| Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Licensed to the Apache Software Foundation (ASF) under one |
| 3 | * or more contributor license agreements. See the NOTICE file |
| 4 | * distributed with this work for additional information |
| 5 | * regarding copyright ownership. The ASF licenses this file |
| 6 | * to you under the Apache License, Version 2.0 (the |
| 7 | * "License"); you may not use this file except in compliance |
| 8 | * with the License. You may obtain a copy of the License at |
| 9 | * |
| 10 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 11 | * |
| 12 | * Unless required by applicable law or agreed to in writing, |
| 13 | * software distributed under the License is distributed on an |
| 14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| 15 | * KIND, either express or implied. See the License for the |
| 16 | * specific language governing permissions and limitations |
| 17 | * under the License. |
| 18 | */ |
| 19 | package org.apache.felix.framework; |
| 20 | |
| 21 | import java.security.Permission; |
| 22 | import java.security.ProtectionDomain; |
| 23 | |
| 24 | import org.apache.felix.framework.ext.SecurityProvider; |
| 25 | import org.apache.felix.framework.security.condpermadmin.ConditionalPermissionAdminImpl; |
| 26 | import org.apache.felix.framework.security.permissionadmin.PermissionAdminImpl; |
| 27 | import org.apache.felix.framework.security.util.TrustManager; |
| 28 | import org.apache.felix.framework.security.verifier.BundleDNParser; |
| 29 | import org.apache.felix.framework.security.verifier.SignerMatcher; |
| 30 | import org.apache.felix.framework.util.SecureAction; |
| 31 | import org.osgi.framework.Bundle; |
| 32 | |
| 33 | /** |
| 34 | * This class is the entry point to the security. It is used to determine whether |
| 35 | * a given bundle is signed correctely and has permissions based on |
| 36 | * PermissionAdmin or ConditionalPermissionAdmin. |
| 37 | */ |
| 38 | public final class SecurityProviderImpl implements SecurityProvider |
| 39 | { |
| 40 | private final BundleDNParser m_parser; |
| 41 | private final PermissionAdminImpl m_pai; |
| 42 | private final ConditionalPermissionAdminImpl m_cpai; |
| 43 | private final SecureAction m_action; |
| 44 | |
| 45 | SecurityProviderImpl(String crlList, String typeList, |
| 46 | String passwdList, String storeList, PermissionAdminImpl pai, |
| 47 | ConditionalPermissionAdminImpl cpai, SecureAction action) |
| 48 | { |
| 49 | m_pai = pai; |
| 50 | m_cpai = cpai; |
| 51 | m_action = action; |
| 52 | m_parser = |
| 53 | new BundleDNParser(new TrustManager(crlList, typeList, passwdList, |
| 54 | storeList, m_action)); |
| 55 | } |
| 56 | |
| 57 | BundleDNParser getParser() |
| 58 | { |
| 59 | return m_parser; |
| 60 | } |
| 61 | |
| 62 | /** |
| 63 | * If the given bundle is signed but can not be verified (e.g., missing files) |
| 64 | * then throw an exception. |
| 65 | */ |
| 66 | public void checkBundle(Bundle bundle) throws Exception |
| 67 | { |
| 68 | BundleInfo info = ((FelixBundle) bundle).getInfo(); |
| 69 | |
| 70 | m_parser.checkDNChains( |
| Karl Pauls | 17bd0b7 | 2008-11-17 21:08:35 +0000 | [diff] [blame] | 71 | (Long.toString(bundle.getBundleId()) + "-" + info.getLastModified()), |
| 72 | info.getCurrentModule().getContentLoader()); |
| Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 73 | } |
| 74 | |
| 75 | /** |
| 76 | * Get a signer matcher that can be used to match digital signed bundles. |
| 77 | */ |
| 78 | public Object getSignerMatcher(final Bundle bundle) |
| 79 | { |
| Karl Pauls | 17bd0b7 | 2008-11-17 21:08:35 +0000 | [diff] [blame] | 80 | return new SignerMatcher(Long.toString(bundle.getBundleId()), |
| 81 | ((FelixBundle) bundle).getInfo().getLastModified(), |
| 82 | ((FelixBundle) bundle).getInfo().getCurrentModule().getContentLoader(), |
| 83 | m_parser); |
| Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 84 | } |
| 85 | |
| 86 | /** |
| 87 | * If we have a permissionadmin then ask that one first and have it |
| 88 | * decide in case there is a location bound. If not then either use its |
| 89 | * default permission in case there is no conditional permission admin |
| 90 | * or else ask that one. |
| 91 | */ |
| 92 | public boolean hasBundlePermission(ProtectionDomain bundleProtectionDomain, |
| 93 | Permission permission, boolean direct) |
| 94 | { |
| 95 | BundleProtectionDomain pd = |
| 96 | (BundleProtectionDomain) bundleProtectionDomain; |
| 97 | FelixBundle bundle = pd.getBundle(); |
| 98 | BundleInfo info = bundle.getInfo(); |
| 99 | |
| 100 | if (info.getBundleId() == 0) |
| 101 | { |
| 102 | return true; |
| 103 | } |
| 104 | |
| Karl Pauls | 35c1c34 | 2008-03-19 17:39:16 +0000 | [diff] [blame] | 105 | // System.out.println(info.getBundleId() + " - " + permission); |
| Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 106 | // TODO: using true, false, or null seems a bit awkward. Improve this. |
| 107 | Boolean result = null; |
| 108 | if (m_pai != null) |
| 109 | { |
| 110 | result = |
| 111 | m_pai.hasPermission(info.getLocation(), pd.getBundle(), |
| 112 | permission, m_cpai, pd); |
| 113 | } |
| 114 | |
| 115 | if (result != null) |
| 116 | { |
| 117 | return result.booleanValue(); |
| 118 | } |
| 119 | |
| 120 | if (m_cpai != null) |
| 121 | { |
| 122 | try |
| 123 | { |
| 124 | return m_cpai.hasPermission(bundle, |
| 125 | info.getCurrentModule().getContentLoader(), |
| 126 | bundle.getBundleId() + "-" + |
| Karl Pauls | 17bd0b7 | 2008-11-17 21:08:35 +0000 | [diff] [blame] | 127 | info.getLastModified(),null, pd, |
| Karl Pauls | 35c1c34 | 2008-03-19 17:39:16 +0000 | [diff] [blame] | 128 | permission, direct, m_pai); |
| Karl Pauls | 3640732 | 2008-03-07 00:37:30 +0000 | [diff] [blame] | 129 | } |
| 130 | catch (Exception e) |
| 131 | { |
| 132 | // TODO Auto-generated catch block |
| 133 | e.printStackTrace(); |
| 134 | } |
| 135 | } |
| 136 | |
| 137 | return false; |
| 138 | } |
| 139 | } |