/*

 * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.provider;

import java.io.*;

import java.lang.reflect.*;

import java.net.MalformedURLException;

import java.net.URL;

import java.net.URI;

import java.nio.file.Path;

import java.util.*;

import java.security.*;

import java.security.cert.Certificate;

import java.security.cert.X509Certificate;

import javax.security.auth.Subject;

import javax.security.auth.x500.X500Principal;

import java.io.FilePermission;

import java.net.SocketPermission;

import java.net.NetPermission;

import java.util.concurrent.ConcurrentHashMap;

import jdk.internal.misc.JavaSecurityAccess;

import static jdk.internal.misc.JavaSecurityAccess.ProtectionDomainCache;

import jdk.internal.misc.SharedSecrets;

import jdk.internal.util.StaticProperty;

import sun.security.util.*;

import sun.net.www.ParseUtil;

/**

 * This class represents a default Policy implementation for the

 * "JavaPolicy" type.

 *

 * <p> This object stores the policy for the entire Java runtime,

 * and is the amalgamation of multiple static policy

 * configurations that resides in files.

 * The algorithm for locating the policy file(s) and reading their

 * information into this <code>Policy</code> object is:

 *

 * <ol>

 * <li>

 *   Read in and load the default policy file named

 *   <JAVA_HOME>/lib/security/default.policy. <JAVA_HOME> refers

 *   to the value of the java.home system property, and specifies the directory

 *   where the JRE is installed. This policy file grants permissions to the

 *   modules loaded by the platform class loader. If the default policy file

 *   cannot be loaded, a fatal InternalError is thrown as these permissions

 *   are needed in order for the runtime to operate correctly.

 * <li>

 *   Loop through the <code>java.security.Security</code> properties,

 *   and <i>policy.url.1</i>, <i>policy.url.2</i>, ...,

 *   <i>policy.url.X</i>".  These properties are set

 *   in the Java security properties file, which is located in the file named

 *   <JAVA_HOME>/conf/security/java.security.

 *   Each property value specifies a <code>URL</code> pointing to a

 *   policy file to be loaded.  Read in and load each policy.

 *

 *   If none of these could be loaded, use a builtin static policy

 *   equivalent to the conf/security/java.policy file.

 *

 * <li>

 *   The <code>java.lang.System</code> property <i>java.security.policy</i>

 *   may also be set to a <code>URL</code> pointing to another policy file

 *   (which is the case when a user uses the -D switch at runtime).

 *   If this property is defined, and its use is allowed by the

 *   security property file (the Security property,

 *   <i>policy.allowSystemProperty</i> is set to <i>true</i>),

 *   also load that policy.

 *

 *   If the <i>java.security.policy</i> property is defined using

 *   "==" (rather than "="), then load the specified policy file and ignore

 *   all other configured policies. Note, that the default.policy file is

 *   also loaded, as specified in the first step of the algorithm above.

 *   If the specified policy file cannot be loaded, use a builtin static policy

 *   equivalent to the default conf/security/java.policy file.

 * </ol>

 *

 * Each policy file consists of one or more grant entries, each of

 * which consists of a number of permission entries.

 *

 * <pre>

 *   grant signedBy "<b>alias</b>", codeBase "<b>URL</b>",

 *         principal <b>principalClass</b> "<b>principalName</b>",

 *         principal <b>principalClass</b> "<b>principalName</b>",

 *         ... {

 *

 *     permission <b>Type</b> "<b>name</b> "<b>action</b>",

 *         signedBy "<b>alias</b>";

 *     permission <b>Type</b> "<b>name</b> "<b>action</b>",

 *         signedBy "<b>alias</b>";

 *     ....

 *   };

 * </pre>

 *

 * All non-bold items above must appear as is (although case

 * doesn't matter and some are optional, as noted below).

 * principal entries are optional and need not be present.

 * Italicized items represent variable values.

 *

 * <p> A grant entry must begin with the word <code>grant</code>.

 * The <code>signedBy</code>,<code>codeBase</code> and <code>principal</code>

 * name/value pairs are optional.

 * If they are not present, then any signer (including unsigned code)

 * will match, and any codeBase will match.

 * Note that the <i>principalClass</i>

 * may be set to the wildcard value, *, which allows it to match

 * any <code>Principal</code> class.  In addition, the <i>principalName</i>

 * may also be set to the wildcard value, *, allowing it to match

 * any <code>Principal</code> name.  When setting the <i>principalName</i>

 * to the *, do not surround the * with quotes.

 *

 * <p> A permission entry must begin with the word <code>permission</code>.

 * The word <code><i>Type</i></code> in the template above is

 * a specific permission type, such as <code>java.io.FilePermission</code>

 * or <code>java.lang.RuntimePermission</code>.

 *

 * <p> The "<i>action</i>" is required for

 * many permission types, such as <code>java.io.FilePermission</code>

 * (where it specifies what type of file access that is permitted).

 * It is not required for categories such as

 * <code>java.lang.RuntimePermission</code>

 * where it is not necessary - you either have the

 * permission specified by the <code>"<i>name</i>"</code>

 * value following the type name or you don't.

 *

 * <p> The <code>signedBy</code> name/value pair for a permission entry

 * is optional. If present, it indicates a signed permission. That is,

 * the permission class itself must be signed by the given alias in

 * order for it to be granted. For example,

 * suppose you have the following grant entry:

 *

 * <pre>

 *   grant principal foo.com.Principal "Duke" {

 *     permission Foo "foobar", signedBy "FooSoft";

 *   }

 * </pre>

 *

 * <p> Then this permission of type <i>Foo</i> is granted if the

 * <code>Foo.class</code> permission has been signed by the

 * "FooSoft" alias, or if XXX <code>Foo.class</code> is a

 * system class (i.e., is found on the CLASSPATH).

 *

 * <p> Items that appear in an entry must appear in the specified order

 * (<code>permission</code>, <i>Type</i>, "<i>name</i>", and

 * "<i>action</i>"). An entry is terminated with a semicolon.

 *

 * <p> Case is unimportant for the identifiers (<code>permission</code>,

 * <code>signedBy</code>, <code>codeBase</code>, etc.) but is

 * significant for the <i>Type</i>

 * or for any string that is passed in as a value.

 *

 * <p> An example of two entries in a policy configuration file is

 * <pre>

 *   // if the code is comes from "foo.com" and is running as "Duke",

 *   // grant it read/write to all files in /tmp.

 *

 *   grant codeBase "foo.com", principal foo.com.Principal "Duke" {

 *              permission java.io.FilePermission "/tmp/*", "read,write";

 *   };

 *

 *   // grant any code running as "Duke" permission to read

 *   // the "java.vendor" Property.

 *

 *   grant principal foo.com.Principal "Duke" {

 *         permission java.util.PropertyPermission "java.vendor";

 *

 *

 * </pre>

 *  This Policy implementation supports special handling of any

 *  permission that contains the string, "<b>${{self}}</b>", as part of

 *  its target name.  When such a permission is evaluated

 *  (such as during a security check), <b>${{self}}</b> is replaced

 *  with one or more Principal class/name pairs.  The exact

 *  replacement performed depends upon the contents of the

 *  grant clause to which the permission belongs.

 * <p>

 *

 *  If the grant clause does not contain any principal information,

 *  the permission will be ignored (permissions containing

 *  <b>${{self}}</b> in their target names are only valid in the context

 *  of a principal-based grant clause).  For example, BarPermission

 *  will always be ignored in the following grant clause:

 *

 * <pre>

 *    grant codebase "www.foo.com", signedby "duke" {

 *      permission BarPermission "... ${{self}} ...";

 *    };

 * </pre>

 *

 *  If the grant clause contains principal information, <b>${{self}}</b>

 *  will be replaced with that same principal information.

 *  For example, <b>${{self}}</b> in BarPermission will be replaced by

 *  <b>javax.security.auth.x500.X500Principal "cn=Duke"</b>

 *  in the following grant clause:

 *

 *  <pre>

 *    grant principal javax.security.auth.x500.X500Principal "cn=Duke" {

 *      permission BarPermission "... ${{self}} ...";

 *    };

 *  </pre>

 *

 *  If there is a comma-separated list of principals in the grant

 *  clause, then <b>${{self}}</b> will be replaced by the same

 *  comma-separated list or principals.

 *  In the case where both the principal class and name are

 *  wildcarded in the grant clause, <b>${{self}}</b> is replaced

 *  with all the principals associated with the <code>Subject</code>

 *  in the current <code>AccessControlContext</code>.

