Remove support for UNO_AC* bootstrap variables
...they had effectively never been used. Change-Id: I514f2b844661e144cef758eb3ce7c4607ffad635
This commit is contained in:
Stephan Bergmann
@@ -59,7 +59,6 @@
|
||||
#define SMGR_SINGLETON "/singletons/com.sun.star.lang.theServiceManager"
|
||||
#define TDMGR_SINGLETON "/singletons/com.sun.star.reflection.theTypeDescriptionManager"
|
||||
#define AC_SINGLETON "/singletons/com.sun.star.security.theAccessController"
|
||||
#define AC_POLICY "/singletons/com.sun.star.security.thePolicy"
|
||||
#define OUSTR(x) ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM(x) )
|
||||
|
||||
|
||||
@@ -694,7 +693,7 @@ void ComponentContext::disposing()
|
||||
::fprintf( stderr, "> disposing context %p\n", this );
|
||||
#endif
|
||||
|
||||
Reference< lang::XComponent > xTDMgr, xAC, xPolicy; // to be disposed separately
|
||||
Reference< lang::XComponent > xTDMgr, xAC; // to be disposed separately
|
||||
|
||||
// dispose all context objects
|
||||
t_map::const_iterator iPos( m_map.begin() );
|
||||
@@ -731,10 +730,6 @@ void ComponentContext::disposing()
|
||||
{
|
||||
xAC = xComp;
|
||||
}
|
||||
else if ( iPos->first == AC_POLICY )
|
||||
{
|
||||
xPolicy = xComp;
|
||||
}
|
||||
else // dispose immediately
|
||||
{
|
||||
xComp->dispose();
|
||||
@@ -748,8 +743,6 @@ void ComponentContext::disposing()
|
||||
m_xSMgr.clear();
|
||||
// dispose ac
|
||||
try_dispose( xAC );
|
||||
// dispose policy
|
||||
try_dispose( xPolicy );
|
||||
// dispose tdmgr; revokes callback from cppu runtime
|
||||
try_dispose( xTDMgr );
|
||||
|
||||
|
||||
@@ -115,7 +115,7 @@ cppu::defaultBootstrap_InitialComponentContext(rtl::OUString const & iniUri)
|
||||
"/singletons/" + i->first,
|
||||
css::uno::makeAny(i->second[0]->info->name), true));
|
||||
}
|
||||
cppu::add_access_control_entries(&context_values, bs);
|
||||
cppu::add_access_control_entries(&context_values);
|
||||
assert(!context_values.empty());
|
||||
css::uno::Reference< css::uno::XComponentContext > context(
|
||||
createComponentContext(
|
||||
|
||||
@@ -40,151 +40,22 @@ using namespace ::com::sun::star::uno;
|
||||
namespace cppu
|
||||
{
|
||||
|
||||
/** bootstrap variables:
|
||||
|
||||
UNO_AC=<mode> [mandatory]
|
||||
-- mode := { on, off, dynamic-only, single-user, single-default-user }
|
||||
UNO_AC_SERVICE=<service_name> [optional]
|
||||
-- override ac singleton service name
|
||||
UNO_AC_SINGLEUSER=<user-id|nothing> [optional]
|
||||
-- run with this user id or with default user policy (<nothing>)
|
||||
set UNO_AC=single-[default-]user
|
||||
UNO_AC_USERCACHE_SIZE=<cache_size>
|
||||
-- number of user permission sets to be cached
|
||||
|
||||
UNO_AC_POLICYSERVICE=<service_name> [optional]
|
||||
-- override policy singleton service name
|
||||
UNO_AC_POLICYFILE=<file_url> [optional]
|
||||
-- read policy out of simple text file
|
||||
*/
|
||||
void add_access_control_entries(
|
||||
::std::vector< ContextEntry_Init > * values,
|
||||
Bootstrap const & bootstrap )
|
||||
void add_access_control_entries( ::std::vector< ContextEntry_Init > * values )
|
||||
SAL_THROW( (Exception) )
|
||||
{
|
||||
ContextEntry_Init entry;
|
||||
::std::vector< ContextEntry_Init > & context_values = *values;
|
||||
|
||||
OUString ac_policy;
|
||||
if (bootstrap.getFrom( OUSTR("UNO_AC_POLICYSERVICE"), ac_policy ))
|
||||
{
|
||||
// overridden service name
|
||||
// - policy singleton
|
||||
entry.bLateInitService = true;
|
||||
entry.name = OUSTR("/singletons/com.sun.star.security.thePolicy");
|
||||
