diff --git a/modules/lang-expression/src/main/java/org/opensearch/script/expression/ExpressionScriptEngine.java b/modules/lang-expression/src/main/java/org/opensearch/script/expression/ExpressionScriptEngine.java index d75146ad8a5e7..ffc93eac10368 100644 --- a/modules/lang-expression/src/main/java/org/opensearch/script/expression/ExpressionScriptEngine.java +++ b/modules/lang-expression/src/main/java/org/opensearch/script/expression/ExpressionScriptEngine.java @@ -48,7 +48,6 @@ import org.opensearch.script.AggregationScript; import org.opensearch.script.BucketAggregationScript; import org.opensearch.script.BucketAggregationSelectorScript; -import org.opensearch.script.ClassPermission; import org.opensearch.script.FieldScript; import org.opensearch.script.FilterScript; import org.opensearch.script.NumberSortScript; @@ -58,12 +57,10 @@ import org.opensearch.script.ScriptException; import org.opensearch.script.TermsSetQueryScript; import org.opensearch.search.lookup.SearchLookup; +import org.opensearch.secure_sm.AccessController; import java.io.IOException; import java.io.UncheckedIOException; -import java.security.AccessControlContext; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.text.ParseException; import java.util.ArrayList; import java.util.Collections; 
@@ -172,37 +169,16 @@ public String getType() { return NAME; } - @SuppressWarnings("removal") @Override public T compile(String scriptName, String scriptSource, ScriptContext context, Map params) { // classloader created here - final SecurityManager sm = System.getSecurityManager(); SpecialPermission.check(); - Expression expr = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Expression run() { - try { - // snapshot our context here, we check on behalf of the expression - AccessControlContext engineContext = AccessController.getContext(); - ClassLoader loader = getClass().getClassLoader(); - if (sm != null) { - loader = new ClassLoader(loader) { - @Override - protected Class loadClass(String name, boolean resolve) throws ClassNotFoundException { - try { - engineContext.checkPermission(new ClassPermission(name)); - } catch (SecurityException e) { - throw new ClassNotFoundException(name, e); - } - return super.loadClass(name, resolve); - } - }; - } - // NOTE: validation is delayed to allow runtime vars, and we don't have access to per index stuff here - return JavascriptCompiler.compile(scriptSource, JavascriptCompiler.DEFAULT_FUNCTIONS); - } catch (ParseException e) { - throw convertToScriptException("compile error", scriptSource, scriptSource, e); - } + Expression expr = AccessController.doPrivileged(() -> { + try { + // NOTE: validation is delayed to allow runtime vars, and we don't have access to per index stuff here + return JavascriptCompiler.compile(scriptSource, JavascriptCompiler.DEFAULT_FUNCTIONS); + } catch (ParseException e) { + throw convertToScriptException("compile error", scriptSource, scriptSource, e); } }); if (contexts.containsKey(context) == false) { diff --git a/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java b/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java index 842353fdba336..2ade67c96b25a 100644 
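Review bot: The surviving comment `// classloader created here` above `SpecialPermission.check()` in `compile` no longer matches anything visible, because the wrapper `ClassLoader` that called `engineContext.checkPermission(new ClassPermission(name))` is deleted. In the removed lines that loader was built but never passed to `JavascriptCompiler.compile`, so dropping it looks behaviour-neutral here. The commit should still say where class loading for expressions is restricted now, if anywhere. I would replace the stale comment with something like `// privileged: JavascriptCompiler defines the compiled expression class`, with the wording confirmed against what the compiler actually needs. The body of `compile` continues past the hunk.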
--- a/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java +++ b/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java @@ -46,12 +46,11 @@ import org.opensearch.script.ScriptEngine; import org.opensearch.script.ScriptException; import org.opensearch.script.TemplateScript; +import org.opensearch.secure_sm.AccessController; import java.io.Reader; import java.io.StringReader; import java.io.StringWriter; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.Collections; import java.util.Map; import java.util.Set; @@ -128,17 +127,13 @@ private class MustacheExecutableScript extends TemplateScript { this.params = params; } - @SuppressWarnings("removal") @Override public String execute() { final StringWriter writer = new StringWriter(); try { // crazy reflection here SpecialPermission.check(); - AccessController.doPrivileged((PrivilegedAction) () -> { - template.execute(writer, params); - return null; - }); + AccessController.doPrivileged(() -> template.execute(writer, params)); } catch (Exception e) { logger.error((Supplier) () -> new ParameterizedMessage("Error running {}", template), e); throw new GeneralScriptException("Error running " + template, e); diff --git a/modules/lang-painless/spi/src/main/java/org/opensearch/painless/spi/AllowlistLoader.java b/modules/lang-painless/spi/src/main/java/org/opensearch/painless/spi/AllowlistLoader.java index f18a7fb3ba1a9..c2ba64d3fc169 100644 --- a/modules/lang-painless/spi/src/main/java/org/opensearch/painless/spi/AllowlistLoader.java +++ b/modules/lang-painless/spi/src/main/java/org/opensearch/painless/spi/AllowlistLoader.java @@ -33,6 +33,7 @@ package org.opensearch.painless.spi; import org.opensearch.painless.spi.annotation.AllowlistAnnotationParser; +import org.opensearch.secure_sm.AccessController; import java.io.InputStreamReader; import java.io.LineNumberReader; 
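Review bot: The only rationale given for the privileged call in `execute()` is the comment `// crazy reflection here`, and the new lambda wraps the whole `template.execute(writer, params)` render. Template content and caller-supplied `params` are therefore both processed inside the privileged region. A comment naming the operation that needs privilege would let a reader judge whether the scope can shrink, for example `// privileged because Mustache reads params via reflection (TODO confirm which access this requires)`. The `catch` block continues past the hunk.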
@@ -40,8 +41,6 @@ import java.lang.reflect.Field; import java.lang.reflect.Method; import java.nio.charset.StandardCharsets; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; @@ -513,8 +512,7 @@ public static Allowlist loadFromResourceFiles(Class resource, Map) resource::getClassLoader); + ClassLoader loader = AccessController.doPrivileged(resource::getClassLoader); return new Allowlist(loader, allowlistClasses, allowlistStatics, allowlistClassBindings, Collections.emptyList()); } diff --git a/modules/lang-painless/src/main/java/org/opensearch/painless/LambdaBootstrap.java b/modules/lang-painless/src/main/java/org/opensearch/painless/LambdaBootstrap.java index 2bf70882a501b..2b5502d971bcd 100644 --- a/modules/lang-painless/src/main/java/org/opensearch/painless/LambdaBootstrap.java +++ b/modules/lang-painless/src/main/java/org/opensearch/painless/LambdaBootstrap.java @@ -32,6 +32,7 @@ package org.opensearch.painless; +import org.opensearch.secure_sm.AccessController; import org.objectweb.asm.ClassWriter; import org.objectweb.asm.FieldVisitor; import org.objectweb.asm.Handle; @@ -45,8 +46,6 @@ import java.lang.invoke.MethodHandle; import java.lang.invoke.MethodHandles; import java.lang.invoke.MethodType; -import java.security.AccessController; -import java.security.PrivilegedAction; import static java.lang.invoke.MethodHandles.Lookup; import static org.opensearch.painless.WriterConstants.CLASS_VERSION; 
@@ -501,15 +500,12 @@ private static void endLambdaClass(ClassWriter cw) { * Defines the {@link Class} for the lambda class using the same {@link Compiler.Loader} * that originally defined the class for the Painless script. */ - @SuppressWarnings("removal") private static Class createLambdaClass(Compiler.Loader loader, ClassWriter cw, Type lambdaClassType) { byte[] classBytes = cw.toByteArray(); // DEBUG: // new ClassReader(classBytes).accept(new TraceClassVisitor(new PrintWriter(System.out)), ClassReader.SKIP_DEBUG); - return AccessController.doPrivileged( - (PrivilegedAction>) () -> loader.defineLambda(lambdaClassType.getClassName(), classBytes) - ); + return AccessController.doPrivileged(() -> loader.defineLambda(lambdaClassType.getClassName(), classBytes)); } /** diff --git a/modules/lang-painless/src/main/java/org/opensearch/painless/PainlessScriptEngine.java b/modules/lang-painless/src/main/java/org/opensearch/painless/PainlessScriptEngine.java index 257687bfb98c5..5067df7063437 100644 --- a/modules/lang-painless/src/main/java/org/opensearch/painless/PainlessScriptEngine.java +++ b/modules/lang-painless/src/main/java/org/opensearch/painless/PainlessScriptEngine.java @@ -42,6 +42,7 @@ import org.opensearch.script.ScriptContext; import org.opensearch.script.ScriptEngine; import org.opensearch.script.ScriptException; +import org.opensearch.secure_sm.AccessController; import org.objectweb.asm.ClassWriter; import org.objectweb.asm.Opcodes; import org.objectweb.asm.Type; @@ -49,11 +50,6 @@ import java.lang.invoke.MethodType; import java.lang.reflect.Method; -import java.security.AccessControlContext; -import java.security.AccessController; -import java.security.Permissions; -import java.security.PrivilegedAction; -import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; 
@@ -75,20 +71,6 @@ public final class PainlessScriptEngine implements ScriptEngine { */ public static final String NAME = "painless"; - /** - * Permissions context used during compilation. - */ - private static final AccessControlContext COMPILATION_CONTEXT; - - /* - * Setup the allowed permissions. - */ - static { - final Permissions none = new Permissions(); - none.setReadOnly(); - COMPILATION_CONTEXT = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, none) }); - } - /** * Default compiler settings to be used. Note that {@link CompilerSettings} is mutable but this instance shouldn't be mutated outside * of {@link PainlessScriptEngine#PainlessScriptEngine(Settings, Map)}. @@ -144,12 +126,7 @@ public T compile(String scriptName, String scriptSource, ScriptContext co SpecialPermission.check(); // Create our loader (which loads compiled code with no permissions). - final Loader loader = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Loader run() { - return compiler.createLoader(getClass().getClassLoader()); - } - }); + final Loader loader = AccessController.doPrivileged(() -> compiler.createLoader(getClass().getClassLoader())); ScriptScope scriptScope = compile(contextsToCompilers.get(context), loader, scriptName, scriptSource, params); 
@@ -451,14 +428,10 @@ ScriptScope compile(Compiler compiler, Loader loader, String scriptName, String final CompilerSettings compilerSettings = buildCompilerSettings(params); try { - // Drop all permissions to actually compile the code itself. - return AccessController.doPrivileged(new PrivilegedAction() { - @Override - public ScriptScope run() { - String name = scriptName == null ? source : scriptName; - return compiler.compile(loader, name, source, compilerSettings); - } - }, COMPILATION_CONTEXT); + return AccessController.doPrivileged(() -> { + String name = scriptName == null ? source : scriptName; + return compiler.compile(loader, name, source, compilerSettings); + }); // Note that it is safe to catch any of the following errors since Painless is stateless. } catch (OutOfMemoryError | StackOverflowError | VerifyError | Exception e) { throw convertToScriptException(source, e); diff --git a/modules/lang-painless/src/main/java/org/opensearch/painless/lookup/PainlessLookupBuilder.java b/modules/lang-painless/src/main/java/org/opensearch/painless/lookup/PainlessLookupBuilder.java index e2291754a26e4..4c6910d16f8e6 100644 --- a/modules/lang-painless/src/main/java/org/opensearch/painless/lookup/PainlessLookupBuilder.java +++ b/modules/lang-painless/src/main/java/org/opensearch/painless/lookup/PainlessLookupBuilder.java @@ -45,6 +45,7 @@ import org.opensearch.painless.spi.AllowlistMethod; import org.opensearch.painless.spi.annotation.InjectConstantAnnotation; import org.opensearch.painless.spi.annotation.NoImportAnnotation; +import org.opensearch.secure_sm.AccessController; import org.objectweb.asm.ClassWriter; import org.objectweb.asm.Opcodes; import org.objectweb.asm.commons.GeneratorAdapter; 
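Review bot: The lambda in `compile(Compiler, Loader, ...)` now runs `compiler.compile(loader, name, source, compilerSettings)` through a plain `AccessController.doPrivileged`. The removed code passed `COMPILATION_CONTEXT`, a read-only empty `Permissions` set whose definition is deleted in an earlier hunk of this file, specifically to drop all permissions while the script source is compiled. The comment `// Drop all permissions to actually compile the code itself.` is deleted with it, so the call now reads as granting privilege where it used to remove it. How `org.opensearch.secure_sm.AccessController` treats the frame is not visible in this diff. If it marks the frame as privileged, I would call the compiler directly (`String name = scriptName == null ? source : scriptName;` then `return compiler.compile(loader, name, source, compilerSettings);`) so that compilation carries no elevated rights, or else add a comment stating why elevation is needed. The `try` block continues past the hunk.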
@@ -58,9 +59,7 @@ import java.lang.reflect.Modifier; import java.net.MalformedURLException; import java.net.URI; -import java.security.AccessController; import java.security.CodeSource; -import java.security.PrivilegedAction; import java.security.SecureClassLoader; import java.security.cert.Certificate; import java.util.ArrayList; @@ -2189,13 +2188,9 @@ private void generateBridgeMethod(PainlessClassBuilder painlessClassBuilder, Pai bridgeClassWriter.visitEnd(); try { - @SuppressWarnings("removal") - BridgeLoader bridgeLoader = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public BridgeLoader run() { - return new BridgeLoader(javaMethod.getDeclaringClass().getClassLoader()); - } - }); + BridgeLoader bridgeLoader = AccessController.doPrivileged( + () -> new BridgeLoader(javaMethod.getDeclaringClass().getClassLoader()) + ); Class bridgeClass = bridgeLoader.defineBridge(bridgeClassName.replace('/', '.'), bridgeClassWriter.toByteArray()); Method bridgeMethod = bridgeClass.getMethod( diff --git a/modules/lang-painless/src/test/java/org/opensearch/painless/DocFieldsPhaseTests.java b/modules/lang-painless/src/test/java/org/opensearch/painless/DocFieldsPhaseTests.java index 691e84176dce3..d80419f026151 100644 --- a/modules/lang-painless/src/test/java/org/opensearch/painless/DocFieldsPhaseTests.java +++ b/modules/lang-painless/src/test/java/org/opensearch/painless/DocFieldsPhaseTests.java @@ -32,15 +32,13 @@ package org.opensearch.painless; -import org.opensearch.painless.Compiler.Loader; import org.opensearch.painless.lookup.PainlessLookup; import org.opensearch.painless.lookup.PainlessLookupBuilder; import org.opensearch.painless.spi.Allowlist; import org.opensearch.painless.symbol.ScriptScope; import org.opensearch.script.ScriptContext; +import org.opensearch.secure_sm.AccessController; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.Collections; import java.util.List; import java.util.Map; 
@@ -48,7 +46,6 @@ public class DocFieldsPhaseTests extends ScriptTestCase { PainlessLookup lookup = PainlessLookupBuilder.buildFromAllowlists(Allowlist.BASE_ALLOWLISTS); - @SuppressWarnings("removal") ScriptScope compile(String script) { Compiler compiler = new Compiler( MockDocTestScript.CONTEXT.instanceClazz, @@ -58,12 +55,7 @@ ScriptScope compile(String script) { ); // Create our loader (which loads compiled code with no permissions). - final Compiler.Loader loader = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Compiler.Loader run() { - return compiler.createLoader(getClass().getClassLoader()); - } - }); + final Compiler.Loader loader = AccessController.doPrivileged(() -> compiler.createLoader(getClass().getClassLoader())); return compiler.compile(loader, "test", script, new CompilerSettings()); } diff --git a/modules/repository-url/src/main/java/org/opensearch/common/blobstore/url/URLBlobContainer.java b/modules/repository-url/src/main/java/org/opensearch/common/blobstore/url/URLBlobContainer.java index 395f741c67133..305f610d0c020 100644 --- a/modules/repository-url/src/main/java/org/opensearch/common/blobstore/url/URLBlobContainer.java +++ b/modules/repository-url/src/main/java/org/opensearch/common/blobstore/url/URLBlobContainer.java @@ -38,6 +38,7 @@ import org.opensearch.common.blobstore.BlobPath; import org.opensearch.common.blobstore.DeleteResult; import org.opensearch.common.blobstore.support.AbstractBlobContainer; +import org.opensearch.secure_sm.AccessController; import java.io.BufferedInputStream; import java.io.FileNotFoundException; @@ -46,9 +47,6 @@ import java.net.URISyntaxException; import java.net.URL; import java.nio.file.NoSuchFileException; -import java.security.AccessController; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.Map; 
@@ -160,14 +158,9 @@ public void writeBlobAtomic(String blobName, InputStream inputStream, long blobS throw new UnsupportedOperationException("URL repository doesn't support this operation"); } - @SuppressWarnings("removal") @SuppressForbidden(reason = "We call connect in doPrivileged and provide SocketPermission") private static InputStream getInputStream(URL url) throws IOException { - try { - return AccessController.doPrivileged((PrivilegedExceptionAction) url::openStream); - } catch (PrivilegedActionException e) { - throw (IOException) e.getCause(); - } + return AccessController.doPrivilegedChecked(url::openStream); } } diff --git a/modules/systemd/src/main/java/org/opensearch/systemd/Libsystemd.java b/modules/systemd/src/main/java/org/opensearch/systemd/Libsystemd.java index 05c6222d3d89a..b8342359898cc 100644 --- a/modules/systemd/src/main/java/org/opensearch/systemd/Libsystemd.java +++ b/modules/systemd/src/main/java/org/opensearch/systemd/Libsystemd.java @@ -34,20 +34,15 @@ import com.sun.jna.Native; -import java.security.AccessController; -import java.security.PrivilegedAction; +import org.opensearch.secure_sm.AccessController; /** * Provides access to the native method sd_notify from libsystemd. */ -@SuppressWarnings("removal") class Libsystemd { static { - AccessController.doPrivileged((PrivilegedAction) () -> { - Native.register(Libsystemd.class, "libsystemd.so.0"); - return null; - }); + AccessController.doPrivileged(() -> Native.register(Libsystemd.class, "libsystemd.so.0")); } /** diff --git a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java index 90a9194d3cfd7..a9285b1d637f7 100644 --- a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java +++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java 
@@ -43,6 +43,7 @@ import org.opensearch.core.indices.breaker.CircuitBreakerService; import org.opensearch.plugins.SecureTransportSettingsProvider; import org.opensearch.plugins.TransportExceptionHandler; +import org.opensearch.secure_sm.AccessController; import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.SharedGroupFactory; @@ -55,8 +56,6 @@ import java.net.InetSocketAddress; import java.net.SocketAddress; -import java.security.AccessController; -import java.security.PrivilegedAction; import io.netty.channel.Channel; import io.netty.channel.ChannelHandler; @@ -256,7 +255,6 @@ protected class SSLClientChannelInitializer extends Netty4Transport.ClientChanne private final DiscoveryNode node; private SSLConnectionTestResult connectionTestResult; - @SuppressWarnings("removal") public SSLClientChannelInitializer(DiscoveryNode node) { this.node = node; @@ -272,9 +270,7 @@ public SSLClientChannelInitializer(DiscoveryNode node) { node.getAddress().getAddress(), node.getAddress().getPort() ); - connectionTestResult = AccessController.doPrivileged( - (PrivilegedAction) sslConnectionTestUtil::testConnection - ); + connectionTestResult = AccessController.doPrivileged(sslConnectionTestUtil::testConnection); } }