 *

 * <p> For PrivateCredentialPermissions, you can also use "<b>self</b>"

 * instead of "<b>${{self}}</b>". However the use of "<b>self</b>" is

 * deprecated in favour of "<b>${{self}}</b>".

 *

 * @see java.security.CodeSource

 * @see java.security.Permissions

 * @see java.security.ProtectionDomain

 */

public class PolicyFile extends java.security.Policy {

    private static final Debug debug = Debug.getInstance("policy");

    private static final String SELF = "${{self}}";

    private static final String X500PRINCIPAL =

                        "javax.security.auth.x500.X500Principal";

    private static final String POLICY = "java.security.policy";

    private static final String POLICY_URL = "policy.url.";

    private static final int DEFAULT_CACHE_SIZE = 1;

    // contains the policy grant entries, PD cache, and alias mapping

    // can be updated if refresh() is called

    private volatile PolicyInfo policyInfo;

    private boolean expandProperties = true;

    private boolean allowSystemProperties = true;

    private boolean notUtf8 = false;

    private URL url;

    // for use with the reflection API

    private static final Class<?>[] PARAMS0 = { };

    private static final Class<?>[] PARAMS1 = { String.class };

    private static final Class<?>[] PARAMS2 = { String.class, String.class };

    /**

     * When a policy file has a syntax error, the exception code may generate

     * another permission check and this can cause the policy file to be parsed

     * repeatedly, leading to a StackOverflowError or ClassCircularityError.

     * To avoid this, this set is populated with policy files that have been

     * previously parsed and have syntax errors, so that they can be

     * subsequently ignored.

     */

    private static Set<URL> badPolicyURLs =

        Collections.newSetFromMap(new ConcurrentHashMap<URL,Boolean>());

    // The default.policy file

    private static final URL DEFAULT_POLICY_URL =

        AccessController.doPrivileged(new PrivilegedAction<>() {

            @Override

            public URL run() {

                String sep = File.separator;

                try {

                    return Path.of(StaticProperty.javaHome(),

                                     "lib", "security",

                                     "default.policy").toUri().toURL();

                } catch (MalformedURLException mue) {

                    // should not happen

                    throw new Error("Malformed default.policy URL: " + mue);

                }

            }

        });

    /**

     * Initializes the Policy object and reads the default policy

     * configuration file(s) into the Policy object.

     */

    public PolicyFile() {

        init((URL)null);

    }

    /**

     * Initializes the Policy object and reads the default policy

     * from the specified URL only.

     */

    public PolicyFile(URL url) {

        this.url = url;

        init(url);

    }

    /**

     * Initializes the Policy object and reads the default policy

     * configuration file(s) into the Policy object.

     *

     * See the class description for details on the algorithm used to

     * initialize the Policy object.

     */

    private void init(URL url) {

        // Properties are set once for each init(); ignore changes between

        // between diff invocations of initPolicyFile(policy, url, info).

        String numCacheStr =

          AccessController.doPrivileged(new PrivilegedAction<>() {

            @Override

            public String run() {

                expandProperties = "true".equalsIgnoreCase

                    (Security.getProperty("policy.expandProperties"));

                allowSystemProperties = "true".equalsIgnoreCase

                    (Security.getProperty("policy.allowSystemProperty"));

                notUtf8 = "false".equalsIgnoreCase

                    (System.getProperty("sun.security.policy.utf8"));

                return System.getProperty("sun.security.policy.numcaches");

            }});

        int numCaches;

        if (numCacheStr != null) {

            try {

                numCaches = Integer.parseInt(numCacheStr);

            } catch (NumberFormatException e) {

                numCaches = DEFAULT_CACHE_SIZE;

            }

        } else {

            numCaches = DEFAULT_CACHE_SIZE;

        }

        // System.out.println("number caches=" + numCaches);

        PolicyInfo newInfo = new PolicyInfo(numCaches);

        initPolicyFile(newInfo, url);

        policyInfo = newInfo;

    }

    private void initPolicyFile(final PolicyInfo newInfo, final URL url) {

        // always load default.policy

        if (debug != null) {

            debug.println("reading " + DEFAULT_POLICY_URL);

        }

        AccessController.doPrivileged(new PrivilegedAction<>() {

            @Override

            public Void run() {

                init(DEFAULT_POLICY_URL, newInfo, true);

                return null;

            }

        });

        if (url != null) {

            /**

             * If the caller specified a URL via Policy.getInstance,

             * we only read from default.policy and that URL.

