mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-05 20:48:22 +00:00
d31e10a87d
We sign our official plugins yet this is not well-advertised and not at all consumed during plugin installation. For plugins that are installed over the intertubes, verifying that the downloaded artifact is signed by our signing key would establish both integrity and validity of the downloaded artifact. The chain of trust here is simple: our installable artifacts (archive and package distributions) so that if a user trusts our packages via their signatures, and our plugin installer (which would be executing trusted code) verifies the downloaded plugin, then the user can trust the downloaded plugin too. This commit adds verification of official plugins downloaded during installation. We do not add verification for offline plugin installs; a user can download our signatures and verify the artifacts themselves. This commit also needs to solve a few interesting challenges. One of these is that we want the bouncy castle JARs on the classpath only for the plugin installer, but not for the runtime Elasticsearch. Additionally, we want these JARs to not be present for the JAR hell checks. To address this, we shift these JARs into a sub-directory of lib (lib/tools/plugin-cli) that is only loaded for the plugin installer, and in the plugin installer we filter any JARs in this directory from the JAR hell check.
42 lines
1.4 KiB
Groovy
42 lines
1.4 KiB
Groovy
/*
|
|
* Licensed to Elasticsearch under one or more contributor
|
|
* license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright
|
|
* ownership. Elasticsearch licenses this file to you under
|
|
* the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing,
|
|
* software distributed under the License is distributed on an
|
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
* KIND, either express or implied. See the License for the
|
|
* specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
|
|
apply plugin: 'elasticsearch.build'
|
|
|
|
archivesBaseName = 'elasticsearch-plugin-cli'
|
|
|
|
dependencies {
|
|
compileOnly "org.elasticsearch:elasticsearch:${version}"
|
|
compileOnly "org.elasticsearch:elasticsearch-cli:${version}"
|
|
compile "org.bouncycastle:bcpg-jdk15on:1.59"
|
|
compile "org.bouncycastle:bcprov-jdk15on:1.59"
|
|
testCompile "org.elasticsearch.test:framework:${version}"
|
|
testCompile 'com.google.jimfs:jimfs:1.1'
|
|
testCompile 'com.google.guava:guava:18.0'
|
|
}
|
|
|
|
dependencyLicenses {
|
|
mapping from: /bc.*/, to: 'bouncycastle'
|
|
}
|
|
|
|
test {
|
|
// TODO: find a way to add permissions for the tests in this module
|
|
systemProperty 'tests.security.manager', 'false'
|
|
}
|