SAML 4.3.0 addition persmission (opensearch-project#2987)
* SAML 4.3.0 additional permissions

Added the additional permissions required by the new version of the SAML library.

Signed-off-by: Andrey Pleskach <ples@aiven.io>

* Fix log4j version

Signed-off-by: Andrey Pleskach <ples@aiven.io>

---------

Signed-off-by: Andrey Pleskach <ples@aiven.io>
willyborankin authored Jul 11, 2023
1 parent e5348eb commit df07bea
Showing 3 changed files with 16 additions and 13 deletions.
8 changes: 4 additions & 4 deletions build.gradle
@@ -548,7 +548,7 @@ dependencies {
runtimeOnly 'org.lz4:lz4-java:1.8.0'
runtimeOnly 'io.dropwizard.metrics:metrics-core:3.1.2'
runtimeOnly 'org.slf4j:slf4j-api:1.7.30'
runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1'
runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.1'
runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1'
runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
@@ -570,7 +570,7 @@ dependencies {
testImplementation "org.opensearch.plugin:lang-mustache-client:${opensearch_version}"
testImplementation "org.opensearch.plugin:parent-join-client:${opensearch_version}"
testImplementation "org.opensearch.plugin:aggs-matrix-stats-client:${opensearch_version}"
testImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
testImplementation 'javax.servlet:servlet-api:2.5'
testImplementation 'com.unboundid:unboundid-ldapsdk:4.0.9'
testImplementation 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
@@ -618,8 +618,8 @@ dependencies {
integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}"
integrationTestImplementation 'commons-io:commons-io:2.11.0'
integrationTestImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
integrationTestImplementation 'org.apache.logging.log4j:log4j-jul:2.17.1'
integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
integrationTestImplementation "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
integrationTestImplementation "org.bouncycastle:bcutil-jdk15to18:${versions.bouncycastle}"
5 changes: 4 additions & 1 deletion plugin-security.policy
@@ -60,7 +60,6 @@ grant {
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";
permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";

permission java.lang.RuntimePermission "accessUserInformation";

@@ -74,6 +73,10 @@ grant {

//Enable this permission to debug unauthorized de-serialization attempt
//permission java.io.SerializablePermission "enableSubstitution";

//SAML policy
permission java.util.PropertyPermission "*", "read,write";
permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread";
};

grant codeBase "${codebase.netty-common}" {
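Review bot: The new `permission java.util.PropertyPermission "*", "read,write";` in the second hunk grants the entire plugin codebase write access to every system property, while the first hunk drops the single targeted write on `jdk.tls.rejectClientInitiatedRenegotiation` that it replaces. With write on `*`, any code in the plugin's codebase, including transitive dependencies, can change `javax.net.ssl.*`, `java.security.*` or `jdk.tls.*` settings at runtime, which is exactly what the Security Manager policy is supposed to prevent. If the SAML library only needs to read properties, keep `permission java.util.PropertyPermission "*", "read";` and enumerate the properties it is actually observed to set, starting with the one removed here, `permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";`. The `//SAML policy` comment should name the library and version and the code path that requires each grant, and the same justification is needed for `org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread"`, which is also a broad grant. The enclosing `grant { ... }` block begins before the first hunk.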
@@ -29,6 +29,8 @@

import java.net.InetAddress;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
@@ -44,6 +46,7 @@
import com.google.common.collect.Multimap;
import com.google.common.collect.Multimaps;

import org.opensearch.SpecialPermission;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.xcontent.XContentType;
import org.opensearch.security.auth.AuthDomain;
@@ -396,14 +399,11 @@ private void destroyDestroyables(List<Destroyable> destroyableComponents) {
}

private <T> T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) {

String clazz = clazzOrShortcut;

if (authImplMap.containsKey(clazz + "_" + type)) {
clazz = authImplMap.get(clazz + "_" + type);
}

return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
final String clazz = authImplMap.computeIfAbsent(clazzOrShortcut + "_" + type, k -> clazzOrShortcut);
return AccessController.doPrivileged((PrivilegedAction<T>) () -> {
SpecialPermission.check();
return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
});
}

private String translateShortcutToClassName(final String clazzOrShortcut, final String type) {
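Review bot: In the `newInstance` hunk, `authImplMap.computeIfAbsent(clazzOrShortcut + "_" + type, k -> clazzOrShortcut)` turns what was a pure lookup into a write: every configured class name that is not a known shortcut is inserted into the table as a key mapping to itself, so the table grows with config-supplied strings, `translateShortcutToClassName` just below appears to consult the same table, and the call throws if the map is unmodifiable; `authImplMap.getOrDefault(clazzOrShortcut + "_" + type, clazzOrShortcut)` gives the old read-only behavior. The `SpecialPermission.check()` call is placed inside the `doPrivileged` lambda, where the stack has already been truncated to the plugin's own frames, so it checks the plugin's grant rather than the caller's; the usual pattern is `SpecialPermission.check();` on the line before `AccessController.doPrivileged(...)`. Since `clazz` comes from the security configuration, the privileged block now instantiates whatever class an administrator names with the plugin's full permissions rather than the caller's, which deserves a comment on the `doPrivileged` call stating that the class name is trusted configuration. The body of `newInstance` is fully inside the hunk; the surrounding class is not.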
