001 /*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied. See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019
020 package org.apache.commons.logging.security;
021
022 import java.io.FilePermission;
023 import java.security.Permission;
024 import java.security.Permissions;
025
026
027 /**
028 * Custom implementation of a security manager, so we can control the
029 * security environment for tests in this package.
030 */
031 public class MockSecurityManager extends SecurityManager {
032
033 private Permissions permissions = new Permissions();
034 private static final Permission setSecurityManagerPerm =
035 new RuntimePermission("setSecurityManager");
036
037 private int untrustedCodeCount = 0;
038
039 public MockSecurityManager() {
040 permissions.add(setSecurityManagerPerm);
041 }
042
043 /**
044 * Define the set of permissions to be granted to classes in the o.a.c.l package,
045 * but NOT to unit-test classes in o.a.c.l.security package.
046 */
047 public void addPermission(Permission p) {
048 permissions.add(p);
049 }
050
051 /**
052 * This returns the number of times that a check of a permission failed
053 * due to stack-walking tracing up into untrusted code. Any non-zero
054 * value indicates a bug in JCL, ie a situation where code was not
055 * correctly wrapped in an AccessController block. The result of such a
056 * bug is that signing JCL is not sufficient to allow JCL to perform
057 * the operation; the caller would need to be signed too.
058 */
059 public int getUntrustedCodeCount() {
060 return untrustedCodeCount;
061 }
062
063 public void checkPermission(Permission p) throws SecurityException {
064 if (setSecurityManagerPerm.implies(p)) {
065 // ok, allow this; we don't want to block any calls to setSecurityManager
066 // otherwise this custom security manager cannot be reset to the original.
067 // System.out.println("setSecurityManager: granted");
068 return;
069 }
070
071 // Allow read-only access to files, as this is needed to load classes!
072 // Ideally, we would limit this to just .class and .jar files.
073 if (p instanceof FilePermission) {
074 FilePermission fp = (FilePermission) p;
075 if (fp.getActions().equals("read")) {
076 // System.out.println("Permit read of files");
077 return;
078 }
079 }
080
081 System.out.println("\n\ntesting permission:" + p.getClass() + ":"+ p);
082
083 Exception e = new Exception();
084 e.fillInStackTrace();
085 StackTraceElement[] stack = e.getStackTrace();
086
087 // scan the call stack from most recent to oldest.
088 // start at 1 to skip the entry in the stack for this method
089 for(int i=1; i<stack.length; ++i) {
090 String cname = stack[i].getClassName();
091 System.out.println("" + i + ":" + stack[i].getClassName() +
092 "." + stack[i].getMethodName());
093
094 if (cname.equals("java.security.AccessController")) {
095 // Presumably method name equals "doPrivileged"
096 //
097 // The previous iteration of this loop verified that the
098 // PrivilegedAction.run method associated with this
099 // doPrivileged method call had the right permissions,
100 // so we just return here. Effectively, the method invoking
101 // doPrivileged asserted that it checked the input params
102 // and found them safe, and that code is trusted, so we
103 // don't need to check the trust level of code higher in
104 // the call stack.
105 System.out.println("Access controller found: returning");
106 return;
107 } else if (cname.startsWith("java.")
108 || cname.startsWith("javax.")
109 || cname.startsWith("junit.")
110 || cname.startsWith("org.apache.tools.ant.")
111 || cname.startsWith("sun.")) {
112 // Code in these packages is trusted if the caller is trusted.
113 //
114 // TODO: maybe check class is loaded via system loader or similar rather
115 // than checking name? Trusted domains may be different in alternative
116 // jvms..
117 } else if (cname.startsWith("org.apache.commons.logging.security")) {
118 // this is the unit test code; treat this like an untrusted client
119 // app that is using JCL
120 ++untrustedCodeCount;
121 System.out.println("Untrusted code [testcase] found");
122 throw new SecurityException("Untrusted code [testcase] found");
123 } else if (cname.startsWith("org.apache.commons.logging.")) {
124 if (permissions.implies(p)) {
125 // Code here is trusted if the caller is trusted
126 System.out.println("Permission in allowed set for JCL class");
127 } else {
128 System.out.println("Permission refused:" + p.getClass() + ":" + p);
129 throw new SecurityException("Permission refused:" + p.getClass() + ":" + p);
130 }
131 } else {
132 // we found some code that is not trusted to perform this operation.
133 System.out.println("Unexpected code: permission refused:" + p.getClass() + ":" + p);
134 throw new SecurityException("Unexpected code: permission refused:" + p.getClass() + ":" + p);
135 }
136 }
137 }
138 }