1   /*
2    * Portions of this software was developed by employees of the National Institute
3    * of Standards and Technology (NIST), an agency of the Federal Government and is
4    * being made available as a public service. Pursuant to title 17 United States
5    * Code Section 105, works of NIST employees are not subject to copyright
6    * protection in the United States. This software may be subject to foreign
7    * copyright. Permission in the United States and in foreign countries, to the
8    * extent that NIST may hold copyright, to use, copy, modify, create derivative
9    * works, and distribute this software and its documentation without fee is hereby
10   * granted on a non-exclusive basis, provided that this notice and disclaimer
11   * of warranty appears in all copies.
12   *
13   * THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER
14   * EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY
15   * THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF
16   * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM
17   * INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE
18   * SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE.  IN NO EVENT
19   * SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT,
20   * INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM,
21   * OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY,
22   * CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR
23   * PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT
24   * OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER.
25   */
26  
27  package gov.nist.secauto.metaschema.core.model.xml;
28  
29  import gov.nist.secauto.metaschema.core.model.IModule;
30  import gov.nist.secauto.metaschema.core.model.MetaschemaException;
31  import gov.nist.secauto.metaschema.core.model.constraint.IConstraintSet;
32  import gov.nist.secauto.metaschema.core.model.xml.xmlbeans.METASCHEMADocument;
33  import gov.nist.secauto.metaschema.core.model.xml.xmlbeans.MetaschemaImportType;
34  import gov.nist.secauto.metaschema.core.util.CollectionUtil;
35  import gov.nist.secauto.metaschema.core.util.ObjectUtils;
36  
37  import org.apache.xmlbeans.XmlException;
38  import org.apache.xmlbeans.XmlOptions;
39  import org.xml.sax.EntityResolver;
40  import org.xml.sax.InputSource;
41  import org.xml.sax.SAXException;
42  import org.xml.sax.XMLReader;
43  
44  import java.io.IOException;
45  import java.net.URI;
46  import java.util.ArrayList;
47  import java.util.Collection;
48  import java.util.Collections;
49  import java.util.Deque;
50  import java.util.LinkedHashMap;
51  import java.util.List;
52  import java.util.Map;
53  import java.util.Set;
54  
55  import javax.xml.XMLConstants;
56  import javax.xml.parsers.ParserConfigurationException;
57  import javax.xml.parsers.SAXParser;
58  import javax.xml.parsers.SAXParserFactory;
59  
60  import edu.umd.cs.findbugs.annotations.NonNull;
61  
62  /**
63   * Provides methods to load a Metaschema expressed in XML.
64   * <p>
65   * Loaded Metaschema instances are cached to avoid the need to load them for
66   * every use. Any Metaschema imported is also loaded and cached automatically.
67   */
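public class ModuleLoader
    extends AbstractLoader<IModule> {
  /**
   * A doubled scheme prefix that has been observed on system identifiers passed
   * to the entity resolver; it is stripped before the identifier is resolved.
   */
  private static final String DOUBLED_FILE_SCHEME = "file://file://";

  // Opt-in switch for DTD and external entity handling. It is only ever set to
  // true (see allowEntityResolution()); nothing in this class resets it.
  private boolean resolveEntities; // = false;

  @NonNull
  private final Set<IConstraintSet> registeredConstraintSets;

  /**
   * Construct a new Metaschema loader with no additional constraint sets.
   */
  public ModuleLoader() {
    this(CollectionUtil.emptySet());
  }

  /**
   * Construct a new Metaschema loader, which will incorporate the additional
   * provided constraints into matching loaded definitions.
   *
   * @param additionalConstraintSets
   *          additional constraints to associate with loaded definitions
   */
  public ModuleLoader(@NonNull Set<IConstraintSet> additionalConstraintSets) {
    this.registeredConstraintSets = CollectionUtil.unmodifiableSet(additionalConstraintSets);
  }

  /**
   * Get the set of additional constraints associated with this loader.
   *
   * @return the set of constraints
   */
  @NonNull
  protected Set<IConstraintSet> getRegisteredConstraintSets() {
    return registeredConstraintSets;
  }

  /**
   * Enable a mode that allows XML entity resolution. This may be needed to parse
   * some resource files that contain entities.
   * <p>
   * Enabling entity resolution is less secure and requires trust in the resource
   * content being parsed. With this mode on, {@link #parseModule(URI)} permits
   * DOCTYPE declarations, turns on external general and parameter entities, and
   * resolves entity system identifiers relative to the module being parsed. Use
   * it only for modules, and the DTD and entity files they reference, that come
   * from a trusted location.
   * <p>
   * This class provides no method to turn the mode back off, so it stays enabled
   * for every later load performed through the same loader instance.
   */
  public void allowEntityResolution() {
    resolveEntities = true;
  }

  /**
   * Parse the {@code resource} based on the provided {@code xmlObject}.
   *
   * @param resource
   *          the URI of the resource being parsed
   * @param xmlObject
   *          the XML beans object to parse
   * @param importedModules
   *          previously parsed Metaschema modules imported by the provided
   *          {@code resource}
   * @return the parsed resource as a Metaschema module
   * @throws MetaschemaException
   *           if an error occurred while parsing the XML beans object
   */
  protected IModule newXmlMetaschema(
      @NonNull URI resource,
      @NonNull METASCHEMADocument xmlObject,
      @NonNull List<IModule> importedModules) throws MetaschemaException {
    IModule retval = new XmlModule(resource, xmlObject, importedModules);

    // attach the constraint sets registered with this loader to the new module
    IConstraintSet.applyConstraintSetToModule(getRegisteredConstraintSets(), retval);

    return retval;
  }

  /**
   * Parse the module at {@code resource}, load every module it imports, and
   * build the resulting module.
   * <p>
   * Each import's {@code href} is read from the document and resolved against
   * {@code resource} before being handed to {@code loadInternal}.
   *
   * @param resource
   *          the URI of the module to parse
   * @param visitedResources
   *          passed through unchanged to {@code loadInternal} for each import
   * @return the parsed module
   * @throws IOException
   *           if the module or one of its imports cannot be parsed, or if an
   *           import's {@code href} is not a valid URI
   */
  @Override
  protected IModule parseResource(@NonNull URI resource, @NonNull Deque<URI> visitedResources)
      throws IOException {
    // parse this Metaschema module
    METASCHEMADocument xmlObject = parseModule(resource);

    // now check if this Metaschema imports other metaschema
    int size = xmlObject.getMETASCHEMA().sizeOfImportArray();
    @NonNull Map<URI, IModule> importedModules;
    if (size == 0) {
      importedModules = ObjectUtils.notNull(Collections.emptyMap());
    } else {
      try {
        // LinkedHashMap keeps the imports in document order
        importedModules = new LinkedHashMap<>();
        for (MetaschemaImportType imported : xmlObject.getMETASCHEMA().getImportList()) {
          String href = imported.getHref();
          URI importedResource;
          try {
            importedResource = URI.create(href);
          } catch (IllegalArgumentException ex) {
            // the href comes from the document; report a malformed value as a load
            // failure instead of letting an unchecked exception escape
            throw new IOException(
                String.format("Invalid import href '%s' in module '%s'.", href, resource), ex);
          }
          // NOTE(review): an absolute href replaces the base entirely, and no scheme
          // or location check is applied here before the URI reaches loadInternal.
          // When modules can come from untrusted sources, confirm what loadInternal
          // is willing to fetch.
          importedResource = ObjectUtils.notNull(resource.resolve(importedResource));
          importedModules.put(importedResource, loadInternal(importedResource, visitedResources));
        }
      } catch (MetaschemaException ex) {
        throw new IOException(ex);
      }
    }

    // now create this metaschema
    Collection<IModule> values = importedModules.values();
    try {
      return newXmlMetaschema(resource, xmlObject, new ArrayList<>(values));
    } catch (MetaschemaException ex) {
      throw new IOException(ex);
    }
  }

  /**
   * Parse the provided XML resource as a Metaschema module.
   * <p>
   * Unless {@link #allowEntityResolution()} has been called, the resource is
   * parsed with a fresh {@link XmlOptions} carrying only the base URI and line
   * number settings. When entity resolution is allowed, a SAX reader is
   * configured to accept DOCTYPE declarations and external entities, and entity
   * system identifiers are resolved relative to {@code resource}.
   *
   * @param resource
   *          the resource to parse
   * @return the XMLBeans representation of the Metaschema module
   * @throws IOException
   *           if a parsing error occurred
   */
  protected METASCHEMADocument parseModule(@NonNull URI resource) throws IOException {
    METASCHEMADocument metaschemaXml;
    try {
      XmlOptions options = new XmlOptions();
      if (resolveEntities) {
        SAXParserFactory factory = SAXParserFactory.newInstance();

        try {
          // Secure processing is not set explicitly, so the factory's default applies.
          // factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
          // permit DOCTYPE declarations and both kinds of external entities
          factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
          factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
          factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
          SAXParser parser = factory.newSAXParser();
          // JAXP limit on the protocols usable for external DTDs and entity references:
          // local files only
          parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "file"); // ,jar:file
          XMLReader reader = parser.getXMLReader();
          reader.setEntityResolver(new EntityResolver() {

            @Override
            public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
              // null asks the parser to open the system identifier itself
              return null;
            }

          });
          options.setLoadUseXMLReader(reader);
        } catch (SAXException | ParserConfigurationException ex) {
          throw new IOException(ex);
        }
        // No explicit entity size limit is configured; the call below is left disabled.
        // options.setLoadEntityBytesLimit(204800);
        // options.setLoadUseDefaultResolver();
        // NOTE(review): two resolvers are registered (one on the reader above, one on
        // the options here). Confirm which one XMLBeans consults when a custom
        // XMLReader is supplied, and whether the ACCESS_EXTERNAL_DTD restriction still
        // applies to the InputSource returned below, since this resolver does not check
        // the scheme or location of the resolved URI itself.
        options.setEntityResolver(new EntityResolver() {

          @Override
          public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            String effectiveSystemId = systemId;
            // TODO: It's very odd that the system id looks like this. Need to investigate.
            if (effectiveSystemId.startsWith(DOUBLED_FILE_SCHEME)) {
              effectiveSystemId = effectiveSystemId.substring(DOUBLED_FILE_SCHEME.length());
            }
            URI resolvedSystemId;
            try {
              resolvedSystemId = resource.resolve(effectiveSystemId);
            } catch (IllegalArgumentException ex) {
              // the system identifier comes from the document; report a malformed value
              // as a parse failure instead of an unchecked exception
              throw new SAXException(
                  String.format("Invalid entity system identifier '%s'.", systemId), ex);
            }
            return new InputSource(resolvedSystemId.toString());
          }

        });
        options.setLoadDTDGrammar(true);
      }
      options.setBaseURI(resource);
      options.setLoadLineNumbers();
      metaschemaXml = METASCHEMADocument.Factory.parse(resource.toURL(), options);
    } catch (XmlException ex) {
      throw new IOException(ex);
    }
    return metaschemaXml;
  }

}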