Search in sources :

Example 26 with PermissionCollection

use of java.security.PermissionCollection in project elasticsearch by elastic.

the class PluginSecurity method parsePermissions.

/**
     * Parses plugin policy into a set of permissions
     */
static PermissionCollection parsePermissions(Terminal terminal, Path file, Path tmpDir) throws IOException {
    // create a zero byte file for "comparison"
    // this is necessary because the default policy impl automatically grants two permissions:
    // 1. permission to exitVM (which we ignore)
    // 2. read permission to the code itself (e.g. jar file of the code)
    Path emptyPolicyFile = Files.createTempFile(tmpDir, "empty", "tmp");
    final Policy emptyPolicy;
    try {
        emptyPolicy = Policy.getInstance("JavaPolicy", new URIParameter(emptyPolicyFile.toUri()));
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
    IOUtils.rm(emptyPolicyFile);
    // parse the plugin's policy file into a set of permissions
    final Policy policy;
    try {
        policy = Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
    PermissionCollection permissions = policy.getPermissions(PluginSecurity.class.getProtectionDomain());
    // this method is supported with the specific implementation we use, but just check for safety.
    if (permissions == Policy.UNSUPPORTED_EMPTY_COLLECTION) {
        throw new UnsupportedOperationException("JavaPolicy implementation does not support retrieving permissions");
    }
    PermissionCollection actualPermissions = new Permissions();
    for (Permission permission : Collections.list(permissions.elements())) {
        if (!emptyPolicy.implies(PluginSecurity.class.getProtectionDomain(), permission)) {
            actualPermissions.add(permission);
        }
    }
    actualPermissions.setReadOnly();
    return actualPermissions;
}
Also used : Path(java.nio.file.Path) Policy(java.security.Policy) PermissionCollection(java.security.PermissionCollection) URIParameter(java.security.URIParameter) Permissions(java.security.Permissions) UnresolvedPermission(java.security.UnresolvedPermission) Permission(java.security.Permission) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)

Example 27 with PermissionCollection

use of java.security.PermissionCollection in project elasticsearch by elastic.

the class ClassPermissionTests method testPermissionCollection.

public void testPermissionCollection() {
    ClassPermission math = new ClassPermission("java.lang.Math");
    PermissionCollection collection = math.newPermissionCollection();
    collection.add(math);
    assertTrue(collection.implies(new ClassPermission("java.lang.Math")));
    assertFalse(collection.implies(new ClassPermission("pkg.MyClass")));
}
Also used : PermissionCollection(java.security.PermissionCollection)

Example 28 with PermissionCollection

use of java.security.PermissionCollection in project elasticsearch by elastic.

the class ClassPermissionTests method testPermissionCollectionWildcards.

public void testPermissionCollectionWildcards() {
    ClassPermission lang = new ClassPermission("java.lang.*");
    PermissionCollection collection = lang.newPermissionCollection();
    collection.add(lang);
    assertTrue(collection.implies(new ClassPermission("java.lang.Math")));
    assertFalse(collection.implies(new ClassPermission("pkg.MyClass")));
}
Also used : PermissionCollection(java.security.PermissionCollection)

Example 29 with PermissionCollection

use of java.security.PermissionCollection in project elasticsearch by elastic.

the class ESPolicyUnitTests method testListen.

public void testListen() {
    assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);
    final PermissionCollection noPermissions = new Permissions();
    final ESPolicy policy = new ESPolicy(noPermissions, Collections.emptyMap(), true);
    assertFalse(policy.implies(new ProtectionDomain(ESPolicyUnitTests.class.getProtectionDomain().getCodeSource(), noPermissions), new SocketPermission("localhost:" + randomFrom(0, randomIntBetween(49152, 65535)), "listen")));
}
Also used : PermissionCollection(java.security.PermissionCollection) ProtectionDomain(java.security.ProtectionDomain) SocketPermission(java.net.SocketPermission) Permissions(java.security.Permissions)

Example 30 with PermissionCollection

use of java.security.PermissionCollection in project elasticsearch by elastic.

the class PluginSecurityTests method testParseTwoPermissions.

/** Test that we can parse the set of permissions correctly for a complex policy */
public void testParseTwoPermissions() throws Exception {
    assumeTrue("test cannot run with security manager enabled", System.getSecurityManager() == null);
    Path scratch = createTempDir();
    Path testFile = this.getDataPath("security/complex-plugin-security.policy");
    Permissions expected = new Permissions();
    expected.add(new RuntimePermission("getClassLoader"));
    expected.add(new RuntimePermission("closeClassLoader"));
    PermissionCollection actual = PluginSecurity.parsePermissions(Terminal.DEFAULT, testFile, scratch);
    assertEquals(expected, actual);
}
Also used : Path(java.nio.file.Path) PermissionCollection(java.security.PermissionCollection) Permissions(java.security.Permissions)

Aggregations

PermissionCollection (java.security.PermissionCollection)45 Permissions (java.security.Permissions)16 Permission (java.security.Permission)14 FilePermission (java.io.FilePermission)11 ProtectionDomain (java.security.ProtectionDomain)11 CodeSource (java.security.CodeSource)9 Policy (java.security.Policy)9 AllPermission (java.security.AllPermission)6 IOException (java.io.IOException)5 SocketPermission (java.net.SocketPermission)5 URL (java.net.URL)5 File (java.io.File)4 Path (java.nio.file.Path)4 AccessControlContext (java.security.AccessControlContext)4 Principal (java.security.Principal)3 ArrayList (java.util.ArrayList)3 Enumeration (java.util.Enumeration)3 Test (org.junit.Test)3 UnresolvedPermission (java.security.UnresolvedPermission)2 Certificate (java.security.cert.Certificate)2