Implemented IP whitelisting

pom.xml

@@ -6,14 +6,14 @@
 
     <groupId>com.ryanmichela</groupId>
     <artifactId>SSHD</artifactId>
-    <version>1.3.1</version>
+    <version>1.2</version>
     <url>http://dev.bukkit.org/server-mods/sshd/</url>
 
     <!-- Repositories -->
     <repositories>
         <repository>
-            <id>spigot-repo</id>
+            <id>bukkit-repo</id>
-            <url>https://hub.spigotmc.org/nexus/content/groups/public</url>
+            <url>http://repo.bukkit.org/content/groups/public/</url>
         </repository>
     </repositories>
 
@@ -30,71 +30,27 @@
         <dependency>
             <groupId>org.bukkit</groupId>
             <artifactId>craftbukkit</artifactId>
-            <version>1.12.2-R0.1-SNAPSHOT</version>
+            <version>1.7.9-R0.2</version>
-            <scope>system</scope>
+            <scope>provided</scope>
             <type>jar</type>
-            <systemPath>${basedir}/bukkit-build/bukkit.jar</systemPath>
         </dependency>
-
         <dependency>
             <groupId>org.apache.sshd</groupId>
             <artifactId>sshd-core</artifactId>
-            <version>1.6.0</version>
+            <version>0.9.0</version>
             <scope>compile</scope>
             <type>jar</type>
         </dependency>
-        
-        <dependency>
-            <groupId>org.apache.mina</groupId>
-            <artifactId>mina-core</artifactId>
-            <version>2.0.16</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-api</artifactId>
-            <version>1.7.25</version>
-        </dependency>
-        
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-jdk14</artifactId>
-            <version>1.7.25</version>
-        </dependency>
-
-        <dependency>
-            <groupId>jline</groupId>
-            <artifactId>jline</artifactId>
-            <version>2.12.1</version>
-        </dependency>
-
     </dependencies>
 
     <!-- Build -->
     <build>
         <plugins>
-            <plugin>
-                <artifactId>maven-assembly-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <phase>package</phase>
-                        <goals>
-                            <goal>single</goal>
-                        </goals>
-                    </execution>
-                </executions>
-                <configuration>
-                    <descriptorRefs>
-                        <descriptorRef>jar-with-dependencies</descriptorRef>
-                    </descriptorRefs>
-                </configuration>
-            </plugin>
-            
             <!-- Shade plugin -->
-            <!-- <plugin>
+            <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-shade-plugin</artifactId>
-                <version>1.7</version>
+                <version>1.5</version>
                 <executions>
                     <execution>
                         <phase>package</phase>
@@ -116,16 +72,15 @@
                     </filters>
                     <minimizeJar>true</minimizeJar>
                 </configuration>
-            </plugin>  -->
+            </plugin>
-            
             <!-- Compile plugin -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
                 <version>3.0</version>
                 <configuration>
-                    <source>1.8</source>
+                    <source>1.6</source>
-                    <target>1.8</target>
+                    <target>1.6</target>
                     <showDeprecation>true</showDeprecation>
                 </configuration>
             </plugin>

