db-derby-commits mailing list archives

From rhille...@apache.org
Subject svn commit: r1626274 - in /db/derby/code/trunk/java: engine/org/apache/derby/impl/jdbc/ engine/org/apache/derby/jdbc/ testing/org/apache/derbyTesting/functionTests/tests/lang/
Date Fri, 19 Sep 2014 16:57:04 GMT
Author: rhillegas
Date: Fri Sep 19 16:57:04 2014
New Revision: 1626274

URL: http://svn.apache.org/r1626274
Log:
DERBY-6741: Add a privilege barrier to prevent users from getting a ContextManager from an
embedded connection object; tests passed cleanly on derby-6741-01-aa-usederbyinternals.diff.

Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java
    db/derby/code/trunk/java/engine/org/apache/derby/jdbc/EmbedXAResource.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ConstraintCharacteristicsTest.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NewOptimizerOverridesTest.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NoDBInternalsPermissionTest.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/resultSetReader.policy

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java?rev=1626274&r1=1626273&r2=1626274&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java Fri Sep
19 16:57:04 2014
@@ -37,6 +37,7 @@ import org.apache.derby.iapi.services.pr
 import org.apache.derby.iapi.jdbc.AuthenticationService;
 import org.apache.derby.iapi.jdbc.EngineConnection;
 import org.apache.derby.security.DatabasePermission;
+import org.apache.derby.iapi.security.SecurityUtil;
 
 import org.apache.derby.iapi.db.Database;
 import org.apache.derby.impl.db.SlaveDatabase;
@@ -2892,6 +2893,9 @@ public class EmbedConnection implements 
 	*/
 	public final ContextManager getContextManager() {
 
+        // Verify that we have permission to execute this method.
+        SecurityUtil.checkDerbyInternalsPrivilege();
+
 		if (SanityManager.DEBUG)
 			SanityManager.ASSERT(!isClosed(), "connection is closed");
 
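Review bot: The Javadoc above `getContextManager()` (it begins outside this hunk) should say that the method is now guarded, because the added `SecurityUtil.checkDerbyInternalsPrivilege()` call turns a previously unconditional public accessor into one that can reject the caller. A line such as `@throws java.security.AccessControlException if the calling code lacks SystemPermission("engine", "usederbyinternals")` would match the permission granted in resultSetReader.policy and the exception NoDBInternalsPermissionTest expects. This commit wraps only the EmbedXAResource call site in `doPrivileged`. Any other engine caller that can be reached with application frames on the stack would presumably need the same wrapper, so the remaining callers are worth auditing. The method body continues outside the hunk.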

Modified: db/derby/code/trunk/java/engine/org/apache/derby/jdbc/EmbedXAResource.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/jdbc/EmbedXAResource.java?rev=1626274&r1=1626273&r2=1626274&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/jdbc/EmbedXAResource.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/jdbc/EmbedXAResource.java Fri Sep 19
16:57:04 2014
@@ -672,9 +672,11 @@ class EmbedXAResource implements XAResou
                     throw wrapInXAException(sqle);
                 }
                 
-                tranState = new XATransactionState(
-                    con.realConnection.getContextManager(),
-                    con.realConnection, this, xid_im);
+                tranState = new XATransactionState
+                    (
+                     getContextManager( con.realConnection ),
+                     con.realConnection, this, xid_im
+                     );
                 if (!ra.addConnection(xid_im, tranState))
                     throw new XAException(XAException.XAER_DUPID);
                 
@@ -938,23 +940,34 @@ class EmbedXAResource implements XAResou
      */
     private  static  ContextService    getContextService()
     {
-        if ( System.getSecurityManager() == null )
-        {
-            return ContextService.getFactory();
-        }
-        else
-        {
-            return AccessController.doPrivileged
-                (
-                 new PrivilegedAction<ContextService>()
+        return AccessController.doPrivileged
+            (
+             new PrivilegedAction<ContextService>()
+             {
+                 public ContextService run()
                  {
-                     public ContextService run()
-                     {
-                         return ContextService.getFactory();
-                     }
+                     return ContextService.getFactory();
                  }
-                 );
-        }
+             }
+             );
+    }
+
+    /**
+     * Privileged lookup of the ContextManager. Must be private so that user code
+     * can't call this entry point.
+     */
+    private  static  ContextManager    getContextManager( final EmbedConnection conn )
+    {
+        return AccessController.doPrivileged
+            (
+             new PrivilegedAction<ContextManager>()
+             {
+                 public ContextManager run()
+                 {
+                     return conn.getContextManager();
+                 }
+             }
+             );
     }
 
 }
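Review bot: The new private `getContextManager( EmbedConnection )` helper returns an engine-internal object from inside `doPrivileged`, so its Javadoc should also state that the result has to stay inside the engine. At the visible call site the value goes to the `XATransactionState` constructor; whether that class exposes it further is not visible here. A sentence such as `The returned ContextManager must never be handed back to, or stored where it is reachable by, application code.` would make the constraint explicit next to the existing "Must be private" remark. Separately, `getContextService()` now always goes through `doPrivileged`, even with no security manager installed; a one-line comment saying the fast path was dropped deliberately would stop someone re-adding it.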

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ConstraintCharacteristicsTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ConstraintCharacteristicsTest.java?rev=1626274&r1=1626273&r2=1626274&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ConstraintCharacteristicsTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ConstraintCharacteristicsTest.java
Fri Sep 19 16:57:04 2014
@@ -21,6 +21,8 @@
 
 package org.apache.derbyTesting.functionTests.tests.lang;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
 import java.sql.DriverManager;
@@ -408,11 +410,7 @@ public class ConstraintCharacteristicsTe
 
         s.executeUpdate("alter table t alter constraint c enforced ");
 
-        final ContextManager contextManager =
-                ((EmbedConnection)c).getContextManager();
-        final LanguageConnectionContext lcc =
-                (LanguageConnectionContext)contextManager.getContext(
-                "LanguageConnectionContext");
+        final LanguageConnectionContext lcc = getLCC( c );
         final GenericPreparedStatement derbyPs =
                 (GenericPreparedStatement)lcc.getLastActivation().
                 getPreparedStatement();
@@ -2831,5 +2829,25 @@ public class ConstraintCharacteristicsTe
         }
 
     }
+    
+    /**
+     * Privileged lookup of the LCC from a Connection.
+     */
+    public  static  LanguageConnectionContext    getLCC( final Connection conn )
+    {
+        return AccessController.doPrivileged
+            (
+             new PrivilegedAction<LanguageConnectionContext>()
+             {
+                 public LanguageConnectionContext run()
+                 {
+                     final ContextManager contextManager =
+                         ((EmbedConnection)conn).getContextManager();
+                     return (LanguageConnectionContext)
+                         contextManager.getContext( "LanguageConnectionContext" );
+                 }
+             }
+             );
+    }
 }
 
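Review bot: `getLCC( Connection )` is a `public static` method that performs a privileged lookup on behalf of any caller, which is the shape the engine-side helper in EmbedXAResource avoids with its "Must be private" rule. Under resultSetReader.policy the test jar holds `usederbyinternals`, so code that can call this method obtains a LanguageConnectionContext without holding the permission itself. The only other caller in this commit, NewOptimizerOverridesTest, is in the same package, so package-private visibility is enough: `static  LanguageConnectionContext    getLCC( final Connection conn )`. The unchecked cast `(EmbedConnection)conn` will also raise a ClassCastException for any connection that is not an EmbedConnection, so the Javadoc should say the helper accepts embedded connections only.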

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NewOptimizerOverridesTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NewOptimizerOverridesTest.java?rev=1626274&r1=1626273&r2=1626274&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NewOptimizerOverridesTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NewOptimizerOverridesTest.java
Fri Sep 19 16:57:04 2014
@@ -527,8 +527,7 @@ public class NewOptimizerOverridesTest  
     /** Get an xml-based picture of the plan chosen for the last query. The query is identified
by its JDBC ResultSet */
     public  static  Document    getLastQueryPlan( Connection conn, ResultSet rs ) throws
Exception
     {
-        ContextManager      contextManager = ((EmbedConnection) conn).getContextManager();
-        LanguageConnectionContext   lcc = (LanguageConnectionContext) contextManager.getContext(
"LanguageConnectionContext" );
+        LanguageConnectionContext   lcc = ConstraintCharacteristicsTest.getLCC( conn );
         org.apache.derby.iapi.sql.ResultSet derbyRS = lcc.getLastActivation().getResultSet();
 
         Document    doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NoDBInternalsPermissionTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NoDBInternalsPermissionTest.java?rev=1626274&r1=1626273&r2=1626274&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NoDBInternalsPermissionTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NoDBInternalsPermissionTest.java
Fri Sep 19 16:57:04 2014
@@ -32,6 +32,7 @@ import org.apache.derbyTesting.junit.Sec
 import org.apache.derbyTesting.junit.TestConfiguration;
 
 import org.apache.derby.iapi.services.context.ContextService;
+import org.apache.derby.impl.jdbc.EmbedConnection;
 
 /**
  * <p>
@@ -124,4 +125,19 @@ public class NoDBInternalsPermissionTest
         catch (AccessControlException e) { println( "Caught an AccessControlException" );
}
     }
 
+    /**
+     * <p>
+     * Verify that user code can't call EmbedConnection.getContextManager().
+     * </p>
+     */
+    public  void    test_002_EmbedConnection()
+        throws Exception
+    {
+        Connection  conn = getConnection();
+        try {
+            ((EmbedConnection) conn).getContextManager();
+            fail( "Should have raised an AccessControlException" );
+        }
+        catch (AccessControlException e) { println( "Caught an AccessControlException" );
}
+    }
 }

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/resultSetReader.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/resultSetReader.policy?rev=1626274&r1=1626273&r2=1626274&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/resultSetReader.policy
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/resultSetReader.policy
Fri Sep 19 16:57:04 2014
@@ -226,6 +226,9 @@ grant codeBase "${derbyTesting.codejar}d
 grant codeBase "${derbyTesting.testjar}derbyTesting.jar" {
   // Access all properties using System.getProperties
   permission java.util.PropertyPermission "*", "read, write";
+
+  // Needed to look up the LanguageConnectionContext
+  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
   
   // Access all files under ${user.dir}to write the test directory structure
   permission java.io.FilePermission "${user.dir}${/}-", "read,write,delete"; 
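Review bot: The new grant gives `usederbyinternals` to the whole of derbyTesting.jar, so any class in that jar can reach engine internals through a `doPrivileged` block when run under this policy file. The comment should name the code that depends on the grant, for example `// Needed by ConstraintCharacteristicsTest.getLCC() to look up the LanguageConnectionContext`, so it can be narrowed or removed later. Which policy NoDBInternalsPermissionTest runs under is not visible here. If it ever shares this file, the denial its new `test_002_EmbedConnection` expects could stop being raised, so that test should stay on a policy without this permission.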