entry.value <<= ac_policy;
|
||||
context_values.push_back( entry );
|
||||
}
|
||||
else if (bootstrap.getFrom( OUSTR("UNO_AC_POLICYFILE"), ac_policy ))
|
||||
{
|
||||
// check for file policy
|
||||
// - file policy prop: file-name
|
||||
if (0 != ac_policy.compareToAscii(
|
||||
RTL_CONSTASCII_STRINGPARAM("file:///") ))
|
||||
{
|
||||
// no file url
|
||||
OUString baseDir;
|
||||
if ( ::osl_getProcessWorkingDir( &baseDir.pData )
|
||||
!= osl_Process_E_None )
|
||||
{
|
||||
OSL_ASSERT( false );
|
||||
}
|
||||
OUString fileURL;
|
||||
if ( ::osl_getAbsoluteFileURL(
|
||||
baseDir.pData, ac_policy.pData, &fileURL.pData )
|
||||
!= osl_File_E_None )
|
||||
{
|
||||
OSL_ASSERT( false );
|
||||
}
|
||||
ac_policy = fileURL;
|
||||
}
|
||||
|
||||
entry.bLateInitService = false;
|
||||
entry.name =
|
||||
OUSTR("/implementations/com.sun.star.security.comp.stoc.FilePolicy/"
|
||||
"file-name");
|
||||
entry.value <<= ac_policy;
|
||||
context_values.push_back( entry );
|
||||
// - policy singleton
|
||||
entry.bLateInitService = true;
|
||||
entry.name = OUSTR("/singletons/com.sun.star.security.thePolicy");
|
||||
entry.value <<= OUSTR("com.sun.star.security.comp.stoc.FilePolicy");
|
||||
context_values.push_back( entry );
|
||||
} // else policy singleton comes from storage
|
||||
|
||||
OUString ac_mode;
|
||||
if (! bootstrap.getFrom( OUSTR("UNO_AC"), ac_mode ))
|
||||
{
|
||||
ac_mode = OUSTR("off"); // default
|
||||
}
|
||||
OUString ac_user;
|
||||
if (bootstrap.getFrom( OUSTR("UNO_AC_SINGLEUSER"), ac_user ))
|
||||
{
|
||||
// ac in single-user mode
|
||||
if (!ac_user.isEmpty())
|
||||
{
|
||||
// - ac prop: single-user-id
|
||||
entry.bLateInitService = false;
|
||||
entry.name =
|
||||
OUSTR("/services/com.sun.star.security.AccessController/"
|
||||
"single-user-id");
|
||||
entry.value <<= ac_user;
|
||||
context_values.push_back( entry );
|
||||
if ( ac_mode != "single-user" )
|
||||
{
|
||||
throw SecurityException(
|
||||
OUSTR("set UNO_AC=single-user "
|
||||
"if you set UNO_AC_SINGLEUSER=<user-id>!"),
|
||||
Reference< XInterface >() );
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( ac_mode != "single-default-user" )
|
||||
{
|
||||
throw SecurityException(
|
||||
OUSTR("set UNO_AC=single-default-user "
|
||||
"if you set UNO_AC_SINGLEUSER=<nothing>!"),
|
||||
Reference< XInterface >() );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
OUString ac_service;
|
||||
if (! bootstrap.getFrom( OUSTR("UNO_AC_SERVICE"), ac_service ))
|
||||
{
|
||||
// override service name
|
||||
ac_service = OUSTR("com.sun.star.security.AccessController"); // default
|
||||
// ac = OUSTR("com.sun.star.security.comp.stoc.AccessController");
|
||||
}
|
||||
|
||||
// - ac prop: user-cache-size
|
||||
OUString ac_cache;
|
||||
if (bootstrap.getFrom( OUSTR("UNO_AC_USERCACHE_SIZE"), ac_cache ))
|
||||
{
|
||||
// ac cache size
|
||||
sal_Int32 n = ac_cache.toInt32();
|
||||
if (0 < n)
|
||||
{
|
||||
entry.bLateInitService = false;
|
||||
entry.name =
|
||||
OUSTR("/services/com.sun.star.security.AccessController/"
|
||||
"user-cache-size");
|
||||
entry.value <<= n;
|
||||
context_values.push_back( entry );
|
||||
}
|
||||
}
|
||||
|
||||
// - ac prop: mode
|
||||
// { "off", "on", "dynamic-only", "single-user", "single-default-user" }
|
||||
entry.bLateInitService = false;
|
||||
entry.name = OUSTR("/services/com.sun.star.security.AccessController/mode");
|
||||
entry.value <<= ac_mode;
|
||||
entry.value <<= OUSTR("off");
|
||||
context_values.push_back( entry );
|
||||
// - ac singleton
|
||||
