1. /*

  2.  * @(#)DelegationPermission.java	1.6 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package javax.security.auth.kerberos;

  9. 

  10. import java.util.*;

  11. import java.security.Permission;

  12. import java.security.BasicPermission;

  13. import java.security.PermissionCollection;

  14. import java.io.ObjectStreamField;

  15. import java.io.ObjectOutputStream;

  16. import java.io.ObjectInputStream;

  17. import java.io.IOException;

  18. 

  19. /**

  20.  * This class is used to restrict the usage of the Kerberos

  21.  * delegation model, ie: forwardable and proxiable tickets.

  22.  * <p>

  23.  * The target name of this <code>Permission</code> specifies a pair of 

  24.  * kerberos service principals. The first is the subordinate service principal 

  25.  * being entrusted to use the TGT. The second service principal designates

  26.  * the target service the subordinate service principal is to

  27.  * interact with on behalf of the initiating KerberosPrincipal. This

  28.  * latter service principal is specified to restrict the use of a

  29.  * proxiable ticket.

  30.  * <p>

  31.  * For example, to specify the "host" service use of a forwardable TGT the

  32.  * target permission is specified as follows:

  33.  * <p> 

  34.  * <pre>

  35.  *  DelegationPermission("\"host/foo.example.com@EXAMPLE.COM\" \"krbtgt/EXAMPLE.COM@EXAMPLE.COM\"");

  36.  * </pre>

  37.  * <p>

  38.  * To give the "backup" service a proxiable nfs service ticket the target permission

  39.  * might be specified:

  40.  * <p>

  41.  * <pre>

  42.  *  DelegationPermission("\"backup/bar.example.com@EXAMPLE.COM\" \"nfs/home.EXAMPLE.COM@EXAMPLE.COM\"");

  43.  * </pre>

  44.  *

  45.  * @since JDK1.4

  46.  */

  47. 

  48. public final class DelegationPermission extends BasicPermission 

  49.     implements java.io.Serializable {

  50. 

  51.     private transient String subordinate, service;

  52. 

  53.     /**

  54.      * Create a new <code>DelegationPermission</code>

  55.      * with the specified subordinate and target principals.

  56.      *

  57.      * <p>

  58.      *

  59.      * @param principals the name of the subordinate and target principals

  60.      */

  61.     public DelegationPermission(String principals) {

  62. 	super(principals);

  63. 	init(principals);

  64.     }

  65. 

  66.     /**

  67.      * Create a new <code>DelegationPermission</code>

  68.      * with the specified subordinate and target principals.

  69.      * <p>

  70.      *

  71.      * @param principals the name of the subordinate and target principals 

  72.      * <p>

  73.      * @param actions should be null.

  74.      */

  75.     public DelegationPermission(String principals, String actions) {

  76. 	super(principals, actions);

  77. 	init(principals);

  78.     }

  79. 

  80. 

  81.     /**

  82.      * Initialize the DelegationPermission object.

  83.      */

  84.     private void init(String target) {

  85. 

  86. 	StringTokenizer t = null;

  87. 	if (!target.startsWith("\"")) {

  88. 	    throw new IllegalArgumentException

  89. 		("service principal [" + target +

  90. 		 "] syntax invalid: " +

  91. 		 "improperly quoted");

  92. 	} else {

  93. 	    t = new StringTokenizer(target, "\"", false);

  94. 	    subordinate = t.nextToken();

  95. 	    if (t.countTokens() == 2) {

  96. 		t.nextToken();	// bypass whitespace

  97. 		service = t.nextToken();

  98. 	    } else if (t.countTokens() > 0) {

  99. 		throw new IllegalArgumentException

  100. 		    ("service principal [" + t.nextToken() +

  101. 		     "] syntax invalid: " +

  102. 		     "improperly quoted");

  103. 	    }

  104. 	}

  105.     }

  106. 	    

  107.     /**

  108.      * Checks if this Kerberos delegation permission object "implies" the 

  109.      * specified permission.

  110.      * <P>

  111.      * If none of the above are true, <code>implies</code> returns false.

  112.      * @param p the permission to check against.

  113.      *

  114.      * @return true if the specified permission is implied by this object,

  115.      * false if not.  

  116.      */

  117.     public boolean implies(Permission p) {

  118. 	if (!(p instanceof DelegationPermission))

  119. 	    return false;

  120. 

