codice / acdebugger

Purpose-built debugger for determining missing OSGi bundle security permissions
Apache License 2.0

Added cli parser #16

Closed oconnormi closed 6 years ago

oconnormi commented 6 years ago

Description of the Change

This change replaces the manual string parsing with a CLI parsing library. The command line options have been updated to include both long and short options. All short flags can be combined for more concise command usage, for example: <command> -acsgw would be equivalent to <command> --admin --continuous --service --grant --wait. Additionally, a single optional argument could be included as the last option in a list of short options, for example: <command> -acsgwH some.host would be equivalent to: <command> --admin --continuous --service --grant --wait --host some.host. Help text has been added for all options, and a --help or -h option is now included:

Usage: acdebugger [-acdghsVw] [--wait-timeout=<timeout>] [-H=<host>]      
                  [-p=<port>] [-t=<transport>]
Purpose-built debugger for determining missing OSGi bundle security permissions.
      --wait-timeout=<timeout>
                      Only applies when the '--wait' option is used. Sets the
                        maximum number of minutes to wait. (default: 10)
  -a, --admin         Indicates the tool is being run for an admin. In such cases,
                        the analysis won't be as extensive since an administrator
                        wouldn't be able to modify the code for example. At the
                        moment, it disables analyzing solutions that involve
                        extending privileges in bundles using doPrivileged() blocks.
                        In the above example, only the second solution would have
                        been reported if this option had been provided. As such,
                        this option should not be used by developers.
  -c, --continuous    Specifies to run in continuous mode where the debugger will
                        tell the VM not to fail on any security failures detected
                        and report on all failures found.
  -d, --dump          Additional information about detected security failures such
                        as stack traces and bundle information will be printed along
                        with solutions.
  -g, --grant         When specified, the debugger will use the backdoor and a
                        registered ServicePermission service to temporarily grant
                        permissions for detected security failures which after
                        analysis yields a single solution. This is only temporary
                        and will not survive a restart of the VM but will prevent
                        any further failures that would otherwise not be if the
                        permission(s) were defined. It also tends to slow down the
                        system since the OSGi permission cache ends up being cleared
                        each time.
  -h, --help          Show this help message and exit.
  -H, --host=<host>   Specifies the host or IP where the VM to attach to is located.
                        (default: localhost)
  -p, --port=<port>   Specifies the port number the VM is awaiting debuggers to
                        connect to. (default:5005)
  -s, --service       Specifies that a breakpoint should be added in Eclipse's
                        Service Registry to detect internal security checks done for
                        given bundles before dispatching service events. These
                        failures are analyzed and reported as normal security check
                        failures. This option tends to slow down the system a bit as
                        the debugger is invoked for all checks and not just when a
                        failure is about to be reported.
  -t, --transport=<transport>
                      Specifies the transport to use when connecting to the VM.
                        (default: dt_socket)
  -V, --version       Print version information and exit.
  -w, --wait          Indicates to wait for a connection. To specify the timeout
                        value use with the '--wait-timeout' option.

Alternate Designs

Benefits

Better command line parsing, self-documenting CLI options.

Possible Drawbacks

Verification Process

Applicable Issues

Fixes: #7

Remaining Tasks

oconnormi commented 6 years ago

@paouelle should be all set now