1. /*

  2.  * @(#)DelegationPermission.java	1.9 03/12/19

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package javax.security.auth.kerberos;

  9. 

  10. import java.util.*;

  11. import java.security.Permission;

  12. import java.security.BasicPermission;

  13. import java.security.PermissionCollection;

  14. import java.io.ObjectStreamField;

  15. import java.io.ObjectOutputStream;

  16. import java.io.ObjectInputStream;

  17. import java.io.IOException;

  18. 

  19. /**

  20.  * This class is used to restrict the usage of the Kerberos

  21.  * delegation model, ie: forwardable and proxiable tickets.

  22.  * <p>

  23.  * The target name of this <code>Permission</code> specifies a pair of 

  24.  * kerberos service principals. The first is the subordinate service principal 

  25.  * being entrusted to use the TGT. The second service principal designates

  26.  * the target service the subordinate service principal is to

  27.  * interact with on behalf of the initiating KerberosPrincipal. This

  28.  * latter service principal is specified to restrict the use of a

  29.  * proxiable ticket.

  30.  * <p>

  31.  * For example, to specify the "host" service use of a forwardable TGT the

  32.  * target permission is specified as follows:

  33.  * <p> 

  34.  * <pre>

  35.  *  DelegationPermission("\"host/foo.example.com@EXAMPLE.COM\" \"krbtgt/EXAMPLE.COM@EXAMPLE.COM\"");

  36.  * </pre>

  37.  * <p>

  38.  * To give the "backup" service a proxiable nfs service ticket the target permission

  39.  * might be specified:

  40.  * <p>

  41.  * <pre>

  42.  *  DelegationPermission("\"backup/bar.example.com@EXAMPLE.COM\" \"nfs/home.EXAMPLE.COM@EXAMPLE.COM\"");

  43.  * </pre>

  44.  *

  45.  * @since JDK1.4

  46.  */

  47. 

  48. public final class DelegationPermission extends BasicPermission 

  49.     implements java.io.Serializable {

  50. 

  51.     private static final long serialVersionUID = 883133252142523922L;

  52. 

  53.     private transient String subordinate, service;

  54. 

  55.     /**

  56.      * Create a new <code>DelegationPermission</code>

  57.      * with the specified subordinate and target principals.

  58.      *

  59.      * <p>

  60.      *

  61.      * @param principals the name of the subordinate and target principals

  62.      */

  63.     public DelegationPermission(String principals) {

  64. 	super(principals);

  65. 	init(principals);

  66.     }

  67. 

  68.     /**

  69.      * Create a new <code>DelegationPermission</code>

  70.      * with the specified subordinate and target principals.

  71.      * <p>

  72.      *

  73.      * @param principals the name of the subordinate and target principals 

  74.      * <p>

  75.      * @param actions should be null.

  76.      */

  77.     public DelegationPermission(String principals, String actions) {

  78. 	super(principals, actions);

  79. 	init(principals);

  80.     }

  81. 

  82. 

  83.     /**

  84.      * Initialize the DelegationPermission object.

  85.      */

  86.     private void init(String target) {

  87. 

  88. 	StringTokenizer t = null;

  89. 	if (!target.startsWith("\"")) {

  90. 	    throw new IllegalArgumentException

  91. 		("service principal [" + target +

  92. 		 "] syntax invalid: " +

  93. 		 "improperly quoted");

  94. 	} else {

  95. 	    t = new StringTokenizer(target, "\"", false);

  96. 	    subordinate = t.nextToken();

  97. 	    if (t.countTokens() == 2) {

  98. 		t.nextToken();	// bypass whitespace

  99. 		service = t.nextToken();

  100. 	    } else if (t.countTokens() > 0) {

  101. 		throw new IllegalArgumentException

  102. 		    ("service principal [" + t.nextToken() +

  103. 		     "] syntax invalid: " +

  104. 		     "improperly quoted");

  105. 	    }

  106. 	}

  107.     }

  108. 	    

  109.     /**

  110.      * Checks if this Kerberos delegation permission object "implies" the 

  111.      * specified permission.

  112.      * <P>

  113.      * If none of the above are true, <code>implies</code> returns false.

  114.      * @param p the permission to check against.

  115.      *

  116.      * @return true if the specified permission is implied by this object,

  117.      * false if not.  

  118.      */

  119.     public boolean implies(Permission p) {

  120. 	if (!(p instanceof DelegationPermission))

  121. 	    return false;

  122. 

