15 * |
15 * |
16 */ |
16 */ |
17 |
17 |
18 package com.nokia.mj.impl.security.midp.authorization; |
18 package com.nokia.mj.impl.security.midp.authorization; |
19 |
19 |
20 import com.nokia.mj.impl.utils.Id; |
|
21 import com.nokia.mj.impl.utils.Uid; |
20 import com.nokia.mj.impl.utils.Uid; |
22 import com.nokia.mj.impl.utils.exception.InvalidAttributeException; |
21 import com.nokia.mj.impl.utils.exception.InvalidAttributeException; |
23 import com.nokia.mj.impl.security.midp.common.MIDPPermission; |
22 import com.nokia.mj.impl.security.midp.common.MIDPPermission; |
24 import com.nokia.mj.impl.security.midp.common.UserSecuritySettings; |
23 import com.nokia.mj.impl.security.midp.common.UserSecuritySettings; |
25 import com.nokia.mj.impl.security.midp.common.UserSecuritySettingsImpl; |
24 import com.nokia.mj.impl.security.midp.common.UserSecuritySettingsImpl; |
172 * SecurityAttributes.getPermissionAttributes() |
168 * SecurityAttributes.getPermissionAttributes() |
173 * called after calling |
169 * called after calling |
174 * SecurityAttributes.addManifestAttributes()) |
170 * SecurityAttributes.addManifestAttributes()) |
175 */ |
171 */ |
176 public void grantJarPermissions( |
172 public void grantJarPermissions( |
|
173 StorageSession storageSession, |
177 Uid msUID, |
174 Uid msUID, |
178 Uid oldMSUID, |
175 Uid oldMSUID, |
179 PermissionAttribute[] requestedPermissions, |
176 PermissionAttribute[] requestedPermissions) |
180 AuthenticationCredentials[] authCredentials) |
177 { |
181 { |
178 if (storageSession == null |
182 if (msUID == null) |
179 || msUID == null) |
183 { |
180 { |
184 return; |
181 return; |
185 } |
182 } |
186 |
183 |
|
184 // take the domain from storage |
|
185 SecurityStorage storage = new SecurityStorage(storageSession); |
|
186 String protectionDomainName = storage.readProtectionDomain(msUID); |
187 // filter the already granted permissions |
187 // filter the already granted permissions |
188 String protectionDomainName = authCredentials[0].getProtectionDomainName(); |
|
189 Object o = iGrantedPermissions.remove( |
188 Object o = iGrantedPermissions.remove( |
190 msUID.getStringValue() |
189 msUID.getStringValue() + protectionDomainName); |
191 + protectionDomainName); |
|
192 |
|
193 Vector preGrantedPermissions = null; |
190 Vector preGrantedPermissions = null; |
194 if (o != null) |
191 if (o != null) |
195 { |
192 { |
196 if (o instanceof InvalidAttributeException) |
193 if (o instanceof InvalidAttributeException) |
197 { |
194 { |
215 resolvedPermissions.addElement( |
212 resolvedPermissions.addElement( |
216 preGrantedPermissions.elementAt(i)); |
213 preGrantedPermissions.elementAt(i)); |
217 } |
214 } |
218 } |
215 } |
219 } |
216 } |
220 // in case of update preserve the settings of the "old" suite |
217 storage.writeGrantedPermissions( |
221 if (oldMSUID != null) |
218 msUID, |
222 { |
219 oldMSUID, |
223 updateGrantedPermissions( |
220 resolvedPermissions); |
224 msUID, |
|
225 oldMSUID, |
|
226 resolvedPermissions); |
|
227 } |
|
228 |
|
229 // update the cache with the full set of permissions |
221 // update the cache with the full set of permissions |
230 iGrantedPermissions.put(msUID.getStringValue() + protectionDomainName, |
222 iGrantedPermissions.put(msUID.getStringValue() + protectionDomainName, |
231 resolvedPermissions); |
223 resolvedPermissions); |
232 Logger.logGrantedPermissions(resolvedPermissions); |
