/**
* Copyright (C) 2013-2016 The Rythm Engine project
* for LICENSE and other details see:
* https://github.com/rythmengine/rythmengine
*/
package org.rythmengine;
import org.rythmengine.logger.ILogger;
import org.rythmengine.logger.Logger;
import org.rythmengine.sandbox.RythmSecurityManager;
import org.rythmengine.sandbox.SandboxExecutingService;
import java.io.File;
import java.util.Map;
import java.util.Stack;
/**
* A wrapper of Rythm engine and make sure the rendering is happen in Sandbox mode
*/
public class Sandbox {
private static final ILogger logger = Logger.get(Sandbox.class);
private static final InheritableThreadLocal<Boolean> sandboxMode = new InheritableThreadLocal<Boolean>();
static boolean sandboxMode() {
Boolean mode = sandboxMode.get();
return null == mode ? false : mode;
}
RythmEngine engine;
SandboxExecutingService secureExecutor = null;
private static boolean sandboxLive = false;
/**
* Turn off sandbox mode. Used by Rythm unit testing program
* @param code
*/
public static void turnOffSandbox(String code) {
if (!sandboxLive) return;
rsm().forbiddenIfCodeNotMatch(code);
sandboxLive = false;
System.setSecurityManager(null);
}
public Sandbox(RythmEngine engine, SandboxExecutingService executor) {
this.engine = engine;
this.secureExecutor = executor;
sandboxLive = true;
restrictedZone.set(new Stack<Boolean>());
}
private static RythmSecurityManager rsm() {
return (RythmSecurityManager)System.getSecurityManager();
}
private RythmEngine engine() {
if (null != engine) return engine;
return Rythm.engine();
}
private Map<String, Object> userContext;
public Sandbox setUserContext(Map<String, Object> context) {
this.userContext = context;
return this;
}
public String render(String template, Object... args) {
sandboxMode.set(true);
try {
return secureExecutor.execute(userContext, template, args);
} finally {
sandboxMode.remove();
}
}
public String render(File file, Object... args) {
sandboxMode.set(true);
try {
return secureExecutor.execute(userContext,file, args);
} finally {
sandboxMode.remove();
}
}
public static String hasAccessToRestrictedClasses(RythmEngine engine, String code) {
for (String s : engine.conf().restrictedClasses()) {
if (code.contains(s)) return s;
}
return null;
}
private final static ThreadLocal<Stack<Boolean>> restrictedZone = new ThreadLocal<Stack<Boolean>>(){
@Override
protected Stack<Boolean> initialValue() {
return new Stack<Boolean>();
}
};
public final static void enterRestrictedZone(String code) {
if (!sandboxLive || !sandboxMode()) return;
rsm().forbiddenIfCodeNotMatch(code);
restrictedZone.get().push(true);
}
public final static void enterSafeZone(String code) {
if (!sandboxLive || !sandboxMode()) return;
rsm().forbiddenIfCodeNotMatch(code);
restrictedZone.get().push(false);
}
public final static void leaveCurZone(String code) {
if (!sandboxLive || !sandboxMode()) return;
rsm().forbiddenIfCodeNotMatch(code);
Stack<Boolean> stack = restrictedZone.get();
if (stack.isEmpty()) {
throw new IllegalStateException("EMPTY ZONE");
}
stack.pop();
}
public final static boolean isRestricted() {
if (!sandboxLive || !sandboxMode()) return false;
Stack<Boolean> stack = restrictedZone.get();
if (stack.isEmpty()) return false;
return stack.peek();
}
}