1 /*
   2  * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security;
  27 
  28 import java.lang.ref.Reference;
  29 import java.lang.ref.ReferenceQueue;
  30 import java.lang.ref.SoftReference;
  31 import java.lang.ref.WeakReference;
  32 import java.util.ArrayList;
  33 import java.util.Enumeration;
  34 import java.util.List;
  35 import java.util.Map;
  36 import java.util.concurrent.ConcurrentHashMap;
  37 import jdk.internal.misc.JavaSecurityAccess;
  38 import jdk.internal.misc.JavaSecurityProtectionDomainAccess;
  39 import static jdk.internal.misc.JavaSecurityProtectionDomainAccess.ProtectionDomainCache;
  40 import jdk.internal.misc.SharedSecrets;
  41 import sun.security.util.Debug;
  42 import sun.security.util.SecurityConstants;
  43 
  44 /**
  45  * The ProtectionDomain class encapsulates the characteristics of a domain,
  46  * which encloses a set of classes whose instances are granted a set
  47  * of permissions when being executed on behalf of a given set of Principals.
  48  * <p>
  49  * A static set of permissions can be bound to a ProtectionDomain when it is
  50  * constructed; such permissions are granted to the domain regardless of the
  51  * Policy in force. However, to support dynamic security policies, a
  52  * ProtectionDomain can also be constructed such that it is dynamically
  53  * mapped to a set of permissions by the current Policy whenever a permission
  54  * is checked.
  55  *
  56  * @author Li Gong
  57  * @author Roland Schemers
  58  * @author Gary Ellison
  59  */
  60 
  61 public class ProtectionDomain {
  62 
  63     private static class JavaSecurityAccessImpl implements JavaSecurityAccess {
  64 
  65         private JavaSecurityAccessImpl() {
  66         }
  67 
  68         @Override
  69         public <T> T doIntersectionPrivilege(
  70                 PrivilegedAction<T> action,
  71                 final AccessControlContext stack,
  72                 final AccessControlContext context) {
  73             if (action == null) {
  74                 throw new NullPointerException();
  75             }
  76 
  77             return AccessController.doPrivileged(
  78                 action,
  79                 getCombinedACC(context, stack)
  80             );
  81         }
  82 
  83         @Override
  84         public <T> T doIntersectionPrivilege(
  85                 PrivilegedAction<T> action,
  86                 AccessControlContext context) {
  87             return doIntersectionPrivilege(action,
  88                 AccessController.getContext(), context);
  89         }
  90 
  91         private static AccessControlContext getCombinedACC(
  92             AccessControlContext context, AccessControlContext stack) {
  93             AccessControlContext acc =
  94                 new AccessControlContext(context, stack.getCombiner(), true);
  95 
  96             return new AccessControlContext(stack.getContext(), acc).optimize();
  97         }
  98     }
  99 
 100     static {
 101         // setup SharedSecrets to allow access to doIntersectionPrivilege
 102         // methods and ProtectionDomain cache
 103         SharedSecrets.setJavaSecurityAccess(new JavaSecurityAccessImpl());
 104         SharedSecrets.setJavaSecurityProtectionDomainAccess(
 105             new JavaSecurityProtectionDomainAccess() {
 106                 @Override
 107                 public ProtectionDomainCache getProtectionDomainCache() {
 108                     return new PDCache();
 109                 }
 110             });
 111     }
 112 
 113     /**
 114      * Used for storing ProtectionDomains as keys in a Map.
 115      */
 116     static final class Key {}
 117 
 118     /* CodeSource */
 119     private CodeSource codesource ;
 120 
 121     /* ClassLoader the protection domain was consed from */
 122     private ClassLoader classloader;
 123 
 124     /* Principals running-as within this protection domain */
 125     private Principal[] principals;
 126 
 127     /* the rights this protection domain is granted */
 128     private PermissionCollection permissions;
 129 
 130     /* if the permissions object has AllPermission */
 131     private boolean hasAllPerm = false;
 132 
 133     /* the PermissionCollection is static (pre 1.4 constructor)
 134        or dynamic (via a policy refresh) */
 135     private boolean staticPermissions;
 136 
 137     /*
 138      * An object used as a key when the ProtectionDomain is stored in a Map.
