Added AskPermission and SetPermission API calls for OJI. Added the CertChain Principal support for JavaSoft.

raman%netscape.com 1998-09-16 18:39:48 +00:00
Родитель 0917343e83
Коммит 6ad633d515
5 изменённых файлов: 199 добавлений и 94 удалений


@ -53,7 +53,11 @@ typedef enum nsPrincipalType {
nsPrincipalType_CodebaseRegexp,
nsPrincipalType_Cert,
nsPrincipalType_CertFingerPrint,
nsPrincipalType_CertKey
nsPrincipalType_CertKey,
/* CertChain principal is being added for Javasoft's JVM. They will pass the
* whole chain to the nsPrincipal constructor.
*/
nsPrincipalType_CertChain
} nsPrincipalType;
#endif /* _NS_CAPS_ENUMS_H_ */


@ -40,6 +40,10 @@ public:
virtual ~nsPrincipal();
nsPrincipal(nsPrincipalType type, void * key, PRUint32 key_len, void *zigObject);
nsPrincipal(nsPrincipalType type, void **certChain,
PRUint32 *certChainLengths,
PRUint32 noOfCerts);
PRBool equals(nsPrincipal *principal);
char * getVendor(void);
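Review bot: The new `nsPrincipal(nsPrincipalType, void **certChain, PRUint32 *certChainLengths, PRUint32 noOfCerts)` declaration has no comment describing its contract, and the three raw parameters do not explain themselves. From the implementation in this commit, element 0 is treated as the signer's certificate and becomes the principal's key, so the header should say so, for example `/* certChain and certChainLengths are parallel arrays of noOfCerts entries; entry 0 is the signer's certificate and is used as the key. */`. Whether the constructor copies the buffers or keeps the caller's pointers is decided in `init`, which is outside this page, and is worth stating in the same comment.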


@ -58,15 +58,19 @@ public:
PRBool isPrivilegeEnabled(nsTarget *target, PRInt32 callerDepth);
PRBool isPrivilegeEnabled(void* context, nsTarget *target, PRInt32 callerDepth);
PRBool isPrivilegeEnabled(void* context, nsTarget *target,
PRInt32 callerDepth);
PRBool enablePrivilege(nsTarget *target, PRInt32 callerDepth);
PRBool enablePrivilege(void* context, nsTarget *target, PRInt32 callerDepth);
PRBool enablePrivilege(nsTarget *target, nsPrincipal *preferredPrincipal, PRInt32 callerDepth);
PRBool enablePrivilege(nsTarget *target, nsPrincipal *preferredPrincipal,
PRInt32 callerDepth);
PRBool enablePrivilege(void* context, nsTarget *target, nsPrincipal *preferredPrincipal, PRInt32 callerDepth);
PRBool enablePrivilege(void* context, nsTarget *target,
nsPrincipal *preferredPrincipal,
PRInt32 callerDepth);
PRBool revertPrivilege(nsTarget *target, PRInt32 callerDepth);
@ -76,15 +80,35 @@ public:
PRBool disablePrivilege(void* context, nsTarget *target, PRInt32 callerDepth);
PRBool enablePrincipalPrivilegeHelper(nsTarget *target, PRInt32 callerDepth, nsPrincipal *preferredPrin, void * data, nsTarget *impersonator);
PRBool enablePrincipalPrivilegeHelper(nsTarget *target, PRInt32 callerDepth,
nsPrincipal *preferredPrin, void * data,
nsTarget *impersonator);
PRBool enablePrincipalPrivilegeHelper(void* context, nsTarget *target, PRInt32 callerDepth, nsPrincipal *preferredPrin, void * data, nsTarget *impersonator);
PRBool enablePrincipalPrivilegeHelper(void* context, nsTarget *target,
PRInt32 callerDepth,
nsPrincipal *preferredPrin,
void * data,
nsTarget *impersonator);
nsPrivilegeTable *enableScopePrivilegeHelper(nsTarget *target, PRInt32 callerDepth, void *data, PRBool helpingSetScopePrivilege, nsPrincipal *prefPrin);
nsPrivilegeTable *enableScopePrivilegeHelper(nsTarget *target,
PRInt32 callerDepth,
void *data,
PRBool helpingSetScopePrivilege,
nsPrincipal *prefPrin);
nsPrivilegeTable *enableScopePrivilegeHelper(void* context, nsTarget *target, PRInt32 callerDepth, void *data, PRBool helpingSetScopePrivilege, nsPrincipal *prefPrin);
nsPrivilegeTable *enableScopePrivilegeHelper(void* context, nsTarget *target,
PRInt32 callerDepth, void *data,
PRBool helpingSetScopePrivilege,
nsPrincipal *prefPrin);
void registerPrincipalAndSetPrivileges(nsPrincipal *principal, nsTarget *target, nsPrivilege *newPrivilege);
PRBool AskPermission(nsPrincipal* useThisPrin, nsTarget* target, void* data);
void SetPermission(nsPrincipal *useThisPrin, nsTarget *target,
nsPrivilege *newPrivilege);
void registerPrincipalAndSetPrivileges(nsPrincipal *principal,
nsTarget *target,
nsPrivilege *newPrivilege);
void updatePrivilegeTable(nsTarget *target,
nsPrivilegeTable *privTable,
@ -92,16 +116,20 @@ public:
PRBool checkPrivilegeGranted(nsTarget *target, PRInt32 callerDepth);
PRBool checkPrivilegeGranted(void* context, nsTarget *target, PRInt32 callerDepth);
PRBool checkPrivilegeGranted(void* context, nsTarget *target,
PRInt32 callerDepth);
PRBool checkPrivilegeGranted(nsTarget *target, nsPrincipal *principal, void *data);
PRBool checkPrivilegeGranted(nsTarget *target, PRInt32 callerDepth, void *data);
PRBool checkPrivilegeGranted(void* context, nsTarget *target, PRInt32 callerDepth,
PRBool checkPrivilegeGranted(nsTarget *target, nsPrincipal *principal,
void *data);
nsPrivilege *getPrincipalPrivilege(nsTarget *target, nsPrincipal *prin, void *data);
PRBool checkPrivilegeGranted(nsTarget *target, PRInt32 callerDepth,
void *data);
PRBool checkPrivilegeGranted(void* context, nsTarget *target,
PRInt32 callerDepth, void *data);
nsPrivilege *getPrincipalPrivilege(nsTarget *target, nsPrincipal *prin,
void *data);
static nsPrivilegeManager * getPrivilegeManager(void);
@ -128,7 +156,8 @@ public:
PRBool checkMatchPrincipal(nsPrincipal *principal, PRInt32 callerDepth);
PRBool checkMatchPrincipal(void* context, nsPrincipal *principal, PRInt32 callerDepth);
PRBool checkMatchPrincipal(void* context, nsPrincipal *principal,
PRInt32 callerDepth);
/* Helper functions for ADMIN UI */
const char * getAllPrincipalsString(void);
@ -153,12 +182,14 @@ public:
nsPrincipalArray* getClassPrincipalsFromStack(PRInt32 callerDepth);
nsPrincipalArray* getClassPrincipalsFromStack(void* context, PRInt32 callerDepth);
nsPrincipalArray* getClassPrincipalsFromStack(void* context,
PRInt32 callerDepth);
nsPrivilegeTable * getPrivilegeTableFromStack(PRInt32 callerDepth,
PRBool createIfNull);
nsPrivilegeTable * getPrivilegeTableFromStack(void* context, PRInt32 callerDepth,
nsPrivilegeTable * getPrivilegeTableFromStack(void* context,
PRInt32 callerDepth,
PRBool createIfNull);
/* End of native methods */
@ -189,7 +220,9 @@ private:
nsPrincipalArray* callerPrinArray,
void *data);
PRBool isPermissionGranted(nsTarget *target, nsPrincipalArray* callerPrinArray, void *data);
PRBool isPermissionGranted(nsTarget *target,
nsPrincipalArray* callerPrinArray,
void *data);
/* The following methods are used to save and load the persistent store */
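Review bot: The two new public declarations, `AskPermission` and `SetPermission`, take the principal directly from the caller and carry no comment saying who may call them. In the implementation shown in this commit neither function looks at the call stack, and `SetPermission` registers the privilege and may persist it through `save()` with no check of its own, so both rely on the caller supplying a principal it has already authenticated. I would state that on the declarations, for example `/* For trusted embedders (OJI): no stack inspection is done; the caller vouches for useThisPrin. */`. The rest of the section is line re-wrapping only.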


@ -156,12 +156,30 @@ nsPrincipal::nsPrincipal(nsPrincipalType type, void * key, PRUint32 key_len, cha
itsString = stringRep;
}
nsPrincipal::nsPrincipal(nsPrincipalType type,
void **certChain,
PRUint32 *certChainLengths,
PRUint32 noOfCerts)
{
/* We will store the signers certificate as the key */
init(type, certChain[0], certChainLengths[0]);
for (PRUint32 i = noOfCerts; i < noOfCerts; i--) {
void* cert = certChain[i];
PRUint32 cert_len = certChainLengths[i];
/*
SOB_ImportCert(cert, cert_len);
SOB_ValidateCert(cert, cert_len);
SOB_GetCertAttributes(cert, cert_len);
*/
}
}
nsPrincipal::~nsPrincipal(void)
{
if (itsKey) {
#ifdef DEBUG_raman
fprintf(stderr, "Deleting principal %s\n", itsKey);
#endif /* DEBUG_raman */
if (itsKey) {
delete []itsKey;
}
if (itsCompanyName) {
@ -189,8 +207,8 @@ PRBool nsPrincipal::equals(nsPrincipal *prin)
if (prin == this)
return PR_TRUE;
if ((itsKeyLen != prin->itsKeyLen) ||
(itsType != prin->itsType))
if ((itsType != prin->itsType) ||
(itsKeyLen != prin->itsKeyLen))
return PR_FALSE;
if (0 == memcmp(itsKey, prin->itsKey, itsKeyLen))
@ -204,6 +222,7 @@ char * nsPrincipal::getVendor(void)
case nsPrincipalType_Cert:
case nsPrincipalType_CertKey:
case nsPrincipalType_CertFingerPrint:
case nsPrincipalType_CertChain:
return getNickname();
default:
@ -276,6 +295,7 @@ char * nsPrincipal::getFingerPrint(void)
return toString();
case nsPrincipalType_CertKey:
case nsPrincipalType_CertChain:
if (itsAsciiFingerPrint == NULL)
itsAsciiFingerPrint = getCertAttribute(ZIG_C_FP);
return itsAsciiFingerPrint;
@ -299,6 +319,11 @@ char * nsPrincipal::getNickname(void)
return "Classes for whom we don't the principal";
}
if (nsPrincipalType_CertChain == itsType) {
/* XXX: We should get the first certificate's nickname */
return "Javasoft's principal";
}
if (nsPrincipalType_CertKey != itsType)
return itsKey;
@ -360,6 +385,8 @@ PRBool nsPrincipal::isSecurePrincipal(void)
if (!isCodebase())
return PR_TRUE;
PR_ASSERT(itsKey != NULL);
if ((0 == memcmp("https:", itsKey, strlen("https:"))) ||
(0 == memcmp("file:", itsKey, strlen("file:"))))
return PR_TRUE;
@ -384,7 +411,8 @@ PRBool nsPrincipal::isCert(void)
PRBool nsPrincipal::isCertFingerprint(void)
{
if ((itsType == nsPrincipalType_CertFingerPrint) ||
(itsType == nsPrincipalType_CertKey))
(itsType == nsPrincipalType_CertKey) ||
(itsType == nsPrincipalType_CertChain))
return PR_TRUE;
return PR_FALSE;
}
@ -396,16 +424,19 @@ char * nsPrincipal::toString(void)
switch(itsType) {
case nsPrincipalType_CertKey:
case nsPrincipalType_CertChain:
str = getNickname();
break;
case nsPrincipalType_Cert:
case nsPrincipalType_CertFingerPrint:
case nsPrincipalType_CodebaseExact:
if (itsString != NULL)
if (itsString != NULL) {
str = itsString;
else
} else {
PR_ASSERT(itsKey != NULL);
str = itsKey;
}
break;
default:
str = "Unknown Principal";
@ -499,6 +530,7 @@ void nsPrincipal::init(nsPrincipalType type, void * key, PRUint32 key_len)
switch(type) {
case nsPrincipalType_Cert:
case nsPrincipalType_CertKey:
case nsPrincipalType_CertChain:
case nsPrincipalType_CertFingerPrint:
case nsPrincipalType_CodebaseExact:
break;
@ -546,6 +578,7 @@ PRInt32 nsPrincipal::computeHashCode(void)
case nsPrincipalType_Cert:
case nsPrincipalType_CertFingerPrint:
case nsPrincipalType_CertKey:
case nsPrincipalType_CertChain:
case nsPrincipalType_CodebaseExact:
return computeHashCode(itsKey, itsKeyLen);
default:
@ -557,7 +590,8 @@ PRInt32 nsPrincipal::computeHashCode(void)
char * nsPrincipal::saveCert(void)
{
int result;
if ((!itsZig)) {
/* XXX: Implement CertChain principal */
if ((!itsZig) || (!itsKey)) {
return NULL;
}
@ -580,6 +614,11 @@ nsPrincipal::getCertAttribute(int attrib)
if (itsZig != NULL) {
zig = (ZIG *)itsZig;
}
if (itsType == nsPrincipalType_CertChain) {
/* XXX: Implement CertChain Principal */
return "Javasoft's cert chain principal";
}
if (SOB_cert_attribute(attrib, zig,
itsKeyLen, itsKey,
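Review bot: In the new cert-chain constructor, `certChain[0]` and `certChainLengths[0]` are read before anything checks that `noOfCerts` is non-zero or that either pointer is non-null, so an empty chain is read out of bounds. The loop that follows never executes, because `i` starts at `noOfCerts` and the condition `i < noOfCerts` is false on entry; if a last-to-first walk is intended it would be `for (PRUint32 i = noOfCerts; i-- > 0; )`. With the `SOB_*` calls commented out, no certificate in the chain is imported or validated here, so the principal's key is whatever bytes the caller passed as element 0, and that deserves an `XXX` comment like the ones added elsewhere in this file. In the later hunks `getNickname` and `getCertAttribute` return one fixed literal for every `nsPrincipalType_CertChain` principal, so the nickname and the fingerprint from `getFingerPrint` cannot tell two different signers apart wherever they are displayed or compared. A guard before `init`, for example `PR_ASSERT(certChain && certChainLengths && noOfCerts > 0);` plus a check that also holds in release builds, would close the first point.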


@ -358,9 +358,6 @@ PRBool nsPrivilegeManager::enablePrincipalPrivilegeHelper(void *context,
if (isPermissionGranted(target, callerPrinArray, data))
return PR_TRUE;
// Do a user dialog
nsPrivilege *newPrivilege;
//
// before we do the user dialog, we need to figure out which principal
// gets the user's blessing. The applet is allowed to bias this
@ -382,64 +379,11 @@ PRBool nsPrivilegeManager::enablePrincipalPrivilegeHelper(void *context,
useThisPrin = (nsPrincipal *)callerPrinArray->Get(0);
}
/* Get the Lock to display the dialog */
nsCaps_lock();
PRBool ret_val=PR_FALSE;
if (PR_TRUE == isPermissionGranted(target, callerPrinArray, data)) {
ret_val = PR_TRUE;
goto done;
}
newPrivilege = target->enablePrivilege(useThisPrin, data);
// Forbidden for session is equivelent to decide later.
// If the privilege is DECIDE_LATER then throw exception.
// That is user should be prompted again when this applet
// performs the same privileged operation
//
if ((!newPrivilege->isAllowed()) &&
(newPrivilege->getDuration() == nsDurationState_Session)) {
// "User didn't grant the " + target->getName() + " privilege.";
ret_val = PR_FALSE;
goto done;
}
registerPrincipalAndSetPrivileges(useThisPrin, target, newPrivilege);
//System.out.println("Privilege table modified for: " +
// useThisPrin.toVerboseString() + " for target " +
// target + " Privilege " + newPrivilege);
// Save the signed applet's ACL to the persistence store
err = useThisPrin->savePrincipalPermanently();
if ((err == NULL) &&
(newPrivilege->getDuration() == nsDurationState_Forever)) {
//XXX: How do we save permanent access for unsigned principals
///
if (!useThisPrin->equals(theUnsignedPrincipal)) {
save(useThisPrin, target, newPrivilege);
}
}
// if newPrivilege is FORBIDDEN then throw an exception
if (newPrivilege->isForbidden()) {
// "User didn't grant the " + target->getName() + " privilege.";
ret_val = PR_FALSE;
goto done;
}
ret_val = PR_TRUE;
done:
nsCaps_unlock();
return PR_TRUE;
// Do a user dialog
return AskPermission(useThisPrin, target, data);
}
nsPrivilegeTable *
nsPrivilegeManager::enableScopePrivilegeHelper(nsTarget *target,
PRInt32 callerDepth,
@ -449,7 +393,7 @@ nsPrivilegeManager::enableScopePrivilegeHelper(nsTarget *target,
{
return enableScopePrivilegeHelper(NULL, target, callerDepth, data,
helpingSetScopePrivilege, prefPrin);
}
}
nsPrivilegeTable *
@ -491,6 +435,82 @@ nsPrivilegeManager::enableScopePrivilegeHelper(void* context, nsTarget *target,
}
PRBool nsPrivilegeManager::AskPermission(nsPrincipal* useThisPrin,
nsTarget* target,
void* data)
{
PRBool ret_val = PR_FALSE;
nsPrivilege* newPrivilege = NULL;
/* Get the Lock to display the dialog */
nsCaps_lock();
nsPrincipalArray* callerPrinArray = new nsPrincipalArray();
callerPrinArray->Add(useThisPrin);
if (PR_TRUE == isPermissionGranted(target, callerPrinArray, data)) {
ret_val = PR_TRUE;
goto done;
}
// Do a user dialog
newPrivilege = target->enablePrivilege(useThisPrin, data);
// Forbidden for session is equivelent to decide later.
// If the privilege is DECIDE_LATER then throw exception.
// That is user should be prompted again when this applet
// performs the same privileged operation
//
if ((!newPrivilege->isAllowed()) &&
(newPrivilege->getDuration() == nsDurationState_Session)) {
// "User didn't grant the " + target->getName() + " privilege.";
ret_val = PR_FALSE;
goto done;
}
SetPermission(useThisPrin, target, newPrivilege);
// if newPrivilege is FORBIDDEN then throw an exception
if (newPrivilege->isForbidden()) {
// "User didn't grant the " + target->getName() + " privilege.";
ret_val = PR_FALSE;
goto done;
}
ret_val = PR_TRUE;
done:
delete callerPrinArray;
nsCaps_unlock();
return PR_TRUE;
}
void
nsPrivilegeManager::SetPermission(nsPrincipal *useThisPrin,
nsTarget *target,
nsPrivilege *newPrivilege)
{
registerPrincipalAndSetPrivileges(useThisPrin, target, newPrivilege);
//System.out.println("Privilege table modified for: " +
// useThisPrin.toVerboseString() + " for target " +
// target + " Privilege " + newPrivilege);
// Save the signed applet's ACL to the persistence store
char* err = useThisPrin->savePrincipalPermanently();
if ((err == NULL) &&
(newPrivilege->getDuration() == nsDurationState_Forever)) {
//XXX: How do we save permanent access for unsigned principals
///
if (!useThisPrin->equals(theUnsignedPrincipal)) {
save(useThisPrin, target, newPrivilege);
}
}
}
void
nsPrivilegeManager::registerPrincipalAndSetPrivileges(nsPrincipal *prin,
nsTarget *target,
@ -761,7 +781,8 @@ PRBool nsPrivilegeManager::checkMatchPrincipal(void* context, nsPrincipal *prin,
{
nsPrincipalArray *prinArray = new nsPrincipalArray();
prinArray->Add(prin);
nsPrincipalArray *classPrinArray = getClassPrincipalsFromStack(context, callerDepth);
nsPrincipalArray *classPrinArray = getClassPrincipalsFromStack(context,
callerDepth);
return (comparePrincipalArray(prinArray, classPrinArray) != nsSetComparisonType_NoSubset) ? PR_TRUE : PR_FALSE;
}
@ -960,8 +981,8 @@ PRBool nsPrivilegeManager::enablePrivilegePrivate(void* context, nsTarget *targe
}
// default "data" as null
if (NULL == enableScopePrivilegeHelper(context, target, callerDepth, NULL, PR_FALSE,
prefPrin))
if (NULL == enableScopePrivilegeHelper(context, target, callerDepth, NULL,
PR_FALSE, prefPrin))
return PR_FALSE;
return PR_TRUE;
}
@ -1014,7 +1035,8 @@ nsPrivilege *nsPrivilegeManager::getPrincipalPrivilege(nsTarget *target,
}
PrincipalKey prinKey(prin);
nsPrivilegeTable *privTable = (nsPrivilegeTable *) itsPrinToPrivTable->Get(&prinKey);
nsPrivilegeTable *privTable =
(nsPrivilegeTable *) itsPrinToPrivTable->Get(&prinKey);
if (privTable == NULL) {
// the principal isn't registered, so ignore it
return NULL;
@ -1111,8 +1133,10 @@ nsPrivilegeManager::checkPrivilegeEnabled(void *context,
goto done;
}
annotation = (nsPrivilegeTable *) (*nsCapsGetAnnotationCallback)(wrapper);
prinArray = (nsPrincipalArray *) (*nsCapsGetPrincipalArrayCallback)(wrapper);
annotation =
(nsPrivilegeTable *) (*nsCapsGetAnnotationCallback)(wrapper);
prinArray =
(nsPrincipalArray *) (*nsCapsGetPrincipalArrayCallback)(wrapper);
/*
* frame->annotation holds a PrivilegeTable, describing
* the scope privileges of this frame. We'll check
@ -1218,7 +1242,8 @@ nsPrivilegeManager::getClassPrincipalsFromStack(void* context, PRInt32 callerDep
) {
if ((*nsCapsIsValidFrameCallback)(wrapper)) {
if (depth >= callerDepth) {
principalArray = (nsPrincipalArray *) (*nsCapsGetPrincipalArrayCallback)(wrapper);
principalArray =
(nsPrincipalArray *) (*nsCapsGetPrincipalArrayCallback)(wrapper);
break;
}
}
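Review bot: `AskPermission` ends with `return PR_TRUE;` after the `done:` label, so the `ret_val = PR_FALSE` set on both denial paths (not allowed for the session, and forbidden) is never returned. `enablePrincipalPrivilegeHelper` now returns the result of `AskPermission` directly, so it reports success even when the user refused the privilege. The removed block had the same final line, so the behaviour is carried over rather than introduced, but the new function is the place to fix it: `return ret_val;`. Separately, `newPrivilege` is dereferenced immediately after `target->enablePrivilege(useThisPrin, data)` with no null check; whether that call can return NULL is not visible on this page.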