1 package org
.argeo
.cms
.internal
.osgi
;
3 import java
.io
.FilePermission
;
4 import java
.lang
.reflect
.ReflectPermission
;
5 import java
.net
.SocketPermission
;
6 import java
.security
.AllPermission
;
7 import java
.util
.PropertyPermission
;
9 import javax
.security
.auth
.AuthPermission
;
11 import org
.osgi
.framework
.AdminPermission
;
12 import org
.osgi
.framework
.Bundle
;
13 import org
.osgi
.framework
.BundleContext
;
14 import org
.osgi
.framework
.FrameworkUtil
;
15 import org
.osgi
.framework
.ServicePermission
;
16 import org
.osgi
.service
.cm
.ConfigurationPermission
;
17 import org
.osgi
.service
.condpermadmin
.BundleLocationCondition
;
18 import org
.osgi
.service
.condpermadmin
.ConditionInfo
;
19 import org
.osgi
.service
.condpermadmin
.ConditionalPermissionAdmin
;
20 import org
.osgi
.service
.condpermadmin
.ConditionalPermissionInfo
;
21 import org
.osgi
.service
.condpermadmin
.ConditionalPermissionUpdate
;
22 import org
.osgi
.service
.permissionadmin
.PermissionAdmin
;
23 import org
.osgi
.service
.permissionadmin
.PermissionInfo
;
25 /** Security profile based on OSGi {@link PermissionAdmin}. */
26 public interface SecurityProfile
{
/**
 * Context of the bundle that defines {@link SecurityProfile}, resolved once when this interface is initialised.
 * <p>
 * Interface fields are implicitly {@code public static final}, so this context is readable by any code that can
 * load the interface. The OSGi {@link BundleContext} documentation describes a context as being for the private
 * use of its own bundle; NOTE(review): confirm this package is not exported.
 * <p>
 * {@link FrameworkUtil#getBundle(Class)} returns {@code null} for a class that was not defined by a bundle class
 * loader, in which case initialisation fails with a {@link NullPointerException}.
 */
BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext();
/**
 * Stages the system permission table on a new {@link ConditionalPermissionUpdate} obtained from
 * {@code permissionAdmin}.
 * <p>
 * Every row is created without a name (first argument {@code null}) and with the
 * {@link ConditionalPermissionInfo#ALLOW} decision. All rows but one are bound to a bundle through a
 * {@link BundleLocationCondition}, either on the exact location of an installed bundle or on a location
 * wildcard.
 * <p>
 * Security review points, all visible in the rows below:
 * <ul>
 * <li>One row has no condition at all and carries {@code RuntimePermission "*"} together with
 * read/write/delete on {@code <<ALL FILES>>}. It is not limited to any bundle, which leaves very little for
 * the narrower rows to restrict.</li>
 * <li>Three rows match location wildcards. A location string is supplied by whoever installs the bundle, so
 * these rows are only as strong as the control over bundle installation.</li>
 * <li>Several third-party bundles receive {@code AdminPermission "*", "*"}.</li>
 * </ul>
 *
 * @param permissionAdmin service used to create the update and its rows
 * @throws NullPointerException if a bundle looked up by symbolic name is missing; this presumes
 *                              {@code findBundle} yields {@code null} in that case (TODO confirm)
 */
default void applySystemPermissions(ConditionalPermissionAdmin permissionAdmin) {
    ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();

    // Class names shared by the rows below, resolved once.
    final String byLocation = BundleLocationCondition.class.getName();
    final String all = AllPermission.class.getName();
    final String file = FilePermission.class.getName();
    final String property = PropertyPermission.class.getName();
    final String runtime = RuntimePermission.class.getName();
    final String admin = AdminPermission.class.getName();
    final String service = ServicePermission.class.getName();
    final String auth = AuthPermission.class.getName();

    // Target and actions of the file grant that recurs in many rows.
    final String allFiles = "<<ALL FILES>>";
    final String readWriteDelete = "read,write,delete";

    // (A row granting AllPermission to the bundle of NodeUtils is disabled in the original.)

