1*647a425cSAndrew Rist /**************************************************************
2cdf0e10cSrcweir *
3*647a425cSAndrew Rist * Licensed to the Apache Software Foundation (ASF) under one
4*647a425cSAndrew Rist * or more contributor license agreements. See the NOTICE file
5*647a425cSAndrew Rist * distributed with this work for additional information
6*647a425cSAndrew Rist * regarding copyright ownership. The ASF licenses this file
7*647a425cSAndrew Rist * to you under the Apache License, Version 2.0 (the
8*647a425cSAndrew Rist * "License"); you may not use this file except in compliance
9*647a425cSAndrew Rist * with the License. You may obtain a copy of the License at
10*647a425cSAndrew Rist *
11*647a425cSAndrew Rist * http://www.apache.org/licenses/LICENSE-2.0
12*647a425cSAndrew Rist *
13*647a425cSAndrew Rist * Unless required by applicable law or agreed to in writing,
14*647a425cSAndrew Rist * software distributed under the License is distributed on an
15*647a425cSAndrew Rist * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16*647a425cSAndrew Rist * KIND, either express or implied. See the License for the
17*647a425cSAndrew Rist * specific language governing permissions and limitations
18*647a425cSAndrew Rist * under the License.
19*647a425cSAndrew Rist *
20*647a425cSAndrew Rist *************************************************************/
21*647a425cSAndrew Rist
22*647a425cSAndrew Rist
23cdf0e10cSrcweir
24cdf0e10cSrcweir // MARKER(update_precomp.py): autogen include statement, do not remove
25cdf0e10cSrcweir #include "precompiled_stoc.hxx"
26cdf0e10cSrcweir
27cdf0e10cSrcweir #include <stdio.h>
28cdf0e10cSrcweir
29cdf0e10cSrcweir #include <sal/main.h>
30cdf0e10cSrcweir #include <osl/diagnose.h>
31cdf0e10cSrcweir #include <osl/socket.hxx>
32cdf0e10cSrcweir #include <rtl/string.hxx>
33cdf0e10cSrcweir #include <rtl/ustrbuf.hxx>
34cdf0e10cSrcweir #include <uno/current_context.hxx>
35cdf0e10cSrcweir
36cdf0e10cSrcweir #include <cppuhelper/implbase1.hxx>
37cdf0e10cSrcweir #include <cppuhelper/bootstrap.hxx>
38cdf0e10cSrcweir #include <cppuhelper/access_control.hxx>
39cdf0e10cSrcweir
40cdf0e10cSrcweir #include <com/sun/star/lang/XComponent.hpp>
41cdf0e10cSrcweir #include <com/sun/star/uno/XCurrentContext.hpp>
42cdf0e10cSrcweir
43cdf0e10cSrcweir #include <com/sun/star/io/FilePermission.hpp>
44cdf0e10cSrcweir
45cdf0e10cSrcweir #define USER_CREDS "access-control.user-credentials"
46cdf0e10cSrcweir #define OUSTR(x) ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM(x) )
47cdf0e10cSrcweir
48cdf0e10cSrcweir
49cdf0e10cSrcweir using namespace ::osl;
50cdf0e10cSrcweir using namespace ::rtl;
51cdf0e10cSrcweir using namespace ::cppu;
52cdf0e10cSrcweir using namespace ::com::sun::star;
53cdf0e10cSrcweir using namespace ::com::sun::star::uno;
54cdf0e10cSrcweir
55cdf0e10cSrcweir //--------------------------------------------------------------------------------------------------
localhost(OUString const & addition)56cdf0e10cSrcweir static OUString localhost( OUString const & addition ) SAL_THROW( () )
57cdf0e10cSrcweir {
58cdf0e10cSrcweir static OUString ip;
59cdf0e10cSrcweir if (! ip.getLength())
60cdf0e10cSrcweir {
61cdf0e10cSrcweir // dns lookup
62cdf0e10cSrcweir SocketAddr addr;
63cdf0e10cSrcweir SocketAddr::resolveHostname( OUSTR("localhost"), addr );
64cdf0e10cSrcweir ::oslSocketResult rc = ::osl_getDottedInetAddrOfSocketAddr( addr.getHandle(), &ip.pData );
65cdf0e10cSrcweir if (::osl_Socket_Ok != rc)
66cdf0e10cSrcweir fprintf(stdout, "### cannot resolve localhost!" );
67cdf0e10cSrcweir }
68cdf0e10cSrcweir OUStringBuffer buf( 48 );
69cdf0e10cSrcweir buf.append( ip );
70cdf0e10cSrcweir buf.append( addition );
71cdf0e10cSrcweir return buf.makeStringAndClear();
72cdf0e10cSrcweir }
73cdf0e10cSrcweir
74cdf0e10cSrcweir //--------------------------------------------------------------------------------------------------
dispose(Reference<XInterface> const & x)75cdf0e10cSrcweir static inline void dispose( Reference< XInterface > const & x )
76cdf0e10cSrcweir SAL_THROW( (RuntimeException) )
