|
|||||||||||||||||||
| 30 day Evaluation Version distributed via the Maven Jar Repository. Clover is not free. You have 30 days to evaluate it. Please visit http://www.thecortex.net/clover to obtain a licensed version of Clover | |||||||||||||||||||
| Source file | Conditionals | Statements | Methods | TOTAL | |||||||||||||||
| PolicyBuilder.java | 0% | 0% | 0% | 0% |
|
||||||||||||||
| 1 |
/*
|
|
| 2 |
* Copyright (C) The Spice Group. All rights reserved.
|
|
| 3 |
*
|
|
| 4 |
* This software is published under the terms of the Spice
|
|
| 5 |
* Software License version 1.1, a copy of which has been included
|
|
| 6 |
* with this distribution in the LICENSE.txt file.
|
|
| 7 |
*/
|
|
| 8 |
package org.codehaus.spice.xmlpolicy.builder;
|
|
| 9 |
|
|
| 10 |
import java.io.InputStream;
|
|
| 11 |
import java.lang.reflect.Constructor;
|
|
| 12 |
import java.net.MalformedURLException;
|
|
| 13 |
import java.net.URL;
|
|
| 14 |
import java.security.CodeSource;
|
|
| 15 |
import java.security.KeyStore;
|
|
| 16 |
import java.security.KeyStoreException;
|
|
| 17 |
import java.security.Permission;
|
|
| 18 |
import java.security.Policy;
|
|
| 19 |
import java.security.UnresolvedPermission;
|
|
| 20 |
import java.security.cert.Certificate;
|
|
| 21 |
import java.util.ArrayList;
|
|
| 22 |
import java.util.HashMap;
|
|
| 23 |
import java.util.List;
|
|
| 24 |
import java.util.Map;
|
|
| 25 |
import java.util.PropertyPermission;
|
|
| 26 |
import java.util.StringTokenizer;
|
|
| 27 |
import org.codehaus.spice.xmlpolicy.metadata.GrantMetaData;
|
|
| 28 |
import org.codehaus.spice.xmlpolicy.metadata.KeyStoreMetaData;
|
|
| 29 |
import org.codehaus.spice.xmlpolicy.metadata.PermissionMetaData;
|
|
| 30 |
import org.codehaus.spice.xmlpolicy.metadata.PolicyMetaData;
|
|
| 31 |
|
|
| 32 |
/**
|
|
| 33 |
* A Utility class that builds a Policy object from a specified
|
|
| 34 |
* PolicyMetaData.
|
|
| 35 |
*
|
|
| 36 |
* @author Peter Donald
|
|
| 37 |
* @version $Revision: 1.1 $ $Date: 2003/12/02 09:16:06 $
|
|
| 38 |
*/
|
|
| 39 |
public class PolicyBuilder |
|
| 40 |
{
|
|
| 41 |
/**
|
|
| 42 |
* Build a policy for a specified meta data.
|
|
| 43 |
*
|
|
| 44 |
* @param policy the policy metadata
|
|
| 45 |
* @return the Policy object
|
|
| 46 |
* @throws Exception if unable to create Policy object
|
|
| 47 |
*/
|
|
| 48 | 0 |
public Policy buildPolicy( final PolicyMetaData policy,
|
| 49 |
final PolicyResolver resolver ) |
|
| 50 |
throws Exception
|
|
| 51 |
{
|
|
| 52 | 0 |
if( null == policy ) |
| 53 |
{
|
|
| 54 | 0 |
throw new NullPointerException( "policy" ); |
| 55 |
} |
|
| 56 | 0 |
if( null == resolver ) |
| 57 |
{
|
|
| 58 | 0 |
throw new NullPointerException( "resolver" ); |
| 59 |
} |
|
| 60 |
|
|
| 61 | 0 |
final Map keyStores = |
| 62 |
createKeyStores( policy.getKeyStores(), resolver ); |
|
| 63 | 0 |
final Map grants = new HashMap();
|
| 64 | 0 |
processGrants( policy.getGrants(), keyStores, grants, resolver ); |
| 65 |
|
|
| 66 | 0 |
final CodeSource codeSource = createDefaultCodeSource(); |
| 67 | 0 |
final Permission[] permissions = getDefaultPermissions(); |
| 68 | 0 |
grants.put( codeSource, permissions ); |
| 69 |
|
|
| 70 | 0 |
return resolver.createPolicy( grants );
|
| 71 |
} |
|
| 72 |
|
|
| 73 |
/**
|
|
| 74 |
* Porcess all the grants and build up a grant map.
