SAML 4.3.0 addition persmission (#2987)

* SAML 4.3.0 addition persmission Added addition permissions for new version of SAML. Signed-off-by: Andrey Pleskach <ples@aiven.io> * Fix log4j version Signed-off-by: Andrey Pleskach <ples@aiven.io> --------- Signed-off-by: Andrey Pleskach <ples@aiven.io>
opensearch-project · Jul 11, 2023 · df07bea · df07bea
1 parent e5348eb
commit df07bea
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 13 deletions.
diff --git a/build.gradle b/build.gradle
@@ -548,7 +548,7 @@ dependencies {
     runtimeOnly 'org.lz4:lz4-java:1.8.0'
     runtimeOnly 'io.dropwizard.metrics:metrics-core:3.1.2'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.30'
-    runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1'
+    runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.1'
     runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1'
     runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
@@ -570,7 +570,7 @@ dependencies {
     testImplementation "org.opensearch.plugin:lang-mustache-client:${opensearch_version}"
     testImplementation "org.opensearch.plugin:parent-join-client:${opensearch_version}"
     testImplementation "org.opensearch.plugin:aggs-matrix-stats-client:${opensearch_version}"
-    testImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
+    testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
     testImplementation 'javax.servlet:servlet-api:2.5'
     testImplementation 'com.unboundid:unboundid-ldapsdk:4.0.9'
     testImplementation 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
@@ -618,8 +618,8 @@ dependencies {
     integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
     integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}"
     integrationTestImplementation 'commons-io:commons-io:2.11.0'
-    integrationTestImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
-    integrationTestImplementation 'org.apache.logging.log4j:log4j-jul:2.17.1'
+    integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
+    integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
     integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
     integrationTestImplementation "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
     integrationTestImplementation "org.bouncycastle:bcutil-jdk15to18:${versions.bouncycastle}"

diff --git a/plugin-security.policy b/plugin-security.policy
@@ -60,7 +60,6 @@ grant {
   permission java.security.SecurityPermission "putProviderProperty.BC";
   permission java.security.SecurityPermission "insertProvider.BC";
   permission java.security.SecurityPermission "removeProviderProperty.BC";
-  permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
 
   permission java.lang.RuntimePermission "accessUserInformation";
 
@@ -74,6 +73,10 @@ grant {
 
   //Enable this permission to debug unauthorized de-serialization attempt
   //permission java.io.SerializablePermission "enableSubstitution";
+
+  //SAML policy
+  permission java.util.PropertyPermission "*", "read,write";
+  permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread";
 };
 
 grant codeBase "${codebase.netty-common}" {

diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
@@ -29,6 +29,8 @@
 
 import java.net.InetAddress;
 import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
@@ -44,6 +46,7 @@
 import com.google.common.collect.Multimap;
 import com.google.common.collect.Multimaps;
 
+import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.security.auth.AuthDomain;
@@ -396,14 +399,11 @@ private void destroyDestroyables(List<Destroyable> destroyableComponents) {
     }
 
     private <T> T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) {
-
-        String clazz = clazzOrShortcut;
-
-        if (authImplMap.containsKey(clazz + "_" + type)) {
-            clazz = authImplMap.get(clazz + "_" + type);
-        }
-
-        return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
+        final String clazz = authImplMap.computeIfAbsent(clazzOrShortcut + "_" + type, k -> clazzOrShortcut);
+        return AccessController.doPrivileged((PrivilegedAction<T>) () -> {
+            SpecialPermission.check();
+            return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
+        });
     }
 
     private String translateShortcutToClassName(final String clazzOrShortcut, final String type) {