Record Class SecurityPolicy

java.lang.Object
java.lang.Record
cloud.opencode.base.expression.sandbox.SecurityPolicy
Record Components:
allowedClasses - the set of allowed class names
deniedClasses - the set of denied class names
allowedMethods - the set of allowed method names
deniedMethods - the set of denied method names
allowedFunctions - the set of allowed function names
deniedFunctions - the set of denied function names
timeoutMillis - the maximum execution time in milliseconds
maxIterations - the maximum number of iterations
maxExpressionLength - the maximum expression length

public record SecurityPolicy(Set<Class<?>> allowedClasses, Set<String> deniedClasses, Set<String> allowedMethods, Set<String> deniedMethods, Set<String> allowedFunctions, Set<String> deniedFunctions, long timeoutMillis, int maxIterations, int maxExpressionLength) extends Record
Security Policy

Defines security constraints for expression evaluation, including allowed classes, methods, timeout limits, and iteration limits.

Features:

  • Class, method, and function allow/deny lists
  • Timeout, iteration, and expression length limits
  • Preset policies: strict and lenient
  • Builder pattern for custom policies

Usage Examples:

// Use strict policy
SecurityPolicy policy = SecurityPolicy.strict();
boolean allowed = policy.isClassAllowed(String.class);  // true
boolean denied = policy.isMethodAllowed("getClass");  // false

// Custom policy
SecurityPolicy custom = SecurityPolicy.builder()
    .allowClass(String.class, Integer.class)
    .denyMethod("getClass", "forName")
    .timeout(10000)
    .build();

Security:

  • Thread-safe: Yes, immutable record
  • Null-safe: Yes, a null class returns false
  • Deny takes priority over allow
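
The following pre-evaluation check is an added example, not code from the library. It uses only the constructor, accessors and `is…Allowed` methods documented on this page to show the deny-over-allow rule with a method name placed on both lists. `PolicyGate`, `violations`, the function name `abs`, the sample expressions and the pre-extracted name sets are assumptions made for illustration.

```java
import cloud.opencode.base.expression.sandbox.SecurityPolicy;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration: PolicyGate and its inputs are hypothetical, not part of the library.
public final class PolicyGate {
    /** Returns the reasons a candidate expression fails the policy (empty list = passes). */
    static List<String> violations(SecurityPolicy policy, String source,
            Set<Class<?>> classes, Set<String> methods, Set<String> functions) {
        List<String> out = new ArrayList<>();
        // Assumption: the limit is compared against the source length in chars.
        if (source.length() > policy.maxExpressionLength()) {
            out.add("expression longer than " + policy.maxExpressionLength());
        }
        for (Class<?> c : classes) {
            if (!policy.isClassAllowed(c)) out.add("class " + c.getName());
        }
        for (String m : methods) {
            if (!policy.isMethodAllowed(m)) out.add("method " + m);
        }
        for (String f : functions) {
            if (!policy.isFunctionAllowed(f)) out.add("function " + f);
        }
        return out;
    }

    public static void main(String[] args) {
        // Canonical constructor, arguments in record-component order.
        // "getClass" is deliberately on both method lists; the documented
        // rule "deny takes priority over allow" decides the outcome.
        SecurityPolicy policy = new SecurityPolicy(
                Set.of(String.class),          // allowedClasses
                Set.of(),                      // deniedClasses
                Set.of("length", "getClass"),  // allowedMethods
                Set.of("getClass"),            // deniedMethods
                Set.of("abs"),                 // allowedFunctions (constructed name)
                Set.of(),                      // deniedFunctions
                1_000L, 100, 64);              // timeoutMillis, maxIterations, maxExpressionLength
        // Constructed inputs: names a caller's own parser would have extracted.
        List<String> reflective = violations(policy, "name.getClass()",
                Set.of(String.class), Set.of("getClass"), Set.of());
        System.out.println("name.getClass(): " + reflective);
        List<String> plain = violations(policy, "name.length()",
                Set.of(String.class), Set.of("length"), Set.of());
        System.out.println("name.length():   " + plain);
    }
}
```

Collecting every violation instead of stopping at the first gives a complete record of why an expression was rejected, which is useful when rejected expressions are logged for review.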
Since:
JDK 25, opencode-base-expression V1.0.0
Author:
Leon Soo www.LeonSoo.com
  • Constructor Details

    • SecurityPolicy

      public SecurityPolicy(Set<Class<?>> allowedClasses, Set<String> deniedClasses, Set<String> allowedMethods, Set<String> deniedMethods, Set<String> allowedFunctions, Set<String> deniedFunctions, long timeoutMillis, int maxIterations, int maxExpressionLength)
      Creates an instance of a SecurityPolicy record class.
      Parameters:
      allowedClasses - the value for the allowedClasses record component
      deniedClasses - the value for the deniedClasses record component
      allowedMethods - the value for the allowedMethods record component
      deniedMethods - the value for the deniedMethods record component
      allowedFunctions - the value for the allowedFunctions record component
      deniedFunctions - the value for the deniedFunctions record component
      timeoutMillis - the value for the timeoutMillis record component
      maxIterations - the value for the maxIterations record component
      maxExpressionLength - the value for the maxExpressionLength record component
  • Method Details

    • strict

      public static SecurityPolicy strict()
      Creates a strict security policy.

      Only allows basic types and common operations.

      Returns:
      the strict policy
    • lenient

      public static SecurityPolicy lenient()
      Creates a lenient security policy.

      Allows most operations with minimal restrictions.

      Returns:
      the lenient policy
    • builder

      public static SecurityPolicy.Builder builder()
      Creates a custom security policy using a builder.
      Returns:
      the builder
    • isClassAllowed

      public boolean isClassAllowed(Class<?> clazz)
      Checks whether a class is allowed.
      Parameters:
      clazz - the class
      Returns:
      true if allowed
    • isMethodAllowed

      public boolean isMethodAllowed(String methodName)
      Checks whether a method is allowed.
      Parameters:
      methodName - the method name
      Returns:
      true if allowed
    • isFunctionAllowed

      public boolean isFunctionAllowed(String functionName)
      Checks whether a function is allowed.
      Parameters:
      functionName - the function name
      Returns:
      true if allowed
    • toString

      public final String toString()
      Returns a string representation of this record class. The representation contains the name of the class, followed by the name and value of each of the record components.
      Specified by:
      toString in class Record
      Returns:
      a string representation of this object
    • hashCode

      public final int hashCode()
      Returns a hash code value for this object. The value is derived from the hash code of each of the record components.
      Specified by:
      hashCode in class Record
      Returns:
      a hash code value for this object
    • equals

      public final boolean equals(Object o)
      Indicates whether some other object is "equal to" this one. The objects are equal if the other object is of the same class and if all the record components are equal. Reference components are compared with Objects::equals(Object,Object); primitive components are compared with the compare method from their corresponding wrapper classes.
      Specified by:
      equals in class Record
      Parameters:
      o - the object with which to compare
      Returns:
      true if this object is the same as the o argument; false otherwise.
    • allowedClasses

      public Set<Class<?>> allowedClasses()
      Returns the value of the allowedClasses record component.
      Returns:
      the value of the allowedClasses record component
    • deniedClasses

      public Set<String> deniedClasses()
      Returns the value of the deniedClasses record component.
      Returns:
      the value of the deniedClasses record component
    • allowedMethods

      public Set<String> allowedMethods()
      Returns the value of the allowedMethods record component.
      Returns:
      the value of the allowedMethods record component
    • deniedMethods

      public Set<String> deniedMethods()
      Returns the value of the deniedMethods record component.
      Returns:
      the value of the deniedMethods record component
    • allowedFunctions

      public Set<String> allowedFunctions()
      Returns the value of the allowedFunctions record component.
      Returns:
      the value of the allowedFunctions record component
    • deniedFunctions

      public Set<String> deniedFunctions()
      Returns the value of the deniedFunctions record component.
      Returns:
      the value of the deniedFunctions record component
    • timeoutMillis

      public long timeoutMillis()
      Returns the value of the timeoutMillis record component.
      Returns:
      the value of the timeoutMillis record component
    • maxIterations

      public int maxIterations()
      Returns the value of the maxIterations record component.
      Returns:
      the value of the maxIterations record component
    • maxExpressionLength

      public int maxExpressionLength()
      Returns the value of the maxExpressionLength record component.
      Returns:
      the value of the maxExpressionLength record component