Shuyi Chen | d7955ce | 2013-05-22 14:51:55 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Licensed to the Apache Software Foundation (ASF) under one or more |
| 3 | * contributor license agreements. See the NOTICE file distributed with |
| 4 | * this work for additional information regarding copyright ownership. |
| 5 | * The ASF licenses this file to You under the Apache License, Version 2.0 |
| 6 | * (the "License"); you may not use this file except in compliance with |
| 7 | * the License. You may obtain a copy of the License at |
| 8 | * |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * |
| 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
| 16 | */ |
| 17 | |
| 18 | package org.apache.harmony.javax.security.auth; |
| 19 | |
| 20 | import java.io.IOException; |
| 21 | import java.io.ObjectInputStream; |
| 22 | import java.io.Serializable; |
| 23 | import java.security.Permission; |
| 24 | import java.security.PermissionCollection; |
| 25 | import java.security.Principal; |
| 26 | import java.util.Set; |
| 27 | |
| 28 | |
| 29 | |
| 30 | /** |
| 31 | * Protects private credential objects belonging to a {@code Subject}. It has |
| 32 | * only one action which is "read". The target name of this permission has a |
| 33 | * special syntax: |
| 34 | * |
| 35 | * <pre> |
| 36 | * targetName = CredentialClass {PrincipalClass "PrincipalName"}* |
| 37 | * </pre> |
| 38 | * |
| 39 | * First it states a credential class and is followed then by a list of one or |
| 40 | * more principals identifying the subject. |
| 41 | * <p> |
| 42 | * The principals on their part are specified as the name of the {@code |
| 43 | * Principal} class followed by the principal name in quotes. For example, the |
| 44 | * following file may define permission to read the private credentials of a |
| 45 | * principal named "Bob": "com.sun.PrivateCredential com.sun.Principal \"Bob\"" |
| 46 | * <p> |
| 47 | * The syntax also allows the use of the wildcard "*" in place of {@code |
| 48 | * CredentialClass} or {@code PrincipalClass} and/or {@code PrincipalName}. |
| 49 | * |
| 50 | * @see Principal |
| 51 | */ |
| 52 | public final class PrivateCredentialPermission extends Permission { |
| 53 | |
| 54 | private static final long serialVersionUID = 5284372143517237068L; |
| 55 | |
| 56 | // allowed action |
| 57 | private static final String READ = "read"; //$NON-NLS-1$ |
| 58 | |
| 59 | private String credentialClass; |
| 60 | |
| 61 | // current offset |
| 62 | private transient int offset; |
| 63 | |
| 64 | // owners set |
| 65 | private transient CredOwner[] set; |
| 66 | |
| 67 | /** |
| 68 | * Creates a new permission for private credentials specified by the target |
| 69 | * name {@code name} and an {@code action}. The action is always |
| 70 | * {@code "read"}. |
| 71 | * |
| 72 | * @param name |
| 73 | * the target name of the permission. |
| 74 | * @param action |
| 75 | * the action {@code "read"}. |
| 76 | */ |
| 77 | public PrivateCredentialPermission(String name, String action) { |
| 78 | super(name); |
| 79 | if (READ.equalsIgnoreCase(action)) { |
| 80 | initTargetName(name); |
| 81 | } else { |
| 82 | throw new IllegalArgumentException("auth.11"); //$NON-NLS-1$ |
| 83 | } |
| 84 | } |
| 85 | |
| 86 | /** |
| 87 | * Creates a {@code PrivateCredentialPermission} from the {@code Credential} |