 139      */
 140     final Key key = new Key();
 141 
 142     private static final Debug debug = Debug.getInstance("domain");
 143 
 144     /**
 145      * Creates a new ProtectionDomain with the given CodeSource and
 146      * Permissions. If the permissions object is not null, then
 147      *  {@code setReadOnly())} will be called on the passed in
 148      * Permissions object. The only permissions granted to this domain
 149      * are the ones specified; the current Policy will not be consulted.
 150      *
 151      * @param codesource the codesource associated with this domain
 152      * @param permissions the permissions granted to this domain
 153      */
 154     public ProtectionDomain(CodeSource codesource,
 155                             PermissionCollection permissions) {
 156         this.codesource = codesource;
 157         if (permissions != null) {
 158             this.permissions = permissions;
 159             this.permissions.setReadOnly();
 160             if (permissions instanceof Permissions &&
 161                 ((Permissions)permissions).allPermission != null) {
 162                 hasAllPerm = true;
 163             }
 164         }
 165         this.classloader = null;
 166         this.principals = new Principal[0];
 167         staticPermissions = true;
 168     }
 169 
 170     /**
 171      * Creates a new ProtectionDomain qualified by the given CodeSource,
 172      * Permissions, ClassLoader and array of Principals. If the
 173      * permissions object is not null, then {@code setReadOnly()}
 174      * will be called on the passed in Permissions object.
 175      * The permissions granted to this domain are dynamic; they include
 176      * both the static permissions passed to this constructor, and any
 177      * permissions granted to this domain by the current Policy at the
 178      * time a permission is checked.
 179      * <p>
 180      * This constructor is typically used by
 181      * {@link SecureClassLoader ClassLoaders}
 182      * and {@link DomainCombiner DomainCombiners} which delegate to
 183      * {@code Policy} to actively associate the permissions granted to
 184      * this domain. This constructor affords the
 185      * Policy provider the opportunity to augment the supplied
 186      * PermissionCollection to reflect policy changes.
 187      *
 188      * @param codesource the CodeSource associated with this domain
 189      * @param permissions the permissions granted to this domain
 190      * @param classloader the ClassLoader associated with this domain
 191      * @param principals the array of Principals associated with this
 192      * domain. The contents of the array are copied to protect against
 193      * subsequent modification.
 194      * @see Policy#refresh
 195      * @see Policy#getPermissions(ProtectionDomain)
 196      * @since 1.4
 197      */
 198     public ProtectionDomain(CodeSource codesource,
 199                             PermissionCollection permissions,
 200                             ClassLoader classloader,
 201                             Principal[] principals) {
 202         this.codesource = codesource;
 203         if (permissions != null) {
 204             this.permissions = permissions;
 205             this.permissions.setReadOnly();
 206             if (permissions instanceof Permissions &&
 207                 ((Permissions)permissions).allPermission != null) {
 208                 hasAllPerm = true;
 209             }
 210         }
 211         this.classloader = classloader;
 212         this.principals = (principals != null ? principals.clone():
 213                            new Principal[0]);
 214         staticPermissions = false;
 215     }
 216 
 217     /**
 218      * Returns the CodeSource of this domain.
 219      * @return the CodeSource of this domain which may be null.
 220      * @since 1.2
 221      */
 222     public final CodeSource getCodeSource() {
 223         return this.codesource;
 224     }
 225 
 226 
 227     /**
 228      * Returns the ClassLoader of this domain.
 229      * @return the ClassLoader of this domain which may be null.
 230      *
 231      * @since 1.4
 232      */
 233     public final ClassLoader getClassLoader() {
 234         return this.classloader;
 235     }
 236 
 237 
 238     /**
 239      * Returns an array of principals for this domain.
 240      * @return a non-null array of principals for this domain.
 241      * Returns a new array each time this method is called.
