]> git.argeo.org Git - lgpl/argeo-commons.git/blob - org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
projects / lgpl / argeo-commons.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Test of ident client (commented out for the time being)
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / internal / kernel / SecurityProfile.java
1 package org.argeo.cms.internal.kernel;
2
3 import java.io.FilePermission;
4 import java.lang.reflect.ReflectPermission;
5 import java.net.SocketPermission;
6 import java.security.AllPermission;
7 import java.util.PropertyPermission;
8
9 import javax.security.auth.AuthPermission;
10
11 import org.osgi.framework.AdminPermission;
12 import org.osgi.framework.Bundle;
13 import org.osgi.framework.BundleContext;
14 import org.osgi.framework.FrameworkUtil;
15 import org.osgi.framework.ServicePermission;
16 import org.osgi.service.cm.ConfigurationPermission;
17 import org.osgi.service.condpermadmin.BundleLocationCondition;
18 import org.osgi.service.condpermadmin.ConditionInfo;
19 import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
20 import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
21 import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
22 import org.osgi.service.permissionadmin.PermissionInfo;
23
24 public interface SecurityProfile {
25 BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext();
26
27 default void applySystemPermissions(ConditionalPermissionAdmin permissionAdmin) {
28 ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
29 // Self
30 update.getConditionalPermissionInfos()
31 .add(permissionAdmin.newConditionalPermissionInfo(null,
32 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
33 new String[] { locate(SecurityProfile.class) }) },
34 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
35 ConditionalPermissionInfo.ALLOW));
36 update.getConditionalPermissionInfos()
37 .add(permissionAdmin.newConditionalPermissionInfo(null,
38 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
39 new String[] { bc.getBundle(0).getLocation() }) },
40 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
41 ConditionalPermissionInfo.ALLOW));
42 // All
43 // FIXME understand why Jetty and Jackrabbit require that
44 update.getConditionalPermissionInfos()
45 .add(permissionAdmin.newConditionalPermissionInfo(null, null, new PermissionInfo[] {
46 new PermissionInfo(SocketPermission.class.getName(), "localhost:7070", "listen,resolve"),
47 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"),
48 new PermissionInfo(PropertyPermission.class.getName(), "DEBUG", "read"),
49 new PermissionInfo(PropertyPermission.class.getName(), "STOP.*", "read"),
50 new PermissionInfo(PropertyPermission.class.getName(), "org.apache.jackrabbit.*", "read"),
51 new PermissionInfo(RuntimePermission.class.getName(), "*", "*"), },
52 ConditionalPermissionInfo.ALLOW));
53
54 // Eclipse
55 // update.getConditionalPermissionInfos()
56 // .add(permissionAdmin.newConditionalPermissionInfo(null,
57 // new ConditionInfo[] { new
58 // ConditionInfo(BundleLocationCondition.class.getName(),
59 // new String[] { "*/org.eclipse.*" }) },
60 // new PermissionInfo[] { new
61 // PermissionInfo(RuntimePermission.class.getName(), "*", "*"),
62 // new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
63 // new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
64 // new PermissionInfo(ServicePermission.class.getName(), "*",
65 // "register"),
66 // new PermissionInfo(TopicPermission.class.getName(), "*", "publish"),
67 // new PermissionInfo(TopicPermission.class.getName(), "*",
68 // "subscribe"),
69 // new PermissionInfo(PropertyPermission.class.getName(), "osgi.*",
70 // "read"),
71 // new PermissionInfo(PropertyPermission.class.getName(), "eclipse.*",
72 // "read"),
73 // new PermissionInfo(PropertyPermission.class.getName(),
74 // "org.eclipse.*", "read"),
75 // new PermissionInfo(PropertyPermission.class.getName(), "equinox.*",
76 // "read"),
77 // new PermissionInfo(PropertyPermission.class.getName(), "xml.*",
78 // "read"),
79 // new PermissionInfo("org.eclipse.equinox.log.LogPermission", "*",
80 // "log"), },
81 // ConditionalPermissionInfo.ALLOW));
82 update.getConditionalPermissionInfos()
83 .add(permissionAdmin.newConditionalPermissionInfo(null,
84 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
85 new String[] { "*/org.eclipse.*" }) },
86 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null), },
87 ConditionalPermissionInfo.ALLOW));
88 update.getConditionalPermissionInfos()
89 .add(permissionAdmin.newConditionalPermissionInfo(null,
90 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
91 new String[] { "*/org.apache.felix.*" }) },
92 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null), },
93 ConditionalPermissionInfo.ALLOW));
94
95 // Configuration admin