|
|
| 75 |
*
|
|
| 76 |
* @param metaDatas the metadata
|
|
| 77 |
* @param keyStores the configured keystores
|
|
| 78 |
* @param grants the grant map
|
|
| 79 |
* @param resolver the resolver to use to resolve locations etc
|
|
| 80 |
* @throws Exception if unable to create grant map
|
|
| 81 |
*/
|
|
| 82 | 0 |
private void processGrants( final GrantMetaData[] metaDatas, |
| 83 |
final Map keyStores, |
|
| 84 |
final Map grants, |
|
| 85 |
final PolicyResolver resolver ) |
|
| 86 |
throws Exception
|
|
| 87 |
{
|
|
| 88 | 0 |
for( int i = 0; i < metaDatas.length; i++ ) |
| 89 |
{
|
|
| 90 | 0 |
processGrant( metaDatas[ i ], keyStores, grants, resolver ); |
| 91 |
} |
|
| 92 |
} |
|
| 93 |
|
|
| 94 |
/**
|
|
| 95 |
* Porcess a grants and add to the grant map.
|
|
| 96 |
*
|
|
| 97 |
* @param metaData the metadata
|
|
| 98 |
* @param keyStores the configured keystores
|
|
| 99 |
* @param grants the grant map
|
|
| 100 |
* @param resolver the resolver to use to resolve locations etc
|
|
| 101 |
* @throws Exception if unable to create grant map
|
|
| 102 |
*/
|
|
| 103 | 0 |
private void processGrant( final GrantMetaData metaData, |
| 104 |
final Map keyStores, |
|
| 105 |
final Map grants, |
|
| 106 |
final PolicyResolver resolver ) |
|
| 107 |
throws Exception
|
|
| 108 |
{
|
|
| 109 | 0 |
final URL url = |
| 110 |
resolver.resolveLocation( metaData.getCodebase() ); |
|
| 111 |
|
|
| 112 | 0 |
final Certificate[] signers = |
| 113 |
getSigners( metaData.getSignedBy(), |
|
| 114 |
metaData.getKeyStore(), |
|
| 115 |
keyStores ); |
|
| 116 | 0 |
final CodeSource codeSource = new CodeSource( url, signers );
|
| 117 |
|
|
| 118 | 0 |
final Permission[] permissions = |
| 119 |
createPermissions( metaData.getPermissions(), |
|
| 120 |
keyStores ); |
|
| 121 | 0 |
grants.put( codeSource, permissions ); |
| 122 |
} |
|
| 123 |
|
|
| 124 |
/**
|
|
| 125 |
* Create all permissions for specified metadata.
|
|
| 126 |
*
|
|
| 127 |
* @param metaDatas the metadata
|
|
| 128 |
* @param keyStores the keystores to use when loading signers
|
|
| 129 |
* @return the created permissions
|
|
| 130 |
* @throws Exception if unabel to create permissions
|
|
| 131 |
*/
|
|
| 132 | 0 |
private Permission[] createPermissions( final PermissionMetaData[] metaDatas,
|
| 133 |
final Map keyStores ) |
|
| 134 |
throws Exception
|
|
| 135 |
{
|
|
| 136 | 0 |
final List set = new ArrayList();
|
| 137 |
|
|
| 138 | 0 |
for( int i = 0; i < metaDatas.length; i++ ) |
| 139 |
{
|
|
| 140 | 0 |
final Permission permission = |
| 141 |
createPermission( metaDatas[ i ], keyStores ); |
|
| 142 | 0 |
set.add( permission ); |
| 143 |
} |
|
| 144 |
|
|
| 145 | 0 |
return (Permission[])set.toArray( new Permission[ set.size() ] ); |
| 146 |
} |
|
| 147 |
|
|
| 148 |
/**
|
|
| 149 |
* Create a permission for metadata.
