1 package org
.argeo
.cms
.internal
.kernel
;
3 import java
.io
.FilePermission
;
4 import java
.lang
.reflect
.ReflectPermission
;
5 import java
.net
.SocketPermission
;
6 import java
.security
.AllPermission
;
7 import java
.util
.PropertyPermission
;
9 import javax
.management
.MBeanPermission
;
10 import javax
.management
.MBeanServerPermission
;
11 import javax
.management
.MBeanTrustPermission
;
12 import javax
.security
.auth
.AuthPermission
;
14 import org
.osgi
.framework
.AdminPermission
;
15 import org
.osgi
.framework
.Bundle
;
16 import org
.osgi
.framework
.BundleContext
;
17 import org
.osgi
.framework
.FrameworkUtil
;
18 import org
.osgi
.framework
.ServicePermission
;
19 import org
.osgi
.service
.cm
.ConfigurationPermission
;
20 import org
.osgi
.service
.condpermadmin
.BundleLocationCondition
;
21 import org
.osgi
.service
.condpermadmin
.ConditionInfo
;
22 import org
.osgi
.service
.condpermadmin
.ConditionalPermissionAdmin
;
23 import org
.osgi
.service
.condpermadmin
.ConditionalPermissionInfo
;
24 import org
.osgi
.service
.condpermadmin
.ConditionalPermissionUpdate
;
25 import org
.osgi
.service
.permissionadmin
.PermissionInfo
;
27 import bitronix
.tm
.BitronixTransactionManager
;
29 public interface SecurityProfile
{
// Bundle context of the bundle that loaded SecurityProfile. As an interface field it is
// implicitly public static final and is resolved once, when the interface is initialised.
// NOTE(review): FrameworkUtil.getBundle(..) returns null for a class that was not loaded by a
// bundle class loader, so initialisation fails with a NullPointerException outside OSGi.
// NOTE(review): because the field is public, every class that can see this interface can use
// this bundle's context; confirm that exposure is intended for a bundle granted AllPermission.
BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext();
/**
 * Builds the system permission table: obtains a {@link ConditionalPermissionUpdate} from
 * {@code permissionAdmin} and appends one ALLOW row per trusted component. Rows are passed a
 * {@code null} name and most are scoped with a {@link BundleLocationCondition}.
 *
 * <p>Security notes for reviewers: one row below has no condition at all and therefore
 * applies to every bundle, and two rows grant {@link AllPermission} on a wildcard location
 * match. A bundle location is only the string a bundle was installed under; it says nothing
 * about who produced the bundle. Where provenance matters, a signer-based condition
 * (BundleSignerCondition) is the stronger choice.
 *
 * @param permissionAdmin the Conditional Permission Admin service used to create the update
 *                        and the individual rows
 */
default void applySystemPermissions(ConditionalPermissionAdmin permissionAdmin) {
    ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
    // Self
    // AllPermission for the bundle that loaded SecurityProfile, matched by its location.
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { locate(SecurityProfile.class) }) },
                    new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
                    ConditionalPermissionInfo.ALLOW));
    // AllPermission for bundle id 0 (the OSGi system bundle), matched by its location.
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { bc.getBundle(0).getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
                    ConditionalPermissionInfo.ALLOW));
    // All
    // FIXME understand why Jetty and Jackrabbit require that
    // NOTE(review): the condition array is null, so this row applies to EVERY bundle. It hands
    // all of them RuntimePermission "*" (every runtime target, e.g. setSecurityManager and
    // createClassLoader) and read/write/delete on <<ALL FILES>>, which makes the narrower
    // per-bundle rows for those permission types redundant. Scope it to the bundles that need
    // it. RuntimePermission defines no actions, so the "*" actions string adds nothing.
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null, null, new PermissionInfo[] {
                    new PermissionInfo(SocketPermission.class.getName(), "localhost:7070", "listen,resolve"),
                    new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"),
                    new PermissionInfo(PropertyPermission.class.getName(), "DEBUG", "read"),
                    new PermissionInfo(PropertyPermission.class.getName(), "STOP.*", "read"),
                    new PermissionInfo(PropertyPermission.class.getName(), "org.apache.jackrabbit.*", "read"),
                    new PermissionInfo(RuntimePermission.class.getName(), "*", "*"), },
                    ConditionalPermissionInfo.ALLOW));