entry.bLateInitService = true;
|
||||
entry.name = OUSTR("/singletons/com.sun.star.security.theAccessController");
|
||||
entry.value <<= ac_service;
|
||||
entry.value <<= OUSTR("com.sun.star.security.AccessController");
|
||||
context_values.push_back( entry );
|
||||
}
|
||||
|
||||
|
||||
@@ -28,13 +28,10 @@
|
||||
#include "sal/types.h"
|
||||
|
||||
namespace cppu { struct ContextEntry_Init; }
|
||||
namespace rtl { class Bootstrap; }
|
||||
|
||||
namespace cppu {
|
||||
|
||||
void add_access_control_entries(
|
||||
std::vector< cppu::ContextEntry_Init > * values,
|
||||
rtl::Bootstrap const & bootstrap)
|
||||
void add_access_control_entries(std::vector< cppu::ContextEntry_Init > * values)
|
||||
SAL_THROW((com::sun::star::uno::Exception));
|
||||
|
||||
}
|
||||
|
||||
@@ -472,6 +472,10 @@ AccessController::AccessController( Reference< XComponentContext > const & xComp
|
||||
{
|
||||
g_moduleCount.modCnt.acquire( &g_moduleCount.modCnt );
|
||||
|
||||
// The .../mode value had originally been set in
|
||||
// cppu::add_access_control_entries (cppuhelper/source/servicefactory.cxx)
|
||||
// to something other than "off" depending on various UNO_AC* bootstrap
|
||||
// variables that are no longer supported, so this is mostly dead code now:
|
||||
OUString mode;
|
||||
if (m_xComponentContext->getValueByName( OUSTR("/services/" SERVICE_NAME "/mode") ) >>= mode)
|
||||
{
|
||||
|
||||
@@ -438,7 +438,10 @@ PolicyReader::~PolicyReader()
|
||||
void FilePolicy::refresh()
|
||||
throw (RuntimeException)
|
||||
{
|
||||
// read out file
|
||||
// read out file (the .../file-name value had originally been set in
|
||||
// cppu::add_access_control_entries (cppuhelper/source/servicefactory.cxx)
|
||||
// depending on various UNO_AC* bootstrap variables that are no longer
|
||||
// supported, so this is effectively dead code):
|
||||
OUString fileName;
|
||||
m_xComponentContext->getValueByName(
|
||||
OUSTR("/implementations/" IMPL_NAME "/file-name") ) >>= fileName;
|
||||
|
||||
@@ -1,49 +0,0 @@
|
||||
#
|
||||
# This file is part of the LibreOffice project.
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# This file incorporates work covered by the following license notice:
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed
|
||||
# with this work for additional information regarding copyright
|
||||
# ownership. The ASF licenses this file to you under the Apache
|
||||
# License, Version 2.0 (the "License"); you may not use this file
|
||||
# except in compliance with the License. You may obtain a copy of
|
||||
# the License at http://www.apache.org/licenses/LICENSE-2.0 .
|
||||
#
|
||||
PRJ=..$/..
|
||||
|
||||
PRJNAME=stoc
|
||||
TARGET=test_security
|
||||
TARGETTYPE=CUI
|
||||
LIBTARGET=NO
|
||||
ENABLE_EXCEPTIONS=TRUE
|
||||
|
||||
# --- Settings -----------------------------------------------------
|
||||
|
||||
.INCLUDE : settings.mk
|
||||
|
||||
# --- Application 1 ------------------------------------------------
|
||||
APP1TARGET= $(TARGET)
|
||||
APP1OBJS= $(OBJ)$/test_security.obj
|
||||
|
||||
APP1STDLIBS= \
|
||||
$(CPPULIB) \
|
||||
$(CPPUHELPERLIB) \
|
||||
$(SALHELPERLIB) \
|
||||
$(SALLIB)
|
||||
|
||||
.IF "$(OS)"=="WNT"
|
||||
APP1STDLIBS+=
|
||||
# $(LIBCIMT) $(LIBCMT)
|
||||
.ENDIF
|
||||
|
||||
|
||||
# --- Target ------------------------------------------------
|
||||
|
||||
.INCLUDE : target.mk
|
||||
|
||||
@@ -1,515 +0,0 @@
|
||||
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
|
||||
/*
|
||||
* This file is part of the LibreOffice project.
