1*cdf0e10cSrcweir /************************************************************************* 2*cdf0e10cSrcweir * 3*cdf0e10cSrcweir * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4*cdf0e10cSrcweir * 5*cdf0e10cSrcweir * Copyright 2000, 2010 Oracle and/or its affiliates. 6*cdf0e10cSrcweir * 7*cdf0e10cSrcweir * OpenOffice.org - a multi-platform office productivity suite 8*cdf0e10cSrcweir * 9*cdf0e10cSrcweir * This file is part of OpenOffice.org. 10*cdf0e10cSrcweir * 11*cdf0e10cSrcweir * OpenOffice.org is free software: you can redistribute it and/or modify 12*cdf0e10cSrcweir * it under the terms of the GNU Lesser General Public License version 3 13*cdf0e10cSrcweir * only, as published by the Free Software Foundation. 14*cdf0e10cSrcweir * 15*cdf0e10cSrcweir * OpenOffice.org is distributed in the hope that it will be useful, 16*cdf0e10cSrcweir * but WITHOUT ANY WARRANTY; without even the implied warranty of 17*cdf0e10cSrcweir * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18*cdf0e10cSrcweir * GNU Lesser General Public License version 3 for more details 19*cdf0e10cSrcweir * (a copy is included in the LICENSE file that accompanied this code). 20*cdf0e10cSrcweir * 21*cdf0e10cSrcweir * You should have received a copy of the GNU Lesser General Public License 22*cdf0e10cSrcweir * version 3 along with OpenOffice.org. If not, see 23*cdf0e10cSrcweir * <http://www.openoffice.org/license.html> 24*cdf0e10cSrcweir * for a copy of the LGPLv3 License. 25*cdf0e10cSrcweir * 26*cdf0e10cSrcweir ************************************************************************/ 27*cdf0e10cSrcweir 28*cdf0e10cSrcweir // MARKER(update_precomp.py): autogen include statement, do not remove 29*cdf0e10cSrcweir #include "precompiled_stoc.hxx" 30*cdf0e10cSrcweir 31*cdf0e10cSrcweir #include <stdio.h> 32*cdf0e10cSrcweir 33*cdf0e10cSrcweir #include <sal/main.h> 34*cdf0e10cSrcweir #include <osl/diagnose.h> 35*cdf0e10cSrcweir #include <osl/socket.hxx> 36*cdf0e10cSrcweir #include <rtl/string.hxx> 37*cdf0e10cSrcweir #include <rtl/ustrbuf.hxx> 38*cdf0e10cSrcweir #include <uno/current_context.hxx> 39*cdf0e10cSrcweir 40*cdf0e10cSrcweir #include <cppuhelper/implbase1.hxx> 41*cdf0e10cSrcweir #include <cppuhelper/bootstrap.hxx> 42*cdf0e10cSrcweir #include <cppuhelper/access_control.hxx> 43*cdf0e10cSrcweir 44*cdf0e10cSrcweir #include <com/sun/star/lang/XComponent.hpp> 45*cdf0e10cSrcweir #include <com/sun/star/uno/XCurrentContext.hpp> 46*cdf0e10cSrcweir 47*cdf0e10cSrcweir #include <com/sun/star/io/FilePermission.hpp> 48*cdf0e10cSrcweir 49*cdf0e10cSrcweir #define USER_CREDS "access-control.user-credentials" 50*cdf0e10cSrcweir #define OUSTR(x) ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM(x) ) 51*cdf0e10cSrcweir 52*cdf0e10cSrcweir 53*cdf0e10cSrcweir using namespace ::osl; 54*cdf0e10cSrcweir using namespace ::rtl; 55*cdf0e10cSrcweir using namespace ::cppu; 56*cdf0e10cSrcweir using namespace ::com::sun::star; 57*cdf0e10cSrcweir using namespace ::com::sun::star::uno; 58*cdf0e10cSrcweir 59*cdf0e10cSrcweir //-------------------------------------------------------------------------------------------------- 60*cdf0e10cSrcweir static OUString localhost( OUString const & addition ) SAL_THROW( () ) 61*cdf0e10cSrcweir { 62*cdf0e10cSrcweir static OUString ip; 63*cdf0e10cSrcweir if (! ip.getLength()) 64*cdf0e10cSrcweir { 65*cdf0e10cSrcweir // dns lookup 66*cdf0e10cSrcweir SocketAddr addr; 67*cdf0e10cSrcweir SocketAddr::resolveHostname( OUSTR("localhost"), addr ); 68*cdf0e10cSrcweir ::oslSocketResult rc = ::osl_getDottedInetAddrOfSocketAddr( addr.getHandle(), &ip.pData ); 69*cdf0e10cSrcweir if (::osl_Socket_Ok != rc) 70*cdf0e10cSrcweir fprintf(stdout, "### cannot resolve localhost!" ); 71*cdf0e10cSrcweir } 72*cdf0e10cSrcweir OUStringBuffer buf( 48 ); 73*cdf0e10cSrcweir buf.append( ip ); 74*cdf0e10cSrcweir buf.append( addition ); 75*cdf0e10cSrcweir return buf.makeStringAndClear(); 76*cdf0e10cSrcweir } 77*cdf0e10cSrcweir 78*cdf0e10cSrcweir //-------------------------------------------------------------------------------------------------- 79*cdf0e10cSrcweir static inline void dispose( Reference< XInterface > const & x ) 80*cdf0e10cSrcweir SAL_THROW( (RuntimeException) ) 81*cdf0e10cSrcweir { 82*cdf0e10cSrcweir Reference< lang::XComponent > xComp( x, UNO_QUERY ); 83*cdf0e10cSrcweir if (xComp.is()) 84*cdf0e10cSrcweir { 85*cdf0e10cSrcweir xComp->dispose(); 86*cdf0e10cSrcweir } 87*cdf0e10cSrcweir } 88*cdf0e10cSrcweir //================================================================================================== 89*cdf0e10cSrcweir class user_CurrentContext 90*cdf0e10cSrcweir : public ImplHelper1< XCurrentContext > 91*cdf0e10cSrcweir { 92*cdf0e10cSrcweir oslInterlockedCount m_refcount; 93*cdf0e10cSrcweir 94*cdf0e10cSrcweir Reference< XCurrentContext > m_xDelegate; 95*cdf0e10cSrcweir Any m_userId; 96*cdf0e10cSrcweir 97*cdf0e10cSrcweir public: 98*cdf0e10cSrcweir inline user_CurrentContext( 99*cdf0e10cSrcweir Reference< XCurrentContext > const & xDelegate, 100*cdf0e10cSrcweir OUString const & userId ) 101*cdf0e10cSrcweir SAL_THROW( () ) 102*cdf0e10cSrcweir : m_refcount( 0 ) 103*cdf0e10cSrcweir , m_xDelegate( xDelegate ) 104*cdf0e10cSrcweir , m_userId( makeAny( userId ) ) 105*cdf0e10cSrcweir {} 106*cdf0e10cSrcweir 107*cdf0e10cSrcweir // XInterface impl 108*cdf0e10cSrcweir virtual void SAL_CALL acquire() 109*cdf0e10cSrcweir throw (); 110*cdf0e10cSrcweir virtual void SAL_CALL release() 111*cdf0e10cSrcweir throw (); 112*cdf0e10cSrcweir 113*cdf0e10cSrcweir // XCurrentContext impl 114*cdf0e10cSrcweir virtual Any SAL_CALL getValueByName( OUString const & name ) 115*cdf0e10cSrcweir throw (RuntimeException); 116*cdf0e10cSrcweir }; 117*cdf0e10cSrcweir //__________________________________________________________________________________________________ 118*cdf0e10cSrcweir void user_CurrentContext::acquire() 119*cdf0e10cSrcweir throw () 120*cdf0e10cSrcweir { 121*cdf0e10cSrcweir ::osl_incrementInterlockedCount( &m_refcount ); 122*cdf0e10cSrcweir } 123*cdf0e10cSrcweir //__________________________________________________________________________________________________ 124*cdf0e10cSrcweir void user_CurrentContext::release() 125*cdf0e10cSrcweir throw () 126*cdf0e10cSrcweir { 127*cdf0e10cSrcweir if (! ::osl_decrementInterlockedCount( &m_refcount )) 128*cdf0e10cSrcweir { 129*cdf0e10cSrcweir delete this; 130*cdf0e10cSrcweir } 131*cdf0e10cSrcweir } 132*cdf0e10cSrcweir //__________________________________________________________________________________________________ 133*cdf0e10cSrcweir Any user_CurrentContext::getValueByName( OUString const & name ) 134*cdf0e10cSrcweir throw (RuntimeException) 135*cdf0e10cSrcweir { 136*cdf0e10cSrcweir if (name.equalsAsciiL( RTL_CONSTASCII_STRINGPARAM(USER_CREDS ".id") )) 137*cdf0e10cSrcweir { 138*cdf0e10cSrcweir return m_userId; 139*cdf0e10cSrcweir } 140*cdf0e10cSrcweir else if (m_xDelegate.is()) 141*cdf0e10cSrcweir { 142*cdf0e10cSrcweir return m_xDelegate->getValueByName( name ); 143*cdf0e10cSrcweir } 144*cdf0e10cSrcweir else 145*cdf0e10cSrcweir { 146*cdf0e10cSrcweir return Any(); 147*cdf0e10cSrcweir } 148*cdf0e10cSrcweir } 149*cdf0e10cSrcweir 150*cdf0e10cSrcweir // prepends line number 151*cdf0e10cSrcweir #define CHECK( check, negative_test ) \ 152*cdf0e10cSrcweir { \ 153*cdf0e10cSrcweir try \ 154*cdf0e10cSrcweir { \ 155*cdf0e10cSrcweir if (negative_test) \ 156*cdf0e10cSrcweir { \ 157*cdf0e10cSrcweir bool thrown = true; \ 158*cdf0e10cSrcweir try \ 159*cdf0e10cSrcweir { \ 160*cdf0e10cSrcweir check; \ 161*cdf0e10cSrcweir thrown = false; \ 162*cdf0e10cSrcweir } \ 163*cdf0e10cSrcweir catch (RuntimeException &) \ 164*cdf0e10cSrcweir { \ 165*cdf0e10cSrcweir } \ 166*cdf0e10cSrcweir if (! thrown) \ 167*cdf0e10cSrcweir { \ 168*cdf0e10cSrcweir throw RuntimeException( \ 169*cdf0e10cSrcweir OUSTR("expected RuntimeException upon check!"), Reference< XInterface >() ); \ 170*cdf0e10cSrcweir } \ 171*cdf0e10cSrcweir } \ 172*cdf0e10cSrcweir else \ 173*cdf0e10cSrcweir { \ 174*cdf0e10cSrcweir check; \ 