From 914cee213e148f1e61fbca3b201f9dd093a28d72 Mon Sep 17 00:00:00 2001 
From: Robert Muir Date: Tue, 10 Nov 2015 22:51:33 -0500 Subject: [PATCH] Upgrade to aws 1.10.33 Security issues have been fixed. This removes our hacks. --- .../org/elasticsearch/bootstrap/ESPolicy.java | 28 ------------------- plugins/discovery-ec2/build.gradle | 2 +- .../aws-java-sdk-core-1.10.19.jar.sha1 | 1 - .../aws-java-sdk-core-1.10.33.jar.sha1 | 1 + .../aws-java-sdk-ec2-1.10.19.jar.sha1 | 1 - .../aws-java-sdk-ec2-1.10.33.jar.sha1 | 1 + .../discovery/ec2/Ec2DiscoveryPlugin.java | 24 ---------------- .../plugin-metadata/plugin-security.policy | 23 --------------- .../discovery/ec2/AmazonEC2Mock.java | 5 ++++ plugins/repository-s3/build.gradle | 2 +- .../aws-java-sdk-core-1.10.19.jar.sha1 | 1 - .../aws-java-sdk-core-1.10.33.jar.sha1 | 1 + .../aws-java-sdk-kms-1.10.19.jar.sha1 | 1 - .../aws-java-sdk-kms-1.10.33.jar.sha1 | 1 + .../licenses/aws-java-sdk-s3-1.10.19.jar.sha1 | 1 - .../licenses/aws-java-sdk-s3-1.10.33.jar.sha1 | 1 + .../repository/s3/S3RepositoryPlugin.java | 24 ---------------- .../plugin-metadata/plugin-security.policy | 23 --------------- .../cloud/aws/AmazonS3Wrapper.java | 5 ++++ 19 files changed, 17 insertions(+), 129 deletions(-) delete mode 100644 plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.19.jar.sha1 create mode 100644 plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.33.jar.sha1 delete mode 100644 plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.19.jar.sha1 create mode 100644 plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.33.jar.sha1 delete mode 100644 plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy delete mode 100644 plugins/repository-s3/licenses/aws-java-sdk-core-1.10.19.jar.sha1 create mode 100644 plugins/repository-s3/licenses/aws-java-sdk-core-1.10.33.jar.sha1 delete mode 100644 plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.19.jar.sha1 create mode 100644 plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.33.jar.sha1 delete mode 100644 
plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.19.jar.sha1 create mode 100644 plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.33.jar.sha1 delete mode 100644 plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy diff --git a/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java b/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java index a4e88fc5685..474ec755d46 100644 --- a/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java +++ b/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java @@ -74,18 +74,6 @@ final class ESPolicy extends Policy { } } - // Special handling for broken AWS code which destroys all SSL security - // REMOVE THIS when https://github.com/aws/aws-sdk-java/pull/432 is fixed - if (permission instanceof RuntimePermission && "accessClassInPackage.sun.security.ssl".equals(permission.getName())) { - for (StackTraceElement element : Thread.currentThread().getStackTrace()) { - if ("com.amazonaws.http.conn.ssl.SdkTLSSocketFactory".equals(element.getClassName()) && - "verifyMasterSecret".equals(element.getMethodName())) { - // we found the horrible method: the hack begins! - // force the aws code to back down, by throwing an exception that it catches. - rethrow(new IllegalAccessException("no amazon, you cannot do this.")); - } - } - } // otherwise defer to template + dynamic file permissions return template.implies(domain, permission) || dynamic.implies(permission); } @@ -104,20 +92,4 @@ final class ESPolicy extends Policy { // return UNSUPPORTED_EMPTY_COLLECTION since it is safe. return super.getPermissions(codesource); } - - /** - * Classy puzzler to rethrow any checked exception as an unchecked one. - */ - private static class Rethrower { - private void rethrow(Throwable t) throws T { - throw (T) t; - } - } - - /** - * Rethrows t (identical object). - */ - private void rethrow(Throwable t) { - new Rethrower().rethrow(t); - } } 
diff --git a/plugins/discovery-ec2/build.gradle b/plugins/discovery-ec2/build.gradle index 3601e248d78..25706619c15 100644 --- a/plugins/discovery-ec2/build.gradle +++ b/plugins/discovery-ec2/build.gradle @@ -23,7 +23,7 @@ esplugin { } versions << [ - 'aws': '1.10.19' + 'aws': '1.10.33' ] dependencies { diff --git a/plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.19.jar.sha1 b/plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.19.jar.sha1 deleted file mode 100644 index 66e418e6fb2..00000000000 --- a/plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.19.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -b53f650323b7242dcced25b679f3e9aa4b494da5 diff --git a/plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.33.jar.sha1 b/plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.33.jar.sha1 new file mode 100644 index 00000000000..332a8f01035 --- /dev/null +++ b/plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.33.jar.sha1 @@ -0,0 +1 @@ +fabedbbe2b834b1add150b6a38395c5ef7380168 \ No newline at end of file diff --git a/plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.19.jar.sha1 b/plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.19.jar.sha1 deleted file mode 100644 index 26fa78d2fd4..00000000000 --- a/plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.19.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -50ba7eb31719be1260bdae51cf69340df2d91ec4 diff --git a/plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.33.jar.sha1 b/plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.33.jar.sha1 new file mode 100644 index 00000000000..4737b80b3f2 --- /dev/null +++ b/plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.33.jar.sha1 @@ -0,0 +1 @@ +202f6b5dbc196e355d50c131b0fd34969bfd89e6 \ No newline at end of file diff --git a/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java b/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java index 6b73a71e0be..a95d1a73a75 100644 
--- a/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java +++ b/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java @@ -19,7 +19,6 @@ package org.elasticsearch.plugin.discovery.ec2; -import org.elasticsearch.SpecialPermission; import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl; import org.elasticsearch.cloud.aws.Ec2Module; import org.elasticsearch.common.component.LifecycleComponent; @@ -32,8 +31,6 @@ import org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider; import org.elasticsearch.discovery.ec2.Ec2Discovery; import org.elasticsearch.plugins.Plugin; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Collection; @@ -41,27 +38,6 @@ import java.util.Collection; * */ public class Ec2DiscoveryPlugin extends Plugin { - - static { - // This internal config is deserialized but with wrong access modifiers, - // cannot work without suppressAccessChecks permission right now. We force - // a one time load with elevated privileges as a workaround. - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Void run() { - try { - Class.forName("com.amazonaws.internal.config.InternalConfig$Factory"); - } catch (ClassNotFoundException e) { - throw new RuntimeException("Unable to initialize internal aws config", e); - } - return null; - } - }); - } private final Settings settings; protected final ESLogger logger = Loggers.getLogger(Ec2DiscoveryPlugin.class); diff --git a/plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy b/plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy deleted file mode 100644 index 66810451688..00000000000 --- a/plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * Licensed to Elasticsearch under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -grant { - // needed because of problems in aws-sdk - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; diff --git a/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AmazonEC2Mock.java b/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AmazonEC2Mock.java index 7213a3ace6d..47e2554dcd4 100644 --- a/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AmazonEC2Mock.java +++ b/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AmazonEC2Mock.java @@ -1355,4 +1355,9 @@ public class AmazonEC2Mock implements AmazonEC2 { public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) { throw new UnsupportedOperationException("Not supported in mock"); } + + @Override + public ModifySpotFleetRequestResult modifySpotFleetRequest(ModifySpotFleetRequestRequest modifySpotFleetRequestRequest) throws AmazonServiceException, AmazonClientException { + throw new UnsupportedOperationException("Not supported in mock"); + } } diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle index f30d5833cdc..32ad37530c2 100644 
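Review bot: The new `modifySpotFleetRequest` override at the end of AmazonEC2Mock has no comment saying it is there only because the `AmazonEC2` interface apparently gained that method between 1.10.19 and 1.10.33; the same holds for `headBucket` in AmazonS3Wrapper further down. Both test classes implement the full SDK interface by hand, so every SDK bump, including a security-driven one like this, fails to compile until the new methods are added. I would record that coupling above the method: `// required by AmazonEC2 as of aws-java-sdk 1.10.33; extend this mock whenever the SDK interface grows`. The class body starts outside this hunk, so an earlier comment may already cover this.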
--- a/plugins/repository-s3/build.gradle +++ b/plugins/repository-s3/build.gradle @@ -23,7 +23,7 @@ esplugin { } versions << [ - 'aws': '1.10.19' + 'aws': '1.10.33' ] dependencies { diff --git a/plugins/repository-s3/licenses/aws-java-sdk-core-1.10.19.jar.sha1 b/plugins/repository-s3/licenses/aws-java-sdk-core-1.10.19.jar.sha1 deleted file mode 100644 index 66e418e6fb2..00000000000 --- a/plugins/repository-s3/licenses/aws-java-sdk-core-1.10.19.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -b53f650323b7242dcced25b679f3e9aa4b494da5 diff --git a/plugins/repository-s3/licenses/aws-java-sdk-core-1.10.33.jar.sha1 b/plugins/repository-s3/licenses/aws-java-sdk-core-1.10.33.jar.sha1 new file mode 100644 index 00000000000..332a8f01035 --- /dev/null +++ b/plugins/repository-s3/licenses/aws-java-sdk-core-1.10.33.jar.sha1 @@ -0,0 +1 @@ +fabedbbe2b834b1add150b6a38395c5ef7380168 \ No newline at end of file diff --git a/plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.19.jar.sha1 b/plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.19.jar.sha1 deleted file mode 100644 index 1328451c1c0..00000000000 --- a/plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.19.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -c8764f3e61a3c420db429870ec22b31fe755d81d diff --git a/plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.33.jar.sha1 b/plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.33.jar.sha1 new file mode 100644 index 00000000000..0d7ab9f8381 --- /dev/null +++ b/plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.33.jar.sha1 @@ -0,0 +1 @@ +35881245894ecc4d893c074eacdf2e6b56820fda \ No newline at end of file diff --git a/plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.19.jar.sha1 b/plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.19.jar.sha1 deleted file mode 100644 index 9932c4676c4..00000000000 --- a/plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.19.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -a23dc60d56d54126250c23cab1d01328b1e83678 
diff --git a/plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.33.jar.sha1 b/plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.33.jar.sha1 new file mode 100644 index 00000000000..3328f01c658 --- /dev/null +++ b/plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.33.jar.sha1 @@ -0,0 +1 @@ +5665cf77102a932a16e99ebf41d197e03ddbf25c \ No newline at end of file diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java b/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java index d014613dc3e..2911e278c38 100644 --- a/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java +++ b/plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java @@ -19,7 +19,6 @@ package org.elasticsearch.plugin.repository.s3; -import org.elasticsearch.SpecialPermission; import org.elasticsearch.cloud.aws.S3Module; import org.elasticsearch.common.component.LifecycleComponent; import org.elasticsearch.common.inject.Module; @@ -28,8 +27,6 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.repositories.RepositoriesModule; import org.elasticsearch.repositories.s3.S3Repository; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; 
@@ -38,27 +35,6 @@ import java.util.Collections; * */ public class S3RepositoryPlugin extends Plugin { - - static { - // This internal config is deserialized but with wrong access modifiers, - // cannot work without suppressAccessChecks permission right now. We force - // a one time load with elevated privileges as a workaround. - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Void run() { - try { - Class.forName("com.amazonaws.internal.config.InternalConfig$Factory"); - } catch (ClassNotFoundException e) { - throw new RuntimeException("Unable to initialize internal aws config", e); - } - return null; - } - }); - } @Override public String name() { diff --git a/plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy b/plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy deleted file mode 100644 index 66810451688..00000000000 --- a/plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * Licensed to Elasticsearch under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -grant { - // needed because of problems in aws-sdk - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; diff --git a/plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/AmazonS3Wrapper.java b/plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/AmazonS3Wrapper.java index 846892b8704..0c9e7535db0 100644 --- a/plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/AmazonS3Wrapper.java +++ b/plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/AmazonS3Wrapper.java @@ -628,4 +628,9 @@ public class AmazonS3Wrapper implements AmazonS3 { public BucketReplicationConfiguration getBucketReplicationConfiguration(GetBucketReplicationConfigurationRequest getBucketReplicationConfigurationRequest) throws AmazonServiceException, AmazonClientException { return delegate.getBucketReplicationConfiguration(getBucketReplicationConfigurationRequest); } + + @Override + public HeadBucketResult headBucket(HeadBucketRequest headBucketRequest) throws AmazonClientException, AmazonServiceException { + return delegate.headBucket(headBucketRequest); + } }