77cdf0e10cSrcweir {
78cdf0e10cSrcweir Reference< lang::XComponent > xComp( x, UNO_QUERY );
79cdf0e10cSrcweir if (xComp.is())
80cdf0e10cSrcweir {
81cdf0e10cSrcweir xComp->dispose();
82cdf0e10cSrcweir }
83cdf0e10cSrcweir }
84cdf0e10cSrcweir //==================================================================================================
85cdf0e10cSrcweir class user_CurrentContext
86cdf0e10cSrcweir : public ImplHelper1< XCurrentContext >
87cdf0e10cSrcweir {
88cdf0e10cSrcweir oslInterlockedCount m_refcount;
89cdf0e10cSrcweir
90cdf0e10cSrcweir Reference< XCurrentContext > m_xDelegate;
91cdf0e10cSrcweir Any m_userId;
92cdf0e10cSrcweir
93cdf0e10cSrcweir public:
user_CurrentContext(Reference<XCurrentContext> const & xDelegate,OUString const & userId)94cdf0e10cSrcweir inline user_CurrentContext(
95cdf0e10cSrcweir Reference< XCurrentContext > const & xDelegate,
96cdf0e10cSrcweir OUString const & userId )
97cdf0e10cSrcweir SAL_THROW( () )
98cdf0e10cSrcweir : m_refcount( 0 )
99cdf0e10cSrcweir , m_xDelegate( xDelegate )
100cdf0e10cSrcweir , m_userId( makeAny( userId ) )
101cdf0e10cSrcweir {}
102cdf0e10cSrcweir
103cdf0e10cSrcweir // XInterface impl
104cdf0e10cSrcweir virtual void SAL_CALL acquire()
105cdf0e10cSrcweir throw ();
106cdf0e10cSrcweir virtual void SAL_CALL release()
107cdf0e10cSrcweir throw ();
108cdf0e10cSrcweir
109cdf0e10cSrcweir // XCurrentContext impl
110cdf0e10cSrcweir virtual Any SAL_CALL getValueByName( OUString const & name )
111cdf0e10cSrcweir throw (RuntimeException);
112cdf0e10cSrcweir };
113cdf0e10cSrcweir //__________________________________________________________________________________________________
acquire()114cdf0e10cSrcweir void user_CurrentContext::acquire()
115cdf0e10cSrcweir throw ()
116cdf0e10cSrcweir {
117cdf0e10cSrcweir ::osl_incrementInterlockedCount( &m_refcount );
118cdf0e10cSrcweir }
119cdf0e10cSrcweir //__________________________________________________________________________________________________
release()120cdf0e10cSrcweir void user_CurrentContext::release()
121cdf0e10cSrcweir throw ()
122cdf0e10cSrcweir {
123cdf0e10cSrcweir if (! ::osl_decrementInterlockedCount( &m_refcount ))
124cdf0e10cSrcweir {
125cdf0e10cSrcweir delete this;
126cdf0e10cSrcweir }
127cdf0e10cSrcweir }
128cdf0e10cSrcweir //__________________________________________________________________________________________________
getValueByName(OUString const & name)129cdf0e10cSrcweir Any user_CurrentContext::getValueByName( OUString const & name )
130cdf0e10cSrcweir throw (RuntimeException)
131cdf0e10cSrcweir {
132cdf0e10cSrcweir if (name.equalsAsciiL( RTL_CONSTASCII_STRINGPARAM(USER_CREDS ".id") ))
133cdf0e10cSrcweir {
134cdf0e10cSrcweir return m_userId;
135cdf0e10cSrcweir }
136cdf0e10cSrcweir else if (m_xDelegate.is())
137cdf0e10cSrcweir {
138cdf0e10cSrcweir return m_xDelegate->getValueByName( name );
139cdf0e10cSrcweir }
140cdf0e10cSrcweir else
141cdf0e10cSrcweir {
142cdf0e10cSrcweir return Any();
143cdf0e10cSrcweir }
144cdf0e10cSrcweir }
145cdf0e10cSrcweir
146cdf0e10cSrcweir // prepends line number
147cdf0e10cSrcweir #define CHECK( check, negative_test ) \
148cdf0e10cSrcweir { \
149cdf0e10cSrcweir try \
150cdf0e10cSrcweir { \
151cdf0e10cSrcweir if (negative_test) \
152cdf0e10cSrcweir { \
153cdf0e10cSrcweir bool thrown = true; \
154cdf0e10cSrcweir try \
155cdf0e10cSrcweir { \
156cdf0e10cSrcweir check; \
157cdf0e10cSrcweir thrown = false; \
158cdf0e10cSrcweir } \
159cdf0e10cSrcweir catch (RuntimeException &) \
160cdf0e10cSrcweir { \
161cdf0e10cSrcweir } \
162cdf0e10cSrcweir if (! thrown) \
163cdf0e10cSrcweir { \
164cdf0e10cSrcweir throw RuntimeException( \
165cdf0e10cSrcweir OUSTR("expected RuntimeException upon check!"), Reference< XInterface >() ); \
166cdf0e10cSrcweir } \
167cdf0e10cSrcweir } \
168cdf0e10cSrcweir else \
169cdf0e10cSrcweir { \
170cdf0e10cSrcweir check; \
171cdf0e10cSrcweir } \
172cdf0e10cSrcweir } \
173cdf0e10cSrcweir catch (RuntimeException & exc) \
174cdf0e10cSrcweir { \
175cdf0e10cSrcweir OUStringBuffer buf( 64 ); \