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*
|
||||
* This file incorporates work covered by the following license notice:
|
||||
*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed
|
||||
* with this work for additional information regarding copyright
|
||||
* ownership. The ASF licenses this file to you under the Apache
|
||||
* License, Version 2.0 (the "License"); you may not use this file
|
||||
* except in compliance with the License. You may obtain a copy of
|
||||
* the License at http://www.apache.org/licenses/LICENSE-2.0 .
|
||||
*/
|
||||
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#include <sal/main.h>
|
||||
#include <osl/diagnose.h>
|
||||
#include <osl/socket.hxx>
|
||||
#include <rtl/string.hxx>
|
||||
#include <rtl/ustrbuf.hxx>
|
||||
#include <uno/current_context.hxx>
|
||||
|
||||
#include <cppuhelper/implbase1.hxx>
|
||||
#include <cppuhelper/bootstrap.hxx>
|
||||
#include <cppuhelper/access_control.hxx>
|
||||
|
||||
#include <com/sun/star/lang/XComponent.hpp>
|
||||
#include <com/sun/star/uno/XCurrentContext.hpp>
|
||||
|
||||
#include <com/sun/star/io/FilePermission.hpp>
|
||||
|
||||
#define USER_CREDS "access-control.user-credentials"
|
||||
#define OUSTR(x) ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM(x) )
|
||||
|
||||
|
||||
using namespace ::osl;
|
||||
using namespace ::rtl;
|
||||
using namespace ::cppu;
|
||||
using namespace ::com::sun::star;
|
||||
using namespace ::com::sun::star::uno;
|
||||
|
||||
//--------------------------------------------------------------------------------------------------
|
||||
static OUString localhost( OUString const & addition ) SAL_THROW(())
|
||||
{
|
||||
static OUString ip;
|
||||
if (! ip.getLength())
|
||||
{
|
||||
// dns lookup
|
||||
SocketAddr addr;
|
||||
SocketAddr::resolveHostname( OUSTR("localhost"), addr );
|
||||
::oslSocketResult rc = ::osl_getDottedInetAddrOfSocketAddr( addr.getHandle(), &ip.pData );
|
||||
if (::osl_Socket_Ok != rc)
|
||||
fprintf(stdout, "### cannot resolve localhost!" );
|
||||
}
|
||||
OUStringBuffer buf( 48 );
|
||||
buf.append( ip );
|
||||
buf.append( addition );
|
||||
return buf.makeStringAndClear();
|
||||
}
|
||||
|
||||
//--------------------------------------------------------------------------------------------------
|
||||
static inline void dispose( Reference< XInterface > const & x )
|
||||
SAL_THROW( (RuntimeException) )
|
||||
{
|
||||
Reference< lang::XComponent > xComp( x, UNO_QUERY );
|
||||
if (xComp.is())
|
||||
{
|
||||
xComp->dispose();
|
||||
}
|
||||
}
|
||||
//==================================================================================================
|
||||
class user_CurrentContext
|
||||
: public ImplHelper1< XCurrentContext >
|
||||
{
|
||||
oslInterlockedCount m_refcount;
|
||||
|
||||
Reference< XCurrentContext > m_xDelegate;
|
||||
Any m_userId;
|
||||
|
||||
public:
|
||||
inline user_CurrentContext(
|
||||
Reference< XCurrentContext > const & xDelegate,
|
||||
OUString const & userId )
|
||||
SAL_THROW(())
|
||||
: m_refcount( 0 )
|
||||
, m_xDelegate( xDelegate )
|
||||
, m_userId( makeAny( userId ) )
|
||||
{}
|
||||
|
||||
// XInterface impl
|
||||
virtual void SAL_CALL acquire()
|
||||
throw ();
|
||||
virtual void SAL_CALL release()
|
||||
throw ();
|
||||
|
||||
// XCurrentContext impl
|
||||
virtual Any SAL_CALL getValueByName( OUString const & name )
|
||||
throw (RuntimeException);
|
||||
};
|
||||
//__________________________________________________________________________________________________
|
||||
void user_CurrentContext::acquire()
|
||||
throw ()
|
||||
{
|
||||
::osl_atomic_increment( &m_refcount );
|
||||
}
|
||||
//__________________________________________________________________________________________________
|
||||
void user_CurrentContext::release()
|
||||
throw ()
|
||||
{
|
||||
if (! ::osl_atomic_decrement( &m_refcount ))
|
||||
{
|
||||
delete this;
|
||||
}
|
||||
}
|
||||
//__________________________________________________________________________________________________
|
||||
Any user_CurrentContext::getValueByName( OUString const & name )
|
||||
throw (RuntimeException)
|
||||
{
|
||||
if ( name == USER_CREDS ".id" )
|
||||
{
|
||||
return m_userId;
|
||||
}
|
||||
else if (m_xDelegate.is())
|
||||
{
|
||||
return m_xDelegate->getValueByName( name );
|
||||
}
|
||||
else
|
||||
{
|
||||
return Any();
|
||||
}
|
||||
}
|
||||
|
||||
// prepends line number
|
||||
#define CHECK( check, negative_test ) \
|
||||
{ \
|
||||
try \
|
||||
{ \
|
||||
if (negative_test) \
|
||||
{ \
|
||||
bool thrown = true; \
|
||||
try \
|
||||
{ \
|
||||
check; \
|
