Skip to content

Commit

Permalink
Merge pull request #70 from KostasTsiounis/block_properties
Browse files Browse the repository at this point in the history
Block all properties that can be set by profile
  • Loading branch information
keithc-ca authored Nov 6, 2024
2 parents 1abde43 + 58dc8bf commit 3317f54
Showing 1 changed file with 10 additions and 10 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -404,8 +404,8 @@ private static void checkFIPSCompatibility() {
/**
* Check whether a security property can be set.
*
* A security property that is set by a RestrictedSecurity profile,
* while FIPS security mode is enabled, cannot be reset programmatically.
* A security property that is FIPS-related and can be set by a RestrictedSecurity
* profile, while FIPS security mode is enabled, cannot be reset programmatically.
*
* Every time an attempt to set a security property is made, a check is
* performed. If the above scenario holds true, a SecurityException is
Expand All @@ -426,7 +426,7 @@ public static void checkSetSecurityProperty(String key) {
}

/*
* Only disallow setting of security properties that are set by the active profile,
* Only disallow setting of security properties that are FIPS-related,
* if FIPS has been enabled.
*
* Allow any change, if the 'semeru.fips.allowsetproperties' flag is set to true.
Expand All @@ -438,8 +438,8 @@ public static void checkSetSecurityProperty(String key) {
+ "properties to be set, use '-Dsemeru.fips.allowsetproperties=true'.");
debug.println("BEWARE: You might not be FIPS compliant if you select to override!");
}
throw new SecurityException("FIPS mode: User-specified '" + key
+ "' cannot override profile definition.");
throw new SecurityException("Property '" + key
+ "' cannot be set programmatically when in FIPS mode");
}

if (debug != null) {
Expand Down Expand Up @@ -556,15 +556,15 @@ private static void setProperties(Properties props) {
printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
}

if (userEnabledFIPS && !allowSetProperties) {
// Add all properties that cannot be modified.
unmodifiableProperties.addAll(propsMapping.keySet());
}

for (Map.Entry<String, String> entry : propsMapping.entrySet()) {
String jdkPropsName = entry.getKey();
String propsNewValue = entry.getValue();

if ((propsNewValue != null) && userEnabledFIPS && !allowSetProperties) {
// Add to set of properties set by the active profile.
unmodifiableProperties.add(jdkPropsName);
}

if (!isNullOrBlank(propsNewValue)) {
props.setProperty(jdkPropsName, propsNewValue);
if (debug != null) {
Expand Down

0 comments on commit 3317f54

Please sign in to comment.