You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by si...@apache.org on 2019/10/30 16:18:19 UTC
[sling-org-apache-sling-feature-apiregions] 01/01: SLING-8815 -
[API Regions] Prevent from resolving to customer-provided bundles
This is an automated email from the ASF dual-hosted git repository.
simonetripodi pushed a commit to branch SLING-8815
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-feature-apiregions.git
commit ae15a0cf388d88926f5690526cd8663a0373ca8e
Author: Simo Tripodi <st...@adobe.com>
AuthorDate: Wed Oct 30 17:18:03 2019 +0100
SLING-8815 - [API Regions] Prevent from resolving to customer-provided
bundles
initial checkin
---
.../impl/AbstractResolverHookFactory.java | 70 ++++++++++++++++
.../apiregions/impl/PlatformIsolationEnforcer.java | 78 ++++++++++++++++++
.../apiregions/impl/PlatformIsolationHook.java | 93 ++++++++++++++++++++++
.../feature/apiregions/impl/RegionEnforcer.java | 48 ++---------
4 files changed, 248 insertions(+), 41 deletions(-)
diff --git a/src/main/java/org/apache/sling/feature/apiregions/impl/AbstractResolverHookFactory.java b/src/main/java/org/apache/sling/feature/apiregions/impl/AbstractResolverHookFactory.java
new file mode 100644
index 0000000..dcab1d1
--- /dev/null
+++ b/src/main/java/org/apache/sling/feature/apiregions/impl/AbstractResolverHookFactory.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.feature.apiregions.impl;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.hooks.resolver.ResolverHookFactory;
+
+abstract class AbstractResolverHookFactory implements ResolverHookFactory {
+
+ static final String CLASSLOADER_PSEUDO_PROTOCOL = "classloader://";
+
+ static final String PROPERTIES_RESOURCE_PREFIX = "sling.feature.apiregions.resource.";
+
+ static final String PROPERTIES_FILE_LOCATION = "sling.feature.apiregions.location";
+
+ static final String IDBSNVER_FILENAME = "idbsnver.properties";
+
+ protected final URI getDataFileURI(BundleContext ctx, String name) throws IOException, URISyntaxException {
+ String fn = ctx.getProperty(PROPERTIES_RESOURCE_PREFIX + name);
+ if (fn == null) {
+ String loc = ctx.getProperty(PROPERTIES_FILE_LOCATION);
+ if (loc != null) {
+ fn = loc + "/" + name;
+ }
+ }
+
+ if (fn == null) {
+ throw new IOException("API Region Enforcement enabled, but no configuration found to find "
+ + "region definition resource: " + name);
+ }
+
+ if (fn.contains(":")) {
+ if (fn.startsWith(CLASSLOADER_PSEUDO_PROTOCOL)) {
+ // It's using the 'classloader:' protocol looks up the location from the classloader
+ String loc = fn.substring(CLASSLOADER_PSEUDO_PROTOCOL.length());
+ if (!loc.startsWith("/")) {
+ loc = "/" + loc;
+ }
+ fn = getClass().getResource(loc).toString();
+ }
+ // It's already a URL
+ return new URI(fn);
+ }
+
+ // It's a file location
+ return new File(fn).toURI();
+ }
+
+}
diff --git a/src/main/java/org/apache/sling/feature/apiregions/impl/PlatformIsolationEnforcer.java b/src/main/java/org/apache/sling/feature/apiregions/impl/PlatformIsolationEnforcer.java
new file mode 100644
index 0000000..04b30a3
--- /dev/null
+++ b/src/main/java/org/apache/sling/feature/apiregions/impl/PlatformIsolationEnforcer.java
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.feature.apiregions.impl;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.Version;
+import org.osgi.framework.hooks.resolver.ResolverHook;
+import org.osgi.framework.wiring.BundleRevision;
+
+public class PlatformIsolationEnforcer extends AbstractResolverHookFactory {
+
+ final Map<String, Version> bsnVerMap;
+
+ PlatformIsolationEnforcer(BundleContext context) throws IOException, URISyntaxException {
+ bsnVerMap = readBsnVerMap(context);
+ }
+
+ private Map<String, Version> readBsnVerMap(BundleContext context) throws IOException, URISyntaxException {
+ final Map<String, Version> bsnVerMap = new HashMap<>();
+
+ URI idbsnverFile = getDataFileURI(context, IDBSNVER_FILENAME);
+
+ Properties p = new Properties();
+ try (InputStream is = idbsnverFile.toURL().openStream()) {
+ p.load(is);
+ }
+
+ for (Object valueObject : p.values()) {
+ if (valueObject != null) { // it shouldn't happen, but...
+ String value = valueObject.toString();
+
+ int splitIndex = value.indexOf('~');
+ if (splitIndex != -1) { // again, it shouldn't happen...