|
|
| 150 |
*
|
|
| 151 |
* @param metaData the permission metadata
|
|
| 152 |
* @param keyStores the keystore to use (if needed)
|
|
| 153 |
* @return the created permission
|
|
| 154 |
* @throws Exception if unable to create permission
|
|
| 155 |
*/
|
|
| 156 | 0 |
private Permission createPermission( final PermissionMetaData metaData,
|
| 157 |
final Map keyStores ) |
|
| 158 |
throws Exception
|
|
| 159 |
{
|
|
| 160 | 0 |
final String type = metaData.getClassname(); |
| 161 | 0 |
final String actions = metaData.getAction(); |
| 162 | 0 |
final String signedBy = metaData.getSignedBy(); |
| 163 | 0 |
final String keyStoreName = metaData.getKeyStore(); |
| 164 | 0 |
final String target = metaData.getTarget(); |
| 165 |
|
|
| 166 | 0 |
final Certificate[] signers = |
| 167 |
getSigners( signedBy, keyStoreName, keyStores ); |
|
| 168 | 0 |
return createPermission( type, target, actions, signers );
|
| 169 |
} |
|
| 170 |
|
|
| 171 |
/**
|
|
| 172 |
* Create a mpa of keystores from specified metadata.
|
|
| 173 |
*
|
|
| 174 |
* @param metaDatas the metadata
|
|
| 175 |
* @return the keystore map
|
|
| 176 |
* @throws Exception if unable to create all keystores
|
|
| 177 |
*/
|
|
| 178 | 0 |
private Map createKeyStores( final KeyStoreMetaData[] metaDatas,
|
| 179 |
final PolicyResolver resolver ) |
|
| 180 |
throws Exception
|
|
| 181 |
{
|
|
| 182 | 0 |
final Map keyStores = new HashMap();
|
| 183 |
|
|
| 184 | 0 |
for( int i = 0; i < metaDatas.length; i++ ) |
| 185 |
{
|
|
| 186 | 0 |
final KeyStoreMetaData metaData = metaDatas[ i ]; |
| 187 | 0 |
final String name = metaData.getName(); |
| 188 |
|
|
| 189 | 0 |
try
|
| 190 |
{
|
|
| 191 | 0 |
final URL url = |
| 192 |
resolver.resolveLocation( metaData.getLocation() ); |
|
| 193 | 0 |
final KeyStore keyStore = |
| 194 |
createKeyStore( metaData.getType(), url ); |
|
| 195 |
|
|
| 196 | 0 |
keyStores.put( name, keyStore ); |
| 197 |
} |
|
| 198 |
catch( final Exception e )
|
|
| 199 |
{
|
|
| 200 | 0 |
final String message = |
| 201 |
"Error creating keystore " + name + ". Due to " + e; |
|
| 202 | 0 |
throw new Exception( message ); |
| 203 |
} |
|
| 204 |
} |
|
| 205 |
|
|
| 206 | 0 |
return keyStores;
|
| 207 |
} |
|
| 208 |
|
|
| 209 |
/**
|
|
| 210 |
* Create a permission of specified class and
|
|
| 211 |
* with specified target, action and signers.
