
Example 21 with Permissions

use of java.security.Permissions in project elasticsearch by elastic.

the class TikaImpl method getRestrictedPermissions.

/**
 * Builds the minimal, read-only permission set that parser code runs with.
 *
 * <p>Grants: read of system properties, the {@code TIKA_CONFIG} environment variable, read
 * access to the classpath and plugin JAR locations, read/readlink/write/delete below
 * {@code java.io.tmpdir}, and a few permissions the code itself labels as hacks for
 * POI/PDFBox and xmlbeans.
 *
 * @return the populated collection, already marked read-only
 */
static PermissionCollection getRestrictedPermissions() {
    Permissions restricted = new Permissions();

    // Parsing needs property and environment access.
    // NOTE(review): the "*" target covers every system property, not only parser-related
    // ones; anything sensitive passed via -D is readable by parser code.
    restricted.add(new PropertyPermission("*", "read"));
    restricted.add(new RuntimePermission("getenv.TIKA_CONFIG"));

    // Resource access, part 1: everything on the classpath.
    addReadPermissions(restricted, JarHell.parseClassPath());

    // Resource access, part 2: plugin jars, only discoverable when the loader exposes URLs.
    ClassLoader ownLoader = TikaImpl.class.getClassLoader();
    if (ownLoader instanceof URLClassLoader) {
        addReadPermissions(restricted, ((URLClassLoader) ownLoader).getURLs());
    }

    // The JVM temp directory needs read/write. The trailing "-" makes the FilePermission
    // recursive: it matches all files and subdirectories below java.io.tmpdir.
    String tmpTree = System.getProperty("java.io.tmpdir") + System.getProperty("file.separator") + "-";
    restricted.add(new FilePermission(tmpTree, "read,readlink,write,delete"));

    // Current hacks needed for POI/PDFbox issues.
    // NOTE(review): these three are the widest grants in the set. insertProvider and
    // putProviderProperty.BC allow changes to the JVM-wide security provider list, and
    // suppressAccessChecks lets reflection bypass Java language access checks. Revisit
    // whenever the parser libraries are upgraded.
    restricted.add(new SecurityPermission("putProviderProperty.BC"));
    restricted.add(new SecurityPermission("insertProvider"));
    restricted.add(new ReflectPermission("suppressAccessChecks"));

    // xmlbeans, used by POI, needs to get the context classloader.
    restricted.add(new RuntimePermission("getClassLoader"));

    // Freeze the collection so callers cannot widen it afterwards.
    restricted.setReadOnly();
    return restricted;
}
Also used : PropertyPermission(java.util.PropertyPermission) URLClassLoader(java.net.URLClassLoader) Permissions(java.security.Permissions) ReflectPermission(java.lang.reflect.ReflectPermission) FilePermission(java.io.FilePermission) SecurityPermission(java.security.SecurityPermission)

Example 22 with Permissions

use of java.security.Permissions in project elasticsearch by elastic.

the class EvilSecurityTests method testSymlinkPermissions.

/**
 * When a configured directory is a symlink, a permission granted on the link must also
 * cover the link's target. Skipped on Windows and on filesystems without symlink support.
 */
public void testSymlinkPermissions() throws IOException {
    // background: https://github.com/elastic/elasticsearch/issues/12170
    assumeFalse("windows does not automatically grant permission to the target of symlinks", Constants.WINDOWS);

    Path root = createTempDir();
    Path realDir = root.resolve("target");
    Files.createDirectory(realDir);

    // root/link -> root/target
    Path symlink = root.resolve("link");
    try {
        Files.createSymbolicLink(symlink, realDir);
    } catch (UnsupportedOperationException | IOException e) {
        assumeNoException("test requires filesystem that supports symbolic links", e);
    } catch (SecurityException e) {
        assumeNoException("test cannot create symbolic links with security manager enabled", e);
    }

    // Grant read through the link only.
    Permissions granted = new Permissions();
    Security.addPath(granted, "testing", symlink, "read");

    // Both the link and its target, plus a child of each, are checked against the grant.
    Path[] checkedPaths = { symlink, symlink.resolve("foo"), realDir, realDir.resolve("foo") };
    for (Path checked : checkedPaths) {
        assertExactPermissions(new FilePermission(checked.toString(), "read"), granted);
    }
}
Also used : Path(java.nio.file.Path) Permissions(java.security.Permissions) IOException(java.io.IOException) FilePermission(java.io.FilePermission)

Example 23 with Permissions

use of java.security.Permissions in project elasticsearch by elastic.

the class ESPolicyUnitTests method testListen.

