Google Git
Sign in
android / platform / libcore / e6bac4b / . / ojluni / src / main / java / java / nio / file / SecureDirectoryStream.java
blob: 064618b86371f9db351fe838ccf467c8ae4f37bb [file] [log] [blame]
/*
* Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.nio.file;
import java.nio.file.attribute.*;
import java.nio.channels.SeekableByteChannel;
import java.util.Set;
import java.io.IOException;
/**
* A {@code DirectoryStream} that defines operations on files that are located
* relative to an open directory. A {@code SecureDirectoryStream} is intended
* for use by sophisticated or security sensitive applications requiring to
* traverse file trees or otherwise operate on directories in a race-free manner.
* Race conditions can arise when a sequence of file operations cannot be
* carried out in isolation. Each of the file operations defined by this
* interface specify a relative path. All access to the file is relative
* to the open directory irrespective of if the directory is moved or replaced
* by an attacker while the directory is open. A {@code SecureDirectoryStream}
* may also be used as a virtual <em>working directory</em>.
*
* <p> A {@code SecureDirectoryStream} requires corresponding support from the
* underlying operating system. Where an implementation supports this features
* then the {@code DirectoryStream} returned by the {@link Files#newDirectoryStream
* newDirectoryStream} method will be a {@code SecureDirectoryStream} and must
* be cast to that type in order to invoke the methods defined by this interface.
*
* <p> In the case of the default {@link java.nio.file.spi.FileSystemProvider
* provider}, and a security manager is set, then the permission checks are
* performed using the path obtained by resolving the given relative path
* against the <i>original path</i> of the directory (irrespective of if the
* directory is moved since it was opened).
*
* @since 1.7
*/
public interface SecureDirectoryStream<T>
extends DirectoryStream<T>
{
/**
* Opens the directory identified by the given path, returning a {@code
* SecureDirectoryStream} to iterate over the entries in the directory.
*
* <p> This method works in exactly the manner specified by the {@link
* Files#newDirectoryStream(Path) newDirectoryStream} method for the case that
* the {@code path} parameter is an {@link Path#isAbsolute absolute} path.
* When the parameter is a relative path then the directory to open is
* relative to this open directory. The {@link
* LinkOption#NOFOLLOW_LINKS NOFOLLOW_LINKS} option may be used to
* ensure that this method fails if the file is a symbolic link.
*
* <p> The new directory stream, once created, is not dependent upon the
* directory stream used to create it. Closing this directory stream has no
* effect upon newly created directory stream.
*
* @param path
* the path to the directory to open
* @param options
* options indicating how symbolic links are handled
*
* @return a new and open {@code SecureDirectoryStream} object
*
* @throws ClosedDirectoryStreamException
* if the directory stream is closed
* @throws NotDirectoryException
* if the file could not otherwise be opened because it is not
* a directory <i>(optional specific exception)</i>
* @throws IOException
* if an I/O error occurs
* @throws SecurityException
* In the case of the default provider, and a security manager is
* installed, the {@link SecurityManager#checkRead(String) checkRead}
* method is invoked to check read access to the directory.
*/
SecureDirectoryStream<T> newDirectoryStream(T path, LinkOption... options)
throws IOException;
/**
* Opens or creates a file in this directory, returning a seekable byte
* channel to access the file.
*
* <p> This method works in exactly the manner specified by the {@link
* Files#newByteChannel Files.newByteChannel} method for the
* case that the {@code path} parameter is an {@link Path#isAbsolute absolute}
* path. When the parameter is a relative path then the file to open or
* create is relative to this open directory. In addition to the options
* defined by the {@code Files.newByteChannel} method, the {@link
* LinkOption#NOFOLLOW_LINKS NOFOLLOW_LINKS} option may be used to
* ensure that this method fails if the file is a symbolic link.
*
* <p> The channel, once created, is not dependent upon the directory stream
* used to create it. Closing this directory stream has no effect upon the
* channel.
*
* @param path
* the path of the file to open open or create
* @param options
* options specifying how the file is opened
* @param attrs
* an optional list of attributes to set atomically when creating
* the file
*
* @return the seekable byte channel
*
* @throws ClosedDirectoryStreamException
* if the directory stream is closed
* @throws IllegalArgumentException
* if the set contains an invalid combination of options
* @throws UnsupportedOperationException
* if an unsupported open option is specified or the array contains
* attributes that cannot be set atomically when creating the file
* @throws FileAlreadyExistsException
* if a file of that name already exists and the {@link
* StandardOpenOption#CREATE_NEW CREATE_NEW} option is specified
* <i>(optional specific exception)</i>
* @throws IOException
* if an I/O error occurs
* @throws SecurityException
* In the case of the default provider, and a security manager is
* installed, the {@link SecurityManager#checkRead(String) checkRead}
* method is invoked to check read access to the path if the file
* is opened for reading. The {@link SecurityManager#checkWrite(String)
* checkWrite} method is invoked to check write access to the path
* if the file is opened for writing.
*/
SeekableByteChannel newByteChannel(T path,
Set<? extends OpenOption> options,
FileAttribute<?>... attrs)
throws IOException;
/**
* Deletes a file.
*
* <p> Unlike the {@link Files#delete delete()} method, this method does
* not first examine the file to determine if the file is a directory.
