x-plugins security changes for elastic/elasticsearch#14311
* watcher needs setFactory at least for now * fix watcher build to include security.policy (it duplicates too much build logic, this is hard) * fix watcher build to respect test logging parameters. Original commit: elastic/x-pack-elasticsearch@d2dc5f82e7
parent
70ed74cd7d
commit
8aa8d88d3d
2
pom.xml
2
pom.xml
|
@ -73,7 +73,7 @@
|
|||
<dependency>
|
||||
<groupId>org.elasticsearch</groupId>
|
||||
<artifactId>securemock</artifactId>
|
||||
<version>1.1</version>
|
||||
<version>${securemock.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
|
|
@ -162,6 +162,17 @@
|
|||
<include>test/**/*.yaml</include>
|
||||
</includes>
|
||||
</testResource>
|
||||
<!-- copied from plugins parent module, because watcher resources are insane -->
|
||||
<!-- shared test resources like log4j.properties -->
|
||||
<testResource>
|
||||
<directory>${elasticsearch.tools.directory}/shared-test-resources</directory>
|
||||
<filtering>false</filtering>
|
||||
</testResource>
|
||||
<!-- plugin metadata as a test resource -->
|
||||
<testResource>
|
||||
<directory>${basedir}/target/metadata-test-resources</directory>
|
||||
<filtering>false</filtering>
|
||||
</testResource>
|
||||
</testResources>
|
||||
<plugins>
|
||||
<plugin>
|
||||
|
|
|
@ -11,6 +11,14 @@
|
|||
<directory>bin/watcher</directory>
|
||||
<outputDirectory>bin</outputDirectory>
|
||||
</fileSet>
|
||||
<fileSet>
|
||||
<directory>${project.basedir}/src/main/plugin-metadata</directory>
|
||||
<includes>
|
||||
<include>plugin-security.policy</include>
|
||||
</includes>
|
||||
<outputDirectory></outputDirectory>
|
||||
<filtered>false</filtered>
|
||||
</fileSet>
|
||||
</fileSets>
|
||||
<dependencySets>
|
||||
<dependencySet>
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
*/
|
||||
package org.elasticsearch.watcher.actions.email.service;
|
||||
|
||||
import org.elasticsearch.SpecialPermission;
|
||||
import org.elasticsearch.common.logging.ESLogger;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.settings.SettingsException;
|
||||
|
@ -17,6 +18,9 @@ import javax.mail.Session;
|
|||
import javax.mail.Transport;
|
||||
import javax.mail.internet.InternetAddress;
|
||||
import javax.mail.internet.MimeMessage;
|
||||
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.Map;
|
||||
import java.util.Properties;
|
||||
|
||||
|
@ -29,13 +33,23 @@ public class Account {
|
|||
|
||||
static {
|
||||
// required as java doesn't always find the correct mailcap to properly handle mime types
|
||||
MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
|
||||
final MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
|
||||
mailcap.addMailcap("text/html;; x-java-content-handler=com.sun.mail.handlers.text_html");
|
||||
mailcap.addMailcap("text/xml;; x-java-content-handler=com.sun.mail.handlers.text_xml");
|
||||
mailcap.addMailcap("text/plain;; x-java-content-handler=com.sun.mail.handlers.text_plain");
|
||||
mailcap.addMailcap("multipart/*;; x-java-content-handler=com.sun.mail.handlers.multipart_mixed");
|
||||
mailcap.addMailcap("message/rfc822;; x-java-content-handler=com.sun.mail.handlers.message_rfc822");
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
sm.checkPermission(new SpecialPermission());
|
||||
}
|
||||
AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
||||
@Override
|
||||
public Void run() {
|
||||
CommandMap.setDefaultCommandMap(mailcap);
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
private final Config config;
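Review bot: The `sm.checkPermission(new SpecialPermission())` call sits in Account's static initializer, so it is evaluated against whichever call stack first triggers class initialization. A SecurityException thrown there surfaces as ExceptionInInitializerError and leaves the class unusable for the rest of the JVM's life. If that is the intended failure mode, say so next to the check, e.g. `// checked once, on the stack that first initializes Account; a denial here fails class init permanently`. The comment could also record that `CommandMap.setDefaultCommandMap` changes JVM-wide state and appears to be the call that needs `setFactory`, which is why only that call is inside `doPrivileged`.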
|
||||
|
|
|
@ -8,6 +8,7 @@ package org.elasticsearch.watcher.support.http;
|
|||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.ElasticsearchTimeoutException;
|
||||
import org.elasticsearch.ExceptionsHelper;
|
||||
import org.elasticsearch.SpecialPermission;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.component.AbstractLifecycleComponent;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
|
@ -29,7 +30,9 @@ import java.net.URL;
|
|||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.AccessController;
|
||||
import java.security.KeyStore;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.SecureRandom;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
|
@ -158,8 +161,19 @@ public class HttpClient extends AbstractLifecycleComponent<HttpClient> {
|
|||
|
||||
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(proxyToUse.proxy());
|
||||
if (urlConnection instanceof HttpsURLConnection && sslSocketFactory != null) {
|
||||
HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection;
|
||||
httpsConn.setSSLSocketFactory(sslSocketFactory);
|
||||
final HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection;
|
||||
final SSLSocketFactory factory = sslSocketFactory;
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
sm.checkPermission(new SpecialPermission());
|
||||
}
|
||||
AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
||||
@Override
|
||||
public Void run() {
|
||||
httpsConn.setSSLSocketFactory(factory);
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
urlConnection.setRequestMethod(request.method().method());
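Review bot: The privileged block around `httpsConn.setSSLSocketFactory(factory)` has no comment saying why it exists or why it is kept this small. A line such as `// setSSLSocketFactory needs RuntimePermission "setFactory"; elevate only this setter so connecting and reading still run under the caller's permissions`, placed above the `SpecialPermission` check, would discourage a later edit from widening the block to cover the request itself. The same check-then-`doPrivileged` pattern appears in Account's static initializer in this commit, so the two comments should use matching wording. The enclosing method starts and ends outside the hunk.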
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
grant {
|
||||
// needed to set expert SSL options, etc
|
||||
permission java.lang.RuntimePermission "setFactory";
|
||||
};
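Review bot: The comment on this grant mentions only SSL options, but `setFactory` is a broad permission that also gates the JVM-wide socket and URL stream handler factory setters. In this commit it also appears to be what `CommandMap.setDefaultCommandMap` in Account relies on. Listing the call sites would make the grant auditable when someone later tries to narrow or remove it: `// needed by HttpClient (HttpsURLConnection.setSSLSocketFactory) and by email Account (CommandMap.setDefaultCommandMap)`. The commit description says the permission is needed "at least for now", so a TODO naming the follow-up would fit here too.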
|
|
@ -52,7 +52,7 @@ public class EmailServer {
|
|||
@Override
|
||||
public void deliver(String from, String recipient, InputStream data) throws TooMuchDataException, IOException {
|
||||
try {
|
||||
Session session = Session.getDefaultInstance(new Properties());
|
||||
Session session = Session.getInstance(new Properties());
|
||||
MimeMessage msg = new MimeMessage(session, data);
|
||||
for (Listener listener : listeners) {
|
||||
try {
|
||||
|
|
|
@ -1,42 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8" ?>
|
||||
<!-- Licensed to Elasticsearch under one or more contributor
|
||||
license agreements. See the NOTICE file distributed with this work for additional
|
||||
information regarding copyright ownership. ElasticSearch licenses this file to you
|
||||
under the Apache License, Version 2.0 (the "License"); you may not use this
|
||||
file except in compliance with the License. You may obtain a copy of the
|
||||
License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by
|
||||
applicable law or agreed to in writing, software distributed under the License
|
||||
is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
KIND, either express or implied. See the License for the specific language
|
||||
governing permissions and limitations under the License. -->
|
||||
|
||||
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
|
||||
|
||||
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
|
||||
<appender name="console" class="org.apache.log4j.ConsoleAppender">
|
||||
<param name="Target" value="System.out" />
|
||||
<layout class="org.apache.log4j.PatternLayout">
|
||||
<param name="ConversionPattern" value="%d %-5p %c{1} - %m%n" />
|
||||
</layout>
|
||||
</appender>
|
||||
|
||||
<logger name="org.elasticsearch">
|
||||
<level value="info" />
|
||||
</logger>
|
||||
|
||||
<logger name="org.elasticsearch.cloud.aws">
|
||||
<level value="trace" />
|
||||
</logger>
|
||||
<logger name="org.elasticsearch.discovery.aws">
|
||||
<level value="trace" />
|
||||
</logger>
|
||||
<logger name="org.elasticsearch.repositories.aws">
|
||||
<level value="trace" />
|
||||
</logger>
|
||||
|
||||
<root>
|
||||
<priority value="info" />
|
||||
<appender-ref ref="console" />
|
||||
</root>
|
||||
|
||||
</log4j:configuration>
|