|
|
| 212 |
*
|
|
| 213 |
* @param type the classname of Permission object
|
|
| 214 |
* @param target the target of permission
|
|
| 215 |
* @param actions the actions allowed on permission (if any)
|
|
| 216 |
* @param signers the signers (if any)
|
|
| 217 |
* @return the created Permission object
|
|
| 218 |
* @throws Exception if unable to create permission
|
|
| 219 |
*/
|
|
| 220 | 0 |
private final Permission createPermission( final String type,
|
| 221 |
final String target, |
|
| 222 |
final String actions, |
|
| 223 |
final Certificate[] signers ) |
|
| 224 |
throws Exception
|
|
| 225 |
{
|
|
| 226 | 0 |
if( null != signers ) |
| 227 |
{
|
|
| 228 | 0 |
return new UnresolvedPermission( type, target, actions, signers ); |
| 229 |
} |
|
| 230 |
|
|
| 231 | 0 |
try
|
| 232 |
{
|
|
| 233 | 0 |
final Class clazz = Class.forName( type ); |
| 234 |
|
|
| 235 | 0 |
Class paramClasses[] = null;
|
| 236 | 0 |
Object params[] = null;
|
| 237 |
|
|
| 238 | 0 |
if( null == actions && null == target ) |
| 239 |
{
|
|
| 240 | 0 |
paramClasses = new Class[ 0 ];
|
| 241 | 0 |
params = new Object[ 0 ];
|
| 242 |
} |
|
| 243 | 0 |
else if( null == actions ) |
| 244 |
{
|
|
| 245 | 0 |
paramClasses = new Class[ 1 ];
|
| 246 | 0 |
paramClasses[ 0 ] = String.class;
|
| 247 | 0 |
params = new Object[ 1 ];
|
| 248 | 0 |
params[ 0 ] = target; |
| 249 |
} |
|
| 250 |
else
|
|
| 251 |
{
|
|
| 252 | 0 |
paramClasses = new Class[ 2 ];
|
| 253 | 0 |
paramClasses[ 0 ] = String.class;
|
| 254 | 0 |
paramClasses[ 1 ] = String.class;
|
| 255 | 0 |
params = new Object[ 2 ];
|
| 256 | 0 |
params[ 0 ] = target; |
| 257 | 0 |
params[ 1 ] = actions; |
| 258 |
} |
|
| 259 |
|
|
| 260 | 0 |
final Constructor constructor = clazz.getConstructor( paramClasses ); |
| 261 | 0 |
return (Permission)constructor.newInstance( params );
|
| 262 |
} |
|
| 263 |
catch( final ClassNotFoundException cnfe )
|
|
| 264 |
{
|
|
| 265 | 0 |
return new UnresolvedPermission( type, target, actions, signers ); |
| 266 |
} |
|
| 267 |
} |
|
| 268 |
|
|
| 269 |
/**
|
|
| 270 |
* Create a keystore of specified type and loading from specified url.
|
|
| 271 |
*
|
|
| 272 |
* @param type the type of key store
|
|
| 273 |
* @param url the location of key store data
|
|
| 274 |
* @return the create and configured keystore
|
|
| 275 |
* @throws Exception if unable to create or load keystore
|
|
| 276 |
*/
|
|
| 277 | 0 |
protected KeyStore createKeyStore( final String type,
|
| 278 |
final URL url ) |
|
| 279 |
throws Exception
|
|
| 280 |
{
|
|
| 281 | 0 |
final KeyStore keyStore = KeyStore.getInstance( type ); |
| 282 | 0 |
final InputStream ins = url.openStream(); |
| 283 | 0 |
keyStore.load( ins, null );
|
| 284 | 0 |
return keyStore;
|
| 285 |
} |
|
| 286 |
|
|
| 287 |
/**
|
|
| 288 |
* Retrieve Certificates for specified signers
|
|
| 289 |
* as loaded from keyStore.
