From 187be808c390a19a16f0e32b4aef07d00ddecd04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenzo=20Dematt=C3=A9?= Date: Sat, 8 Mar 2025 16:17:30 +0100 Subject: [PATCH 1/2] Make NotEntitledException inherit from AccessControlException for compatibility purposes (#124321) Even if the contract for JDK methods using the SecurityManager states that the exception throw is of type SecurityException, many libraries (including our own, apparently!) violates that and use the type actually thrown by SecurityManager, AccessControlException. A prime example is the GCS/CSP libraries. In order to maintain compatibility for them, we need to inherit from the more specific AccessControlException; this is less desirable, as AccessControlException is marked as deprecated for removal alongside the other SecurityManager classes, but we discussed and found this is the best short term solution. More work will be needed -- again, this is a short term solution. Replaces #123984 --- .../entitlement/runtime/api/NotEntitledException.java | 8 +++----- .../xpack/core/ssl/SSLConfigurationReloader.java | 4 +--- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/NotEntitledException.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/NotEntitledException.java index daccd198ab922..8366bd7448544 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/NotEntitledException.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/NotEntitledException.java 
@@ -9,12 +9,10 @@ package org.elasticsearch.entitlement.runtime.api; -public class NotEntitledException extends SecurityException { +import java.security.AccessControlException; + +public class NotEntitledException extends AccessControlException { public NotEntitledException(String message) { super(message); } - - public NotEntitledException(String message, Throwable cause) { - super(message, cause); - } } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloader.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloader.java index 8d77852c88ac8..e75fe0ab26f35 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloader.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloader.java @@ -12,7 +12,6 @@ import org.elasticsearch.action.support.PlainActionFuture; import org.elasticsearch.common.ssl.SslConfiguration; import org.elasticsearch.core.TimeValue; -import org.elasticsearch.entitlement.runtime.api.NotEntitledException; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; import org.elasticsearch.watcher.ResourceWatcherService; @@ -20,7 +19,6 @@ import java.io.IOException; import java.nio.file.Path; -import java.security.AccessControlException; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; @@ -110,7 +108,7 @@ private static void startWatching( fileWatcher.addListener(changeListener); try { resourceWatcherService.add(fileWatcher, Frequency.HIGH); - } catch (IOException | AccessControlException | NotEntitledException e) { + } catch (IOException | SecurityException e) { logger.error("failed to start watching directory [{}] for ssl configurations [{}] - {}", path, configurations, e); } }); From b99585defb42603e801beb88f7974939a7f895d1 Mon Sep 17 00:00:00 2001 
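Review bot: NotEntitledException now extends a type that is deprecated for removal, and nothing in the class records why or which type callers should catch. The rationale exists only in the commit message, so I would add a class comment such as `/** Extends AccessControlException only for compatibility with libraries that catch that type; new code should catch SecurityException. */`. The `(String message, Throwable cause)` constructor is dropped, which follows from AccessControlException offering no cause-taking constructor. No caller of it is visible in this patch, but any that exists elsewhere would need `initCause` to keep the underlying cause attached to the denial.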
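Review bot: The widened `catch (IOException | SecurityException e)` in startWatching only logs and continues, so a denied watch leaves certificate reloading off for that directory with a single error line as the only trace. Because `e` is bound to the third `{}` in the message, the entry may contain only the exception's toString and no stack trace, depending on how the logger treats a Throwable that fills a placeholder. That makes an entitlement denial hard to tell apart from any other SecurityException during triage. Passing the exception as a trailing argument without a placeholder, `logger.error("failed to start watching directory [{}] for ssl configurations [{}]", path, configurations, e);`, would keep the trace if the logger follows that convention. startWatching begins and ends outside the hunk.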
From: Lorenzo Dematte Date: Sat, 8 Mar 2025 17:49:57 +0100 Subject: [PATCH 2/2] cleanup exceptions --- .../java/org/elasticsearch/common/ssl/PemKeyConfig.java | 8 ++------ .../java/org/elasticsearch/common/ssl/PemTrustConfig.java | 7 +------ .../main/java/org/elasticsearch/common/ssl/PemUtils.java | 6 +----- .../java/org/elasticsearch/common/ssl/SslFileUtil.java | 3 +-- .../java/org/elasticsearch/common/ssl/StoreKeyConfig.java | 6 +----- .../org/elasticsearch/common/ssl/StoreTrustConfig.java | 7 +------ 6 files changed, 7 insertions(+), 30 deletions(-) diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemKeyConfig.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemKeyConfig.java index b1ddb89cdee7c..069f042521902 100644 --- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemKeyConfig.java +++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemKeyConfig.java @@ -10,11 +10,9 @@ package org.elasticsearch.common.ssl; import org.elasticsearch.core.Tuple; -import org.elasticsearch.entitlement.runtime.api.NotEntitledException; import java.io.IOException; import java.nio.file.Path; -import java.security.AccessControlException; import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.PrivateKey; @@ -126,10 +124,8 @@ private PrivateKey getPrivateKey(Path path) { throw new SslConfigException("could not load ssl private key file [" + path + "]"); } return privateKey; - } catch (AccessControlException e) { + } catch (SecurityException e) { throw SslFileUtil.accessControlFailure(KEY_FILE_TYPE, List.of(path), e, configBasePath); - } catch (NotEntitledException e) { - throw SslFileUtil.notEntitledFailure(KEY_FILE_TYPE, List.of(path), e, configBasePath); } catch (IOException e) { throw SslFileUtil.ioException(KEY_FILE_TYPE, List.of(path), e); } catch (GeneralSecurityException e) { 
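Review bot: The new `catch (SecurityException e)` in getPrivateKey sends every security exception raised while reading and parsing the key to `SslFileUtil.accessControlFailure`, not only access-control and entitlement denials. The helper's body is not in this patch, but if its message describes a blocked file access, a SecurityException from another source would be reported as a file-permission problem and point the operator at the wrong fix. If the goal is to stop naming the deprecated AccessControlException, a short comment on the catch such as `// access-control and entitlement denials (NotEntitledException) surface here` would at least record the intended scope. The same applies to the matching catches in getCertificates, PemTrustConfig.readCertificates, PemUtils.readPrivateKey, StoreKeyConfig.readKeyStore and StoreTrustConfig.readKeyStore. getPrivateKey starts and ends outside the hunk.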
@@ -140,7 +136,7 @@ private PrivateKey getPrivateKey(Path path) { private List getCertificates(Path path) { try { return PemUtils.readCertificates(Collections.singleton(path)); - } catch (AccessControlException e) { + } catch (SecurityException e) { throw SslFileUtil.accessControlFailure(CERT_FILE_TYPE, List.of(path), e, configBasePath); } catch (IOException e) { throw SslFileUtil.ioException(CERT_FILE_TYPE, List.of(path), e); diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemTrustConfig.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemTrustConfig.java index 04ea83ce6fa11..16aa02ef694d8 100644 --- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemTrustConfig.java +++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemTrustConfig.java @@ -9,12 +9,9 @@ package org.elasticsearch.common.ssl; -import org.elasticsearch.entitlement.runtime.api.NotEntitledException; - import java.io.IOException; import java.io.InputStream; import java.nio.file.Path; -import java.security.AccessControlException; import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.cert.Certificate; @@ -99,10 +96,8 @@ private Path resolveFile(String other) { private List readCertificates(List paths) { try { return PemUtils.readCertificates(paths); - } catch (AccessControlException e) { + } catch (SecurityException e) { throw SslFileUtil.accessControlFailure(CA_FILE_TYPE, paths, e, basePath); - } catch (NotEntitledException e) { - throw SslFileUtil.notEntitledFailure(CA_FILE_TYPE, paths, e, basePath); } catch (IOException e) { throw SslFileUtil.ioException(CA_FILE_TYPE, paths, e); } catch (GeneralSecurityException e) { diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java index bb9c8d69513ba..8b11356d26fcd 100644 
--- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java +++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java @@ -10,7 +10,6 @@ package org.elasticsearch.common.ssl; import org.elasticsearch.core.CharArrays; -import org.elasticsearch.entitlement.runtime.api.NotEntitledException; import java.io.BufferedReader; import java.io.IOException; @@ -19,7 +18,6 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; -import java.security.AccessControlException; import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.KeyFactory; @@ -111,10 +109,8 @@ public static PrivateKey readPrivateKey(Path path, Supplier passwordSupp throw new SslConfigException("could not load ssl private key file [" + path + "]"); } return privateKey; - } catch (AccessControlException e) { + } catch (SecurityException e) { throw SslFileUtil.accessControlFailure("PEM private key", List.of(path), e, null); - } catch (NotEntitledException e) { - throw SslFileUtil.notEntitledFailure("PEM private key", List.of(path), e, null); } catch (IOException e) { throw SslFileUtil.ioException("PEM private key", List.of(path), e); } catch (GeneralSecurityException e) { diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslFileUtil.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslFileUtil.java index e94ef627ec36f..e715b86d6cfb5 100644 --- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslFileUtil.java +++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslFileUtil.java @@ -16,7 +16,6 @@ import java.nio.file.AccessDeniedException; import java.nio.file.NoSuchFileException; import java.nio.file.Path; -import java.security.AccessControlException; import java.security.GeneralSecurityException; import java.security.UnrecoverableKeyException; import java.util.List; 
@@ -84,7 +83,7 @@ static SslConfigException notEntitledFailure(String fileType, List paths, return innerAccessControlFailure(fileType, paths, cause, basePath); } - static SslConfigException accessControlFailure(String fileType, List paths, AccessControlException cause, Path basePath) { + static SslConfigException accessControlFailure(String fileType, List paths, SecurityException cause, Path basePath) { return innerAccessControlFailure(fileType, paths, cause, basePath); } diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreKeyConfig.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreKeyConfig.java index af400d5dce6f1..d1583297599d4 100644 --- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreKeyConfig.java +++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreKeyConfig.java @@ -11,11 +11,9 @@ import org.elasticsearch.core.Nullable; import org.elasticsearch.core.Tuple; -import org.elasticsearch.entitlement.runtime.api.NotEntitledException; import java.io.IOException; import java.nio.file.Path; -import java.security.AccessControlException; import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.KeyStoreException; @@ -167,10 +165,8 @@ private KeyStore processKeyStore(KeyStore keyStore) { private KeyStore readKeyStore(Path path) { try { return KeyStoreUtil.readKeyStore(path, type, storePassword); - } catch (AccessControlException e) { + } catch (SecurityException e) { throw SslFileUtil.accessControlFailure("[" + type + "] keystore", List.of(path), e, configBasePath); - } catch (NotEntitledException e) { - throw SslFileUtil.notEntitledFailure("[" + type + "] keystore", List.of(path), e, configBasePath); } catch (IOException e) { throw SslFileUtil.ioException("[" + type + "] keystore", List.of(path), e); } catch (GeneralSecurityException e) { 
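Review bot: `notEntitledFailure`, whose tail is visible at the top of this hunk, now duplicates `accessControlFailure`: both forward to `innerAccessControlFailure`, and every call to it that appears in this patch was removed. If no caller remains elsewhere, it should be deleted in the same change. Its signature is cut off in the hunk header, but if the parameter is still typed as NotEntitledException, deleting it would also drop a reference to that type from the files touched here. A one-line comment on `accessControlFailure`, for example `// also handles NotEntitledException, which extends AccessControlException`, would show a reader where entitlement denials are now handled.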
diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreTrustConfig.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreTrustConfig.java index 16c57f7dfc821..52850ba6a0030 100644 --- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreTrustConfig.java +++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/StoreTrustConfig.java @@ -9,11 +9,8 @@ package org.elasticsearch.common.ssl; -import org.elasticsearch.entitlement.runtime.api.NotEntitledException; - import java.io.IOException; import java.nio.file.Path; -import java.security.AccessControlException; import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.cert.X509Certificate; @@ -95,10 +92,8 @@ public X509ExtendedTrustManager createTrustManager() { private KeyStore readKeyStore(Path path) { try { return KeyStoreUtil.readKeyStore(path, type, password); - } catch (AccessControlException e) { + } catch (SecurityException e) { throw SslFileUtil.accessControlFailure(fileTypeForException(), List.of(path), e, configBasePath); - } catch (NotEntitledException e) { - throw SslFileUtil.notEntitledFailure(fileTypeForException(), List.of(path), e, configBasePath); } catch (IOException e) { throw SslFileUtil.ioException(fileTypeForException(), List.of(path), e, getAdditionalErrorDetails()); } catch (GeneralSecurityException e) {