             */

            if (debug != null) {

                debug.println("reading " + url);

            }

            AccessController.doPrivileged(new PrivilegedAction<>() {

                @Override

                public Void run() {

                    if (init(url, newInfo, false) == false) {

                        // use static policy if all else fails

                        initStaticPolicy(newInfo);

                    }

                    return null;

                }

            });

        } else {

            /**

             * Caller did not specify URL via Policy.getInstance.

             * Read from URLs listed in the java.security properties file.

             */

            boolean loaded_one = initPolicyFile(POLICY, POLICY_URL, newInfo);

            // To maintain strict backward compatibility

            // we load the static policy only if POLICY load failed

            if (!loaded_one) {

                // use static policy if all else fails

                initStaticPolicy(newInfo);

            }

        }

    }

    private boolean initPolicyFile(final String propname, final String urlname,

                                   final PolicyInfo newInfo) {

        boolean loadedPolicy =

            AccessController.doPrivileged(new PrivilegedAction<>() {

            @Override

            public Boolean run() {

                boolean loaded_policy = false;

                if (allowSystemProperties) {

                    String extra_policy = System.getProperty(propname);

                    if (extra_policy != null) {

                        boolean overrideAll = false;

                        if (extra_policy.startsWith("=")) {

                            overrideAll = true;

                            extra_policy = extra_policy.substring(1);

                        }

                        try {

                            extra_policy =

                                PropertyExpander.expand(extra_policy);

                            URL policyURL;

                            File policyFile = new File(extra_policy);

                            if (policyFile.exists()) {

                                policyURL = ParseUtil.fileToEncodedURL

                                    (new File(policyFile.getCanonicalPath()));

                            } else {

                                policyURL = new URL(extra_policy);

                            }

                            if (debug != null) {

                                debug.println("reading "+policyURL);

                            }

                            if (init(policyURL, newInfo, false)) {

                                loaded_policy = true;

                            }

                        } catch (Exception e) {

                            // ignore.

                            if (debug != null) {

                                debug.println("caught exception: "+e);

                            }

                        }

                        if (overrideAll) {

                            if (debug != null) {

                                debug.println("overriding other policies!");

                            }

                            return Boolean.valueOf(loaded_policy);

                        }

                    }

                }

                int n = 1;

                String policy_uri;

                while ((policy_uri = Security.getProperty(urlname+n)) != null) {

                    try {

                        URL policy_url = null;

                        String expanded_uri = PropertyExpander.expand

                                (policy_uri).replace(File.separatorChar, '/');

                        if (policy_uri.startsWith("file:${java.home}/") ||

                            policy_uri.startsWith("file:${user.home}/")) {

                            // this special case accommodates

                            // the situation java.home/user.home

                            // expand to a single slash, resulting in

                            // a file://foo URI

                            policy_url = new File

                                (expanded_uri.substring(5)).toURI().toURL();

                        } else {

                            policy_url = new URI(expanded_uri).toURL();

                        }

                        if (debug != null) {

                            debug.println("reading " + policy_url);

                        }

                        if (init(policy_url, newInfo, false)) {

                            loaded_policy = true;

                        }

                    } catch (Exception e) {

                        if (debug != null) {

                            debug.println(

                                "Debug info only. Error reading policy " +e);

                            e.printStackTrace();

                        }

                        // ignore that policy

                    }

                    n++;

                }

                return Boolean.valueOf(loaded_policy);

            }

        });

        return loadedPolicy;

    }

    /**

     * Reads a policy configuration into the Policy object using a

     * Reader object.

     */

    private boolean init(URL policy, PolicyInfo newInfo, boolean defPolicy) {

        // skip parsing policy file if it has been previously parsed and

        // has syntax errors

        if (badPolicyURLs.contains(policy)) {

            if (debug != null) {

                debug.println("skipping bad policy file: " + policy);

            }

            return false;

        }

        try (InputStreamReader isr =

                 getInputStreamReader(PolicyUtil.getInputStream(policy))) {

            PolicyParser pp = new PolicyParser(expandProperties);

            pp.read(isr);