|
|
| 290 |
*
|
|
| 291 |
* @param signedBy the signers
|
|
| 292 |
* @param keyStoreName the name of keystore
|
|
| 293 |
* @param keyStores the list of keystores to lookup
|
|
| 294 |
* @return the certificates
|
|
| 295 |
* @throws Exception if unable to get signers
|
|
| 296 |
*/
|
|
| 297 | 0 |
private Certificate[] getSigners( final String signedBy,
|
| 298 |
final String keyStoreName, |
|
| 299 |
final Map keyStores ) |
|
| 300 |
throws Exception
|
|
| 301 |
{
|
|
| 302 | 0 |
if( null == signedBy ) |
| 303 |
{
|
|
| 304 | 0 |
return null; |
| 305 |
} |
|
| 306 |
else
|
|
| 307 |
{
|
|
| 308 | 0 |
final KeyStore keyStore = getKeyStore( keyStoreName, keyStores ); |
| 309 | 0 |
return getCertificates( signedBy, keyStore );
|
| 310 |
} |
|
| 311 |
} |
|
| 312 |
|
|
| 313 |
/**
|
|
| 314 |
* Retrieve the set of Ceritificates for all signers.
|
|
| 315 |
*
|
|
| 316 |
* @param signedBy the comma separated list of signers
|
|
| 317 |
* @param keyStore the keystore to look for signers certificates in
|
|
| 318 |
* @return the certificate set
|
|
| 319 |
* @throws Exception if unabel to create certificates
|
|
| 320 |
*/
|
|
| 321 | 0 |
private Certificate[] getCertificates( final String signedBy,
|
| 322 |
final KeyStore keyStore ) |
|
| 323 |
throws Exception
|
|
| 324 |
{
|
|
| 325 | 0 |
final List certificateSet = new ArrayList();
|
| 326 |
|
|
| 327 | 0 |
final StringTokenizer st = new StringTokenizer( signedBy, "," ); |
| 328 | 0 |
while( st.hasMoreTokens() )
|
| 329 |
{
|
|
| 330 | 0 |
final String alias = st.nextToken().trim(); |
| 331 | 0 |
Certificate certificate = null;
|
| 332 |
|
|
| 333 | 0 |
try
|
| 334 |
{
|
|
| 335 | 0 |
certificate = keyStore.getCertificate( alias ); |
| 336 |
} |
|
| 337 |
catch( final KeyStoreException kse )
|
|
| 338 |
{
|
|
| 339 | 0 |
final String message = |
| 340 |
"Unable to get certificate for alias " +
|
|
| 341 |
alias + " due to " + kse;
|
|
| 342 | 0 |
throw new Exception( message ); |
| 343 |
} |
|
| 344 |
|
|
| 345 | 0 |
if( null == certificate ) |
| 346 |
{
|
|
| 347 | 0 |
final String message = |
| 348 |
"Missing certificate for alias " + alias;
|
|
| 349 | 0 |
throw new Exception( message ); |
| 350 |
} |
|
| 351 |
|
|
| 352 | 0 |
if( !certificateSet.contains( certificate ) )
|
| 353 |
{
|
|
| 354 | 0 |
certificateSet.add( certificate ); |
| 355 |
} |
|
| 356 |
} |
|
| 357 |
|
|
| 358 | 0 |
return (Certificate[])certificateSet.toArray( new Certificate[ certificateSet.size() ] ); |
| 359 |
} |
|
| 360 |
|
|
| 361 |
/**
|
|
| 362 |
* Retrieve keystore with specified name from map.
|
|
| 363 |
* If missing throw an exception.
|
|
| 364 |
*
|
|
| 365 |
* @param keyStoreName the name of key store
|
|
| 366 |
* @param keyStores the map of stores
|
|
| 367 |
* @return the keystore
|
|
| 368 |
* @throws Exception thrown if unable to locate keystore
|
|
| 369 |
*/
|
|
| 370 | 0 |
private KeyStore getKeyStore( final String keyStoreName, final Map keyStores ) throws Exception |
| 371 |
{
|
|
| 372 | 0 |
final KeyStore keyStore = (KeyStore)keyStores.get( keyStoreName ); |
| 373 | 0 |
if( null == keyStore ) |
| 374 |
{
|
|
| 375 | 0 |
final String message = "Missing keystore named: " + keyStoreName;
|
| 376 | 0 |
throw new Exception( message ); |
| 377 |
} |
|
| 378 |
else
|
|
| 379 |
{
|
|
| 380 | 0 |
return keyStore;
|
| 381 |
} |
|
| 382 |
} |
|
| 383 |
|
|
| 384 |
/**
|
|
| 385 |
* A utility method to get a default codesource
|
|
| 386 |
* that covers all files on fielsystem
|
|
| 387 |
*
|
|
| 388 |
* @return the code source
|
|
| 389 |
*/
|
|
| 390 | 0 |
private CodeSource createDefaultCodeSource()
|
| 391 |
{
|
|
| 392 |
//Create a URL that covers whole file system.
