]> git.argeo.org Git - lgpl/argeo-commons.git/blob - org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
projects / lgpl / argeo-commons.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix automated Kerberos config
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / internal / kernel / SecurityProfile.java
1 package org.argeo.cms.internal.kernel;
2
3 import java.io.FilePermission;
4 import java.lang.reflect.ReflectPermission;
5 import java.net.SocketPermission;
6 import java.security.AllPermission;
7 import java.util.PropertyPermission;
8
9 import javax.management.MBeanPermission;
10 import javax.management.MBeanServerPermission;
11 import javax.management.MBeanTrustPermission;
12 import javax.security.auth.AuthPermission;
13
14 import org.osgi.framework.AdminPermission;
15 import org.osgi.framework.Bundle;
16 import org.osgi.framework.BundleContext;
17 import org.osgi.framework.FrameworkUtil;
18 import org.osgi.framework.ServicePermission;
19 import org.osgi.service.cm.ConfigurationPermission;
20 import org.osgi.service.condpermadmin.BundleLocationCondition;
21 import org.osgi.service.condpermadmin.ConditionInfo;
22 import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
23 import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
24 import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
25 import org.osgi.service.permissionadmin.PermissionInfo;
26
27 import bitronix.tm.BitronixTransactionManager;
28
29 public interface SecurityProfile {
30 BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext();
31
32 default void applySystemPermissions(ConditionalPermissionAdmin permissionAdmin) {
33 ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
34 // Self
35 update.getConditionalPermissionInfos()
36 .add(permissionAdmin.newConditionalPermissionInfo(null,
37 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
38 new String[] { locate(SecurityProfile.class) }) },
39 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
40 ConditionalPermissionInfo.ALLOW));
41 update.getConditionalPermissionInfos()
42 .add(permissionAdmin.newConditionalPermissionInfo(null,
43 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
44 new String[] { bc.getBundle(0).getLocation() }) },
45 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
46 ConditionalPermissionInfo.ALLOW));
47 // All
48 // FIXME understand why Jetty and Jackrabbit require that
49 update.getConditionalPermissionInfos()
50 .add(permissionAdmin.newConditionalPermissionInfo(null, null, new PermissionInfo[] {
51 new PermissionInfo(SocketPermission.class.getName(), "localhost:7070", "listen,resolve"),
52 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"),
53 new PermissionInfo(PropertyPermission.class.getName(), "DEBUG", "read"),
54 new PermissionInfo(PropertyPermission.class.getName(), "STOP.*", "read"),
55 new PermissionInfo(PropertyPermission.class.getName(), "org.apache.jackrabbit.*", "read"),
56 new PermissionInfo(RuntimePermission.class.getName(), "*", "*"), },
57 ConditionalPermissionInfo.ALLOW));
58
59 // Eclipse
60 // update.getConditionalPermissionInfos()
61 // .add(permissionAdmin.newConditionalPermissionInfo(null,
62 // new ConditionInfo[] { new
63 // ConditionInfo(BundleLocationCondition.class.getName(),
64 // new String[] { "*/org.eclipse.*" }) },
65 // new PermissionInfo[] { new
66 // PermissionInfo(RuntimePermission.class.getName(), "*", "*"),
67 // new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
68 // new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
69 // new PermissionInfo(ServicePermission.class.getName(), "*",
70 // "register"),
71 // new PermissionInfo(TopicPermission.class.getName(), "*", "publish"),
72 // new PermissionInfo(TopicPermission.class.getName(), "*",
73 // "subscribe"),
74 // new PermissionInfo(PropertyPermission.class.getName(), "osgi.*",
75 // "read"),
76 // new PermissionInfo(PropertyPermission.class.getName(), "eclipse.*",
77 // "read"),
78 // new PermissionInfo(PropertyPermission.class.getName(),
79 // "org.eclipse.*", "read"),
80 // new PermissionInfo(PropertyPermission.class.getName(), "equinox.*",
81 // "read"),
82 // new PermissionInfo(PropertyPermission.class.getName(), "xml.*",
83 // "read"),
84 // new PermissionInfo("org.eclipse.equinox.log.LogPermission", "*",
85 // "log"), },
86 // ConditionalPermissionInfo.ALLOW));
87 update.getConditionalPermissionInfos()
88 .add(permissionAdmin.newConditionalPermissionInfo(null,
89 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
90 new String[] { "*/org.eclipse.*" }) },
91 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null), },
92 ConditionalPermissionInfo.ALLOW));
93 update.getConditionalPermissionInfos()
94 .add(permissionAdmin.newConditionalPermissionInfo(null,
95 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
96 new String[] { "*/org.apache.felix.*" }) },
