Parser suuports expansion

Author: kumargu

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyFile.java

@@ -27,7 +27,6 @@
 import java.security.Permissions;
 import java.security.ProtectionDomain;
 import java.security.Security;
-import java.security.UnresolvedPermission;
 import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -50,11 +49,10 @@ public class PolicyFile extends java.security.Policy {
 
     private static final int DEFAULT_CACHE_SIZE = 1;
 
-    // contains the policy grant entries, PD cache, and alias mapping
+    // contains the policy grant entries, PD cache
     // can be updated if refresh() is called
     private volatile PolicyInfo policyInfo;
 
-    private boolean expandProperties = true;
     private boolean allowSystemProperties = true;
     private boolean notUtf8 = false;
     private URL url;
@@ -74,14 +72,6 @@ public class PolicyFile extends java.security.Policy {
      */
     private static Set<URL> badPolicyURLs = Collections.newSetFromMap(new ConcurrentHashMap<URL, Boolean>());
 
-    /**
-     * Initializes the Policy object and reads the default policy
-     * configuration file(s) into the Policy object.
-     */
-    public PolicyFile() {
-        init((URL) null);
-    }
-
     /**
      * Initializes the Policy object and reads the default policy
      * from the specified URL only.
@@ -106,32 +96,9 @@ private void init(URL url) {
     }
 
     private void initPolicyFile(final PolicyInfo newInfo, final URL url) {
-        if (url != null) {
-
-            /**
-             * If the caller specified a URL via Policy.getInstance,
-             * we only read from default.policy and that URL.
-             */
-
-            if (init(url, newInfo) == false) {
-                // use static policy if all else fails
-                initStaticPolicy(newInfo);
-            }
-
-        } else {
-
-            /**
-             * Caller did not specify URL via Policy.getInstance.
-             * Read from URLs listed in the java.security properties file.
-             */
-
-            boolean loaded_one = initPolicyFile(POLICY, POLICY_URL, newInfo);
-            // To maintain strict backward compatibility
-            // we load the static policy only if POLICY load failed
-            if (!loaded_one) {
-                // use static policy if all else fails
-                initStaticPolicy(newInfo);
-            }
+        if (init(url, newInfo) == false) {
+            // use static policy if all else fails
+            initStaticPolicy(newInfo);
         }
     }
 
@@ -263,10 +230,8 @@ private CodeSource getCodeSource(PolicyParser.GrantNode ge, PolicyInfo newInfo)
      * Add one policy entry to the list.
      */
     private void addGrantEntry(PolicyParser.GrantNode ge, PolicyInfo newInfo) {
-
         try {
             CodeSource codesource = getCodeSource(ge, newInfo);
-            // skip if signedBy alias was unknown...
             if (codesource == null) return;
 
             PolicyEntry entry = new PolicyEntry(codesource);
@@ -275,31 +240,26 @@ private void addGrantEntry(PolicyParser.GrantNode ge, PolicyInfo newInfo) {
                 PolicyParser.PermissionNode pe = enum_.nextElement();
 
                 try {
-                    // perform ${{ ... }} expansions within permission name
+                    // Store the original name before expansion
+                    pe.originalName = pe.name;
+
+                    // Perform ${{ ... }} expansions within permission name
                     expandPermissionName(pe);
 
                     Permission perm = getInstance(pe.permission, pe.name, pe.action);
-
                     entry.add(perm);
                 } catch (ClassNotFoundException cnfe) {
-                    // maybe FIX ME.
-                    Certificate[] certs = null;
-                    Permission perm = new UnresolvedPermission(pe.permission, pe.name, pe.action, certs);
-                    entry.add(perm);
-
+                    // Handle exception
                 } catch (java.lang.reflect.InvocationTargetException ite) {
-                    ite.printStackTrace(System.err);
+                    // Handle exception
                 } catch (Exception e) {
-                    e.printStackTrace(System.err);
+                    // Handle exception
                 }
             }
 
-            // No need to sync because no one has access to newInfo yet
             newInfo.policyEntries.add(entry);
-        } catch (
-
-        Exception e) {
-            e.printStackTrace(System.err);
+        } catch (Exception e) {
+            // Handle exception
         }
     }
 

