You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
306 lines
11 KiB
306 lines
11 KiB
/*
|
|
* Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* - Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* - Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* - Neither the name of Oracle nor the names of its
|
|
* contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
|
|
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
|
|
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* This source code is provided to illustrate the usage of a given feature
|
|
* or technique and has been deliberately simplified. Additional steps
|
|
* required for a production-quality application, such as security checks,
|
|
* input validation and proper error handling, might not be present in
|
|
* this sample code.
|
|
*/
|
|
|
|
|
|
import java.nio.file.*;
|
|
import java.nio.file.attribute.*;
|
|
import java.io.IOException;
|
|
import java.util.*;
|
|
import java.util.regex.Pattern;
|
|
|
|
/**
|
|
* Sample utility for editing a file's ACL.
|
|
*/
|
|
|
|
public class AclEdit {
|
|
|
|
// parse string as list of ACE permissions separated by /
|
|
static Set<AclEntryPermission> parsePermissions(String permsString) {
|
|
Set<AclEntryPermission> perms = new HashSet<AclEntryPermission>();
|
|
String[] result = permsString.split("/");
|
|
for (String s : result) {
|
|
if (s.equals(""))
|
|
continue;
|
|
try {
|
|
perms.add(AclEntryPermission.valueOf(s.toUpperCase()));
|
|
} catch (IllegalArgumentException x) {
|
|
System.err.format("Invalid permission '%s'\n", s);
|
|
System.exit(-1);
|
|
}
|
|
}
|
|
return perms;
|
|
}
|
|
|
|
// parse string as list of ACE flags separated by /
|
|
static Set<AclEntryFlag> parseFlags(String flagsString) {
|
|
Set<AclEntryFlag> flags = new HashSet<AclEntryFlag>();
|
|
String[] result = flagsString.split("/");
|
|
for (String s : result) {
|
|
if (s.equals(""))
|
|
continue;
|
|
try {
|
|
flags.add(AclEntryFlag.valueOf(s.toUpperCase()));
|
|
} catch (IllegalArgumentException x) {
|
|
System.err.format("Invalid flag '%s'\n", s);
|
|
System.exit(-1);
|
|
}
|
|
}
|
|
return flags;
|
|
}
|
|
|
|
// parse ACE type
|
|
static AclEntryType parseType(String typeString) {
|
|
// FIXME: support audit and alarm types in the future
|
|
if (typeString.equalsIgnoreCase("allow"))
|
|
return AclEntryType.ALLOW;
|
|
if (typeString.equalsIgnoreCase("deny"))
|
|
return AclEntryType.DENY;
|
|
System.err.format("Invalid type '%s'\n", typeString);
|
|
System.exit(-1);
|
|
return null; // keep compiler happy
|
|
}
|
|
|
|
/**
|
|
* Parse string of the form:
|
|
* [user|group:]<username|groupname>:<perms>[:flags]:<allow|deny>
|
|
*/
|
|
static AclEntry parseAceString(String s,
|
|
UserPrincipalLookupService lookupService)
|
|
{
|
|
String[] result = s.split(":");
|
|
|
|
// must have at least 3 components (username:perms:type)
|
|
if (result.length < 3)
|
|
usage();
|
|
|
|
int index = 0;
|
|
int remaining = result.length;
|
|
|
|
// optional first component can indicate user or group type
|
|
boolean isGroup = false;
|
|
if (result[index].equalsIgnoreCase("user") ||
|
|
result[index].equalsIgnoreCase("group"))
|
|
{
|
|
if (--remaining < 3)
|
|
usage();
|
|
isGroup = result[index++].equalsIgnoreCase("group");
|
|
}
|
|
|
|
// user and permissions required
|
|
String userString = result[index++]; remaining--;
|
|
String permsString = result[index++]; remaining--;
|
|
|
|
// flags are optional
|
|
String flagsString = "";
|
|
String typeString = null;
|
|
if (remaining == 1) {
|
|
typeString = result[index++];
|
|
} else {
|
|
if (remaining == 2) {
|
|
flagsString = result[index++];
|
|
typeString = result[index++];
|
|
} else {
|
|
usage();
|
|
}
|
|
}
|
|
|
|
// lookup UserPrincipal
|
|
UserPrincipal user = null;
|
|
try {
|
|
user = (isGroup) ?
