001    /* MBeanPermission.java -- Permissions controlling server access.
002       Copyright (C) 2006 Free Software Foundation, Inc.
003    
004    This file is part of GNU Classpath.
005    
006    GNU Classpath is free software; you can redistribute it and/or modify
007    it under the terms of the GNU General Public License as published by
008    the Free Software Foundation; either version 2, or (at your option)
009    any later version.
010    
011    GNU Classpath is distributed in the hope that it will be useful, but
012    WITHOUT ANY WARRANTY; without even the implied warranty of
013    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
014    General Public License for more details.
015    
016    You should have received a copy of the GNU General Public License
017    along with GNU Classpath; see the file COPYING.  If not, write to the
018    Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
019    02110-1301 USA.
020    
021    Linking this library statically or dynamically with other modules is
022    making a combined work based on this library.  Thus, the terms and
023    conditions of the GNU General Public License cover the whole
024    combination.
025    
026    As a special exception, the copyright holders of this library give you
027    permission to link this library with independent modules to produce an
028    executable, regardless of the license terms of these independent
029    modules, and to copy and distribute the resulting executable under
030    terms of your choice, provided that you also meet, for each linked
031    independent module, the terms and conditions of the license of that
032    module.  An independent module is a module which is not derived from
033    or based on this library.  If you modify this library, you may extend
034    this exception to your version of the library, but you are not
035    obligated to do so.  If you do not wish to do so, delete this
036    exception statement from your version. */
037    
038    package javax.management;
039    
040    import gnu.java.lang.CPStringBuilder;
041    
042    import java.security.Permission;
043    
044    import java.io.IOException;
045    import java.io.ObjectInputStream;
046    
047    import java.util.HashSet;
048    import java.util.Iterator;
049    import java.util.Set;
050    import java.util.TreeSet;
051    
052    /**
053     * <p>
054     * Represents the permissions required to perform
055     * operations using the {@link MBeanServer}.  As with
056     * all {@link java.security.Permission} objects, an
057     * instance of this class either represents a permission
058     * already held or one that is required to access a
059     * particular service.  In the case of {@link MBeanPermission}s,
060     * implication checks are made using an instance of this class
061     * when a user requests an operation from the server, and a
062     * {@link SecurityManager} is in place.
063     * </p>
064     * <p>
065     * An {@link MBeanPermission} consists of four elements,
066     * which all have to match for the permission to be implied.
067     * These are as follows:
068     * </p>
069     * <ol>
070     * <li><strong>The action</strong>.  For a required permission,
071     * this is a single value.  For a permission held by the user,
072     * this is a list of comma-separated actions (with spaces allowed),
073     * or <code>*</code> (representing all actions).  {@link #getActions()}
074     * returns this value.</li>
075     * <li><strong>The class name</strong>.  For a required permission,
076     * this is the class name of the bean being accessed, if any.  If
077     * a bean isn't involved in this action, the value is <code>null</code>.
078     * For a permission held by the user, it has one of three values:
079     * <ol>
080     * <li>The empty string, implying any class.</li>
081     * <li><code>*</code>, also implying any class.</li>
082     * <li>A class name pattern, which may specify a single class
083     * (e.g. <code>java.lang.Object</code>) or a series of classes
084     * using the wildcard character <code>*</code> (e.g.
085     * <code>javax.swing.*</code>.)</li>
086     * </ol></li>
087     * <li><strong>The member</strong>.  For a required permission,
088     * this is the member of the bean being accessed (an attribute
089     * or operation), if any.  If a member of the bean isn't involved
090     * in this action, the value is <code>null</code>.
091     * For a permission held by the user, it has one of three values:
092     * <ol>
093     * <li>The empty string, implying any member.</li>
094     * <li><code>*</code>, also implying any member.</li>
095     * <li>The name of a member.</li>
096     * </ol></li>
097     * <li>The object name</strong>.  For a required permission,
098     * this is the {@link ObjectName} of the bean being accessed, if
099     * any.  If a bean isn't involved in this action, the value is
100     * <code>null</code>.  The name may not be a pattern.
101     * For a permission held by the user, it may be the empty
102     * string (allowing everything) or an {@link ObjectName}
103     * pattern.
104     * </li></ol>
105     * {@link #getName()} returns the latter three of these as a
106     * single string:
107     * </p>
108     * <p><code>className#member[objectName]</code></p>
109     * <p>
110     * where <code>""</code> is disallowed, as, although any of
111     * the elements may be omitted, not all of them should be
112     * left out simultaneously.  <code>"-"</code> is used to
113     * represent <code>null</code>.  When this occurs in a
114     * required permission, anything may match it.  When this
115     * forms part of a permission held by the user, it only
116     * matches another <code>null</code> value. 