  123. 	DelegationPermission that = (DelegationPermission) p;

  124. 	if (this.subordinate.equals(that.subordinate) &&

  125. 	    this.service.equals(that.service))

  126. 	    return true;

  127. 

  128. 	return false;

  129.     }

  130.     

  131.     

  132.     /**

  133.      * Checks two DelegationPermission objects for equality. 

  134.      * <P>

  135.      * @param obj the object to test for equality with this object.

  136.      * 

  137.      * @return true if <i>obj</i> is a DelegationPermission, and

  138.      *  has the same subordinate and service principal as this.

  139.      *  DelegationPermission object.

  140.      */

  141.     public boolean equals(Object obj) {

  142. 	if (obj == this)

  143. 	    return true;

  144. 

  145. 	if (! (obj instanceof DelegationPermission))

  146. 	    return false;

  147. 

  148. 	DelegationPermission that = (DelegationPermission) obj;

  149. 	return implies(that);

  150.     }

  151. 

  152.     /**

  153.      * Returns the hash code value for this object.

  154.      *

  155.      * @return a hash code value for this object.

  156.      */

  157. 

  158.     public int hashCode() {

  159. 	return getName().hashCode();

  160.     }

  161.     

  162. 

  163.     /**

  164.      * Returns a PermissionCollection object for storing

  165.      * DelegationPermission objects.

  166.      * <br>

  167.      * DelegationPermission objects must be stored in a manner that

  168.      * allows them to be inserted into the collection in any order, but

  169.      * that also enables the PermissionCollection implies method to

  170.      * be implemented in an efficient (and consistent) manner.

  171.      *

  172.      * @return a new PermissionCollection object suitable for storing

  173.      * DelegationPermissions.

  174.      */

  175. 

  176.     public PermissionCollection newPermissionCollection() {

  177. 	return new KrbDelegationPermissionCollection();

  178.     }

  179. 

  180.     /**

  181.      * WriteObject is called to save the state of the DelegationPermission 

  182.      * to a stream. The actions are serialized, and the superclass

  183.      * takes care of the name.

  184.      */

  185.     private synchronized void writeObject(java.io.ObjectOutputStream s)

  186.         throws IOException

  187.     {

  188. 	s.defaultWriteObject();

  189.     }

  190. 

  191.     /**

  192.      * readObject is called to restore the state of the

  193.      * DelegationPermission from a stream.

  194.      */

  195.     private synchronized void readObject(java.io.ObjectInputStream s)

  196.          throws IOException, ClassNotFoundException

  197.     {

  198. 	// Read in the action, then initialize the rest

  199. 	s.defaultReadObject();

  200. 	init(getName());

  201.     }

  202. 

  203.     /*

  204.       public static void main(String args[]) throws Exception {

  205.       DelegationPermission this_ =

  206.       new DelegationPermission(args[0]);

  207.       DelegationPermission that_ =

  208.       new DelegationPermission(args[1]);

  209.       System.out.println("-----\n");

  210.       System.out.println("this.implies(that) = " + this_.implies(that_));

  211.       System.out.println("-----\n");

  212.       System.out.println("this = "+this_);

  213.       System.out.println("-----\n");

  214.       System.out.println("that = "+that_);

  215.       System.out.println("-----\n");

  216.       

  217.       KrbDelegationPermissionCollection nps =

  218.       new KrbDelegationPermissionCollection();

  219.       nps.add(this_);

  220.       nps.add(new DelegationPermission("\"host/foo.example.com@EXAMPLE.COM\" \"CN=Gary Ellison/OU=JSN/O=SUNW/L=Palo Alto/ST=CA/C=US\""));

  221.       try {

  222.       nps.add(new DelegationPermission("host/foo.example.com@EXAMPLE.COM \"CN=Gary Ellison/OU=JSN/O=SUNW/L=Palo Alto/ST=CA/C=US\""));

  223.       } catch (Exception e) {

  224.       System.err.println(e);

  225.       }

  226.       

  227.       System.out.println("nps.implies(that) = " + nps.implies(that_));

  228.       System.out.println("-----\n");

  229.       

  230.       Enumeration e = nps.elements();

  231.       

  232.       while (e.hasMoreElements()) {

  233.       DelegationPermission x =

  234.       (DelegationPermission) e.nextElement();

  235.       System.out.println("nps.e = " + x);

  236.       }

  237.       }

  238.     */    

  239. }

  240. 

  241. 

  242. final class KrbDelegationPermissionCollection extends PermissionCollection 

  243.     implements java.io.Serializable {

  244. 