 242      *
 243      * @since 1.4
 244      */
 245     public final Principal[] getPrincipals() {
 246         return this.principals.clone();
 247     }
 248 
 249     /**
 250      * Returns the static permissions granted to this domain.
 251      *
 252      * @return the static set of permissions for this domain which may be null.
 253      * @see Policy#refresh
 254      * @see Policy#getPermissions(ProtectionDomain)
 255      */
 256     public final PermissionCollection getPermissions() {
 257         return permissions;
 258     }
 259 
 260     /**
 261      * Check and see if this ProtectionDomain implies the permissions
 262      * expressed in the Permission object.
 263      * <p>
 264      * The set of permissions evaluated is a function of whether the
 265      * ProtectionDomain was constructed with a static set of permissions
 266      * or it was bound to a dynamically mapped set of permissions.
 267      * <p>
 268      * If the ProtectionDomain was constructed to a
 269      * {@link #ProtectionDomain(CodeSource, PermissionCollection)
 270      * statically bound} PermissionCollection then the permission will
 271      * only be checked against the PermissionCollection supplied at
 272      * construction.
 273      * <p>
 274      * However, if the ProtectionDomain was constructed with
 275      * the constructor variant which supports
 276      * {@link #ProtectionDomain(CodeSource, PermissionCollection,
 277      * ClassLoader, java.security.Principal[]) dynamically binding}
 278      * permissions, then the permission will be checked against the
 279      * combination of the PermissionCollection supplied at construction and
 280      * the current Policy binding.
 281      *
 282      * @param permission the Permission object to check.
 283      *
 284      * @return true if "permission" is implicit to this ProtectionDomain.
 285      */
 286     public boolean implies(Permission permission) {
 287 
 288         if (hasAllPerm) {
 289             // internal permission collection already has AllPermission -
 290             // no need to go to policy
 291             return true;
 292         }
 293 
 294         if (!staticPermissions &&
 295             Policy.getPolicyNoCheck().implies(this, permission))
 296             return true;
 297         if (permissions != null)
 298             return permissions.implies(permission);
 299 
 300         return false;
 301     }
 302 
 303     // called by the VM -- do not remove
 304     boolean impliesCreateAccessControlContext() {
 305         return implies(SecurityConstants.CREATE_ACC_PERMISSION);
 306     }
 307 
 308     /**
 309      * Convert a ProtectionDomain to a String.
 310      */
 311     @Override public String toString() {
 312         String pals = "<no principals>";
 313         if (principals != null && principals.length > 0) {
 314             StringBuilder palBuf = new StringBuilder("(principals ");
 315 
 316             for (int i = 0; i < principals.length; i++) {
 317                 palBuf.append(principals[i].getClass().getName() +
 318                             " \"" + principals[i].getName() +
 319                             "\"");
 320                 if (i < principals.length-1)
 321                     palBuf.append(",\n");
 322                 else
 323                     palBuf.append(")\n");
 324             }
 325             pals = palBuf.toString();
