Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.security.alias;
020
021import org.apache.hadoop.classification.InterfaceAudience;
022import org.apache.hadoop.conf.Configuration;
023import org.apache.hadoop.fs.FileUtil;
024import org.apache.hadoop.fs.permission.FsPermission;
025import org.apache.hadoop.util.Shell;
026
027import java.io.File;
028import java.io.FileInputStream;
029import java.io.FileOutputStream;
030import java.io.IOException;
031import java.io.InputStream;
032import java.io.OutputStream;
033import java.net.URI;
034import java.net.URISyntaxException;
035import java.nio.file.Files;
036import java.nio.file.Path;
037import java.nio.file.Paths;
038import java.nio.file.attribute.PosixFilePermission;
039import java.nio.file.attribute.PosixFilePermissions;
040import java.util.Set;
041import java.util.StringTokenizer;
042import java.util.EnumSet;
043
044/**
045 * CredentialProvider based on Java's KeyStore file format. The file may be
046 * stored only on the local filesystem using the following name mangling:
047 * localjceks://file/home/larry/creds.jceks -> file:///home/larry/creds.jceks
048 */
049@InterfaceAudience.Private
050public final class LocalJavaKeyStoreProvider extends
051    AbstractJavaKeyStoreProvider {
052  public static final String SCHEME_NAME = "localjceks";
053  private File file;
054  private Set<PosixFilePermission> permissions;
055
056  private LocalJavaKeyStoreProvider(URI uri, Configuration conf)
057      throws IOException {
058    super(uri, conf);
059  }
060
061  @Override
062  protected String getSchemeName() {
063    return SCHEME_NAME;
064  }
065
066  @Override
067  protected OutputStream getOutputStreamForKeystore() throws IOException {
068    FileOutputStream out = new FileOutputStream(file);
069    return out;
070  }
071
072  @Override
073  protected boolean keystoreExists() throws IOException {
074    return file.exists();
075  }
076
077  @Override
078  protected InputStream getInputStreamForFile() throws IOException {
079    FileInputStream is = new FileInputStream(file);
080    return is;
081  }
082
083  @Override
084  protected void createPermissions(String perms) throws IOException {
085    int mode = 700;
086    try {
087      mode = Integer.parseInt(perms, 8);
088    } catch (NumberFormatException nfe) {
089      throw new IOException("Invalid permissions mode provided while "
090          + "trying to createPermissions", nfe);
091    }
092    permissions = modeToPosixFilePermission(mode);
093  }
094
095  @Override
096  protected void stashOriginalFilePermissions() throws IOException {
097    // save off permissions in case we need to
098    // rewrite the keystore in flush()
099    if (!Shell.WINDOWS) {
100      Path path = Paths.get(file.getCanonicalPath());
101      permissions = Files.getPosixFilePermissions(path);
102    } else {
103      // On Windows, the JDK does not support the POSIX file permission APIs.
104      // Instead, we can do a winutils call and translate.
105      String[] cmd = Shell.getGetPermissionCommand();
106      String[] args = new String[cmd.length + 1];
107      System.arraycopy(cmd, 0, args, 0, cmd.length);
108      args[cmd.length] = file.getCanonicalPath();
109      String out = Shell.execCommand(args);
110      StringTokenizer t = new StringTokenizer(out, Shell.TOKEN_SEPARATOR_REGEX);
111      // The winutils output consists of 10 characters because of the leading
112      // directory indicator, i.e. "drwx------".  The JDK parsing method expects
113      // a 9-character string, so remove the leading character.
114      String permString = t.nextToken().substring(1);
115      permissions = PosixFilePermissions.fromString(permString);
116    }
117  }
118
119  @Override
120  protected void initFileSystem(URI uri, Configuration conf)
121      throws IOException {
122    super.initFileSystem(uri, conf);
123    try {
124      file = new File(new URI(getPath().toString()));
125    } catch (URISyntaxException e) {
126      throw new IOException(e);
127    }
128  }
129
130  @Override
131  public void flush() throws IOException {
132    super.flush();
133    if (!Shell.WINDOWS) {
134      Files.setPosixFilePermissions(Paths.get(file.getCanonicalPath()),
135          permissions);
136    } else {
137      // FsPermission expects a 10-character string because of the leading
138      // directory indicator, i.e. "drwx------". The JDK toString method returns
139      // a 9-character string, so prepend a leading character.
140      FsPermission fsPermission = FsPermission.valueOf(
141          "-" + PosixFilePermissions.toString(permissions));
142      FileUtil.setPermission(file, fsPermission);
143    }
144  }
145
146  /**
147   * The factory to create JksProviders, which is used by the ServiceLoader.
148   */
149  public static class Factory extends CredentialProviderFactory {
150    @Override
151    public CredentialProvider createProvider(URI providerName,
152        Configuration conf) throws IOException {
153      if (SCHEME_NAME.equals(providerName.getScheme())) {
154        return new LocalJavaKeyStoreProvider(providerName, conf);
155      }
156      return null;
157    }
158  }
159
160  private static Set<PosixFilePermission> modeToPosixFilePermission(
161      int mode) {
162    Set<PosixFilePermission> perms = EnumSet.noneOf(PosixFilePermission.class);
163    if ((mode & 0001) != 0) {
164      perms.add(PosixFilePermission.OTHERS_EXECUTE);
165    }
166    if ((mode & 0002) != 0) {
167      perms.add(PosixFilePermission.OTHERS_WRITE);
168    }
169    if ((mode & 0004) != 0) {
170      perms.add(PosixFilePermission.OTHERS_READ);
171    }
172    if ((mode & 0010) != 0) {
173      perms.add(PosixFilePermission.GROUP_EXECUTE);
174    }
175    if ((mode & 0020) != 0) {
176      perms.add(PosixFilePermission.GROUP_WRITE);
177    }
178    if ((mode & 0040) != 0) {
179      perms.add(PosixFilePermission.GROUP_READ);
180    }
181    if ((mode & 0100) != 0) {
182      perms.add(PosixFilePermission.OWNER_EXECUTE);
183    }
184    if ((mode & 0200) != 0) {
185      perms.add(PosixFilePermission.OWNER_WRITE);
186    }
187    if ((mode & 0400) != 0) {
188      perms.add(PosixFilePermission.OWNER_READ);
189    }
190    return perms;
191  }
192}