|
|
58 |
if (env.get("jmx.remote.x.authentication") != null) {
|
|
59 |
authenticator = (JMXAuthenticator) env.get(JmxRestAdapterImpl.AUTHENTICATOR);
|
|
60 |
if (authenticator == null) {
|
|
61 |
if (env.get("jmx.remote.x.password.file") != null
|
|
62 |
|| env.get("jmx.remote.x.login.config") != null) {
|
|
63 |
authenticator = new JMXPluggableAuthenticator(env);
|
|
64 |
} else {
|
|
65 |
// Throw exception for invalid authentication config
|
|
66 |
}
|
|
67 |
}
|
|
68 |
}
|
|
69 |
introspectMBeanTypes(mbeanServer);
|
|
70 |
MBeanServerNotificationFilter filter = new MBeanServerNotificationFilter();
|
|
71 |
filter.enableAllObjectNames();
|
|
72 |
try {
|
|
73 |
mbeanServer.addNotificationListener(MBeanServerDelegate.DELEGATE_NAME, this, filter, null);
|
|
74 |
} catch (InstanceNotFoundException ex) {
|
|
75 |
}
|
|
76 |
getHandler = new GetRequestHandler(mbeanServer, allowedMbeans);
|
|
77 |
postHandler = new PostRequestHandler(mbeanServer, allowedMbeans);
|
|
78 |
}
|
|
79 |
|
|
80 |
@Override
|
|
81 |
public synchronized void start() {
|
|
82 |
if (!started) {
|
|
83 |
httpContext = httpServer.createContext("/jmx/" + contextStr + "/", new DefaultHTTPHandler());
|
|
84 |
if (env.get("jmx.remote.x.authentication") != null) {
|
|
85 |
httpContext.setAuthenticator(new BasicAuthenticator());
|
|
86 |
}
|
|
87 |
started = true;
|
|
88 |
}
|
|
89 |
}
|
|
90 |
|
|
91 |
@Override
|
|
92 |
public synchronized void stop() {
|
|
93 |
if (!started) {
|
|
94 |
throw new IllegalStateException("Rest Adapter not started yet");
|
|
95 |
}
|
|
96 |
httpServer.removeContext(httpContext);
|
|
97 |
started = false;
|
|
98 |
}
|
|
99 |
|
|
100 |
@Override
|
|
101 |
public String getBaseUrl() {
|
|
102 |
if (!started) {
|
|
103 |
throw new IllegalStateException("Adapter not started");
|
|
104 |
}
|
|
105 |
try {
|
|
106 |
if (httpServer instanceof HttpsServer) {
|
|
107 |
return "https://" + InetAddress.getLocalHost().getHostName() + ":" + httpServer.getAddress().getPort() + "/jmx/" + contextStr + "/";
|
|
108 |
}
|
|
109 |
return "http://" + InetAddress.getLocalHost().getHostName() + ":" + httpServer.getAddress().getPort() + "/jmx/" + contextStr + "/";
|
|
110 |
} catch (UnknownHostException ex) {
|
|
111 |
return "http://localhost" + ":" + httpServer.getAddress().getPort() + "/jmx/" + contextStr + "/";
|
|
112 |
}
|
|
113 |
}
|
|
114 |
|
|
115 |
@Override
|
|
116 |
public MBeanServer getMBeanServer() {
|
|
117 |
return mbeanServer;
|
|
118 |
}
|
|
119 |
|
|
120 |
private boolean isMBeanAllowed(ObjectName objName) {
|
|
121 |
try {
|
|
122 |
MBeanInfo mInfo = mbeanServer.getMBeanInfo(objName);
|
|
123 |
MBeanAttributeInfo[] attrsInfo = mInfo.getAttributes();
|
|
124 |
for (MBeanAttributeInfo attrInfo : attrsInfo) {
|
|
125 |
String type = attrInfo.getType();
|
|
126 |
if (!JSONMappingFactory.INSTANCE.isTypeMapped(type)) {
|
|
127 |
return false;
|
|
128 |
}
|
|
129 |
}
|
|
130 |
MBeanOperationInfo[] operations = mInfo.getOperations();
|
|
131 |
for (MBeanOperationInfo opInfo : operations) {
|
|
132 |
MBeanParameterInfo[] signature = opInfo.getSignature();
|
|
133 |
for (MBeanParameterInfo sig : signature) {
|
|
134 |
if (!JSONMappingFactory.INSTANCE.isTypeMapped(sig.getType())) {
|
|
135 |
return false;
|
|
136 |
}
|
|
137 |
}
|
|
138 |
if (!JSONMappingFactory.INSTANCE.isTypeMapped(opInfo.getReturnType())) {
|
|
139 |
return false;
|
|
140 |
}
|
|
141 |
}
|
|
142 |
return true;
|
|
143 |
