Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Licensed to the Apache Software Foundation (ASF) under one |
| 3 | * or more contributor license agreements. See the NOTICE file |
| 4 | * distributed with this work for additional information |
| 5 | * regarding copyright ownership. The ASF licenses this file |
| 6 | * to you under the Apache License, Version 2.0 (the |
| 7 | * "License"); you may not use this file except in compliance |
| 8 | * with the License. You may obtain a copy of the License at |
| 9 | * |
| 10 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 11 | * |
| 12 | * Unless required by applicable law or agreed to in writing, |
| 13 | * software distributed under the License is distributed on an |
| 14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| 15 | * KIND, either express or implied. See the License for the |
| 16 | * specific language governing permissions and limitations |
| 17 | * under the License. |
| 18 | */ |
| 19 | package org.apache.felix.framework; |
| 20 | |
| 21 | import java.security.Permission; |
| 22 | import java.security.ProtectionDomain; |
| 23 | |
| 24 | import org.apache.felix.framework.ext.SecurityProvider; |
| 25 | import org.apache.felix.framework.security.condpermadmin.ConditionalPermissionAdminImpl; |
| 26 | import org.apache.felix.framework.security.permissionadmin.PermissionAdminImpl; |
| 27 | import org.apache.felix.framework.security.util.TrustManager; |
| 28 | import org.apache.felix.framework.security.verifier.BundleDNParser; |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 29 | import org.apache.felix.framework.util.SecureAction; |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 30 | import org.apache.felix.moduleloader.IModule; |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 31 | import org.osgi.framework.Bundle; |
| 32 | |
| 33 | /** |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 34 | * This class is the entry point to the security. It is used to determine |
| 35 | * whether a given bundle is signed correctely and has permissions based on |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 36 | * PermissionAdmin or ConditionalPermissionAdmin. |
| 37 | */ |
| 38 | public final class SecurityProviderImpl implements SecurityProvider |
| 39 | { |
| 40 | private final BundleDNParser m_parser; |
| 41 | private final PermissionAdminImpl m_pai; |
| 42 | private final ConditionalPermissionAdminImpl m_cpai; |
| 43 | private final SecureAction m_action; |
| 44 | |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 45 | SecurityProviderImpl(String crlList, String typeList, String passwdList, |
| 46 | String storeList, PermissionAdminImpl pai, |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 47 | ConditionalPermissionAdminImpl cpai, SecureAction action) |
| 48 | { |
| 49 | m_pai = pai; |
| 50 | m_cpai = cpai; |
| 51 | m_action = action; |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 52 | m_parser = new BundleDNParser(new TrustManager(crlList, typeList, |
| 53 | passwdList, storeList, m_action)); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 54 | } |
| 55 | |
| 56 | /** |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 57 | * If the given bundle is signed but can not be verified (e.g., missing |
| 58 | * files) then throw an exception. |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 59 | */ |
| 60 | public void checkBundle(Bundle bundle) throws Exception |
| 61 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 62 | IModule module = ((BundleImpl) bundle).getCurrentModule(); |
| 63 | m_parser.checkDNChains(module, module.getContent(), |
| 64 | Bundle.SIGNERS_TRUSTED); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 65 | } |
| 66 | |
| 67 | /** |
| 68 | * Get a signer matcher that can be used to match digital signed bundles. |
| 69 | */ |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 70 | public Object getSignerMatcher(final Bundle bundle, int signersType) |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 71 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 72 | IModule module = ((BundleImpl) bundle).getCurrentModule(); |
| 73 | return m_parser.getDNChains(module, module.getContent(), signersType); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 74 | } |
| 75 | |
| 76 | /** |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 77 | * If we have a permissionadmin then ask that one first and have it decide |
| 78 | * in case there is a location bound. If not then either use its default |
| 79 | * permission in case there is no conditional permission admin or else ask |
| 80 | * that one. |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 81 | */ |
| 82 | public boolean hasBundlePermission(ProtectionDomain bundleProtectionDomain, |
| 83 | Permission permission, boolean direct) |
| 84 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 85 | BundleProtectionDomain pd = (BundleProtectionDomain) bundleProtectionDomain; |
Karl Pauls | d093f2d | 2009-11-24 23:23:26 +0000 | [diff] [blame] | 86 | BundleImpl bundle = pd.getBundle(); |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 87 | IModule module = pd.getModule(); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 88 | |
Karl Pauls | d093f2d | 2009-11-24 23:23:26 +0000 | [diff] [blame] | 89 | if (bundle.getBundleId() == 0) |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 90 | { |
| 91 | return true; |
| 92 | } |
| 93 | |
Karl Pauls | 35c1c34 | 2008-03-19 17:39:16 +0000 | [diff] [blame] | 94 | // System.out.println(info.getBundleId() + " - " + permission); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 95 | // TODO: using true, false, or null seems a bit awkward. Improve this. |
| 96 | Boolean result = null; |
| 97 | if (m_pai != null) |
| 98 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 99 | result = m_pai.hasPermission(bundle._getLocation(), pd.getBundle(), |
| 100 | permission, m_cpai, pd, bundle.getCurrentModule().getContent()); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 101 | } |
| 102 | |
| 103 | if (result != null) |
| 104 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 105 | if ((m_cpai != null) && !direct) |
| 106 | { |
| 107 | boolean allow = result.booleanValue(); |
| 108 | if (!allow) |
| 109 | { |
| 110 | m_cpai.clearPD(); |
| 111 | return false; |
| 112 | } |
| 113 | return m_cpai.handlePAHandle(pd); |
| 114 | } |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 115 | return result.booleanValue(); |
| 116 | } |
| 117 | |
| 118 | if (m_cpai != null) |
| 119 | { |
| 120 | try |
| 121 | { |
Karl Pauls | 23287bd | 2010-01-10 22:11:27 +0000 | [diff] [blame] | 122 | return m_cpai.hasPermission(module, module.getContent(), pd, |
Karl Pauls | 35c1c34 | 2008-03-19 17:39:16 +0000 | [diff] [blame] | 123 | permission, direct, m_pai); |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 124 | } |
| 125 | catch (Exception e) |
| 126 | { |
| 127 | // TODO Auto-generated catch block |
| 128 | e.printStackTrace(); |
| 129 | } |
| 130 | } |
| 131 | |
| 132 | return false; |
Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 133 | } |
| 134 | } |