Merge pull request #4301 from darranl/WFCORE-5087

[WFCORE-5087] Add support for the -secmgr command line argument,

bootable-jar/boot/src/main/java/org/wildfly/core/jar/boot/BootablePolicy.java

@@ -0,0 +1,84 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2014 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * This is a direct copy of org.jboss.modules.ModulesPolicy from jboss-modules as the bootstrap of
+ * bootable jar is very similar to a jboss-modules bootstrap.
+ */
+
+package org.wildfly.core.jar.boot;
+
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+import java.security.ProtectionDomain;
+import java.security.Provider;
+
+final class BootablePolicy extends Policy {
+
+    private static final AllPermission ALL_PERMISSION = new AllPermission();
+
+    static final Permissions DEFAULT_PERMISSION_COLLECTION = getAllPermission();
+
+    private static final CodeSource ourCodeSource = BootablePolicy.class.getProtectionDomain().getCodeSource();
+
+    private final Policy policy;
+
+    private static Permissions getAllPermission() {
+        final Permissions permissions = new Permissions();
+        permissions.add(ALL_PERMISSION);
+        return permissions;
+    }
+
+    BootablePolicy(final Policy policy) {
+        this.policy = policy;
+    }
+
+    public Provider getProvider() {
+        return policy.getProvider();
+    }
+
+    public String getType() {
+        return policy.getType();
+    }
+
+    public Parameters getParameters() {
+        return policy.getParameters();
+    }
+
+    public PermissionCollection getPermissions(final CodeSource codesource) {
+        return codesource != null && codesource.equals(ourCodeSource) ? getAllPermission() : policy.getPermissions(codesource);
+    }
+
+    public PermissionCollection getPermissions(final ProtectionDomain domain) {
+        final CodeSource codeSource = domain.getCodeSource();
+        return codeSource != null && codeSource.equals(ourCodeSource) ? getAllPermission() : policy.getPermissions(domain);
+    }
+
+    public boolean implies(final ProtectionDomain domain, final Permission permission) {
+        final CodeSource codeSource = domain.getCodeSource();
+        return codeSource != null && codeSource.equals(ourCodeSource) || policy.implies(domain, permission);
+    }
+
+    public void refresh() {
+        policy.refresh();
+    }
+}

bootable-jar/boot/src/main/java/org/wildfly/core/jar/boot/Main.java

@@ -23,7 +23,9 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
+import java.security.Policy;
 import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
 import java.util.zip.ZipEntry;
@@ -52,6 +54,7 @@ public final class Main {
     private static final String BOOTABLE_JAR_RUN_METHOD = "run";
 
     private static final String INSTALL_DIR = "--install-dir";
+    private static final String SECMGR = "-secmgr";
 
     private static final String WILDFLY_RESOURCE = "/wildfly.zip";
 
@@ -61,14 +64,22 @@ public static void main(String[] args) throws Exception {
 
         List<String> filteredArgs = new ArrayList<>();
         Path installDir = null;
+        boolean securityManager = false;
         for (String arg : args) {
             if (arg.startsWith(INSTALL_DIR)) {
                 installDir = Paths.get(getValue(arg));
+            } else if (SECMGR.equals(arg)) {
+                securityManager = true;
             } else {
                 filteredArgs.add(arg);
             }
         }
 
+        final SecurityManager existingSecMgr = System.getSecurityManager();
+        if (existingSecMgr != null) {
+            throw new Exception("An existing security manager was detected.  You must use the -secmgr switch to start with a security manager.");
+        }
+
         installDir = installDir == null ? Files.createTempDirectory(WILDFLY_BOOTABLE_TMP_DIR_PREFIX) : installDir;
         long t = System.currentTimeMillis();
         try (InputStream wf = Main.class.getResourceAsStream(WILDFLY_RESOURCE)) {
@@ -84,7 +95,7 @@ public static void main(String[] args) throws Exception {
             extension.boot(filteredArgs, installDir);
         }
 
-        runBootableJar(installDir, filteredArgs, System.currentTimeMillis() - t);
+        runBootableJar(installDir, filteredArgs, System.currentTimeMillis() - t, securityManager);
     }
 
     private static String getValue(String arg) {
@@ -95,7 +106,7 @@ private static String getValue(String arg) {
         return arg.substring(sep + 1);
     }
 
-    private static void runBootableJar(Path jbossHome, List<String> arguments, Long unzipTime) throws Exception {
+    private static void runBootableJar(Path jbossHome, List<String> arguments, Long unzipTime, boolean securityManager) throws Exception {
         final String modulePath = jbossHome.resolve(JBOSS_MODULES_DIR_NAME).toAbsolutePath().toString();
         ModuleLoader moduleLoader = setupModuleLoader(modulePath);
         final Module bootableJarModule;
@@ -118,6 +129,20 @@ private static void runBootableJar(Path jbossHome, List<String> arguments, Long
         } catch (final NoSuchMethodException nsme) {
             throw new Exception(nsme);
         }
+
+        // Wait until the last moment and install the SecurityManager.
+        if (securityManager) {
+            final BootablePolicy policy = new BootablePolicy(Policy.getPolicy());
+            Policy.setPolicy(policy);
+
+            final Iterator<SecurityManager> iterator = bootableJarModule.loadService(SecurityManager.class).iterator();
+            if (iterator.hasNext()) {
+                System.setSecurityManager(iterator.next());
+            } else {
+                throw new IllegalStateException("No SecurityManager found to install.");
+            }
+        }
+
         runMethod.invoke(null, jbossHome, arguments, moduleLoader, moduleCL, unzipTime);
     }
 

bootable-jar/runtime/src/main/java/org/wildfly/core/jar/runtime/CmdUsage.java

@@ -50,6 +50,9 @@ public static void init() {
         addArguments(CommandLineConstants.PROPERTIES + "=<url>");
         instructions.add(BootableJarLogger.ROOT_LOGGER.argProperties());
 
+        addArguments(CommandLineConstants.SECMGR);
+        instructions.add(BootableJarLogger.ROOT_LOGGER.argSecurityManager());
+
         addArguments(CommandLineConstants.SECURITY_PROP + "<name>[=<value>]");
         instructions.add(BootableJarLogger.ROOT_LOGGER.argSecurityProperty());
 

bootable-jar/runtime/src/main/java/org/wildfly/core/jar/runtime/_private/BootableJarLogger.java

@@ -133,6 +133,9 @@ public interface BootableJarLogger extends BasicLogger {
     @Message(id = Message.NONE, value = "Print version and exit")
     String argVersion();
 
+    @Message(id = Message.NONE, value = "Activate the SecurityManager")
+    String argSecurityManager();
+
     @Message(id = Message.NONE, value = "Set a security property")
     String argSecurityProperty();
 

core-feature-pack/common/src/main/resources/modules/system/layers/base/org/wildfly/bootable-jar/main/module.xml

@@ -47,6 +47,7 @@
         <module name="org.jboss.threads"/>
         <module name="org.jboss.dmr"/>
         <module name="org.jboss.as.process-controller"/>
+        <module name="org.wildfly.security.elytron-private" services="import"/>
     </dependencies>
 
 </module>