96 // update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
97 // new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
98 // new String[] { locate(configurationAdmin.getService().getClass()) }) },
99 // new PermissionInfo[] { new PermissionInfo(ConfigurationPermission.class.getName(), "*", "configure"),
100 // new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
101 // new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"), },
102 // ConditionalPermissionInfo.ALLOW));
103
104 // Bitronix
105 // update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
106 // new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
107 // new String[] { locate(BitronixTransactionManager.class) }) },
108 // new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "bitronix.tm.*", "read"),
109 // new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
110 // new PermissionInfo(MBeanServerPermission.class.getName(), "createMBeanServer", null),
111 // new PermissionInfo(MBeanPermission.class.getName(), "bitronix.tm.*", "registerMBean"),
112 // new PermissionInfo(MBeanTrustPermission.class.getName(), "register", null) },
113 // ConditionalPermissionInfo.ALLOW));
114
115 // DS
116 Bundle dsBundle = findBundle("org.eclipse.equinox.ds");
117 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
118 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
119 new String[] { dsBundle.getLocation() }) },
120 new PermissionInfo[] { new PermissionInfo(ConfigurationPermission.class.getName(), "*", "configure"),
121 new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
122 new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
123 new PermissionInfo(ServicePermission.class.getName(), "*", "register"),
124 new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"),
125 new PermissionInfo(PropertyPermission.class.getName(), "xml.*", "read"),
126 new PermissionInfo(PropertyPermission.class.getName(), "equinox.*", "read"),
127 new PermissionInfo(RuntimePermission.class.getName(), "accessDeclaredMembers", null),
128 new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
129 new PermissionInfo(ReflectPermission.class.getName(), "suppressAccessChecks", null), },
130 ConditionalPermissionInfo.ALLOW));
131
132 // Jetty
133 // Bundle jettyUtilBundle = findBundle("org.eclipse.equinox.http.jetty");
134 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
135 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
136 new String[] { "*/org.eclipse.jetty.*" }) },
137 new PermissionInfo[] {
138 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
139 ConditionalPermissionInfo.ALLOW));
140
141 // Blueprint
142 Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
143 update.getConditionalPermissionInfos()
144 .add(permissionAdmin.newConditionalPermissionInfo(null,
145 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
146 new String[] { blueprintBundle.getLocation() }) },
147 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
148 new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
149 ConditionalPermissionInfo.ALLOW));
150 Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
151 update.getConditionalPermissionInfos()
152 .add(permissionAdmin
153 .newConditionalPermissionInfo(null,
154 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
155 new String[] { blueprintExtenderBundle.getLocation() }) },
156 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
157 new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
158 "read"),
159 new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
160 new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
161 ConditionalPermissionInfo.ALLOW));
162 Bundle springCoreBundle = findBundle("org.springframework.core");
163 update.getConditionalPermissionInfos()
164 .add(permissionAdmin.newConditionalPermissionInfo(null,
165 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
166 new String[] { springCoreBundle.getLocation() }) },
167 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
168 new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
169 ConditionalPermissionInfo.ALLOW));
170 Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
171 update.getConditionalPermissionInfos()
172 .add(permissionAdmin.newConditionalPermissionInfo(null,
173 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
174 new String[] { blueprintIoBundle.getLocation() }) },
175 new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
176 new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
177 ConditionalPermissionInfo.ALLOW));
178
179 // Equinox
180 Bundle registryBundle = findBundle("org.eclipse.equinox.registry");
181 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
182 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
183 new String[] { registryBundle.getLocation() }) },