  245.     // Not serialized; see serialization section at end of class.

  246.     private transient List perms;

  247. 

  248.     public KrbDelegationPermissionCollection() {

  249. 	perms = new ArrayList();

  250.     }

  251. 

  252.     

  253.     /**

  254.      * Check and see if this collection of permissions implies the permissions 

  255.      * expressed in "permission".

  256.      *

  257.      * @param p the Permission object to compare

  258.      *

  259.      * @return true if "permission" is a proper subset of a permission in 

  260.      * the collection, false if not.

  261.      */

  262. 

  263.     public boolean implies(Permission permission) {

  264. 	if (! (permission instanceof DelegationPermission))

  265.    		return false;

  266. 

  267. 	DelegationPermission np = (DelegationPermission) permission;

  268. 	synchronized (this) {

  269. 	    int len = perms.size();

  270. 	    for (int i = 0; i < len; i++) {

  271. 		DelegationPermission x = (DelegationPermission) perms.get(i);

  272. 		if (x.implies(np))

  273. 		    return true;

  274. 	    }

  275. 	}

  276. 	return false;

  277. 

  278.     }

  279. 

  280.     /**

  281.      * Adds a permission to the DelegationPermissions. The key for

  282.      * the hash is the name.

  283.      *

  284.      * @param permission the Permission object to add.

  285.      *

  286.      * @exception IllegalArgumentException - if the permission is not a

  287.      *                                       DelegationPermission

  288.      *

  289.      * @exception SecurityException - if this PermissionCollection object

  290.      *                                has been marked readonly

  291.      */

  292. 

  293.     public void add(Permission permission) {

  294. 	if (! (permission instanceof DelegationPermission))

  295. 	    throw new IllegalArgumentException("invalid permission: "+

  296. 					       permission);

  297. 	if (isReadOnly())

  298. 	    throw new SecurityException("attempt to add a Permission to a readonly PermissionCollection");

  299. 

  300. 	synchronized (this) {

  301. 	    perms.add(0, permission);

  302. 	}

  303.     }

  304. 

  305.     /**

  306.      * Returns an enumeration of all the DelegationPermission objects

  307.      * in the container.

  308.      *

  309.      * @return an enumeration of all the DelegationPermission objects.

  310.      */

  311. 

  312.     public Enumeration elements() {

  313.         // Convert Iterator into Enumeration

  314. 	synchronized (this) {

  315. 	    return Collections.enumeration(perms);

  316. 	}

  317.     }

  318. 

  319.     private static final long serialVersionUID = -3383936936589966948L;

  320. 

  321.     // Need to maintain serialization interoperability with earlier releases,

  322.     // which had the serializable field:

  323.     //    private Vector permissions;

  324.     /**

  325.      * @serialField permissions java.util.Vector

  326.      *     A list of DelegationPermission objects.

  327.      */

  328.     private static final ObjectStreamField[] serialPersistentFields = {

  329.         new ObjectStreamField("permissions", Vector.class),

  330.     };

  331. 

  332.     /**

  333.      * @serialData "permissions" field (a Vector containing the DelegationPermissions).

  334.      */

  335.     /*

  336.      * Writes the contents of the perms field out as a Vector for

  337.      * serialization compatibility with earlier releases.

  338.      */

  339.     private void writeObject(ObjectOutputStream out) throws IOException {

  340. 	// Don't call out.defaultWriteObject()

  341. 

  342. 	// Write out Vector

  343. 	Vector permissions = new Vector(perms.size());

  344. 

  345. 	synchronized (this) {

  346. 	    permissions.addAll(perms);

  347. 	}

  348. 

  349.         ObjectOutputStream.PutField pfields = out.putFields();

  350.         pfields.put("permissions", permissions);

  351.         out.writeFields();

  352.     }

  353. 

  354.     /*

  355.      * Reads in a Vector of DelegationPermissions and saves them in the perms field.

  356.      */

  357.     private void readObject(ObjectInputStream in) throws IOException, 

  358.     ClassNotFoundException {

  359. 	// Don't call defaultReadObject()

  360. 

  361. 	// Read in serialized fields

  362. 	ObjectInputStream.GetField gfields = in.readFields();

  363. 

  364. 	// Get the one we want

  365. 	Vector permissions = (Vector)gfields.get("permissions", null);

  366. 	perms = new ArrayList(permissions.size());

  367. 	perms.addAll(permissions);

  368.     }

  369. }