  121. 	DelegationPermission that = (DelegationPermission) p;

  122. 	if (this.subordinate.equals(that.subordinate) &&

  123. 	    this.service.equals(that.service))

  124. 	    return true;

  125. 

  126. 	return false;

  127.     }

  128.     

  129.     

  130.     /**

  131.      * Checks two DelegationPermission objects for equality. 

  132.      * <P>

  133.      * @param obj the object to test for equality with this object.

  134.      * 

  135.      * @return true if <i>obj</i> is a DelegationPermission, and

  136.      *  has the same subordinate and service principal as this.

  137.      *  DelegationPermission object.

  138.      */

  139.     public boolean equals(Object obj) {

  140. 	if (obj == this)

  141. 	    return true;

  142. 

  143. 	if (! (obj instanceof DelegationPermission))

  144. 	    return false;

  145. 

  146. 	DelegationPermission that = (DelegationPermission) obj;

  147. 	return implies(that);

  148.     }

  149. 

  150.     /**

  151.      * Returns the hash code value for this object.

  152.      *

  153.      * @return a hash code value for this object.

  154.      */

  155. 

  156.     public int hashCode() {

  157. 	return getName().hashCode();

  158.     }

  159.     

  160. 

  161.     /**

  162.      * Returns a PermissionCollection object for storing

  163.      * DelegationPermission objects.

  164.      * <br>

  165.      * DelegationPermission objects must be stored in a manner that

  166.      * allows them to be inserted into the collection in any order, but

  167.      * that also enables the PermissionCollection implies method to

  168.      * be implemented in an efficient (and consistent) manner.

  169.      *

  170.      * @return a new PermissionCollection object suitable for storing

  171.      * DelegationPermissions.

  172.      */

  173. 

  174.     public PermissionCollection newPermissionCollection() {

  175. 	return new KrbDelegationPermissionCollection();

  176.     }

  177. 

  178.     /**

  179.      * WriteObject is called to save the state of the DelegationPermission 

  180.      * to a stream. The actions are serialized, and the superclass

  181.      * takes care of the name.

  182.      */

  183.     private synchronized void writeObject(java.io.ObjectOutputStream s)

  184.         throws IOException

  185.     {

  186. 	s.defaultWriteObject();

  187.     }

  188. 

  189.     /**

  190.      * readObject is called to restore the state of the

  191.      * DelegationPermission from a stream.

  192.      */

  193.     private synchronized void readObject(java.io.ObjectInputStream s)

  194.          throws IOException, ClassNotFoundException

  195.     {

  196. 	// Read in the action, then initialize the rest

  197. 	s.defaultReadObject();

  198. 	init(getName());

  199.     }

  200. 

  201.     /*

  202.       public static void main(String args[]) throws Exception {

  203.       DelegationPermission this_ =

  204.       new DelegationPermission(args[0]);

  205.       DelegationPermission that_ =

  206.       new DelegationPermission(args[1]);

  207.       System.out.println("-----\n");

  208.       System.out.println("this.implies(that) = " + this_.implies(that_));

  209.       System.out.println("-----\n");

  210.       System.out.println("this = "+this_);

  211.       System.out.println("-----\n");

  212.       System.out.println("that = "+that_);

  213.       System.out.println("-----\n");

  214.       

  215.       KrbDelegationPermissionCollection nps =

  216.       new KrbDelegationPermissionCollection();

  217.       nps.add(this_);

  218.       nps.add(new DelegationPermission("\"host/foo.example.com@EXAMPLE.COM\" \"CN=Gary Ellison/OU=JSN/O=SUNW/L=Palo Alto/ST=CA/C=US\""));

  219.       try {

  220.       nps.add(new DelegationPermission("host/foo.example.com@EXAMPLE.COM \"CN=Gary Ellison/OU=JSN/O=SUNW/L=Palo Alto/ST=CA/C=US\""));

  221.       } catch (Exception e) {

  222.       System.err.println(e);

  223.       }

  224.       

  225.       System.out.println("nps.implies(that) = " + nps.implies(that_));

  226.       System.out.println("-----\n");

  227.       

  228.       Enumeration e = nps.elements();

  229.       

  230.       while (e.hasMoreElements()) {

  231.       DelegationPermission x =

  232.       (DelegationPermission) e.nextElement();

  233.       System.out.println("nps.e = " + x);

  234.       }

  235.       }

  236.     */    

  237. }

  238. 

