SAML 4.3.0 addition persmission

Added addition permissions for new version of SAML. Signed-off-by: Andrey Pleskach <[email protected]>
opensearch-project · Jul 11, 2023 · 7765f28 · 7765f28
1 parent e5348eb
commit 7765f28
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 9 deletions.
diff --git a/plugin-security.policy b/plugin-security.policy
@@ -60,7 +60,6 @@ grant {
   permission java.security.SecurityPermission "putProviderProperty.BC";
   permission java.security.SecurityPermission "insertProvider.BC";
   permission java.security.SecurityPermission "removeProviderProperty.BC";
-  permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
 
   permission java.lang.RuntimePermission "accessUserInformation";
 
@@ -74,6 +73,10 @@ grant {
 
   //Enable this permission to debug unauthorized de-serialization attempt
   //permission java.io.SerializablePermission "enableSubstitution";
+
+  //SAML policy
+  permission java.util.PropertyPermission "*", "read,write";
+  permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread";
 };
 
 grant codeBase "${codebase.netty-common}" {

diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
@@ -29,6 +29,8 @@
 
 import java.net.InetAddress;
 import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
@@ -44,6 +46,7 @@
 import com.google.common.collect.Multimap;
 import com.google.common.collect.Multimaps;
 
+import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.security.auth.AuthDomain;
@@ -396,14 +399,11 @@ private void destroyDestroyables(List<Destroyable> destroyableComponents) {
     }
 
     private <T> T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) {
-
-        String clazz = clazzOrShortcut;
-
-        if (authImplMap.containsKey(clazz + "_" + type)) {
-            clazz = authImplMap.get(clazz + "_" + type);
-        }
-
-        return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
+        final String clazz = authImplMap.computeIfAbsent(clazzOrShortcut + "_" + type, k -> clazzOrShortcut);
+        return AccessController.doPrivileged((PrivilegedAction<T>) () -> {
+            SpecialPermission.check();
+            return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
+        });
     }
 
     private String translateShortcutToClassName(final String clazzOrShortcut, final String type) {