Add documentation and pluginmanager support

Author: rmuir

core/src/main/java/org/elasticsearch/bootstrap/Security.java

@@ -21,9 +21,9 @@
 
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.plugins.PluginInfo;
 
 import java.io.*;
-import java.net.URI;
 import java.net.URL;
 import java.nio.file.AccessMode;
 import java.nio.file.DirectoryStream;
@@ -169,7 +169,7 @@ static Map<String,PermissionCollection> getPluginPermissions(Environment environ
         if (Files.exists(environment.pluginsFile())) {
             try (DirectoryStream<Path> stream = Files.newDirectoryStream(environment.pluginsFile())) {
                 for (Path plugin : stream) {
-                    Path policyFile = plugin.resolve("plugin-security.policy");
+                    Path policyFile = plugin.resolve(PluginInfo.ES_PLUGIN_POLICY);
                     if (Files.exists(policyFile)) {
                         // parse the plugin's policy file into a set of permissions
                         Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
@@ -191,7 +191,7 @@ static Map<String,PermissionCollection> getPluginPermissions(Environment environ
                 }
             }
         }
-        return map;
+        return Collections.unmodifiableMap(map);
     }
 
     /** returns dynamic Permissions to configured paths */

core/src/main/java/org/elasticsearch/plugins/PluginInfo.java

@@ -36,6 +36,7 @@
 public class PluginInfo implements Streamable, ToXContent {
 
     public static final String ES_PLUGIN_PROPERTIES = "plugin-descriptor.properties";
+    public static final String ES_PLUGIN_POLICY = "plugin-security.policy";
 
     static final class Fields {
         static final XContentBuilderString NAME = new XContentBuilderString("name");

core/src/main/java/org/elasticsearch/plugins/PluginManager.java

@@ -100,7 +100,7 @@ public PluginManager(Environment environment, URL url, OutputMode outputMode, Ti
         this.timeout = timeout;
     }
 
-    public void downloadAndExtract(String name, Terminal terminal) throws IOException {
+    public void downloadAndExtract(String name, Terminal terminal, boolean batch) throws IOException {
         if (name == null && url == null) {
             throw new IllegalArgumentException("plugin name or url must be supplied with install.");
         }
@@ -124,7 +124,7 @@ public void downloadAndExtract(String name, Terminal terminal) throws IOExceptio
         }
 
         Path pluginFile = download(pluginHandle, terminal);
-        extract(pluginHandle, terminal, pluginFile);
+        extract(pluginHandle, terminal, pluginFile, batch);
     }
 
     private Path download(PluginHandle pluginHandle, Terminal terminal) throws IOException {
@@ -207,7 +207,7 @@ private Path download(PluginHandle pluginHandle, Terminal terminal) throws IOExc
         return pluginFile;
     }
 
-    private void extract(PluginHandle pluginHandle, Terminal terminal, Path pluginFile) throws IOException {
+    private void extract(PluginHandle pluginHandle, Terminal terminal, Path pluginFile, boolean batch) throws IOException {
         // unzip plugin to a staging temp dir, named for the plugin
         Path tmp = Files.createTempDirectory(environment.tmpFile(), null);
         Path root = tmp.resolve(pluginHandle.name);
@@ -220,6 +220,13 @@ private void extract(PluginHandle pluginHandle, Terminal terminal, Path pluginFi
         PluginInfo info = PluginInfo.readFromProperties(root);
         terminal.println(VERBOSE, "%s", info);
 
+        // read optional security policy (extra permissions)
+        // if it exists, confirm or warn the user
+        Path policy = root.resolve(PluginInfo.ES_PLUGIN_POLICY);
+        if (Files.exists(policy)) {
+            PluginSecurity.readPolicy(policy, terminal, environment, batch);
+        }
+
         // check for jar hell before any copying
         if (info.isJvm()) {
             jarHellCheck(root, info.isIsolated());
@@ -335,7 +342,7 @@ private static void setPosixFileAttributes(Path path, UserPrincipal owner, Group
         fileAttributeView.setPermissions(permissions);
     }
 
-    private void tryToDeletePath(Terminal terminal, Path ... paths) {
+    static void tryToDeletePath(Terminal terminal, Path ... paths) {
         for (Path path : paths) {
             try {
                 IOUtils.rm(path);

core/src/main/java/org/elasticsearch/plugins/PluginManagerCliParser.java

@@ -180,6 +180,7 @@ static class Install extends Command {
 
         private static final CliToolConfig.Cmd CMD = cmd(NAME, Install.class)
                 .options(option("t", "timeout").required(false).hasArg(false))
+                .options(option("b", "batch").required(false))
                 .build();
 
         static Command parse(Terminal terminal, CommandLine cli) {
@@ -210,21 +211,28 @@ static Command parse(Terminal terminal, CommandLine cli) {
             if (cli.hasOption("v")) {
                 outputMode = OutputMode.VERBOSE;
             }
+            
+            boolean batch = System.console() == null;
+            if (cli.hasOption("b")) {
+                batch = true;
+            }
 
-            return new Install(terminal, name, outputMode, optionalPluginUrl, timeout);
+            return new Install(terminal, name, outputMode, optionalPluginUrl, timeout, batch);
         }
 
         final String name;
         private OutputMode outputMode;
         final URL url;
         final TimeValue timeout;
+        final boolean batch;
 
-        Install(Terminal terminal, String name, OutputMode outputMode, URL url, TimeValue timeout) {
+        Install(Terminal terminal, String name, OutputMode outputMode, URL url, TimeValue timeout, boolean batch) {
             super(terminal);
             this.name = name;
             this.outputMode = outputMode;
             this.url = url;
             this.timeout = timeout;
+            this.batch = batch;
         }
 
         @Override
@@ -235,7 +243,7 @@ public ExitStatus execute(Settings settings, Environment env) throws Exception {
             } else {
                 terminal.println("-> Installing from " + URLDecoder.decode(url.toString(), "UTF-8") + "...");
             }
-            pluginManager.downloadAndExtract(name, terminal);
+            pluginManager.downloadAndExtract(name, terminal, batch);
             return ExitStatus.OK;
         }
     }

core/src/main/java/org/elasticsearch/plugins/PluginSecurity.java

@@ -0,0 +1,177 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.plugins;
+
+import org.elasticsearch.common.cli.Terminal;
+import org.elasticsearch.common.cli.Terminal.Verbosity;
+import org.elasticsearch.env.Environment;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.NoSuchAlgorithmException;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+import java.security.URIParameter;
+import java.security.UnresolvedPermission;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+
+class PluginSecurity {
+    
+    /**
+     * Reads plugin policy, prints/confirms exceptions
+     */
+    static void readPolicy(Path file, Terminal terminal, Environment environment, boolean batch) throws IOException {
+        PermissionCollection permissions = parsePermissions(terminal, file, environment.tmpFile());
+        List<Permission> requested = Collections.list(permissions.elements());
+        if (requested.isEmpty()) {
+            terminal.print(Verbosity.VERBOSE, "plugin has a policy file with no additional permissions");
+            return;
+        }
+        
+        // sort permissions in a reasonable order
+        Collections.sort(requested, new Comparator<Permission>() {
+            @Override
+            public int compare(Permission o1, Permission o2) {
+                int cmp = o1.getClass().getName().compareTo(o2.getClass().getName());
+                if (cmp == 0) {
+                    String name1 = o1.getName();
+                    String name2 = o2.getName();
+                    if (name1 == null) {
+                        name1 = "";
+                    }
+                    if (name2 == null) {
+                        name2 = "";
+                    }
+                    cmp = name1.compareTo(name2);
+                    if (cmp == 0) {
+                        String actions1 = o1.getActions();
+                        String actions2 = o2.getActions();
+                        if (actions1 == null) {
+                            actions1 = "";
+                        }
+                        if (actions2 == null) {
+                            actions2 = "";
+                        }
+                        cmp = actions1.compareTo(actions2);
+                    }
+                }
+                return cmp;
+            }
+        });
+        
+        terminal.println(Verbosity.NORMAL, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+        terminal.println(Verbosity.NORMAL, "@     WARNING: plugin requires additional permissions     @");
+        terminal.println(Verbosity.NORMAL, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+        // print all permissions:
+        for (Permission permission : requested) {
+            terminal.println(Verbosity.NORMAL, "* %s", formatPermission(permission));
+        }
+        terminal.println(Verbosity.NORMAL, "See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html");
+        terminal.println(Verbosity.NORMAL, "for descriptions of what these permissions allow and the associated risks.");
+        if (!batch) {
+            terminal.println(Verbosity.NORMAL);
+            String text = terminal.readText("Continue with installation? [y/N]");
+            if (!text.equalsIgnoreCase("y")) {
+                throw new RuntimeException("installation aborted by user");
+            }
+        }
+    }
+    
+    /** Format permission type, name, and actions into a string */
+    static String formatPermission(Permission permission) {
+        StringBuilder sb = new StringBuilder();
+        
+        String clazz = null;
+        if (permission instanceof UnresolvedPermission) {
+            clazz = ((UnresolvedPermission) permission).getUnresolvedType();
+        } else {
+            clazz = permission.getClass().getName();
+        }
+        sb.append(clazz);
+        
+        String name = null;
+        if (permission instanceof UnresolvedPermission) {
+            name = ((UnresolvedPermission) permission).getUnresolvedName();
+        } else {
+            name = permission.getName();
+        }
+        if (name != null && name.length() > 0) {
+            sb.append(' ');
+            sb.append(name);
+        }
+        
+        String actions = null;
+        if (permission instanceof UnresolvedPermission) {
+            actions = ((UnresolvedPermission) permission).getUnresolvedActions();
+        } else {
+            actions = permission.getActions();
+        }
+        if (actions != null && actions.length() > 0) {
+            sb.append(' ');
+            sb.append(actions);
+        }
+        return sb.toString();
+    }
+    
+    /**
+     * Parses plugin policy into a set of permissions
+     */
+    static PermissionCollection parsePermissions(Terminal terminal, Path file, Path tmpDir) throws IOException {
+        // create a zero byte file for "comparison"
+        // this is necessary because the default policy impl automatically grants two permissions:
+        // 1. permission to exitVM (which we ignore)
+        // 2. read permission to the code itself (e.g. jar file of the code)
+
+        Path emptyPolicyFile = Files.createTempFile(tmpDir, "empty", "tmp");
+        final Policy emptyPolicy;
+        try {
+            emptyPolicy = Policy.getInstance("JavaPolicy", new URIParameter(emptyPolicyFile.toUri()));
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+        PluginManager.tryToDeletePath(terminal, emptyPolicyFile);
+        
+        // parse the plugin's policy file into a set of permissions
+        final Policy policy;
+        try {
+            policy = Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+        PermissionCollection permissions = policy.getPermissions(PluginSecurity.class.getProtectionDomain());
+        // this method is supported with the specific implementation we use, but just check for safety.
+        if (permissions == Policy.UNSUPPORTED_EMPTY_COLLECTION) {
+            throw new UnsupportedOperationException("JavaPolicy implementation does not support retrieving permissions");
+        }
+        PermissionCollection actualPermissions = new Permissions();
+        for (Permission permission : Collections.list(permissions.elements())) {
+            if (!emptyPolicy.implies(PluginSecurity.class.getProtectionDomain(), permission)) {
+                actualPermissions.add(permission);
+            }
+        }
+        actualPermissions.setReadOnly();
+        return actualPermissions;
+    }
+}

