x-plugins security changes for elastic/elasticsearch#14311

* watcher needs setFactory at least for now
* fix watcher build to include security.policy (it duplicates too much build logic, this is hard)
* fix watcher build to respect test logging parameters.

Original commit: elastic/x-pack-elasticsearch@d2dc5f82e7
This commit is contained in:
Robert Muir 2015-10-27 20:07:38 -04:00
parent 70ed74cd7d
commit 8aa8d88d3d
8 changed files with 57 additions and 48 deletions

View File

@ -73,7 +73,7 @@
<dependency>
<groupId>org.elasticsearch</groupId>
<artifactId>securemock</artifactId>
<version>1.1</version>
<version>${securemock.version}</version>
<scope>test</scope>
</dependency>
</dependencies>

View File

@ -162,6 +162,17 @@
<include>test/**/*.yaml</include>
</includes>
</testResource>
<!-- copied from plugins parent module, because watcher resources are insane -->
<!-- shared test resources like log4j.properties -->
<testResource>
<directory>${elasticsearch.tools.directory}/shared-test-resources</directory>
<filtering>false</filtering>
</testResource>
<!-- plugin metadata as a test resource -->
<testResource>
<directory>${basedir}/target/metadata-test-resources</directory>
<filtering>false</filtering>
</testResource>
</testResources>
<plugins>
<plugin>

View File

@ -11,6 +11,14 @@
<directory>bin/watcher</directory>
<outputDirectory>bin</outputDirectory>
</fileSet>
<fileSet>
<directory>${project.basedir}/src/main/plugin-metadata</directory>
<includes>
<include>plugin-security.policy</include>
</includes>
<outputDirectory></outputDirectory>
<filtered>false</filtered>
</fileSet>
</fileSets>
<dependencySets>
<dependencySet>

View File

@ -5,6 +5,7 @@
*/
package org.elasticsearch.watcher.actions.email.service;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException;
@ -17,6 +18,9 @@ import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Properties;
@ -29,13 +33,23 @@ public class Account {
static {
// required as java doesn't always find the correct mailcap to properly handle mime types
MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
final MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
mailcap.addMailcap("text/html;; x-java-content-handler=com.sun.mail.handlers.text_html");
mailcap.addMailcap("text/xml;; x-java-content-handler=com.sun.mail.handlers.text_xml");
mailcap.addMailcap("text/plain;; x-java-content-handler=com.sun.mail.handlers.text_plain");
mailcap.addMailcap("multipart/*;; x-java-content-handler=com.sun.mail.handlers.multipart_mixed");
mailcap.addMailcap("message/rfc822;; x-java-content-handler=com.sun.mail.handlers.message_rfc822");
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
CommandMap.setDefaultCommandMap(mailcap);
return null;
}
});
}
private final Config config;

View File

@ -8,6 +8,7 @@ package org.elasticsearch.watcher.support.http;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchTimeoutException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.inject.Inject;
@ -29,7 +30,9 @@ import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.List;
@ -158,8 +161,19 @@ public class HttpClient extends AbstractLifecycleComponent<HttpClient> {
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(proxyToUse.proxy());
if (urlConnection instanceof HttpsURLConnection && sslSocketFactory != null) {
HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection;
httpsConn.setSSLSocketFactory(sslSocketFactory);
final HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection;
final SSLSocketFactory factory = sslSocketFactory;
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
httpsConn.setSSLSocketFactory(factory);
return null;
}
});
}
urlConnection.setRequestMethod(request.method().method());

View File

@ -0,0 +1,4 @@
grant {
// needed to set expert SSL options, etc
permission java.lang.RuntimePermission "setFactory";
};

View File

@ -52,7 +52,7 @@ public class EmailServer {
@Override
public void deliver(String from, String recipient, InputStream data) throws TooMuchDataException, IOException {
try {
Session session = Session.getDefaultInstance(new Properties());
Session session = Session.getInstance(new Properties());
MimeMessage msg = new MimeMessage(session, data);
for (Listener listener : listeners) {
try {

View File

@ -1,42 +0,0 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Licensed to Elasticsearch under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. ElasticSearch licenses this file to you
under the Apache License, Version 2.0 (the "License"); you may not use this
file except in compliance with the License. You may obtain a copy of the
License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by
applicable law or agreed to in writing, software distributed under the License
is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the specific language
governing permissions and limitations under the License. -->
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
<appender name="console" class="org.apache.log4j.ConsoleAppender">
<param name="Target" value="System.out" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{1} - %m%n" />
</layout>
</appender>
<logger name="org.elasticsearch">
<level value="info" />
</logger>
<logger name="org.elasticsearch.cloud.aws">
<level value="trace" />
</logger>
<logger name="org.elasticsearch.discovery.aws">
<level value="trace" />
</logger>
<logger name="org.elasticsearch.repositories.aws">
<level value="trace" />
</logger>
<root>
<priority value="info" />
<appender-ref ref="console" />
</root>
</log4j:configuration>