175*cdf0e10cSrcweir } \ 176*cdf0e10cSrcweir } \ 177*cdf0e10cSrcweir catch (RuntimeException & exc) \ 178*cdf0e10cSrcweir { \ 179*cdf0e10cSrcweir OUStringBuffer buf( 64 ); \ 180*cdf0e10cSrcweir buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("[line ") ); \ 181*cdf0e10cSrcweir buf.append( (sal_Int32)__LINE__ ); \ 182*cdf0e10cSrcweir buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("] ") ); \ 183*cdf0e10cSrcweir buf.append( exc.Message ); \ 184*cdf0e10cSrcweir throw RuntimeException( buf.makeStringAndClear(), Reference< XInterface >() ); \ 185*cdf0e10cSrcweir } \ 186*cdf0e10cSrcweir } 187*cdf0e10cSrcweir 188*cdf0e10cSrcweir /* 189*cdf0e10cSrcweir grant 190*cdf0e10cSrcweir { 191*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///usr/bin/ *", "read"; 192*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///tmp/-", "read,write"; 193*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///etc/profile", "read"; 194*cdf0e10cSrcweir 195*cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "DEF"; 196*cdf0e10cSrcweir 197*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "127.0.0.1:-1023", "resolve, connect, listen"; 198*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "localhost:1024-", "accept, connect, listen, resolve,"; 199*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "*.sun.com:1024-", "resolve"; 200*cdf0e10cSrcweir }; 201*cdf0e10cSrcweir */ 202*cdf0e10cSrcweir static void check_defaults_pos( AccessControl & ac, bool invert = false ) 203*cdf0e10cSrcweir { 204*cdf0e10cSrcweir // positive tests 205*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("read") ), invert ); 206*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/bla"), OUSTR("read,write") ), invert ); 207*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/path/path/bla"), OUSTR("write") ), invert ); 208*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("read") ), invert ); 209*cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DEF") ), invert ); 210*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:1024"), OUSTR("connect") ), invert ); 211*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:65535"), OUSTR("resolve") ), invert ); 212*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":2048")), OUSTR("accept,listen") ), invert ); 213*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":1024-")), OUSTR("accept,connect,listen,resolve") ), invert ); 214*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("resolve,listen,connect") ), invert ); 215*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jl-1036.germany.sun.com:1024-"), OUSTR("resolve") ), invert ); 216*cdf0e10cSrcweir } 217*cdf0e10cSrcweir static void check_defaults_neg( AccessControl & ac, bool invert = false ) 218*cdf0e10cSrcweir { 219*cdf0e10cSrcweir // negative tests 220*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/tmp"), OUSTR("read") ), !invert ); 221*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///"), OUSTR("read") ), !invert ); 222*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin"), OUSTR("read") ), !invert ); 223*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("write") ), !invert ); 224*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("execute") ), !invert ); 225*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/path/bla"), OUSTR("read") ), !invert ); 226*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp"), OUSTR("read") ), !invert ); 227*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/"), OUSTR("read") ), !invert ); 228*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tm"), OUSTR("read") ), !invert ); 229*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("write") ), !invert ); 230*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile/bla"), OUSTR("read") ), !invert ); 231*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), !invert ); 232*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), !invert ); 233*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), !invert ); 