db-derby-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d..@apache.org
Subject svn commit: r636435 - in /db/derby/code/trunk/java: drda/org/apache/derby/impl/drda/ engine/org/apache/derby/impl/services/jmx/ engine/org/apache/derby/jdbc/ engine/org/apache/derby/security/ testing/org/apache/derbyTesting/unitTests/junit/
Date Wed, 12 Mar 2008 17:47:37 GMT
Author: djd
Date: Wed Mar 12 10:47:20 2008
New Revision: 636435

URL: http://svn.apache.org/viewvc?rev=636435&view=rev
Log:
DERBY-3491 Change Derby's SystemPermission to be a two argument permission with:

target-name: jmx|server|engine
action: control|monitor|shutdown

Modified:
    db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
    db/derby/code/trunk/java/engine/org/apache/derby/jdbc/InternalDriver.java
    db/derby/code/trunk/java/engine/org/apache/derby/security/SystemPermission.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.policy

Modified: db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=636435&r1=636434&r2=636435&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
(original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
Wed Mar 12 10:47:20 2008
@@ -1078,8 +1078,8 @@
 
         // the check
         try {
-            final Permission sp
-                = new SystemPermission(SystemPermission.SHUTDOWN);
+            final Permission sp  = new SystemPermission(
+                  SystemPermission.SERVER, SystemPermission.SHUTDOWN);
             // For porting the network server to J2ME/CDC, consider calling
             // abstract method InternalDriver.checkShutdownPrivileges(user)
             // instead of static SecurityUtil.checkUserHasPermission().

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java?rev=636435&r1=636434&r2=636435&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
Wed Mar 12 10:47:20 2008
@@ -375,18 +375,20 @@
             mbeanServer = null;
         }
     }
+    
+    private final static SystemPermission CONTROL =
+        new SystemPermission(
+                SystemPermission.JMX, SystemPermission.CONTROL);
 
     private void checkJMXControl() {
-        /* FUTURE DERBY-3462
         try {
-            AccessController.checkPermission(new SystemPermission("jmxControl"));
+            // AccessController.checkPermission(CONTROL);
         } catch (AccessControlException e) {
             // Need to throw a simplified version as AccessControlException
             // will have a reference to Derby's SystemPermission which most likely
             // will not be available on the client.
             throw new SecurityException(e.getMessage());
         }
-        */
     }
 
     public synchronized String getSystemIdentifier() {

Modified: db/derby/code/trunk/java/engine/org/apache/derby/jdbc/InternalDriver.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/jdbc/InternalDriver.java?rev=636435&r1=636434&r2=636435&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/jdbc/InternalDriver.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/jdbc/InternalDriver.java Wed Mar 12 10:47:20
2008
@@ -302,8 +302,8 @@
 
         // the check
         try {
-            final Permission sp
-                = new SystemPermission(SystemPermission.SHUTDOWN);
+            final Permission sp = new SystemPermission(
+                SystemPermission.ENGINE, SystemPermission.SHUTDOWN);
             checkSystemPrivileges(user, sp);
         } catch (AccessControlException ace) {
             throw Util.generateCsSQLException(

Modified: db/derby/code/trunk/java/engine/org/apache/derby/security/SystemPermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/security/SystemPermission.java?rev=636435&r1=636434&r2=636435&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/security/SystemPermission.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/security/SystemPermission.java Wed Mar
12 10:47:20 2008
@@ -22,46 +22,80 @@
 package org.apache.derby.security;
 
 import java.security.BasicPermission;
-import java.util.Set;
+import java.security.Permission;
+import java.util.ArrayList;
 import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+import java.util.StringTokenizer;
 
 /**
  * This class represents access to system-wide Derby privileges.
  */
 final public class SystemPermission extends BasicPermission {
+    
+    /**
+     * Permission target name for actions applicable
+     * to the network server.
+     */
+    public static final String SERVER = "server";
+    /**
+     * Permission target name for actions applicable
+     * to the core database engine.
+     */
+    public static final String ENGINE = "engine";
+    /**
+     * Permission target name for actions applicable
+     * to management of Derby's JMX MBeans.
+     */
+    public static final String JMX = "jmx";
 