||||
thrown = false; \
|
||||
} \
|
||||
catch (RuntimeException &) \
|
||||
{ \
|
||||
} \
|
||||
if (! thrown) \
|
||||
{ \
|
||||
throw RuntimeException( \
|
||||
OUSTR("expected RuntimeException upon check!"), Reference< XInterface >() ); \
|
||||
} \
|
||||
} \
|
||||
else \
|
||||
{ \
|
||||
check; \
|
||||
} \
|
||||
} \
|
||||
catch (const RuntimeException & exc) \
|
||||
{ \
|
||||
OUStringBuffer buf( 64 ); \
|
||||
buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("[line ") ); \
|
||||
buf.append( (sal_Int32)__LINE__ ); \
|
||||
buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("] ") ); \
|
||||
buf.append( exc.Message ); \
|
||||
throw RuntimeException( buf.makeStringAndClear(), Reference< XInterface >() ); \
|
||||
} \
|
||||
}
|
||||
|
||||
/*
|
||||
grant
|
||||
{
|
||||
permission com.sun.star.io.FilePermission "file:///usr/bin/ *", "read";
|
||||
permission com.sun.star.io.FilePermission "file:///tmp/-", "read,write";
|
||||
permission com.sun.star.io.FilePermission "file:///etc/profile", "read";
|
||||
|
||||
permission com.sun.star.security.RuntimePermission "DEF";
|
||||
|
||||
permission com.sun.star.connection.SocketPermission "127.0.0.1:-1023", "resolve, connect, listen";
|
||||
permission com.sun.star.connection.SocketPermission "localhost:1024-", "accept, connect, listen, resolve,";
|
||||
permission com.sun.star.connection.SocketPermission "*.sun.com:1024-", "resolve";
|
||||
};
|
||||
*/
|
||||
static void check_defaults_pos( AccessControl & ac, bool invert = false )
|
||||
{
|
||||
// positive tests
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("read") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///tmp/bla"), OUSTR("read,write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///tmp/path/path/bla"), OUSTR("write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("read") ), invert );
|
||||
CHECK( ac.checkRuntimePermission( OUSTR("DEF") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("localhost:1024"), OUSTR("connect") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("localhost:65535"), OUSTR("resolve") ), invert );
|
||||
CHECK( ac.checkSocketPermission( localhost(OUSTR(":2048")), OUSTR("accept,listen") ), invert );
|
||||
CHECK( ac.checkSocketPermission( localhost(OUSTR(":1024-")), OUSTR("accept,connect,listen,resolve") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("resolve,listen,connect") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("jl-1036.germany.sun.com:1024-"), OUSTR("resolve") ), invert );
|
||||
}
|
||||
static void check_defaults_neg( AccessControl & ac, bool invert = false )
|
||||
{
|
||||
// negative tests
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/tmp"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("write") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("execute") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/path/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///tmp"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///tmp/"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///tm"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("write") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("delete") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUString() ), !invert );
|
||||
CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("localhost:1023"), OUSTR("accept") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("localhost:123-"), OUSTR("accept") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( localhost(OUSTR(":-1023")), OUSTR("accept") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("accept,resolve") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("sun.com:1024-"), OUSTR("resolve") ), !invert );
|
||||
}
|
||||
|
||||
/*
|
||||
grant user "dbo"
|
||||
{
|
||||
permission com.sun.star.io.FilePermission "file:///home/dbo/-", "read,write";
|
||||
permission com.sun.star.io.FilePermission "-", "read,write";
|
||||
permission com.sun.star.io.FilePermission "file:///usr/local/dbo/ *", "read";
|
||||
|
||||
permission com.sun.star.security.RuntimePermission "DBO";
|
||||
|
||||
permission com.sun.star.connection.SocketPermission "dbo-1:1024-", "listen";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081:-1023", "resolve";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081:18", "listen";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081:20-24", "listen";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081", "connect";
|
||||
};
|
||||
*/
|
||||
static void check_dbo_pos( AccessControl & ac, bool invert = false )
|
||||
{
|
||||
check_defaults_pos( ac, invert );
|
||||
