Moved AttachmentsClassLoader out of core (#1504)

node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt

@@ -0,0 +1,108 @@
+package net.corda.nodeapi.internal
+
+import net.corda.core.contracts.Attachment
+import net.corda.core.crypto.SecureHash
+import net.corda.core.serialization.CordaSerializable
+import java.io.ByteArrayInputStream
+import java.io.ByteArrayOutputStream
+import java.io.FileNotFoundException
+import java.io.InputStream
+import java.net.URL
+import java.net.URLConnection
+import java.net.URLStreamHandler
+import java.security.CodeSigner
+import java.security.CodeSource
+import java.security.SecureClassLoader
+import java.util.*
+
+/**
+ * A custom ClassLoader that knows how to load classes from a set of attachments. The attachments themselves only
+ * need to provide JAR streams, and so could be fetched from a database, local disk, etc. Constructing an
+ * AttachmentsClassLoader is somewhat expensive, as every attachment is scanned to ensure that there are no overlapping
+ * file paths.
+ */
+class AttachmentsClassLoader(attachments: List<Attachment>, parent: ClassLoader = ClassLoader.getSystemClassLoader()) : SecureClassLoader(parent) {
+    private val pathsToAttachments = HashMap<String, Attachment>()
+    private val idsToAttachments = HashMap<SecureHash, Attachment>()
+
+    @CordaSerializable
+    class OverlappingAttachments(val path: String) : Exception() {
+        override fun toString() = "Multiple attachments define a file at path $path"
+    }
+
+    init {
+        for (attachment in attachments) {
+            attachment.openAsJAR().use { jar ->
+                while (true) {
+                    val entry = jar.nextJarEntry ?: break
+
+                    // We already verified that paths are not strange/game playing when we inserted the attachment
+                    // into the storage service. So we don't need to repeat it here.
+                    //
+                    // We forbid files that differ only in case, or path separator to avoid issues for Windows/Mac developers where the
+                    // filesystem tries to be case insensitive. This may break developers who attempt to use ProGuard.
+                    //
+                    // Also convert to Unix path separators as all resource/class lookups will expect this.
+                    val path = entry.name.toLowerCase().replace('\\', '/')
+                    if (path in pathsToAttachments)
+                        throw OverlappingAttachments(path)
+                    pathsToAttachments[path] = attachment
+                }
+            }
+            idsToAttachments[attachment.id] = attachment
+        }
+    }
+
+    // Example: attachment://0b4fc1327f3bbebf1bfe98330ea402ae035936c3cb6da9bd3e26eeaa9584e74d/some/file.txt
+    //
+    // We have to provide a fake stream handler to satisfy the URL class that the scheme is known. But it's not
+    // a real scheme and we don't register it. It's just here to ensure that there aren't codepaths that could
+    // lead to data loading that we don't control right here in this class (URLs can have evil security properties!)
+    private val fakeStreamHandler = object : URLStreamHandler() {
+        override fun openConnection(u: URL?): URLConnection? {
+            throw UnsupportedOperationException()
+        }
+    }
+
+    private fun Attachment.toURL(path: String?) = URL(null, "attachment://$id/" + (path ?: ""), fakeStreamHandler)
+
+    override fun findClass(name: String): Class<*> {
+        val path = name.replace('.', '/').toLowerCase() + ".class"
+        val attachment = pathsToAttachments[path] ?: throw ClassNotFoundException(name)
+        val stream = ByteArrayOutputStream()
+        try {
+            attachment.extractFile(path, stream)
+        } catch(e: FileNotFoundException) {
+            throw ClassNotFoundException(name)
+        }
+        val bytes = stream.toByteArray()
+        // We don't attempt to propagate signatures from the JAR into the codesource, because our sandbox does not
+        // depend on external policy files to specify what it can do, so the data wouldn't be useful.
+        val codesource = CodeSource(attachment.toURL(null), emptyArray<CodeSigner>())
+        // TODO: Define an empty ProtectionDomain to start enforcing the standard Java sandbox.
+        // The standard Java sandbox is insufficient for our needs and a much more sophisticated sandboxing
+        // ClassLoader will appear here in future, but it can't hurt to use the default one too: defence in depth!
+        return defineClass(name, bytes, 0, bytes.size, codesource)
+    }
+
+    override fun findResource(name: String): URL? {
+        val attachment = pathsToAttachments[name.toLowerCase()] ?: return null
+        return attachment.toURL(name)
+    }
+
+    override fun getResourceAsStream(name: String): InputStream? {
+        val url = getResource(name) ?: return null   // May check parent classloaders, for example.
+        if (url.protocol != "attachment") return null
+        val attachment = idsToAttachments[SecureHash.parse(url.host)] ?: return null
+        val path = url.path?.substring(1) ?: return null   // Chop off the leading slash.
+        try {
+            val stream = ByteArrayOutputStream()
+            attachment.extractFile(path, stream)
+            return ByteArrayInputStream(stream.toByteArray())
+        } catch(e: FileNotFoundException) {
+            return null
+        }
+    }
+}
+
+

