src/java.base/share/classes/sun/security/provider/ConfigFile.java
author erikj
Tue, 12 Sep 2017 19:03:39 +0200
changeset 47216 71c04702a3d5
parent 43243 jdk/src/java.base/share/classes/sun/security/provider/ConfigFile.java@a48dab17a356
child 53018 8bf9268df0e2
permissions -rw-r--r--
8187443: Forest Consolidation: Move files to unified layout Reviewed-by: darcy, ihse

/*
 * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.provider;

import java.io.*;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.security.URIParameter;
import java.text.MessageFormat;
import java.util.*;
import javax.security.auth.AuthPermission;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.ConfigurationSpi;
import sun.security.util.Debug;
import sun.security.util.PropertyExpander;
import sun.security.util.ResourcesMgr;

/**
 * This class represents a default implementation for
 * {@code javax.security.auth.login.Configuration}.
 *
 * <p> This object stores the runtime login configuration representation,
 * and is the amalgamation of multiple static login configurations that
 * resides in files. The algorithm for locating the login configuration
 * file(s) and reading their information into this {@code Configuration}
 * object is:
 *
 * <ol>
 * <li>
 *   Loop through the security properties,
 *   <i>login.config.url.1</i>, <i>login.config.url.2</i>, ...,
 *   <i>login.config.url.X</i>.
 *   Each property value specifies a {@code URL} pointing to a
 *   login configuration file to be loaded.  Read in and load
 *   each configuration.
 *
 * <li>
 *   The {@code java.lang.System} property
 *   <i>java.security.auth.login.config</i>
 *   may also be set to a {@code URL} pointing to another
 *   login configuration file
 *   (which is the case when a user uses the -D switch at runtime).
 *   If this property is defined, and its use is allowed by the
 *   security property file (the Security property,
 *   <i>policy.allowSystemProperty</i> is set to <i>true</i>),
 *   also load that login configuration.
 *
 * <li>
 *   If the <i>java.security.auth.login.config</i> property is defined using
 *   "==" (rather than "="), then ignore all other specified
 *   login configurations and only load this configuration.
 *
 * <li>
 *   If no system or security properties were set, try to read from the file,
 *   ${user.home}/.java.login.config, where ${user.home} is the value
 *   represented by the "user.home" System property.
 * </ol>
 *
 * <p> The configuration syntax supported by this implementation
 * is exactly that syntax specified in the
 * {@code javax.security.auth.login.Configuration} class.
 *
 * @see javax.security.auth.login.LoginContext
 * @see java.security.Security security properties
 */
public final class ConfigFile extends Configuration {

    private final Spi spi;

    public ConfigFile() {
        spi = new Spi();
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
        return spi.engineGetAppConfigurationEntry(appName);
    }

    @Override
    public synchronized void refresh() {
        spi.engineRefresh();
    }

    public static final class Spi extends ConfigurationSpi {

        private URL url;
        private boolean expandProp = true;
        private Map<String, List<AppConfigurationEntry>> configuration;
        private int linenum;
        private StreamTokenizer st;
        private int lookahead;

        private static Debug debugConfig = Debug.getInstance("configfile");
        private static Debug debugParser = Debug.getInstance("configparser");

        /**
         * Creates a new {@code ConfigurationSpi} object.
         *
         * @throws SecurityException if the {@code ConfigurationSpi} can not be
         *                           initialized
         */
        public Spi() {
            try {
                init();
            } catch (IOException ioe) {
                throw new SecurityException(ioe);
            }
        }

        /**
         * Creates a new {@code ConfigurationSpi} object from the specified
         * {@code URI}.
         *
         * @param uri the {@code URI}
         * @throws SecurityException if the {@code ConfigurationSpi} can not be
         *                           initialized
         * @throws NullPointerException if {@code uri} is null
         */
        public Spi(URI uri) {
            // only load config from the specified URI
            try {
                url = uri.toURL();
                init();
            } catch (IOException ioe) {
                throw new SecurityException(ioe);
            }
        }

        public Spi(final Configuration.Parameters params) throws IOException {

            // call in a doPrivileged
            //
            // we have already passed the Configuration.getInstance
            // security check.  also this class is not freely accessible
            // (it is in the "sun" package).