184 new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "eclipse.*", "read"),
185 new PermissionInfo(PropertyPermission.class.getName(), "osgi.*", "read"),
186 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
187 ConditionalPermissionInfo.ALLOW));
188
189 Bundle equinoxUtilBundle = findBundle("org.eclipse.equinox.util");
190 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
191 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
192 new String[] { equinoxUtilBundle.getLocation() }) },
193 new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "equinox.*", "read"),
194 new PermissionInfo(ServicePermission.class.getName(), "*", "get"),
195 new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
196 ConditionalPermissionInfo.ALLOW));
197 Bundle equinoxCommonBundle = findBundle("org.eclipse.equinox.common");
198 update.getConditionalPermissionInfos()
199 .add(permissionAdmin.newConditionalPermissionInfo(null,
200 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
201 new String[] { equinoxCommonBundle.getLocation() }) },
202 new PermissionInfo[] { new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
203 ConditionalPermissionInfo.ALLOW));
204
205 Bundle consoleBundle = findBundle("org.eclipse.equinox.console");
206 update.getConditionalPermissionInfos()
207 .add(permissionAdmin.newConditionalPermissionInfo(null,
208 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
209 new String[] { consoleBundle.getLocation() }) },
210 new PermissionInfo[] { new PermissionInfo(ServicePermission.class.getName(), "*", "register"),
211 new PermissionInfo(AdminPermission.class.getName(), "*", "listener") },
212 ConditionalPermissionInfo.ALLOW));
213 Bundle preferencesBundle = findBundle("org.eclipse.equinox.preferences");
214 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
215 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
216 new String[] { preferencesBundle.getLocation() }) },
217 new PermissionInfo[] {
218 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
219 ConditionalPermissionInfo.ALLOW));
220 Bundle appBundle = findBundle("org.eclipse.equinox.app");
221 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
222 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
223 new String[] { appBundle.getLocation() }) },
224 new PermissionInfo[] {
225 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"), },
226 ConditionalPermissionInfo.ALLOW));
227
228 // Jackrabbit
229 Bundle jackrabbitCoreBundle = findBundle("org.apache.jackrabbit.core");
230 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
231 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
232 new String[] { jackrabbitCoreBundle.getLocation() }) },
233 new PermissionInfo[] {
234 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"),
235 new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"),
236 new PermissionInfo(AuthPermission.class.getName(), "getLoginConfiguration", null),
237 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
238 ConditionalPermissionInfo.ALLOW));
239 Bundle jackrabbitCommonBundle = findBundle("org.apache.jackrabbit.jcr.commons");
240 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
241 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
242 new String[] { jackrabbitCommonBundle.getLocation() }) },
243 new PermissionInfo[] {
244 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
245 ConditionalPermissionInfo.ALLOW));
246 Bundle tikaCoreBundle = findBundle("org.apache.tika.core");
247 update.getConditionalPermissionInfos()
248 .add(permissionAdmin.newConditionalPermissionInfo(null,
249 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
250 new String[] { tikaCoreBundle.getLocation() }) },
251 new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
252 new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
253 ConditionalPermissionInfo.ALLOW));
254 Bundle luceneBundle = findBundle("org.apache.lucene");
255 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
256 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
257 new String[] { luceneBundle.getLocation() }) },
258 new PermissionInfo[] {
259 new PermissionInfo(FilePermission.class.getName(), "<<ALL FILES>>", "read,write,delete"),
260 new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
261 new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
262 ConditionalPermissionInfo.ALLOW));
263
264 // COMMIT
265 update.commit();
266 }
267
268 /** @return bundle location */
269 default String locate(Class<?> clzz) {
270 return FrameworkUtil.getBundle(clzz).getLocation();
271 }
272
273 /** Can be null */
274 default Bundle findBundle(String symbolicName) {
275 for (Bundle b : bc.getBundles())
276 if (b.getSymbolicName().equals(symbolicName))
277 return b;
278 return null;
279 }
280
281 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi