/*

 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package java.security;

import java.lang.ref.Reference;

import java.lang.ref.ReferenceQueue;

import java.lang.ref.SoftReference;

import java.lang.ref.WeakReference;

import java.util.ArrayList;

import java.util.Enumeration;

import java.util.List;

import java.util.Objects;

import java.util.concurrent.ConcurrentHashMap;

import jdk.internal.misc.JavaSecurityAccess;

import jdk.internal.misc.JavaSecurityProtectionDomainAccess;

import static jdk.internal.misc.JavaSecurityProtectionDomainAccess.ProtectionDomainCache;

import jdk.internal.misc.SharedSecrets;

import sun.security.action.GetPropertyAction;

import sun.security.provider.PolicyFile;

import sun.security.util.Debug;

import sun.security.util.FilePermCompat;

import sun.security.util.SecurityConstants;

/**

 * The ProtectionDomain class encapsulates the characteristics of a domain,

 * which encloses a set of classes whose instances are granted a set

 * of permissions when being executed on behalf of a given set of Principals.

 * <p>

 * A static set of permissions can be bound to a ProtectionDomain when it is

 * constructed; such permissions are granted to the domain regardless of the

 * Policy in force. However, to support dynamic security policies, a

 * ProtectionDomain can also be constructed such that it is dynamically

 * mapped to a set of permissions by the current Policy whenever a permission

 * is checked.

 *

 * @author Li Gong

 * @author Roland Schemers

 * @author Gary Ellison

 * @since 1.2

 */

public class ProtectionDomain {

    /**

     * If true, {@link #impliesWithAltFilePerm} will try to be compatible on

     * FilePermission checking even if a 3rd-party Policy implementation is set.

     */

    private static final boolean filePermCompatInPD =

            "true".equals(GetPropertyAction.privilegedGetProperty(

                "jdk.security.filePermCompat"));

    private static class JavaSecurityAccessImpl implements JavaSecurityAccess {

        private JavaSecurityAccessImpl() {

        }

        @Override

        public <T> T doIntersectionPrivilege(

                PrivilegedAction<T> action,

                final AccessControlContext stack,

                final AccessControlContext context) {

            if (action == null) {

                throw new NullPointerException();

            }

            return AccessController.doPrivileged(

                action,

                getCombinedACC(context, stack)

            );

        }

        @Override

        public <T> T doIntersectionPrivilege(

                PrivilegedAction<T> action,

                AccessControlContext context) {

            return doIntersectionPrivilege(action,

                AccessController.getContext(), context);

        }

        @Override

        public ProtectionDomain[] getProtectDomains(AccessControlContext context) {

            return context.getContext();

        }

        private static AccessControlContext getCombinedACC(

            AccessControlContext context, AccessControlContext stack) {

            AccessControlContext acc =

                new AccessControlContext(context, stack.getCombiner(), true);

            return new AccessControlContext(stack.getContext(), acc).optimize();

        }

    }

    static {

        // setup SharedSecrets to allow access to doIntersectionPrivilege

        // methods and ProtectionDomain cache

        SharedSecrets.setJavaSecurityAccess(new JavaSecurityAccessImpl());

        SharedSecrets.setJavaSecurityProtectionDomainAccess(

            new JavaSecurityProtectionDomainAccess() {

                @Override

                public ProtectionDomainCache getProtectionDomainCache() {

                    return new PDCache();

                }

            });

    }

    /**

     * Used for storing ProtectionDomains as keys in a Map.

     */

    static final class Key {}

    /* CodeSource */

    private CodeSource codesource ;

    /* ClassLoader the protection domain was consed from */

    private ClassLoader classloader;

    /* Principals running-as within this protection domain */

    private Principal[] principals;

    /* the rights this protection domain is granted */

    private PermissionCollection permissions;

    /* if the permissions object has AllPermission */

    private boolean hasAllPerm = false;

    /* the PermissionCollection is static (pre 1.4 constructor)

       or dynamic (via a policy refresh) */

    private final boolean staticPermissions;

    /*

     * An object used as a key when the ProtectionDomain is stored in a Map.

     */

    final Key key = new Key();

    /**

     * Creates a new ProtectionDomain with the given CodeSource and

     * Permissions. If the permissions object is not null, then

     *  {@code setReadOnly()} will be called on the passed in

     * Permissions object.

     * <p>

     * The permissions granted to this domain are static, i.e.

     * invoking the {@link #staticPermissionsOnly()} method returns true.

     * They contain only the ones passed to this constructor and

     * the current Policy will not be consulted.

     *

     * @param codesource the codesource associated with this domain

     * @param permissions the permissions granted to this domain

     */

    public ProtectionDomain(CodeSource codesource,

                            PermissionCollection permissions) {

        this.codesource = codesource;

        if (permissions != null) {

            this.permissions = permissions;

            this.permissions.setReadOnly();

            if (permissions instanceof Permissions &&

                ((Permissions)permissions).allPermission != null) {

                hasAllPerm = true;

            }

        }

        this.classloader = null;

        this.principals = new Principal[0];

        staticPermissions = true;

    }

    /**

     * Creates a new ProtectionDomain qualified by the given CodeSource,

     * Permissions, ClassLoader and array of Principals. If the

     * permissions object is not null, then {@code setReadOnly()}

     * will be called on the passed in Permissions object.

     * <p>

     * The permissions granted to this domain are dynamic, i.e.

     * invoking the {@link #staticPermissionsOnly()} method returns false.

     * They include both the static permissions passed to this constructor,

     * and any permissions granted to this domain by the current Policy at the

     * time a permission is checked.

     * <p>

     * This constructor is typically used by

     * {@link SecureClassLoader ClassLoaders}

     * and {@link DomainCombiner DomainCombiners} which delegate to

     * {@code Policy} to actively associate the permissions granted to

     * this domain. This constructor affords the

     * Policy provider the opportunity to augment the supplied

     * PermissionCollection to reflect policy changes.

     *

     * @param codesource the CodeSource associated with this domain

     * @param permissions the permissions granted to this domain

     * @param classloader the ClassLoader associated with this domain

     * @param principals the array of Principals associated with this

     * domain. The contents of the array are copied to protect against

     * subsequent modification.

     * @see Policy#refresh

     * @see Policy#getPermissions(ProtectionDomain)

     * @since 1.4

     */

    public ProtectionDomain(CodeSource codesource,

                            PermissionCollection permissions,

                            ClassLoader classloader,

                            Principal[] principals) {

        this.codesource = codesource;

        if (permissions != null) {

            this.permissions = permissions;

            this.permissions.setReadOnly();

            if (permissions instanceof Permissions &&

                ((Permissions)permissions).allPermission != null) {

                hasAllPerm = true;

            }

        }

        this.classloader = classloader;

        this.principals = (principals != null ? principals.clone():

                           new Principal[0]);

        staticPermissions = false;

    }

    /**

     * Returns the CodeSource of this domain.

     * @return the CodeSource of this domain which may be null.

     * @since 1.2

     */

    public final CodeSource getCodeSource() {

        return this.codesource;

    }

    /**

     * Returns the ClassLoader of this domain.

     * @return the ClassLoader of this domain which may be null.

     *

     * @since 1.4

     */

    public final ClassLoader getClassLoader() {

        return this.classloader;

    }

    /**

     * Returns an array of principals for this domain.

     * @return a non-null array of principals for this domain.

     * Returns a new array each time this method is called.

     *

     * @since 1.4

     */

    public final Principal[] getPrincipals() {

        return this.principals.clone();

    }

    /**

     * Returns the static permissions granted to this domain.

     *

     * @return the static set of permissions for this domain which may be null.

     * @see Policy#refresh

     * @see Policy#getPermissions(ProtectionDomain)

     */

    public final PermissionCollection getPermissions() {

        return permissions;

    }

    /**

     * Returns true if this domain contains only static permissions

     * and does not check the current {@code Policy} at the time of

     * permission checking.

     *

     * @return true if this domain contains only static permissions.

     *

     * @since 9

     */

    public final boolean staticPermissionsOnly() {

        return this.staticPermissions;

    }

    /**

     * Check and see if this ProtectionDomain implies the permissions

     * expressed in the Permission object.

     * <p>

     * The set of permissions evaluated is a function of whether the

     * ProtectionDomain was constructed with a static set of permissions

     * or it was bound to a dynamically mapped set of permissions.

     * <p>

     * If the {@link #staticPermissionsOnly()} method returns

     * true, then the permission will only be checked against the

     * PermissionCollection supplied at construction.

     * <p>

     * Otherwise, the permission will be checked against the combination

     * of the PermissionCollection supplied at construction and

     * the current Policy binding.

     *

     * @param perm the Permission object to check.

     *

     * @return true if {@code perm} is implied by this ProtectionDomain.

     */

    public boolean implies(Permission perm) {

        if (hasAllPerm) {

            // internal permission collection already has AllPermission -

            // no need to go to policy

            return true;

        }

        if (!staticPermissions &&

            Policy.getPolicyNoCheck().implies(this, perm)) {

            return true;

        }

        if (permissions != null) {

            return permissions.implies(perm);

        }

        return false;

    }

    /**

     * This method has almost the same logic flow as {@link #implies} but

     * it ensures some level of FilePermission compatibility after JDK-8164705.

     *

     * This method is called by {@link AccessControlContext#checkPermission}

     * and not intended to be called by an application.

     */

    boolean impliesWithAltFilePerm(Permission perm) {

        // If FilePermCompat.compat is set (default value), FilePermission

        // checking compatibility should be considered.

        // If filePermCompatInPD is set, this method checks for alternative

        // FilePermission to keep compatibility for any Policy implementation.

        // When set to false (default value), implies() is called since

        // the PolicyFile implementation already supports compatibility.

        // If this is a subclass of ProtectionDomain, call implies()

        // because most likely user has overridden it.

        if (!filePermCompatInPD || !FilePermCompat.compat ||

                getClass() != ProtectionDomain.class) {

            return implies(perm);

        }

        if (hasAllPerm) {

            // internal permission collection already has AllPermission -

            // no need to go to policy

            return true;

        }

        Permission p2 = null;

        boolean p2Calculated = false;

        if (!staticPermissions) {

            Policy policy = Policy.getPolicyNoCheck();

            if (policy instanceof PolicyFile) {

                // The PolicyFile implementation supports compatibility

                // inside and it also covers the static permissions.

                return policy.implies(this, perm);

            } else {

                if (policy.implies(this, perm)) {

                    return true;

                }

                p2 = FilePermCompat.newPermUsingAltPath(perm);

                p2Calculated = true;

                if (p2 != null && policy.implies(this, p2)) {

                    return true;

                }

            }

        }

        if (permissions != null) {

            if (permissions.implies(perm)) {

                return true;

            } else {

                if (!p2Calculated) {

                    p2 = FilePermCompat.newPermUsingAltPath(perm);

                }

                if (p2 != null) {

                    return permissions.implies(p2);

                }

            }

        }

        return false;

    }

    // called by the VM -- do not remove

    boolean impliesCreateAccessControlContext() {

        return implies(SecurityConstants.CREATE_ACC_PERMISSION);

    }

    /**

     * Convert a ProtectionDomain to a String.

     */

    @Override public String toString() {

        String pals = "<no principals>";

        if (principals != null && principals.length > 0) {

            StringBuilder palBuf = new StringBuilder("(principals ");

            for (int i = 0; i < principals.length; i++) {

                palBuf.append(principals[i].getClass().getName() +

                            " \"" + principals[i].getName() +

                            "\"");

                if (i < principals.length-1)

                    palBuf.append(",\n");

                else

                    palBuf.append(")\n");

            }

            pals = palBuf.toString();

        }

        // Check if policy is set; we don't want to load

        // the policy prematurely here

        PermissionCollection pc = Policy.isSet() && seeAllp() ?

                                      mergePermissions():

                                      getPermissions();

        return "ProtectionDomain "+

            " "+codesource+"\n"+

            " "+classloader+"\n"+

            " "+pals+"\n"+

            " "+pc+"\n";

    }

    /*

     * holder class for the static field "debug" to delay its initialization

     */

    private static class DebugHolder {

        private static final Debug debug = Debug.getInstance("domain");

    }

    /**

     * Return true (merge policy permissions) in the following cases:

     *

     * . SecurityManager is null

     *

     * . SecurityManager is not null,

     *          debug is not null,

     *          SecurityManager impelmentation is in bootclasspath,

     *          Policy implementation is in bootclasspath

     *          (the bootclasspath restrictions avoid recursion)

     *

     * . SecurityManager is not null,

     *          debug is null,

     *          caller has Policy.getPolicy permission

     */

    private static boolean seeAllp() {

        SecurityManager sm = System.getSecurityManager();

        if (sm == null) {

            return true;

        } else {

            if (DebugHolder.debug != null) {

                if (sm.getClass().getClassLoader() == null &&

                    Policy.getPolicyNoCheck().getClass().getClassLoader()

                                                                == null) {

                    return true;

                }

            } else {

                try {

                    sm.checkPermission(SecurityConstants.GET_POLICY_PERMISSION);

                    return true;

                } catch (SecurityException se) {

                    // fall thru and return false

                }

            }

        }

        return false;

    }

    private PermissionCollection mergePermissions() {

        if (staticPermissions)

            return permissions;

        PermissionCollection perms =

            java.security.AccessController.doPrivileged

            (new java.security.PrivilegedAction<>() {

                    public PermissionCollection run() {

                        Policy p = Policy.getPolicyNoCheck();

                        return p.getPermissions(ProtectionDomain.this);

                    }

                });

        Permissions mergedPerms = new Permissions();

        int swag = 32;

        int vcap = 8;

        Enumeration<Permission> e;

        List<Permission> pdVector = new ArrayList<>(vcap);

        List<Permission> plVector = new ArrayList<>(swag);

        //

        // Build a vector of domain permissions for subsequent merge

        if (permissions != null) {

            synchronized (permissions) {

                e = permissions.elements();