 326         }
 327 
 328         // Check if policy is set; we don't want to load
 329         // the policy prematurely here
 330         PermissionCollection pc = Policy.isSet() && seeAllp() ?
 331                                       mergePermissions():
 332                                       getPermissions();
 333 
 334         return "ProtectionDomain "+
 335             " "+codesource+"\n"+
 336             " "+classloader+"\n"+
 337             " "+pals+"\n"+
 338             " "+pc+"\n";
 339     }
 340 
 341     /**
 342      * Return true (merge policy permissions) in the following cases:
 343      *
 344      * . SecurityManager is null
 345      *
 346      * . SecurityManager is not null,
 347      *          debug is not null,
 348      *          SecurityManager impelmentation is in bootclasspath,
 349      *          Policy implementation is in bootclasspath
 350      *          (the bootclasspath restrictions avoid recursion)
 351      *
 352      * . SecurityManager is not null,
 353      *          debug is null,
 354      *          caller has Policy.getPolicy permission
 355      */
 356     private static boolean seeAllp() {
 357         SecurityManager sm = System.getSecurityManager();
 358 
 359         if (sm == null) {
 360             return true;
 361         } else {
 362             if (debug != null) {
 363                 if (sm.getClass().getClassLoader() == null &&
 364                     Policy.getPolicyNoCheck().getClass().getClassLoader()
 365                                                                 == null) {
 366                     return true;
 367                 }
 368             } else {
 369                 try {
 370                     sm.checkPermission(SecurityConstants.GET_POLICY_PERMISSION);
 371                     return true;
 372                 } catch (SecurityException se) {
 373                     // fall thru and return false
 374                 }
 375             }
 376         }
 377 
 378         return false;
 379     }
 380 
 381     private PermissionCollection mergePermissions() {
 382         if (staticPermissions)
 383             return permissions;
 384 
 385         PermissionCollection perms =
 386             java.security.AccessController.doPrivileged
 387             (new java.security.PrivilegedAction<>() {
 388                     public PermissionCollection run() {
 389                         Policy p = Policy.getPolicyNoCheck();
 390                         return p.getPermissions(ProtectionDomain.this);
 391                     }
 392                 });
 393 
 394         Permissions mergedPerms = new Permissions();
 395         int swag = 32;
 396         int vcap = 8;
 397         Enumeration<Permission> e;
 398         List<Permission> pdVector = new ArrayList<>(vcap);
 399         List<Permission> plVector = new ArrayList<>(swag);
 400 
 401         //
 402         // Build a vector of domain permissions for subsequent merge
 403         if (permissions != null) {
 404             synchronized (permissions) {
 405                 e = permissions.elements();
 406                 while (e.hasMoreElements()) {
 407                     pdVector.add(e.nextElement());
 408                 }
 409             }
 410         }
 411 
 412         //
 413         // Build a vector of Policy permissions for subsequent merge
 414         if (perms != null) {
 415             synchronized (perms) {
 416                 e = perms.elements();
 417                 while (e.hasMoreElements()) {
 418                     plVector.add(e.nextElement());
 419                     vcap++;
 420                 }
 421             }
 422         }
 423 
 424         if (perms != null && permissions != null) {
 425             //
 426             // Weed out the duplicates from the policy. Unless a refresh
 427             // has occurred since the pd was consed this should result in
 428             // an empty vector.
 429             synchronized (permissions) {
 430                 e = permissions.elements();   // domain vs policy
 431                 while (e.hasMoreElements()) {
 432                     Permission pdp = e.nextElement();
 433                     Class<?> pdpClass = pdp.getClass();
 434                     String pdpActions = pdp.getActions();
 435                     String pdpName = pdp.getName();
 436                     for (int i = 0; i < plVector.size(); i++) {
 437                         Permission pp = plVector.get(i);
 438                         if (pdpClass.isInstance(pp)) {
 439                             // The equals() method on some permissions
 440                             // have some side effects so this manual
 441                             // comparison is sufficient.
 442                             if (pdpName.equals(pp.getName()) &&
 443                                 pdpActions.equals(pp.getActions())) {
 444                                 plVector.remove(i);
 445                                 break;
 446                             }
 447                         }
 448                     }
 449                 }
 450             }
 451         }
 452 
 453         if (perms !=null) {
 454             // the order of adding to merged perms and permissions
 455             // needs to preserve the bugfix 4301064
 456 
 457             for (int i = plVector.size()-1; i >= 0; i--) {
 458                 mergedPerms.add(plVector.get(i));
 459             }
 460         }
 461         if (permissions != null) {
 462             for (int i = pdVector.size()-1; i >= 0; i--) {
 463                 mergedPerms.add(pdVector.get(i));
 464             }
 465         }
 466 
 467         return mergedPerms;
 468     }
 469 
 470     /**
 471      * A cache of ProtectionDomains and their Permissions.