176cdf0e10cSrcweir buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("[line ") ); \
177cdf0e10cSrcweir buf.append( (sal_Int32)__LINE__ ); \
178cdf0e10cSrcweir buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("] ") ); \
179cdf0e10cSrcweir buf.append( exc.Message ); \
180cdf0e10cSrcweir throw RuntimeException( buf.makeStringAndClear(), Reference< XInterface >() ); \
181cdf0e10cSrcweir } \
182cdf0e10cSrcweir }
183cdf0e10cSrcweir
184cdf0e10cSrcweir /*
185cdf0e10cSrcweir grant
186cdf0e10cSrcweir {
187cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///usr/bin/ *", "read";
188cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///tmp/-", "read,write";
189cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///etc/profile", "read";
190cdf0e10cSrcweir
191cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "DEF";
192cdf0e10cSrcweir
193cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "127.0.0.1:-1023", "resolve, connect, listen";
194cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "localhost:1024-", "accept, connect, listen, resolve,";
195cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "*.sun.com:1024-", "resolve";
196cdf0e10cSrcweir };
197cdf0e10cSrcweir */
check_defaults_pos(AccessControl & ac,bool invert=false)198cdf0e10cSrcweir static void check_defaults_pos( AccessControl & ac, bool invert = false )
199cdf0e10cSrcweir {
200cdf0e10cSrcweir // positive tests
201cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("read") ), invert );
202cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/bla"), OUSTR("read,write") ), invert );
203cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/path/path/bla"), OUSTR("write") ), invert );
204cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("read") ), invert );
205cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DEF") ), invert );
206cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:1024"), OUSTR("connect") ), invert );
207cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:65535"), OUSTR("resolve") ), invert );
208cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":2048")), OUSTR("accept,listen") ), invert );
209cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":1024-")), OUSTR("accept,connect,listen,resolve") ), invert );
210cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("resolve,listen,connect") ), invert );
211cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jl-1036.germany.sun.com:1024-"), OUSTR("resolve") ), invert );
212cdf0e10cSrcweir }
check_defaults_neg(AccessControl & ac,bool invert=false)213cdf0e10cSrcweir static void check_defaults_neg( AccessControl & ac, bool invert = false )
214cdf0e10cSrcweir {
215cdf0e10cSrcweir // negative tests
216cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/tmp"), OUSTR("read") ), !invert );
217cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///"), OUSTR("read") ), !invert );
218cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin"), OUSTR("read") ), !invert );
219cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("write") ), !invert );
220cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("execute") ), !invert );
221cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/path/bla"), OUSTR("read") ), !invert );
222cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp"), OUSTR("read") ), !invert );
223cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/"), OUSTR("read") ), !invert );
224cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tm"), OUSTR("read") ), !invert );
225cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("write") ), !invert );
226cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile/bla"), OUSTR("read") ), !invert );
227cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), !invert );
228cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), !invert );
229cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), !invert );
230cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("delete") ), !invert );
231cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUString() ), !invert );
232cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), !invert );
233cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:1023"), OUSTR("accept") ), !invert );
234cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:123-"), OUSTR("accept") ), !invert );
235cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":-1023")), OUSTR("accept") ), !invert );
236cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("accept,resolve") ), !invert );
237cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("sun.com:1024-"), OUSTR("resolve") ), !invert );
238cdf0e10cSrcweir }
239cdf0e10cSrcweir
240cdf0e10cSrcweir /*
241cdf0e10cSrcweir grant user "dbo"
242cdf0e10cSrcweir {
243cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///home/dbo/-", "read,write";
244cdf0e10cSrcweir permission com.sun.star.io.FilePermission "-", "read,write";
245cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///usr/local/dbo/ *", "read";
246cdf0e10cSrcweir
247cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "DBO";
248cdf0e10cSrcweir
249cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-1:1024-", "listen";
250cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:-1023", "resolve";
251cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:18", "listen";
252cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:20-24", "listen";
253cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081", "connect";
254cdf0e10cSrcweir };
255cdf0e10cSrcweir */
check_dbo_pos(AccessControl & ac,bool invert=false)256cdf0e10cSrcweir static void check_dbo_pos( AccessControl & ac, bool invert = false )
257cdf0e10cSrcweir {
258cdf0e10cSrcweir check_defaults_pos( ac, invert );
259cdf0e10cSrcweir // positive tests
260cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), invert );
261cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), invert );
262cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), invert );
263cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read,write") ), invert );
264cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,write") ), invert );
265cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/*"), OUSTR("read") ), invert );
266cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), invert );
267cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), invert );
268cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:1024-"), OUSTR("listen") ), invert );
269cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-3122"), OUSTR("listen") ), invert );
270cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-"), OUSTR("listen") ), invert );
271cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:-1023"), OUSTR("resolve") ), invert );
272cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-1023"), OUSTR("resolve") ), invert );
273cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:18"), OUSTR("listen") ), invert );
274cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-24"), OUSTR("listen") ), invert );
275cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("listen") ), invert );
276cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), invert );
277cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("connect") ), invert );
278cdf0e10cSrcweir }
check_dbo_neg(AccessControl & ac,bool invert=false)279cdf0e10cSrcweir static void check_dbo_neg( AccessControl & ac, bool invert = false )
280cdf0e10cSrcweir {
281cdf0e10cSrcweir check_defaults_neg( ac, invert );
282cdf0e10cSrcweir // negative tests
283cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert );
284cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), !invert );
285cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), !invert );
286cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), !invert );
287cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read") ), !invert );
288cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,execute") ), !invert );
289cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert );
290cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/bla"), OUSTR("read") ), !invert );
291cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert );
292cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), !invert );
293cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("listen") ), !invert );
294cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("accept") ), !invert );
295cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:22"), OUSTR("resolve") ), !invert );
296cdf0e10cSrcweir }
297cdf0e10cSrcweir
298cdf0e10cSrcweir /*
299cdf0e10cSrcweir grant user "jbu"
300cdf0e10cSrcweir {
301cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///home/jbu/-", "read,write";
302cdf0e10cSrcweir permission com.sun.star.io.FilePermission "*", "read,write";
303cdf0e10cSrcweir
304cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "JBU";
305cdf0e10cSrcweir
306cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "jbu-11096","resolve";
307cdf0e10cSrcweir };
308cdf0e10cSrcweir */
check_jbu_pos(AccessControl & ac,bool invert=false)309cdf0e10cSrcweir static void check_jbu_pos( AccessControl & ac, bool invert = false )
310cdf0e10cSrcweir {
311cdf0e10cSrcweir check_defaults_pos( ac, invert );
312cdf0e10cSrcweir // positive tests
313cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), invert );
314cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), invert );
315cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), invert );
316cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read,write") ), invert );
317cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/path/bla"), OUSTR("read,write") ), invert );
318cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), invert );
319cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096"), OUSTR("resolve") ), invert );
320cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("resolve") ), invert );
321cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com:2048"), OUSTR("resolve") ), invert );
322cdf0e10cSrcweir }
check_jbu_neg(AccessControl & ac,bool invert=false)323cdf0e10cSrcweir static void check_jbu_neg( AccessControl & ac, bool invert = false )
324cdf0e10cSrcweir {
325cdf0e10cSrcweir check_defaults_neg( ac, invert );
326cdf0e10cSrcweir // negative tests
327cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert );
328cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read") ), !invert );
329cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read") ), !invert );
330cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), !invert );
331cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), !invert );
332cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), !invert );
333cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert );
334cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), !invert );
335cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert );
336cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), !invert );
337cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("accept") ), !invert );
338cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), !invert );
339cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com"), OUSTR("connect") ), !invert );
340cdf0e10cSrcweir }
341cdf0e10cSrcweir
342cdf0e10cSrcweir /*
343cdf0e10cSrcweir grant principal "root"
344cdf0e10cSrcweir {
345cdf0e10cSrcweir permission com.sun.star.security.AllPermission;
346cdf0e10cSrcweir };
347cdf0e10cSrcweir */
348cdf0e10cSrcweir //==================================================================================================
check_root_pos(AccessControl & ac,bool invert=false)349cdf0e10cSrcweir static void check_root_pos( AccessControl & ac, bool invert = false )
350cdf0e10cSrcweir {
351cdf0e10cSrcweir check_defaults_pos( ac, invert );
352cdf0e10cSrcweir check_defaults_neg( ac, !invert );
353cdf0e10cSrcweir check_dbo_pos( ac, invert );
354cdf0e10cSrcweir check_dbo_neg( ac, !invert );
355cdf0e10cSrcweir check_jbu_pos( ac, invert );
356cdf0e10cSrcweir check_jbu_neg( ac, !invert );
357cdf0e10cSrcweir // some more root positive
358cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), invert );
359cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), invert );
360cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), invert );
361cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), invert );
362cdf0e10cSrcweir }
363cdf0e10cSrcweir
364cdf0e10cSrcweir //==================================================================================================
365cdf0e10cSrcweir class acc_Restr
366cdf0e10cSrcweir : public WeakImplHelper1< security::XAccessControlContext >
367cdf0e10cSrcweir {
368cdf0e10cSrcweir Any m_perm;
369cdf0e10cSrcweir
370cdf0e10cSrcweir public:
371cdf0e10cSrcweir inline acc_Restr( Any const & perm = Any() ) SAL_THROW( () )
372cdf0e10cSrcweir : m_perm( perm )
373cdf0e10cSrcweir {}
374cdf0e10cSrcweir
375cdf0e10cSrcweir // XAccessControlContext impl
376cdf0e10cSrcweir virtual void SAL_CALL checkPermission( Any const & perm )
377cdf0e10cSrcweir throw (RuntimeException);
378cdf0e10cSrcweir };
379cdf0e10cSrcweir //__________________________________________________________________________________________________
checkPermission(Any const & perm)380cdf0e10cSrcweir void acc_Restr::checkPermission( Any const & perm )
381cdf0e10cSrcweir throw (RuntimeException)
382cdf0e10cSrcweir {
383cdf0e10cSrcweir if (perm != m_perm)
384cdf0e10cSrcweir {
385cdf0e10cSrcweir throw security::AccessControlException(
386cdf0e10cSrcweir OUSTR("dyn violation!"), Reference< XInterface >(), perm );
387cdf0e10cSrcweir }
388cdf0e10cSrcweir }
389cdf0e10cSrcweir
390cdf0e10cSrcweir typedef void (* t_action)( AccessControl &, Any const & arg );
391cdf0e10cSrcweir
392cdf0e10cSrcweir //==================================================================================================
393cdf0e10cSrcweir class Action
394cdf0e10cSrcweir : public WeakImplHelper1< security::XAction >
395cdf0e10cSrcweir {
396cdf0e10cSrcweir t_action m_action;
397cdf0e10cSrcweir AccessControl & m_ac;
398cdf0e10cSrcweir Any m_arg;
399cdf0e10cSrcweir
400cdf0e10cSrcweir public:
Action(t_action action,AccessControl & ac,Any const & arg=Any ())401cdf0e10cSrcweir inline Action( t_action action, AccessControl & ac, Any const & arg = Any() ) SAL_THROW( () )
402cdf0e10cSrcweir : m_action( action )
403cdf0e10cSrcweir , m_ac( ac )
404cdf0e10cSrcweir , m_arg( arg )
405cdf0e10cSrcweir {}
406cdf0e10cSrcweir
407cdf0e10cSrcweir // XAction impl
408cdf0e10cSrcweir virtual Any SAL_CALL run()
409cdf0e10cSrcweir throw (Exception);
410cdf0e10cSrcweir };
411cdf0e10cSrcweir //__________________________________________________________________________________________________
run()412cdf0e10cSrcweir Any Action::run()
413cdf0e10cSrcweir throw (Exception)
414cdf0e10cSrcweir {
415cdf0e10cSrcweir (*m_action)( m_ac, m_arg );
416cdf0e10cSrcweir return Any();
417cdf0e10cSrcweir }
418cdf0e10cSrcweir
419cdf0e10cSrcweir //==================================================================================================
420cdf0e10cSrcweir // static void restr_file_permissions( AccessControl & ac )
421cdf0e10cSrcweir // {
422cdf0e10cSrcweir // // running in dbo's domain
423cdf0e10cSrcweir // /* permission com.sun.star.io.FilePermission "file:///home/dbo/-", ",,read , write "; */
424cdf0e10cSrcweir // CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write,execute") ), true );
425cdf0e10cSrcweir // CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), false );
426cdf0e10cSrcweir // }
427cdf0e10cSrcweir //==================================================================================================
all_dbo_permissions(AccessControl & ac,Any const &)428cdf0e10cSrcweir static void all_dbo_permissions( AccessControl & ac, Any const & )
429cdf0e10cSrcweir {
430cdf0e10cSrcweir check_dbo_pos( ac );
431cdf0e10cSrcweir check_dbo_neg( ac );
432cdf0e10cSrcweir }
433cdf0e10cSrcweir //==================================================================================================
no_permissions(AccessControl & ac,Any const & arg)434cdf0e10cSrcweir static void no_permissions( AccessControl & ac, Any const & arg )
