Search in sources :

Example 1 with Permission

use of java.security.Permission in project elasticsearch by elastic.

the class BootstrapForTesting method getPluginPermissions.

/**
     * we don't know which codesources belong to which plugin, so just remove the permission from key codebases
     * like core, test-framework, etc. this way tests fail if accesscontroller blocks are missing.
     */
@SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
static Map<String, Policy> getPluginPermissions() throws Exception {
    List<URL> pluginPolicies = Collections.list(BootstrapForTesting.class.getClassLoader().getResources(PluginInfo.ES_PLUGIN_POLICY));
    if (pluginPolicies.isEmpty()) {
        return Collections.emptyMap();
    }
    // compute classpath minus obvious places, all other jars will get the permission.
    Set<URL> codebases = new HashSet<>(Arrays.asList(parseClassPathWithSymlinks()));
    Set<URL> excluded = new HashSet<>(Arrays.asList(// es core
    Bootstrap.class.getProtectionDomain().getCodeSource().getLocation(), // es test framework
    BootstrapForTesting.class.getProtectionDomain().getCodeSource().getLocation(), // lucene test framework
    LuceneTestCase.class.getProtectionDomain().getCodeSource().getLocation(), // randomized runner
    RandomizedRunner.class.getProtectionDomain().getCodeSource().getLocation(), // junit library
    Assert.class.getProtectionDomain().getCodeSource().getLocation()));
    codebases.removeAll(excluded);
    // parse each policy file, with codebase substitution from the classpath
    final List<Policy> policies = new ArrayList<>();
    for (URL policyFile : pluginPolicies) {
        policies.add(Security.readPolicy(policyFile, codebases.toArray(new URL[codebases.size()])));
    }
    // consult each policy file for those codebases
    Map<String, Policy> map = new HashMap<>();
    for (URL url : codebases) {
        map.put(url.getFile(), new Policy() {

            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                // implements union
                for (Policy p : policies) {
                    if (p.implies(domain, permission)) {
                        return true;
                    }
                }
                return false;
            }
        });
    }
    return Collections.unmodifiableMap(map);
}
Also used : Policy(java.security.Policy) ProtectionDomain(java.security.ProtectionDomain) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) URL(java.net.URL) FilePermission(java.io.FilePermission) SocketPermission(java.net.SocketPermission) Permission(java.security.Permission) HashSet(java.util.HashSet) SuppressForbidden(org.elasticsearch.common.SuppressForbidden)

Example 2 with Permission

use of java.security.Permission in project elasticsearch by elastic.

the class PluginSecurityTests method testFormatUnresolvedPermission.

/** Test that we can format an unresolved permission properly */
public void testFormatUnresolvedPermission() throws Exception {
    assumeTrue("test cannot run with security manager enabled", System.getSecurityManager() == null);
    Path scratch = createTempDir();
    Path testFile = this.getDataPath("security/unresolved-plugin-security.policy");
    PermissionCollection actual = PluginSecurity.parsePermissions(Terminal.DEFAULT, testFile, scratch);
    List<Permission> permissions = Collections.list(actual.elements());
    assertEquals(1, permissions.size());
    assertEquals("org.fake.FakePermission fakeName", PluginSecurity.formatPermission(permissions.get(0)));
}
Also used : Path(java.nio.file.Path) PermissionCollection(java.security.PermissionCollection) Permission(java.security.Permission)

Example 3 with Permission

use of java.security.Permission in project elasticsearch by elastic.

the class ESPolicyUnitTests method testNullCodeSource.

/**
     * Test policy with null codesource.
     * <p>
     * This can happen when restricting privileges with doPrivileged,
     * even though ProtectionDomain's ctor javadocs might make you think
     * that the policy won't be consulted.
     */
public void testNullCodeSource() throws Exception {
    assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);
    // create a policy with AllPermission
    Permission all = new AllPermission();
    PermissionCollection allCollection = all.newPermissionCollection();
    allCollection.add(all);
    ESPolicy policy = new ESPolicy(allCollection, Collections.emptyMap(), true);
    // restrict ourselves to NoPermission
    PermissionCollection noPermissions = new Permissions();
    assertFalse(policy.implies(new ProtectionDomain(null, noPermissions), new FilePermission("foo", "read")));
}
Also used : PermissionCollection(java.security.PermissionCollection) ProtectionDomain(java.security.ProtectionDomain) Permission(java.security.Permission) FilePermission(java.io.FilePermission) SocketPermission(java.net.SocketPermission) AllPermission(java.security.AllPermission) Permissions(java.security.Permissions) AllPermission(java.security.AllPermission) FilePermission(java.io.FilePermission)

Example 4 with Permission

use of java.security.Permission in project hadoop by apache.

the class TestDFSShell method testPut.

