Merge pull request #2133 from Avishka-Shamendra/script-meidator-java-…
…access-control [APIM] Add Support to Config Java Access Control through JS in Script Mediator
Showing
10 changed files
with
484 additions
and
0 deletions.
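--- a/...src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlConstants.java
+++ b/...src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlConstants.java
@@ -0,0 +1,31 @@
+/*
+* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+*
+* WSO2 LLC. licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+/**
+* Constants related to Script Mediator access control.
+*/
+public class AccessControlConstants {
+public static String LIMIT_CLASS_ACCESS_PREFIX = "limit_java_class_access_in_scripts.";
+public static String LIMIT_NATIVE_OBJECT_ACCESS_PREFIX = "limit_java_native_object_access_in_scripts.";
+public static String ENABLE = "enable";
+public static String LIST_TYPE = "list_type";
+public static String CLASS_PREFIXES = "class_prefixes";
+public static String OBJECT_NAMES = "object_names";
+}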
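Review bot: The six fields of `AccessControlConstants` are declared `public static String` without `final`, so any code that can reach this class can reassign the configuration keys that the access-control settings are read with. Declare each one as a true constant, for example `public static final String ENABLE = "enable";`. A `private AccessControlConstants() {}` constructor would also stop the holder class from being instantiated.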
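--- a/...ons/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlUtils.java
+++ b/...ons/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlUtils.java
@@ -0,0 +1,66 @@
+/*
+* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+*
+* WSO2 LLC. licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlListType;
+
+import java.util.Comparator;
+import java.util.List;
+
+/**
+* Utility methods related to Script Mediator access control.
+*/
+public class AccessControlUtils {
+
+/**
+* Returns whether the provided string which represents a Java class or native object is accessible or not.
+* The allowing/blocking will be determined by the provided AccessControlConfig, based on the matching/comparing
+* done as specified in the comparator.
+* @param string Java class name or native object name.
+* @param accessControlConfig Access control config of the Script Mediator.
+* @param comparator The comparator based on which, the provided Java class/native object name is
+* matched against the provided access control config.
+* @return Whether the access is allowed or not.
+*/
+public static boolean isAccessAllowed(String string, AccessControlConfig accessControlConfig,
+Comparator<String> comparator) {
+if (accessControlConfig == null || !accessControlConfig.isAccessControlEnabled()) {
+return true; // Access control is not applicable
+}
+
+List<String> accessControlList = accessControlConfig.getAccessControlList();
+boolean doesMatchExist = false;
+for (String item : accessControlList) {
+if (comparator.compare(string, item) > -1) {
+doesMatchExist = true;
+break;
+}
+}
+
+if (accessControlConfig.getAccessControlListType() == AccessControlListType.BLOCK_LIST) {
+return !doesMatchExist;
+}
+if (accessControlConfig.getAccessControlListType() == AccessControlListType.ALLOW_LIST) {
+return doesMatchExist;
+}
+return true; // Ideally we won't reach here
+}
+}
+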
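Review bot: `isAccessAllowed` fails open: when access control is enabled but `getAccessControlListType()` is neither `BLOCK_LIST` nor `ALLOW_LIST` (for instance `null` after an unrecognised `list_type` value, if the config parser permits that), the final `return true; // Ideally we won't reach here` allows every name. An access-control decision should deny on an unknown state, e.g. `return false; // unknown list type: deny`, or throw `IllegalStateException` so the misconfiguration surfaces. Separately, `comparator.compare(string, item) > -1` treats any non-negative result as a match, which works only for comparators written specifically for this method. The Javadoc should spell out that contract, or the parameter could become a two-argument predicate. `getAccessControlList()` is also iterated without a null check.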
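--- a/.../src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxContextFactory.java
+++ b/.../src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxContextFactory.java
@@ -0,0 +1,42 @@
+/*
+* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+*
+* WSO2 LLC. licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.ContextFactory;
+
+/**
+* Represents the sandbox context factory - which is used with access control of the Script Mediator.
+*/
+public class SandboxContextFactory extends ContextFactory {
+private AccessControlConfig nativeObjectAccessControlConfig;
+
+public SandboxContextFactory(AccessControlConfig nativeObjectAccessControlConfig) {
+this.nativeObjectAccessControlConfig = nativeObjectAccessControlConfig;
+}
+
+@Override
+protected Context makeContext() {
+Context cx = super.makeContext();
+cx.setWrapFactory(new SandboxWrapFactory(nativeObjectAccessControlConfig));
+return cx;
+}
+}
+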
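Review bot: The constructor accepts a null `nativeObjectAccessControlConfig` without complaint, and because `AccessControlUtils.isAccessAllowed` returns `true` for a null config, a factory built that way produces contexts whose wrap factory filters nothing. Either reject it with `Objects.requireNonNull(nativeObjectAccessControlConfig, "nativeObjectAccessControlConfig")`, or state in a constructor Javadoc that null means "no native-object restriction" so the behaviour is a documented choice rather than an accident. The field is assigned once and should be `private final`; the same applies to the identically named field in `SandboxWrapFactory` and `SandboxNativeJavaObject`.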
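--- a/...rc/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxNativeJavaObject.java
+++ b/...rc/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxNativeJavaObject.java
@@ -0,0 +1,57 @@
+/*
+* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+*
+* WSO2 LLC. licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.mozilla.javascript.NativeJavaObject;
+import org.mozilla.javascript.Scriptable;
+
+import java.util.Comparator;
+
+/**
+* Provides native Java objects to the sandbox, after necessary access control filtering.
+*/
+public class SandboxNativeJavaObject extends NativeJavaObject {
+private AccessControlConfig nativeObjectAccessControlConfig;
+
+public SandboxNativeJavaObject(Scriptable scope, Object javaObject, Class staticType,
+AccessControlConfig nativeObjectAccessControlConfig) {
+super(scope, javaObject, staticType);
+this.nativeObjectAccessControlConfig = nativeObjectAccessControlConfig;
+}
+
+@Override
+public Object get(String name, Scriptable start) {
+Comparator<String> equalsComparator = new Comparator<String>() {
+@Override
+public int compare(String o1, String o2) {
+if (o1 != null && o1.equals(o2)) {
+return 0;
+}
+return -1;
+}
+};
+if (AccessControlUtils.isAccessAllowed(name, nativeObjectAccessControlConfig, equalsComparator)) {
+return super.get(name, start);
+}
+return NOT_FOUND;
+}
+
+}
+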
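Review bot: `get` builds a new anonymous `Comparator` on every property read, and that comparator returns -1 for every non-match regardless of argument order, which breaks the `Comparator` contract and works only because `isAccessAllowed` tests `> -1`. Hoist it into a `private static final Comparator<String>` field with a comment that it is an equality matcher, not an ordering. The class Javadoc should also say that configured names are compared with the accessed member name (`name`) by exact, case-sensitive equality and without regard to the wrapped object's class, because that determines what an operator has to put in the list. Only `get(String, Scriptable)` is filtered here; whether `has` should agree with it for blocked names is worth deciding and documenting.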
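--- a/...ons/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxWrapFactory.java
+++ b/...ons/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxWrapFactory.java
@@ -0,0 +1,42 @@
+/*
+* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+*
+* WSO2 LLC. licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.Scriptable;
+import org.mozilla.javascript.WrapFactory;
+
+/**
+* Wraps sandbox native Java objects that are used in Script Mediator access control.
+*/
+public class SandboxWrapFactory extends WrapFactory {
+private AccessControlConfig nativeObjectAccessControlConfig;
+
+public SandboxWrapFactory(AccessControlConfig nativeObjectAccessControlConfig) {
+this.nativeObjectAccessControlConfig = nativeObjectAccessControlConfig;
+}
+
+@Override
+public Scriptable wrapAsJavaObject(Context cx, Scriptable scope, Object javaObject, Class staticType) {
+return new SandboxNativeJavaObject(scope, javaObject, staticType, nativeObjectAccessControlConfig);
+}
+}
+
+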
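Review bot: `SandboxWrapFactory` overrides only `wrapAsJavaObject`, so Java classes that Rhino wraps through `wrapJavaClass` keep the default wrapper and are not subject to the native-object name filter. If that is intentional because class access is limited separately (the `limit_java_class_access_in_scripts.` settings suggest so, though the enforcing code is not in this section), a class-level comment saying so would keep the gap from being mistaken for coverage. The `Class staticType` parameter is a raw type; `Class<?> staticType` avoids the raw-type warning, provided the Rhino version in use declares the overridden method that way.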