From 3b93ccb1402059450251bbed919fe291f93cb814 Mon Sep 17 00:00:00 2001 From: Ryan Ernst Date: Thu, 25 Feb 2021 16:31:36 -0800 Subject: [PATCH] Allow file read permissions in plugins This commit adds back allowing FilePermission for reading files in plugins. This is a temporary measure until plugins are automatically granted read permissions for files within their own configuration directory. closes #69464
---
.../java/org/elasticsearch/bootstrap/PolicyUtilTests.java | 4 +++- .../src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java b/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java
index 870b0d216f968..712f050e024bb 100644
--- a/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java
+++ b/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java
@@ -210,6 +210,9 @@ void assertIllegalPermissions(List illegalPermissions, PolicyParser pars } static final List PLUGIN_TEST_PERMISSIONS = List.of( + // TODO: move this back to module test permissions, see https://github.com/elastic/elasticsearch/issues/69464 + "java.io.FilePermission /foo/bar read", + "java.lang.reflect.ReflectPermission suppressAccessChecks", "java.lang.RuntimePermission createClassLoader", "java.lang.RuntimePermission getClassLoader",
@@ -270,7 +273,6 @@ public void testPrivateCredentialPermissionAllowed() throws Exception { } static final List MODULE_TEST_PERMISSIONS = List.of( - "java.io.FilePermission /foo/bar read", "java.io.FilePermission /foo/bar write", "java.lang.RuntimePermission getFileStoreAttributes", "java.lang.RuntimePermission accessUserInformation"
diff --git a/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java b/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java
index 63079825ed5ed..8b80a26be523b 100644
--- a/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java
+++ b/server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java
@@ -91,6 +91,9 @@ public boolean test(Permission permission) { private static final PermissionMatcher ALLOWED_MODULE_PERMISSIONS; static { List namedPermissions = List.of( + // TODO: remove read permission, see https://github.com/elastic/elasticsearch/issues/69464 + createFilePermission("<>", "read"), + new ReflectPermission("suppressAccessChecks"), new RuntimePermission("createClassLoader"), new RuntimePermission("getClassLoader"),
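Review bot: The TODO on the added `createFilePermission(..., "read")` entry does not say how wide the allowance is: if the path argument is the all-files token, a plugin policy may now request read access to any path on the host, not only the plugin's own configuration directory that the commit message names as the intended scope. The literal shows on this page as `"<>"`, which is presumably `<<ALL FILES>>` with its inner text lost in rendering, so confirm it against the repository. I would state the exposure in the comment so it is not read as a narrow grant, e.g. `// TODO: temporary; accepts read on ANY path, narrow to the plugin's own config dir, see https://github.com/elastic/elasticsearch/issues/69464`. The static initializer continues outside the hunk, so which matchers `namedPermissions` feeds is not visible here; if module policies build on the same list they inherit the allowance too. A test asserting that a plugin policy requesting `read,write` on a path is still rejected, if not already present outside these hunks, would keep the temporary allowance from widening unnoticed.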