/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security;
import java.security.AccessController;
import java.security.AccessControlContext;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import com.google.common.annotations.Beta;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.lang.reflect.Field;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
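/**
 * Aids SM-ONOS to perform API-level permission checking.
 *
 * <p>Checks are delegated to the installed {@link SecurityManager}. A check that
 * succeeds is remembered for a while, keyed by the code-source locations of the
 * calling context together with the permission, so that repeated calls from the
 * same callers can skip the stack inspection. Denials are never cached.
 */
@Beta
public final class AppGuard {

    private AppGuard() {
    }

    /**
     * Checks if the caller has the required permission only when security-mode is enabled.
     *
     * @param permission permission to be checked
     * @throws SecurityException if a security manager is installed and the calling
     *                           context does not hold the permission
     */
    public static void checkPermission(AppPermission.Type permission) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return;
        }
        AppPermission perm = new AppPermission(permission);

        // The snapshot is taken before doPrivileged on purpose: a snapshot taken inside
        // the privileged action stops at the doPrivileged caller, so it would describe
        // this class only and not the application code further up the stack. A cache key
        // built from that would be shared by every caller.
        final AccessControlContext callerContext = AccessController.getContext();

        // Only the reflective read of the snapshot runs with this class's own privileges.
        String contextKey = AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> describeContext(callerContext));

        if (contextKey == null) {
            // The context could not be identified reliably: always ask the security manager.
            sm.checkPermission(perm);
            return;
        }

        StringBuilder key = new StringBuilder(contextKey);
        appendPart(key, perm.getName());
        appendPart(key, perm.getActions());
        PermissionCheckCache.checkCache(sm, key.toString(), perm);
    }

    /**
     * Builds the context part of the cache key from the code-source locations of the
     * protection domains in the given context.
     *
     * <p>The full location strings are used rather than a combined hash, so two different
     * sets of callers cannot end up sharing a cached grant through a hash collision.
     *
     * @param context snapshot of the calling context
     * @return the key part, or {@code null} when the context cannot be described and the
     *         check must not be cached
     */
    private static String describeContext(AccessControlContext context) {
        try {
            // Relies on a private JDK field; any failure below disables caching for this call.
            Field domainsField = context.getClass().getDeclaredField("context");
            domainsField.setAccessible(true);
            ProtectionDomain[] domains = (ProtectionDomain[]) domainsField.get(context);
            if (domains == null || domains.length == 0) {
                return null;
            }
            StringBuilder key = new StringBuilder();
            for (ProtectionDomain pd : domains) {
                if (pd == null || pd.getCodeSource() == null
                        || pd.getCodeSource().getLocation() == null) {
                    // A domain without a location cannot be told apart from another one.
                    return null;
                }
                appendPart(key, pd.getCodeSource().getLocation().toExternalForm());
            }
            // NOTE(review): only the domain array is represented here. Other state of the
            // context (for example a limited privilege scope or a domain combiner) is not
            // part of the key; confirm that callers do not depend on it.
            return key.toString();
        } catch (NoSuchFieldException | IllegalAccessException | RuntimeException e) {
            // Includes a refused setAccessible; the caller falls back to the uncached check.
            return null;
        }
    }

    /**
     * Appends one length-prefixed component to a cache key, so that component
     * boundaries stay unambiguous whatever characters the component contains.
     *
     * @param key  key under construction
     * @param part component to append; {@code null} is written as the text "null"
     */
    private static void appendPart(StringBuilder key, String part) {
        String text = String.valueOf(part);
        key.append(text.length()).append(':').append(text);
    }

    /**
     * Remembers permission checks that succeeded.
     */
    private static final class PermissionCheckCache {

        // NOTE(review): expireAfterAccess renews an entry on every hit, so a grant that is
        // checked at least once every ten minutes stays cached indefinitely. If permissions
        // can be revoked at runtime, confirm that this is acceptable or that the cache is
        // invalidated on policy changes.
        private static final Cache<String, Boolean> CACHE = CacheBuilder.newBuilder()
                .maximumSize(1000)
                .expireAfterAccess(10, TimeUnit.MINUTES)
                .build();

        private PermissionCheckCache() {
        }

        /**
         * Checks the permission unless an earlier successful check is cached under the key.
         *
         * @param sm   security manager to consult on a cache miss
         * @param key  cache key identifying the calling context and the permission
         * @param perm permission to be checked
         * @throws SecurityException if the security manager denies the permission
         */
        static void checkCache(SecurityManager sm, String key, AppPermission perm) {
            try {
                CACHE.get(key, () -> {
                    // Throws on denial, so only grants are ever stored.
                    sm.checkPermission(perm);
                    return Boolean.TRUE;
                });
            } catch (ExecutionException e) {
                // The loader throws no checked exception; fall back to the authoritative check.
                sm.checkPermission(perm);
            } catch (RuntimeException e) {
                // The cache reports an unchecked loader failure wrapped in another unchecked
                // exception; surface the denial as the SecurityException callers expect.
                if (e.getCause() instanceof SecurityException) {
                    throw (SecurityException) e.getCause();
                }
                throw e;
            }
        }
    }
}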