// positive tests
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read,write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/*"), OUSTR("read") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), invert );
|
||||
CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-1:1024-"), OUSTR("listen") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-3122"), OUSTR("listen") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-"), OUSTR("listen") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:-1023"), OUSTR("resolve") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-1023"), OUSTR("resolve") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:18"), OUSTR("listen") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-24"), OUSTR("listen") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("listen") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("connect") ), invert );
|
||||
}
|
||||
static void check_dbo_neg( AccessControl & ac, bool invert = false )
|
||||
{
|
||||
check_defaults_neg( ac, invert );
|
||||
// negative tests
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,execute") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("listen") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("accept") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:22"), OUSTR("resolve") ), !invert );
|
||||
}
|
||||
|
||||
/*
|
||||
grant user "jbu"
|
||||
{
|
||||
permission com.sun.star.io.FilePermission "file:///home/jbu/-", "read,write";
|
||||
permission com.sun.star.io.FilePermission "*", "read,write";
|
||||
|
||||
permission com.sun.star.security.RuntimePermission "JBU";
|
||||
|
||||
permission com.sun.star.connection.SocketPermission "jbu-11096","resolve";
|
||||
};
|
||||
*/
|
||||
static void check_jbu_pos( AccessControl & ac, bool invert = false )
|
||||
{
|
||||
check_defaults_pos( ac, invert );
|
||||
// positive tests
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read,write") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/path/bla"), OUSTR("read,write") ), invert );
|
||||
CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("jbu-11096"), OUSTR("resolve") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("resolve") ), invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com:2048"), OUSTR("resolve") ), invert );
|
||||
}
|
||||
static void check_jbu_neg( AccessControl & ac, bool invert = false )
|
||||
{
|
||||
check_defaults_neg( ac, invert );
|
||||
// negative tests
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert );
|
||||
CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("accept") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), !invert );
|
||||
CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com"), OUSTR("connect") ), !invert );
|
||||
}
|
||||
|
||||
/*
|
||||
grant principal "root"
|
||||
{
|
||||
permission com.sun.star.security.AllPermission;
|
||||
};
|
||||
*/
|
||||
//==================================================================================================
|
||||
static void check_root_pos( AccessControl & ac, bool invert = false )
|
||||
{
|
||||
check_defaults_pos( ac, invert );
|
||||
check_defaults_neg( ac, !invert );
|
||||
check_dbo_pos( ac, invert );
|
||||
check_dbo_neg( ac, !invert );
|
||||
check_jbu_pos( ac, invert );
|
||||
check_jbu_neg( ac, !invert );
|
||||
// some more root positive
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), invert );
|
||||
CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), invert );
|
||||
CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), invert );
|
||||
}
|
||||
|
||||
//==================================================================================================
|
||||
class acc_Restr
|
||||
: public WeakImplHelper1< security::XAccessControlContext >
|
||||
{
|
||||
Any m_perm;
|
||||
|
||||
public:
|
||||
inline acc_Restr( Any const & perm = Any() ) SAL_THROW(())
|
||||
: m_perm( perm )
|
||||
{}
|
||||
|
||||
// XAccessControlContext impl
|
||||
virtual void SAL_CALL checkPermission( Any const & perm )
|
||||
throw (RuntimeException);
|
||||
};
|
||||
//__________________________________________________________________________________________________
|
||||
void acc_Restr::checkPermission( Any const & perm )
|
||||
throw (RuntimeException)
|
||||
{
|
||||
if (perm != m_perm)
|
||||
{
|
||||
throw security::AccessControlException(
|
||||
OUSTR("dyn violation!"), Reference< XInterface >(), perm );
|
||||
}
|
||||
}
|
||||
|
||||
typedef void (* t_action)( AccessControl &, Any const & arg );
|
||||
|
||||
//==================================================================================================