node-api/src/main/kotlin/net/corda/nodeapi/internal/serialization/CordaClassResolver.kt

@@ -6,7 +6,7 @@ import com.esotericsoftware.kryo.io.Output
 import com.esotericsoftware.kryo.serializers.FieldSerializer
 import com.esotericsoftware.kryo.util.DefaultClassResolver
 import com.esotericsoftware.kryo.util.Util
-import net.corda.core.serialization.AttachmentsClassLoader
+import net.corda.nodeapi.internal.AttachmentsClassLoader
 import net.corda.core.serialization.ClassWhitelist
 import net.corda.core.serialization.CordaSerializable
 import net.corda.core.serialization.SerializationContext

node-api/src/main/kotlin/net/corda/nodeapi/internal/serialization/Kryo.kt

@@ -13,7 +13,7 @@ import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SecureHash
 import net.corda.core.crypto.TransactionSignature
 import net.corda.core.identity.Party
-import net.corda.core.serialization.AttachmentsClassLoader
+import net.corda.nodeapi.internal.AttachmentsClassLoader
 import net.corda.core.serialization.MissingAttachmentsException
 import net.corda.core.serialization.SerializeAsTokenContext
 import net.corda.core.serialization.SerializedBytes

node-api/src/main/kotlin/net/corda/nodeapi/internal/serialization/SerializationScheme.kt

@@ -16,6 +16,7 @@ import net.corda.core.internal.LazyPool
 import net.corda.core.serialization.*
 import net.corda.core.utilities.ByteSequence
 import net.corda.core.utilities.OpaqueBytes
+import net.corda.nodeapi.internal.AttachmentsClassLoader
 import java.io.ByteArrayOutputStream
 import java.io.NotSerializableException
 import java.util.*

node-api/src/test/kotlin/net/corda/nodeapi/AttachmentsClassLoaderTests.kt

@@ -14,6 +14,7 @@ import net.corda.core.transactions.LedgerTransaction
 import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.ByteSequence
 import net.corda.core.utilities.OpaqueBytes
+import net.corda.nodeapi.internal.AttachmentsClassLoader
 import net.corda.nodeapi.internal.serialization.SerializeAsTokenContextImpl
 import net.corda.nodeapi.internal.serialization.attachmentsClassLoaderEnabledPropertyName
 import net.corda.nodeapi.internal.serialization.withTokenContext
@@ -41,11 +42,11 @@ interface DummyContractBackdoor {
     fun inspectState(state: ContractState): Int
 }
 