core/src/main/resources/org/elasticsearch/plugins/plugin-install.help

@@ -61,3 +61,5 @@ OPTIONS
     -v,--verbose                 Verbose output
 
     -h,--help                    Shows this message
+    
+    -b,--batch                   Enable batch mode explicitly, automatic confirmation of security permissions

core/src/test/java/org/elasticsearch/bootstrap/BootstrapForTesting.java

@@ -25,6 +25,7 @@
 import org.elasticsearch.bootstrap.Security;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.PathUtils;
+import org.elasticsearch.plugins.PluginInfo;
 
 import java.io.FilePermission;
 import java.io.InputStream;
@@ -123,7 +124,7 @@ public class BootstrapForTesting {
                 final Policy policy;
                 // if its a plugin with special permissions, we use a wrapper policy impl to try
                 // to simulate what happens with a real distribution
-                List<URL> pluginPolicies = Collections.list(BootstrapForTesting.class.getClassLoader().getResources("plugin-security.policy"));
+                List<URL> pluginPolicies = Collections.list(BootstrapForTesting.class.getClassLoader().getResources(PluginInfo.ES_PLUGIN_POLICY));
                 if (!pluginPolicies.isEmpty()) {
                     Permissions extra = new Permissions();
                     for (URL url : pluginPolicies) {
@@ -149,7 +150,7 @@ public class BootstrapForTesting {
 
                 // guarantee plugin classes are initialized first, in case they have one-time hacks.
                 // this just makes unit testing more realistic
-                for (URL url : Collections.list(BootstrapForTesting.class.getClassLoader().getResources("plugin-descriptor.properties"))) {
+                for (URL url : Collections.list(BootstrapForTesting.class.getClassLoader().getResources(PluginInfo.ES_PLUGIN_PROPERTIES))) {
                     Properties properties = new Properties();
                     try (InputStream stream = url.openStream()) {
                         properties.load(stream);