Examples with FilePermission java.io.FilePermission used on opensource projects

Search in sources :

Example 1 with FilePermission

use of java.io.FilePermission in project elasticsearch by elastic.

the class EvilSecurityTests method testEnvironmentPaths.

/** test generated permissions for all configured paths */
// needs to check settings for deprecated path
@SuppressWarnings("deprecation")
public void testEnvironmentPaths() throws Exception {
    Path path = createTempDir();
    // make a fake ES home and ensure we only grant permissions to that.
    Path esHome = path.resolve("esHome");
    Settings.Builder settingsBuilder = Settings.builder();
    settingsBuilder.put(Environment.PATH_HOME_SETTING.getKey(), esHome.resolve("home").toString());
    settingsBuilder.put(Environment.PATH_CONF_SETTING.getKey(), esHome.resolve("conf").toString());
    settingsBuilder.put(Environment.PATH_SCRIPTS_SETTING.getKey(), esHome.resolve("scripts").toString());
    settingsBuilder.putArray(Environment.PATH_DATA_SETTING.getKey(), esHome.resolve("data1").toString(), esHome.resolve("data2").toString());
    settingsBuilder.put(Environment.PATH_SHARED_DATA_SETTING.getKey(), esHome.resolve("custom").toString());
    settingsBuilder.put(Environment.PATH_LOGS_SETTING.getKey(), esHome.resolve("logs").toString());
    settingsBuilder.put(Environment.PIDFILE_SETTING.getKey(), esHome.resolve("test.pid").toString());
    Settings settings = settingsBuilder.build();
    Path fakeTmpDir = createTempDir();
    String realTmpDir = System.getProperty("java.io.tmpdir");
    Permissions permissions;
    Environment environment;
    try {
        System.setProperty("java.io.tmpdir", fakeTmpDir.toString());
        environment = new Environment(settings);
        permissions = Security.createPermissions(environment);
    } finally {
        System.setProperty("java.io.tmpdir", realTmpDir);
    }
    // the fake es home
    assertNoPermissions(esHome, permissions);
    // its parent
    assertNoPermissions(esHome.getParent(), permissions);
    // some other sibling
    assertNoPermissions(esHome.getParent().resolve("other"), permissions);
    // double check we overwrote java.io.tmpdir correctly for the test
    assertNoPermissions(PathUtils.get(realTmpDir), permissions);
    // check that all directories got permissions:
    // bin file: ro
    assertExactPermissions(new FilePermission(environment.binFile().toString(), "read,readlink"), permissions);
    // lib file: ro
    assertExactPermissions(new FilePermission(environment.libFile().toString(), "read,readlink"), permissions);
    // modules file: ro
    assertExactPermissions(new FilePermission(environment.modulesFile().toString(), "read,readlink"), permissions);
    // config file: ro
    assertExactPermissions(new FilePermission(environment.configFile().toString(), "read,readlink"), permissions);
    // scripts file: ro
    assertExactPermissions(new FilePermission(environment.scriptsFile().toString(), "read,readlink"), permissions);
    // plugins: ro
    assertExactPermissions(new FilePermission(environment.pluginsFile().toString(), "read,readlink"), permissions);
    // data paths: r/w
    for (Path dataPath : environment.dataFiles()) {
        assertExactPermissions(new FilePermission(dataPath.toString(), "read,readlink,write,delete"), permissions);
    }
    for (Path dataPath : environment.dataWithClusterFiles()) {
        assertExactPermissions(new FilePermission(dataPath.toString(), "read,readlink,write,delete"), permissions);
    }
    assertExactPermissions(new FilePermission(environment.sharedDataFile().toString(), "read,readlink,write,delete"), permissions);
    // logs: r/w
    assertExactPermissions(new FilePermission(environment.logsFile().toString(), "read,readlink,write,delete"), permissions);
    // temp dir: r/w
    assertExactPermissions(new FilePermission(fakeTmpDir.toString(), "read,readlink,write,delete"), permissions);
    // PID file: delete only (for the shutdown hook)
    assertExactPermissions(new FilePermission(environment.pidFile().toString(), "delete"), permissions);
}
Also used : Path(java.nio.file.Path) Permissions(java.security.Permissions) Environment(org.elasticsearch.env.Environment) FilePermission(java.io.FilePermission) Settings(org.elasticsearch.common.settings.Settings)

Example 2 with FilePermission

use of java.io.FilePermission in project elasticsearch by elastic.

the class Security method addPathIfExists.

/**
     * Add access to a directory iff it exists already
     * @param policy current policy to add permissions to
     * @param configurationName the configuration name associated with the path (for error messages only)
     * @param path the path itself
     * @param permissions set of file permissions to grant to the path
     */
static void addPathIfExists(Permissions policy, String configurationName, Path path, String permissions) {
    if (Files.isDirectory(path)) {
        // add each path twice: once for itself, again for files underneath it
        policy.add(new FilePermission(path.toString(), permissions));
        policy.add(new FilePermission(path.toString() + path.getFileSystem().getSeparator() + "-", permissions));
        try {
            path.getFileSystem().provider().checkAccess(path.toRealPath(), AccessMode.READ);
        } catch (IOException e) {
            throw new IllegalStateException("Unable to access '" + configurationName + "' (" + path + ")", e);
        }
    }
}
Also used : IOException(java.io.IOException) FilePermission(java.io.FilePermission)

Example 3 with FilePermission

use of java.io.FilePermission in project elasticsearch by elastic.

the class Security method addFilePermissions.