224 Logger.logGrantedPermissions(resolvedPermissions); |
233 } |
225 } |
269 Vector resolvedPermissions = resolvePermissions( |
262 Vector resolvedPermissions = resolvePermissions( |
270 uid, |
263 uid, |
271 protectionDomain.getName(), |
264 protectionDomain.getName(), |
272 securityAttributes.getPermissionAttributes(), |
265 securityAttributes.getPermissionAttributes(), |
273 true /* add the assigned permissions */); |
266 true /* add the assigned permissions */); |
274 // in case of update preserve the settings |
267 |
275 if (oldUid != null) |
268 // store the permissions |
276 { |
269 SecurityStorage storage = new SecurityStorage(storageSession); |
277 updateGrantedPermissions( |
270 storage.writeGrantedPermissions( |
278 uid, |
271 uid, |
279 oldUid, |
272 oldUid, |
280 resolvedPermissions); |
273 resolvedPermissions); |
281 } |
|
282 |
|
283 // update the cache with the full set of permissions |
274 // update the cache with the full set of permissions |
284 iGrantedPermissions.put(uid.getStringValue() + protectionDomain.getName(), |
275 iGrantedPermissions.put(uid.getStringValue() + protectionDomain, |
285 resolvedPermissions); |
276 resolvedPermissions); |
286 Logger.logGrantedPermissions(resolvedPermissions); |
277 Logger.logGrantedPermissions(resolvedPermissions); |
287 } |
278 } |
288 |
279 |
289 /** |
280 /** |
321 e.hasMoreElements() ;) |
312 e.hasMoreElements() ;) |
322 { |
313 { |
323 String key = (String)e.nextElement(); |
314 String key = (String)e.nextElement(); |
324 if (key.startsWith(msUidKey)) |
315 if (key.startsWith(msUidKey)) |
325 { |
316 { |
326 grantedPermissions = (Vector)iGrantedPermissions.get(key); |
317 grantedPermissions = (Vector)iGrantedPermissions.remove(key); |
327 if (key.endsWith("UnidentifiedThirdParty")) |
318 if (key.endsWith("UnidentifiedThirdParty")) |
328 { |
319 { |
329 // if the suite is not signed, there is no blanket |
320 // if the suite is not signed, there is no blanket |
330 // permissions concept either |
321 // permissions concept either |
331 Logger.log("Suite " + msUID.toString() + " is not signed, therefore there are no blanket permissions returned"); |
322 Logger.log("Suite " + msUID.toString() + " is not signed, therefore there are no blanket permissions returned"); |
366 { |
357 { |
367 PolicyBasedPermission permission = |
358 PolicyBasedPermission permission = |
368 ((PolicyBasedPermission)grantedPermissions.elementAt(i)); |
359 ((PolicyBasedPermission)grantedPermissions.elementAt(i)); |
369 UserSecuritySettings settings = |
360 UserSecuritySettings settings = |
370 permission.getUserSecuritySettings(); |
361 permission.getUserSecuritySettings(); |
371 if (permission.getType() != PolicyBasedPermission.USER_TYPE |
362 if (permission.getType() != PolicyBasedPermission.USER_TYPE |
372 || settings == null) |
363 || settings == null) |
373 { |
364 { |
374 // not a user permission -> move on to the next permission |
365 // not a user permission -> move on to the next permission |
375 Logger.log("Permission " + permission.getName() + " is not a user permission, therefore is is not returned as part of the group of blanket permissions"); |
366 Logger.log("Permission " + permission.getName() + " is not a user permission, therefore is is not returned as part of the group of blanket permissions"); |
376 continue; |
367 continue; |
464 } |
455 } |
465 // check for sensitive combinations |
456 // check for sensitive combinations |