234*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("delete") ), !invert ); 235*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUString() ), !invert ); 236*cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), !invert ); 237*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:1023"), OUSTR("accept") ), !invert ); 238*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:123-"), OUSTR("accept") ), !invert ); 239*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":-1023")), OUSTR("accept") ), !invert ); 240*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("accept,resolve") ), !invert ); 241*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("sun.com:1024-"), OUSTR("resolve") ), !invert ); 242*cdf0e10cSrcweir } 243*cdf0e10cSrcweir 244*cdf0e10cSrcweir /* 245*cdf0e10cSrcweir grant user "dbo" 246*cdf0e10cSrcweir { 247*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///home/dbo/-", "read,write"; 248*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "-", "read,write"; 249*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///usr/local/dbo/ *", "read"; 250*cdf0e10cSrcweir 251*cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "DBO"; 252*cdf0e10cSrcweir 253*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-1:1024-", "listen"; 254*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:-1023", "resolve"; 255*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:18", "listen"; 256*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:20-24", "listen"; 257*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081", "connect"; 258*cdf0e10cSrcweir }; 259*cdf0e10cSrcweir */ 260*cdf0e10cSrcweir static void check_dbo_pos( AccessControl & ac, bool invert = false ) 261*cdf0e10cSrcweir { 262*cdf0e10cSrcweir check_defaults_pos( ac, invert ); 263*cdf0e10cSrcweir // positive tests 264*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), invert ); 265*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), invert ); 266*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), invert ); 267*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read,write") ), invert ); 268*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,write") ), invert ); 269*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/*"), OUSTR("read") ), invert ); 270*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), invert ); 271*cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), invert ); 272*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:1024-"), OUSTR("listen") ), invert ); 273*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-3122"), OUSTR("listen") ), invert ); 274*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-"), OUSTR("listen") ), invert ); 275*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:-1023"), OUSTR("resolve") ), invert ); 276*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-1023"), OUSTR("resolve") ), invert ); 277*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:18"), OUSTR("listen") ), invert ); 278*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-24"), OUSTR("listen") ), invert ); 279*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("listen") ), invert ); 280*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), invert ); 281*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("connect") ), invert ); 282*cdf0e10cSrcweir } 283*cdf0e10cSrcweir static void check_dbo_neg( AccessControl & ac, bool invert = false ) 284*cdf0e10cSrcweir { 285*cdf0e10cSrcweir check_defaults_neg( ac, invert ); 286*cdf0e10cSrcweir // negative tests 287*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert ); 288*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), !invert ); 289*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), !invert ); 290*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), !invert ); 291*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read") ), !invert ); 292*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,execute") ), !invert ); 