honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-03-01 16:39:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

x-plugins security changes for elastic/elasticsearch#14311

Browse Source 
* watcher needs setFactory at least for now
* fix watcher build to include security.policy (it duplicates too much build logic, this is hard)
* fix watcher build to respect test logging parameters.

Original commit: elastic/x-pack-elasticsearch@d2dc5f82e7
This commit is contained in:
Robert Muir 2015-10-27 20:07:38 -04:00
parent 70ed74cd7d
commit 8aa8d88d3d
8 changed files with 57 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pom.xml
View File

@ -73,7 +73,7 @@
<dependency> <dependency>
<groupId>org.elasticsearch</groupId> <groupId>org.elasticsearch</groupId>
<artifactId>securemock</artifactId> <artifactId>securemock</artifactId>
<version>1.1</version> <version>${securemock.version}</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
</dependencies> </dependencies>

11
watcher/pom.xml
View File

@ -162,6 +162,17 @@
<include>test/**/*.yaml</include> <include>test/**/*.yaml</include>
</includes> </includes>
</testResource> </testResource>
<!-- copied from plugins parent module, because watcher resources are insane -->
<!-- shared test resources like log4j.properties -->
<testResource>
<directory>${elasticsearch.tools.directory}/shared-test-resources</directory>
<filtering>false</filtering>
</testResource>
<!-- plugin metadata as a test resource -->
<testResource>
<directory>${basedir}/target/metadata-test-resources</directory>
<filtering>false</filtering>
</testResource>
</testResources> </testResources>
<plugins> <plugins>
<plugin> <plugin>

8
watcher/src/main/assemblies/plugin.xml
View File

@ -11,6 +11,14 @@
<directory>bin/watcher</directory> <directory>bin/watcher</directory>
<outputDirectory>bin</outputDirectory> <outputDirectory>bin</outputDirectory>
</fileSet> </fileSet>
<fileSet>
<directory>${project.basedir}/src/main/plugin-metadata</directory>
<includes>
<include>plugin-security.policy</include>
</includes>
<outputDirectory></outputDirectory>
<filtered>false</filtered>
</fileSet>
</fileSets> </fileSets>
<dependencySets> <dependencySets>
<dependencySet> <dependencySet>

16
watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/Account.java
View File

@ -5,6 +5,7 @@
*/ */
package org.elasticsearch.watcher.actions.email.service; package org.elasticsearch.watcher.actions.email.service;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.logging.ESLogger; import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException; import org.elasticsearch.common.settings.SettingsException;
@ -17,6 +18,9 @@ import javax.mail.Session;
import javax.mail.Transport; import javax.mail.Transport;
import javax.mail.internet.InternetAddress; import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage; import javax.mail.internet.MimeMessage;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map; import java.util.Map;
import java.util.Properties; import java.util.Properties;
@ -29,13 +33,23 @@ public class Account {
static { static {
// required as java doesn't always find the correct mailcap to properly handle mime types // required as java doesn't always find the correct mailcap to properly handle mime types
MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap(); final MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
mailcap.addMailcap("text/html;; x-java-content-handler=com.sun.mail.handlers.text_html"); mailcap.addMailcap("text/html;; x-java-content-handler=com.sun.mail.handlers.text_html");
mailcap.addMailcap("text/xml;; x-java-content-handler=com.sun.mail.handlers.text_xml"); mailcap.addMailcap("text/xml;; x-java-content-handler=com.sun.mail.handlers.text_xml");
mailcap.addMailcap("text/plain;; x-java-content-handler=com.sun.mail.handlers.text_plain"); mailcap.addMailcap("text/plain;; x-java-content-handler=com.sun.mail.handlers.text_plain");
mailcap.addMailcap("multipart/*;; x-java-content-handler=com.sun.mail.handlers.multipart_mixed"); mailcap.addMailcap("multipart/*;; x-java-content-handler=com.sun.mail.handlers.multipart_mixed");
mailcap.addMailcap("message/rfc822;; x-java-content-handler=com.sun.mail.handlers.message_rfc822"); mailcap.addMailcap("message/rfc822;; x-java-content-handler=com.sun.mail.handlers.message_rfc822");
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
CommandMap.setDefaultCommandMap(mailcap); CommandMap.setDefaultCommandMap(mailcap);
return null;
}
});
} }
private final Config config; private final Config config;

18
watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
View File

@ -8,6 +8,7 @@ package org.elasticsearch.watcher.support.http;
import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchTimeoutException; import org.elasticsearch.ElasticsearchTimeoutException;
import org.elasticsearch.ExceptionsHelper; import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.AbstractLifecycleComponent; import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
@ -29,7 +30,9 @@ import java.net.URL;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.AccessController;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
@ -158,8 +161,19 @@ public class HttpClient extends AbstractLifecycleComponent<HttpClient> {
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(proxyToUse.proxy()); HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(proxyToUse.proxy());
if (urlConnection instanceof HttpsURLConnection && sslSocketFactory != null) { if (urlConnection instanceof HttpsURLConnection && sslSocketFactory != null) {
HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection; final HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection;
httpsConn.setSSLSocketFactory(sslSocketFactory); final SSLSocketFactory factory = sslSocketFactory;
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
httpsConn.setSSLSocketFactory(factory);
return null;
}
});
} }
urlConnection.setRequestMethod(request.method().method()); urlConnection.setRequestMethod(request.method().method());

4
watcher/src/main/plugin-metadata/plugin-security.policy Normal file
View File

@ -0,0 +1,4 @@
grant {
// needed to set expert SSL options, etc
permission java.lang.RuntimePermission "setFactory";
};

2
watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/support/EmailServer.java
View File

@ -52,7 +52,7 @@ public class EmailServer {
@Override @Override
public void deliver(String from, String recipient, InputStream data) throws TooMuchDataException, IOException { public void deliver(String from, String recipient, InputStream data) throws TooMuchDataException, IOException {
try { try {
Session session = Session.getDefaultInstance(new Properties()); Session session = Session.getInstance(new Properties());
MimeMessage msg = new MimeMessage(session, data); MimeMessage msg = new MimeMessage(session, data);
for (Listener listener : listeners) { for (Listener listener : listeners) {
try { try {

42
watcher/src/test/resources/log4j.xml
View File

@ -1,42 +0,0 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Licensed to Elasticsearch under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. ElasticSearch licenses this file to you
under the Apache License, Version 2.0 (the "License"); you may not use this
file except in compliance with the License. You may obtain a copy of the
License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by
applicable law or agreed to in writing, software distributed under the License
is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the specific language
governing permissions and limitations under the License. -->
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
<appender name="console" class="org.apache.log4j.ConsoleAppender">
<param name="Target" value="System.out" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{1} - %m%n" />
</layout>
</appender>
<logger name="org.elasticsearch">
<level value="info" />
</logger>
<logger name="org.elasticsearch.cloud.aws">
<level value="trace" />
</logger>
<logger name="org.elasticsearch.discovery.aws">
<level value="trace" />
</logger>
<logger name="org.elasticsearch.repositories.aws">
<level value="trace" />
</logger>
<root>
<priority value="info" />
<appender-ref ref="console" />
</root>
</log4j:configuration>