    // --- Fully trusted: this bundle and the framework (bundle 0) ---
    String ownLocation = locate(SecurityProfile.class);
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { ownLocation }) },
            new PermissionInfo[] { new PermissionInfo(all, null, null) },
            ConditionalPermissionInfo.ALLOW));

    String frameworkLocation = bc.getBundle(0).getLocation();
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { frameworkLocation }) },
            new PermissionInfo[] { new PermissionInfo(all, null, null) },
            ConditionalPermissionInfo.ALLOW));

    // --- Unconditional row ---
    // FIXME (original author): understand why Jetty and Jackrabbit require that.
    // NOTE(review): the conditions argument is null, so nothing restricts this row to a bundle.
    // RuntimePermission "*" covers every runtime target, including setSecurityManager and
    // createClassLoader, and the file grant covers the whole file system. Scope this row to the
    // bundles that need it once the FIXME is resolved.
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            null,
            new PermissionInfo[] {
                    new PermissionInfo(SocketPermission.class.getName(), "localhost:7070", "listen,resolve"),
                    new PermissionInfo(file, allFiles, readWriteDelete),
                    new PermissionInfo(property, "DEBUG", "read"),
                    new PermissionInfo(property, "STOP.*", "read"),
                    new PermissionInfo(property, "org.apache.jackrabbit.*", "read"),
                    new PermissionInfo(runtime, "*", "*"), },
            ConditionalPermissionInfo.ALLOW));

    // --- Location wildcards: Eclipse and Felix ---
    // The original keeps a disabled, finer-grained row for "*/org.eclipse.*" (RuntimePermission,
    // AdminPermission, ServicePermission, TopicPermission, PropertyPermission, LogPermission);
    // the live rows grant AllPermission instead.
    // NOTE(review): a location pattern trusts the installer, not the publisher. OSGi also offers
    // BundleSignerCondition, which would bind the grant to a signer; worth evaluating.
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { "*/org.eclipse.*" }) },
            new PermissionInfo[] { new PermissionInfo(all, null, null), },
            ConditionalPermissionInfo.ALLOW));
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { "*/org.apache.felix.*" }) },
            new PermissionInfo[] { new PermissionInfo(all, null, null), },
            ConditionalPermissionInfo.ALLOW));

    // (Rows for the configuration admin implementation and for the Bitronix transaction manager
    // are disabled in the original.)

    // --- Declarative services ---
    Bundle ds = findBundle("org.eclipse.equinox.ds");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { ds.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(ConfigurationPermission.class.getName(), "*", "configure"),
                    new PermissionInfo(admin, "*", "*"),
                    new PermissionInfo(service, "*", "get"),
                    new PermissionInfo(service, "*", "register"),
                    new PermissionInfo(property, "osgi.*", "read"),
                    new PermissionInfo(property, "xml.*", "read"),
                    new PermissionInfo(property, "equinox.*", "read"),
                    new PermissionInfo(runtime, "accessDeclaredMembers", null),
                    new PermissionInfo(runtime, "getClassLoader", null),
                    new PermissionInfo(ReflectPermission.class.getName(), "suppressAccessChecks", null), },
            ConditionalPermissionInfo.ALLOW));

    // --- Jetty and servlet API ---
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { "*/org.eclipse.jetty.*" }) },
            new PermissionInfo[] { new PermissionInfo(file, allFiles, readWriteDelete), },
            ConditionalPermissionInfo.ALLOW));

    Bundle servlet = findBundle("javax.servlet");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { servlet.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(property, "org.glassfish.web.rfc2109_cookie_names_enforced", "read") },
            ConditionalPermissionInfo.ALLOW));

    // Required to be able to get the BundleContext in the customizer.
    Bundle jettyCustomizer = findBundle("org.argeo.ext.equinox.jetty");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { jettyCustomizer.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(admin, "*", "*"), },
            ConditionalPermissionInfo.ALLOW));

    // (Rows for Gemini Blueprint core/extender/io and for Spring core are disabled in the original.)

