/*
 * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.Provider;
import java.security.SecureClassLoader;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.PropertyPermission;
import jdk.test.lib.net.IPSupport;

/*
 * @test
 * @bug 6826789 8131486 8130181
 * @library /test/lib
 * @build jdk.test.lib.net.IPSupport
 * @summary Make sure equivalent ProtectionDomains are granted the same
 *          permissions when the CodeSource URLs are different but resolve
 *          to the same ip address after name service resolution.
 * @run main/othervm DefineClass
 */

public class DefineClass {

    // permissions that are expected to be granted by the policy file
    private final static Permission[] GRANTED_PERMS = new Permission[] {
        new PropertyPermission("user.home", "read"),
        new PropertyPermission("user.name", "read")
    };

    // Base64 encoded bytes of simple class: "package foo; public class Foo {}"
    private final static String FOO_CLASS =
        "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
        "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhGb28uamF2YQwABAAF" +
        "AQAHZm9vL0ZvbwEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" +
        "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" +
        "AAIACQ==";

    // Base64 encoded bytes of simple class: "package bar; public class Bar {}"
    private final static String BAR_CLASS =
        "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
        "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXIuamF2YQwABAAF" +
        "AQAHYmFyL0JhcgEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" +
        "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" +
        "AAIACQ==";

    // Base64 encoded bytes of simple class: "package bar2; public class Bar2 {}"
    private final static String BAR2_CLASS =
        "yv66vgAAADQADwoAAwAMBwANBwAOAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
        "D0xpbmVOdW1iZXJUYWJsZQEABG1haW4BABYoW0xqYXZhL2xhbmcvU3RyaW5n" +
        "OylWAQAKU291cmNlRmlsZQEACUJhcjIuamF2YQwABAAFAQAJYmFyMi9CYXIy" +
        "AQAQamF2YS9sYW5nL09iamVjdAAhAAIAAwAAAAAAAgABAAQABQABAAYAAAAd" +
        "AAEAAQAAAAUqtwABsQAAAAEABwAAAAYAAQAAAAEACQAIAAkAAQAGAAAAGQAA" +
        "AAEAAAABsQAAAAEABwAAAAYAAQAAAAEAAQAKAAAAAgAL";

    // Base64 encoded bytes of simple class: "package baz; public class Baz {}"
    private final static String BAZ_CLASS =
        "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
        "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXouamF2YQwABAAF" +
        "AQAHYmF6L0JhegEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" +
        "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" +
        "AAIACQ==";