@Test(timeout = 30000)
public void testPut() throws IOException {
    // remove left over crc files:
    new File(TEST_ROOT_DIR, ".f1.crc").delete();
    new File(TEST_ROOT_DIR, ".f2.crc").delete();
    final File f1 = createLocalFile(new File(TEST_ROOT_DIR, "f1"));
    final File f2 = createLocalFile(new File(TEST_ROOT_DIR, "f2"));
    final Path root = mkdir(dfs, new Path("/testPut"));
    final Path dst = new Path(root, "dst");
    show("begin");
    final Thread copy2ndFileThread = new Thread() {

        @Override
        public void run() {
            try {
                show("copy local " + f2 + " to remote " + dst);
                dfs.copyFromLocalFile(false, false, new Path(f2.getPath()), dst);
            } catch (IOException ioe) {
                show("good " + StringUtils.stringifyException(ioe));
                return;
            }
            //should not be here, must got IOException
            assertTrue(false);
        }
    };
    //use SecurityManager to pause the copying of f1 and begin copying f2
    SecurityManager sm = System.getSecurityManager();
    System.out.println("SecurityManager = " + sm);
    System.setSecurityManager(new SecurityManager() {

        private boolean firstTime = true;

        @Override
        public void checkPermission(Permission perm) {
            if (firstTime) {
                Thread t = Thread.currentThread();
                if (!t.toString().contains("DataNode")) {
                    String s = "" + Arrays.asList(t.getStackTrace());
                    if (s.contains("FileUtil.copyContent")) {
                        //pause at FileUtil.copyContent
                        firstTime = false;
                        copy2ndFileThread.start();
                        try {
                            Thread.sleep(5000);
                        } catch (InterruptedException e) {
                        }
                    }
                }
            }
        }
    });
    show("copy local " + f1 + " to remote " + dst);
    dfs.copyFromLocalFile(false, false, new Path(f1.getPath()), dst);
    show("done");
    try {
        copy2ndFileThread.join();
    } catch (InterruptedException e) {
    }
    System.setSecurityManager(sm);
    // copy multiple files to destination directory
    final Path destmultiple = mkdir(dfs, new Path(root, "putmultiple"));
    Path[] srcs = new Path[2];
    srcs[0] = new Path(f1.getPath());
    srcs[1] = new Path(f2.getPath());
    dfs.copyFromLocalFile(false, false, srcs, destmultiple);
    srcs[0] = new Path(destmultiple, "f1");
    srcs[1] = new Path(destmultiple, "f2");
    assertTrue(dfs.exists(srcs[0]));
    assertTrue(dfs.exists(srcs[1]));
    // move multiple files to destination directory
    final Path destmultiple2 = mkdir(dfs, new Path(root, "movemultiple"));
    srcs[0] = new Path(f1.getPath());
    srcs[1] = new Path(f2.getPath());
    dfs.moveFromLocalFile(srcs, destmultiple2);
    assertFalse(f1.exists());
    assertFalse(f2.exists());
    srcs[0] = new Path(destmultiple2, "f1");
    srcs[1] = new Path(destmultiple2, "f2");
    assertTrue(dfs.exists(srcs[0]));
    assertTrue(dfs.exists(srcs[1]));
    f1.delete();
    f2.delete();
}
Also used : FsPermission(org.apache.hadoop.fs.permission.FsPermission) Permission(java.security.Permission) StringContains.containsString(org.hamcrest.core.StringContains.containsString) SequenceFile(org.apache.hadoop.io.SequenceFile) Test(org.junit.Test)

Example 5 with Permission

use of java.security.Permission in project joda-time by JodaOrg.

the class TestDateTimeZone method testZoneInfoProviderResourceLoading.

public void testZoneInfoProviderResourceLoading() {
    final Set<String> ids = new HashSet<String>(DateTimeZone.getAvailableIDs());
    ids.remove(DateTimeZone.getDefault().getID());
    final String id = ids.toArray(new String[ids.size()])[new Random().nextInt(ids.size())];
    try {
        Policy.setPolicy(new Policy() {

            @Override
            public PermissionCollection getPermissions(CodeSource codesource) {
                Permissions p = new Permissions();
                // enable everything
                p.add(new AllPermission());
                return p;
            }

            @Override
            public void refresh() {
            }

            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return !(permission instanceof FilePermission) && !permission.getName().contains(id);
            }
        });
        System.setSecurityManager(new SecurityManager());
        // will throw IllegalArgumentException if the resource can
        // not be loaded
        final DateTimeZone zone = DateTimeZone.forID(id);
        assertNotNull(zone);
    } finally {
        System.setSecurityManager(null);
        Policy.setPolicy(ALLOW);
    }
}
Also used : Policy(java.security.Policy) PermissionCollection(java.security.PermissionCollection) ProtectionDomain(java.security.ProtectionDomain) CodeSource(java.security.CodeSource) FilePermission(java.io.FilePermission) Random(java.util.Random) Permissions(java.security.Permissions) AllPermission(java.security.AllPermission) FilePermission(java.io.FilePermission) Permission(java.security.Permission) AllPermission(java.security.AllPermission) HashSet(java.util.HashSet)

Aggregations

Permission (java.security.Permission)236 Test (org.junit.Test)55 PermissionCollection (java.security.PermissionCollection)39 FilePermission (java.io.FilePermission)38 Permissions (java.security.Permissions)31 ProtectionDomain (java.security.ProtectionDomain)27 IOException (java.io.IOException)20 AllPermission (java.security.AllPermission)20 QuickTest (com.hazelcast.test.annotation.QuickTest)17 File (java.io.File)17 URL (java.net.URL)16 AccessControlException (java.security.AccessControlException)14 Principal (java.security.Principal)14 PropertyPermission (java.util.PropertyPermission)14 Policy (java.security.Policy)13 MBeanPermission (javax.management.MBeanPermission)13 AccessControlContext (java.security.AccessControlContext)12 CodeSource (java.security.CodeSource)11 SecurityPermission (java.security.SecurityPermission)11 ArrayList (java.util.ArrayList)10