Upgrade to aws 1.10.33

The security issues in the AWS SDK have been fixed upstream, so this removes the hacks we added to work around them.
Robert Muir 2015-11-10 22:51:33 -05:00
parent 83f3a981b7
commit 914cee213e
19 changed files with 17 additions and 129 deletions


@ -74,18 +74,6 @@ final class ESPolicy extends Policy {
} }
} }
// Special handling for broken AWS code which destroys all SSL security
// REMOVE THIS when https://github.com/aws/aws-sdk-java/pull/432 is fixed
if (permission instanceof RuntimePermission && "accessClassInPackage.sun.security.ssl".equals(permission.getName())) {
for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
if ("com.amazonaws.http.conn.ssl.SdkTLSSocketFactory".equals(element.getClassName()) &&
"verifyMasterSecret".equals(element.getMethodName())) {
// we found the horrible method: the hack begins!
// force the aws code to back down, by throwing an exception that it catches.
rethrow(new IllegalAccessException("no amazon, you cannot do this."));
}
}
}
// otherwise defer to template + dynamic file permissions // otherwise defer to template + dynamic file permissions
return template.implies(domain, permission) || dynamic.implies(permission); return template.implies(domain, permission) || dynamic.implies(permission);
} }
@ -104,20 +92,4 @@ final class ESPolicy extends Policy {
// return UNSUPPORTED_EMPTY_COLLECTION since it is safe. // return UNSUPPORTED_EMPTY_COLLECTION since it is safe.
return super.getPermissions(codesource); return super.getPermissions(codesource);
} }
/**
* Classy puzzler to rethrow any checked exception as an unchecked one.
*/
private static class Rethrower<T extends Throwable> {
private void rethrow(Throwable t) throws T {
throw (T) t;
}
}
/**
* Rethrows <code>t</code> (identical object).
*/
private void rethrow(Throwable t) {
new Rethrower<Error>().rethrow(t);
}
} }


@ -23,7 +23,7 @@ esplugin {
} }
versions << [ versions << [
'aws': '1.10.19' 'aws': '1.10.33'
] ]
dependencies { dependencies {


@ -1 +0,0 @@
b53f650323b7242dcced25b679f3e9aa4b494da5


@ -0,0 +1 @@
fabedbbe2b834b1add150b6a38395c5ef7380168


@ -1 +0,0 @@
50ba7eb31719be1260bdae51cf69340df2d91ec4


@ -0,0 +1 @@
202f6b5dbc196e355d50c131b0fd34969bfd89e6


@ -19,7 +19,6 @@
package org.elasticsearch.plugin.discovery.ec2; package org.elasticsearch.plugin.discovery.ec2;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl; import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl;
import org.elasticsearch.cloud.aws.Ec2Module; import org.elasticsearch.cloud.aws.Ec2Module;
import org.elasticsearch.common.component.LifecycleComponent; import org.elasticsearch.common.component.LifecycleComponent;
@ -32,8 +31,6 @@ import org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider;
import org.elasticsearch.discovery.ec2.Ec2Discovery; import org.elasticsearch.discovery.ec2.Ec2Discovery;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
@ -42,27 +39,6 @@ import java.util.Collection;
*/ */
public class Ec2DiscoveryPlugin extends Plugin { public class Ec2DiscoveryPlugin extends Plugin {
static {
// This internal config is deserialized but with wrong access modifiers,
// cannot work without suppressAccessChecks permission right now. We force
// a one time load with elevated privileges as a workaround.
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
try {
Class.forName("com.amazonaws.internal.config.InternalConfig$Factory");
} catch (ClassNotFoundException e) {
throw new RuntimeException("Unable to initialize internal aws config", e);
}
return null;
}
});
}
private final Settings settings; private final Settings settings;
protected final ESLogger logger = Loggers.getLogger(Ec2DiscoveryPlugin.class); protected final ESLogger logger = Loggers.getLogger(Ec2DiscoveryPlugin.class);


@ -1,23 +0,0 @@
/*
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
grant {
// needed because of problems in aws-sdk
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};


@ -1355,4 +1355,9 @@ public class AmazonEC2Mock implements AmazonEC2 {
public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) { public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) {
throw new UnsupportedOperationException("Not supported in mock"); throw new UnsupportedOperationException("Not supported in mock");
} }
@Override
public ModifySpotFleetRequestResult modifySpotFleetRequest(ModifySpotFleetRequestRequest modifySpotFleetRequestRequest) throws AmazonServiceException, AmazonClientException {
throw new UnsupportedOperationException("Not supported in mock");
}
} }


@ -23,7 +23,7 @@ esplugin {
} }
versions << [ versions << [
'aws': '1.10.19' 'aws': '1.10.33'
] ]
dependencies { dependencies {


@ -1 +0,0 @@
b53f650323b7242dcced25b679f3e9aa4b494da5


@ -0,0 +1 @@
fabedbbe2b834b1add150b6a38395c5ef7380168


@ -1 +0,0 @@
c8764f3e61a3c420db429870ec22b31fe755d81d


@ -0,0 +1 @@
35881245894ecc4d893c074eacdf2e6b56820fda


@ -1 +0,0 @@
a23dc60d56d54126250c23cab1d01328b1e83678


@ -0,0 +1 @@
5665cf77102a932a16e99ebf41d197e03ddbf25c


@ -19,7 +19,6 @@
package org.elasticsearch.plugin.repository.s3; package org.elasticsearch.plugin.repository.s3;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.cloud.aws.S3Module; import org.elasticsearch.cloud.aws.S3Module;
import org.elasticsearch.common.component.LifecycleComponent; import org.elasticsearch.common.component.LifecycleComponent;
import org.elasticsearch.common.inject.Module; import org.elasticsearch.common.inject.Module;
@ -28,8 +27,6 @@ import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.repositories.RepositoriesModule; import org.elasticsearch.repositories.RepositoriesModule;
import org.elasticsearch.repositories.s3.S3Repository; import org.elasticsearch.repositories.s3.S3Repository;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
@ -39,27 +36,6 @@ import java.util.Collections;
*/ */
public class S3RepositoryPlugin extends Plugin { public class S3RepositoryPlugin extends Plugin {
static {
// This internal config is deserialized but with wrong access modifiers,
// cannot work without suppressAccessChecks permission right now. We force
// a one time load with elevated privileges as a workaround.
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
try {
Class.forName("com.amazonaws.internal.config.InternalConfig$Factory");
} catch (ClassNotFoundException e) {
throw new RuntimeException("Unable to initialize internal aws config", e);
}
return null;
}
});
}
@Override @Override
public String name() { public String name() {
return "repository-s3"; return "repository-s3";


@ -1,23 +0,0 @@
/*
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
grant {
// needed because of problems in aws-sdk
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};


@ -628,4 +628,9 @@ public class AmazonS3Wrapper implements AmazonS3 {
public BucketReplicationConfiguration getBucketReplicationConfiguration(GetBucketReplicationConfigurationRequest getBucketReplicationConfigurationRequest) throws AmazonServiceException, AmazonClientException { public BucketReplicationConfiguration getBucketReplicationConfiguration(GetBucketReplicationConfigurationRequest getBucketReplicationConfigurationRequest) throws AmazonServiceException, AmazonClientException {
return delegate.getBucketReplicationConfiguration(getBucketReplicationConfigurationRequest); return delegate.getBucketReplicationConfiguration(getBucketReplicationConfigurationRequest);
} }
@Override
public HeadBucketResult headBucket(HeadBucketRequest headBucketRequest) throws AmazonClientException, AmazonServiceException {
return delegate.headBucket(headBucketRequest);
}
} }
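Review bot: The new `headBucket` override lists its exceptions as `throws AmazonClientException, AmazonServiceException`, while the `getBucketReplicationConfiguration` override directly above it in this hunk uses `throws AmazonServiceException, AmazonClientException`. The order has no effect on behaviour, but matching the neighbouring method keeps the wrapper uniform: `public HeadBucketResult headBucket(HeadBucketRequest headBucketRequest) throws AmazonServiceException, AmazonClientException {`. The rest of AmazonS3Wrapper is outside this hunk, so confirm which order the other delegating methods use before changing it.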