 472      *
 473      * This class stores ProtectionDomains as weak keys in a ConcurrentHashMap
 474      * with additional support for checking and removing weak keys that are no
 475      * longer in use. There can be cases where the permission collection may
 476      * have a chain of strong references back to the ProtectionDomain, which
 477      * ordinarily would prevent the entry from being removed from the map. To
 478      * address that, we wrap the permission collection in a SoftReference so
 479      * that it can be reclaimed by the garbage collector due to memory demand.
 480      */
 481     private static class PDCache implements ProtectionDomainCache {
 482         private final ConcurrentHashMap<WeakProtectionDomainKey,
 483                                         SoftReference<PermissionCollection>>
 484                                         pdMap = new ConcurrentHashMap<>();
 485         private final ReferenceQueue<Key> queue = new ReferenceQueue<>();
 486 
 487         @Override
 488         public void put(ProtectionDomain pd, PermissionCollection pc) {
 489             processQueue(queue, pdMap);
 490             WeakProtectionDomainKey weakPd =
 491                 new WeakProtectionDomainKey(pd, queue);
 492             pdMap.put(weakPd, new SoftReference<>(pc));
 493         }
 494 
 495         @Override
 496         public PermissionCollection get(ProtectionDomain pd) {
 497             processQueue(queue, pdMap);
 498             WeakProtectionDomainKey weakPd = new WeakProtectionDomainKey(pd);
 499             SoftReference<PermissionCollection> sr = pdMap.get(weakPd);
 500             return (sr == null) ? null : sr.get();
 501         }
 502 
 503         /**
 504          * Removes weak keys from the map that have been enqueued
 505          * on the reference queue and are no longer in use.
 506          */
 507         private static void processQueue(ReferenceQueue<Key> queue,
 508                                          ConcurrentHashMap<? extends
 509                                          WeakReference<Key>, ?> pdMap) {
 510             Reference<? extends Key> ref;
 511             while ((ref = queue.poll()) != null) {
 512                 pdMap.remove(ref);
 513             }
 514         }
 515     }
 516 
 517     /**
 518      * A weak key for a ProtectionDomain.
 519      */
 520     private static class WeakProtectionDomainKey extends WeakReference<Key> {
 521         /**
 522          * Saved value of the referent's identity hash code, to maintain
 523          * a consistent hash code after the referent has been cleared
 524          */
 525         private final int hash;
 526 
 527         /**
 528          * A key representing a null ProtectionDomain.
 529          */
 530         private static final Key NULL_KEY = new Key();
 531 
 532         /**
 533          * Create a new WeakProtectionDomain with the specified domain and
 534          * registered with a queue.
 535          */
 536         WeakProtectionDomainKey(ProtectionDomain pd, ReferenceQueue<Key> rq) {
 537             this((pd == null ? NULL_KEY : pd.key), rq);
 538         }
 539 
 540         WeakProtectionDomainKey(ProtectionDomain pd) {
 541             this(pd == null ? NULL_KEY : pd.key);
 542         }
 543 
 544         private WeakProtectionDomainKey(Key key, ReferenceQueue<Key> rq) {
 545             super(key, rq);
 546             hash = key.hashCode();
 547         }
 548 
 549         private WeakProtectionDomainKey(Key key) {
 550             super(key);
 551             hash = key.hashCode();
 552         }
 553 
 554         /**
 555          * Returns the identity hash code of the original referent.
 556          */
 557         @Override
 558         public int hashCode() {
 559             return hash;
 560         }
 561 
 562         /**
 563          * Returns true if the given object is an identical
 564          * WeakProtectionDomainKey instance, or, if this object's referent
 565          * has not been cleared and the given object is another
 566          * WeakProtectionDomainKey instance with an identical non-null
 567          * referent as this one.
 568          */
 569         @Override
 570         public boolean equals(Object obj) {
 571             if (obj == this) {
 572                 return true;
 573             }
 574 
 575             if (obj instanceof WeakProtectionDomainKey) {
 576                 Object referent = get();
 577                 return (referent != null) &&
 578                        (referent == ((WeakProtectionDomainKey)obj).get());
 579             } else {
 580                 return false;
 581             }
 582         }
 583     }
 584 }