8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation

[AlekseiEfimov]

Summary of the change

This change introduces new system and security properties for specifying factory filters for the JNDI/LDAP and the JNDI/RMI JDK provider implementations.

These new properties allow more granular control over the set of object factories allowed to reconstruct Java objects from LDAP and RMI contexts.

The new factory filters are supplementing the existing jdk.jndi.object.factoriesFilter global factories filter to determine if a specific object factory is permitted to instantiate objects for the given protocol.

Links:

• CSR with details
• JBS issue

List of code changes

• Implementation for two new system and security properties have been added to the com.sun.naming.internal.ObjectFactoriesFilter class
• java.security and module-info.java files have been updated with a documentation for the new properties
• To keep API of javax.naming.spi.NamingManager and javax.naming.spi.DirectoryManager classes unmodified a new internal com.sun.naming.internal.NamingManagerHelper class has been introduced. All getObjectInstance calls have been updated to use the new helper class.

NamingManagerHelper changes

Changes performed to construct the NamingManagerHelper class:

• DirectoryManager.getObjectInstance -> NamingManagerHelper.getDirObjectInstance. Dependant methods were also moved to the NamingManagerHelper class
• NamingManager.getObjectInstance -> NamingManagerHelper.getObjectInstance. Methods responsible for setting/getting object factory builder were moved to the NamingManagerHelper class too.

Test changes

New tests have been added for checking that new factory filters can be used to restrict reconstruction of Java objects from LDAP and RMI contexts:

• LDAP protocol specific test: test/jdk/com/sun/jndi/ldap/objects/factory/LdapFactoriesFilterTest.java
• RMI protocol specific test: test/jdk/com/sun/jndi/rmi/registry/objects/RmiFactoriesFilterTest.java
  Existing test/jdk/javax/naming/module/RunBasic.java test has been updated to allow test-specific factories filter used to reconstruct objects from the test LDAP server.

Testing

tier1-tier3 and JNDI regression/JCK tests not showing any failures related to this change.
No failures observed for the modified regression tests.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires a CSR request to be approved

Issues

• JDK-8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation
• JDK-8291556: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation (CSR)

Reviewers

• Daniel Fuchs (@dfuch - Reviewer) ⚠️ Review applies to 4449dda1
• Roger Riggs (@RogerRiggs - Reviewer) ⚠️ Review applies to 528489b0
• Jaikiran Pai (@jaikiran - Reviewer) ⚠️ Review applies to 4449dda1

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/10578/head:pull/10578
$ git checkout pull/10578

Update a local copy of the PR:
$ git checkout pull/10578
$ git pull https://git.openjdk.org/jdk pull/10578/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 10578

View PR using the GUI difftool:
$ git pr show -t 10578

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/10578.diff

[bridgekeeper]

👋 Welcome back aefimov! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@AlekseiEfimov The following labels will be automatically applied to this pull request:

• core-libs
• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 06: Full - Incremental (fbc4d577)
• 05: Full - Incremental (4449dda1)
• 04: Full - Incremental (b3849168)
• 03: Full - Incremental (53806048)
• 02: Full - Incremental (528489b0)
• 01: Full - Incremental (091677e9)
• 00: Full (1a5e83e0)

[dfuch]

I am glad to see this RFE. It looks like a big change but most of it is actually reorganisation of internal code, so thanks for explaining its making off :-) It helps a lot for the review. I have looked at the code and I believe it looks good. I don't see any alternative to the reorganisation that could make the changes smaller - so I'm OK with the proposed solution. Thanks for documenting the new properties in their respective module info, as well as in the security properties file.

I had only a cursory look at the tests but they seem comprehensive. Good work.

[dfuch]

I am approving on the condition to make sure that all JNDI tests (as well as tier1, tier2, tier3) are run before integrating.

[dfuch]

Also please get an approval from a security-libs maintainer for the changes to the security properties file before integrating.