    private final static String BAZ_CERT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIEFzCCA8OgAwIBAgIESpPf8TANBglghkgBZQMEAwIFADAOMQwwCgYDVQQDEwNG\n" +
        "b28wHhcNMTUwNzE1MTY1ODM5WhcNMTUxMDEzMTY1ODM5WjAOMQwwCgYDVQQDEwNG\n" +
        "b28wggNCMIICNQYHKoZIzjgEATCCAigCggEBAI95Ndm5qum/q+2Ies9JUbbzLsWe\n" +
        "O683GOjqxJYfPv02BudDUanEGDM5uAnnwq4cU5unR1uF0BGtuLR5h3VJhGlcrA6P\n" +
        "FLM2CCiiL/onEQo9YqmTRTQJoP5pbEZY+EvdIIGcNwmgEFexla3NACM9ulSEtikf\n" +
        "nWSO+INEhneXnOwEtDSmrC516Zhd4j2wKS/BEYyf+p2BgeczjbeStzDXueNJWS9o\n" +
        "CZhyFTkV6j1ri0ZTxjNFj4A7MqTC4PJykCVuTj+KOwg4ocRQ5OGMGimjfd9eoUPe\n" +
        "S2b/BJA+1c8WI+FY1IfGCOl/IRzYHcojy244B2X4IuNCvkhMBXY5OWAc1mcCHQC6\n" +
        "9pamhXj3397n+mfJd8eF7zKyM7rlgMC81WldAoIBABamXFggSFBwTnUCo5dXBA00\n" +
        "2jo0eMFU1OSlwC0kLuBPluYeS9CQSr2sjzfuseCfMYLSPJBDy2QviABBYO35ygmz\n" +
        "IHannDKmJ/JHPpGHm6LE50S9IIFUTLVbgCw2jR+oPtSJ6U4PoGiOMkKKXHjEeMaN\n" +
        "BSe3HJo6uwsL4SxEaJY559POdNsQGmWqK4f2TGgm2z7HL0tVmYNLtO2wL3yQ6aSW\n" +
        "06VdU1vr/EXU9hn2Pz3tu4c5JcLyJOB3MSltqIfsHkdI+H77X963VIQxayIy3uVT\n" +
        "3a8CESsNHwLaMJcyJP4nrtqLnUspItm6i+Oe2eEDpjxSgQvGiLfi7UMW4e8X294D\n" +
        "ggEFAAKCAQBsGeU8/STExzQsJ8kFM9xarA/2VAFMzyUpd3IQ2UGHQC5rEnGh/RiU\n" +
        "T20y7a2hCpQ1f/qgLnY8hku9GRVY3z8WamBzWLzCAEAx67EsS58mf4o8R3sUbkH5\n" +
        "/mRaZoNVSPUy+tXoLmTzIetU4W+JT8Rq4OcXXU9uo9TreeBehhVexS3vpVgQeUIn\n" +
        "MmMma8WHpovIJQQlp4cyjalX7Beda/tqX/HPLkAS4TRqQAz7hFr3FqFrVMKFSGo4\n" +
        "fTS06GGdQ4tw9c6NQLuQ9WF9BxYSwSk9yENQvKDZaBNarqPMnsh1Gi/QcKMRBVhM\n" +
        "RT/9vb4QUi/pOowhhKCDBLgjY60QgX3HoyEwHzAdBgNVHQ4EFgQUa787CE+3ZNAb\n" +
        "g1ql9yJVVrRCdx0wDQYJYIZIAWUDBAMCBQADPwAwPAIcCUkZIRrBlKdTzhKYBEOm\n" +
        "E1i45MMum1RuHc28agIcfHQkkjBA4FfH5UMRgKpIyRR8V/dVboxDj4hKOA==\n" +
        "-----END CERTIFICATE-----";

    public static void main(String[] args) throws Exception {

        Security.addProvider(new TestProvider());

        MySecureClassLoader scl = new MySecureClassLoader();

        File policyFile = new File(System.getProperty("test.src", "."),
                                   "DefineClass.policy");
        Policy p = Policy.getInstance("JavaPolicy",
                                      new URIParameter(policyFile.toURI()));
        Policy.setPolicy(p);

        System.setSecurityManager(new SecurityManager());
        ArrayList<Permission> perms1 = getPermissions(scl, p,
                                                      "http://localhost/",
                                                      "foo.Foo", FOO_CLASS,
                                                      null);
        checkPerms(perms1, GRANTED_PERMS);

        if (IPSupport.hasIPv4()) {
            ArrayList<Permission> perms2 = getPermissions(scl, p,
                                                          "http://127.0.0.1/",
                                                          "bar.Bar", BAR_CLASS,
                                                          null);
            checkPerms(perms2, GRANTED_PERMS);
            assert(perms1.equals(perms2));
        }
        if (IPSupport.hasIPv6()) {
            ArrayList<Permission> perms2 = getPermissions(scl, p,
                                                          "http://[::1]/",
                                                          "bar2.Bar2", BAR2_CLASS,
                                                          null);
            checkPerms(perms2, GRANTED_PERMS);
            assert(perms1.equals(perms2));
        }

        // check that class signed by baz is granted an additional permission
        Certificate[] chain = new Certificate[] {getCert(BAZ_CERT)};
        ArrayList<Permission> perms3 = getPermissions(scl, p,
                                                      "http://localhost/",
                                                      "baz.Baz", BAZ_CLASS,
                                                      chain);
        List<Permission> perms = new ArrayList<>(Arrays.asList(GRANTED_PERMS));
        perms.add(new PropertyPermission("user.dir", "read"));
        checkPerms(perms3, perms.toArray(new Permission[0]));
    }

    // returns the permissions granted to the codebase URL
    private static ArrayList<Permission> getPermissions(MySecureClassLoader scl,
                                                        Policy p, String url,
                                                        String className,
                                                        String classBytes,
                                                        Certificate[] chain)
                                                        throws IOException {
        CodeSource cs = new CodeSource(new URL(url), chain);
        Base64.Decoder bd = Base64.getDecoder();
        byte[] bytes = bd.decode(classBytes);
        Class<?> c = scl.defineMyClass(className, bytes, cs);
        ProtectionDomain pd = c.getProtectionDomain();
        return Collections.list(p.getPermissions(pd).elements());
    }

    private static void checkPerms(List<Permission> perms,
                                   Permission... grantedPerms)
        throws Exception
    {
        if (!perms.containsAll(Arrays.asList(grantedPerms))) {
            throw new Exception("Granted permissions not correct");
        }
    }

    private static Certificate getCert(String base64Cert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream is = new ByteArrayInputStream(base64Cert.getBytes("UTF-8"));
        return cf.generateCertificate(is);
    }

    // A SecureClassLoader that allows the test to define its own classes
    private static class MySecureClassLoader extends SecureClassLoader {
        Class<?> defineMyClass(String name, byte[] b, CodeSource cs) {
            return super.defineClass(name, b, 0, b.length, cs);
        }
    }

    private static class TestProvider extends Provider {
        TestProvider() {
            super("Test8131486", "0.0", "For testing only");
            putService(new Provider.Service(this, "KeyStore", "Test8131486",
                       "DefineClass$TestKeyStore", null, null));
        }
    }

    /**
     * A KeyStore containing a single certificate entry named "baz".
     */
    public static class TestKeyStore extends KeyStoreSpi {
        private final String baz = "baz";
        private final List<String> aliases = Collections.singletonList(baz);
        private final Certificate bazCert;

        public TestKeyStore() {
            try {
                this.bazCert = getCert(BAZ_CERT);
            } catch (Exception e) {
                throw new Error();
            }
        }

        @Override
        public Enumeration<String> engineAliases() {
            return Collections.enumeration(aliases);
        }

        @Override
        public boolean engineContainsAlias(String alias) {
            return alias.equals(baz);
        }

        @Override
        public void engineDeleteEntry(String alias) throws KeyStoreException {
            throw new KeyStoreException();
        }

        @Override
        public Certificate engineGetCertificate(String alias) {
            return alias.equals(baz) ? bazCert : null;
        }

        @Override
        public String engineGetCertificateAlias(Certificate cert) {
            return cert.equals(bazCert) ? baz : null;
        }

        @Override
        public Certificate[] engineGetCertificateChain(String alias) {
            return alias.equals(baz) ? new Certificate[] {bazCert} : null;
        }

        @Override
        public Date engineGetCreationDate(String alias) {
            return alias.equals(baz) ? new Date() : null;
        }

        @Override
        public Key engineGetKey(String alias, char[] password)
            throws NoSuchAlgorithmException, UnrecoverableKeyException {
            return null;
        }

        @Override
        public boolean engineIsCertificateEntry(String alias) {
            return alias.equals(baz);
        }

        @Override
        public boolean engineIsKeyEntry(String alias) {
            return false;
        }

        @Override
        public void engineLoad(InputStream stream, char[] password)
            throws IOException, NoSuchAlgorithmException, CertificateException {
        }

        @Override
        public void engineSetCertificateEntry(String alias, Certificate cert)
            throws KeyStoreException {
            throw new KeyStoreException();
        }

        @Override
        public void engineSetKeyEntry(String alias, byte[] key,
                                      Certificate[] chain)
            throws KeyStoreException {
            throw new KeyStoreException();
        }

        @Override
        public void engineSetKeyEntry(String alias, Key key, char[] password,
                                      Certificate[] chain)
            throws KeyStoreException {
            throw new KeyStoreException();
        }

        @Override
        public int engineSize() { return 1; }

        @Override
        public void engineStore(OutputStream stream, char[] password)
            throws IOException, NoSuchAlgorithmException, CertificateException {
        }
    }
}