Search in sources :

Example 1 with SpecialPermission

use of org.opensearch.SpecialPermission in project security by opensearch-project.

the class DefaultPrincipalExtractor method extractPrincipal.

@Override
@SuppressWarnings("removal")
public String extractPrincipal(final X509Certificate x509Certificate, final Type type) {
    if (x509Certificate == null) {
        return null;
    }
    final SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }
    String dnString = AccessController.doPrivileged(new PrivilegedAction<String>() {

        @Override
        public String run() {
            final X500Principal principal = x509Certificate.getSubjectX500Principal();
            return principal.toString();
        }
    });
    // remove whitespaces
    try {
        final LdapName ln = new LdapName(dnString);
        final List<Rdn> rdns = new ArrayList<>(ln.getRdns());
        Collections.reverse(rdns);
        dnString = String.join(",", rdns.stream().map(r -> r.toString()).collect(Collectors.toList()));
    } catch (InvalidNameException e) {
        log.error("Unable to parse: {}", dnString, e);
    }
    if (log.isTraceEnabled()) {
        log.trace("principal: {}", dnString);
    }
    return dnString;
}
Also used : X509Certificate(java.security.cert.X509Certificate) LdapName(javax.naming.ldap.LdapName) X500Principal(javax.security.auth.x500.X500Principal) PrivilegedAction(java.security.PrivilegedAction) Collectors(java.util.stream.Collectors) ArrayList(java.util.ArrayList) List(java.util.List) Logger(org.apache.logging.log4j.Logger) Rdn(javax.naming.ldap.Rdn) InvalidNameException(javax.naming.InvalidNameException) SpecialPermission(org.opensearch.SpecialPermission) AccessController(java.security.AccessController) Collections(java.util.Collections) LogManager(org.apache.logging.log4j.LogManager) SpecialPermission(org.opensearch.SpecialPermission) InvalidNameException(javax.naming.InvalidNameException) ArrayList(java.util.ArrayList) X500Principal(javax.security.auth.x500.X500Principal) Rdn(javax.naming.ldap.Rdn) LdapName(javax.naming.ldap.LdapName)

Example 2 with SpecialPermission

use of org.opensearch.SpecialPermission in project security by opensearch-project.

the class HTTPSpnegoAuthenticator method extractCredentials.

@Override
@SuppressWarnings("removal")
public AuthCredentials extractCredentials(final RestRequest request, ThreadContext threadContext) {
    final SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }
    AuthCredentials creds = AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() {

        @Override
        public AuthCredentials run() {
            return extractCredentials0(request);
        }
    });
    return creds;
}
Also used : SpecialPermission(org.opensearch.SpecialPermission) AuthCredentials(org.opensearch.security.user.AuthCredentials)

Example 3 with SpecialPermission

use of org.opensearch.SpecialPermission in project security by opensearch-project.

the class SnapshotRestoreHelper method setCurrentThreadName.

@SuppressWarnings("removal")
private static void setCurrentThreadName(final String name) {
    final SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }
    AccessController.doPrivileged(new PrivilegedAction<Object>() {

        @Override
        public Object run() {
            Thread.currentThread().setName(name);
            return null;
        }
    });
}
Also used : SpecialPermission(org.opensearch.SpecialPermission)

Example 4 with SpecialPermission

use of org.opensearch.SpecialPermission in project security by opensearch-project.

the class SSLRequestHelper method getSSLInfo.