  239. 

  240. final class KrbDelegationPermissionCollection extends PermissionCollection 

  241.     implements java.io.Serializable {

  242. 

  243.     // Not serialized; see serialization section at end of class.

  244.     private transient List perms;

  245. 

  246.     public KrbDelegationPermissionCollection() {

  247. 	perms = new ArrayList();

  248.     }

  249. 

  250.     

  251.     /**

  252.      * Check and see if this collection of permissions implies the permissions 

  253.      * expressed in "permission".

  254.      *

  255.      * @param p the Permission object to compare

  256.      *

  257.      * @return true if "permission" is a proper subset of a permission in 

  258.      * the collection, false if not.

  259.      */

  260. 

  261.     public boolean implies(Permission permission) {

  262. 	if (! (permission instanceof DelegationPermission))

  263.    		return false;

  264. 

  265. 	DelegationPermission np = (DelegationPermission) permission;

  266. 	int len = perms.size();

  267. 	for (int i = 0; i < len; i++) {

  268. 	    DelegationPermission x = (DelegationPermission) perms.get(i);

  269. 	    if (x.implies(np))

  270. 		return true;

  271. 	}

  272. 	return false;

  273. 

  274.     }

  275. 

  276.     /**

  277.      * Adds a permission to the DelegationPermissions. The key for

  278.      * the hash is the name.

  279.      *

  280.      * @param permission the Permission object to add.

  281.      *

  282.      * @exception IllegalArgumentException - if the permission is not a

  283.      *                                       DelegationPermission

  284.      *

  285.      * @exception SecurityException - if this PermissionCollection object

  286.      *                                has been marked readonly

  287.      */

  288. 

  289.     public void add(Permission permission) {

  290. 	if (! (permission instanceof DelegationPermission))

  291. 	    throw new IllegalArgumentException("invalid permission: "+

  292. 					       permission);

  293. 	if (isReadOnly())

  294. 	    throw new SecurityException("attempt to add a Permission to a readonly PermissionCollection");

  295. 

  296. 	perms.add(0, permission);

  297.     }

  298. 

  299.     /**

  300.      * Returns an enumeration of all the DelegationPermission objects

  301.      * in the container.

  302.      *

  303.      * @return an enumeration of all the DelegationPermission objects.

  304.      */

  305. 

  306.     public Enumeration elements() {

  307.         // Convert Iterator into Enumeration

  308. 	return Collections.enumeration(perms);

  309.     }

  310. 

  311.     private static final long serialVersionUID = -3383936936589966948L;

  312. 

  313.     // Need to maintain serialization interoperability with earlier releases,

  314.     // which had the serializable field:

  315.     //    private Vector permissions;

  316.     /**

  317.      * @serialField permissions java.util.Vector

  318.      *     A list of DelegationPermission objects.

  319.      */

  320.     private static final ObjectStreamField[] serialPersistentFields = {

  321.         new ObjectStreamField("permissions", Vector.class),

  322.     };

  323. 

  324.     /**

  325.      * @serialData "permissions" field (a Vector containing the DelegationPermissions).

  326.      */

  327.     /*

  328.      * Writes the contents of the perms field out as a Vector for

  329.      * serialization compatibility with earlier releases.

  330.      */

  331.     private void writeObject(ObjectOutputStream out) throws IOException {

  332. 	// Don't call out.defaultWriteObject()

  333. 

  334. 	// Write out Vector

  335. 	Vector permissions = new Vector(perms.size());

  336. 	permissions.addAll(perms);

  337. 

  338.         ObjectOutputStream.PutField pfields = out.putFields();

  339.         pfields.put("permissions", permissions);

  340.         out.writeFields();

  341.     }

  342. 

  343.     /*

  344.      * Reads in a Vector of DelegationPermissions and saves them in the perms field.

  345.      */

  346.     private void readObject(ObjectInputStream in) throws IOException, 

  347.     ClassNotFoundException {

  348. 	// Don't call defaultReadObject()

  349. 

  350. 	// Read in serialized fields

  351. 	ObjectInputStream.GetField gfields = in.readFields();

  352. 

  353. 	// Get the one we want

  354. 	Vector permissions = (Vector)gfields.get("permissions", null);

  355. 	perms = new ArrayList(permissions.size());

  356. 	perms.addAll(permissions);

  357.     }

  358. }