diff --git a/build.gradle b/build.gradle index 835386ea1979b..7de8368a590c4 100644 --- a/build.gradle +++ b/build.gradle @@ -266,9 +266,7 @@ allprojects { } // See please https://bugs.openjdk.java.net/browse/JDK-8209058 - if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_11) { - compile.options.compilerArgs << '-Werror' - } + compile.options.compilerArgs << '-Werror' compile.options.compilerArgs << '-Xlint:auxiliaryclass' compile.options.compilerArgs << '-Xlint:cast' compile.options.compilerArgs << '-Xlint:classfile' diff --git a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchJavaPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchJavaPlugin.java index 018781c7b30c4..c4f3f16dce2db 100644 --- a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchJavaPlugin.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchJavaPlugin.java @@ -175,9 +175,7 @@ public static void configureCompile(Project project) { compileTask.getConventionMapping().map("sourceCompatibility", () -> java.getSourceCompatibility().toString()); compileTask.getConventionMapping().map("targetCompatibility", () -> java.getTargetCompatibility().toString()); // The '--release is available from JDK-9 and above - if (BuildParams.getRuntimeJavaVersion().compareTo(JavaVersion.VERSION_1_8) > 0) { - compileOptions.getRelease().set(releaseVersionProviderFromCompileTask(project, compileTask)); - } + compileOptions.getRelease().set(releaseVersionProviderFromCompileTask(project, compileTask)); }); // also apply release flag to groovy, which is used in build-tools project.getTasks().withType(GroovyCompile.class).configureEach(compileTask -> { 
@@ -271,9 +269,7 @@ private static void configureJavadoc(Project project) { * that the default will change to html5 in the future. */ CoreJavadocOptions javadocOptions = (CoreJavadocOptions) javadoc.getOptions(); - if (BuildParams.getRuntimeJavaVersion().compareTo(JavaVersion.VERSION_1_8) > 0) { - javadocOptions.addBooleanOption("html5", true); - } + javadocOptions.addBooleanOption("html5", true); }); TaskProvider javadoc = project.getTasks().withType(Javadoc.class).named("javadoc"); diff --git a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java index 59caf37f522b3..fc32300cda397 100644 --- a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java @@ -40,7 +40,6 @@ import org.opensearch.gradle.test.ErrorReportingTestListener; import org.opensearch.gradle.util.Util; import org.gradle.api.Action; -import org.gradle.api.JavaVersion; import org.gradle.api.Plugin; import org.gradle.api.Project; import org.gradle.api.Task; @@ -107,14 +106,7 @@ public void execute(Task t) { mkdirs(test.getWorkingDir().toPath().resolve("temp").toFile()); // TODO remove once jvm.options are added to test system properties - if (BuildParams.getRuntimeJavaVersion() == JavaVersion.VERSION_1_8) { - test.systemProperty("java.locale.providers", "SPI,JRE"); - } else { - test.systemProperty("java.locale.providers", "SPI,CLDR"); - if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) < 0) { - test.jvmArgs("--illegal-access=warn"); - } - } + test.systemProperty("java.locale.providers", "SPI,CLDR"); } }); test.getJvmArgumentProviders().add(nonInputProperties); diff --git a/client/rest/build.gradle b/client/rest/build.gradle index ed5eedb65e140..a8a02cc8b32f3 100644 --- a/client/rest/build.gradle +++ b/client/rest/build.gradle 
@@ -35,8 +35,8 @@ apply plugin: 'opensearch.publish' apply from: "$rootDir/gradle/fips.gradle" java { - targetCompatibility = JavaVersion.VERSION_1_8 - sourceCompatibility = JavaVersion.VERSION_1_8 + targetCompatibility = JavaVersion.VERSION_21 + sourceCompatibility = JavaVersion.VERSION_21 } base { @@ -45,6 +45,7 @@ base { } dependencies { + api project(':libs:opensearch-secure-sm') api "org.apache.httpcomponents.client5:httpclient5:${versions.httpclient5}" api "org.apache.httpcomponents.core5:httpcore5:${versions.httpcore5}" api "org.apache.httpcomponents.core5:httpcore5-h2:${versions.httpcore5}" diff --git a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java index 3e38f9ae95dec..1b72e4a073508 100644 --- a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java +++ b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java @@ -48,13 +48,12 @@ import org.apache.hc.core5.http.nio.ssl.TlsStrategy; import org.apache.hc.core5.reactor.ssl.TlsDetails; import org.apache.hc.core5.util.Timeout; +import org.opensearch.secure_sm.AccessController; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; -import java.security.AccessController; import java.security.NoSuchAlgorithmException; -import java.security.PrivilegedAction; import java.util.List; import java.util.Objects; import java.util.Optional; @@ -269,9 +268,7 @@ public RestClient build() { if (failureListener == null) { failureListener = new RestClient.FailureListener(); } - CloseableHttpAsyncClient httpClient = AccessController.doPrivileged( - (PrivilegedAction) this::createHttpClient - ); + CloseableHttpAsyncClient httpClient = AccessController.doPrivileged(this::createHttpClient); RestClient restClient = null; 
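Review bot: The new `api project(':libs:opensearch-secure-sm')` line in client/rest/build.gradle puts secure-sm on the compile classpath of every consumer of the published REST client. The `RestClientBuilder` hunks shown use `org.opensearch.secure_sm.AccessController` only inside method bodies. Unless a secure-sm type appears in a public signature elsewhere in the module, `implementation project(':libs:opensearch-secure-sm')` would keep the dependency out of the client's exported API. The `dependencies` block continues past the end of the hunk.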
@@ -341,7 +338,7 @@ public TlsDetails create(final SSLEngine sslEngine) { } final HttpAsyncClientBuilder finalBuilder = httpClientBuilder; - return AccessController.doPrivileged((PrivilegedAction) finalBuilder::build); + return AccessController.doPrivileged(finalBuilder::build); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException("could not create the default ssl context", e); } diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java index 3ad32d1595f13..7c67d7f16c2e7 100644 --- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java +++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java @@ -39,6 +39,7 @@ import org.apache.hc.core5.http.HttpHost; import org.apache.hc.core5.ssl.SSLContextBuilder; +import org.opensearch.secure_sm.AccessController; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -51,9 +52,7 @@ import java.io.InputStream; import java.net.InetAddress; import java.net.InetSocketAddress; -import java.security.AccessController; import java.security.KeyStore; -import java.security.PrivilegedAction; import java.security.SecureRandom; import static org.hamcrest.Matchers.instanceOf; @@ -155,7 +154,7 @@ private static SSLContext getSslContext(boolean server) throws Exception { * 12.0.1 so we pin to TLSv1.2 when running on an earlier JDK. */ private static String getProtocol() { - String version = AccessController.doPrivileged((PrivilegedAction) () -> System.getProperty("java.version")); + String version = AccessController.doPrivileged(() -> System.getProperty("java.version")); String[] parts = version.split("-"); String[] numericComponents; if (parts.length == 1) { 
diff --git a/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java b/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
index fdfe49ca901c9..6a4b176edd011 100644
--- a/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
@@ -35,34 +35,34 @@ public void tearDown() { } public void testConsumerAllocatesBufferLimit() throws IOException { - consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip()); + consumer.consume(randomByteBufferOfLength(1000).flip()); assertThat(consumer.getBuffer().capacity(), equalTo(1000)); } public void testConsumerAllocatesEmptyBuffer() throws IOException { - consumer.consume((ByteBuffer) ByteBuffer.allocate(0).flip()); + consumer.consume(ByteBuffer.allocate(0).flip()); assertThat(consumer.getBuffer().capacity(), equalTo(0)); } public void testConsumerExpandsBufferLimits() throws IOException { - consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip()); - consumer.consume((ByteBuffer) randomByteBufferOfLength(2000).flip()); - consumer.consume((ByteBuffer) randomByteBufferOfLength(3000).flip()); + consumer.consume(randomByteBufferOfLength(1000).flip()); + consumer.consume(randomByteBufferOfLength(2000).flip()); + consumer.consume(randomByteBufferOfLength(3000).flip()); assertThat(consumer.getBuffer().capacity(), equalTo(6000)); } public void testConsumerAllocatesLimit() throws IOException { - consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip()); + consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip()); assertThat(consumer.getBuffer().capacity(), equalTo(BUFFER_LIMIT)); } public void testConsumerFailsToAllocateOverLimit() throws IOException { - assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT + 1).flip())); + assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT + 1).flip())); } public void testConsumerFailsToExpandOverLimit() throws IOException { - consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip()); - assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(1).flip())); + 
consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip()); + assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(1).flip())); } private static ByteBuffer randomByteBufferOfLength(int length) { diff --git a/client/sniffer/build.gradle b/client/sniffer/build.gradle index 4b50a996d1f9f..bc03393c228fc 100644 --- a/client/sniffer/build.gradle +++ b/client/sniffer/build.gradle @@ -31,8 +31,8 @@ apply plugin: 'opensearch.build' apply plugin: 'opensearch.publish' java { - targetCompatibility = JavaVersion.VERSION_11 - sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_21 + sourceCompatibility = JavaVersion.VERSION_21 } base { diff --git a/client/test/build.gradle b/client/test/build.gradle index 41a4b1545e84a..03cef3eea541a 100644 --- a/client/test/build.gradle +++ b/client/test/build.gradle @@ -31,8 +31,8 @@ apply plugin: 'opensearch.build' apply from: "$rootDir/gradle/fips.gradle" java { - targetCompatibility = JavaVersion.VERSION_1_8 - sourceCompatibility = JavaVersion.VERSION_1_8 + targetCompatibility = JavaVersion.VERSION_21 + sourceCompatibility = JavaVersion.VERSION_21 } base { diff --git a/distribution/tools/java-version-checker/build.gradle b/distribution/tools/java-version-checker/build.gradle index 7fd16b910b293..32a9e16b4d2b0 100644 --- a/distribution/tools/java-version-checker/build.gradle +++ b/distribution/tools/java-version-checker/build.gradle @@ -12,8 +12,8 @@ apply plugin: 'opensearch.build' java { - sourceCompatibility = JavaVersion.VERSION_11 - targetCompatibility = JavaVersion.VERSION_11 + sourceCompatibility = JavaVersion.VERSION_21 + targetCompatibility = JavaVersion.VERSION_21 } // targetting very old java versions enables a warning by default on newer JDK: disable it. 
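Review bot: Raising `sourceCompatibility` and `targetCompatibility` to `JavaVersion.VERSION_21` in distribution/tools/java-version-checker/build.gradle means the checker's own classes load only on a Java 21 or newer runtime. On an older JVM the tool would fail with `UnsupportedClassVersionError` before it can report anything. Judging by the module name and the comment that follows about targeting very old Java versions, it appears to exist to run on runtimes below the supported minimum. If so, keep this module at the previous `JavaVersion.VERSION_11`, or confirm that nothing still launches it on an older JVM.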
diff --git a/distribution/tools/plugin-cli/src/main/java/org/opensearch/tools/cli/plugin/PluginSecurity.java b/distribution/tools/plugin-cli/src/main/java/org/opensearch/tools/cli/plugin/PluginSecurity.java index 2707c05268c08..986a33d30b9c7 100644 --- a/distribution/tools/plugin-cli/src/main/java/org/opensearch/tools/cli/plugin/PluginSecurity.java +++ b/distribution/tools/plugin-cli/src/main/java/org/opensearch/tools/cli/plugin/PluginSecurity.java @@ -38,6 +38,7 @@ import org.opensearch.cli.UserException; import org.opensearch.common.SuppressForbidden; import org.opensearch.common.util.io.IOUtils; +import org.opensearch.secure_sm.policy.Policy; import org.opensearch.secure_sm.policy.PolicyFile; import java.io.IOException; @@ -46,7 +47,6 @@ import java.security.Permission; import java.security.PermissionCollection; import java.security.Permissions; -import java.security.Policy; import java.security.UnresolvedPermission; import java.util.ArrayList; import java.util.Collections; @@ -136,7 +136,6 @@ static String formatPermission(Permission permission) { /** * Parses plugin policy into a set of permissions. Each permission is formatted for output to users. */ - @SuppressWarnings("removal") static Set parsePermissions(Path file, Path tmpDir) throws IOException { // create a zero byte file for "comparison" // this is necessary because the default policy impl automatically grants two permissions: 
@@ -151,7 +150,7 @@ static Set parsePermissions(Path file, Path tmpDir) throws IOException { final Policy policy = new PolicyFile(file.toUri().toURL()); final PermissionCollection permissions = policy.getPermissions(PluginSecurity.class.getProtectionDomain()); // this method is supported with the specific implementation we use, but just check for safety. - if (permissions == Policy.UNSUPPORTED_EMPTY_COLLECTION) { + if (permissions == Policy.EMPTY_PERMISSION_COLLECTION) { throw new UnsupportedOperationException("JavaPolicy implementation does not support retrieving permissions"); } PermissionCollection actualPermissions = new Permissions(); diff --git a/libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/Policy.java b/libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/Policy.java new file mode 100644 index 0000000000000..4809e841b3210 --- /dev/null +++ b/libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/Policy.java @@ -0,0 +1,419 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.secure_sm.policy; + +import org.opensearch.secure_sm.AccessController; + +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.CodeSource; +import java.security.Permission; +import java.security.PermissionCollection; +import java.security.Permissions; +import java.security.ProtectionDomain; +import java.util.Enumeration; +import java.util.WeakHashMap; + +/** + * A {@code Policy} object is responsible for determining whether code executing + * in the Java runtime environment has permission to perform a + * security-sensitive operation. + * + *

There is only one {@code Policy} object installed in the runtime at any + * given time. A {@code Policy} object can be installed by calling the + * {@code setPolicy} method. The installed {@code Policy} object can be + * obtained by calling the {@code getPolicy} method. + * + *

If no {@code Policy} object has been installed in the runtime, a call to + * {@code getPolicy} installs an instance of the default {@code Policy} + * implementation (a default subclass implementation of this abstract class). + * The default {@code Policy} implementation can be changed by setting the value + * of the {@code policy.provider} security property to the fully qualified + * name of the desired {@code Policy} subclass implementation. The system + * class loader is used to load this class. + * + *

Application code can directly subclass {@code Policy} to provide a custom + * implementation. In addition, an instance of a {@code Policy} object can be + * constructed by invoking one of the {@code getInstance} factory methods + * with a standard type. The default policy type is "JavaPolicy". + * + *

Once a {@code Policy} instance has been installed (either by default, + * or by calling {@code setPolicy}), the Java runtime invokes its + * {@code implies} method when it needs to + * determine whether executing code (encapsulated in a ProtectionDomain) + * can perform SecurityManager-protected operations. How a {@code Policy} + * object retrieves its policy data is up to the {@code Policy} implementation + * itself. The policy data may be stored, for example, in a flat ASCII file, + * in a serialized binary file of the {@code Policy} class, or in a database. + * + *

The {@code refresh} method causes the policy object to + * refresh/reload its data. This operation is implementation-dependent. + * For example, if the policy object stores its data in configuration files, + * calling {@code refresh} will cause it to re-read the configuration + * policy files. If a refresh operation is not supported, this method does + * nothing. Note that refreshed policy may not have an effect on classes + * in a particular ProtectionDomain. This is dependent on the policy + * provider's implementation of the {@code implies} + * method and its PermissionCollection caching strategy. + * + * @author Roland Schemers + * @author Gary Ellison + * @see java.security.ProtectionDomain + * @see java.security.Permission + * @see java.security.Security security properties + */ + +public abstract class Policy { + + /** + * Constructor for subclasses to call. + */ + public Policy() {} + + /** + * A read-only empty PermissionCollection instance. + */ + public static final PermissionCollection EMPTY_PERMISSION_COLLECTION = new EmptyPermissionCollection(); + + // Information about the system-wide policy. + private static class PolicyInfo { + // the system-wide policy + final Policy policy; + // a flag indicating if the system-wide policy has been initialized + final boolean initialized; + + PolicyInfo(Policy policy, boolean initialized) { + this.policy = policy; + this.initialized = initialized; + } + } + + // PolicyInfo is volatile since we apply DCL during initialization. + // For correctness, care must be taken to read the field only once and only + // write to it after any other initialization action has taken place. + private static volatile Policy.PolicyInfo policyInfo = new Policy.PolicyInfo(null, false); + + // Cache mapping ProtectionDomain.Key to PermissionCollection + private WeakHashMap pdMapping; + + /** + * Returns the installed {@code Policy} object. + * + * @return the installed Policy. 
+ * + * @see #setPolicy(Policy) + */ + public static Policy getPolicy() { + Policy.PolicyInfo pi = policyInfo; + + if (pi.initialized == false || pi.policy == null) { + try { + Path emptyPolicyFile = Files.createTempFile("empty", ".tmp"); + final Policy emptyPolicy = new PolicyFile(emptyPolicyFile.toUri().toURL()); + pi = new PolicyInfo(emptyPolicy, true); + // IOUtils.rm(emptyPolicyFile); + } catch (Exception e) { + // ignore + } + } + return pi.policy; + } + + /** + * Sets the system-wide {@code Policy} object. + * + * @param p the new system {@code Policy} object. + * + * @see #getPolicy() + * + */ + public static void setPolicy(Policy p) { + if (p != null) { + initPolicy(p); + } + synchronized (Policy.class) { + policyInfo = new Policy.PolicyInfo(p, p != null); + } + } + + /** + * Initialize superclass state such that a legacy provider can + * handle queries for itself. + */ + private static void initPolicy(final Policy p) { + /* + * A policy provider not on the bootclasspath could trigger + * security checks fulfilling a call to either Policy.implies + * or Policy.getPermissions. If this does occur the provider + * must be able to answer for it's own ProtectionDomain + * without triggering additional security checks, otherwise + * the policy implementation will end up in an infinite + * recursion. + * + * To mitigate this, the provider can collect it's own + * ProtectionDomain and associate a PermissionCollection while + * it is being installed. The currently installed policy + * provider (if there is one) will handle calls to + * Policy.implies or Policy.getPermissions during this + * process. + * + * This Policy superclass caches away the ProtectionDomain and + * statically binds permissions so that legacy Policy + * implementations will continue to function. 
+ */ + + ProtectionDomain policyDomain = AccessController.doPrivileged(() -> p.getClass().getProtectionDomain()); + + /* + * Collect the permissions granted to this protection domain + * so that the provider can be security checked while processing + * calls to Policy.implies or Policy.getPermissions. + */ + PermissionCollection policyPerms = null; + synchronized (p) { + if (p.pdMapping == null) { + p.pdMapping = new WeakHashMap<>(); + } + } + + if (policyDomain.getCodeSource() != null) { + Policy pol = policyInfo.policy; + if (pol != null) { + policyPerms = pol.getPermissions(policyDomain); + } + + synchronized (p.pdMapping) { + // cache of pd to permissions + p.pdMapping.put(policyDomain.getCodeSource().hashCode(), policyPerms); + } + } + } + + /** + * Return a PermissionCollection object containing the set of + * permissions granted to the specified CodeSource. + * + *

Applications are discouraged from calling this method + * since this operation may not be supported by all policy implementations. + * Applications should solely rely on the {@code implies} method + * to perform policy checks. If an application absolutely must call + * a getPermissions method, it should call + * {@code getPermissions(ProtectionDomain)}. + * + *

The default implementation of this method returns + * Policy.EMPTY_PERMISSION_COLLECTION. This method can be + * overridden if the policy implementation can return a set of + * permissions granted to a CodeSource. + * + * @param codesource the CodeSource to which the returned + * PermissionCollection has been granted. + * + * @return a set of permissions granted to the specified CodeSource. + * If this operation is supported, the returned + * set of permissions must be a new mutable instance + * and it must support heterogeneous Permission types. + * If this operation is not supported, + * Policy.EMPTY_PERMISSION_COLLECTION is returned. + */ + public PermissionCollection getPermissions(CodeSource codesource) { + return Policy.EMPTY_PERMISSION_COLLECTION; + } + + /** + * Return a PermissionCollection object containing the set of + * permissions granted to the specified ProtectionDomain. + * + *

Applications are discouraged from calling this method + * since this operation may not be supported by all policy implementations. + * Applications should rely on the {@code implies} method + * to perform policy checks. + * + *

The default implementation of this method first retrieves + * the permissions returned via {@code getPermissions(CodeSource)} + * (the CodeSource is taken from the specified ProtectionDomain), + * as well as the permissions located inside the specified ProtectionDomain. + * All of these permissions are then combined and returned in a new + * PermissionCollection object. If {@code getPermissions(CodeSource)} + * returns Policy.EMPTY_PERMISSION_COLLECTION, then this method + * returns the permissions contained inside the specified ProtectionDomain + * in a new PermissionCollection object. + * + *

This method can be overridden if the policy implementation + * supports returning a set of permissions granted to a ProtectionDomain. + * + * @param domain the ProtectionDomain to which the returned + * PermissionCollection has been granted. + * + * @return a set of permissions granted to the specified ProtectionDomain. + * If this operation is supported, the returned + * set of permissions must be a new mutable instance + * and it must support heterogeneous Permission types. + * If this operation is not supported, + * Policy.EMPTY_PERMISSION_COLLECTION is returned. + */ + public PermissionCollection getPermissions(ProtectionDomain domain) { + PermissionCollection pc = null; + + if (domain == null) return new Permissions(); + + if (pdMapping == null) { + initPolicy(this); + } + + synchronized (pdMapping) { + pc = pdMapping.get(domain.getCodeSource().hashCode()); + } + + if (pc != null) { + Permissions perms = new Permissions(); + synchronized (pc) { + for (Enumeration e = pc.elements(); e.hasMoreElements();) { + perms.add(e.nextElement()); + } + } + return perms; + } + + pc = getPermissions(domain.getCodeSource()); + if (pc == null || pc == EMPTY_PERMISSION_COLLECTION) { + pc = new Permissions(); + } + + addStaticPerms(pc, domain.getPermissions()); + return pc; + } + + /** + * add static permissions to provided permission collection + */ + private void addStaticPerms(PermissionCollection perms, PermissionCollection statics) { + if (statics != null) { + synchronized (statics) { + Enumeration e = statics.elements(); + while (e.hasMoreElements()) { + perms.add(e.nextElement()); + } + } + } + } + + /** + * Evaluates the global policy for the permissions granted to + * the ProtectionDomain and tests whether the permission is + * granted. + * + * @param domain the ProtectionDomain to test + * @param permission the Permission object to be tested for implication. 
+ * + * @return {@code true} if "permission" is a proper subset of a permission + * granted to this ProtectionDomain. + * + * @see java.security.ProtectionDomain + */ + public boolean implies(ProtectionDomain domain, Permission permission) { + PermissionCollection pc; + + if (pdMapping == null) { + initPolicy(this); + } + + synchronized (pdMapping) { + pc = pdMapping.get(domain.getCodeSource().hashCode()); + } + + if (pc != null) { + return pc.implies(permission); + } + + pc = getPermissions(domain); + if (pc == null) { + return false; + } + + synchronized (pdMapping) { + // cache it + pdMapping.put(domain.getCodeSource().hashCode(), pc); + } + + return pc.implies(permission); + } + + /** + * Refreshes/reloads the policy configuration. The behavior of this method + * depends on the implementation. For example, calling {@code refresh} + * on a file-based policy will cause the file to be re-read. + * + *

The default implementation of this method does nothing. + * This method should be overridden if a refresh operation is supported + * by the policy implementation. + */ + public void refresh() {} + + /** + * This class represents a read-only empty PermissionCollection object that + * is returned from the {@code getPermissions(CodeSource)} and + * {@code getPermissions(ProtectionDomain)} + * methods in the {@code Policy} class when those operations are not + * supported by the Policy implementation. + */ + private static class EmptyPermissionCollection extends PermissionCollection { + + @java.io.Serial + private static final long serialVersionUID = -8492269157353014774L; + + private Permissions perms; + + /** + * Create a read-only empty PermissionCollection object. + */ + public EmptyPermissionCollection() { + this.perms = new Permissions(); + perms.setReadOnly(); + } + + /** + * Adds a permission object to the current collection of permission + * objects. + * + * @param permission the Permission object to add. + * + * @throws SecurityException if this PermissionCollection object + * has been marked readonly + */ + @Override + public void add(Permission permission) { + perms.add(permission); + } + + /** + * Checks to see if the specified permission is implied by the + * collection of Permission objects held in this PermissionCollection. + * + * @param permission the Permission object to compare. + * + * @return {@code true} if "permission" is implied by the permissions in + * the collection, {@code false} if not. + */ + @Override + public boolean implies(Permission permission) { + return perms.implies(permission); + } + + /** + * Returns an enumeration of all the Permission objects in the + * collection. + * + * @return an enumeration of all the Permissions. + */ + @Override + public Enumeration elements() { + return perms.elements(); + } + } +} 
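Review bot: The permission cache in `initPolicy`, `getPermissions(ProtectionDomain)` and `implies` is keyed on `domain.getCodeSource().hashCode()`, so code sources with equal hashes share one cached `PermissionCollection` and `implies` can answer for the wrong domain. `CodeSource.hashCode()` is derived from the location alone, so every code source with a null location lands in the same entry, and the field comment still describes a `ProtectionDomain.Key` mapping. Keying on the domain object, `pdMapping.get(domain)` / `pdMapping.put(domain, pc)`, removes the collision and gives the `WeakHashMap` a key that stays reachable, which a freshly boxed `Integer` does not. Both lookups also call `domain.getCodeSource()` without the null check that `initPolicy` applies, so a domain with no code source throws `NullPointerException` before any policy lookup. Separately, `getPolicy()` stores its fallback `PolicyFile` only in the local `pi`, so each call creates another temp file that is never removed, and the empty `catch` lets it return `null` on failure.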
diff --git a/libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyFile.java b/libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyFile.java index b45e54c679d7a..158594c385b00 100644 --- a/libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyFile.java +++ b/libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyFile.java @@ -40,8 +40,7 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.function.Function; -@SuppressWarnings("removal") -public class PolicyFile extends java.security.Policy { +public class PolicyFile extends Policy { public static final Set PERM_CLASSES_TO_SKIP = Set.of( "org.opensearch.secure_sm.ThreadContextPermission", "org.opensearch.secure_sm.ThreadPermission", diff --git a/libs/agent-sm/agent/build.gradle b/libs/agent-sm/agent/build.gradle index c495067d45ebb..db7423c71515d 100644 --- a/libs/agent-sm/agent/build.gradle +++ b/libs/agent-sm/agent/build.gradle @@ -10,11 +10,11 @@ configurations { } dependencies { + implementation project(":libs:agent-sm:agent-policy") implementation project(":libs:agent-sm:bootstrap") implementation "net.bytebuddy:byte-buddy:${versions.bytebuddy}" compileOnly "com.google.code.findbugs:jsr305:3.0.2" - testImplementation project(":libs:agent-sm:agent-policy") testImplementation "junit:junit:${versions.junit}" testImplementation "org.hamcrest:hamcrest:${versions.hamcrest}" } diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java index 455be2a83f840..ec406b792e479 100644 --- a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java +++ b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java 
@@ -9,6 +9,7 @@ package org.opensearch.javaagent; import org.opensearch.javaagent.bootstrap.AgentPolicy; +import org.opensearch.secure_sm.policy.Policy; import java.io.FilePermission; import java.lang.reflect.Method; @@ -18,7 +19,6 @@ import java.nio.file.Paths; import java.nio.file.StandardOpenOption; import java.nio.file.spi.FileSystemProvider; -import java.security.Policy; import java.security.ProtectionDomain; import java.util.Collection; import java.util.Set; @@ -42,7 +42,7 @@ public FileInterceptor() {} * @throws Exception exceptions */ @Advice.OnMethodEnter - @SuppressWarnings({ "removal", "deprecation" }) + @SuppressWarnings({ "deprecation" }) public static void intercept(@Advice.AllArguments Object[] args, @Advice.Origin Method method) throws Exception { final Policy policy = AgentPolicy.getPolicy(); if (policy == null) { diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java index 9f879a744f45f..92f68e8f6afe5 100644 --- a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java +++ b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java @@ -9,9 +9,9 @@ package org.opensearch.javaagent; import org.opensearch.javaagent.bootstrap.AgentPolicy; +import org.opensearch.secure_sm.policy.Policy; import java.lang.StackWalker.Option; -import java.security.Policy; import java.util.Collection; import net.bytebuddy.asm.Advice; @@ -31,7 +31,6 @@ public RuntimeHaltInterceptor() {} * @throws Exception exceptions */ @Advice.OnMethodEnter - @SuppressWarnings("removal") public static void intercept(int code) throws Exception { final Policy policy = AgentPolicy.getPolicy(); if (policy == null) { 
diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java index 93daeccb6503f..030f6286c3a44 100644 --- a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java +++ b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java @@ -9,13 +9,13 @@ package org.opensearch.javaagent; import org.opensearch.javaagent.bootstrap.AgentPolicy; +import org.opensearch.secure_sm.policy.Policy; import java.lang.reflect.Method; import java.net.InetSocketAddress; import java.net.NetPermission; import java.net.SocketPermission; import java.net.UnixDomainSocketAddress; -import java.security.Policy; import java.security.ProtectionDomain; import java.util.Collection; @@ -38,7 +38,6 @@ public SocketChannelInterceptor() {} * @throws Exception exceptions */ @Advice.OnMethodEnter - @SuppressWarnings("removal") public static void intercept(@Advice.AllArguments Object[] args, @Origin Method method) throws Exception { final Policy policy = AgentPolicy.getPolicy(); if (policy == null) { diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java index 6ba4f59e00942..0f6d76cb48a81 100644 --- a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java +++ b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java @@ -9,9 +9,9 @@ package org.opensearch.javaagent; import org.opensearch.javaagent.bootstrap.AgentPolicy; +import org.opensearch.secure_sm.policy.Policy; import java.lang.StackWalker.Option; -import java.security.Policy; import java.util.Collection; import net.bytebuddy.asm.Advice; 
@@ -31,7 +31,6 @@ public SystemExitInterceptor() {} * @throws Exception exceptions */ @Advice.OnMethodEnter() - @SuppressWarnings("removal") public static void intercept(int code) throws Exception { final Policy policy = AgentPolicy.getPolicy(); if (policy == null) { diff --git a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/AgentTestCase.java b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/AgentTestCase.java index f15d310b8f388..c7131bd38bec6 100644 --- a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/AgentTestCase.java +++ b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/AgentTestCase.java @@ -9,9 +9,9 @@ package org.opensearch.javaagent; import org.opensearch.javaagent.bootstrap.AgentPolicy; +import org.opensearch.secure_sm.policy.Policy; import org.junit.BeforeClass; -import java.security.Policy; import java.util.Set; public abstract class AgentTestCase { diff --git a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorIntegTests.java b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorIntegTests.java index 701442e517cf7..168e77727a677 100644 --- a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorIntegTests.java +++ b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorIntegTests.java @@ -9,6 +9,7 @@ package org.opensearch.javaagent; import org.opensearch.javaagent.bootstrap.AgentPolicy; +import org.opensearch.secure_sm.policy.Policy; import org.junit.BeforeClass; import org.junit.Test; @@ -25,7 +26,6 @@ import java.security.Permission; import java.security.PermissionCollection; import java.security.Permissions; -import java.security.Policy; import java.security.ProtectionDomain; import java.util.UUID; 
diff --git a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorNegativeIntegTests.java b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorNegativeIntegTests.java index 1827afe260ac8..2188ecd46b5b8 100644 --- a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorNegativeIntegTests.java +++ b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorNegativeIntegTests.java @@ -9,6 +9,7 @@ package org.opensearch.javaagent; import org.opensearch.javaagent.bootstrap.AgentPolicy; +import org.opensearch.secure_sm.policy.Policy; import org.junit.BeforeClass; import org.junit.Test; @@ -19,14 +20,12 @@ import java.nio.file.StandardOpenOption; import java.security.PermissionCollection; import java.security.Permissions; -import java.security.Policy; import java.security.ProtectionDomain; import java.util.UUID; import static org.junit.Assert.assertThrows; import static org.junit.Assert.assertTrue; -@SuppressWarnings("removal") public class FileInterceptorNegativeIntegTests { private static Path getTestDir() { Path baseDir = Path.of(System.getProperty("user.dir")); diff --git a/libs/agent-sm/bootstrap/build.gradle b/libs/agent-sm/bootstrap/build.gradle index 1757e3cd75c99..d1afe234cd6fc 100644 --- a/libs/agent-sm/bootstrap/build.gradle +++ b/libs/agent-sm/bootstrap/build.gradle @@ -20,5 +20,9 @@ tasks.named('forbiddenApisMain').configure { replaceSignatureFiles 'jdk-signatures' } +dependencies { + compileOnly project(":libs:agent-sm:agent-policy") +} + test.enabled = false testingConventions.enabled = false diff --git a/libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AgentPolicy.java b/libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AgentPolicy.java index 44042efc7f73c..f2d2de84e2544 100644 --- a/libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AgentPolicy.java 
+++ b/libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AgentPolicy.java @@ -8,10 +8,11 @@ package org.opensearch.javaagent.bootstrap; +import org.opensearch.secure_sm.policy.Policy; + import java.lang.StackWalker.Option; import java.lang.StackWalker.StackFrame; import java.security.Permission; -import java.security.Policy; import java.security.ProtectionDomain; import java.util.Collection; import java.util.Collections; diff --git a/libs/core/build.gradle b/libs/core/build.gradle index 0cf2cd0bf92b6..0b71832fa8818 100644 --- a/libs/core/build.gradle +++ b/libs/core/build.gradle 
@@ -66,21 +66,27 @@ tasks.named("thirdPartyAudit").configure { ignoreMissingClasses( // from log4j *[ - 'org.osgi.framework.Bundle', - 'org.osgi.framework.BundleActivator', - 'org.osgi.framework.BundleContext', - 'org.osgi.framework.BundleEvent', - 'org.osgi.framework.SynchronousBundleListener', - 'org.osgi.framework.wiring.BundleWire', - 'org.osgi.framework.wiring.BundleWiring', - ] + (BuildParams.runtimeJavaVersion < JavaVersion.VERSION_20) ? [] : [ - 'jdk.incubator.vector.ByteVector', - 'jdk.incubator.vector.FloatVector', - 'jdk.incubator.vector.IntVector', - 'jdk.incubator.vector.ShortVector', - 'jdk.incubator.vector.Vector', - 'jdk.incubator.vector.VectorOperators', - 'jdk.incubator.vector.VectorSpecies' + 'jdk.incubator.vector.ByteVector', + 'jdk.incubator.vector.DoubleVector', + 'jdk.incubator.vector.FloatVector', + 'jdk.incubator.vector.IntVector', + 'jdk.incubator.vector.LongVector', + 'jdk.incubator.vector.ShortVector', + 'jdk.incubator.vector.Vector', + 'jdk.incubator.vector.VectorMask', + 'jdk.incubator.vector.VectorOperators', + 'jdk.incubator.vector.VectorShape', + 'jdk.incubator.vector.VectorSpecies', + 'org.osgi.framework.Bundle', + 'org.osgi.framework.BundleActivator', + 'org.osgi.framework.BundleContext', + 'org.osgi.framework.BundleEvent', + 'org.osgi.framework.FrameworkUtil', + 'org.osgi.framework.ServiceReference', + 'org.osgi.framework.ServiceRegistration', + 'org.osgi.framework.SynchronousBundleListener', + 'org.osgi.framework.wiring.BundleWire', + 'org.osgi.framework.wiring.BundleWiring', ] ) } diff --git a/libs/nio/build.gradle b/libs/nio/build.gradle index 1bd0c91135330..6a1239be9de50 100644 --- a/libs/nio/build.gradle +++ b/libs/nio/build.gradle 
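Review bot: The `// from log4j` comment in libs/core/build.gradle now heads a single list whose first eleven entries are `jdk.incubator.vector.*` classes, so the exemption no longer says which dependency references them. Since `ignoreMissingClasses` is the allow-list for the third-party audit, each group should carry its own origin comment, e.g. `// jdk.incubator.vector: referenced by <dependency>` above the vector entries, with `// from log4j` moved directly above the `org.osgi.*` entries. The list also gains `DoubleVector`, `LongVector`, `VectorMask`, `VectorShape` and three more `org.osgi.framework` classes, which the removed Java-version condition does not explain. This is presumably a dependency upgrade, and the comment or commit message should say so.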
@@ -52,8 +52,6 @@ tasks.named('forbiddenApisMain').configure { } tasks.test { - if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) { - jvmArgs += ["--add-opens", "java.base/java.nio.channels=ALL-UNNAMED"] - jvmArgs += ["--add-opens", "java.base/java.net=ALL-UNNAMED"] - } + jvmArgs += ["--add-opens", "java.base/java.nio.channels=ALL-UNNAMED"] + jvmArgs += ["--add-opens", "java.base/java.net=ALL-UNNAMED"] } diff --git a/libs/ssl-config/build.gradle b/libs/ssl-config/build.gradle index f4338ce1da960..13035db809036 100644 --- a/libs/ssl-config/build.gradle +++ b/libs/ssl-config/build.gradle @@ -58,7 +58,5 @@ tasks.named("dependencyLicenses").configure { } tasks.test { - if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) { - jvmArgs += ["--add-opens", "java.base/java.security.cert=ALL-UNNAMED"] - } + jvmArgs += ["--add-opens", "java.base/java.security.cert=ALL-UNNAMED"] } diff --git a/plugins/discovery-azure-classic/build.gradle b/plugins/discovery-azure-classic/build.gradle index 65919ff4a0a45..c26af8f14d0b9 100644 --- a/plugins/discovery-azure-classic/build.gradle +++ b/plugins/discovery-azure-classic/build.gradle 
@@ -122,178 +122,68 @@ tasks.named("dependencyLicenses").configure { tasks.named("thirdPartyAudit").configure { ignoreMissingClasses( - 'javax.jms.Message', - 'javax.servlet.ServletContextEvent', - 'javax.servlet.ServletContextListener', - 'org.apache.avalon.framework.logger.Logger', - 'org.apache.commons.lang.StringUtils', - 'org.apache.log.Hierarchy', - 'org.apache.log.Logger', - 'org.eclipse.persistence.descriptors.ClassDescriptor', - 'org.eclipse.persistence.internal.oxm.MappingNodeValue', - 'org.eclipse.persistence.internal.oxm.TreeObjectBuilder', - 'org.eclipse.persistence.internal.oxm.XPathFragment', - 'org.eclipse.persistence.internal.oxm.XPathNode', - 'org.eclipse.persistence.internal.queries.ContainerPolicy', - 'org.eclipse.persistence.jaxb.JAXBContext', - 'org.eclipse.persistence.jaxb.JAXBHelper', - 'org.eclipse.persistence.mappings.DatabaseMapping', - 'org.eclipse.persistence.mappings.converters.TypeConversionConverter', - 'org.eclipse.persistence.mappings.foundation.AbstractCompositeDirectCollectionMapping', - 'org.eclipse.persistence.oxm.XMLContext', - 'org.eclipse.persistence.oxm.XMLDescriptor', - 'org.eclipse.persistence.oxm.XMLField', - 'org.eclipse.persistence.oxm.mappings.XMLCompositeCollectionMapping', - 'org.eclipse.persistence.sessions.DatabaseSession', - 'org.jvnet.fastinfoset.VocabularyApplicationData', - 'org.jvnet.staxex.Base64Data', - 'org.jvnet.staxex.XMLStreamReaderEx', - 'org.jvnet.staxex.XMLStreamWriterEx', - 'org.osgi.framework.Bundle', - 'org.osgi.framework.BundleActivator', - 'org.osgi.framework.BundleContext', - 'org.osgi.framework.BundleEvent', - 'org.osgi.framework.SynchronousBundleListener', - 'com.sun.xml.fastinfoset.stax.StAXDocumentParser', - 'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer', - 'org.codehaus.jackson.Base64Variant', - 'org.codehaus.jackson.JsonEncoding', - 'org.codehaus.jackson.JsonFactory', - 'org.codehaus.jackson.JsonGenerator', - 'org.codehaus.jackson.JsonGenerator$Feature', - 
'org.codehaus.jackson.JsonLocation', - 'org.codehaus.jackson.JsonNode', - 'org.codehaus.jackson.JsonParser', - 'org.codehaus.jackson.JsonParser$Feature', - 'org.codehaus.jackson.JsonParser$NumberType', - 'org.codehaus.jackson.JsonStreamContext', - 'org.codehaus.jackson.JsonToken', - 'org.codehaus.jackson.ObjectCodec', - 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider', - 'org.codehaus.jackson.jaxrs.JacksonJsonProvider', - 'org.codehaus.jackson.map.JsonSerializableWithType', - 'org.codehaus.jackson.map.JsonSerializer', - 'org.codehaus.jackson.map.ObjectMapper', - 'org.codehaus.jackson.map.SerializerProvider', - 'org.codehaus.jackson.map.TypeSerializer', - 'org.codehaus.jackson.type.TypeReference' -) - -// jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9) -if (BuildParams.runtimeJavaVersion <= JavaVersion.VERSION_1_8) { - ignoreJarHellWithJDK( - 'javax.xml.bind.Binder', - 'javax.xml.bind.ContextFinder$1', - 'javax.xml.bind.ContextFinder', - 'javax.xml.bind.DataBindingException', - 'javax.xml.bind.DatatypeConverter', - 'javax.xml.bind.DatatypeConverterImpl$CalendarFormatter', - 'javax.xml.bind.DatatypeConverterImpl', - 'javax.xml.bind.DatatypeConverterInterface', - 'javax.xml.bind.Element', - 'javax.xml.bind.GetPropertyAction', - 'javax.xml.bind.JAXB$Cache', - 'javax.xml.bind.JAXB', - 'javax.xml.bind.JAXBContext', - 'javax.xml.bind.JAXBElement$GlobalScope', - 'javax.xml.bind.JAXBElement', - 'javax.xml.bind.JAXBException', - 'javax.xml.bind.JAXBIntrospector', - 'javax.xml.bind.JAXBPermission', - 'javax.xml.bind.MarshalException', - 'javax.xml.bind.Marshaller$Listener', - 'javax.xml.bind.Marshaller', - 'javax.xml.bind.Messages', - 'javax.xml.bind.NotIdentifiableEvent', - 'javax.xml.bind.ParseConversionEvent', - 'javax.xml.bind.PrintConversionEvent', - 'javax.xml.bind.PropertyException', - 'javax.xml.bind.SchemaOutputResolver', - 'javax.xml.bind.TypeConstraintException', - 'javax.xml.bind.UnmarshalException', - 
'javax.xml.bind.Unmarshaller$Listener', - 'javax.xml.bind.Unmarshaller', - 'javax.xml.bind.UnmarshallerHandler', - 'javax.xml.bind.ValidationEvent', - 'javax.xml.bind.ValidationEventHandler', - 'javax.xml.bind.ValidationEventLocator', - 'javax.xml.bind.ValidationException', - 'javax.xml.bind.Validator', - 'javax.xml.bind.WhiteSpaceProcessor', - 'javax.xml.bind.annotation.DomHandler', - 'javax.xml.bind.annotation.W3CDomHandler', - 'javax.xml.bind.annotation.XmlAccessOrder', - 'javax.xml.bind.annotation.XmlAccessType', - 'javax.xml.bind.annotation.XmlAccessorOrder', - 'javax.xml.bind.annotation.XmlAccessorType', - 'javax.xml.bind.annotation.XmlAnyAttribute', - 'javax.xml.bind.annotation.XmlAnyElement', - 'javax.xml.bind.annotation.XmlAttachmentRef', - 'javax.xml.bind.annotation.XmlAttribute', - 'javax.xml.bind.annotation.XmlElement$DEFAULT', - 'javax.xml.bind.annotation.XmlElement', - 'javax.xml.bind.annotation.XmlElementDecl$GLOBAL', - 'javax.xml.bind.annotation.XmlElementDecl', - 'javax.xml.bind.annotation.XmlElementRef$DEFAULT', - 'javax.xml.bind.annotation.XmlElementRef', - 'javax.xml.bind.annotation.XmlElementRefs', - 'javax.xml.bind.annotation.XmlElementWrapper', - 'javax.xml.bind.annotation.XmlElements', - 'javax.xml.bind.annotation.XmlEnum', - 'javax.xml.bind.annotation.XmlEnumValue', - 'javax.xml.bind.annotation.XmlID', - 'javax.xml.bind.annotation.XmlIDREF', - 'javax.xml.bind.annotation.XmlInlineBinaryData', - 'javax.xml.bind.annotation.XmlList', - 'javax.xml.bind.annotation.XmlMimeType', - 'javax.xml.bind.annotation.XmlMixed', - 'javax.xml.bind.annotation.XmlNs', - 'javax.xml.bind.annotation.XmlNsForm', - 'javax.xml.bind.annotation.XmlRegistry', - 'javax.xml.bind.annotation.XmlRootElement', - 'javax.xml.bind.annotation.XmlSchema', - 'javax.xml.bind.annotation.XmlSchemaType$DEFAULT', - 'javax.xml.bind.annotation.XmlSchemaType', - 'javax.xml.bind.annotation.XmlSchemaTypes', - 'javax.xml.bind.annotation.XmlSeeAlso', - 'javax.xml.bind.annotation.XmlTransient', 
- 'javax.xml.bind.annotation.XmlType$DEFAULT', - 'javax.xml.bind.annotation.XmlType', - 'javax.xml.bind.annotation.XmlValue', - 'javax.xml.bind.annotation.adapters.CollapsedStringAdapter', - 'javax.xml.bind.annotation.adapters.HexBinaryAdapter', - 'javax.xml.bind.annotation.adapters.NormalizedStringAdapter', - 'javax.xml.bind.annotation.adapters.XmlAdapter', - 'javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter$DEFAULT', - 'javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter', - 'javax.xml.bind.annotation.adapters.XmlJavaTypeAdapters', - 'javax.xml.bind.attachment.AttachmentMarshaller', - 'javax.xml.bind.attachment.AttachmentUnmarshaller', - 'javax.xml.bind.helpers.AbstractMarshallerImpl', - 'javax.xml.bind.helpers.AbstractUnmarshallerImpl', - 'javax.xml.bind.helpers.DefaultValidationEventHandler', - 'javax.xml.bind.helpers.Messages', - 'javax.xml.bind.helpers.NotIdentifiableEventImpl', - 'javax.xml.bind.helpers.ParseConversionEventImpl', - 'javax.xml.bind.helpers.PrintConversionEventImpl', - 'javax.xml.bind.helpers.ValidationEventImpl', - 'javax.xml.bind.helpers.ValidationEventLocatorImpl', - 'javax.xml.bind.util.JAXBResult', - 'javax.xml.bind.util.JAXBSource$1', - 'javax.xml.bind.util.JAXBSource', - 'javax.xml.bind.util.Messages', - 'javax.xml.bind.util.ValidationEventCollector' + 'javax.activation.ActivationDataFlavor', + 'javax.activation.DataContentHandler', + 'javax.activation.DataHandler', + 'javax.activation.DataSource', + 'javax.activation.FileDataSource', + 'javax.activation.FileTypeMap', + 'javax.activation.MimeType', + 'javax.activation.MimeTypeParseException', + 'javax.jms.Message', + 'javax.servlet.ServletContextEvent', + 'javax.servlet.ServletContextListener', + 'org.apache.avalon.framework.logger.Logger', + 'org.apache.commons.lang.StringUtils', + 'org.apache.log.Hierarchy', + 'org.apache.log.Logger', + 'org.eclipse.persistence.descriptors.ClassDescriptor', + 'org.eclipse.persistence.internal.oxm.MappingNodeValue', + 
'org.eclipse.persistence.internal.oxm.TreeObjectBuilder', + 'org.eclipse.persistence.internal.oxm.XPathFragment', + 'org.eclipse.persistence.internal.oxm.XPathNode', + 'org.eclipse.persistence.internal.queries.ContainerPolicy', + 'org.eclipse.persistence.jaxb.JAXBContext', + 'org.eclipse.persistence.jaxb.JAXBHelper', + 'org.eclipse.persistence.mappings.DatabaseMapping', + 'org.eclipse.persistence.mappings.converters.TypeConversionConverter', + 'org.eclipse.persistence.mappings.foundation.AbstractCompositeDirectCollectionMapping', + 'org.eclipse.persistence.oxm.XMLContext', + 'org.eclipse.persistence.oxm.XMLDescriptor', + 'org.eclipse.persistence.oxm.XMLField', + 'org.eclipse.persistence.oxm.mappings.XMLCompositeCollectionMapping', + 'org.eclipse.persistence.sessions.DatabaseSession', + 'org.jvnet.fastinfoset.VocabularyApplicationData', + 'org.jvnet.staxex.Base64Data', + 'org.jvnet.staxex.XMLStreamReaderEx', + 'org.jvnet.staxex.XMLStreamWriterEx', + 'org.osgi.framework.Bundle', + 'org.osgi.framework.BundleActivator', + 'org.osgi.framework.BundleContext', + 'org.osgi.framework.BundleEvent', + 'org.osgi.framework.SynchronousBundleListener', + 'com.sun.xml.fastinfoset.stax.StAXDocumentParser', + 'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer', + 'org.codehaus.jackson.Base64Variant', + 'org.codehaus.jackson.JsonEncoding', + 'org.codehaus.jackson.JsonFactory', + 'org.codehaus.jackson.JsonGenerator', + 'org.codehaus.jackson.JsonGenerator$Feature', + 'org.codehaus.jackson.JsonLocation', + 'org.codehaus.jackson.JsonNode', + 'org.codehaus.jackson.JsonParser', + 'org.codehaus.jackson.JsonParser$Feature', + 'org.codehaus.jackson.JsonParser$NumberType', + 'org.codehaus.jackson.JsonStreamContext', + 'org.codehaus.jackson.JsonToken', + 'org.codehaus.jackson.ObjectCodec', + 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider', + 'org.codehaus.jackson.jaxrs.JacksonJsonProvider', + 'org.codehaus.jackson.map.JsonSerializableWithType', + 
'org.codehaus.jackson.map.JsonSerializer', + 'org.codehaus.jackson.map.ObjectMapper', + 'org.codehaus.jackson.map.SerializerProvider', + 'org.codehaus.jackson.map.TypeSerializer', + 'org.codehaus.jackson.type.TypeReference' ) -} else { - ignoreMissingClasses( - 'javax.activation.ActivationDataFlavor', - 'javax.activation.DataContentHandler', - 'javax.activation.DataHandler', - 'javax.activation.DataSource', - 'javax.activation.FileDataSource', - 'javax.activation.FileTypeMap', - 'javax.activation.MimeType', - 'javax.activation.MimeTypeParseException', - ) - } } diff --git a/plugins/repository-hdfs/build.gradle b/plugins/repository-hdfs/build.gradle index 95d4efdd4d6c3..cb7059642f237 100644 --- a/plugins/repository-hdfs/build.gradle +++ b/plugins/repository-hdfs/build.gradle @@ -148,9 +148,6 @@ for (String fixtureName : ['hdfsFixture', 'haHdfsFixture', 'secureHdfsFixture', // If it's a secure fixture, then depend on Kerberos Fixture and principals + add the krb5conf to the JVM options if (fixtureName.equals('secureHdfsFixture') || fixtureName.equals('secureHaHdfsFixture')) { miniHDFSArgs.add("-Djava.security.krb5.conf=${project(':test:fixtures:krb5kdc-fixture').ext.krb5Conf("hdfs")}"); - if (BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_9) { - miniHDFSArgs.add('--add-opens=java.security.jgss/sun.security.krb5=ALL-UNNAMED') - } } // If it's an HA fixture, set a nameservice to use in the JVM options if (fixtureName.equals('haHdfsFixture') || fixtureName.equals('secureHaHdfsFixture')) { @@ -242,9 +239,7 @@ for (String integTestTaskName : ['integTestHa', 'integTestSecure', 'integTestSec } } - if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) { - jvmArgs += ["--add-opens", "java.security.jgss/sun.security.krb5=ALL-UNNAMED"] - } + jvmArgs += ["--add-opens", "java.security.jgss/sun.security.krb5=ALL-UNNAMED"] } testClusters."${integTestTaskName}" { 
diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle index a50f317ebbbf6..71f776192821c 100644 --- a/plugins/repository-s3/build.gradle +++ b/plugins/repository-s3/build.gradle @@ -437,6 +437,7 @@ tasks.named("check").configure { dependsOn(s3ThirdPartyTest) } thirdPartyAudit { ignoreMissingClasses( // classes are missing + 'javax.activation.DataHandler', 'javax.jms.Message', 'javax.servlet.ServletContextEvent', 'javax.servlet.ServletContextListener', 
@@ -578,112 +579,3 @@ thirdPartyAudit { 'io.netty.util.internal.shaded.org.jctools.util.UnsafeLongArrayAccess', ) } - -// jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9) -if (BuildParams.runtimeJavaVersion <= JavaVersion.VERSION_1_8) { - thirdPartyAudit.ignoreJarHellWithJDK( - 'javax.xml.bind.Binder', - 'javax.xml.bind.ContextFinder$1', - 'javax.xml.bind.ContextFinder', - 'javax.xml.bind.DataBindingException', - 'javax.xml.bind.DatatypeConverter', - 'javax.xml.bind.DatatypeConverterImpl$CalendarFormatter', - 'javax.xml.bind.DatatypeConverterImpl', - 'javax.xml.bind.DatatypeConverterInterface', - 'javax.xml.bind.Element', - 'javax.xml.bind.GetPropertyAction', - 'javax.xml.bind.JAXB$Cache', - 'javax.xml.bind.JAXB', - 'javax.xml.bind.JAXBContext', - 'javax.xml.bind.JAXBElement$GlobalScope', - 'javax.xml.bind.JAXBElement', - 'javax.xml.bind.JAXBException', - 'javax.xml.bind.JAXBIntrospector', - 'javax.xml.bind.JAXBPermission', - 'javax.xml.bind.MarshalException', - 'javax.xml.bind.Marshaller$Listener', - 'javax.xml.bind.Marshaller', - 'javax.xml.bind.Messages', - 'javax.xml.bind.NotIdentifiableEvent', - 'javax.xml.bind.ParseConversionEvent', - 'javax.xml.bind.PrintConversionEvent', - 'javax.xml.bind.PropertyException', - 'javax.xml.bind.SchemaOutputResolver', - 'javax.xml.bind.TypeConstraintException', - 'javax.xml.bind.UnmarshalException', - 'javax.xml.bind.Unmarshaller$Listener', - 'javax.xml.bind.Unmarshaller', - 'javax.xml.bind.UnmarshallerHandler', - 'javax.xml.bind.ValidationEvent', - 'javax.xml.bind.ValidationEventHandler', - 'javax.xml.bind.ValidationEventLocator', - 'javax.xml.bind.ValidationException', - 'javax.xml.bind.Validator', - 'javax.xml.bind.WhiteSpaceProcessor', - 'javax.xml.bind.annotation.DomHandler', - 'javax.xml.bind.annotation.W3CDomHandler', - 'javax.xml.bind.annotation.XmlAccessOrder', - 'javax.xml.bind.annotation.XmlAccessType', - 'javax.xml.bind.annotation.XmlAccessorOrder', - 
'javax.xml.bind.annotation.XmlAccessorType', - 'javax.xml.bind.annotation.XmlAnyAttribute', - 'javax.xml.bind.annotation.XmlAnyElement', - 'javax.xml.bind.annotation.XmlAttachmentRef', - 'javax.xml.bind.annotation.XmlAttribute', - 'javax.xml.bind.annotation.XmlElement$DEFAULT', - 'javax.xml.bind.annotation.XmlElement', - 'javax.xml.bind.annotation.XmlElementDecl$GLOBAL', - 'javax.xml.bind.annotation.XmlElementDecl', - 'javax.xml.bind.annotation.XmlElementRef$DEFAULT', - 'javax.xml.bind.annotation.XmlElementRef', - 'javax.xml.bind.annotation.XmlElementRefs', - 'javax.xml.bind.annotation.XmlElementWrapper', - 'javax.xml.bind.annotation.XmlElements', - 'javax.xml.bind.annotation.XmlEnum', - 'javax.xml.bind.annotation.XmlEnumValue', - 'javax.xml.bind.annotation.XmlID', - 'javax.xml.bind.annotation.XmlIDREF', - 'javax.xml.bind.annotation.XmlInlineBinaryData', - 'javax.xml.bind.annotation.XmlList', - 'javax.xml.bind.annotation.XmlMimeType', - 'javax.xml.bind.annotation.XmlMixed', - 'javax.xml.bind.annotation.XmlNs', - 'javax.xml.bind.annotation.XmlNsForm', - 'javax.xml.bind.annotation.XmlRegistry', - 'javax.xml.bind.annotation.XmlRootElement', - 'javax.xml.bind.annotation.XmlSchema', - 'javax.xml.bind.annotation.XmlSchemaType$DEFAULT', - 'javax.xml.bind.annotation.XmlSchemaType', - 'javax.xml.bind.annotation.XmlSchemaTypes', - 'javax.xml.bind.annotation.XmlSeeAlso', - 'javax.xml.bind.annotation.XmlTransient', - 'javax.xml.bind.annotation.XmlType$DEFAULT', - 'javax.xml.bind.annotation.XmlType', - 'javax.xml.bind.annotation.XmlValue', - 'javax.xml.bind.annotation.adapters.CollapsedStringAdapter', - 'javax.xml.bind.annotation.adapters.HexBinaryAdapter', - 'javax.xml.bind.annotation.adapters.NormalizedStringAdapter', - 'javax.xml.bind.annotation.adapters.XmlAdapter', - 'javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter$DEFAULT', - 'javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter', - 'javax.xml.bind.annotation.adapters.XmlJavaTypeAdapters', - 
'javax.xml.bind.attachment.AttachmentMarshaller', - 'javax.xml.bind.attachment.AttachmentUnmarshaller', - 'javax.xml.bind.helpers.AbstractMarshallerImpl', - 'javax.xml.bind.helpers.AbstractUnmarshallerImpl', - 'javax.xml.bind.helpers.DefaultValidationEventHandler', - 'javax.xml.bind.helpers.Messages', - 'javax.xml.bind.helpers.NotIdentifiableEventImpl', - 'javax.xml.bind.helpers.ParseConversionEventImpl', - 'javax.xml.bind.helpers.PrintConversionEventImpl', - 'javax.xml.bind.helpers.ValidationEventImpl', - 'javax.xml.bind.helpers.ValidationEventLocatorImpl', - 'javax.xml.bind.util.JAXBResult', - 'javax.xml.bind.util.JAXBSource$1', - 'javax.xml.bind.util.JAXBSource', - 'javax.xml.bind.util.Messages', - 'javax.xml.bind.util.ValidationEventCollector' - ) -} else { - thirdPartyAudit.ignoreMissingClasses 'javax.activation.DataHandler' -} diff --git a/server/build.gradle b/server/build.gradle index c2b3b1b2788a1..a9a292fd7de2c 100644 --- a/server/build.gradle +++ b/server/build.gradle @@ -272,6 +272,8 @@ tasks.named("thirdPartyAudit").configure { 'com.lmax.disruptor.WaitStrategy', 'com.lmax.disruptor.dsl.Disruptor', 'com.lmax.disruptor.dsl.ProducerType', + 'com.lmax.disruptor.SequenceBarrier', + 'com.lmax.disruptor.TimeoutException', 'javax.jms.Connection', 'javax.jms.ConnectionFactory', 'javax.jms.Destination', 
@@ -291,12 +293,24 @@ tasks.named("thirdPartyAudit").configure { 'javax.mail.internet.MimeMessage', 'javax.mail.internet.MimeMultipart', 'javax.mail.internet.MimeUtility', + 'jdk.incubator.vector.ByteVector', + 'jdk.incubator.vector.DoubleVector', + 'jdk.incubator.vector.FloatVector', + 'jdk.incubator.vector.IntVector', + 'jdk.incubator.vector.LongVector', + 'jdk.incubator.vector.ShortVector', + 'jdk.incubator.vector.Vector', + 'jdk.incubator.vector.VectorMask', + 'jdk.incubator.vector.VectorOperators', + 'jdk.incubator.vector.VectorShape', + 'jdk.incubator.vector.VectorSpecies', 'org.apache.commons.compress.compressors.CompressorStreamFactory', 'org.apache.commons.compress.utils.IOUtils', 'org.apache.commons.csv.CSVFormat', 'org.apache.commons.csv.QuoteMode', 'org.apache.kafka.clients.producer.Producer', 'org.apache.kafka.clients.producer.RecordMetadata', + 'org.apache.kafka.common.serialization.ByteArraySerializer', 'org.codehaus.stax2.XMLStreamWriter2', 'org.jctools.queues.MpscArrayQueue', 'org.osgi.framework.Bundle', @@ -305,10 +319,16 @@ tasks.named("thirdPartyAudit").configure { 'org.osgi.framework.BundleEvent', 'org.osgi.framework.BundleReference', 'org.osgi.framework.FrameworkUtil', + 'org.osgi.framework.ServiceReference', 'org.osgi.framework.ServiceRegistration', 'org.osgi.framework.SynchronousBundleListener', 'org.osgi.framework.wiring.BundleWire', 'org.osgi.framework.wiring.BundleWiring', + 'org.zeromq.SocketType', + 'org.zeromq.ZContext', + 'org.zeromq.ZMonitor', + 'org.zeromq.ZMonitor$Event', + 'org.zeromq.ZMonitor$ZEvent', 'org.zeromq.ZMQ$Context', 'org.zeromq.ZMQ$Socket', 'org.zeromq.ZMQ', 
@@ -325,15 +345,59 @@ tasks.named("thirdPartyAudit").configure { 'com.google.common.geometry.S2Projections', 'com.google.common.geometry.S2Point', 'com.google.common.geometry.S2$Metric', - 'com.google.common.geometry.S2LatLng' - ] + (BuildParams.runtimeJavaVersion < JavaVersion.VERSION_20) ? [] : [ - 'jdk.incubator.vector.ByteVector', - 'jdk.incubator.vector.FloatVector', - 'jdk.incubator.vector.IntVector', - 'jdk.incubator.vector.ShortVector', - 'jdk.incubator.vector.Vector', - 'jdk.incubator.vector.VectorOperators', - 'jdk.incubator.vector.VectorSpecies' + 'com.google.common.geometry.S2LatLng', + + // from micrometer + 'io.micrometer.context.ContextAccessor', + 'io.micrometer.context.ContextRegistry', + 'io.micrometer.context.ContextSnapshot', + 'io.micrometer.context.ContextSnapshot$Scope', + 'io.micrometer.context.ContextSnapshotFactory', + 'io.micrometer.context.ContextSnapshotFactory$Builder', + 'io.micrometer.context.ThreadLocalAccessor', + 'io.micrometer.core.instrument.Clock', + 'io.micrometer.core.instrument.Counter', + 'io.micrometer.core.instrument.Counter$Builder', + 'io.micrometer.core.instrument.DistributionSummary', + 'io.micrometer.core.instrument.DistributionSummary$Builder', + 'io.micrometer.core.instrument.Meter', + 'io.micrometer.core.instrument.MeterRegistry', + 'io.micrometer.core.instrument.Metrics', + 'io.micrometer.core.instrument.Tag', + 'io.micrometer.core.instrument.Tags', + 'io.micrometer.core.instrument.Timer', + 'io.micrometer.core.instrument.Timer$Builder', + 'io.micrometer.core.instrument.Timer$Sample', + 'io.micrometer.core.instrument.binder.jvm.ExecutorServiceMetrics', + 'io.micrometer.core.instrument.composite.CompositeMeterRegistry', + 'io.micrometer.core.instrument.search.Search', + + // from lucene facets + 'org.apache.lucene.facet.DrillDownQuery', + 'org.apache.lucene.facet.DrillSideways', + 'org.apache.lucene.facet.DrillSideways$Result', + 'org.apache.lucene.facet.FacetResult', + 'org.apache.lucene.facet.FacetsConfig', + 
'org.apache.lucene.facet.FacetsConfig$DimConfig', + 'org.apache.lucene.facet.LabelAndValue', + 'org.apache.lucene.facet.MultiDoubleValuesSource', + 'org.apache.lucene.facet.MultiLongValues', + 'org.apache.lucene.facet.MultiLongValuesSource', + 'org.apache.lucene.facet.range.DoubleRange', + 'org.apache.lucene.facet.range.LongRange', + 'org.apache.lucene.facet.range.Range', + 'org.apache.lucene.facet.taxonomy.FacetLabel', + 'org.apache.lucene.facet.taxonomy.ParallelTaxonomyArrays', + 'org.apache.lucene.facet.taxonomy.ParallelTaxonomyArrays$IntArray', + 'org.apache.lucene.facet.taxonomy.TaxonomyReader', + + // from slf4j + 'org.slf4j.Logger', + 'org.slf4j.LoggerFactory', + + // from reactor blockhound + 'reactor.blockhound.BlockHound$Builder', + 'reactor.blockhound.integration.BlockHoundIntegration' ] ) ignoreViolations( diff --git a/server/src/main/java/org/opensearch/bootstrap/BootstrapChecks.java b/server/src/main/java/org/opensearch/bootstrap/BootstrapChecks.java index b484c33fda5c9..c3cdeeee3ff81 100644 --- a/server/src/main/java/org/opensearch/bootstrap/BootstrapChecks.java +++ b/server/src/main/java/org/opensearch/bootstrap/BootstrapChecks.java @@ -52,13 +52,13 @@ import org.opensearch.monitor.process.ProcessProbe; import org.opensearch.node.NodeRoleSettings; import org.opensearch.node.NodeValidationException; +import org.opensearch.secure_sm.policy.Policy; import java.io.BufferedReader; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; import java.security.AllPermission; -import java.security.Policy; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; @@ -720,7 +720,6 @@ public final BootstrapCheckResult check(BootstrapContext context) { return BootstrapCheckResult.success(); } - @SuppressWarnings("removal") boolean isAllPermissionGranted() { final Policy policy = AgentPolicy.getPolicy(); assert policy != null; 
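Review bot: The new `// from micrometer`, `// from lucene facets`, `// from slf4j` and `// from reactor blockhound` groups in server/build.gradle name the package that is missing, not the dependency that references it. Someone auditing the list cannot tell which jar would fail to link if one of these code paths were reached at runtime. A comment per group such as `// io.micrometer.*: optional integration referenced by <dependency jar>` would make each exemption reviewable. These more than forty new exemptions are also unrelated to the removed `BuildParams.runtimeJavaVersion` ternary, so it is worth confirming that each is still required by the current dependency set.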
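Review bot: `isAllPermissionGranted()` still guards the policy lookup with `assert policy != null;`, which is a no-op unless the JVM runs with `-ea`. If `AgentPolicy.getPolicy()` returns null in production, this bootstrap check would presumably fail with a NullPointerException on the next use rather than a clear error. An explicit guard such as `if (policy == null) { throw new IllegalStateException("agent policy is not installed"); }` makes the failure mode deliberate. The rest of the method body is outside this hunk, so how `policy` is used after the assert should be confirmed.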
diff --git a/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java b/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java index 8e000e881c863..b4529a7adf5c8 100644 --- a/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java +++ b/server/src/main/java/org/opensearch/bootstrap/OpenSearchPolicy.java @@ -33,16 +33,15 @@ package org.opensearch.bootstrap; import org.opensearch.common.SuppressForbidden; +import org.opensearch.secure_sm.policy.Policy; import java.io.FilePermission; import java.io.IOException; -import java.net.SocketPermission; import java.net.URL; import java.security.CodeSource; import java.security.Permission; import java.security.PermissionCollection; import java.security.Permissions; -import java.security.Policy; import java.security.ProtectionDomain; import java.util.Collections; import java.util.Map; @@ -79,11 +78,7 @@ final class OpenSearchPolicy extends Policy { this.template = Security.readPolicy(getClass().getResource(POLICY_RESOURCE), codebases); this.dataPathPermission = dataPathPermission; this.untrusted = Security.readPolicy(getClass().getResource(UNTRUSTED_RESOURCE), Collections.emptyMap()); - if (filterBadDefaults) { - this.system = new SystemPolicy(Policy.getPolicy()); - } else { - this.system = Policy.getPolicy(); - } + this.system = Policy.getPolicy(); this.dynamic = dynamic; this.plugins = plugins; } 
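Review bot: The constructor now assigns `this.system = Policy.getPolicy();` unconditionally, so `filterBadDefaults` appears to be ignored, while callers may still pass it expecting the filtering. The parameter is referenced only by the removed branch, and the signature is outside this hunk. The removed `SystemPolicy` wrapper (deleted in the following hunk at `-210,41`) denied `RuntimePermission("stopThread")` and `SocketPermission("localhost:0", "listen")` regardless of what the delegate granted. With `Policy` now resolving to `org.opensearch.secure_sm.policy.Policy`, it should be verified that the replacement `getPolicy()` cannot return a policy granting those defaults. Once verified, either drop the parameter or add a comment at the assignment, e.g. `// filterBadDefaults is a no-op: the agent Policy never loads the JDK default grants`.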
@@ -210,41 +205,4 @@ public String getActions() { } } - - // default policy file states: - // "It is strongly recommended that you either remove this permission - // from this policy file or further restrict it to code sources - // that you specify, because Thread.stop() is potentially unsafe." - // not even sure this method still works... - private static final Permission BAD_DEFAULT_NUMBER_ONE = new BadDefaultPermission(new RuntimePermission("stopThread"), p -> true); - - // default policy file states: - // "allows anyone to listen on dynamic ports" - // specified exactly because that is what we want, and fastest since it won't imply any - // expensive checks for the implicit "resolve" - private static final Permission BAD_DEFAULT_NUMBER_TWO = new BadDefaultPermission( - new SocketPermission("localhost:0", "listen"), - // we apply this pre-implies test because some SocketPermission#implies calls do expensive reverse-DNS resolves - p -> p instanceof SocketPermission && p.getActions().contains("listen") - ); - - /** - * Wraps the Java system policy, filtering out bad default permissions that - * are granted to all domains. Note, before java 8 these were even worse. - */ - static class SystemPolicy extends Policy { - final Policy delegate; - - SystemPolicy(Policy delegate) { - this.delegate = delegate; - } - - @Override - public boolean implies(ProtectionDomain domain, Permission permission) { - if (BAD_DEFAULT_NUMBER_ONE.implies(permission) || BAD_DEFAULT_NUMBER_TWO.implies(permission)) { - return false; - } - return delegate.implies(domain, permission); - } - } } diff --git a/server/src/main/java/org/opensearch/bootstrap/Security.java b/server/src/main/java/org/opensearch/bootstrap/Security.java index a8652dffa6910..ca20d65e61a01 100644 --- a/server/src/main/java/org/opensearch/bootstrap/Security.java +++ b/server/src/main/java/org/opensearch/bootstrap/Security.java 
@@ -44,6 +44,7 @@ import org.opensearch.javaagent.bootstrap.AgentPolicy; import org.opensearch.plugins.PluginInfo; import org.opensearch.plugins.PluginsService; +import org.opensearch.secure_sm.policy.Policy; import org.opensearch.secure_sm.policy.PolicyFile; import org.opensearch.transport.TcpTransport; @@ -59,7 +60,6 @@ import java.nio.file.Path; import java.security.NoSuchAlgorithmException; import java.security.Permissions; -import java.security.Policy; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; diff --git a/test/framework/build.gradle b/test/framework/build.gradle index 1673326ba7fb3..c25f48de7c6ce 100644 --- a/test/framework/build.gradle +++ b/test/framework/build.gradle @@ -55,6 +55,7 @@ dependencies { fipsOnly "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}" fipsOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}" + implementation project(":libs:agent-sm:agent-policy") compileOnly project(":libs:agent-sm:bootstrap") compileOnly "com.github.spotbugs:spotbugs-annotations:4.9.6" diff --git a/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java b/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java index b7ecf379e3f97..73f97eda526bf 100644 --- a/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java +++ b/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java @@ -49,6 +49,7 @@ import org.opensearch.fips.FipsMode; import org.opensearch.javaagent.bootstrap.AgentPolicy; import org.opensearch.plugins.PluginInfo; +import org.opensearch.secure_sm.policy.Policy; import org.junit.Assert; import java.io.InputStream; @@ -60,7 +61,6 @@ import java.nio.file.Path; import java.security.Permission; import java.security.Permissions; -import java.security.Policy; import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.Arrays;