src/main/java/com/ryanmichela/sshd/CidrUtils.java

@@ -0,0 +1,142 @@
+/*
+* The MIT License
+*
+* Copyright (c) 2013 Edin Dazdarevic (edin.dazdarevic@gmail.com)
+
+* Permission is hereby granted, free of charge, to any person obtaining a copy
+* of this software and associated documentation files (the "Software"), to deal
+* in the Software without restriction, including without limitation the rights
+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+* copies of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+
+* The above copyright notice and this permission notice shall be included in
+* all copies or substantial portions of the Software.
+
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+* THE SOFTWARE.
+*
+* */
+
+package com.ryanmichela.sshd;
+
+import java.math.BigInteger;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * A class that enables to get an IP range from CIDR specification. It supports
+ * both IPv4 and IPv6.
+ */
+public class CIDRUtils {
+    private final String cidr;
+
+    private InetAddress inetAddress;
+    private InetAddress startAddress;
+    private InetAddress endAddress;
+    private final int prefixLength;
+
+
+    public CIDRUtils(String cidr) throws UnknownHostException {
+
+        this.cidr = cidr;
+
+        /* split CIDR to address and prefix part */
+        if (this.cidr.contains("/")) {
+            int index = this.cidr.indexOf("/");
+            String addressPart = this.cidr.substring(0, index);
+            String networkPart = this.cidr.substring(index + 1);
+
+            inetAddress = InetAddress.getByName(addressPart);
+            prefixLength = Integer.parseInt(networkPart);
+
+            calculate();
+        } else {
+            throw new IllegalArgumentException("not an valid CIDR format!");
+        }
+    }
+
+
+    private void calculate() throws UnknownHostException {
+
+        ByteBuffer maskBuffer;
+        int targetSize;
+        if (inetAddress.getAddress().length == 4) {
+            maskBuffer =
+                    ByteBuffer
+                            .allocate(4)
+                            .putInt(-1);
+            targetSize = 4;
+        } else {
+            maskBuffer = ByteBuffer.allocate(16)
+                    .putLong(-1L)
+                    .putLong(-1L);
+            targetSize = 16;
+        }
+
+        BigInteger mask = (new BigInteger(1, maskBuffer.array())).not().shiftRight(prefixLength);
+
+        ByteBuffer buffer = ByteBuffer.wrap(inetAddress.getAddress());
+        BigInteger ipVal = new BigInteger(1, buffer.array());
+
+        BigInteger startIp = ipVal.and(mask);
+        BigInteger endIp = startIp.add(mask.not());
+
+        byte[] startIpArr = toBytes(startIp.toByteArray(), targetSize);
+        byte[] endIpArr = toBytes(endIp.toByteArray(), targetSize);
+
+        this.startAddress = InetAddress.getByAddress(startIpArr);
+        this.endAddress = InetAddress.getByAddress(endIpArr);
+
+    }
+
+    private byte[] toBytes(byte[] array, int targetSize) {
+        int counter = 0;
+        List<Byte> newArr = new ArrayList<Byte>();
+        while (counter < targetSize && (array.length - 1 - counter >= 0)) {
+            newArr.add(0, array[array.length - 1 - counter]);
+            counter++;
+        }
+
+        int size = newArr.size();
+        for (int i = 0; i < (targetSize - size); i++) {
+
+            newArr.add(0, (byte) 0);
+        }
+
+        byte[] ret = new byte[newArr.size()];
+        for (int i = 0; i < newArr.size(); i++) {
+            ret[i] = newArr.get(i);
+        }
+        return ret;
+    }
+
+    public String getNetworkAddress() {
+
+        return this.startAddress.getHostAddress();
+    }
+
+    public String getBroadcastAddress() {
+        return this.endAddress.getHostAddress();
+    }
+
+    public boolean isInRange(String ipAddress) throws UnknownHostException {
+        InetAddress address = InetAddress.getByName(ipAddress);
+        BigInteger start = new BigInteger(1, this.startAddress.getAddress());
+        BigInteger end = new BigInteger(1, this.endAddress.getAddress());
+        BigInteger target = new BigInteger(1, address.getAddress());
+
+        int st = start.compareTo(target);
+        int te = target.compareTo(end);
+
+        return (st == -1 || st == 0) && (te == -1 || te == 0);
+    }
+}

src/main/java/com/ryanmichela/sshd/ConfigPasswordAuthenticator.java

@@ -1,6 +1,6 @@
 package com.ryanmichela.sshd;
 
-import org.apache.sshd.server.auth.password.PasswordAuthenticator;
+import org.apache.sshd.server.PasswordAuthenticator;
 import org.apache.sshd.server.session.ServerSession;
 
 import java.util.HashMap;
@@ -9,11 +9,13 @@ import java.util.Map;
 /**
  * Copyright 2013 Ryan Michela
  */
-public class ConfigPasswordAuthenticator implements PasswordAuthenticator {
+public class ConfigPasswordAuthenticator extends IpFilteredAuthenticator implements PasswordAuthenticator {
     private Map<String, Integer> failCounts = new HashMap<String, Integer>();
 
