From d97cca822c40c983d560e606577af4019827b9a5 Mon Sep 17 00:00:00 2001 From: Terry Quigley <77437788+terryquigleysas@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:59:41 +0100 Subject: [PATCH] Refactor security provider instantiation (#4605) Signed-off-by: Terry Quigley --- .../security/OpenSearchSecurityPlugin.java | 39 ++++++++++++------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 811c72f51e..509b98f12e 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -36,6 +36,7 @@ import java.security.AccessController; import java.security.MessageDigest; import java.security.PrivilegedAction; +import java.security.Provider; import java.security.Security; import java.util.ArrayList; import java.util.Arrays; @@ -63,7 +64,6 @@ import org.apache.logging.log4j.Logger; import org.apache.lucene.search.QueryCachingPolicy; import org.apache.lucene.search.Weight; -import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.opensearch.OpenSearchException; import org.opensearch.OpenSearchSecurityException; @@ -385,18 +385,7 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath) demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca - final SecurityManager sm = System.getSecurityManager(); - - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } - - AccessController.doPrivileged((PrivilegedAction) () -> { - if (Security.getProvider("BC") == null) { - Security.addProvider(new BouncyCastleProvider()); - } - return null; - }); + tryAddSecurityProvider(); final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED; if (settings.hasValue(advancedModulesEnabledKey)) { @@ -2128,6 +2117,30 @@ public Optional getSecureSettingFactory(Settings settings return Optional.of(new OpenSearchSecureSettingsFactory(threadPool, sks, sslExceptionHandler, securityRestHandler)); } + @SuppressWarnings("removal") + private void tryAddSecurityProvider() { + final SecurityManager sm = System.getSecurityManager(); + + if (sm != null) { + sm.checkPermission(new SpecialPermission()); + } + + // Add provider if on the classpath. + AccessController.doPrivileged((PrivilegedAction) () -> { + if (Security.getProvider("BC") == null) { + try { + Class providerClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider"); + Provider provider = (Provider) providerClass.getDeclaredConstructor().newInstance(); + Security.addProvider(provider); + log.debug("Bouncy Castle Provider added"); + } catch (Exception e) { + log.debug("Bouncy Castle Provider could not be added", e); + } + } + return null; + }); + } + public static class GuiceHolder implements LifecycleComponent { private static RepositoriesService repositoriesService;