|
||||
class Action
|
||||
: public WeakImplHelper1< security::XAction >
|
||||
{
|
||||
t_action m_action;
|
||||
AccessControl & m_ac;
|
||||
Any m_arg;
|
||||
|
||||
public:
|
||||
inline Action( t_action action, AccessControl & ac, Any const & arg = Any() ) SAL_THROW(())
|
||||
: m_action( action )
|
||||
, m_ac( ac )
|
||||
, m_arg( arg )
|
||||
{}
|
||||
|
||||
// XAction impl
|
||||
virtual Any SAL_CALL run()
|
||||
throw (Exception);
|
||||
};
|
||||
//__________________________________________________________________________________________________
|
||||
Any Action::run()
|
||||
throw (Exception)
|
||||
{
|
||||
(*m_action)( m_ac, m_arg );
|
||||
return Any();
|
||||
}
|
||||
|
||||
//==================================================================================================
|
||||
// static void restr_file_permissions( AccessControl & ac )
|
||||
// {
|
||||
// // running in dbo's domain
|
||||
// /* permission com.sun.star.io.FilePermission "file:///home/dbo/-", ",,read , write "; */
|
||||
// CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write,execute") ), true );
|
||||
// CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), false );
|
||||
// }
|
||||
//==================================================================================================
|
||||
static void all_dbo_permissions( AccessControl & ac, Any const & )
|
||||
{
|
||||
check_dbo_pos( ac );
|
||||
check_dbo_neg( ac );
|
||||
}
|
||||
//==================================================================================================
|
||||
static void no_permissions( AccessControl & ac, Any const & arg )
|
||||
{
|
||||
check_dbo_pos( ac, true );
|
||||
check_dbo_neg( ac );
|
||||
// set privs to old dbo restr
|
||||
Reference< security::XAccessControlContext > xContext;
|
||||
OSL_VERIFY( arg >>= xContext );
|
||||
ac->doPrivileged(
|
||||
new Action( all_dbo_permissions, ac ),
|
||||
xContext );
|
||||
}
|
||||
//==================================================================================================
|
||||
static void check_dbo_dynamic( AccessControl & ac )
|
||||
{
|
||||
Any arg( makeAny( ac->getContext() ) );
|
||||
ac->doRestricted(
|
||||
new Action( no_permissions, ac, arg ),
|
||||
new acc_Restr() );
|
||||
}
|
||||
|
||||
SAL_IMPLEMENT_MAIN()
|
||||
{
|
||||
try
|
||||
{
|
||||
// single-user test
|
||||
Reference< XComponentContext > xContext( defaultBootstrap_InitialComponentContext(
|
||||
OUSTR("../../test/security/test_security_singleuser.ini") ) );
|
||||
{
|
||||
::fprintf( stderr, "[security test] single-user checking dbo..." );
|
||||
AccessControl ac( xContext );
|
||||
check_dbo_pos( ac );
|
||||
check_dbo_neg( ac );
|
||||
check_dbo_dynamic( ac );
|
||||
::fprintf( stderr, "dbo checked.\n" );
|
||||
}
|
||||
|
||||
// multi-user test
|
||||
dispose( xContext );
|
||||
xContext = defaultBootstrap_InitialComponentContext(
|
||||
OUSTR("../../test/security/test_security.ini") ); // UNO_AC=on
|
||||
AccessControl ac( xContext );
|
||||
|
||||
{
|
||||
// set up dbo current context
|
||||
ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("dbo") ) );
|
||||
::fprintf( stderr, "[security test] multi-user checking dbo..." );
|
||||
check_dbo_pos( ac );
|
||||
check_dbo_neg( ac );
|
||||
check_dbo_dynamic( ac );
|
||||
::fprintf( stderr, "dbo checked.\n" );
|
||||
}
|
||||
{
|
||||
// set up jbu current context
|
||||
ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("jbu") ) );
|
||||
::fprintf( stderr, "[security test] multi-user checking jbu..." );
|
||||
check_jbu_pos( ac );
|
||||
check_jbu_neg( ac );
|
||||
::fprintf( stderr, "jbu checked.\n" );
|
||||
}
|
||||
{
|
||||
// set up root current context
|
||||
ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("root") ) );
|
||||
::fprintf( stderr, "[security test] multi-user checking root..." );
|
||||
check_root_pos( ac );
|
||||
::fprintf( stderr, "root checked.\n" );
|
||||
}
|
||||
{
|
||||
// set up unknown guest user current context => default permissions
|
||||
ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("guest") ) );
|
||||
::fprintf( stderr, "[security test] multi-user checking guest..." );
|
||||
check_defaults_pos( ac );
|
||||
check_defaults_neg( ac );
|
||||
::fprintf( stderr, "guest checked.\n" );
|
||||
}
|
||||
|
||||
dispose( xContext );
|
||||
::fprintf( stderr, "security test succeeded.\n" );
|
||||
return 0;
|
||||
}
|
||||
catch (const Exception & exc)
|
||||
{
|
||||
OString str( OUStringToOString( exc.Message, RTL_TEXTENCODING_ASCII_US ) );
|
||||
::fprintf( stderr, "[security test] error: %s!\n", str.getStr() );
