1 /*
   2  * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security;
  27 
  28 import java.lang.ref.Reference;
  29 import java.lang.ref.ReferenceQueue;
  30 import java.lang.ref.SoftReference;
  31 import java.lang.ref.WeakReference;
  32 import java.util.ArrayList;
  33 import java.util.Enumeration;
  34 import java.util.List;
  35 import java.util.Map;
  36 import java.util.concurrent.ConcurrentHashMap;
  37 import jdk.internal.misc.JavaSecurityAccess;
  38 import jdk.internal.misc.JavaSecurityProtectionDomainAccess;
  39 import static jdk.internal.misc.JavaSecurityProtectionDomainAccess.ProtectionDomainCache;
  40 import jdk.internal.misc.SharedSecrets;
  41 import sun.security.util.Debug;
  42 import sun.security.util.SecurityConstants;
  43 
  44 /**
  45  * The ProtectionDomain class encapsulates the characteristics of a domain,
  46  * which encloses a set of classes whose instances are granted a set
  47  * of permissions when being executed on behalf of a given set of Principals.
  48  * <p>
  49  * A static set of permissions can be bound to a ProtectionDomain when it is
  50  * constructed; such permissions are granted to the domain regardless of the
  51  * Policy in force. However, to support dynamic security policies, a
  52  * ProtectionDomain can also be constructed such that it is dynamically
  53  * mapped to a set of permissions by the current Policy whenever a permission
  54  * is checked.
  55  *
  56  * @author Li Gong
  57  * @author Roland Schemers
  58  * @author Gary Ellison
  59  */
  60 
  61 public class ProtectionDomain {
  62 
  63     private static class JavaSecurityAccessImpl implements JavaSecurityAccess {
  64 
  65         private JavaSecurityAccessImpl() {
  66         }
  67 
  68         @Override
  69         public <T> T doIntersectionPrivilege(
  70                 PrivilegedAction<T> action,
  71                 final AccessControlContext stack,
  72                 final AccessControlContext context) {
  73             if (action == null) {
  74                 throw new NullPointerException();
  75             }
  76 
  77             return AccessController.doPrivileged(
  78                 action,
  79                 getCombinedACC(context, stack)
  80             );
  81         }
  82 
  83         @Override
  84         public <T> T doIntersectionPrivilege(
  85                 PrivilegedAction<T> action,
  86                 AccessControlContext context) {
  87             return doIntersectionPrivilege(action,
  88                 AccessController.getContext(), context);
  89         }
  90 
  91         private static AccessControlContext getCombinedACC(
  92             AccessControlContext context, AccessControlContext stack) {
  93             AccessControlContext acc =
  94                 new AccessControlContext(context, stack.getCombiner(), true);
  95 
  96             return new AccessControlContext(stack.getContext(), acc).optimize();
  97         }
  98     }
  99 
 100     static {
 101         // setup SharedSecrets to allow access to doIntersectionPrivilege
 102         // methods and ProtectionDomain cache
 103         SharedSecrets.setJavaSecurityAccess(new JavaSecurityAccessImpl());
 104         SharedSecrets.setJavaSecurityProtectionDomainAccess(
 105             new JavaSecurityProtectionDomainAccess() {
 106                 @Override
 107                 public ProtectionDomainCache getProtectionDomainCache() {
 108                     return new PDCache();
 109                 }
 110             });
 111     }
 112 
 113     /**
 114      * Used for storing ProtectionDomains as keys in a Map.
 115      */
 116     static final class Key {}
 117 
 118     /* CodeSource */
 119     private CodeSource codesource ;
 120 
 121     /* ClassLoader the protection domain was consed from */
 122     private ClassLoader classloader;
 123 
 124     /* Principals running-as within this protection domain */
 125     private Principal[] principals;
 126 
 127     /* the rights this protection domain is granted */
 128     private PermissionCollection permissions;
 129 
 130     /* if the permissions object has AllPermission */
 131     private boolean hasAllPerm = false;
 132 
 133     /* the PermissionCollection is static (pre 1.4 constructor)
 134        or dynamic (via a policy refresh) */
 135     private boolean staticPermissions;
 136 
 137     /*
 138      * An object used as a key when the ProtectionDomain is stored in a Map.