} catch (InstanceNotFoundException | IntrospectionException | ReflectionException | ClassNotFoundException ex) {
|
|
144 |
ex.printStackTrace();
|
|
145 |
return false;
|
|
146 |
}
|
|
147 |
}
|
|
148 |
|
|
149 |
private void introspectMBeanTypes(MBeanServer server) {
|
|
150 |
if (allowedMbeans.isEmpty()) {
|
|
151 |
Set<ObjectInstance> allMBeans = server.queryMBeans(null, null); // get all Mbeans
|
|
152 |
allMBeans.stream().filter((objIns) -> (isMBeanAllowed(objIns.getObjectName())))
|
|
153 |
.forEachOrdered(objIns -> allowedMbeans.add(objIns.getObjectName().toString()));
|
|
154 |
}
|
|
155 |
}
|
|
156 |
|
|
157 |
@Override
|
|
158 |
public void handleNotification(Notification notification, Object handback) {
|
|
159 |
try {
|
|
160 |
MBeanServerNotification mbs = (MBeanServerNotification) notification;
|
|
161 |
if (MBeanServerNotification.REGISTRATION_NOTIFICATION.equals(mbs.getType())) {
|
|
162 |
ObjectName mBeanName = mbs.getMBeanName();
|
|
163 |
if (isMBeanAllowed(mBeanName)) {
|
|
164 |
allowedMbeans.add(mBeanName.toString());
|
|
165 |
}
|
|
166 |
} else if (MBeanServerNotification.UNREGISTRATION_NOTIFICATION.equals(mbs.getType())) {
|
|
167 |
if (allowedMbeans.contains(mbs.getMBeanName().toString())) {
|
|
168 |
allowedMbeans.remove(mbs.getMBeanName().toString());
|
|
169 |
}
|
|
170 |
}
|
|
171 |
} catch (Exception e) {
|
|
172 |
}
|
|
173 |
}
|
|
174 |
|
|
175 |
private MBeanServer getMBeanServerProxy(MBeanServer mbeaServer, Subject subject) {
|
|
176 |
return (MBeanServer) Proxy.newProxyInstance(MBeanServer.class.getClassLoader(),
|
|
177 |
new Class<?>[]{MBeanServer.class},
|
|
178 |
new AuthInvocationHandler(mbeaServer, subject));
|
|
179 |
}
|
|
180 |
|
|
181 |
private static class HttpUtil {
|
|
182 |
|
|
183 |
public static String getRequestCharset(HttpExchange ex) {
|
|
184 |
String charset = null;
|
|
185 |
List<String> contentType = ex.getRequestHeaders().get("Content-type");
|
|
186 |
if (contentType != null) {
|
|
187 |
for (String kv : contentType) {
|
|
188 |
for (String value : kv.split(";")) {
|
|
189 |
value = value.trim();
|
|
190 |
if (value.toLowerCase().startsWith("charset=")) {
|
|
191 |
charset = value.substring("charset=".length());
|
|
192 |
}
|
|
193 |
}
|
|
194 |
}
|
|
195 |
}
|
|
196 |
return charset;
|
|
197 |
}
|
|
198 |
|
|
199 |
public static String getAcceptCharset(HttpExchange ex) {
|
|
200 |
List<String> acceptCharset = ex.getRequestHeaders().get("Accept-Charset");
|
|
201 |
if (acceptCharset != null && acceptCharset.size() > 0) {
|
|
202 |
return acceptCharset.get(0);
|
|
203 |
}
|
|
204 |
return null;
|
|
205 |
}
|
|
206 |
|
|
207 |
public static String getGetRequestResource(HttpExchange ex, String charset) throws UnsupportedEncodingException {
|
|
208 |
String httpHandlerPath = ex.getHttpContext().getPath();
|
|
209 |
String requestURIpath = ex.getRequestURI().getPath();
|
|
210 |
String getRequestPath = requestURIpath.substring(httpHandlerPath.length());
|
|
211 |
if (charset != null) {
|
|
212 |
return URLDecoder.decode(getRequestPath, charset);
|
|
213 |
} else {
|
|
214 |
return getRequestPath;
|
|
215 |
}
|
|
216 |
}
|
|
217 |
|
|
218 |
public static String getGetRequestQuery(HttpExchange ex, String charset) throws UnsupportedEncodingException {
|
|
219 |
String query = ex.getRequestURI().getQuery();
|
|
220 |
if (charset != null && query != null) {
|
|
221 |
return URLDecoder.decode(query, charset);
|
|
222 |
} else {
|
|
223 |
return query;
|
|
224 |
}
|
|
225 |
}
|
|
226 |
}
|
|
227 |
|
|
228 |