[RogerRiggs]

Nice work, but a few comments.

[RogerRiggs]

This construct in which the supplied lambda fills in the serialClass is pretty obscure.
Perhaps the variable name can be "serialClass" to match the only non-default method in ObjectInputFilter would give a better hint.

[AlekseiEfimov]

Thanks - serialClass name reads better.

[RogerRiggs]

LGTM

[jaikiran]

I think the serialClass param should be renamed to factoryClass or something like that, since I think the serialClass reference comes from serialization/deserialization usage.

[AlekseiEfimov]

The name comes from ObjectInputFilter.FilterInfo - it's been renamed from factoryClassto make it clear that the supplied lambda fills-in the non-default ObjectInputFilter.FilterInfo.serialClass() method.

[jaikiran]

Thank you for that clarification, Aleksei. This sounds fine to me then.

[jaikiran]

Hello Aleksei, as far as I can see the jdk.serialFilter allows for additional details like limits (example: maxdepth=value). Should we note here that this JNDI specific property will ignore those configurations?

[RogerRiggs]

Yes, worth noting, but I would say they are "unused", not ignored.

[jaikiran]

Should this instead say:

The default pattern value allows any object factory class belonging to the com.sun.jndi.ldap and its sub-packages of the java.naming module to be specified by the reference instance...?

[AlekseiEfimov]

I would prefer to keep a filter default value explanation sentences simpler since exact default values are listed just one line after.

[jaikiran]

What you have here is OK with me then.

[jaikiran]

Perhaps remove the synchronized from this method and the getter, now that the synchronization has moved to the NamingManagerHelper class?

[AlekseiEfimov]

Agreed - I think it is safe to remove synchronized. I doubt that there is a code that relies on synchronized (javax.naming.spi.NamingManager.class) to prevent other code setting the factory builder (also it can be set only once), therefore it should be ok to remove synchronized.

[dfuch]

It appears that for those protocols for which there is no specific filter, a factory class will be accepted only if the global filter returns ALLOWED - which contradicts what is written here (where it says that the class is allowed if it's not REJECTED). Is this something that has changed with this fix - or was the documentation wrong before?

[AlekseiEfimov]

Very good catch Daniel! It is with this fix and I believe the code needs to be change to match what is written for the global filter here:
What we've had before in checkInput:

    private static boolean checkInput(FactoryInfo factoryInfo) {
        Status result = GLOBAL.checkInput(factoryInfo);
        return result != Status.REJECTED;

What we have now:

        if (filter == GLOBAL_FILTER) {
            return globalResult == Status.ALLOWED;
        }

I think it needs to be changed to (to match the description for global filter):

        if (filter == GLOBAL_FILTER) {
            return globalResult != Status.REJECTED;
        }

[RogerRiggs]

In the general composition of filters, it is preferable that UNDECIDED is treated as REJECTED.
That keeps unintentional holes in a filter from being permissive.

[AlekseiEfimov]

In the general composition of filters, it is preferable that UNDECIDED is treated as REJECTED.
That keeps unintentional holes in a filter from being permissive.

That is a good point Roger. The "java.security" file was updated (4449dda) to match the ObjectFactoriesFilter implementation, ie the global filter treats UNDECIDED as REJECTED. Also, the CSR has been updated to highlight that.

[jaikiran]

The latest state of this PR in 4449dda looks good to me. Thank you Aleksei.

[openjdk]

@AlekseiEfimov This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation

Reviewed-by: dfuchs, rriggs, jpai

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[AlekseiEfimov]

/integrate

[openjdk]

Going to push as commit d37ce4c.
Since your change was applied there have been 2 commits pushed to the master branch:

• 21aeb9e: 8295429: Update harfbuzz md file
• 1d883c5: 8295417: Pass $AR to binutils cross-build

Your commit was automatically rebased without conflicts.

[openjdk]

@AlekseiEfimov Pushed as commit d37ce4c.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.