This is an automated email from the ASF dual-hosted git repository.
rotty3000 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/aries-cdi.git
The following commit(s) were added to refs/heads/master by this push:
new 6a80ae5 ARIES-1910 Aries CDI does not properly handle security checks
6a80ae5 is described below
commit 6a80ae58b485f8c4b3a762219c37747740a40056
Author: Raymond Auge <[email protected]>
AuthorDate: Mon Apr 1 09:29:58 2019 -0400
ARIES-1910 Aries CDI does not properly handle security checks
Signed-off-by: Raymond Auge <[email protected]>
---
.../internal/container/ExtensionPhase.java | 5 ++
.../internal/container/LoggerExtension.java | 4 ++
.../internal/container/ReferenceSync.java | 5 ++
.../internal/container/RuntimeExtension.java | 50 +++++++++++------
.../aries/cdi/container/internal/util/Logs.java | 2 +-
.../aries/cdi/container/internal/util/Perms.java | 65 ++++++++++++++++++++++
6 files changed, 112 insertions(+), 19 deletions(-)
diff --git
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ExtensionPhase.java
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ExtensionPhase.java
index f59f467..401139b 100644
---
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ExtensionPhase.java
+++
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ExtensionPhase.java
@@ -28,6 +28,7 @@ import
org.apache.aries.cdi.container.internal.container.Op.Type;
import org.apache.aries.cdi.container.internal.model.ExtendedExtensionDTO;
import
org.apache.aries.cdi.container.internal.model.ExtendedExtensionTemplateDTO;
import org.apache.aries.cdi.container.internal.util.Conversions;
+import org.apache.aries.cdi.container.internal.util.Perms;
import org.apache.aries.cdi.container.internal.util.SRs;
import org.apache.aries.cdi.container.internal.util.Syncro;
import org.apache.aries.cdi.container.internal.util.Throw;
@@ -159,6 +160,10 @@ public class ExtensionPhase extends Phase {
@Override
public ExtendedExtensionDTO
addingService(ServiceReference<Extension> reference) {
+ if
(!Perms.hasExtensionServicePermission(containerState.bundleContext())) {
+ return null;
+ }
+
ExtendedExtensionTemplateDTO template =
extensionTemplates().stream().map(
t -> (ExtendedExtensionTemplateDTO)t
).filter(
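Review bot: The new guard at the top of `addingService` returns `null` without recording anything, so an Extension service that is dropped because the bundle lacks `ServicePermission` GET for `javax.enterprise.inject.spi.Extension` leaves no trace of why it was never tracked. The same silent `return null;` is added in `ReferenceSync.addingService` and in `RuntimeExtension.registerService`. Before each return I would log the denied permission and the affected bundle, and add a comment such as `// Bundle lacks ServicePermission GET for Extension; leave the service untracked`. The body of `addingService` continues past the end of this hunk, so what happens to a container that is still waiting on this extension is not visible here.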
diff --git
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/LoggerExtension.java
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/LoggerExtension.java
index d340d1f..5e6dab6 100644
---
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/LoggerExtension.java
+++
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/LoggerExtension.java
@@ -33,6 +33,10 @@ public class LoggerExtension implements Extension {
void afterBeanDiscovery(@Observes AfterBeanDiscovery abd) {
final LoggerFactory lf =
_containerState.containerLogs().getLoggerFactory();
+ if (lf == null) {
+ return;
+ }
+
BeanConfigurator<FormatterLogger> formatterLoggerBean =
abd.addBean();
formatterLoggerBean.addType(FormatterLogger.class);
formatterLoggerBean.produceWith(
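Review bot: The early `return` when `lf == null` in `afterBeanDiscovery` skips adding the logger beans altogether, and nothing on the new lines says that this is intended. With the change to `Logs` in this commit, a denied GET permission on `LoggerFactory` appears to be one way to reach this state, and beans that inject a logger would then presumably fail to resolve. A comment above the check would make the trade-off explicit, for example `// No LoggerFactory (service absent or GET permission denied): logger beans are not contributed`. The rest of the method is outside the hunk.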
diff --git
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ReferenceSync.java
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ReferenceSync.java
index ff8dd6c..a4ef0dc 100644
---
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ReferenceSync.java
+++
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/ReferenceSync.java
@@ -23,6 +23,7 @@ import
org.apache.aries.cdi.container.internal.model.ExtendedReferenceTemplateDT
import org.apache.aries.cdi.container.internal.model.InstanceActivator;
import org.apache.aries.cdi.container.internal.util.Conversions;
import org.apache.aries.cdi.container.internal.util.Maps;
+import org.apache.aries.cdi.container.internal.util.Perms;
import org.apache.aries.cdi.container.internal.util.SRs;
import org.apache.aries.cdi.container.internal.util.Syncro;
import org.osgi.framework.ServiceReference;
@@ -50,6 +51,10 @@ public class ReferenceSync implements
ServiceTrackerCustomizer<Object, Object> {
@Override
public Object addingService(final ServiceReference<Object> reference) {
+ if (!Perms.hasGetServicePermission(_templateDTO.serviceType,
_containerState.bundleContext())) {
+ return null;
+ }
+
boolean active = _componentInstanceDTO.active;
boolean resolved = (_referenceDTO.matches.size() >=
_templateDTO.minimumCardinality);
boolean dynamic = (_templateDTO.policy ==
ReferencePolicy.DYNAMIC);
diff --git
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/RuntimeExtension.java
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/RuntimeExtension.java
index 3e1cf40..51e795e 100644
---
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/RuntimeExtension.java
+++
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/container/RuntimeExtension.java
@@ -16,12 +16,14 @@ package org.apache.aries.cdi.container.internal.container;
import static javax.interceptor.Interceptor.Priority.PLATFORM_AFTER;
+import java.util.ArrayList;
import java.util.Dictionary;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.CopyOnWriteArrayList;
+import java.util.stream.Collectors;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
@@ -66,6 +68,7 @@ import org.apache.aries.cdi.container.internal.model.OSGiBean;
import org.apache.aries.cdi.container.internal.model.ReferenceModel;
import org.apache.aries.cdi.container.internal.model.SingleComponent;
import org.apache.aries.cdi.container.internal.util.Annotates;
+import org.apache.aries.cdi.container.internal.util.Perms;
import org.apache.aries.cdi.container.internal.util.SRs;
import org.osgi.framework.Bundle;
import org.osgi.framework.Constants;
@@ -227,18 +230,19 @@ public class RuntimeExtension implements Extension {
).then(
s -> initComponents()
).then(s -> {
- Dictionary<String, Object> properties = new
Hashtable<>();
- properties.put(CDIConstants.CDI_CONTAINER_ID,
_containerState.id());
- properties.put(Constants.SERVICE_DESCRIPTION,
"Aries CDI - BeanManager for " + _containerState.bundle());
- properties.put(Constants.SERVICE_VENDOR,
"Apache Software Foundation");
+ Dictionary<String, Object> properties = new
Hashtable<>();
+ properties.put(CDIConstants.CDI_CONTAINER_ID,
_containerState.id());
+ properties.put(Constants.SERVICE_DESCRIPTION, "Aries
CDI - BeanManager for " + _containerState.bundle());
+ properties.put(Constants.SERVICE_VENDOR, "Apache
Software Foundation");
- registerService(
- new String[]
{BeanManager.class.getName()}, bm,
- properties);
+ List<String> serviceTypes = new ArrayList<>();
- return s;
- }
- );
+ serviceTypes.add(BeanManager.class.getName());
+
+ registerService(serviceTypes, bm, properties);
+
+ return s;
+ });
}
void beforeShutdown(@Observes BeforeShutdown bs) {
@@ -522,19 +526,29 @@ public class RuntimeExtension implements Extension {
componentInstance.componentProperties(activationTemplate.properties));
ServiceRegistration<?> serviceRegistration = registerService(
- activationTemplate.serviceClasses.toArray(new
String[0]),
+ activationTemplate.serviceClasses,
serviceObject, properties);
- ExtendedActivationDTO activationDTO = new
ExtendedActivationDTO();
- activationDTO.errors = new CopyOnWriteArrayList<>();
- activationDTO.service =
SRs.from(serviceRegistration.getReference());
- activationDTO.template = activationTemplate;
- componentInstance.activations.add(activationDTO);
+ if (serviceRegistration != null) {
+ ExtendedActivationDTO activationDTO = new
ExtendedActivationDTO();
+ activationDTO.errors = new CopyOnWriteArrayList<>();
+ activationDTO.service =
SRs.from(serviceRegistration.getReference());
+ activationDTO.template = activationTemplate;
+ componentInstance.activations.add(activationDTO);
+ }
}
- private ServiceRegistration<?> registerService(String[] serviceTypes,
Object serviceObject, Dictionary<String, Object> properties) {
+ private ServiceRegistration<?> registerService(List<String>
serviceTypes, Object serviceObject, Dictionary<String, Object> properties) {
+ List<String> list = serviceTypes.stream().filter(serviceType ->
+ Perms.hasRegisterServicePermission(serviceType,
_containerState.bundleContext())
+ ).collect(Collectors.toList());
+
+ if (list.isEmpty()) {
+ return null;
+ }
+
ServiceRegistration<?> serviceRegistration =
_containerState.bundleContext().registerService(
- serviceTypes, serviceObject, properties);
+ serviceTypes.toArray(new String[0]), serviceObject,
properties);
_registrations.add(serviceRegistration);
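Review bot: In `registerService` the permission-filtered `list` is only used for the `isEmpty()` test, while the actual registration still passes `serviceTypes.toArray(new String[0])`. A bundle that holds REGISTER permission for some of the service types but not all of them therefore still asks the framework to register under the denied names, which would be expected to end in a `SecurityException` rather than in the partial registration the filter suggests. The call should use the filtered names, `list.toArray(new String[0]), serviceObject, properties);`. The method continues after this hunk, so whether later lines also read `serviceTypes` cannot be checked here.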
diff --git
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/util/Logs.java
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/util/Logs.java
index 09f06be..a12ce38 100644
---
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/util/Logs.java
+++
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/util/Logs.java
@@ -39,7 +39,7 @@ public class Logs {
private Logs(BundleContext bundleContext) {
LoggerFactory loggerFactory = null;
- if (bundleContext != null) {
+ if ((bundleContext != null) &&
Perms.hasLoggerFactoryServicePermission(bundleContext)) {
ServiceTracker<LoggerFactory, LoggerFactory> tracker =
new ServiceTracker<>(bundleContext, LoggerFactory.class, null);
tracker.open();
diff --git
a/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/util/Perms.java
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/util/Perms.java
new file mode 100644
index 0000000..4f8ceec
--- /dev/null
+++
b/cdi-extender/src/main/java/org/apache/aries/cdi/container/internal/util/Perms.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.aries.cdi.container.internal.util;
+
+import javax.enterprise.inject.spi.BeanManager;
+import javax.enterprise.inject.spi.Extension;
+
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServicePermission;
+import org.osgi.service.log.LoggerFactory;
+
+public class Perms {
+
+ private static final ServicePermission beanManagerPermission = new
ServicePermission(BeanManager.class.getName(), ServicePermission.REGISTER);
+ private static final ServicePermission extensionPermission = new
ServicePermission(Extension.class.getName(), ServicePermission.GET);
+ private static final ServicePermission loggerFactoryPermission = new
ServicePermission(LoggerFactory.class.getName(), ServicePermission.GET);
+
+ public static boolean hasBeanManagerServicePermission(BundleContext
bundleContext) {
+ if (System.getSecurityManager() == null) return true;
+
+ return bundleContext.getBundle().hasPermission(
+ beanManagerPermission);
+ }
+
+ public static boolean hasExtensionServicePermission(BundleContext
bundleContext) {
+ if (System.getSecurityManager() == null) return true;
+
+ return bundleContext.getBundle().hasPermission(
+ extensionPermission);
+ }
+
+ public static boolean hasGetServicePermission(String serviceType,
BundleContext bundleContext) {
+ if (System.getSecurityManager() == null) return true;
+
+ return bundleContext.getBundle().hasPermission(
+ new ServicePermission(serviceType,
ServicePermission.GET));
+ }
+
+ public static boolean hasLoggerFactoryServicePermission(BundleContext
bundleContext) {
+ if (System.getSecurityManager() == null) return true;
+
+ return bundleContext.getBundle().hasPermission(
+ loggerFactoryPermission);
+ }
+
+ public static boolean hasRegisterServicePermission(String serviceType,
BundleContext bundleContext) {
+ if (System.getSecurityManager() == null) return true;
+
+ return bundleContext.getBundle().hasPermission(
+ new ServicePermission(serviceType,
ServicePermission.REGISTER));
+ }
+
+}
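Review bot: All five `has*Permission` methods in the new `Perms` class repeat the same `System.getSecurityManager() == null` guard followed by `bundleContext.getBundle().hasPermission(...)`. The class also has no Javadoc stating that the check is made against the bundle owning the passed `BundleContext`, not against the calling code. A private helper would keep the guard in one place, and a private constructor would stop the static-only class from being instantiated. `hasBeanManagerServicePermission` has no caller in the hunks shown, so it is either dead code or the BeanManager registration was meant to use it. A class-level comment should also state that a `false` result makes callers skip the service quietly.
```java
public final class Perms {

	private Perms() {
		// static helpers only
	}

	// … unchanged: the three static ServicePermission constants …

	public static boolean hasExtensionServicePermission(BundleContext bundleContext) {
		return has(bundleContext, extensionPermission);
	}

	// … the other four has*Permission methods delegate to has(...) the same way …

	/** Tests the permission against the bundle that owns bundleContext. */
	private static boolean has(BundleContext bundleContext, ServicePermission permission) {
		// No SecurityManager installed: nothing to enforce.
		if (System.getSecurityManager() == null) return true;

		return bundleContext.getBundle().hasPermission(permission);
	}
```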