     @Override
     public boolean authenticate(String username, String password, ServerSession serverSession) {
+        if (!ipAddressIsApproved(serverSession)) return false;
+
         if (SshdPlugin.instance.getConfig().getString("credentials." + username).equals(password)) {
             failCounts.put(username, 0);
             return true;

src/main/java/com/ryanmichela/sshd/ConsoleCommandCompleter.java

@@ -6,7 +6,7 @@ package com.ryanmichela.sshd;
 
 import org.bukkit.Bukkit;
 import org.bukkit.command.CommandMap;
-import jline.console.completer.Completer;
+import org.bukkit.craftbukkit.libs.jline.console.completer.Completer;
 
 import java.util.List;
 import java.util.concurrent.ExecutionException;

src/main/java/com/ryanmichela/sshd/ConsoleShellFactory.java

@@ -1,6 +1,5 @@
 package com.ryanmichela.sshd;
 
-import jline.console.ConsoleReader;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.core.Logger;
 import org.apache.sshd.common.Factory;
@@ -8,6 +7,7 @@ import org.apache.sshd.server.Command;
 import org.apache.sshd.server.Environment;
 import org.apache.sshd.server.ExitCallback;
 import org.bukkit.Bukkit;
+import org.bukkit.craftbukkit.libs.jline.console.ConsoleReader;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -15,9 +15,6 @@ import java.io.OutputStream;
 import java.util.logging.StreamHandler;
 
 public class ConsoleShellFactory implements Factory<Command> {
-    public Command get() {
-        return this.create();
-    }
 
     public Command create() {
         return new ConsoleShell();
@@ -92,18 +89,17 @@ public class ConsoleShellFactory implements Factory<Command> {
         }
 
         public void run() {
+            String command;
             try {
                 printPreamble(consoleReader);
-                while (true) {
+                while(true) {
-                    String command = consoleReader.readLine("\r>", null);
+                    command = consoleReader.readLine("\r>", null);
                     if (command != null) {
                         if (command.equals("exit")) {
                             break;
                         }
                         SshdPlugin.instance.getLogger().info("<" + environment.getEnv().get(Environment.ENV_USER) + "> " + command);
-                        Bukkit.getScheduler().runTask(SshdPlugin.instance, () -> {
                         Bukkit.dispatchCommand(Bukkit.getConsoleSender(), command);
-                        });
                     }
                 }
             } catch (IOException e) {
@@ -113,7 +109,7 @@ public class ConsoleShellFactory implements Factory<Command> {
             }
         }
 
-        private void printPreamble(ConsoleReader consoleReader) throws IOException {
+        private void printPreamble(ConsoleReader consoleReader) throws IOException{
             consoleReader.println("  _____ _____ _    _ _____");
             consoleReader.println(" / ____/ ____| |  | |  __ \\");
             consoleReader.println("| (___| (___ | |__| | |  | |");

src/main/java/com/ryanmichela/sshd/FlushyStreamHandler.java

@@ -1,8 +1,7 @@
 package com.ryanmichela.sshd;
 
 import org.apache.sshd.common.SshException;
-import jline.console.ConsoleReader;
+import org.bukkit.craftbukkit.libs.jline.console.ConsoleReader;
-
 
 import java.io.IOException;
 import java.io.OutputStream;

src/main/java/com/ryanmichela/sshd/IpFilteredAuthenticator.java

@@ -0,0 +1,28 @@
+package com.ryanmichela.sshd;
+
+import org.apache.sshd.server.session.ServerSession;
+
+import java.net.InetSocketAddress;
+import java.util.List;
+
+/**
+ * Copyright 2014 Ryan Michela
+ */
+public class IpFilteredAuthenticator {
+    private NetworkAddressValidator addressValidator;
+
+    public IpFilteredAuthenticator() {
+        List<String> whitelist = SshdPlugin.instance.getConfig().getStringList("whitelist");
+        if (whitelist.size() > 0) {
+            addressValidator = new NetworkAddressValidator(whitelist);
+        }
+    }
+
+    public boolean ipAddressIsApproved(ServerSession serverSession) {
+        if (addressValidator != null) {
+            String ip = ((InetSocketAddress)serverSession.getIoSession().getRemoteAddress()).getAddress().getHostAddress();
+            return addressValidator.isApproved(ip);
+        }
+        return true;
+    }
+}