| 88 | * class and set of principals. |
| 89 | * |
| 90 | * @param credentialClass |
| 91 | * the credential class name. |
| 92 | * @param principals |
| 93 | * the set of principals. |
| 94 | */ |
| 95 | PrivateCredentialPermission(String credentialClass, Set<Principal> principals) { |
| 96 | super(credentialClass); |
| 97 | this.credentialClass = credentialClass; |
| 98 | |
| 99 | set = new CredOwner[principals.size()]; |
| 100 | for (Principal p : principals) { |
| 101 | CredOwner element = new CredOwner(p.getClass().getName(), p.getName()); |
| 102 | // check for duplicate elements |
| 103 | boolean found = false; |
| 104 | for (int ii = 0; ii < offset; ii++) { |
| 105 | if (set[ii].equals(element)) { |
| 106 | found = true; |
| 107 | break; |
| 108 | } |
| 109 | } |
| 110 | if (!found) { |
| 111 | set[offset++] = element; |
| 112 | } |
| 113 | } |
| 114 | } |
| 115 | |
| 116 | /** |
| 117 | * Initialize a PrivateCredentialPermission object and checks that a target |
| 118 | * name has a correct format: CredentialClass 1*(PrincipalClass |
| 119 | * "PrincipalName") |
| 120 | */ |
| 121 | private void initTargetName(String name) { |
| 122 | |
| 123 | if (name == null) { |
| 124 | throw new NullPointerException("auth.0E"); //$NON-NLS-1$ |
| 125 | } |
| 126 | |
| 127 | // check empty string |
| 128 | name = name.trim(); |
| 129 | if (name.length() == 0) { |
| 130 | throw new IllegalArgumentException("auth.0F"); //$NON-NLS-1$ |
| 131 | } |
| 132 | |
| 133 | // get CredentialClass |
| 134 | int beg = name.indexOf(' '); |
| 135 | if (beg == -1) { |
| 136 | throw new IllegalArgumentException("auth.10"); //$NON-NLS-1$ |
| 137 | } |
| 138 | credentialClass = name.substring(0, beg); |
| 139 | |
| 140 | // get a number of pairs: PrincipalClass "PrincipalName" |
| 141 | beg++; |
| 142 | int count = 0; |
| 143 | int nameLength = name.length(); |
| 144 | for (int i, j = 0; beg < nameLength; beg = j + 2, count++) { |
| 145 | i = name.indexOf(' ', beg); |
| 146 | j = name.indexOf('"', i + 2); |
| 147 | |
| 148 | if (i == -1 || j == -1 || name.charAt(i + 1) != '"') { |
| 149 | throw new IllegalArgumentException("auth.10"); //$NON-NLS-1$ |
| 150 | } |
| 151 | } |
| 152 | |
| 153 | // name MUST have one pair at least |
| 154 | if (count < 1) { |
| 155 | throw new IllegalArgumentException("auth.10"); //$NON-NLS-1$ |
| 156 | } |
| 157 | |
| 158 | beg = name.indexOf(' '); |
| 159 | beg++; |
| 160 | |
| 161 | // populate principal set with instances of CredOwner class |
| 162 | String principalClass; |
| 163 | String principalName; |
| 164 | |
| 165 | set = new CredOwner[count]; |
| 166 | for (int index = 0, i, j; index < count; beg = j + 2, index++) { |
| 167 | i = name.indexOf(' ', beg); |
| 168 | j = name.indexOf('"', i + 2); |
| 169 | |
| 170 | principalClass = name.substring(beg, i); |
| 171 | principalName = name.substring(i + 2, j); |
| 172 | |
| 173 | CredOwner element = new CredOwner(principalClass, principalName); |
| 174 | // check for duplicate elements |
| 175 | boolean found = false; |
| 176 | for (int ii = 0; ii < offset; ii++) { |
| 177 | if (set[ii].equals(element)) { |
| 178 | found = true; |
| 179 | break; |
| 180 | } |
| 181 | } |
| 182 | if (!found) { |
| 183 | set[offset++] = element; |
| 184 | } |
| 185 | } |
| 186 | } |
| 187 | |