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
|
||||
@@ -1,24 +0,0 @@
|
||||
#
|
||||
# This file is part of the LibreOffice project.
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# This file incorporates work covered by the following license notice:
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed
|
||||
# with this work for additional information regarding copyright
|
||||
# ownership. The ASF licenses this file to you under the Apache
|
||||
# License, Version 2.0 (the "License"); you may not use this file
|
||||
# except in compliance with the License. You may obtain a copy of
|
||||
# the License at http://www.apache.org/licenses/LICENSE-2.0 .
|
||||
#
|
||||
|
||||
UNO_TYPES=stoctest.rdb
|
||||
UNO_SERVICES=stoctest.rdb
|
||||
UNO_WRITERDB=stoctest.rdb
|
||||
UNO_AC=on
|
||||
UNO_AC_POLICYFILE=../../test/security/test_security.policy
|
||||
UNO_AC_USERCACHE_SIZE=2
|
||||
@@ -1,37 +0,0 @@
|
||||
/** dbo
|
||||
permissions
|
||||
*/
|
||||
grant user "dbo"{
|
||||
permission com.sun.star.io.FilePermission "file:///home/dbo/-", ",,read , write ";
|
||||
permission com.sun.star.io.FilePermission "-", "read ,write";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-1:1024-", "listen";
|
||||
permission com.sun.star.security.RuntimePermission "DBO";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081:-1023", "resolve";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081:18", "listen";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081:20-24", "listen";
|
||||
permission com.sun.star.connection.SocketPermission "dbo-11081", "connect";
|
||||
permission com.sun.star.io.FilePermission "file:///usr/local/dbo/*" , "read ";};
|
||||
grant user "jbu" {
|
||||
permission com.sun.star.security.RuntimePermission "JBU";
|
||||
permission com.sun.star.io.FilePermission "file:///home/jbu/-" ,"read,write,";
|
||||
/*jbu resolve*/permission com.sun.star.connection.SocketPermission "jbu-11096","resolve";
|
||||
permission com.sun.star.io.FilePermission "*",",read,write";}; grant user "root"{permission com.sun.star.security.AllPermission;};
|
||||
|
||||
// granted to anyone
|
||||
grant
|
||||
{
|
||||
// read out this file
|
||||
permission com.sun.star.io.FilePermission "../../test/security/test_security.policy",
|
||||
"read";
|
||||
|
||||
permission com.sun.star.security.RuntimePermission "DEF";
|
||||
permission com.sun.star.io.FilePermission "file:///usr/bin/*", "read";
|
||||
permission com.sun.star.io.FilePermission "file:///usr/bin/*", "read";
|
||||
permission com.sun.star.io.FilePermission "file:///tmp/-", "read, write";
|
||||
permission com.sun.star.io.FilePermission "file:///etc/profile", "read,,";
|
||||
permission com.sun.star.connection.SocketPermission "127.0.0.1:-1023", "resolve, connect, listen";
|
||||
permission com.sun.star.connection.SocketPermission "localhost:1024-", "accept, connect, listen, resolve,";
|
||||
permission com.sun.star.connection.SocketPermission "*.sun.com:1024-", "resolve";
|
||||
} ;
|
||||
|
||||
# eof
|
||||
@@ -1,24 +0,0 @@
|
||||
#
|
||||
# This file is part of the LibreOffice project.
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# This file incorporates work covered by the following license notice:
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed
|
||||
# with this work for additional information regarding copyright
|
||||
# ownership. The ASF licenses this file to you under the Apache
|
||||
# License, Version 2.0 (the "License"); you may not use this file
|
||||
# except in compliance with the License. You may obtain a copy of
|
||||
# the License at http://www.apache.org/licenses/LICENSE-2.0 .
|
||||
#
|
||||
|
||||
UNO_TYPES=stoctest.rdb
|
||||
UNO_SERVICES=stoctest.rdb
|
||||
UNO_WRITERDB=stoctest.rdb
|
||||
UNO_AC=single-user
|
||||
UNO_AC_SINGLEUSER=dbo
|
||||
UNO_AC_POLICYFILE=../../test/security/test_security.policy
|
||||
Reference in New Issue
Block a user