    // --- Equinox ---
    Bundle registry = findBundle("org.eclipse.equinox.registry");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { registry.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(property, "eclipse.*", "read"),
                    new PermissionInfo(property, "osgi.*", "read"),
                    new PermissionInfo(file, allFiles, readWriteDelete), },
            ConditionalPermissionInfo.ALLOW));

    Bundle equinoxUtil = findBundle("org.eclipse.equinox.util");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { equinoxUtil.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(property, "equinox.*", "read"),
                    new PermissionInfo(service, "*", "get"),
                    new PermissionInfo(service, "*", "register"), },
            ConditionalPermissionInfo.ALLOW));

    Bundle equinoxCommon = findBundle("org.eclipse.equinox.common");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { equinoxCommon.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(admin, "*", "*"), },
            ConditionalPermissionInfo.ALLOW));

    Bundle console = findBundle("org.eclipse.equinox.console");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { console.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(service, "*", "register"),
                    new PermissionInfo(admin, "*", "listener") },
            ConditionalPermissionInfo.ALLOW));

    Bundle preferences = findBundle("org.eclipse.equinox.preferences");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { preferences.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(file, allFiles, readWriteDelete), },
            ConditionalPermissionInfo.ALLOW));

    Bundle app = findBundle("org.eclipse.equinox.app");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { app.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(file, allFiles, readWriteDelete), },
            ConditionalPermissionInfo.ALLOW));

    // --- Jackrabbit ---
    Bundle jackrabbitCore = findBundle("org.apache.jackrabbit.core");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { jackrabbitCore.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(file, allFiles, readWriteDelete),
                    new PermissionInfo(property, "*", "read,write"),
                    new PermissionInfo(auth, "getSubject", null),
                    new PermissionInfo(auth, "getLoginConfiguration", null),
                    new PermissionInfo(auth, "createLoginContext.Jackrabbit", null), },
            ConditionalPermissionInfo.ALLOW));

    Bundle jackrabbitData = findBundle("org.apache.jackrabbit.data");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { jackrabbitData.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(property, "*", "read,write") },
            ConditionalPermissionInfo.ALLOW));

    Bundle jackrabbitCommons = findBundle("org.apache.jackrabbit.jcr.commons");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { jackrabbitCommons.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(auth, "getSubject", null),
                    new PermissionInfo(auth, "createLoginContext.Jackrabbit", null), },
            ConditionalPermissionInfo.ALLOW));

    Bundle jackrabbitExt = findBundle("org.argeo.ext.jackrabbit");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { jackrabbitExt.getLocation() }) },
            new PermissionInfo[] { new PermissionInfo(auth, "*", "*"), },
            ConditionalPermissionInfo.ALLOW));

    // --- Tika and Lucene ---
    // NOTE(review): both receive AdminPermission "*", "*"; confirm which admin actions they need.
    Bundle tikaCore = findBundle("org.apache.tika.core");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { tikaCore.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(property, "*", "read,write"),
                    new PermissionInfo(admin, "*", "*") },
            ConditionalPermissionInfo.ALLOW));

    Bundle lucene = findBundle("org.apache.lucene");
    update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(
            null,
            new ConditionInfo[] { new ConditionInfo(byLocation, new String[] { lucene.getLocation() }) },
            new PermissionInfo[] {
                    new PermissionInfo(file, allFiles, readWriteDelete),
                    new PermissionInfo(property, "*", "read"),
                    new PermissionInfo(admin, "*", "*") },
            ConditionalPermissionInfo.ALLOW));

    // NOTE(review): the listing this was taken from omits the lines between the last row and the
    // next method, and no visible statement calls update.commit(). Rows staged on a
    // ConditionalPermissionUpdate only reach the permission table through commit(); confirm
    // against the original file that it is called here.
}
/**
 * Looks up the bundle that defined {@code clzz} and reports where it was installed from.
 * <p>
 * {@link FrameworkUtil#getBundle(Class)} returns {@code null} when the class was not defined by a bundle class
 * loader; this method does not check for that and then fails with a {@link NullPointerException}.
 *
 * @param clzz a class expected to have been loaded by an OSGi bundle
 * @return bundle location
 */
default String locate(Class<?> clzz) {
    Bundle definingBundle = FrameworkUtil.getBundle(clzz);
    return definingBundle.getLocation();
}
317 default Bundle
findBundle(String symbolicName
) {
318 for (Bundle b
: bc
.getBundles())
319 if (b
.getSymbolicName().equals(symbolicName
))