    // Disabled earlier variant: a narrower permission list for "*/org.eclipse.*" locations.
    // (Some lines of this commented-out block are absent from the listing.)
    // update.getConditionalPermissionInfos()
    // .add(permissionAdmin.newConditionalPermissionInfo(null,
    // new ConditionInfo[] { new
    // ConditionInfo(BundleLocationCondition.class.getName(),
    // new String[] { "*/org.eclipse.*" }) },
    // new PermissionInfo[] { new
    // PermissionInfo(RuntimePermission.class.getName(), "*", "*"),
    // new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
    // new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
    // new PermissionInfo(ServicePermission.class.getName(), "*",
    // new PermissionInfo(TopicPermission.class.getName(), "*", "publish"),
    // new PermissionInfo(TopicPermission.class.getName(), "*",
    // new PermissionInfo(PropertyPermission.class.getName(), "osgi.*",
    // new PermissionInfo(PropertyPermission.class.getName(), "eclipse.*",
    // new PermissionInfo(PropertyPermission.class.getName(),
    // "org.eclipse.*", "read"),
    // new PermissionInfo(PropertyPermission.class.getName(), "equinox.*",
    // new PermissionInfo(PropertyPermission.class.getName(), "xml.*",
    // new PermissionInfo("org.eclipse.equinox.log.LogPermission", "*",
    // ConditionalPermissionInfo.ALLOW));

    // NOTE(review): the next two rows give AllPermission to any bundle whose location string
    // matches the wildcard. The decision rests on an install-time string rather than on bundle
    // content or signer. Rows further down for individual org.eclipse.* bundles presumably add
    // nothing when those bundles' locations also match this pattern; verify.
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { "*/org.eclipse.*" }) },
                    new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null), },
                    ConditionalPermissionInfo.ALLOW));
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { "*/org.apache.felix.*" }) },
                    new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null), },
                    ConditionalPermissionInfo.ALLOW));

    // Configuration admin
    // update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
    // new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
    // new String[] { locate(configurationAdmin.getService().getClass()) }) },
    // new PermissionInfo[] { new PermissionInfo(ConfigurationPermission.class.getName(), "*", "configure"),
    // new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
    // new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"), },
    // ConditionalPermissionInfo.ALLOW));

    // Bitronix
    // Transaction manager bundle: property reads under bitronix.tm.* plus what it needs to
    // create an MBean server and register its MBeans.
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { locate(BitronixTransactionManager.class) }) },
            new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "bitronix.tm.*", "read"),
                    new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
                    new PermissionInfo(MBeanServerPermission.class.getName(), "createMBeanServer", null),
                    new PermissionInfo(MBeanPermission.class.getName(), "bitronix.tm.*", "registerMBean"),
                    new PermissionInfo(MBeanTrustPermission.class.getName(), "register", null) },
            ConditionalPermissionInfo.ALLOW));

    // DS
    // NOTE(review): from here on each findBundle(..) result is dereferenced without a check.
    // findBundle's body is not fully visible in this listing; if it returns null for a bundle
    // that is not installed, the getLocation() call throws a NullPointerException and no row
    // after that point is added.
    // NOTE(review): several rows below grant AdminPermission("*", "*"), i.e. every admin action
    // on every bundle; confirm each recipient needs more than a specific action.
    Bundle dsBundle = findBundle("org.eclipse.equinox.ds");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { dsBundle.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(ConfigurationPermission.class.getName(), "*", "configure"),
                    new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
                    new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
                    new PermissionInfo(ServicePermission.class.getName(), "*", "register"),
                    new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"),
                    new PermissionInfo(PropertyPermission.class.getName(), "xml.*", "read"),
                    new PermissionInfo(PropertyPermission.class.getName(), "equinox.*", "read"),
                    new PermissionInfo(RuntimePermission.class.getName(), "accessDeclaredMembers", null),
                    new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
                    new PermissionInfo(ReflectPermission.class.getName(), "suppressAccessChecks", null), },
            ConditionalPermissionInfo.ALLOW));

    // Jetty
    // NOTE(review): jettyUtilBundle is looked up but not read in the visible lines; the row is
    // keyed on the "*/org.eclipse.jetty.*" location wildcard instead of that bundle's location.
    Bundle jettyUtilBundle = findBundle("org.eclipse.equinox.http.jetty");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { "*/org.eclipse.jetty.*" }) },
            new PermissionInfo[] {
                    new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
            ConditionalPermissionInfo.ALLOW));

    // Blueprint
    Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { blueprintBundle.getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
                            new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
                    ConditionalPermissionInfo.ALLOW));
    Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
    update.getConditionalPermissionInfos()
            // NOTE(review): the listing drops one source line here (the other rows have
            // ".add(permissionAdmin" at this position).
            .newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { blueprintExtenderBundle.getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
                            new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
                            // NOTE(review): one source line is missing from the listing here; the
                            // actions argument of the PropertyPermission above is not shown.
                            new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
                            new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
                    ConditionalPermissionInfo.ALLOW));
    Bundle springCoreBundle = findBundle("org.springframework.core");
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { springCoreBundle.getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
                            new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
                    ConditionalPermissionInfo.ALLOW));
    Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { blueprintIoBundle.getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
                            new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
                    ConditionalPermissionInfo.ALLOW));

    // Equinox
    Bundle registryBundle = findBundle("org.eclipse.equinox.registry");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { registryBundle.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "eclipse.*", "read"),
                    new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"),
                    new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
            ConditionalPermissionInfo.ALLOW));

    Bundle equinoxUtilBundle = findBundle("org.eclipse.equinox.util");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { equinoxUtilBundle.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "equinox.*", "read"),
                    new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
                    new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
            ConditionalPermissionInfo.ALLOW));
    Bundle equinoxCommonBundle = findBundle("org.eclipse.equinox.common");
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { equinoxCommonBundle.getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
                    ConditionalPermissionInfo.ALLOW));

    Bundle consoleBundle = findBundle("org.eclipse.equinox.console");
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { consoleBundle.getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(ServicePermission.class.getName(), "*", "register"),
                            new PermissionInfo(AdminPermission.class.getName(), "*", "listener") },
                    ConditionalPermissionInfo.ALLOW));
    Bundle preferencesBundle = findBundle("org.eclipse.equinox.preferences");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { preferencesBundle.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
            ConditionalPermissionInfo.ALLOW));
    Bundle appBundle = findBundle("org.eclipse.equinox.app");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { appBundle.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
            ConditionalPermissionInfo.ALLOW));

    // Jackrabbit
    // Repository core: the only visible row that may also WRITE system properties ("*"), next
    // to full file access and the JAAS permissions for the "Jackrabbit" login context.
    Bundle jackrabbitCoreBundle = findBundle("org.apache.jackrabbit.core");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { jackrabbitCoreBundle.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"),
                    new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"),
                    new PermissionInfo(AuthPermission.class.getName(), "getLoginConfiguration", null),
                    new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
            ConditionalPermissionInfo.ALLOW));
    Bundle jackrabbitCommonBundle = findBundle("org.apache.jackrabbit.jcr.commons");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
            new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                    new String[] { jackrabbitCommonBundle.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
            ConditionalPermissionInfo.ALLOW));
    Bundle tikaCoreBundle = findBundle("org.apache.tika.core");
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { tikaCoreBundle.getLocation() }) },
                    new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
                            new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
                    ConditionalPermissionInfo.ALLOW));
    Bundle luceneBundle = findBundle("org.apache.lucene");
    update.getConditionalPermissionInfos()
            .add(permissionAdmin.newConditionalPermissionInfo(null,
                    new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
                            new String[] { luceneBundle.getLocation() }) },
                    new PermissionInfo[] {
                            new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>",
                                    "read,write,delete"),
                            new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
                            new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
                    ConditionalPermissionInfo.ALLOW));
    // NOTE(review): the listing stops here; the rest of the method, including its closing
    // brace, is not shown. No commit() call on `update` is visible, and the rows added above
    // only take effect once the ConditionalPermissionUpdate is committed. Confirm against the
    // full file that the result of that commit is checked.
/**
 * Looks up the bundle that loaded the given class and reports where it was installed from.
 *
 * @param clzz class whose defining bundle is resolved through {@link FrameworkUtil}
 * @return the location string of that bundle
 */
default String locate(Class<?> clzz) {
    // NOTE(review): FrameworkUtil.getBundle(..) yields null for a class that was not loaded by
    // a bundle class loader; the dereference below then throws a NullPointerException.
    Bundle owningBundle = FrameworkUtil.getBundle(clzz);
    return owningBundle.getLocation();
}
281 default Bundle
findBundle(String symbolicName
) {
282 for (Bundle b
: bc
.getBundles())
283 if (b
.getSymbolicName().equals(symbolicName
))