 139      */
 140     final Key key = new Key();
 141 
 142     /**
 143      * Creates a new ProtectionDomain with the given CodeSource and
 144      * Permissions. If the permissions object is not null, then
 145      *  {@code setReadOnly())} will be called on the passed in
 146      * Permissions object. The only permissions granted to this domain
 147      * are the ones specified; the current Policy will not be consulted.
 148      *
 149      * @param codesource the codesource associated with this domain
 150      * @param permissions the permissions granted to this domain
 151      */
 152     public ProtectionDomain(CodeSource codesource,
 153                             PermissionCollection permissions) {
 154         this.codesource = codesource;
 155         if (permissions != null) {
 156             this.permissions = permissions;
 157             this.permissions.setReadOnly();
 158             if (permissions instanceof Permissions &&
 159                 ((Permissions)permissions).allPermission != null) {
 160                 hasAllPerm = true;
 161             }
 162         }
 163         this.classloader = null;
 164         this.principals = new Principal[0];
 165         staticPermissions = true;
 166     }
 167 
 168     /**
 169      * Creates a new ProtectionDomain qualified by the given CodeSource,
 170      * Permissions, ClassLoader and array of Principals. If the
 171      * permissions object is not null, then {@code setReadOnly()}
 172      * will be called on the passed in Permissions object.
 173      * The permissions granted to this domain are dynamic; they include
 174      * both the static permissions passed to this constructor, and any
 175      * permissions granted to this domain by the current Policy at the
 176      * time a permission is checked.
 177      * <p>
 178      * This constructor is typically used by
 179      * {@link SecureClassLoader ClassLoaders}
 180      * and {@link DomainCombiner DomainCombiners} which delegate to
 181      * {@code Policy} to actively associate the permissions granted to
 182      * this domain. This constructor affords the
 183      * Policy provider the opportunity to augment the supplied
 184      * PermissionCollection to reflect policy changes.
 185      *
 186      * @param codesource the CodeSource associated with this domain
 187      * @param permissions the permissions granted to this domain
 188      * @param classloader the ClassLoader associated with this domain
 189      * @param principals the array of Principals associated with this
 190      * domain. The contents of the array are copied to protect against
 191      * subsequent modification.
 192      * @see Policy#refresh
 193      * @see Policy#getPermissions(ProtectionDomain)
 194      * @since 1.4
 195      */
 196     public ProtectionDomain(CodeSource codesource,
 197                             PermissionCollection permissions,
 198                             ClassLoader classloader,
 199                             Principal[] principals) {
 200         this.codesource = codesource;
 201         if (permissions != null) {
 202             this.permissions = permissions;
 203             this.permissions.setReadOnly();
 204             if (permissions instanceof Permissions &&
 205                 ((Permissions)permissions).allPermission != null) {
 206                 hasAllPerm = true;
 207             }
 208         }
 209         this.classloader = classloader;
 210         this.principals = (principals != null ? principals.clone():
 211                            new Principal[0]);
 212         staticPermissions = false;
 213     }
 214 
 215     /**
 216      * Returns the CodeSource of this domain.
 217      * @return the CodeSource of this domain which may be null.
 218      * @since 1.2
 219      */
 220     public final CodeSource getCodeSource() {
 221         return this.codesource;
 222     }
 223 
 224 
 225     /**
 226      * Returns the ClassLoader of this domain.
 227      * @return the ClassLoader of this domain which may be null.
 228      *
 229      * @since 1.4
 230      */
 231     public final ClassLoader getClassLoader() {
 232         return this.classloader;
 233     }
 234 
 235 
 236     /**
 237      * Returns an array of principals for this domain.
 238      * @return a non-null array of principals for this domain.
 239      * Returns a new array each time this method is called.
 240      *
 241      * @since 1.4
 242      */
 243     public final Principal[] getPrincipals() {
 244         return this.principals.clone();
 245     }
 246 
 247     /**
 248      * Returns the static permissions granted to this domain.
 249      *
 250      * @return the static set of permissions for this domain which may be null.
 251      * @see Policy#refresh
 252      * @see Policy#getPermissions(ProtectionDomain)
 253      */
 254     public final PermissionCollection getPermissions() {
 255         return permissions;
 256     }
 257 
 258     /**
 259      * Check and see if this ProtectionDomain implies the permissions
 260      * expressed in the Permission object.
 261      * <p>
 262      * The set of permissions evaluated is a function of whether the
 263      * ProtectionDomain was constructed with a static set of permissions
 264      * or it was bound to a dynamically mapped set of permissions.
 265      * <p>
 266      * If the ProtectionDomain was constructed to a
 267      * {@link #ProtectionDomain(CodeSource, PermissionCollection)
 268      * statically bound} PermissionCollection then the permission will
 269      * only be checked against the PermissionCollection supplied at
 270      * construction.
 271      * <p>
 272      * However, if the ProtectionDomain was constructed with
 273      * the constructor variant which supports
 274      * {@link #ProtectionDomain(CodeSource, PermissionCollection,
 275      * ClassLoader, java.security.Principal[]) dynamically binding}
 276      * permissions, then the permission will be checked against the
 277      * combination of the PermissionCollection supplied at construction and
 278      * the current Policy binding.
 279      *
 280      * @param permission the Permission object to check.
 281      *
 282      * @return true if "permission" is implicit to this ProtectionDomain.
 283      */
 284     public boolean implies(Permission permission) {
 285 
 286         if (hasAllPerm) {
 287             // internal permission collection already has AllPermission -
 288             // no need to go to policy
 289             return true;
 290         }
 291 
 292         if (!staticPermissions &&
 293             Policy.getPolicyNoCheck().implies(this, permission))
 294             return true;
 295         if (permissions != null)
 296             return permissions.implies(permission);
 297 
 298         return false;
 299     }
 300 
 301     // called by the VM -- do not remove
 302     boolean impliesCreateAccessControlContext() {
 303         return implies(SecurityConstants.CREATE_ACC_PERMISSION);
 304     }
 305 
 306     /**
 307      * Convert a ProtectionDomain to a String.
 308      */
 309     @Override public String toString() {
 310         String pals = "<no principals>";
 311         if (principals != null && principals.length > 0) {
 312             StringBuilder palBuf = new StringBuilder("(principals ");
 313 
 314             for (int i = 0; i < principals.length; i++) {
 315                 palBuf.append(principals[i].getClass().getName() +
 316                             " \"" + principals[i].getName() +
 317                             "\"");
 318                 if (i < principals.length-1)
 319                     palBuf.append(",\n");
 320                 else
 321                     palBuf.append(")\n");
 322             }
 323             pals = palBuf.toString();
