hacky state
This commit is contained in:
parent
a0be20137d
commit
fe046df125
Binary file not shown.
6
pom.xml
6
pom.xml
|
@ -37,12 +37,13 @@
|
||||||
<testframework.version>2.1.14</testframework.version>
|
<testframework.version>2.1.14</testframework.version>
|
||||||
<tests.jvms>auto</tests.jvms>
|
<tests.jvms>auto</tests.jvms>
|
||||||
<tests.shuffle>true</tests.shuffle>
|
<tests.shuffle>true</tests.shuffle>
|
||||||
<tests.output>onerror</tests.output>
|
<tests.output>always</tests.output>
|
||||||
<tests.client.ratio></tests.client.ratio>
|
<tests.client.ratio></tests.client.ratio>
|
||||||
<tests.bwc.path>${project.basedir}/backwards</tests.bwc.path>
|
<tests.bwc.path>${project.basedir}/backwards</tests.bwc.path>
|
||||||
<tests.locale>random</tests.locale>
|
<tests.locale>random</tests.locale>
|
||||||
<tests.timezone>random</tests.timezone>
|
<tests.timezone>random</tests.timezone>
|
||||||
<tests.slow>false</tests.slow>
|
<tests.slow>false</tests.slow>
|
||||||
|
<tests.security.manager>true</tests.security.manager>
|
||||||
<es.logger.level>ERROR</es.logger.level>
|
<es.logger.level>ERROR</es.logger.level>
|
||||||
<tests.heap.size>512m</tests.heap.size>
|
<tests.heap.size>512m</tests.heap.size>
|
||||||
<tests.heapdump.path>${basedir}/logs/</tests.heapdump.path>
|
<tests.heapdump.path>${basedir}/logs/</tests.heapdump.path>
|
||||||
|
@ -583,6 +584,7 @@
|
||||||
<param>-Des.logger.prefix=</param>
|
<param>-Des.logger.prefix=</param>
|
||||||
<param>-XX:+HeapDumpOnOutOfMemoryError</param>
|
<param>-XX:+HeapDumpOnOutOfMemoryError</param>
|
||||||
<param>-XX:HeapDumpPath=${tests.heapdump.path}</param>
|
<param>-XX:HeapDumpPath=${tests.heapdump.path}</param>
|
||||||
|
<param>-Djava.security.debug=access:failure,policy</param>
|
||||||
</jvmArgs>
|
</jvmArgs>
|
||||||
<shuffleOnSlave>${tests.shuffle}</shuffleOnSlave>
|
<shuffleOnSlave>${tests.shuffle}</shuffleOnSlave>
|
||||||
<sysouts>${tests.verbose}</sysouts>
|
<sysouts>${tests.verbose}</sysouts>
|
||||||
|
@ -638,8 +640,6 @@
|
||||||
<!-- true if we are running tests from maven (as opposed to IDE, etc).
|
<!-- true if we are running tests from maven (as opposed to IDE, etc).
|
||||||
allows us to assert certain things work, like libsigar -->
|
allows us to assert certain things work, like libsigar -->
|
||||||
<tests.maven>true</tests.maven>
|
<tests.maven>true</tests.maven>
|
||||||
<!-- security manager / test.policy -->
|
|
||||||
<java.security.policy>${basedir}/src/main/resources/org/elasticsearch/bootstrap/security.policy</java.security.policy>
|
|
||||||
</systemProperties>
|
</systemProperties>
|
||||||
</configuration>
|
</configuration>
|
||||||
</execution>
|
</execution>
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
/*
|
||||||
|
* Licensed to Elasticsearch under one or more contributor
|
||||||
|
* license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright
|
||||||
|
* ownership. Elasticsearch licenses this file to you under
|
||||||
|
* the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.elasticsearch.bootstrap;
|
||||||
|
|
||||||
|
import org.elasticsearch.common.SuppressForbidden;
|
||||||
|
|
||||||
|
import java.net.URI;
|
||||||
|
import java.security.Permission;
|
||||||
|
import java.security.PermissionCollection;
|
||||||
|
import java.security.Policy;
|
||||||
|
import java.security.ProtectionDomain;
|
||||||
|
import java.security.URIParameter;
|
||||||
|
|
||||||
|
/** custom policy for union of static and dynamic permissions */
|
||||||
|
public class ESPolicy extends Policy {
|
||||||
|
|
||||||
|
/** template policy file, the one used in tests */
|
||||||
|
static final String POLICY_RESOURCE = "security.policy";
|
||||||
|
|
||||||
|
final Policy template;
|
||||||
|
final PermissionCollection dynamic;
|
||||||
|
|
||||||
|
@SuppressForbidden(reason = "ok")
|
||||||
|
public ESPolicy(PermissionCollection dynamic) throws Exception {
|
||||||
|
URI uri = getClass().getResource(POLICY_RESOURCE).toURI();
|
||||||
|
System.out.println("temp=" + System.getProperty("java.io.tmpdir"));
|
||||||
|
this.template = Policy.getInstance("JavaPolicy", new URIParameter(uri));
|
||||||
|
this.dynamic = dynamic;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override @SuppressForbidden(reason = "ok")
|
||||||
|
public boolean implies(ProtectionDomain domain, Permission permission) {
|
||||||
|
//System.out.println("domain=" + domain);
|
||||||
|
return template.implies(domain, permission) || dynamic.implies(permission);
|
||||||
|
}
|
||||||
|
}
|
|
@ -25,12 +25,8 @@ import java.io.*;
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
import java.nio.file.Files;
|
import java.nio.file.Files;
|
||||||
import java.nio.file.Path;
|
import java.nio.file.Path;
|
||||||
import java.security.Permission;
|
|
||||||
import java.security.PermissionCollection;
|
|
||||||
import java.security.Permissions;
|
import java.security.Permissions;
|
||||||
import java.security.Policy;
|
import java.security.Policy;
|
||||||
import java.security.ProtectionDomain;
|
|
||||||
import java.security.URIParameter;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initializes securitymanager with necessary permissions.