-class AttachmentClassLoaderTests : TestDependencyInjectionBase() {
+class AttachmentsClassLoaderTests : TestDependencyInjectionBase() {
     companion object {
-        val ISOLATED_CONTRACTS_JAR_PATH: URL = AttachmentClassLoaderTests::class.java.getResource("isolated.jar")
+        val ISOLATED_CONTRACTS_JAR_PATH: URL = AttachmentsClassLoaderTests::class.java.getResource("isolated.jar")
         private val ISOLATED_CONTRACT_CLASS_NAME = "net.corda.finance.contracts.isolated.AnotherDummyContract"
-        private val ATTACHMENT_PROGRAM_ID = "net.corda.nodeapi.AttachmentClassLoaderTests.AttachmentDummyContract"
+        private val ATTACHMENT_PROGRAM_ID = "net.corda.nodeapi.AttachmentsClassLoaderTests.AttachmentDummyContract"
 
         private fun SerializationContext.withAttachmentStorage(attachmentStorage: AttachmentStorage): SerializationContext {
             val serviceHub = mock<ServiceHub>()
@@ -195,7 +196,7 @@ class AttachmentClassLoaderTests : TestDependencyInjectionBase() {
 
     @Test
     fun `verify that contract DummyContract is in classPath`() {
-        val contractClass = Class.forName("net.corda.nodeapi.AttachmentClassLoaderTests\$AttachmentDummyContract")
+        val contractClass = Class.forName("net.corda.nodeapi.AttachmentsClassLoaderTests\$AttachmentDummyContract")
         val contract = contractClass.newInstance() as Contract
 
         assertNotNull(contract)
@@ -332,34 +333,36 @@ class AttachmentClassLoaderTests : TestDependencyInjectionBase() {
     }
 
     @Test
-    fun `test deserialize of WireTransaction where contract cannot be found`() = kryoSpecific<AttachmentClassLoaderTests>("Kryo verifies/loads attachments on deserialization, whereas AMQP currently does not") {
-        val child = ClassLoaderForTests()
-        val contractClass = Class.forName(ISOLATED_CONTRACT_CLASS_NAME, true, child)
-        val contract = contractClass.newInstance() as DummyContractBackdoor
-        val tx = contract.generateInitial(MEGA_CORP.ref(0), 42, DUMMY_NOTARY)
-        val storage = MockAttachmentStorage()
+    fun `test deserialize of WireTransaction where contract cannot be found`() {
+        kryoSpecific<AttachmentsClassLoaderTests>("Kryo verifies/loads attachments on deserialization, whereas AMQP currently does not") {
+            val child = ClassLoaderForTests()
+            val contractClass = Class.forName(ISOLATED_CONTRACT_CLASS_NAME, true, child)
+            val contract = contractClass.newInstance() as DummyContractBackdoor
+            val tx = contract.generateInitial(MEGA_CORP.ref(0), 42, DUMMY_NOTARY)
+            val storage = MockAttachmentStorage()
 
-        // todo - think about better way to push attachmentStorage down to serializer
-        val attachmentRef = importJar(storage)
-        val bytes = run {
+            // todo - think about better way to push attachmentStorage down to serializer
+            val attachmentRef = importJar(storage)
+            val bytes = run {
 
-            tx.addAttachment(storage.openAttachment(attachmentRef)!!.id)
+                tx.addAttachment(storage.openAttachment(attachmentRef)!!.id)
 
-            val wireTransaction = tx.toWireTransaction()
+                val wireTransaction = tx.toWireTransaction()
 
-            wireTransaction.serialize(context = SerializationFactory.defaultFactory.defaultContext.withAttachmentStorage(storage))
-        }
-        // use empty attachmentStorage
-
-        val e = assertFailsWith(MissingAttachmentsException::class) {
-            val mockAttStorage = MockAttachmentStorage()
-            bytes.deserialize(context = SerializationFactory.defaultFactory.defaultContext.withAttachmentStorage(mockAttStorage))
-
-            if(mockAttStorage.openAttachment(attachmentRef) == null) {
-                throw MissingAttachmentsException(listOf(attachmentRef))
+                wireTransaction.serialize(context = SerializationFactory.defaultFactory.defaultContext.withAttachmentStorage(storage))
             }
+            // use empty attachmentStorage
+
+            val e = assertFailsWith(MissingAttachmentsException::class) {
+                val mockAttStorage = MockAttachmentStorage()
+                bytes.deserialize(context = SerializationFactory.defaultFactory.defaultContext.withAttachmentStorage(mockAttStorage))
+
+                if(mockAttStorage.openAttachment(attachmentRef) == null) {
+                    throw MissingAttachmentsException(listOf(attachmentRef))
+                }
+            }
+            assertEquals(attachmentRef, e.ids.single())
         }
-        assertEquals(attachmentRef, e.ids.single())
     }
 