+ String bundleSymbolicName = value.substring(0, splitIndex);
+ String bundleVersion = value.substring(splitIndex + 1);
+ Version version = Version.valueOf(bundleVersion);
+
+ bsnVerMap.put(bundleSymbolicName, version);
+ }
+ }
+ }
+
+ return Collections.unmodifiableMap(bsnVerMap);
+ }
+
+ @Override
+ public ResolverHook begin(Collection<BundleRevision> triggers) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+}
diff --git a/src/main/java/org/apache/sling/feature/apiregions/impl/PlatformIsolationHook.java b/src/main/java/org/apache/sling/feature/apiregions/impl/PlatformIsolationHook.java
new file mode 100644
index 0000000..0c7ef48
--- /dev/null
+++ b/src/main/java/org/apache/sling/feature/apiregions/impl/PlatformIsolationHook.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.feature.apiregions.impl;
+
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.Map;
+
+import org.osgi.framework.Version;
+import org.osgi.framework.hooks.resolver.ResolverHook;
+import org.osgi.framework.wiring.BundleCapability;
+import org.osgi.framework.wiring.BundleRequirement;
+import org.osgi.framework.wiring.BundleRevision;
+
+public class PlatformIsolationHook implements ResolverHook {
+
+ protected static final String OSGI_WIRING_PACKAGE_NAMESPACE = "osgi.wiring.package";
+
+ private final Map<String, Version> bsnVerMap;
+
+ PlatformIsolationHook(Map<String, Version> bsnVerMap) {
+ this.bsnVerMap = bsnVerMap;
+ }
+
+ @Override
+ public void filterResolvable(Collection<BundleRevision> candidates) {
+ // not used in this version
+ }
+
+ @Override
+ public void filterSingletonCollisions(BundleCapability singleton, Collection<BundleCapability> collisionCandidates) {
+ // not used in this version
+ }
+
+ @Override
+ public void filterMatches(BundleRequirement requirement, Collection<BundleCapability> candidates) {
+ for (Iterator<BundleCapability> it = candidates.iterator(); it.hasNext();) {
+ BundleCapability candidate = it.next();
+
+ BundleRevision rev = candidate.getRevision();
+
+ // bundle is allowed to wire to itself
+ if (requirement.getRevision().getBundle().getBundleId() == rev.getBundle().getBundleId()) {
+ continue;
+ }
+
+ // is it a restricted bundle?
+ if (filter(requirement, candidate)) {
+ it.remove();
+ // LOG.info("Prevented {} from resolving to {}", requirement, candidate);
+ }
+ }
+ }
+
+ private boolean filter(BundleRequirement requirement, BundleCapability candidate) {
+ String requirementNamespace = requirement.getNamespace();
+ String candidateNamespace = candidate.getNamespace();
+ if (!OSGI_WIRING_PACKAGE_NAMESPACE.equals(requirementNamespace)
+ || !requirementNamespace.equals(candidateNamespace)) {
+ return false; // checking wiring packages only
+ }
+
+ BundleRevision candidateRevision = candidate.getRevision();
+ String candidateSymbolicName = candidateRevision.getSymbolicName();
+ Version candidateVersion = candidateRevision.getVersion();
+
+ Version expectedVersion = bsnVerMap.get(candidateSymbolicName);
+
+ return expectedVersion != null && expectedVersion.equals(candidateVersion);
+ }
+
+ @Override
+ public void end() {
+ // not used in this version
+ }
+
+}
diff --git a/src/main/java/org/apache/sling/feature/apiregions/impl/RegionEnforcer.java b/src/main/java/org/apache/sling/feature/apiregions/impl/RegionEnforcer.java
index a2dd9f8..468a66a 100644
--- a/src/main/java/org/apache/sling/feature/apiregions/impl/RegionEnforcer.java
+++ b/src/main/java/org/apache/sling/feature/apiregions/impl/RegionEnforcer.java
@@ -18,13 +18,6 @@
*/
package org.apache.sling.feature.apiregions.impl;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.Version;
-import org.osgi.framework.hooks.resolver.ResolverHook;
-import org.osgi.framework.hooks.resolver.ResolverHookFactory;
-import org.osgi.framework.wiring.BundleRevision;
-
-import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
@@ -45,15 +38,17 @@ import java.util.Properties;
import java.util.Set;
import java.util.logging.Logger;
-class RegionEnforcer implements ResolverHookFactory {
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.Version;
+import org.osgi.framework.hooks.resolver.ResolverHook;
+import org.osgi.framework.wiring.BundleRevision;
+
+class RegionEnforcer extends AbstractResolverHookFactory {
public static final String GLOBAL_REGION = "global";
- static final String CLASSLOADER_PSEUDO_PROTOCOL = "classloader://";
static final String APIREGIONS_JOINGLOBAL = "sling.feature.apiregions.joinglobal";
- static final String PROPERTIES_RESOURCE_PREFIX = "sling.feature.apiregions.resource.";
- static final String PROPERTIES_FILE_LOCATION = "sling.feature.apiregions.location";
- static final String IDBSNVER_FILENAME = "idbsnver.properties";
+
static final String BUNDLE_FEATURE_FILENAME = "bundles.properties";
static final String FEATURE_REGION_FILENAME = "features.properties";
static final String REGION_PACKAGE_FILENAME = "regions.properties";
@@ -199,35 +194,6 @@ class RegionEnforcer implements ResolverHookFactory {
bf.addAll(values);
}
- private URI getDataFileURI(BundleContext ctx, String name) throws IOException, URISyntaxException {
- String fn = ctx.getProperty(PROPERTIES_RESOURCE_PREFIX + name);
- if (fn == null) {
- String loc = ctx.getProperty(PROPERTIES_FILE_LOCATION);
- if (loc != null) {
- fn = loc + "/" + name;
- }
- }
-
- if (fn == null)
- throw new IOException("API Region Enforcement enabled, but no configuration found to find "
- + "region definition resource: " + name);
-
- if (fn.contains(":")) {
- if (fn.startsWith(CLASSLOADER_PSEUDO_PROTOCOL)) {
- // It's using the 'classloader:' protocol looks up the location from the classloader
- String loc = fn.substring(CLASSLOADER_PSEUDO_PROTOCOL.length());
- if (!loc.startsWith("/"))
- loc = "/" + loc;
- fn = getClass().getResource(loc).toString();
- }
- // It's already a URL
- return new URI(fn);
- } else {
- // It's a file location
- return new File(fn).toURI();
- }
- }
-
@Override
public ResolverHook begin(Collection<BundleRevision> triggers) {
if (enabledRegions.isEmpty())