[WFLY-4882] Validate subsystem and deployment permissions against the…

… maximum-set.
wildfly · Jan 27, 2016 · bd6ede5 · bd6ede5
1 parent 4ca733c
commit bd6ede5
Show file tree

Hide file tree

Showing 4 changed files with 136 additions and 18 deletions.
diff --git a/...ger/src/main/java/org/wildfly/extension/security/manager/SecurityManagerSubsystemAdd.java b/...ger/src/main/java/org/wildfly/extension/security/manager/SecurityManagerSubsystemAdd.java
@@ -32,6 +32,7 @@
 import static org.wildfly.extension.security.manager.Constants.PERMISSION_NAME;
 
 import java.security.AllPermission;
+import java.security.Permission;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -48,10 +49,13 @@
 import org.jboss.modules.Module;
 import org.jboss.modules.ModuleIdentifier;
 import org.jboss.modules.ModuleLoadException;
+import org.jboss.modules.security.FactoryPermissionCollection;
 import org.jboss.modules.security.ImmediatePermissionFactory;
 import org.jboss.modules.security.LoadedPermissionFactory;
 import org.jboss.modules.security.PermissionFactory;
-import org.wildfly.extension.security.manager.deployment.PermissionsParseProcessor;
+import org.wildfly.extension.security.manager.deployment.PermissionsParserProcessor;
+import org.wildfly.extension.security.manager.deployment.PermissionsValidationProcessor;
+import org.wildfly.extension.security.manager.logging.SecurityManagerLogger;
 import org.wildfly.security.manager.WildFlySecurityManager;
 
 /**
@@ -112,13 +116,27 @@ protected void launchServices(final OperationContext context, final ModelNode no
             maximumSet.add(new ImmediatePermissionFactory(new AllPermission()));
         }
 
-        // TODO validate the permission sets: the minimum-set must be implied by the maximum-set.
+        // validate the configured permissions - the mininum set must be implid by the maximum set.
+        final FactoryPermissionCollection maxPermissionCollection = new FactoryPermissionCollection(maximumSet.toArray(new PermissionFactory[maximumSet.size()]));
+        final StringBuilder failedPermissions = new StringBuilder();
+        for (PermissionFactory factory : minimumSet) {
+            Permission permission = factory.construct();
+            if (!maxPermissionCollection.implies(permission)) {
+                failedPermissions.append("\n\t\t" + permission);
+            }
+        }
+        if (failedPermissions.length() > 0) {
+            throw SecurityManagerLogger.ROOT_LOGGER.invalidSubsystemConfiguration(failedPermissions);
+        }
+
 
-        // install the DUP responsible for parsing security permissions found in META-INF/permissions.xml.
+        // install the DUPs responsible for parsing and validating security permissions found in META-INF/permissions.xml.
         context.addStep(new AbstractDeploymentChainStep() {
             protected void execute(DeploymentProcessorTarget processorTarget) {
                  processorTarget.addDeploymentProcessor(Constants.SUBSYSTEM_NAME, Phase.PARSE, Phase.PARSE_PERMISSIONS,
-                         new PermissionsParseProcessor(minimumSet, maximumSet));
+                         new PermissionsParserProcessor(minimumSet));
+                 processorTarget.addDeploymentProcessor(Constants.SUBSYSTEM_NAME, Phase.POST_MODULE, Phase.POST_MODULE_PERMISSIONS_VALIDATION,
+                         new PermissionsValidationProcessor(maximumSet));
             }
         }, OperationContext.Stage.RUNTIME);
     }

diff --git a/...deployment/PermissionsParseProcessor.java → ...eployment/PermissionsParserProcessor.java b/...deployment/PermissionsParseProcessor.java → ...eployment/PermissionsParserProcessor.java
@@ -43,7 +43,7 @@
 import org.jboss.vfs.VirtualFile;
 
