diff --git a/build.gradle b/build.gradle index 7fdb6facd1..c974091966 100644 --- a/build.gradle +++ b/build.gradle @@ -548,7 +548,7 @@ dependencies { runtimeOnly 'org.lz4:lz4-java:1.8.0' runtimeOnly 'io.dropwizard.metrics:metrics-core:3.1.2' runtimeOnly 'org.slf4j:slf4j-api:1.7.30' - runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1' + runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}" runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.1' runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1' runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}" @@ -570,7 +570,7 @@ dependencies { testImplementation "org.opensearch.plugin:lang-mustache-client:${opensearch_version}" testImplementation "org.opensearch.plugin:parent-join-client:${opensearch_version}" testImplementation "org.opensearch.plugin:aggs-matrix-stats-client:${opensearch_version}" - testImplementation 'org.apache.logging.log4j:log4j-core:2.17.1' + testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}" testImplementation 'javax.servlet:servlet-api:2.5' testImplementation 'com.unboundid:unboundid-ldapsdk:4.0.9' testImplementation 'com.github.stephenc.jcip:jcip-annotations:1.0-1' @@ -618,8 +618,8 @@ dependencies { integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}" integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}" integrationTestImplementation 'commons-io:commons-io:2.11.0' - integrationTestImplementation 'org.apache.logging.log4j:log4j-core:2.17.1' - integrationTestImplementation 'org.apache.logging.log4j:log4j-jul:2.17.1' + integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}" + integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}" integrationTestImplementation 'org.hamcrest:hamcrest:2.2' integrationTestImplementation "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}" integrationTestImplementation "org.bouncycastle:bcutil-jdk15to18:${versions.bouncycastle}" diff --git a/plugin-security.policy b/plugin-security.policy index 7bb18f76c9..04643df0f3 100644 --- a/plugin-security.policy +++ b/plugin-security.policy @@ -60,7 +60,6 @@ grant { permission java.security.SecurityPermission "putProviderProperty.BC"; permission java.security.SecurityPermission "insertProvider.BC"; permission java.security.SecurityPermission "removeProviderProperty.BC"; - permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write"; permission java.lang.RuntimePermission "accessUserInformation"; @@ -74,6 +73,10 @@ grant { //Enable this permission to debug unauthorized de-serialization attempt //permission java.io.SerializablePermission "enableSubstitution"; + + //SAML policy + permission java.util.PropertyPermission "*", "read,write"; + permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread"; }; grant codeBase "${codebase.netty-common}" { diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java index f6bbcc2161..60637e4b8c 100644 --- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java +++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java @@ -29,6 +29,8 @@ import java.net.InetAddress; import java.nio.file.Path; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Collections; import java.util.HashSet; @@ -44,6 +46,7 @@ import com.google.common.collect.Multimap; import com.google.common.collect.Multimaps; +import org.opensearch.SpecialPermission; import org.opensearch.common.settings.Settings; import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.auth.AuthDomain; @@ -396,14 +399,11 @@ private void destroyDestroyables(List destroyableComponents) { } private T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) { - - String clazz = clazzOrShortcut; - - if (authImplMap.containsKey(clazz + "_" + type)) { - clazz = authImplMap.get(clazz + "_" + type); - } - - return ReflectionHelper.instantiateAAA(clazz, settings, configPath); + final String clazz = authImplMap.computeIfAbsent(clazzOrShortcut + "_" + type, k -> clazzOrShortcut); + return AccessController.doPrivileged((PrivilegedAction) () -> { + SpecialPermission.check(); + return ReflectionHelper.instantiateAAA(clazz, settings, configPath); + }); } private String translateShortcutToClassName(final String clazzOrShortcut, final String type) {