     /**
-     * The server and engine shutdown permission.
+     * The server and engine shutdown action.
      */
     static public final String SHUTDOWN = "shutdown";
+    
+    /**
+     * Permission to perform control actions through JMX
+     * on engine, server or jmx.
+     */
+    public static final String CONTROL = "control";
+    
+    /**
+     * Permission to perform monitoring actions through JMX
+     * on engine and server.
+     */
+    public static final String MONITOR = "monitor";
 
     /**
      * The legal system permission names.
      */
-    static protected final Set LEGAL_PERMISSIONS = new HashSet();    
+    static private final Set LEGAL_NAMES = new HashSet();    
     static {
         // when adding new permissions, check whether to override inherited
         // method: implies(Permission)
-        LEGAL_PERMISSIONS.add(SHUTDOWN);
+        LEGAL_NAMES.add(SERVER);
+        LEGAL_NAMES.add(ENGINE);
+        LEGAL_NAMES.add(JMX);
     };
-
+    
     /**
-     * Checks a name for denoting a legal SystemPermission.
-     *
-     * @param name the name of a SystemPermission
-     * @throws IllegalArgumentException if name is not a legal SystemPermission
+     * Set of legal actions in their canonical form.
      */
-    static protected void checkPermission(String name) {
-        // superclass BasicPermission has checked that name isn't null
-        // (NullPointerException) or empty (IllegalArgumentException)
-        //assert(name != null);
-        //assert(!name.equals(""));
-        if (!LEGAL_PERMISSIONS.contains(name)) {
-            throw new IllegalArgumentException("Unknown permission " + name);
-        }
+    static private final List LEGAL_ACTIONS = new ArrayList();
+    static {
+        LEGAL_ACTIONS.add(CONTROL);
+        LEGAL_ACTIONS.add(MONITOR);
+        LEGAL_ACTIONS.add(SHUTDOWN);
     }
     
     /**
+     * Actions for this permission.
+     */
+    private final String actions;
+    
+    /**
      * Creates a new SystemPermission with the specified name.
      *
      * @param name the name of the SystemPermission
@@ -69,8 +103,106 @@
      * @throws IllegalArgumentException if name is empty or not a legal SystemPermission
      * @see BasicPermission#BasicPermission(String)
      */
-    public SystemPermission(String name) {
+    public SystemPermission(String name, String actions) {
         super(name);
-        checkPermission(name);
+            
+        // superclass BasicPermission has checked that name isn't null
+        // (NullPointerException) or empty (IllegalArgumentException)
+
+        if (!LEGAL_NAMES.contains(name) ) {
+            throw new IllegalArgumentException("Unknown permission " + name);
+        }
+      
+        this.actions = getCanonicalForm(actions);   
+    }
+    
+    /**
+     * Return the permission's actions in a canonical form.
+     */
+    public String getActions() {
+        return actions;
+    }
+    
+    /**
+     * Return a canonical form of the passed in actions.
+     * Actions are lower-cased, in the order of LEGAL_ACTIONS
+     * and on;ly appear once.
+     */
+    private static String getCanonicalForm(String actions) {
+        actions = actions.trim().toLowerCase(Locale.ENGLISH);
+        
+        boolean[] seenAction = new boolean[LEGAL_ACTIONS.size()];
+        StringTokenizer st = new StringTokenizer(actions);
+        while (st.hasMoreTokens()) {
+            int validAction = LEGAL_ACTIONS.indexOf(st.nextElement());
+            if (validAction != -1)
+                seenAction[validAction] = true;
+        }
+        
+        StringBuffer sb = new StringBuffer();
+        for (int sa = 0; sa < seenAction.length; sa++)
+        {
+            if (seenAction[sa]) {
+                if (sb.length() != 0)
+                    sb.append(",");
+                sb.append(LEGAL_ACTIONS.get(sa));
+            }
+        }
+        
+        return sb.toString();
+    }
+
+    /**
+     * Does this permission equal another object.
+     * True if its and identical class with same
+     * name and (canonical) actions.
+     */
+    public boolean equals(Object other) {
+        
+        if (!super.equals(other))
+            return false;
+        
+        SystemPermission osp = (SystemPermission) other;
+        return getActions().equals(osp.getActions());
+    }
+    
+    /**
+     * Does this permission imply another. Only true
+     * if the other permission is a SystemPermission
+     * with the same name and all the actions
+     * of the permission are present in this.
+     * Note that none of the actions imply any other
+     * with this SystemPermission.
+     */
+    public boolean implies(Permission permission)
+    {
+        if (!super.implies(permission))
+            return false;
+        
+        int myActionMask = getActionMask(getActions());
+        int permissionMask = getActionMask(permission.getActions());
+        
+        return
+            (myActionMask & permissionMask) == permissionMask;
     }
+    
+    /**
+     * Get a mask of bits that represents the actions
+     * and can be used for the implies method.
+     */
+    private static int getActionMask(String actions) {
+        actions = actions.trim().toLowerCase(Locale.ENGLISH);
+        
+        int mask = 0;
+        StringTokenizer st = new StringTokenizer(actions);
+        while (st.hasMoreTokens()) {
+            int validAction = LEGAL_ACTIONS.indexOf(st.nextElement());
+            if (validAction != -1)
+                mask |= 1 << validAction;
+        }
+        
+        return mask;
+    }
+    
+    
 }

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.java?rev=636435&r1=636434&r2=636435&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.java
Wed Mar 12 10:47:20 2008
@@ -218,7 +218,7 @@
     private void checkSystemPermission() throws IOException {
         // test SystemPermission with null name argument
         try {
-            new SystemPermission(null);
+            new SystemPermission(null, null);
             fail("expected NullPointerException");
         } catch (NullPointerException ex) {
             // expected exception
@@ -226,7 +226,7 @@
 
         // test SystemPermission with empty name argument
         try {
-            new SystemPermission("");
+            new SystemPermission("", null);
             fail("expected IllegalArgumentException");
         } catch (IllegalArgumentException ex) {
             // expected exception
@@ -234,21 +234,23 @@
         
         // test SystemPermission with illegal name argument
         try {
-            new SystemPermission("illegal_name");
+            new SystemPermission("illegal_name", null);
             fail("expected IllegalArgumentException");
         } catch (IllegalArgumentException ex) {
             // expected exception
         }
 
         // test SystemPermission with legal name argument
-        final Permission sp0 = new SystemPermission(SystemPermission.SHUTDOWN);
-        final Permission sp1 = new SystemPermission(SystemPermission.SHUTDOWN);
+        final Permission sp0 = new SystemPermission(
+                SystemPermission.SERVER, SystemPermission.SHUTDOWN);
+        final Permission sp1 = new SystemPermission(
+                SystemPermission.SERVER, SystemPermission.SHUTDOWN);
 
         // test SystemPermission.getName()
-        assertEquals(sp0.getName(), SystemPermission.SHUTDOWN);
+        assertEquals(sp0.getName(), SystemPermission.SERVER);
 
         // test SystemPermission.getActions()
-        assertEquals(sp0.getActions(), "");
+        assertEquals(sp0.getActions(), SystemPermission.SHUTDOWN);
 
         // test SystemPermission.hashCode()
         assertTrue(sp0.hashCode() == sp1.hashCode());

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.policy?rev=636435&r1=636434&r2=636435&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.policy
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.policy
Wed Mar 12 10:47:20 2008
@@ -46,7 +46,7 @@
 
 // Specific test authorizations for System Privileges
 grant principal org.apache.derby.authentication.SystemPrincipal "AUTHORIZEDSYSTEMUSER" {
-  permission org.apache.derby.security.SystemPermission "shutdown";
+  permission org.apache.derby.security.SystemPermission "server", "shutdown";
   permission org.apache.derby.security.DatabasePermission "directory:*", "create";
   permission org.apache.derby.security.DatabasePermission "directory:level0/level1/-", "create";
   permission org.apache.derby.security.DatabasePermission "directory:/*", "create";
@@ -55,7 +55,7 @@
 
 // Specific test authorizations for System Privileges
 grant principal org.apache.derby.authentication.SystemPrincipal "SUPERUSER" {
-  permission org.apache.derby.security.SystemPermission "shutdown";
+  permission org.apache.derby.security.SystemPermission "server", "shutdown";
   permission org.apache.derby.security.DatabasePermission "directory:<<ALL FILES>>",
"create";
 };
 



Mime
View raw message