private class BasicAuthenticator extends Authenticator {
|
|
229 |
|
|
230 |
@Override
|
|
231 |
public Authenticator.Result authenticate(HttpExchange he) {
|
|
232 |
Headers rmap = he.getRequestHeaders();
|
|
233 |
String auth = rmap.getFirst("Authorization");
|
|
234 |
if (auth == null) {
|
|
235 |
Headers map = he.getResponseHeaders();
|
|
236 |
map.set("WWW-Authenticate", "Basic realm=" + realm);
|
|
237 |
return new Authenticator.Retry(401);
|
|
238 |
}
|
|
239 |
int sp = auth.indexOf(' ');
|
|
240 |
if (sp == -1 || !auth.substring(0, sp).equals("Basic")) {
|
|
241 |
return new Authenticator.Failure(401);
|
|
242 |
}
|
|
243 |
byte[] b = Base64.getDecoder().decode(auth.substring(sp + 1));
|
|
244 |
String credentials = new String(b);
|
|
245 |
int colon = credentials.indexOf(':');
|
|
246 |
String uname = credentials.substring(0, colon);
|
|
247 |
String pass = credentials.substring(colon + 1);
|
|
248 |
|
|
249 |
if (authMBeanServer.containsKey(credentials)) {
|
|
250 |
return new Authenticator.Success(new HttpPrincipal(uname, realm));
|
|
251 |
} else {
|
|
252 |
Subject subject = null;
|
|
253 |
if (authenticator != null) {
|
|
254 |
String[] credential = new String[]{uname, pass};
|
|
255 |
try {
|
|
256 |
subject = authenticator.authenticate(credential);
|
|
257 |
} catch (SecurityException e) {
|
|
258 |
return new Authenticator.Failure(400);
|
|
259 |
}
|
|
260 |
}
|
|
261 |
MBeanServer proxy = getMBeanServerProxy(mbeanServer, subject);
|
|
262 |
authMBeanServer.put(credentials, proxy);
|
|
263 |
return new Authenticator.Success(new HttpPrincipal(uname, realm));
|
|
264 |
}
|
|
265 |
}
|
|
266 |
}
|
|
267 |
|
|
268 |
private class AuthInvocationHandler implements InvocationHandler {
|
|
269 |
|
|
270 |
private final MBeanServer mbeanServer;
|
|
271 |
private final AccessControlContext acc;
|
|
272 |
|
|
273 |
public AuthInvocationHandler(MBeanServer server, Subject subject) {
|
|
274 |
this.mbeanServer = server;
|
|
275 |
if (subject == null) {
|
|
276 |
this.acc = null;
|
|
277 |
} else {
|
|
278 |
if (SubjectDelegator.checkRemoveCallerContext(subject)) {
|
|
279 |
acc = JMXSubjectDomainCombiner.getDomainCombinerContext(subject);
|
|
280 |
} else {
|
|
281 |
acc = JMXSubjectDomainCombiner.getContext(subject);
|
|
282 |
}
|
|
283 |
}
|
|
284 |
}
|
|
285 |
|
|
286 |
@Override
|
|
287 |
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
|
|
288 |
if (acc == null) {
|
|
289 |
return method.invoke(mbeanServer, args);
|
|
290 |
} else {
|
|
291 |
PrivilegedAction<Object> op = () -> {
|
|
292 |
try {
|
|
293 |
return method.invoke(mbeanServer, args);
|
|
294 |
} catch (Exception ex) {
|
|
295 |
}
|
|
296 |
return null;
|
|
297 |
};
|
|
298 |
return AccessController.doPrivileged(op, acc);
|
|
299 |
}
|
|
300 |
}
|
|
301 |
}
|
|
302 |
|
|
303 |
private class DefaultHTTPHandler implements HttpHandler {
|
|
304 |
|
|
305 |
Map<String, List<String>> allowedMbeans = new HashMap<>();
|
|
306 |
|
|
307 |
DefaultHTTPHandler() {
|
|
308 |
}
|
|
309 |
|
|
310 |
@Override
|
|
311 |
public void handle(HttpExchange he) throws IOException {
|
|
312 |
MBeanServer server = mbeanServer;
|
|
313 |
if (env.get("jmx.remote.x.authentication") != null) {
|
|
314 |
Headers rmap = he.getRequestHeaders();
|
|
315 |
String auth = rmap.getFirst("Authorization");
|
|
316 |
int sp = auth.indexOf(' ');
|
|
317 |
byte[] b = Base64.getDecoder().decode(auth.substring(sp + 1));
|
|
318 |
String authCredentials = new String(b);
|
|
319 |
server = authMBeanServer.get(authCredentials);