     @Test
@@ -371,7 +374,12 @@ class AttachmentClassLoaderTests : TestDependencyInjectionBase() {
         val attachmentRef = importJar(storage)
         val outboundContext = SerializationFactory.defaultFactory.defaultContext.withClassLoader(child)
         // We currently ignore annotations in attachments, so manually whitelist.
-        val inboundContext = SerializationFactory.defaultFactory.defaultContext.withWhitelisted(contract.javaClass).withAttachmentStorage(storage).withAttachmentsClassLoader(listOf(attachmentRef))
+        val inboundContext = SerializationFactory
+                .defaultFactory
+                .defaultContext
+                .withWhitelisted(contract.javaClass)
+                .withAttachmentStorage(storage)
+                .withAttachmentsClassLoader(listOf(attachmentRef))
 
         // Serialize with custom context to avoid populating the default context with the specially loaded class
         val serialized = contract.serialize(context = outboundContext)
@@ -393,7 +401,12 @@ class AttachmentClassLoaderTests : TestDependencyInjectionBase() {
         // Then deserialize with the attachment class loader associated with the attachment
         val e = assertFailsWith(MissingAttachmentsException::class) {
             // We currently ignore annotations in attachments, so manually whitelist.
-            val inboundContext = SerializationFactory.defaultFactory.defaultContext.withWhitelisted(contract.javaClass).withAttachmentStorage(storage).withAttachmentsClassLoader(listOf(attachmentRef))
+            val inboundContext = SerializationFactory
+                    .defaultFactory
+                    .defaultContext
+                    .withWhitelisted(contract.javaClass)
+                    .withAttachmentStorage(storage)
+                    .withAttachmentsClassLoader(listOf(attachmentRef))
             serialized.deserialize(context = inboundContext)
         }
         assertEquals(attachmentRef, e.ids.single())

node-api/src/test/kotlin/net/corda/nodeapi/internal/serialization/CordaClassResolverTests.kt

@@ -5,9 +5,13 @@ import com.esotericsoftware.kryo.io.Input
 import com.esotericsoftware.kryo.io.Output
 import com.esotericsoftware.kryo.util.MapReferenceResolver
 import net.corda.core.node.services.AttachmentStorage
-import net.corda.core.serialization.*
+import net.corda.core.serialization.CordaSerializable
+import net.corda.core.serialization.SerializationContext
+import net.corda.core.serialization.SerializationFactory
+import net.corda.core.serialization.SerializedBytes
 import net.corda.core.utilities.ByteSequence
-import net.corda.nodeapi.AttachmentClassLoaderTests
+import net.corda.nodeapi.AttachmentsClassLoaderTests
+import net.corda.nodeapi.internal.AttachmentsClassLoader
 import net.corda.testing.node.MockAttachmentStorage
 import org.junit.Rule
 import org.junit.Test
@@ -156,7 +160,7 @@ class CordaClassResolverTests {
         CordaClassResolver(emptyWhitelistContext).getRegistration(DefaultSerializable::class.java)
     }
 
-    private fun importJar(storage: AttachmentStorage) = AttachmentClassLoaderTests.ISOLATED_CONTRACTS_JAR_PATH.openStream().use { storage.importAttachment(it) }
+    private fun importJar(storage: AttachmentStorage) = AttachmentsClassLoaderTests.ISOLATED_CONTRACTS_JAR_PATH.openStream().use { storage.importAttachment(it) }
 
     @Test(expected = KryoException::class)
     fun `Annotation does not work in conjunction with AttachmentClassLoader annotation`() {