466 if (permissions_from_sensitive_combination_list_1 |
457 if (permissions_from_sensitive_combination_list_1 |
467 && permissions_from_sensitive_combination_list_2) |
458 && permissions_from_sensitive_combination_list_2) |
468 { |
459 { |
469 /*String blanketPermissionsDetails = ( |
460 String blanketPermissionsDetails = ( |
470 ((call_control == true && multimedia == true) |
461 ((call_control == true && multimedia == true) |
471 || (call_control == true && read_user_data == true) |
462 || (call_control == true && read_user_data == true) |
472 || (net_access == true && multimedia == true) |
463 || (net_access == true && multimedia == true) |
473 || (net_access == true && read_user_data == true) |
464 || (net_access == true && read_user_data == true) |
474 || (messaging == true && multimedia == true) |
465 || (messaging == true && multimedia == true) |
475 || (messaging == true && read_user_data == true)) ? |
466 || (messaging == true && read_user_data == true)) ? |
476 "settings_inst_query_perm_net" : |
467 "settings_inst_query_perm_net" : |
477 "settings_inst_query_perm_sec");*/ |
468 "settings_inst_query_perm_sec"); |
478 |
|
479 Id blanketPermissionsDetails = ( |
|
480 ((call_control == true && multimedia == true) |
|
481 || (call_control == true && read_user_data == true) |
|
482 || (net_access == true && multimedia == true) |
|
483 || (net_access == true && read_user_data == true) |
|
484 || (messaging == true && multimedia == true) |
|
485 || (messaging == true && read_user_data == true)) ? |
|
486 new Id("settings_inst_query_perm_net", "N/A") : |
|
487 new Id("settings_inst_query_perm_sec", "N/A")); |
|
488 |
|
489 iBlanketPermissionsDetails.put(msUidKey, |
469 iBlanketPermissionsDetails.put(msUidKey, |
490 UserSecuritySettingsImpl.getLocalizedString( |
470 UserSecuritySettingsImpl.getLocalizedString( |
491 blanketPermissionsDetails)); |
471 blanketPermissionsDetails)); |
492 } |
472 } |
493 if (blanketPermissions.size() > 0) |
473 if (blanketPermissions.size() > 0) |
538 Logger.log("The granted permissions are all set to Blanket, therefore there won't be any runtime security prompts"); |
518 Logger.log("The granted permissions are all set to Blanket, therefore there won't be any runtime security prompts"); |
539 SecurityStorage storage = new SecurityStorage(storageSession); |
519 SecurityStorage storage = new SecurityStorage(storageSession); |
540 storage.writeUserSecuritySettings(msUID, |
520 storage.writeUserSecuritySettings(msUID, |
541 UserSecuritySettings.BLANKET_INTERACTION_MODE, |
521 UserSecuritySettings.BLANKET_INTERACTION_MODE, |
542 true /* blanket prompt shown */); |
522 true /* blanket prompt shown */); |
543 // cleanup the cache as well |
|
544 cleanup(msUID); |
|
545 } |
523 } |
546 |
524 |
547 /** |
525 /** |
548 * Performs a cleanup (e.g. on cached data) |
526 * Performs a cleanup (e.g. on cached data) |
549 * |
527 * |
567 { |
545 { |
568 Logger.log("Remove granted permissions"); |
546 Logger.log("Remove granted permissions"); |
569 SecurityStorage storage = new SecurityStorage(storageSession); |
547 SecurityStorage storage = new SecurityStorage(storageSession); |
570 storage.removeGrantedPermissions(msUID); |
548 storage.removeGrantedPermissions(msUID); |
571 // clear the cache |
549 // clear the cache |
572 cleanup(msUID); |
|
573 } |
|
574 |
|
575 /** |
|
576 * Writes to storage all the security data related to a certain MIDlet suite |
|
577 * |
|
578 * @param sessionID the JavaStorage session to be used when |
|
579 * writing the security data into storage |
|
580 * @param msUID the UID if the MIDlet suite whose security data is |
|
581 * being written |
|
582 */ |
|
583 public void addSecurityData(StorageSession storageSession, Uid msUID, Uid oldMsUID) |
|
584 { |
|
585 Logger.log("Write granted permissions to storage"); |
|
586 if (storageSession == null || msUID == null) |
|
587 { |
|
588 return; |
|
589 } |
|
590 SecurityStorage storage = new SecurityStorage(storageSession); |
|
591 String msUidKey = msUID.getStringValue(); |
550 String msUidKey = msUID.getStringValue(); |
592 for (Enumeration e = iGrantedPermissions.keys() ; |
551 for (Enumeration e = iGrantedPermissions.keys() ; |
593 e.hasMoreElements() ;) |
552 e.hasMoreElements() ;) |
594 { |
553 { |
595 String key = (String)e.nextElement(); |
554 String key = (String)e.nextElement(); |
596 if (key.startsWith(msUidKey)) |
555 if (key.startsWith(msUidKey)) |
597 { |
556 { |
598 storage.writeGrantedPermissions( |
557 iGrantedPermissions.remove(key); |
599 msUID, |
558 break; |
600 oldMsUID, |
559 } |
601 (Vector)iGrantedPermissions.remove(key)); |
560 } |
602 return; |
561 iBlanketPermissionsDetails.remove(msUidKey); |
603 } |
|
604 } |
|
605 } |
562 } |
606 |
563 |
607 private Vector resolvePermissions(Uid msUID, |
564 private Vector resolvePermissions(Uid msUID, |
608 String protectionDomainName, |
565 String protectionDomainName, |
609 PermissionAttribute[] requestedPermissions, |
566 PermissionAttribute[] requestedPermissions, |
628 if (policyPermissions != null) |
585 if (policyPermissions != null) |
629 { |
586 { |
630 for (int i=0; i<policyPermissions.length; i++) |
587 for (int i=0; i<policyPermissions.length; i++) |
631 { |
588 { |
632 if (policyPermissions[i].getType() |
589 if (policyPermissions[i].getType() |
633 == PolicyBasedPermission.ASSIGNED_TYPE |
590 == PolicyBasedPermission.ASSIGNED_TYPE |
634 || policyPermissions[i].getType() |
591 || policyPermissions[i].getType() |
635 == PolicyBasedPermission.USER_ASSIGNED_TYPE) |
592 == PolicyBasedPermission.USER_ASSIGNED_TYPE) |
636 { |
593 { |
637 PolicyBasedPermissionImpl p1 = new PolicyBasedPermissionImpl( |
594 PolicyBasedPermissionImpl p1 = new PolicyBasedPermissionImpl( |
638 policyPermissions[i]); |
595 policyPermissions[i]); |
639 // add it only if not contained already |
596 // add it only if not contained already |
670 PermissionAttribute[] requestedPermissions) |
627 PermissionAttribute[] requestedPermissions) |
671 { |
628 { |
672 return resolvePermissions(msUID, protectionDomainName, |
629 return resolvePermissions(msUID, protectionDomainName, |
673 requestedPermissions, true /* add assigned permissions */); |
630 requestedPermissions, true /* add assigned permissions */); |
674 } |
631 } |
675 |
|
676 private void cleanup(Uid msUID) |
|
677 { |
|
678 // clear the cache |
|
679 String msUidKey = msUID.getStringValue(); |
|
680 for (Enumeration e = iGrantedPermissions.keys() ; |
|
681 e.hasMoreElements() ;) |
|
682 { |
|
683 String key = (String)e.nextElement(); |
|
684 if (key.startsWith(msUidKey)) |
|
685 { |
|
686 iGrantedPermissions.remove(key); |
|
687 break; |
|
688 } |
|
689 } |
|
690 iBlanketPermissionsDetails.remove(msUidKey); |
|
691 } |
|
692 |
|
693 private void updateGrantedPermissions(Uid newAppUID, Uid oldAppUID, Vector grantedPermissions) |
|