435cdf0e10cSrcweir {
436cdf0e10cSrcweir check_dbo_pos( ac, true );
437cdf0e10cSrcweir check_dbo_neg( ac );
438cdf0e10cSrcweir // set privs to old dbo restr
439cdf0e10cSrcweir Reference< security::XAccessControlContext > xContext;
440cdf0e10cSrcweir OSL_VERIFY( arg >>= xContext );
441cdf0e10cSrcweir ac->doPrivileged(
442cdf0e10cSrcweir new Action( all_dbo_permissions, ac ),
443cdf0e10cSrcweir xContext );
444cdf0e10cSrcweir }
445cdf0e10cSrcweir //==================================================================================================
check_dbo_dynamic(AccessControl & ac)446cdf0e10cSrcweir static void check_dbo_dynamic( AccessControl & ac )
447cdf0e10cSrcweir {
448cdf0e10cSrcweir Any arg( makeAny( ac->getContext() ) );
449cdf0e10cSrcweir ac->doRestricted(
450cdf0e10cSrcweir new Action( no_permissions, ac, arg ),
451cdf0e10cSrcweir new acc_Restr() );
452cdf0e10cSrcweir }
453cdf0e10cSrcweir
SAL_IMPLEMENT_MAIN()454cdf0e10cSrcweir SAL_IMPLEMENT_MAIN()
455cdf0e10cSrcweir {
456cdf0e10cSrcweir try
457cdf0e10cSrcweir {
458cdf0e10cSrcweir // single-user test
459cdf0e10cSrcweir Reference< XComponentContext > xContext( defaultBootstrap_InitialComponentContext(
460cdf0e10cSrcweir OUSTR("../../test/security/test_security_singleuser.ini") ) );
461cdf0e10cSrcweir {
462cdf0e10cSrcweir ::fprintf( stderr, "[security test] single-user checking dbo..." );
463cdf0e10cSrcweir AccessControl ac( xContext );
464cdf0e10cSrcweir check_dbo_pos( ac );
465cdf0e10cSrcweir check_dbo_neg( ac );
466cdf0e10cSrcweir check_dbo_dynamic( ac );
467cdf0e10cSrcweir ::fprintf( stderr, "dbo checked.\n" );
468cdf0e10cSrcweir }
469cdf0e10cSrcweir
470cdf0e10cSrcweir // multi-user test
471cdf0e10cSrcweir dispose( xContext );
472cdf0e10cSrcweir xContext = defaultBootstrap_InitialComponentContext(
473cdf0e10cSrcweir OUSTR("../../test/security/test_security.ini") ); // UNO_AC=on
474cdf0e10cSrcweir AccessControl ac( xContext );
475cdf0e10cSrcweir
476cdf0e10cSrcweir {
477cdf0e10cSrcweir // set up dbo current context
478cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("dbo") ) );
479cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking dbo..." );
480cdf0e10cSrcweir check_dbo_pos( ac );
481cdf0e10cSrcweir check_dbo_neg( ac );
482cdf0e10cSrcweir check_dbo_dynamic( ac );
483cdf0e10cSrcweir ::fprintf( stderr, "dbo checked.\n" );
484cdf0e10cSrcweir }
485cdf0e10cSrcweir {
486cdf0e10cSrcweir // set up jbu current context
487cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("jbu") ) );
488cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking jbu..." );
489cdf0e10cSrcweir check_jbu_pos( ac );
490cdf0e10cSrcweir check_jbu_neg( ac );
491cdf0e10cSrcweir ::fprintf( stderr, "jbu checked.\n" );
492cdf0e10cSrcweir }
493cdf0e10cSrcweir {
494cdf0e10cSrcweir // set up root current context
495cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("root") ) );
496cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking root..." );
497cdf0e10cSrcweir check_root_pos( ac );
498cdf0e10cSrcweir ::fprintf( stderr, "root checked.\n" );
499cdf0e10cSrcweir }
500cdf0e10cSrcweir {
501cdf0e10cSrcweir // set up unknown guest user current context => default permissions
502cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("guest") ) );
503cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking guest..." );
504cdf0e10cSrcweir check_defaults_pos( ac );
505cdf0e10cSrcweir check_defaults_neg( ac );
506cdf0e10cSrcweir ::fprintf( stderr, "guest checked.\n" );
507cdf0e10cSrcweir }
508cdf0e10cSrcweir
509cdf0e10cSrcweir dispose( xContext );
510cdf0e10cSrcweir ::fprintf( stderr, "security test succeeded.\n" );
511cdf0e10cSrcweir return 0;
512cdf0e10cSrcweir }
513cdf0e10cSrcweir catch (Exception & exc)
514cdf0e10cSrcweir {
515cdf0e10cSrcweir OString str( OUStringToOString( exc.Message, RTL_TEXTENCODING_ASCII_US ) );
516cdf0e10cSrcweir ::fprintf( stderr, "[security test] error: %s!\n", str.getStr() );
517cdf0e10cSrcweir return 1;
518cdf0e10cSrcweir }
519cdf0e10cSrcweir }
520