|
|
320 |
if (server == null) {
|
|
321 |
throw new IllegalArgumentException("Invalid HTTP request Headers");
|
|
322 |
}
|
|
323 |
}
|
|
324 |
|
|
325 |
String charset = HttpUtil.getRequestCharset(he);
|
|
326 |
try {
|
|
327 |
switch (he.getRequestMethod()) {
|
|
328 |
case "GET":
|
|
329 |
JSONObject resp = getHandler.handle(HttpUtil.getGetRequestResource(he, charset),
|
|
330 |
HttpUtil.getGetRequestQuery(he, charset));
|
|
331 |
sendResponse(he, resp.toJsonString(), ((Long) (((JSONPrimitive) resp.get("status")).getValue())).intValue(), charset);
|
|
332 |
break;
|
|
333 |
case "POST":
|
|
334 |
String requestBody = readRequestBody(he, charset);
|
|
335 |
List<JSONObject> responses = postHandler.handle(requestBody);
|
|
336 |
if (responses.size() == 1) {
|
|
337 |
JSONObject jobj = responses.get(0);
|
|
338 |
sendResponse(he, jobj.toJsonString(), ((Long) (((JSONPrimitive) responses.get(0).get("status")).getValue())).intValue(), charset);
|
|
339 |
} else {
|
|
340 |
int finalCode = HttpURLConnection.HTTP_OK;
|
|
341 |
boolean isHttpOkPresent = responses.stream()
|
|
342 |
.filter(r -> ((Long) (((JSONPrimitive) responses.get(0).get("status")).getValue())).intValue() == HttpURLConnection.HTTP_OK)
|
|
343 |
.findFirst().isPresent();
|
|
344 |
if (!isHttpOkPresent) {
|
|
345 |
finalCode = ((Long) (((JSONPrimitive) responses.get(0).get("status")).getValue())).intValue();
|
|
346 |
}
|
|
347 |
|
|
348 |
JSONArray jarr = new JSONArray();
|
|
349 |
responses.forEach(r -> jarr.add(r));
|
|
350 |
JSONObject jobj = new JSONObject();
|
|
351 |
jobj.put("status", new JSONPrimitive(finalCode));
|
|
352 |
jobj.put("result", jarr);
|
|
353 |
String finalResult = jobj.toJsonString();
|
|
354 |
sendResponse(he, finalResult, finalCode, charset);
|
|
355 |
}
|
|
356 |
break;
|
|
357 |
default:
|
|
358 |
sendResponse(he, "Not supported", HttpURLConnection.HTTP_BAD_METHOD, charset);
|
|
359 |
break;
|
|
360 |
}
|
|
361 |
} catch (Throwable t) {
|
|
362 |
t.printStackTrace();
|
|
363 |
}
|
|
364 |
}
|
|
365 |
|
|
366 |
private String readRequestBody(HttpExchange he, String charset) throws IOException {
|
|
367 |
StringBuilder stringBuilder = new StringBuilder();
|
|
368 |
InputStreamReader in = charset != null ? new InputStreamReader(he.getRequestBody(), charset) : new InputStreamReader(he.getRequestBody());
|
|
369 |
BufferedReader br = new BufferedReader(in);
|
|
370 |
String line;
|
|
371 |
while ((line = br.readLine()) != null) {
|
|
372 |
String decode = charset != null ? URLDecoder.decode(line, charset) : line;
|
|
373 |
stringBuilder.append(decode);
|
|
374 |
}
|
|
375 |
return stringBuilder.toString();
|
|
376 |
}
|
|
377 |
|
|
378 |
private void sendResponse(HttpExchange exchange, String response, int code, String charset) throws IOException {
|
|
379 |
String acceptCharset = HttpUtil.getAcceptCharset(exchange);
|
|
380 |
if (acceptCharset != null) {
|
|
381 |
charset = acceptCharset;
|
|
382 |
}
|
|
383 |
|
|
384 |
// Set response headers explicitly
|
|
385 |
String msg = charset == null ? response : URLEncoder.encode(response, charset);
|
|
386 |
byte[] bytes = msg.getBytes();
|
|
387 |
Headers resHeaders = exchange.getResponseHeaders();
|
|
388 |
resHeaders.add("Content-Type", "application/json; charset=" + charset);
|
|
389 |
|
|
390 |
exchange.sendResponseHeaders(code, bytes.length);
|
|
391 |
try (OutputStream os = exchange.getResponseBody()) {
|
|
392 |
os.write(bytes);
|
|
393 |
}
|
|
394 |
}
|
|
395 |
}
|
|
396 |
}
|