From 2e632d47ca8627e421f1929769a4bd7992aa420e Mon Sep 17 00:00:00 2001 
From: Dan Berindei Date: Sat, 18 May 2019 12:21:49 +0300 Subject: [PATCH] ISPN-9599 Require ADMIN permission for getGlobalComponentRegistry * Deprecate getGlobalComponentRegistry and getComponentRegistry * Require ADMIN permission for both * Require ADMIN permission for configuration getters (getCacheManagerConfiguration, getDefaultCacheConfiguration, getCacheConfiguration) * Remove some internal usages of the configuration getters * Trust org.jboss.as.clustering.infinispan.* packages --- .../cli/interpreter/Interpreter.java | 12 +- .../interpreter/session/SecurityActions.java | 66 ---- .../cli/interpreter/session/SessionImpl.java | 14 +- .../interpreter/statement/DenyStatement.java | 3 +- .../interpreter/statement/GrantStatement.java | 3 +- .../interpreter/statement/InfoStatement.java | 2 +- .../interpreter/statement/RolesStatement.java | 3 +- .../statement/SecurityActions.java | 38 +++ .../interpreter/statement/SiteStatement.java | 3 +- .../cli/interpreter/SessionTest.java | 5 +- .../client/hotrod/SecurityActions.java | 100 ------ .../impl/transport/netty/SecurityActions.java | 16 - .../java/org/infinispan/AdvancedCache.java | 3 +- .../commands/CommandsFactoryImpl.java | 6 +- .../commands/CreateCacheCommand.java | 9 +- .../commands/RemoteCommandsFactory.java | 4 +- .../commands/RemoveCacheCommand.java | 14 +- .../configuration/cache/SecurityActions.java | 33 -- .../container/versioning/SecurityActions.java | 47 --- .../infinispan/distexec/SecurityActions.java | 7 - .../factories/GlobalComponentRegistry.java | 6 +- .../infinispan/factories/SecurityActions.java | 15 - .../impl/GlobalConfigurationManagerImpl.java | 39 ++- .../OverlayLocalConfigurationStorage.java | 9 +- .../globalstate/impl/SecurityActions.java | 27 +- .../VolatileLocalConfigurationStorage.java | 10 +- .../health/impl/ClusterHealthImpl.java | 4 +- .../infinispan/health/impl/HealthImpl.java | 8 +- .../interceptors/impl/SecurityActions.java | 31 -- .../org/infinispan/jmx/SecurityActions.java | 42 +-- 
.../manager/DefaultCacheManager.java | 31 +- .../manager/DefaultCacheManagerAdmin.java | 9 +- .../manager/EmbeddedCacheManager.java | 7 +- .../marshall/exts/SecurityActions.java | 5 - .../cachelistener/SecurityActions.java | 13 - .../ClusterListenerReplicateCallable.java | 5 +- .../cluster/SecurityActions.java | 7 + .../impl/InternalCacheRegistryImpl.java | 7 +- .../transport/jgroups/SecurityActions.java | 36 --- .../org/infinispan/security/Security.java | 4 +- .../actions/AddCacheDependencyAction.java | 27 ++ ...etCacheConfigurationFromManagerAction.java | 25 ++ .../GetCacheManagerConfigurationAction.java | 23 ++ .../impl/AuthorizationManagerImpl.java | 2 +- .../security/impl/ClusterRoleMapper.java | 5 +- .../security/impl/SecureCacheImpl.java | 3 +- .../security/impl/SecurityActions.java | 44 +++ .../stats/impl/CacheContainerStatsImpl.java | 8 +- .../stats/impl/SecurityActions.java | 8 - .../topology/ClusterTopologyManagerImpl.java | 8 +- .../xsite/BackupReceiverRepositoryImpl.java | 12 +- .../factories/ComponentRegistryTest.java | 3 +- .../health/ClusterHealthImplTest.java | 10 +- .../test/MultipleCacheManagersTest.java | 2 +- .../org/infinispan/test/SecurityActions.java | 51 +++ .../java/org/infinispan/test/TestingUtil.java | 34 +- .../ClusterTopologyManagerImplTest.java | 7 +- .../infinispan/util/PersistenceMockUtil.java | 3 +- .../EmbeddedCounterManagerFactory.java | 10 +- .../infinispan/counter/SecurityActions.java | 33 ++ .../manager/CounterConfigurationManager.java | 4 +- .../impl/manager/EmbeddedCounterManager.java | 2 +- .../counter/impl/manager/SecurityActions.java | 39 +++ .../EmbeddedClusteredLockManagerFactory.java | 3 +- .../org/infinispan/lock/SecurityActions.java | 33 ++ .../spi/InfinispanDirectoryProvider.java | 1 + .../AffinityShardIdentifierProvider.java | 7 +- .../query/backend/QueryKnownClasses.java | 6 +- .../query/backend/SecurityActions.java | 6 + .../impl/IckleFilterAndConverter.java | 6 +- .../query/impl/LifecycleManager.java | 9 +- 
.../query/impl/SecurityActions.java | 12 +- .../CompatibilityProtoStreamMarshaller.java | 13 +- .../query/remote/SecurityActions.java | 33 ++ .../impl/GetSerializationContextAction.java | 23 ++ .../remote/impl/ObjectRemoteQueryManager.java | 2 +- .../impl/ProtobufMetadataManagerImpl.java | 3 +- .../query/remote/impl/SecurityActions.java | 13 +- ...IckleBinaryProtobufFilterAndConverter.java | 3 +- .../IckleProtobufFilterAndConverter.java | 9 +- .../remote/impl/filter/SecurityActions.java | 32 ++ .../ProtobufValueWrapperFieldBridge.java | 3 +- .../remote/impl/indexing/SecurityActions.java | 32 ++ .../NettyTransportConnectionStats.java | 4 +- .../core/transport/SecurityActions.java | 39 +++ .../server/hotrod/HotRodServer.java | 28 +- .../server/hotrod/LifecycleCallbacks.java | 17 +- .../server/hotrod/SecurityActions.java | 16 +- .../hotrod/TransactionRequestProcessor.java | 10 +- .../BaseCompleteTransactionOperation.java | 5 +- .../hotrod/tx/operation/SecurityActions.java | 40 +++ .../endpoint/subsystem/SecurityActions.java | 88 ----- .../server/infinispan/SecurityActions.java | 291 ----------------- .../task/DistributedServerTask.java | 2 +- .../task/LocalServerTaskRunner.java | 2 +- .../infinispan/task/SecurityActions.java | 44 +++ .../infinispan/task/ServerTaskEngine.java | 2 +- .../task/ServerTaskRegistryImpl.java | 2 +- .../AbstractCacheConfigurationService.java | 3 +- .../CacheAvailabilityAttributeHandler.java | 1 - .../infinispan/subsystem/CacheCommands.java | 1 - .../subsystem/CacheConfigurationService.java | 4 +- .../subsystem/CacheContainerBuilder.java | 7 +- .../subsystem/CacheContainerCommands.java | 21 +- .../CacheContainerMetricsHandler.java | 3 +- .../subsystem/CacheMetricsHandler.java | 1 - .../CacheRebalanceAttributeHandler.java | 1 - ...acheRebalancingStatusAttributeHandler.java | 1 - .../infinispan/subsystem/CacheService.java | 7 +- .../subsystem/CliInterpreterHandler.java | 3 +- .../ClusterRebalanceAttributeHandler.java | 1 - 
.../infinispan/subsystem/CounterResource.java | 1 - .../GetProtoSchemaErrorsHandler.java | 2 +- .../subsystem/GetProtobufSchemaHandler.java | 2 +- .../GetProtobufSchemaNamesHandler.java | 2 +- .../GetProtobufSchemasWithErrorsHandler.java | 2 +- .../RegisterProtoSchemasOperationHandler.java | 2 +- .../infinispan/subsystem/SecurityActions.java | 302 ++++++++++++++++++ ...nregisterProtoSchemasOperationHandler.java | 2 +- .../UploadProtoFileOperationHandler.java | 2 +- .../java/org/infinispan/rest/RestServer.java | 4 +- .../rest/cachemanager/RestCacheManager.java | 2 +- .../rest/cachemanager/SecurityActions.java | 5 + .../org/infinispan/tasks/SecurityActions.java | 31 -- .../tasks/impl/TaskManagerImpl.java | 6 +- .../scripting/impl/ScriptingManagerImpl.java | 9 +- .../scripting/impl/SecurityActions.java | 7 - .../scripting/utils/ScriptingUtils.java | 6 +- .../migrator/rocksdb/RocksDBReaderTest.java | 2 +- 129 files changed, 1235 insertions(+), 1113 deletions(-) create mode 100644 cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SecurityActions.java delete mode 100644 client/hotrod-client/src/main/java/org/infinispan/client/hotrod/SecurityActions.java delete mode 100644 core/src/main/java/org/infinispan/configuration/cache/SecurityActions.java delete mode 100644 core/src/main/java/org/infinispan/container/versioning/SecurityActions.java delete mode 100644 core/src/main/java/org/infinispan/interceptors/impl/SecurityActions.java delete mode 100644 core/src/main/java/org/infinispan/remoting/transport/jgroups/SecurityActions.java create mode 100644 core/src/main/java/org/infinispan/security/actions/AddCacheDependencyAction.java create mode 100644 core/src/main/java/org/infinispan/security/actions/GetCacheConfigurationFromManagerAction.java create mode 100644 core/src/main/java/org/infinispan/security/actions/GetCacheManagerConfigurationAction.java create mode 100644 core/src/main/java/org/infinispan/security/impl/SecurityActions.java create mode 
100644 core/src/test/java/org/infinispan/test/SecurityActions.java create mode 100644 counter/src/main/java/org/infinispan/counter/SecurityActions.java create mode 100644 counter/src/main/java/org/infinispan/counter/impl/manager/SecurityActions.java create mode 100644 lock/src/main/java/org/infinispan/lock/SecurityActions.java create mode 100644 remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/SecurityActions.java create mode 100644 remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/GetSerializationContextAction.java create mode 100644 remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/SecurityActions.java create mode 100644 remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/SecurityActions.java create mode 100644 server/core/src/main/java/org/infinispan/server/core/transport/SecurityActions.java create mode 100644 server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/SecurityActions.java delete mode 100644 server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/SecurityActions.java create mode 100644 server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/SecurityActions.java create mode 100644 server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/SecurityActions.java delete mode 100644 tasks/api/src/main/java/org/infinispan/tasks/SecurityActions.java diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/Interpreter.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/Interpreter.java index 006ac0b7a9c6..07a75d8d9ee1 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/Interpreter.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/Interpreter.java 
@@ -26,6 +26,8 @@ import org.infinispan.cli.interpreter.session.SessionImpl; import org.infinispan.cli.interpreter.statement.Statement; import org.infinispan.commons.api.BasicCacheContainer; +import org.infinispan.commons.time.TimeService; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.factories.annotations.Inject; import org.infinispan.factories.annotations.Start; import org.infinispan.factories.annotations.Stop; @@ -35,7 +37,6 @@ import org.infinispan.jmx.annotations.ManagedAttribute; import org.infinispan.jmx.annotations.ManagedOperation; import org.infinispan.manager.EmbeddedCacheManager; -import org.infinispan.commons.time.TimeService; import org.infinispan.util.logging.LogFactory; @Scope(Scopes.GLOBAL) @@ -49,6 +50,8 @@ public class Interpreter { private EmbeddedCacheManager cacheManager; @Inject private TimeService timeService; + @Inject + private ConfigurationManager configurationManager; private ScheduledExecutorService executor; private long sessionReaperWakeupInterval = DEFAULT_SESSION_REAPER_WAKEUP_INTERVAL; @@ -79,7 +82,7 @@ public void stop() { @ManagedOperation(description = "Creates a new interpreter session") public String createSessionId(String cacheName) { String sessionId = UUID.randomUUID().toString(); - SessionImpl session = new SessionImpl(codecRegistry, cacheManager, sessionId, timeService); + SessionImpl session = new SessionImpl(codecRegistry, cacheManager, sessionId, timeService, configurationManager); sessions.put(sessionId, session); if (cacheName != null) { session.setCurrentCache(cacheName); 
@@ -119,7 +122,8 @@ void expireSessions() { @ManagedOperation(description = "Parses and executes IspnCliQL statements") public Map execute(final String sessionId, final String s) throws Exception { Session session = null; - ClassLoader oldCL = SecurityActions.setThreadContextClassLoader(cacheManager.getCacheManagerConfiguration().classLoader()); + ClassLoader classLoader = configurationManager.getGlobalConfiguration().classLoader(); + ClassLoader oldCL = SecurityActions.setThreadContextClassLoader(classLoader); Map response = new HashMap<>(); try { session = validateSession(sessionId); @@ -165,7 +169,7 @@ public Map execute(final String sessionId, final String s) throw private Session validateSession(final String sessionId) { if (sessionId == null) { - Session session = new SessionImpl(codecRegistry, cacheManager, null, timeService); + Session session = new SessionImpl(codecRegistry, cacheManager, null, timeService, configurationManager); cacheManager.getCacheManagerConfiguration().defaultCacheName().ifPresent(session::setCurrentCache); return session; } diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SecurityActions.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SecurityActions.java index 5bfea833173d..6b0d7b2e9e25 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SecurityActions.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SecurityActions.java 
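Review bot: In `validateSession`, the unchanged line `cacheManager.getCacheManagerConfiguration().defaultCacheName().ifPresent(session::setCurrentCache);` still uses the getter that this commit puts behind the ADMIN permission, while `execute` in the same file was switched to the injected `ConfigurationManager`. If authorization is enabled and the caller is not an administrator, a null `sessionId` would presumably fail here with a security exception instead of producing the transient session. Reading the default cache name the same way as `execute` keeps the two paths consistent: `configurationManager.getGlobalConfiguration().defaultCacheName().ifPresent(session::setCurrentCache);`. The body of `validateSession` continues outside the hunk.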
@@ -37,70 +37,4 @@ static void endBatch(final AdvancedCache cache) { return null; }); } - - interface SetThreadContextClassLoaderAction { - - ClassLoader setThreadContextClassLoader(Class cl); - - ClassLoader setThreadContextClassLoader(ClassLoader cl); - - SetThreadContextClassLoaderAction NON_PRIVILEGED = new SetThreadContextClassLoaderAction() { - @Override - public ClassLoader setThreadContextClassLoader(Class cl) { - ClassLoader old = Thread.currentThread().getContextClassLoader(); - Thread.currentThread().setContextClassLoader(cl.getClassLoader()); - return old; - } - - @Override - public ClassLoader setThreadContextClassLoader(ClassLoader cl) { - ClassLoader old = Thread.currentThread().getContextClassLoader(); - Thread.currentThread().setContextClassLoader(cl); - return old; - } - }; - - SetThreadContextClassLoaderAction PRIVILEGED = new SetThreadContextClassLoaderAction() { - - @Override - public ClassLoader setThreadContextClassLoader(final Class cl) { - return AccessController.doPrivileged(new PrivilegedAction() { - @Override - public ClassLoader run() { - ClassLoader old = Thread.currentThread().getContextClassLoader(); - Thread.currentThread().setContextClassLoader(cl.getClassLoader()); - return old; - } - }); - } - - @Override - public ClassLoader setThreadContextClassLoader(final ClassLoader cl) { - return AccessController.doPrivileged(new PrivilegedAction() { - @Override - public ClassLoader run() { - ClassLoader old = Thread.currentThread().getContextClassLoader(); - Thread.currentThread().setContextClassLoader(cl); - return old; - } - }); - } - }; - } - - public static ClassLoader setThreadContextClassLoader(Class cl) { - if (System.getSecurityManager() == null) { - return SetThreadContextClassLoaderAction.NON_PRIVILEGED.setThreadContextClassLoader(cl); - } else { - return SetThreadContextClassLoaderAction.PRIVILEGED.setThreadContextClassLoader(cl); - } - } - - public static ClassLoader setThreadContextClassLoader(ClassLoader cl) { - if 
(System.getSecurityManager() == null) { - return SetThreadContextClassLoaderAction.NON_PRIVILEGED.setThreadContextClassLoader(cl); - } else { - return SetThreadContextClassLoaderAction.PRIVILEGED.setThreadContextClassLoader(cl); - } - } } diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SessionImpl.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SessionImpl.java index 7e32c3414016..badfaa822fe7 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SessionImpl.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/session/SessionImpl.java @@ -3,7 +3,6 @@ import static org.infinispan.commons.dataconversion.MediaType.APPLICATION_OBJECT; import java.util.Collection; - import javax.transaction.TransactionManager; import org.infinispan.AdvancedCache; @@ -18,11 +17,12 @@ import org.infinispan.commons.api.BasicCacheContainer; import org.infinispan.commons.dataconversion.IdentityEncoder; import org.infinispan.commons.dataconversion.MediaType; +import org.infinispan.commons.time.TimeService; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.cache.ConfigurationBuilder; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.remoting.rpc.RpcManager; -import org.infinispan.commons.time.TimeService; import org.infinispan.util.logging.LogFactory; public class SessionImpl implements Session { 
@@ -33,19 +33,21 @@ public class SessionImpl implements Session { private final CodecRegistry codecRegistry; private final String id; private final TimeService timeService; + private ConfigurationManager configurationManager; private Cache cache = null; private String cacheName = null; private long timestamp; private Codec codec; public SessionImpl(final CodecRegistry codecRegistry, final EmbeddedCacheManager cacheManager, final String id, - TimeService timeService) { + TimeService timeService, ConfigurationManager configurationManager) { if (timeService == null) { throw new IllegalArgumentException("TimeService cannot be null"); } this.codecRegistry = codecRegistry; this.cacheManager = cacheManager; this.timeService = timeService; + this.configurationManager = configurationManager; this.id = id; timestamp = timeService.time(); codec = this.codecRegistry.getCodec("none"); @@ -95,7 +97,7 @@ public void setCurrentCache(final String cacheName) { public void createCache(String cacheName, String baseCacheName) { Configuration configuration; if (baseCacheName != null) { - configuration = cacheManager.getCacheConfiguration(baseCacheName); + configuration = configurationManager.getConfiguration(baseCacheName, true); if (configuration == null) { throw log.nonExistentCache(baseCacheName); } @@ -114,7 +116,7 @@ public void createCache(String cacheName, String baseCacheName) { CreateCacheCommand ccc = factory.buildCreateCacheCommand(cacheName, baseCacheName); try { rpc.invokeRemotely(null, ccc, rpc.getDefaultRpcOptions(true)); - ccc.init(cacheManager); + ccc.init(cacheManager, configurationManager); ccc.invoke(); } catch (Throwable e) { throw log.cannotCreateClusteredCaches(e, cacheName); 
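Review bot: The new field `private ConfigurationManager configurationManager;` is left non-final, unlike the `final` fields declared around it, and the constructor rejects a null `timeService` but accepts a null `configurationManager`. A null value would only surface later as a NullPointerException in `createCache` or `reset`, both of which now dereference it. Declaring it `private final ConfigurationManager configurationManager;` and adding `if (configurationManager == null) throw new IllegalArgumentException("ConfigurationManager cannot be null");` next to the existing check would fail at construction instead.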
@@ -129,7 +131,7 @@ public void createCache(String cacheName, String baseCacheName) { @Override public void reset() { - if (cacheManager.getCacheManagerConfiguration().defaultCacheName().isPresent()) + if (configurationManager.getGlobalConfiguration().defaultCacheName().isPresent()) resetCache(cacheManager.getCache()); for (String cacheName : cacheManager.getCacheNames()) { resetCache(cacheManager.getCache(cacheName)); diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/DenyStatement.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/DenyStatement.java index d0c70dc7744e..04b00b09e697 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/DenyStatement.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/DenyStatement.java @@ -29,7 +29,8 @@ public DenyStatement(String roleName, String principalName) { @Override public Result execute(Session session) throws StatementException { - GlobalAuthorizationConfiguration gac = session.getCacheManager().getCacheManagerConfiguration().security().authorization(); + GlobalAuthorizationConfiguration gac = + SecurityActions.getCacheManagerConfiguration(session.getCacheManager()).security().authorization(); if (!gac.enabled()) { throw log.authorizationNotEnabledOnContainer(); } diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/GrantStatement.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/GrantStatement.java index fca59f4b9787..2982024eaf33 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/GrantStatement.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/GrantStatement.java 
@@ -29,7 +29,8 @@ public GrantStatement(String roleName, String principalName) { @Override public Result execute(Session session) throws StatementException { - GlobalAuthorizationConfiguration gac = session.getCacheManager().getCacheManagerConfiguration().security().authorization(); + GlobalAuthorizationConfiguration gac = + SecurityActions.getCacheManagerConfiguration(session.getCacheManager()).security().authorization(); if (!gac.enabled()) { throw log.authorizationNotEnabledOnContainer(); } diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/InfoStatement.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/InfoStatement.java index 2f587e5517e8..7078c66ab21f 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/InfoStatement.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/InfoStatement.java @@ -35,7 +35,7 @@ public Result execute(final Session session) throws StatementException { private Result cacheManagerInfo(Session session) { EmbeddedCacheManager cacheManager = session.getCacheManager(); - GlobalConfiguration globalConfiguration = cacheManager.getCacheManagerConfiguration(); + GlobalConfiguration globalConfiguration = SecurityActions.getCacheManagerConfiguration(cacheManager); return new StringResult(globalConfiguration.toString()); } diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/RolesStatement.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/RolesStatement.java index 959180aac0a1..7b18038b5911 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/RolesStatement.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/RolesStatement.java 
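Review bot: `cacheManagerInfo` in `InfoStatement` now obtains the global configuration through `SecurityActions.getCacheManagerConfiguration(cacheManager)`, a privileged action, and returns `globalConfiguration.toString()` to the session, so the ADMIN requirement this commit adds to the getter does not apply to whoever runs the statement. Whether the interpreter is reachable only by administrators is not visible in this diff; if it is not, the statement should check the caller's permission itself before building the result, or call the plain getter so the container's check applies. The same privileged getter is used in `DenyStatement`, `GrantStatement` and `RolesStatement`, where only `authorization().enabled()` is read, so the exposure there is smaller.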
@@ -27,7 +27,8 @@ public RolesStatement(String principalName) { @Override public Result execute(Session session) throws StatementException { - GlobalAuthorizationConfiguration gac = session.getCacheManager().getCacheManagerConfiguration().security().authorization(); + GlobalAuthorizationConfiguration gac = + SecurityActions.getCacheManagerConfiguration(session.getCacheManager()).security().authorization(); if (!gac.enabled()) { throw log.authorizationNotEnabledOnContainer(); } diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SecurityActions.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SecurityActions.java new file mode 100644 index 000000000000..eadb1dab86f5 --- /dev/null +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SecurityActions.java 
@@ -0,0 +1,38 @@ +package org.infinispan.cli.interpreter.statement; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.configuration.global.GlobalConfiguration; +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheManagerConfigurationAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for package org.infinispan.cli.interpreter.statement + * + * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author Tristan Tarrant + * @since 7.0 + */ +final class SecurityActions { + private static T doPrivileged(PrivilegedAction action) { + if (System.getSecurityManager() != null) { + return AccessController.doPrivileged(action); + } else { + return Security.doPrivileged(action); + } + } + + static GlobalConfiguration getCacheManagerConfiguration(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetCacheManagerConfigurationAction(cacheManager)); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } +} diff --git a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SiteStatement.java b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SiteStatement.java index 15ddb548a24a..efc0ddc7c4b5 100644 --- a/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SiteStatement.java +++ b/cli/cli-interpreter/src/main/java/org/infinispan/cli/interpreter/statement/SiteStatement.java 
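Review bot: The package-private helpers `getCacheManagerConfiguration` and `getGlobalComponentRegistry` carry no comment saying that they skip the ADMIN check this commit introduces on the corresponding `EmbeddedCacheManager` getters; the class Javadoc only warns about visibility. A one-line comment on each, for example `// Runs privileged: bypasses the ADMIN check, so callers must not hand the result to an unauthorized user.`, would tell callers where the authorization decision has to be made. The header also carries `@since 7.0` although the file is created by this commit, which looks copied from another SecurityActions class.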
@@ -99,7 +99,8 @@ private Result executeCacheOperation(Options option, Session session) throws Sta private Result executeContainerOperation(Options option, Session session) throws StatementException { EmbeddedCacheManager cacheManager = session.getCacheManager(); - GlobalXSiteAdminOperations xSiteAdmin = cacheManager.getGlobalComponentRegistry().getComponent(GlobalXSiteAdminOperations.class); + GlobalXSiteAdminOperations xSiteAdmin = SecurityActions.getGlobalComponentRegistry(cacheManager) + .getComponent(GlobalXSiteAdminOperations.class); String siteName = siteData != null ? siteData.getSiteName() : null; requireSiteName(siteName); diff --git a/cli/cli-interpreter/src/test/java/org/infinispan/cli/interpreter/SessionTest.java b/cli/cli-interpreter/src/test/java/org/infinispan/cli/interpreter/SessionTest.java index 9ac016458cbd..783fcb9f843f 100644 --- a/cli/cli-interpreter/src/test/java/org/infinispan/cli/interpreter/SessionTest.java +++ b/cli/cli-interpreter/src/test/java/org/infinispan/cli/interpreter/SessionTest.java @@ -2,6 +2,7 @@ import java.util.Map; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.test.SingleCacheManagerTest; import org.infinispan.test.TestingUtil; @@ -13,7 +14,9 @@ public class SessionTest extends SingleCacheManagerTest { public void testSessionExpiration() throws Exception { Interpreter interpreter = new Interpreter(); - TestingUtil.inject(interpreter, cacheManager, TIME_SERVICE); + ConfigurationManager configurationManager = + TestingUtil.extractGlobalComponent(cacheManager, ConfigurationManager.class); + TestingUtil.inject(interpreter, cacheManager, TIME_SERVICE, configurationManager); interpreter.setSessionTimeout(500); interpreter.setSessionReaperWakeupInterval(1000); interpreter.start(); 
diff --git a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/SecurityActions.java b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/SecurityActions.java deleted file mode 100644 index 3ad5707c45ce..000000000000 --- a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/SecurityActions.java +++ /dev/null 
@@ -1,100 +0,0 @@ -package org.infinispan.client.hotrod; - -import java.security.AccessController; -import java.security.PrivilegedAction; - -/** - * Privileged actions for package org.infinispan.client.hotrod - * - * Do not move. Do not change class and method visibility to avoid being called from other - * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. - * - * @author Scott.Stark@jboss.org - * @since 4.2 - */ -final class SecurityActions { - - interface SysProps { - - SysProps NON_PRIVILEGED = new SysProps() { - @Override - public String getProperty(final String name, final String defaultValue) { - return System.getProperty(name, defaultValue); - } - - @Override - public String getProperty(final String name) { - return System.getProperty(name); - } - - @Override - public String setProperty(String name, String value) { - return System.setProperty(name, value); - } - }; - - SysProps PRIVILEGED = new SysProps() { - @Override - public String getProperty(final String name, final String defaultValue) { - PrivilegedAction action = new PrivilegedAction() { - @Override - public String run() { - return System.getProperty(name, defaultValue); - } - }; - return AccessController.doPrivileged(action); - } - - @Override - public String getProperty(final String name) { - PrivilegedAction action = new PrivilegedAction() { - @Override - public String run() { - return System.getProperty(name); - } - }; - return AccessController.doPrivileged(action); - } - - @Override - public String setProperty(final String name, final String value) { - PrivilegedAction action = new PrivilegedAction() { - @Override - public String run() { - return System.setProperty(name, value); - } - }; - return AccessController.doPrivileged(action); - } - }; - - String getProperty(String name, String defaultValue); - - String getProperty(String name); - - String setProperty(String name, String value); - } - - static String getProperty(String name, String defaultValue) { - 
if (System.getSecurityManager() == null) - return SysProps.NON_PRIVILEGED.getProperty(name, defaultValue); - - return SysProps.PRIVILEGED.getProperty(name, defaultValue); - } - - static String getProperty(String name) { - if (System.getSecurityManager() == null) - return SysProps.NON_PRIVILEGED.getProperty(name); - - return SysProps.PRIVILEGED.getProperty(name); - } - - static String setProperty(String name, String value) { - if (System.getSecurityManager() == null) { - return SysProps.NON_PRIVILEGED.setProperty(name, value); - } else { - return SysProps.PRIVILEGED.setProperty(name, value); - } - - } -} diff --git a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/SecurityActions.java b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/SecurityActions.java index 776081d4a9a1..dd70c37af2c8 100644 --- a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/SecurityActions.java +++ b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/SecurityActions.java @@ -75,13 +75,6 @@ public String run() { String setProperty(String name, String value); } - static String getProperty(String name, String defaultValue) { - if (System.getSecurityManager() == null) - return SysProps.NON_PRIVILEGED.getProperty(name, defaultValue); - - return SysProps.PRIVILEGED.getProperty(name, defaultValue); - } - static int getIntProperty(String name, int defaultValue) { String value = getProperty(name); if (value != null) { @@ -100,13 +93,4 @@ static String getProperty(String name) { return SysProps.PRIVILEGED.getProperty(name); } - - static String setProperty(String name, String value) { - if (System.getSecurityManager() == null) { - return SysProps.NON_PRIVILEGED.setProperty(name, value); - } else { - return SysProps.PRIVILEGED.setProperty(name, value); - } - - } } 
diff --git a/core/src/main/java/org/infinispan/AdvancedCache.java b/core/src/main/java/org/infinispan/AdvancedCache.java index de54e7212768..01d6fda8bac2 100644 --- a/core/src/main/java/org/infinispan/AdvancedCache.java +++ b/core/src/main/java/org/infinispan/AdvancedCache.java @@ -9,7 +9,6 @@ import java.util.concurrent.TimeUnit; import java.util.function.BiFunction; import java.util.function.Function; - import javax.security.auth.Subject; import javax.transaction.xa.XAResource; @@ -203,7 +202,9 @@ default AdvancedCache transform(Function, ? extends Ad /** * @return the component registry for this cache instance + * @deprecated Since 10.0, with no public API replacement */ + @Deprecated ComponentRegistry getComponentRegistry(); /** diff --git a/core/src/main/java/org/infinispan/commands/CommandsFactoryImpl.java b/core/src/main/java/org/infinispan/commands/CommandsFactoryImpl.java index 8529bdb6a2aa..5a5657152359 100644 --- a/core/src/main/java/org/infinispan/commands/CommandsFactoryImpl.java +++ b/core/src/main/java/org/infinispan/commands/CommandsFactoryImpl.java @@ -87,8 +87,10 @@ import org.infinispan.commons.marshall.LambdaExternalizer; import org.infinispan.commons.marshall.SerializeFunctionWith; import org.infinispan.commons.marshall.StreamingMarshaller; +import org.infinispan.commons.time.TimeService; import org.infinispan.commons.util.EnumUtil; import org.infinispan.commons.util.IntSet; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; import org.infinispan.conflict.impl.StateReceiver; import org.infinispan.container.impl.InternalDataContainer; 
@@ -140,7 +142,6 @@ import org.infinispan.transaction.xa.GlobalTransaction; import org.infinispan.transaction.xa.recovery.RecoveryManager; import org.infinispan.util.ByteString; -import org.infinispan.commons.time.TimeService; import org.infinispan.util.concurrent.CommandAckCollector; import org.infinispan.util.concurrent.locks.LockManager; import org.infinispan.util.logging.Log; @@ -203,6 +204,7 @@ public class CommandsFactoryImpl implements CommandsFactory { @Inject private VersionGenerator versionGenerator; @Inject private KeyPartitioner keyPartitioner; @Inject private TimeService timeService; + @Inject private ConfigurationManager configurationManager; private ByteString cacheName; private boolean transactional; @@ -475,7 +477,7 @@ public void initializeReplicableCommand(ReplicableCommand c, boolean isRemote) { break; case CreateCacheCommand.COMMAND_ID: CreateCacheCommand createCacheCommand = (CreateCacheCommand)c; - createCacheCommand.init(cacheManager); + createCacheCommand.init(cacheManager, configurationManager); break; case XSiteAdminCommand.COMMAND_ID: XSiteAdminCommand xSiteAdminCommand = (XSiteAdminCommand)c; diff --git a/core/src/main/java/org/infinispan/commands/CreateCacheCommand.java b/core/src/main/java/org/infinispan/commands/CreateCacheCommand.java index 33481e48560d..d96e0d18a56d 100644 --- a/core/src/main/java/org/infinispan/commands/CreateCacheCommand.java +++ b/core/src/main/java/org/infinispan/commands/CreateCacheCommand.java @@ -9,6 +9,8 @@ import org.infinispan.Cache; import org.infinispan.commands.remote.BaseRpcCommand; +import org.infinispan.commons.time.TimeService; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; import org.infinispan.distribution.DistributionManager; import org.infinispan.factories.ComponentRegistry; 
@@ -16,7 +18,6 @@ import org.infinispan.statetransfer.StateTransferLock; import org.infinispan.topology.CacheTopology; import org.infinispan.util.ByteString; -import org.infinispan.commons.time.TimeService; import org.infinispan.util.concurrent.CompletableFutures; import org.infinispan.util.logging.Log; import org.infinispan.util.logging.LogFactory; @@ -35,6 +36,7 @@ public class CreateCacheCommand extends BaseRpcCommand { private String cacheNameToCreate; private String cacheConfigurationName; private int expectedMembers; + private ConfigurationManager configurationManager; private CreateCacheCommand() { super(null); @@ -56,8 +58,9 @@ public CreateCacheCommand(ByteString cacheName, String cacheNameToCreate, String this.expectedMembers = expectedMembers; } - public void init(EmbeddedCacheManager cacheManager) { + public void init(EmbeddedCacheManager cacheManager, ConfigurationManager configurationManager) { this.cacheManager = cacheManager; + this.configurationManager = configurationManager; } @Override @@ -66,7 +69,7 @@ public CompletableFuture invokeAsync() throws Throwable { throw new NullPointerException("Cache configuration name is required"); } - Configuration cacheConfig = cacheManager.getCacheConfiguration(cacheConfigurationName); + Configuration cacheConfig = configurationManager.getConfiguration(cacheConfigurationName, true); if (cacheConfig == null) { throw new IllegalStateException( "Cache configuration " + cacheConfigurationName + " is not defined on node " + diff --git a/core/src/main/java/org/infinispan/commands/RemoteCommandsFactory.java b/core/src/main/java/org/infinispan/commands/RemoteCommandsFactory.java index abb668b3a808..d54305c70bf4 100644 --- a/core/src/main/java/org/infinispan/commands/RemoteCommandsFactory.java +++ b/core/src/main/java/org/infinispan/commands/RemoteCommandsFactory.java 
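Review bot: In `invokeAsync()` the lookup `configurationManager.getConfiguration(cacheConfigurationName, true)` passes a bare boolean whose meaning cannot be read at the call site, and the same literal recurs in the `getOrCreateCache` and `storeAll` hunks further down. These calls replace `cacheManager.getCacheConfiguration(...)`, which the commit description places behind ADMIN, so a reader needs to see that the bypass is deliberate, especially here where the configuration name belongs to an RPC command. A short comment would do, e.g. `// internal lookup through ConfigurationManager; the public getter now requires ADMIN`. `configurationManager` is only set in `init(...)`, and `invokeAsync()` continues outside the hunk.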
@@ -59,6 +59,7 @@ import org.infinispan.commands.write.RemoveExpiredCommand; import org.infinispan.commands.write.ReplaceCommand; import org.infinispan.commons.CacheException; +import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.factories.KnownComponentNames; import org.infinispan.factories.annotations.ComponentName; import org.infinispan.factories.annotations.Inject; @@ -98,6 +99,7 @@ @Scope(Scopes.GLOBAL) public class RemoteCommandsFactory { @Inject private EmbeddedCacheManager cacheManager; + @Inject private GlobalComponentRegistry globalComponentRegistry; @Inject @ComponentName(KnownComponentNames.MODULE_COMMAND_FACTORIES) private Map commandFactories; @@ -275,7 +277,7 @@ public CacheRpcCommand fromStream(byte id, byte type, ByteString cacheName) { command = new StateResponseCommand(cacheName); break; case RemoveCacheCommand.COMMAND_ID: - command = new RemoveCacheCommand(cacheName, cacheManager); + command = new RemoveCacheCommand(cacheName, globalComponentRegistry); break; case TxCompletionNotificationCommand.COMMAND_ID: command = new TxCompletionNotificationCommand(cacheName); diff --git a/core/src/main/java/org/infinispan/commands/RemoveCacheCommand.java b/core/src/main/java/org/infinispan/commands/RemoveCacheCommand.java index f36008806269..54f479d44f8c 100644 --- a/core/src/main/java/org/infinispan/commands/RemoveCacheCommand.java +++ b/core/src/main/java/org/infinispan/commands/RemoveCacheCommand.java @@ -14,7 +14,6 @@ import org.infinispan.factories.ComponentRegistry; import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.jmx.CacheJmxRegistration; -import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.persistence.manager.PersistenceManager; import org.infinispan.util.ByteString; import org.infinispan.util.DependencyGraph; 
@@ -33,31 +32,30 @@ public class RemoveCacheCommand extends BaseRpcCommand { public static final byte COMMAND_ID = 18; - private EmbeddedCacheManager cacheManager; + private GlobalComponentRegistry globalComponentRegistry; private RemoveCacheCommand() { super(null); // For command id uniqueness test } - public RemoveCacheCommand(ByteString cacheName, EmbeddedCacheManager cacheManager) { + public RemoveCacheCommand(ByteString cacheName, GlobalComponentRegistry globalComponentRegistry) { super(cacheName); - this.cacheManager = cacheManager; + this.globalComponentRegistry = globalComponentRegistry; } @Override public CompletableFuture invokeAsync() throws Throwable { - removeCache(cacheManager, cacheName.toString()); + removeCache(globalComponentRegistry, cacheName.toString()); return CompletableFutures.completedNull(); } - public static void removeCache(EmbeddedCacheManager cacheManager, String cacheName) { - GlobalComponentRegistry globalComponentRegistry = cacheManager.getGlobalComponentRegistry(); + public static void removeCache(GlobalComponentRegistry globalComponentRegistry, String cacheName) { ComponentRegistry cacheComponentRegistry = globalComponentRegistry.getNamedComponentRegistry(cacheName); if (cacheComponentRegistry != null) { cacheComponentRegistry.getComponent(PersistenceManager.class).setClearOnStop(true); cacheComponentRegistry.getComponent(CacheJmxRegistration.class).setUnregisterCacheMBean(true); cacheComponentRegistry.getComponent(PassivationManager.class).skipPassivationOnStop(true); - Cache cache = cacheManager.getCache(cacheName, false); + Cache cache = cacheComponentRegistry.getComponent(Cache.class); if (cache != null) { cache.stop(); } diff --git a/core/src/main/java/org/infinispan/configuration/cache/SecurityActions.java b/core/src/main/java/org/infinispan/configuration/cache/SecurityActions.java deleted file mode 100644 index f3e836002749..000000000000 
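Review bot: `removeCache` stays `public static` but now takes a `GlobalComponentRegistry` directly, so it no longer passes through `cacheManager.getGlobalComponentRegistry()`, the call this commit puts behind ADMIN; authorization is left entirely to whoever obtained the registry. The cache is also fetched with `cacheComponentRegistry.getComponent(Cache.class)` instead of `cacheManager.getCache(cacheName, false)`, which presumably skips any manager-level wrapping as well. Neither is wrong for internal use, but the contract should be written down, e.g. `/** Internal: performs no authorization check; callers must already be allowed to remove the cache. */`. The method body continues outside the hunk.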
--- a/core/src/main/java/org/infinispan/configuration/cache/SecurityActions.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package org.infinispan.configuration.cache;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-
-import org.infinispan.security.Security;
-import org.infinispan.security.actions.GetSystemPropertyAction;
-
-/**
- * SecurityActions for the org.infinispan.configuration.cache package.
- *
- * Do not move. Do not change class and method visibility to avoid being called from other
- * {@link java.security.CodeSource}s, thus granting privilege escalation to external code.
- *
- * @author Tristan Tarrant
- * @since 8.0
- */
-final class SecurityActions {
- private static T doPrivileged(PrivilegedAction action) {
- if (System.getSecurityManager() != null) {
- return AccessController.doPrivileged(action);
- } else {
- return Security.doPrivileged(action);
- }
- }
-
- static String getSystemProperty(String propertyName) {
- GetSystemPropertyAction action = new GetSystemPropertyAction(propertyName);
- return doPrivileged(action);
- }
-
-
-}
diff --git a/core/src/main/java/org/infinispan/container/versioning/SecurityActions.java b/core/src/main/java/org/infinispan/container/versioning/SecurityActions.java
deleted file mode 100644
index a4385020f5ab..000000000000
--- a/core/src/main/java/org/infinispan/container/versioning/SecurityActions.java
+++ /dev/null
@@ -1,47 +0,0 @@
-package org.infinispan.container.versioning;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-
-import org.infinispan.AdvancedCache;
-import org.infinispan.configuration.cache.Configuration;
-import org.infinispan.factories.ComponentRegistry;
-import org.infinispan.manager.EmbeddedCacheManager;
-import org.infinispan.security.Security;
-import org.infinispan.security.actions.AddCacheManagerListenerAction;
-import org.infinispan.security.actions.GetCacheComponentRegistryAction;
-import org.infinispan.security.actions.GetCacheConfigurationAction;
-
-/**
- * SecurityActions for the org.infinispan.container.versioning package.
- *
- * Do not move. Do not change class and method visibility to avoid being called from other
- * {@link java.security.CodeSource}s, thus granting privilege escalation to external code.
- *
- * @author Tristan Tarrant
- * @since 7.0
- */
-final class SecurityActions {
- private static T doPrivileged(PrivilegedAction action) {
- if (System.getSecurityManager() != null) {
- return AccessController.doPrivileged(action);
- } else {
- return Security.doPrivileged(action);
- }
- }
-
- static void addCacheManagerListener(final EmbeddedCacheManager cache, final Object listener) {
- AddCacheManagerListenerAction action = new AddCacheManagerListenerAction(cache, listener);
- doPrivileged(action);
- }
-
- static Configuration getCacheConfiguration(final AdvancedCache cache) {
- GetCacheConfigurationAction action = new GetCacheConfigurationAction(cache);
- return doPrivileged(action);
- }
-
- static ComponentRegistry getCacheComponentRegistry(final AdvancedCache cache) {
- GetCacheComponentRegistryAction action = new GetCacheComponentRegistryAction(cache);
- return doPrivileged(action);
- }
-}
diff --git a/core/src/main/java/org/infinispan/distexec/SecurityActions.java b/core/src/main/java/org/infinispan/distexec/SecurityActions.java
index fa812ca736f6..90c25559331f 100644
--- a/core/src/main/java/org/infinispan/distexec/SecurityActions.java +++ b/core/src/main/java/org/infinispan/distexec/SecurityActions.java @@ -9,14 +9,12 @@ import org.infinispan.configuration.cache.Configuration; import org.infinispan.factories.ComponentRegistry; import org.infinispan.interceptors.AsyncInterceptor; -import org.infinispan.remoting.rpc.RpcManager; import org.infinispan.security.AuthorizationManager; import org.infinispan.security.Security; import org.infinispan.security.actions.GetCacheAuthorizationManagerAction; import org.infinispan.security.actions.GetCacheComponentRegistryAction; import org.infinispan.security.actions.GetCacheConfigurationAction; import org.infinispan.security.actions.GetCacheInterceptorChainAction; -import org.infinispan.security.actions.GetCacheRpcManagerAction; /** * SecurityActions for the org.infinispan.distexec package. @@ -46,11 +44,6 @@ static AuthorizationManager getCacheAuthorizationManager(final AdvancedCache cache) { - GetCacheRpcManagerAction action = new GetCacheRpcManagerAction(cache); - return doPrivileged(action); - } - static Configuration getCacheConfiguration(final AdvancedCache cache) { GetCacheConfigurationAction action = new GetCacheConfigurationAction(cache); return doPrivileged(action); diff --git a/core/src/main/java/org/infinispan/factories/GlobalComponentRegistry.java b/core/src/main/java/org/infinispan/factories/GlobalComponentRegistry.java index d6c8e024eb58..87dfc8f98852 100644 --- a/core/src/main/java/org/infinispan/factories/GlobalComponentRegistry.java +++ b/core/src/main/java/org/infinispan/factories/GlobalComponentRegistry.java 
@@ -22,6 +22,7 @@ import org.infinispan.commons.time.TimeService; import org.infinispan.commons.util.uberjar.ManifestUberJarDuplicatedJarsWarner; import org.infinispan.commons.util.uberjar.UberJarDuplicatedJarsWarner; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.configuration.global.ShutdownHookBehavior; import org.infinispan.conflict.EntryMergePolicyFactoryRegistry; @@ -94,10 +95,12 @@ public class GlobalComponentRegistry extends AbstractComponentRegistry { * Creates an instance of the component registry. The configuration passed in is automatically registered. * * @param configuration configuration with which this is created + * @param configurationManager */ public GlobalComponentRegistry(GlobalConfiguration configuration, EmbeddedCacheManager cacheManager, - Set createdCaches) { + Set createdCaches, + ConfigurationManager configurationManager) { super(new ComponentMetadataRepo(), configuration.classLoader(), Scopes.GLOBAL, null); ClassLoader configuredClassLoader = configuration.classLoader(); @@ -116,6 +119,7 @@ public GlobalComponentRegistry(GlobalConfiguration configuration, registerComponent(this, GlobalComponentRegistry.class); registerComponent(configuration, GlobalConfiguration.class); registerComponent(cacheManager, EmbeddedCacheManager.class); + basicComponentRegistry.registerComponent(ConfigurationManager.class.getName(), configurationManager, true); basicComponentRegistry.registerComponent(CacheManagerJmxRegistration.class.getName(), new CacheManagerJmxRegistration(), true); basicComponentRegistry.registerComponent(CacheManagerNotifier.class.getName(), new CacheManagerNotifierImpl(), true); basicComponentRegistry.registerComponent(InternalCacheRegistry.class.getName(), new InternalCacheRegistryImpl(), true); 
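Review bot: The added `@param configurationManager` tag has no description, and the constructor Javadoc still says nothing about `cacheManager` or `createdCaches`. The last hunk shows the argument being registered under `ConfigurationManager.class.getName()`, so the tag could read `@param configurationManager the configuration manager to register as a global component`. Nothing visible rejects a null `configurationManager`; if null is not a supported state, say so in the Javadoc or guard it with `Objects.requireNonNull(configurationManager, "configurationManager")`. The constructor body continues outside the hunk.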
diff --git a/core/src/main/java/org/infinispan/factories/SecurityActions.java b/core/src/main/java/org/infinispan/factories/SecurityActions.java index b8db8a474f79..aa91c732f863 100644 --- a/core/src/main/java/org/infinispan/factories/SecurityActions.java +++ b/core/src/main/java/org/infinispan/factories/SecurityActions.java @@ -6,7 +6,6 @@ import java.util.Map.Entry; import java.util.Properties; -import org.infinispan.security.Security; import org.infinispan.util.logging.Log; import org.infinispan.util.logging.LogFactory; @@ -60,18 +59,4 @@ static void applyProperties(Object o, Properties p) { setValue(o, (String) entry.getKey(), entry.getValue()); } } - - static void run(Runnable runnable) { - if (System.getSecurityManager() != null) { - AccessController.doPrivileged((PrivilegedAction) () -> { - runnable.run(); - return null; - }); - } else { - Security.doPrivileged((PrivilegedAction) () -> { - runnable.run(); - return null; - }); - } - } } diff --git a/core/src/main/java/org/infinispan/globalstate/impl/GlobalConfigurationManagerImpl.java b/core/src/main/java/org/infinispan/globalstate/impl/GlobalConfigurationManagerImpl.java index 9e239694ad5a..a0b7096013a1 100644 --- a/core/src/main/java/org/infinispan/globalstate/impl/GlobalConfigurationManagerImpl.java +++ b/core/src/main/java/org/infinispan/globalstate/impl/GlobalConfigurationManagerImpl.java 
@@ -3,14 +3,16 @@ import java.lang.invoke.MethodHandles; import java.util.EnumSet; import java.util.Map; +import java.util.Optional; import org.infinispan.Cache; import org.infinispan.commons.api.CacheContainerAdmin; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.cache.ConfigurationBuilder; -import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.configuration.parsing.ConfigurationBuilderHolder; import org.infinispan.configuration.parsing.ParserRegistry; +import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.factories.annotations.Inject; import org.infinispan.factories.annotations.Start; import org.infinispan.globalstate.GlobalConfigurationManager; @@ -35,17 +37,19 @@ public class GlobalConfigurationManagerImpl implements GlobalConfigurationManage public static final String CACHE_SCOPE = "cache"; - private EmbeddedCacheManager cacheManager; + @Inject private EmbeddedCacheManager cacheManager; + @Inject private LocalTopologyManager localTopologyManager; + @Inject private ConfigurationManager configurationManager; + @Inject private InternalCacheRegistry internalCacheRegistry; + @Inject private GlobalComponentRegistry globalComponentRegistry; + private Cache stateCache; private ParserRegistry parserRegistry; private LocalConfigurationStorage localConfigurationManager; - private LocalTopologyManager localTopologyManager; - @Inject - public void inject(GlobalConfiguration globalConfiguration, EmbeddedCacheManager cacheManager, LocalTopologyManager ltm) { - this.cacheManager = cacheManager; - this.localTopologyManager = ltm; - switch(globalConfiguration.globalState().configurationStorage()) { + @Start + public void start() { + switch(configurationManager.getGlobalConfiguration().globalState().configurationStorage()) { case IMMUTABLE: this.localConfigurationManager = new ImmutableLocalConfigurationStorage(); break; 
@@ -56,20 +60,16 @@ public void inject(GlobalConfiguration globalConfiguration, EmbeddedCacheManager this.localConfigurationManager = new OverlayLocalConfigurationStorage(); break; default: - this.localConfigurationManager = globalConfiguration.globalState().configurationStorageClass().get(); + this.localConfigurationManager = configurationManager.getGlobalConfiguration().globalState().configurationStorageClass().get(); break; } - } - @Start - public void start() { - InternalCacheRegistry internalCacheRegistry = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); internalCacheRegistry.registerInternalCache( CONFIG_STATE_CACHE_NAME, new ConfigurationBuilder().build(), EnumSet.of(InternalCacheRegistry.Flag.GLOBAL)); parserRegistry = new ParserRegistry(); - cacheManager.getGlobalComponentRegistry().wireDependencies(localConfigurationManager); + globalComponentRegistry.wireDependencies(localConfigurationManager); localConfigurationManager.initialize(cacheManager); // Initialize caches which are present in the initial state. We do this before installing the listener. 
@@ -124,15 +124,20 @@ public Configuration getOrCreateCache(String cacheName, String template, EnumSet if (template == null) { // The user has not specified a template, if a cache already exists just return it without checking for compatibility if (cacheManager.cacheExists(cacheName)) - return cacheManager.getCacheConfiguration(cacheName); + return configurationManager.getConfiguration(cacheName, true); else { - configuration = cacheManager.getDefaultCacheConfiguration(); + Optional defaultCacheName = configurationManager.getGlobalConfiguration().defaultCacheName(); + if (defaultCacheName.isPresent()) { + configuration = configurationManager.getConfiguration(defaultCacheName.get(), true); + } else { + configuration = null; + } } if (configuration == null) { configuration = new ConfigurationBuilder().build(); } } else { - configuration = cacheManager.getCacheConfiguration(template); + configuration = configurationManager.getConfiguration(template, true); if (configuration == null) { throw log.undeclaredConfiguration(template, cacheName); } diff --git a/core/src/main/java/org/infinispan/globalstate/impl/OverlayLocalConfigurationStorage.java b/core/src/main/java/org/infinispan/globalstate/impl/OverlayLocalConfigurationStorage.java index b9bb4f35b074..ed6a00e769ab 100644 --- a/core/src/main/java/org/infinispan/globalstate/impl/OverlayLocalConfigurationStorage.java +++ b/core/src/main/java/org/infinispan/globalstate/impl/OverlayLocalConfigurationStorage.java @@ -17,6 +17,7 @@ import org.infinispan.commons.util.concurrent.ConcurrentHashSet; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.cache.ConfigurationBuilder; +import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.configuration.global.GlobalStateConfiguration; import org.infinispan.configuration.parsing.ConfigurationBuilderHolder; import org.infinispan.globalstate.LocalConfigurationStorage; 
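Review bot: The added `isPresent()`/`get()` block with its explicit `configuration = null` branch is more verbose than it needs to be. Assuming `defaultCacheName()` returns an `Optional` of the cache name (it is consumed with `orElse(null)` in `DefaultCacheManager`), it collapses to `configuration = defaultCacheName.map(name -> configurationManager.getConfiguration(name, true)).orElse(null);`. The following `if (configuration == null)` fallback stays as it is. `getOrCreateCache` starts and ends outside the hunk.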
@@ -37,6 +38,7 @@ public class OverlayLocalConfigurationStorage extends VolatileLocalConfiguration @Override public void validateFlags(EnumSet flags) { + GlobalConfiguration globalConfiguration = configurationManager.getGlobalConfiguration(); if (flags.contains(CacheContainerAdmin.AdminFlag.PERMANENT) && !globalConfiguration.globalState().enabled()) throw log.globalStateDisabled(); } @@ -78,12 +80,13 @@ public Map loadAll() { private void storeAll() { try { + GlobalConfiguration globalConfiguration = configurationManager.getGlobalConfiguration(); File sharedDirectory = new File(globalConfiguration.globalState().sharedPersistentLocation()); sharedDirectory.mkdirs(); File temp = File.createTempFile("caches", null, sharedDirectory); Map configurationMap = new HashMap<>(); for (String cacheName : persistentCaches) { - configurationMap.put(cacheName, cacheManager.getCacheConfiguration(cacheName)); + configurationMap.put(cacheName, configurationManager.getConfiguration(cacheName, true)); } try (FileOutputStream f = new FileOutputStream(temp)) { parserRegistry.serialize(f, null, configurationMap); @@ -100,10 +103,10 @@ private void storeAll() { } private File getPersistentFile() { - return new File(globalConfiguration.globalState().sharedPersistentLocation(), "caches.xml"); + return new File(configurationManager.getGlobalConfiguration().globalState().sharedPersistentLocation(), "caches.xml"); } private File getPersistentFileLock() { - return new File(globalConfiguration.globalState().sharedPersistentLocation(), "caches.xml.lck"); + return new File(configurationManager.getGlobalConfiguration().globalState().sharedPersistentLocation(), "caches.xml.lck"); } } diff --git a/core/src/main/java/org/infinispan/globalstate/impl/SecurityActions.java b/core/src/main/java/org/infinispan/globalstate/impl/SecurityActions.java index 46292245e057..e6d8c26fb175 100644 --- a/core/src/main/java/org/infinispan/globalstate/impl/SecurityActions.java 
+++ b/core/src/main/java/org/infinispan/globalstate/impl/SecurityActions.java @@ -4,13 +4,16 @@ import java.security.PrivilegedAction; import org.infinispan.configuration.cache.Configuration; +import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.security.Security; import org.infinispan.security.actions.DefineConfigurationAction; import org.infinispan.security.actions.GetCacheAction; +import org.infinispan.security.actions.GetCacheConfigurationFromManagerAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; /** - * SecurityActions for the org.infinispan.globalstate.impl package. + * SecurityActions for the org.infinispan.cli.interpreter.session package. * * Do not move. Do not change class and method visibility to avoid being called from other * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. 
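Review bot: The class Javadoc edited in this hunk now reads `SecurityActions for the org.infinispan.cli.interpreter.session package`, but the file is `org/infinispan/globalstate/impl/SecurityActions.java`, and the line it replaced named the right package. The paragraph directly below warns against moving the class or widening its visibility, so the package named here should be the one the class actually guards: `* SecurityActions for the org.infinispan.globalstate.impl package.` The next hunk adds `getGlobalComponentRegistry` and `getCacheConfiguration` wrappers to this class, which makes that warning more relevant, not less.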
@@ -28,20 +31,18 @@ private static T doPrivileged(PrivilegedAction action) { } static void defineConfiguration(final EmbeddedCacheManager cacheManager, final String cacheName, final Configuration configurationOverride) { - DefineConfigurationAction action = new DefineConfigurationAction(cacheManager, cacheName, configurationOverride); - if (System.getSecurityManager() != null) { - AccessController.doPrivileged(action); - } else { - Security.doPrivileged(action); - } + doPrivileged(new DefineConfigurationAction(cacheManager, cacheName, configurationOverride)); } static void getCache(final EmbeddedCacheManager cacheManager, final String cacheName) { - GetCacheAction action = new GetCacheAction(cacheManager, cacheName); - if (System.getSecurityManager() != null) { - AccessController.doPrivileged(action); - } else { - Security.doPrivileged(action); - } + doPrivileged(new GetCacheAction(cacheManager, cacheName)); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } + + static Configuration getCacheConfiguration(EmbeddedCacheManager cacheManager, String name) { + return doPrivileged(new GetCacheConfigurationFromManagerAction(cacheManager, name)); } } diff --git a/core/src/main/java/org/infinispan/globalstate/impl/VolatileLocalConfigurationStorage.java b/core/src/main/java/org/infinispan/globalstate/impl/VolatileLocalConfigurationStorage.java index b5b7ac2754f2..776e6332e6c8 100644 --- a/core/src/main/java/org/infinispan/globalstate/impl/VolatileLocalConfigurationStorage.java +++ b/core/src/main/java/org/infinispan/globalstate/impl/VolatileLocalConfigurationStorage.java 
@@ -11,7 +11,6 @@ import org.infinispan.commons.api.CacheContainerAdmin; import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; -import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.configuration.parsing.ParserRegistry; import org.infinispan.eviction.PassivationManager; import org.infinispan.factories.ComponentRegistry; @@ -36,10 +35,11 @@ public class VolatileLocalConfigurationStorage implements LocalConfigurationStor protected static Log log = LogFactory.getLog(MethodHandles.lookup().lookupClass()); protected EmbeddedCacheManager cacheManager; protected ParserRegistry parserRegistry; - protected GlobalConfiguration globalConfiguration; + protected ConfigurationManager configurationManager; public void initialize(EmbeddedCacheManager cacheManager) { - this.globalConfiguration = cacheManager.getCacheManagerConfiguration(); + this.configurationManager = + SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ConfigurationManager.class); this.cacheManager = cacheManager; this.parserRegistry = new ParserRegistry(); } @@ -51,7 +51,7 @@ public void validateFlags(EnumSet flags) { } public void createCache(String name, String template, Configuration configuration, EnumSet flags) { - Configuration existing = cacheManager.getCacheConfiguration(name); + Configuration existing = SecurityActions.getCacheConfiguration(cacheManager, name); if (existing == null) { SecurityActions.defineConfiguration(cacheManager, name, configuration); log.debugf("Defined cache '%s' on '%s' using %s", name, cacheManager.getAddress(), configuration); 
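Review bot: `initialize()` now obtains the `ConfigurationManager` through the privileged `SecurityActions.getGlobalComponentRegistry(cacheManager)` call and keeps it in a `protected` field of a public, non-final class. A subclass from another code source, such as a custom configuration storage, could then read configuration through that field without the ADMIN check this commit places on the cache manager getters. The only subclass visible in this patch, `OverlayLocalConfigurationStorage`, lives in the same package, so the field could be package-private: `ConfigurationManager configurationManager;`. If external subclasses are meant to be trusted with it, the class Javadoc should say so.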
@@ -68,7 +68,7 @@ public void createCache(String name, String template, Configuration configuratio public void removeCache(String name, EnumSet flags) { log.debugf("Remove cache %s", name); - GlobalComponentRegistry globalComponentRegistry = cacheManager.getGlobalComponentRegistry(); + GlobalComponentRegistry globalComponentRegistry = SecurityActions.getGlobalComponentRegistry(cacheManager); ComponentRegistry cacheComponentRegistry = globalComponentRegistry.getNamedComponentRegistry(name); if (cacheComponentRegistry != null) { cacheComponentRegistry.getComponent(PersistenceManager.class).setClearOnStop(true); diff --git a/core/src/main/java/org/infinispan/health/impl/ClusterHealthImpl.java b/core/src/main/java/org/infinispan/health/impl/ClusterHealthImpl.java index e8fa4f034eb4..714f8339b763 100644 --- a/core/src/main/java/org/infinispan/health/impl/ClusterHealthImpl.java +++ b/core/src/main/java/org/infinispan/health/impl/ClusterHealthImpl.java @@ -18,9 +18,9 @@ public class ClusterHealthImpl implements ClusterHealth { private final EmbeddedCacheManager cacheManager; private final InternalCacheRegistry internalCacheRegistry; - public ClusterHealthImpl(EmbeddedCacheManager cacheManager) { + public ClusterHealthImpl(EmbeddedCacheManager cacheManager, InternalCacheRegistry internalCacheRegistry) { this.cacheManager = cacheManager; - internalCacheRegistry = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); + this.internalCacheRegistry = internalCacheRegistry; } @Override diff --git a/core/src/main/java/org/infinispan/health/impl/HealthImpl.java b/core/src/main/java/org/infinispan/health/impl/HealthImpl.java index 53158195448b..13659b4249d4 100644 --- a/core/src/main/java/org/infinispan/health/impl/HealthImpl.java +++ b/core/src/main/java/org/infinispan/health/impl/HealthImpl.java 
@@ -8,18 +8,22 @@ import org.infinispan.health.Health; import org.infinispan.health.HostInfo; import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.registry.InternalCacheRegistry; public class HealthImpl implements Health { private final EmbeddedCacheManager embeddedCacheManager; + private InternalCacheRegistry internalCacheRegistry; - public HealthImpl(EmbeddedCacheManager embeddedCacheManager) { + public HealthImpl(EmbeddedCacheManager embeddedCacheManager, + InternalCacheRegistry internalCacheRegistry) { this.embeddedCacheManager = embeddedCacheManager; + this.internalCacheRegistry = internalCacheRegistry; } @Override public ClusterHealth getClusterHealth() { - return new ClusterHealthImpl(embeddedCacheManager); + return new ClusterHealthImpl(embeddedCacheManager, internalCacheRegistry); } @Override diff --git a/core/src/main/java/org/infinispan/interceptors/impl/SecurityActions.java b/core/src/main/java/org/infinispan/interceptors/impl/SecurityActions.java deleted file mode 100644 index 6fca17201ccb..000000000000 --- a/core/src/main/java/org/infinispan/interceptors/impl/SecurityActions.java +++ /dev/null 
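Review bot: The new field is declared `private InternalCacheRegistry internalCacheRegistry;` while the neighbouring `embeddedCacheManager` is `final`, and in the lines shown it is assigned only in the constructor. Declare it `private final InternalCacheRegistry internalCacheRegistry;` so both collaborators are immutable and consistently published. The public constructor's extra parameter is also undocumented; a one-line `@param internalCacheRegistry` noting that it is handed to every `ClusterHealthImpl` created by `getClusterHealth()` would cover it.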
@@ -1,31 +0,0 @@ -package org.infinispan.interceptors.impl; - -import java.security.AccessController; -import java.security.PrivilegedAction; - -import org.infinispan.security.Security; -import org.infinispan.security.actions.GetSystemPropertyAsBooleanAction; - -/** - * Privileged actions for the package - * - * Do not move. Do not change class and method visibility to avoid being called from other - * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. - * - * @author Dan Berindei - * @since 9.0 - */ -final class SecurityActions { - private static T doPrivileged(PrivilegedAction action) { - if (System.getSecurityManager() != null) { - return AccessController.doPrivileged(action); - } else { - return Security.doPrivileged(action); - } - } - - - static boolean getBooleanProperty(String name) { - return doPrivileged(new GetSystemPropertyAsBooleanAction(name)); - } -} diff --git a/core/src/main/java/org/infinispan/jmx/SecurityActions.java b/core/src/main/java/org/infinispan/jmx/SecurityActions.java index 7a16ff0c90b0..3cd7f69b555f 100644 --- a/core/src/main/java/org/infinispan/jmx/SecurityActions.java +++ b/core/src/main/java/org/infinispan/jmx/SecurityActions.java @@ -1,15 +1,13 @@ package org.infinispan.jmx; -import org.infinispan.security.Security; - -import javax.management.MBeanServer; -import javax.management.ObjectName; -import javax.management.QueryExp; import java.security.AccessController; import java.security.PrivilegedAction; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.Set; +import javax.management.MBeanServer; +import javax.management.ObjectName; +import javax.management.QueryExp; + +import org.infinispan.security.Security; /** * SecurityActions for the org.infinispan.jmx package. 
@@ -25,37 +23,7 @@ private static T doPrivileged(PrivilegedAction action) { return (System.getSecurityManager() != null) ? AccessController.doPrivileged(action) : Security.doPrivileged(action); } - private static void doPrivileged(PrivilegedExceptionAction action) throws Exception { - try { - if (System.getSecurityManager() != null) { - AccessController.doPrivileged(action); - } else { - Security.doPrivileged(action); - } - } catch (PrivilegedActionException e) { - throw e.getException(); - } - } - - static void registerMBean(Object mbean, ObjectName objectName, MBeanServer mBeanServer) throws Exception { - doPrivileged(() -> { - mBeanServer.registerMBean(mbean, objectName); - return null; - }); - } - - static void unregisterMBean(ObjectName objectName, MBeanServer mBeanServer) throws Exception { - doPrivileged(() -> { - mBeanServer.unregisterMBean(objectName); - return null; - }); - } - static Set queryNames(ObjectName target, QueryExp query, MBeanServer mBeanServer) { return doPrivileged(() -> mBeanServer.queryNames(target, query)); } - - private SecurityActions() { - // Hide - } } diff --git a/core/src/main/java/org/infinispan/manager/DefaultCacheManager.java b/core/src/main/java/org/infinispan/manager/DefaultCacheManager.java index 64f0ed1a0a2c..4214263e598c 100644 --- a/core/src/main/java/org/infinispan/manager/DefaultCacheManager.java +++ b/core/src/main/java/org/infinispan/manager/DefaultCacheManager.java @@ -52,6 +52,7 @@ import org.infinispan.factories.annotations.SurvivesRestarts; import org.infinispan.factories.scopes.Scope; import org.infinispan.factories.scopes.Scopes; +import org.infinispan.globalstate.GlobalConfigurationManager; import org.infinispan.health.Health; import org.infinispan.health.impl.HealthImpl; import org.infinispan.health.impl.jmx.HealthJMXExposerImpl; 
@@ -254,17 +255,18 @@ public DefaultCacheManager(GlobalConfiguration globalConfiguration, Configuratio defaultCacheName = null; } } - this.globalComponentRegistry = new GlobalComponentRegistry(globalConfiguration, this, caches.keySet()); - this.globalComponentRegistry.registerComponent(configurationManager, ConfigurationManager.class); + this.globalComponentRegistry = new GlobalComponentRegistry(globalConfiguration, this, caches.keySet(), configurationManager); this.globalComponentRegistry.registerComponent(cacheDependencyGraph, CACHE_DEPENDENCY_GRAPH, false); this.authzHelper = new AuthorizationHelper(globalConfiguration.security(), AuditContext.CACHEMANAGER, globalConfiguration.globalJmxStatistics().cacheManagerName()); this.globalComponentRegistry.registerComponent(authzHelper, AuthorizationHelper.class); this.stats = new CacheContainerStatsImpl(this); - health = new HealthImpl(this); + globalComponentRegistry.registerComponent(stats, CacheContainerStats.class); + this.health = new HealthImpl(this, globalComponentRegistry.getComponent(InternalCacheRegistry.class)); globalComponentRegistry.registerComponent(new HealthJMXExposerImpl(health), HealthJMXExposer.class); - this.cacheManagerAdmin = new DefaultCacheManagerAdmin(this, authzHelper, EnumSet.noneOf(CacheContainerAdmin.AdminFlag.class)); + this.cacheManagerAdmin = new DefaultCacheManagerAdmin(this, authzHelper, EnumSet.noneOf(CacheContainerAdmin.AdminFlag.class), + globalComponentRegistry.getComponent(GlobalConfigurationManager.class)); if (start) start(); } 
@@ -329,18 +331,19 @@ public DefaultCacheManager(ConfigurationBuilderHolder holder, boolean start) { configurationManager = new ConfigurationManager(holder); GlobalConfiguration globalConfiguration = configurationManager.getGlobalConfiguration(); defaultCacheName = globalConfiguration.defaultCacheName().orElse(null); - globalComponentRegistry = new GlobalComponentRegistry(globalConfiguration, this, caches.keySet()); - globalComponentRegistry.registerComponent(configurationManager, ConfigurationManager.class); + this.globalComponentRegistry = new GlobalComponentRegistry(globalConfiguration, this, caches.keySet(), configurationManager); globalComponentRegistry.registerComponent(cacheDependencyGraph, CACHE_DEPENDENCY_GRAPH, false); stats = new CacheContainerStatsImpl(this); - health = new HealthImpl(this); + globalComponentRegistry.registerComponent(this, CacheContainerStats.class); + this.health = new HealthImpl(this, globalComponentRegistry.getComponent(InternalCacheRegistry.class)); globalComponentRegistry.registerComponent(new HealthJMXExposerImpl(health), HealthJMXExposer.class); authzHelper = new AuthorizationHelper(globalConfiguration.security(), AuditContext.CACHEMANAGER, globalConfiguration.globalJmxStatistics().cacheManagerName()); this.globalComponentRegistry.registerComponent(authzHelper, AuthorizationHelper.class); - cacheManagerAdmin = new DefaultCacheManagerAdmin(this, authzHelper, EnumSet.noneOf(CacheContainerAdmin.AdminFlag.class)); + cacheManagerAdmin = new DefaultCacheManagerAdmin(this, authzHelper, EnumSet.noneOf(CacheContainerAdmin.AdminFlag.class), + globalComponentRegistry.getComponent(GlobalConfigurationManager.class)); } catch (CacheConfigurationException ce) { throw ce; } catch (RuntimeException re) { 
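Review bot: In the `DefaultCacheManager(ConfigurationBuilderHolder, boolean)` constructor the added line `globalComponentRegistry.registerComponent(this, CacheContainerStats.class);` registers the cache manager itself under the `CacheContainerStats` key instead of the `stats` object created on the line before. The other constructor in this commit registers `stats`, and the code removed from `CacheContainerStatsImpl` registered the stats instance, so this looks like a copy-paste slip from moving that call. It should read `globalComponentRegistry.registerComponent(stats, CacheContainerStats.class);`. The constructor starts and ends outside this hunk, so any later registration that might mask the problem is not visible here.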
@@ -410,7 +413,7 @@ public void undefineConfiguration(String configurationName) { } } configurationManager.removeConfiguration(configurationName); - this.getGlobalComponentRegistry().removeCache(configurationName); + globalComponentRegistry.removeCache(configurationName); } } @@ -742,6 +745,10 @@ private void terminate(String cacheName) { public void stop() { authzHelper.checkPermission(AuthorizationPermission.LIFECYCLE); + internalStop(); + } + + private void internalStop() { lifecycleLock.lock(); try { while (status == ComponentStatus.STOPPING) { @@ -826,17 +833,18 @@ public Set getListeners() { @Override public ComponentStatus getStatus() { - authzHelper.checkPermission(AuthorizationPermission.LIFECYCLE); return status; } @Override public GlobalConfiguration getCacheManagerConfiguration() { + authzHelper.checkPermission(AuthorizationPermission.ADMIN); return configurationManager.getGlobalConfiguration(); } @Override public org.infinispan.configuration.cache.Configuration getDefaultCacheConfiguration() { + authzHelper.checkPermission(AuthorizationPermission.ADMIN); if (defaultCacheName != null) { return configurationManager.getConfiguration(defaultCacheName, true); } else { @@ -846,6 +854,7 @@ public org.infinispan.configuration.cache.Configuration getDefaultCacheConfigura @Override public Configuration getCacheConfiguration(String name) { + authzHelper.checkPermission(AuthorizationPermission.ADMIN); Configuration configuration = configurationManager.getConfiguration(name, true); if (configuration == null && cacheExists(name)) { return getDefaultCacheConfiguration(); @@ -1031,11 +1040,13 @@ public Transport getTransport() { @Override public GlobalComponentRegistry getGlobalComponentRegistry() { + authzHelper.checkPermission(AuthorizationPermission.ADMIN); return globalComponentRegistry; } @Override public void addCacheDependency(String from, String to) { + authzHelper.checkPermission(AuthorizationPermission.ADMIN); cacheDependencyGraph.addDependency(from, to); } 
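Review bot: The new private `internalStop()` has no comment saying that it deliberately skips the `LIFECYCLE` check that `stop()` performs before delegating to it. Its other callers are outside this hunk, so a reader cannot tell which paths are allowed to stop the manager without authorization. A short Javadoc such as `/** Stops the manager without a permission check; callers must already be authorized or be internal shutdown paths. */` would make the contract explicit and keep a later change from exposing it by accident.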
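Review bot: `getStatus()` loses its `authzHelper.checkPermission(AuthorizationPermission.LIFECYCLE)` call with no comment, in a commit that otherwise tightens access by adding `ADMIN` checks to the configuration getters. If the lifecycle state is meant to be readable by any caller, presumably because internal code needs it without a privileged action, say so on the method. For example: `// No permission check: the lifecycle status is not considered sensitive`. Without that note the relaxation reads as accidental.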
diff --git a/core/src/main/java/org/infinispan/manager/DefaultCacheManagerAdmin.java b/core/src/main/java/org/infinispan/manager/DefaultCacheManagerAdmin.java index 22a86b405e5e..c73d5ebbc253 100644 --- a/core/src/main/java/org/infinispan/manager/DefaultCacheManagerAdmin.java +++ b/core/src/main/java/org/infinispan/manager/DefaultCacheManagerAdmin.java @@ -21,10 +21,11 @@ public class DefaultCacheManagerAdmin implements EmbeddedCacheManagerAdmin { private final AuthorizationHelper authzHelper; private final EnumSet flags; - DefaultCacheManagerAdmin(EmbeddedCacheManager cm, AuthorizationHelper authzHelper, EnumSet flags) { + DefaultCacheManagerAdmin(EmbeddedCacheManager cm, AuthorizationHelper authzHelper, EnumSet flags, + GlobalConfigurationManager clusterConfigurationManager) { this.cacheManager = cm; this.authzHelper = authzHelper; - this.clusterConfigurationManager = cm.getGlobalComponentRegistry().getComponent(GlobalConfigurationManager.class); + this.clusterConfigurationManager = clusterConfigurationManager; this.flags = flags; } @@ -66,13 +67,13 @@ public void removeCache(String cacheName) { public EmbeddedCacheManagerAdmin withFlags(AdminFlag... flags) { EnumSet newFlags = EnumSet.copyOf(this.flags); for(AdminFlag flag : flags) newFlags.add((flag)); - return new DefaultCacheManagerAdmin(cacheManager, authzHelper, newFlags); + return new DefaultCacheManagerAdmin(cacheManager, authzHelper, newFlags, clusterConfigurationManager); } @Override public EmbeddedCacheManagerAdmin withFlags(EnumSet flags) { EnumSet newFlags = EnumSet.copyOf(this.flags); newFlags.addAll(flags); - return new DefaultCacheManagerAdmin(cacheManager, authzHelper, newFlags); + return new DefaultCacheManagerAdmin(cacheManager, authzHelper, newFlags, clusterConfigurationManager); } } diff --git a/core/src/main/java/org/infinispan/manager/EmbeddedCacheManager.java b/core/src/main/java/org/infinispan/manager/EmbeddedCacheManager.java index 6fa961bd005f..c15ba60eba14 100644 
--- a/core/src/main/java/org/infinispan/manager/EmbeddedCacheManager.java +++ b/core/src/main/java/org/infinispan/manager/EmbeddedCacheManager.java @@ -280,10 +280,9 @@ default Set getCacheConfigurationNames() { * memory and in any backing cache store. * * @param cacheName name of cache to remove - * @deprecated obtain a {@link org.infinispan.commons.api.CacheContainerAdmin} instance using {@link #administration()} and invoke the {@link org.infinispan.commons.api.CacheContainerAdmin#removeCache(String)} method + * @deprecated Since 9.2, obtain a {@link org.infinispan.commons.api.CacheContainerAdmin} instance using {@link #administration()} and invoke the {@link org.infinispan.commons.api.CacheContainerAdmin#removeCache(String)} method */ @Deprecated - // since 9.2 void removeCache(String cacheName); /** @@ -291,6 +290,10 @@ default Set getCacheConfigurationNames() { */ Transport getTransport(); + /** + * @deprecated Since 10.0, with no public API replacement + */ + @Deprecated GlobalComponentRegistry getGlobalComponentRegistry(); /** diff --git a/core/src/main/java/org/infinispan/marshall/exts/SecurityActions.java b/core/src/main/java/org/infinispan/marshall/exts/SecurityActions.java index a9ef0c8c9833..cf802645c357 100644 --- a/core/src/main/java/org/infinispan/marshall/exts/SecurityActions.java +++ b/core/src/main/java/org/infinispan/marshall/exts/SecurityActions.java @@ -5,9 +5,6 @@ import java.security.AccessController; import java.security.PrivilegedAction; -import org.infinispan.util.logging.Log; -import org.infinispan.util.logging.LogFactory; - /** * SecurityActions for the org.infinispan.marshall.exts package. * @@ -18,8 +15,6 @@ * @since 8.2 */ final class SecurityActions { - private static final Log log = LogFactory.getLog(SecurityActions.class); - private static Field getDeclaredField(Class c, String fieldName) { try { return c.getDeclaredField(fieldName); 
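Review bot: The new Javadoc on `getGlobalComponentRegistry()` records the deprecation but not the behaviour change made in `DefaultCacheManager`, where the method now calls `authzHelper.checkPermission(AuthorizationPermission.ADMIN)`. Callers of the interface should learn this from the API documentation. A sentence such as `When authorization is enabled, the caller must hold the ADMIN permission.` before the `@deprecated` tag would cover it. The same sentence is missing from `getCacheManagerConfiguration`, `getDefaultCacheConfiguration`, `getCacheConfiguration` and `addCacheDependency`, whose declarations are outside these hunks.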
diff --git a/core/src/main/java/org/infinispan/notifications/cachelistener/SecurityActions.java b/core/src/main/java/org/infinispan/notifications/cachelistener/SecurityActions.java index ecfc234bf12f..8b652f8645e0 100644 --- a/core/src/main/java/org/infinispan/notifications/cachelistener/SecurityActions.java +++ b/core/src/main/java/org/infinispan/notifications/cachelistener/SecurityActions.java @@ -2,14 +2,10 @@ import java.security.AccessController; import java.security.PrivilegedAction; -import java.util.List; import org.infinispan.Cache; import org.infinispan.distexec.DefaultExecutorService; -import org.infinispan.interceptors.AsyncInterceptor; -import org.infinispan.interceptors.AsyncInterceptorChain; import org.infinispan.security.Security; -import org.infinispan.security.actions.GetCacheInterceptorChainAction; import org.infinispan.security.actions.GetDefaultExecutorServiceAction; /** @@ -34,13 +30,4 @@ static DefaultExecutorService getDefaultExecutorService(final Cache cache) GetDefaultExecutorServiceAction action = new GetDefaultExecutorServiceAction(cache); return doPrivileged(action); } - - static List getInterceptorChain(final Cache cache) { - GetCacheInterceptorChainAction action = new GetCacheInterceptorChainAction(cache.getAdvancedCache()); - return doPrivileged(action); - } - - static AsyncInterceptorChain getAsyncInterceptorChain(final Cache cache) { - return doPrivileged(() -> cache.getAdvancedCache().getAsyncInterceptorChain()); - } } diff --git a/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/ClusterListenerReplicateCallable.java b/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/ClusterListenerReplicateCallable.java index f0288c1a7318..f2b246f61ebd 100644 --- a/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/ClusterListenerReplicateCallable.java +++ b/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/ClusterListenerReplicateCallable.java 
@@ -79,11 +79,10 @@ public ClusterListenerReplicateCallable(UUID identifier, Address origin, CacheEv public void setEnvironment(Cache cache, Set inputKeys) { cacheManager = cache.getCacheManager(); - ComponentRegistry componentRegistry = cache.getAdvancedCache().getComponentRegistry(); + ComponentRegistry componentRegistry = SecurityActions.getComponentRegistry(cache.getAdvancedCache()); cacheNotifier = componentRegistry.getComponent(CacheNotifier.class); - cacheManagerNotifier = cache.getCacheManager().getGlobalComponentRegistry().getComponent( - CacheManagerNotifier.class); + cacheManagerNotifier = componentRegistry.getComponent(CacheManagerNotifier.class); distExecutor = SecurityActions.getDefaultExecutorService(cache); ourAddress = cache.getCacheManager().getAddress(); eventManager = componentRegistry.getComponent(ClusterEventManager.class); diff --git a/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/SecurityActions.java b/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/SecurityActions.java index aaf72bf39994..3f8f4e65dae3 100644 --- a/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/SecurityActions.java +++ b/core/src/main/java/org/infinispan/notifications/cachelistener/cluster/SecurityActions.java @@ -3,9 +3,12 @@ import java.security.AccessController; import java.security.PrivilegedAction; +import org.infinispan.AdvancedCache; import org.infinispan.Cache; import org.infinispan.distexec.DefaultExecutorService; +import org.infinispan.factories.ComponentRegistry; import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheComponentRegistryAction; import org.infinispan.security.actions.GetDefaultExecutorServiceAction; /** 
@@ -30,4 +33,8 @@ static DefaultExecutorService getDefaultExecutorService(final Cache cache) GetDefaultExecutorServiceAction action = new GetDefaultExecutorServiceAction(cache); return doPrivileged(action); } + + static ComponentRegistry getComponentRegistry(AdvancedCache cache) { + return doPrivileged(new GetCacheComponentRegistryAction(cache)); + } } diff --git a/core/src/main/java/org/infinispan/registry/impl/InternalCacheRegistryImpl.java b/core/src/main/java/org/infinispan/registry/impl/InternalCacheRegistryImpl.java index f33ab3b9145c..876a244585c7 100644 --- a/core/src/main/java/org/infinispan/registry/impl/InternalCacheRegistryImpl.java +++ b/core/src/main/java/org/infinispan/registry/impl/InternalCacheRegistryImpl.java @@ -8,6 +8,7 @@ import org.infinispan.Cache; import org.infinispan.commons.util.concurrent.ConcurrentHashSet; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.CacheMode; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.cache.ConfigurationBuilder; @@ -27,8 +28,10 @@ */ public class InternalCacheRegistryImpl implements InternalCacheRegistry { private static final Log log = LogFactory.getLog(MethodHandles.lookup().lookupClass()); + @Inject private EmbeddedCacheManager cacheManager; @Inject private CacheManagerJmxRegistration cacheManagerJmxRegistration; + @Inject private ConfigurationManager configurationManager; private final ConcurrentMap> internalCaches = new ConcurrentHashMap<>(); private final Set privateCaches = new ConcurrentHashSet<>(); 
@@ -40,7 +43,7 @@ public void registerInternalCache(String name, Configuration configuration) { // Synchronized to prevent users from registering the same configuration at the same time @Override public synchronized void registerInternalCache(String name, Configuration configuration, EnumSet flags) { - boolean configPresent = cacheManager.getCacheConfiguration(name) != null; + boolean configPresent = configurationManager.getConfiguration(name, true) != null; // check if it already has been defined. Currently we don't support existing user-defined configuration. if ((flags.contains(Flag.EXCLUSIVE) || !internalCaches.containsKey(name)) && configPresent) { throw log.existingConfigForInternalCache(name); @@ -51,7 +54,7 @@ public synchronized void registerInternalCache(String name, Configuration config } ConfigurationBuilder builder = new ConfigurationBuilder().read(configuration); builder.jmxStatistics().disable(); // Internal caches must not be included in stats counts - GlobalConfiguration globalConfiguration = cacheManager.getCacheManagerConfiguration(); + GlobalConfiguration globalConfiguration = configurationManager.getGlobalConfiguration(); if (flags.contains(Flag.GLOBAL) && globalConfiguration.isClustered()) { // TODO: choose a merge policy builder.clustering() diff --git a/core/src/main/java/org/infinispan/remoting/transport/jgroups/SecurityActions.java b/core/src/main/java/org/infinispan/remoting/transport/jgroups/SecurityActions.java deleted file mode 100644 index 16cec865b474..000000000000 --- a/core/src/main/java/org/infinispan/remoting/transport/jgroups/SecurityActions.java +++ /dev/null 
@@ -1,36 +0,0 @@ -package org.infinispan.remoting.transport.jgroups; - -import java.security.AccessController; -import java.security.PrivilegedAction; - -import org.infinispan.security.Security; -import org.infinispan.security.actions.GetSystemPropertyAsBooleanAction; -import org.infinispan.security.actions.GetSystemPropertyAsIntegerAction; - -/** - * Privileged actions for the package - * - * Do not move. Do not change class and method visibility to avoid being called from other - * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. - * - * @author Dan Berindei - * @since 8.2 - */ -final class SecurityActions { - private static T doPrivileged(PrivilegedAction action) { - if (System.getSecurityManager() != null) { - return AccessController.doPrivileged(action); - } else { - return Security.doPrivileged(action); - } - } - - - static boolean getBooleanProperty(String name) { - return doPrivileged(new GetSystemPropertyAsBooleanAction(name)); - } - - static int getIntProperty(String name, int defaultValue) { - return doPrivileged(new GetSystemPropertyAsIntegerAction(name, defaultValue)); - } -} diff --git a/core/src/main/java/org/infinispan/security/Security.java b/core/src/main/java/org/infinispan/security/Security.java index e351913df9f2..9740d6713611 100644 --- a/core/src/main/java/org/infinispan/security/Security.java +++ b/core/src/main/java/org/infinispan/security/Security.java @@ -34,7 +34,9 @@ public final class Security { private static boolean isTrustedClass(Class klass) { // TODO: implement a better way - return klass.getPackage().getName().startsWith("org.infinispan."); + String packageName = klass.getPackage().getName(); + return packageName.startsWith("org.infinispan") || + packageName.startsWith("org.jboss.as.clustering.infinispan"); } public static T doPrivileged(PrivilegedAction action) { 
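Review bot: The rewritten `isTrustedClass` drops the trailing dot from the old `"org.infinispan."` prefix and adds a second prefix without one. `startsWith("org.infinispan")` and `startsWith("org.jboss.as.clustering.infinispan")` therefore also accept unrelated packages whose names merely begin with those characters. That widens the set of classes allowed through `Security.doPrivileged` beyond the two package trees named in the commit message. If the intent was to include the root package as well, match it exactly and keep the separator for sub-packages: `return packageName.equals("org.infinispan") || packageName.startsWith("org.infinispan.") || packageName.startsWith("org.jboss.as.clustering.infinispan.");`. `klass.getPackage()` can also return null for some classes, so a null guard before `getName()` would be prudent, although that dereference predates this change.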
diff --git a/core/src/main/java/org/infinispan/security/actions/AddCacheDependencyAction.java b/core/src/main/java/org/infinispan/security/actions/AddCacheDependencyAction.java new file mode 100644 index 000000000000..8cc8f3bd1c0b --- /dev/null +++ b/core/src/main/java/org/infinispan/security/actions/AddCacheDependencyAction.java @@ -0,0 +1,27 @@ +package org.infinispan.security.actions; + +import org.infinispan.manager.EmbeddedCacheManager; + +/** + * AddCacheDependencyAction. + * + * @author Dan Berindei + * @since 10.0 + */ +public class AddCacheDependencyAction extends AbstractEmbeddedCacheManagerAction { + + private final String from; + private final String to; + + public AddCacheDependencyAction(EmbeddedCacheManager cacheManager, String from, String to) { + super(cacheManager); + this.from = from; + this.to = to; + } + + @Override + public Void run() { + cacheManager.addCacheDependency(from, to); + return null; + } +} diff --git a/core/src/main/java/org/infinispan/security/actions/GetCacheConfigurationFromManagerAction.java b/core/src/main/java/org/infinispan/security/actions/GetCacheConfigurationFromManagerAction.java new file mode 100644 index 000000000000..ab183870c955 --- /dev/null +++ b/core/src/main/java/org/infinispan/security/actions/GetCacheConfigurationFromManagerAction.java @@ -0,0 +1,25 @@ +package org.infinispan.security.actions; + +import org.infinispan.configuration.cache.Configuration; +import org.infinispan.manager.EmbeddedCacheManager; + +/** + * GetCacheManagerConfigurationAction. + * + * @author Dan Berindei + * @since 10.0 + */ +public class GetCacheConfigurationFromManagerAction extends AbstractEmbeddedCacheManagerAction { + private final String name; + + public GetCacheConfigurationFromManagerAction(EmbeddedCacheManager cacheManager, String name) { + super(cacheManager); + this.name = name; + } + + @Override + public Configuration run() { + return cacheManager.getCacheConfiguration(name); + } + +} 
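Review bot: The class Javadoc of the new `GetCacheConfigurationFromManagerAction` opens with `GetCacheManagerConfigurationAction.`, which is the name of a different action added in the same commit. Since these classes wrap calls that now require `ADMIN`, the summary should say what the action does, for example `Privileged action that reads a named cache configuration through EmbeddedCacheManager#getCacheConfiguration(String).`. `AddCacheDependencyAction` would benefit from the same treatment, as its Javadoc only repeats the class name.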
diff --git a/core/src/main/java/org/infinispan/security/actions/GetCacheManagerConfigurationAction.java b/core/src/main/java/org/infinispan/security/actions/GetCacheManagerConfigurationAction.java new file mode 100644 index 000000000000..83e1e0c65cad --- /dev/null +++ b/core/src/main/java/org/infinispan/security/actions/GetCacheManagerConfigurationAction.java @@ -0,0 +1,23 @@ +package org.infinispan.security.actions; + +import org.infinispan.configuration.global.GlobalConfiguration; +import org.infinispan.manager.EmbeddedCacheManager; + +/** + * GetCacheManagerConfigurationAction. + * + * @author Tristan Tarrant + * @since 7.0 + */ +public class GetCacheManagerConfigurationAction extends AbstractEmbeddedCacheManagerAction { + + public GetCacheManagerConfigurationAction(EmbeddedCacheManager cacheManager) { + super(cacheManager); + } + + @Override + public GlobalConfiguration run() { + return cacheManager.getCacheManagerConfiguration(); + } + +} diff --git a/core/src/main/java/org/infinispan/security/impl/AuthorizationManagerImpl.java b/core/src/main/java/org/infinispan/security/impl/AuthorizationManagerImpl.java index d5eced7933d2..462a349f442b 100644 --- a/core/src/main/java/org/infinispan/security/impl/AuthorizationManagerImpl.java +++ b/core/src/main/java/org/infinispan/security/impl/AuthorizationManagerImpl.java @@ -38,7 +38,7 @@ public void init(@ComponentName(KnownComponentNames.CACHE_NAME) String cacheName this.authzHelper = new AuthorizationHelper(globalConfiguration.security(), AuditContext.CACHE, cacheName, globalACLCache); if (globalACLCache != null) { - cacheManager.addCacheDependency(cacheName, globalACLCache.getName()); + SecurityActions.addCacheDependency(cacheManager, cacheName, globalACLCache.getName()); } } diff --git a/core/src/main/java/org/infinispan/security/impl/ClusterRoleMapper.java b/core/src/main/java/org/infinispan/security/impl/ClusterRoleMapper.java index 3bb4a6bea980..e62702fa3318 100644 
--- a/core/src/main/java/org/infinispan/security/impl/ClusterRoleMapper.java +++ b/core/src/main/java/org/infinispan/security/impl/ClusterRoleMapper.java @@ -48,14 +48,15 @@ public Set principalToRoles(Principal principal) { @Override public void setContext(PrincipalRoleMapperContext context) { this.cacheManager = context.getCacheManager(); - GlobalConfiguration globalConfiguration = cacheManager.getGlobalComponentRegistry().getGlobalConfiguration(); + GlobalConfiguration globalConfiguration = SecurityActions.getCacheManagerConfiguration(cacheManager); CacheMode cacheMode = globalConfiguration.isClustered() ? CacheMode.REPL_SYNC : CacheMode.LOCAL; ConfigurationBuilder cfg = new ConfigurationBuilder(); cfg.clustering().cacheMode(cacheMode).sync() .stateTransfer().fetchInMemoryState(true).awaitInitialTransfer(false) .security().authorization().disable(); - InternalCacheRegistry internalCacheRegistry = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); + InternalCacheRegistry internalCacheRegistry = + SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(InternalCacheRegistry.class); internalCacheRegistry.registerInternalCache(CLUSTER_ROLE_MAPPER_CACHE, cfg.build(), EnumSet.of(InternalCacheRegistry.Flag.PERSISTENT)); } diff --git a/core/src/main/java/org/infinispan/security/impl/SecureCacheImpl.java b/core/src/main/java/org/infinispan/security/impl/SecureCacheImpl.java index 3633754f7dd3..c98930d79cf2 100644 --- a/core/src/main/java/org/infinispan/security/impl/SecureCacheImpl.java +++ b/core/src/main/java/org/infinispan/security/impl/SecureCacheImpl.java @@ -9,7 +9,6 @@ import java.util.concurrent.TimeUnit; import java.util.function.BiFunction; import java.util.function.Function; - import javax.security.auth.Subject; import javax.transaction.TransactionManager; import javax.transaction.xa.XAResource; 
@@ -1097,6 +1096,6 @@ public int hashCode() { @Override public String toString() { - return String.format("SecureCache '%s'", delegate.getName()); + return "Secure " + delegate; } } diff --git a/core/src/main/java/org/infinispan/security/impl/SecurityActions.java b/core/src/main/java/org/infinispan/security/impl/SecurityActions.java new file mode 100644 index 000000000000..c18ad9056df2 --- /dev/null +++ b/core/src/main/java/org/infinispan/security/impl/SecurityActions.java 
@@ -0,0 +1,44 @@ +package org.infinispan.security.impl; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.configuration.global.GlobalConfiguration; +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.AddCacheDependencyAction; +import org.infinispan.security.actions.GetCacheManagerConfigurationAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for the org.infinispan.security.impl package. + * + * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + private static T doPrivileged(PrivilegedAction action) { + if (System.getSecurityManager() != null) { + return AccessController.doPrivileged(action); + } else { + return Security.doPrivileged(action); + } + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } + + static GlobalConfiguration getCacheManagerConfiguration(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetCacheManagerConfigurationAction(cacheManager)); + } + + static void addCacheDependency(EmbeddedCacheManager cacheManager, String dependantCacheName, + String protobufMetadataCacheName) { + doPrivileged(new AddCacheDependencyAction(cacheManager, dependantCacheName, protobufMetadataCacheName)); + } +} diff --git a/core/src/main/java/org/infinispan/stats/impl/CacheContainerStatsImpl.java b/core/src/main/java/org/infinispan/stats/impl/CacheContainerStatsImpl.java index 59c966318705..efa332734bb3 100644 
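Review bot: In the new `org.infinispan.security.impl.SecurityActions`, the last parameter of `addCacheDependency` is named `protobufMetadataCacheName`, but the only caller in this commit (`AuthorizationManagerImpl.init`) passes `globalACLCache.getName()`. The name appears to be carried over from another module and is misleading in a privileged helper. Aligning it with the action it wraps reads better: `static void addCacheDependency(EmbeddedCacheManager cacheManager, String from, String to)`. A one-line comment on each helper stating which `ADMIN`-guarded call it bypasses would also help reviewers audit this class.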
--- a/core/src/main/java/org/infinispan/stats/impl/CacheContainerStatsImpl.java +++ b/core/src/main/java/org/infinispan/stats/impl/CacheContainerStatsImpl.java @@ -6,8 +6,10 @@ import java.util.concurrent.atomic.AtomicLong; import org.infinispan.AdvancedCache; +import org.infinispan.commons.time.TimeService; import org.infinispan.configuration.cache.Configuration; import org.infinispan.factories.annotations.Inject; +import org.infinispan.factories.annotations.Start; import org.infinispan.jmx.JmxStatisticsExposer; import org.infinispan.jmx.annotations.DataType; import org.infinispan.jmx.annotations.DisplayType; @@ -18,7 +20,6 @@ import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.stats.CacheContainerStats; import org.infinispan.stats.Stats; -import org.infinispan.commons.time.TimeService; /** @@ -38,7 +39,10 @@ public class CacheContainerStatsImpl implements CacheContainerStats, JmxStatisti public CacheContainerStatsImpl(EmbeddedCacheManager cm) { this.cm = cm; - cm.getGlobalComponentRegistry().registerComponent(this, CacheContainerStats.class); + } + + @Start + public void start() { boolean globalJmxStatsEnabled = cm.getCacheManagerConfiguration().globalJmxStatistics().enabled(); setStatisticsEnabled(globalJmxStatsEnabled); } diff --git a/core/src/main/java/org/infinispan/stats/impl/SecurityActions.java b/core/src/main/java/org/infinispan/stats/impl/SecurityActions.java index 550bb2ac530a..0e5659d9df72 100644 --- a/core/src/main/java/org/infinispan/stats/impl/SecurityActions.java +++ b/core/src/main/java/org/infinispan/stats/impl/SecurityActions.java 
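Review bot: The new `@Start` method in `CacheContainerStatsImpl` still calls `cm.getCacheManagerConfiguration()` directly, and this commit makes that getter require `ADMIN` in `DefaultCacheManager`. Whether `start()` always runs in a privileged context is not visible here. If it does not, starting a manager with authorization enabled under a subject without `ADMIN` would fail at this line. Routing the read through a privileged action (the commit adds `GetCacheManagerConfigurationAction` for this) or injecting `GlobalConfiguration` would be consistent with the stated goal of removing internal uses of the configuration getters.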
@@ -3,12 +3,9 @@ import java.security.AccessController; import java.security.PrivilegedAction; -import org.infinispan.AdvancedCache; import org.infinispan.Cache; -import org.infinispan.configuration.cache.Configuration; import org.infinispan.manager.ClusterExecutor; import org.infinispan.security.Security; -import org.infinispan.security.actions.GetCacheConfigurationAction; import org.infinispan.security.actions.GetClusterExecutorAction; import org.infinispan.security.impl.SecureCacheImpl; @@ -35,11 +32,6 @@ static ClusterExecutor getClusterExecutor(final Cache cache) { return doPrivileged(action); } - static Configuration getCacheConfiguration(final AdvancedCache cache) { - GetCacheConfigurationAction action = new GetCacheConfigurationAction(cache); - return doPrivileged(action); - } - static Cache getUnwrappedCache(final Cache cache) { if (cache instanceof SecureCacheImpl) { return doPrivileged(() -> ((SecureCacheImpl)cache).getDelegate() ); diff --git a/core/src/main/java/org/infinispan/topology/ClusterTopologyManagerImpl.java b/core/src/main/java/org/infinispan/topology/ClusterTopologyManagerImpl.java index fa76ebbc8080..789246af1e6a 100644 --- a/core/src/main/java/org/infinispan/topology/ClusterTopologyManagerImpl.java +++ b/core/src/main/java/org/infinispan/topology/ClusterTopologyManagerImpl.java @@ -34,6 +34,7 @@ import org.infinispan.commons.util.InfinispanCollections; import org.infinispan.commons.util.ProcessorInfo; import org.infinispan.commons.util.Util; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.CacheMode; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.global.GlobalConfiguration; 
@@ -95,6 +96,7 @@ public class ClusterTopologyManagerImpl implements ClusterTopologyManager { @Inject private Transport transport; @Inject private GlobalConfiguration globalConfiguration; + @Inject private ConfigurationManager configurationManager; @Inject private GlobalComponentRegistry gcr; @Inject private CacheManagerNotifier cacheManagerNotifier; @Inject private EmbeddedCacheManager cacheManager; @@ -407,8 +409,9 @@ private ClusterCacheStatus initCacheStatusIfAbsent(String cacheName, CacheMode c } else { lostDataCheck = ClusterTopologyManagerImpl::distLostDataCheck; } + // TODO Partition handling config should be part of the join info AvailabilityStrategy availabilityStrategy; - Configuration config = cacheManager.getCacheConfiguration(cacheName); + Configuration config = configurationManager.getConfiguration(cacheName, true); PartitionHandling partitionHandling = config != null ? config.clustering().partitionHandling().whenSplit() : null; boolean resolveConflictsOnMerge = resolveConflictsOnMerge(config, cacheMode); if (partitionHandling != null && partitionHandling != PartitionHandling.ALLOW_READ_WRITES) { @@ -733,7 +736,8 @@ public void broadcastShutdownCache(String cacheName, CacheTopology cacheTopology @Override public void setInitialCacheTopologyId(String cacheName, int topologyId) { - Configuration configuration = cacheManager.getCacheConfiguration(cacheName); + // TODO Include cache mode in join info + Configuration configuration = configurationManager.getConfiguration(cacheName, true); ClusterCacheStatus cacheStatus = initCacheStatusIfAbsent(cacheName, configuration.clustering().cacheMode()); cacheStatus.setInitialTopologyId(topologyId); } diff --git a/core/src/main/java/org/infinispan/xsite/BackupReceiverRepositoryImpl.java b/core/src/main/java/org/infinispan/xsite/BackupReceiverRepositoryImpl.java index 7cd70c507545..395aa46c247b 100644 --- a/core/src/main/java/org/infinispan/xsite/BackupReceiverRepositoryImpl.java 
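Review bot: In `setInitialCacheTopologyId` the result of `configurationManager.getConfiguration(cacheName, true)` is dereferenced immediately by `configuration.clustering().cacheMode()`, whereas `initCacheStatusIfAbsent` in the same file guards the same lookup with `config != null`. The old call went through `DefaultCacheManager.getCacheConfiguration`, which falls back to the default cache configuration when the named one is missing but the cache exists. That fallback is gone here, so a null result is more reachable than before. An explicit check such as `if (configuration == null) throw new IllegalStateException("No configuration for cache " + cacheName);` would fail with a clear message instead of a `NullPointerException`.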
+++ b/core/src/main/java/org/infinispan/xsite/BackupReceiverRepositoryImpl.java @@ -5,6 +5,7 @@ import java.util.concurrent.ConcurrentMap; import org.infinispan.Cache; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; import org.infinispan.factories.annotations.Inject; import org.infinispan.factories.annotations.Start; @@ -28,8 +29,9 @@ public class BackupReceiverRepositoryImpl implements BackupReceiverRepository { private final ConcurrentMap backupReceivers = new ConcurrentHashMap<>(); - @Inject public EmbeddedCacheManager cacheManager; - @Inject public CacheManagerNotifier cacheManagerNotifier; + @Inject EmbeddedCacheManager cacheManager; + @Inject CacheManagerNotifier cacheManagerNotifier; + @Inject ConfigurationManager configurationManager; @Start public void start() { @@ -66,8 +68,8 @@ public BackupReceiver getBackupReceiver(String remoteSite, String remoteCache) { BackupReceiver backupManager = backupReceivers.get(toLookFor); if (backupManager != null) return backupManager; - //check the default cache first - Configuration dcc = cacheManager.getDefaultCacheConfiguration(); + //check the default cache first, because it's not included in getCacheNames + Configuration dcc = configurationManager.getConfiguration(EmbeddedCacheManager.DEFAULT_CACHE_NAME, true); if (dcc != null && isBackupForRemoteCache(remoteSite, remoteCache, dcc, EmbeddedCacheManager.DEFAULT_CACHE_NAME)) { Cache cache = cacheManager.getCache(); backupReceivers.putIfAbsent(toLookFor, createBackupReceiver(cache)); 
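Review bot: In `getBackupReceiver` the default-cache lookup now hard-codes `EmbeddedCacheManager.DEFAULT_CACHE_NAME`, while the replaced `cacheManager.getDefaultCacheConfiguration()` resolved the name from the manager's configured `defaultCacheName`. If a deployment sets a custom default cache name and the configuration is not also registered under the constant (not visible in this diff), `dcc` will be null and the default cache will silently stop being considered as a backup target. Resolving the name from `configurationManager.getGlobalConfiguration().defaultCacheName()` would preserve the old behaviour. This lookup also passes `true` as the second argument while the loop in the next hunk passes `false`, so a comment explaining the difference would help. The method body continues outside this hunk.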
@@ -77,7 +79,7 @@ public BackupReceiver getBackupReceiver(String remoteSite, String remoteCache) { Set cacheNames = cacheManager.getCacheNames(); for (String name : cacheNames) { - Configuration cacheConfiguration = cacheManager.getCacheConfiguration(name); + Configuration cacheConfiguration = configurationManager.getConfiguration(name, false); if (cacheConfiguration != null && isBackupForRemoteCache(remoteSite, remoteCache, cacheConfiguration, name)) { Cache cache = cacheManager.getCache(name); toLookFor.setLocalCacheName(name); diff --git a/core/src/test/java/org/infinispan/factories/ComponentRegistryTest.java b/core/src/test/java/org/infinispan/factories/ComponentRegistryTest.java index fcf5a8961e51..0b6ccf836f2d 100644 --- a/core/src/test/java/org/infinispan/factories/ComponentRegistryTest.java +++ b/core/src/test/java/org/infinispan/factories/ComponentRegistryTest.java @@ -11,6 +11,7 @@ import java.util.concurrent.Future; import org.infinispan.AdvancedCache; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.cache.ConfigurationBuilder; import org.infinispan.configuration.global.GlobalConfiguration; @@ -41,7 +42,7 @@ public void setUp() throws InterruptedException, ExecutionException { EmbeddedCacheManager cm = mock(EmbeddedCacheManager.class); AdvancedCache cache = mock(AdvancedCache.class); - gcr = new GlobalComponentRegistry(gc, cm, cachesSet); + gcr = new GlobalComponentRegistry(gc, cm, cachesSet, mock(ConfigurationManager.class)); cr1 = new ComponentRegistry("cache", c, cache, gcr, ComponentRegistryTest.class.getClassLoader()); cr2 = new ComponentRegistry("cache", c, cache, gcr, ComponentRegistryTest.class.getClassLoader()); diff --git a/core/src/test/java/org/infinispan/health/ClusterHealthImplTest.java b/core/src/test/java/org/infinispan/health/ClusterHealthImplTest.java index af782ea776f5..d55638543ef4 100644 
--- a/core/src/test/java/org/infinispan/health/ClusterHealthImplTest.java +++ b/core/src/test/java/org/infinispan/health/ClusterHealthImplTest.java @@ -41,7 +41,7 @@ public class ClusterHealthImplTest extends AbstractInfinispanTest { private void init() { cacheManager = TestCacheManagerFactory.createClusteredCacheManager(); internalCacheRegistry = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); - clusterHealth = new ClusterHealthImpl(cacheManager); + clusterHealth = new ClusterHealthImpl(cacheManager, cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class)); } @BeforeMethod @@ -114,7 +114,7 @@ public void testRebalancingStatusWhenUserCacheIsRebalancing() throws Exception { mockRehashInProgress(CACHE_NAME, mockedCache, mockedAdvancedCache, mockedDistributionManager); - ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager); + ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager, mockedCacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class)); assertEquals(HealthStatus.REBALANCING, clusterHealth.getHealthStatus()); } @@ -140,7 +140,7 @@ public void testRebalancingStatusWhenInternalCacheIsRebalancing() throws Excepti when(mockedCacheManager.getCacheNames()).thenReturn(Collections.emptySet()); mockRehashInProgress(INTERNAL_CACHE_NAME, mockedCache, mockedAdvancedCache, mockedDistributionManager); - ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager); + ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager, mockedCacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class)); assertEquals(HealthStatus.REBALANCING, clusterHealth.getHealthStatus()); } 
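Review bot: `init()` resolves `InternalCacheRegistry` through `cacheManager.getGlobalComponentRegistry()` twice on consecutive lines; the constructor call can reuse the field assigned just above it, `clusterHealth = new ClusterHealthImpl(cacheManager, internalCacheRegistry);`. The same long lookup is repeated in the four other `new ClusterHealthImpl(mockedCacheManager, ...)` calls in the later hunks of this file. Since this commit deprecates `getGlobalComponentRegistry`, a small private helper in the test would keep the deprecated call in one place.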
@@ -154,13 +154,13 @@ public void testGetNumberOfNodes() throws Exception { } public void testGetNumberOfNodesWithNullTransport() throws Exception { - ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager); + ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager, mockedCacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class)); assertEquals(0, clusterHealth.getNumberOfNodes()); } public void testGetNodeNamesWithNullTransport() throws Exception { - ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager); + ClusterHealth clusterHealth = new ClusterHealthImpl(mockedCacheManager, mockedCacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class)); assertTrue(clusterHealth.getNodeNames().isEmpty()); } diff --git a/core/src/test/java/org/infinispan/test/MultipleCacheManagersTest.java b/core/src/test/java/org/infinispan/test/MultipleCacheManagersTest.java index 7aef0436e11c..becf1ecc0bf7 100644 --- a/core/src/test/java/org/infinispan/test/MultipleCacheManagersTest.java +++ b/core/src/test/java/org/infinispan/test/MultipleCacheManagersTest.java @@ -139,7 +139,7 @@ protected void destroy() { } for (EmbeddedCacheManager cm : cacheManagers) { - String nodeName = cm.getCacheManagerConfiguration().transport().nodeName(); + String nodeName = SecurityActions.getCacheManagerConfiguration(cm).transport().nodeName(); assertTrue("Invalid node name for test " + getCurrentTestShortName() + ": " + nodeName, nodeName != null && nodeName.contains(getCurrentTestShortName())); } diff --git a/core/src/test/java/org/infinispan/test/SecurityActions.java b/core/src/test/java/org/infinispan/test/SecurityActions.java new file mode 100644 index 000000000000..eb2e11ce230e --- /dev/null +++ b/core/src/test/java/org/infinispan/test/SecurityActions.java 
@@ -0,0 +1,51 @@ +package org.infinispan.test; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.Cache; +import org.infinispan.configuration.global.GlobalConfiguration; +import org.infinispan.factories.ComponentRegistry; +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheManagerConfigurationAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for the org.infinispan.test.fwk package. + *

+ * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + private static T doPrivileged(PrivilegedAction action) { + if (System.getSecurityManager() != null) { + return AccessController.doPrivileged(action); + } else { + return Security.doPrivileged(action); + } + } + + static void stopManager(EmbeddedCacheManager cacheManager) { + doPrivileged(() -> { + cacheManager.stop(); + return null; + }); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } + + static ComponentRegistry getComponentRegistry(Cache cache) { + return doPrivileged(() -> cache.getAdvancedCache().getComponentRegistry()); + } + + static GlobalConfiguration getCacheManagerConfiguration(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetCacheManagerConfigurationAction(cacheManager)); + } +} diff --git a/core/src/test/java/org/infinispan/test/TestingUtil.java b/core/src/test/java/org/infinispan/test/TestingUtil.java index 132bf727c598..dfafe8a143cc 100644 --- a/core/src/test/java/org/infinispan/test/TestingUtil.java +++ b/core/src/test/java/org/infinispan/test/TestingUtil.java @@ -78,6 +78,7 @@ import org.infinispan.commons.util.ReflectionUtil; import org.infinispan.configuration.cache.CacheMode; import org.infinispan.configuration.cache.Configuration; +import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.container.DataContainer; import org.infinispan.container.entries.CacheEntry; import org.infinispan.container.entries.InternalCacheEntry; 
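Review bot: The class Javadoc names the wrong package: the file declares `package org.infinispan.test;` but the comment says `org.infinispan.test.fwk`. The same copy-paste slip is in two other new SecurityActions classes in this patch, where `org.infinispan.counter.impl.manager` and `org.infinispan.lock` both say `org.infinispan.counter`. Because the "Do not move" warning ties each class to its package and code source, the first line should name the real package, here `SecurityActions for the org.infinispan.test package.`. Unlike the counter and lock variants, this class also lacks the `private SecurityActions() { }` constructor.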
@@ -381,7 +382,8 @@ public static void waitForNoRebalance(Cache... caches) { if (cacheTopology != null) { rebalanceInProgress = cacheTopology.getPhase() != CacheTopology.Phase.NO_REBALANCE; ConsistentHash currentCH = cacheTopology.getCurrentCH(); - ConsistentHashFactory chf = StateTransferManagerImpl.pickConsistentHashFactory(c.getCacheManager().getCacheManagerConfiguration(), c.getCacheConfiguration()); + ConsistentHashFactory chf = StateTransferManagerImpl.pickConsistentHashFactory( + extractGlobalConfiguration(c.getCacheManager()), c.getCacheConfiguration()); chContainsAllMembers = currentCH.getMembers().size() == caches.length; currentChIsBalanced = true; @@ -843,8 +845,9 @@ public static void killCacheManagers(List cacheM for (int i = cacheManagers.size() - 1; i >= 0; i--) { EmbeddedCacheManager cm = cacheManagers.get(i); try { - if (cm != null) - cm.stop(); + if (cm != null) { + SecurityActions.stopManager(cm); + } } catch (Throwable e) { log.warn("Problems killing cache manager " + cm, e); } @@ -904,7 +907,7 @@ private static Set getRunningCaches(EmbeddedCacheManager cacheContainer) Set running = new LinkedHashSet<>(getOrderedCacheNames(cacheContainer)); extractGlobalComponent(cacheContainer, InternalCacheRegistry.class).filterPrivateCaches(running); running.addAll(cacheContainer.getCacheNames()); - running.add(cacheContainer.getCacheManagerConfiguration().defaultCacheName().orElse(DEFAULT_CACHE_NAME)); + running.add(extractGlobalConfiguration(cacheContainer).defaultCacheName().orElse(DEFAULT_CACHE_NAME)); return running.stream() .map(s -> cacheContainer.getCache(s, false)) 
@@ -913,6 +916,10 @@ private static Set getRunningCaches(EmbeddedCacheManager cacheContainer) .collect(Collectors.toCollection(LinkedHashSet::new)); } + private static GlobalConfiguration extractGlobalConfiguration(EmbeddedCacheManager cacheContainer) { + return SecurityActions.getCacheManagerConfiguration(cacheContainer); + } + private static void clearRunningTx(Cache cache) { if (cache != null) { TransactionManager txm = TestingUtil.getTransactionManager(cache); @@ -933,14 +940,7 @@ public static List> cachestores(List> cache } private static void removeInMemoryData(Cache cache) { - EmbeddedCacheManager mgr = cache.getCacheManager(); - Address a = mgr.getAddress(); - String str; - if (a == null) - str = "a non-clustered cache manager"; - else - str = "a cache manager at address " + a; - log.debugf("Cleaning data for cache '%s' on %s", cache.getName(), str); + log.debugf("Cleaning data for cache %s", cache); InternalDataContainer dataContainer = TestingUtil.extractComponent(cache, InternalDataContainer.class); if (log.isDebugEnabled()) log.debugf("Data container size before clear: %d", dataContainer.sizeIncludingExpired()); dataContainer.clear(); @@ -1031,11 +1031,11 @@ public static void killTransactions(Cache... caches) { * @return component registry */ public static ComponentRegistry extractComponentRegistry(Cache cache) { - return cache.getAdvancedCache().getComponentRegistry(); + return SecurityActions.getComponentRegistry(cache); } public static GlobalComponentRegistry extractGlobalComponentRegistry(CacheContainer cacheContainer) { - return ((EmbeddedCacheManager) cacheContainer).getGlobalComponentRegistry(); + return SecurityActions.getGlobalComponentRegistry((EmbeddedCacheManager) cacheContainer); } public static LockManager extractLockManager(Cache cache) { 
@@ -1043,16 +1043,14 @@ public static LockManager extractLockManager(Cache cache) { } public static GlobalMarshaller extractGlobalMarshaller(EmbeddedCacheManager cm) { - GlobalComponentRegistry gcr = extractField(cm, "globalComponentRegistry"); + GlobalComponentRegistry gcr = extractGlobalComponentRegistry(cm); return (GlobalMarshaller) gcr.getComponent(StreamingMarshaller.class); } /** * Add a hook to cache startup sequence that will allow to replace existing component with a mock. - * @param cacheContainer - * @param consumer */ - public static void addCacheStartingHook(CacheContainer cacheContainer, BiConsumer consumer) { + public static void addCacheStartingHook(EmbeddedCacheManager cacheContainer, BiConsumer consumer) { GlobalComponentRegistry gcr = extractGlobalComponentRegistry(cacheContainer); extractField(gcr, "moduleLifecycles"); TestingUtil.>replaceField(gcr, "moduleLifecycles", moduleLifecycles -> { diff --git a/core/src/test/java/org/infinispan/topology/ClusterTopologyManagerImplTest.java b/core/src/test/java/org/infinispan/topology/ClusterTopologyManagerImplTest.java index 40727758e33b..bae4d7ab8f9c 100644 --- a/core/src/test/java/org/infinispan/topology/ClusterTopologyManagerImplTest.java +++ b/core/src/test/java/org/infinispan/topology/ClusterTopologyManagerImplTest.java @@ -15,6 +15,7 @@ import java.util.concurrent.TimeUnit; import org.infinispan.commons.hash.MurmurHash3; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.CacheMode; import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.configuration.global.GlobalConfigurationBuilder; 
@@ -62,7 +63,8 @@ public void testClusterStartupWith2Nodes() throws Exception { // Create global component registry with dependencies GlobalConfiguration gc = GlobalConfigurationBuilder.defaultClusteredBuilder().build(); EmbeddedCacheManager cacheManager = mock(EmbeddedCacheManager.class); - GlobalComponentRegistry gcr = new GlobalComponentRegistry(gc, cacheManager, Collections.emptySet()); + GlobalComponentRegistry gcr = new GlobalComponentRegistry(gc, cacheManager, Collections.emptySet(), + mock(ConfigurationManager.class)); BasicComponentRegistry gbcr = gcr.getComponent(BasicComponentRegistry.class); CacheManagerNotifierImpl managerNotifier = new CacheManagerNotifierImpl(); @@ -138,7 +140,8 @@ public void testCoordinatorLostDuringRebalance() throws Exception { // Create global component registry with dependencies GlobalConfiguration gc = GlobalConfigurationBuilder.defaultClusteredBuilder().build(); EmbeddedCacheManager cacheManager = mock(EmbeddedCacheManager.class); - GlobalComponentRegistry gcr = new GlobalComponentRegistry(gc, cacheManager, Collections.emptySet()); + GlobalComponentRegistry gcr = new GlobalComponentRegistry(gc, cacheManager, Collections.emptySet(), + mock(ConfigurationManager.class)); BasicComponentRegistry gbcr = gcr.getComponent(BasicComponentRegistry.class); CacheManagerNotifierImpl managerNotifier = new CacheManagerNotifierImpl(); diff --git a/core/src/test/java/org/infinispan/util/PersistenceMockUtil.java b/core/src/test/java/org/infinispan/util/PersistenceMockUtil.java index 53b8c1258f2f..1b854cb7a5ad 100644 --- a/core/src/test/java/org/infinispan/util/PersistenceMockUtil.java +++ b/core/src/test/java/org/infinispan/util/PersistenceMockUtil.java 
@@ -12,6 +12,7 @@ import org.infinispan.commons.io.ByteBufferFactoryImpl; import org.infinispan.commons.marshall.StreamingMarshaller; import org.infinispan.commons.time.TimeService; +import org.infinispan.configuration.ConfigurationManager; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.configuration.global.GlobalConfigurationBuilder; @@ -59,7 +60,7 @@ private static Cache mockCache(String nodeName, Configuration configuration, Tim Set cachesSet = new HashSet<>(); EmbeddedCacheManager cm = mock(EmbeddedCacheManager.class); when(cm.getCacheManagerConfiguration()).thenReturn(gc); - GlobalComponentRegistry gcr = new GlobalComponentRegistry(gc, cm, cachesSet); + GlobalComponentRegistry gcr = new GlobalComponentRegistry(gc, cm, cachesSet, mock(ConfigurationManager.class)); BasicComponentRegistry gbcr = gcr.getComponent(BasicComponentRegistry.class); gbcr.replaceComponent(TimeService.class.getName(), timeService, true); ComponentRegistry registry = new ComponentRegistry(cacheName, configuration, cache, gcr, diff --git a/counter/src/main/java/org/infinispan/counter/EmbeddedCounterManagerFactory.java b/counter/src/main/java/org/infinispan/counter/EmbeddedCounterManagerFactory.java index bb24f270f2d2..1d88d55ad24f 100644 --- a/counter/src/main/java/org/infinispan/counter/EmbeddedCounterManagerFactory.java +++ b/counter/src/main/java/org/infinispan/counter/EmbeddedCounterManagerFactory.java 
@@ -21,10 +21,10 @@ private EmbeddedCounterManagerFactory() { * @return the {@link CounterManager} associated to the {@link EmbeddedCacheManager}. */ public static CounterManager asCounterManager(EmbeddedCacheManager cacheManager) { - return requireNonNull(cacheManager, "EmbeddedCacheManager can't be null.") - .getGlobalComponentRegistry() - .getComponent(BasicComponentRegistry.class) - .getComponent(CounterManager.class) - .running(); + requireNonNull(cacheManager, "EmbeddedCacheManager can't be null."); + return SecurityActions.getGlobalComponentRegistry(cacheManager) + .getComponent(BasicComponentRegistry.class) + .getComponent(CounterManager.class) + .running(); } } diff --git a/counter/src/main/java/org/infinispan/counter/SecurityActions.java b/counter/src/main/java/org/infinispan/counter/SecurityActions.java new file mode 100644 index 000000000000..f9c50c0b65df --- /dev/null +++ b/counter/src/main/java/org/infinispan/counter/SecurityActions.java @@ -0,0 +1,33 @@ +package org.infinispan.counter; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for the org.infinispan.counter package. + *

+ * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + + private SecurityActions() { + } + + private static T doPrivileged(PrivilegedAction action) { + return System.getSecurityManager() != null ? + AccessController.doPrivileged(action) : Security.doPrivileged(action); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } +} diff --git a/counter/src/main/java/org/infinispan/counter/impl/manager/CounterConfigurationManager.java b/counter/src/main/java/org/infinispan/counter/impl/manager/CounterConfigurationManager.java index c459ebaf9a2c..11c18ca80a2a 100644 --- a/counter/src/main/java/org/infinispan/counter/impl/manager/CounterConfigurationManager.java +++ b/counter/src/main/java/org/infinispan/counter/impl/manager/CounterConfigurationManager.java @@ -60,7 +60,7 @@ public class CounterConfigurationManager { CounterConfigurationManager(EmbeddedCacheManager cacheManager, CounterConfigurationStorage storage) { this.cacheManager = cacheManager; this.storage = storage; - GlobalConfiguration globalConfig = cacheManager.getGlobalComponentRegistry().getGlobalConfiguration(); + GlobalConfiguration globalConfig = SecurityActions.getCacheManagerConfiguration(cacheManager); CounterManagerConfiguration counterManagerConfig = globalConfig.module(CounterManagerConfiguration.class); this.configuredCounters = counterManagerConfig == null ? Collections.emptyList() : 
@@ -221,7 +221,7 @@ private void validateConfiguration(CounterConfiguration configuration) { private void startCounterCache() { if (counterCacheStarted.compareAndSet(false, true)) { - cacheManager.getGlobalComponentRegistry() + SecurityActions.getGlobalComponentRegistry(cacheManager) .getComponent(Executor.class, KnownComponentNames.ASYNC_OPERATIONS_EXECUTOR) .execute(() -> { String oldName = Thread.currentThread().getName(); diff --git a/counter/src/main/java/org/infinispan/counter/impl/manager/EmbeddedCounterManager.java b/counter/src/main/java/org/infinispan/counter/impl/manager/EmbeddedCounterManager.java index e1a4ddf6c76d..ad82aea395fc 100644 --- a/counter/src/main/java/org/infinispan/counter/impl/manager/EmbeddedCounterManager.java +++ b/counter/src/main/java/org/infinispan/counter/impl/manager/EmbeddedCounterManager.java @@ -76,7 +76,7 @@ public EmbeddedCounterManager(EmbeddedCacheManager cacheManager) { } private static boolean isGlobalStateEnabled(EmbeddedCacheManager cacheManager) { - return cacheManager.getGlobalComponentRegistry().getGlobalConfiguration().globalState().enabled(); + return SecurityActions.getCacheManagerConfiguration(cacheManager).globalState().enabled(); } @Start diff --git a/counter/src/main/java/org/infinispan/counter/impl/manager/SecurityActions.java b/counter/src/main/java/org/infinispan/counter/impl/manager/SecurityActions.java new file mode 100644 index 000000000000..f1f00532556d --- /dev/null +++ b/counter/src/main/java/org/infinispan/counter/impl/manager/SecurityActions.java 
@@ -0,0 +1,39 @@ +package org.infinispan.counter.impl.manager; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.configuration.global.GlobalConfiguration; +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheManagerConfigurationAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for the org.infinispan.counter package. + *

+ * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + + private SecurityActions() { + } + + private static T doPrivileged(PrivilegedAction action) { + return System.getSecurityManager() != null ? + AccessController.doPrivileged(action) : Security.doPrivileged(action); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } + + static GlobalConfiguration getCacheManagerConfiguration(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetCacheManagerConfigurationAction(cacheManager)); + } +} diff --git a/lock/src/main/java/org/infinispan/lock/EmbeddedClusteredLockManagerFactory.java b/lock/src/main/java/org/infinispan/lock/EmbeddedClusteredLockManagerFactory.java index dc5ef0b458f9..e4d53012ec5e 100644 --- a/lock/src/main/java/org/infinispan/lock/EmbeddedClusteredLockManagerFactory.java +++ b/lock/src/main/java/org/infinispan/lock/EmbeddedClusteredLockManagerFactory.java @@ -28,8 +28,7 @@ public static ClusteredLockManager from(EmbeddedCacheManager cacheManager) { if (!cacheManager.getCacheManagerConfiguration().isClustered()) { throw log.requireClustered(); } - return cacheManager - .getGlobalComponentRegistry() + return SecurityActions.getGlobalComponentRegistry(cacheManager) .getComponent(ClusteredLockManager.class); } } diff --git a/lock/src/main/java/org/infinispan/lock/SecurityActions.java b/lock/src/main/java/org/infinispan/lock/SecurityActions.java new file mode 100644 index 000000000000..eea5e7c4e2bf --- /dev/null +++ b/lock/src/main/java/org/infinispan/lock/SecurityActions.java 
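Review bot: The `isClustered()` check on the context line just above the change still calls `cacheManager.getCacheManagerConfiguration()` directly, and the commit message says that getter now requires ADMIN permission. With authorization enabled, `from()` would presumably be rejected for a non-admin caller before it reaches the privileged registry lookup added here. Route the check through the package's SecurityActions as well, `if (!SecurityActions.getCacheManagerConfiguration(cacheManager).isClustered()) {`. That needs a `getCacheManagerConfiguration` helper in `org.infinispan.lock.SecurityActions` wrapping `GetCacheManagerConfigurationAction`, as the `org.infinispan.counter.impl.manager` one does. The start of `from()` is outside the hunk.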
@@ -0,0 +1,33 @@ +package org.infinispan.lock; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for the org.infinispan.counter package. + *

+ * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + + private SecurityActions() { + } + + private static T doPrivileged(PrivilegedAction action) { + return System.getSecurityManager() != null ? + AccessController.doPrivileged(action) : Security.doPrivileged(action); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } +} diff --git a/lucene/directory-provider/src/main/java/org/infinispan/hibernate/search/spi/InfinispanDirectoryProvider.java b/lucene/directory-provider/src/main/java/org/infinispan/hibernate/search/spi/InfinispanDirectoryProvider.java index cfbd997c343a..4d660efa8229 100644 --- a/lucene/directory-provider/src/main/java/org/infinispan/hibernate/search/spi/InfinispanDirectoryProvider.java +++ b/lucene/directory-provider/src/main/java/org/infinispan/hibernate/search/spi/InfinispanDirectoryProvider.java @@ -70,6 +70,7 @@ public void initialize(String directoryProviderName, Properties properties, Buil this.directoryProviderName = directoryProviderName; this.serviceManager = context.getServiceManager(); this.cacheManager = serviceManager.requestService(CacheManagerService.class).getEmbeddedCacheManager(); + this. metadataCacheName = InfinispanIntegration.getMetadataCacheName(properties); dataCacheName = InfinispanIntegration.getDataCacheName(properties); lockingCacheName = InfinispanIntegration.getLockingCacheName(properties); diff --git a/query/src/main/java/org/infinispan/query/affinity/AffinityShardIdentifierProvider.java b/query/src/main/java/org/infinispan/query/affinity/AffinityShardIdentifierProvider.java index 431716366a33..9a837d50d66b 100644 
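Review bot: The only added line in the `InfinispanDirectoryProvider.initialize` hunk is a dangling `this.`, which compiles only because the next line continues it as `this. metadataCacheName = ...`. It reads like an unfinished edit and is unrelated to the permission change. Either drop the line or put the assignment on one line, `this.metadataCacheName = InfinispanIntegration.getMetadataCacheName(properties);`. `initialize` starts and ends outside the hunk.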
--- a/query/src/main/java/org/infinispan/query/affinity/AffinityShardIdentifierProvider.java +++ b/query/src/main/java/org/infinispan/query/affinity/AffinityShardIdentifierProvider.java @@ -13,10 +13,10 @@ import org.hibernate.search.store.ShardIdentifierProvider; import org.infinispan.commons.logging.LogFactory; import org.infinispan.configuration.cache.ClusteringConfiguration; +import org.infinispan.configuration.cache.Configuration; import org.infinispan.distribution.DistributionManager; import org.infinispan.factories.ComponentRegistry; import org.infinispan.hibernate.search.spi.CacheManagerService; -import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.query.backend.ComponentRegistryService; import org.infinispan.query.backend.KeyTransformationHandler; import org.infinispan.query.backend.QueryInterceptor; @@ -53,11 +53,8 @@ public void initialize(Properties properties, BuildContext buildContext) { ComponentRegistryService componentRegistryService = serviceManager.requestService(ComponentRegistryService.class); this.componentRegistry = componentRegistryService.getComponentRegistry(); CacheManagerService cacheManagerService = serviceManager.requestService(CacheManagerService.class); - EmbeddedCacheManager embeddedCacheManager = cacheManagerService.getEmbeddedCacheManager(); rpcManager = componentRegistry.getComponent(RpcManager.class); - String cacheName = componentRegistry.getCacheName(); - ClusteringConfiguration clusteringConfiguration = - embeddedCacheManager.getCacheConfiguration(cacheName).clustering(); + ClusteringConfiguration clusteringConfiguration = componentRegistry.getComponent(Configuration.class).clustering(); int numberOfShards = getNumberOfShards(properties); shardAllocatorManager = this.componentRegistry.getComponent(ShardAllocatorManager.class); shardAllocatorManager.initialize(numberOfShards, clusteringConfiguration.hash().numSegments()); 
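Review bot: With `embeddedCacheManager` removed, the local `cacheManagerService` is no longer read anywhere in this hunk, yet `serviceManager.requestService(CacheManagerService.class)` is still called. If nothing later in `initialize` uses it, delete `CacheManagerService cacheManagerService = serviceManager.requestService(CacheManagerService.class);` along with the `CacheManagerService` import, so the provider does not request a service it never uses. The rest of `initialize` is outside the hunk, so this needs checking against the full method.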
diff --git a/query/src/main/java/org/infinispan/query/backend/QueryKnownClasses.java b/query/src/main/java/org/infinispan/query/backend/QueryKnownClasses.java index 23a854158a9a..a75d42a88ca8 100644 --- a/query/src/main/java/org/infinispan/query/backend/QueryKnownClasses.java +++ b/query/src/main/java/org/infinispan/query/backend/QueryKnownClasses.java @@ -7,9 +7,9 @@ import java.util.Map; import java.util.Set; import java.util.concurrent.atomic.AtomicReference; - import javax.transaction.Transaction; +import net.jcip.annotations.ThreadSafe; import org.infinispan.AdvancedCache; import org.infinispan.Cache; import org.infinispan.configuration.cache.CacheMode; @@ -23,8 +23,6 @@ import org.infinispan.util.logging.Log; import org.infinispan.util.logging.LogFactory; -import net.jcip.annotations.ThreadSafe; - // TODO [anistor] This class must be removed in 10.0 after we remove autodetection. /** @@ -223,7 +221,7 @@ private Configuration getInternalCacheConfig() { ConfigurationBuilder configurationBuilder = new ConfigurationBuilder(); // allow the registry to work for local caches as well as clustered caches - CacheMode cacheMode = cacheManager.getGlobalComponentRegistry().getGlobalConfiguration().isClustered() + CacheMode cacheMode = SecurityActions.getCacheManagerConfiguration(cacheManager).isClustered() ? CacheMode.REPL_SYNC : CacheMode.LOCAL; configurationBuilder.clustering().cacheMode(cacheMode); diff --git a/query/src/main/java/org/infinispan/query/backend/SecurityActions.java b/query/src/main/java/org/infinispan/query/backend/SecurityActions.java index 1b4927b80649..121a1e69b93b 100644 --- a/query/src/main/java/org/infinispan/query/backend/SecurityActions.java +++ b/query/src/main/java/org/infinispan/query/backend/SecurityActions.java 
@@ -4,8 +4,10 @@ import java.security.PrivilegedAction; import org.infinispan.Cache; +import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheManagerConfigurationAction; /** * SecurityActions for the org.infinispan.query.backend package. @@ -29,4 +31,8 @@ private static T doPrivileged(PrivilegedAction action) { static Cache getCache(EmbeddedCacheManager cacheManager, String cacheName) { return doPrivileged(() -> cacheManager.getCache(cacheName)); } + + static GlobalConfiguration getCacheManagerConfiguration(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetCacheManagerConfigurationAction(cacheManager)); + } } diff --git a/query/src/main/java/org/infinispan/query/dsl/embedded/impl/IckleFilterAndConverter.java b/query/src/main/java/org/infinispan/query/dsl/embedded/impl/IckleFilterAndConverter.java index 10d835dfa63a..504346b32335 100644 --- a/query/src/main/java/org/infinispan/query/dsl/embedded/impl/IckleFilterAndConverter.java +++ b/query/src/main/java/org/infinispan/query/dsl/embedded/impl/IckleFilterAndConverter.java @@ -9,7 +9,6 @@ import java.util.Set; import java.util.function.Function; -import org.infinispan.Cache; import org.infinispan.commons.CacheException; import org.infinispan.commons.io.UnsignedNumeric; import org.infinispan.commons.marshall.AbstractExternalizer; 
@@ -71,9 +70,8 @@ public IckleFilterAndConverter(String queryString, Map namedPara * Acquires a Matcher instance from the ComponentRegistry of the given Cache object. */ @Inject - protected void injectDependencies(Cache cache) { - this.queryCache = cache.getCacheManager().getGlobalComponentRegistry().getComponent(QueryCache.class); - ComponentRegistry componentRegistry = cache.getAdvancedCache().getComponentRegistry(); + protected void injectDependencies(ComponentRegistry componentRegistry, QueryCache queryCache) { + this.queryCache = queryCache; matcher = componentRegistry.getComponent(matcherImplClass); if (matcher == null) { throw new CacheException("Expected component not found in registry: " + matcherImplClass.getName()); diff --git a/query/src/main/java/org/infinispan/query/impl/LifecycleManager.java b/query/src/main/java/org/infinispan/query/impl/LifecycleManager.java index db331ecd9a6c..5d34b8d35dc4 100644 --- a/query/src/main/java/org/infinispan/query/impl/LifecycleManager.java +++ b/query/src/main/java/org/infinispan/query/impl/LifecycleManager.java @@ -12,7 +12,6 @@ import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; - import javax.management.MBeanServer; import javax.management.ObjectName; 
@@ -161,16 +160,16 @@ private void addCacheDependencyIfNeeded(String cacheStarting, EmbeddedCacheManag if (indexingConfiguration.indexedEntities().isEmpty()) { // todo [anistor] remove dependency on QueryKnownClasses in Infinispan 10.0 // indexed classes are autodetected and propagated across cluster via this cache - cacheManager.addCacheDependency(cacheStarting, QueryKnownClasses.QUERY_KNOWN_CLASSES_CACHE_NAME); + SecurityActions.addCacheDependency(cacheManager, cacheStarting, QueryKnownClasses.QUERY_KNOWN_CLASSES_CACHE_NAME); } if (hasInfinispanDirectory(indexingConfiguration.properties())) { String metadataCacheName = getMetadataCacheName(indexingConfiguration.properties()); String lockingCacheName = getLockingCacheName(indexingConfiguration.properties()); String dataCacheName = getDataCacheName(indexingConfiguration.properties()); if (!cacheStarting.equals(metadataCacheName) && !cacheStarting.equals(lockingCacheName) && !cacheStarting.equals(dataCacheName)) { - cacheManager.addCacheDependency(cacheStarting, metadataCacheName); - cacheManager.addCacheDependency(cacheStarting, lockingCacheName); - cacheManager.addCacheDependency(cacheStarting, dataCacheName); + SecurityActions.addCacheDependency(cacheManager, cacheStarting, metadataCacheName); + SecurityActions.addCacheDependency(cacheManager, cacheStarting, lockingCacheName); + SecurityActions.addCacheDependency(cacheManager, cacheStarting, dataCacheName); } } } diff --git a/query/src/main/java/org/infinispan/query/impl/SecurityActions.java b/query/src/main/java/org/infinispan/query/impl/SecurityActions.java index f32aa7095acf..2a404d594e4c 100644 --- a/query/src/main/java/org/infinispan/query/impl/SecurityActions.java +++ b/query/src/main/java/org/infinispan/query/impl/SecurityActions.java 
@@ -8,7 +8,11 @@ import org.infinispan.configuration.cache.Configuration; import org.infinispan.factories.ComponentRegistry; import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.security.Security; +import org.infinispan.security.actions.AddCacheDependencyAction; +import org.infinispan.security.actions.GetCacheComponentRegistryAction; +import org.infinispan.security.actions.GetCacheGlobalComponentRegistryAction; /** * SecurityActions for the org.infinispan.query.impl package. @@ -38,10 +42,14 @@ static Configuration getCacheConfiguration(Cache cache) { } static ComponentRegistry getCacheComponentRegistry(AdvancedCache cache) { - return doPrivileged(cache::getComponentRegistry); + return doPrivileged(new GetCacheComponentRegistryAction(cache)); } static GlobalComponentRegistry getCacheGlobalComponentRegistry(AdvancedCache cache) { - return doPrivileged(() -> cache.getCacheManager().getGlobalComponentRegistry()); + return doPrivileged(new GetCacheGlobalComponentRegistryAction(cache)); + } + + static void addCacheDependency(EmbeddedCacheManager cacheManager, String cacheStarting, String queryKnownClassesCacheName) { + doPrivileged(new AddCacheDependencyAction(cacheManager, cacheStarting, queryKnownClassesCacheName)); } } diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/CompatibilityProtoStreamMarshaller.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/CompatibilityProtoStreamMarshaller.java index 1daabb2211d4..6ddc1032b73e 100644 --- a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/CompatibilityProtoStreamMarshaller.java +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/CompatibilityProtoStreamMarshaller.java 
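Review bot: The third parameter of the new `addCacheDependency` helper is named `queryKnownClassesCacheName`, but LifecycleManager also calls it with the metadata, locking and data cache names, so the name describes only one of four call sites. Because this wrapper runs the call under `doPrivileged`, the signature should make plain which cache depends on which; I would mirror the manager API with `static void addCacheDependency(EmbeddedCacheManager cacheManager, String from, String to)`. The same applies to the `protobufMetadataCacheName` parameter of the helper added to org.infinispan.query.remote.impl.SecurityActions later in the patch.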
@@ -1,10 +1,10 @@ package org.infinispan.query.remote; import org.infinispan.factories.annotations.Inject; +import org.infinispan.factories.annotations.Start; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.protostream.SerializationContext; import org.infinispan.query.remote.client.BaseProtoStreamMarshaller; -import org.infinispan.query.remote.impl.ProtobufMetadataManagerImpl; /** * A per {@link EmbeddedCacheManager} marshaller that should be used as compatibility mode marshaller in server. An @@ -17,14 +17,15 @@ public class CompatibilityProtoStreamMarshaller extends BaseProtoStreamMarshalle @Inject protected EmbeddedCacheManager cacheManager; - public CompatibilityProtoStreamMarshaller() { + private SerializationContext serCtx; + + @Start + void start() { + serCtx = SecurityActions.getSerializationContext(cacheManager); } @Override protected SerializationContext getSerializationContext() { - if (cacheManager == null) { - throw new IllegalStateException("cacheManager not set"); - } - return ProtobufMetadataManagerImpl.getSerializationContext(cacheManager); + return serCtx; } } diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/SecurityActions.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/SecurityActions.java new file mode 100644 index 000000000000..c2584fbacaa0 --- /dev/null +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/SecurityActions.java 
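Review bot: `getSerializationContext()` in CompatibilityProtoStreamMarshaller now returns the `serCtx` field unconditionally, so a call made before the `@Start` method has run, or on an instance that was never wired by the component registry, yields `null`. The removed code failed fast with `IllegalStateException("cacheManager not set")`, whereas the new code would fail later with a NullPointerException somewhere in marshalling. I would keep a guard, `if (serCtx == null) throw new IllegalStateException("marshaller not started");`, and document on the field that it is assigned once in `start()`.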
@@ -0,0 +1,33 @@
+package org.infinispan.query.remote;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+import org.infinispan.manager.EmbeddedCacheManager;
+import org.infinispan.protostream.SerializationContext;
+import org.infinispan.query.remote.impl.GetSerializationContextAction;
+import org.infinispan.security.Security;
+
+/**
+ * SecurityActions for the org.infinispan.query.remote.impl.indexing package.
+ *
+ * Do not move and do not change class and method visibility!
+ *
+ * @author Dan Berindei
+ * @since 10.0
+ */
+final class SecurityActions {
+
+ private SecurityActions() {
+ }
+
+ private static T doPrivileged(PrivilegedAction action) {
+ return System.getSecurityManager() != null ?
+ AccessController.doPrivileged(action) : Security.doPrivileged(action);
+ }
+
+ static SerializationContext getSerializationContext(EmbeddedCacheManager cacheManager) {
+ return doPrivileged(new GetSerializationContextAction(cacheManager));
+ }
+
+}
diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/GetSerializationContextAction.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/GetSerializationContextAction.java
new file mode 100644
index 000000000000..19a85e6866b4
--- /dev/null
+++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/GetSerializationContextAction.java
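Review bot: The class Javadoc of this new SecurityActions names the wrong package: the file declares `package org.infinispan.query.remote;` but the comment says it is for `org.infinispan.query.remote.impl.indexing`. The "do not move and do not change visibility" warning only makes sense when it is tied to the right package, so the first line should read ` * SecurityActions for the org.infinispan.query.remote package.` It would also help to state the reason for the warning, as the org.infinispan.server.core.transport variant in this patch does.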
@@ -0,0 +1,23 @@ +package org.infinispan.query.remote.impl; + +import java.security.PrivilegedAction; + +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.protostream.SerializationContext; + +/** + * @author Dan Berindei + * @since 10.0 + */ +public class GetSerializationContextAction implements PrivilegedAction { + private final EmbeddedCacheManager cacheManager; + + public GetSerializationContextAction(EmbeddedCacheManager cacheManager) { + this.cacheManager = cacheManager; + } + + @Override + public SerializationContext run() { + return ProtobufMetadataManagerImpl.getSerializationContext(cacheManager); + } +} diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ObjectRemoteQueryManager.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ObjectRemoteQueryManager.java index 335f5130a79f..3bdf2d746799 100644 --- a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ObjectRemoteQueryManager.java +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ObjectRemoteQueryManager.java @@ -34,7 +34,7 @@ class ObjectRemoteQueryManager extends BaseRemoteQueryManager { super(cr, querySerializers); this.cr = cr; this.isIndexed = cache.getCacheConfiguration().indexing().index().isEnabled(); - this.serCtx = ProtobufMetadataManagerImpl.getSerializationContext(cache.getCacheManager()); + this.serCtx = SecurityActions.getSerializationContext(cache.getCacheManager()); } @Override diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ProtobufMetadataManagerImpl.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ProtobufMetadataManagerImpl.java index 46545fc5c4e0..2da32f8eba56 100644 --- a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ProtobufMetadataManagerImpl.java 
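Review bot: `GetSerializationContextAction` is added as a public, non-final class whose Javadoc holds only `@author` and `@since`, with nothing about what it returns or how it is meant to be used. It is public because three package-private SecurityActions classes in different packages construct it, and that design choice deserves a sentence. I would add a description such as `PrivilegedAction that looks up the SerializationContext of the given cache manager; run it only through a package-private SecurityActions helper.` and declare the class `final`.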
+++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/ProtobufMetadataManagerImpl.java @@ -8,7 +8,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; - import javax.management.MBeanException; import javax.management.ObjectName; @@ -89,7 +88,7 @@ protected void init(EmbeddedCacheManager cacheManager, InternalCacheRegistry int protected void addCacheDependency(String dependantCacheName) { protobufSchemaCache = (Cache) SecurityActions.getUnwrappedCache(cacheManager, PROTOBUF_METADATA_CACHE_NAME).getAdvancedCache().withEncoding(IdentityEncoder.class); // add stop dependency - cacheManager.addCacheDependency(dependantCacheName, ProtobufMetadataManagerImpl.PROTOBUF_METADATA_CACHE_NAME); + SecurityActions.addCacheDependency(cacheManager, dependantCacheName, ProtobufMetadataManagerImpl.PROTOBUF_METADATA_CACHE_NAME); } /** diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/SecurityActions.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/SecurityActions.java index e6df193732d0..d4f536c62a0d 100644 --- a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/SecurityActions.java +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/SecurityActions.java @@ -6,8 +6,11 @@ import org.infinispan.AdvancedCache; import org.infinispan.Cache; import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.protostream.SerializationContext; import org.infinispan.security.AuthorizationManager; import org.infinispan.security.Security; +import org.infinispan.security.actions.AddCacheDependencyAction; +import org.infinispan.security.actions.GetCacheComponentRegistryAction; import org.infinispan.security.impl.SecureCacheImpl; /** 
@@ -28,7 +31,7 @@ private static T doPrivileged(PrivilegedAction action) { } static RemoteQueryManager getRemoteQueryManager(AdvancedCache cache) { - return doPrivileged(() -> cache.getComponentRegistry().getComponent(RemoteQueryManager.class)); + return doPrivileged(new GetCacheComponentRegistryAction(cache)).getComponent(RemoteQueryManager.class); } static AuthorizationManager getCacheAuthorizationManager(AdvancedCache cache) { @@ -44,6 +47,14 @@ static Cache getUnwrappedCache(EmbeddedCacheManager cacheManager, S return cache; } }); + } + + static SerializationContext getSerializationContext(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetSerializationContextAction(cacheManager)); + } + static void addCacheDependency(EmbeddedCacheManager cacheManager, String dependantCacheName, + String protobufMetadataCacheName) { + doPrivileged(new AddCacheDependencyAction(cacheManager, dependantCacheName, protobufMetadataCacheName)); } } diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleBinaryProtobufFilterAndConverter.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleBinaryProtobufFilterAndConverter.java index ed8404e4128c..6be8bbd7ee74 100644 --- a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleBinaryProtobufFilterAndConverter.java +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleBinaryProtobufFilterAndConverter.java @@ -20,7 +20,6 @@ import org.infinispan.protostream.ProtobufUtil; import org.infinispan.protostream.SerializationContext; import org.infinispan.query.remote.impl.ExternalizerIds; -import org.infinispan.query.remote.impl.ProtobufMetadataManagerImpl; /** * Adapter for {@link IckleProtobufFilterAndConverter} that produces binary values as a result of filter/conversion. 
@@ -37,7 +36,7 @@ public final class IckleBinaryProtobufFilterAndConverter extends AbstractK @Inject void injectDependencies(ComponentRegistry componentRegistry, EmbeddedCacheManager cacheManager) { componentRegistry.wireDependencies(delegate); - serCtx = ProtobufMetadataManagerImpl.getSerializationContext(cacheManager); + serCtx = SecurityActions.getSerializationContext(cacheManager); } IckleBinaryProtobufFilterAndConverter(String queryString, Map namedParameters) { diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleProtobufFilterAndConverter.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleProtobufFilterAndConverter.java index 7a4c4abe463b..769059227afe 100644 --- a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleProtobufFilterAndConverter.java +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/IckleProtobufFilterAndConverter.java @@ -8,12 +8,13 @@ import java.util.Map; import java.util.Set; -import org.infinispan.Cache; import org.infinispan.commons.dataconversion.MediaType; import org.infinispan.commons.io.UnsignedNumeric; import org.infinispan.commons.marshall.AbstractExternalizer; +import org.infinispan.factories.ComponentRegistry; import org.infinispan.objectfilter.impl.ProtobufMatcher; import org.infinispan.query.dsl.embedded.impl.IckleFilterAndConverter; +import org.infinispan.query.dsl.embedded.impl.QueryCache; import org.infinispan.query.remote.impl.ExternalizerIds; import org.infinispan.query.remote.impl.RemoteQueryManager; 
@@ -31,10 +32,10 @@ public IckleProtobufFilterAndConverter(String queryString, Map n } @Override - protected void injectDependencies(Cache cache) { - RemoteQueryManager remoteQueryManager = cache.getAdvancedCache().getComponentRegistry().getComponent(RemoteQueryManager.class); + protected void injectDependencies(ComponentRegistry componentRegistry, QueryCache queryCache) { + RemoteQueryManager remoteQueryManager = componentRegistry.getComponent(RemoteQueryManager.class); matcherImplClass = remoteQueryManager.getMatcherClass(MediaType.APPLICATION_PROTOSTREAM); - super.injectDependencies(cache); + super.injectDependencies(componentRegistry, queryCache); } public static final class Externalizer extends AbstractExternalizer { diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/SecurityActions.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/SecurityActions.java new file mode 100644 index 000000000000..a88a08205559 --- /dev/null +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/filter/SecurityActions.java 
@@ -0,0 +1,32 @@ +package org.infinispan.query.remote.impl.filter; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.protostream.SerializationContext; +import org.infinispan.query.remote.impl.GetSerializationContextAction; +import org.infinispan.security.Security; + +/** + * SecurityActions for the org.infinispan.query.remote.impl.filter package. + * + * Do not move and do not change class and method visibility! + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + + private SecurityActions() { + } + + private static T doPrivileged(PrivilegedAction action) { + return System.getSecurityManager() != null ? + AccessController.doPrivileged(action) : Security.doPrivileged(action); + } + + static SerializationContext getSerializationContext(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetSerializationContextAction(cacheManager)); + } +} diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/ProtobufValueWrapperFieldBridge.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/ProtobufValueWrapperFieldBridge.java index 1220f3c73ce5..3bbeb59765e1 100644 --- a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/ProtobufValueWrapperFieldBridge.java +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/ProtobufValueWrapperFieldBridge.java @@ -12,7 +12,6 @@ import org.infinispan.protostream.SerializationContext; import org.infinispan.protostream.WrappedMessage; import org.infinispan.protostream.descriptors.Descriptor; -import org.infinispan.query.remote.impl.ProtobufMetadataManagerImpl; import org.infinispan.query.remote.impl.logging.Log; /** 
@@ -59,7 +58,7 @@ public void set(String name, Object value, Document document, LuceneOptions luce private void decodeAndIndex(ProtobufValueWrapper valueWrapper, Document document, LuceneOptions luceneOptions) { if (serializationContext == null) { - serializationContext = ProtobufMetadataManagerImpl.getSerializationContext(cache.getCacheManager()); + serializationContext = SecurityActions.getSerializationContext(cache.getCacheManager()); wrapperDescriptor = serializationContext.getMessageDescriptor(WrappedMessage.PROTOBUF_TYPE_NAME); } diff --git a/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/SecurityActions.java b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/SecurityActions.java new file mode 100644 index 000000000000..dcdbfcc38fe7 --- /dev/null +++ b/remote-query/remote-query-server/src/main/java/org/infinispan/query/remote/impl/indexing/SecurityActions.java @@ -0,0 +1,32 @@ +package org.infinispan.query.remote.impl.indexing; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.protostream.SerializationContext; +import org.infinispan.query.remote.impl.GetSerializationContextAction; +import org.infinispan.security.Security; + +/** + * SecurityActions for the org.infinispan.query.remote.impl.indexing package. + * + * Do not move and do not change class and method visibility! + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + + private SecurityActions() { + } + + private static T doPrivileged(PrivilegedAction action) { + return System.getSecurityManager() != null ? + AccessController.doPrivileged(action) : Security.doPrivileged(action); + } + + static SerializationContext getSerializationContext(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetSerializationContextAction(cacheManager)); + } +} 
diff --git a/server/core/src/main/java/org/infinispan/server/core/transport/NettyTransportConnectionStats.java b/server/core/src/main/java/org/infinispan/server/core/transport/NettyTransportConnectionStats.java index 42e8c7822f6a..fd62b91f6213 100644 --- a/server/core/src/main/java/org/infinispan/server/core/transport/NettyTransportConnectionStats.java +++ b/server/core/src/main/java/org/infinispan/server/core/transport/NettyTransportConnectionStats.java @@ -39,7 +39,7 @@ class NettyTransportConnectionStats { public NettyTransportConnectionStats(EmbeddedCacheManager cacheManager, ChannelGroup acceptedChannels, String threadNamePrefix) { this.cacheManager = cacheManager; - this.isGlobalStatsEnabled = cacheManager != null && cacheManager.getCacheManagerConfiguration().globalJmxStatistics().enabled(); + this.isGlobalStatsEnabled = cacheManager != null && SecurityActions.getCacheManagerConfiguration(cacheManager).globalJmxStatistics().enabled(); this.acceptedChannels = acceptedChannels; this.threadNamePrefix = threadNamePrefix; } @@ -109,7 +109,7 @@ public void setEnvironment(Cache cache, Set inputKeys) { @Override public Integer call() throws Exception { - GlobalJmxStatisticsConfiguration globalCfg = cache.getCacheManager().getCacheManagerConfiguration().globalJmxStatistics(); + GlobalJmxStatisticsConfiguration globalCfg = SecurityActions.getCacheManagerConfiguration(cache).globalJmxStatistics(); String jmxDomain = globalCfg.domain(); MBeanServer mbeanServer = JmxUtil.lookupMBeanServer(globalCfg.mbeanServerLookup(), globalCfg.properties()); try { diff --git a/server/core/src/main/java/org/infinispan/server/core/transport/SecurityActions.java b/server/core/src/main/java/org/infinispan/server/core/transport/SecurityActions.java new file mode 100644 index 000000000000..d2fa13963813 --- /dev/null +++ b/server/core/src/main/java/org/infinispan/server/core/transport/SecurityActions.java 
@@ -0,0 +1,39 @@ +package org.infinispan.server.core.transport; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.Cache; +import org.infinispan.configuration.global.GlobalConfiguration; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheManagerConfigurationAction; +import org.infinispan.security.actions.GetClusterExecutorAction; + +/** + * SecurityActions for the org.infinispan.query.backend package. + *

+ * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author anistor@redhat.com + * @since 8.2 + */ +final class SecurityActions { + + private SecurityActions() { + } + + private static T doPrivileged(PrivilegedAction action) { + return System.getSecurityManager() != null ? + AccessController.doPrivileged(action) : Security.doPrivileged(action); + } + + static GlobalConfiguration getCacheManagerConfiguration(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetCacheManagerConfigurationAction(cacheManager)); + } + + static GlobalConfiguration getCacheManagerConfiguration(Cache cache) { + return doPrivileged(() -> cache.getCacheManager().getCacheManagerConfiguration()); + } +} diff --git a/server/hotrod/src/main/java/org/infinispan/server/hotrod/HotRodServer.java b/server/hotrod/src/main/java/org/infinispan/server/hotrod/HotRodServer.java index 9d1f25d5a912..12735efb8361 100644 --- a/server/hotrod/src/main/java/org/infinispan/server/hotrod/HotRodServer.java +++ b/server/hotrod/src/main/java/org/infinispan/server/hotrod/HotRodServer.java @@ -24,10 +24,13 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicBoolean; import java.util.function.BiConsumer; - import javax.security.auth.Subject; import javax.security.sasl.SaslServerFactory; +import com.github.benmanes.caffeine.cache.Caffeine; +import io.netty.channel.Channel; +import io.netty.channel.ChannelInitializer; +import io.netty.channel.ChannelOutboundHandler; import org.infinispan.AdvancedCache; import org.infinispan.Cache; import org.infinispan.commons.CacheException; 
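Review bot: The Javadoc of the new org.infinispan.server.core.transport.SecurityActions is copied from another module: it says "SecurityActions for the org.infinispan.query.backend package" and carries `@since 8.2`. The first line should be ` * SecurityActions for the org.infinispan.server.core.transport package.` with the tags updated to match. The import of `org.infinispan.security.actions.GetClusterExecutorAction` is not used anywhere in the class body and should be dropped. The `Cache` overload of `getCacheManagerConfiguration` uses an inline lambda while its sibling uses `GetCacheManagerConfigurationAction`; using the action there too, `return doPrivileged(new GetCacheManagerConfigurationAction(cache.getCacheManager()));`, keeps the privileged code to one audited class.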
@@ -96,12 +99,6 @@ import org.infinispan.upgrade.RollingUpgradeManager; import org.infinispan.util.KeyValuePair; -import com.github.benmanes.caffeine.cache.Caffeine; - -import io.netty.channel.Channel; -import io.netty.channel.ChannelInitializer; -import io.netty.channel.ChannelOutboundHandler; - /** * Hot Rod server, in charge of defining its encoder/decoder and, if clustered, update the topology information on * startup and shutdown. @@ -234,7 +231,7 @@ protected void startInternal(HotRodServerConfiguration configuration, EmbeddedCa // These are also initialized by super.startInternal, but we need them before this.configuration = configuration; this.cacheManager = cacheManager; - this.iterationManager = new DefaultIterationManager(cacheManager.getGlobalComponentRegistry().getTimeService()); + this.iterationManager = new DefaultIterationManager(SecurityActions.getGlobalComponentRegistry(cacheManager).getTimeService()); // populate the sasl factories based on the required mechs setupSasl(); @@ -242,7 +239,7 @@ protected void startInternal(HotRodServerConfiguration configuration, EmbeddedCa // Initialize query-specific stuff List queryFacades = loadQueryFacades(); queryFacade = queryFacades.size() > 0 ? queryFacades.get(0) : null; - clientListenerRegistry = new ClientListenerRegistry(cacheManager.getGlobalComponentRegistry().getComponent(EncoderRegistry.class)); + clientListenerRegistry = new ClientListenerRegistry(SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(EncoderRegistry.class)); clientCounterNotificationManager = new ClientCounterManagerNotificationManager(asCounterManager(cacheManager)); addKeyValueFilterConverterFactory(ToEmptyBytesKeyValueFilterConverter.class.getName(), new ToEmptyBytesFactory()); 
@@ -263,7 +260,7 @@ protected void startInternal(HotRodServerConfiguration configuration, EmbeddedCa super.startInternal(configuration, cacheManager); // Add self to topology cache last, after everything is initialized - if (Configurations.isClustered(cacheManager.getCacheManagerConfiguration())) { + if (Configurations.isClustered(SecurityActions.getCacheManagerConfiguration(cacheManager))) { defineTopologyCacheConfig(cacheManager); if (log.isDebugEnabled()) log.debugf("Externally facing address is %s:%d", configuration.proxyHost(), configuration.proxyPort()); @@ -312,7 +309,7 @@ protected void startDefaultCache() { private void preStartCaches() { // Start defined caches to avoid issues with lazily started caches. Skip internal caches if authorization is not // enabled - InternalCacheRegistry icr = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); + InternalCacheRegistry icr = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(InternalCacheRegistry.class); boolean authz = cacheManager.getCacheManagerConfiguration().security().authorization().enabled(); for (String cacheName : cacheManager.getCacheNames()) { getCacheInstance(UNKNOWN_TYPES, null, cacheName, cacheManager, false, (!icr.internalCacheHasFlag(cacheName, InternalCacheRegistry.Flag.PROTECTED) || authz)); 
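Review bot: In `preStartCaches` the registry lookup is now wrapped, but the next line still calls the getter directly: `boolean authz = cacheManager.getCacheManagerConfiguration().security().authorization().enabled();`. The commit message says `getCacheManagerConfiguration` now requires ADMIN, and the other call sites in this file were switched to the helper, so this one should be `boolean authz = SecurityActions.getCacheManagerConfiguration(cacheManager).security().authorization().enabled();`. The same direct call remains in `defineTopologyCacheConfig` (hunk `@@ -339,7 +336,7 @@`), in the argument `cacheManager.getCacheManagerConfiguration().transport().distributedSyncTimeout()`. Whether these paths can run under a Subject without ADMIN is not visible here, and both method bodies extend beyond their hunks.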
@@ -339,7 +336,7 @@ private void addSelfToTopologyView(EmbeddedCacheManager cacheManager) { } private void defineTopologyCacheConfig(EmbeddedCacheManager cacheManager) { - InternalCacheRegistry internalCacheRegistry = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); + InternalCacheRegistry internalCacheRegistry = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(InternalCacheRegistry.class); internalCacheRegistry.registerInternalCache(configuration.topologyCacheName(), createTopologyCacheConfig(cacheManager.getCacheManagerConfiguration().transport().distributedSyncTimeout()).build(), EnumSet.of(InternalCacheRegistry.Flag.EXCLUSIVE)); @@ -378,7 +375,7 @@ public AdvancedCache cache(HotRodHeader header, Subject subject, KeyValuePair requestMediaTypes = getRequestMediaTypes(header, getCacheConfiguration(cacheName)); AdvancedCache cache = knownCaches.get(getDecoratedCacheKey(cacheName, requestMediaTypes)); if (cache == null) { - InternalCacheRegistry icr = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); + InternalCacheRegistry icr = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(InternalCacheRegistry.class); if (icr.isPrivateCache(cacheName)) { throw new RequestParsingException( String.format("Remote requests are not allowed to private caches. Do no send remote requests to cache '%s'", cacheName), 
@@ -580,8 +577,9 @@ public void stop() { if (topologyChangeListener != null) { SecurityActions.removeListener(addressCache, topologyChangeListener); } - if (cacheManager != null && Configurations.isClustered(cacheManager.getCacheManagerConfiguration())) { - InternalCacheRegistry internalCacheRegistry = cacheManager.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); + if (cacheManager != null && Configurations.isClustered(SecurityActions.getCacheManagerConfiguration(cacheManager))) { + InternalCacheRegistry internalCacheRegistry = + SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(InternalCacheRegistry.class); if (internalCacheRegistry != null) internalCacheRegistry.unregisterInternalCache(configuration.topologyCacheName()); } diff --git a/server/hotrod/src/main/java/org/infinispan/server/hotrod/LifecycleCallbacks.java b/server/hotrod/src/main/java/org/infinispan/server/hotrod/LifecycleCallbacks.java index 849893dc524a..7035415495c4 100644 --- a/server/hotrod/src/main/java/org/infinispan/server/hotrod/LifecycleCallbacks.java +++ b/server/hotrod/src/main/java/org/infinispan/server/hotrod/LifecycleCallbacks.java @@ -65,9 +65,13 @@ public class LifecycleCallbacks implements ModuleLifecycle { @GuardedBy("this") private boolean registered = false; + private GlobalComponentRegistry globalComponentRegistry; + private GlobalConfiguration globalCfg; @Override public void cacheManagerStarting(GlobalComponentRegistry gcr, GlobalConfiguration globalCfg) { + this.globalComponentRegistry = gcr; + this.globalCfg = globalCfg; Map> externalizers = globalCfg.serialization().advancedExternalizers(); externalizers.put(SERVER_ADDRESS, new ServerAddress.Externalizer()); externalizers.put(KEY_VALUE_VERSION_CONVERTER, new KeyValueVersionConverter.Externalizer()); 
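Review bot: The fields `globalComponentRegistry` and `globalCfg` added to LifecycleCallbacks are written in `cacheManagerStarting` and read later in `registerServerTransactionTable` and `createGlobalTxTable`, yet they are neither `final` nor `volatile` and have no `@GuardedBy` note like `registered`. The removed `componentRegistry.getGlobalComponentRegistry()` call was always tied to the cache being started. If one LifecycleCallbacks instance can serve more than one cache manager (not visible in this patch), the field would hold whichever manager started last and the transaction table could be registered in the wrong registry. I would record the assumption next to the fields, for example `// Assigned once in cacheManagerStarting; this instance belongs to exactly one cache manager`, and mark them `volatile` if callbacks may arrive on different threads.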
@@ -84,7 +88,7 @@ public void cacheManagerStarting(GlobalComponentRegistry gcr, GlobalConfiguratio externalizers.put(XID_PREDICATE, XidPredicate.EXTERNALIZER); externalizers.put(CONDITIONAL_MARK_ROLLBACK_FUNCTION, ConditionalMarkAsRollbackFunction.EXTERNALIZER); - registerGlobalTxTable(gcr); + registerGlobalTxTable(); } @Override @@ -106,8 +110,7 @@ private void registerServerTransactionTable(ComponentRegistry componentRegistry, !componentRegistry.getComponent(Configuration.class).transaction().transactionMode().isTransactional()) { return; } - EmbeddedCacheManager cacheManager = componentRegistry.getGlobalComponentRegistry() - .getComponent(EmbeddedCacheManager.class); + EmbeddedCacheManager cacheManager = globalComponentRegistry.getComponent(EmbeddedCacheManager.class); createGlobalTxTable(cacheManager); // TODO We need a way for a module to install a factory before the default implementation is instantiated BasicComponentRegistry basicComponentRegistry = componentRegistry.getComponent(BasicComponentRegistry.class); @@ -119,11 +122,11 @@ private void registerServerTransactionTable(ComponentRegistry componentRegistry, /** * Creates the global transaction internal cache. */ - private void registerGlobalTxTable(GlobalComponentRegistry globalComponentRegistry) { + private void registerGlobalTxTable() { InternalCacheRegistry registry = globalComponentRegistry.getComponent(InternalCacheRegistry.class); ConfigurationBuilder builder = new ConfigurationBuilder(); //we can't lose transactions. distributed cache can lose data is num_owner nodes crash at the same time - builder.clustering().cacheMode(globalComponentRegistry.getGlobalConfiguration().isClustered() ? + builder.clustering().cacheMode(globalCfg.isClustered() ? CacheMode.REPL_SYNC : CacheMode.LOCAL); builder.transaction().transactionMode(TransactionMode.NON_TRANSACTIONAL); 
@@ -135,8 +138,8 @@ private void registerGlobalTxTable(GlobalComponentRegistry globalComponentRegist private synchronized void createGlobalTxTable(EmbeddedCacheManager cacheManager) { if (!registered) { Cache cache = cacheManager.getCache(GLOBAL_TX_TABLE_CACHE_NAME); - GlobalTxTable txTable = new GlobalTxTable(cache, cacheManager.getGlobalComponentRegistry()); - cacheManager.getGlobalComponentRegistry().registerComponent(txTable, GlobalTxTable.class); + GlobalTxTable txTable = new GlobalTxTable(cache, globalComponentRegistry); + globalComponentRegistry.registerComponent(txTable, GlobalTxTable.class); registered = true; } diff --git a/server/hotrod/src/main/java/org/infinispan/server/hotrod/SecurityActions.java b/server/hotrod/src/main/java/org/infinispan/server/hotrod/SecurityActions.java index 299b7ff1f5fa..e665994687ca 100644 --- a/server/hotrod/src/main/java/org/infinispan/server/hotrod/SecurityActions.java +++ b/server/hotrod/src/main/java/org/infinispan/server/hotrod/SecurityActions.java @@ -5,6 +5,7 @@ import org.infinispan.AdvancedCache; import org.infinispan.configuration.cache.Configuration; +import org.infinispan.configuration.global.GlobalConfiguration; import org.infinispan.factories.ComponentRegistry; import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.manager.EmbeddedCacheManager; @@ -14,7 +15,7 @@ import org.infinispan.security.actions.GetCacheAction; import org.infinispan.security.actions.GetCacheComponentRegistryAction; import org.infinispan.security.actions.GetCacheConfigurationAction; -import org.infinispan.security.actions.GetCacheGlobalComponentRegistryAction; +import org.infinispan.security.actions.GetCacheManagerConfigurationAction; import org.infinispan.security.actions.GetGlobalComponentRegistryAction; import org.infinispan.security.actions.RemoveListenerAction; import org.infinispan.security.impl.SecureCacheImpl; 
@@ -53,23 +54,22 @@ static org.infinispan.Cache getCache(final EmbeddedCacheManager cac return (org.infinispan.Cache) doPrivileged(action); } - static GlobalComponentRegistry getCacheGlobalComponentRegistry(final AdvancedCache cache) { - GetCacheGlobalComponentRegistryAction action = new GetCacheGlobalComponentRegistryAction(cache); - return doPrivileged(action); - } - static GlobalComponentRegistry getGlobalComponentRegistry(final EmbeddedCacheManager cacheManager) { GetGlobalComponentRegistryAction action = new GetGlobalComponentRegistryAction(cacheManager); return doPrivileged(action); } + static GlobalConfiguration getCacheManagerConfiguration(final EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetCacheManagerConfigurationAction(cacheManager)); + } + static void addListener(EmbeddedCacheManager cacheManager, Object listener) { doPrivileged(new AddCacheManagerListenerAction(cacheManager, listener)); } - static Void removeListener(Listenable listenable, Object listener) { + static void removeListener(Listenable listenable, Object listener) { RemoveListenerAction action = new RemoveListenerAction(listenable, listener); - return doPrivileged(action); + doPrivileged(action); } static AdvancedCache getUnwrappedCache(final AdvancedCache cache) { diff --git a/server/hotrod/src/main/java/org/infinispan/server/hotrod/TransactionRequestProcessor.java b/server/hotrod/src/main/java/org/infinispan/server/hotrod/TransactionRequestProcessor.java index e986880df3e8..fa19db44030c 100644 --- a/server/hotrod/src/main/java/org/infinispan/server/hotrod/TransactionRequestProcessor.java +++ b/server/hotrod/src/main/java/org/infinispan/server/hotrod/TransactionRequestProcessor.java 
@@ -3,12 +3,13 @@ import java.util.Collection; import java.util.List; import java.util.concurrent.Executor; - import javax.security.auth.Subject; import javax.transaction.xa.XAException; import javax.transaction.xa.XAResource; import javax.transaction.xa.Xid; +import io.netty.buffer.ByteBuf; +import io.netty.channel.Channel; import org.infinispan.AdvancedCache; import org.infinispan.commons.tx.XidImpl; import org.infinispan.configuration.cache.Configuration; @@ -25,9 +26,6 @@ import org.infinispan.util.concurrent.IsolationLevel; import org.infinispan.util.logging.LogFactory; -import io.netty.buffer.ByteBuf; -import io.netty.channel.Channel; - class TransactionRequestProcessor extends CacheRequestProcessor { private static final Log log = LogFactory.getLog(TransactionRequestProcessor.class, Log.class); private static final boolean isTrace = log.isTraceEnabled(); @@ -70,7 +68,7 @@ void prepareTransaction(HotRodHeader header, Subject subject, XidImpl xid, boole void forgetTransaction(HotRodHeader header, Subject subject, XidImpl xid) { //TODO authentication? - GlobalTxTable txTable = server.getCacheManager().getGlobalComponentRegistry().getComponent(GlobalTxTable.class); + GlobalTxTable txTable = SecurityActions.getGlobalComponentRegistry(server.getCacheManager()).getComponent(GlobalTxTable.class); executor.execute(() -> { try { txTable.forgetTransaction(xid); @@ -88,7 +86,7 @@ void getPreparedTransactions(HotRodHeader header, Subject subject) { } executor.execute(() -> { try { - GlobalTxTable txTable = server.getCacheManager().getGlobalComponentRegistry() + GlobalTxTable txTable = SecurityActions.getGlobalComponentRegistry(server.getCacheManager()) .getComponent(GlobalTxTable.class); Collection preparedTx = txTable.getPreparedTransactions(); writeResponse(header, createRecoveryResponse(header, preparedTx)); 
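Review bot: In `forgetTransaction` the `GlobalTxTable` is now fetched through a privileged action, but the `//TODO authentication?` above it is still open and `subject` is not consulted in the visible lines, so nothing shown here ties the operation to the caller's identity. Because the privileged lookup presumably no longer depends on the caller holding ADMIN, the TODO should either be resolved or replaced by a comment that says where the subject is authorized, for example `// Privileged lookup: 'subject' is not authorized here; see <where the check happens>`. The method body continues outside the hunk, so a check further down cannot be ruled out from here.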
diff --git a/server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/BaseCompleteTransactionOperation.java b/server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/BaseCompleteTransactionOperation.java index 72653c582f23..24f97099ac43 100644 --- a/server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/BaseCompleteTransactionOperation.java +++ b/server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/BaseCompleteTransactionOperation.java @@ -11,7 +11,6 @@ import java.util.concurrent.atomic.AtomicInteger; import java.util.function.BiConsumer; import java.util.function.BiFunction; - import javax.security.auth.Subject; import javax.transaction.xa.XAException; @@ -68,7 +67,7 @@ abstract class BaseCompleteTransactionOperation implements CacheNameCollector, R BaseCompleteTransactionOperation(HotRodHeader header, HotRodServer server, Subject subject, XidImpl xid, BiConsumer reply) { - GlobalComponentRegistry gcr = server.getCacheManager().getGlobalComponentRegistry(); + GlobalComponentRegistry gcr = SecurityActions.getGlobalComponentRegistry(server.getCacheManager()); this.globalTxTable = gcr.getComponent(GlobalTxTable.class); this.asyncExecutor = gcr.getComponent(ExecutorService.class, KnownComponentNames.ASYNC_OPERATIONS_EXECUTOR); this.header = header; @@ -201,7 +200,7 @@ private CompletableFuture completeCache(ByteString cacheName) throws Throw private CompletableFuture completeWithRemoteCommand(AdvancedCache cache, RpcManager rpcManager, TxState state) throws Throwable { - CommandsFactory commandsFactory = cache.getComponentRegistry().getCommandsFactory(); + CommandsFactory commandsFactory = SecurityActions.getComponentRegistry(cache).getCommandsFactory(); CacheRpcCommand command = buildRemoteCommand(cache.getCacheConfiguration(), commandsFactory, state); CompletableFuture remote = rpcManager .invokeCommandOnAll(command, validOnly(), rpcManager.getSyncRpcOptions()) 
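Review bot: In `completeWithRemoteCommand` the line after the changed one still calls `cache.getCacheConfiguration()` directly, although this commit puts the configuration getters behind the ADMIN permission. If `cache` can be a secured cache here, that call would be rejected for a non-admin subject while the registry lookup beside it succeeds. Route it through a package-local helper built on `GetCacheConfigurationAction`, e.g. `buildRemoteCommand(SecurityActions.getCacheConfiguration(cache), commandsFactory, state)`. The same leftover is in `AbstractCacheConfigurationService.start`, where the `transportRequired(...)` argument still reads `container.getCacheManagerConfiguration().globalJmxStatistics().cacheManagerName()`; it can reuse the value already obtained from `SecurityActions.getCacheManagerConfiguration(container)`. Both method bodies continue outside their hunks.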
diff --git a/server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/SecurityActions.java b/server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/SecurityActions.java new file mode 100644 index 000000000000..bad8e7c9517e --- /dev/null +++ b/server/hotrod/src/main/java/org/infinispan/server/hotrod/tx/operation/SecurityActions.java @@ -0,0 +1,40 @@ +package org.infinispan.server.hotrod.tx.operation; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.AdvancedCache; +import org.infinispan.factories.ComponentRegistry; +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheComponentRegistryAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for the org.infinispan.server.hotrod.tx.operation package. + *

+ * Do not move. Do not change class and method visibility to avoid being called from other + * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. + * + * @author Dan Berindei + * @since 10.0 + */ +final class SecurityActions { + + private SecurityActions() { + } + + private static T doPrivileged(PrivilegedAction action) { + return System.getSecurityManager() != null ? + AccessController.doPrivileged(action) : Security.doPrivileged(action); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } + + public static ComponentRegistry getComponentRegistry(AdvancedCache cache) { + return doPrivileged(new GetCacheComponentRegistryAction(cache)); + } +} diff --git a/server/integration/endpoint/src/main/java/org/infinispan/server/endpoint/subsystem/SecurityActions.java b/server/integration/endpoint/src/main/java/org/infinispan/server/endpoint/subsystem/SecurityActions.java index a823a3a6c522..f9a058a01f11 100644 --- a/server/integration/endpoint/src/main/java/org/infinispan/server/endpoint/subsystem/SecurityActions.java +++ b/server/integration/endpoint/src/main/java/org/infinispan/server/endpoint/subsystem/SecurityActions.java @@ -25,8 +25,6 @@ import org.infinispan.security.Security; import org.infinispan.server.core.ProtocolServer; import org.infinispan.server.core.configuration.ProtocolServerConfiguration; -import org.jboss.security.SecurityContext; -import org.jboss.security.SecurityContextAssociation; /** * Privileged Actions 
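Review bot: In the new `tx/operation/SecurityActions`, `getComponentRegistry` is declared `public static` even though the class Javadoc directly above says not to change method visibility, so that other CodeSources cannot call it. The class is package-private, which limits the exposure in practice, but the modifier contradicts the stated rule and its sibling `getGlobalComponentRegistry`. Declare it `static ComponentRegistry getComponentRegistry(AdvancedCache cache) {`.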
@@ -42,92 +40,6 @@ private static T doPrivileged(PrivilegedAction action) { return Security.doPrivileged(action); } } - /** - * Set the {@code SecurityContext} on the {@code SecurityContextAssociation} - * - * @param sc - * the security context - */ - static void setSecurityContextOnAssociation(final SecurityContext sc) { - AccessController.doPrivileged(new PrivilegedAction() { - - @Override - public Void run() { - SecurityContextAssociation.setSecurityContext(sc); - return null; - } - }); - } - - /** - * Get the current {@code SecurityContext} - * - * @return an instance of {@code SecurityContext} - */ - static SecurityContext getSecurityContext() { - return AccessController.doPrivileged(new PrivilegedAction() { - @Override - public SecurityContext run() { - return SecurityContextAssociation.getSecurityContext(); - } - }); - } - - /** - * Clears current {@code SecurityContext} - */ - static void clearSecurityContext() { - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Void run() { - SecurityContextAssociation.clearSecurityContext(); - return null; - } - }); - } - - public static final String AUTH_EXCEPTION_KEY = "org.jboss.security.exception"; - - static void clearAuthException() { - if (System.getSecurityManager() != null) { - AccessController.doPrivileged(new PrivilegedAction() { - - @Override - public Void run() { - SecurityContext sc = getSecurityContext(); - if (sc != null) - sc.getData().put(AUTH_EXCEPTION_KEY, null); - return null; - } - }); - } else { - SecurityContext sc = getSecurityContext(); - if (sc != null) - sc.getData().put(AUTH_EXCEPTION_KEY, null); - } - } - - static Throwable getAuthException() { - if (System.getSecurityManager() != null) { - return AccessController.doPrivileged(new PrivilegedAction() { - - @Override - public Throwable run() { - SecurityContext sc = getSecurityContext(); - Throwable exception = null; - if (sc != null) - exception = (Throwable) sc.getData().get(AUTH_EXCEPTION_KEY); - return exception; 
- } - }); - } else { - SecurityContext sc = getSecurityContext(); - Throwable exception = null; - if (sc != null) - exception = (Throwable) sc.getData().get(AUTH_EXCEPTION_KEY); - return exception; - } - } static void startProtocolServer(final ProtocolServer server, final ProtocolServerConfiguration configuration, final EmbeddedCacheManager cacheManager) { PrivilegedAction action = new PrivilegedAction() { diff --git a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/SecurityActions.java b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/SecurityActions.java deleted file mode 100644 index 3151276e3c93..000000000000 --- a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/SecurityActions.java +++ /dev/null 
@@ -1,291 +0,0 @@ -package org.infinispan.server.infinispan; - -import java.security.AccessController; -import java.security.PrivilegedAction; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; -import java.util.List; -import java.util.Map; -import java.util.Optional; -import java.util.Set; - -import org.infinispan.AdvancedCache; -import org.infinispan.Cache; -import org.infinispan.cli.interpreter.Interpreter; -import org.infinispan.configuration.cache.Configuration; -import org.infinispan.counter.EmbeddedCounterManagerFactory; -import org.infinispan.counter.api.CounterManager; -import org.infinispan.factories.ComponentRegistry; -import org.infinispan.factories.GlobalComponentRegistry; -import org.infinispan.interceptors.AsyncInterceptor; -import org.infinispan.interceptors.base.CommandInterceptor; -import org.infinispan.jmx.JmxStatisticsExposer; -import org.infinispan.lifecycle.ComponentStatus; -import org.infinispan.manager.EmbeddedCacheManager; -import org.infinispan.query.SearchManager; -import org.infinispan.remoting.rpc.RpcManager; -import org.infinispan.remoting.transport.Address; -import org.infinispan.security.Security; -import org.infinispan.security.actions.GetCacheComponentRegistryAction; -import org.infinispan.security.actions.GetCacheInterceptorChainAction; -import org.infinispan.security.actions.GetCacheLockManagerAction; -import org.infinispan.security.actions.GetCacheManagerAddress; -import org.infinispan.security.actions.GetCacheManagerClusterAvailabilityAction; -import org.infinispan.security.actions.GetCacheManagerClusterNameAction; -import org.infinispan.security.actions.GetCacheManagerCoordinatorAddress; -import org.infinispan.security.actions.GetCacheManagerIsCoordinatorAction; -import org.infinispan.security.actions.GetCacheManagerStatusAction; -import org.infinispan.security.actions.GetCacheRpcManagerAction; -import org.infinispan.security.actions.GetCacheStatusAction; -import 
org.infinispan.security.actions.GetGlobalComponentRegistryAction; -import org.infinispan.server.infinispan.actions.ClearCacheAction; -import org.infinispan.server.infinispan.actions.FlushCacheAction; -import org.infinispan.server.infinispan.actions.GetCacheVersionAction; -import org.infinispan.server.infinispan.actions.GetCreatedCacheCountAction; -import org.infinispan.server.infinispan.actions.GetDefinedCacheCountAction; -import org.infinispan.server.infinispan.actions.GetDefinedCacheNamesAction; -import org.infinispan.server.infinispan.actions.GetMembersAction; -import org.infinispan.server.infinispan.actions.GetRunningCacheCountAction; -import org.infinispan.server.infinispan.actions.GetSearchManagerAction; -import org.infinispan.server.infinispan.actions.GetSitesViewAction; -import org.infinispan.server.infinispan.actions.ResetComponentJmxStatisticsAction; -import org.infinispan.server.infinispan.actions.ResetInterceptorJmxStatisticsAction; -import org.infinispan.server.infinispan.actions.StartCacheAction; -import org.infinispan.server.infinispan.actions.StopCacheAction; -import org.infinispan.util.concurrent.locks.LockManager; -import org.jboss.as.clustering.infinispan.DefaultCacheContainer; - -/** - * SecurityActions for the org.infinispan.server.infinispan package - * - * @author Tristan Tarrant - * @since 7.0 - */ -public final class SecurityActions { - private static T doPrivileged(PrivilegedAction action) { - if (System.getSecurityManager() != null) { - return AccessController.doPrivileged(action); - } else { - return Security.doPrivileged(action); - } - } - - private static T doPrivileged(PrivilegedExceptionAction action) throws PrivilegedActionException { - if (System.getSecurityManager() != null) { - return AccessController.doPrivileged(action); - } else { - return Security.doPrivileged(action); - } - } - - public static void registerAndStartContainer(final EmbeddedCacheManager container, final Object listener) { - PrivilegedAction action = () -> { - 
container.addListener(listener); - container.start(); - return null; - }; - doPrivileged(action); - } - - public static boolean stopAndUnregisterContainer(final EmbeddedCacheManager container, final Object listener) { - PrivilegedAction action = () -> { - if (container.getStatus().allowInvocations()) { - container.removeListener(listener); - container.stop(); - return true; - } else { - return false; - } - }; - return doPrivileged(action); - } - - public static void defineContainerConfiguration(final EmbeddedCacheManager container, final String name, - final Configuration config) { - PrivilegedAction action = () -> { - container.defineConfiguration(name, config); - return null; - }; - doPrivileged(action); - } - - public static void undefineContainerConfiguration(final EmbeddedCacheManager container, final String name) { - PrivilegedAction action = () -> { - container.undefineConfiguration(name); - return null; - }; - doPrivileged(action); - } - - public static Cache startCache(final EmbeddedCacheManager container, final String name, final String configurationName) { - PrivilegedAction> action = () -> { - Cache cache = container.getCache(name, configurationName); - cache.start(); - return cache; - }; - return doPrivileged(action); - } - - public static void stopCache(final Cache cache) { - PrivilegedAction action = () -> { - cache.stop(); - return null; - }; - doPrivileged(action); - } - - public static void shutdownCache(final Cache cache) { - PrivilegedAction action = () -> { - cache.shutdown(); - return null; - }; - doPrivileged(action); - } - - public static LockManager getLockManager(final AdvancedCache cache) { - GetCacheLockManagerAction action = new GetCacheLockManagerAction(cache); - return doPrivileged(action); - } - - public static List getInterceptorChain(final AdvancedCache cache) { - GetCacheInterceptorChainAction action = new GetCacheInterceptorChainAction(cache); - return doPrivileged(action); - } - - public static RpcManager getRpcManager(final 
AdvancedCache cache) { - GetCacheRpcManagerAction action = new GetCacheRpcManagerAction(cache); - return doPrivileged(action); - } - - public static ComponentRegistry getComponentRegistry(final AdvancedCache cache) { - GetCacheComponentRegistryAction action = new GetCacheComponentRegistryAction(cache); - return doPrivileged(action); - } - - public static ComponentStatus getCacheStatus(AdvancedCache cache) { - GetCacheStatusAction action = new GetCacheStatusAction(cache); - return doPrivileged(action); - } - - public static String getCacheVersion(AdvancedCache cache) { - GetCacheVersionAction action = new GetCacheVersionAction(cache); - return doPrivileged(action); - } - - public static ComponentStatus getCacheManagerStatus(EmbeddedCacheManager cacheManager) { - GetCacheManagerStatusAction action = new GetCacheManagerStatusAction(cacheManager); - return doPrivileged(action); - } - - public static Address getCacheManagerLocalAddress(DefaultCacheContainer cacheManager) { - GetCacheManagerAddress action = new GetCacheManagerAddress(cacheManager); - return doPrivileged(action); - } - - public static Address getCacheManagerCoordinatorAddress(DefaultCacheContainer cacheManager) { - GetCacheManagerCoordinatorAddress action = new GetCacheManagerCoordinatorAddress(cacheManager); - return doPrivileged(action); - } - - public static boolean getCacheManagerIsCoordinator(DefaultCacheContainer cacheManager) { - GetCacheManagerIsCoordinatorAction action = new GetCacheManagerIsCoordinatorAction(cacheManager); - return doPrivileged(action); - } - - public static String getCacheManagerClusterName(DefaultCacheContainer cacheManager) { - GetCacheManagerClusterNameAction action = new GetCacheManagerClusterNameAction(cacheManager); - return doPrivileged(action); - } - - public static String getCacheManagerClusterAvailability(DefaultCacheContainer cacheManager) { - GetCacheManagerClusterAvailabilityAction action = new GetCacheManagerClusterAvailabilityAction(cacheManager); - return 
doPrivileged(action); - } - - public static String getDefinedCacheNames(DefaultCacheContainer cacheManager) { - GetDefinedCacheNamesAction action = new GetDefinedCacheNamesAction(cacheManager); - return doPrivileged(action); - } - - public static String getCacheCreatedCount(DefaultCacheContainer cacheManager) { - GetCreatedCacheCountAction action = new GetCreatedCacheCountAction(cacheManager); - return doPrivileged(action); - } - - public static String getDefinedCacheCount(DefaultCacheContainer cacheManager) { - GetDefinedCacheCountAction action = new GetDefinedCacheCountAction(cacheManager); - return doPrivileged(action); - } - - public static String getRunningCacheCount(DefaultCacheContainer cacheManager) { - GetRunningCacheCountAction action = new GetRunningCacheCountAction(cacheManager); - return doPrivileged(action); - } - - public static List

getMembers(DefaultCacheContainer cacheManager) { - GetMembersAction action = new GetMembersAction(cacheManager); - return doPrivileged(action); - } - - public static Void clearCache(AdvancedCache cache) { - ClearCacheAction action = new ClearCacheAction(cache); - doPrivileged(action); - return null; - } - - public static Void flushCache(AdvancedCache cache) { - FlushCacheAction action = new FlushCacheAction(cache); - doPrivileged(action); - return null; - } - - public static Void stopCache(AdvancedCache cache) { - StopCacheAction action = new StopCacheAction(cache); - doPrivileged(action); - return null; - } - - public static Void startCache(AdvancedCache cache) { - StartCacheAction action = new StartCacheAction(cache); - doPrivileged(action); - return null; - } - - public static Void resetStatistics(AdvancedCache cache, - Class jmxClass) { - PrivilegedAction action; - if (jmxClass.isAssignableFrom(CommandInterceptor.class)) { - action = new ResetInterceptorJmxStatisticsAction(cache, jmxClass); - } else { - action = new ResetComponentJmxStatisticsAction(cache, jmxClass); - } - doPrivileged(action); - return null; - } - - public static Map executeInterpreter(final Interpreter interpreter, final String sessionId, - final String command) throws Exception { - PrivilegedExceptionAction> action = () -> interpreter.execute(sessionId, command); - return doPrivileged(action); - } - - public static SearchManager getSearchManager(AdvancedCache cache) { - GetSearchManagerAction action = new GetSearchManagerAction(cache); - return doPrivileged(action); - } - - public static GlobalComponentRegistry getGlobalComponentRegistry(final EmbeddedCacheManager cacheManager) { - GetGlobalComponentRegistryAction action = new GetGlobalComponentRegistryAction(cacheManager); - return doPrivileged(action); - } - - public static Set getSitesView(DefaultCacheContainer cacheManager) { - GetSitesViewAction action = new GetSitesViewAction(cacheManager); - return doPrivileged(action); - } - - public 
static Optional findCounterManager(EmbeddedCacheManager cacheManager) { - return Optional.ofNullable(doPrivileged((PrivilegedAction) () -> EmbeddedCounterManagerFactory.asCounterManager(cacheManager))); - } - -} diff --git a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/DistributedServerTask.java b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/DistributedServerTask.java index 35dfe26c8f23..f15a9d6fa9e9 100644 --- a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/DistributedServerTask.java +++ b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/DistributedServerTask.java @@ -35,7 +35,7 @@ public DistributedServerTask(String taskName, Optional> parameter public void setEnvironment(Cache cache, Set inputKeys) { this.cache = cache; // todo inject global component registry to be independent of existence of cache. - GlobalComponentRegistry componentRegistry = cache.getCacheManager().getGlobalComponentRegistry(); + GlobalComponentRegistry componentRegistry = SecurityActions.getGlobalComponentRegistry(cache); taskRegistry = componentRegistry.getComponent(ServerTaskRegistry.class); marshaller = componentRegistry.getComponent(StreamingMarshaller.class); } diff --git a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/LocalServerTaskRunner.java b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/LocalServerTaskRunner.java index 3ecf431774c5..33e73baadf15 100644 --- a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/LocalServerTaskRunner.java +++ b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/LocalServerTaskRunner.java 
@@ -27,6 +27,6 @@ public CompletableFuture execute(String taskName, TaskContext context) { private ServerTaskRegistry getRegistry(TaskContext context) { Cache cache = context.getCache().get(); - return cache.getCacheManager().getGlobalComponentRegistry().getComponent(ServerTaskRegistry.class); + return SecurityActions.getComponentRegistry(cache.getAdvancedCache()).getComponent(ServerTaskRegistry.class); } } diff --git a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/SecurityActions.java b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/SecurityActions.java new file mode 100644 index 000000000000..62a3c55edcdc --- /dev/null +++ b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/SecurityActions.java 
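Review bot: `getRegistry` now resolves `ServerTaskRegistry` from the cache-level `ComponentRegistry` rather than the global registry it used before. `CacheContainerBuilder.start` in this same patch registers `ServerTaskRegistry` on the `GlobalComponentRegistry`, and `DistributedServerTask` looks it up there. Unless the cache registry is known to delegate to the global one for this type, keep the lookup global and consistent: `return SecurityActions.getGlobalComponentRegistry(cache).getComponent(ServerTaskRegistry.class);`.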
@@ -0,0 +1,44 @@ +package org.infinispan.server.infinispan.task; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import org.infinispan.AdvancedCache; +import org.infinispan.Cache; +import org.infinispan.factories.ComponentRegistry; +import org.infinispan.factories.GlobalComponentRegistry; +import org.infinispan.manager.EmbeddedCacheManager; +import org.infinispan.security.Security; +import org.infinispan.security.actions.GetCacheComponentRegistryAction; +import org.infinispan.security.actions.GetCacheGlobalComponentRegistryAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; + +/** + * SecurityActions for the org.infinispan.server.infinispan package + * + * @author Tristan Tarrant + * @since 7.0 + */ +public final class SecurityActions { + private static T doPrivileged(PrivilegedAction action) { + if (System.getSecurityManager() != null) { + return AccessController.doPrivileged(action); + } else { + return Security.doPrivileged(action); + } + } + + static ComponentRegistry getComponentRegistry(final AdvancedCache cache) { + GetCacheComponentRegistryAction action = new GetCacheComponentRegistryAction(cache); + return doPrivileged(action); + } + + static GlobalComponentRegistry getGlobalComponentRegistry(final EmbeddedCacheManager cacheManager) { + GetGlobalComponentRegistryAction action = new GetGlobalComponentRegistryAction(cacheManager); + return doPrivileged(action); + } + + public static GlobalComponentRegistry getGlobalComponentRegistry(Cache cache) { + return doPrivileged(new GetCacheGlobalComponentRegistryAction(cache.getAdvancedCache())); + } +} diff --git a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskEngine.java b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskEngine.java index 3f1838008ee5..6bddd20d4eba 100644 
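Review bot: The new `SecurityActions` in `org.infinispan.server.infinispan.task` is a `public final class` with a `public static GlobalComponentRegistry getGlobalComponentRegistry(Cache cache)`, so code outside the package can obtain the registry through `doPrivileged` and sidestep the ADMIN check this commit introduces. The callers visible in this patch (`DistributedServerTask`, `LocalServerTaskRunner`, `ServerTaskEngine`, `ServerTaskRegistryImpl`) are all in the same package, so both can be package-private: `final class SecurityActions {` and `static GlobalComponentRegistry getGlobalComponentRegistry(Cache cache) {`. The class also lacks a private constructor, and its Javadoc still names `org.infinispan.server.infinispan` instead of the `task` package. It should carry the "Do not move. Do not change class and method visibility" warning that the new `tx/operation/SecurityActions` has.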
--- a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskEngine.java +++ b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskEngine.java @@ -31,7 +31,7 @@ public class ServerTaskEngine implements TaskEngine { public ServerTaskEngine(ServerTaskRegistry manager, EmbeddedCacheManager cacheManager, ScriptConversions scriptConversions) { this.registry = manager; - this.globalAuthzHelper = cacheManager.getGlobalComponentRegistry().getComponent(AuthorizationHelper.class); + this.globalAuthzHelper = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(AuthorizationHelper.class); this.scriptConversions = scriptConversions; } diff --git a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskRegistryImpl.java b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskRegistryImpl.java index 72272b9d73ba..c1abb045fe77 100644 --- a/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskRegistryImpl.java +++ b/server/integration/infinispan/src/main/java/org/infinispan/server/infinispan/task/ServerTaskRegistryImpl.java @@ -28,7 +28,7 @@ public class ServerTaskRegistryImpl implements ServerTaskRegistry { @Inject public void init(TaskManager taskManager, EmbeddedCacheManager cacheManager) { - EncoderRegistry encoderRegistry = cacheManager.getGlobalComponentRegistry().getComponent(EncoderRegistry.class); + EncoderRegistry encoderRegistry = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(EncoderRegistry.class); ServerTaskEngine engine = new ServerTaskEngine(this, cacheManager, new ScriptConversions(encoderRegistry)); taskManager.registerTaskEngine(engine); } 
diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/AbstractCacheConfigurationService.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/AbstractCacheConfigurationService.java index 9a2c6e29ed1f..5160feb2268b 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/AbstractCacheConfigurationService.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/AbstractCacheConfigurationService.java @@ -25,7 +25,6 @@ import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.cache.ConfigurationBuilder; import org.infinispan.manager.EmbeddedCacheManager; -import org.infinispan.server.infinispan.SecurityActions; import org.jboss.as.clustering.infinispan.InfinispanMessages; import org.jboss.logging.Logger; import org.jboss.msc.service.Service; @@ -70,7 +69,7 @@ public void start(StartContext context) throws StartException { EmbeddedCacheManager container = this.getCacheContainer(); CacheMode mode = this.config.clustering().cacheMode(); - if (mode.isClustered() && (container.getCacheManagerConfiguration().transport().transport() == null)) { + if (mode.isClustered() && (SecurityActions.getCacheManagerConfiguration(container).transport().transport() == null)) { throw InfinispanMessages.MESSAGES.transportRequired(mode, this.name, container.getCacheManagerConfiguration().globalJmxStatistics().cacheManagerName()); } diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheAvailabilityAttributeHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheAvailabilityAttributeHandler.java index 4026cd50c818..6353a4e35913 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheAvailabilityAttributeHandler.java 
+++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheAvailabilityAttributeHandler.java @@ -26,7 +26,6 @@ import org.infinispan.Cache; import org.infinispan.factories.ComponentRegistry; import org.infinispan.partitionhandling.AvailabilityMode; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheServiceName; import org.infinispan.topology.LocalTopologyManager; import org.infinispan.topology.LocalTopologyManagerImpl; diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheCommands.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheCommands.java index bf9ce43c2c09..41fcb5dcacfa 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheCommands.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheCommands.java @@ -40,7 +40,6 @@ import org.infinispan.query.SearchManager; import org.infinispan.remoting.rpc.RpcManager; import org.infinispan.remoting.rpc.RpcManagerImpl; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.InfinispanSubsystem; import org.infinispan.server.infinispan.spi.service.CacheServiceName; import org.infinispan.topology.LocalTopologyManager; diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheConfigurationService.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheConfigurationService.java index 91d3e53f059b..7be681e6e839 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheConfigurationService.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheConfigurationService.java 
@@ -71,7 +71,9 @@ protected ConfigurationBuilder getConfigurationBuilder() { builder.read(configuration); builder.template(configuration.isTemplate()); - builder.jmxStatistics().enabled(this.dependencies.getCacheContainer().getCacheManagerConfiguration().globalJmxStatistics().enabled()); + boolean jmxEnabled = SecurityActions.getCacheManagerConfiguration(this.dependencies.getCacheContainer()) + .globalJmxStatistics().enabled(); + builder.jmxStatistics().enabled(jmxEnabled); TransactionManager tm = this.dependencies.getTransactionManager(); if (tm != null) { builder.transaction().transactionManagerLookup(new TransactionManagerProvider()); diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerBuilder.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerBuilder.java index e93b06be7994..3df0dfab2e90 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerBuilder.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerBuilder.java @@ -32,7 +32,6 @@ import org.infinispan.notifications.cachemanagerlistener.event.CacheStoppedEvent; import org.infinispan.registry.InternalCacheRegistry; import org.infinispan.server.commons.service.Builder; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.CacheContainer; import org.infinispan.server.infinispan.spi.service.CacheContainerServiceName; import org.infinispan.server.infinispan.task.ServerTaskRegistry; 
@@ -101,7 +100,7 @@ public CacheContainer getValue() { public void start(StartContext context) { GlobalConfiguration config = this.configuration.getValue(); this.container = new DefaultCacheContainer(config, this.defaultCache); - this.container.getGlobalComponentRegistry().registerComponent(this.serverTaskRegistry.getValue(), ServerTaskRegistry.class); + SecurityActions.getGlobalComponentRegistry(this.container).registerComponent(this.serverTaskRegistry.getValue(), ServerTaskRegistry.class); SecurityActions.registerAndStartContainer(this.container, this); InfinispanLogger.ROOT_LOGGER.cacheContainerStarted(this.name); } @@ -118,13 +117,13 @@ public void stop(StopContext context) { @CacheStarted public void cacheStarted(CacheStartedEvent event) { - if (!event.getCacheManager().getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class).isInternalCache(event.getCacheName())) + if (!SecurityActions.getGlobalComponentRegistry(event.getCacheManager()).getComponent(InternalCacheRegistry.class).isInternalCache(event.getCacheName())) InfinispanLogger.ROOT_LOGGER.cacheStarted(event.getCacheName(), this.name); } @CacheStopped public void cacheStopped(CacheStoppedEvent event) { - if (!event.getCacheManager().getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class).isInternalCache(event.getCacheName())) + if (!SecurityActions.getGlobalComponentRegistry(event.getCacheManager()).getComponent(InternalCacheRegistry.class).isInternalCache(event.getCacheName())) InfinispanLogger.ROOT_LOGGER.cacheStopped(event.getCacheName(), this.name); } } diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerCommands.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerCommands.java index 9e8781e2713a..06704c35e58c 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerCommands.java 
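Review bot: `cacheStarted` and `cacheStopped` in `CacheContainerBuilder` now carry the same long lookup, `SecurityActions.getGlobalComponentRegistry(event.getCacheManager()).getComponent(InternalCacheRegistry.class).isInternalCache(event.getCacheName())`, inside an unbraced `if`. A private helper such as `private static boolean isInternalCache(EmbeddedCacheManager manager, String cacheName)` would keep the lookup in one place, so a later change to how the registry is obtained cannot be applied to one listener and missed in the other. Braces around the logging call would also make the statement easier to read at this line length.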
+++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerCommands.java @@ -14,7 +14,6 @@ import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.scripting.ScriptingManager; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheContainerServiceName; import org.infinispan.tasks.Task; import org.infinispan.tasks.TaskContext; @@ -96,7 +95,7 @@ public BackupTakeSiteOfflineCommand() { protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) { final String siteNameParameter = CacheContainerResource.SITE_NAME.getName(); final ModelNode siteName = operation.require(siteNameParameter); - GlobalXSiteAdminOperations xsiteAdminOperations = cacheManager.getGlobalComponentRegistry().getComponent(GlobalXSiteAdminOperations.class); + GlobalXSiteAdminOperations xsiteAdminOperations = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(GlobalXSiteAdminOperations.class); return toOperationResult(xsiteAdminOperations.takeSiteOffline(siteName.asString())); } } @@ -112,7 +111,7 @@ public BackupBringSiteOnlineCommand() { protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) { final String siteNameParameter = CacheContainerResource.SITE_NAME.getName(); final ModelNode siteName = operation.require(siteNameParameter); - GlobalXSiteAdminOperations xsiteAdminOperations = cacheManager.getGlobalComponentRegistry().getComponent(GlobalXSiteAdminOperations.class); + GlobalXSiteAdminOperations xsiteAdminOperations = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(GlobalXSiteAdminOperations.class); return toOperationResult(xsiteAdminOperations.bringSiteOnline(siteName.asString())); } } 
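Review bot: The management commands in `CacheContainerCommands` now fetch the registry through `SecurityActions.getGlobalComponentRegistry(cacheManager)`, so the ADMIN requirement this commit adds to `getGlobalComponentRegistry` is presumably not evaluated against the caller. The helper's body is not in this part of the patch, so this assumes it performs the lookup in a privileged block. That leaves authorization for `BackupTakeSiteOfflineCommand` and `BackupBringSiteOnlineCommand` here, and for `TaskExecuteCommand`, `ScriptAddCommand` and `ScriptRemoveCommand` in the later hunks of this file, entirely with the management layer that dispatches `invokeCommand`. A comment at each call would record that, e.g. `// privileged lookup: caller authorization is enforced by the management operation, not by the cache manager`. The same applies to the `Interpreter` lookup in `CliInterpreterHandler`.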
@@ -128,7 +127,7 @@ public BackupPushStateCommand() { protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) { final String siteNameParameter = CacheContainerResource.SITE_NAME.getName(); final ModelNode siteName = operation.require(siteNameParameter); - GlobalXSiteAdminOperations xsiteAdminOperations = cacheManager.getGlobalComponentRegistry().getComponent(GlobalXSiteAdminOperations.class); + GlobalXSiteAdminOperations xsiteAdminOperations = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(GlobalXSiteAdminOperations.class); return toOperationResult(xsiteAdminOperations.pushState(siteName.asString())); } } @@ -144,7 +143,7 @@ public BackupCancelPushStateCommand() { protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) { final String siteNameParameter = CacheContainerResource.SITE_NAME.getName(); final ModelNode siteName = operation.require(siteNameParameter); - GlobalXSiteAdminOperations xsiteAdminOperations = cacheManager.getGlobalComponentRegistry().getComponent(GlobalXSiteAdminOperations.class); + GlobalXSiteAdminOperations xsiteAdminOperations = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(GlobalXSiteAdminOperations.class); return toOperationResult(xsiteAdminOperations.cancelPushState(siteName.asString())); } } @@ -192,7 +191,7 @@ public TaskListCommand() { @Override protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) { - TaskManager taskManager = cacheManager.getGlobalComponentRegistry().getComponent(TaskManager.class); + TaskManager taskManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(TaskManager.class); List tasks = taskManager.getTasks(); tasks.sort(Comparator.comparing(Task::getName)); final ModelNode result = new ModelNode().setEmptyList(); 
@@ -219,7 +218,7 @@ public TaskExecuteCommand() { protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) throws Exception { String taskName = CacheContainerResource.TASK_NAME.resolveModelAttribute(context, operation).asString(); boolean taskAsync = CacheContainerResource.TASK_ASYNC.resolveModelAttribute(context, operation).asBoolean(); - TaskManager taskManager = cacheManager.getGlobalComponentRegistry().getComponent(TaskManager.class); + TaskManager taskManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(TaskManager.class); TaskContext taskContext = new TaskContext(); ModelNode cacheNameNode = CacheContainerResource.TASK_CACHE_NAME.resolveModelAttribute(context, operation); if (cacheNameNode.isDefined()) { @@ -249,7 +248,7 @@ public TaskStatusCommand() { @Override protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) { - TaskManager taskManager = cacheManager.getGlobalComponentRegistry().getComponent(TaskManager.class); + TaskManager taskManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(TaskManager.class); List taskExecutions = taskManager.getCurrentTasks(); taskExecutions.sort(Comparator.comparing(TaskExecution::getStart)); final ModelNode result = new ModelNode().setEmptyList(); 
@@ -274,7 +273,7 @@ public ScriptAddCommand() { @Override protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) throws Exception { - ScriptingManager scriptManager = cacheManager.getGlobalComponentRegistry().getComponent(ScriptingManager.class); + ScriptingManager scriptManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ScriptingManager.class); String scriptName = CacheContainerResource.SCRIPT_NAME.resolveModelAttribute(context, operation).asString(); String scriptCode = CacheContainerResource.SCRIPT_CODE.resolveModelAttribute(context, operation).asString(); scriptManager.addScript(scriptName, scriptCode); @@ -291,7 +290,7 @@ public ScriptCatCommand() { @Override protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) throws Exception { - ScriptingManager scriptManager = cacheManager.getGlobalComponentRegistry().getComponent(ScriptingManager.class); + ScriptingManager scriptManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ScriptingManager.class); String scriptName = CacheContainerResource.SCRIPT_NAME.resolveModelAttribute(context, operation).asString(); String scriptCode = scriptManager.getScript(scriptName); return scriptCode != null ? new ModelNode().set(scriptCode) : null; @@ -307,7 +306,7 @@ public ScriptRemoveCommand() { @Override protected ModelNode invokeCommand(EmbeddedCacheManager cacheManager, OperationContext context, ModelNode operation) throws Exception { - ScriptingManager scriptManager = cacheManager.getGlobalComponentRegistry().getComponent(ScriptingManager.class); + ScriptingManager scriptManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ScriptingManager.class); String scriptName = CacheContainerResource.SCRIPT_NAME.resolveModelAttribute(context, operation).asString(); scriptManager.removeScript(scriptName); return null; 
diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerMetricsHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerMetricsHandler.java index d504d753ceb9..5ed1402baa39 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerMetricsHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheContainerMetricsHandler.java @@ -36,7 +36,6 @@ import org.infinispan.Version; import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.remoting.transport.Address; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheContainerServiceName; import org.infinispan.stats.CacheContainerStats; import org.infinispan.stats.ClusterContainerStats; @@ -180,7 +179,7 @@ protected void executeRuntimeStep(OperationContext context, ModelNode operation) context.getFailureDescription().set(String.format("Unavailable cache container %s", attrName)); } else { CacheContainerStats stats = cacheManager.getStats(); - ClusterContainerStats clusterContainerStats = cacheManager.getGlobalComponentRegistry().getComponent(ClusterContainerStats.class); + ClusterContainerStats clusterContainerStats = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ClusterContainerStats.class); switch (metric) { case CACHE_MANAGER_STATUS: result.set(SecurityActions.getCacheManagerStatus(cacheManager).toString()); diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheMetricsHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheMetricsHandler.java index 71ce64ae73a9..a9d72de7aa01 100644 
--- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheMetricsHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheMetricsHandler.java @@ -47,7 +47,6 @@ import org.infinispan.lifecycle.ComponentStatus; import org.infinispan.remoting.inboundhandler.BasePerCacheInboundInvocationHandler; import org.infinispan.remoting.rpc.RpcManagerImpl; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheServiceName; import org.infinispan.util.concurrent.locks.impl.DefaultLockManager; import org.infinispan.xsite.XSiteAdminOperations; diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalanceAttributeHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalanceAttributeHandler.java index d0291dbdea9e..60441b33aa76 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalanceAttributeHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalanceAttributeHandler.java @@ -25,7 +25,6 @@ import org.infinispan.Cache; import org.infinispan.factories.ComponentRegistry; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheServiceName; import org.infinispan.topology.LocalTopologyManager; import org.infinispan.topology.LocalTopologyManagerImpl; diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalancingStatusAttributeHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalancingStatusAttributeHandler.java index dd3fb136fb65..241d6e0dd737 100644 
--- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalancingStatusAttributeHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheRebalancingStatusAttributeHandler.java @@ -24,7 +24,6 @@ import org.infinispan.Cache; import org.infinispan.factories.ComponentRegistry; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheServiceName; import org.infinispan.statetransfer.StateTransferManager; import org.jboss.as.controller.AbstractRuntimeOnlyHandler; diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheService.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheService.java index 2d0e43b3635c..1b2477be1420 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheService.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CacheService.java @@ -26,10 +26,10 @@ import org.infinispan.Cache; import org.infinispan.conflict.EntryMergePolicyFactoryRegistry; +import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.persistence.factory.CacheStoreFactory; import org.infinispan.persistence.factory.CacheStoreFactoryRegistry; -import org.infinispan.server.infinispan.SecurityActions; import org.jboss.as.clustering.infinispan.conflict.DeployedMergePolicyFactory; import org.jboss.logging.Logger; import org.jboss.msc.service.Service; 
@@ -79,9 +79,10 @@ public Cache getValue() { public void start(StartContext context) { EmbeddedCacheManager container = this.dependencies.getCacheContainer(); - CacheStoreFactoryRegistry cacheStoreFactoryRegistry = container.getGlobalComponentRegistry().getComponent(CacheStoreFactoryRegistry.class); + GlobalComponentRegistry globalComponentRegistry = SecurityActions.getGlobalComponentRegistry(container); + CacheStoreFactoryRegistry cacheStoreFactoryRegistry = globalComponentRegistry.getComponent(CacheStoreFactoryRegistry.class); cacheStoreFactoryRegistry.addCacheStoreFactory(this.dependencies.getDeployedCacheStoreFactory()); - EntryMergePolicyFactoryRegistry mergePolicyRegistry = container.getGlobalComponentRegistry().getComponent(EntryMergePolicyFactoryRegistry.class); + EntryMergePolicyFactoryRegistry mergePolicyRegistry = globalComponentRegistry.getComponent(EntryMergePolicyFactoryRegistry.class); mergePolicyRegistry.addMergePolicyFactory(this.dependencies.getDeployedMergePolicyRegistry()); this.cache = SecurityActions.startCache(container, this.name, this.configurationName); diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CliInterpreterHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CliInterpreterHandler.java index b15e79fa843e..91621f3f89e1 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CliInterpreterHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CliInterpreterHandler.java 
@@ -30,7 +30,6 @@ import org.infinispan.cli.interpreter.Interpreter; import org.infinispan.cli.interpreter.result.ResultKeys; import org.infinispan.manager.EmbeddedCacheManager; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheContainerServiceName; import org.jboss.as.controller.OperationContext; import org.jboss.as.controller.OperationStepHandler; @@ -103,6 +102,6 @@ private Interpreter getInterpreter(OperationContext context, ModelNode operation return null; } - return cacheManager.getGlobalComponentRegistry().getComponent(Interpreter.class); + return SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(Interpreter.class); } } diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/ClusterRebalanceAttributeHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/ClusterRebalanceAttributeHandler.java index 95659849478d..bde6106fdea5 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/ClusterRebalanceAttributeHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/ClusterRebalanceAttributeHandler.java @@ -23,7 +23,6 @@ import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.VALUE; import org.infinispan.manager.EmbeddedCacheManager; -import org.infinispan.server.infinispan.SecurityActions; import org.infinispan.server.infinispan.spi.service.CacheContainerServiceName; import org.infinispan.topology.ClusterTopologyManager; import org.jboss.as.controller.AbstractRuntimeOnlyHandler; diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CounterResource.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CounterResource.java index 6c59d7ead5e7..392b9b8a8c72 100644 
--- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CounterResource.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/CounterResource.java @@ -10,7 +10,6 @@ import org.infinispan.counter.api.StrongCounter; import org.infinispan.counter.api.WeakCounter; import org.infinispan.manager.EmbeddedCacheManager; -import org.infinispan.server.infinispan.SecurityActions; import org.jboss.as.controller.AbstractAddStepHandler; import org.jboss.as.controller.AbstractRemoveStepHandler; import org.jboss.as.controller.AttributeDefinition; diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtoSchemaErrorsHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtoSchemaErrorsHandler.java index 281d504fe203..13da1c47c5a4 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtoSchemaErrorsHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtoSchemaErrorsHandler.java @@ -32,7 +32,7 @@ public void executeRuntimeStep(OperationContext context, ModelNode operation) th CacheContainerServiceName.CACHE_CONTAINER.getServiceName(cacheContainerName)); if (controller != null) { final EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) controller.getValue(); - final ProtobufMetadataManager protoManager = cacheManager.getGlobalComponentRegistry().getComponent(ProtobufMetadataManager.class); + final ProtobufMetadataManager protoManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ProtobufMetadataManager.class); if (protoManager != null) { try { 
diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaHandler.java index 6b01795307de..bb9ffbfbc9da 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaHandler.java @@ -32,7 +32,7 @@ public void executeRuntimeStep(OperationContext context, ModelNode operation) th CacheContainerServiceName.CACHE_CONTAINER.getServiceName(cacheContainerName)); if (controller != null) { final EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) controller.getValue(); - final ProtobufMetadataManager protoManager = cacheManager.getGlobalComponentRegistry().getComponent(ProtobufMetadataManager.class); + final ProtobufMetadataManager protoManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ProtobufMetadataManager.class); if (protoManager != null) { try { diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaNamesHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaNamesHandler.java index f1c930796e84..88115e57da5a 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaNamesHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemaNamesHandler.java 
@@ -34,7 +34,7 @@ public void executeRuntimeStep(OperationContext context, ModelNode operation) th CacheContainerServiceName.CACHE_CONTAINER.getServiceName(cacheContainerName)); if (controller != null) { final EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) controller.getValue(); - final ProtobufMetadataManager protoManager = cacheManager.getGlobalComponentRegistry().getComponent(ProtobufMetadataManager.class); + final ProtobufMetadataManager protoManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ProtobufMetadataManager.class); if (protoManager != null) { try { diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemasWithErrorsHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemasWithErrorsHandler.java index ec2a5fddd5ab..401544df5c14 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemasWithErrorsHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/GetProtobufSchemasWithErrorsHandler.java @@ -34,7 +34,7 @@ public void executeRuntimeStep(OperationContext context, ModelNode operation) th CacheContainerServiceName.CACHE_CONTAINER.getServiceName(cacheContainerName)); if (controller != null) { final EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) controller.getValue(); - final ProtobufMetadataManager protoManager = cacheManager.getGlobalComponentRegistry().getComponent(ProtobufMetadataManager.class); + final ProtobufMetadataManager protoManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ProtobufMetadataManager.class); if (protoManager != null) { try { 
diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/RegisterProtoSchemasOperationHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/RegisterProtoSchemasOperationHandler.java index a139309a3505..9d7cab9d3ae1 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/RegisterProtoSchemasOperationHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/RegisterProtoSchemasOperationHandler.java @@ -57,7 +57,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat if (controller != null) { EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) controller.getValue(); - ProtobufMetadataManager protoManager = cacheManager.getGlobalComponentRegistry().getComponent(ProtobufMetadataManager.class); + ProtobufMetadataManager protoManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ProtobufMetadataManager.class); if (protoManager != null) { try { String namesParameter = CacheContainerResource.PROTO_NAMES.getName(); diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/SecurityActions.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/SecurityActions.java new file mode 100644 index 000000000000..9a62172f4a4b --- /dev/null +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/SecurityActions.java 
@@ -0,0 +1,302 @@
+package org.jboss.as.clustering.infinispan.subsystem;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import org.infinispan.AdvancedCache;
+import org.infinispan.Cache;
+import org.infinispan.cli.interpreter.Interpreter;
+import org.infinispan.configuration.cache.Configuration;
+import org.infinispan.configuration.global.GlobalConfiguration;
+import org.infinispan.counter.EmbeddedCounterManagerFactory;
+import org.infinispan.counter.api.CounterManager;
+import org.infinispan.factories.ComponentRegistry;
+import org.infinispan.factories.GlobalComponentRegistry;
+import org.infinispan.interceptors.AsyncInterceptor;
+import org.infinispan.interceptors.base.CommandInterceptor;
+import org.infinispan.jmx.JmxStatisticsExposer;
+import org.infinispan.lifecycle.ComponentStatus;
+import org.infinispan.manager.EmbeddedCacheManager;
+import org.infinispan.query.SearchManager;
+import org.infinispan.remoting.rpc.RpcManager;
+import org.infinispan.remoting.transport.Address;
+import org.infinispan.security.Security;
+import org.infinispan.security.actions.GetCacheComponentRegistryAction;
+import org.infinispan.security.actions.GetCacheInterceptorChainAction;
+import org.infinispan.security.actions.GetCacheLockManagerAction;
+import org.infinispan.security.actions.GetCacheManagerAddress;
+import org.infinispan.security.actions.GetCacheManagerClusterAvailabilityAction;
+import org.infinispan.security.actions.GetCacheManagerClusterNameAction;
+import org.infinispan.security.actions.GetCacheManagerConfigurationAction;
+import org.infinispan.security.actions.GetCacheManagerCoordinatorAddress;
+import org.infinispan.security.actions.GetCacheManagerIsCoordinatorAction;
+import org.infinispan.security.actions.GetCacheManagerStatusAction;
+import org.infinispan.security.actions.GetCacheRpcManagerAction;
+import org.infinispan.security.actions.GetCacheStatusAction;
+import org.infinispan.security.actions.GetGlobalComponentRegistryAction;
+import org.infinispan.server.infinispan.actions.ClearCacheAction;
+import org.infinispan.server.infinispan.actions.FlushCacheAction;
+import org.infinispan.server.infinispan.actions.GetCacheVersionAction;
+import org.infinispan.server.infinispan.actions.GetCreatedCacheCountAction;
+import org.infinispan.server.infinispan.actions.GetDefinedCacheCountAction;
+import org.infinispan.server.infinispan.actions.GetDefinedCacheNamesAction;
+import org.infinispan.server.infinispan.actions.GetMembersAction;
+import org.infinispan.server.infinispan.actions.GetRunningCacheCountAction;
+import org.infinispan.server.infinispan.actions.GetSearchManagerAction;
+import org.infinispan.server.infinispan.actions.GetSitesViewAction;
+import org.infinispan.server.infinispan.actions.ResetComponentJmxStatisticsAction;
+import org.infinispan.server.infinispan.actions.ResetInterceptorJmxStatisticsAction;
+import org.infinispan.server.infinispan.actions.StartCacheAction;
+import org.infinispan.server.infinispan.actions.StopCacheAction;
+import org.infinispan.util.concurrent.locks.LockManager;
+import org.jboss.as.clustering.infinispan.DefaultCacheContainer;
+
+/**
+ * SecurityActions for the org.jboss.as.clustering.infinispan.subsystem package.
+ *

+ * Do not move. Do not change class and method visibility to avoid being called from other
+ * {@link java.security.CodeSource}s, thus granting privilege escalation to external code.
+ *
+ * @author Dan Berindei
+ * @since 10.0
+ */
+final class SecurityActions {
+
+ private SecurityActions() {
+ }
+
+ private static T doPrivileged(PrivilegedAction action) {
+ return System.getSecurityManager() != null ?
+ AccessController.doPrivileged(action) : Security.doPrivileged(action);
+ }
+
+ private static T doPrivileged(PrivilegedExceptionAction action) throws PrivilegedActionException {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return Security.doPrivileged(action);
+ }
+ }
+
+ static ComponentRegistry getComponentRegistry(final AdvancedCache cache) {
+ GetCacheComponentRegistryAction action = new GetCacheComponentRegistryAction(cache);
+ return doPrivileged(action);
+ }
+
+ static void registerAndStartContainer(final EmbeddedCacheManager container, final Object listener) {
+ PrivilegedAction action = () -> {
+ container.addListener(listener);
+ container.start();
+ return null;
+ };
+ doPrivileged(action);
+ }
+
+ static boolean stopAndUnregisterContainer(final EmbeddedCacheManager container, final Object listener) {
+ PrivilegedAction action = () -> {
+ if (container.getStatus().allowInvocations()) {
+ container.removeListener(listener);
+ container.stop();
+ return true;
+ } else {
+ return false;
+ }
+ };
+ return doPrivileged(action);
+ }
+
+ static void defineContainerConfiguration(final EmbeddedCacheManager container, final String name,
+ final Configuration config) {
+ PrivilegedAction action = () -> {
+ container.defineConfiguration(name, config);
+ return null;
+ };
+ doPrivileged(action);
+ }
+
+ static void undefineContainerConfiguration(final EmbeddedCacheManager container, final String name) {
+ PrivilegedAction action = () -> {
+ container.undefineConfiguration(name);
+ return null;
+ };
+
doPrivileged(action);
+ }
+
+ static Cache startCache(final EmbeddedCacheManager container, final String name, final String configurationName) {
+ PrivilegedAction> action = () -> {
+ Cache cache = container.getCache(name, configurationName);
+ cache.start();
+ return cache;
+ };
+ return doPrivileged(action);
+ }
+
+ static void stopCache(final Cache cache) {
+ PrivilegedAction action = () -> {
+ cache.stop();
+ return null;
+ };
+ doPrivileged(action);
+ }
+
+ static void shutdownCache(final Cache cache) {
+ PrivilegedAction action = () -> {
+ cache.shutdown();
+ return null;
+ };
+ doPrivileged(action);
+ }
+
+ static LockManager getLockManager(final AdvancedCache cache) {
+ GetCacheLockManagerAction action = new GetCacheLockManagerAction(cache);
+ return doPrivileged(action);
+ }
+
+ static List getInterceptorChain(final AdvancedCache cache) {
+ GetCacheInterceptorChainAction action = new GetCacheInterceptorChainAction(cache);
+ return doPrivileged(action);
+ }
+
+ static RpcManager getRpcManager(final AdvancedCache cache) {
+ GetCacheRpcManagerAction action = new GetCacheRpcManagerAction(cache);
+ return doPrivileged(action);
+ }
+
+ static ComponentStatus getCacheStatus(AdvancedCache cache) {
+ GetCacheStatusAction action = new GetCacheStatusAction(cache);
+ return doPrivileged(action);
+ }
+
+ static String getCacheVersion(AdvancedCache cache) {
+ GetCacheVersionAction action = new GetCacheVersionAction(cache);
+ return doPrivileged(action);
+ }
+
+ static ComponentStatus getCacheManagerStatus(EmbeddedCacheManager cacheManager) {
+ GetCacheManagerStatusAction action = new GetCacheManagerStatusAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static Address getCacheManagerLocalAddress(DefaultCacheContainer cacheManager) {
+ GetCacheManagerAddress action = new GetCacheManagerAddress(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static Address getCacheManagerCoordinatorAddress(DefaultCacheContainer cacheManager) {
+
GetCacheManagerCoordinatorAddress action = new GetCacheManagerCoordinatorAddress(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static boolean getCacheManagerIsCoordinator(DefaultCacheContainer cacheManager) {
+ GetCacheManagerIsCoordinatorAction action = new GetCacheManagerIsCoordinatorAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static String getCacheManagerClusterName(DefaultCacheContainer cacheManager) {
+ GetCacheManagerClusterNameAction action = new GetCacheManagerClusterNameAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static String getCacheManagerClusterAvailability(DefaultCacheContainer cacheManager) {
+ GetCacheManagerClusterAvailabilityAction action = new GetCacheManagerClusterAvailabilityAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static String getDefinedCacheNames(DefaultCacheContainer cacheManager) {
+ GetDefinedCacheNamesAction action = new GetDefinedCacheNamesAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static String getCacheCreatedCount(DefaultCacheContainer cacheManager) {
+ GetCreatedCacheCountAction action = new GetCreatedCacheCountAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static String getDefinedCacheCount(DefaultCacheContainer cacheManager) {
+ GetDefinedCacheCountAction action = new GetDefinedCacheCountAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static String getRunningCacheCount(DefaultCacheContainer cacheManager) {
+ GetRunningCacheCountAction action = new GetRunningCacheCountAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static List

getMembers(DefaultCacheContainer cacheManager) {
+ GetMembersAction action = new GetMembersAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static Void clearCache(AdvancedCache cache) {
+ ClearCacheAction action = new ClearCacheAction(cache);
+ doPrivileged(action);
+ return null;
+ }
+
+ static Void flushCache(AdvancedCache cache) {
+ FlushCacheAction action = new FlushCacheAction(cache);
+ doPrivileged(action);
+ return null;
+ }
+
+ static Void stopCache(AdvancedCache cache) {
+ StopCacheAction action = new StopCacheAction(cache);
+ doPrivileged(action);
+ return null;
+ }
+
+ static Void startCache(AdvancedCache cache) {
+ StartCacheAction action = new StartCacheAction(cache);
+ doPrivileged(action);
+ return null;
+ }
+
+ static Void resetStatistics(AdvancedCache cache,
+ Class jmxClass) {
+ PrivilegedAction action;
+ if (jmxClass.isAssignableFrom(CommandInterceptor.class)) {
+ action = new ResetInterceptorJmxStatisticsAction(cache, jmxClass);
+ } else {
+ action = new ResetComponentJmxStatisticsAction(cache, jmxClass);
+ }
+ doPrivileged(action);
+ return null;
+ }
+
+ static Map executeInterpreter(final Interpreter interpreter, final String sessionId,
+ final String command) throws Exception {
+ PrivilegedExceptionAction> action = () -> interpreter.execute(sessionId, command);
+ return doPrivileged(action);
+ }
+
+ static SearchManager getSearchManager(AdvancedCache cache) {
+ GetSearchManagerAction action = new GetSearchManagerAction(cache);
+ return doPrivileged(action);
+ }
+
+ static GlobalComponentRegistry getGlobalComponentRegistry(final EmbeddedCacheManager cacheManager) {
+ GetGlobalComponentRegistryAction action = new GetGlobalComponentRegistryAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static GlobalConfiguration getCacheManagerConfiguration(EmbeddedCacheManager cacheManager) {
+ GetCacheManagerConfigurationAction action = new GetCacheManagerConfigurationAction(cacheManager);
+ return doPrivileged(action);
+ }
+
+ static
Set getSitesView(DefaultCacheContainer cacheManager) { + GetSitesViewAction action = new GetSitesViewAction(cacheManager); + return doPrivileged(action); + } + + static Optional findCounterManager(EmbeddedCacheManager cacheManager) { + return Optional.ofNullable(doPrivileged((PrivilegedAction) () -> EmbeddedCounterManagerFactory + .asCounterManager(cacheManager))); + } +} diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UnregisterProtoSchemasOperationHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UnregisterProtoSchemasOperationHandler.java index 53daeab80989..c74056320930 100644 --- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UnregisterProtoSchemasOperationHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UnregisterProtoSchemasOperationHandler.java @@ -32,7 +32,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat CacheContainerServiceName.CACHE_CONTAINER.getServiceName(cacheContainerName)); if (controller != null) { final EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) controller.getValue(); - final ProtobufMetadataManager protoManager = cacheManager.getGlobalComponentRegistry().getComponent(ProtobufMetadataManager.class); + final ProtobufMetadataManager protoManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ProtobufMetadataManager.class); if (protoManager != null) { try { ModelNode names = operation.require(CacheContainerResource.PROTO_NAMES.getName()); diff --git a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UploadProtoFileOperationHandler.java b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UploadProtoFileOperationHandler.java index 5fd0ea73e577..50724e708d9c 100644 
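Review bot: In `resetStatistics` of the new subsystem `SecurityActions`, the type test reads backwards. `jmxClass.isAssignableFrom(CommandInterceptor.class)` is true only when `jmxClass` is `CommandInterceptor` itself or one of its supertypes, so a concrete statistics interceptor class would fall through to `ResetComponentJmxStatisticsAction`. If the intent is "jmxClass is an interceptor type", the condition should be `if (CommandInterceptor.class.isAssignableFrom(jmxClass)) {`. What the two actions do with the class is not visible here, so the effect is worth pinning with a test. Separately, the class comment could state that every helper here, including the mutating ones such as `executeInterpreter`, `clearCache` and `defineContainerConfiguration`, runs privileged regardless of the caller's Infinispan permissions, so callers must have authorized the request first.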
--- a/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UploadProtoFileOperationHandler.java +++ b/server/integration/infinispan/src/main/java/org/jboss/as/clustering/infinispan/subsystem/UploadProtoFileOperationHandler.java @@ -60,7 +60,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat if (controller != null) { EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) controller.getValue(); - ProtobufMetadataManager protoManager = cacheManager.getGlobalComponentRegistry().getComponent(ProtobufMetadataManager.class); + ProtobufMetadataManager protoManager = SecurityActions.getGlobalComponentRegistry(cacheManager).getComponent(ProtobufMetadataManager.class); if (protoManager != null) { try { List descriptorsNames = names.asList(); diff --git a/server/rest/src/main/java/org/infinispan/rest/RestServer.java b/server/rest/src/main/java/org/infinispan/rest/RestServer.java index 3ccd875044fd..3891b5286def 100644 --- a/server/rest/src/main/java/org/infinispan/rest/RestServer.java +++ b/server/rest/src/main/java/org/infinispan/rest/RestServer.java @@ -83,8 +83,10 @@ public void setAuthenticator(Authenticator authenticator) { @Override public void stop() { + if (restCacheManager != null) { + restCacheManager.stop(); + } super.stop(); - restCacheManager.stop(); } @Override diff --git a/server/rest/src/main/java/org/infinispan/rest/cachemanager/RestCacheManager.java b/server/rest/src/main/java/org/infinispan/rest/cachemanager/RestCacheManager.java index 84c315c416a6..4633c135f7d5 100644 --- a/server/rest/src/main/java/org/infinispan/rest/cachemanager/RestCacheManager.java +++ b/server/rest/src/main/java/org/infinispan/rest/cachemanager/RestCacheManager.java 
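Review bot: In `RestServer.stop()` the new order runs `restCacheManager.stop()` before `super.stop()` with nothing guarding the latter, so an exception from the cache-manager wrapper would skip the server's own shutdown. Wrapping the call as `try { if (restCacheManager != null) restCacheManager.stop(); } finally { super.stop(); }` ensures that whatever `super.stop()` releases is still released. What `super.stop()` tears down is not visible in the hunk; if it closes the listening endpoint, it is also worth confirming that requests still in flight tolerate an already-stopped `restCacheManager`.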
@@ -46,7 +46,7 @@ public class RestCacheManager { public RestCacheManager(EmbeddedCacheManager instance, Predicate isCacheIgnored) { this.instance = instance; this.isCacheIgnored = isCacheIgnored; - this.icr = instance.getGlobalComponentRegistry().getComponent(InternalCacheRegistry.class); + this.icr = SecurityActions.getGlobalComponentRegistry(instance).getComponent(InternalCacheRegistry.class); this.allowInternalCacheAccess = instance.getCacheManagerConfiguration().security().authorization().enabled(); removeCacheListener = new RemoveCacheListener(); SecurityActions.addListener(instance, removeCacheListener); diff --git a/server/rest/src/main/java/org/infinispan/rest/cachemanager/SecurityActions.java b/server/rest/src/main/java/org/infinispan/rest/cachemanager/SecurityActions.java index 4c99002ad3d5..5d7e1a353c5d 100644 --- a/server/rest/src/main/java/org/infinispan/rest/cachemanager/SecurityActions.java +++ b/server/rest/src/main/java/org/infinispan/rest/cachemanager/SecurityActions.java @@ -9,6 +9,7 @@ import org.infinispan.container.entries.CacheEntry; import org.infinispan.distribution.DistributionManager; import org.infinispan.factories.ComponentRegistry; +import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.notifications.Listenable; import org.infinispan.security.Security; @@ -17,6 +18,7 @@ import org.infinispan.security.actions.GetCacheConfigurationAction; import org.infinispan.security.actions.GetCacheDistributionManagerAction; import org.infinispan.security.actions.GetCacheEntryAction; +import org.infinispan.security.actions.GetGlobalComponentRegistryAction; import org.infinispan.security.actions.RemoveListenerAction; /** 
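Review bot: The line after the changed one in the `RestCacheManager` constructor still calls `instance.getCacheManagerConfiguration()` directly, although the commit description says this getter now requires ADMIN permission as well. Only the registry lookup was moved behind `SecurityActions`. Unless every construction site already runs privileged (not visible here), the constructor can fail the permission check when authorization is enabled. A package-private helper wrapping `GetCacheManagerConfigurationAction`, mirroring the `getGlobalComponentRegistry` helper this commit adds to the same package, would close the gap: `this.allowInternalCacheAccess = SecurityActions.getCacheManagerConfiguration(instance).security().authorization().enabled();`.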
@@ -63,4 +65,7 @@ static Configuration getCacheConfiguration(final AdvancedCache cache) { GetCacheConfigurationAction action = new GetCacheConfigurationAction(cache); return doPrivileged(action); } + static GlobalComponentRegistry getGlobalComponentRegistry(EmbeddedCacheManager cacheManager) { + return doPrivileged(new GetGlobalComponentRegistryAction(cacheManager)); + } } diff --git a/tasks/api/src/main/java/org/infinispan/tasks/SecurityActions.java b/tasks/api/src/main/java/org/infinispan/tasks/SecurityActions.java deleted file mode 100644 index b5319e1b4a18..000000000000 --- a/tasks/api/src/main/java/org/infinispan/tasks/SecurityActions.java +++ /dev/null @@ -1,31 +0,0 @@ -package org.infinispan.tasks; - -import java.security.AccessController; -import java.security.PrivilegedAction; - -import org.infinispan.AdvancedCache; -import org.infinispan.configuration.cache.Configuration; -import org.infinispan.security.Security; - - -/** - * SecurityActions for the org.infinispan.tasks package. - * - * Do not move. Do not change class and method visibility to avoid being called from other - * {@link java.security.CodeSource}s, thus granting privilege escalation to external code. - * - * @since 9.2 - */ -final class SecurityActions { - private static T doPrivileged(PrivilegedAction action) { - if (System.getSecurityManager() != null) { - return AccessController.doPrivileged(action); - } else { - return Security.doPrivileged(action); - } - } - - static Configuration getCacheConfiguration(final AdvancedCache cache) { - return doPrivileged(cache::getCacheConfiguration); - } -} diff --git a/tasks/manager/src/main/java/org/infinispan/tasks/impl/TaskManagerImpl.java b/tasks/manager/src/main/java/org/infinispan/tasks/impl/TaskManagerImpl.java index 58b6053698c4..70256408d6e7 100644 --- a/tasks/manager/src/main/java/org/infinispan/tasks/impl/TaskManagerImpl.java +++ b/tasks/manager/src/main/java/org/infinispan/tasks/impl/TaskManagerImpl.java 
@@ -11,9 +11,9 @@ import java.util.concurrent.CompletableFuture; import java.util.concurrent.ConcurrentMap; import java.util.concurrent.ExecutorService; - import javax.security.auth.Subject; +import org.infinispan.commons.time.TimeService; import org.infinispan.commons.util.CollectionFactory; import org.infinispan.factories.KnownComponentNames; import org.infinispan.factories.annotations.ComponentName; @@ -30,7 +30,6 @@ import org.infinispan.tasks.TaskManager; import org.infinispan.tasks.logging.Log; import org.infinispan.tasks.spi.TaskEngine; -import org.infinispan.commons.time.TimeService; import org.infinispan.util.logging.LogFactory; import org.infinispan.util.logging.events.EventLogCategory; import org.infinispan.util.logging.events.EventLogManager; @@ -50,6 +49,7 @@ public class TaskManagerImpl implements TaskManager { @Inject private TimeService timeService; @Inject @ComponentName(KnownComponentNames.ASYNC_OPERATIONS_EXECUTOR) private ExecutorService asyncExecutor; + @Inject private EventLogManager eventLogManager; private List engines; private ConcurrentMap runningTasks; @@ -94,7 +94,7 @@ public CompletableFuture runTask(String name, TaskContext context) { CompletableFuture task = engine.runTask(name, context, asyncExecutor); return task.whenComplete((r, e) -> { if (context.isLogEvent()) { - EventLogger eventLog = EventLogManager.getEventLogger(cacheManager).scope(cacheManager.getAddress()); + EventLogger eventLog = eventLogManager.getEventLogger().scope(cacheManager.getAddress()); who.ifPresent(eventLog::who); context.getCache().ifPresent(eventLog::context); if (e != null) { diff --git a/tasks/scripting/src/main/java/org/infinispan/scripting/impl/ScriptingManagerImpl.java b/tasks/scripting/src/main/java/org/infinispan/scripting/impl/ScriptingManagerImpl.java index 0f943609d615..bd0a743d81e1 100644 --- a/tasks/scripting/src/main/java/org/infinispan/scripting/impl/ScriptingManagerImpl.java 
+++ b/tasks/scripting/src/main/java/org/infinispan/scripting/impl/ScriptingManagerImpl.java @@ -9,7 +9,6 @@ import java.util.concurrent.ConcurrentMap; import java.util.function.BiFunction; import java.util.function.Function; - import javax.script.Bindings; import javax.script.Compilable; import javax.script.CompiledScript; @@ -63,6 +62,10 @@ public class ScriptingManagerImpl implements ScriptingManager { private InternalCacheRegistry internalCacheRegistry; @Inject private EncoderRegistry encoderRegistry; + @Inject + private GlobalConfiguration globalConfiguration; + @Inject + private AuthorizationHelper globalAuthzHelper; private ScriptEngineManager scriptEngineManager; private ConcurrentMap scriptEnginesByExtension = CollectionFactory.makeConcurrentMap(2); @@ -70,7 +73,6 @@ public class ScriptingManagerImpl implements ScriptingManager { private Cache scriptCache; private ScriptConversions scriptConversions; ConcurrentMap compiledScripts = CollectionFactory.makeConcurrentMap(); - private AuthorizationHelper globalAuthzHelper; private final Function getEngineByName = this::getEngineByName; private final Function getEngineByExtension = this::getEngineByExtension; @@ -95,8 +97,6 @@ Cache getScriptCache() { } private ConfigurationBuilder getScriptCacheConfiguration() { - GlobalConfiguration globalConfiguration = cacheManager.getGlobalComponentRegistry().getGlobalConfiguration(); - ConfigurationBuilder cfg = new ConfigurationBuilder(); cfg.encoding().key().mediaType(APPLICATION_OBJECT_TYPE); cfg.encoding().value().mediaType(APPLICATION_OBJECT_TYPE); 
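Review bot: The `@Inject private AuthorizationHelper globalAuthzHelper;` field in `ScriptingManagerImpl` changes when the helper is non-null. Before, it was assigned only inside the `authorization().enabled()` branch of `getScriptCacheConfiguration()` (the assignment removed in the `@@ -104,7 +104,6 @@` hunk), so it stayed null with authorization off. Any code in this class that treats `globalAuthzHelper != null` as "authorization is enabled" (none is visible in these hunks) would now run permission checks in unsecured deployments, and injection might fail if the helper is not registered there. Guarding such code on `globalConfiguration.security().authorization().enabled()` keeps the decision explicit, and a field comment such as `// always injected; consult globalConfiguration to see whether authorization is enabled` would document it.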
@@ -104,7 +104,6 @@ private ConfigurationBuilder getScriptCacheConfiguration() { if (globalConfiguration.security().authorization().enabled()) { globalConfiguration.security().authorization().roles().put(SCRIPT_MANAGER_ROLE, new CacheRoleImpl(SCRIPT_MANAGER_ROLE, AuthorizationPermission.ALL)); cfg.security().authorization().enable().role(SCRIPT_MANAGER_ROLE); - globalAuthzHelper = cacheManager.getGlobalComponentRegistry().getComponent(AuthorizationHelper.class); } return cfg; } diff --git a/tasks/scripting/src/main/java/org/infinispan/scripting/impl/SecurityActions.java b/tasks/scripting/src/main/java/org/infinispan/scripting/impl/SecurityActions.java index 2a8f3539270b..c4ae5efc84b1 100644 --- a/tasks/scripting/src/main/java/org/infinispan/scripting/impl/SecurityActions.java +++ b/tasks/scripting/src/main/java/org/infinispan/scripting/impl/SecurityActions.java @@ -5,14 +5,12 @@ import org.infinispan.AdvancedCache; import org.infinispan.Cache; -import org.infinispan.configuration.cache.Configuration; import org.infinispan.container.entries.CacheEntry; import org.infinispan.factories.GlobalComponentRegistry; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.security.AuthorizationManager; import org.infinispan.security.Security; import org.infinispan.security.actions.GetCacheAuthorizationManagerAction; -import org.infinispan.security.actions.GetCacheConfigurationAction; import org.infinispan.security.actions.GetCacheEntryAction; import org.infinispan.security.actions.GetGlobalComponentRegistryAction; import org.infinispan.security.impl.SecureCacheImpl; 
@@ -45,11 +43,6 @@ static AuthorizationManager getAuthorizationManager(final AdvancedCache ca return doPrivileged(action); } - static Configuration getCacheConfiguration(final Cache cache) { - GetCacheConfigurationAction action = new GetCacheConfigurationAction(cache.getAdvancedCache()); - return doPrivileged(action); - } - static CacheEntry getCacheEntry(final AdvancedCache cache, K key) { GetCacheEntryAction action = new GetCacheEntryAction(cache, key); return doPrivileged(action); diff --git a/tasks/scripting/src/test/java/org/infinispan/scripting/utils/ScriptingUtils.java b/tasks/scripting/src/test/java/org/infinispan/scripting/utils/ScriptingUtils.java index 4bacaba16847..466fcc6e40e5 100644 --- a/tasks/scripting/src/test/java/org/infinispan/scripting/utils/ScriptingUtils.java +++ b/tasks/scripting/src/test/java/org/infinispan/scripting/utils/ScriptingUtils.java @@ -4,11 +4,13 @@ import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.security.PrivilegedAction; import java.util.stream.Collectors; import org.infinispan.commons.api.BasicCache; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.scripting.ScriptingManager; +import org.infinispan.security.Security; import org.infinispan.test.TestingUtil; /** @@ -17,7 +19,9 @@ public class ScriptingUtils { public static ScriptingManager getScriptingManager(EmbeddedCacheManager manager) { - return manager.getGlobalComponentRegistry().getComponent(ScriptingManager.class); + return Security.doPrivileged((PrivilegedAction) () -> { + return manager.getGlobalComponentRegistry().getComponent(ScriptingManager.class); + }); } public static void loadData(BasicCache cache, String fileName) throws IOException { diff --git a/tools/src/test/java/org/infinispan/tools/store/migrator/rocksdb/RocksDBReaderTest.java b/tools/src/test/java/org/infinispan/tools/store/migrator/rocksdb/RocksDBReaderTest.java index 4f517f8581cb..8dfeb518fccf 100644 
--- a/tools/src/test/java/org/infinispan/tools/store/migrator/rocksdb/RocksDBReaderTest.java +++ b/tools/src/test/java/org/infinispan/tools/store/migrator/rocksdb/RocksDBReaderTest.java @@ -21,7 +21,7 @@ public class RocksDBReaderTest extends AbstractReaderTest { private static final String SOURCE_DIR = "target/test-classes/leveldbstore/"; private String getTargetDirectory() { - return SOURCE_DIR + "/rocksdbstore-" + segmentCount + "/"; + return SOURCE_DIR + "rocksdbstore-" + segmentCount + "/"; } @Factory