src/main/java/com/ryanmichela/sshd/NetworkAddressValidator.java

@@ -0,0 +1,42 @@
+package com.ryanmichela.sshd;
+
+/**
+ * Copyright 2014 Ryan Michela
+ */
+
+import java.net.UnknownHostException;
+import java.util.List;
+
+public class NetworkAddressValidator {
+
+    private CIDRUtils[] approvedAddressList = null;
+
+    public NetworkAddressValidator(List<String> approvedAddressList) {
+        this.approvedAddressList = new CIDRUtils[approvedAddressList.size()];
+        for (int i = 0; i < approvedAddressList.size(); i++) {
+            String whitelistEntry = approvedAddressList.get(i);
+            try {
+                if (approvedAddressList.get(i).indexOf("/") > 0) {
+                    this.approvedAddressList[i] = new CIDRUtils(whitelistEntry);
+                } else {
+                    this.approvedAddressList[i] = new CIDRUtils(whitelistEntry + "/32");
+                }
+            } catch (UnknownHostException e) {
+                SshdPlugin.instance.getLogger().severe(whitelistEntry + " is not a valid IPv4 or IPv6 address or CIDR formatted address.");
+            }
+        }
+    }
+
+    public boolean isApproved(String ipAddress) {
+        try {
+            for (CIDRUtils approvedAddress : approvedAddressList) {
+                if (approvedAddress.isInRange(ipAddress)) {
+                    return true;
+                }
+            }
+            return false;
+        } catch (UnknownHostException e) {
+            return false;
+        }
+    }
+}

src/main/java/com/ryanmichela/sshd/PemDecoder.java

@@ -1,6 +1,6 @@
 package com.ryanmichela.sshd;
 
-import org.apache.commons.codec.binary.Base64;
+import org.apache.mina.util.Base64;
 
 import java.io.Reader;
 import java.math.BigInteger;
@@ -22,7 +22,7 @@ public class PemDecoder extends java.io.BufferedReader {
     }
 
     public PublicKey getPemBytes() throws Exception {
-        StringBuilder b64 = new StringBuilder();
+        StringBuffer b64 = new StringBuffer();
 
         String line = readLine();
         if (!line.matches(BEGIN)) {

src/main/java/com/ryanmichela/sshd/PublicKeyAuthenticator.java

@@ -1,7 +1,7 @@
 package com.ryanmichela.sshd;
 
 import org.apache.commons.lang.ArrayUtils;
-import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
+import org.apache.sshd.server.PublickeyAuthenticator;
 import org.apache.sshd.server.session.ServerSession;
 
 import java.io.File;
@@ -11,7 +11,7 @@ import java.security.PublicKey;
 /**
  * Copyright 2013 Ryan Michela
  */
-public class PublicKeyAuthenticator implements PublickeyAuthenticator {
+public class PublicKeyAuthenticator extends IpFilteredAuthenticator implements PublickeyAuthenticator {
     private File authorizedKeysDir;
 
     public PublicKeyAuthenticator(File authorizedKeysDir) {
@@ -20,6 +20,8 @@ public class PublicKeyAuthenticator implements PublickeyAuthenticator {
 
     @Override
     public boolean authenticate(String username, PublicKey key, ServerSession session) {
+        if (!ipAddressIsApproved(session)) return false;
+
         byte[] keyBytes = key.getEncoded();
         File keyFile = new File(authorizedKeysDir, username);
 

src/main/java/com/ryanmichela/sshd/ReflectionUtil.java

@@ -28,7 +28,9 @@ public class ReflectionUtil {
             modifiersField.setInt(f, f.getModifiers() & ~Modifier.FINAL);
 
             f.set(o, newValue);
-        } catch (NoSuchFieldException | IllegalAccessException ex) {
+        } catch (NoSuchFieldException ex) {
+            System.out.println("*** " + c.getName() + ":" + ex);
+        } catch (IllegalAccessException ex) {
             System.out.println("*** " + c.getName() + ":" + ex);
         }
     }

src/main/java/com/ryanmichela/sshd/SshTerminal.java

@@ -1,6 +1,6 @@
 package com.ryanmichela.sshd;
 
-import jline.TerminalSupport;
+import org.bukkit.craftbukkit.libs.jline.TerminalSupport;
 
 /**
  * Copyright 2013 Ryan Michela

src/main/java/com/ryanmichela/sshd/SshdPlugin.java

@@ -1,6 +1,6 @@
 package com.ryanmichela.sshd;
 