694 { |
|
695 // the vector containing the newGrantedPermissions |
|
696 Vector newGrantedPermissions = new Vector(); |
|
697 |
|
698 // get the old permissions & settings |
|
699 SecurityStorage storage = new SecurityStorage(); |
|
700 Vector oldPermissions = storage.readGrantedPermissions(oldAppUID); |
|
701 storage.close(); |
|
702 |
|
703 // filter out the the brand new permissions |
|
704 // (permissions which are not found among the old permissions) |
|
705 if (oldPermissions != null) |
|
706 { |
|
707 int index=0; |
|
708 while (index < grantedPermissions.size()) |
|
709 { |
|
710 // instead of calling Vector.removeElement(p) we will do the |
|
711 // remove manually, since the search is to be based on |
|
712 // the permission without the settings |
|
713 PolicyBasedPermission p = (PolicyBasedPermission) |
|
714 grantedPermissions.elementAt(index); |
|
715 int status = removeElement(oldPermissions, p); |
|
716 switch (status) |
|
717 { |
|
718 case REMOVED: |
|
719 case NOT_FOUND: |
|
720 index++; |
|
721 break; |
|
722 default: |
|
723 // different settings |
|
724 UserSecuritySettings oldSettings |
|
725 = ((PolicyBasedPermission)oldPermissions |
|
726 .elementAt(status)).getUserSecuritySettings(); |
|
727 UserSecuritySettings newSettings |
|
728 = p.getUserSecuritySettings(); |
|
729 if (oldSettings != null |
|
730 && newSettings != null) |
|
731 { |
|
732 boolean activeSettings = false; |
|
733 if (oldSettings.isActive() |
|
734 || newSettings.isActive()) |
|
735 { |
|
736 activeSettings = true; |
|
737 } |
|
738 newGrantedPermissions.addElement( |
|
739 new PolicyBasedPermissionImpl( |
|
740 p.getName(), |
|
741 p.getTarget(), |
|
742 p.getActionList(), |
|
743 p.getType(), |
|
744 new UserSecuritySettingsImpl( |
|
745 newSettings.getName(), |
|
746 oldSettings.getCurrentInteractionMode(), |
|
747 newSettings.getAllowedInteractionModes(), |
|
748 oldSettings.getBlanketPrompt(), |
|
749 activeSettings))); |
|
750 } |
|
751 else |
|
752 { |
|
753 newGrantedPermissions.addElement(p); |
|
754 } |
|
755 grantedPermissions.removeElementAt(index); |
|
756 break; |
|
757 } |
|
758 } |
|
759 } |
|
760 // write what's left from the granted permissions |
|
761 for (int i=0; i<newGrantedPermissions.size(); i++) |
|
762 { |
|
763 grantedPermissions.addElement(newGrantedPermissions.elementAt(i)); |
|
764 } |
|
765 } |
|
766 |
|
767 private int removeElement(Vector elements, PolicyBasedPermission element) |
|
768 { |
|
769 PolicyBasedPermissionImpl p1 = new PolicyBasedPermissionImpl( |
|
770 element.getName(), |
|
771 element.getTarget(), |
|
772 element.getActionList(), |
|
773 null); |
|
774 for (int i=0; i<elements.size(); i++) |
|
775 { |
|
776 PolicyBasedPermission tmp = (PolicyBasedPermission)elements |
|
777 .elementAt(i); |
|
778 PolicyBasedPermissionImpl p2 = new PolicyBasedPermissionImpl( |
|
779 tmp.getName(), |
|
780 tmp.getTarget(), |
|
781 tmp.getActionList(), |
|
782 null); |
|
783 if (p1.equals(p2)) |
|
784 { |
|
785 UserSecuritySettings s1 = element.getUserSecuritySettings(); |
|
786 UserSecuritySettings s2 = tmp.getUserSecuritySettings(); |
|
787 if ((s1 == null && s2 == null) |
|
788 || (s1 != null |
|
789 && s2 != null |
|
790 && s1.equals(s2))) |
|
791 { |
|
792 // identical permissions |
|
793 elements.removeElementAt(i); |
|
794 return REMOVED; |
|
795 } |
|
796 return i; |
|
797 } |
|
798 } |
|
799 return NOT_FOUND; |
|
800 } |
|
801 } |
632 } |