|
|
lookupService.lookupPrincipalByGroupName(userString) :
|
|
lookupService.lookupPrincipalByName(userString);
|
|
} catch (UserPrincipalNotFoundException x) {
|
|
System.err.format("Invalid %s '%s'\n",
|
|
((isGroup) ? "group" : "user"),
|
|
userString);
|
|
System.exit(-1);
|
|
} catch (IOException x) {
|
|
System.err.format("Lookup of '%s' failed: %s\n", userString, x);
|
|
System.exit(-1);
|
|
}
|
|
|
|
// map string representation of permissions, flags, and type
|
|
Set<AclEntryPermission> perms = parsePermissions(permsString);
|
|
Set<AclEntryFlag> flags = parseFlags(flagsString);
|
|
AclEntryType type = parseType(typeString);
|
|
|
|
// build the ACL entry
|
|
return AclEntry.newBuilder()
|
|
.setType(type)
|
|
.setPrincipal(user)
|
|
.setPermissions(perms).setFlags(flags).build();
|
|
}
|
|
|
|
static void usage() {
|
|
System.err.println("usage: java AclEdit [ACL-operation] file");
|
|
System.err.println("");
|
|
System.err.println("Example 1: Prepends access control entry to the begining of the myfile's ACL");
|
|
System.err.println(" java AclEdit A+alice:read_data/read_attributes:allow myfile");
|
|
System.err.println("");
|
|
System.err.println("Example 2: Remove the entry at index 6 of myfile's ACL");
|
|
System.err.println(" java AclEdit A6- myfile");
|
|
System.err.println("");
|
|
System.err.println("Example 3: Replace the entry at index 2 of myfile's ACL");
|
|
System.err.println(" java AclEdit A2=bob:write_data/append_data:deny myfile");
|
|
System.exit(-1);
|
|
}
|
|
|
|
static enum Action {
|
|
PRINT,
|
|
ADD,
|
|
REMOVE,
|
|
REPLACE;
|
|
}
|
|
|
|
/**
|
|
* Main class: parses arguments and prints or edits ACL
|
|
*/
|
|
public static void main(String[] args) throws IOException {
|
|
Action action = null;
|
|
int index = -1;
|
|
String entryString = null;
|
|
|
|
// parse arguments
|
|
if (args.length < 1 || args[0].equals("-help") || args[0].equals("-?"))
|
|
usage();
|
|
|
|
if (args.length == 1) {
|
|
action = Action.PRINT;
|
|
} else {
|
|
String s = args[0];
|
|
|
|
// A[index]+entry
|
|
if (Pattern.matches("^A[0-9]*\\+.*", s)) {
|
|
String[] result = s.split("\\+", 2);
|
|
if (result.length == 2) {
|
|
if (result[0].length() < 2) {
|
|
index = 0;
|
|
} else {
|
|
index = Integer.parseInt(result[0].substring(1));
|
|
}
|
|
entryString = result[1];
|
|
action = Action.ADD;
|
|
}
|
|
}
|
|
|
|
// Aindex-
|
|
if (Pattern.matches("^A[0-9]+\\-", s)) {
|
|
String[] result = s.split("\\-", 2);
|
|
if (result.length == 2) {
|
|
index = Integer.parseInt(result[0].substring(1));
|
|
entryString = result[1];
|
|
action = Action.REMOVE;
|
|
}
|
|
}
|
|
|
|
// Aindex=entry
|
|
if (Pattern.matches("^A[0-9]+=.*", s)) {
|
|
String[] result = s.split("=", 2);
|
|
if (result.length == 2) {
|
|
index = Integer.parseInt(result[0].substring(1));
|
|
entryString = result[1];
|
|
action = Action.REPLACE;
|
|
}
|
|
}
|
|
}
|
|
if (action == null)
|
|
usage();
|
|
|
|
int fileArg = (action == Action.PRINT) ? 0 : 1;
|
|
Path file = Paths.get(args[fileArg]);
|
|
|
|
// read file's ACL
|
|
AclFileAttributeView view =
|
|
Files.getFileAttributeView(file, AclFileAttributeView.class);
|
|
if (view == null) {
|
|
System.err.println("ACLs not supported on this platform");
|
|
System.exit(-1);
|
|
}
|
|
List<AclEntry> acl = view.getAcl();
|
|
|
|
switch (action) {
|
|
// print ACL
|
|
case PRINT : {
|
|
for (int i=0; i<acl.size(); i++) {
|
|
System.out.format("%5d: %s\n", i, acl.get(i));
|
|
}
|
|
break;
|
|
}
|
|
|
|
// add ACE to existing ACL
|
|
case ADD: {
|
|
AclEntry entry = parseAceString(entryString, file
|
|
.getFileSystem().getUserPrincipalLookupService());
|
|
if (index >= acl.size()) {
|
|
acl.add(entry);
|
|
} else {
|
|
acl.add(index, entry);
|
|
}
|
|
view.setAcl(acl);
|
|
break;
|
|
}
|
|
|
|
// remove ACE
|
|
case REMOVE: {
|
|
if (index >= acl.size()) {
|
|
System.err.format("Index '%d' is invalid", index);
|
|
System.exit(-1);
|
|
}
|
|
acl.remove(index);
|
|
view.setAcl(acl);
|
|
break;
|
|
}
|
|
|
|
// replace ACE
|
|
case REPLACE: {
|
|
if (index >= acl.size()) {
|
|
System.err.format("Index '%d' is invalid", index);
|
|
System.exit(-1);
|
|
}
|
|
AclEntry entry = parseAceString(entryString, file
|
|
.getFileSystem().getUserPrincipalLookupService());
|
|
acl.set(index, entry);
|
|
view.setAcl(acl);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|