honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Elevate privileges fetching metadata for SAML 

We have to elevate privileges here as these invocations happen in a run
loop that will not have the correct privileges for socket connections.

Relates elastic/x-pack-elasticsearch#3671

Original commit: elastic/x-pack-elasticsearch@eab9f47583
This commit is contained in:
Jason Tedor 2018-01-24 08:59:01 -05:00 committed by GitHub
parent 3932635f98
commit e385b7dab4
1 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java
View File

@ -9,6 +9,7 @@ import net.shibboleth.utilities.java.support.component.ComponentInitializationEx
import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException; import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool; import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.DefaultHostnameVerifier; import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
@ -457,7 +458,7 @@ public final class SamlRealm extends Realm implements Releasable {
SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslService.sslSocketFactory(sslSettings), verifier); SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslService.sslSocketFactory(sslSettings), verifier);
builder.setSSLSocketFactory(factory); builder.setSSLSocketFactory(factory);
HTTPMetadataResolver resolver = new HTTPMetadataResolver(builder.build(), metadataUrl); HTTPMetadataResolver resolver = new PrivilegedHTTPMetadataResolver(builder.build(), metadataUrl);
TimeValue refresh = IDP_METADATA_HTTP_REFRESH.get(config.settings()); TimeValue refresh = IDP_METADATA_HTTP_REFRESH.get(config.settings());
resolver.setMinRefreshDelay(refresh.millis()); resolver.setMinRefreshDelay(refresh.millis());
resolver.setMaxRefreshDelay(refresh.millis()); resolver.setMaxRefreshDelay(refresh.millis());
@ -476,6 +477,24 @@ public final class SamlRealm extends Realm implements Releasable {
}); });
} }
private static final class PrivilegedHTTPMetadataResolver extends HTTPMetadataResolver {
PrivilegedHTTPMetadataResolver(final HttpClient client, final String metadataURL) throws ResolverException {
super(client, metadataURL);
}
@Override
protected byte[] fetchMetadata() throws ResolverException {
try {
return AccessController.doPrivileged(
(PrivilegedExceptionAction<byte[]>) () -> PrivilegedHTTPMetadataResolver.super.fetchMetadata());
} catch (final PrivilegedActionException e) {
throw (ResolverException) e.getCause();
}
}
}
@SuppressForbidden(reason = "uses toFile") @SuppressForbidden(reason = "uses toFile")
private static Tuple<AbstractReloadingMetadataResolver, Supplier<EntityDescriptor>> parseFileSystemMetadata( private static Tuple<AbstractReloadingMetadataResolver, Supplier<EntityDescriptor>> parseFileSystemMetadata(
Logger logger, String metadataPath, RealmConfig config, ResourceWatcherService watcherService) Logger logger, String metadataPath, RealmConfig config, ResourceWatcherService watcherService)