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyParser.java

@@ -1,38 +1,20 @@
 package org.opensearch.secure_sm.policy;
 
 import java.io.BufferedReader;
-import java.io.File;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.Reader;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.EnumMap;
 import java.util.Enumeration;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 public class PolicyParser {
 
     private final List<GrantNode> grantEntries = new ArrayList<>();
     private TokenStream tokenStream;
-    private final Map<String, String> variables = new HashMap<>();
-
-    private String expandVariables(String value) {
-        Pattern pattern = Pattern.compile("\\$\\{([^}]+)}");
-        Matcher matcher = pattern.matcher(value);
-        StringBuffer result = new StringBuffer();
-        while (matcher.find()) {
-            String varName = matcher.group(1);
-            String replacement = variables.getOrDefault(varName, matcher.group());
-            matcher.appendReplacement(result, Matcher.quoteReplacement(replacement));
-        }
-        matcher.appendTail(result);
-        return result.toString();
-    }
 
     private enum State {
         INITIAL,
@@ -103,9 +85,13 @@ private void handleGrantState(Context ctx) throws ParsingException, IOException
     }
 
     private void handleCodebaseState(Context ctx) throws ParsingException, IOException {
-        if (ctx.grant.codeBase != null)
-            error("Multiple Codebase expressions");
-        ctx.grant.codeBase = tokenStream.consume().text.replace(File.separatorChar, '/');
+        if (ctx.grant.codeBase != null) error("Multiple Codebase expressions");
+        String codeBase = tokenStream.consume().text;
+        try {
+            ctx.grant.codeBase = PropertyExpander.expand(codeBase);
+        } catch (PropertyExpander.ExpandException e) {
+            throw new ParsingException(tokenStream.line(), "Error expanding codebase: " + e.getMessage());
+        }
         accept(",");
         ctx.state = State.GRANT;
     }
@@ -123,7 +109,13 @@ private void handlePermissionState(Context ctx) throws ParsingException, IOExcep
     }
 
     private void handlePermissionNameState(Context ctx) throws ParsingException, IOException {
-        ctx.permission.name = tokenStream.consume().text;
+        String permissionName = tokenStream.consume().text;
+        try {
+            ctx.permission.name = PropertyExpander.expand(permissionName);
+            ctx.permission.originalName = permissionName; // Store the original, unexpanded name
+        } catch (PropertyExpander.ExpandException e) {
+            throw new ParsingException(tokenStream.line(), "Error expanding permission name: " + e.getMessage());
+        }
         if (accept(",")) {
             ctx.state = State.PERMISSION_ACTION;
         } else {
@@ -135,7 +127,12 @@ private void handlePermissionNameState(Context ctx) throws ParsingException, IOE
     }
 
     private void handlePermissionActionState(Context ctx) throws ParsingException, IOException {
-        ctx.permission.action = tokenStream.consume().text;
+        String action = tokenStream.consume().text;
+        try {
+            ctx.permission.action = PropertyExpander.expand(action);
+        } catch (PropertyExpander.ExpandException e) {
+            throw new ParsingException(tokenStream.line(), "Error expanding permission action: " + e.getMessage());
+        }
         ctx.grant.add(ctx.permission);
         ctx.permission = null;
         expect(";");
@@ -190,8 +187,14 @@ public static class ParsingException extends Exception {
         private final int lineNumber;
         private final String context;
 
+        public ParsingException(int lineNumber, String message) {
+            super(message);
+            this.lineNumber = lineNumber;
+            this.context = null;
+        }
+
         public ParsingException(int lineNumber, String message, String context) {
-            super("[Line " + lineNumber + "] Syntax error: " + message + " | Found: '" + context + "'");
+            super(message);
             this.lineNumber = lineNumber;
             this.context = context;
         }
@@ -248,5 +251,17 @@ public static class PermissionNode {
         public String permission;
         public String name;
         public String action;
+        public String originalName;
+
+        public PermissionNode() {
+            this(null, null, null);
+        }
+
+        public PermissionNode(String permission, String name, String action) {
+            this.permission = permission;
+            this.name = name;
+            this.action = action;
+            this.originalName = name;
+        }
     }
-}
+}