            try {
                AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                    public Void run() throws IOException {
                        if (params == null) {
                            init();
                        } else {
                            if (!(params instanceof URIParameter)) {
                                throw new IllegalArgumentException
                                        ("Unrecognized parameter: " + params);
                            }
                            URIParameter uriParam = (URIParameter)params;
                            url = uriParam.getURI().toURL();
                            init();
                        }
                        return null;
                    }
                });
            } catch (PrivilegedActionException pae) {
                throw (IOException)pae.getException();
            }

            // if init() throws some other RuntimeException,
            // let it percolate up naturally.
        }

        /**
         * Read and initialize the entire login Configuration from the
         * configured URL.
         *
         * @throws IOException if the Configuration can not be initialized
         * @throws SecurityException if the caller does not have permission
         *                           to initialize the Configuration
         */
        private void init() throws IOException {

            boolean initialized = false;

            // For policy.expandProperties, check if either a security or system
            // property is set to false (old code erroneously checked the system
            // prop so we must check both to preserve compatibility).
            String expand = Security.getProperty("policy.expandProperties");
            if (expand == null) {
                expand = System.getProperty("policy.expandProperties");
            }
            if ("false".equals(expand)) {
                expandProp = false;
            }

            // new configuration
            Map<String, List<AppConfigurationEntry>> newConfig = new HashMap<>();

            if (url != null) {
                /**
                 * If the caller specified a URI via Configuration.getInstance,
                 * we only read from that URI
                 */
                if (debugConfig != null) {
                    debugConfig.println("reading " + url);
                }
                init(url, newConfig);
                configuration = newConfig;
                return;
            }

            /**
             * Caller did not specify URI via Configuration.getInstance.
             * Read from URLs listed in the java.security properties file.
             */
            String allowSys = Security.getProperty("policy.allowSystemProperty");

            if ("true".equalsIgnoreCase(allowSys)) {
                String extra_config = System.getProperty
                                      ("java.security.auth.login.config");
                if (extra_config != null) {
                    boolean overrideAll = false;
                    if (extra_config.startsWith("=")) {
                        overrideAll = true;
                        extra_config = extra_config.substring(1);
                    }
                    try {
                        extra_config = PropertyExpander.expand(extra_config);
                    } catch (PropertyExpander.ExpandException peee) {
                        throw ioException("Unable.to.properly.expand.config",
                                          extra_config);
                    }

                    URL configURL = null;
                    try {
                        configURL = new URL(extra_config);
                    } catch (MalformedURLException mue) {
                        File configFile = new File(extra_config);
                        if (configFile.exists()) {
                            configURL = configFile.toURI().toURL();
                        } else {
                            throw ioException(
                                "extra.config.No.such.file.or.directory.",
                                extra_config);
                        }
                    }

                    if (debugConfig != null) {
                        debugConfig.println("reading "+configURL);
                    }
                    init(configURL, newConfig);
                    initialized = true;
                    if (overrideAll) {
                        if (debugConfig != null) {
                            debugConfig.println("overriding other policies!");
                        }
                        configuration = newConfig;
                        return;
                    }
                }
            }

            int n = 1;
            String config_url;
            while ((config_url = Security.getProperty
                                     ("login.config.url."+n)) != null) {
                try {
                    config_url = PropertyExpander.expand
                        (config_url).replace(File.separatorChar, '/');
                    if (debugConfig != null) {
                        debugConfig.println("\tReading config: " + config_url);
                    }
                    init(new URL(config_url), newConfig);
                    initialized = true;
                } catch (PropertyExpander.ExpandException peee) {
                    throw ioException("Unable.to.properly.expand.config",
                                      config_url);
                }
                n++;
            }

            if (initialized == false && n == 1 && config_url == null) {

                // get the config from the user's home directory
                if (debugConfig != null) {
                    debugConfig.println("\tReading Policy " +
                                "from ~/.java.login.config");
                }
                config_url = System.getProperty("user.home");
                String userConfigFile = config_url + File.separatorChar +
                                        ".java.login.config";

                // No longer throws an exception when there's no config file
                // at all. Returns an empty Configuration instead.
                if (new File(userConfigFile).exists()) {
                    init(new File(userConfigFile).toURI().toURL(), newConfig);
                }
            }

            configuration = newConfig;
        }

        private void init(URL config,
                          Map<String, List<AppConfigurationEntry>> newConfig)
                          throws IOException {

            try (InputStreamReader isr
                    = new InputStreamReader(getInputStream(config), "UTF-8")) {
                readConfig(isr, newConfig);
            } catch (FileNotFoundException fnfe) {
                if (debugConfig != null) {
                    debugConfig.println(fnfe.toString());
                }
                throw new IOException(ResourcesMgr.getAuthResourceString
                    ("Configuration.Error.No.such.file.or.directory"));
            }
        }

