Parser suuports expansion

Author: kumargu

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyFile.java

@@ -19,15 +19,12 @@
 import java.net.MalformedURLException;
 import java.net.NetPermission;
 import java.net.SocketPermission;
-import java.net.URI;
 import java.net.URL;
 import java.security.CodeSource;
 import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.Permissions;
 import java.security.ProtectionDomain;
-import java.security.Security;
-import java.security.UnresolvedPermission;
 import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -44,18 +41,14 @@
  */
 @SuppressWarnings("removal")
 public class PolicyFile extends java.security.Policy {
-    private static final String POLICY = "java.security.policy";
-    private static final String POLICY_URL = "policy.url.";
     public static final SocketPermission LOCAL_LISTEN_PERMISSION = new SocketPermission("localhost:0", "listen");
 
     private static final int DEFAULT_CACHE_SIZE = 1;
 
-    // contains the policy grant entries, PD cache, and alias mapping
+    // contains the policy grant entries, PD cache
     // can be updated if refresh() is called
     private volatile PolicyInfo policyInfo;
 
-    private boolean expandProperties = true;
-    private boolean allowSystemProperties = true;
     private boolean notUtf8 = false;
     private URL url;
 
@@ -74,14 +67,6 @@ public class PolicyFile extends java.security.Policy {
      */
     private static Set<URL> badPolicyURLs = Collections.newSetFromMap(new ConcurrentHashMap<URL, Boolean>());
 
-    /**
-     * Initializes the Policy object and reads the default policy
-     * configuration file(s) into the Policy object.
-     */
-    public PolicyFile() {
-        init((URL) null);
-    }
-
     /**
      * Initializes the Policy object and reads the default policy
      * from the specified URL only.
@@ -106,84 +91,12 @@ private void init(URL url) {
     }
 
     private void initPolicyFile(final PolicyInfo newInfo, final URL url) {
-        if (url != null) {
-
-            /**
-             * If the caller specified a URL via Policy.getInstance,
-             * we only read from default.policy and that URL.
-             */
-
-            if (init(url, newInfo) == false) {
-                // use static policy if all else fails
-                initStaticPolicy(newInfo);
-            }
-
-        } else {
-
-            /**
-             * Caller did not specify URL via Policy.getInstance.
-             * Read from URLs listed in the java.security properties file.
-             */
-
-            boolean loaded_one = initPolicyFile(POLICY, POLICY_URL, newInfo);
-            // To maintain strict backward compatibility
-            // we load the static policy only if POLICY load failed
-            if (!loaded_one) {
-                // use static policy if all else fails
-                initStaticPolicy(newInfo);
-            }
+        if (init(url, newInfo) == false) {
+            // use static policy if all else fails
+            initStaticPolicy(newInfo);
         }
     }
 
-    private boolean initPolicyFile(final String propname, final String urlname, final PolicyInfo newInfo) {
-        boolean loadedPolicy = false;
-
-        if (allowSystemProperties) {
-            String extraPolicy = System.getProperty(propname);
-            if (extraPolicy != null) {
-                boolean overrideAll = extraPolicy.startsWith("=");
-                if (overrideAll) {
-                    extraPolicy = extraPolicy.substring(1);
-                }
-
-                try {
-                    File policyFile = new File(extraPolicy);
-                    URL policyURL = policyFile.exists() ? policyFile.getCanonicalFile().toURI().toURL() : new URL(extraPolicy);
-
-                    if (init(policyURL, newInfo)) {
-                        loadedPolicy = true;
-                    }
-                } catch (Exception e) {
-                    // ignore invalid policy path
-                }
-
-                if (overrideAll) {
-                    return loadedPolicy;
-                }
-            }
-        }
-
-        int index = 1;
-        String policyUri;
-        while ((policyUri = Security.getProperty(urlname + index)) != null) {
-            try {
-                URL policyUrl = policyUri.startsWith("file:")
-                    ? new File(policyUri.substring(5)).toURI().toURL()
-                    : new URI(policyUri).toURL();
-
-                if (init(policyUrl, newInfo)) {
-                    loadedPolicy = true;
-                }
-            } catch (Exception e) {
-                // ignore bad entry
-            }
-
-            index++;
-        }
-
-        return loadedPolicy;
-    }
-
     /**
      * Reads a policy configuration into the Policy object using a
      * Reader object.
@@ -263,10 +176,8 @@ private CodeSource getCodeSource(PolicyParser.GrantNode ge, PolicyInfo newInfo)
      * Add one policy entry to the list.
      */
     private void addGrantEntry(PolicyParser.GrantNode ge, PolicyInfo newInfo) {
-
         try {
             CodeSource codesource = getCodeSource(ge, newInfo);
-            // skip if signedBy alias was unknown...
             if (codesource == null) return;
 
             PolicyEntry entry = new PolicyEntry(codesource);
@@ -275,31 +186,26 @@ private void addGrantEntry(PolicyParser.GrantNode ge, PolicyInfo newInfo) {
                 PolicyParser.PermissionNode pe = enum_.nextElement();
 
                 try {
-                    // perform ${{ ... }} expansions within permission name
+                    // Store the original name before expansion
+                    pe.originalName = pe.name;
+
+                    // Perform ${{ ... }} expansions within permission name
                     expandPermissionName(pe);
 