|
|
| 393 | 0 |
final URL url; |
| 394 | 0 |
try
|
| 395 |
{
|
|
| 396 | 0 |
url = new URL( "file:/-" ); |
| 397 |
} |
|
| 398 |
catch( final MalformedURLException mue )
|
|
| 399 |
{
|
|
| 400 |
//will never happen
|
|
| 401 | 0 |
throw new IllegalStateException( mue.getMessage() ); |
| 402 |
} |
|
| 403 | 0 |
final CodeSource codeSource = new CodeSource( url, null ); |
| 404 | 0 |
return codeSource;
|
| 405 |
} |
|
| 406 |
|
|
| 407 |
/**
|
|
| 408 |
* A utility method to get all the default permissions.
|
|
| 409 |
*/
|
|
| 410 | 0 |
private Permission[] getDefaultPermissions()
|
| 411 |
{
|
|
| 412 | 0 |
final ArrayList list = new ArrayList();
|
| 413 |
//these properties straight out ot ${java.home}/lib/security/java.policy
|
|
| 414 | 0 |
list.add( new PropertyPermission( "os.name", "read" ) ); |
| 415 | 0 |
list.add( new PropertyPermission( "os.arch", "read" ) ); |
| 416 | 0 |
list.add( new PropertyPermission( "os.version", "read" ) ); |
| 417 | 0 |
list.add( new PropertyPermission( "file.separator", "read" ) ); |
| 418 | 0 |
list.add( new PropertyPermission( "path.separator", "read" ) ); |
| 419 | 0 |
list.add( new PropertyPermission( "line.separator", "read" ) ); |
| 420 |
|
|
| 421 | 0 |
list.add( new PropertyPermission( "java.version", "read" ) ); |
| 422 | 0 |
list.add( new PropertyPermission( "java.vendor", "read" ) ); |
| 423 | 0 |
list.add( new PropertyPermission( "java.vendor.url", "read" ) ); |
| 424 |
|
|
| 425 | 0 |
list.add( new PropertyPermission( "java.class.version", "read" ) ); |
| 426 | 0 |
list.add( new PropertyPermission( "java.vm.version", "read" ) ); |
| 427 | 0 |
list.add( new PropertyPermission( "java.vm.vendor", "read" ) ); |
| 428 | 0 |
list.add( new PropertyPermission( "java.vm.name", "read" ) ); |
| 429 |
|
|
| 430 | 0 |
list.add( new PropertyPermission( "java.specification.version", "read" ) ); |
| 431 | 0 |
list.add( new PropertyPermission( "java.specification.vendor", "read" ) ); |
| 432 | 0 |
list.add( new PropertyPermission( "java.specification.name", "read" ) ); |
| 433 | 0 |
list.add( new PropertyPermission( "java.vm.specification.version", "read" ) ); |
| 434 | 0 |
list.add( new PropertyPermission( "java.vm.specification.vendor", "read" ) ); |
| 435 | 0 |
list.add( new PropertyPermission( "java.vm.specification.name", "read" ) ); |
| 436 |
|
|
| 437 | 0 |
return (Permission[])list.toArray( new Permission[ list.size() ] ); |
| 438 |
} |
|
| 439 |
} |
|
| 440 |
|
|
||||||||||