@SuppressWarnings("removal")
public static SSLInfo getSSLInfo(final Settings settings, final Path configPath, final RestRequest request, PrincipalExtractor principalExtractor) throws SSLPeerUnverifiedException {
    if (request == null || request.getHttpChannel() == null || !(request.getHttpChannel() instanceof Netty4HttpChannel)) {
        return null;
    }
    final SslHandler sslhandler = (SslHandler) ((Netty4HttpChannel) request.getHttpChannel()).getNettyChannel().pipeline().get("ssl_http");
    if (sslhandler == null) {
        return null;
    }
    final SSLEngine engine = sslhandler.engine();
    final SSLSession session = engine.getSession();
    X509Certificate[] x509Certs = null;
    final String protocol = session.getProtocol();
    final String cipher = session.getCipherSuite();
    String principal = null;
    boolean validationFailure = false;
    if (engine.getNeedClientAuth() || engine.getWantClientAuth()) {
        try {
            final Certificate[] certs = session.getPeerCertificates();
            if (certs != null && certs.length > 0 && certs[0] instanceof X509Certificate) {
                x509Certs = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
                final X509Certificate[] x509CertsF = x509Certs;
                final SecurityManager sm = System.getSecurityManager();
                if (sm != null) {
                    sm.checkPermission(new SpecialPermission());
                }
                validationFailure = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {

                    @Override
                    public Boolean run() {
                        return !validate(x509CertsF, settings, configPath);
                    }
                });
                if (validationFailure) {
                    throw new SSLPeerUnverifiedException("Unable to validate certificate (CRL)");
                }
                principal = principalExtractor == null ? null : principalExtractor.extractPrincipal(x509Certs[0], Type.HTTP);
            } else if (engine.getNeedClientAuth()) {
                final OpenSearchException ex = new OpenSearchException("No client certificates found but such are needed (SG 9).");
                throw ex;
            }
        } catch (final SSLPeerUnverifiedException e) {
            if (engine.getNeedClientAuth() || validationFailure) {
                throw e;
            }
        }
    }
    Certificate[] localCerts = session.getLocalCertificates();
    return new SSLInfo(x509Certs, principal, protocol, cipher, localCerts == null ? null : Arrays.copyOf(localCerts, localCerts.length, X509Certificate[].class));
}
Also used : SSLEngine(javax.net.ssl.SSLEngine) SSLPeerUnverifiedException(javax.net.ssl.SSLPeerUnverifiedException) SSLSession(javax.net.ssl.SSLSession) Netty4HttpChannel(org.opensearch.http.netty4.Netty4HttpChannel) SslHandler(io.netty.handler.ssl.SslHandler) X509Certificate(java.security.cert.X509Certificate) SpecialPermission(org.opensearch.SpecialPermission) PrivilegedAction(java.security.PrivilegedAction) OpenSearchException(org.opensearch.OpenSearchException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 5 with SpecialPermission

use of org.opensearch.SpecialPermission in project security by opensearch-project.

the class DefaultSecurityKeyStore method buildSSLContext0.

@SuppressWarnings("removal")
private SslContext buildSSLContext0(final SslContextBuilder sslContextBuilder) throws SSLException {
    final SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }
    SslContext sslContext = null;
    try {
        sslContext = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContext>() {

            @Override
            public SslContext run() throws Exception {
                return sslContextBuilder.build();
            }
        });
    } catch (final PrivilegedActionException e) {
        throw (SSLException) e.getCause();
    }
    return sslContext;
}
Also used : SpecialPermission(org.opensearch.SpecialPermission) PrivilegedActionException(java.security.PrivilegedActionException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) SslContext(io.netty.handler.ssl.SslContext)

Aggregations

SpecialPermission (org.opensearch.SpecialPermission)9 AuthCredentials (org.opensearch.security.user.AuthCredentials)3 IOException (java.io.IOException)2 PrivilegedAction (java.security.PrivilegedAction)2 PrivilegedActionException (java.security.PrivilegedActionException)2 X509Certificate (java.security.cert.X509Certificate)2 AuthenticatorUnavailableException (com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException)1 BadCredentialsException (com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException)1 SslContext (io.netty.handler.ssl.SslContext)1 SslHandler (io.netty.handler.ssl.SslHandler)1 Path (java.nio.file.Path)1 AccessController (java.security.AccessController)1 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)1 Certificate (java.security.cert.Certificate)1 ArrayList (java.util.ArrayList)1 Collections (java.util.Collections)1 HashMap (java.util.HashMap)1 List (java.util.List)1 Map (java.util.Map)1 Collectors (java.util.stream.Collectors)1