Improve FactoryFinder Validation

Also modernizes with generics and adds improved testing

Author: cshannon

activemq-broker/src/main/java/org/apache/activemq/broker/BrokerFactory.java

@@ -31,14 +31,15 @@
  */
 public final class BrokerFactory {
 
-    private static final FactoryFinder BROKER_FACTORY_HANDLER_FINDER = new FactoryFinder("META-INF/services/org/apache/activemq/broker/");
+    private static final FactoryFinder<BrokerFactoryHandler> BROKER_FACTORY_HANDLER_FINDER
+            = new FactoryFinder<>("META-INF/services/org/apache/activemq/broker/", BrokerFactoryHandler.class);
 
     private BrokerFactory() {        
     }
 
     public static BrokerFactoryHandler createBrokerFactoryHandler(String type) throws IOException {
         try {
-            return (BrokerFactoryHandler)BROKER_FACTORY_HANDLER_FINDER.newInstance(type);
+            return BROKER_FACTORY_HANDLER_FINDER.newInstance(type);
         } catch (Throwable e) {
             throw IOExceptionSupport.create("Could not load " + type + " factory:" + e, e);
         }

activemq-broker/src/main/java/org/apache/activemq/broker/region/group/GroupFactoryFinder.java

@@ -25,7 +25,8 @@
 import org.apache.activemq.util.URISupport;
 
 public class GroupFactoryFinder {
-    private static final FactoryFinder GROUP_FACTORY_FINDER = new FactoryFinder("META-INF/services/org/apache/activemq/groups/");
+    private static final FactoryFinder<MessageGroupMapFactory> GROUP_FACTORY_FINDER =
+            new FactoryFinder<>("META-INF/services/org/apache/activemq/groups/", MessageGroupMapFactory.class);
 
     private GroupFactoryFinder() {
     }
@@ -40,7 +41,7 @@ public static MessageGroupMapFactory createMessageGroupMapFactory(String type) t
                 factoryType = factoryType.substring(0,p);
                 properties = URISupport.parseQuery(propertiesString);
             }
-            MessageGroupMapFactory result =  (MessageGroupMapFactory)GROUP_FACTORY_FINDER.newInstance(factoryType);
+            MessageGroupMapFactory result = GROUP_FACTORY_FINDER.newInstance(factoryType);
             if (properties != null && result != null){
                 IntrospectionSupport.setProperties(result,properties);
             }

activemq-broker/src/main/java/org/apache/activemq/transport/auto/AutoTcpTransportServer.java

@@ -80,15 +80,17 @@ public class AutoTcpTransportServer extends TcpTransportServer {
     protected int maxConnectionThreadPoolSize = Integer.MAX_VALUE;
     protected int protocolDetectionTimeOut = 30000;
 
-    private static final FactoryFinder TRANSPORT_FACTORY_FINDER = new FactoryFinder("META-INF/services/org/apache/activemq/transport/");
+    private static final FactoryFinder<TransportFactory> TRANSPORT_FACTORY_FINDER =
+            new FactoryFinder<>("META-INF/services/org/apache/activemq/transport/", TransportFactory.class);
     private final ConcurrentMap<String, TransportFactory> transportFactories = new ConcurrentHashMap<String, TransportFactory>();
 
-    private static final FactoryFinder WIREFORMAT_FACTORY_FINDER = new FactoryFinder("META-INF/services/org/apache/activemq/wireformat/");
+    private static final FactoryFinder<WireFormatFactory> WIREFORMAT_FACTORY_FINDER =
+            new FactoryFinder<>("META-INF/services/org/apache/activemq/wireformat/", WireFormatFactory.class);
 
     public WireFormatFactory findWireFormatFactory(String scheme, Map<String, Map<String, Object>> options) throws IOException {
         WireFormatFactory wff = null;
         try {
-            wff = (WireFormatFactory)WIREFORMAT_FACTORY_FINDER.newInstance(scheme);
+            wff = WIREFORMAT_FACTORY_FINDER.newInstance(scheme);
             if (options != null) {
                 final Map<String, Object> wfOptions = new HashMap<>();
                 if (options.get(AutoTransportUtils.ALL) != null) {
@@ -117,7 +119,7 @@ public TransportFactory findTransportFactory(String scheme, Map<String, ?> optio
         if (tf == null) {
             // Try to load if from a META-INF property.
             try {
-                tf = (TransportFactory)TRANSPORT_FACTORY_FINDER.newInstance(scheme);
+                tf = TRANSPORT_FACTORY_FINDER.newInstance(scheme);
                 if (options != null) {
                     IntrospectionSupport.setProperties(tf, options);
                 }

activemq-broker/src/main/java/org/apache/activemq/util/osgi/Activator.java

@@ -172,7 +172,15 @@ protected void unregister(long bundleId) {
     // ================================================================
 
