Skip to content

Commit

Permalink
Refactor security provider instantiation (opensearch-project#4605)
Browse files Browse the repository at this point in the history
Signed-off-by: Terry Quigley <[email protected]>
  • Loading branch information
terryquigleysas authored Jul 30, 2024
1 parent c5ebb99 commit d97cca8
Showing 1 changed file with 26 additions and 13 deletions.
39 changes: 26 additions & 13 deletions src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
Expand Down Expand Up @@ -63,7 +64,6 @@
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.QueryCachingPolicy;
import org.apache.lucene.search.Weight;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import org.opensearch.OpenSearchException;
import org.opensearch.OpenSearchSecurityException;
Expand Down Expand Up @@ -385,18 +385,7 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca

final SecurityManager sm = System.getSecurityManager();

if (sm != null) {
sm.checkPermission(new SpecialPermission());
}

AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
if (Security.getProvider("BC") == null) {
Security.addProvider(new BouncyCastleProvider());
}
return null;
});
tryAddSecurityProvider();

final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
if (settings.hasValue(advancedModulesEnabledKey)) {
Expand Down Expand Up @@ -2128,6 +2117,30 @@ public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings
return Optional.of(new OpenSearchSecureSettingsFactory(threadPool, sks, sslExceptionHandler, securityRestHandler));
}

@SuppressWarnings("removal")
private void tryAddSecurityProvider() {
final SecurityManager sm = System.getSecurityManager();

if (sm != null) {
sm.checkPermission(new SpecialPermission());
}

// Add provider if on the classpath.
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
if (Security.getProvider("BC") == null) {
try {
Class<?> providerClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
Provider provider = (Provider) providerClass.getDeclaredConstructor().newInstance();
Security.addProvider(provider);
log.debug("Bouncy Castle Provider added");
} catch (Exception e) {
log.debug("Bouncy Castle Provider could not be added", e);
}
}
return null;
});
}

public static class GuiceHolder implements LifecycleComponent {

private static RepositoriesService repositoriesService;
Expand Down

0 comments on commit d97cca8

Please sign in to comment.