From e385b7dab4b68561840855575947eb2340802ed8 Mon Sep 17 00:00:00 2001
From: Jason Tedor
Date: Wed, 24 Jan 2018 08:59:01 -0500
Subject: [PATCH] Elevate privileges fetching metadata for SAML

We have to elevate privileges here as these invocations happen in a run loop that will not have the correct privileges for socket connections.

Relates elastic/x-pack-elasticsearch#3671

Original commit: elastic/x-pack-elasticsearch@eab9f47583f61db568b2d9be4ad3fb59fba16333
---
 .../xpack/security/authc/saml/SamlRealm.java | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java b/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java
index ef25a53d38a..20c42215fe5 100644
--- a/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java
+++ b/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java
@@ -9,6 +9,7 @@ import net.shibboleth.utilities.java.support.component.ComponentInitializationEx
 import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
 import net.shibboleth.utilities.java.support.resolver.ResolverException;
 import net.shibboleth.utilities.java.support.xml.BasicParserPool;
+import org.apache.http.client.HttpClient;
 import org.apache.http.conn.ssl.DefaultHostnameVerifier;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
@@ -457,7 +458,7 @@ public final class SamlRealm extends Realm implements Releasable {
 SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslService.sslSocketFactory(sslSettings), verifier);
 builder.setSSLSocketFactory(factory);

- HTTPMetadataResolver resolver = new HTTPMetadataResolver(builder.build(), metadataUrl);
+ HTTPMetadataResolver resolver = new PrivilegedHTTPMetadataResolver(builder.build(), metadataUrl);
 TimeValue refresh = IDP_METADATA_HTTP_REFRESH.get(config.settings());
 resolver.setMinRefreshDelay(refresh.millis());
 resolver.setMaxRefreshDelay(refresh.millis());
@@ -476,6 +477,24 @@ public final class SamlRealm extends Realm implements Releasable {
 });
 }

+ private static final class PrivilegedHTTPMetadataResolver extends HTTPMetadataResolver {
+
+ PrivilegedHTTPMetadataResolver(final HttpClient client, final String metadataURL) throws ResolverException {
+ super(client, metadataURL);
+ }
+
+ @Override
+ protected byte[] fetchMetadata() throws ResolverException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> PrivilegedHTTPMetadataResolver.super.fetchMetadata());
+ } catch (final PrivilegedActionException e) {
+ throw (ResolverException) e.getCause();
+ }
+ }
+
+ }
+
 @SuppressForbidden(reason = "uses toFile")
 private static Tuple> parseFileSystemMetadata(
 Logger logger, String metadataPath, RealmConfig config, ResourceWatcherService watcherService)
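Review bot: The privileged block in the new `fetchMetadata()` override of `PrivilegedHTTPMetadataResolver` (second hunk on this line) calls `AccessController.doPrivileged` with no `SpecialPermission.check()` in front of it; if this file follows the usual Elasticsearch convention for privileged blocks, that check belongs as the first statement of the `try`, i.e. `SpecialPermission.check();` ahead of the `return`, so that less-privileged code further up the call stack cannot ride the elevation. Nothing in the code records why this subclass exists — the reason is only in the commit message — so a class Javadoc such as `/** Runs the metadata fetch with the plugin's own permissions: per the commit message the refresh happens in the resolver's run loop, whose access-control context lacks the socket permissions needed to reach the IdP. */` would spare the next maintainer a `git blame`. The cast in `throw (ResolverException) e.getCause();` is sound because `ResolverException` is the only checked exception the wrapped action can throw (unchecked exceptions leave `doPrivileged` unwrapped), but a one-line comment saying so would keep a future reader from "fixing" it. The `(PrivilegedExceptionAction)` cast appears raw as rendered here; presumably it is `PrivilegedExceptionAction<byte[]>` with the type argument lost in rendering, and if it really is raw it will produce an unchecked-conversion warning.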