     @Override
-    public Object create(String path) throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
+    public Object create(String path)
+            throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
+        throw new UnsupportedOperationException("Create is not supported without requiredType and allowed impls");
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public <T> T create(String path, Class<T> requiredType, Set<Class<? extends T>> allowedImpls)
+            throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
         Class<?> clazz = serviceCache.get(path);
         if (clazz == null) {
             StringBuilder warnings = new StringBuilder();
@@ -199,6 +207,10 @@ public Object create(String path) throws IllegalAccessException, InstantiationEx
                     continue;
                 }
 
+                // no reason to cache if invalid so validate before caching
+                // the class inside of serviceCache
+                FactoryFinder.validateClass(clazz, requiredType, allowedImpls);
+
                 // Yay.. the class was found.  Now cache it.
                 serviceCache.put(path, clazz);
                 wrapper.cachedServices.add(path);
@@ -214,10 +226,17 @@ public Object create(String path) throws IllegalAccessException, InstantiationEx
                 }
                 throw new IOException(msg);
             }
+        } else {
+            // Validate again (even for previously cached classes) in case
+            // a path is re-used with a different requiredType.
+            // This object factory is shared by all factory finder instances, so it would be
+            // possible (although probably a mistake) to use the same
+            // path again with a different requiredType in a different FactoryFinder
+            FactoryFinder.validateClass(clazz, requiredType, allowedImpls);
         }
 
         try {
-            return clazz.getConstructor().newInstance();
+            return (T) clazz.getConstructor().newInstance();
         } catch (InvocationTargetException | NoSuchMethodException e) {
         	throw new InstantiationException(e.getMessage());
         }

activemq-client/src/main/java/org/apache/activemq/transport/TransportFactory.java

@@ -36,8 +36,10 @@
 
 public abstract class TransportFactory {
 
-    private static final FactoryFinder TRANSPORT_FACTORY_FINDER = new FactoryFinder("META-INF/services/org/apache/activemq/transport/");
-    private static final FactoryFinder WIREFORMAT_FACTORY_FINDER = new FactoryFinder("META-INF/services/org/apache/activemq/wireformat/");
+    private static final FactoryFinder<TransportFactory> TRANSPORT_FACTORY_FINDER
+            = new FactoryFinder<>("META-INF/services/org/apache/activemq/transport/", TransportFactory.class);
+    private static final FactoryFinder<WireFormatFactory> WIREFORMAT_FACTORY_FINDER
+            = new FactoryFinder<>("META-INF/services/org/apache/activemq/wireformat/", WireFormatFactory.class);
     private static final ConcurrentMap<String, TransportFactory> TRANSPORT_FACTORYS = new ConcurrentHashMap<String, TransportFactory>();
 
     private static final String WRITE_TIMEOUT_FILTER = "soWriteTimeout";
@@ -179,7 +181,7 @@ public static TransportFactory findTransportFactory(URI location) throws IOExcep
         if (tf == null) {
             // Try to load if from a META-INF property.
             try {
-                tf = (TransportFactory)TRANSPORT_FACTORY_FINDER.newInstance(scheme);
+                tf = TRANSPORT_FACTORY_FINDER.newInstance(scheme);
                 TRANSPORT_FACTORYS.put(scheme, tf);
             } catch (Throwable e) {
                 throw IOExceptionSupport.create("Transport scheme NOT recognized: [" + scheme + "]", e);
@@ -201,7 +203,7 @@ protected WireFormatFactory createWireFormatFactory(Map<String, String> options)
         }
 
         try {
-            WireFormatFactory wff = (WireFormatFactory)WIREFORMAT_FACTORY_FINDER.newInstance(wireFormat);
+            WireFormatFactory wff = WIREFORMAT_FACTORY_FINDER.newInstance(wireFormat);
             IntrospectionSupport.setProperties(wff, options, "wireFormat.");
             return wff;
         } catch (Throwable e) {

activemq-client/src/main/java/org/apache/activemq/transport/discovery/DiscoveryAgentFactory.java

@@ -26,7 +26,8 @@
 
 public abstract class DiscoveryAgentFactory {
 
-    private static final FactoryFinder DISCOVERY_AGENT_FINDER = new FactoryFinder("META-INF/services/org/apache/activemq/transport/discoveryagent/");
+    private static final FactoryFinder<DiscoveryAgentFactory> DISCOVERY_AGENT_FINDER =
+            new FactoryFinder<>("META-INF/services/org/apache/activemq/transport/discoveryagent/", DiscoveryAgentFactory.class);
     private static final ConcurrentMap<String, DiscoveryAgentFactory> DISCOVERY_AGENT_FACTORYS = new ConcurrentHashMap<String, DiscoveryAgentFactory>();
 
     /**
@@ -43,7 +44,7 @@ private static DiscoveryAgentFactory findDiscoveryAgentFactory(URI uri) throws I
         if (daf == null) {
             // Try to load if from a META-INF property.
             try {
-                daf = (DiscoveryAgentFactory)DISCOVERY_AGENT_FINDER.newInstance(scheme);
+                daf = DISCOVERY_AGENT_FINDER.newInstance(scheme);
                 DISCOVERY_AGENT_FACTORYS.put(scheme, daf);
             } catch (Throwable e) {
                 throw IOExceptionSupport.create("DiscoveryAgent scheme NOT recognized: [" + scheme + "]", e);

activemq-client/src/main/java/org/apache/activemq/util/FactoryFinder.java

@@ -20,14 +20,22 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.reflect.InvocationTargetException;
+import java.net.UnknownServiceException;
+import java.nio.file.Path;
+import java.security.Security;
+import java.util.Arrays;
+import java.util.Objects;
+import java.util.Optional;
 import java.util.Properties;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
+import java.util.stream.Collectors;
 
 /**
  *
  */
-public class FactoryFinder {
+public class FactoryFinder<T> {
 
     /**
      * The strategy that the FactoryFinder uses to find load and instantiate Objects
@@ -44,51 +52,54 @@ public interface ObjectFactory {
          * @param path the full service path
          * @return
          */
-        public Object create(String path) throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException;
+        Object create(String path) throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException;
 
+        @SuppressWarnings("unchecked")
+        default <T> T create(String path, Class<T> requiredType, Set<Class<? extends T>> allowedImpls)
+                throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
+            return (T) create(path);
+        }
     }
 
     /**
      * The default implementation of Object factory which works well in standalone applications.
      */
     protected static class StandaloneObjectFactory implements ObjectFactory {
-        final ConcurrentMap<String, Class> classMap = new ConcurrentHashMap<String, Class>();
+        final ConcurrentMap<String, Class<?>> classMap = new ConcurrentHashMap<>();
 
         @Override
-        public Object create(final String path) throws InstantiationException, IllegalAccessException, ClassNotFoundException, IOException {
-            Class clazz = classMap.get(path);
+        public Object create(final String path)
+                throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
+            throw new UnsupportedOperationException("Create is not supported without requiredType and allowed impls");
+        }
+
+        @SuppressWarnings("unchecked")
+        @Override
+        public <T> T create(String path, Class<T> requiredType, Set<Class<? extends T>> allowedImpls) throws InstantiationException, IllegalAccessException, ClassNotFoundException, IOException {
+            Class<?> clazz = classMap.get(path);
             if (clazz == null) {
                 clazz = loadClass(loadProperties(path));
+                // no reason to cache if invalid so validate before caching
+                validateClass(clazz, requiredType, allowedImpls);
                 classMap.put(path, clazz);
+            } else {
+                // Validate again (even for previously cached classes) in case
+                // a path is re-used with a different requiredType.
+                // This object factory is static and shared by all factory finder instances by default,
+                // so it would be possible (although probably a mistake) to use the same
+                // path again with a different requiredType in a different FactoryFinder
+                validateClass(clazz, requiredType, allowedImpls);
             }
-            
+
             try {
-               return clazz.getConstructor().newInstance();
+               return (T) clazz.getConstructor().newInstance();
             } catch (NoSuchMethodException | InvocationTargetException e) {
                throw new InstantiationException(e.getMessage());
             }
         }
 
-        static public Class loadClass(Properties properties) throws ClassNotFoundException, IOException {
-
-            String className = properties.getProperty("class");
-            if (className == null) {
-                throw new IOException("Expected property is missing: class");
-            }
-            Class clazz = null;
-            ClassLoader loader = Thread.currentThread().getContextClassLoader();
-            if (loader != null) {
-                try {
-                    clazz = loader.loadClass(className);
-                } catch (ClassNotFoundException e) {
-                    // ignore
-                }
-            }
-            if (clazz == null) {
-                clazz = FactoryFinder.class.getClassLoader().loadClass(className);
-            }
-
-            return clazz;
+        static Class<?> loadClass(Properties properties) throws ClassNotFoundException, IOException {
+            return FactoryFinder.loadClass(properties.getProperty("class"));
         }
 
         static public Properties loadProperties(String uri) throws IOException {
@@ -138,21 +149,114 @@ public static void setObjectFactory(ObjectFactory objectFactory) {
     // Instance methods and properties
     // ================================================================
     private final String path;
+    private final Class<T> requiredType;
+    private final Set<Class<? extends T>> allowedImpls;
+
+    public FactoryFinder(String path, Class<T> requiredType) {
+        this(path, requiredType, null);
+    }
 