 /**
- * This class implements a {@code DeploymentUnitProcessor} that parses security permission files that might be
+ * This class implements a {@link DeploymentUnitProcessor} that parses security permission files that might be
  * included in application components.
  * <p/>
  * The EE7 specification (section EE6.2.2.6) allows application components to specify required security permissions:
@@ -67,7 +67,7 @@
  *
  * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
  */
-public class PermissionsParseProcessor implements DeploymentUnitProcessor {
+public class PermissionsParserProcessor implements DeploymentUnitProcessor {
 
     private static final String PERMISSIONS_XML = "META-INF/permissions.xml";
 
@@ -76,20 +76,13 @@ public class PermissionsParseProcessor implements DeploymentUnitProcessor {
     // minimum set of permissions that are to be granted to all deployments.
     private final List<PermissionFactory> minPermissions;
 
-    // maximum set of permissions deployments should have.
-    private final List<PermissionFactory> maxPermissions;
-
     /**
-     * Creates an instance of {@link PermissionsParseProcessor} with the specified minimum and maximum set of permissions.
+     * Creates an instance of {@link PermissionsParserProcessor} with the specified minimum and maximum set of permissions.
      *
      * @param minPermissions a {@link List} containing the permissions that are to be granted to all deployments.
-     * @param maxPermissions a {@link List} containing the maximum set of permissions a deployment can have. In other words,
-     *                       all permissions in the minimum set plus the permissions parsed in META-INF/permissions.xml
-     *                       must be implied by the maximum set.
      */
-    public PermissionsParseProcessor(List<PermissionFactory> minPermissions, List<PermissionFactory> maxPermissions) {
+    public PermissionsParserProcessor(List<PermissionFactory> minPermissions) {
         this.minPermissions = minPermissions;
-        this.maxPermissions = maxPermissions;
     }
 
     @Override
@@ -140,9 +133,6 @@ public void deploy(final DeploymentPhaseContext phaseContext) throws DeploymentU
                 }
             }
         }
-
-
-        // TODO validate the resulting set of permissions against the maximum set
     }
 