293*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert ); 294*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/bla"), OUSTR("read") ), !invert ); 295*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert ); 296*cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), !invert ); 297*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("listen") ), !invert ); 298*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("accept") ), !invert ); 299*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:22"), OUSTR("resolve") ), !invert ); 300*cdf0e10cSrcweir } 301*cdf0e10cSrcweir 302*cdf0e10cSrcweir /* 303*cdf0e10cSrcweir grant user "jbu" 304*cdf0e10cSrcweir { 305*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///home/jbu/-", "read,write"; 306*cdf0e10cSrcweir permission com.sun.star.io.FilePermission "*", "read,write"; 307*cdf0e10cSrcweir 308*cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "JBU"; 309*cdf0e10cSrcweir 310*cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "jbu-11096","resolve"; 311*cdf0e10cSrcweir }; 312*cdf0e10cSrcweir */ 313*cdf0e10cSrcweir static void check_jbu_pos( AccessControl & ac, bool invert = false ) 314*cdf0e10cSrcweir { 315*cdf0e10cSrcweir check_defaults_pos( ac, invert ); 316*cdf0e10cSrcweir // positive tests 317*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), invert ); 318*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), invert ); 319*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), invert ); 320*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read,write") ), invert ); 321*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/path/bla"), OUSTR("read,write") ), invert ); 322*cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), invert ); 323*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096"), OUSTR("resolve") ), invert ); 324*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("resolve") ), invert ); 325*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com:2048"), OUSTR("resolve") ), invert ); 326*cdf0e10cSrcweir } 327*cdf0e10cSrcweir static void check_jbu_neg( AccessControl & ac, bool invert = false ) 328*cdf0e10cSrcweir { 329*cdf0e10cSrcweir check_defaults_neg( ac, invert ); 330*cdf0e10cSrcweir // negative tests 331*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert ); 332*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read") ), !invert ); 333*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read") ), !invert ); 334*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), !invert ); 335*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), !invert ); 336*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), !invert ); 337*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert ); 338*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), !invert ); 339*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert ); 340*cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), !invert ); 341*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("accept") ), !invert ); 342*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), !invert ); 343*cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com"), OUSTR("connect") ), !invert ); 344*cdf0e10cSrcweir } 345*cdf0e10cSrcweir 346*cdf0e10cSrcweir /* 347*cdf0e10cSrcweir grant principal "root" 348*cdf0e10cSrcweir { 349*cdf0e10cSrcweir permission com.sun.star.security.AllPermission; 350*cdf0e10cSrcweir }; 351*cdf0e10cSrcweir */ 352*cdf0e10cSrcweir //================================================================================================== 353*cdf0e10cSrcweir static void check_root_pos( AccessControl & ac, bool invert = false ) 354*cdf0e10cSrcweir { 355*cdf0e10cSrcweir check_defaults_pos( ac, invert ); 356*cdf0e10cSrcweir check_defaults_neg( ac, !invert ); 357*cdf0e10cSrcweir check_dbo_pos( ac, invert ); 358*cdf0e10cSrcweir check_dbo_neg( ac, !invert ); 359*cdf0e10cSrcweir check_jbu_pos( ac, invert ); 360*cdf0e10cSrcweir check_jbu_neg( ac, !invert ); 361*cdf0e10cSrcweir // some more root positive 362*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), invert ); 363*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), invert ); 364*cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), invert ); 365*cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), invert ); 366*cdf0e10cSrcweir } 367*cdf0e10cSrcweir 368*cdf0e10cSrcweir //================================================================================================== 369*cdf0e10cSrcweir class acc_Restr 370*cdf0e10cSrcweir : public WeakImplHelper1< security::XAccessControlContext > 371*cdf0e10cSrcweir { 372*cdf0e10cSrcweir Any m_perm; 373*cdf0e10cSrcweir 374*cdf0e10cSrcweir public: 375*cdf0e10cSrcweir inline acc_Restr( Any const & perm = Any() ) SAL_THROW( () ) 376*cdf0e10cSrcweir : m_perm( perm ) 377*cdf0e10cSrcweir {} 378*cdf0e10cSrcweir 379*cdf0e10cSrcweir // XAccessControlContext impl 380*cdf0e10cSrcweir virtual void SAL_CALL checkPermission( Any const & perm ) 381*cdf0e10cSrcweir throw (RuntimeException); 382*cdf0e10cSrcweir }; 383*cdf0e10cSrcweir //__________________________________________________________________________________________________ 384*cdf0e10cSrcweir void acc_Restr::checkPermission( Any const & perm ) 385*cdf0e10cSrcweir throw (RuntimeException) 386*cdf0e10cSrcweir { 387*cdf0e10cSrcweir if (perm != m_perm) 388*cdf0e10cSrcweir { 389*cdf0e10cSrcweir throw security::AccessControlException( 390*cdf0e10cSrcweir OUSTR("dyn violation!"), Reference< XInterface >(), perm ); 391*cdf0e10cSrcweir } 392*cdf0e10cSrcweir } 393*cdf0e10cSrcweir 394*cdf0e10cSrcweir typedef void (* t_action)( AccessControl &, Any const & arg ); 395*cdf0e10cSrcweir 396*cdf0e10cSrcweir //================================================================================================== 397*cdf0e10cSrcweir class Action 398*cdf0e10cSrcweir : public WeakImplHelper1< security::XAction > 399*cdf0e10cSrcweir { 400*cdf0e10cSrcweir t_action m_action; 401*cdf0e10cSrcweir AccessControl & m_ac; 402*cdf0e10cSrcweir Any m_arg; 403*cdf0e10cSrcweir 404*cdf0e10cSrcweir public: 405*cdf0e10cSrcweir inline Action( t_action action, AccessControl & ac, Any const & arg = Any() ) SAL_THROW( () ) 406*cdf0e10cSrcweir : m_action( action ) 407*cdf0e10cSrcweir , m_ac( ac ) 408*cdf0e10cSrcweir , m_arg( arg ) 409*cdf0e10cSrcweir {} 410*cdf0e10cSrcweir 411*cdf0e10cSrcweir // XAction impl 412*cdf0e10cSrcweir virtual Any SAL_CALL run() 413*cdf0e10cSrcweir throw (Exception); 414*cdf0e10cSrcweir }; 415*cdf0e10cSrcweir //__________________________________________________________________________________________________ 416*cdf0e10cSrcweir Any Action::run() 417*cdf0e10cSrcweir throw (Exception) 418*cdf0e10cSrcweir { 419*cdf0e10cSrcweir (*m_action)( m_ac, m_arg ); 420*cdf0e10cSrcweir return Any(); 421*cdf0e10cSrcweir } 422*cdf0e10cSrcweir 423*cdf0e10cSrcweir //================================================================================================== 424*cdf0e10cSrcweir // static void restr_file_permissions( AccessControl & ac ) 425*cdf0e10cSrcweir // { 426*cdf0e10cSrcweir // // running in dbo's domain 427*cdf0e10cSrcweir // /* permission com.sun.star.io.FilePermission "file:///home/dbo/-", ",,read , write "; */ 428*cdf0e10cSrcweir // CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write,execute") ), true ); 429*cdf0e10cSrcweir // CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), false ); 430*cdf0e10cSrcweir // } 431*cdf0e10cSrcweir //================================================================================================== 432*cdf0e10cSrcweir static void all_dbo_permissions( AccessControl & ac, Any const & ) 433*cdf0e10cSrcweir { 434*cdf0e10cSrcweir check_dbo_pos( ac ); 435*cdf0e10cSrcweir check_dbo_neg( ac ); 436*cdf0e10cSrcweir } 437*cdf0e10cSrcweir //================================================================================================== 438*cdf0e10cSrcweir static void no_permissions( AccessControl & ac, Any const & arg ) 439*cdf0e10cSrcweir { 440*cdf0e10cSrcweir check_dbo_pos( ac, true ); 441*cdf0e10cSrcweir check_dbo_neg( ac ); 442*cdf0e10cSrcweir // set privs to old dbo restr 443*cdf0e10cSrcweir Reference< security::XAccessControlContext > xContext; 444*cdf0e10cSrcweir OSL_VERIFY( arg >>= xContext ); 445*cdf0e10cSrcweir ac->doPrivileged( 446*cdf0e10cSrcweir new Action( all_dbo_permissions, ac ), 447*cdf0e10cSrcweir xContext ); 448*cdf0e10cSrcweir } 449*cdf0e10cSrcweir //================================================================================================== 450*cdf0e10cSrcweir static void check_dbo_dynamic( AccessControl & ac ) 451*cdf0e10cSrcweir { 452*cdf0e10cSrcweir Any arg( makeAny( ac->getContext() ) ); 453*cdf0e10cSrcweir ac->doRestricted( 454*cdf0e10cSrcweir new Action( no_permissions, ac, arg ), 455*cdf0e10cSrcweir new acc_Restr() ); 456*cdf0e10cSrcweir } 457*cdf0e10cSrcweir 458*cdf0e10cSrcweir SAL_IMPLEMENT_MAIN() 459*cdf0e10cSrcweir { 460*cdf0e10cSrcweir try 461*cdf0e10cSrcweir { 462*cdf0e10cSrcweir // single-user test 463*cdf0e10cSrcweir Reference< XComponentContext > xContext( defaultBootstrap_InitialComponentContext( 464*cdf0e10cSrcweir OUSTR("../../test/security/test_security_singleuser.ini") ) ); 465*cdf0e10cSrcweir { 466*cdf0e10cSrcweir ::fprintf( stderr, "[security test] single-user checking dbo..." ); 467*cdf0e10cSrcweir AccessControl ac( xContext ); 468*cdf0e10cSrcweir check_dbo_pos( ac ); 469*cdf0e10cSrcweir check_dbo_neg( ac ); 470*cdf0e10cSrcweir check_dbo_dynamic( ac ); 471*cdf0e10cSrcweir ::fprintf( stderr, "dbo checked.\n" ); 472*cdf0e10cSrcweir } 473*cdf0e10cSrcweir 474*cdf0e10cSrcweir // multi-user test 475*cdf0e10cSrcweir dispose( xContext ); 476*cdf0e10cSrcweir xContext = defaultBootstrap_InitialComponentContext( 477*cdf0e10cSrcweir OUSTR("../../test/security/test_security.ini") ); // UNO_AC=on 478*cdf0e10cSrcweir AccessControl ac( xContext ); 479*cdf0e10cSrcweir 480*cdf0e10cSrcweir { 481*cdf0e10cSrcweir // set up dbo current context 482*cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("dbo") ) ); 483*cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking dbo..." ); 484*cdf0e10cSrcweir check_dbo_pos( ac ); 485*cdf0e10cSrcweir check_dbo_neg( ac ); 486*cdf0e10cSrcweir check_dbo_dynamic( ac ); 487*cdf0e10cSrcweir ::fprintf( stderr, "dbo checked.\n" ); 488*cdf0e10cSrcweir } 489*cdf0e10cSrcweir { 490*cdf0e10cSrcweir // set up jbu current context 491*cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("jbu") ) ); 492*cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking jbu..." ); 493*cdf0e10cSrcweir check_jbu_pos( ac ); 494*cdf0e10cSrcweir check_jbu_neg( ac ); 495*cdf0e10cSrcweir ::fprintf( stderr, "jbu checked.\n" ); 496*cdf0e10cSrcweir } 497*cdf0e10cSrcweir { 498*cdf0e10cSrcweir // set up root current context 499*cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("root") ) ); 500*cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking root..." ); 501*cdf0e10cSrcweir check_root_pos( ac ); 502*cdf0e10cSrcweir ::fprintf( stderr, "root checked.\n" ); 503*cdf0e10cSrcweir } 504*cdf0e10cSrcweir { 505*cdf0e10cSrcweir // set up unknown guest user current context => default permissions 506*cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("guest") ) ); 507*cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking guest..." ); 508*cdf0e10cSrcweir check_defaults_pos( ac ); 509*cdf0e10cSrcweir check_defaults_neg( ac ); 510*cdf0e10cSrcweir ::fprintf( stderr, "guest checked.\n" ); 511*cdf0e10cSrcweir } 512*cdf0e10cSrcweir 513*cdf0e10cSrcweir dispose( xContext ); 514*cdf0e10cSrcweir ::fprintf( stderr, "security test succeeded.\n" ); 515*cdf0e10cSrcweir return 0; 516*cdf0e10cSrcweir } 517*cdf0e10cSrcweir catch (Exception & exc) 518*cdf0e10cSrcweir { 519*cdf0e10cSrcweir OString str( OUStringToOString( exc.Message, RTL_TEXTENCODING_ASCII_US ) ); 520*cdf0e10cSrcweir ::fprintf( stderr, "[security test] error: %s!\n", str.getStr() ); 521*cdf0e10cSrcweir return 1; 522*cdf0e10cSrcweir } 523*cdf0e10cSrcweir } 524