| 188 | private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { |
| 189 | ois.defaultReadObject(); |
| 190 | initTargetName(getName()); |
| 191 | } |
| 192 | |
| 193 | /** |
| 194 | * Returns the principal's classes and names associated with this {@code |
| 195 | * PrivateCredentialPermission} as a two dimensional array. The first |
| 196 | * dimension of the array corresponds to the number of principals. The |
| 197 | * second dimension defines either the name of the {@code PrincipalClass} |
| 198 | * [x][0] or the value of {@code PrincipalName} [x][1]. |
| 199 | * <p> |
| 200 | * This corresponds to the the target name's syntax: |
| 201 | * |
| 202 | * <pre> |
| 203 | * targetName = CredentialClass {PrincipalClass "PrincipalName"}* |
| 204 | * </pre> |
| 205 | * |
| 206 | * @return the principal classes and names associated with this {@code |
| 207 | * PrivateCredentialPermission}. |
| 208 | */ |
| 209 | public String[][] getPrincipals() { |
| 210 | |
| 211 | String[][] s = new String[offset][2]; |
| 212 | |
| 213 | for (int i = 0; i < s.length; i++) { |
| 214 | s[i][0] = set[i].principalClass; |
| 215 | s[i][1] = set[i].principalName; |
| 216 | } |
| 217 | return s; |
| 218 | } |
| 219 | |
| 220 | @Override |
| 221 | public String getActions() { |
| 222 | return READ; |
| 223 | } |
| 224 | |
| 225 | /** |
| 226 | * Returns the class name of the credential associated with this permission. |
| 227 | * |
| 228 | * @return the class name of the credential associated with this permission. |
| 229 | */ |
| 230 | public String getCredentialClass() { |
| 231 | return credentialClass; |
| 232 | } |
| 233 | |
| 234 | @Override |
| 235 | public int hashCode() { |
| 236 | int hash = 0; |
| 237 | for (int i = 0; i < offset; i++) { |
| 238 | hash = hash + set[i].hashCode(); |
| 239 | } |
| 240 | return getCredentialClass().hashCode() + hash; |
| 241 | } |
| 242 | |
| 243 | @Override |
| 244 | public boolean equals(Object obj) { |
| 245 | if (obj == this) { |
| 246 | return true; |
| 247 | } |
| 248 | |
| 249 | if (obj == null || this.getClass() != obj.getClass()) { |
| 250 | return false; |
| 251 | } |
| 252 | |
| 253 | PrivateCredentialPermission that = (PrivateCredentialPermission) obj; |
| 254 | |
| 255 | return credentialClass.equals(that.credentialClass) && (offset == that.offset) |
| 256 | && sameMembers(set, that.set, offset); |
| 257 | } |
| 258 | |
| 259 | @Override |
| 260 | public boolean implies(Permission permission) { |
| 261 | |
| 262 | if (permission == null || this.getClass() != permission.getClass()) { |
| 263 | return false; |
| 264 | } |
| 265 | |
| 266 | PrivateCredentialPermission that = (PrivateCredentialPermission) permission; |
| 267 | |
| 268 | if (!("*".equals(credentialClass) || credentialClass //$NON-NLS-1$ |
| 269 | .equals(that.getCredentialClass()))) { |
| 270 | return false; |
| 271 | } |
| 272 | |
| 273 | if (that.offset == 0) { |
| 274 | return true; |
| 275 | } |
| 276 | |
| 277 | CredOwner[] thisCo = set; |
| 278 | CredOwner[] thatCo = that.set; |
| 279 | int thisPrincipalsSize = offset; |
| 280 | int thatPrincipalsSize = that.offset; |
| 281 | for (int i = 0, j; i < thisPrincipalsSize; i++) { |
| 282 | for (j = 0; j < thatPrincipalsSize; j++) { |
| 283 | if (thisCo[i].implies(thatCo[j])) { |
| 284 | break; |
| 285 | } |