* Whether a directory is deleted by this method is system dependent and
* therefore not specified. If the file is a symbolic link, then the link
* itself, not the final target of the link, is deleted. When the
* parameter is a relative path then the file to delete is relative to
* this open directory.
*
* @param path
* the path of the file to delete
*
* @throws ClosedDirectoryStreamException
* if the directory stream is closed
* @throws NoSuchFileException
* if the file does not exist <i>(optional specific exception)</i>
* @throws IOException
* if an I/O error occurs
* @throws SecurityException
* In the case of the default provider, and a security manager is
* installed, the {@link SecurityManager#checkDelete(String) checkDelete}
* method is invoked to check delete access to the file
*/
void deleteFile(T path) throws IOException;
/**
* Deletes a directory.
*
* <p> Unlike the {@link Files#delete delete()} method, this method
* does not first examine the file to determine if the file is a directory.
* Whether non-directories are deleted by this method is system dependent and
* therefore not specified. When the parameter is a relative path then the
* directory to delete is relative to this open directory.
*
* @param path
* the path of the directory to delete
*
* @throws ClosedDirectoryStreamException
* if the directory stream is closed
* @throws NoSuchFileException
* if the directory does not exist <i>(optional specific exception)</i>
* @throws DirectoryNotEmptyException
* if the directory could not otherwise be deleted because it is
* not empty <i>(optional specific exception)</i>
* @throws IOException
* if an I/O error occurs
* @throws SecurityException
* In the case of the default provider, and a security manager is
* installed, the {@link SecurityManager#checkDelete(String) checkDelete}
* method is invoked to check delete access to the directory
*/
void deleteDirectory(T path) throws IOException;
/**
* Move a file from this directory to another directory.
*
* <p> This method works in a similar manner to {@link Files#move move}
* method when the {@link StandardCopyOption#ATOMIC_MOVE ATOMIC_MOVE} option
* is specified. That is, this method moves a file as an atomic file system
* operation. If the {@code srcpath} parameter is an {@link Path#isAbsolute
* absolute} path then it locates the source file. If the parameter is a
* relative path then it is located relative to this open directory. If
* the {@code targetpath} parameter is absolute then it locates the target
* file (the {@code targetdir} parameter is ignored). If the parameter is
* a relative path it is located relative to the open directory identified
* by the {@code targetdir} parameter. In all cases, if the target file
* exists then it is implementation specific if it is replaced or this
* method fails.
*
* @param srcpath
* the name of the file to move
* @param targetdir
* the destination directory
* @param targetpath
* the name to give the file in the destination directory
*
* @throws ClosedDirectoryStreamException
* if this or the target directory stream is closed
* @throws FileAlreadyExistsException
* if the file already exists in the target directory and cannot
* be replaced <i>(optional specific exception)</i>
* @throws AtomicMoveNotSupportedException
* if the file cannot be moved as an atomic file system operation
* @throws IOException
* if an I/O error occurs
* @throws SecurityException
* In the case of the default provider, and a security manager is
* installed, the {@link SecurityManager#checkWrite(String) checkWrite}
* method is invoked to check write access to both the source and
* target file.
*/
void move(T srcpath, SecureDirectoryStream<T> targetdir, T targetpath)
throws IOException;
/**
* Returns a new file attribute view to access the file attributes of this
* directory.
*
* <p> The resulting file attribute view can be used to read or update the
* attributes of this (open) directory. The {@code type} parameter specifies
* the type of the attribute view and the method returns an instance of that
* type if supported. Invoking this method to obtain a {@link
* BasicFileAttributeView} always returns an instance of that class that is
* bound to this open directory.
*
* <p> The state of resulting file attribute view is intimately connected
* to this directory stream. Once the directory stream is {@link #close closed},
* then all methods to read or update attributes will throw {@link
* ClosedDirectoryStreamException ClosedDirectoryStreamException}.
*
* @param <V>
* The {@code FileAttributeView} type
* @param type
* the {@code Class} object corresponding to the file attribute view
*
* @return a new file attribute view of the specified type bound to
* this directory stream, or {@code null} if the attribute view
* type is not available
*/
<V extends FileAttributeView> V getFileAttributeView(Class<V> type);
/**
* Returns a new file attribute view to access the file attributes of a file
* in this directory.
*
* <p> The resulting file attribute view can be used to read or update the
* attributes of file in this directory. The {@code type} parameter specifies
* the type of the attribute view and the method returns an instance of that
* type if supported. Invoking this method to obtain a {@link
* BasicFileAttributeView} always returns an instance of that class that is
* bound to the file in the directory.
*
* <p> The state of resulting file attribute view is intimately connected
* to this directory stream. Once the directory stream {@link #close closed},
* then all methods to read or update attributes will throw {@link
* ClosedDirectoryStreamException ClosedDirectoryStreamException}. The
* file is not required to exist at the time that the file attribute view
* is created but methods to read or update attributes of the file will
* fail when invoked and the file does not exist.
*
* @param <V>
* The {@code FileAttributeView} type
* @param path
* the path of the file
* @param type
* the {@code Class} object corresponding to the file attribute view
* @param options
* options indicating how symbolic links are handled
*
* @return a new file attribute view of the specified type bound to a
* this directory stream, or {@code null} if the attribute view
* type is not available
*
*/
<V extends FileAttributeView> V getFileAttributeView(T path,
Class<V> type,
LinkOption... options);
}