-    public FactoryFinder(String path) {
-        this.path = path;
+    public FactoryFinder(String path, Class<T> requiredType, String allowedImpls) {
+        this.path = Objects.requireNonNull(path);
+        this.requiredType = Objects.requireNonNull(requiredType);
+        this.allowedImpls = loadAllowedImpls(requiredType, allowedImpls);
     }
 
+    @SuppressWarnings("unchecked")
+    private static <T> Set<Class<? extends T>> loadAllowedImpls(Class<T> requiredType, String allowedImpls) {
+        // If allowedImpls is either null or an asterisk (allow all wild card) then set to null so we don't filter
+        // If allowedImpls is only an empty string we return an empty set meaning allow none
+        // Otherwise split/trim all values
+        return allowedImpls != null && !allowedImpls.equals("*") ?
+            Arrays.stream(allowedImpls.split("\\s*,\\s*"))
+                .filter(s -> !s.isEmpty())
+                .map(s -> {
+                    try {
+                        final Class<?> clazz = FactoryFinder.loadClass(s);
+                        if (!requiredType.isAssignableFrom(clazz)) {
+                            throw new IllegalArgumentException(
+                                    "Class " + clazz + " is not assignable to " + requiredType);
+                        }
+                        return (Class<? extends T>)clazz;
+                    } catch (ClassNotFoundException | IOException e) {
+                        throw new IllegalArgumentException(e);
+                    }
+                }).collect(Collectors.toUnmodifiableSet()) : null;
+    }
+
+
     /**
      * Creates a new instance of the given key
      *
      * @param key is the key to add to the path to find a text file containing
      *                the factory name
      * @return a newly created instance
      */
-    public Object newInstance(String key) throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
-        return objectFactory.create(path+key);
+    public T newInstance(String key) throws IllegalAccessException, InstantiationException, IOException, ClassNotFoundException {
+        return objectFactory.create(resolvePath(key), requiredType, allowedImpls);
+    }
+
+    Set<Class<? extends T>> getAllowedImpls() {
+        return allowedImpls;
     }
 
+    Class<T> getRequiredType() {
+        return requiredType;
+    }
+
+    private String resolvePath(final String key) throws InstantiationException {
+        // Normalize the base path with the given key. This
+        // will resolve/remove any relative ".." sections of the path.
+        // Example: "/dir1/dir2/dir3/../file" becomes "/dir1/dir2/file"
+        final Path resolvedPath = Path.of(path).resolve(key).normalize();
+
+        // Validate the resoled path is still within the original defined
+        // root path and throw an error of it is not.
+        if (!resolvedPath.startsWith(path)) {
+            throw new InstantiationException("Provided key escapes the FactoryFinder configured directory");
+        }
+
+        return resolvedPath.toString();
+    }
+
+    public static String buildAllowedImpls(Class<?>...classes) {
+        return Arrays.stream(Objects.requireNonNull(classes, "List of allowed classes may not be null"))
+                .map(Class::getName).collect(Collectors.joining(","));
+    }
+
+    public static <T> void validateClass(Class<?> clazz, Class<T> requiredType,
+            Set<Class<? extends T>> allowedImpls) throws InstantiationException {
+        // Validate the loaded class is an allowed impl
+        if (allowedImpls != null && !allowedImpls.contains(clazz)) {
+            throw new InstantiationException("Class " + clazz + " is not an allowed implementation "
+                    + "of type " + requiredType);
+        }
+        // Validate the loaded class is a subclass of the right type
+        // The allowedImpls may not be used so also check requiredType. Even if set
+        // generics can be erased and this is an extra safety check
+        if (!requiredType.isAssignableFrom(clazz)) {
+            throw new InstantiationException("Class " + clazz + " is not assignable to " + requiredType);
+        }
+    }
+
+    static Class<?> loadClass(String className) throws ClassNotFoundException, IOException {
+        if (className == null) {
+            throw new IOException("Expected property is missing: class");
+        }
+        Class<?> clazz = null;
+        ClassLoader loader = Thread.currentThread().getContextClassLoader();
+        if (loader != null) {
+            try {
+                clazz = loader.loadClass(className);
+            } catch (ClassNotFoundException e) {
+                // ignore
+            }
+        }
+        if (clazz == null) {
+            clazz = FactoryFinder.class.getClassLoader().loadClass(className);
+        }
+
+        return clazz;
+    }
 
 }