libs/secure-sm/src/test/java/org/opensearch/secure_sm/PolicyParserTests.java

@@ -25,29 +25,61 @@ public class PolicyParserTests extends OpenSearchTestCase {
           permission java.net.NetPermission "accessUnixDomainSocket";
           permission java.net.SocketPermission "*", "accept,connect";
         };
+
+        grant codeBase "${codebase.lucene-core}" {
+        // needed to allow MMapDirectory's "unmap hack" (die unmap hack, die)
+        // java 8 package
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        // java 9 "package"
+        permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.ref";
+        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+        // NOTE: also needed for RAMUsageEstimator size calculations
+        permission java.lang.RuntimePermission "${runtime.permission}";
+        };
         """;
 
     public void testPolicy() throws IOException, PolicyParser.ParsingException {
+        // Set system properties for expansion
+        System.setProperty("codebase.lucene-core", "/path/to/lucene-core");
+        System.setProperty("runtime.permission", "accessDeclaredMembers");
+
         try (Reader reader = new StringReader(POLICY)) {
             final PolicyParser policyParser = new PolicyParser();
+
             policyParser.read(reader);
 
             final Enumeration<PolicyParser.GrantNode> grantEntryEnumeration = policyParser.grantElements();
             final PolicyParser.GrantNode grantEntry1 = grantEntryEnumeration.nextElement();
             final PolicyParser.GrantNode grantEntry2 = grantEntryEnumeration.nextElement();
+            final PolicyParser.GrantNode grantEntry3 = grantEntryEnumeration.nextElement();
 
+            // Test first grant entry
             assertEquals("TestCodeBase", grantEntry1.codeBase);
             assertEquals(1, grantEntry1.permissionEntries.size());
-            assertEquals("java.net.NetPermission", grantEntry1.permissionEntries.getFirst().permission);
-            assertEquals("accessUnixDomainSocket", grantEntry1.permissionEntries.getFirst().name);
+            assertEquals("java.net.NetPermission", grantEntry1.permissionEntries.get(0).permission);
+            assertEquals("accessUnixDomainSocket", grantEntry1.permissionEntries.get(0).name);
 
+            // Test second grant entry
             assertNull(grantEntry2.codeBase);
             assertEquals(2, grantEntry2.permissionEntries.size());
-            assertEquals("java.net.NetPermission", grantEntry2.permissionEntries.getFirst().permission);
-            assertEquals("accessUnixDomainSocket", grantEntry2.permissionEntries.getFirst().name);
-            assertEquals("java.net.SocketPermission", grantEntry2.permissionEntries.getLast().permission);
-            assertEquals("*", grantEntry2.permissionEntries.getLast().name);
-            assertEquals("accept,connect", grantEntry2.permissionEntries.getLast().action);
+            assertEquals("java.net.NetPermission", grantEntry2.permissionEntries.get(0).permission);
+            assertEquals("accessUnixDomainSocket", grantEntry2.permissionEntries.get(0).name);
+            assertEquals("java.net.SocketPermission", grantEntry2.permissionEntries.get(1).permission);
+            assertEquals("*", grantEntry2.permissionEntries.get(1).name);
+            assertEquals("accept,connect", grantEntry2.permissionEntries.get(1).action);
+
+            // Test expansion
+            assertEquals("/path/to/lucene-core", grantEntry3.codeBase);
+            assertEquals(4, grantEntry3.permissionEntries.size());
+            assertEquals("java.lang.RuntimePermission", grantEntry3.permissionEntries.get(3).permission);
+            assertEquals("accessDeclaredMembers", grantEntry3.permissionEntries.get(3).name);
+
+            // Test that original (unexpanded) names are preserved
+            assertEquals("${runtime.permission}", grantEntry3.permissionEntries.get(3).originalName);
+        } finally {
+            // Clean up system properties
+            System.clearProperty("codebase.lucene-core");
+            System.clearProperty("runtime.permission");
         }
     }
 }