 324         }
 325 
 326         // Check if policy is set; we don't want to load
 327         // the policy prematurely here
 328         PermissionCollection pc = Policy.isSet() && seeAllp() ?
 329                                       mergePermissions():
 330                                       getPermissions();
 331 
 332         return "ProtectionDomain "+
 333             " "+codesource+"\n"+
 334             " "+classloader+"\n"+
 335             " "+pals+"\n"+
 336             " "+pc+"\n";
 337     }
 338 
 339     /*
 340      * holder class for the static field "debug" to delay its initialization
 341      */
 342     private static class DebugHolder {
 343         private static final Debug debug = Debug.getInstance("domain");
 344     }
 345 
 346     /**
 347      * Return true (merge policy permissions) in the following cases:
 348      *
 349      * . SecurityManager is null
 350      *
 351      * . SecurityManager is not null,
 352      *          debug is not null,
 353      *          SecurityManager impelmentation is in bootclasspath,
 354      *          Policy implementation is in bootclasspath
 355      *          (the bootclasspath restrictions avoid recursion)
 356      *
 357      * . SecurityManager is not null,
 358      *          debug is null,
 359      *          caller has Policy.getPolicy permission
 360      */
 361     private static boolean seeAllp() {
 362         SecurityManager sm = System.getSecurityManager();
 363 
 364         if (sm == null) {
 365             return true;
 366         } else {
 367             if (DebugHolder.debug != null) {
 368                 if (sm.getClass().getClassLoader() == null &&
 369                     Policy.getPolicyNoCheck().getClass().getClassLoader()
 370                                                                 == null) {
 371                     return true;
 372                 }
 373             } else {
 374                 try {
 375                     sm.checkPermission(SecurityConstants.GET_POLICY_PERMISSION);
 376                     return true;
 377                 } catch (SecurityException se) {
 378                     // fall thru and return false
 379                 }
 380             }
 381         }
 382 
 383         return false;
 384     }
 385 
 386     private PermissionCollection mergePermissions() {
 387         if (staticPermissions)
 388             return permissions;
 389 
 390         PermissionCollection perms =
 391             java.security.AccessController.doPrivileged
 392             (new java.security.PrivilegedAction<>() {
 393                     public PermissionCollection run() {
 394                         Policy p = Policy.getPolicyNoCheck();
 395                         return p.getPermissions(ProtectionDomain.this);
 396                     }
 397                 });
 398 
 399         Permissions mergedPerms = new Permissions();
 400         int swag = 32;
 401         int vcap = 8;
 402         Enumeration<Permission> e;
 403         List<Permission> pdVector = new ArrayList<>(vcap);
 404         List<Permission> plVector = new ArrayList<>(swag);
 405 
 406         //
 407         // Build a vector of domain permissions for subsequent merge
 408         if (permissions != null) {
 409             synchronized (permissions) {
 410                 e = permissions.elements();
 411                 while (e.hasMoreElements()) {
 412                     pdVector.add(e.nextElement());
 413                 }
 414             }
 415         }
 416 
 417         //
 418         // Build a vector of Policy permissions for subsequent merge
 419         if (perms != null) {
 420             synchronized (perms) {
 421                 e = perms.elements();
 422                 while (e.hasMoreElements()) {
 423                     plVector.add(e.nextElement());
 424                     vcap++;
 425                 }
 426             }
 427         }
 428 
 429         if (perms != null && permissions != null) {
 430             //
 431             // Weed out the duplicates from the policy. Unless a refresh
 432             // has occurred since the pd was consed this should result in
 433             // an empty vector.
 434             synchronized (permissions) {
 435                 e = permissions.elements();   // domain vs policy
 436                 while (e.hasMoreElements()) {
 437                     Permission pdp = e.nextElement();
 438                     Class<?> pdpClass = pdp.getClass();
 439                     String pdpActions = pdp.getActions();
 440                     String pdpName = pdp.getName();
 441                     for (int i = 0; i < plVector.size(); i++) {
 442                         Permission pp = plVector.get(i);
 443                         if (pdpClass.isInstance(pp)) {
 444                             // The equals() method on some permissions
 445                             // have some side effects so this manual
 446                             // comparison is sufficient.
 447                             if (pdpName.equals(pp.getName()) &&
 448                                 pdpActions.equals(pp.getActions())) {
 449                                 plVector.remove(i);
 450                                 break;
 451                             }
 452                         }
 453                     }
 454                 }
 455             }
 456         }
 457 
 458         if (perms !=null) {
 459             // the order of adding to merged perms and permissions
 460             // needs to preserve the bugfix 4301064
 461 
 462             for (int i = plVector.size()-1; i >= 0; i--) {
 463                 mergedPerms.add(plVector.get(i));
 464             }
 465         }
 466         if (permissions != null) {
 467             for (int i = pdVector.size()-1; i >= 0; i--) {
 468                 mergedPerms.add(pdVector.get(i));
 469             }
 470         }
 471 
 472         return mergedPerms;
 473     }
 474 
 475     /**
 476      * A cache of ProtectionDomains and their Permissions.