/**
     * Adds access to all configurable paths.
     */
static void addFilePermissions(Permissions policy, Environment environment) {
    // read-only dirs
    addPath(policy, Environment.PATH_HOME_SETTING.getKey(), environment.binFile(), "read,readlink");
    addPath(policy, Environment.PATH_HOME_SETTING.getKey(), environment.libFile(), "read,readlink");
    addPath(policy, Environment.PATH_HOME_SETTING.getKey(), environment.modulesFile(), "read,readlink");
    addPath(policy, Environment.PATH_HOME_SETTING.getKey(), environment.pluginsFile(), "read,readlink");
    addPath(policy, Environment.PATH_CONF_SETTING.getKey(), environment.configFile(), "read,readlink");
    addPath(policy, Environment.PATH_SCRIPTS_SETTING.getKey(), environment.scriptsFile(), "read,readlink");
    // read-write dirs
    addPath(policy, "java.io.tmpdir", environment.tmpFile(), "read,readlink,write,delete");
    addPath(policy, Environment.PATH_LOGS_SETTING.getKey(), environment.logsFile(), "read,readlink,write,delete");
    if (environment.sharedDataFile() != null) {
        addPath(policy, Environment.PATH_SHARED_DATA_SETTING.getKey(), environment.sharedDataFile(), "read,readlink,write,delete");
    }
    for (Path path : environment.dataFiles()) {
        addPath(policy, Environment.PATH_DATA_SETTING.getKey(), path, "read,readlink,write,delete");
    }
    for (Path path : environment.repoFiles()) {
        addPath(policy, Environment.PATH_REPO_SETTING.getKey(), path, "read,readlink,write,delete");
    }
    if (environment.pidFile() != null) {
        // we just need permission to remove the file if its elsewhere.
        policy.add(new FilePermission(environment.pidFile().toString(), "delete"));
    }
}
Also used : Path(java.nio.file.Path) FilePermission(java.io.FilePermission)

Example 4 with FilePermission

use of java.io.FilePermission in project elasticsearch by elastic.

the class Security method addClasspathPermissions.

/** Adds access to classpath jars/classes for jar hell scan, etc */
@SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
static void addClasspathPermissions(Permissions policy) throws IOException {
    // really it should be covered by lib/, but there could be e.g. agents or similar configured)
    for (URL url : JarHell.parseClassPath()) {
        Path path;
        try {
            path = PathUtils.get(url.toURI());
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
        // resource itself
        policy.add(new FilePermission(path.toString(), "read,readlink"));
        // classes underneath
        if (Files.isDirectory(path)) {
            policy.add(new FilePermission(path.toString() + path.getFileSystem().getSeparator() + "-", "read,readlink"));
        }
    }
}
Also used : Path(java.nio.file.Path) URISyntaxException(java.net.URISyntaxException) FilePermission(java.io.FilePermission) URL(java.net.URL) SuppressForbidden(org.elasticsearch.common.SuppressForbidden)

Example 5 with FilePermission

use of java.io.FilePermission in project elasticsearch by elastic.

the class ESPolicyUnitTests method testNullCodeSource.

/**
     * Test policy with null codesource.
     * <p>
     * This can happen when restricting privileges with doPrivileged,
     * even though ProtectionDomain's ctor javadocs might make you think
     * that the policy won't be consulted.
     */
public void testNullCodeSource() throws Exception {
    assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);
    // create a policy with AllPermission
    Permission all = new AllPermission();
    PermissionCollection allCollection = all.newPermissionCollection();
    allCollection.add(all);
    ESPolicy policy = new ESPolicy(allCollection, Collections.emptyMap(), true);
    // restrict ourselves to NoPermission
    PermissionCollection noPermissions = new Permissions();
    assertFalse(policy.implies(new ProtectionDomain(null, noPermissions), new FilePermission("foo", "read")));
}
Also used : PermissionCollection(java.security.PermissionCollection) ProtectionDomain(java.security.ProtectionDomain) Permission(java.security.Permission) FilePermission(java.io.FilePermission) SocketPermission(java.net.SocketPermission) AllPermission(java.security.AllPermission) Permissions(java.security.Permissions) AllPermission(java.security.AllPermission) FilePermission(java.io.FilePermission)

Aggregations

FilePermission (java.io.FilePermission)143 Deployment (org.jboss.arquillian.container.test.api.Deployment)38 StringAsset (org.jboss.shrinkwrap.api.asset.StringAsset)29 JavaArchive (org.jboss.shrinkwrap.api.spec.JavaArchive)29 PropertyPermission (java.util.PropertyPermission)23 IOException (java.io.IOException)22 RemotingPermission (org.jboss.remoting3.security.RemotingPermission)21 Permission (java.security.Permission)20 File (java.io.File)19 URL (java.net.URL)19 PermissionCollection (java.security.PermissionCollection)19 SocketPermission (java.net.SocketPermission)18 WebArchive (org.jboss.shrinkwrap.api.spec.WebArchive)16 ReflectPermission (java.lang.reflect.ReflectPermission)12 Test (org.junit.Test)12 Permissions (java.security.Permissions)11 CodeSource (java.security.CodeSource)9 Path (java.nio.file.Path)8 SecurityPermission (java.security.SecurityPermission)8 Policy (java.security.Policy)7
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial