
Example 1 with ParsedPolicyEntry

use of net.sourceforge.prograde.policyparser.ParsedPolicyEntry in project ddf by codice.

Class PermissionActivator, method start.

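@SuppressWarnings("squid:S1149")
@Override
public void start(BundleContext bundleContext) throws Exception {
    // Presumably lets the policy parser expand the ${/} placeholder to the platform
    // separator — confirm against Parser before touching this.
    System.setProperty("/", File.separator);
    this.conditionalPermissionAdmin = getConditionalPermissionAdmin(bundleContext);

    // Policy files are read from ${ddf.home}/security. A leading '=' is stripped; this looks
    // like an artifact of how the property reaches the JVM on some launchers — verify.
    String policyDir = SecurityActions.getSystemProperty("ddf.home") + File.separator + "security";
    if (policyDir.startsWith("=")) {
        policyDir = policyDir.substring(1);
    }
    File policyDirFile = new File(policyDir);
    File[] policyFiles = Objects.requireNonNull(policyDirFile.listFiles(),
            "policy directory is missing or not readable: " + policyDir);
    // listFiles() returns entries in a filesystem-dependent order, while rows in the
    // conditional permission table are evaluated top-down; sorting by path name makes the
    // effective policy deterministic across installations.
    Arrays.sort(policyFiles);

    List<ParsedPolicy> parsedPolicies = new ArrayList<>(policyFiles.length);
    for (File file : policyFiles) {
        ParsedPolicy parsed = null;
        try {
            parsed = new Parser(false).parse(file);
        } catch (Exception e) {
            // An unparseable policy is fatal: starting with a partially applied sandbox
            // would be worse than refusing to start.
            systemExit(file);
        }
        // systemExit is expected not to return; if it does (e.g. when overridden in tests),
        // skip the entry rather than failing with a NullPointerException further down.
        if (parsed != null) {
            parsedPolicies.add(parsed);
        }
    }

    // Rebuild the whole table from scratch on every start.
    ConditionalPermissionUpdate update = conditionalPermissionAdmin.newConditionalPermissionUpdate();
    List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
    table.clear();
    this.priorityResult = null;
    List<ConditionalPermissionInfo> allGrantInfos = new ArrayList<>();
    List<ConditionalPermissionInfo> allDenyInfos = new ArrayList<>();
    for (ParsedPolicy parsedPolicy : parsedPolicies) {
        buildConditionalPermissionInfo(parsedPolicy.getGrantEntries(), allGrantInfos, ConditionalPermissionInfo.ALLOW);
        buildConditionalPermissionInfo(parsedPolicy.getDenyEntries(), allDenyInfos, ConditionalPermissionInfo.DENY);
        Priority priority = parsedPolicy.getPriority();
        if (priorityResult == null) {
            this.priorityResult = priority;
        } else if (priority != priorityResult) {
            // Policy files disagree on priority: no determination can be made, so fail
            // closed and default to deny.
            this.priorityResult = Priority.DENY;
        }
    }
    // NOTE(review): when no file declares a priority but both grant and deny entries exist,
    // the table is ordered grant-first (the opposite of the conflict case above); when no
    // priority is declared and only one kind of entry exists, nothing is added and an empty
    // table is committed. Confirm both outcomes are intended.
    if (priorityResult == null && !allGrantInfos.isEmpty() && !allDenyInfos.isEmpty()) {
        this.priorityResult = Priority.GRANT;
    }
    // The rows that come first win; the trailing all-permission row is the catch-all for
    // anything no explicit row matched (see the insertion logic in grantPermission).
    if (priorityResult == Priority.GRANT) {
        table.addAll(allGrantInfos);
        table.addAll(allDenyInfos);
        table.add(getAllPermission(ConditionalPermissionInfo.ALLOW));
    } else if (priorityResult == Priority.DENY) {
        table.addAll(allDenyInfos);
        table.addAll(allGrantInfos);
        table.add(getAllPermission(ConditionalPermissionInfo.DENY));
    }
    update.commit();
}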

Example 2 with ParsedPolicyEntry

use of net.sourceforge.prograde.policyparser.ParsedPolicyEntry in project ddf by codice.

Class PermissionActivator, method buildConditionalPermissionInfo.

/**
 * Converts parsed policy entries into conditional permission rows and appends them to
 * {@code infos}.
 *
 * <p>Entries that declare no permissions are skipped rather than rejected, so that
 * pre-defined placeholder entries — which administrators later fill with configuration
 * specific permissions — remain valid.
 *
 * @param entries parsed grant or deny entries from a policy file
 * @param infos   destination list; one row is appended per entry that has permissions
 * @param type    access decision applied to every row produced here,
 *                {@link ConditionalPermissionInfo#ALLOW} or {@link ConditionalPermissionInfo#DENY}
 */
private void buildConditionalPermissionInfo(List<ParsedPolicyEntry> entries, List<ConditionalPermissionInfo> infos, String type) {
    for (ParsedPolicyEntry entry : entries) {
        List<ParsedPermission> parsedPermissions = entry.getPermissions();
        if (parsedPermissions.isEmpty()) {
            // placeholder entry: nothing to grant or deny yet
            continue;
        }
        int count = parsedPermissions.size();
        PermissionInfo[] permissionInfos = new PermissionInfo[count];
        for (int i = 0; i < count; i++) {
            ParsedPermission p = parsedPermissions.get(i);
            // system property placeholders in the target name are expanded here, once
            permissionInfos[i] = new PermissionInfo(p.getPermissionType(), replaceSystemProperties(p.getPermissionName()), p.getActions());
        }
        // Conditions narrow which bundles the row applies to; a null condition array means
        // the row is unconditional.
        List<ConditionInfo> conditions = new ArrayList<>();
        addCodebase(entry, conditions);
        addSignedBy(entry, conditions);
        addPrincipals(entry, conditions);
        ConditionInfo[] conditionArray = null;
        if (!conditions.isEmpty()) {
            conditionArray = conditions.toArray(new ConditionInfo[conditions.size()]);
        }
        infos.add(conditionalPermissionAdmin.newConditionalPermissionInfo(null, conditionArray, permissionInfos, type));
    }
}

Example 3 with ParsedPolicyEntry

use of net.sourceforge.prograde.policyparser.ParsedPolicyEntry in project ddf by codice.

Class PermissionActivator, method grantPermission.

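/**
 * Grants {@code permission} to the bundle at {@code bundle} by adding a row to the live
 * conditional permission table, or by appending the bundle to an existing row that already
 * carries exactly the same permissions. The update is committed before this method returns.
 *
 * <p>Both arguments are interpolated verbatim into policy-file syntax and then parsed, so
 * they must come from a trusted source; policy grammar metacharacters in either value would
 * change the meaning of the generated entry.
 *
 * @param bundle     bundle location, without the {@code file:/} prefix
 * @param permission permission clause in policy-file form (type, name and actions)
 * @throws IllegalArgumentException if the clause yields no permission to grant
 * @throws Exception if the generated policy text cannot be parsed or the update fails
 */
public void grantPermission(String bundle, String permission) throws Exception {
    synchronized (this) {
        // Reuse the policy parser instead of hand-parsing the permission clause.
        final ParsedPolicy parsedPolicy = new Parser(false).parse(new StringReader(String.format("grant codebase \"file:/%s\" { permission %s; }", bundle, permission)));
        final List<ConditionalPermissionInfo> grantInfos = new ArrayList<>();
        buildConditionalPermissionInfo(parsedPolicy.getGrantEntries(), grantInfos, ConditionalPermissionInfo.ALLOW);
        if (grantInfos.isEmpty()) {
            // buildConditionalPermissionInfo drops entries without permissions; previously this
            // surfaced as an IndexOutOfBoundsException from get(0).
            throw new IllegalArgumentException("No permission to grant for bundle " + bundle + ": " + permission);
        }
        final ConditionalPermissionInfo grantInfo = grantInfos.get(0);
        final ConditionalPermissionUpdate update = conditionalPermissionAdmin.newConditionalPermissionUpdate();
        final List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
        if (!mergeIntoExistingRow(table, grantInfo, bundle)) {
            // New row: with grant priority it goes first so it wins over later denies; otherwise
            // it goes just before the last row, which start() makes the catch-all deny. The
            // Math.max guards the empty table start() commits when no priority applies, where
            // size() - 1 would be -1.
            final int index = (priorityResult == Priority.GRANT) ? 0 : Math.max(0, table.size() - 1);
            table.add(index, grantInfo);
        }
        update.commit();
    }
}

/**
 * Finds a row with the same access decision and permissions as {@code grantInfo} whose only
 * condition is a bundle-name condition, and replaces it in place with a copy that also names
 * {@code bundle}.
 *
 * @param table     the update's live row list, modified in place
 * @param grantInfo the row being granted
 * @param bundle    bundle location to add to the matching row's condition
 * @return true if an existing row was extended, false if no row matched
 */
private boolean mergeIntoExistingRow(List<ConditionalPermissionInfo> table, ConditionalPermissionInfo grantInfo, String bundle) {
    for (final ListIterator<ConditionalPermissionInfo> it = table.listIterator(); it.hasNext(); ) {
        final ConditionalPermissionInfo row = it.next();
        if (!Objects.equals(grantInfo.getAccessDecision(), row.getAccessDecision())
                || !Arrays.equals(grantInfo.getPermissionInfos(), row.getPermissionInfos())) {
            continue;
        }
        final ConditionInfo[] conditions = row.getConditionInfos();
        if (conditions == null || conditions.length != 1 || !BUNDLE_NAME_CONDITION.equals(conditions[0].getType())) {
            continue;
        }
        final String[] bundles = conditions[0].getArgs();
        final String[] newBundles = Arrays.copyOf(bundles, bundles.length + 1);
        newBundles[bundles.length] = bundle;
        it.set(conditionalPermissionAdmin.newConditionalPermissionInfo(row.getName(), new ConditionInfo[] { new ConditionInfo(BUNDLE_NAME_CONDITION, newBundles) }, row.getPermissionInfos(), row.getAccessDecision()));
        return true;
    }
    return false;
}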