 477      *
 478      * This class stores ProtectionDomains as weak keys in a ConcurrentHashMap
 479      * with additional support for checking and removing weak keys that are no
 480      * longer in use. There can be cases where the permission collection may
 481      * have a chain of strong references back to the ProtectionDomain, which
 482      * ordinarily would prevent the entry from being removed from the map. To
 483      * address that, we wrap the permission collection in a SoftReference so
 484      * that it can be reclaimed by the garbage collector due to memory demand.
 485      */
 486     private static class PDCache implements ProtectionDomainCache {
 487         private final ConcurrentHashMap<WeakProtectionDomainKey,
 488                                         SoftReference<PermissionCollection>>
 489                                         pdMap = new ConcurrentHashMap<>();
 490         private final ReferenceQueue<Key> queue = new ReferenceQueue<>();
 491 
 492         @Override
 493         public void put(ProtectionDomain pd, PermissionCollection pc) {
 494             processQueue(queue, pdMap);
 495             WeakProtectionDomainKey weakPd =
 496                 new WeakProtectionDomainKey(pd, queue);
 497             pdMap.put(weakPd, new SoftReference<>(pc));
 498         }
 499 
 500         @Override
 501         public PermissionCollection get(ProtectionDomain pd) {
 502             processQueue(queue, pdMap);
 503             WeakProtectionDomainKey weakPd = new WeakProtectionDomainKey(pd);
 504             SoftReference<PermissionCollection> sr = pdMap.get(weakPd);
 505             return (sr == null) ? null : sr.get();
 506         }
 507 
 508         /**
 509          * Removes weak keys from the map that have been enqueued
 510          * on the reference queue and are no longer in use.
 511          */
 512         private static void processQueue(ReferenceQueue<Key> queue,
 513                                          ConcurrentHashMap<? extends
 514                                          WeakReference<Key>, ?> pdMap) {
 515             Reference<? extends Key> ref;
 516             while ((ref = queue.poll()) != null) {
 517                 pdMap.remove(ref);
 518             }
 519         }
 520     }
 521 
 522     /**
 523      * A weak key for a ProtectionDomain.
 524      */
 525     private static class WeakProtectionDomainKey extends WeakReference<Key> {
 526         /**
 527          * Saved value of the referent's identity hash code, to maintain
 528          * a consistent hash code after the referent has been cleared
 529          */
 530         private final int hash;
 531 
 532         /**
 533          * A key representing a null ProtectionDomain.
 534          */
 535         private static final Key NULL_KEY = new Key();
 536 
 537         /**
 538          * Create a new WeakProtectionDomain with the specified domain and
 539          * registered with a queue.
 540          */
 541         WeakProtectionDomainKey(ProtectionDomain pd, ReferenceQueue<Key> rq) {
 542             this((pd == null ? NULL_KEY : pd.key), rq);
 543         }
 544 
 545         WeakProtectionDomainKey(ProtectionDomain pd) {
 546             this(pd == null ? NULL_KEY : pd.key);
 547         }
 548 
 549         private WeakProtectionDomainKey(Key key, ReferenceQueue<Key> rq) {
 550             super(key, rq);
 551             hash = key.hashCode();
 552         }
 553 
 554         private WeakProtectionDomainKey(Key key) {
 555             super(key);
 556             hash = key.hashCode();
 557         }
 558 
 559         /**
 560          * Returns the identity hash code of the original referent.
 561          */
 562         @Override
 563         public int hashCode() {
 564             return hash;
 565         }
 566 
 567         /**
 568          * Returns true if the given object is an identical
 569          * WeakProtectionDomainKey instance, or, if this object's referent
 570          * has not been cleared and the given object is another
 571          * WeakProtectionDomainKey instance with an identical non-null
 572          * referent as this one.
 573          */
 574         @Override
 575         public boolean equals(Object obj) {
 576             if (obj == this) {
 577                 return true;
 578             }
 579 
 580             if (obj instanceof WeakProtectionDomainKey) {
 581                 Object referent = get();
 582                 return (referent != null) &&
 583                        (referent == ((WeakProtectionDomainKey)obj).get());
 584             } else {
 585                 return false;
 586             }
 587         }
 588     }
 589 }