117     * </p>
118     * <p>The list of valid actions is as follows:</p>
119     * <ul>
120     * <li>addNotificationListener</li>
121     * <li>getAttribute</li>
122     * <li>getClassLoader</li>
123     * <li>getClassLoaderFor</li>
124     * <li>getClassLoaderRepository</li>
125     * <li>getDomains</li>
126     * <li>getMBeanInfo</li>
127     * <li>getObjectInstance</li>
128     * <li>instantiate</li>
129     * <li>invoke</li>
130     * <li>isInstanceOf</li>
131     * <li>queryMBeans</li>
132     * <li>queryNames</li>
133     * <li>registerMBean</li>
134     * <li>removeNotificationListener</li>
135     * <li>setAttribute</li>
136     * <li>unregisterMBean</li>
137     * </ul>
138     *
139     * @author Andrew John Hughes (gnu_andrew@member.fsf.org)
140     * @since 1.5
141     */
142    public class MBeanPermission
143      extends Permission
144    {
145    
146      /**
147       * Compatible with JDK 1.5
148       */
149      private static final long serialVersionUID = -2416928705275160661L;
150    
151      /**
152       * The list of actions associated with this permission.
153       */
154      private String actions;
155      
156      /**
157       * The list of actions as an ordered set.
158       */
159      private transient Set<String> actionSet;
160    
161      /**
162       * The set of valid actions.
163       */
164      private static final Set<String> validSet;
165    
166      /**
167       * Initialise the set of valid actions.
168       */
169      static 
170      {
171        validSet = new HashSet<String>();
172        validSet.add("addNotificationListener");
173        validSet.add("getAttribute");
174        validSet.add("getClassLoader");
175        validSet.add("getClassLoaderFor");
176        validSet.add("getClassLoaderRepository");
177        validSet.add("getDomains");
178        validSet.add("getMBeanInfo");
179        validSet.add("getObjectInstance");
180        validSet.add("instantiate");
181        validSet.add("invoke");
182        validSet.add("isInstanceOf");
183        validSet.add("queryMBeans");
184        validSet.add("queryNames");
185        validSet.add("registerMBean");
186        validSet.add("removeNotificationListener");
187        validSet.add("setAttribute");
188        validSet.add("unregisterMBean");
189      }
190    
191      /**
192       * Constructs a new {@link MBeanPermission} with the specified name
193       * and actions.  The name is of the form <code>className#member[objectName]</code>,
194       * where each element is optional, but a completely empty or <code>null</code>
195       * name is disallowed.  Actions are specified as a comma-separated list
196       * and may also not be empty or <code>null</code>.
197       *
198       * @param name the name of the permission.
199       * @param actions the actions associated with this permission.
200       * @throws IllegalArgumentException if the name or actions are invalid.
201       */
202      public MBeanPermission(String name, String actions)
203      {
204        super(name);
205        if (name == null || name.length() == 0)
206          throw new IllegalArgumentException("The supplied name was null or empty.");
207        if (actions == null || actions.length() == 0)
208          throw new IllegalArgumentException("The supplied action list was null or empty.");
209        this.actions = actions;
210        updateActionSet();
211      }
212    
213      /**
214       * Constructs a new {@link MBeanPermission} with the specified class name,
215       * member, object name and actions.  The name of the permission is created
216       * using the form <code>className#member[objectName]</code>,
217       * where each element is optional, but an empty or <code>null</code>
218       * name is disallowed.  Actions are specified as a comma-separated list
219       * and may also not be empty or <code>null</code>.
220       *
221       * @param className the name of the class to which this permission applies,
222       *                  or either <code>null</code> or <code>"-"</code> for a
223       *                  value which may be implied by any class name, but not
224       *                  imply any class name itself.
225       * @param member the member of the class to which this permission applies,
226       *               or either <code>null</code> or <code>"-"</code> for a
227       *               value which may be implied by any member, but not
228       *               imply any member itself.
229       * @param name the {@link ObjectName} to which this permission applies,
230       *                  or <code>null</code> for a value which may be implied by
231       *                  any object name, but not imply any object name itself.
232       * @param actions the actions associated with this permission.