/**
 * Checks that a policy built from an empty permission collection does not imply a
 * {@code listen} SocketPermission on localhost, for port 0 or a random port in 49152-65535.
 */
public void testListen() {
    // Reads the installed SecurityManager; the test only runs when none is present.
    assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);

    final PermissionCollection nothingGranted = new Permissions();
    final ESPolicy policyUnderTest = new ESPolicy(nothingGranted, Collections.emptyMap(), true);

    // Domain for this test class's own code source, with no static permissions attached.
    final ProtectionDomain testDomain =
        new ProtectionDomain(ESPolicyUnitTests.class.getProtectionDomain().getCodeSource(), nothingGranted);

    // Either the wildcard port 0 or one from the dynamic/ephemeral range.
    final String hostAndPort = "localhost:" + randomFrom(0, randomIntBetween(49152, 65535));
    final SocketPermission listenRequest = new SocketPermission(hostAndPort, "listen");

    // Nothing was granted, so the listen request must be denied.
    assertFalse(policyUnderTest.implies(testDomain, listenRequest));
}
Also used : PermissionCollection(java.security.PermissionCollection) ProtectionDomain(java.security.ProtectionDomain) SocketPermission(java.net.SocketPermission) Permissions(java.security.Permissions)

Example 24 with Permissions

use of java.security.Permissions in project elasticsearch by elastic.

the class PluginSecurityTests method testParseTwoPermissions.

/**
 * Parses the complex plugin policy file and expects exactly two RuntimePermissions from it:
 * {@code getClassLoader} and {@code closeClassLoader}.
 */
public void testParseTwoPermissions() throws Exception {
    assumeTrue("test cannot run with security manager enabled", System.getSecurityManager() == null);

    Path workDir = createTempDir();
    Path policyFile = this.getDataPath("security/complex-plugin-security.policy");

    // What the plugin's policy file actually requests.
    PermissionCollection parsed = PluginSecurity.parsePermissions(Terminal.DEFAULT, policyFile, workDir);

    // What it is allowed to request in this fixture.
    Permissions wanted = new Permissions();
    wanted.add(new RuntimePermission("getClassLoader"));
    wanted.add(new RuntimePermission("closeClassLoader"));

    // NOTE(review): this relies on how the two collections implement equals(); confirm it
    // compares the contained permissions rather than object identity.
    assertEquals(wanted, parsed);
}
Also used : Path(java.nio.file.Path) PermissionCollection(java.security.PermissionCollection) Permissions(java.security.Permissions)

Example 25 with Permissions

use of java.security.Permissions in project flink by apache.

the class SerializedThrowableTest method testSerialization.

@Test
public void testSerialization() {
    try {
        // The exception type must be unknown to the core class loader, so it is defined at
        // runtime from the raw class-file bytes below (0xCAFEBABE magic, major version 51).
        final byte[] classData = { -54, -2, -70, -66, 0, 0, 0, 51, 0, 21, 10, 0, 3, 0, 18, 7, 0, 19, 7, 0, 20, 1, 0, 16, 115, 101, 114, 105, 97, 108, 86, 101, 114, 115, 105, 111, 110, 85, 73, 68, 1, 0, 1, 74, 1, 0, 13, 67, 111, 110, 115, 116, 97, 110, 116, 86, 97, 108, 117, 101, 5, -103, -52, 22, -41, -23, -36, -25, 47, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 61, 76, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 102, 108, 105, 110, 107, 47, 114, 117, 110, 116, 105, 109, 101, 47, 117, 116, 105, 108, 47, 84, 101, 115, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 70, 111, 114, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 59, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 34, 84, 101, 115, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 70, 111, 114, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 46, 106, 97, 118, 97, 12, 0, 9, 0, 10, 1, 0, 59, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 102, 108, 105, 110, 107, 47, 114, 117, 110, 116, 105, 109, 101, 47, 117, 116, 105, 108, 47, 84, 101, 115, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 70, 111, 114, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 1, 0, 19, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 69, 120, 99, 101, 112, 116, 105, 111, 110, 0, 33, 0, 2, 0, 3, 0, 0, 0, 1, 0, 26, 0, 4, 0, 5, 0, 1, 0, 6, 0, 0, 0, 2, 0, 7, 0, 1, 0, 1, 0, 9, 0, 10, 0, 1, 0, 11, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 21, 0, 13, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 14, 0, 15, 0, 0, 0, 1, 0, 16, 0, 0, 0, 2, 0, 17 };

        // A class loader with an empty URL list; the new class is defined directly into it.
        ClassLoader isolatedLoader = new URLClassLoader(new URL[0]);

        // The dynamically defined class is given a protection domain with a null code
        // source and an empty Permissions collection, i.e. no statically granted permissions.
        ProtectionDomain emptyDomain = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), new Permissions());
        Class<?> dynamicType = MemoryUtils.UNSAFE.defineClass("org.apache.flink.runtime.util.TestExceptionForSerialization", classData, 0, classData.length, isolatedLoader, emptyDomain);

        // Instantiate the exception (no message, no cause).
        Class<? extends Exception> exceptionType = dynamicType.asSubclass(Exception.class);
        Exception original = exceptionType.newInstance();

        // A plain serialize/deserialize round trip through the test's own class loader must
        // fail, because that loader cannot resolve the dynamically defined class.
        try {
            byte[] rawBytes = InstantiationUtil.serializeObject(original);
            InstantiationUtil.deserializeObject(rawBytes, getClass().getClassLoader());
            fail("should fail with a class not found exception");
        } catch (ClassNotFoundException e) {
            // as we want it
        }

        // The SerializedThrowable wrapper must mimic the original exception.
        SerializedThrowable wrapped = new SerializedThrowable(original);
        assertEquals(original.getMessage(), wrapped.getMessage());
        assertEquals(original.toString(), wrapped.toString());
        assertEquals(ExceptionUtils.stringifyException(original), ExceptionUtils.stringifyException(wrapped));
        assertArrayEquals(original.getStackTrace(), wrapped.getStackTrace());

        // A serialized copy of the wrapper must still behave the same way.
        SerializedThrowable wrappedCopy = CommonTestUtils.createCopySerializable(wrapped);
        assertEquals(original.getMessage(), wrappedCopy.getMessage());
        assertEquals(original.toString(), wrappedCopy.toString());
        assertEquals(ExceptionUtils.stringifyException(original), ExceptionUtils.stringifyException(wrappedCopy));
        assertArrayEquals(original.getStackTrace(), wrappedCopy.getStackTrace());

        // With the loader that defined the class, the real exception type comes back.
        Throwable restored = wrappedCopy.deserializeError(isolatedLoader);
        assertEquals(dynamicType, restored.getClass());

        // With a loader that cannot see the class, deserializeError does not fail; the
        // result still stringifies like the original.
        Throwable restoredWithWrongLoader = wrappedCopy.deserializeError(getClass().getClassLoader());
        assertEquals(ExceptionUtils.stringifyException(original), ExceptionUtils.stringifyException(restoredWithWrongLoader));
    } catch (Exception e) {
        // Any unexpected exception fails the test; only its message is passed to fail().
        e.printStackTrace();
        fail(e.getMessage());
    }
}
Also used : ProtectionDomain(java.security.ProtectionDomain) URLClassLoader(java.net.URLClassLoader) Permissions(java.security.Permissions) URLClassLoader(java.net.URLClassLoader) CodeSource(java.security.CodeSource) Certificate(java.security.cert.Certificate) Test(org.junit.Test)

Aggregations

Permissions (java.security.Permissions)35 ProtectionDomain (java.security.ProtectionDomain)21 PermissionCollection (java.security.PermissionCollection)16 AccessControlContext (java.security.AccessControlContext)13 Permission (java.security.Permission)11 FilePermission (java.io.FilePermission)10 CodeSource (java.security.CodeSource)10 SocketPermission (java.net.SocketPermission)7 Path (java.nio.file.Path)6 Policy (java.security.Policy)6 AllPermission (java.security.AllPermission)5 Certificate (java.security.cert.Certificate)5 URLClassLoader (java.net.URLClassLoader)4 File (java.io.File)3 IOException (java.io.IOException)3 SecurityPermission (java.security.SecurityPermission)2 UnresolvedPermission (java.security.UnresolvedPermission)2 ArrayList (java.util.ArrayList)2 Settings (org.elasticsearch.common.settings.Settings)2 Environment (org.elasticsearch.env.Environment)2