From c9964d17bf7db7e07e37acbb651d8b54fe644d44 Mon Sep 17 00:00:00 2001 From: Ryan Ernst Date: Wed, 6 Sep 2017 18:57:10 -0700 Subject: [PATCH] Internal: Add versionless alias for rest client codebase in policy files (#26521) Security manager policy files contains grants for specific codebases, where a codebase is a jar file. We use a system property containing the name of the jar file to resolve the jar file location when parsing the policy file. However, this means the version of the jars must be modified when versions of dependencies change. This is particularly messy for elasticsearch, where we now have a dependency on the rest client, and need to support both a snapshot version for testing and non snapshot for release. This commit adds an alias for the elasticsearch rest client without a version to be used in policy files. That allows the policy files to not care whether the rest client is a snapshot or release. --- .../org/elasticsearch/bootstrap/Security.java | 30 ++++++++++++++----- .../bootstrap/test-framework.policy | 2 +- .../plugin-metadata/plugin-security.policy | 2 +- 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/core/src/main/java/org/elasticsearch/bootstrap/Security.java b/core/src/main/java/org/elasticsearch/bootstrap/Security.java index e5c326b8ee1..a1ce20a0e27 100644 --- a/core/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/core/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -19,7 +19,9 @@ package org.elasticsearch.bootstrap; +import org.elasticsearch.Build; import org.elasticsearch.SecureSM; +import org.elasticsearch.Version; import org.elasticsearch.common.SuppressForbidden; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.network.NetworkModule; @@ -43,10 +45,12 @@ import java.security.NoSuchAlgorithmException; import java.security.Permissions; import java.security.Policy; import java.security.URIParameter; +import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.LinkedHashSet; +import java.util.List; import java.util.Map; import java.util.Set; @@ -191,6 +195,7 @@ final class Security { @SuppressForbidden(reason = "accesses fully qualified URLs to configure security") static Policy readPolicy(URL policyFile, Set codebases) { try { + List propertiesSet = new ArrayList<>(); try { // set codebase properties for (URL url : codebases) { @@ -198,7 +203,22 @@ final class Security { if (shortName.endsWith(".jar") == false) { continue; // tests :( } - String previous = System.setProperty("codebase." + shortName, url.toString()); + String property = "codebase." + shortName; + if (shortName.startsWith("elasticsearch-rest-client")) { + // The rest client is currently the only example where we have an elasticsearch built artifact + // which needs special permissions in policy files when used. This temporary solution is to + // pass in an extra system property that omits the -version.jar suffix the other properties have. + // That allows the snapshots to reference snapshot builds of the client, and release builds to + // referenced release builds of the client, all with the same grant statements. + final String esVersion = Version.CURRENT + (Build.CURRENT.isSnapshot() ? "-SNAPSHOT" : ""); + final int index = property.indexOf("-" + esVersion + ".jar"); + assert index >= 0; + String restClientAlias = property.substring(0, index); + propertiesSet.add(restClientAlias); + System.setProperty(restClientAlias, url.toString()); + } + propertiesSet.add(property); + String previous = System.setProperty(property, url.toString()); if (previous != null) { throw new IllegalStateException("codebase property already set: " + shortName + "->" + previous); } @@ -206,12 +226,8 @@ final class Security { return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI())); } finally { // clear codebase properties - for (URL url : codebases) { - String shortName = PathUtils.get(url.toURI()).getFileName().toString(); - if (shortName.endsWith(".jar") == false) { - continue; // tests :( - } - System.clearProperty("codebase." + shortName); + for (String property : propertiesSet) { + System.clearProperty(property); } } } catch (NoSuchAlgorithmException | URISyntaxException e) { diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy index 79cb42214dd..5b94f28254e 100644 --- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy +++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy @@ -63,7 +63,7 @@ grant codeBase "${codebase.mocksocket-1.2.jar}" { permission java.net.SocketPermission "*", "accept,connect"; }; -grant codeBase "${codebase.elasticsearch-rest-client-7.0.0-alpha1-SNAPSHOT.jar}" { +grant codeBase "${codebase.elasticsearch-rest-client}" { // rest makes socket connections for rest tests permission java.net.SocketPermission "*", "connect"; // rest client uses system properties which gets the default proxy diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy index 39c1d772771..70fb51b845c 100644 --- a/modules/reindex/src/main/plugin-metadata/plugin-security.policy +++ b/modules/reindex/src/main/plugin-metadata/plugin-security.policy @@ -22,7 +22,7 @@ grant { permission java.net.SocketPermission "*", "connect"; }; -grant codeBase "${codebase.elasticsearch-rest-client-7.0.0-alpha1-SNAPSHOT.jar}" { +grant codeBase "${codebase.elasticsearch-rest-client}" { // rest client uses system properties which gets the default proxy permission java.net.NetPermission "getProxySelector"; };