233       */
234      public MBeanPermission(String className, String member,
235                             ObjectName name, String actions)
236      {
237        this((className == null ? "-" : className) + "#" 
238             + (member == null ? "-" : member) + "[" 
239             + (name == null ? "-" : name.toString()) + "]", actions);
240      }
241    
242      /**
243       * Returns true if the given object is also an {@link MBeanPermission}
244       * with the same name and actions.
245       *
246       * @param obj the object to test.
247       * @return true if the object is an {@link MBeanPermission} with
248       *         the same name and actions.
249       */
250      public boolean equals(Object obj)
251      {
252        if (obj instanceof MBeanPermission)
253          {
254            MBeanPermission p = (MBeanPermission) obj;
255            return (p.getName().equals(getName()) &&
256                    p.getActions().equals(actions));
257          }
258        return false;
259      }
260    
261      /**
262       * Returns the list of actions in alphabetical order.
263       *
264       * @return the list of actions.
265       */
266      public String getActions()
267      {
268        Iterator<String> it = actionSet.iterator();
269        CPStringBuilder builder = new CPStringBuilder();
270        while (it.hasNext())
271          {
272            builder.append(it.next());
273            if (it.hasNext())
274              builder.append(",");
275          }
276        return builder.toString();
277      }
278    
279      /**
280       * Returns the hashcode of the permission as the sum
281       * of the hashcodes of the name and actions.
282       *
283       * @return the hashcode of the permission.
284       */
285      public int hashCode()
286      {
287        return getName().hashCode() + actions.hashCode();
288      }
289    
290      /**
291       * <p>
292       * Returns true if this permission implies the supplied permission.
293       * This happens if the following holds:
294       * </p>
295       * <ul>
296       * <li>The supplied permission is an {@link MBeanPermission}</li>
297       * <li>The supplied permission has either a <code>null</code> classname
298       * or its classname matches the classname of this permission.  A
299       * classname of <code>"*"</code> for this permission always matches
300       * the classname of the supplied permission.  Generally, <code>'*'</code>
301       * acts as a wildcard, so <code>".*"</code> matches <code>'.'</code>
302       * followed by anything.</li>
303       * <li>The supplied permission has either a <code>null</code> member
304       * or its member matches the member of this permission.  A member of
305       * <code>"*"</code> for this permission always matches the member
306       * of the supplied permission.</li>
307       * <li>The supplied permission has either a <code>null</code> object name
308       * or its object name matches the object name of this permission.  If the
309       * object name of this permission is a pattern, {@link ObjectName#apply(ObjectName)}
310       * may be used as well.</li>
311       * <li>The supplied permission's actions are a subset of the actions
312       * of this permission.  If the <code>queryMBeans</code> action is presented,
313       * the <code>queryNames</code> action is implied.</li>
314       * </ul>
315       * 
316       * @param p the permission to check that this permission implies.
317       * @return true if this permission implies <code>p</code>.
318       */
319      public boolean implies(Permission p)
320      {
321        if (p instanceof MBeanPermission)
322          {
323            MBeanPermission mp = (MBeanPermission) p;
324            NameHolder pName = new NameHolder(mp.getName());
325            NameHolder name = new NameHolder(getName());
326            if (!(name.equals(pName)))
327              return false;
328            for (String nextAction : mp.actionSet)
329              {
330                boolean found = actions.contains(nextAction);
331                if (!found)
332                  if (nextAction.equals("queryNames"))
333                    found = actions.contains("queryMBeans");
334                if (!found)
335                  return false;
336              }
337            return true;
338          }
339        return false;
340      }
341    
342      /**
343       * Small helper class to handle deconstruction of the name.
344       *
345       * @author Andrew John Hughes (gnu_andrew@member.fsf.org)
346       */
347      private class NameHolder
348      {
349    
350        /**
351         * The class name.
352         */
353        private String className;
354    
355        /**
356         * The member.
357         */
358        private String member;
359    
360        /**
361         * The object name.
362         */
363        private ObjectName objectName;
364    
365        /**
366         * Constructs a broken-down name from a given name.
367         *
368         * @param name the name to break down.