| 286 | } |
| 287 | if (j == thatCo.length) { |
| 288 | return false; |
| 289 | } |
| 290 | } |
| 291 | return true; |
| 292 | } |
| 293 | |
| 294 | @Override |
| 295 | public PermissionCollection newPermissionCollection() { |
| 296 | return null; |
| 297 | } |
| 298 | |
| 299 | /** |
| 300 | * Returns true if the two arrays have the same length, and every member of |
| 301 | * one array is contained in another array |
| 302 | */ |
| 303 | private boolean sameMembers(Object[] ar1, Object[] ar2, int length) { |
| 304 | if (ar1 == null && ar2 == null) { |
| 305 | return true; |
| 306 | } |
| 307 | if (ar1 == null || ar2 == null) { |
| 308 | return false; |
| 309 | } |
| 310 | boolean found; |
| 311 | for (int i = 0; i < length; i++) { |
| 312 | found = false; |
| 313 | for (int j = 0; j < length; j++) { |
| 314 | if (ar1[i].equals(ar2[j])) { |
| 315 | found = true; |
| 316 | break; |
| 317 | } |
| 318 | } |
| 319 | if (!found) { |
| 320 | return false; |
| 321 | } |
| 322 | } |
| 323 | return true; |
| 324 | } |
| 325 | |
| 326 | private static final class CredOwner implements Serializable { |
| 327 | |
| 328 | private static final long serialVersionUID = -5607449830436408266L; |
| 329 | |
| 330 | String principalClass; |
| 331 | |
| 332 | String principalName; |
| 333 | |
| 334 | // whether class name contains wildcards |
| 335 | private transient boolean isClassWildcard; |
| 336 | |
| 337 | // whether pname contains wildcards |
| 338 | private transient boolean isPNameWildcard; |
| 339 | |
| 340 | // Creates a new CredOwner with the specified Principal Class and Principal Name |
| 341 | CredOwner(String principalClass, String principalName) { |
| 342 | super(); |
| 343 | if ("*".equals(principalClass)) { //$NON-NLS-1$ |
| 344 | isClassWildcard = true; |
| 345 | } |
| 346 | |
| 347 | if ("*".equals(principalName)) { //$NON-NLS-1$ |
| 348 | isPNameWildcard = true; |
| 349 | } |
| 350 | |
| 351 | if (isClassWildcard && !isPNameWildcard) { |
| 352 | throw new IllegalArgumentException("auth.12"); //$NON-NLS-1$ |
| 353 | } |
| 354 | |
| 355 | this.principalClass = principalClass; |
| 356 | this.principalName = principalName; |
| 357 | } |
| 358 | |
| 359 | // Checks if this CredOwner implies the specified Object. |
| 360 | boolean implies(Object obj) { |
| 361 | if (obj == this) { |
| 362 | return true; |
| 363 | } |
| 364 | |
| 365 | CredOwner co = (CredOwner) obj; |
| 366 | |
| 367 | if (isClassWildcard || principalClass.equals(co.principalClass)) { |
| 368 | if (isPNameWildcard || principalName.equals(co.principalName)) { |
| 369 | return true; |
| 370 | } |
| 371 | } |
| 372 | return false; |
| 373 | } |
| 374 | |
| 375 | // Checks two CredOwner objects for equality. |
| 376 | @Override |
| 377 | public boolean equals(Object obj) { |
| 378 | if (obj == this) { |
| 379 | return true; |
| 380 | } |
| 381 | if (obj instanceof CredOwner) { |
| 382 | CredOwner that = (CredOwner) obj; |
| 383 | return principalClass.equals(that.principalClass) |
| 384 | && principalName.equals(that.principalName); |
| 385 | } |
| 386 | return false; |
| 387 | } |
| 388 | |
| 389 | // Returns the hash code value for this object. |
| 390 | @Override |
| 391 | public int hashCode() { |
| 392 | return principalClass.hashCode() + principalName.hashCode(); |
| 393 | } |
| 394 | } |
| 395 | } |