From fe046df12589dd4477637f26c0ca255d70aba169 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Mon, 4 May 2015 15:38:46 -0400 Subject: [PATCH 1/5] hacky state --- .pom.xml.swp | Bin 0 -> 122880 bytes pom.xml | 6 +- .../org/elasticsearch/bootstrap/ESPolicy.java | 53 ++++++++++++++++++ .../org/elasticsearch/bootstrap/Security.java | 28 +-------- .../org/elasticsearch/test/SecurityHack.java | 16 ++++-- 5 files changed, 70 insertions(+), 33 deletions(-) create mode 100644 .pom.xml.swp create mode 100644 src/main/java/org/elasticsearch/bootstrap/ESPolicy.java 
diff --git a/.pom.xml.swp b/.pom.xml.swp new file mode 100644 index 0000000000000000000000000000000000000000..08f99ccc7b22f6c6ffba697bf0e7754a2bf92ac1 GIT binary patch literal 122880 zcmeI52b>&7mH!7YCi+PJlWd?ZoFr>zw2~YUqXk*PmXR!-Rt}tv<=L6u-H|4FdPb|Y zEwImI6ORlg9m#~lN9Hh?Xq#|=$zcBQCmqRv;Sv})?*Dz&Rn^@y)6+d0WC`zl^waEA zSG}rwUFp4g^=f>@xtq5-r{-2?_&hL^dG6=VIOm7Oi!v)7mdUhgok~l>6F%c^(Q7Bf zk;hL}1oP94)*i1}EV+5NO2SIXbBnFgRKD4$<@VL8DF`h_S>(VX2ZrN7r#+E9?TE~( zl_M)8;bWH^<2>ZS=L|<({7CErUfkh51a$u1IiyT+gr(!~esS?{9SYX8nCZ*YgMH@YD78o4cN)+EJe!`unF{ z&mW}2*Xi%m^b0llKUjy4>hGDZ=Z0^F{~zjlexy#fUVs0o>-qoD;T!e$sBSPO|A*>u zQ@^Xao};c(pMw6rvFrK6b+}1?H{IY2{YU8MPt@P*yPiK%hnxCc)%E-+{rt)L`{u6a zn%$YR^>arzXp_GVUi@0*z#<10Ik3oqMGh=-V37lh99ZPQA_o>ZuwWc0mNS`k$Rhto z1ZadrBmaK~f%2_j68sV2^Sj{v;A(I&SObm%A4PC|DR>6(zzDbvVfSO;9pKgARp5o- zRPaRv<>!Gb!4<#*XMm%?Ul6i?3vLJB2iJk!;J)Br5#ZknE(K?Uqro>R^E<$$U<^nd zHi2JJpKHN0!13TlWU;Y+|O@MUDs%fSiYMg+7?;3vrCp9Iebmw`*cB-jC# zfxjTI-3;CXt^s?&79bxd^eNPfHFtDNr{vaMXRKaqdQ*+ISIDd2Xv|7^w5sA|y&xWe zHddkKHXB~0-Du5(0`vVsr38get2#Q>Za3HDLveDYM%kSzcD!7pHJLBuC6diSB~wLP zuVW>b+0aW}>Yy4G*F%q>GR-$zji%dbs~`!HPoeCN=e){fJy&zvQ;qUyxw&UDOF$vt z{UoCjgwu>p6sw*a#0+X#!02R8ak5gM%tb6ua?MIPSFW^1^LvY}e5+HB8m1KTN$G+@ z#Kx?4$k$W39D7+@tf@xLl_>l3O+WsCtV0Bov#&NLg9`E^Z3RubN*={?#!}}^b6OEQL-la;73dTy#xZ|5c|Rd+O3 zZIp`DEWNJP*zK0uxxH@7Bg+1)jh&U)9uXN}Y+#5)P>J1pYdJqgaU9ymUbefqx0sXK z?mzZ2$u8%)&0?#_SiK)c_k>CGLcWViK)&sIl%w5f)<;h+PLf7_ELBBCcLMW&o7UKC4XlVg6%=JgxT9^06u z;pf`>;6%)ldFPbttW)WovBpH3!Nhg8_(fdqoa;|E4n(>a|Ak0B%r9NjLZx1EoATnG zjCJ(r$`vc<7tt_PAzrmtYE@Ls(T!nyYA5S#Yr1vH)M=I6<<17f47a@8*|BkK=R~LK zj49J=XJeh!sai7!#C-C0sXDs5*b2?}KJyEvvj~q?WXH~4w|(r)Z9BU3~uU(?W zCw~kKHID7uw&qo4PF#$AUOBIlWmUW!zn6qsDhBR#Zw*=6Jf!(euTo8qw>*+Rf9sYp zRhldUL%T>bSdx)3Ox7-rN^Xp2wn}Y1QXyi@IdgN$p5#3 zo4~uk3&9R>KX5DZ|3|?a!Sg^H{2f>e?m+(k5O_A&4Yq>&fSZy1Uk>Wv4Degz{?CFJ zgWX^$_&zfK6d+Q^M4SN{e|=G@GM1#L0tw*AfDNUlrJUJ zd{54;>RJoIuAWc00Z-61$2*f=R<~rO=9@*MHQL!+t+AVx@WInsQLvP%9agRJj5Z8H zoui_TE?btDmAT&$qcRFTMQMjlM*(um>YT4%G3hdfQrve;4!!`JU$#utL4Fa2BDLFV 
zjhu3do1TCvM*>p{ew#n5yk~SI$Iux399TRC`VKQ-;>;slD(I+Toe~mYw%uq{y?nD) z&X+n~+drvk=?;FChU9?C4c)a?vEUyWvTNxcRVyD-Q$ZkM4Lg+h_1(R%b#T;I&xu{F zKraY-7F~tB(hK*tEHis{(UG<*AM?03q5qs10Y?w<;W>t*eHh0Cf)Z%25^j4r1J8WD zd}w>oa7*!YZ?W1jno0lfO!&F^+u!rlI^H&!mAX|PHfH|}3vs0^upNpltSClyMtfHB zsxC_JA1UGjHm9N1YGyu(X}yL&@@?h>S<{)RZ%z|a-&slI{~Y4lmt+qc`M;<|w|_+5 ze;(Kera>8O1CIs2L(cyacsF<@xC*QT_W)l&&VMI(8Mp#$14n}IA>)fpz}vt-fG2~c z;4ttL%e`$ zSJ4k#2VMo94#vPy;3wz@J_)V`&jaUzM}q%BNAP3tMet$pEHDO+26yltiQyTVH@HCilALYs+^8FThijU|(~LK4|#@bZX#wiHXD-Idxznm0yc&P_HN zlh_sMBt46TVHZGtuS~AU>fEXvHb`dKXL%%xlkhS~_Cb9knBiWHO2>i|lOJra=3!-* zwqkQ0RfTt1Yd|wxt># zN9B;P*-E)FU9UEZWn(6RjgYpyGImp5-nMlU6gJaR<}4!r%h~HsimZwJ&rkLFGIIXw zfY|?U06Fjxx+#mb`IsYc`&)_w{10w%F z8pv7pe-n8h$eDtdff5)6q6ZNBfy2P<$o|)XOTZSe6g&hx7>G{bW8eyK0XPjj2HXS4 zyZJ<%E=jJ~aa@5UKtU{N>*bN%zCupjI+ z={wB+PP^e0ow_@1jLMcfwc;Mv@jBQ$@=V2Z9jpzp*l*4_jR{9KWj7St?oO--l%>8Y zy?m=2q{?C&>C_r~IS(LYJjrWsqe`Y#*O{oe)v~7!3Q!DJ>=Ak?g?fl$yTnQ{hlk?! z42DBDAhS?jkvk=o2r$)bvON+ic_zXfQy^*e;gwWU`><3JWf>?ZYkNmdOI4Z4jyl(n zsy14l(Me1_gL3y%QmeKywsYN%oogKXoHdivo+`E-F}URzOqm9xj)MfWq!DlN&*0&4 zxLqk$BaLSOj~dFNwpi8XA@--G?eMW%i7RraY;L^a#(FZPNMGu0|O z1wX`|Pum~Pv+5w#@IU9;>UX)IHSHbb!z+_%e+@I)Dyl<;)Ht zUEnNm9QY$T0nrz{2V4z0pbd6`HQ;XGyXXTx4E_OJ4lV-|U@iC?@C)<?(mxC+87&sB!1N;E}z(>HF!JEMO;7Q;V@E{=m`oxw%&LErv z^57BR2yh2FfgWK^e> zJjXYnjxJE7qwk!mAPtCQfNa$+azw^KVaGbqoD+6}vifI?>G8@UN;@3T)={eXp@}1+ zfJ@ocQ%){3=wE8vyU*!z@*IZ-_#06FXGahl#C(;Np%)~uOjhs8A6op!NxKkGOR*eP zd8Zgbbi9<)G4IJ1+?OM13yt~-ZFwQQD&8PMUP=CRon~jeTJfeFZvSw2Kv3POF+s9e z?KJ)Myi{I3q1P2MYf(>9zKZl_F6w>EBL`&+o}l`E`|h)rjjU`kQYrZy$SSj%OC{{> zuA`+$oOJ4LTUlf0upZ8-B!gQ|M%DKKS6SY28fA`Gomjm)TWnTRR9xP)ihoePWRzFA zkyxcq=&kyz&Mf`}sJXkZ-72P$TvYT!yW+YEAy(L?DNWQ$r3YVCOC108Drn4Fa=;7o zolrou4n|qEk~t^Mel=aUv3F*OtucH2#7~*NMaUe#@$3z0)I9Pw!FJ)dfLO8OKVm@tW%axSo zp;RN+F0&<#ChGv#g^4olOH$H)wtDGAigzS6x)W-%DmTLM`P`-oMpP+Y5i@%`jcs71 zk<(G<-aCens^_rbRvK@l)y($ps?P5Yy!#k&aks9^V)?#bV*tF|5hhhr# z*%fcATD` 
zsK+Ve?l0p14=c)$Gr$PRK_{9`s(y!%LeKgzCw{!wqdenn+z{V?Xb*!h41cehtVr{RZ_Y9GY_NB96rk9)&OS(;-pI+ zkIFU@r~UKGa=ww83Ae=%YUX28p-&>kZcOrQMt#blX?48@A*S5{DAh8Wb4*v8m8{p4 zCg6JpP){-@U-ONpG~+`f18t_yw1;)U`z_*d> z-veF@roa=xBf#y*^`8V~AZPvGfE-@~JHb7`50KyA2Cf3*U<)`E{0{m3{a_!s06ZQX z34V^u{#o!!Fb%eWhk_pSM2*O%RseDtxk!v58h_C9siOSop_;l5~hnw zPekW;VZ_4o!rsF&xt&ujM1U=BanE|_wHno>OPoH7=Y=f74ts)UhdKo`ObL!bsgItb z;pp*~J^Om2K2vLSJV&kavE*bYzfx9P!m>v^-B=UZ`|n#b6PV0oWR?qayE_Pz7v_d3 zxOscxSr&6i^KVl$0w>u^r0 zjgcmXN%*g8VRGH5z>+B}DN?dTkMBrir7kZHhGYG{#b_Gq(puA7yF^J#VYj9I5`@CI z++upHgD1AJPOVmK&8%G_lIoI7D9XS;ReJopbiB=zbxx<0XHQ^Lu~Nk%ef9*DqGI;R zx9u_P8>;rcce}Mqj=fCYJePDRZ+H8LW?^a1PI>LT!{OfmqfBF31l_cWwezNIoBiR` zwKWZaRgzSf<)8A(uk3Qo69=ivv;%7beH3H8Zol_(O^R8m0Im_w}`_>_U3|LgHw@*Tzt^236bE~goD%} zPUtg)Mq3T%7&$5Rc6`PO8uCJOibE<&fJcX`{*I@Go?G=!UUukuo>1{aH&FEQB37j$ z1gu)c9{^Gx*i~smo4-C+QtDe&VzW6Xn~&j>CcVoLcrCZQZ0@Rij~Ygi)edv}uwk%L zToQ{2Npa+ON^4zfazIZMz1?W`{0-a{#I%v~W@_V&s=D_>DGhsbSHzQP7ckY@T<1Wr zXy=R7^{O!Fp>YhPHHq;NGLlEnCu~#L^Ke`aI_<;ctx~tv$fFKhADN!0CV+7=D3q8k zi!mLAWyEBif_Wv)+HpB7;;1uIV(-kH!oq9DDNSKBfU?vXBdA)A&x7Tf;Q%z{eJB=S z%;$Py&ZjJ?J9SY_JC*hcnDx1=TpEsI5z88Q#Ih-#zTEC2egHgfs@h%Qe2dljv0%%O zGaGqse(U;eTeolCvT;Xt<%-Ao*%YzpoOH14Zn=GlE2G058@FydccXLOnH$e`&e?v( zj&&P0uIV2ehqXAo(YK)JAN^x0Pqn@hUj5lWmalvZyXcH*hrVRyN7R4!P)r&*?Z7eY zMw#gZsk}o*G_ylEL>_u`)fjeiBK0iQvhe+_7XGlA^mzZQ5P2aLUb3%ULY;GsbL_Pqmd8*CQwtMHQLJOoFa(+! z5l=*KQLT)Ntl{`a2f`;L2ChnU8!d>=F^4r*yVgWL8_m(kYfWU0XmD}`rEsV_SQR)Y z_(V>y2LUks=N~r~IcJ@_l~oF7!9})GXM34y$17#LSvnJ~M$MV#E;6YV3yt;XZAjFK z6!dutd-dF4HWttl;WtfbGtTA;El*2mJ;4L(t5zV|6vgqAa!{V$=E&tU-g1X?xcJAG*Zs2jJgVPWCCG`C&Ockr`ZS_t5$YGmJXgG>S7+mB?zm^}gJr$Oa zY=)%^Qn2Y;^tJJZ=SpJzWMKNf6|;d{*~vX-n82vUW_R~l-gYL}7E35Pyfu2@T;6P8 zs)A{VpCmC;LmJBtW3VForE5(+5Ql>+_NdM9WKS}5`x(LvNluI#usG-TJq}}`7umOV zHYM6x+_yn#SbUqDF&r|j^)LS$wm9m2=y65etq0$%DhJVnfr85j%^{~@%c}2HWH_ju z;nv4Eh$ii6$TFT^^TO{^U3EAcD*I+hrNC@8SbCLaE(_X0+v2t>NL(FN?P!j*SuA)m z#OIU_-4Yr+zNtJzbk>cF=}xJ=Y$z(GBniuAyW^S=PZi2+&dPRexLPJWBe4d3A{)L! 
z!83JAMZzRcC@ZeSix}OP5;cTU)R4H6RSNdxm!p!gJs=l0aD-ARNzHAQOY9Dcs7|e{ z6kJuhKb4l$CQMVNLdxo@@w8fX(VvQbP)*-Cx`3zqoOzUy3dViV+HmxbOPKolXYNj= zX4xhwm`=Nl(qwgjyE=8wTj@P4*~A5d`fGX6>gJnPem?9{vXle@CT9oE8r2}bIAT4I3D~z>cqfl=@~0br5068ar zHCPJ1hdjR*JQRErdH$_nKe!N#f)j!G&ifYf{i}fo&IP9ck@=-Q+rYhm)Gy)FJ+heJ z{f#EgQ^pB@%YaKUD&n515Il+gH7uP$TM@xNLT|4Mo+S(*e(?^9Vp;8&y3@#r>X|45 zVRdMi!#DM3myaQSQGYp{fGd2pS|_$gwS4Q(*NU;d&8qudsNeWqKtYcvUsshooJCzAh8Hk53aXzcWex(;sngCT==fooO ze-lTl2+fpa^M;Mf9k*Rtn#=Spb|}!-Y=kZBH8YfS6A4eIgza9ImazL9TYmD{qe_xTu;$^ez>v zJM1G!N24Z_?h=k6-W3APu8$$whggCpMp}ygO3~KW|7oe|r)i0arblT9EIk`yN!pOq97L!W$GeuM{%t9m=V?pH zSz6g|we<9FOV2z{OAqZqJ13_FEJYh)Y1)v~wN@#{t9Tj~0VPV>21n`J;Ndb+>eOfk zDkw_ak2MTWA|xZkQkTz4aaKmOM0+3EEP5ZM&d@*Qw5!%A?cu+&+Rrp&L7!(f%RbLi z=jl8B$4UfY-BvFgXmbe%rY2vhw_TjJDU%CRl~9-^9tulM+c#HK+GAVtP?)713QJ8} z#$pr>W1{T0#KVD>dN?pO`Qmi3()Q5*TG}?m61E|!sd}vBEJ68UX{je^yAOvV_f&&b zkN?w>(ofS88!wjGNtB&=^ZIRwC22!a*OZAyb|)-N{o7JB&(oH&E_XtO>a2fTdgggr zdNmh2onU*_|7oe|r)h~Py|AsS`ejM^&y@ZD@d(GKi;Rr?|3ob)e+{|+z2LdP1^WE3w$5_fcV;fEw~6g7W|3&e-k_#2rt%wbRQ?-Q>g7hi)%Ew{(?wW6J<_F ztDTdS`oq#xLpeq(PNJb(&v^i~32G<_ecy66Ndv4;4aWDFZWEEX`iU<9_9{_(WKAh> z-l9tpZz3t=wAy4+>}(~ya0NSGeNu&maJ(UApyB9WgOJ9(e*~3(8XH7YZ`RP*Cb;c* zazRYli%gCu@#_tQLM;8gHMjxA?t!DrvcH8wcK@-L8GVwp57v-%Z&RaFFYnKojN-lv zl0P!@+9mxdEE(O2mEc4}BzKXeStxV#LLX~z+Qo6vq$lUXPF#D6R1B6WxFUt+iuk75 zy$>swkG)Lt4^?~#^84B)%bcVpY^tv`#1{0rWiVcEoLIknsoz#E9G_!$g<&dh_V|>^0!Lmro>NqZ zoQJ7kHxXtq=JocR3He=euEk-iQ7la(?hNpnrUbV81xl-V8#9T?t2PbCcS_o0prKKUqqWW&CCXWZ~ZQ21(4)IMfSj$M( zHE=JHSy(;FFELhDoP~-Ri^W&1EJD%(6?d^fJnQt!M z?@1n@FqJE;9dh;91~r!4W|20DLD9AOGUl|LI^k5TAbU0OHHm1TF{n1MfvYPzDbK zKZj4ktEZ>d52Vl{bPv$s-~L%9BO0rnP_6=+WKR?u>3XA$88I8NGn@~vHaSGjMy#_$ z#A!ydj@-4gB$qrg&Bg?=cik+xs_iDVDi=ANl{6cD1Dn58RaFrqY5&x_f7zF+f;|Ok zyac2&S2y{_lu&jk=B=3G?nxVVBfVp}<{U4V7{GltR+wK^keW!?nZ~$Vm(9PZD*T$e z|2A?{f*HrG3@n8)zD<(8Ff=a)QF&tz6+J(ooVeR;QoKxKYZ=3S5rI;YOJR_?0E45n zysWy2VU8z@S*)VH;RL3y-m=Oq!ZY2kTYk^edNtv|v&u=;Y<}xFr|Jb&@6+C`eb7qr 
zT|eOPT(5ywP^II`!H_pE9o&!zO?HcI*=gREA%e&1@4_HS{bbXvEfMr?6Bp?Yf1VBAed&1>vO+vyAmS^kc10;$(` z2hNR)R4U~r;~_99i2T145%q7i{J&m{s~yTH|;2DXBSfghs>xEfTzCXfNwqYEg5KcNG72{;M-9GU-3K>PwY;3njK@z*~B zeu;d46L=F4x&K0N6c9UrH-gK-so?v_^djfK1cNJw3tv}K#GQO6BROia=vQ%hmq zZcKSRbIHiTT1UBMJSRHz*}Y9w&w#{1TT3iHl_Trfyh~}ZJr}CTd0)RlA8f5wv?X+| zIIZrKwnI`o1!w zCCo^=xKFrP_NuQn!4+Y{6Pd&fT4x-ycigRFZI!FBori|bRa#Cdqw+a7Y;{SeW?V%8 z^{?mO_cdJc%yn67^rSdkYBNo&k?AJO;3T$L!`4Hkm8r_7;!j$`l|xw3GnD6oyRp`U zucPAJEnCr9|JtpE&nLy*45lSUTHdhr@oFeWhUI;K#+5jkY*{8hWB&a77hK4LA~rum87$ z&ET;>qGIFLBHW z5RNK;hi+)m?uL1HD0g@#DJy6XVxVrd&Rn?uGxiFV?jopSr01&WhWyu+vVg`sBqc{w zag1e$ego!breE2+!_1JFGQZFp@D~{e^9w*;Ox0Bi*swP{?G5IT4sC<3-{1YdYAfCG zV>z9)(lKvih^0y?G8WF)nuX*2IFrD7SjN7=YZobV@1Q)p0XgkjXSf}D``Q!NJ40`a zrx>Y?zor2_%0wAFCfKob043XijO2pAn^*eZypor(IkRLEa?=zNGP5ho(Qd)qm_fv6 zqX&-x5wxqT_!z434KYTV;ce8vM}@+YuirSE zJhzbU?6FxT-MVq-y6on&H|3QCpjyK4CAUOqM{`Jx3sTO4x#4dm>!vAudn_USA0p^{yg3X3vy-fHR-J4m(bIrOaU zS-w?KjkU|Z`==ZV!zn}TV6CgsD$nlKN_DlK+7Ob%D+|+#W&i&;WZ2Cj%Od}uuI1U! 
zA@jc-TmrU(6Tt_N`(FrFga3=X{{irPFb*CBzJk2}k6;|E1or^%L*Bm%i2eU^@O|X{ z*MSDega1X=zXgcwza1P4It zQ8gT24LW8r>L;#Sf`bi}NVhYMH zgs7ZaQqv2>6b;2JHluZDHEThQLJFRAD{^6Rf4Z7CmRUoS9=!Ch@3vd=93ZJ0FA`-f z)uANGOZ5x+ZXy{&zWe*GBfe(g%MSA{;1y3hV2uURBy!tEmN@5N<6 zm@~L~*FK9zqf;pR9t*MtkjxLLx_q(8gx|MtfBr_9Xp{MCSUF0w@84p4t|f~ahxE$P z@AY??m7~c2k3hiPFLEyO{|+teejRyVc0|Es}1@JMh2vj1zqrQj)G zE%+Po8*~6SfY*Y{!9_ss5?BTPf-XRO0K5!{4Z!)}L~w8LZS(;j0xt*q!1>@L@Mm-b z-vwe5@Xw$D&IBic`+={cCwM=Y0q27iKx_kEtn~(G@Vyi~1UwkX*@0Vu@bq%wYuu-6 zSn`+G$^!{Ezc)O4H>%bKF}md27#)|}`Q6e?$E%HTbl&1+IA3m*JYWBvtM#5P@4x+X z3_emeu(`k87y_sRJehE*P&!pR*a-A?dQm-S`-7OZT_{Fxa+Aq$S9R*;@)&!A?x;Q_ zWf!D=Xr%Zi7xO*L1}Nv#4gv|X95Q#i6ZSw^D#jX_1kd_3fY7ny(}uF&vK5}Wb2c^0 zjdPlEm4`VXXMgu?ScP(9{ghkU6U6p^_C!w7FoZfwA8tzf4aFGLol>7U^Idn&Q=3ZV z!YgPny%h+a^{KvXOe49KDI1g82Ca8$<8EslD&+&*4W*EPxEs3x$RGVs<{wv zSzH*2F|zXb(9Ol+sy}j$WC=J%kU{I?~&w9c$h85;Jad0#CyDM|6Q}$oqm{(llOJU}JDwwB!n8HlP zGRbO*VqUI^DBr{D2Zq}_QF$yXAHyt%>GP)+SX4enSsVOfeo!j!6rDgd(!1y$q`!d` zs3tQ32mAkJcNXJkE|V}kxET5WaU!Q8|F6@s>Q|BZ-vXWrE&{(n<`=*JE;tjM2<|}U z{|*qpf6oPC2k;p1LuCK!z!Y%6ACdV#4qgdXg5M+Si|_v_kON;u)_*ZL4;%%4jf{UI zcsdZd|48s1Wc!zc3dn=6BG11PTnKVNeEfYHS^gSuBKUXYc9G|=1{;B#`~N(0`wPIu z;52YJ_Fi31$@GgV4)$WEG+kriFr7>CNo&P$;oQH~enCMxw}Rc=_{&*96K zmEzNm3#{b^nJ;5{Lxej`bLpP_>2@wmAz>VkfO8ZY@&T8(-Qp9T0VZsBNC9C)SjsrlE~niB_RS=@7j zm-z8L7~7~_NaZ$+?HWTMrm@K$sqWBb|ueB4Z+4qYwC z!Uf8~6;X*}zFHQ=9?F-sfP4yE=v&`vE-Ygv;}Xrudd}Wi7J8gf31a@kbCu^cr&^35 zEa@hj97weRGWOaZgBNOrJ+9n6C+Yc%gz|fE#>7x(Ds3wH<)=(OYpJU5@104xP5ntO z6*muJ3y`EVGtBaJw+YK)|4I(o75wW_^)lMGTaD_5irk?ZdrmQ~EBRVtP8@{D^nDj- zUB?GyVD+d$A$gvXrp7GqSWj~$Tr2^;)IL%WP*C? 
zXb-ZX(e)chQ2bGK{vXjf^GK0(k^e`vzS-%KYgFhnYzY6REj|KmQoc~4e4`2_t8xVhga^K&%;ArqIE%S@7 zKL`9f1^qmDA(#R`N6x<*oCC7pcOv5h@$+{a_!08`2Y}f79|vwjzP}D!37!ld4Sr9( z-w$>J;lU$-|1te<(08EB(#O~2+}v_!_6ssQsi_lq%N@SleYhKAX=fkxyy1Q&EOgC4 zW_`9mD>E)3D06X&tVuj4ae9#g|5XaeM!xNMEp=^}o9Bk8cBNR)IH# zl4QDA-uLHh--9Vebm?vLUx@Xr=jcrD;yR4^5(1S*4wqQ%TzPST>ggP_?HE2o*??b& zF2F5h^12pme8N&9{SJY!%)bKSfGedF)p&Q2{grA5&jao<){NE089bK})|kBJaNv$lm|mz|F|~SA(a3lY#90e-%uC2ZCFX_umVi4CL(pACUR~6?ot% z@Ns1RNw5YS0ltR3|5ES-@H1rne*rHByFmp!5j+Om4cvz8FaG~;2JZ#?!FupWAie;u z2UmeDU3$#w)bLawI0K^BtBfxjj1-u=2U>mqU_!+u@&w`f$4;&4C22VZ- zgg37c{v5!M8D8VQ3u&CK=|~A9d9bZJ#7;u!)Lilg0{zP>zvD#_Ws)$^!<{;QEZgwu zwAqGWO#PLDczX)v@*MTkqL)s}M&d9}PX+qxKohOPGyNKZq>}qcgH*omT7~sbp?BTS z5MyQ)&9@=w2_BgG9AvxR#5QzbTGYA9gg~`5ovjHQm~a!irNH<=r?i3nlZuf+rS6X5 zdq!Q^6w?wMKB$2sQAc;t$cimYgm+cyyXuW%t2DJs8$f%zIC6u(V5sg=hUU%+QTRsF z_bpNXoH}()xV%dQy4jQOu0%|I3#BO>4{?{rr0`E2d$l1b%p(u`R>K%Ii6&z3GK9XP zJngkcH&!{RR4I9`aFRqOynhBtojtm)*~Foix|Srrxh}VxxPuK|7?$J$>v67V;5O{8 zEF;f)vQ4d<=Muuy#}F{%JMhO3#8_zu4i>f>gEOU&jZ_%^AK-Ick?ftWkFN|)+;Egs ze$@C`Buu$5TNyTfN>lBUQPyvtnQ(4{{`QTo;>n637F36{$6`_qjivfW`ZB4d`obCx z(#_jbF{4mFe#s?9G70*l1B-z!TghgnY)ld)V*0u!(N(>{TM*g|vkO933=D@RtQef~ zh4|({%$&_CGhJFsxFJm{J>`(vbK5wimPyr^V0vESQ{PvRZKMdnm7YRkH*pugat4qMk9e9rxfBQQu+j01UO@D#8b+>WgO z39uim0pbJj{h$p-z|WBN-v*|^R&Xr%GP3>~z$Wle@GIo}8^J$%p8nw6u`tr2T|GYd*c3bNZW7ZSVKwwX)%U<+t2RAf78F6s5Y)LcmD zJ+2{1m|mA+2vBXn_76F~?Y5Pv#k}{2l)Bkqs7yJ=vf{M<%ra7)exDShYq0zqAH429 zq{rci$;yFhRs)9Je%7pV6jY7~-C0dAa_VBV&N&n0K`|_fKFIWIXeKP!F4*jQytLj0 zY-_a-QW6?fHY=C``Nf#`J%-^=OC8cZVOefQJYbmlZ{SO?Z&k-0dSDIp0J9lu-=ZCT z6N@mPYuRX9o@*l?puv)il-6e68*HQsT3jEbFgc`~YuAyUS**(OI z(X7lQ>WER$$3*^j5N_2S_sIVnwV?YE{;Qm1F|GOT@*?+nJZ#|In|DOVX4=x0&z{ipMUj)P+-~r&@koS%MzZw2s z1^$A}FMj`C2^v7o1AH2Ez(#Ns_)p}1x$o~fFbPfocLU!>_Ai0e;HSv_9|X?>E;t=L z0Q?%+|K*?w#HZi=!S|5;Uk-#n+d$IC42?k>D>+yyq2mV!s_o_O zto4XpF$@@Gt=eI}m&54~Ivmo&Yh*N&yY43rRI>^#4bl#2#{T@yYLJnMSKqW64a*D~ 
z4uZ9DVAh^osD$>u1cNxLcr^}%#Is2#|&gW>6jawPnMH#g<%lN24v-o{<@9<~OtcT*R&+$JWI*964z<&#Q_dPBZ=WtSS!T z1%){Xbypm>H_xwr&ag6Aw8zdLLnx)wAALHc`wKg~`Y1%t(T7%rMTeExk4 zd;nYkjtAdB&c6~|1Pb7%$ocO97lZqQUm)Xu4!j_>%ptR)4^4s4xRw+4StA>{{!%8@Fq|L8-e%%{3m4n^T2Q6!|TC5 zAUsii5&H`LgO)+^%=iWv-R-qTPB~=(u7sT^R;t_T=hVGUv)O31-SSyn6KTBm_J0`L z`BaHz&!;lsw5MDLOT@Ax^c?Nh!l`&pyU}p!?(}k}+^C<>b|ec zlW3&H@c99l!I@0&PY*Qe;4pvw=nQ(M_Cq*=LfMIe9;RVyH1_t2BEqmQD$5|N11;scG?@X!OY>g+ zCQzw!;c&Hj$g}||Z^~AXu4<|oq>C!e`XJ~DEjKL_{FuqF*Dn4BNXj-&baV=Lb;Tbw zhUvpran|W7jyW65)STi;Oq@ zMt?8dxz*sr#v;=X7}G}i9#)7R_FFW&az9j8LaZuVD@7TC*!`6*G&g6Xme-85P za%5eR{|j2y{WkLcwO|DN5Ly5E;BnyI;8tY)OTc}Aocn)1csRHn8UGXD4d4>69pu3S zz}J!Y-vw&mNN@x4zWDn;9DEa5e;0TFxE?wGxu66x;HAjseu5nT86fxb$zJ|8FanMOhl9^k*B5~b*aD>PCxN6-S65I!Qww6< ziLD$q?439`#YnskM>4abm^g_nvSgWZbLv)|oNqgWbU9cq3zwMHmsv5IZs@g@ zuU!8bE5=a7*sP@(;g}+N4p`WlQY$yLenv`IExUWOC~~S^-WDj&QaT$H!8b+;eyd~y zi=~Rzm7rffiq%29;WO&0OhWaC@rSN_OSnuG+J(9UcbwfQz;cyFPB`F<u{hjA-^$v8h)p=XqsJ4X{v0g<6EJ9w@JC|^EGW}H_*onO0XLXRO~~1Llhf@(!J7(K~Y0p0jgG zEQE4i$7@PW2iaeSn@M6r9!H~Db<1PHfRZtdAnv=+od);6d$QcG$#v(P=fy6eC&Dag zc9bf0R`jGv?3_ZkJYA_)onoimsL>Ki3`jFhX{yoiT&0dyhiPdjW;k`m#co)R37-(r z#h#EtpW9vQB;NPer0dJ^`ac}VM>Wzcs@c1mZ6Wd=515)=%}BG?wM!-D{bE+x37Ds~ z%>pfJ*l=P^7xd2Z?sUfKSq}=%Z=$Mo6LqrAs>psGNuoS!M!Hv{E@X(5Pa8J zMwK{&GpF_1u*;|+hfLKgy3?rH$2Zl?HaaM~dm;>c|M4^zXS8lkCe3J}Yl39|A8|aB z6Zto^|NlAU{Zv-y@+rSd=7xVyM0M~#Eft>&U4Y~la16T+C1ATzl{qF;3 zfct{)p%-`uxEyQ-_XT3}e+>}7e}{t)qZ@cOFnj*rKo{^zum_w5?hC#JAFcs%AAs;A z3xba{!laMh*W73>PDgfN5uRc#?@QP=U5XTHJxxBoiz&w^khtcQ3K)5Qh}`^S#gg)@ zm62a*K3YHG=98-<$91!75b z^_sLzpu3kQH&3-}x0P1*8H+tGExXO@n@f+wr;=er$G_a% z)+PCRb5n(W-?P>8_M;_X-901iEACF0vPX&gs^GQGr0r7OxeXY^3)RYmTbe0V-K}`E zM@hq#WySd0S<@J8S>?SNPwi;hzsli3(-ws(Ta^W|sMW4aFzt2QN168%dB1L{T4|yv ztgS>8>~QQOMAonN*rk0TVLdd-B> z_xoEhy~AYfkn(srFD z7sk3R=Xggl;8Fp%WP<80nz(ku8F!7Icpmkh={*dXQ!#xs?r1@3D1+%c`SsPxPBuSw zQVG$xAG^$Ggj1iunN>b>%f;Wl%lqDM^7Ni+e%&}`j*J>C;L43!$*v$|9#*}Fa{j(8)W|Xf+`T7 
zf8ys~LRVJNGc1ZZjPAWw*3!jxn$CJe=qiiLq)5~Rb+>H7r=2SwODNbzK|a;!iPI4N|42E z1+~m~>u3kWx8mSMf0%jl_rbFY@>QF<8tDvGyDMXUAHvgsY|PD4v8i6?0b5l0+PJ?u zQ9`P9i1i_(%#}3{=TY6MV#mwX8oL|RLoVxzQxBWo68;WroP`wwWD=485w$a`MczgJ z-=KxwTaf#&0kZ%96tDpt2E+%zD}d+%9Pk6={_DXT!E-?!6u}N~fAB|i0pA0k0nY<1 za1q!5P5|FQH}FzW1t)_4MKAC}@EPy|a3**J_#OIzSAh!nGX)m=fH#9PfZPrEDexLl z1@{K8L^p6Wcmq0trQi$b0bT_T1J6VUum$`8+5f}fg&MzN`DUf*auq2%No)lS zyAhyBI01>C4H#3h@V8a^ODUE9GNzRN?P~er*d?!$|UN|{LT&PTV2mLbfIL9ZD)N-!!t4Zs-t>u z_IJ(~KPmIYq$u@EI&O=*9%VNrfBsm7%az=}m7wh^Xdbie(z5$|AbJl$zp3+m#gJQ8 zB{;x&pUysvTdeyvR^=q+@9mHKYCBwK~U^fPJFXLQgbCbnlY zAS8@%*3nNwJQ-`uHisGs2aPeZ{i)fPYX78%c(m_Do9VE`O{o(qSjbOtEW>SWkV`r% zV#1b?Koz<>4PH&m*(t5<-Q`Ewr7r(ebaVT}je1YYj1Y|b6uP4)6i&wv6(_>PUD3k% zr>y)e;#V7~x3IK9+33pL$q9xJQr+-UboLr@D+;psNT(6kI=}w)H9Ix^pQ>UHb-4lF zfVObWEOzPAZx~zl)^dcgMsP7oH%~J{xZfu=>qDj@yTzbj^?-$azle#X+r|XTk|2L&u%Y8R`ss2GD7B{?!y}b}oGKSSIeRLl zJ)Tpk+hN<#)GQEN_ekAM1MFv0qh69$0Ccf1{3s}Hr21*wZK2$lu2&ny@|eCI%l8l4 z9hwOf5C84I&261_v(w&SFPzclNm*50UF+^ReMzS20@mniW$tkaBTsnL(Hbe=a4NN4 z)^?Lw>_NnLjM!7u!rIg_4$fGIvS>5!&9u6WArmZ-|Cb`zzFp*7z4Yh?bf1Mvg+Owa=7gU5rzz>UcKF9qTk@C+b60=|Kq|1R)!unrsneuAuj z0}x*U&j3vzwgL|Yhk>6V^M47v4?GQ=2ObZO0iQw#a2?nKo(vuj2$ub@A; z7Ca4{2Oa~&r=XlIxB{F9azK0vei>cD+km-G;L-g32l#vo5Pn}PJWu;EFR|Zuiq&A6 z4kn~Snu$JxPdM{X%>H9hG_okP6DXPl3#r2hW`V3W;U^?xa_;w?Mu#Ek7MdRz@ZjVz ztyXhLrB0lAP(Ox*!$Pxa))eqiVW_Dywr2JD=WD2;b!9Xk{0SQ6fIej>%oVv)a;tMI zSB$J0Svj&|WMl;{EX^`L6MmiHzr%Cr?qaD?YRqM|DbuJ=Ux3)DP>QT}S{3 z7@E@!IP|c8YO{|JBu#o3qL6TE;@}nIUJl!fXINE8xlX;mvxY((Z-WOtFU8;gjTHm( ztie$qw&Pyb-eR@G%W8FCq5pUP`YQ)|zJyl7KWGcS74rSP>d6AWPnH9vi-2ahhZ|8K zXh2H5@cROrgnl`Un2~cr-VktyNUa^LKxKro!i6+GmU7)viwc$(#+htn5z%UkY|>BY z7GJ(zXJSGu*04%%V7HBXQP*C%uG2(v^mA3RS0CxhmZ=ZZg{WFVX?C${88+AHPf}4OOlj%{*Vk-^0qZuK=!^%(3oVwfrn zH=mE>PR@-CIfdJki|LPRS{XR~@yvM9*FUG(H5>QW3F)!7XPOX(${)uo&fbRL~{G$ubK<01&$P6mJTGn$|1Na)I+FsO1+sWm?j36Ta??E>HUm)`TqqRKxWi9t# z!1rn3JIMC?z%&rw|L;bw-voY&EH7vO^WawG_I=zE zu{YXJ>XfykZ%C8%f_M?BUzDLvrzK~!Pg-0X{773tlP)<2r4EcH8PVrIUmy; 
z{hNgQWEB5~ZPFkY(I#&96`^!?|4uORUZJ-4MY*_R`&K+cY}j}@8ZhZ^L^{!P(GmN` zhCzJ-DSWAtYlA$jekaH6VeOo<#K_6Ti`8s!t&-lX*q^nrvl81QA_I&K43P*j5Mvxa zMsZx-)g*?UIjQY_d~##>k@Mtee37wwKaB1P^X)*ps08GFeR8|etdC+375dd31xdeI z?$nw&(Va7*C=a%k)_!gWp7a>q{iM-Y{b(@CUh0mXJhGBoqk=SkXb|63yqR=cxvD5E zMmO%*v26#e>I%+?{Qm`H?^VdVqqrk6_`^EqNQXqH! zy$GxYKScJIy?i#HoGw66%R>=ugJ+oY&sz2&k|?pu{gO}sWHOHQd+7h^Q83wEdRJK1R_S8b|T zZEve@@<$HaY(m3PG{WE_NBXt=pzW!!gk&?gcxnd&41H}JlPgKApCqK8qViRDTYaor a+#8%U^88>S6OAyKTAm?dU276+jQ2.1.14 auto true - onerror + always ${project.basedir}/backwards random random false + true ERROR 512m ${basedir}/logs/ @@ -583,6 +584,7 @@ -Des.logger.prefix= -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${tests.heapdump.path} + -Djava.security.debug=access:failure,policy ${tests.shuffle} ${tests.verbose} @@ -638,8 +640,6 @@ true - - ${basedir}/src/main/resources/org/elasticsearch/bootstrap/security.policy diff --git a/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java b/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java new file mode 100644 index 00000000000..5bf7f7ce299 --- /dev/null +++ b/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java 
@@ -0,0 +1,53 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.bootstrap;
+
+import org.elasticsearch.common.SuppressForbidden;
+
+import java.net.URI;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Policy;
+import java.security.ProtectionDomain;
+import java.security.URIParameter;
+
+/** custom policy for union of static and dynamic permissions */
+public class ESPolicy extends Policy {
+
+ /** template policy file, the one used in tests */
+ static final String POLICY_RESOURCE = "security.policy";
+
+ final Policy template;
+ final PermissionCollection dynamic;
+
+ @SuppressForbidden(reason = "ok")
+ public ESPolicy(PermissionCollection dynamic) throws Exception {
+ URI uri = getClass().getResource(POLICY_RESOURCE).toURI();
+ System.out.println("temp=" + System.getProperty("java.io.tmpdir"));
+ this.template = Policy.getInstance("JavaPolicy", new URIParameter(uri));
+ this.dynamic = dynamic;
+ }
+
+ @Override @SuppressForbidden(reason = "ok")
+ public boolean implies(ProtectionDomain domain, Permission permission) {
+ //System.out.println("domain=" + domain);
+ return template.implies(domain, permission) || dynamic.implies(permission);
+ }
+}
diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java
index cdb79ab9b4e..9ed66af4499 100644
--- a/src/main/java/org/elasticsearch/bootstrap/Security.java
+++ b/src/main/java/org/elasticsearch/bootstrap/Security.java
@@ -25,12 +25,8 @@ import java.io.*;
 import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.Permission;
-import java.security.PermissionCollection;
 import java.security.Permissions;
 import java.security.Policy;
-import java.security.ProtectionDomain;
-import java.security.URIParameter;
 
 /**
 * Initializes securitymanager with necessary permissions.
@@ -39,18 +35,14 @@ import java.security.URIParameter;
 * permissions based on the environment (data paths, etc)
 */
 class Security {
-
- /** template policy file, the one used in tests */
- static final String POLICY_RESOURCE = "security.policy";
-
+
 /**
 * Initializes securitymanager for the environment
 * Can only happen once!
 */
 static void configure(Environment environment) throws Exception {
 // enable security policy: union of template and environment-based paths.
- URI template = Security.class.getResource(POLICY_RESOURCE).toURI();
- Policy.setPolicy(new ESPolicy(template, createPermissions(environment)));
+ Policy.setPolicy(new ESPolicy(createPermissions(environment)));
 
 // enable security manager
 System.setSecurityManager(new SecurityManager());
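Review bot: `System.out.println("temp=" + System.getProperty("java.io.tmpdir"))` in the ESPolicy constructor is leftover debug output that now runs in production bootstrap as well, since Security.configure installs this class; drop it together with the commented-out `//System.out.println("domain=" + domain);` in implies. The constructor also dereferences `getClass().getResource(POLICY_RESOURCE)` without a null check, so a missing or misplaced policy resource surfaces as a bare NullPointerException, and because the class is now public and non-final, `getClass()` would resolve the resource relative to a subclass's package rather than this one; use `URL resource = ESPolicy.class.getResource(POLICY_RESOURCE);` followed by `if (resource == null) { throw new IllegalStateException("policy resource not found: " + POLICY_RESOURCE); }` and call `toURI()` on that (importing java.net.URL). Both `@SuppressForbidden(reason = "ok")` annotations should state the actual reason the forbidden API is needed, since the reason text is the only record of why the suppression is justified. Also worth a javadoc sentence now that the class is public: `implies` grants the dynamic permission set to every protection domain regardless of code source, which is unchanged from the nested class this replaces but is not obvious from the one-line class comment.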
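Review bot: After this hunk `Policy.setPolicy(new ESPolicy(createPermissions(environment)));` is the only policy-related statement left in configure, yet the import hunk above keeps `import java.net.URI;`; if createPermissions and the rest of the file do not use URI, that import is now dead and should go with the other four that were removed. The blank line added right after `class Security {` appears as a `-`/`+` pair against the old blank line, which suggests the new one carries trailing whitespace; make it an empty line. The rest of configure and createPermissions are outside the hunk.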
@@ -98,20 +90,4 @@ class Security {
 throw new SecurityException("Security misconfiguration: cannot access java.io.tmpdir", problem);
 }
 }
-
- /** custom policy for union of static and dynamic permissions */
- static class ESPolicy extends Policy {
- final Policy template;
- final PermissionCollection dynamic;
-
- ESPolicy(URI template, PermissionCollection dynamic) throws Exception {
- this.template = Policy.getInstance("JavaPolicy", new URIParameter(template));
- this.dynamic = dynamic;
- }
-
- @Override
- public boolean implies(ProtectionDomain domain, Permission permission) {
- return template.implies(domain, permission) || dynamic.implies(permission);
- }
- }
 }
diff --git a/src/test/java/org/elasticsearch/test/SecurityHack.java b/src/test/java/org/elasticsearch/test/SecurityHack.java
index 90223ce4ac2..9aa44e4f5da 100644
--- a/src/test/java/org/elasticsearch/test/SecurityHack.java
+++ b/src/test/java/org/elasticsearch/test/SecurityHack.java
@@ -21,6 +21,10 @@ package org.elasticsearch.test;
 import org.apache.lucene.util.TestSecurityManager;
 import org.elasticsearch.bootstrap.Bootstrap;
+import org.elasticsearch.bootstrap.ESPolicy;
+
+import java.security.Permissions;
+import java.security.Policy;
 
 import static com.carrotsearch.randomizedtesting.RandomizedTest.systemPropertyAsBoolean;
@@ -36,10 +40,14 @@ class SecurityHack {
 static {
 // just like bootstrap, initialize natives, then SM
 Bootstrap.initializeNatives(true, true);
- // for IDEs, we check that security.policy is set
- if (systemPropertyAsBoolean("tests.security.manager", true) &&
- System.getProperty("java.security.policy") != null) {
- System.setSecurityManager(new TestSecurityManager());
+ // install security manager if requested
+ if (systemPropertyAsBoolean("tests.security.manager", false)) {
+ try {
+ Policy.setPolicy(new ESPolicy(new Permissions()));
+ System.setSecurityManager(new TestSecurityManager());
+ } catch (Exception e) {
+ throw new RuntimeException("unable to install test security manager", e);
+ }
 }
 }
 
From 2ed2c4f884f01e51adf396aac3496bcc0a8f14c8 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Mon, 4 May 2015 16:27:24 -0400 Subject: [PATCH 2/5] fix permissions bugs --- .pom.xml.swp | Bin 122880 -> 0 bytes pom.xml | 3 +- .../org/elasticsearch/bootstrap/ESPolicy.java | 7 +---- .../org/elasticsearch/bootstrap/Security.java | 15 +++++---- .../elasticsearch/bootstrap/security.policy | 29 +++++++++++++++--- .../bootstrap/SecurityTests.java | 7 +++-- .../test/ElasticsearchTestCase.java | 2 +- .../ElasticsearchTokenStreamTestCase.java | 2 +- ...curityHack.java => SecurityBootstrap.java} | 17 +++++++--- 9 files changed, 55 insertions(+), 27 deletions(-) delete mode 100644 .pom.xml.swp rename src/test/java/org/elasticsearch/test/{SecurityHack.java => SecurityBootstrap.java} (72%)
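Review bot: With `systemPropertyAsBoolean("tests.security.manager", false)` a JVM that lacks the property — an IDE run, or any invocation that bypasses the build's test configuration — now silently runs without the security manager, whereas the old check enabled it whenever a policy file had been supplied. If that default is intentional because the build sets the property (the pom hunk appears to add a `true` value, but its element name is not readable here), record it where the old IDE comment was, e.g. `// install security manager if requested; the build sets tests.security.manager, so plain IDE runs get no sandbox unless they pass it`. The `catch (Exception e)` rethrow preserves the cause and will surface as an ExceptionInInitializerError from this static block, which is acceptable, though `IllegalStateException` would name the condition better than bare `RuntimeException`. The static block closes inside the hunk; its trailing context line seems to be a blank line collapsed by the extraction.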
diff --git a/.pom.xml.swp b/.pom.xml.swp deleted file mode 100644 index 08f99ccc7b22f6c6ffba697bf0e7754a2bf92ac1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 122880 zcmeI52b>&7mH!7YCi+PJlWd?ZoFr>zw2~YUqXk*PmXR!-Rt}tv<=L6u-H|4FdPb|Y zEwImI6ORlg9m#~lN9Hh?Xq#|=$zcBQCmqRv;Sv})?*Dz&Rn^@y)6+d0WC`zl^waEA zSG}rwUFp4g^=f>@xtq5-r{-2?_&hL^dG6=VIOm7Oi!v)7mdUhgok~l>6F%c^(Q7Bf zk;hL}1oP94)*i1}EV+5NO2SIXbBnFgRKD4$<@VL8DF`h_S>(VX2ZrN7r#+E9?TE~( zl_M)8;bWH^<2>ZS=L|<({7CErUfkh51a$u1IiyT+gr(!~esS?{9SYX8nCZ*YgMH@YD78o4cN)+EJe!`unF{ z&mW}2*Xi%m^b0llKUjy4>hGDZ=Z0^F{~zjlexy#fUVs0o>-qoD;T!e$sBSPO|A*>u zQ@^Xao};c(pMw6rvFrK6b+}1?H{IY2{YU8MPt@P*yPiK%hnxCc)%E-+{rt)L`{u6a zn%$YR^>arzXp_GVUi@0*z#<10Ik3oqMGh=-V37lh99ZPQA_o>ZuwWc0mNS`k$Rhto z1ZadrBmaK~f%2_j68sV2^Sj{v;A(I&SObm%A4PC|DR>6(zzDbvVfSO;9pKgARp5o- zRPaRv<>!Gb!4<#*XMm%?Ul6i?3vLJB2iJk!;J)Br5#ZknE(K?Uqro>R^E<$$U<^nd zHi2JJpKHN0!13TlWU;Y+|O@MUDs%fSiYMg+7?;3vrCp9Iebmw`*cB-jC# zfxjTI-3;CXt^s?&79bxd^eNPfHFtDNr{vaMXRKaqdQ*+ISIDd2Xv|7^w5sA|y&xWe zHddkKHXB~0-Du5(0`vVsr38get2#Q>Za3HDLveDYM%kSzcD!7pHJLBuC6diSB~wLP zuVW>b+0aW}>Yy4G*F%q>GR-$zji%dbs~`!HPoeCN=e){fJy&zvQ;qUyxw&UDOF$vt z{UoCjgwu>p6sw*a#0+X#!02R8ak5gM%tb6ua?MIPSFW^1^LvY}e5+HB8m1KTN$G+@ z#Kx?4$k$W39D7+@tf@xLl_>l3O+WsCtV0Bov#&NLg9`E^Z3RubN*={?#!}}^b6OEQL-la;73dTy#xZ|5c|Rd+O3 zZIp`DEWNJP*zK0uxxH@7Bg+1)jh&U)9uXN}Y+#5)P>J1pYdJqgaU9ymUbefqx0sXK z?mzZ2$u8%)&0?#_SiK)c_k>CGLcWViK)&sIl%w5f)<;h+PLf7_ELBBCcLMW&o7UKC4XlVg6%=JgxT9^06u z;pf`>;6%)ldFPbttW)WovBpH3!Nhg8_(fdqoa;|E4n(>a|Ak0B%r9NjLZx1EoATnG zjCJ(r$`vc<7tt_PAzrmtYE@Ls(T!nyYA5S#Yr1vH)M=I6<<17f47a@8*|BkK=R~LK zj49J=XJeh!sai7!#C-C0sXDs5*b2?}KJyEvvj~q?WXH~4w|(r)Z9BU3~uU(?W zCw~kKHID7uw&qo4PF#$AUOBIlWmUW!zn6qsDhBR#Zw*=6Jf!(euTo8qw>*+Rf9sYp zRhldUL%T>bSdx)3Ox7-rN^Xp2wn}Y1QXyi@IdgN$p5#3 zo4~uk3&9R>KX5DZ|3|?a!Sg^H{2f>e?m+(k5O_A&4Yq>&fSZy1Uk>Wv4Degz{?CFJ zgWX^$_&zfK6d+Q^M4SN{e|=G@GM1#L0tw*AfDNUlrJUJ zd{54;>RJoIuAWc00Z-61$2*f=R<~rO=9@*MHQL!+t+AVx@WInsQLvP%9agRJj5Z8H 
zoui_TE?btDmAT&$qcRFTMQMjlM*(um>YT4%G3hdfQrve;4!!`JU$#utL4Fa2BDLFV zjhu3do1TCvM*>p{ew#n5yk~SI$Iux399TRC`VKQ-;>;slD(I+Toe~mYw%uq{y?nD) z&X+n~+drvk=?;FChU9?C4c)a?vEUyWvTNxcRVyD-Q$ZkM4Lg+h_1(R%b#T;I&xu{F zKraY-7F~tB(hK*tEHis{(UG<*AM?03q5qs10Y?w<;W>t*eHh0Cf)Z%25^j4r1J8WD zd}w>oa7*!YZ?W1jno0lfO!&F^+u!rlI^H&!mAX|PHfH|}3vs0^upNpltSClyMtfHB zsxC_JA1UGjHm9N1YGyu(X}yL&@@?h>S<{)RZ%z|a-&slI{~Y4lmt+qc`M;<|w|_+5 ze;(Kera>8O1CIs2L(cyacsF<@xC*QT_W)l&&VMI(8Mp#$14n}IA>)fpz}vt-fG2~c z;4ttL%e`$ zSJ4k#2VMo94#vPy;3wz@J_)V`&jaUzM}q%BNAP3tMet$pEHDO+26yltiQyTVH@HCilALYs+^8FThijU|(~LK4|#@bZX#wiHXD-Idxznm0yc&P_HN zlh_sMBt46TVHZGtuS~AU>fEXvHb`dKXL%%xlkhS~_Cb9knBiWHO2>i|lOJra=3!-* zwqkQ0RfTt1Yd|wxt># zN9B;P*-E)FU9UEZWn(6RjgYpyGImp5-nMlU6gJaR<}4!r%h~HsimZwJ&rkLFGIIXw zfY|?U06Fjxx+#mb`IsYc`&)_w{10w%F z8pv7pe-n8h$eDtdff5)6q6ZNBfy2P<$o|)XOTZSe6g&hx7>G{bW8eyK0XPjj2HXS4 zyZJ<%E=jJ~aa@5UKtU{N>*bN%zCupjI+ z={wB+PP^e0ow_@1jLMcfwc;Mv@jBQ$@=V2Z9jpzp*l*4_jR{9KWj7St?oO--l%>8Y zy?m=2q{?C&>C_r~IS(LYJjrWsqe`Y#*O{oe)v~7!3Q!DJ>=Ak?g?fl$yTnQ{hlk?! 
z42DBDAhS?jkvk=o2r$)bvON+ic_zXfQy^*e;gwWU`><3JWf>?ZYkNmdOI4Z4jyl(n zsy14l(Me1_gL3y%QmeKywsYN%oogKXoHdivo+`E-F}URzOqm9xj)MfWq!DlN&*0&4 zxLqk$BaLSOj~dFNwpi8XA@--G?eMW%i7RraY;L^a#(FZPNMGu0|O z1wX`|Pum~Pv+5w#@IU9;>UX)IHSHbb!z+_%e+@I)Dyl<;)Ht zUEnNm9QY$T0nrz{2V4z0pbd6`HQ;XGyXXTx4E_OJ4lV-|U@iC?@C)<?(mxC+87&sB!1N;E}z(>HF!JEMO;7Q;V@E{=m`oxw%&LErv z^57BR2yh2FfgWK^e> zJjXYnjxJE7qwk!mAPtCQfNa$+azw^KVaGbqoD+6}vifI?>G8@UN;@3T)={eXp@}1+ zfJ@ocQ%){3=wE8vyU*!z@*IZ-_#06FXGahl#C(;Np%)~uOjhs8A6op!NxKkGOR*eP zd8Zgbbi9<)G4IJ1+?OM13yt~-ZFwQQD&8PMUP=CRon~jeTJfeFZvSw2Kv3POF+s9e z?KJ)Myi{I3q1P2MYf(>9zKZl_F6w>EBL`&+o}l`E`|h)rjjU`kQYrZy$SSj%OC{{> zuA`+$oOJ4LTUlf0upZ8-B!gQ|M%DKKS6SY28fA`Gomjm)TWnTRR9xP)ihoePWRzFA zkyxcq=&kyz&Mf`}sJXkZ-72P$TvYT!yW+YEAy(L?DNWQ$r3YVCOC108Drn4Fa=;7o zolrou4n|qEk~t^Mel=aUv3F*OtucH2#7~*NMaUe#@$3z0)I9Pw!FJ)dfLO8OKVm@tW%axSo zp;RN+F0&<#ChGv#g^4olOH$H)wtDGAigzS6x)W-%DmTLM`P`-oMpP+Y5i@%`jcs71 zk<(G<-aCens^_rbRvK@l)y($ps?P5Yy!#k&aks9^V)?#bV*tF|5hhhr# z*%fcATD` zsK+Ve?l0p14=c)$Gr$PRK_{9`s(y!%LeKgzCw{!wqdenn+z{V?Xb*!h41cehtVr{RZ_Y9GY_NB96rk9)&OS(;-pI+ zkIFU@r~UKGa=ww83Ae=%YUX28p-&>kZcOrQMt#blX?48@A*S5{DAh8Wb4*v8m8{p4 zCg6JpP){-@U-ONpG~+`f18t_yw1;)U`z_*d> z-veF@roa=xBf#y*^`8V~AZPvGfE-@~JHb7`50KyA2Cf3*U<)`E{0{m3{a_!s06ZQX z34V^u{#o!!Fb%eWhk_pSM2*O%RseDtxk!v58h_C9siOSop_;l5~hnw zPekW;VZ_4o!rsF&xt&ujM1U=BanE|_wHno>OPoH7=Y=f74ts)UhdKo`ObL!bsgItb z;pp*~J^Om2K2vLSJV&kavE*bYzfx9P!m>v^-B=UZ`|n#b6PV0oWR?qayE_Pz7v_d3 zxOscxSr&6i^KVl$0w>u^r0 zjgcmXN%*g8VRGH5z>+B}DN?dTkMBrir7kZHhGYG{#b_Gq(puA7yF^J#VYj9I5`@CI z++upHgD1AJPOVmK&8%G_lIoI7D9XS;ReJopbiB=zbxx<0XHQ^Lu~Nk%ef9*DqGI;R zx9u_P8>;rcce}Mqj=fCYJePDRZ+H8LW?^a1PI>LT!{OfmqfBF31l_cWwezNIoBiR` zwKWZaRgzSf<)8A(uk3Qo69=ivv;%7beH3H8Zol_(O^R8m0Im_w}`_>_U3|LgHw@*Tzt^236bE~goD%} zPUtg)Mq3T%7&$5Rc6`PO8uCJOibE<&fJcX`{*I@Go?G=!UUukuo>1{aH&FEQB37j$ z1gu)c9{^Gx*i~smo4-C+QtDe&VzW6Xn~&j>CcVoLcrCZQZ0@Rij~Ygi)edv}uwk%L zToQ{2Npa+ON^4zfazIZMz1?W`{0-a{#I%v~W@_V&s=D_>DGhsbSHzQP7ckY@T<1Wr zXy=R7^{O!Fp>YhPHHq;NGLlEnCu~#L^Ke`aI_<;ctx~tv$fFKhADN!0CV+7=D3q8k 
zi!mLAWyEBif_Wv)+HpB7;;1uIV(-kH!oq9DDNSKBfU?vXBdA)A&x7Tf;Q%z{eJB=S z%;$Py&ZjJ?J9SY_JC*hcnDx1=TpEsI5z88Q#Ih-#zTEC2egHgfs@h%Qe2dljv0%%O zGaGqse(U;eTeolCvT;Xt<%-Ao*%YzpoOH14Zn=GlE2G058@FydccXLOnH$e`&e?v( zj&&P0uIV2ehqXAo(YK)JAN^x0Pqn@hUj5lWmalvZyXcH*hrVRyN7R4!P)r&*?Z7eY zMw#gZsk}o*G_ylEL>_u`)fjeiBK0iQvhe+_7XGlA^mzZQ5P2aLUb3%ULY;GsbL_Pqmd8*CQwtMHQLJOoFa(+! z5l=*KQLT)Ntl{`a2f`;L2ChnU8!d>=F^4r*yVgWL8_m(kYfWU0XmD}`rEsV_SQR)Y z_(V>y2LUks=N~r~IcJ@_l~oF7!9})GXM34y$17#LSvnJ~M$MV#E;6YV3yt;XZAjFK z6!dutd-dF4HWttl;WtfbGtTA;El*2mJ;4L(t5zV|6vgqAa!{V$=E&tU-g1X?xcJAG*Zs2jJgVPWCCG`C&Ockr`ZS_t5$YGmJXgG>S7+mB?zm^}gJr$Oa zY=)%^Qn2Y;^tJJZ=SpJzWMKNf6|;d{*~vX-n82vUW_R~l-gYL}7E35Pyfu2@T;6P8 zs)A{VpCmC;LmJBtW3VForE5(+5Ql>+_NdM9WKS}5`x(LvNluI#usG-TJq}}`7umOV zHYM6x+_yn#SbUqDF&r|j^)LS$wm9m2=y65etq0$%DhJVnfr85j%^{~@%c}2HWH_ju z;nv4Eh$ii6$TFT^^TO{^U3EAcD*I+hrNC@8SbCLaE(_X0+v2t>NL(FN?P!j*SuA)m z#OIU_-4Yr+zNtJzbk>cF=}xJ=Y$z(GBniuAyW^S=PZi2+&dPRexLPJWBe4d3A{)L! z!83JAMZzRcC@ZeSix}OP5;cTU)R4H6RSNdxm!p!gJs=l0aD-ARNzHAQOY9Dcs7|e{ z6kJuhKb4l$CQMVNLdxo@@w8fX(VvQbP)*-Cx`3zqoOzUy3dViV+HmxbOPKolXYNj= zX4xhwm`=Nl(qwgjyE=8wTj@P4*~A5d`fGX6>gJnPem?9{vXle@CT9oE8r2}bIAT4I3D~z>cqfl=@~0br5068ar zHCPJ1hdjR*JQRErdH$_nKe!N#f)j!G&ifYf{i}fo&IP9ck@=-Q+rYhm)Gy)FJ+heJ z{f#EgQ^pB@%YaKUD&n515Il+gH7uP$TM@xNLT|4Mo+S(*e(?^9Vp;8&y3@#r>X|45 zVRdMi!#DM3myaQSQGYp{fGd2pS|_$gwS4Q(*NU;d&8qudsNeWqKtYcvUsshooJCzAh8Hk53aXzcWex(;sngCT==fooO ze-lTl2+fpa^M;Mf9k*Rtn#=Spb|}!-Y=kZBH8YfS6A4eIgza9ImazL9TYmD{qe_xTu;$^ez>v zJM1G!N24Z_?h=k6-W3APu8$$whggCpMp}ygO3~KW|7oe|r)i0arblT9EIk`yN!pOq97L!W$GeuM{%t9m=V?pH zSz6g|we<9FOV2z{OAqZqJ13_FEJYh)Y1)v~wN@#{t9Tj~0VPV>21n`J;Ndb+>eOfk zDkw_ak2MTWA|xZkQkTz4aaKmOM0+3EEP5ZM&d@*Qw5!%A?cu+&+Rrp&L7!(f%RbLi z=jl8B$4UfY-BvFgXmbe%rY2vhw_TjJDU%CRl~9-^9tulM+c#HK+GAVtP?)713QJ8} z#$pr>W1{T0#KVD>dN?pO`Qmi3()Q5*TG}?m61E|!sd}vBEJ68UX{je^yAOvV_f&&b zkN?w>(ofS88!wjGNtB&=^ZIRwC22!a*OZAyb|)-N{o7JB&(oH&E_XtO>a2fTdgggr 
zdNmh2onU*_|7oe|r)h~Py|AsS`ejM^&y@ZD@d(GKi;Rr?|3ob)e+{|+z2LdP1^WE3w$5_fcV;fEw~6g7W|3&e-k_#2rt%wbRQ?-Q>g7hi)%Ew{(?wW6J<_F ztDTdS`oq#xLpeq(PNJb(&v^i~32G<_ecy66Ndv4;4aWDFZWEEX`iU<9_9{_(WKAh> z-l9tpZz3t=wAy4+>}(~ya0NSGeNu&maJ(UApyB9WgOJ9(e*~3(8XH7YZ`RP*Cb;c* zazRYli%gCu@#_tQLM;8gHMjxA?t!DrvcH8wcK@-L8GVwp57v-%Z&RaFFYnKojN-lv zl0P!@+9mxdEE(O2mEc4}BzKXeStxV#LLX~z+Qo6vq$lUXPF#D6R1B6WxFUt+iuk75 zy$>swkG)Lt4^?~#^84B)%bcVpY^tv`#1{0rWiVcEoLIknsoz#E9G_!$g<&dh_V|>^0!Lmro>NqZ zoQJ7kHxXtq=JocR3He=euEk-iQ7la(?hNpnrUbV81xl-V8#9T?t2PbCcS_o0prKKUqqWW&CCXWZ~ZQ21(4)IMfSj$M( zHE=JHSy(;FFELhDoP~-Ri^W&1EJD%(6?d^fJnQt!M z?@1n@FqJE;9dh;91~r!4W|20DLD9AOGUl|LI^k5TAbU0OHHm1TF{n1MfvYPzDbK zKZj4ktEZ>d52Vl{bPv$s-~L%9BO0rnP_6=+WKR?u>3XA$88I8NGn@~vHaSGjMy#_$ z#A!ydj@-4gB$qrg&Bg?=cik+xs_iDVDi=ANl{6cD1Dn58RaFrqY5&x_f7zF+f;|Ok zyac2&S2y{_lu&jk=B=3G?nxVVBfVp}<{U4V7{GltR+wK^keW!?nZ~$Vm(9PZD*T$e z|2A?{f*HrG3@n8)zD<(8Ff=a)QF&tz6+J(ooVeR;QoKxKYZ=3S5rI;YOJR_?0E45n zysWy2VU8z@S*)VH;RL3y-m=Oq!ZY2kTYk^edNtv|v&u=;Y<}xFr|Jb&@6+C`eb7qr zT|eOPT(5ywP^II`!H_pE9o&!zO?HcI*=gREA%e&1@4_HS{bbXvEfMr?6Bp?Yf1VBAed&1>vO+vyAmS^kc10;$(` z2hNR)R4U~r;~_99i2T145%q7i{J&m{s~yTH|;2DXBSfghs>xEfTzCXfNwqYEg5KcNG72{;M-9GU-3K>PwY;3njK@z*~B zeu;d46L=F4x&K0N6c9UrH-gK-so?v_^djfK1cNJw3tv}K#GQO6BROia=vQ%hmq zZcKSRbIHiTT1UBMJSRHz*}Y9w&w#{1TT3iHl_Trfyh~}ZJr}CTd0)RlA8f5wv?X+| zIIZrKwnI`o1!w zCCo^=xKFrP_NuQn!4+Y{6Pd&fT4x-ycigRFZI!FBori|bRa#Cdqw+a7Y;{SeW?V%8 z^{?mO_cdJc%yn67^rSdkYBNo&k?AJO;3T$L!`4Hkm8r_7;!j$`l|xw3GnD6oyRp`U zucPAJEnCr9|JtpE&nLy*45lSUTHdhr@oFeWhUI;K#+5jkY*{8hWB&a77hK4LA~rum87$ z&ET;>qGIFLBHW z5RNK;hi+)m?uL1HD0g@#DJy6XVxVrd&Rn?uGxiFV?jopSr01&WhWyu+vVg`sBqc{w zag1e$ego!breE2+!_1JFGQZFp@D~{e^9w*;Ox0Bi*swP{?G5IT4sC<3-{1YdYAfCG zV>z9)(lKvih^0y?G8WF)nuX*2IFrD7SjN7=YZobV@1Q)p0XgkjXSf}D``Q!NJ40`a zrx>Y?zor2_%0wAFCfKob043XijO2pAn^*eZypor(IkRLEa?=zNGP5ho(Qd)qm_fv6 zqX&-x5wxqT_!z434KYTV;ce8vM}@+YuirSE zJhzbU?6FxT-MVq-y6on&H|3QCpjyK4CAUOqM{`Jx3sTO4x#4dm>!vAudn_USA0p^{yg3X3vy-fHR-J4m(bIrOaU 
zS-w?KjkU|Z`==ZV!zn}TV6CgsD$nlKN_DlK+7Ob%D+|+#W&i&;WZ2Cj%Od}uuI1U! zA@jc-TmrU(6Tt_N`(FrFga3=X{{irPFb*CBzJk2}k6;|E1or^%L*Bm%i2eU^@O|X{ z*MSDega1X=zXgcwza1P4It zQ8gT24LW8r>L;#Sf`bi}NVhYMH zgs7ZaQqv2>6b;2JHluZDHEThQLJFRAD{^6Rf4Z7CmRUoS9=!Ch@3vd=93ZJ0FA`-f z)uANGOZ5x+ZXy{&zWe*GBfe(g%MSA{;1y3hV2uURBy!tEmN@5N<6 zm@~L~*FK9zqf;pR9t*MtkjxLLx_q(8gx|MtfBr_9Xp{MCSUF0w@84p4t|f~ahxE$P z@AY??m7~c2k3hiPFLEyO{|+teejRyVc0|Es}1@JMh2vj1zqrQj)G zE%+Po8*~6SfY*Y{!9_ss5?BTPf-XRO0K5!{4Z!)}L~w8LZS(;j0xt*q!1>@L@Mm-b z-vwe5@Xw$D&IBic`+={cCwM=Y0q27iKx_kEtn~(G@Vyi~1UwkX*@0Vu@bq%wYuu-6 zSn`+G$^!{Ezc)O4H>%bKF}md27#)|}`Q6e?$E%HTbl&1+IA3m*JYWBvtM#5P@4x+X z3_emeu(`k87y_sRJehE*P&!pR*a-A?dQm-S`-7OZT_{Fxa+Aq$S9R*;@)&!A?x;Q_ zWf!D=Xr%Zi7xO*L1}Nv#4gv|X95Q#i6ZSw^D#jX_1kd_3fY7ny(}uF&vK5}Wb2c^0 zjdPlEm4`VXXMgu?ScP(9{ghkU6U6p^_C!w7FoZfwA8tzf4aFGLol>7U^Idn&Q=3ZV z!YgPny%h+a^{KvXOe49KDI1g82Ca8$<8EslD&+&*4W*EPxEs3x$RGVs<{wv zSzH*2F|zXb(9Ol+sy}j$WC=J%kU{I?~&w9c$h85;Jad0#CyDM|6Q}$oqm{(llOJU}JDwwB!n8HlP zGRbO*VqUI^DBr{D2Zq}_QF$yXAHyt%>GP)+SX4enSsVOfeo!j!6rDgd(!1y$q`!d` zs3tQ32mAkJcNXJkE|V}kxET5WaU!Q8|F6@s>Q|BZ-vXWrE&{(n<`=*JE;tjM2<|}U z{|*qpf6oPC2k;p1LuCK!z!Y%6ACdV#4qgdXg5M+Si|_v_kON;u)_*ZL4;%%4jf{UI zcsdZd|48s1Wc!zc3dn=6BG11PTnKVNeEfYHS^gSuBKUXYc9G|=1{;B#`~N(0`wPIu z;52YJ_Fi31$@GgV4)$WEG+kriFr7>CNo&P$;oQH~enCMxw}Rc=_{&*96K zmEzNm3#{b^nJ;5{Lxej`bLpP_>2@wmAz>VkfO8ZY@&T8(-Qp9T0VZsBNC9C)SjsrlE~niB_RS=@7j zm-z8L7~7~_NaZ$+?HWTMrm@K$sqWBb|ueB4Z+4qYwC z!Uf8~6;X*}zFHQ=9?F-sfP4yE=v&`vE-Ygv;}Xrudd}Wi7J8gf31a@kbCu^cr&^35 zEa@hj97weRGWOaZgBNOrJ+9n6C+Yc%gz|fE#>7x(Ds3wH<)=(OYpJU5@104xP5ntO z6*muJ3y`EVGtBaJw+YK)|4I(o75wW_^)lMGTaD_5irk?ZdrmQ~EBRVtP8@{D^nDj- zUB?GyVD+d$A$gvXrp7GqSWj~$Tr2^;)IL%WP*C? 
zXb-ZX(e)chQ2bGK{vXjf^GK0(k^e`vzS-%KYgFhnYzY6REj|KmQoc~4e4`2_t8xVhga^K&%;ArqIE%S@7 zKL`9f1^qmDA(#R`N6x<*oCC7pcOv5h@$+{a_!08`2Y}f79|vwjzP}D!37!ld4Sr9( z-w$>J;lU$-|1te<(08EB(#O~2+}v_!_6ssQsi_lq%N@SleYhKAX=fkxyy1Q&EOgC4 zW_`9mD>E)3D06X&tVuj4ae9#g|5XaeM!xNMEp=^}o9Bk8cBNR)IH# zl4QDA-uLHh--9Vebm?vLUx@Xr=jcrD;yR4^5(1S*4wqQ%TzPST>ggP_?HE2o*??b& zF2F5h^12pme8N&9{SJY!%)bKSfGedF)p&Q2{grA5&jao<){NE089bK})|kBJaNv$lm|mz|F|~SA(a3lY#90e-%uC2ZCFX_umVi4CL(pACUR~6?ot% z@Ns1RNw5YS0ltR3|5ES-@H1rne*rHByFmp!5j+Om4cvz8FaG~;2JZ#?!FupWAie;u z2UmeDU3$#w)bLawI0K^BtBfxjj1-u=2U>mqU_!+u@&w`f$4;&4C22VZ- zgg37c{v5!M8D8VQ3u&CK=|~A9d9bZJ#7;u!)Lilg0{zP>zvD#_Ws)$^!<{;QEZgwu zwAqGWO#PLDczX)v@*MTkqL)s}M&d9}PX+qxKohOPGyNKZq>}qcgH*omT7~sbp?BTS z5MyQ)&9@=w2_BgG9AvxR#5QzbTGYA9gg~`5ovjHQm~a!irNH<=r?i3nlZuf+rS6X5 zdq!Q^6w?wMKB$2sQAc;t$cimYgm+cyyXuW%t2DJs8$f%zIC6u(V5sg=hUU%+QTRsF z_bpNXoH}()xV%dQy4jQOu0%|I3#BO>4{?{rr0`E2d$l1b%p(u`R>K%Ii6&z3GK9XP zJngkcH&!{RR4I9`aFRqOynhBtojtm)*~Foix|Srrxh}VxxPuK|7?$J$>v67V;5O{8 zEF;f)vQ4d<=Muuy#}F{%JMhO3#8_zu4i>f>gEOU&jZ_%^AK-Ick?ftWkFN|)+;Egs ze$@C`Buu$5TNyTfN>lBUQPyvtnQ(4{{`QTo;>n637F36{$6`_qjivfW`ZB4d`obCx z(#_jbF{4mFe#s?9G70*l1B-z!TghgnY)ld)V*0u!(N(>{TM*g|vkO933=D@RtQef~ zh4|({%$&_CGhJFsxFJm{J>`(vbK5wimPyr^V0vESQ{PvRZKMdnm7YRkH*pugat4qMk9e9rxfBQQu+j01UO@D#8b+>WgO z39uim0pbJj{h$p-z|WBN-v*|^R&Xr%GP3>~z$Wle@GIo}8^J$%p8nw6u`tr2T|GYd*c3bNZW7ZSVKwwX)%U<+t2RAf78F6s5Y)LcmD zJ+2{1m|mA+2vBXn_76F~?Y5Pv#k}{2l)Bkqs7yJ=vf{M<%ra7)exDShYq0zqAH429 zq{rci$;yFhRs)9Je%7pV6jY7~-C0dAa_VBV&N&n0K`|_fKFIWIXeKP!F4*jQytLj0 zY-_a-QW6?fHY=C``Nf#`J%-^=OC8cZVOefQJYbmlZ{SO?Z&k-0dSDIp0J9lu-=ZCT z6N@mPYuRX9o@*l?puv)il-6e68*HQsT3jEbFgc`~YuAyUS**(OI z(X7lQ>WER$$3*^j5N_2S_sIVnwV?YE{;Qm1F|GOT@*?+nJZ#|In|DOVX4=x0&z{ipMUj)P+-~r&@koS%MzZw2s z1^$A}FMj`C2^v7o1AH2Ez(#Ns_)p}1x$o~fFbPfocLU!>_Ai0e;HSv_9|X?>E;t=L z0Q?%+|K*?w#HZi=!S|5;Uk-#n+d$IC42?k>D>+yyq2mV!s_o_O zto4XpF$@@Gt=eI}m&54~Ivmo&Yh*N&yY43rRI>^#4bl#2#{T@yYLJnMSKqW64a*D~ 
z4uZ9DVAh^osD$>u1cNxLcr^}%#Is2#|&gW>6jawPnMH#g<%lN24v-o{<@9<~OtcT*R&+$JWI*964z<&#Q_dPBZ=WtSS!T z1%){Xbypm>H_xwr&ag6Aw8zdLLnx)wAALHc`wKg~`Y1%t(T7%rMTeExk4 zd;nYkjtAdB&c6~|1Pb7%$ocO97lZqQUm)Xu4!j_>%ptR)4^4s4xRw+4StA>{{!%8@Fq|L8-e%%{3m4n^T2Q6!|TC5 zAUsii5&H`LgO)+^%=iWv-R-qTPB~=(u7sT^R;t_T=hVGUv)O31-SSyn6KTBm_J0`L z`BaHz&!;lsw5MDLOT@Ax^c?Nh!l`&pyU}p!?(}k}+^C<>b|ec zlW3&H@c99l!I@0&PY*Qe;4pvw=nQ(M_Cq*=LfMIe9;RVyH1_t2BEqmQD$5|N11;scG?@X!OY>g+ zCQzw!;c&Hj$g}||Z^~AXu4<|oq>C!e`XJ~DEjKL_{FuqF*Dn4BNXj-&baV=Lb;Tbw zhUvpran|W7jyW65)STi;Oq@ zMt?8dxz*sr#v;=X7}G}i9#)7R_FFW&az9j8LaZuVD@7TC*!`6*G&g6Xme-85P za%5eR{|j2y{WkLcwO|DN5Ly5E;BnyI;8tY)OTc}Aocn)1csRHn8UGXD4d4>69pu3S zz}J!Y-vw&mNN@x4zWDn;9DEa5e;0TFxE?wGxu66x;HAjseu5nT86fxb$zJ|8FanMOhl9^k*B5~b*aD>PCxN6-S65I!Qww6< ziLD$q?439`#YnskM>4abm^g_nvSgWZbLv)|oNqgWbU9cq3zwMHmsv5IZs@g@ zuU!8bE5=a7*sP@(;g}+N4p`WlQY$yLenv`IExUWOC~~S^-WDj&QaT$H!8b+;eyd~y zi=~Rzm7rffiq%29;WO&0OhWaC@rSN_OSnuG+J(9UcbwfQz;cyFPB`F<u{hjA-^$v8h)p=XqsJ4X{v0g<6EJ9w@JC|^EGW}H_*onO0XLXRO~~1Llhf@(!J7(K~Y0p0jgG zEQE4i$7@PW2iaeSn@M6r9!H~Db<1PHfRZtdAnv=+od);6d$QcG$#v(P=fy6eC&Dag zc9bf0R`jGv?3_ZkJYA_)onoimsL>Ki3`jFhX{yoiT&0dyhiPdjW;k`m#co)R37-(r z#h#EtpW9vQB;NPer0dJ^`ac}VM>Wzcs@c1mZ6Wd=515)=%}BG?wM!-D{bE+x37Ds~ z%>pfJ*l=P^7xd2Z?sUfKSq}=%Z=$Mo6LqrAs>psGNuoS!M!Hv{E@X(5Pa8J zMwK{&GpF_1u*;|+hfLKgy3?rH$2Zl?HaaM~dm;>c|M4^zXS8lkCe3J}Yl39|A8|aB z6Zto^|NlAU{Zv-y@+rSd=7xVyM0M~#Eft>&U4Y~la16T+C1ATzl{qF;3 zfct{)p%-`uxEyQ-_XT3}e+>}7e}{t)qZ@cOFnj*rKo{^zum_w5?hC#JAFcs%AAs;A z3xba{!laMh*W73>PDgfN5uRc#?@QP=U5XTHJxxBoiz&w^khtcQ3K)5Qh}`^S#gg)@ zm62a*K3YHG=98-<$91!75b z^_sLzpu3kQH&3-}x0P1*8H+tGExXO@n@f+wr;=er$G_a% z)+PCRb5n(W-?P>8_M;_X-901iEACF0vPX&gs^GQGr0r7OxeXY^3)RYmTbe0V-K}`E zM@hq#WySd0S<@J8S>?SNPwi;hzsli3(-ws(Ta^W|sMW4aFzt2QN168%dB1L{T4|yv ztgS>8>~QQOMAonN*rk0TVLdd-B> z_xoEhy~AYfkn(srFD z7sk3R=Xggl;8Fp%WP<80nz(ku8F!7Icpmkh={*dXQ!#xs?r1@3D1+%c`SsPxPBuSw zQVG$xAG^$Ggj1iunN>b>%f;Wl%lqDM^7Ni+e%&}`j*J>C;L43!$*v$|9#*}Fa{j(8)W|Xf+`T7 
zf8ys~LRVJNGc1ZZjPAWw*3!jxn$CJe=qiiLq)5~Rb+>H7r=2SwODNbzK|a;!iPI4N|42E z1+~m~>u3kWx8mSMf0%jl_rbFY@>QF<8tDvGyDMXUAHvgsY|PD4v8i6?0b5l0+PJ?u zQ9`P9i1i_(%#}3{=TY6MV#mwX8oL|RLoVxzQxBWo68;WroP`wwWD=485w$a`MczgJ z-=KxwTaf#&0kZ%96tDpt2E+%zD}d+%9Pk6={_DXT!E-?!6u}N~fAB|i0pA0k0nY<1 za1q!5P5|FQH}FzW1t)_4MKAC}@EPy|a3**J_#OIzSAh!nGX)m=fH#9PfZPrEDexLl z1@{K8L^p6Wcmq0trQi$b0bT_T1J6VUum$`8+5f}fg&MzN`DUf*auq2%No)lS zyAhyBI01>C4H#3h@V8a^ODUE9GNzRN?P~er*d?!$|UN|{LT&PTV2mLbfIL9ZD)N-!!t4Zs-t>u z_IJ(~KPmIYq$u@EI&O=*9%VNrfBsm7%az=}m7wh^Xdbie(z5$|AbJl$zp3+m#gJQ8 zB{;x&pUysvTdeyvR^=q+@9mHKYCBwK~U^fPJFXLQgbCbnlY zAS8@%*3nNwJQ-`uHisGs2aPeZ{i)fPYX78%c(m_Do9VE`O{o(qSjbOtEW>SWkV`r% zV#1b?Koz<>4PH&m*(t5<-Q`Ewr7r(ebaVT}je1YYj1Y|b6uP4)6i&wv6(_>PUD3k% zr>y)e;#V7~x3IK9+33pL$q9xJQr+-UboLr@D+;psNT(6kI=}w)H9Ix^pQ>UHb-4lF zfVObWEOzPAZx~zl)^dcgMsP7oH%~J{xZfu=>qDj@yTzbj^?-$azle#X+r|XTk|2L&u%Y8R`ss2GD7B{?!y}b}oGKSSIeRLl zJ)Tpk+hN<#)GQEN_ekAM1MFv0qh69$0Ccf1{3s}Hr21*wZK2$lu2&ny@|eCI%l8l4 z9hwOf5C84I&261_v(w&SFPzclNm*50UF+^ReMzS20@mniW$tkaBTsnL(Hbe=a4NN4 z)^?Lw>_NnLjM!7u!rIg_4$fGIvS>5!&9u6WArmZ-|Cb`zzFp*7z4Yh?bf1Mvg+Owa=7gU5rzz>UcKF9qTk@C+b60=|Kq|1R)!unrsneuAuj z0}x*U&j3vzwgL|Yhk>6V^M47v4?GQ=2ObZO0iQw#a2?nKo(vuj2$ub@A; z7Ca4{2Oa~&r=XlIxB{F9azK0vei>cD+km-G;L-g32l#vo5Pn}PJWu;EFR|Zuiq&A6 z4kn~Snu$JxPdM{X%>H9hG_okP6DXPl3#r2hW`V3W;U^?xa_;w?Mu#Ek7MdRz@ZjVz ztyXhLrB0lAP(Ox*!$Pxa))eqiVW_Dywr2JD=WD2;b!9Xk{0SQ6fIej>%oVv)a;tMI zSB$J0Svj&|WMl;{EX^`L6MmiHzr%Cr?qaD?YRqM|DbuJ=Ux3)DP>QT}S{3 z7@E@!IP|c8YO{|JBu#o3qL6TE;@}nIUJl!fXINE8xlX;mvxY((Z-WOtFU8;gjTHm( ztie$qw&Pyb-eR@G%W8FCq5pUP`YQ)|zJyl7KWGcS74rSP>d6AWPnH9vi-2ahhZ|8K zXh2H5@cROrgnl`Un2~cr-VktyNUa^LKxKro!i6+GmU7)viwc$(#+htn5z%UkY|>BY z7GJ(zXJSGu*04%%V7HBXQP*C%uG2(v^mA3RS0CxhmZ=ZZg{WFVX?C${88+AHPf}4OOlj%{*Vk-^0qZuK=!^%(3oVwfrn zH=mE>PR@-CIfdJki|LPRS{XR~@yvM9*FUG(H5>QW3F)!7XPOX(${)uo&fbRL~{G$ubK<01&$P6mJTGn$|1Na)I+FsO1+sWm?j36Ta??E>HUm)`TqqRKxWi9t# z!1rn3JIMC?z%&rw|L;bw-voY&EH7vO^WawG_I=zE zu{YXJ>XfykZ%C8%f_M?BUzDLvrzK~!Pg-0X{773tlP)<2r4EcH8PVrIUmy; 
z{hNgQWEB5~ZPFkY(I#&96`^!?|4uORUZJ-4MY*_R`&K+cY}j}@8ZhZ^L^{!P(GmN` zhCzJ-DSWAtYlA$jekaH6VeOo<#K_6Ti`8s!t&-lX*q^nrvl81QA_I&K43P*j5Mvxa zMsZx-)g*?UIjQY_d~##>k@Mtee37wwKaB1P^X)*ps08GFeR8|etdC+375dd31xdeI z?$nw&(Va7*C=a%k)_!gWp7a>q{iM-Y{b(@CUh0mXJhGBoqk=SkXb|63yqR=cxvD5E zMmO%*v26#e>I%+?{Qm`H?^VdVqqrk6_`^EqNQXqH! zy$GxYKScJIy?i#HoGw66%R>=ugJ+oY&sz2&k|?pu{gO}sWHOHQd+7h^Q83wEdRJK1R_S8b|T zZEve@@<$HaY(m3PG{WE_NBXt=pzW!!gk&?gcxnd&41H}JlPgKApCqK8qViRDTYaor a+#8%U^88>S6OAyKTAm?dU276+jQ2.1.14 auto true - always + onerror ${project.basedir}/backwards random @@ -584,7 +584,6 @@ -Des.logger.prefix= -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${tests.heapdump.path} - -Djava.security.debug=access:failure,policy ${tests.shuffle} ${tests.verbose} diff --git a/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java b/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java index 5bf7f7ce299..befef74251b 100644 --- a/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java +++ b/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java @@ -19,8 +19,6 @@ package org.elasticsearch.bootstrap; -import org.elasticsearch.common.SuppressForbidden; - import java.net.URI; import java.security.Permission; import java.security.PermissionCollection; @@ -37,17 +35,14 @@ public class ESPolicy extends Policy { final Policy template; final PermissionCollection dynamic; - @SuppressForbidden(reason = "ok") public ESPolicy(PermissionCollection dynamic) throws Exception { URI uri = getClass().getResource(POLICY_RESOURCE).toURI(); - System.out.println("temp=" + System.getProperty("java.io.tmpdir")); this.template = Policy.getInstance("JavaPolicy", new URIParameter(uri)); this.dynamic = dynamic; } - @Override @SuppressForbidden(reason = "ok") + @Override public boolean implies(ProtectionDomain domain, Permission permission) { - //System.out.println("domain=" + domain); return template.implies(domain, permission) || dynamic.implies(permission); } } 
diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java
index 9ed66af4499..82a6edf752f 100644
--- a/src/main/java/org/elasticsearch/bootstrap/Security.java
+++ b/src/main/java/org/elasticsearch/bootstrap/Security.java
@@ -19,10 +19,10 @@
 package org.elasticsearch.bootstrap;
+import org.elasticsearch.common.io.PathUtils;
 import org.elasticsearch.env.Environment;
 import java.io.*;
-import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.Permissions;
@@ -34,7 +34,7 @@ import java.security.Policy;
 * We use a template file (the one we test with), and add additional
 * permissions based on the environment (data paths, etc)
 */
-class Security {
+public class Security {
 /**
 * Initializes securitymanager for the environment
@@ -42,7 +42,7 @@ class Security {
 */
 static void configure(Environment environment) throws Exception {
 // enable security policy: union of template and environment-based paths.
- Policy.setPolicy(new ESPolicy(createPermissions(environment)));
+ Policy.setPolicy(new ESPolicy(createPermissions(environment, true)));
 // enable security manager
 System.setSecurityManager(new SecurityManager());
@@ -52,10 +52,13 @@ class Security {
 }
 /** returns dynamic Permissions to configured paths */
- static Permissions createPermissions(Environment environment) throws IOException {
+ static Permissions createPermissions(Environment environment, boolean addTempDir) throws IOException {
 // TODO: improve test infra so we can reduce permissions where read/write
 // is not really needed...
 Permissions policy = new Permissions();
+ if (addTempDir) {
+ addPath(policy, PathUtils.get(System.getProperty("java.io.tmpdir")), "read,readlink,write,delete");
+ }
 addPath(policy, environment.homeFile(), "read,readlink,write,delete");
 addPath(policy, environment.configFile(), "read,readlink,write,delete");
 addPath(policy, environment.logsFile(), "read,readlink,write,delete");
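Review bot: The new `addTempDir` branch in `createPermissions` grants `read,readlink,write,delete` on `java.io.tmpdir` and, through `addPath`, on every file beneath it; in production that property normally resolves to the system-wide temp directory, so the dynamic policy now covers a shared tree rather than a path Elasticsearch owns. Consider granting a dedicated subdirectory instead, or at least extend the Javadoc, which still reads `/** returns dynamic Permissions to configured paths */`, to say that the whole temp directory is included and why. The same grant is repeated verbatim in SecurityBootstrap's static initializer and is kept unconditionally when the flag is removed again in patch 5/5, so whatever scope is chosen should be settled in one place.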
@@ -71,7 +74,7 @@ class Security {
 }
 /** Add access to path (and all files underneath it */
- static void addPath(Permissions policy, Path path, String permissions) throws IOException {
+ public static void addPath(Permissions policy, Path path, String permissions) throws IOException {
 // paths may not exist yet
 Files.createDirectories(path);
 // add each path twice: once for itself, again for files underneath it
@@ -80,7 +83,7 @@ class Security {
 }
 /** Simple checks that everything is ok */
- static void selfTest() {
+ public static void selfTest() {
 // check we can manipulate temporary files
 try {
 Files.delete(Files.createTempFile(null, null));
diff --git a/src/main/resources/org/elasticsearch/bootstrap/security.policy b/src/main/resources/org/elasticsearch/bootstrap/security.policy
index ac5df915bd2..b10a2949df3 100644
--- a/src/main/resources/org/elasticsearch/bootstrap/security.policy
+++ b/src/main/resources/org/elasticsearch/bootstrap/security.policy
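Review bot: `addPath` becomes public so test code can call it, but its Javadoc still does not mention that it creates the directory tree (`Files.createDirectories(path)`) before granting access, which is a filesystem side effect a caller of a method named addPath will not expect; the parenthesis in that Javadoc is also unbalanced. Suggest `/** Adds access to path (and all files underneath it); the directory is created if it does not exist yet. */`. `selfTest` is widened the same way and would benefit from stating in its Javadoc that it creates and deletes a temp file; its body continues outside the hunk.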
@@ -21,15 +21,36 @@
 // On startup, BootStrap reads environment and adds additional permissions
 // for configured paths to these.
+//// System code permissions:
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+//// Everything else:
+
 grant {
 // system jar resources
 permission java.io.FilePermission "${java.home}${/}-", "read";
- // temporary files
- permission java.io.FilePermission "${java.io.tmpdir}", "read,write";
- permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
-
 // paths used for running tests
 // compiled classes
 permission java.io.FilePermission "${project.basedir}${/}target${/}classes${/}-", "read";
diff --git a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
index edbcafdddbd..01f370b0037 100644
--- a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
+++ b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
@@ -40,11 +40,12 @@ public class SecurityTests extends ElasticsearchTestCase {
 Settings settings = settingsBuilder.build();
 Environment environment = new Environment(settings);
- Permissions permissions = Security.createPermissions(environment);
+ // we pass false to not include temp (or it will grant permissions to everything here)
+ Permissions permissions = Security.createPermissions(environment, false);
 // the fake es home
 assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read")));
- // its parent
+ // its filesystem root
 assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
 // some other sibling
 assertFalse(permissions.implies(new FilePermission(path.resolve("other").toString(), "read")));
@@ -63,7 +64,7 @@ public class SecurityTests extends ElasticsearchTestCase {
 Settings settings = settingsBuilder.build();
 Environment environment = new Environment(settings);
- Permissions permissions = Security.createPermissions(environment);
+ Permissions permissions = Security.createPermissions(environment, false);
 // check that all directories got permissions:
 // homefile: this is needed unless we break out rules for "lib" dir.
diff --git a/src/test/java/org/elasticsearch/test/ElasticsearchTestCase.java b/src/test/java/org/elasticsearch/test/ElasticsearchTestCase.java
index 02c02b2ed6e..f102087b2b4 100644
--- a/src/test/java/org/elasticsearch/test/ElasticsearchTestCase.java
+++ b/src/test/java/org/elasticsearch/test/ElasticsearchTestCase.java
@@ -93,7 +93,7 @@ import static com.google.common.collect.Lists.newArrayList;
 public abstract class ElasticsearchTestCase extends LuceneTestCase {
 static {
- SecurityHack.ensureInitialized();
+ SecurityBootstrap.ensureInitialized();
 }
 protected final ESLogger logger = Loggers.getLogger(getClass());
diff --git a/src/test/java/org/elasticsearch/test/ElasticsearchTokenStreamTestCase.java b/src/test/java/org/elasticsearch/test/ElasticsearchTokenStreamTestCase.java
index a61fe704867..8374472dba8 100644
--- a/src/test/java/org/elasticsearch/test/ElasticsearchTokenStreamTestCase.java
+++ b/src/test/java/org/elasticsearch/test/ElasticsearchTokenStreamTestCase.java
@@ -43,7 +43,7 @@ import org.elasticsearch.test.junit.listeners.ReproduceInfoPrinter;
 public abstract class ElasticsearchTokenStreamTestCase extends BaseTokenStreamTestCase {
 static {
- SecurityHack.ensureInitialized();
+ SecurityBootstrap.ensureInitialized();
 }
 public static Version randomVersion() {
diff --git a/src/test/java/org/elasticsearch/test/SecurityHack.java b/src/test/java/org/elasticsearch/test/SecurityBootstrap.java
similarity index 72%
rename from src/test/java/org/elasticsearch/test/SecurityHack.java
rename to src/test/java/org/elasticsearch/test/SecurityBootstrap.java
index 9aa44e4f5da..d5e050a0d3e 100644
--- a/src/test/java/org/elasticsearch/test/SecurityHack.java
+++ b/src/test/java/org/elasticsearch/test/SecurityBootstrap.java
@@ -22,6 +22,8 @@ package org.elasticsearch.test;
 import org.apache.lucene.util.TestSecurityManager;
 import org.elasticsearch.bootstrap.Bootstrap;
 import org.elasticsearch.bootstrap.ESPolicy;
+import org.elasticsearch.bootstrap.Security;
+import org.elasticsearch.common.io.PathUtils;
 import java.security.Permissions;
 import java.security.Policy;
@@ -32,10 +34,13 @@ import static com.carrotsearch.randomizedtesting.RandomizedTest.systemPropertyAs
 * Installs test security manager (ensures it happens regardless of which
 * test case happens to be first, test ordering, etc).
 *

- * Note that this is BS, this should be done by the jvm (by passing -Djava.security.manager).
- * turning it on/off needs to be the role of maven, not this stuff.
+ * The idea is to mimic as much as possible what happens with ES in production
+ * mode (e.g. assign permissions and install security manager the same way)
 */
-class SecurityHack {
+class SecurityBootstrap {
+
+ // TODO: can we share more code with the non-test side here
+ // without making things complex???
 static {
 // just like bootstrap, initialize natives, then SM
@@ -43,8 +48,12 @@ class SecurityHack {
 // install security manager if requested
 if (systemPropertyAsBoolean("tests.security.manager", false)) {
 try {
- Policy.setPolicy(new ESPolicy(new Permissions()));
+ // initialize tmpdir the same exact way as bootstrap.
+ Permissions perms = new Permissions();
+ Security.addPath(perms, PathUtils.get(System.getProperty("java.io.tmpdir")), "read,readlink,write,delete");
+ Policy.setPolicy(new ESPolicy(perms));
 System.setSecurityManager(new TestSecurityManager());
+ Security.selfTest();
 } catch (Exception e) {
 throw new RuntimeException("unable to install test security manager", e);
 }
From 8e8b95faeb29d597ef932d00538f20526c688573 Mon Sep 17 00:00:00 2001
From: Robert Muir
Date: Mon, 4 May 2015 16:30:42 -0400
Subject: [PATCH 3/5] fix wrong comment change
---
 src/test/java/org/elasticsearch/bootstrap/SecurityTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
index 01f370b0037..372bf99466e 100644
--- a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
+++ b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
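Review bot: The test bootstrap re-implements the temp-directory grant by hand, `Security.addPath(perms, PathUtils.get(System.getProperty("java.io.tmpdir")), "read,readlink,write,delete")`, duplicating both the property lookup and the action string that `Security.createPermissions` uses; the comment says "the same exact way as bootstrap", but nothing enforces that, so the two can silently drift and the test security manager would then no longer mirror production. The TODO added in the previous hunk asks for exactly this: a small shared helper in `Security`, e.g. `public static void addTempDir(Permissions policy) throws IOException`, called from both places, or at least a shared constant for the action string. The enclosing `static` initializer continues outside the hunk.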
@@ -45,7 +45,7 @@ public class SecurityTests extends ElasticsearchTestCase {
 // the fake es home
 assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read")));
- // its filesystem root
+ // its parent
 assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
 // some other sibling
 assertFalse(permissions.implies(new FilePermission(path.resolve("other").toString(), "read")));
From 072b90296aa0cea3b684cce2cba56ef459096bdc Mon Sep 17 00:00:00 2001
From: Robert Muir
Date: Mon, 4 May 2015 17:16:08 -0400
Subject: [PATCH 4/5] Use the special java.ext.dirs path instead of 4 tomcat heuristics
---
 .../elasticsearch/bootstrap/security.policy | 20 ++-----------------
 1 file changed, 2 insertions(+), 18 deletions(-)
diff --git a/src/main/resources/org/elasticsearch/bootstrap/security.policy b/src/main/resources/org/elasticsearch/bootstrap/security.policy
index b10a2949df3..e6500109dc7 100644
--- a/src/main/resources/org/elasticsearch/bootstrap/security.policy
+++ b/src/main/resources/org/elasticsearch/bootstrap/security.policy
@@ -22,25 +22,9 @@
 // for configured paths to these.
 //// System code permissions:
+//// These permissions apply to the JDK itself:
-// These permissions apply to javac
-grant codeBase "file:${java.home}/lib/-" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions
-grant codeBase "file:${java.home}/jre/lib/ext/-" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/../lib/-" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions when
-// ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/lib/ext/-" {
+grant codeBase "file:${{java.ext.dirs}}/*" {
 permission java.security.AllPermission;
 };
From b889b3b437fd8a124ad8691d878d18339f20425b Mon Sep 17 00:00:00 2001
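Review bot: The single `grant codeBase "file:${{java.ext.dirs}}/*"` entry hands `AllPermission` to every jar in every directory listed in `java.ext.dirs`, which matches the JDK's own default policy but also means any jar that lands in a system extension directory runs as fully trusted code under this policy. That trust assumption is worth spelling out next to the grant, e.g. `// jars in the JDK extension directories are trusted like the JDK itself; those directories must not be writable by the ES user`. The two headings `//// System code permissions:` and `//// These permissions apply to the JDK itself:` now say the same thing back to back; one of them can go.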
From: Ryan Ernst
Date: Mon, 4 May 2015 15:28:08 -0700
Subject: [PATCH 5/5] Use java sys prop override in tests instead of flag to createPermissions
---
 .../org/elasticsearch/bootstrap/Security.java | 8 +++---
 .../bootstrap/SecurityTests.java | 27 ++++++++++++++++---
 2 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java
index 82a6edf752f..e90b162c7e3 100644
--- a/src/main/java/org/elasticsearch/bootstrap/Security.java
+++ b/src/main/java/org/elasticsearch/bootstrap/Security.java
@@ -42,7 +42,7 @@ public class Security {
 */
 static void configure(Environment environment) throws Exception {
 // enable security policy: union of template and environment-based paths.
- Policy.setPolicy(new ESPolicy(createPermissions(environment, true)));
+ Policy.setPolicy(new ESPolicy(createPermissions(environment)));
 // enable security manager
 System.setSecurityManager(new SecurityManager());
@@ -52,13 +52,11 @@ public class Security {
 }
 /** returns dynamic Permissions to configured paths */
- static Permissions createPermissions(Environment environment, boolean addTempDir) throws IOException {
+ static Permissions createPermissions(Environment environment) throws IOException {
 // TODO: improve test infra so we can reduce permissions where read/write
 // is not really needed...
 Permissions policy = new Permissions();
- if (addTempDir) {
- addPath(policy, PathUtils.get(System.getProperty("java.io.tmpdir")), "read,readlink,write,delete");
- }
+ addPath(policy, PathUtils.get(System.getProperty("java.io.tmpdir")), "read,readlink,write,delete");
 addPath(policy, environment.homeFile(), "read,readlink,write,delete");
 addPath(policy, environment.configFile(), "read,readlink,write,delete");
 addPath(policy, environment.logsFile(), "read,readlink,write,delete");
diff --git a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
index 372bf99466e..33433f1494c 100644
--- a/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
+++ b/src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
@@ -40,8 +40,15 @@ public class SecurityTests extends ElasticsearchTestCase {
 Settings settings = settingsBuilder.build();
 Environment environment = new Environment(settings);
- // we pass false to not include temp (or it will grant permissions to everything here)
- Permissions permissions = Security.createPermissions(environment, false);
+ Path fakeTmpDir = createTempDir();
+ String realTmpDir = System.getProperty("java.io.tmpdir");
+ Permissions permissions;
+ try {
+ System.setProperty("java.io.tmpdir", fakeTmpDir.toString());
+ permissions = Security.createPermissions(environment);
+ } finally {
+ System.setProperty("java.io.tmpdir", realTmpDir);
+ }
 // the fake es home
 assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read")));
@@ -49,6 +56,8 @@ public class SecurityTests extends ElasticsearchTestCase {
 assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
 // some other sibling
 assertFalse(permissions.implies(new FilePermission(path.resolve("other").toString(), "read")));
+ // double check we overwrote java.io.tmpdir correctly for the test
+ assertFalse(permissions.implies(new FilePermission(realTmpDir.toString(), "read")));
 }
 /** test generated permissions for all configured paths */
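Review bot: `realTmpDir.toString()` in the new assertion calls `toString()` on a value that is already a `String`; `new FilePermission(realTmpDir, "read")` says the same thing, and the same expression recurs in the second test's hunks below. The try/finally block that swaps `java.io.tmpdir`, calls `createPermissions` and restores the property is duplicated verbatim in the `@@ -64,7 +73,15 @@` hunk; a private helper such as `createPermissionsWithTmpDir(Environment environment, Path tmpDir)` would keep the restore logic in one place. Because `System.setProperty` mutates a JVM-global value, the override is presumably only safe while these tests do not run concurrently in one JVM; if that is the assumption, a one-line comment on the helper would record it.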
@@ -64,7 +73,15 @@ public class SecurityTests extends ElasticsearchTestCase {
 Settings settings = settingsBuilder.build();
 Environment environment = new Environment(settings);
- Permissions permissions = Security.createPermissions(environment, false);
+ Path fakeTmpDir = createTempDir();
+ String realTmpDir = System.getProperty("java.io.tmpdir");
+ Permissions permissions;
+ try {
+ System.setProperty("java.io.tmpdir", fakeTmpDir.toString());
+ permissions = Security.createPermissions(environment);
+ } finally {
+ System.setProperty("java.io.tmpdir", realTmpDir);
+ }
 // check that all directories got permissions:
 // homefile: this is needed unless we break out rules for "lib" dir.
@@ -84,5 +101,9 @@ public class SecurityTests extends ElasticsearchTestCase {
 }
 // logs: r/w
 assertTrue(permissions.implies(new FilePermission(environment.logsFile().toString(), "read,readlink,write,delete")));
+ // temp dir: r/w
+ assertTrue(permissions.implies(new FilePermission(fakeTmpDir.toString(), "read,readlink,write,delete")));
+ // double check we overwrote java.io.tmpdir correctly for the test
+ assertFalse(permissions.implies(new FilePermission(realTmpDir.toString(), "read")));
 }
 }