1
/*
2
 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
/*
25
 * @test
26
 * @bug 8055206
27
 * @summary Check that each module loaded by the platform loader has the
28
 *          proper "accessClassInPackage" RuntimePermissions to access its
29
 *          qualified exports.
30
 * @run main CheckAccessClassInPackagePermissions
31
 */
32

33
import java.lang.module.ModuleDescriptor;
34
import java.lang.module.ModuleDescriptor.Exports;
35
import java.net.URL;
36
import java.security.CodeSigner;
37
import java.security.CodeSource;
38
import java.security.Policy;
39
import java.security.ProtectionDomain;
40
import java.util.ArrayList;
41
import java.util.Arrays;
42
import java.util.HashMap;
43
import java.util.List;
44
import java.util.Map;
45
import java.util.Map.Entry;
46
import java.util.Optional;
47
import java.util.Set;
48
import java.util.stream.Collectors;
49
import java.util.stream.Stream;
50

51
public class CheckAccessClassInPackagePermissions {
52

53
    private static final String[] deployModules = {
54
        "jdk.javaws", "jdk.plugin", "jdk.plugin.server", "jdk.deploy" };
55

56
    public static void main(String[] args) throws Exception {
57

58
        // Get the modules in the boot layer loaded by the boot or platform
59
        // loader
60
        ModuleLayer bootLayer = ModuleLayer.boot();
61
        Set<Module> modules = bootLayer.modules()
62
            .stream()
63
            .filter(CheckAccessClassInPackagePermissions::isBootOrPlatformMod)
64
            .collect(Collectors.toSet());
65

66
        // Create map of target module's qualified export packages
67
        Map<String, List<String>> map = new HashMap<>();
68
        Set<Exports> qualExports =
69
            modules.stream()
70
                   .map(Module::getDescriptor)
71
                   .map(ModuleDescriptor::exports)
72
                   .flatMap(Set::stream)
73
                   .filter(Exports::isQualified)
74
                   .collect(Collectors.toSet());
75
        for (Exports e : qualExports) {
76
            Set<String> targets = e.targets();
77
            for (String t : targets) {
78
                map.compute(t, (k, ov) -> {
79
                    if (ov == null) {
80
                        List<String> v = new ArrayList<>();
81
                        v.add(e.source());
82
                        return v;
83
                    } else {
84
                        ov.add(e.source());
85
                        return ov;
86
                    }
87
                });
88
            }
89
        }
90

91
        // Check if each target module has the right permissions to access
92
        // its qualified exports
93
        Policy policy = Policy.getPolicy();
94
        List<String> deployMods = Arrays.asList(deployModules);
95
        for (Map.Entry<String, List<String>> me : map.entrySet()) {
96
            String moduleName = me.getKey();
97

98
            // skip deploy modules since they are granted permissions in
99
            // deployment policy file
100
            if (deployMods.contains(moduleName)) {
101
                continue;
102
            }
103

104
            // is this a module loaded by the platform loader?
105
            Optional<Module> module = bootLayer.findModule(moduleName);
106
            if (!module.isPresent()) {
107
                continue;
108
            }
109
            Module mod = module.get();
110
            if (mod.getClassLoader() != ClassLoader.getPlatformClassLoader()) {
111
                continue;
112
            }
113

114
            // create ProtectionDomain simulating module
115
            URL url = new URL("jrt:/" + moduleName);
116
            CodeSource cs = new CodeSource(url, (CodeSigner[])null);
117
            ProtectionDomain pd = new ProtectionDomain(cs, null, null, null);
118

119
            List<String> pkgs = me.getValue();
120
            for (String p : pkgs) {
121
                RuntimePermission rp =
122
                    new RuntimePermission("accessClassInPackage." + p);
123
                if (!policy.implies(pd, rp)) {
124
                    throw new Exception("Module " + mod + " has not been " +
125
                                        "granted " + rp);
126
                }
127
            }
128
        }
129
    }
130

131
    /**
132
     * Returns true if the module's loader is the boot or platform loader.
133
     */
134
    private static boolean isBootOrPlatformMod(Module m) {
135
        return m.getClassLoader() == null ||
136
               m.getClassLoader() == ClassLoader.getPlatformClassLoader();
137
    }
138
}
139

140