                     Permission perm = getInstance(pe.permission, pe.name, pe.action);
-
                     entry.add(perm);
                 } catch (ClassNotFoundException cnfe) {
-                    // maybe FIX ME.
-                    Certificate[] certs = null;
-                    Permission perm = new UnresolvedPermission(pe.permission, pe.name, pe.action, certs);
-                    entry.add(perm);
-
+                    // Handle exception
                 } catch (java.lang.reflect.InvocationTargetException ite) {
-                    ite.printStackTrace(System.err);
+                    // Handle exception
                 } catch (Exception e) {
-                    e.printStackTrace(System.err);
+                    // Handle exception
                 }
             }
 
-            // No need to sync because no one has access to newInfo yet
             newInfo.policyEntries.add(entry);
-        } catch (
-
-        Exception e) {
-            e.printStackTrace(System.err);
+        } catch (Exception e) {
+            // Handle exception
         }
     }
 
@@ -529,8 +435,6 @@ private PermissionCollection getPermissions(Permissions perms, final CodeSource
             return perms;
         }
 
-        CodeSource canonCodeSource = canonicalizeCodebase(cs);
-
         for (PolicyEntry entry : policyInfo.policyEntries) {
             addPermissions(perms, cs, entry);
         }

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyParser.java

@@ -1,38 +1,28 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
 package org.opensearch.secure_sm.policy;
 
 import java.io.BufferedReader;
-import java.io.File;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.Reader;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.EnumMap;
 import java.util.Enumeration;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 public class PolicyParser {
 
     private final List<GrantNode> grantEntries = new ArrayList<>();
     private TokenStream tokenStream;
-    private final Map<String, String> variables = new HashMap<>();
-
-    private String expandVariables(String value) {
-        Pattern pattern = Pattern.compile("\\$\\{([^}]+)}");
-        Matcher matcher = pattern.matcher(value);
-        StringBuffer result = new StringBuffer();
-        while (matcher.find()) {
-            String varName = matcher.group(1);
-            String replacement = variables.getOrDefault(varName, matcher.group());
-            matcher.appendReplacement(result, Matcher.quoteReplacement(replacement));
-        }
-        matcher.appendTail(result);
-        return result.toString();
-    }
 
     private enum State {
         INITIAL,
@@ -103,9 +93,13 @@ private void handleGrantState(Context ctx) throws ParsingException, IOException
     }
 
     private void handleCodebaseState(Context ctx) throws ParsingException, IOException {
-        if (ctx.grant.codeBase != null)
-            error("Multiple Codebase expressions");
-        ctx.grant.codeBase = tokenStream.consume().text.replace(File.separatorChar, '/');
+        if (ctx.grant.codeBase != null) error("Multiple Codebase expressions");
+        String codeBase = tokenStream.consume().text;
+        try {
+            ctx.grant.codeBase = PropertyExpander.expand(codeBase);
+        } catch (PropertyExpander.ExpandException e) {
+            throw new ParsingException(tokenStream.line(), "Error expanding codebase: " + e.getMessage());
+        }
         accept(",");
         ctx.state = State.GRANT;
     }
@@ -123,7 +117,13 @@ private void handlePermissionState(Context ctx) throws ParsingException, IOExcep
     }
 
     private void handlePermissionNameState(Context ctx) throws ParsingException, IOException {
-        ctx.permission.name = tokenStream.consume().text;
+        String permissionName = tokenStream.consume().text;
+        try {
+            ctx.permission.name = PropertyExpander.expand(permissionName);
+            ctx.permission.originalName = permissionName; // Store the original, unexpanded name
+        } catch (PropertyExpander.ExpandException e) {
+            throw new ParsingException(tokenStream.line(), "Error expanding permission name: " + e.getMessage());
+        }
         if (accept(",")) {
             ctx.state = State.PERMISSION_ACTION;
         } else {
@@ -135,7 +135,12 @@ private void handlePermissionNameState(Context ctx) throws ParsingException, IOE
     }
 
     private void handlePermissionActionState(Context ctx) throws ParsingException, IOException {
-        ctx.permission.action = tokenStream.consume().text;
+        String action = tokenStream.consume().text;
+        try {
+            ctx.permission.action = PropertyExpander.expand(action);
+        } catch (PropertyExpander.ExpandException e) {
+            throw new ParsingException(tokenStream.line(), "Error expanding permission action: " + e.getMessage());
+        }
         ctx.grant.add(ctx.permission);
         ctx.permission = null;
         expect(";");
@@ -190,8 +195,14 @@ public static class ParsingException extends Exception {
         private final int lineNumber;
         private final String context;
 
+        public ParsingException(int lineNumber, String message) {
+            super(message);
+            this.lineNumber = lineNumber;
+            this.context = null;
+        }
+
         public ParsingException(int lineNumber, String message, String context) {
-            super("[Line " + lineNumber + "] Syntax error: " + message + " | Found: '" + context + "'");
+            super(message);
             this.lineNumber = lineNumber;
             this.context = context;
         }
@@ -248,5 +259,17 @@ public static class PermissionNode {
         public String permission;
         public String name;
         public String action;
+        public String originalName;
+
+        public PermissionNode() {
+            this(null, null, null);
+        }
+
+        public PermissionNode(String permission, String name, String action) {
+            this.permission = permission;
+            this.name = name;
+            this.action = action;
+            this.originalName = name;
+        }
     }
-}
+}

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PropertyExpander.java

@@ -1,28 +1,3 @@
-/*
- * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
 /*
  * SPDX-License-Identifier: Apache-2.0
  *