     @Override

diff --git a/...ava/org/wildfly/extension/security/manager/deployment/PermissionsValidationProcessor.java b/...ava/org/wildfly/extension/security/manager/deployment/PermissionsValidationProcessor.java
@@ -0,0 +1,88 @@
+/*
+* Copyright 2015 Red Hat, Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*   http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.wildfly.extension.security.manager.deployment;
+
+import java.security.Permission;
+import java.util.List;
+
+import org.jboss.as.server.deployment.Attachments;
+import org.jboss.as.server.deployment.DeploymentPhaseContext;
+import org.jboss.as.server.deployment.DeploymentUnit;
+import org.jboss.as.server.deployment.DeploymentUnitProcessingException;
+import org.jboss.as.server.deployment.DeploymentUnitProcessor;
+import org.jboss.modules.security.FactoryPermissionCollection;
+import org.jboss.modules.security.ImmediatePermissionFactory;
+import org.jboss.modules.security.PermissionFactory;
+import org.wildfly.extension.security.manager.logging.SecurityManagerLogger;
+
+/**
+ * This class implements a {@link DeploymentUnitProcessor} that validates the security permissions that have been granted
+ * to the deployments. The permissions granted via subsystem ({@code minimum-set}) combined with those granted via deployment
+ * descriptors ({@code permissions.xml} and {@code jboss-permissions.xml}) must be implied by the {@code maximum-set}.
+ * <p/>
+ * Permissions that are internally granted by the container are ignored as those are always granted irrespective of the
+ * {@code maximum-set} configuration.
+ * <p/>
+ * This processor must be installed into {@link org.jboss.as.server.deployment.Phase#POST_MODULE} because it needs the
+ * deployment module's {@link ClassLoader} to load the permissions from the descriptors and that is only available after
+ * the module has been created.
+ *
+ * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
+ */
+public class PermissionsValidationProcessor implements DeploymentUnitProcessor {
+
+    // maximum set of permissions deployments should have.
+    private FactoryPermissionCollection maxPermissions;
+
+    /**
+     * Creates an instance of this {@link DeploymentUnitProcessor}.
+     *
+     * @param maxPermissions a {@link List} containing the maximum set of configurable permissions a deployment can have.
+     *                       In other words, all permissions in the minimum set plus the permissions parsed in
+     *                       META-INF/permissions.xml (or jboss-permissions.xml) must be implied by the maximum set.
+     */
+    public PermissionsValidationProcessor(final List<PermissionFactory> maxPermissions) {
+        this.maxPermissions = new FactoryPermissionCollection(maxPermissions.toArray(new PermissionFactory[maxPermissions.size()]));
+    }
+
+    @Override
+    public void deploy(final DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
+        final DeploymentUnit deploymentUnit = phaseContext.getDeploymentUnit();
+        final List<PermissionFactory> permissionFactories = deploymentUnit.getAttachment(Attachments.MODULE_SPECIFICATION).getPermissionFactories();
+        final StringBuilder failedPermissions = new StringBuilder();
+        for (PermissionFactory factory : permissionFactories) {
+            // all permissions granted internally by the container are of type ImmediatePermissionFactory - they should
+            // not be considered when validating the permissions granted to deployments via subsystem or deployment
+            // descriptors.
+            if (!(factory instanceof ImmediatePermissionFactory)) {
+                Permission permission = factory.construct();
+                boolean implied = this.maxPermissions.implies(permission);
+                if (!implied) {
+                    failedPermissions.append("\n\t\t" + permission);
+
+                }
+            }
+        }
+        if (failedPermissions.length() > 0) {
+            throw SecurityManagerLogger.ROOT_LOGGER.invalidDeploymentConfiguration(failedPermissions);
+        }
+    }
+
+    @Override
+    public void undeploy(final DeploymentUnit context) {
+    }
+}
+
diff --git a/...r/src/main/java/org/wildfly/extension/security/manager/logging/SecurityManagerLogger.java b/...r/src/main/java/org/wildfly/extension/security/manager/logging/SecurityManagerLogger.java
@@ -26,6 +26,8 @@
 
 import javax.xml.stream.XMLStreamException;
 
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.as.server.deployment.DeploymentUnitProcessingException;
 import org.jboss.logging.BasicLogger;
 import org.jboss.logging.Logger;
 import org.jboss.logging.annotations.LogMessage;
@@ -55,4 +57,24 @@ public interface SecurityManagerLogger extends BasicLogger {
     @Message(id = 2, value = "Invalid version found in the permissions element. Found %s, expected %s")
     XMLStreamException invalidPermissionsXMLVersion(String found, String expected);
 
+    /**
+     * Creates a {@link org.jboss.as.controller.OperationFailedException} to indicate that the security manager subsystem
+     * was incorrectly configured. As a rule the minimum-set permissions must be implied by the maximum-set permissions.
+     *
+     * @param failedPermissions a list of the permissions in the minimum-set that are not implied by the maximum-set.
+     * @return the constructed {@link org.jboss.as.controller.OperationFailedException}
+     */
+    @Message(id = 3, value = "Subsystem configuration error: the following permissions are not implied by the maximum permissions set %s")
+    OperationFailedException invalidSubsystemConfiguration(StringBuilder failedPermissions);
+
+    /**
+     * Creates a {@link org.jboss.as.server.deployment.DeploymentUnitProcessingException} to indicate that the deployment
+     * was incorrectly configured. As a rule the permissions specified in the deployment descriptors (permissions.xml or
+     * jboss-permissions.xml) must be implied by the subsystem maximum-set.
+     *
+     * @param failedPermissions a list of the permissions in deployment descriptors that are not implied by the maximum-set.
+     * @return the constructed {@link org.jboss.as.server.deployment.DeploymentUnitProcessingException}
+     */
+    @Message(id = 4, value = "Deployment configuration error: the following permissions are not implied by the maximum permissions set %s")
+    DeploymentUnitProcessingException invalidDeploymentConfiguration(StringBuilder failedPermissions);
 }