Remove two permissions from server security policy and change extensi…

…on reading Signed-off-by: Ryan Bogan <rbogan@amazon.com>
opensearch-project · Jan 9, 2023 · 61c617d · 61c617d
1 parent 6a7a9a1
commit 61c617d
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 10 deletions.
diff --git a/server/src/main/java/org/opensearch/extensions/ExtensionsManager.java b/server/src/main/java/org/opensearch/extensions/ExtensionsManager.java
@@ -15,6 +15,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -61,11 +62,9 @@
 import org.opensearch.transport.TransportResponse;
 import org.opensearch.transport.TransportResponseHandler;
 import org.opensearch.transport.TransportService;
+import org.yaml.snakeyaml.Yaml;
 import org.opensearch.env.EnvironmentSettingsResponse;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
-
 /**
  * The main class for managing Extension communication with the OpenSearch Node.
  *
@@ -556,10 +555,35 @@ public String executor() {
     }
 
     private ExtensionsSettings readFromExtensionsYml(Path filePath) throws IOException {
-        ObjectMapper objectMapper = new ObjectMapper(new YAMLFactory());
-        InputStream input = Files.newInputStream(filePath);
-        ExtensionsSettings extensionSettings = objectMapper.readValue(input, ExtensionsSettings.class);
-        return extensionSettings;
+        Yaml yaml = new Yaml();
+        InputStream inputStream = Files.newInputStream(filePath);
+        Map<String, Object> obj = yaml.load(inputStream);
+        if (obj == null) {
+            inputStream.close();
+            throw new IOException("extensions.yml is empty");
+        }
+        List<HashMap<String, ?>> unreadExtensions = new ArrayList<>((Collection<HashMap<String, ?>>) obj.get("extensions"));
+        List<Extension> readExtensions = new ArrayList<Extension>();
+        for (HashMap<String, ?> extensionMap : unreadExtensions) {
+            readExtensions.add(
+                new Extension(
+                    extensionMap.get("name").toString(),
+                    extensionMap.get("uniqueId").toString(),
+                    extensionMap.get("hostName").toString(),
+                    extensionMap.get("hostAddress").toString(),
+                    extensionMap.get("port").toString(),
+                    extensionMap.get("version").toString(),
+                    extensionMap.get("description").toString(),
+                    extensionMap.get("opensearchVersion").toString(),
+                    extensionMap.get("javaVersion").toString(),
+                    extensionMap.get("className").toString(),
+                    extensionMap.get("customFolderName").toString(),
+                    extensionMap.get("hasNativeController").toString()
+                )
+            );
+        }
+        inputStream.close();
+        return new ExtensionsSettings(readExtensions);
     }
 
     public static String getRequestExtensionActionName() {

diff --git a/server/src/main/java/org/opensearch/extensions/ExtensionsSettings.java b/server/src/main/java/org/opensearch/extensions/ExtensionsSettings.java
@@ -21,6 +21,10 @@ public class ExtensionsSettings {
 
     private List<Extension> extensions;
 
+    public ExtensionsSettings(List<Extension> extensions) {
+        this.extensions = extensions;
+    }
+
     public ExtensionsSettings() {
         extensions = new ArrayList<Extension>();
     }
@@ -46,6 +50,34 @@ public static class Extension {
         private String hasNativeController;
         private List<ExtensionDependency> dependencies = Collections.emptyList();
 
+        public Extension(
+            String name,
+            String uniqueId,
+            String hostName,
+            String hostAddress,
+            String port,
+            String version,
+            String description,
+            String opensearchVersion,
+            String jvmVersion,
+            String className,
+            String customFolderName,
+            String hasNativeController
+        ) {
+            this.name = name;
+            this.uniqueId = uniqueId;
+            this.hostName = hostName;
+            this.hostAddress = hostAddress;
+            this.port = port;
+            this.version = version;
+            this.description = description;
+            this.opensearchVersion = opensearchVersion;
+            this.jvmVersion = jvmVersion;
+            this.className = className;
+            this.customFolderName = customFolderName;
+            this.hasNativeController = hasNativeController;
+        }
+
         public Extension() {
             name = "";
             uniqueId = "";

diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -99,9 +99,6 @@ grant {
   permission jdk.net.NetworkPermission "setOption.TCP_KEEPINTERVAL";
   permission jdk.net.NetworkPermission "getOption.TCP_KEEPCOUNT";
   permission jdk.net.NetworkPermission "setOption.TCP_KEEPCOUNT";
-
-  permission java.lang.RuntimePermission "accessDeclaredMembers";
-  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 
   // Allow read access to all system properties
   permission java.util.PropertyPermission "*", "read";