use of org.opensearch.SpecialPermission in project security by opensearch-project.
the class DefaultPrincipalExtractor method extractPrincipal.
/**
 * Derives the principal name from the subject DN of a certificate.
 *
 * <p>The subject is read inside a privileged block; when a security manager is installed the
 * caller must hold {@code SpecialPermission} first. The DN string is then re-parsed as an
 * {@link LdapName} and its RDNs are re-joined with a bare {@code ","}, which drops the
 * whitespace after the separators. {@code LdapName.getRdns()} lists RDNs right-to-left, so the
 * list is reversed to keep the order the certificate printed.
 *
 * <p>Security note: if the DN cannot be parsed, the error is logged and the <em>unnormalized</em>
 * string is returned. Code that compares the result with configured DNs therefore cannot assume
 * the separator-normalized form in that case.
 *
 * @param x509Certificate certificate to read the subject from; may be {@code null}
 * @param type            not read by this method
 * @return the normalized subject DN, the raw subject DN if parsing failed, or {@code null} when
 *         no certificate was given
 */
@Override
@SuppressWarnings("removal")
public String extractPrincipal(final X509Certificate x509Certificate, final Type type) {
    if (x509Certificate == null) {
        return null;
    }

    // Permission gate comes before the privileged block, so only callers holding
    // SpecialPermission reach the elevated code.
    final SecurityManager securityManager = System.getSecurityManager();
    if (securityManager != null) {
        securityManager.checkPermission(new SpecialPermission());
    }

    final String subjectDn = AccessController.doPrivileged(
        (PrivilegedAction<String>) () -> x509Certificate.getSubjectX500Principal().toString()
    );

    // Falls back to the raw subject string when normalization fails.
    String principalName = subjectDn;
    try {
        final List<Rdn> orderedRdns = new ArrayList<>(new LdapName(subjectDn).getRdns());
        Collections.reverse(orderedRdns);
        principalName = orderedRdns.stream().map(Rdn::toString).collect(Collectors.joining(","));
    } catch (InvalidNameException e) {
        log.error("Unable to parse: {}", subjectDn, e);
    }

    if (log.isTraceEnabled()) {
        log.trace("principal: {}", principalName);
    }
    return principalName;
}
use of org.opensearch.SpecialPermission in project security by opensearch-project.
the class HTTPSpnegoAuthenticator method extractCredentials.
/**
 * Extracts credentials from the request by delegating to {@code extractCredentials0} inside a
 * privileged block.
 *
 * <p>When a security manager is installed, the caller must hold {@code SpecialPermission};
 * the check runs before any privileged code, so an unauthorized caller fails with a
 * {@code SecurityException} and never reaches the elevated section.
 *
 * @param request       the incoming REST request handed to {@code extractCredentials0}
 * @param threadContext not read by this method
 * @return whatever {@code extractCredentials0} returns for the request
 */
@Override
@SuppressWarnings("removal")
public AuthCredentials extractCredentials(final RestRequest request, ThreadContext threadContext) {
    final SecurityManager securityManager = System.getSecurityManager();
    if (securityManager != null) {
        securityManager.checkPermission(new SpecialPermission());
    }

    // Keep the privileged section to the single delegate call.
    return AccessController.doPrivileged((PrivilegedAction<AuthCredentials>) () -> extractCredentials0(request));
}
use of org.opensearch.SpecialPermission in project security by opensearch-project.
the class SnapshotRestoreHelper method setCurrentThreadName.
/**
 * Renames the current thread inside a privileged block.
 *
 * <p>When a security manager is installed, the caller must hold {@code SpecialPermission};
 * that check happens before the privileged action runs.
 *
 * @param name new name for the calling thread
 */
@SuppressWarnings("removal")
private static void setCurrentThreadName(final String name) {
    final SecurityManager securityManager = System.getSecurityManager();
    if (securityManager != null) {
        securityManager.checkPermission(new SpecialPermission());
    }

    // The action has no result; null is returned only to satisfy PrivilegedAction.
    final PrivilegedAction<Object> rename = () -> {
        Thread.currentThread().setName(name);
        return null;
    };
    AccessController.doPrivileged(rename);
}
use of org.opensearch.SpecialPermission in project security by opensearch-project.
the class SSLRequestHelper method getSSLInfo.
/**
 * Collects TLS session details (peer certificates, principal, protocol, cipher suite and local
 * certificates) for a REST request that arrived over a Netty HTTP channel.
 *
 * <p>Peer certificates are inspected only when the engine requires or requests client
 * authentication. A presented chain is passed to {@code validate(...)} inside a privileged block,
 * and a failed validation always aborts with {@link SSLPeerUnverifiedException}, even when client
 * authentication is optional.
 *
 * @param settings           forwarded to {@code validate(...)}
 * @param configPath         forwarded to {@code validate(...)}
 * @param request            the REST request; may be {@code null}
 * @param principalExtractor derives the principal from the first peer certificate; when
 *                           {@code null} the principal stays {@code null}
 * @return the session details, or {@code null} when the request is {@code null}, is not carried
 *         by a {@code Netty4HttpChannel}, or the pipeline has no {@code "ssl_http"} handler
 * @throws SSLPeerUnverifiedException if certificate validation fails, or if the peer is
 *         unverified while client authentication is required
 */
@SuppressWarnings("removal")
public static SSLInfo getSSLInfo(final Settings settings, final Path configPath, final RestRequest request, PrincipalExtractor principalExtractor) throws SSLPeerUnverifiedException {
// Only Netty HTTP channels expose the pipeline that is inspected below.
if (request == null || request.getHttpChannel() == null || !(request.getHttpChannel() instanceof Netty4HttpChannel)) {
return null;
}
final SslHandler sslhandler = (SslHandler) ((Netty4HttpChannel) request.getHttpChannel()).getNettyChannel().pipeline().get("ssl_http");
// No handler registered under "ssl_http": callers get null, not an empty SSLInfo.
// NOTE(review): presumably this is the plain-HTTP case; callers must not treat null as "verified".
if (sslhandler == null) {
return null;
}
final SSLEngine engine = sslhandler.engine();
final SSLSession session = engine.getSession();
X509Certificate[] x509Certs = null;
final String protocol = session.getProtocol();
final String cipher = session.getCipherSuite();
String principal = null;
// Set before the validation exception is thrown so the catch block below can tell a failed
// validation apart from a peer that simply sent no certificate.
boolean validationFailure = false;
if (engine.getNeedClientAuth() || engine.getWantClientAuth()) {
try {
final Certificate[] certs = session.getPeerCertificates();
// Only the first element is type-checked; Arrays.copyOf would throw ArrayStoreException if a
// later element were not an X509Certificate.
if (certs != null && certs.length > 0 && certs[0] instanceof X509Certificate) {
x509Certs = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
final X509Certificate[] x509CertsF = x509Certs;
// The caller must hold SpecialPermission before the privileged validation runs.
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
// NOTE(review): the exception message suggests validate() performs CRL checking; confirm
// against validate().
validationFailure = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
@Override
public Boolean run() {
return !validate(x509CertsF, settings, configPath);
}
});
// Fail closed: a chain that does not validate never yields a principal.
if (validationFailure) {
throw new SSLPeerUnverifiedException("Unable to validate certificate (CRL)");
}
// The principal comes from the first certificate of the chain only.
principal = principalExtractor == null ? null : principalExtractor.extractPrincipal(x509Certs[0], Type.HTTP);
} else if (engine.getNeedClientAuth()) {
// Required client auth without a usable X.509 certificate; this exception is not an
// SSLPeerUnverifiedException, so the catch below does not apply to it.
final OpenSearchException ex = new OpenSearchException("No client certificates found but such are needed (SG 9).");
throw ex;
}
} catch (final SSLPeerUnverifiedException e) {
// Rethrown when client auth is required or validation failed. Otherwise (client auth merely
// requested, peer unverified) the exception is dropped and x509Certs/principal stay null.
if (engine.getNeedClientAuth() || validationFailure) {
throw e;
}
}
}
// May be null, in which case SSLInfo receives null for the local certificates.
Certificate[] localCerts = session.getLocalCertificates();
return new SSLInfo(x509Certs, principal, protocol, cipher, localCerts == null ? null : Arrays.copyOf(localCerts, localCerts.length, X509Certificate[].class));
}
use of org.opensearch.SpecialPermission in project security by opensearch-project.
the class DefaultSecurityKeyStore method buildSSLContext0.
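/**
 * Builds the {@code SslContext} from the given builder inside a privileged block.
 *
 * <p>When a security manager is installed, the caller must hold {@code SpecialPermission};
 * the check runs before the privileged action.
 *
 * @param sslContextBuilder the configured builder to build from
 * @return the built context
 * @throws SSLException if building fails; a checked failure of any other type is wrapped so
 *         that the original cause is kept
 */
@SuppressWarnings("removal")
private SslContext buildSSLContext0(final SslContextBuilder sslContextBuilder) throws SSLException {
    final SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }

    try {
        return AccessController.doPrivileged((PrivilegedExceptionAction<SslContext>) () -> sslContextBuilder.build());
    } catch (final PrivilegedActionException e) {
        final Throwable cause = e.getCause();
        if (cause instanceof SSLException) {
            throw (SSLException) cause;
        }
        // A blind cast would raise ClassCastException here and hide the real reason the TLS
        // context could not be built; wrap instead so the cause reaches logs and callers.
        throw new SSLException("Unable to build SSL context", cause);
    }
}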
Aggregations