|
* Initializes securitymanager with necessary permissions.
|
||||||
|
@ -39,18 +35,14 @@ import java.security.URIParameter;
|
||||||
* permissions based on the environment (data paths, etc)
|
* permissions based on the environment (data paths, etc)
|
||||||
*/
|
*/
|
||||||
class Security {
|
class Security {
|
||||||
|
|
||||||
/** template policy file, the one used in tests */
|
|
||||||
static final String POLICY_RESOURCE = "security.policy";
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initializes securitymanager for the environment
|
* Initializes securitymanager for the environment
|
||||||
* Can only happen once!
|
* Can only happen once!
|
||||||
*/
|
*/
|
||||||
static void configure(Environment environment) throws Exception {
|
static void configure(Environment environment) throws Exception {
|
||||||
// enable security policy: union of template and environment-based paths.
|
// enable security policy: union of template and environment-based paths.
|
||||||
URI template = Security.class.getResource(POLICY_RESOURCE).toURI();
|
Policy.setPolicy(new ESPolicy(createPermissions(environment)));
|
||||||
Policy.setPolicy(new ESPolicy(template, createPermissions(environment)));
|
|
||||||
|
|
||||||
// enable security manager
|
// enable security manager
|
||||||
System.setSecurityManager(new SecurityManager());
|
System.setSecurityManager(new SecurityManager());
|
||||||
|
@ -98,20 +90,4 @@ class Security {
|
||||||
throw new SecurityException("Security misconfiguration: cannot access java.io.tmpdir", problem);
|
throw new SecurityException("Security misconfiguration: cannot access java.io.tmpdir", problem);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** custom policy for union of static and dynamic permissions */
|
|
||||||
static class ESPolicy extends Policy {
|
|
||||||
final Policy template;
|
|
||||||
final PermissionCollection dynamic;
|
|
||||||
|
|
||||||
ESPolicy(URI template, PermissionCollection dynamic) throws Exception {
|
|
||||||
this.template = Policy.getInstance("JavaPolicy", new URIParameter(template));
|
|
||||||
this.dynamic = dynamic;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean implies(ProtectionDomain domain, Permission permission) {
|
|
||||||
return template.implies(domain, permission) || dynamic.implies(permission);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,6 +21,10 @@ package org.elasticsearch.test;
|
||||||
|
|
||||||
import org.apache.lucene.util.TestSecurityManager;
|
import org.apache.lucene.util.TestSecurityManager;
|
||||||
import org.elasticsearch.bootstrap.Bootstrap;
|
import org.elasticsearch.bootstrap.Bootstrap;
|
||||||
|
import org.elasticsearch.bootstrap.ESPolicy;
|
||||||
|
|
||||||
|
import java.security.Permissions;
|
||||||
|
import java.security.Policy;
|
||||||
|
|
||||||
import static com.carrotsearch.randomizedtesting.RandomizedTest.systemPropertyAsBoolean;
|
import static com.carrotsearch.randomizedtesting.RandomizedTest.systemPropertyAsBoolean;
|
||||||
|
|
||||||
|
@ -36,10 +40,14 @@ class SecurityHack {
|
||||||
static {
|
static {
|
||||||
// just like bootstrap, initialize natives, then SM
|
// just like bootstrap, initialize natives, then SM
|
||||||
Bootstrap.initializeNatives(true, true);
|
Bootstrap.initializeNatives(true, true);
|
||||||
// for IDEs, we check that security.policy is set
|
// install security manager if requested
|
||||||
if (systemPropertyAsBoolean("tests.security.manager", true) &&
|
if (systemPropertyAsBoolean("tests.security.manager", false)) {
|
||||||
System.getProperty("java.security.policy") != null) {
|
try {
|
||||||
System.setSecurityManager(new TestSecurityManager());
|
Policy.setPolicy(new ESPolicy(new Permissions()));
|
||||||
|
System.setSecurityManager(new TestSecurityManager());
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new RuntimeException("unable to install test security manager", e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue