Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Licensed to the Apache Software Foundation (ASF) under one |
| 3 | * or more contributor license agreements. See the NOTICE file |
| 4 | * distributed with this work for additional information |
| 5 | * regarding copyright ownership. The ASF licenses this file |
| 6 | * to you under the Apache License, Version 2.0 (the |
| 7 | * "License"); you may not use this file except in compliance |
| 8 | * with the License. You may obtain a copy of the License at |
| 9 | * |
| 10 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 11 | * |
| 12 | * Unless required by applicable law or agreed to in writing, |
| 13 | * software distributed under the License is distributed on an |
| 14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| 15 | * KIND, either express or implied. See the License for the |
| 16 | * specific language governing permissions and limitations |
| 17 | * under the License. |
| 18 | */ |
| 19 | package org.apache.felix.framework; |
| 20 | |
| 21 | import java.security.Permission; |
| 22 | import java.security.ProtectionDomain; |
| 23 | |
| 24 | import org.apache.felix.framework.ext.SecurityProvider; |
| 25 | import org.apache.felix.framework.security.condpermadmin.ConditionalPermissionAdminImpl; |
| 26 | import org.apache.felix.framework.security.permissionadmin.PermissionAdminImpl; |
| 27 | import org.apache.felix.framework.security.util.TrustManager; |
| 28 | import org.apache.felix.framework.security.verifier.BundleDNParser; |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 29 | import org.apache.felix.framework.util.SecureAction; |
Karl Pauls | fbb3257 | 2010-05-30 22:16:56 +0000 | [diff] [blame] | 30 | //import org.apache.felix.moduleloader.IModule; |
| 31 | import org.apache.felix.framework.resolver.Module; |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 32 | import org.osgi.framework.Bundle; |
| 33 | |
| 34 | /** |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 35 | * This class is the entry point to the security. It is used to determine |
| 36 | * whether a given bundle is signed correctely and has permissions based on |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 37 | * PermissionAdmin or ConditionalPermissionAdmin. |
| 38 | */ |
| 39 | public final class SecurityProviderImpl implements SecurityProvider |
| 40 | { |
| 41 | private final BundleDNParser m_parser; |
| 42 | private final PermissionAdminImpl m_pai; |
| 43 | private final ConditionalPermissionAdminImpl m_cpai; |
| 44 | private final SecureAction m_action; |
| 45 | |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 46 | SecurityProviderImpl(String crlList, String typeList, String passwdList, |
| 47 | String storeList, PermissionAdminImpl pai, |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 48 | ConditionalPermissionAdminImpl cpai, SecureAction action) |
| 49 | { |
| 50 | m_pai = pai; |
| 51 | m_cpai = cpai; |
| 52 | m_action = action; |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 53 | m_parser = new BundleDNParser(new TrustManager(crlList, typeList, |
| 54 | passwdList, storeList, m_action)); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 55 | } |
| 56 | |
| 57 | /** |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 58 | * If the given bundle is signed but can not be verified (e.g., missing |
| 59 | * files) then throw an exception. |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 60 | */ |
| 61 | public void checkBundle(Bundle bundle) throws Exception |
| 62 | { |
Karl Pauls | fbb3257 | 2010-05-30 22:16:56 +0000 | [diff] [blame] | 63 | Module module = ((BundleImpl) bundle).getCurrentModule(); |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 64 | m_parser.checkDNChains(module, module.getContent(), |
| 65 | Bundle.SIGNERS_TRUSTED); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 66 | } |
| 67 | |
| 68 | /** |
| 69 | * Get a signer matcher that can be used to match digital signed bundles. |
| 70 | */ |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 71 | public Object getSignerMatcher(final Bundle bundle, int signersType) |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 72 | { |
Karl Pauls | fbb3257 | 2010-05-30 22:16:56 +0000 | [diff] [blame] | 73 | Module module = ((BundleImpl) bundle).getCurrentModule(); |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 74 | return m_parser.getDNChains(module, module.getContent(), signersType); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 75 | } |
| 76 | |
| 77 | /** |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 78 | * If we have a permissionadmin then ask that one first and have it decide |
| 79 | * in case there is a location bound. If not then either use its default |
| 80 | * permission in case there is no conditional permission admin or else ask |
| 81 | * that one. |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 82 | */ |
| 83 | public boolean hasBundlePermission(ProtectionDomain bundleProtectionDomain, |
| 84 | Permission permission, boolean direct) |
| 85 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 86 | BundleProtectionDomain pd = (BundleProtectionDomain) bundleProtectionDomain; |
Karl Pauls | d093f2d | 2009-11-24 23:23:26 +0000 | [diff] [blame] | 87 | BundleImpl bundle = pd.getBundle(); |
Karl Pauls | fbb3257 | 2010-05-30 22:16:56 +0000 | [diff] [blame] | 88 | Module module = pd.getModule(); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 89 | |
Karl Pauls | d093f2d | 2009-11-24 23:23:26 +0000 | [diff] [blame] | 90 | if (bundle.getBundleId() == 0) |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 91 | { |
| 92 | return true; |
| 93 | } |
| 94 | |
Karl Pauls | 35c1c34 | 2008-03-19 17:39:16 +0000 | [diff] [blame] | 95 | // System.out.println(info.getBundleId() + " - " + permission); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 96 | // TODO: using true, false, or null seems a bit awkward. Improve this. |
| 97 | Boolean result = null; |
| 98 | if (m_pai != null) |
| 99 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 100 | result = m_pai.hasPermission(bundle._getLocation(), pd.getBundle(), |
| 101 | permission, m_cpai, pd, bundle.getCurrentModule().getContent()); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 102 | } |
| 103 | |
| 104 | if (result != null) |
| 105 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 106 | if ((m_cpai != null) && !direct) |
| 107 | { |
| 108 | boolean allow = result.booleanValue(); |
| 109 | if (!allow) |
| 110 | { |
| 111 | m_cpai.clearPD(); |
| 112 | return false; |
| 113 | } |
| 114 | return m_cpai.handlePAHandle(pd); |
| 115 | } |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 116 | return result.booleanValue(); |
| 117 | } |
| 118 | |
| 119 | if (m_cpai != null) |
| 120 | { |
| 121 | try |
| 122 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 123 | return m_cpai.hasPermission(module, module.getContent(), pd, |
Karl Pauls | 35c1c34 | 2008-03-19 17:39:16 +0000 | [diff] [blame] | 124 | permission, direct, m_pai); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 125 | } |
| 126 | catch (Exception e) |
| 127 | { |
| 128 | // TODO Auto-generated catch block |
| 129 | e.printStackTrace(); |
| 130 | } |
| 131 | } |
| 132 | |
| 133 | return false; |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 134 | } |
Karl Pauls | fbb3257 | 2010-05-30 22:16:56 +0000 | [diff] [blame] | 135 | } |