SAML 4.3.0 addition persmission

[willyborankin]

Description

Added addition permissions for new version of SAML in the policy file.

  permission java.util.PropertyPermission "*" "read,write";
  permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread";

Issues Resolved

[List any issues this PR will resolve]

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Merging #2987 (87e5e2d) into main (e5348eb) will decrease coverage by 2.02%.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##               main    #2987      +/-   ##
============================================
- Coverage     62.47%   60.45%   -2.02%     
+ Complexity     3380     3294      -86     
============================================
  Files           267      267              
  Lines         19772    19772              
  Branches       3356     3355       -1     
============================================
- Hits          12352    11954     -398     
- Misses         5780     6188     +408     
+ Partials       1640     1630      -10     

Impacted Files	Coverage Δ
...ch/security/securityconf/DynamicConfigModelV7.java	65.14% <100.00%> (ø)

... and 25 files with indirect coverage changes

[reta]

Hm ... could we enumerate the properties that needs to be accessed instead? And why the write is needed?

[willyborankin]

mmm no. It is up to the library which permissions it wants to use and how AFAIU :-( this permission is about access to OpenSAML XML mapping objects... I took a look in the code of OpenSAML so I do not think that this is critical.

[cwperks]

@willyborankin I approved this PR to fix the CI issues in security-dashboards-plugin, but I agree that it would be nice to have a test to prove that this change fixes the issue in this repo. Should we wait to backport the SAML bump to 2.x until automated tests to verify the upgrade are developed?

[cwperks]

FYI The issue is reproducible by trying to call on the API to update the config directly and trying to add a SAML Authenticator: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/test/jest_integration/saml_auth.test.ts#L159-L175

[willyborankin]

@willyborankin I approved this PR to fix the CI issues in security-dashboards-plugin, but I agree that it would be nice to have a test to prove that this change fixes the issue in this repo. Should we wait to backport the SAML bump to 2.x until automated tests to verify the upgrade are developed?

This is good question. I'm thinking about https://testcontainers.com/ so we can test both SAML and real OpenSearch together just to verify that simple integration works but it will take sometime. Alternative is to to enable SecurityManager for our local/integration tests but it needs investigation as well.

[willyborankin]

@cwperks nd @reta btw CodeQL complains abut log4j2 version 2.20 vs 2.17. I will fix it in this PR as well in four of OpenSearch versions.*.

[reta]

@cwperks nd @reta btw CodeQL complains abut log4j2 version 2.20 vs 2.17. I will fix it in this PR as well in four of OpenSearch versions.*.

The change change went into main

[reta]

Why is this one?

[reta]

    permission java.lang.RuntimePermission "modifyThread";

Should be sufficient

[cwperks]

Testing this out to confirm

[willyborankin]

Created an issue for investigation #2989

[cwperks]

@reta That permission did not work for me testing this locally.

[cwperks]

I also tried with

permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";

but that also doesn't work

[reta]

but that also doesn't work

Thanks @cwperks could we have a test for it that manifests the issue? Could you please share stack traces as well?

[reta]

We think we identified the problem with @willyborankin , that is related to Cleaners however the worrying part is that this is not really specific to OpenSAML or security plugin and could manifest anywhere. That would mean granting that permission to possibly every module and plugin.

[cwperks]

The full stack trace is:

ttp.saml.HTTPSamlAuthenticator_2: Error occurred while attempting to refresh metadata from 'http://localhost:7000/metadata'
java.lang.NoClassDefFoundError: Could not initialize class org.opensaml.xmlsec.signature.impl.X509CertificateImpl
	at org.opensaml.xmlsec.signature.impl.X509CertificateBuilder.buildObject(X509CertificateBuilder.java:40) ~[opensaml-xmlsec-impl-4.3.0.jar:?]
	at org.opensaml.xmlsec.signature.impl.X509CertificateBuilder.buildObject(X509CertificateBuilder.java:28) ~[opensaml-xmlsec-impl-4.3.0.jar:?]
	at org.opensaml.core.xml.AbstractXMLObjectBuilder.buildObject(AbstractXMLObjectBuilder.java:58) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.AbstractXMLObjectBuilder.buildObject(AbstractXMLObjectBuilder.java:73) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.buildXMLObject(AbstractXMLObjectUnmarshaller.java:182) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:104) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:337) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:128) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:337) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:128) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:337) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:128) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:337) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:128) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:337) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:128) ~[opensaml-core-4.3.0.jar:?]
	at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.unmarshallMetadata(AbstractMetadataResolver.java:353) ~[opensaml-saml-impl-4.3.0.jar:?]
	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.unmarshallMetadata(AbstractReloadingMetadataResolver.java:458) ~[opensaml-saml-impl-4.3.0.jar:?]
	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.processNewMetadata(AbstractReloadingMetadataResolver.java:499) ~[opensaml-saml-impl-4.3.0.jar:?]
	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.refresh(AbstractReloadingMetadataResolver.java:370) [opensaml-saml-impl-4.3.0.jar:?]
	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.initMetadataResolver(AbstractReloadingMetadataResolver.java:325) [opensaml-saml-impl-4.3.0.jar:?]
	at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:289) [opensaml-saml-impl-4.3.0.jar:?]
	at net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:65) [java-support-8.4.0.jar:?]
	at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator$2.run(HTTPSamlAuthenticator.java:340) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator$2.run(HTTPSamlAuthenticator.java:337) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at java.security.AccessController.doPrivileged(AccessController.java:569) [?:?]
	at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.createMetadataResolver(HTTPSamlAuthenticator.java:337) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:126) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:67) ~[?:?]
	at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:484) ~[?:?]
	at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.securityconf.DynamicConfigModelV7$1.run(DynamicConfigModelV7.java:408) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at java.security.AccessController.doPrivileged(AccessController.java:318) [?:?]
	at org.opensearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:405) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:314) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.securityconf.DynamicConfigModelV7.<init>(DynamicConfigModelV7.java:91) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:274) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:406) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:395) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:379) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:128) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:52) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.action.support.nodes.TransportNodesAction.nodeOperation(TransportNodesAction.java:200) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:328) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceivedDecorate(SecuritySSLRequestHandler.java:215) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.transport.SecurityRequestHandler.messageReceivedDecorate(SecurityRequestHandler.java:208) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:100) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.security.OpenSearchSecurityPlugin$7$1.messageReceived(OpenSearchSecurityPlugin.java:760) [opensearch-security-3.0.0.0-SNAPSHOT.jar:3.0.0.0-SNAPSHOT]
	at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:106) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.transport.TransportService$8.doRun(TransportService.java:1063) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
	at java.lang.Thread.run(Thread.java:1589) [?:?]
Caused by: java.lang.ExceptionInInitializerError: Exception java.security.AccessControlException: access denied ("org.opensearch.secure_sm.ThreadPermission" "modifyArbitraryThread") [in thread "opensearch[smoketestnode][management][T#1]"]
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) ~[?:?]
	at java.security.AccessController.checkPermission(AccessController.java:1068) ~[?:?]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:411) ~[?:?]
	at org.opensearch.secure_sm.SecureSM.checkThreadAccess(SecureSM.java:228) ~[opensearch-secure-sm-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.secure_sm.SecureSM.checkAccess(SecureSM.java:179) ~[opensearch-secure-sm-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at java.lang.Thread.checkAccess(Thread.java:2360) ~[?:?]
	at java.lang.Thread.setDaemon(Thread.java:2308) ~[?:?]
	at jdk.internal.ref.CleanerImpl.start(CleanerImpl.java:111) ~[?:?]
	at java.lang.ref.Cleaner.create(Cleaner.java:179) ~[?:?]
	at net.shibboleth.utilities.java.support.primitive.CleanerSupport.getInstance(CleanerSupport.java:49) ~[?:?]
	at org.opensaml.xmlsec.signature.impl.X509CertificateImpl.<clinit>(X509CertificateImpl.java:42) ~[?:?]
	... 56 more

[cwperks]

I am manually running the frontend tests in saml_auth.test.ts and it fails when calling the endpoint to update the security configuration and to add a SAML Authenticator. These lines in particular: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/test/jest_integration/saml_auth.test.ts#L159-L175

[scrawfor99]

Approving to unblock ci

[cwperks]

@scrawfor99 This will not be for 2.9.0. This unblocks the CI for main for the security-dashboards-plugin, but we should aim to get an automated test in for verifying the SAML authenticator initialization before backporting to 2.x

[willyborankin]

@scrawfor99 This will not be for 2.9.0. This unblocks the CI for main for the security-dashboards-plugin, but we should aim to get an automated test in for verifying the SAML authenticator initialization before backporting to 2.x

And @reta raised a valid question about the internal permission. I crated an issue #2989

[reta]

To clarify the problem, it comes from the way X509CertificateImpl is initializing Cleaner instance:

public class X509CertificateImpl extends AbstractXMLObject implements X509Certificate {
    /** The {@link Cleaner} instance to use. */
    private static final Cleaner CLEANER = CleanerSupport.getInstance(X509CertificateImpl.class);

The JDK's cleaners are managed from the dedicated threads and the standard library allows to provide the thread factory to be used, in case of OpenSearch:

return Cleaner.create(OpenSearchExecutors.daemonThreadFactory("cleaners"));

But the class CleanerSupport does not use this method (it uses default Cleaner.create()) and that violates the OpenSearch SecurityManager checks.

[reta]

@peternied do you know if AWS is a member of Shibboleth Consortium (https://www.shibboleth.net/) so we could submit an issue against JavaSupport project.

[peternied]

@reta No membership AFAIK, I've created a couple of outreach threads including (opensearch#dev) that link out to this issue. Maybe we will get lucky?

[peternied]

Circling back, I haven't gotten any leads. If something comes my way latter, I'll update on the tracking issue [1]

• [BUG] Somehow security plugin rewrites permissions for other plugins which use Bouncy Castle #3213

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-2987-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 df07bea02f529cf498c7a360c30784a863523a8c
# Push it to GitHub
git push --set-upstream origin backport/backport-2987-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2987-to-2.x.

[DarshitChanpura]

@willyborankin @reta I believe this change should be backported to 2.x? Please correct me if I'm wrong

[willyborankin]

@DarshitChanpura so far no sorry. The problem is permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread"; which we can not use. OpenSAML 5.0 was released Im preparing PR with it. Lets see additionla permissions the library need.