-import org.apache.sshd.server.SshServer;
+import org.apache.sshd.SshServer;
 import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
 import org.bukkit.plugin.java.JavaPlugin;
 
@@ -35,13 +35,11 @@ public class SshdPlugin extends JavaPlugin {
 
         sshd = SshServer.setUpDefaultServer();
         sshd.setPort(getConfig().getInt("port", 22));
-        String host = getConfig().getString("listenAddress", "all");
-        sshd.setHost(host.equals("all") ? null : host);
 
         File hostKey = new File(getDataFolder(), "hostkey");
         File authorizedKeys = new File(getDataFolder(), "authorized_keys");
 
-        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(hostKey));
+        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(hostKey.getPath()));
         sshd.setShellFactory(new ConsoleShellFactory());
         sshd.setPasswordAuthenticator(new ConfigPasswordAuthenticator());
         sshd.setPublickeyAuthenticator(new PublicKeyAuthenticator(authorizedKeys));

src/main/java/com/ryanmichela/sshd/StreamHandlerAppender.java

@@ -25,18 +25,15 @@ public class StreamHandlerAppender implements Appender {
     @Override
     public void append(LogEvent logEvent) {
         java.util.logging.Level level;
-
+        switch (logEvent.getLevel())
-        if(logEvent.getLevel().equals(org.apache.logging.log4j.Level.DEBUG)) {
+        {
-            level = java.util.logging.Level.FINE;
+            case DEBUG: level = java.util.logging.Level.FINE; break;
-        } else if(logEvent.getLevel().equals(org.apache.logging.log4j.Level.INFO)) {
+            case INFO: level = java.util.logging.Level.INFO; break;
-            level = java.util.logging.Level.INFO;
+            case WARN: level = java.util.logging.Level.WARNING; break;
-        } else if(logEvent.getLevel().equals(org.apache.logging.log4j.Level.WARN)) {
+            case ERROR: level = java.util.logging.Level.SEVERE; break;
-            level = java.util.logging.Level.WARNING;
+            default: level = java.util.logging.Level.INFO; break;
-        } else if(logEvent.getLevel().equals(org.apache.logging.log4j.Level.ERROR)) {
-            level = java.util.logging.Level.SEVERE;
-        } else {
-            level = java.util.logging.Level.INFO;
         }
+
         String message = logEvent.getMessage().getFormattedMessage();
 
 
@@ -69,16 +66,6 @@ public class StreamHandlerAppender implements Appender {
 
     }
 
-    @Override
-    public State getState() {
-        return State.INITIALIZED;
-    }
-
-    @Override
-    public void initialize() {
-
-    }
-
     @Override
     public void start() {
 
@@ -93,9 +80,4 @@ public class StreamHandlerAppender implements Appender {
     public boolean isStarted() {
         return true;
     }
-
-    @Override
-    public boolean isStopped() {
-        return false;
-    }
 }

src/main/java/org/slf4j/impl/PluginSlf4jFactory.java

@@ -22,7 +22,10 @@ public class PluginSlf4jFactory implements ILoggerFactory {
         private String name;
 
         private boolean isEnabled(Level level) {
-            return SshdPlugin.instance != null && SshdPlugin.instance.getLogger().isLoggable(level);
+            if (SshdPlugin.instance != null) {
+                return SshdPlugin.instance.getLogger().isLoggable(level);
+            }
+            return false;
         }
 
         private void log(Level level, String s, Object[] objects) {

src/main/resources/config.yml

@@ -1,7 +1,4 @@
-# The IP addresses(s) the SSH server will listen on. Use a comma separated list for multiple addresses.
+# This is the port the SSH server will listen on.
-# Leave as "all" for all addresses.
-listenAddress: all
-# The port the SSH server will listen on.
 port: 22
 
 # By default, only public key authentication is enabled. This is the most secure mode.
@@ -13,3 +10,10 @@ port: 22
 credentials:
 #    user1: password1
 #    user2: password2
+
+# To enable the IP whitelist, add more lines below. Whitelist entries can be expressed
+# in CIDR notation (ip address/mask) for whitelisting a range of IP addresses.
+whitelist:
+#    - ::1/128
+#    - 127.0.0.0/8
+#    - 192.168.0.0/16