        /**
         * Retrieve an entry from the Configuration using an application name
         * as an index.
         *
         * @param applicationName the name used to index the Configuration.
         * @return an array of AppConfigurationEntries which correspond to
         *         the stacked configuration of LoginModules for this
         *         application, or null if this application has no configured
         *         LoginModules.
         */
        @Override
        public AppConfigurationEntry[] engineGetAppConfigurationEntry
            (String applicationName) {

            List<AppConfigurationEntry> list = null;
            synchronized (configuration) {
                list = configuration.get(applicationName);
            }

            if (list == null || list.size() == 0) {
                return null;
            }

            AppConfigurationEntry[] entries =
                                    new AppConfigurationEntry[list.size()];
            Iterator<AppConfigurationEntry> iterator = list.iterator();
            for (int i = 0; iterator.hasNext(); i++) {
                AppConfigurationEntry e = iterator.next();
                entries[i] = new AppConfigurationEntry(e.getLoginModuleName(),
                                                       e.getControlFlag(),
                                                       e.getOptions());
            }
            return entries;
        }

        /**
         * Refresh and reload the Configuration by re-reading all of the
         * login configurations.
         *
         * @throws SecurityException if the caller does not have permission
         *                           to refresh the Configuration.
         */
        @Override
        public synchronized void engineRefresh() {

            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(
                    new AuthPermission("refreshLoginConfiguration"));
            }

            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                public Void run() {
                    try {
                        init();
                    } catch (IOException ioe) {
                        throw new SecurityException(ioe.getLocalizedMessage(),
                                                    ioe);
                    }
                    return null;
                }
            });
        }

        private void readConfig(Reader reader,
            Map<String, List<AppConfigurationEntry>> newConfig)
            throws IOException {

            linenum = 1;

            if (!(reader instanceof BufferedReader)) {
                reader = new BufferedReader(reader);
            }

            st = new StreamTokenizer(reader);
            st.quoteChar('"');
            st.wordChars('$', '$');
            st.wordChars('_', '_');
            st.wordChars('-', '-');
            st.wordChars('*', '*');
            st.lowerCaseMode(false);
            st.slashSlashComments(true);
            st.slashStarComments(true);
            st.eolIsSignificant(true);

            lookahead = nextToken();
            while (lookahead != StreamTokenizer.TT_EOF) {
                parseLoginEntry(newConfig);
            }
        }

        private void parseLoginEntry(
            Map<String, List<AppConfigurationEntry>> newConfig)
            throws IOException {

            List<AppConfigurationEntry> configEntries = new LinkedList<>();

            // application name
            String appName = st.sval;
            lookahead = nextToken();

            if (debugParser != null) {
                debugParser.println("\tReading next config entry: " + appName);
            }

            match("{");

            // get the modules
            while (peek("}") == false) {
                // get the module class name
                String moduleClass = match("module class name");

                // controlFlag (required, optional, etc)
                LoginModuleControlFlag controlFlag;
                String sflag = match("controlFlag").toUpperCase(Locale.ENGLISH);
                switch (sflag) {
                    case "REQUIRED":
                        controlFlag = LoginModuleControlFlag.REQUIRED;
                        break;
                    case "REQUISITE":
                        controlFlag = LoginModuleControlFlag.REQUISITE;
                        break;
                    case "SUFFICIENT":
                        controlFlag = LoginModuleControlFlag.SUFFICIENT;
                        break;
                    case "OPTIONAL":
                        controlFlag = LoginModuleControlFlag.OPTIONAL;
                        break;
                    default:
                        throw ioException(
                            "Configuration.Error.Invalid.control.flag.flag",
                            sflag);
                }

                // get the args
                Map<String, String> options = new HashMap<>();
                while (peek(";") == false) {
                    String key = match("option key");
                    match("=");
                    try {
                        options.put(key, expand(match("option value")));
                    } catch (PropertyExpander.ExpandException peee) {
                        throw new IOException(peee.getLocalizedMessage());
                    }
                }

                lookahead = nextToken();