97 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null), },
98 ConditionalPermissionInfo.ALLOW));
99
100 // Configuration admin
101 // update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
102 // new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
103 // new String[] { locate(configurationAdmin.getService().getClass()) }) },
104 // new PermissionInfo[] { new PermissionInfo(ConfigurationPermission.class.getName(), "*", "configure"),
105 // new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
106 // new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"), },
107 // ConditionalPermissionInfo.ALLOW));
108
109 // Bitronix
110 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
111 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
112 new String[] { locate(BitronixTransactionManager.class) }) },
113 new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "bitronix.tm.*", "read"),
114 new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
115 new PermissionInfo(MBeanServerPermission.class.getName(), "createMBeanServer", null),
116 new PermissionInfo(MBeanPermission.class.getName(), "bitronix.tm.*", "registerMBean"),
117 new PermissionInfo(MBeanTrustPermission.class.getName(), "register", null) },
118 ConditionalPermissionInfo.ALLOW));
119
120 // DS
121 Bundle dsBundle = findBundle("org.eclipse.equinox.ds");
122 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
123 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
124 new String[] { dsBundle.getLocation() }) },
125 new PermissionInfo[] { new PermissionInfo(ConfigurationPermission.class.getName(), "*", "configure"),
126 new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
127 new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
128 new PermissionInfo(ServicePermission.class.getName(), "*", "register"),
129 new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"),
130 new PermissionInfo(PropertyPermission.class.getName(), "xml.*", "read"),
131 new PermissionInfo(PropertyPermission.class.getName(), "equinox.*", "read"),
132 new PermissionInfo(RuntimePermission.class.getName(), "accessDeclaredMembers", null),
133 new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
134 new PermissionInfo(ReflectPermission.class.getName(), "suppressAccessChecks", null), },
135 ConditionalPermissionInfo.ALLOW));
136
137 // Jetty
138 Bundle jettyUtilBundle = findBundle("org.eclipse.equinox.http.jetty");
139 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
140 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
141 new String[] { "*/org.eclipse.jetty.*" }) },
142 new PermissionInfo[] {
143 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
144 ConditionalPermissionInfo.ALLOW));
145
146 // Blueprint
147 Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
148 update.getConditionalPermissionInfos()
149 .add(permissionAdmin.newConditionalPermissionInfo(null,
150 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
151 new String[] { blueprintBundle.getLocation() }) },
152 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
153 new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
154 ConditionalPermissionInfo.ALLOW));
155 Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
156 update.getConditionalPermissionInfos()
157 .add(permissionAdmin
158 .newConditionalPermissionInfo(null,
159 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
160 new String[] { blueprintExtenderBundle.getLocation() }) },
161 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
162 new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
163 "read"),
164 new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
165 new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
166 ConditionalPermissionInfo.ALLOW));
167 Bundle springCoreBundle = findBundle("org.springframework.core");
168 update.getConditionalPermissionInfos()
169 .add(permissionAdmin.newConditionalPermissionInfo(null,
170 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
171 new String[] { springCoreBundle.getLocation() }) },
172 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
173 new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
174 ConditionalPermissionInfo.ALLOW));
175 Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
176 update.getConditionalPermissionInfos()
177 .add(permissionAdmin.newConditionalPermissionInfo(null,
178 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
179 new String[] { blueprintIoBundle.getLocation() }) },
180 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
181 new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
182 ConditionalPermissionInfo.ALLOW));
183
184 // Equinox
185 Bundle registryBundle = findBundle("org.eclipse.equinox.registry");
186 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
187 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
188 new String[] { registryBundle.getLocation() }) },
189 new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "eclipse.*", "read"),
190 new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"),
191 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
192 ConditionalPermissionInfo.ALLOW));
193
194 Bundle equinoxUtilBundle = findBundle("org.eclipse.equinox.util");
195 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
196 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
197 new String[] { equinoxUtilBundle.getLocation() }) },
198 new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "equinox.*", "read"),
199 new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
200 new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
201 ConditionalPermissionInfo.ALLOW));
202 Bundle equinoxCommonBundle = findBundle("org.eclipse.equinox.common");
203 update.getConditionalPermissionInfos()
204 .add(permissionAdmin.newConditionalPermissionInfo(null,
205 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
206 new String[] { equinoxCommonBundle.getLocation() }) },
207 new PermissionInfo[] { new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
208 ConditionalPermissionInfo.ALLOW));
209
210 Bundle consoleBundle = findBundle("org.eclipse.equinox.console");
211 update.getConditionalPermissionInfos()
212 .add(permissionAdmin.newConditionalPermissionInfo(null,
213 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
214 new String[] { consoleBundle.getLocation() }) },
215 new PermissionInfo[] { new PermissionInfo(ServicePermission.class.getName(), "*", "register"),
216 new PermissionInfo(AdminPermission.class.getName(), "*", "listener") },
217 ConditionalPermissionInfo.ALLOW));
218 Bundle preferencesBundle = findBundle("org.eclipse.equinox.preferences");
219 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
220 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
221 new String[] { preferencesBundle.getLocation() }) },
222 new PermissionInfo[] {
223 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
224 ConditionalPermissionInfo.ALLOW));
225 Bundle appBundle = findBundle("org.eclipse.equinox.app");
226 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
227 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
228 new String[] { appBundle.getLocation() }) },
229 new PermissionInfo[] {
230 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
231 ConditionalPermissionInfo.ALLOW));
232
233 // Jackrabbit
234 Bundle jackrabbitCoreBundle = findBundle("org.apache.jackrabbit.core");
235 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
236 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
237 new String[] { jackrabbitCoreBundle.getLocation() }) },
238 new PermissionInfo[] {
239 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"),
240 new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"),
241 new PermissionInfo(AuthPermission.class.getName(), "getLoginConfiguration", null),
242 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
243 ConditionalPermissionInfo.ALLOW));
244 Bundle jackrabbitCommonBundle = findBundle("org.apache.jackrabbit.jcr.commons");
245 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
246 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
247 new String[] { jackrabbitCommonBundle.getLocation() }) },
248 new PermissionInfo[] {
249 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
250 ConditionalPermissionInfo.ALLOW));
251 Bundle tikaCoreBundle = findBundle("org.apache.tika.core");
252 update.getConditionalPermissionInfos()
253 .add(permissionAdmin.newConditionalPermissionInfo(null,
254 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
255 new String[] { tikaCoreBundle.getLocation() }) },
256 new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
257 new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
258 ConditionalPermissionInfo.ALLOW));
259 Bundle luceneBundle = findBundle("org.apache.lucene");
260 update.getConditionalPermissionInfos()
261 .add(permissionAdmin.newConditionalPermissionInfo(null,
262 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
263 new String[] { luceneBundle.getLocation() }) },
264 new PermissionInfo[] {
265 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>",
266 "read,write,delete"),
267 new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
268 new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
269 ConditionalPermissionInfo.ALLOW));
270
271 // COMMIT
272 update.commit();
273 }
274
275 /** @return bundle location */
276 default String locate(Class<?> clzz) {
277 return FrameworkUtil.getBundle(clzz).getLocation();
278 }
279
280 /** Can be null */
281 default Bundle findBundle(String symbolicName) {
282 for (Bundle b : bc.getBundles())
283 if (b.getSymbolicName().equals(symbolicName))
284 return b;
285 return null;
286 }
287
288 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi