org.opensearch.script.ClassPermission Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of opensearch Show documentation
Show all versions of opensearch Show documentation
OpenSearch subproject :server
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*/
/*
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
/*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/
package org.opensearch.script;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
/**
* Checked by scripting engines to allow loading a java class.
*
* Examples:
*
* Allow permission to {@code java.util.List}
*
permission org.opensearch.script.ClassPermission "java.util.List";
* Allow permission to classes underneath {@code java.util} (and its subpackages such as {@code java.util.zip})
* permission org.opensearch.script.ClassPermission "java.util.*";
* Allow permission to standard predefined list of basic classes (see list below)
* permission org.opensearch.script.ClassPermission "<<STANDARD>>";
* Allow permission to all classes
* permission org.opensearch.script.ClassPermission "*";
*
* Set of classes (allowed by special value <<STANDARD>>):
*
* - {@link java.lang.Boolean}
* - {@link java.lang.Byte}
* - {@link java.lang.Character}
* - {@link java.lang.Double}
* - {@link java.lang.Integer}
* - {@link java.lang.Long}
* - {@link java.lang.Math}
* - {@link java.lang.Object}
* - {@link java.lang.Short}
* - {@link java.lang.String}
* - {@link java.math.BigDecimal}
* - {@link java.util.ArrayList}
* - {@link java.util.Arrays}
* - {@link java.util.Date}
* - {@link java.util.HashMap}
* - {@link java.util.HashSet}
* - {@link java.util.Iterator}
* - {@link java.util.List}
* - {@link java.util.Map}
* - {@link java.util.Set}
* - {@link java.util.UUID}
* - {@link org.joda.time.DateTime}
* - {@link org.joda.time.DateTimeUtils}
* - {@link org.joda.time.DateTimeZone}
* - {@link org.joda.time.Instant}
* - {@link org.joda.time.ReadableDateTime}
* - {@link org.joda.time.ReadableInstant}
*
*
* @opensearch.internal
*/
public final class ClassPermission extends BasicPermission {
public static final String STANDARD = "<>";
/** Typical set of classes for scripting: basic data types, math, dates, and simple collections */
// this is the list from the old grovy sandbox impl (+ some things like String, Iterator, etc that were missing)
public static final Set STANDARD_CLASSES = Collections.unmodifiableSet(
new HashSet<>(
Arrays.asList(
// jdk classes
java.lang.Boolean.class.getName(),
java.lang.Byte.class.getName(),
java.lang.Character.class.getName(),
java.lang.Double.class.getName(),
java.lang.Integer.class.getName(),
java.lang.Long.class.getName(),
java.lang.Math.class.getName(),
java.lang.Object.class.getName(),
java.lang.Short.class.getName(),
java.lang.String.class.getName(),
java.math.BigDecimal.class.getName(),
java.util.ArrayList.class.getName(),
java.util.Arrays.class.getName(),
java.util.Date.class.getName(),
java.util.HashMap.class.getName(),
java.util.HashSet.class.getName(),
java.util.Iterator.class.getName(),
java.util.List.class.getName(),
java.util.Map.class.getName(),
java.util.Set.class.getName(),
java.util.UUID.class.getName(),
// joda-time
org.joda.time.DateTime.class.getName(),
org.joda.time.DateTimeUtils.class.getName(),
org.joda.time.DateTimeZone.class.getName(),
org.joda.time.Instant.class.getName(),
org.joda.time.ReadableDateTime.class.getName(),
org.joda.time.ReadableInstant.class.getName()
)
)
);
/**
* Creates a new ClassPermission object.
*
* @param name class to grant permission to
*/
public ClassPermission(String name) {
super(name);
}
/**
* Creates a new ClassPermission object.
* This constructor exists for use by the {@code Policy} object to instantiate new Permission objects.
*
* @param name class to grant permission to
* @param actions ignored
*/
public ClassPermission(String name, String actions) {
this(name);
}
@Override
public boolean implies(Permission p) {
// check for a special value of STANDARD to imply the basic set
if (p != null && p.getClass() == getClass()) {
ClassPermission other = (ClassPermission) p;
if (STANDARD.equals(getName()) && STANDARD_CLASSES.contains(other.getName())) {
return true;
}
}
return super.implies(p);
}
@Override
public PermissionCollection newPermissionCollection() {
// BasicPermissionCollection only handles wildcards, we expand <> here
PermissionCollection impl = super.newPermissionCollection();
return new PermissionCollection() {
@Override
public void add(Permission permission) {
if (permission instanceof ClassPermission && STANDARD.equals(permission.getName())) {
for (String clazz : STANDARD_CLASSES) {
impl.add(new ClassPermission(clazz));
}
} else {
impl.add(permission);
}
}
@Override
public boolean implies(Permission permission) {
return impl.implies(permission);
}
@Override
public Enumeration elements() {
return impl.elements();
}
};
}
}