                // create the new element
                if (debugParser != null) {
                    debugParser.println("\t\t" + moduleClass + ", " + sflag);
                    for (String key : options.keySet()) {
                        debugParser.println("\t\t\t" + key +
                                            "=" + options.get(key));
                    }
                }
                configEntries.add(new AppConfigurationEntry(moduleClass,
                                                            controlFlag,
                                                            options));
            }

            match("}");
            match(";");

            // add this configuration entry
            if (newConfig.containsKey(appName)) {
                throw ioException(
                    "Configuration.Error.Can.not.specify.multiple.entries.for.appName",
                    appName);
            }
            newConfig.put(appName, configEntries);
        }

        private String match(String expect) throws IOException {

            String value = null;

            switch(lookahead) {
            case StreamTokenizer.TT_EOF:
                throw ioException(
                    "Configuration.Error.expected.expect.read.end.of.file.",
                    expect);

            case '"':
            case StreamTokenizer.TT_WORD:
                if (expect.equalsIgnoreCase("module class name") ||
                    expect.equalsIgnoreCase("controlFlag") ||
                    expect.equalsIgnoreCase("option key") ||
                    expect.equalsIgnoreCase("option value")) {
                    value = st.sval;
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.found.value.",
                        linenum, expect, st.sval);
                }
                break;

            case '{':
                if (expect.equalsIgnoreCase("{")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        linenum, expect, st.sval);
                }
                break;

            case ';':
                if (expect.equalsIgnoreCase(";")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        linenum, expect, st.sval);
                }
                break;

            case '}':
                if (expect.equalsIgnoreCase("}")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        linenum, expect, st.sval);
                }
                break;

            case '=':
                if (expect.equalsIgnoreCase("=")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        linenum, expect, st.sval);
                }
                break;

            default:
                throw ioException(
                    "Configuration.Error.Line.line.expected.expect.found.value.",
                    linenum, expect, st.sval);
            }
            return value;
        }

        private boolean peek(String expect) {
            switch (lookahead) {
                case ',':
                    return expect.equalsIgnoreCase(",");
                case ';':
                    return expect.equalsIgnoreCase(";");
                case '{':
                    return expect.equalsIgnoreCase("{");
                case '}':
                    return expect.equalsIgnoreCase("}");
                default:
                    return false;
            }
        }

        private int nextToken() throws IOException {
            int tok;
            while ((tok = st.nextToken()) == StreamTokenizer.TT_EOL) {
                linenum++;
            }
            return tok;
        }

        private InputStream getInputStream(URL url) throws IOException {
            if ("file".equalsIgnoreCase(url.getProtocol())) {
                // Compatibility notes:
                //
                // Code changed from
                //   String path = url.getFile().replace('/', File.separatorChar);
                //   return new FileInputStream(path);
                //
                // The original implementation would search for "/tmp/a%20b"
                // when url is "file:///tmp/a%20b". This is incorrect. The
                // current codes fix this bug and searches for "/tmp/a b".
                // For compatibility reasons, when the file "/tmp/a b" does
                // not exist, the file named "/tmp/a%20b" will be tried.
                //
                // This also means that if both file exists, the behavior of
                // this method is changed, and the current codes choose the
                // correct one.
                try {
                    return url.openStream();
                } catch (Exception e) {
                    String file = url.getPath();
                    if (url.getHost().length() > 0) {  // For Windows UNC
                        file = "//" + url.getHost() + file;
                    }
                    if (debugConfig != null) {
                        debugConfig.println("cannot read " + url +
                                            ", try " + file);
                    }
                    return new FileInputStream(file);
                }
            } else {
                return url.openStream();
            }
        }

        private String expand(String value)
            throws PropertyExpander.ExpandException, IOException {

            if (value.isEmpty()) {
                return value;
            }

            if (!expandProp) {
                return value;
            }
            String s = PropertyExpander.expand(value);
            if (s == null || s.length() == 0) {
                throw ioException(
                    "Configuration.Error.Line.line.system.property.value.expanded.to.empty.value",
                    linenum, value);
            }
            return s;
        }

        private IOException ioException(String resourceKey, Object... args) {
            MessageFormat form = new MessageFormat(
                ResourcesMgr.getAuthResourceString(resourceKey));
            return new IOException(form.format(args));
        }
    }
}