369         */
370        public NameHolder(String name)
371        {
372          String objectName = null;
373          int memberIndex = name.indexOf("#");
374          int onIndex = name.indexOf("[");
375          if (onIndex == -1)
376            {
377              if (memberIndex == -1)
378                className = name;
379              else
380                {
381                  className = name.substring(0, memberIndex);
382                  member = name.substring(memberIndex + 1);
383                }
384            }
385          else
386            {
387              if (memberIndex == -1)
388                {
389                  className = name.substring(0, onIndex);
390                  objectName = name.substring(onIndex + 1,
391                                              name.length() - 1);
392                }
393              else
394                {
395                  className = name.substring(0, memberIndex);
396                  member = name.substring(memberIndex + 1, onIndex);
397                  objectName = name.substring(onIndex + 1,
398                                              name.length() - 1);
399                }
400            }      
401          if (className.equals("-"))
402            className = null;
403          if (member.equals("-"))
404            member = null;
405          if (objectName == null || objectName.equals("-"))
406            this.objectName = null;
407          else
408            try
409              {
410                this.objectName = new ObjectName(objectName);
411              }
412            catch (MalformedObjectNameException e)
413              {
414                throw (Error) 
415                  (new InternalError("Invalid object name.").initCause(e));
416              }
417        }
418    
419        /**
420         * <p>
421         * Returns true if the supplied object is also a
422         * {@link NameHolder} and the following holds:
423         * </p>
424         * <ul>
425         * <li>The supplied classname is <code>null</code> or the two match.  A
426         * classname of <code>"*"</code> for this holder always matches
427         * the classname of the supplied holder.  Generally, <code>'*'</code>
428         * acts as a wildcard, so <code>".*"</code> matches <code>'.'</code>
429         * followed by anything.</li>
430         * <li>The supplied name holder has either a <code>null</code> member
431         * or its member matches the member of this name holder.  A member of
432         * <code>"*"</code> for this name holder always matches the member
433         * of the supplied name holder.</li>
434         * <li>The supplied name holder has either a <code>null</code> object name
435         * or its object name matches the object name of this name holder.  If the
436         * object name of this name holder is a pattern,
437         * {@link ObjectName#apply(ObjectName)} may be used as well.</li>
438         * </ul>
439         * 
440         * @param obj the object to compare with this.
441         * @return true if the above holds.
442         */
443        public boolean equals(Object obj)
444        {
445          if (obj instanceof NameHolder)
446            {
447              NameHolder nh = (NameHolder) obj;
448              boolean cn = false;
449              String ocn = nh.getClassName();
450              if (ocn == null || className.equals("*"))
451                cn = true;
452              else
453                {
454                  int wcIndex = className.indexOf("*");
455                  if (wcIndex != -1)
456                    cn = ocn.startsWith(className.substring(0, wcIndex));
457                  else
458                    cn = ocn.equals(className);
459                }
460              boolean m = false;
461              String om = nh.getMember();
462              if (om == null || member.equals("*")) 
463                m = true;
464              else
465                m = om.equals(member);
466              boolean on = false;
467              ObjectName oon = nh.getObjectName();
468              if (oon == null)
469                on = true;
470              else if (objectName.isPattern())
471                on = objectName.apply(oon);
472              else
473                on = oon.equals(objectName);
474              return (cn && m && on);    
475            }
476          return false;
477        }
478        
479        /**
480         * Returns the class name.
481         */
482        public String getClassName()
483        {
484          return className;
485        }
486    
487        /**
488         * Returns the member.
489         */
490        public String getMember()
491        {
492          return member;
493        }
494    
495        /**
496         * Returns the object name.
497         */
498        public ObjectName getObjectName()
499        {
500          return objectName;
501        }
502      }
503    
504      /**
505       * Updates the action set from the current value of
506       * the actions string.
507       */
508      private void updateActionSet()
509      {
510        String[] actionsArray = actions.split(",");
511        actionSet = new TreeSet<String>();
512        for (int a = 0; a < actionsArray.length; ++a)
513          actionSet.add(actionsArray[a].trim());
514      }
515    
516      /**
517       * Reads the object from a stream and ensures the incoming
518       * data is valid.
519       *
520       * @param in the input stream.
521       * @throws IOException if an I/O error occurs.
522       * @throws ClassNotFoundException if a class used by the object
523       *                                can not be found.
524       */
525      private void readObject(ObjectInputStream in)
526        throws IOException, ClassNotFoundException
527      {
528        in.defaultReadObject();
529        updateActionSet();
530        checkActions();
531      }
532    
533      /**
534       * Checks that the actions used in this permission
535       * are from the valid set.
536       *
537       * @throws IllegalArgumentException if the name or actions are invalid.
538       */
539      private void checkActions()
540      {
541        for (String action : actionSet)
542          {
543            if (!(validSet.contains(action)))
544              throw new IllegalArgumentException("Invalid action " 
545                                                 + action + " found.");
546          }
547      }
548    
549    }
550