From f29320f6e6aca6d3c1b1deca1276930189fd3a60 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Sun, 8 Sep 2019 10:18:44 +0200
Subject: [PATCH] Work on hardening.

---
 .../argeo/cms/internal/kernel/Activator.java | 12 ++++
 .../cms/internal/kernel/SecurityProfile.java | 56 ++++++++++++++++---
 2 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
index 62c140efd..d7b953b53 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
@@ -105,6 +105,18 @@ public class Activator implements BundleActivator {
 new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, ConditionalPermissionInfo.ALLOW));
+ // TODO data admin permission
+// PermissionInfo dataAdminPerm = new PermissionInfo(AuthPermission.class.getName(),
+// "createLoginContext." + NodeConstants.LOGIN_CONTEXT_DATA_ADMIN, null);
+// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] {
+// new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.DENY));
+// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] {
+// new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { "CN=\"Eclipse.org Foundation, Inc.\", OU=IT, O=\"Eclipse.org Foundation, Inc.\", L=Nepean, ST=Ontario, C=CA" }) },
+// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.ALLOW));
+
 update.commit();
 } else {
 SecurityProfile securityProfile = new SecurityProfile() { };
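Review bot: The commented-out data-admin rows would not behave as the TODO intends if uncommented in this order: ConditionalPermissionAdmin evaluates its rows top-down and the first row whose conditions hold and whose permissions imply the requested permission decides, so a DENY row conditioned on every bundle location (`"*"`) placed before the signer-conditioned ALLOW row shadows it and the Eclipse-signed bundles are denied `createLoginContext.` + `NodeConstants.LOGIN_CONTEXT_DATA_ADMIN` too. The signer ALLOW row must come first and the catch-all DENY last. Until that is decided, replacing the dead code with a one-line intent comment keeps the hunk readable, e.g. `// TODO restrict createLoginContext.<LOGIN_CONTEXT_DATA_ADMIN> to trusted signers; rows are ordered, so the signer ALLOW must precede any catch-all DENY`. The context lines above still grant AllPermission to every location (`"*"`) before `update.commit()`, so this branch appears to be the non-hardened path and the hardening lives in the `else` branch. The enclosing method starts before the hunk and continues after it.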
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
index e2683af67..9e6e3b96b 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
@@ -8,6 +8,7 @@ import java.util.PropertyPermission;
 
 import javax.security.auth.AuthPermission;
 
+import org.argeo.node.NodeUtils;
 import org.osgi.framework.AdminPermission;
 import org.osgi.framework.Bundle;
 import org.osgi.framework.BundleContext;
@@ -29,16 +30,25 @@ public interface SecurityProfile {
 default void applySystemPermissions(ConditionalPermissionAdmin permissionAdmin) {
 ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
 // Self
+ String nodeAPiBundleLocation = locate(NodeUtils.class);
 update.getConditionalPermissionInfos()
 .add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { locate(SecurityProfile.class) }) },
+ new String[] { nodeAPiBundleLocation }) },
 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
 ConditionalPermissionInfo.ALLOW));
+ String cmsBundleLocation = locate(SecurityProfile.class);
 update.getConditionalPermissionInfos()
 .add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { bc.getBundle(0).getLocation() }) },
+ new String[] { cmsBundleLocation }) },
+ new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
+ ConditionalPermissionInfo.ALLOW));
+ String frameworkBundleLocation = bc.getBundle(0).getLocation();
+ update.getConditionalPermissionInfos()
+ .add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { frameworkBundleLocation }) },
 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
 ConditionalPermissionInfo.ALLOW));
 // All
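Review bot: The new AllPermission row for the bundle located via `locate(NodeUtils.class)` is the only widening in this hunk and carries no justification; the `// Self` comment should say why the node API bundle is trusted at the same level as the CMS bundle itself, e.g. `// Self: the node API, this bundle and the framework get AllPermission; any bundle installed from these locations is fully trusted`. The three rows differ only in the location string, so a loop over the three locations removes the copy-paste and makes the trusted set visible in one place; the fence below shows it. The local `nodeAPiBundleLocation` should be `nodeApiBundleLocation` (acronyms as words). If `locate(...)` can return null, the single-element `new String[] { location }` would hand a null argument to BundleLocationCondition — its contract is outside the hunk, so worth confirming. The method continues past the hunk.
```java
// Self: the node API, this bundle and the framework get AllPermission; any bundle installed from these locations is fully trusted
String[] selfLocations = { locate(NodeUtils.class), locate(SecurityProfile.class),
		bc.getBundle(0).getLocation() };
for (String location : selfLocations) {
	update.getConditionalPermissionInfos()
			.add(permissionAdmin.newConditionalPermissionInfo(null,
					new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
							new String[] { location }) },
					new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
					ConditionalPermissionInfo.ALLOW));
}
// … unchanged: "All" section …
```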
@@ -139,6 +149,22 @@ public interface SecurityProfile {
 new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"), },
 ConditionalPermissionInfo.ALLOW));
+ Bundle servletBundle = findBundle("javax.servlet");
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { servletBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(),
+ "org.glassfish.web.rfc2109_cookie_names_enforced", "read") },
+ ConditionalPermissionInfo.ALLOW));
+
+ // required to be able to get the BundleContext in the customizer
+ Bundle jettyCustomizerBundle = findBundle("org.argeo.ext.equinox.jetty");
+ update.getConditionalPermissionInfos()
+ .add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { jettyCustomizerBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+ ConditionalPermissionInfo.ALLOW));
 // Blueprint
 // Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
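Review bot: The jetty customizer row grants far more than its own comment says it needs: `AdminPermission` with actions `"*"` covers lifecycle, execute, weave and every other admin action on every bundle, whereas obtaining a BundleContext from a Bundle requires only the `context` action, so `new PermissionInfo(AdminPermission.class.getName(), "*", AdminPermission.CONTEXT)` matches the stated intent and keeps this commit's hardening consistent. The `"*"` filter could likewise be narrowed to the bundles the customizer actually inspects once those are known. `findBundle(...)` is defined outside the hunk; if it returns null when the named bundle is not installed, `servletBundle.getLocation()` and `jettyCustomizerBundle.getLocation()` throw a NullPointerException during permission setup, and the same pattern recurs for the Jackrabbit, ext.jackrabbit and Tika bundles in the last hunk. The enclosing method starts before and ends after this hunk.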
@@ -235,24 +261,40 @@ public interface SecurityProfile {
 new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"),
 new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"),
+ new PermissionInfo(AuthPermission.class.getName(), "getSubject", null),
 new PermissionInfo(AuthPermission.class.getName(), "getLoginConfiguration", null),
 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
 ConditionalPermissionInfo.ALLOW));
+ Bundle jackrabbitDataBundle = findBundle("org.apache.jackrabbit.data");
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { jackrabbitDataBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write") },
+ ConditionalPermissionInfo.ALLOW));
 Bundle jackrabbitCommonBundle = findBundle("org.apache.jackrabbit.jcr.commons");
 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
 new String[] { jackrabbitCommonBundle.getLocation() }) },
- new PermissionInfo[] {
+ new PermissionInfo[] { new PermissionInfo(AuthPermission.class.getName(), "getSubject", null),
 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
 ConditionalPermissionInfo.ALLOW));
- Bundle tikaCoreBundle = findBundle("org.apache.tika.core");
+
+ Bundle jackrabbitExtBundle = findBundle("org.argeo.ext.jackrabbit");
 update.getConditionalPermissionInfos()
 .add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { tikaCoreBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
+ new String[] { jackrabbitExtBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(AuthPermission.class.getName(), "*", "*"), },
 ConditionalPermissionInfo.ALLOW));
+
+ // Tika
+ Bundle tikaCoreBundle = findBundle("org.apache.tika.core");
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { tikaCoreBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"),
+ new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
+ ConditionalPermissionInfo.ALLOW));
 Bundle luceneBundle = findBundle("org.apache.lucene");
 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
-- 
2.30.2
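Review bot: The `org.argeo.ext.jackrabbit` row grants `AuthPermission` with target `"*"`, which implies every JAAS action (including `setLoginConfiguration`, `modifyPrincipals`, `doAsPrivileged` and `createLoginContext.*`), while the neighbouring Jackrabbit rows in the same hunk were carefully narrowed to `getSubject` and `createLoginContext.Jackrabbit`; the extension bundle should be given the same named targets, `new PermissionInfo(AuthPermission.class.getName(), "getSubject", null), new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null),`, with any extra target it genuinely needs added explicitly and commented. The Tika row also widens `PropertyPermission` on `"*"` from `"read"` to `"read,write"` and keeps `AdminPermission` `"*"`/`"*"`; a content-extraction library writing arbitrary system properties is unusual, so a comment naming the property or action it needs would justify the grant or allow it to be narrowed. Adding `getSubject` to the Jackrabbit core row and to the commons row is consistent, but note that both widenings above work against the commit's own goal. The enclosing method starts before and ends after this hunk.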