From 2c4dec956de4d4864c9330af330782790d360191 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Fri, 17 May 2024 17:09:05 -0600 Subject: [PATCH 01/47] Update OAuth2 OIDC SDK --- gradle/verification-metadata.xml | 23 +++++++++++++++--- x-pack/plugin/core/build.gradle | 12 +++++----- .../core/src/main/java/module-info.java | 1 - x-pack/plugin/security/build.gradle | 24 +++++++++++-------- .../security/src/main/java/module-info.java | 1 - .../plugin-metadata/plugin-security.policy | 4 ++++ .../authc/oidc/OpenIdConnectTestCase.java | 7 +++--- 7 files changed, 48 insertions(+), 24 deletions(-) diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 53db6f13a31b3..0d37e423f0b89 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -881,14 +881,21 @@ + + + + + - - - + + + + + @@ -896,6 +903,11 @@ + + + + + @@ -1654,6 +1666,11 @@ + + + + + diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle index 71dd5bed6cf11..c8494dfd1f8de 100644 --- a/x-pack/plugin/core/build.gradle +++ b/x-pack/plugin/core/build.gradle @@ -49,7 +49,7 @@ dependencies { // security deps api 'com.unboundid:unboundid-ldapsdk:6.0.3' - api "com.nimbusds:nimbus-jose-jwt:9.23" + api "com.nimbusds:nimbus-jose-jwt:9.39" implementation project(":x-pack:plugin:core:template-resources") 
@@ -145,11 +145,11 @@ tasks.named("thirdPartyAudit").configure { 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', 'org.bouncycastle.cert.X509CertificateHolder', 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', - 'org.bouncycastle.crypto.InvalidCipherTextException', - 'org.bouncycastle.crypto.engines.AESEngine', - 'org.bouncycastle.crypto.modes.GCMBlockCipher', - 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', - 'org.bouncycastle.jce.provider.BouncyCastleProvider', +// 'org.bouncycastle.crypto.InvalidCipherTextException', +// 'org.bouncycastle.crypto.engines.AESEngine', +// 'org.bouncycastle.crypto.modes.GCMBlockCipher', +// 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', +// 'org.bouncycastle.jce.provider.BouncyCastleProvider', 'org.bouncycastle.openssl.PEMKeyPair', 'org.bouncycastle.openssl.PEMParser', 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter' diff --git a/x-pack/plugin/core/src/main/java/module-info.java b/x-pack/plugin/core/src/main/java/module-info.java index 070df2efc2629..78712cf4f4a22 100644 --- a/x-pack/plugin/core/src/main/java/module-info.java +++ b/x-pack/plugin/core/src/main/java/module-info.java @@ -22,7 +22,6 @@ requires unboundid.ldapsdk; requires org.elasticsearch.tdigest; requires org.elasticsearch.xcore.templates; - requires com.nimbusds.jose.jwt; exports org.elasticsearch.index.engine.frozen; exports org.elasticsearch.license; diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 07308d5d29a9a..68981041d45d3 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle 
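Review bot: The five BouncyCastle entries in the core `thirdPartyAudit` `ignoreMissingClasses` list are commented out instead of deleted, which leaves dead configuration in an allowlist that is meant to be the authoritative record of which missing classes are tolerated. If nimbus-jose-jwt 9.39 no longer references `AESEngine`, `GCMBlockCipher`, the two providers and `InvalidCipherTextException`, remove the lines outright; if that is uncertain, leave them active and let the audit task report whether they are still needed. A later patch in this series restores the same lines, which suggests the commenting-out was exploratory and should not land as-is.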
@@ -79,12 +79,12 @@ dependencies { runtimeOnly "joda-time:joda-time:2.10.10" // Dependencies for oidc - api "com.nimbusds:oauth2-oidc-sdk:9.37" - api "com.nimbusds:nimbus-jose-jwt:9.23" - api "com.nimbusds:lang-tag:1.4.4" + api "com.nimbusds:oauth2-oidc-sdk:11.10.1" + api "com.nimbusds:nimbus-jose-jwt:9.39" + api "com.nimbusds:lang-tag:1.7" api "com.sun.mail:jakarta.mail:1.6.3" api "net.jcip:jcip-annotations:1.0" - api "net.minidev:json-smart:2.4.10" + api "net.minidev:json-smart:2.5.1" api "net.minidev:accessors-smart:2.4.2" api "org.ow2.asm:asm:8.0.1" @@ -103,7 +103,7 @@ dependencies { testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') - testImplementation('com.nimbusds:nimbus-jose-jwt:9.23') + testImplementation('com.nimbusds:nimbus-jose-jwt:9.39') testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') @@ -225,6 +225,9 @@ tasks.named("thirdPartyAudit").configure { 'javax.servlet.http.HttpSession', 'javax.servlet.http.HttpUpgradeHandler', 'javax.servlet.http.Part', + 'jakarta.servlet.ServletRequest', + 'jakarta.servlet.http.HttpServletRequest', + 'jakarta.servlet.http.HttpServletResponse', // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use 'org.apache.velocity.VelocityContext', 'org.apache.velocity.app.VelocityEngine', 
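Review bot: `net.minidev:json-smart` moves to 2.5.1 while its companion `net.minidev:accessors-smart` stays at 2.4.2 and `org.ow2.asm:asm` at 8.0.1; json-smart's published POMs pair each release with a matching accessors-smart version, so the mixed versions in this dependency block should be checked against the 2.5.1 POM (and the asm version that accessors-smart expects) before this lands. If the mismatch is deliberate, a comment on the `accessors-smart` line saying why it is held back would stop the next dependency bump from silently "fixing" it. The same compatibility check applies to the `oauth2-oidc-sdk:11.10.1` / `nimbus-jose-jwt:9.39` pair, since the SDK declares a specific jose-jwt version it was built against.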
@@ -325,14 +328,14 @@ tasks.named("thirdPartyAudit").configure { 'org.bouncycastle.crypto.StreamCipher', 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator', // 'org.bouncycastle.crypto.ec.CustomNamedCurves', - 'org.bouncycastle.crypto.engines.AESEngine', +// 'org.bouncycastle.crypto.engines.AESEngine', 'org.bouncycastle.crypto.generators.BCrypt', 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator', 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator', 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator', 'org.bouncycastle.crypto.macs.HMac', 'org.bouncycastle.crypto.modes.AEADBlockCipher', - 'org.bouncycastle.crypto.modes.GCMBlockCipher', +// 'org.bouncycastle.crypto.modes.GCMBlockCipher', 'org.bouncycastle.crypto.paddings.BlockCipherPadding', 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher', 'org.bouncycastle.crypto.params.AsymmetricKeyParameter', @@ -373,13 +376,13 @@ tasks.named("thirdPartyAudit").configure { 'org.bouncycastle.util.Arrays', 'org.bouncycastle.util.io.Streams', 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', - 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', +// 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', 'org.bouncycastle.cert.X509CertificateHolder', 'org.bouncycastle.openssl.PEMKeyPair', 'org.bouncycastle.openssl.PEMParser', 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter', - 'org.bouncycastle.crypto.InvalidCipherTextException', - 'org.bouncycastle.jce.provider.BouncyCastleProvider', +// 'org.bouncycastle.crypto.InvalidCipherTextException', +// 'org.bouncycastle.jce.provider.BouncyCastleProvider', ) ignoreViolations( 
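Review bot: As in the core build file, the BouncyCastle class names in the security plugin's `ignoreMissingClasses` list are commented out rather than removed, so the audit configuration now carries inactive entries with no explanation of whether they are gone for good. Delete them if the upgraded nimbus-jose-jwt no longer references these classes, or keep them live if unsure; a commented line conveys neither. If the intent is to record that these classes were needed by the older jose-jwt, say so in one comment (`// dropped with nimbus-jose-jwt 9.39, which no longer references BouncyCastle engines`) rather than retaining the literal class names.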
@@ -416,6 +419,7 @@ tasks.named("thirdPartyAudit").configure { 'com.google.crypto.tink.subtle.X25519', 'com.google.crypto.tink.subtle.XChaCha20Poly1305', 'com.nimbusds.common.contenttype.ContentType', + 'com.nimbusds.common.contenttype.ContentType$Parameter', 'javax.activation.ActivationDataFlavor', 'javax.activation.DataContentHandler', 'javax.activation.DataHandler', diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java index a072b34da7e96..6014f4651bf60 100644 --- a/x-pack/plugin/security/src/main/java/module-info.java +++ b/x-pack/plugin/security/src/main/java/module-info.java @@ -38,7 +38,6 @@ requires org.opensaml.xmlsec.impl; requires org.opensaml.xmlsec; - requires com.nimbusds.jose.jwt; requires io.netty.common; requires io.netty.codec.http; requires io.netty.handler; diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index 97b0f480043e5..136d5ecc008a3 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -10,6 +10,10 @@ grant { // which uses it in the opensaml-xmlsec-impl permission java.security.SecurityPermission "org.apache.xml.security.register"; + // gson, as included & shaded by nimbus. I think these can be moved out + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java index be45394b01ec6..a95ecd88f6a8e 100644 
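Review bot: The `accessDeclaredMembers` and `suppressAccessChecks` permissions are added to the unscoped `grant { ... }` block of plugin-security.policy, so, as far as that block applies, every jar in the security plugin — not only the shaded GSON inside nimbus — can now bypass Java access checks, and the accompanying comment (`I think these can be moved out`) records that this is not the intended scope. Move the two lines into a `grant codeBase "${codebase.<jar>}" { ... }` block for the jar that actually performs the reflection and remove them from the global block, so the elevated permission is limited to that code source. Until that is done, the comment should at least state which code needs them and that the global grant is temporary, e.g. `// TEMPORARY: shaded GSON in nimbus-jose-jwt needs reflective access; scope to that codebase before release`.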
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java @@ -6,12 +6,13 @@ */ package org.elasticsearch.xpack.security.authc.oidc; +import net.minidev.json.JSONStyle; +import net.minidev.json.JSONValue; +import net.minidev.json.reader.JsonWriterI; + import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.crypto.RSASSASigner; -import com.nimbusds.jose.shaded.json.JSONStyle; -import com.nimbusds.jose.shaded.json.JSONValue; -import com.nimbusds.jose.shaded.json.reader.JsonWriterI; import com.nimbusds.jwt.JWT; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; From e64f184539f6c8af82d706c274150e8c21a1c990 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Wed, 5 Jun 2024 14:28:15 -0600 Subject: [PATCH 02/47] WIP --- .../plugin/security/src/main/java/module-info.java | 1 + .../xpack/security/authc/jwt/JwtAuthenticator.java | 12 ++++++++++++ .../main/plugin-metadata/plugin-security.codebases | 2 ++ .../src/main/plugin-metadata/plugin-security.policy | 13 +++++++++++++ 4 files changed, 28 insertions(+) diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java index 6014f4651bf60..b00fedd963821 100644 --- a/x-pack/plugin/security/src/main/java/module-info.java +++ b/x-pack/plugin/security/src/main/java/module-info.java @@ -48,6 +48,7 @@ requires oauth2.oidc.sdk; requires org.slf4j; requires unboundid.ldapsdk; + requires com.nimbusds.jose.jwt; exports org.elasticsearch.xpack.security.action to org.elasticsearch.server; exports org.elasticsearch.xpack.security.action.apikey to org.elasticsearch.server; 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java index b06aba1c9d87a..da426143006d7 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java @@ -13,6 +13,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.SpecialPermission; import org.elasticsearch.action.ActionListener; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.core.Nullable; @@ -23,6 +24,8 @@ import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings; import org.elasticsearch.xpack.core.ssl.SSLService; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.time.Clock; import java.util.ArrayList; import java.util.List; @@ -66,6 +69,15 @@ public JwtAuthenticator( } public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener listener) { + // nimbus-jose-jwt uses reflection under the hood + SpecialPermission.check(); + AccessController.doPrivileged((PrivilegedAction) () -> { + doAuthenticate(jwtAuthenticationToken, listener); + return null; + }); + } + + private void doAuthenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener listener) { final String tokenPrincipal = jwtAuthenticationToken.principal(); // JWT cache final SignedJWT signedJWT = jwtAuthenticationToken.getSignedJWT(); diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases index 94cfaec2d519c..c6978a20990f6 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases 
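Review bot: The `doPrivileged` block in `authenticate` wraps the entire `doAuthenticate` call, including whatever `listener.onResponse`/`onFailure` runs inside it, so any code reachable from the listener executes with the security plugin's full permission set rather than its own; a privileged frame should enclose only the nimbus-jose-jwt call that actually needs reflection, with the listener invoked outside it. The cast to a raw `PrivilegedAction` should also be `(PrivilegedAction<Void>)` so the call type-checks without an unchecked warning. The comment `// nimbus-jose-jwt uses reflection under the hood` would help more if it named the operation being protected (presumably the shaded GSON parsing of the JWT header and claims) so a reader knows which statement requires the elevated frame. `doAuthenticate` continues past the end of this hunk, so the extent of the privileged region cannot be judged from here.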
+++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases @@ -1,2 +1,4 @@ netty-common: io.netty.util.NettyRuntime netty-transport: io.netty.channel.Channel +oauth2-oidc-sdk: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor +nimbus-jose-jwt: diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index 136d5ecc008a3..41468271a54ea 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -14,6 +14,7 @@ grant { permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; @@ -49,3 +50,15 @@ grant codeBase "${codebase.netty-transport}" { // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely! permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write"; }; + +grant codeBase "${codebase.oauth2-oidc-sdk}" { + // for JSON serialization based on a shaded GSON dependency + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "${codebase.nimbus-jose-jwt}" { + // for JSON serialization based on a shaded GSON dependency + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; From 49dff0770ece4c536c99ce9e5d83a9674ca6f271 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Thu, 6 Jun 2024 17:03:07 -0600 Subject: [PATCH 03/47] remove nimbus require --- x-pack/plugin/security/src/main/java/module-info.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
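Review bot: The new `nimbus-jose-jwt:` entry in plugin-security.codebases has no class name after the colon, so there is presumably nothing for the codebase lookup to resolve and the `${codebase.nimbus-jose-jwt}` grant added in the same patch cannot bind to a jar. The `oauth2-oidc-sdk` entry is keyed on `com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor`, and the `com.nimbusds.jose.shaded` package prefix suggests that class ships in the nimbus-jose-jwt jar rather than the OIDC SDK jar, in which case the grant named for the SDK would actually be applied to jose-jwt; key each name on a class that is unambiguously in that jar (for the SDK, something under `com.nimbusds.oauth2.sdk`) and verify with `jar tf`. A short comment in the file naming the jar each class comes from would prevent the two from being confused again.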
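Review bot: The two new `grant codeBase` blocks in plugin-security.policy do not remove the same `accessDeclaredMembers`/`suppressAccessChecks` lines from the unscoped `grant {` block, which the first hunk's context lines show are still present; as long as the global grant remains, the scoped blocks add nothing and the whole plugin keeps the ability to suppress access checks. Delete the two lines from the global block in the same change that introduces the scoped grants, so the tightening is atomic and reviewable. The comment `for JSON serialization based on a shaded GSON dependency` is useful; naming the class that triggers it (the shaded `ConstructorConstructor` referenced in the codebases file) would tie the two files together for the next reader.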
diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java index b00fedd963821..5914398144f84 100644 --- a/x-pack/plugin/security/src/main/java/module-info.java +++ b/x-pack/plugin/security/src/main/java/module-info.java @@ -48,7 +48,7 @@ requires oauth2.oidc.sdk; requires org.slf4j; requires unboundid.ldapsdk; - requires com.nimbusds.jose.jwt; + // requires com.nimbusds.jose.jwt; exports org.elasticsearch.xpack.security.action to org.elasticsearch.server; exports org.elasticsearch.xpack.security.action.apikey to org.elasticsearch.server; From 522a35e7b0288a813e3b22adedd6e905b3863dfb Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Mon, 10 Jun 2024 16:23:29 -0600 Subject: [PATCH 04/47] trying the require in core --- x-pack/plugin/core/src/main/java/module-info.java | 1 + x-pack/plugin/security/src/main/java/module-info.java | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/core/src/main/java/module-info.java b/x-pack/plugin/core/src/main/java/module-info.java index 2bfd73b43ce3a..a37946200a47d 100644 --- a/x-pack/plugin/core/src/main/java/module-info.java +++ b/x-pack/plugin/core/src/main/java/module-info.java @@ -22,6 +22,7 @@ requires unboundid.ldapsdk; requires org.elasticsearch.tdigest; requires org.elasticsearch.xcore.templates; + requires com.nimbusds.jose.jwt; exports org.elasticsearch.index.engine.frozen; exports org.elasticsearch.license; diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java index 5914398144f84..6014f4651bf60 100644 --- a/x-pack/plugin/security/src/main/java/module-info.java +++ b/x-pack/plugin/security/src/main/java/module-info.java 
@@ -48,7 +48,6 @@ requires oauth2.oidc.sdk; requires org.slf4j; requires unboundid.ldapsdk; - // requires com.nimbusds.jose.jwt; exports org.elasticsearch.xpack.security.action to org.elasticsearch.server; exports org.elasticsearch.xpack.security.action.apikey to org.elasticsearch.server; From e254719adb70f2437ec5229436d887124d587f2c Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Thu, 13 Jun 2024 17:03:35 -0600 Subject: [PATCH 05/47] update to jose-jwt 9.39.1, fixing all the module issues -_- --- gradle/verification-metadata.xml | 8 ++++---- x-pack/plugin/core/build.gradle | 2 +- x-pack/plugin/security/build.gradle | 4 ++-- x-pack/plugin/security/src/main/java/module-info.java | 1 + 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 63f3a914ae56d..172006cbbb8da 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -891,10 +891,10 @@ - - - - + + + + diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle index 3414a8b176575..cf789fd9f7234 100644 --- a/x-pack/plugin/core/build.gradle +++ b/x-pack/plugin/core/build.gradle @@ -51,7 +51,7 @@ dependencies { // security deps api 'com.unboundid:unboundid-ldapsdk:6.0.3' - api "com.nimbusds:nimbus-jose-jwt:9.39" + api "com.nimbusds:nimbus-jose-jwt:9.39.1" implementation project(":x-pack:plugin:core:template-resources") diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 68981041d45d3..217f27034720e 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -80,7 +80,7 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" - api "com.nimbusds:nimbus-jose-jwt:9.39" + api "com.nimbusds:nimbus-jose-jwt:9.39.1" api "com.nimbusds:lang-tag:1.7" api "com.sun.mail:jakarta.mail:1.6.3" api "net.jcip:jcip-annotations:1.0" 
@@ -103,7 +103,7 @@ dependencies { testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') - testImplementation('com.nimbusds:nimbus-jose-jwt:9.39') + testImplementation('com.nimbusds:nimbus-jose-jwt:9.39.1') testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java index 6014f4651bf60..b00fedd963821 100644 --- a/x-pack/plugin/security/src/main/java/module-info.java +++ b/x-pack/plugin/security/src/main/java/module-info.java @@ -48,6 +48,7 @@ requires oauth2.oidc.sdk; requires org.slf4j; requires unboundid.ldapsdk; + requires com.nimbusds.jose.jwt; exports org.elasticsearch.xpack.security.action to org.elasticsearch.server; exports org.elasticsearch.xpack.security.action.apikey to org.elasticsearch.server; From ac70e82888adf1e14e696ab416f3851e456d9721 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 25 Jun 2024 11:28:32 -0600 Subject: [PATCH 06/47] finally got this working, thanks chris --- .../server/cli/ServerProcessBuilder.java | 1 + x-pack/plugin/security/build.gradle | 17 ++++++++++++++++- .../plugin-metadata/plugin-security.codebases | 1 - .../main/plugin-metadata/plugin-security.policy | 5 ----- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java b/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java index fcc290ebe9e72..6832d3de9db56 100644 --- a/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java +++ b/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java 
@@ -108,6 +108,7 @@ private List getJvmArgs() { esHome.resolve("lib").toString(), // Special circumstances require some modules (not depended on by the main server module) to be explicitly added: "--add-modules=jdk.net", // needed to reflectively set extended socket options + "--add-modules=jdk.crypto.ec", // this module is unnecessarily required by com.nimbus.jose.jwt // we control the module path, which may have additional modules not required by server "--add-modules=ALL-MODULE-PATH", "-m", diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 217f27034720e..bc55bc9a0a555 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -81,6 +81,14 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" api "com.nimbusds:nimbus-jose-jwt:9.39.1" +// api project(path: 'nimbus-jose-jwt', configuration: 'shadow') +// if (isEclipse) { +// /* +// * Eclipse can't pick up the shadow dependency so we point it at *something* +// * so it can compile things. +// */ +// api project(path: 'nimbus-jose-jwt') +// } api "com.nimbusds:lang-tag:1.7" api "com.sun.mail:jakarta.mail:1.6.3" api "net.jcip:jcip-annotations:1.0" @@ -103,7 +111,14 @@ dependencies { testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') - testImplementation('com.nimbusds:nimbus-jose-jwt:9.39.1') +// testImplementation project(path: 'nimbus-jose-jwt', configuration: 'shadow') +// if (isEclipse) { +// /* +// * Eclipse can't pick up the shadow dependency so we point it at *something* +// * so it can compile things. +// */ +// testImplementation project(path: 'nimbus-jose-jwt') +// } testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') 
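Review bot: The new `--add-modules=jdk.crypto.ec` JVM flag is justified only by the comment `this module is unnecessarily required by com.nimbus.jose.jwt`, which misspells the module name (`com.nimbusds.jose.jwt`) and does not say what fails without it; since this flag is applied to every server start, the comment should name the failure (presumably a module-resolution error from jose-jwt's module descriptor requiring `jdk.crypto.ec`) and when it can be removed, e.g. `// required by com.nimbusds.jose.jwt's module descriptor; drop once nimbus-jose-jwt no longer requires jdk.crypto.ec`. I believe the SunEC provider was moved into `java.base` in recent JDK releases, so confirm the flag is still accepted on every JDK version Elasticsearch supports rather than relying on it unconditionally.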
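Review bot: The `api project(path: 'nimbus-jose-jwt', configuration: 'shadow')` block and its `isEclipse` fallback are added as commented-out code in both the main and test dependency sections of the security build file, and in the test section the live `testImplementation('com.nimbusds:nimbus-jose-jwt:9.39.1')` line is replaced by nothing but that commented block; unless the test classpath picks up jose-jwt transitively through the `api` declaration above, tests importing `com.nimbusds.jose` lose their dependency. Either restore the `testImplementation` line or, if the transitive path is intended, say so in a one-line comment. Delete the commented-out shadow configuration rather than leaving an unexplained alternative build wiring in the script.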
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases index c6978a20990f6..ba0b290ea01d4 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases @@ -1,4 +1,3 @@ netty-common: io.netty.util.NettyRuntime netty-transport: io.netty.channel.Channel oauth2-oidc-sdk: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor -nimbus-jose-jwt: diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index da391475d32dc..201b72e806d09 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -63,8 +63,3 @@ grant codeBase "${codebase.oauth2-oidc-sdk}" { permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; -grant codeBase "${codebase.nimbus-jose-jwt}" { - // for JSON serialization based on a shaded GSON dependency - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; From 893495dc6ab149b30ec489edb75bd746bfa8b672 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 25 Jun 2024 14:18:14 -0600 Subject: [PATCH 07/47] 9.39.3 patch --- gradle/verification-metadata.xml | 8 ++++---- x-pack/plugin/core/build.gradle | 2 +- x-pack/plugin/security/build.gradle | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index af6fcca7f91ec..52e3de3cd2f1f 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -916,10 +916,10 @@ - - - - + + + + 
diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle index cf789fd9f7234..34871c5adb28b 100644 --- a/x-pack/plugin/core/build.gradle +++ b/x-pack/plugin/core/build.gradle @@ -51,7 +51,7 @@ dependencies { // security deps api 'com.unboundid:unboundid-ldapsdk:6.0.3' - api "com.nimbusds:nimbus-jose-jwt:9.39.1" + api "com.nimbusds:nimbus-jose-jwt:9.39.3" implementation project(":x-pack:plugin:core:template-resources") diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index bc55bc9a0a555..b703d5ec41cbc 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -80,7 +80,7 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" - api "com.nimbusds:nimbus-jose-jwt:9.39.1" + api "com.nimbusds:nimbus-jose-jwt:9.39.3" // api project(path: 'nimbus-jose-jwt', configuration: 'shadow') // if (isEclipse) { // /* From a43c02a4fe5d793064d335171ebf1d886c09bd70 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 25 Jun 2024 15:01:41 -0600 Subject: [PATCH 08/47] Revert "9.39.3 patch" This reverts commit 893495dc6ab149b30ec489edb75bd746bfa8b672. --- gradle/verification-metadata.xml | 8 ++++---- x-pack/plugin/core/build.gradle | 2 +- x-pack/plugin/security/build.gradle | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 52e3de3cd2f1f..af6fcca7f91ec 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -916,10 +916,10 @@ - - - - + + + + diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle index 34871c5adb28b..cf789fd9f7234 100644 --- a/x-pack/plugin/core/build.gradle +++ b/x-pack/plugin/core/build.gradle 
@@ -51,7 +51,7 @@ dependencies { // security deps api 'com.unboundid:unboundid-ldapsdk:6.0.3' - api "com.nimbusds:nimbus-jose-jwt:9.39.3" + api "com.nimbusds:nimbus-jose-jwt:9.39.1" implementation project(":x-pack:plugin:core:template-resources") diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index b703d5ec41cbc..bc55bc9a0a555 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -80,7 +80,7 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" - api "com.nimbusds:nimbus-jose-jwt:9.39.3" + api "com.nimbusds:nimbus-jose-jwt:9.39.1" // api project(path: 'nimbus-jose-jwt', configuration: 'shadow') // if (isEclipse) { // /* From 5fdeb93cdfff3447300121ed6ae7d804ce3f5fec Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Mon, 1 Jul 2024 15:58:45 -0600 Subject: [PATCH 09/47] back to 9.37.3 --- gradle/verification-metadata.xml | 8 ++++---- x-pack/plugin/core/build.gradle | 12 ++++++------ x-pack/plugin/security/build.gradle | 12 ++++++------ .../main/plugin-metadata/plugin-security.codebases | 1 + .../src/main/plugin-metadata/plugin-security.policy | 5 +++++ 5 files changed, 22 insertions(+), 16 deletions(-) diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index af6fcca7f91ec..1b5d8e2eadd2a 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -916,10 +916,10 @@ - - - - + + + + diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle index cf789fd9f7234..af593326f0403 100644 --- a/x-pack/plugin/core/build.gradle +++ b/x-pack/plugin/core/build.gradle @@ -51,7 +51,7 @@ dependencies { // security deps api 'com.unboundid:unboundid-ldapsdk:6.0.3' - api "com.nimbusds:nimbus-jose-jwt:9.39.1" + api "com.nimbusds:nimbus-jose-jwt:9.37.3" implementation project(":x-pack:plugin:core:template-resources") 
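Review bot: `nimbus-jose-jwt` is pinned back from 9.39.1 to 9.37.3 with no comment on the `api` line, while `oauth2-oidc-sdk` stays at 11.10.1 in the security build file changed by the same patch, so a future maintainer will see an older JOSE library under a newer SDK with no record of why; the series shows the 9.39.x line was tried and reverted, which is exactly the constraint that needs to be written next to the version. Add a comment such as `// held at 9.37.3: 9.39.x changed module/shading requirements that this plugin's policy and module graph cannot yet satisfy; re-evaluate before bumping`, worded to match the actual failure, which I can only infer from the surrounding patches. A downgrade of a signature-verification library also deserves a check that 9.37.3 carries no open advisory that the 9.39 line fixed.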
@@ -148,11 +148,11 @@ tasks.named("thirdPartyAudit").configure { 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', 'org.bouncycastle.cert.X509CertificateHolder', 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', -// 'org.bouncycastle.crypto.InvalidCipherTextException', -// 'org.bouncycastle.crypto.engines.AESEngine', -// 'org.bouncycastle.crypto.modes.GCMBlockCipher', -// 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', -// 'org.bouncycastle.jce.provider.BouncyCastleProvider', + 'org.bouncycastle.crypto.InvalidCipherTextException', + 'org.bouncycastle.crypto.engines.AESEngine', + 'org.bouncycastle.crypto.modes.GCMBlockCipher', + 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', + 'org.bouncycastle.jce.provider.BouncyCastleProvider', 'org.bouncycastle.openssl.PEMKeyPair', 'org.bouncycastle.openssl.PEMParser', 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter' diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index bc55bc9a0a555..84b2e57f48440 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -80,7 +80,7 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" - api "com.nimbusds:nimbus-jose-jwt:9.39.1" + api "com.nimbusds:nimbus-jose-jwt:9.37.3" // api project(path: 'nimbus-jose-jwt', configuration: 'shadow') // if (isEclipse) { // /* 
@@ -343,14 +343,14 @@ tasks.named("thirdPartyAudit").configure { 'org.bouncycastle.crypto.StreamCipher', 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator', // 'org.bouncycastle.crypto.ec.CustomNamedCurves', -// 'org.bouncycastle.crypto.engines.AESEngine', + 'org.bouncycastle.crypto.engines.AESEngine', 'org.bouncycastle.crypto.generators.BCrypt', 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator', 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator', 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator', 'org.bouncycastle.crypto.macs.HMac', 'org.bouncycastle.crypto.modes.AEADBlockCipher', -// 'org.bouncycastle.crypto.modes.GCMBlockCipher', + 'org.bouncycastle.crypto.modes.GCMBlockCipher', 'org.bouncycastle.crypto.paddings.BlockCipherPadding', 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher', 'org.bouncycastle.crypto.params.AsymmetricKeyParameter', @@ -391,13 +391,13 @@ tasks.named("thirdPartyAudit").configure { 'org.bouncycastle.util.Arrays', 'org.bouncycastle.util.io.Streams', 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', -// 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', + 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', 'org.bouncycastle.cert.X509CertificateHolder', 'org.bouncycastle.openssl.PEMKeyPair', 'org.bouncycastle.openssl.PEMParser', 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter', -// 'org.bouncycastle.crypto.InvalidCipherTextException', -// 'org.bouncycastle.jce.provider.BouncyCastleProvider', + 'org.bouncycastle.crypto.InvalidCipherTextException', + 'org.bouncycastle.jce.provider.BouncyCastleProvider', ) ignoreViolations( diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases index ba0b290ea01d4..ca7e8029fccdd 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases 
+++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases @@ -1,3 +1,4 @@ netty-common: io.netty.util.NettyRuntime netty-transport: io.netty.channel.Channel oauth2-oidc-sdk: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor +nimbus-jose-jwt: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index 201b72e806d09..da391475d32dc 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -63,3 +63,8 @@ grant codeBase "${codebase.oauth2-oidc-sdk}" { permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; +grant codeBase "${codebase.nimbus-jose-jwt}" { + // for JSON serialization based on a shaded GSON dependency + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; From 288a1293589d113cfd82b3054d39a9ae8ed283c0 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Mon, 8 Jul 2024 17:39:35 -0600 Subject: [PATCH 10/47] cleanup --- .../src/main/plugin-metadata/plugin-security.codebases | 1 - .../src/main/plugin-metadata/plugin-security.policy | 6 ------ 2 files changed, 7 deletions(-) diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases index ca7e8029fccdd..ba0b290ea01d4 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases 
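Review bot: After this hunk both `oauth2-oidc-sdk` and `nimbus-jose-jwt` are keyed on the same class, `com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor`, so the two codebase names necessarily resolve to the same jar and the two `grant codeBase` blocks in the policy file are duplicates of each other, while whichever jar does not contain that class receives no grant at all. Key each name on a class unique to its jar (for the SDK, something under `com.nimbusds.oauth2.sdk`; for jose-jwt, a class under `com.nimbusds.jose`) and add a comment stating which jar each line identifies. If only one of the two jars performs the shaded-GSON reflection, keep only that entry and its grant.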
@@ -1,4 +1,3 @@ netty-common: io.netty.util.NettyRuntime netty-transport: io.netty.channel.Channel oauth2-oidc-sdk: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor -nimbus-jose-jwt: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index da391475d32dc..863f033251108 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -62,9 +62,3 @@ grant codeBase "${codebase.oauth2-oidc-sdk}" { permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; - -grant codeBase "${codebase.nimbus-jose-jwt}" { - // for JSON serialization based on a shaded GSON dependency - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; From fc443103f260ec4f83bac6ff82b2911f378d655a Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Mon, 22 Jul 2024 17:56:36 -0600 Subject: [PATCH 11/47] add doPrivileged call --- .../xpack/security/authc/jwt/JwtRealm.java | 33 ++++++++++++------- .../plugin-metadata/plugin-security.codebases | 3 +- .../plugin-metadata/plugin-security.policy | 6 ++++ 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java index 7613e7b3972af..74a88217b6eca 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java 
@@ -41,6 +41,8 @@ import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport; import org.elasticsearch.xpack.security.support.ReloadableSecurityComponent; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Collection; import java.util.Collections; import java.util.Date; @@ -48,6 +50,7 @@ import java.util.List; import java.util.Map; import java.util.Objects; +import java.util.concurrent.atomic.AtomicReference; import static java.lang.String.join; import static org.elasticsearch.core.Strings.format; @@ -257,23 +260,29 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac } processValidatedJwt(tokenPrincipal, jwtCacheKey, claimsSet, listener); }, ex -> { - final String msg = "Realm [" - + name() - + "] JWT validation failed for token=[" - + tokenPrincipal - + "] with header [" - + jwtAuthenticationToken.getSignedJWT().getHeader() - + "] and claimSet [" - + jwtAuthenticationToken.getJWTClaimsSet() - + "]"; + AtomicReference msg = new AtomicReference<>(); + AccessController.doPrivileged((PrivilegedAction) () -> { + msg.set( + "Realm [" + + name() + + "] JWT validation failed for token=[" + + tokenPrincipal + + "] with header [" + + jwtAuthenticationToken.getSignedJWT().getHeader() + + "] and claimSet [" + + jwtAuthenticationToken.getJWTClaimsSet() + + "]" + ); + return null; + }); if (logger.isTraceEnabled()) { - logger.trace(msg, ex); + logger.trace(msg.get(), ex); } else { - logger.debug(msg + " Cause: " + ex.getMessage()); // only log the stack trace at trace level + logger.debug(msg.get() + " Cause: " + ex.getMessage()); // only log the stack trace at trace level } // TODO: No point to continue to another realm if failure is ParseException - listener.onResponse(AuthenticationResult.unsuccessful(msg, ex)); + listener.onResponse(AuthenticationResult.unsuccessful(msg.get(), ex)); })); } else { 
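Review bot: The privileged block in the new failure handler is wider than it needs to be: it elevates the whole message concatenation, including `name()` and `tokenPrincipal`, when only the `toString()` of the nimbus header and claims set (the shaded-GSON reflection that motivated the policy grant) needs it, and it routes a `String` out through a raw `PrivilegedAction` plus an `AtomicReference`. `doPrivileged` returns the action's result, so `final String headerAndClaims = AccessController.doPrivileged((PrivilegedAction<String>) () -> ...)` over just the header/claims part keeps the privileged scope minimal and drops the AtomicReference and raw type. The enclosing `authenticate` method begins and ends outside the hunk. Note also that this message, carrying the full claims set, goes into `AuthenticationResult.unsuccessful(msg, ex)` as well as the debug log; that predates this change but is worth keeping in mind when deciding what the message should include.
```java
}, ex -> {
    // Only the nimbus header/claims toString() (shaded GSON reflection) needs the
    // elevated privileges; keep the privileged scope to exactly that.
    final String headerAndClaims = AccessController.doPrivileged(
        (PrivilegedAction<String>) () -> "header ["
            + jwtAuthenticationToken.getSignedJWT().getHeader()
            + "] and claimSet ["
            + jwtAuthenticationToken.getJWTClaimsSet()
            + "]"
    );
    final String msg = "Realm [" + name() + "] JWT validation failed for token=[" + tokenPrincipal + "] with " + headerAndClaims;
    // … unchanged: trace/debug logging and listener.onResponse(AuthenticationResult.unsuccessful(msg, ex)) …
```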
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases index ba0b290ea01d4..12c64c29577c5 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases @@ -1,3 +1,4 @@ netty-common: io.netty.util.NettyRuntime netty-transport: io.netty.channel.Channel -oauth2-oidc-sdk: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor +nimbus-jose-jwt: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor +oauth2-oidc-sdk: com.nimbusds.jwt.SignedJWT diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index 863f033251108..da391475d32dc 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -62,3 +62,9 @@ grant codeBase "${codebase.oauth2-oidc-sdk}" { permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; + +grant codeBase "${codebase.nimbus-jose-jwt}" { + // for JSON serialization based on a shaded GSON dependency + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; From 183bb47eb2a52a2d474faaf9766b073802a88ea9 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 23 Jul 2024 16:07:35 -0600 Subject: [PATCH 12/47] one more doPrivileged --- .../authc/oidc/OpenIdConnectAuthenticator.java | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) 
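Review bot: `oauth2-oidc-sdk: com.nimbusds.jwt.SignedJWT` identifies the oauth2-oidc-sdk codebase by a class that, as far as I know, ships in nimbus-jose-jwt (the `com.nimbusds.jwt` package, the same library `JwtRealm` uses for `getSignedJWT()`), so `${codebase.oauth2-oidc-sdk}` would resolve to the same jar as the `nimbus-jose-jwt:` line directly below it and the oauth2-oidc-sdk jar would still receive no policy grant. Use a class from the OIDC SDK's own packages, for example `oauth2-oidc-sdk: com.nimbusds.oauth2.sdk.AuthorizationRequest`. Because the grant re-added in the policy hunk includes `suppressAccessChecks`, a startup assertion or test that the two codebase properties resolve to distinct jars would catch this class of mistake permanently.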
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java index 0f34850b861b7..35878c3edb75b 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java @@ -253,13 +253,27 @@ public void authenticate(OpenIdConnectToken token, final ActionListener claimsListener + ) { + AccessController.doPrivileged((PrivilegedAction) () -> { + doGetUserClaims(accessToken, idToken, expectedNonce, shouldRetry, claimsListener); + return null; + }); + } + + @SuppressWarnings("unchecked") + private void doGetUserClaims( + AccessToken accessToken, + JWT idToken, + Nonce expectedNonce, + boolean shouldRetry, + ActionListener claimsListener ) { try { if (LOGGER.isDebugEnabled()) { From 6ccacc99e692a994405c1b2147d8e0fb93cb8fef Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Fri, 26 Jul 2024 13:56:59 -0600 Subject: [PATCH 13/47] Add unit test reproducing crypto threadpool queue overflow --- .../security/authc/ApiKeyServiceTests.java | 98 ++++++++++++++++++- 1 file changed, 97 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java index 1dce6a038638b..fcfca8e7fa8a3 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java 
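Review bot: Wrapping the entire `doGetUserClaims(...)` call in `AccessController.doPrivileged` elevates far more than the reflective JSON work that motivated it: as far as can be seen here it covers the UserInfo request and the parsing of the IdP's response, and because the result is delivered through `claimsListener`, any callback that runs on another thread is outside the privileged context anyway, so the broad wrapper widens the privileged surface without covering the asynchronous part. Prefer narrowing `doPrivileged` to the specific nimbus call inside `doGetUserClaims` that needs `accessDeclaredMembers`/`suppressAccessChecks`, and use `(PrivilegedAction<Void>)` instead of the raw `PrivilegedAction` cast. The generic arguments on `ActionListener` appear to have been lost in this copy of the hunk, so the signatures as shown may not be exactly what compiles. The body of `doGetUserClaims` continues past the end of the hunk.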
@@ -145,7 +145,9 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.util.concurrent.BrokenBarrierException; import java.util.concurrent.CompletableFuture; +import java.util.concurrent.CyclicBarrier; import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutorService; import java.util.concurrent.Semaphore; @@ -230,6 +232,9 @@ public class ApiKeyServiceTests extends ESTestCase { "search": [ {"names": ["logs"]} ], "replication": [ {"names": ["archive"]} ] }"""); + + private static final int TEST_THREADPOOL_QUEUE_SIZE = 1000; + private ThreadPool threadPool; private Client client; private SecurityIndexManager securityIndex; @@ -245,7 +250,7 @@ public void createThreadPool() { Settings.EMPTY, SECURITY_CRYPTO_THREAD_POOL_NAME, 1, - 1000, + TEST_THREADPOOL_QUEUE_SIZE, "xpack.security.crypto.thread_pool", EsExecutors.TaskTrackingConfig.DO_NOT_TRACK ) 
@@ -268,6 +273,97 @@ public void setupMocks() { doAnswer(invocation -> Instant.now()).when(clock).instant(); } + public void testFloodThreadpool() throws Exception { + // We're going to be blocking the security-crypto threadpool so we need a new one for the client + ThreadPool clientThreadpool = new TestThreadPool( + this.getTestName(), + new FixedExecutorBuilder( + Settings.EMPTY, + this.getTestName(), + 1, + 100, + "no_settings_used", + EsExecutors.TaskTrackingConfig.DO_NOT_TRACK + ) + ); + try { + when(client.threadPool()).thenReturn(clientThreadpool); + + // setup copied from testAuthenticateWithApiKey + final Settings settings = Settings.builder().put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true).build(); + final ApiKeyService service = createApiKeyService(settings); + + final String id = randomAlphaOfLength(12); + final String key = randomAlphaOfLength(16); + + final User user, authUser; + if (randomBoolean()) { + user = new User("hulk", new String[] { "superuser" }, "Bruce Banner", "hulk@test.com", Map.of(), true); + authUser = new User("authenticated_user", "other"); + } else { + user = new User("hulk", new String[] { "superuser" }, "Bruce Banner", "hulk@test.com", Map.of(), true); + authUser = null; + } + final ApiKey.Type type = randomFrom(ApiKey.Type.values()); + final Map metadata = mockKeyDocument(id, key, user, authUser, false, Duration.ofSeconds(3600), null, type); + + // Block the security crypto threadpool + CyclicBarrier barrier = new CyclicBarrier(2); + threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(() -> { + try { + barrier.await(); + } catch (InterruptedException | BrokenBarrierException e) { + throw new RuntimeException(e); + } + }); + // Now fill it up while the one thread is blocked + for (int i = 0; i < TEST_THREADPOOL_QUEUE_SIZE; i++) { + threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(() -> {}); + } + + // Check that it's full + for (var stat : threadPool.stats().stats()) { + if 
(stat.name().equals(SECURITY_CRYPTO_THREAD_POOL_NAME)) { + assertThat(stat.queue(), equalTo(TEST_THREADPOOL_QUEUE_SIZE)); + assertThat(stat.rejected(), equalTo(0L)); + } + } + + // now try to auth with an API key + final AuthenticationResult auth = tryAuthenticate(service, id, key, type); + assertThat(auth.getStatus(), is(AuthenticationResult.Status.TERMINATE)); + + // Make sure one was rejected and the queue is still full + for (var stat : threadPool.stats().stats()) { + if (stat.name().equals(SECURITY_CRYPTO_THREAD_POOL_NAME)) { + assertThat(stat.queue(), equalTo(TEST_THREADPOOL_QUEUE_SIZE)); + assertThat(stat.rejected(), equalTo(1L)); + } + } + ListenableFuture cachedValue = service.getApiKeyAuthCache().get(id); + assertThat("since the request was rejected, there should be no cache entry for this key", cachedValue, nullValue()); + + // unblock the threadpool + barrier.await(); + + // wait for the threadpool queue to drain + assertBusy(() -> { + for (var stat : threadPool.stats().stats()) { + if (stat.name().equals(SECURITY_CRYPTO_THREAD_POOL_NAME)) { + assertThat(stat.rejected(), equalTo(1L)); + assertThat(stat.queue(), equalTo(0)); + } + } + }); + + // try to authenticate again with the same key - if this hangs, check the future caching + final AuthenticationResult shouldSucceed = tryAuthenticate(service, id, key, type); + assertThat(shouldSucceed.getStatus(), is(AuthenticationResult.Status.SUCCESS)); + } finally { + terminate(clientThreadpool); + } + } + public void testCreateApiKeyUsesBulkIndexAction() throws Exception { final Settings settings = Settings.builder().put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true).build(); final ApiKeyService service = createApiKeyService(settings); From 0556a5bf37170175bd301651a06338b07df046ae Mon Sep 17 00:00:00 2001 
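Review bot: The three `for (var stat : threadPool.stats().stats())` loops only assert when a stat named `SECURITY_CRYPTO_THREAD_POOL_NAME` is found; if the pool were renamed or not registered, every loop would be a silent pass and the `assertBusy` would return immediately, so the test could never fail for the wrong reason. A small helper that fails when the stat is missing makes the intent explicit and removes the triplicated loop (the element type is `ThreadPoolStats.Stats` if I recall the API correctly). Minor: both branches of `if (randomBoolean())` build an identical `user`, so only `authUser` needs to be inside the conditional.
```java
// Fail loudly if the pool is missing instead of silently skipping the assertions.
private static ThreadPoolStats.Stats cryptoPoolStats(ThreadPool threadPool) {
    for (var stat : threadPool.stats().stats()) {
        if (stat.name().equals(SECURITY_CRYPTO_THREAD_POOL_NAME)) {
            return stat;
        }
    }
    throw new AssertionError("no stats found for thread pool [" + SECURITY_CRYPTO_THREAD_POOL_NAME + "]");
}

// in testFloodThreadpool, replacing each loop:
assertThat(cryptoPoolStats(threadPool).queue(), equalTo(TEST_THREADPOOL_QUEUE_SIZE));
assertThat(cryptoPoolStats(threadPool).rejected(), equalTo(0L));
```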
From: Athena Brown Date: Fri, 26 Jul 2024 14:04:32 -0600 Subject: [PATCH 14/47] Fix cache issues on crypto threadpool overflow --- .../xpack/security/authc/ApiKeyService.java | 36 +++++++++++++------ 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java index aaa1841bd2354..de07329cf4a3f 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java @@ -129,6 +129,7 @@ import java.util.Objects; import java.util.Set; import java.util.concurrent.ExecutionException; +import java.util.concurrent.RejectedExecutionException; import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicLong; import java.util.concurrent.atomic.LongAdder; @@ -1315,7 +1316,18 @@ void validateApiKeyCredentials( AuthenticationResult.unsuccessful("invalid credentials for API key [" + credentials.getId() + "]", null) ); } - }, listener::onFailure)); + }, exception -> { + // Crypto threadpool queue is full, invalidate this cache entry and make sure nothing is going to wait on it + logger.warn( + Strings.format( + "rejecting possibly valid API key authentication because the [%s] threadpool is full", + SECURITY_CRYPTO_THREAD_POOL_NAME + ) + ); + apiKeyAuthCache.invalidate(credentials.getId(), listenableCacheEntry); + listenableCacheEntry.onFailure(exception); + listener.onFailure(exception); + })); } } else { verifyKeyAgainstHash(apiKeyDoc.hash, credentials, ActionListener.wrap(verified -> { 
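Review bot: The new failure handler assumes every exception from `verifyKeyAgainstHash` means the crypto queue is full, but the same path also receives other failures, such as `Hasher.resolveFromHash` rejecting a malformed stored hash, which would then be logged as "threadpool is full" and mislead whoever is on call. Guard the message on the exception type, e.g. `if (exception instanceof EsRejectedExecutionException) { logger.warn(...); }` (the JDK `RejectedExecutionException` superclass works too if the executor is not ES's), while still invalidating the cache entry and failing the listener for any exception so no caller blocks on a `listenableCacheEntry` that will never complete. Also consider that under a saturated pool this WARN fires once per rejected authentication attempt, so a client flooding the API-key endpoint can fill the log; a rate-limited or DEBUG-level message avoids that. The enclosing `validateApiKeyCredentials` method starts and ends outside the hunk.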
@@ -1453,15 +1465,19 @@ void computeHashForApiKey(SecureString apiKey, ActionListener listener) // Protected instance method so this can be mocked protected void verifyKeyAgainstHash(String apiKeyHash, ApiKeyCredentials credentials, ActionListener listener) { - threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(listener, () -> { - Hasher hasher = Hasher.resolveFromHash(apiKeyHash.toCharArray()); - final char[] apiKeyHashChars = apiKeyHash.toCharArray(); - try { - return hasher.verify(credentials.getKey(), apiKeyHashChars); - } finally { - Arrays.fill(apiKeyHashChars, (char) 0); - } - })); + try { + threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(listener, () -> { + Hasher hasher = Hasher.resolveFromHash(apiKeyHash.toCharArray()); + final char[] apiKeyHashChars = apiKeyHash.toCharArray(); + try { + return hasher.verify(credentials.getKey(), apiKeyHashChars); + } finally { + Arrays.fill(apiKeyHashChars, (char) 0); + } + })); + } catch (RejectedExecutionException e) { + listener.onFailure(e); + } } private static Instant getApiKeyExpiration(Instant now, @Nullable TimeValue expiration) { From 6e45bd6a6d9e34419587f199996d3fc02461fb34 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Fri, 26 Jul 2024 14:04:55 -0600 Subject: [PATCH 15/47] Revert "Fix cache issues on crypto threadpool overflow" This reverts commit 0556a5bf37170175bd301651a06338b07df046ae. --- .../xpack/security/authc/ApiKeyService.java | 36 ++++++------------- 1 file changed, 10 insertions(+), 26 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java index de07329cf4a3f..aaa1841bd2354 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java 
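Review bot: The new `catch (RejectedExecutionException e)` deserves a comment saying when it can actually fire: if I recall `EsThreadPoolExecutor` correctly, a rejected `AbstractRunnable` such as this `ActionRunnable` is reported through `onRejection` → `onFailure`, which already routes the `EsRejectedExecutionException` to `listener`, so the catch only matters for executors that throw instead of calling back. Either way the listener must not be invoked twice for one rejection; a comment like `// ES executors deliver rejection via ActionRunnable.onRejection; this catch covers executors that throw instead` records the reasoning, and a test asserting exactly one listener invocation on rejection would pin it.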
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java @@ -129,7 +129,6 @@ import java.util.Objects; import java.util.Set; import java.util.concurrent.ExecutionException; -import java.util.concurrent.RejectedExecutionException; import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicLong; import java.util.concurrent.atomic.LongAdder; @@ -1316,18 +1315,7 @@ void validateApiKeyCredentials( AuthenticationResult.unsuccessful("invalid credentials for API key [" + credentials.getId() + "]", null) ); } - }, exception -> { - // Crypto threadpool queue is full, invalidate this cache entry and make sure nothing is going to wait on it - logger.warn( - Strings.format( - "rejecting possibly valid API key authentication because the [%s] threadpool is full", - SECURITY_CRYPTO_THREAD_POOL_NAME - ) - ); - apiKeyAuthCache.invalidate(credentials.getId(), listenableCacheEntry); - listenableCacheEntry.onFailure(exception); - listener.onFailure(exception); - })); + }, listener::onFailure)); } } else { verifyKeyAgainstHash(apiKeyDoc.hash, credentials, ActionListener.wrap(verified -> { 
@@ -1465,19 +1453,15 @@ void computeHashForApiKey(SecureString apiKey, ActionListener listener) // Protected instance method so this can be mocked protected void verifyKeyAgainstHash(String apiKeyHash, ApiKeyCredentials credentials, ActionListener listener) { - try { - threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(listener, () -> { - Hasher hasher = Hasher.resolveFromHash(apiKeyHash.toCharArray()); - final char[] apiKeyHashChars = apiKeyHash.toCharArray(); - try { - return hasher.verify(credentials.getKey(), apiKeyHashChars); - } finally { - Arrays.fill(apiKeyHashChars, (char) 0); - } - })); - } catch (RejectedExecutionException e) { - listener.onFailure(e); - } + threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(listener, () -> { + Hasher hasher = Hasher.resolveFromHash(apiKeyHash.toCharArray()); + final char[] apiKeyHashChars = apiKeyHash.toCharArray(); + try { + return hasher.verify(credentials.getKey(), apiKeyHashChars); + } finally { + Arrays.fill(apiKeyHashChars, (char) 0); + } + })); } private static Instant getApiKeyExpiration(Instant now, @Nullable TimeValue expiration) { From 2deeffeab3bdf87d541a3d98d27e1cd477f20666 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 30 Jul 2024 15:08:35 -0600 Subject: [PATCH 16/47] Revert "Add unit test reproducing crypto threadpool queue overflow" This reverts commit 6ccacc99e692a994405c1b2147d8e0fb93cb8fef. --- .../security/authc/ApiKeyServiceTests.java | 98 +------------------ 1 file changed, 1 insertion(+), 97 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java index fcfca8e7fa8a3..1dce6a038638b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java @@ -145,9 +145,7 @@ import java.util.List; import java.util.Map; import java.util.Set; -import java.util.concurrent.BrokenBarrierException; import java.util.concurrent.CompletableFuture; -import java.util.concurrent.CyclicBarrier; import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutorService; import java.util.concurrent.Semaphore; @@ -232,9 +230,6 @@ public class ApiKeyServiceTests extends ESTestCase { "search": [ {"names": ["logs"]} ], "replication": [ {"names": ["archive"]} ] }"""); - - private static final int TEST_THREADPOOL_QUEUE_SIZE = 1000; - private ThreadPool threadPool; private Client client; private SecurityIndexManager securityIndex; @@ -250,7 +245,7 @@ public void createThreadPool() { Settings.EMPTY, SECURITY_CRYPTO_THREAD_POOL_NAME, 1, - TEST_THREADPOOL_QUEUE_SIZE, + 1000, "xpack.security.crypto.thread_pool", EsExecutors.TaskTrackingConfig.DO_NOT_TRACK ) 
@@ -273,97 +268,6 @@ public void setupMocks() { doAnswer(invocation -> Instant.now()).when(clock).instant(); } - public void testFloodThreadpool() throws Exception { - // We're going to be blocking the security-crypto threadpool so we need a new one for the client - ThreadPool clientThreadpool = new TestThreadPool( - this.getTestName(), - new FixedExecutorBuilder( - Settings.EMPTY, - this.getTestName(), - 1, - 100, - "no_settings_used", - EsExecutors.TaskTrackingConfig.DO_NOT_TRACK - ) - ); - try { - when(client.threadPool()).thenReturn(clientThreadpool); - - // setup copied from testAuthenticateWithApiKey - final Settings settings = Settings.builder().put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true).build(); - final ApiKeyService service = createApiKeyService(settings); - - final String id = randomAlphaOfLength(12); - final String key = randomAlphaOfLength(16); - - final User user, authUser; - if (randomBoolean()) { - user = new User("hulk", new String[] { "superuser" }, "Bruce Banner", "hulk@test.com", Map.of(), true); - authUser = new User("authenticated_user", "other"); - } else { - user = new User("hulk", new String[] { "superuser" }, "Bruce Banner", "hulk@test.com", Map.of(), true); - authUser = null; - } - final ApiKey.Type type = randomFrom(ApiKey.Type.values()); - final Map metadata = mockKeyDocument(id, key, user, authUser, false, Duration.ofSeconds(3600), null, type); - - // Block the security crypto threadpool - CyclicBarrier barrier = new CyclicBarrier(2); - threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(() -> { - try { - barrier.await(); - } catch (InterruptedException | BrokenBarrierException e) { - throw new RuntimeException(e); - } - }); - // Now fill it up while the one thread is blocked - for (int i = 0; i < TEST_THREADPOOL_QUEUE_SIZE; i++) { - threadPool.executor(SECURITY_CRYPTO_THREAD_POOL_NAME).execute(() -> {}); - } - - // Check that it's full - for (var stat : threadPool.stats().stats()) { - if 
(stat.name().equals(SECURITY_CRYPTO_THREAD_POOL_NAME)) { - assertThat(stat.queue(), equalTo(TEST_THREADPOOL_QUEUE_SIZE)); - assertThat(stat.rejected(), equalTo(0L)); - } - } - - // now try to auth with an API key - final AuthenticationResult auth = tryAuthenticate(service, id, key, type); - assertThat(auth.getStatus(), is(AuthenticationResult.Status.TERMINATE)); - - // Make sure one was rejected and the queue is still full - for (var stat : threadPool.stats().stats()) { - if (stat.name().equals(SECURITY_CRYPTO_THREAD_POOL_NAME)) { - assertThat(stat.queue(), equalTo(TEST_THREADPOOL_QUEUE_SIZE)); - assertThat(stat.rejected(), equalTo(1L)); - } - } - ListenableFuture cachedValue = service.getApiKeyAuthCache().get(id); - assertThat("since the request was rejected, there should be no cache entry for this key", cachedValue, nullValue()); - - // unblock the threadpool - barrier.await(); - - // wait for the threadpool queue to drain - assertBusy(() -> { - for (var stat : threadPool.stats().stats()) { - if (stat.name().equals(SECURITY_CRYPTO_THREAD_POOL_NAME)) { - assertThat(stat.rejected(), equalTo(1L)); - assertThat(stat.queue(), equalTo(0)); - } - } - }); - - // try to authenticate again with the same key - if this hangs, check the future caching - final AuthenticationResult shouldSucceed = tryAuthenticate(service, id, key, type); - assertThat(shouldSucceed.getStatus(), is(AuthenticationResult.Status.SUCCESS)); - } finally { - terminate(clientThreadpool); - } - } - public void testCreateApiKeyUsesBulkIndexAction() throws Exception { final Settings settings = Settings.builder().put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true).build(); final ApiKeyService service = createApiKeyService(settings); From ba520c17f300463557493d18952e4161b1a2cb14 Mon Sep 17 00:00:00 2001 
From: Athena Brown Date: Fri, 2 Aug 2024 07:39:13 -0600 Subject: [PATCH 17/47] WIP --- .../elasticsearch/xpack/security/authc/jwt/JwtRealm.java | 7 ++++++- .../src/main/plugin-metadata/plugin-security.policy | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java index 74a88217b6eca..701192e306322 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java @@ -262,6 +262,7 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac }, ex -> { AtomicReference msg = new AtomicReference<>(); AccessController.doPrivileged((PrivilegedAction) () -> { + JWTClaimsSet jwtClaimsSet = jwtAuthenticationToken.getJWTClaimsSet(); msg.set( "Realm [" + name() @@ -270,7 +271,11 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac + "] with header [" + jwtAuthenticationToken.getSignedJWT().getHeader() + "] and claimSet [" - + jwtAuthenticationToken.getJWTClaimsSet() + + AccessController.doPrivileged( + (PrivilegedAction) () -> jwtClaimsSet.toString(), + AccessController.getContext(), + new RuntimePermission("accessDeclaredMembers") + ) + "]" ); return null; diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index da391475d32dc..228da4d105024 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy 
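Review bot: The new inner `AccessController.doPrivileged(action, AccessController.getContext(), new RuntimePermission("accessDeclaredMembers"))` is nested inside the outer unrestricted `doPrivileged` added earlier in the series, so the limited-permission form cannot narrow anything: any permission check the limited call does not cover simply walks on to the outer call, which asserts the caller's full permissions, and passing the current `getContext()` as the context argument intersects with a context that already includes that assertion. If the intent is to assert only `accessDeclaredMembers` around `jwtClaimsSet.toString()`, drop the outer `doPrivileged` and the `AtomicReference` and keep a single limited call, noting that the header's `toString()` on the line above appears to need the same treatment and that the shaded-GSON path may also require `suppressAccessChecks`, which the per-codebase policy grant includes. The enclosing `authenticate` method begins and ends outside the hunk; the commit is marked WIP, so this may already be known.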
@@ -17,8 +17,8 @@ grant { permission java.security.SecurityPermission "org.apache.xml.security.register"; // gson, as included & shaded by nimbus. I think these can be moved out - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // needed for multiple server implementations used in tests From 2c0dece915c7d34a4122ad7b05aaf85d10f00fbd Mon Sep 17 00:00:00 2001 From: Jake Landis Date: Mon, 5 Aug 2024 14:07:37 -0500 Subject: [PATCH 18/47] passes the testFailureOnExpiredJwt --- x-pack/plugin/security/build.gradle | 20 +- x-pack/plugin/security/lib/build.gradle | 0 .../security/lib/jose-wrapper/build.gradle | 36 ++++ .../licenses/nimbus-jose-jwt-LICENSE.txt | 202 ++++++++++++++++++ .../licenses/nimbus-jose-jwt-NOTICE.txt | 14 ++ .../src/main/java/module-info.java | 13 ++ .../org/elasticsearch/jose/JoseWrapper.java | 38 ++++ .../security/src/main/java/module-info.java | 3 +- .../xpack/security/authc/jwt/JwtRealm.java | 40 ++-- .../plugin-metadata/plugin-security.policy | 10 +- 10 files changed, 327 insertions(+), 49 deletions(-) create mode 100644 x-pack/plugin/security/lib/build.gradle create mode 100644 x-pack/plugin/security/lib/jose-wrapper/build.gradle create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-NOTICE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java create mode 100644 x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 84b2e57f48440..b8432ecf5d6ce 100644 --- a/x-pack/plugin/security/build.gradle 
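Review bot: The two global `grant { ... }` permissions are commented out rather than removed, leaving dead `//permission` lines in a security policy that are one uncomment away from restoring a blanket `suppressAccessChecks` grant for all of the plugin's code; a policy file should carry only what is in force. If the per-codebase grants for `${codebase.nimbus-jose-jwt}` and `${codebase.oauth2-oidc-sdk}` are now sufficient, delete the two lines and replace the speculative "I think these can be moved out" comment with a statement of fact, e.g. `// shaded GSON reflection is granted per-codebase below, not globally`. The `grant {` block begins outside the hunk.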
+++ b/x-pack/plugin/security/build.gradle @@ -81,15 +81,8 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" api "com.nimbusds:nimbus-jose-jwt:9.37.3" -// api project(path: 'nimbus-jose-jwt', configuration: 'shadow') -// if (isEclipse) { -// /* -// * Eclipse can't pick up the shadow dependency so we point it at *something* -// * so it can compile things. -// */ -// api project(path: 'nimbus-jose-jwt') -// } - api "com.nimbusds:lang-tag:1.7" + api project(xpackModule('security:lib:jose-wrapper')) + api "com.nimbusds:lang-tag:1.4.4" api "com.sun.mail:jakarta.mail:1.6.3" api "net.jcip:jcip-annotations:1.0" api "net.minidev:json-smart:2.5.1" @@ -111,14 +104,7 @@ dependencies { testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') -// testImplementation project(path: 'nimbus-jose-jwt', configuration: 'shadow') -// if (isEclipse) { -// /* -// * Eclipse can't pick up the shadow dependency so we point it at *something* -// * so it can compile things. -// */ -// testImplementation project(path: 'nimbus-jose-jwt') -// } + testImplementation('com.nimbusds:nimbus-jose-jwt:9.37.3') //fixme?? testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') diff --git a/x-pack/plugin/security/lib/build.gradle b/x-pack/plugin/security/lib/build.gradle new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/x-pack/plugin/security/lib/jose-wrapper/build.gradle b/x-pack/plugin/security/lib/jose-wrapper/build.gradle new file mode 100644 index 0000000000000..5c475eac1fecc --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/build.gradle 
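Review bot: Two version signals in this hunk look unintended: `com.nimbusds:lang-tag` moves from 1.7 down to 1.4.4, a downgrade rather than the bump this series is about, and `nimbus-jose-jwt` is pinned at 9.37.3 here (directly as `api`, again as `testImplementation` with a `//fixme??`, and inside `jose-wrapper`) while `x-pack/plugin/core` in this same series went to 9.39. Two nimbus-jose-jwt versions across modules risk two copies of the library on the classpath or a conflicting module graph, and a downgraded dependency can reintroduce already-fixed bugs. Pin one nimbus-jose-jwt version in a single place (the wrapper, with `gradle/verification-metadata.xml` updated to match), drop the direct `api` declaration if the wrapper re-exports it, and either restore `lang-tag:1.7` or state in the commit message why 1.4.4 is wanted.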
@@ -0,0 +1,36 @@ +apply plugin: 'elasticsearch.build' + +base { + archivesName = 'elasticsearch-jose-wrapper' +} + +dependencies { + api "com.nimbusds:nimbus-jose-jwt:9.37.3" + api project(':server') +} + +tasks.named("thirdPartyAudit").configure { + ignoreMissingClasses( + // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037) + 'com.google.crypto.tink.subtle.Ed25519Sign', + 'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair', + 'com.google.crypto.tink.subtle.Ed25519Verify', + 'com.google.crypto.tink.subtle.X25519', + 'com.google.crypto.tink.subtle.XChaCha20Poly1305', +// 'com.nimbusds.common.contenttype.ContentType', +// 'com.nimbusds.common.contenttype.ContentType$Parameter', + 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo', + 'org.bouncycastle.asn1.x509.AlgorithmIdentifier', + 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', + 'org.bouncycastle.cert.X509CertificateHolder', + 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', + 'org.bouncycastle.crypto.InvalidCipherTextException', + 'org.bouncycastle.crypto.engines.AESEngine', + 'org.bouncycastle.crypto.modes.GCMBlockCipher', + 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', + 'org.bouncycastle.jce.provider.BouncyCastleProvider', + 'org.bouncycastle.openssl.PEMKeyPair', + 'org.bouncycastle.openssl.PEMParser', + 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter', + ) +} diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-LICENSE.txt new file mode 100644 index 0000000000000..d645695673349 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-LICENSE.txt 
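Review bot: The wrapper declares both `nimbus-jose-jwt` and `project(':server')` as `api`, which re-exports them to every consumer; if the point of `jose-wrapper` is to confine nimbus (and the reflection grants its shaded GSON needs) to one codebase, the library should be `implementation` so consumers reach it only through `org.elasticsearch.jose.JoseWrapper`, and a dependency on `:server` from a small wrapper module is unusual enough to deserve a one-line comment on why it is needed. The two commented-out `com.nimbusds.common.contenttype.ContentType` entries are dead lines: either the classes are missing and should be listed, or the lines should go.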
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-NOTICE.txt new file mode 100644 index 0000000000000..cb9ad94f662a6 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-NOTICE.txt 
@@ -0,0 +1,14 @@ +Nimbus JOSE + JWT + +Copyright 2012 - 2018, Connect2id Ltd. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use +this file except in compliance with the License. You may obtain a copy of the +License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed +under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. See the License for the +specific language governing permissions and limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java new file mode 100644 index 0000000000000..57a941d4645db --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +module org.elasticsearch.jose { + requires org.elasticsearch.server; + requires com.nimbusds.jose.jwt; + + exports org.elasticsearch.jose; +} diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java new file mode 100644 index 0000000000000..2bf4e2f67c678 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java 
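Review bot: `exports org.elasticsearch.jose;` in the new module descriptor is unqualified, so every module on the boot layer can reach the privileged helpers this jar exists to provide, even though the policy change in this same patch grants the jar `accessDeclaredMembers` and `suppressAccessChecks`. The only consumer visible in this series is the security plugin, so a qualified export, `exports org.elasticsearch.jose to <security plugin module>;`, keeps the elevated-privilege entry points scoped to the code that needs them. If other plugins are expected to use the wrapper, a comment on the `exports` line saying so would document the wider exposure as intentional.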
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.jose;
+
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+
+import org.elasticsearch.SpecialPermission;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * This class wraps the operations requiring access in {@link AccessController#doPrivileged(PrivilegedAction)} blocks.
+ * Can't do these operations inline with giving too much access due to how the security manager calculates the stack for lambda expressions.
+ * Isolating the calls here allows for least privilege access to this helper jar.
+ */
+public class JoseWrapper {
+
+ // utility class
+ private JoseWrapper() {}
+
+ public static String getHeaderAsString(SignedJWT signedJWT) {
+ SpecialPermission.check();
+ return AccessController.doPrivileged((PrivilegedAction) () -> signedJWT.getHeader().toString());
+
+ }
+
+ public static String getClaimsSetAsString(JWTClaimsSet jwtClaimsSet) {
+ SpecialPermission.check();
+ return AccessController.doPrivileged((PrivilegedAction) jwtClaimsSet::toString);
+ }
+}
diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java
index b00fedd963821..3377e187a383e
--- a/x-pack/plugin/security/src/main/java/module-info.java
+++ b/x-pack/plugin/security/src/main/java/module-info.java
@@ -38,6 +38,7 @@
 requires org.opensaml.xmlsec.impl;
 requires org.opensaml.xmlsec;
+ requires com.nimbusds.jose.jwt;
 requires io.netty.common;
 requires io.netty.codec.http;
 requires io.netty.handler;
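Review bot: The class Javadoc says `Can't do these operations inline with giving too much access`, which should read `without giving too much access`, and it never states the property that keeps this privilege boundary small: both methods only ever run a nimbus `toString()` inside `doPrivileged`, and nothing caller-supplied executes with the jar's permissions. I would make that explicit so future additions respect it, e.g. a comment above the first method: `// Keep the privileged action to the nimbus toString() call only; never run caller-supplied callbacks with this jar's permissions.` The utility class already has a private constructor, so it should also be `final`. The stray blank line before the closing brace of `getHeaderAsString` is just untidiness.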
@@ -48,7 +49,7 @@
 requires oauth2.oidc.sdk;
 requires org.slf4j;
 requires unboundid.ldapsdk;
- requires com.nimbusds.jose.jwt;
+ requires org.elasticsearch.jose;
 exports org.elasticsearch.xpack.security.action to org.elasticsearch.server;
 exports org.elasticsearch.xpack.security.action.apikey to org.elasticsearch.server;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java
index 701192e306322..3cba7c8642cc8
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java
@@ -25,6 +25,7 @@
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.Releasable;
 import org.elasticsearch.core.TimeValue;
+import org.elasticsearch.jose.JoseWrapper;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
@@ -41,8 +42,6 @@
 import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
 import org.elasticsearch.xpack.security.support.ReloadableSecurityComponent;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
@@ -50,7 +49,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
-import java.util.concurrent.atomic.AtomicReference;
 import static java.lang.String.join;
 import static org.elasticsearch.core.Strings.format;
@@ -260,34 +258,24 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac
 }
 processValidatedJwt(tokenPrincipal, jwtCacheKey, claimsSet, listener);
 }, ex -> {
- AtomicReference msg = new AtomicReference<>();
- AccessController.doPrivileged((PrivilegedAction) () -> {
- JWTClaimsSet jwtClaimsSet = jwtAuthenticationToken.getJWTClaimsSet();
- msg.set(
- "Realm ["
- + name()
- + "] JWT validation failed for token=["
- + tokenPrincipal
- + "] with header ["
- + jwtAuthenticationToken.getSignedJWT().getHeader()
- + "] and claimSet ["
- + AccessController.doPrivileged(
- (PrivilegedAction) () -> jwtClaimsSet.toString(),
- AccessController.getContext(),
- new RuntimePermission("accessDeclaredMembers")
- )
- + "]"
- );
- return null;
- });
+
+ final String msg = "Realm ["
+ + name()
+ + "] JWT validation failed for token=["
+ + tokenPrincipal
+ + "] with header ["
+ + JoseWrapper.getHeaderAsString(jwtAuthenticationToken.getSignedJWT())
+ + "] and claimSet ["
+ + JoseWrapper.getClaimsSetAsString(jwtAuthenticationToken.getJWTClaimsSet())
+ + "]";
 if (logger.isTraceEnabled()) {
- logger.trace(msg.get(), ex);
+ logger.trace(msg, ex);
 } else {
- logger.debug(msg.get() + " Cause: " + ex.getMessage()); // only log the stack trace at trace level
+ logger.debug(msg + " Cause: " + ex.getMessage()); // only log the stack trace at trace level
 }
 // TODO: No point to continue to another realm if failure is ParseException
- listener.onResponse(AuthenticationResult.unsuccessful(msg.get(), ex));
+ listener.onResponse(AuthenticationResult.unsuccessful(msg, ex));
 }));
 } else {
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
index 228da4d105024..a6546320ed71d
--- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
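Review bot: `jwtAuthenticationToken.getJWTClaimsSet()` and `getSignedJWT()` are now evaluated outside any privileged block (the removed code fetched the claims set inside `doPrivileged`), so if either accessor does lazy parsing under the security manager this failure path will itself fail with an `AccessControlException` instead of producing the message; from the hunk alone I cannot tell whether they are plain getters, so please confirm, particularly as the unit tests for this realm are switched off the security manager later in this series. Separately, `msg` still embeds the unverified token's full header and claim set verbatim and then flows into both the debug log and `AuthenticationResult.unsuccessful(msg, ex)`, so attacker-supplied content reaches logs and the failure result untouched; consider length-capping the two strings or keeping the claim set at trace level only. The enclosing `authenticate` method starts and ends outside this hunk.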
@@ -16,11 +16,6 @@ grant {
 // which uses it in the opensaml-xmlsec-impl
 permission java.security.SecurityPermission "org.apache.xml.security.register";
- // gson, as included & shaded by nimbus. I think these can be moved out
- //permission java.lang.RuntimePermission "accessDeclaredMembers";
- //permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-
-
 // needed for multiple server implementations used in tests
 permission java.net.SocketPermission "*", "accept,connect";
@@ -68,3 +63,8 @@ grant codeBase "${codebase.nimbus-jose-jwt}" {
 permission java.lang.RuntimePermission "accessDeclaredMembers";
 permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 };
+
+grant codeBase "${codebase.elasticsearch-jose-wrapper}" {
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
From faf294f947a52c493201c3b6b8563c8b04d8b4c9 Mon Sep 17 00:00:00 2001
From: Athena Brown
Date: Mon, 5 Aug 2024 16:41:33 -0600
Subject: [PATCH 19/47] Disable security manager for JWT & OIDC unit tests
We rely on the integ tests to catch stuff anyway
---
 x-pack/plugin/security/build.gradle | 28 ++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
index b8432ecf5d6ce..e016790fc8439
--- a/x-pack/plugin/security/build.gradle
+++ b/x-pack/plugin/security/build.gradle
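Review bot: The new `grant codeBase "${codebase.elasticsearch-jose-wrapper}"` block gives the wrapper `suppressAccessChecks` as well as `accessDeclaredMembers`, whereas the JwtRealm code this series replaces confined the claims `toString()` to a single `RuntimePermission("accessDeclaredMembers")` through the limited-privilege `doPrivileged` overload, so the effective privilege of that operation has widened. If the JSON reflection genuinely needs `suppressAccessChecks`, a one-line comment above the grant naming the nimbus call that requires it would justify it; otherwise drop it here, or have the wrapper call `AccessController.doPrivileged(action, null, new RuntimePermission("accessDeclaredMembers"))` to keep the narrower scope. Either way the grant should carry the same kind of explanatory comment the other grants in this file have.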
@@ -440,3 +440,31 @@ tasks.named("internalClusterTest").configure {
 }
 addQaCheckDependencies(project)
+
+// These unit tests are run without the security manager because they use, directly or
+// indirectly, nimbus-jose-jwt code, which uses gson internally, which is not friendly
+// to the security manager. Note that we do not disable the security manager for
+// any integration tests, any failures of which should be taken very seriously.
+String[] noSecurityManagerClasses = [
+ "**/JwtRealmAuthenticateTests.class",
+ "**/JwtRealmAuthenticateAccessTokenTypeTests.class",
+ "**/JwtRealmGenerateTests.class",
+ "**/JwtAuthenticatorAccessTokenTypeTests.class",
+ "**/JwtAuthenticatorIdTokenTypeTests.class",
+ "**/JwtSignatureValidatorTests.class",
+ "**/OpenIdConnectAuthenticatorTests.class",
+ "**/TransportOpenIdConnectLogoutActionTests.class",
+ "**/OpenIdConnectRealmTests.class",
+]
+
+tasks.register('testNoSecurityManager', Test) {
+ testClassesDirs = sourceSets.test.output.classesDirs
+ classpath = sourceSets.test.runtimeClasspath
+ include noSecurityManagerClasses
+ systemProperty 'tests.security.manager', 'false'
+}
+tasks.named("check").configure { dependsOn 'testNoSecurityManager' }
+
+tasks.named('test').configure {
+ exclude noSecurityManagerClasses
+}
From 53405d1c52fab817d37773b5da08130cfb8d73f0 Mon Sep 17 00:00:00 2001
From: Athena Brown
Date: Mon, 5 Aug 2024 16:41:50 -0600
Subject: [PATCH 20/47] Fix failure in unit test
---
 .../xpack/security/authc/jwt/JwtSignatureValidatorTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java
index 3732573b2f03d..f1927876eba5f
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java
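Review bot: `tasks.register('testNoSecurityManager', Test)` sets only `testClassesDirs`, `classpath`, `include` and the `tests.security.manager` property, so whether it inherits the project's other `Test` conventions (JVM args, seed handling, reporting, CI sharding) depends on a `tasks.withType(Test)` hook I cannot see from here; please confirm, otherwise these nine realm test classes run under a different JVM configuration from the rest of `test`. Since the listed classes cover token parsing and signature validation, the code most worth exercising under the policy, I would add `description = 'JWT/OIDC unit tests run without the security manager; policy coverage comes from internalClusterTest'` so the gap is visible in task listings and reports. The header comment should also name the integration tests that do cover the privileged paths, so its claim can be checked when the list grows.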
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java
@@ -266,7 +266,7 @@ public void testJwtSignVerifyPassedForAllSupportedAlgorithms() {
 try {
 helpTestSignatureAlgorithm(signatureAlgorithm, false);
 } catch (Exception e) {
- fail("signature validation with algorithm [" + signatureAlgorithm + "] should have succeeded");
+ throw new RuntimeException("signature validation with algorithm [" + signatureAlgorithm + "] should have succeeded", e);
 }
 }
 // Fail: "ES256K"
From 99d57b8c313d6203166a7b1adf79e74463dfb0aa Mon Sep 17 00:00:00 2001
From: Athena Brown
Date: Tue, 6 Aug 2024 14:13:12 -0600
Subject: [PATCH 21/47] Wrap jose access in JWT `ESIntegTestCase`s
---
 .../org/elasticsearch/jose/JoseWrapper.java | 29 +++++++++++++++++++
 .../authc/jwt/JwtRealmSingleNodeTests.java | 10 +++----
 2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java
index 2bf4e2f67c678..a03dda55a3080
--- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java
+++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java
@@ -7,6 +7,8 @@
 package org.elasticsearch.jose;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.util.Base64URL;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
@@ -14,6 +16,10 @@
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.text.ParseException;
+import java.util.Map;
 /**
 * This class wraps the operations requiring access in {@link AccessController#doPrivileged(PrivilegedAction)} blocks.
@@ -35,4 +41,27 @@ public static String getClaimsSetAsString(JWTClaimsSet jwtClaimsSet) {
 SpecialPermission.check();
 return AccessController.doPrivileged((PrivilegedAction) jwtClaimsSet::toString);
 }
+
+ // only used in tests
+ public static SignedJWT newSignedJwt(JWSHeader header, JWTClaimsSet claimsSet) {
+ SpecialPermission.check();
+ return AccessController.doPrivileged((PrivilegedAction) () -> new SignedJWT(header, claimsSet));
+ }
+
+ // only used in tests
+ public static SignedJWT newSignedJWT(Map header, JWTClaimsSet claimsSet, String signatureUrl) throws ParseException {
+ SpecialPermission.check();
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> new SignedJWT(
+ JWSHeader.parse(header).toBase64URL(),
+ claimsSet.toPayload().toBase64URL(),
+ Base64URL.encode(signatureUrl)
+ )
+ );
+ } catch (PrivilegedActionException ex) {
+ throw (ParseException) ex.getException();
+ }
+
+ }
 }
diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java
index 435706dce7019..b4fbd6c8fc7f3
--- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java
+++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java
@@ -30,6 +30,7 @@
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.core.Strings;
 import org.elasticsearch.core.TimeValue;
+import org.elasticsearch.jose.JoseWrapper;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.plugins.PluginsService;
 import org.elasticsearch.test.SecuritySettingsSource;
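Review bot: `newSignedJwt` and `newSignedJWT` differ only in the casing of `Jwt`/`JWT`, which is easy to misread and to auto-complete wrongly, and both are marked `// only used in tests` yet live in the production jar that the policy grants reflection permissions to, so they enlarge the privileged surface for no runtime benefit. I would rename the second to something like `newSignedJwtFromParts` and either move both into a test-fixtures source set or document why they must ship in main. The `signatureUrl` parameter is passed to `Base64URL.encode(...)`, so it is neither a URL nor already encoded; `signature` would be the honest name. The cast `(ParseException) ex.getException()` is only safe while `JWSHeader.parse` and the `SignedJWT` constructor remain the sole checked throwers inside the action; a comment stating that, e.g. `// only ParseException is declared by the calls inside the action`, protects the cast from a later edit.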
@@ -710,7 +711,7 @@ static SignedJWT getSignedJWT(JWTClaimsSet claimsSet, byte[] hmacKeyBytes) throw
 JWSHeader jwtHeader = new JWSHeader.Builder(JWSAlgorithm.HS256).build();
 OctetSequenceKey.Builder jwt0signer = new OctetSequenceKey.Builder(hmacKeyBytes);
 jwt0signer.algorithm(JWSAlgorithm.HS256);
- SignedJWT jwt = new SignedJWT(jwtHeader, claimsSet);
+ SignedJWT jwt = JoseWrapper.newSignedJwt(jwtHeader, claimsSet);
 jwt.sign(new MACSigner(jwt0signer.build()));
 return jwt;
 }
@@ -764,11 +765,8 @@ private SignedJWT getSignedJWT(Map m) throws ParseException {
 claimsMap.put("exp", now.plus(randomIntBetween(-1, 1), ChronoUnit.DAYS).getEpochSecond());
 final JWTClaimsSet claimsSet = JWTClaimsSet.parse(claimsMap);
- final SignedJWT signedJWT = new SignedJWT(
- JWSHeader.parse(Map.of("alg", randomAlphaOfLengthBetween(5, 10))).toBase64URL(),
- claimsSet.toPayload().toBase64URL(),
- Base64URL.encode("signature")
- );
+ final SignedJWT signedJWT = JoseWrapper.newSignedJWT(Map.of("alg", randomAlphaOfLengthBetween(5, 10)), claimsSet, "signature");
+
 return signedJWT;
 }
From b760c6c4bc68d08fe6a8378876bc582cda1f16f3 Mon Sep 17 00:00:00 2001
From: Athena Brown Date: Tue, 6 Aug 2024 16:38:31 -0600 Subject: [PATCH 22/47] Expand wrapper to include nimbus --- x-pack/plugin/security/build.gradle | 2 +- .../security/lib/jose-wrapper/build.gradle | 68 ++ .../licenses/accessors-smart-LICENSE.txt | 202 ++++++ .../licenses/accessors-smart-NOTICE.txt | 0 .../lib/jose-wrapper/licenses/asm-LICENSE.txt | 26 + .../lib/jose-wrapper/licenses/asm-NOTICE.txt | 1 + .../licenses/jakarta.mail-LICENSE.txt | 637 ++++++++++++++++++ .../licenses/jakarta.mail-NOTICE.txt | 50 ++ .../licenses/jcip-annotations-LICENSE.txt | 202 ++++++ .../licenses/jcip-annotations-NOTICE.txt | 0 .../licenses/json-smart-LICENSE.txt | 202 ++++++ .../licenses/json-smart-NOTICE.txt | 0 .../licenses/lang-tag-LICENSE.txt | 202 ++++++ .../jose-wrapper/licenses/lang-tag-NOTICE.txt | 14 + .../licenses/oauth2-oidc-sdk-LICENSE.txt | 202 ++++++ .../licenses/oauth2-oidc-sdk-NOTICE.txt | 14 + .../src/main/java/module-info.java | 3 +- .../NimubsWrapper.java} | 6 +- .../authc/jwt/JwtRealmSingleNodeTests.java | 6 +- .../xpack/security/authc/jwt/JwtRealm.java | 6 +- .../oidc/OpenIdConnectAuthenticator.java | 46 +- 21 files changed, 1861 insertions(+), 28 deletions(-) create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-NOTICE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-NOTICE.txt create mode 100644 
x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-NOTICE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt rename x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/{jose/JoseWrapper.java => nimbus/NimubsWrapper.java} (96%) diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index e016790fc8439..15e3b73fffd96 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -104,7 +104,7 @@ dependencies { testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') - testImplementation('com.nimbusds:nimbus-jose-jwt:9.37.3') //fixme?? + testImplementation('com.nimbusds:nimbus-jose-jwt:9.37.3') testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') diff --git a/x-pack/plugin/security/lib/jose-wrapper/build.gradle b/x-pack/plugin/security/lib/jose-wrapper/build.gradle index 5c475eac1fecc..4da6c7ea7cf4e 100644 --- a/x-pack/plugin/security/lib/jose-wrapper/build.gradle +++ b/x-pack/plugin/security/lib/jose-wrapper/build.gradle 
@@ -5,7 +5,18 @@ base {
 }
 dependencies {
+ // the actual two libraries we care about
+ api "com.nimbusds:oauth2-oidc-sdk:11.10.1"
 api "com.nimbusds:nimbus-jose-jwt:9.37.3"
+
+ // transitive dependencies of oidc
+ api "com.nimbusds:lang-tag:1.4.4"
+ api "com.sun.mail:jakarta.mail:1.6.3"
+ api "net.jcip:jcip-annotations:1.0"
+ api "net.minidev:json-smart:2.5.1"
+ api "net.minidev:accessors-smart:2.4.2"
+ api "org.ow2.asm:asm:8.0.1"
+
 api project(':server')
 }
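Review bot: The new `dependencies` block pins `net.minidev:accessors-smart:2.4.2` and `org.ow2.asm:asm:8.0.1` next to `net.minidev:json-smart:2.5.1`; to my recollection json-smart 2.5.x declares accessors-smart 2.5.x and ASM 9.x, so either Gradle resolves to the higher transitive versions and these two pins (and whatever was audited against them) are inert, or something forces the older pair and json-smart runs on an ASM it was not built against — please check the resolved versions and pin the pair json-smart actually declares. These coordinates also duplicate the ones still declared in `x-pack/plugin/security/build.gradle`, so the two lists can drift; declaring them once (a version catalog, or only here with the security plugin consuming the wrapper) avoids that. The diffstat of this commit also renames the helper to `NimubsWrapper.java`, which looks like a typo for `NimbusWrapper`.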
@@ -32,5 +43,62 @@ tasks.named("thirdPartyAudit").configure {
 'org.bouncycastle.openssl.PEMKeyPair',
 'org.bouncycastle.openssl.PEMParser',
 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
+
+ // unchecked
+ "com.nimbusds.common.contenttype.ContentType",
+ 'com.nimbusds.common.contenttype.ContentType$Parameter',
+ "jakarta.servlet.ServletRequest",
+ "jakarta.servlet.http.HttpServletRequest",
+ "jakarta.servlet.http.HttpServletResponse",
+ "javax.activation.ActivationDataFlavor",
+ "javax.activation.DataContentHandler",
+ "javax.activation.DataHandler",
+ "javax.activation.DataSource",
+ "javax.activation.FileDataSource",
+ "javax.activation.FileTypeMap",
+ "javax.servlet.ServletRequest",
+ "javax.servlet.http.HttpServletRequest",
+ "javax.servlet.http.HttpServletResponse",
+ "net.shibboleth.utilities.java.support.xml.SerializeSupport",
+ "org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder",
+ "org.bouncycastle.operator.jcajce.JcaContentSignerBuilder",
+ "org.cryptomator.siv.SivMode",
+ "org.joda.time.DateTime",
+ "org.opensaml.core.config.InitializationException",
+ "org.opensaml.core.config.InitializationService",
+ "org.opensaml.core.xml.XMLObject",
+ "org.opensaml.core.xml.XMLObjectBuilder",
+ "org.opensaml.core.xml.XMLObjectBuilderFactory",
+ "org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport",
+ "org.opensaml.core.xml.io.Marshaller",
+ "org.opensaml.core.xml.io.MarshallerFactory",
+ "org.opensaml.core.xml.io.MarshallingException",
+ "org.opensaml.core.xml.io.Unmarshaller",
+ "org.opensaml.core.xml.io.UnmarshallerFactory",
+ "org.opensaml.core.xml.schema.XSString",
+ "org.opensaml.core.xml.schema.impl.XSStringBuilder",
+ "org.opensaml.saml.saml2.core.Assertion",
+ "org.opensaml.saml.saml2.core.Attribute",
+ "org.opensaml.saml.saml2.core.AttributeStatement",
+ "org.opensaml.saml.saml2.core.AttributeValue",
+ "org.opensaml.saml.saml2.core.Audience",
+ "org.opensaml.saml.saml2.core.AudienceRestriction",
+ "org.opensaml.saml.saml2.core.AuthnContext",
+ "org.opensaml.saml.saml2.core.AuthnContextClassRef",
+ "org.opensaml.saml.saml2.core.AuthnStatement",
+ "org.opensaml.saml.saml2.core.Conditions",
+ "org.opensaml.saml.saml2.core.Issuer",
+ "org.opensaml.saml.saml2.core.NameID",
+ "org.opensaml.saml.saml2.core.Subject",
+ "org.opensaml.saml.saml2.core.SubjectConfirmation",
+ "org.opensaml.saml.saml2.core.SubjectConfirmationData",
+ "org.opensaml.saml.security.impl.SAMLSignatureProfileValidator",
+ "org.opensaml.security.credential.BasicCredential",
+ "org.opensaml.security.credential.Credential",
+ "org.opensaml.security.credential.UsageType",
+ "org.opensaml.xmlsec.signature.Signature",
+ "org.opensaml.xmlsec.signature.support.SignatureException",
+ "org.opensaml.xmlsec.signature.support.SignatureValidator",
+ "org.opensaml.xmlsec.signature.support.Signer",
 )
 }
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt
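Review bot: The `// unchecked` comment heading the new suppression list says nothing about why these classes are acceptable to miss; each entry tells thirdPartyAudit to stop flagging a jar that references a class absent at runtime, so the comment needs to say which jar in this module needs which group. The list mixes OpenSAML, XML-signature and BouncyCastle certificate-builder classes with the servlet/activation API, joda-time and `org.cryptomator.siv.SivMode`, which suggests it was carried over from the SAML realm's audit configuration rather than derived from what `oauth2-oidc-sdk` and `jakarta.mail` actually reference; entries not reachable from this wrapper's jars should be dropped, since they only widen the audit's blind spot. I would replace the header with one comment per group, e.g. `// optional servlet/activation integration points of oauth2-oidc-sdk and jakarta.mail, not shipped here` and `// TODO(review): confirm the org.opensaml.* entries are referenced by a jar in this module`. The quoting is also inconsistent (the existing entries use single quotes, the new ones mostly double). The call that holds this list opens outside the hunk.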
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-NOTICE.txt new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt new file mode 100644 index 0000000000000..afb064f2f2666 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt 
@@ -0,0 +1,26 @@ +Copyright (c) 2012 France Télécom +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. Neither the name of the copyright holders nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF +THE POSSIBILITY OF SUCH DAMAGE. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt new file mode 100644 index 0000000000000..8d1c8b69c3fce --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt @@ -0,0 +1 @@ + 
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt new file mode 100644 index 0000000000000..5de3d1b40c199 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt 
@@ -0,0 +1,637 @@ +# Eclipse Public License - v 2.0 + + THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE + PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION + OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. + + 1. DEFINITIONS + + "Contribution" means: + + a) in the case of the initial Contributor, the initial content + Distributed under this Agreement, and + + b) in the case of each subsequent Contributor: + i) changes to the Program, and + ii) additions to the Program; + where such changes and/or additions to the Program originate from + and are Distributed by that particular Contributor. A Contribution + "originates" from a Contributor if it was added to the Program by + such Contributor itself or anyone acting on such Contributor's behalf. + Contributions do not include changes or additions to the Program that + are not Modified Works. + + "Contributor" means any person or entity that Distributes the Program. + + "Licensed Patents" mean patent claims licensable by a Contributor which + are necessarily infringed by the use or sale of its Contribution alone + or when combined with the Program. + + "Program" means the Contributions Distributed in accordance with this + Agreement. + + "Recipient" means anyone who receives the Program under this Agreement + or any Secondary License (as applicable), including Contributors. + + "Derivative Works" shall mean any work, whether in Source Code or other + form, that is based on (or derived from) the Program and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. + + "Modified Works" shall mean any work in Source Code or other form that + results from an addition to, deletion from, or modification of the + contents of the Program, including, for purposes of clarity any new file + in Source Code form that contains any contents of the Program. 
Modified + Works shall not include works that contain only declarations, + interfaces, types, classes, structures, or files of the Program solely + in each case in order to link to, bind by name, or subclass the Program + or Modified Works thereof. + + "Distribute" means the acts of a) distributing or b) making available + in any manner that enables the transfer of a copy. + + "Source Code" means the form of a Program preferred for making + modifications, including but not limited to software source code, + documentation source, and configuration files. + + "Secondary License" means either the GNU General Public License, + Version 2.0, or any later versions of that license, including any + exceptions or additional permissions as identified by the initial + Contributor. + + 2. GRANT OF RIGHTS + + a) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free copyright + license to reproduce, prepare Derivative Works of, publicly display, + publicly perform, Distribute and sublicense the Contribution of such + Contributor, if any, and such Derivative Works. + + b) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free patent + license under Licensed Patents to make, use, sell, offer to sell, + import and otherwise transfer the Contribution of such Contributor, + if any, in Source Code or other form. This patent license shall + apply to the combination of the Contribution and the Program if, at + the time the Contribution is added by the Contributor, such addition + of the Contribution causes such combination to be covered by the + Licensed Patents. The patent license shall not apply to any other + combinations which include the Contribution. No hardware per se is + licensed hereunder. 
+ + c) Recipient understands that although each Contributor grants the + licenses to its Contributions set forth herein, no assurances are + provided by any Contributor that the Program does not infringe the + patent or other intellectual property rights of any other entity. + Each Contributor disclaims any liability to Recipient for claims + brought by any other entity based on infringement of intellectual + property rights or otherwise. As a condition to exercising the + rights and licenses granted hereunder, each Recipient hereby + assumes sole responsibility to secure any other intellectual + property rights needed, if any. For example, if a third party + patent license is required to allow Recipient to Distribute the + Program, it is Recipient's responsibility to acquire that license + before distributing the Program. + + d) Each Contributor represents that to its knowledge it has + sufficient copyright rights in its Contribution, if any, to grant + the copyright license set forth in this Agreement. + + e) Notwithstanding the terms of any Secondary License, no + Contributor makes additional grants to any Recipient (other than + those set forth in this Agreement) as a result of such Recipient's + receipt of the Program under the terms of a Secondary License + (if permitted under the terms of Section 3). + + 3. 
REQUIREMENTS + + 3.1 If a Contributor Distributes the Program in any form, then: + + a) the Program must also be made available as Source Code, in + accordance with section 3.2, and the Contributor must accompany + the Program with a statement that the Source Code for the Program + is available under this Agreement, and informs Recipients how to + obtain it in a reasonable manner on or through a medium customarily + used for software exchange; and + + b) the Contributor may Distribute the Program under a license + different than this Agreement, provided that such license: + i) effectively disclaims on behalf of all other Contributors all + warranties and conditions, express and implied, including + warranties or conditions of title and non-infringement, and + implied warranties or conditions of merchantability and fitness + for a particular purpose; + + ii) effectively excludes on behalf of all other Contributors all + liability for damages, including direct, indirect, special, + incidental and consequential damages, such as lost profits; + + iii) does not attempt to limit or alter the recipients' rights + in the Source Code under section 3.2; and + + iv) requires any subsequent distribution of the Program by any + party to be under a license that satisfies the requirements + of this section 3. + + 3.2 When the Program is Distributed as Source Code: + + a) it must be made available under this Agreement, or if the + Program (i) is combined with other material in a separate file or + files made available under a Secondary License, and (ii) the initial + Contributor attached to the Source Code the notice described in + Exhibit A of this Agreement, then the Program may be made available + under the terms of such Secondary Licenses, and + + b) a copy of this Agreement must be included with each copy of + the Program. 
+ + 3.3 Contributors may not remove or alter any copyright, patent, + trademark, attribution notices, disclaimers of warranty, or limitations + of liability ("notices") contained within the Program from any copy of + the Program which they Distribute, provided that Contributors may add + their own appropriate notices. + + 4. COMMERCIAL DISTRIBUTION + + Commercial distributors of software may accept certain responsibilities + with respect to end users, business partners and the like. While this + license is intended to facilitate the commercial use of the Program, + the Contributor who includes the Program in a commercial product + offering should do so in a manner which does not create potential + liability for other Contributors. Therefore, if a Contributor includes + the Program in a commercial product offering, such Contributor + ("Commercial Contributor") hereby agrees to defend and indemnify every + other Contributor ("Indemnified Contributor") against any losses, + damages and costs (collectively "Losses") arising from claims, lawsuits + and other legal actions brought by a third party against the Indemnified + Contributor to the extent caused by the acts or omissions of such + Commercial Contributor in connection with its distribution of the Program + in a commercial product offering. The obligations in this section do not + apply to any claims or Losses relating to any actual or alleged + intellectual property infringement. In order to qualify, an Indemnified + Contributor must: a) promptly notify the Commercial Contributor in + writing of such claim, and b) allow the Commercial Contributor to control, + and cooperate with the Commercial Contributor in, the defense and any + related settlement negotiations. The Indemnified Contributor may + participate in any such claim at its own expense. + + For example, a Contributor might include the Program in a commercial + product offering, Product X. That Contributor is then a Commercial + Contributor. 
If that Commercial Contributor then makes performance + claims, or offers warranties related to Product X, those performance + claims and warranties are such Commercial Contributor's responsibility + alone. Under this section, the Commercial Contributor would have to + defend claims against the other Contributors related to those performance + claims and warranties, and if a court requires any other Contributor to + pay any damages as a result, the Commercial Contributor must pay + those damages. + + 5. NO WARRANTY + + EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT + PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" + BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR + IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF + TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR + PURPOSE. Each Recipient is solely responsible for determining the + appropriateness of using and distributing the Program and assumes all + risks associated with its exercise of rights under this Agreement, + including but not limited to the risks and costs of program errors, + compliance with applicable laws, damage to or loss of data, programs + or equipment, and unavailability or interruption of operations. + + 6. DISCLAIMER OF LIABILITY + + EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT + PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS + SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST + PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE + EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGES. + + 7. 
GENERAL + + If any provision of this Agreement is invalid or unenforceable under + applicable law, it shall not affect the validity or enforceability of + the remainder of the terms of this Agreement, and without further + action by the parties hereto, such provision shall be reformed to the + minimum extent necessary to make such provision valid and enforceable. + + If Recipient institutes patent litigation against any entity + (including a cross-claim or counterclaim in a lawsuit) alleging that the + Program itself (excluding combinations of the Program with other software + or hardware) infringes such Recipient's patent(s), then such Recipient's + rights granted under Section 2(b) shall terminate as of the date such + litigation is filed. + + All Recipient's rights under this Agreement shall terminate if it + fails to comply with any of the material terms or conditions of this + Agreement and does not cure such failure in a reasonable period of + time after becoming aware of such noncompliance. If all Recipient's + rights under this Agreement terminate, Recipient agrees to cease use + and distribution of the Program as soon as reasonably practicable. + However, Recipient's obligations under this Agreement and any licenses + granted by Recipient relating to the Program shall continue and survive. + + Everyone is permitted to copy and distribute copies of this Agreement, + but in order to avoid inconsistency the Agreement is copyrighted and + may only be modified in the following manner. The Agreement Steward + reserves the right to publish new versions (including revisions) of + this Agreement from time to time. No one other than the Agreement + Steward has the right to modify this Agreement. The Eclipse Foundation + is the initial Agreement Steward. The Eclipse Foundation may assign the + responsibility to serve as the Agreement Steward to a suitable separate + entity. Each new version of the Agreement will be given a distinguishing + version number. 
The Program (including Contributions) may always be + Distributed subject to the version of the Agreement under which it was + received. In addition, after a new version of the Agreement is published, + Contributor may elect to Distribute the Program (including its + Contributions) under the new version. + + Except as expressly stated in Sections 2(a) and 2(b) above, Recipient + receives no rights or licenses to the intellectual property of any + Contributor under this Agreement, whether expressly, by implication, + estoppel or otherwise. All rights in the Program not expressly granted + under this Agreement are reserved. Nothing in this Agreement is intended + to be enforceable by any entity that is not a Contributor or Recipient. + No third-party beneficiary rights are created under this Agreement. + + Exhibit A - Form of Secondary Licenses Notice + + "This Source Code may also be made available under the following + Secondary Licenses when the conditions for such availability set forth + in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), + version(s), and exceptions or additional permissions here}." + + Simply including a copy of this Agreement, including this Exhibit A + is not sufficient to license the Source Code under Secondary Licenses. + + If it is not possible or desirable to put the notice in a particular + file, then You may include the notice in a location (such as a LICENSE + file in a relevant directory) where a recipient would be likely to + look for such a notice. + + You may add additional accurate notices of copyright ownership. + +--- + +## The GNU General Public License (GPL) Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor + Boston, MA 02110-1335 + USA + + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. 
+ + Preamble + + The licenses for most software are designed to take away your freedom to + share and change it. By contrast, the GNU General Public License is + intended to guarantee your freedom to share and change free software--to + make sure the software is free for all its users. This General Public + License applies to most of the Free Software Foundation's software and + to any other program whose authors commit to using it. (Some other Free + Software Foundation software is covered by the GNU Library General + Public License instead.) You can apply it to your programs, too. + + When we speak of free software, we are referring to freedom, not price. + Our General Public Licenses are designed to make sure that you have the + freedom to distribute copies of free software (and charge for this + service if you wish), that you receive source code or can get it if you + want it, that you can change the software or use pieces of it in new + free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid anyone + to deny you these rights or to ask you to surrender the rights. These + restrictions translate to certain responsibilities for you if you + distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether gratis + or for a fee, you must give the recipients all the rights that you have. + You must make sure that they, too, receive or can get the source code. + And you must show them these terms so they know their rights. + + We protect your rights with two steps: (1) copyright the software, and + (2) offer you this license which gives you legal permission to copy, + distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain + that everyone understands that there is no warranty for this free + software. 
If the software is modified by someone else and passed on, we + want its recipients to know that what they have is not the original, so + that any problems introduced by others will not reflect on the original + authors' reputations. + + Finally, any free program is threatened constantly by software patents. + We wish to avoid the danger that redistributors of a free program will + individually obtain patent licenses, in effect making the program + proprietary. To prevent this, we have made it clear that any patent must + be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and + modification follow. + + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains a + notice placed by the copyright holder saying it may be distributed under + the terms of this General Public License. The "Program", below, refers + to any such program or work, and a "work based on the Program" means + either the Program or any derivative work under copyright law: that is + to say, a work containing the Program or a portion of it, either + verbatim or with modifications and/or translated into another language. + (Hereinafter, translation is included without limitation in the term + "modification".) Each licensee is addressed as "you". + + Activities other than copying, distribution and modification are not + covered by this License; they are outside its scope. The act of running + the Program is not restricted, and the output from the Program is + covered only if its contents constitute a work based on the Program + (independent of having been made by running the Program). Whether that + is true depends on what the Program does. + + 1. 
You may copy and distribute verbatim copies of the Program's source + code as you receive it, in any medium, provided that you conspicuously + and appropriately publish on each copy an appropriate copyright notice + and disclaimer of warranty; keep intact all the notices that refer to + this License and to the absence of any warranty; and give any other + recipients of the Program a copy of this License along with the Program. + + You may charge a fee for the physical act of transferring a copy, and + you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion of + it, thus forming a work based on the Program, and copy and distribute + such modifications or work under the terms of Section 1 above, provided + that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any part + thereof, to be licensed as a whole at no charge to all third parties + under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a notice + that there is no warranty (or else, saying that you provide a + warranty) and that users may redistribute the program under these + conditions, and telling the user how to view a copy of this License. + (Exception: if the Program itself is interactive but does not + normally print such an announcement, your work based on the Program + is not required to print an announcement.) + + These requirements apply to the modified work as a whole. 
If + identifiable sections of that work are not derived from the Program, and + can be reasonably considered independent and separate works in + themselves, then this License, and its terms, do not apply to those + sections when you distribute them as separate works. But when you + distribute the same sections as part of a whole which is a work based on + the Program, the distribution of the whole must be on the terms of this + License, whose permissions for other licensees extend to the entire + whole, and thus to each and every part regardless of who wrote it. + + Thus, it is not the intent of this section to claim rights or contest + your rights to work written entirely by you; rather, the intent is to + exercise the right to control the distribution of derivative or + collective works based on the Program. + + In addition, mere aggregation of another work not based on the Program + with the Program (or with a work based on the Program) on a volume of a + storage or distribution medium does not bring the other work under the + scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, + under Section 2) in object code or executable form under the terms of + Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections 1 + and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your cost + of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to + distribute corresponding source code. 
(This alternative is allowed + only for noncommercial distribution and only if you received the + program in object code or executable form with such an offer, in + accord with Subsection b above.) + + The source code for a work means the preferred form of the work for + making modifications to it. For an executable work, complete source code + means all the source code for all modules it contains, plus any + associated interface definition files, plus the scripts used to control + compilation and installation of the executable. However, as a special + exception, the source code distributed need not include anything that is + normally distributed (in either source or binary form) with the major + components (compiler, kernel, and so on) of the operating system on + which the executable runs, unless that component itself accompanies the + executable. + + If distribution of executable or object code is made by offering access + to copy from a designated place, then offering equivalent access to copy + the source code from the same place counts as distribution of the source + code, even though third parties are not compelled to copy the source + along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program + except as expressly provided under this License. Any attempt otherwise + to copy, modify, sublicense or distribute the Program is void, and will + automatically terminate your rights under this License. However, parties + who have received copies, or rights, from you under this License will + not have their licenses terminated so long as such parties remain in + full compliance. + + 5. You are not required to accept this License, since you have not + signed it. However, nothing else grants you permission to modify or + distribute the Program or its derivative works. These actions are + prohibited by law if you do not accept this License. 
Therefore, by + modifying or distributing the Program (or any work based on the + Program), you indicate your acceptance of this License to do so, and all + its terms and conditions for copying, distributing or modifying the + Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the + Program), the recipient automatically receives a license from the + original licensor to copy, distribute or modify the Program subject to + these terms and conditions. You may not impose any further restrictions + on the recipients' exercise of the rights granted herein. You are not + responsible for enforcing compliance by third parties to this License. + + 7. If, as a consequence of a court judgment or allegation of patent + infringement or for any other reason (not limited to patent issues), + conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot distribute + so as to satisfy simultaneously your obligations under this License and + any other pertinent obligations, then as a consequence you may not + distribute the Program at all. For example, if a patent license would + not permit royalty-free redistribution of the Program by all those who + receive copies directly or indirectly through you, then the only way you + could satisfy both it and this License would be to refrain entirely from + distribution of the Program. + + If any portion of this section is held invalid or unenforceable under + any particular circumstance, the balance of the section is intended to + apply and the section as a whole is intended to apply in other + circumstances. 
+ + It is not the purpose of this section to induce you to infringe any + patents or other property right claims or to contest validity of any + such claims; this section has the sole purpose of protecting the + integrity of the free software distribution system, which is implemented + by public license practices. Many people have made generous + contributions to the wide range of software distributed through that + system in reliance on consistent application of that system; it is up to + the author/donor to decide if he or she is willing to distribute + software through any other system and a licensee cannot impose that choice. + + This section is intended to make thoroughly clear what is believed to be + a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in + certain countries either by patents or by copyrighted interfaces, the + original copyright holder who places the Program under this License may + add an explicit geographical distribution limitation excluding those + countries, so that distribution is permitted only in or among countries + not thus excluded. In such case, this License incorporates the + limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new + versions of the General Public License from time to time. Such new + versions will be similar in spirit to the present version, but may + differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the Program + specifies a version number of this License which applies to it and "any + later version", you have the option of following the terms and + conditions either of that version or of any later version published by + the Free Software Foundation. If the Program does not specify a version + number of this License, you may choose any version ever published by the + Free Software Foundation. + + 10. 
If you wish to incorporate parts of the Program into other free + programs whose distribution conditions are different, write to the + author to ask for permission. For software which is copyrighted by the + Free Software Foundation, write to the Free Software Foundation; we + sometimes make exceptions for this. Our decision will be guided by the + two goals of preserving the free status of all derivatives of our free + software and of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO + WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. + EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR + OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, + EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE + ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH + YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL + NECESSARY SERVICING, REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN + WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY + AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR + DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL + DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM + (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF + THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR + OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
+ + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest + possible use to the public, the best way to achieve this is to make it + free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest to + attach them to the start of each source file to most effectively convey + the exclusion of warranty; and each file should have at least the + "copyright" line and a pointer to where the full notice is found. + + One line to give the program's name and a brief idea of what it does. + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA + + Also add information on how to contact you by electronic and paper mail. + + If the program is interactive, make it output a short notice like this + when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type + `show w'. This is free software, and you are welcome to redistribute + it under certain conditions; type `show c' for details. + + The hypothetical commands `show w' and `show c' should show the + appropriate parts of the General Public License. 
Of course, the commands + you use may be called something other than `show w' and `show c'; they + could even be mouse-clicks or menu items--whatever suits your program. + + You should also get your employer (if you work as a programmer) or your + school, if any, to sign a "copyright disclaimer" for the program, if + necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + program `Gnomovision' (which makes passes at compilers) written by + James Hacker. + + signature of Ty Coon, 1 April 1989 + Ty Coon, President of Vice + + This General Public License does not permit incorporating your program + into proprietary programs. If your program is a subroutine library, you + may consider it more useful to permit linking proprietary applications + with the library. If this is what you want to do, use the GNU Library + General Public License instead of this License. + +--- + +## CLASSPATH EXCEPTION + + Linking this library statically or dynamically with other modules is + making a combined work based on this library. Thus, the terms and + conditions of the GNU General Public License version 2 cover the whole + combination. + + As a special exception, the copyright holders of this library give you + permission to link this library with independent modules to produce an + executable, regardless of the license terms of these independent + modules, and to copy and distribute the resulting executable under + terms of your choice, provided that you also meet, for each linked + independent module, the terms and conditions of the license of that + module. An independent module is a module which is not derived from or + based on this library. If you modify this library, you may extend this + exception to your version of the library, but you are not obligated to + do so. If you do not wish to do so, delete this exception statement + from your version. 
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt
new file mode 100644
index 0000000000000..9a5159e29c9e3
--- /dev/null
+++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt
@@ -0,0 +1,50 @@ +# Notices for Eclipse Project for JavaMail + +This content is produced and maintained by the Eclipse Project for JavaMail +project. + +* Project home: https://projects.eclipse.org/projects/ee4j.javamail + +## Trademarks + +Eclipse Project for JavaMail is a trademark of the Eclipse Foundation. + +## Copyright + +All content is the property of the respective authors or their employers. For +more information regarding authorship of content, please consult the listed +source code repository logs. + +## Declared Project Licenses + +This program and the accompanying materials are made available under the terms +of the Eclipse Public License v. 2.0 which is available at +http://www.eclipse.org/legal/epl-2.0. This Source Code may also be made +available under the following Secondary Licenses when the conditions for such +availability set forth in the Eclipse Public License v. 2.0 are satisfied: GNU +General Public License, version 2 with the GNU Classpath Exception which is +available at https://www.gnu.org/software/classpath/license.html. + +SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + +## Source Code + +The project maintains the following source code repositories: + +* https://github.com/eclipse-ee4j/javamail + +## Third-party Content + +This project leverages the following third party content. + +None + +## Cryptography + +Content may contain encryption software. The country in which you are currently +may have restrictions on the import, possession, and use, and/or re-export to +another country, of encryption software. BEFORE using any encryption software, +please check the country's laws, regulations and policies concerning the import, +possession, or use, and re-export of encryption software, to see if this is +permitted. + 
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-NOTICE.txt new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt new file mode 100644 index 0000000000000..d645695673349 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-NOTICE.txt new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt new file mode 100644 index 0000000000000..d645695673349 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt new file mode 100644 index 0000000000000..37a85f6850d57 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt 
@@ -0,0 +1,14 @@
+Nimbus Language Tags
+
+Copyright 2012-2016, Connect2id Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt new file mode 100644 index 0000000000000..5e111b04cfc45 --- /dev/null +++ b/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt 
@@ -0,0 +1,14 @@ +Nimbus OAuth 2.0 SDK with OpenID Connect extensions + +Copyright 2012-2018, Connect2id Ltd and contributors. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use +this file except in compliance with the License. You may obtain a copy of the +License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed +under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. See the License for the +specific language governing permissions and limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java index 57a941d4645db..5a0924ed32c2f 100644 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java @@ -8,6 +8,7 @@ module org.elasticsearch.jose { requires org.elasticsearch.server; requires com.nimbusds.jose.jwt; + requires oauth2.oidc.sdk; - exports org.elasticsearch.jose; + exports org.elasticsearch.nimbus; } diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimubsWrapper.java similarity index 96% rename from x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java rename to x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimubsWrapper.java index a03dda55a3080..c63a4575033df 100644 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/jose/JoseWrapper.java +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimubsWrapper.java 
@@ -5,7 +5,7 @@ * 2.0. */ -package org.elasticsearch.jose; +package org.elasticsearch.nimbus; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.util.Base64URL; @@ -26,10 +26,10 @@ * Can't do these operations inline with giving too much access due to how the security manager calculates the stack for lambda expressions. * Isolating the calls here allows for least privilege access to this helper jar. */ -public class JoseWrapper { +public class NimubsWrapper { // utility class - private JoseWrapper() {} + private NimubsWrapper() {} public static String getHeaderAsString(SignedJWT signedJWT) { SpecialPermission.check(); diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java index b4fbd6c8fc7f3..106afacc2fabe 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java @@ -30,7 +30,7 @@ import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.core.Strings; import org.elasticsearch.core.TimeValue; -import org.elasticsearch.jose.JoseWrapper; +import org.elasticsearch.nimbus.NimubsWrapper; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.PluginsService; import org.elasticsearch.test.SecuritySettingsSource; 
@@ -711,7 +711,7 @@ static SignedJWT getSignedJWT(JWTClaimsSet claimsSet, byte[] hmacKeyBytes) throw JWSHeader jwtHeader = new JWSHeader.Builder(JWSAlgorithm.HS256).build(); OctetSequenceKey.Builder jwt0signer = new OctetSequenceKey.Builder(hmacKeyBytes); jwt0signer.algorithm(JWSAlgorithm.HS256); - SignedJWT jwt = JoseWrapper.newSignedJwt(jwtHeader, claimsSet); + SignedJWT jwt = NimubsWrapper.newSignedJwt(jwtHeader, claimsSet); jwt.sign(new MACSigner(jwt0signer.build())); return jwt; } @@ -765,7 +765,7 @@ private SignedJWT getSignedJWT(Map m) throws ParseException { claimsMap.put("exp", now.plus(randomIntBetween(-1, 1), ChronoUnit.DAYS).getEpochSecond()); final JWTClaimsSet claimsSet = JWTClaimsSet.parse(claimsMap); - final SignedJWT signedJWT = JoseWrapper.newSignedJWT(Map.of("alg", randomAlphaOfLengthBetween(5, 10)), claimsSet, "signature"); + final SignedJWT signedJWT = NimubsWrapper.newSignedJWT(Map.of("alg", randomAlphaOfLengthBetween(5, 10)), claimsSet, "signature"); return signedJWT; } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java index 3cba7c8642cc8..06052be3f1c7f 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java @@ -25,8 +25,8 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.core.Releasable; import org.elasticsearch.core.TimeValue; -import org.elasticsearch.jose.JoseWrapper; import org.elasticsearch.license.XPackLicenseState; +import org.elasticsearch.nimbus.NimubsWrapper; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.AuthenticationToken; import org.elasticsearch.xpack.core.security.authc.Realm; 
@@ -264,9 +264,9 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac + "] JWT validation failed for token=[" + tokenPrincipal + "] with header [" - + JoseWrapper.getHeaderAsString(jwtAuthenticationToken.getSignedJWT()) + + NimubsWrapper.getHeaderAsString(jwtAuthenticationToken.getSignedJWT()) + "] and claimSet [" - + JoseWrapper.getClaimsSetAsString(jwtAuthenticationToken.getJWTClaimsSet()) + + NimubsWrapper.getClaimsSetAsString(jwtAuthenticationToken.getJWTClaimsSet()) + "]"; if (logger.isTraceEnabled()) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java index 35878c3edb75b..8cf02701819b1 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java @@ -279,7 +279,9 @@ private void doGetUserClaims( if (LOGGER.isDebugEnabled()) { LOGGER.debug("ID Token Header: {}", idToken.getHeader()); } - JWTClaimsSet verifiedIdTokenClaims = idTokenValidator.get().validate(idToken, expectedNonce).toJWTClaimsSet(); + JWTClaimsSet verifiedIdTokenClaims = AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> idTokenValidator.get().validate(idToken, expectedNonce).toJWTClaimsSet() + ); if (LOGGER.isTraceEnabled()) { LOGGER.trace("Received and validated the Id Token for the user: [{}]", verifiedIdTokenClaims); } 
@@ -298,24 +300,34 @@ private void doGetUserClaims( } claimsListener.onResponse(enrichedVerifiedIdTokenClaims); } - } catch (BadJOSEException e) { - // We only try to update the cached JWK set once if a remote source is used and - // RSA or ECDSA is used for signatures - if (shouldRetry - && JWSAlgorithm.Family.HMAC_SHA.contains(rpConfig.getSignatureAlgorithm()) == false - && opConfig.getJwkSetPath().startsWith("https://")) { - ((ReloadableJWKSource) ((JWSVerificationKeySelector) idTokenValidator.get().getJWSKeySelector()).getJWKSource()) - .triggerReload(ActionListener.wrap(v -> { - getUserClaims(accessToken, idToken, expectedNonce, false, claimsListener); - }, ex -> { - LOGGER.debug("Attempted and failed to refresh JWK cache upon token validation failure", e); - claimsListener.onFailure(ex); - })); + } catch (PrivilegedActionException exception) { + Exception innerException = exception.getException(); + if (innerException instanceof BadJOSEException e) { + // We only try to update the cached JWK set once if a remote source is used and + // RSA or ECDSA is used for signatures + if (shouldRetry + && JWSAlgorithm.Family.HMAC_SHA.contains(rpConfig.getSignatureAlgorithm()) == false + && opConfig.getJwkSetPath().startsWith("https://")) { + ((ReloadableJWKSource) ((JWSVerificationKeySelector) idTokenValidator.get().getJWSKeySelector()).getJWKSource()) + .triggerReload(ActionListener.wrap(v -> { + getUserClaims(accessToken, idToken, expectedNonce, false, claimsListener); + }, ex -> { + LOGGER.debug("Attempted and failed to refresh JWK cache upon token validation failure", e); + claimsListener.onFailure(ex); + })); + } else { + LOGGER.debug("Failed to parse or validate the ID Token", e); + claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e)); + } } else { - LOGGER.debug("Failed to parse or validate the ID Token", e); - claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID 
Token", e)); + LOGGER.debug( + () -> format("ID Token: [%s], Nonce: [%s]", JwtUtil.toStringRedactSignature(idToken).get(), expectedNonce.toString()), + innerException + ); + claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", innerException)); } - } catch (com.nimbusds.oauth2.sdk.ParseException | ParseException | JOSEException e) { + + } catch (ParseException e) { LOGGER.debug( () -> format("ID Token: [%s], Nonce: [%s]", JwtUtil.toStringRedactSignature(idToken).get(), expectedNonce.toString()), e From 0edae4a0c40231d74e5ae6c98f8aeca75506ea24 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 6 Aug 2024 19:17:51 -0600 Subject: [PATCH 23/47] Fix typo + wrap one more thing --- .../src/main/java/module-info.java | 2 +- ...{NimubsWrapper.java => NimbusWrapper.java} | 27 ++++++++++- .../authc/jwt/JwtRealmSingleNodeTests.java | 6 +-- .../security/src/main/java/module-info.java | 2 +- .../xpack/security/authc/jwt/JwtRealm.java | 6 +-- .../oidc/OpenIdConnectAuthenticator.java | 47 +++++++------------ 6 files changed, 51 insertions(+), 39 deletions(-) rename x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/{NimubsWrapper.java => NimbusWrapper.java} (70%) diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java index 5a0924ed32c2f..80393ef57768a 100644 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java @@ -5,7 +5,7 @@ * 2.0. */ -module org.elasticsearch.jose { +module org.elasticsearch.nimbus { requires org.elasticsearch.server; requires com.nimbusds.jose.jwt; requires oauth2.oidc.sdk; 
diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimubsWrapper.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java similarity index 70% rename from x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimubsWrapper.java rename to x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java index c63a4575033df..5b1bba5fe1c72 100644 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimubsWrapper.java +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java @@ -7,11 +7,17 @@ package org.elasticsearch.nimbus; +import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSHeader; +import com.nimbusds.jose.proc.BadJOSEException; import com.nimbusds.jose.util.Base64URL; +import com.nimbusds.jwt.JWT; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; +import com.nimbusds.openid.connect.sdk.Nonce; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import org.elasticsearch.ElasticsearchException; import org.elasticsearch.SpecialPermission; import java.security.AccessController; @@ -26,10 +32,10 @@ * Can't do these operations inline with giving too much access due to how the security manager calculates the stack for lambda expressions. * Isolating the calls here allows for least privilege access to this helper jar. */ -public class NimubsWrapper { +public class NimbusWrapper { // utility class - private NimubsWrapper() {} + private NimbusWrapper() {} public static String getHeaderAsString(SignedJWT signedJWT) { SpecialPermission.check(); 
@@ -42,6 +48,23 @@ public static String getClaimsSetAsString(JWTClaimsSet jwtClaimsSet) {
 return AccessController.doPrivileged((PrivilegedAction) jwtClaimsSet::toString);
 }
 
+ public static JWTClaimsSet verifyTokenClaims(IDTokenValidator validator, JWT idToken, Nonce nonce) throws BadJOSEException,
+ JOSEException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> validator.validate(idToken, nonce).toJWTClaimsSet()
+ );
+ } catch (PrivilegedActionException exception) {
+ if (exception.getCause() instanceof BadJOSEException e) {
+ throw e;
+ } else if (exception.getCause() instanceof JOSEException e) {
+ throw e;
+ } else {
+ throw new ElasticsearchException(exception);
+ }
+ }
+ }
+
 // only used in tests
 public static SignedJWT newSignedJwt(JWSHeader header, JWTClaimsSet claimsSet) {
 SpecialPermission.check();
diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java
index 106afacc2fabe..360f8ea1b791f 100644
--- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java
+++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java
@@ -30,7 +30,7 @@
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.core.Strings;
 import org.elasticsearch.core.TimeValue;
-import org.elasticsearch.nimbus.NimubsWrapper;
+import org.elasticsearch.nimbus.NimbusWrapper;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.plugins.PluginsService;
 import org.elasticsearch.test.SecuritySettingsSource;
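Review bot: `verifyTokenClaims` elevates with `AccessController.doPrivileged` without first calling `SpecialPermission.check()`, unlike the other wrappers in this class (`getHeaderAsString` and `newSignedJwt` both open with it), so the SecurityManager check that the class Javadoc's least-privilege isolation relies on is skipped for the one method that validates untrusted ID tokens; add `SpecialPermission.check();` as the first statement before the `try`. The fallback branch also wraps the outer `PrivilegedActionException` rather than its cause, and reads `getCause()` where the sibling methods use `getException()`; `throw new ElasticsearchException(exception.getException());` keeps the reported cause and the style consistent. The enclosing class continues outside the hunk.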
@@ -711,7 +711,7 @@ static SignedJWT getSignedJWT(JWTClaimsSet claimsSet, byte[] hmacKeyBytes) throw JWSHeader jwtHeader = new JWSHeader.Builder(JWSAlgorithm.HS256).build(); OctetSequenceKey.Builder jwt0signer = new OctetSequenceKey.Builder(hmacKeyBytes); jwt0signer.algorithm(JWSAlgorithm.HS256); - SignedJWT jwt = NimubsWrapper.newSignedJwt(jwtHeader, claimsSet); + SignedJWT jwt = NimbusWrapper.newSignedJwt(jwtHeader, claimsSet); jwt.sign(new MACSigner(jwt0signer.build())); return jwt; } @@ -765,7 +765,7 @@ private SignedJWT getSignedJWT(Map m) throws ParseException { claimsMap.put("exp", now.plus(randomIntBetween(-1, 1), ChronoUnit.DAYS).getEpochSecond()); final JWTClaimsSet claimsSet = JWTClaimsSet.parse(claimsMap); - final SignedJWT signedJWT = NimubsWrapper.newSignedJWT(Map.of("alg", randomAlphaOfLengthBetween(5, 10)), claimsSet, "signature"); + final SignedJWT signedJWT = NimbusWrapper.newSignedJWT(Map.of("alg", randomAlphaOfLengthBetween(5, 10)), claimsSet, "signature"); return signedJWT; } diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java index 3377e187a383e..8d74da1034b7b 100644 --- a/x-pack/plugin/security/src/main/java/module-info.java +++ b/x-pack/plugin/security/src/main/java/module-info.java @@ -49,7 +49,7 @@ requires oauth2.oidc.sdk; requires org.slf4j; requires unboundid.ldapsdk; - requires org.elasticsearch.jose; + requires org.elasticsearch.nimbus; exports org.elasticsearch.xpack.security.action to org.elasticsearch.server; exports org.elasticsearch.xpack.security.action.apikey to org.elasticsearch.server; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java index 06052be3f1c7f..f3b41b5cdd81d 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java 
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java @@ -26,7 +26,7 @@ import org.elasticsearch.core.Releasable; import org.elasticsearch.core.TimeValue; import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.nimbus.NimubsWrapper; +import org.elasticsearch.nimbus.NimbusWrapper; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.AuthenticationToken; import org.elasticsearch.xpack.core.security.authc.Realm; @@ -264,9 +264,9 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac + "] JWT validation failed for token=[" + tokenPrincipal + "] with header [" - + NimubsWrapper.getHeaderAsString(jwtAuthenticationToken.getSignedJWT()) + + NimbusWrapper.getHeaderAsString(jwtAuthenticationToken.getSignedJWT()) + "] and claimSet [" - + NimubsWrapper.getClaimsSetAsString(jwtAuthenticationToken.getJWTClaimsSet()) + + NimbusWrapper.getClaimsSetAsString(jwtAuthenticationToken.getJWTClaimsSet()) + "]"; if (logger.isTraceEnabled()) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java index 8cf02701819b1..c4959c3ef8733 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java @@ -85,6 +85,7 @@ import org.elasticsearch.core.CheckedRunnable; import org.elasticsearch.core.Nullable; import org.elasticsearch.core.Tuple; +import org.elasticsearch.nimbus.NimbusWrapper; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; 
@@ -279,9 +280,7 @@ private void doGetUserClaims(
 if (LOGGER.isDebugEnabled()) {
 LOGGER.debug("ID Token Header: {}", idToken.getHeader());
 }
- JWTClaimsSet verifiedIdTokenClaims = AccessController.doPrivileged(
- (PrivilegedExceptionAction) () -> idTokenValidator.get().validate(idToken, expectedNonce).toJWTClaimsSet()
- );
+ JWTClaimsSet verifiedIdTokenClaims = NimbusWrapper.verifyTokenClaims(idTokenValidator.get(), idToken, expectedNonce);
 if (LOGGER.isTraceEnabled()) {
 LOGGER.trace("Received and validated the Id Token for the user: [{}]", verifiedIdTokenClaims);
 }
@@ -300,34 +299,24 @@ private void doGetUserClaims( } claimsListener.onResponse(enrichedVerifiedIdTokenClaims); } - } catch (PrivilegedActionException exception) { - Exception innerException = exception.getException(); - if (innerException instanceof BadJOSEException e) { - // We only try to update the cached JWK set once if a remote source is used and - // RSA or ECDSA is used for signatures - if (shouldRetry - && JWSAlgorithm.Family.HMAC_SHA.contains(rpConfig.getSignatureAlgorithm()) == false - && opConfig.getJwkSetPath().startsWith("https://")) { - ((ReloadableJWKSource) ((JWSVerificationKeySelector) idTokenValidator.get().getJWSKeySelector()).getJWKSource()) - .triggerReload(ActionListener.wrap(v -> { - getUserClaims(accessToken, idToken, expectedNonce, false, claimsListener); - }, ex -> { - LOGGER.debug("Attempted and failed to refresh JWK cache upon token validation failure", e); - claimsListener.onFailure(ex); - })); - } else { - LOGGER.debug("Failed to parse or validate the ID Token", e); - claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e)); - } + } catch (BadJOSEException e) { + // We only try to update the cached JWK set once if a remote source is used and + // RSA or ECDSA is used for signatures + if (shouldRetry + && JWSAlgorithm.Family.HMAC_SHA.contains(rpConfig.getSignatureAlgorithm()) == false + && opConfig.getJwkSetPath().startsWith("https://")) { + ((ReloadableJWKSource) ((JWSVerificationKeySelector) idTokenValidator.get().getJWSKeySelector()).getJWKSource()) + .triggerReload(ActionListener.wrap(v -> { + getUserClaims(accessToken, idToken, expectedNonce, false, claimsListener); + }, ex -> { + LOGGER.debug("Attempted and failed to refresh JWK cache upon token validation failure", e); + claimsListener.onFailure(ex); + })); } else { - LOGGER.debug( - () -> format("ID Token: [%s], Nonce: [%s]", JwtUtil.toStringRedactSignature(idToken).get(), expectedNonce.toString()), - innerException - ); - 
claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", innerException)); + LOGGER.debug("Failed to parse or validate the ID Token", e); + claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e)); } - - } catch (ParseException e) { + } catch (ParseException | JOSEException e) { LOGGER.debug( () -> format("ID Token: [%s], Nonce: [%s]", JwtUtil.toStringRedactSignature(idToken).get(), expectedNonce.toString()), e From 0a2fdba95c156a5101491daeb196a04593561a03 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 6 Aug 2024 20:09:54 -0600 Subject: [PATCH 24/47] Another wrapper + a bit of cleanup --- .../elasticsearch/nimbus/NimbusWrapper.java | 20 +++++++++++++++++-- .../authc/jwt/JwtRealmSingleNodeTests.java | 2 +- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java index 5b1bba5fe1c72..998c1a3f892c0 100644 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java 
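Review bot: Neither catch clause here handles the unchecked `ElasticsearchException` that `NimbusWrapper.verifyTokenClaims` throws when the privileged action fails with something other than `BadJOSEException` or `JOSEException`, so that case propagates out of `doGetUserClaims` instead of reaching `claimsListener.onFailure` the way the `ParseException | JOSEException` branch does; unless an outer handler covers it (the method's body continues outside the hunk), either catch it alongside `ParseException | JOSEException` or narrow the wrapper so only causes this method names can come back. Separately, the multi-catch no longer lists `com.nimbusds.oauth2.sdk.ParseException`, which the pre-series code caught at this spot; if nothing in the try block can throw it after the SDK upgrade, a one-line comment such as `// oauth2.sdk.ParseException is no longer thrown inside this block` would save the next reader re-deriving that.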
@@ -82,9 +82,25 @@ public static SignedJWT newSignedJWT(Map header, JWTClaimsSet cl Base64URL.encode(signatureUrl) ) ); - } catch (PrivilegedActionException ex) { - throw (ParseException) ex.getException(); + } catch (PrivilegedActionException e) { + if (e.getException() instanceof ParseException ex) { + throw ex; + } else { + throw new RuntimeException(e.getException()); + } } + } + public static Base64URL parseHeader(Map header) throws ParseException { + SpecialPermission.check(); + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) ()-> JWSHeader.parse(header).toBase64URL()); + } catch (PrivilegedActionException e) { + if (e.getException() instanceof ParseException ex) { + throw ex; + } else { + throw new RuntimeException(e.getException()); + } + } } } diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java index 360f8ea1b791f..99d873859ad17 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java @@ -455,7 +455,7 @@ public void testJwtRealmThrowsErrorOnJwtParsingFailure() throws ParseException { // Payload is not JSON final SignedJWT signedJWT2 = new SignedJWT( - JWSHeader.parse(Map.of("alg", randomAlphaOfLengthBetween(5, 10))).toBase64URL(), + NimbusWrapper.parseHeader(Map.of("alg", randomAlphaOfLengthBetween(5, 10))), Base64URL.encode("payload"), Base64URL.encode("signature") ); From f024591d7be1d1092840dd98db9dda1b5628ff51 Mon Sep 17 00:00:00 2001 
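Review bot: Both new `else` branches wrap `e.getException()` in a bare `RuntimeException`, while `verifyTokenClaims` in the same class wraps an unexpected cause in `ElasticsearchException`; use one type across the wrappers, e.g. `throw new ElasticsearchException(e.getException());`, so callers and log output see the same failure shape. `parseHeader` is added without any comment although its only caller in this commit is `JwtRealmSingleNodeTests`; give it the `// only used in tests` marker that `newSignedJwt` carries, and a blank line before the declaration (the hunk adds none between the two methods). The enclosing class starts outside the hunk.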
From: Athena Brown Date: Tue, 6 Aug 2024 20:23:11 -0600 Subject: [PATCH 25/47] spotless --- .../java/org/elasticsearch/nimbus/NimbusWrapper.java | 2 +- .../xpack/security/authc/jwt/JwtAuthenticator.java | 12 +----------- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java index 998c1a3f892c0..678bf22ec4ad7 100644 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java +++ b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java @@ -94,7 +94,7 @@ public static SignedJWT newSignedJWT(Map header, JWTClaimsSet cl public static Base64URL parseHeader(Map header) throws ParseException { SpecialPermission.check(); try { - return AccessController.doPrivileged((PrivilegedExceptionAction) ()-> JWSHeader.parse(header).toBase64URL()); + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> JWSHeader.parse(header).toBase64URL()); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException ex) { throw ex; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java index e3ebd4dc1c625..0114944567131 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java 
@@ -13,7 +13,6 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.elasticsearch.SpecialPermission; import org.elasticsearch.action.ActionListener; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.core.Nullable; @@ -23,8 +22,6 @@ import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings; import org.elasticsearch.xpack.core.ssl.SSLService; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.time.Clock; import java.util.ArrayList; import java.util.List; @@ -69,14 +66,7 @@ public JwtAuthenticator( public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener listener) { // nimbus-jose-jwt uses reflection under the hood - SpecialPermission.check(); - AccessController.doPrivileged((PrivilegedAction) () -> { - doAuthenticate(jwtAuthenticationToken, listener); - return null; - }); - } - - private void doAuthenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener listener) { + // SpecialPermission.check(); final String tokenPrincipal = jwtAuthenticationToken.principal(); // JWT cache final SignedJWT signedJWT = jwtAuthenticationToken.getSignedJWT(); From b573ceaa2d7e28ec7ffb1db756919fc78d3816b9 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Wed, 7 Aug 2024 16:33:28 -0600 Subject: [PATCH 26/47] Include system property necessary for unit tests --- x-pack/plugin/security/build.gradle | 2 ++ 1 file changed, 2 insertions(+) diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 15e3b73fffd96..db13aec0f20d3 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle 
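Review bot: With the `doPrivileged` wrapper removed, the rest of `authenticate` (its body continues outside the hunk) now runs with the caller's permissions, so, if I read the series right, every nimbus-jose-jwt call on that path has to go through `NimbusWrapper` to keep working under the SecurityManager; a comment stating that invariant where the wrapper used to be would stop a direct nimbus call from being reintroduced here, e.g. `// Runs unprivileged: nimbus calls that need elevation go through NimbusWrapper.` Whether the existing tests exercise this path with the SecurityManager enabled is not visible from the hunk and is worth confirming.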
@@ -462,7 +462,9 @@ tasks.register('testNoSecurityManager', Test) { classpath = sourceSets.test.runtimeClasspath include noSecurityManagerClasses systemProperty 'tests.security.manager', 'false' + systemProperty 'es.insecure_network_trace_enabled', 'true' } + tasks.named("check").configure { dependsOn 'testNoSecurityManager' } tasks.named('test').configure { From 66fb729a810b237544b885bb330e3a00797708d0 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Wed, 7 Aug 2024 16:34:03 -0600 Subject: [PATCH 27/47] Put testNoSecurityManager next to test --- x-pack/plugin/security/build.gradle | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index db13aec0f20d3..a9ed87da17153 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -158,6 +158,14 @@ tasks.named("test").configure { systemProperty 'es.insecure_network_trace_enabled', 'true' } +tasks.register('testNoSecurityManager', Test) { + testClassesDirs = sourceSets.test.output.classesDirs + classpath = sourceSets.test.runtimeClasspath + include noSecurityManagerClasses + systemProperty 'tests.security.manager', 'false' + systemProperty 'es.insecure_network_trace_enabled', 'true' +} + tasks.named("processInternalClusterTestResources").configure { from(project(xpackModule('core')).file('src/main/config')) from(project(xpackModule('core')).file('src/test/resources')) @@ -457,14 +465,6 @@ String[] noSecurityManagerClasses = [ "**/OpenIdConnectRealmTests.class", ] -tasks.register('testNoSecurityManager', Test) { - testClassesDirs = sourceSets.test.output.classesDirs - classpath = sourceSets.test.runtimeClasspath - include noSecurityManagerClasses - systemProperty 'tests.security.manager', 'false' - systemProperty 'es.insecure_network_trace_enabled', 'true' -} - tasks.named("check").configure { dependsOn 'testNoSecurityManager' } tasks.named('test').configure { 
From 4e96c29a006cfec6aa853ee0a9376c794549bcc1 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Wed, 7 Aug 2024 17:09:21 -0600 Subject: [PATCH 28/47] General cleanup --- .../security/authc/jwt/JwtAuthenticator.java | 2 -- .../authc/oidc/OpenIdConnectAuthenticator.java | 16 +--------------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java index 0114944567131..2345add07ba51 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java @@ -65,8 +65,6 @@ public JwtAuthenticator( } public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener listener) { - // nimbus-jose-jwt uses reflection under the hood - // SpecialPermission.check(); final String tokenPrincipal = jwtAuthenticationToken.principal(); // JWT cache final SignedJWT signedJWT = jwtAuthenticationToken.getSignedJWT(); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java index c4959c3ef8733..01e8585c29d11 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java 
@@ -254,27 +254,13 @@ public void authenticate(OpenIdConnectToken token, final ActionListener claimsListener - ) { - AccessController.doPrivileged((PrivilegedAction) () -> { - doGetUserClaims(accessToken, idToken, expectedNonce, shouldRetry, claimsListener); - return null; - }); - } - - @SuppressWarnings("unchecked") - private void doGetUserClaims( - AccessToken accessToken, - JWT idToken, - Nonce expectedNonce, - boolean shouldRetry, - ActionListener claimsListener ) { try { if (LOGGER.isDebugEnabled()) { From 7a7544a7259060702a55621c07d2dfc3523a7983 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Wed, 7 Aug 2024 17:09:31 -0600 Subject: [PATCH 29/47] Revert "Put testNoSecurityManager next to test" This reverts commit 66fb729a810b237544b885bb330e3a00797708d0. --- x-pack/plugin/security/build.gradle | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index a9ed87da17153..db13aec0f20d3 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -158,14 +158,6 @@ tasks.named("test").configure { systemProperty 'es.insecure_network_trace_enabled', 'true' } -tasks.register('testNoSecurityManager', Test) { - testClassesDirs = sourceSets.test.output.classesDirs - classpath = sourceSets.test.runtimeClasspath - include noSecurityManagerClasses - systemProperty 'tests.security.manager', 'false' - systemProperty 'es.insecure_network_trace_enabled', 'true' -} - tasks.named("processInternalClusterTestResources").configure { from(project(xpackModule('core')).file('src/main/config')) from(project(xpackModule('core')).file('src/test/resources')) 
@@ -465,6 +457,14 @@ String[] noSecurityManagerClasses = [ "**/OpenIdConnectRealmTests.class", ] +tasks.register('testNoSecurityManager', Test) { + testClassesDirs = sourceSets.test.output.classesDirs + classpath = sourceSets.test.runtimeClasspath + include noSecurityManagerClasses + systemProperty 'tests.security.manager', 'false' + systemProperty 'es.insecure_network_trace_enabled', 'true' +} + tasks.named("check").configure { dependsOn 'testNoSecurityManager' } tasks.named('test').configure { From 06cf7c44e3a854b6b2aec6275b98add99c011191 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Wed, 7 Aug 2024 17:35:20 -0600 Subject: [PATCH 30/47] Revert "General cleanup" This reverts commit 4e96c29a006cfec6aa853ee0a9376c794549bcc1. --- .../security/authc/jwt/JwtAuthenticator.java | 2 ++ .../authc/oidc/OpenIdConnectAuthenticator.java | 16 +++++++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java index 2345add07ba51..0114944567131 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java @@ -65,6 +65,8 @@ public JwtAuthenticator( } public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener listener) { + // nimbus-jose-jwt uses reflection under the hood + // SpecialPermission.check(); final String tokenPrincipal = jwtAuthenticationToken.principal(); // JWT cache final SignedJWT signedJWT = jwtAuthenticationToken.getSignedJWT(); 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java index 01e8585c29d11..c4959c3ef8733 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java @@ -254,13 +254,27 @@ public void authenticate(OpenIdConnectToken token, final ActionListener claimsListener + ) { + AccessController.doPrivileged((PrivilegedAction) () -> { + doGetUserClaims(accessToken, idToken, expectedNonce, shouldRetry, claimsListener); + return null; + }); + } + + @SuppressWarnings("unchecked") + private void doGetUserClaims( + AccessToken accessToken, + JWT idToken, + Nonce expectedNonce, + boolean shouldRetry, + ActionListener claimsListener ) { try { if (LOGGER.isDebugEnabled()) { From f91badf2811d93b874dfb133c77a95546636f4b9 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Wed, 7 Aug 2024 17:35:37 -0600 Subject: [PATCH 31/47] Remove comment --- .../xpack/security/authc/jwt/JwtAuthenticator.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java index 0114944567131..2345add07ba51 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java 
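Review bot: The restored `getUserClaims` places the whole of `doGetUserClaims` inside `AccessController.doPrivileged`, which is broader than necessary — everything the action does, including parsing of the ID token and claims that arrived from the remote party, runs with the plugin's own permissions rather than only the operation that needs them (presumably the outbound HTTP request), and narrowing the privileged block to that call limits what a parser bug can do under the security manager. Elasticsearch's convention is to call `SpecialPermission.check()` immediately before entering a privileged block (the same call appears, commented out, in the `JwtAuthenticator` hunk of this series), and no such call is visible in this hunk; the method's opening line and the body below `LOGGER.isDebugEnabled()` fall outside the hunk, so confirm it is present before `AccessController.doPrivileged(`. A one-line comment on the wrapper saying which permission the privileged action exists to satisfy would make the next "cleanup" less likely to remove it again.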
@@ -65,8 +65,6 @@ public JwtAuthenticator( } public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener listener) { - // nimbus-jose-jwt uses reflection under the hood - // SpecialPermission.check(); final String tokenPrincipal = jwtAuthenticationToken.principal(); // JWT cache final SignedJWT signedJWT = jwtAuthenticationToken.getSignedJWT(); From 44c569eeb9025ce2bfd46e71ac1510597634f853 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Fri, 9 Aug 2024 16:25:26 -0600 Subject: [PATCH 32/47] Remove unnecessary no-op module This require was added in a later version of nimbus-jose-jwt and was left over from the process of figuring out which version was usable. --- .../java/org/elasticsearch/server/cli/ServerProcessBuilder.java | 1 - 1 file changed, 1 deletion(-) diff --git a/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java b/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java index 6832d3de9db56..fcc290ebe9e72 100644 --- a/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java +++ b/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/ServerProcessBuilder.java @@ -108,7 +108,6 @@ private List getJvmArgs() { esHome.resolve("lib").toString(), // Special circumstances require some modules (not depended on by the main server module) to be explicitly added: "--add-modules=jdk.net", // needed to reflectively set extended socket options - "--add-modules=jdk.crypto.ec", // this module is unnecessarily required by com.nimbus.jose.jwt // we control the module path, which may have additional modules not required by server "--add-modules=ALL-MODULE-PATH", "-m", From 1273af4ddcce1cde04d23e055c7cfa815c8ba59b Mon Sep 17 00:00:00 2001 
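Review bot: The removed `--add-modules=jdk.crypto.ec` is worth a short note next to the surviving `jdk.net` line rather than only in the commit message, because EC signature verification (e.g. the ES256 family, if a JWT or OIDC realm is configured with it) depends on the SunEC provider that module used to carry: on JDK 22 and later SunEC lives in `java.base` and `jdk.crypto.ec` is an empty compatibility module, and on earlier JDKs the provider is pulled in by service binding when the module graph is resolved, so the flag is redundant either way — confirm against the bundled JDK. Suggested comment after the `jdk.net` line: `// jdk.crypto.ec is intentionally absent: SunEC is resolved through service binding (and is part of java.base since JDK 22)`. The `getJvmArgs` method continues outside the hunk.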
From: Athena Brown Date: Fri, 9 Aug 2024 17:56:18 -0600 Subject: [PATCH 33/47] First pass at forbidden APIs --- x-pack/plugin/security/build.gradle | 261 +++++++++--------- .../security/forbidden/jwt-signatures.txt | 47 ++++ 2 files changed, 180 insertions(+), 128 deletions(-) create mode 100644 x-pack/plugin/security/forbidden/jwt-signatures.txt diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index db13aec0f20d3..6cf43643e1be2 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -188,7 +188,12 @@ tasks.named("forbiddenPatterns").configure { } tasks.named('forbiddenApisMain').configure { - signaturesFiles += files('forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt') + signaturesFiles += files( + 'forbidden/ldap-signatures.txt', + 'forbidden/xml-signatures.txt', + 'forbidden/oidc-signatures.txt', + 'forbidden/jwt-signatures.txt' + ) } tasks.named('forbiddenApisTest').configure { 
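Review bot: `forbidden/jwt-signatures.txt` is added to `forbiddenApisMain` only, while the `forbiddenApisTest` configuration that begins on the hunk's last line keeps its previous list, so test code can still call the gson-backed nimbus methods the file bans and the tests will not notice when a production code path is moved into a helper that tests exercise. If the split is deliberate, a one-line comment above `signaturesFiles += files(` saying so avoids the question on the next read, e.g. `// jwt-signatures.txt is enforced for main sources only; tests may use the nimbus JSON helpers directly`; otherwise the same file belongs in the test configuration too. The `forbiddenApisTest` block continues outside the hunk, so its list is not visible here.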
@@ -278,112 +283,112 @@ tasks.named("thirdPartyAudit").configure { // [missing classes] Http Client cache has optional ehcache support 'net.sf.ehcache.Ehcache', 'net.sf.ehcache.Element', - // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. We - // acknowledge them here instead of adding bouncy castle as a compileOnly dependency - 'org.bouncycastle.asn1.ASN1Encodable', - 'org.bouncycastle.asn1.ASN1InputStream', - 'org.bouncycastle.asn1.ASN1Integer', - 'org.bouncycastle.asn1.ASN1ObjectIdentifier', - 'org.bouncycastle.asn1.ASN1OctetString', - 'org.bouncycastle.asn1.ASN1Primitive', - 'org.bouncycastle.asn1.ASN1Sequence', - 'org.bouncycastle.asn1.ASN1TaggedObject', - // 'org.bouncycastle.asn1.DEROctetString', - 'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo', - 'org.bouncycastle.asn1.pkcs.EncryptionScheme', - 'org.bouncycastle.asn1.pkcs.KeyDerivationFunc', - 'org.bouncycastle.asn1.pkcs.PBEParameter', - 'org.bouncycastle.asn1.pkcs.PBES2Parameters', - 'org.bouncycastle.asn1.pkcs.PBKDF2Params', - 'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers', - 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo', - 'org.bouncycastle.asn1.x500.AttributeTypeAndValue', - 'org.bouncycastle.asn1.x500.RDN', - 'org.bouncycastle.asn1.x500.X500Name', - 'org.bouncycastle.asn1.x509.AccessDescription', - 'org.bouncycastle.asn1.x509.AlgorithmIdentifier', - 'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier', - 'org.bouncycastle.asn1.x509.BasicConstraints', - 'org.bouncycastle.asn1.x509.DistributionPoint', - 'org.bouncycastle.asn1.x509.Extension', - 'org.bouncycastle.asn1.x509.GeneralName', - 'org.bouncycastle.asn1.x509.GeneralNames', - 'org.bouncycastle.asn1.x509.GeneralNamesBuilder', - 'org.bouncycastle.asn1.x509.KeyPurposeId', - 'org.bouncycastle.asn1.x509.KeyUsage', - 'org.bouncycastle.asn1.x509.PolicyInformation', - 'org.bouncycastle.asn1.x509.SubjectKeyIdentifier', - 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', - // 
'org.bouncycastle.asn1.x9.DomainParameters', - // 'org.bouncycastle.asn1.x9.ECNamedCurveTable', - 'org.bouncycastle.asn1.x9.X9ECParameters', - 'org.bouncycastle.cert.X509v3CertificateBuilder', - 'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter', - 'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils', - 'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', - 'org.bouncycastle.crypto.BlockCipher', - 'org.bouncycastle.crypto.BufferedBlockCipher', - 'org.bouncycastle.crypto.CipherParameters', - 'org.bouncycastle.crypto.Digest', - 'org.bouncycastle.crypto.PBEParametersGenerator', - 'org.bouncycastle.crypto.StreamCipher', - 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator', - // 'org.bouncycastle.crypto.ec.CustomNamedCurves', - 'org.bouncycastle.crypto.engines.AESEngine', - 'org.bouncycastle.crypto.generators.BCrypt', - 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator', - 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator', - 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator', - 'org.bouncycastle.crypto.macs.HMac', - 'org.bouncycastle.crypto.modes.AEADBlockCipher', - 'org.bouncycastle.crypto.modes.GCMBlockCipher', - 'org.bouncycastle.crypto.paddings.BlockCipherPadding', - 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher', - 'org.bouncycastle.crypto.params.AsymmetricKeyParameter', - 'org.bouncycastle.crypto.params.DSAKeyParameters', - 'org.bouncycastle.crypto.params.DSAParameters', - 'org.bouncycastle.crypto.params.DSAPrivateKeyParameters', - 'org.bouncycastle.crypto.params.DSAPublicKeyParameters', - 'org.bouncycastle.crypto.params.ECDomainParameters', - 'org.bouncycastle.crypto.params.ECKeyParameters', - 'org.bouncycastle.crypto.params.ECPrivateKeyParameters', - 'org.bouncycastle.crypto.params.ECPublicKeyParameters', - // 'org.bouncycastle.crypto.params.KDFParameters', - 'org.bouncycastle.crypto.params.KeyParameter', - 'org.bouncycastle.crypto.params.RSAKeyParameters', - 
'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters', - 'org.bouncycastle.crypto.prng.EntropySource', - 'org.bouncycastle.crypto.prng.SP800SecureRandom', - 'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder', - 'org.bouncycastle.crypto.prng.drbg.SP80090DRBG', - 'org.bouncycastle.crypto.signers.DSASigner', - 'org.bouncycastle.crypto.signers.ECDSASigner', - 'org.bouncycastle.crypto.signers.RSADigestSigner', - 'org.bouncycastle.crypto.util.PrivateKeyFactory', - 'org.bouncycastle.crypto.util.PrivateKeyInfoFactory', - 'org.bouncycastle.crypto.util.PublicKeyFactory', - 'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory', - 'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi', - 'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC', - 'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi', - 'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util', - 'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil', - // 'org.bouncycastle.jce.ECNamedCurveTable', - // 'org.bouncycastle.jce.spec.ECNamedCurveParameterSpec', - 'org.bouncycastle.math.ec.ECFieldElement', - 'org.bouncycastle.math.ec.ECPoint', - 'org.bouncycastle.openssl.jcajce.JcaPEMWriter', - 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', - 'org.bouncycastle.util.Arrays', - 'org.bouncycastle.util.io.Streams', - 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', - 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', - 'org.bouncycastle.cert.X509CertificateHolder', - 'org.bouncycastle.openssl.PEMKeyPair', - 'org.bouncycastle.openssl.PEMParser', - 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter', - 'org.bouncycastle.crypto.InvalidCipherTextException', - 'org.bouncycastle.jce.provider.BouncyCastleProvider', + // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. 
We + // acknowledge them here instead of adding bouncy castle as a compileOnly dependency + 'org.bouncycastle.asn1.ASN1Encodable', + 'org.bouncycastle.asn1.ASN1InputStream', + 'org.bouncycastle.asn1.ASN1Integer', + 'org.bouncycastle.asn1.ASN1ObjectIdentifier', + 'org.bouncycastle.asn1.ASN1OctetString', + 'org.bouncycastle.asn1.ASN1Primitive', + 'org.bouncycastle.asn1.ASN1Sequence', + 'org.bouncycastle.asn1.ASN1TaggedObject', + // 'org.bouncycastle.asn1.DEROctetString', + 'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo', + 'org.bouncycastle.asn1.pkcs.EncryptionScheme', + 'org.bouncycastle.asn1.pkcs.KeyDerivationFunc', + 'org.bouncycastle.asn1.pkcs.PBEParameter', + 'org.bouncycastle.asn1.pkcs.PBES2Parameters', + 'org.bouncycastle.asn1.pkcs.PBKDF2Params', + 'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers', + 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo', + 'org.bouncycastle.asn1.x500.AttributeTypeAndValue', + 'org.bouncycastle.asn1.x500.RDN', + 'org.bouncycastle.asn1.x500.X500Name', + 'org.bouncycastle.asn1.x509.AccessDescription', + 'org.bouncycastle.asn1.x509.AlgorithmIdentifier', + 'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier', + 'org.bouncycastle.asn1.x509.BasicConstraints', + 'org.bouncycastle.asn1.x509.DistributionPoint', + 'org.bouncycastle.asn1.x509.Extension', + 'org.bouncycastle.asn1.x509.GeneralName', + 'org.bouncycastle.asn1.x509.GeneralNames', + 'org.bouncycastle.asn1.x509.GeneralNamesBuilder', + 'org.bouncycastle.asn1.x509.KeyPurposeId', + 'org.bouncycastle.asn1.x509.KeyUsage', + 'org.bouncycastle.asn1.x509.PolicyInformation', + 'org.bouncycastle.asn1.x509.SubjectKeyIdentifier', + 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', + // 'org.bouncycastle.asn1.x9.DomainParameters', + // 'org.bouncycastle.asn1.x9.ECNamedCurveTable', + 'org.bouncycastle.asn1.x9.X9ECParameters', + 'org.bouncycastle.cert.X509v3CertificateBuilder', + 'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter', + 'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils', + 
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', + 'org.bouncycastle.crypto.BlockCipher', + 'org.bouncycastle.crypto.BufferedBlockCipher', + 'org.bouncycastle.crypto.CipherParameters', + 'org.bouncycastle.crypto.Digest', + 'org.bouncycastle.crypto.PBEParametersGenerator', + 'org.bouncycastle.crypto.StreamCipher', + 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator', + // 'org.bouncycastle.crypto.ec.CustomNamedCurves', + 'org.bouncycastle.crypto.engines.AESEngine', + 'org.bouncycastle.crypto.generators.BCrypt', + 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator', + 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator', + 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator', + 'org.bouncycastle.crypto.macs.HMac', + 'org.bouncycastle.crypto.modes.AEADBlockCipher', + 'org.bouncycastle.crypto.modes.GCMBlockCipher', + 'org.bouncycastle.crypto.paddings.BlockCipherPadding', + 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher', + 'org.bouncycastle.crypto.params.AsymmetricKeyParameter', + 'org.bouncycastle.crypto.params.DSAKeyParameters', + 'org.bouncycastle.crypto.params.DSAParameters', + 'org.bouncycastle.crypto.params.DSAPrivateKeyParameters', + 'org.bouncycastle.crypto.params.DSAPublicKeyParameters', + 'org.bouncycastle.crypto.params.ECDomainParameters', + 'org.bouncycastle.crypto.params.ECKeyParameters', + 'org.bouncycastle.crypto.params.ECPrivateKeyParameters', + 'org.bouncycastle.crypto.params.ECPublicKeyParameters', + // 'org.bouncycastle.crypto.params.KDFParameters', + 'org.bouncycastle.crypto.params.KeyParameter', + 'org.bouncycastle.crypto.params.RSAKeyParameters', + 'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters', + 'org.bouncycastle.crypto.prng.EntropySource', + 'org.bouncycastle.crypto.prng.SP800SecureRandom', + 'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder', + 'org.bouncycastle.crypto.prng.drbg.SP80090DRBG', + 'org.bouncycastle.crypto.signers.DSASigner', + 
'org.bouncycastle.crypto.signers.ECDSASigner', + 'org.bouncycastle.crypto.signers.RSADigestSigner', + 'org.bouncycastle.crypto.util.PrivateKeyFactory', + 'org.bouncycastle.crypto.util.PrivateKeyInfoFactory', + 'org.bouncycastle.crypto.util.PublicKeyFactory', + 'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory', + 'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi', + 'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC', + 'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi', + 'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util', + 'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil', + // 'org.bouncycastle.jce.ECNamedCurveTable', + // 'org.bouncycastle.jce.spec.ECNamedCurveParameterSpec', + 'org.bouncycastle.math.ec.ECFieldElement', + 'org.bouncycastle.math.ec.ECPoint', + 'org.bouncycastle.openssl.jcajce.JcaPEMWriter', + 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', + 'org.bouncycastle.util.Arrays', + 'org.bouncycastle.util.io.Streams', + 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', + 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', + 'org.bouncycastle.cert.X509CertificateHolder', + 'org.bouncycastle.openssl.PEMKeyPair', + 'org.bouncycastle.openssl.PEMParser', + 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter', + 'org.bouncycastle.crypto.InvalidCipherTextException', + 'org.bouncycastle.jce.provider.BouncyCastleProvider', ) ignoreViolations( 
@@ -406,27 +411,27 @@ tasks.named("thirdPartyAudit").configure { tasks.named("thirdPartyAudit").configure { ignoreMissingClasses( - 'javax.xml.bind.JAXBContext', - 'javax.xml.bind.JAXBElement', - 'javax.xml.bind.JAXBException', - 'javax.xml.bind.Unmarshaller', - 'javax.xml.bind.UnmarshallerHandler', - // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE - 'org.cryptomator.siv.SivMode', - // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037) - 'com.google.crypto.tink.subtle.Ed25519Sign', - 'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair', - 'com.google.crypto.tink.subtle.Ed25519Verify', - 'com.google.crypto.tink.subtle.X25519', - 'com.google.crypto.tink.subtle.XChaCha20Poly1305', - 'com.nimbusds.common.contenttype.ContentType', - 'com.nimbusds.common.contenttype.ContentType$Parameter', - 'javax.activation.ActivationDataFlavor', - 'javax.activation.DataContentHandler', - 'javax.activation.DataHandler', - 'javax.activation.DataSource', - 'javax.activation.FileDataSource', - 'javax.activation.FileTypeMap' + 'javax.xml.bind.JAXBContext', + 'javax.xml.bind.JAXBElement', + 'javax.xml.bind.JAXBException', + 'javax.xml.bind.Unmarshaller', + 'javax.xml.bind.UnmarshallerHandler', + // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE + 'org.cryptomator.siv.SivMode', + // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037) + 'com.google.crypto.tink.subtle.Ed25519Sign', + 'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair', + 'com.google.crypto.tink.subtle.Ed25519Verify', + 'com.google.crypto.tink.subtle.X25519', + 'com.google.crypto.tink.subtle.XChaCha20Poly1305', + 'com.nimbusds.common.contenttype.ContentType', + 'com.nimbusds.common.contenttype.ContentType$Parameter', + 'javax.activation.ActivationDataFlavor', + 'javax.activation.DataContentHandler', + 
'javax.activation.DataHandler', + 'javax.activation.DataSource', + 'javax.activation.FileDataSource', + 'javax.activation.FileTypeMap' ) } diff --git a/x-pack/plugin/security/forbidden/jwt-signatures.txt b/x-pack/plugin/security/forbidden/jwt-signatures.txt new file mode 100644 index 0000000000000..660b5644eb4d1 --- /dev/null +++ b/x-pack/plugin/security/forbidden/jwt-signatures.txt 
@@ -0,0 +1,47 @@
+@defaultMessage Nimbus-jose-jwt calls which use gson internally must be contained in NimbusWrapper
+com.nimbusds.jwt.JWTClaimsSet#toString()
+com.nimbusds.jwt.JWTClaimsSet#toString(boolean)
+com.nimbusds.jwt.JWTClaimsSet#toJSONObject()
+com.nimbusds.jwt.JWTClaimsSet#parse(java.util.Map)
+com.nimbusds.jwt.JWTClaimsSet#parse(java.lang.String)
+com.nimbusds.jwt.JWTParser#parse(java.lang.String)
+com.nimbusds.jose.Header#toJSONObject()
+com.nimbusds.jose.Header#toString()
+com.nimbusds.jose.Header#parseAlgorithm(java.util.Map)
+com.nimbusds.jose.Header#parse(java.util.Map)
+com.nimbusds.jose.Header#parse(java.lang.String, com.nimbusds.jose.util.Base64URL)
+com.nimbusds.jose.JWEObject#parse(java.lang.String)
+com.nimbusds.jose.JWSObject#parse(java.lang.String)
+com.nimbusds.jose.PlainObject#parse(java.lang.String)
+com.nimbusds.jose.JWEHeader#parseEncryptionMethod(java.util.Map)
+com.nimbusds.jose.JWEHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL)
+com.nimbusds.jose.JWEHeader#parse(java.lang.String)
+com.nimbusds.jose.JWEHeader#parse(java.lang.String, com.nimbusds.jose.util.Base64URL)
+com.nimbusds.jose.JWEObjectJSON#getEncryptedKey()
+com.nimbusds.jose.JWEObjectJSON#encrypt(com.nimbusds.jose.JWEEncrypter)
+com.nimbusds.jose.JWEObjectJSON#toBaseJSONObject()
+com.nimbusds.jose.JWEObjectJSON#toFlattenedJSONObject()
+com.nimbusds.jose.JWEObjectJSON#serializeGeneral()
+com.nimbusds.jose.JWEObjectJSON#serializeFlattened()
+com.nimbusds.jose.JWEObjectJSON#parse(java.util.Map)
+com.nimbusds.jose.JWEObjectJSON#parse(java.lang.String)
+com.nimbusds.jose.JWSObjectJSON#toFlattenedJSONObject()
+com.nimbusds.jose.JWSObjectJSON#serializeGeneral()
+com.nimbusds.jose.JWSObjectJSON#serializeFlattened()
+com.nimbusds.jose.JWSObjectJSON#parse(java.util.Map)
+com.nimbusds.jose.JWSObjectJSON#parse(java.lang.String)
+com.nimbusds.jose.JWSHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL)
+com.nimbusds.jose.JWSHeader#parse(java.lang.String, com.nimbusds.jose.util.Base64URL)
+com.nimbusds.jose.JWSObjectJSON#toGeneralJSONObject()
+com.nimbusds.jose.JWSObjectJSON#toFlattenedJSONObject()
+com.nimbusds.jose.JWSObjectJSON#serializeGeneral()
+com.nimbusds.jose.JWSObjectJSON#serializeFlattened()
+com.nimbusds.jose.JWSObjectJSON#parseJWSHeader(java.util.Map)
+com.nimbusds.jose.JWSObjectJSON#parse(java.util.Map)
+com.nimbusds.jose.JWSObjectJSON#parse(java.lang.String)
+com.nimbusds.jose.Payload#toString()
+com.nimbusds.jose.Payload#toJSONObject()
+com.nimbusds.jose.PlainHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL)
+com.nimbusds.jose.PlainHeader#parse(java.lang.String, com.nimbusds.jose.util.Base64URL)
+com.nimbusds.jose.UnprotectedHeader#toJSONObject()
+
From 69e022fb10c48b3451b97d7afa1a82f356c488bd Mon Sep 17 00:00:00 2001
From: Athena Brown
Date: Sat, 10 Aug 2024 17:11:05 -0600
Subject: [PATCH 34/47] Ah, that's how you reference inner classes
---
 x-pack/plugin/security/forbidden/jwt-signatures.txt | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/x-pack/plugin/security/forbidden/jwt-signatures.txt b/x-pack/plugin/security/forbidden/jwt-signatures.txt
index 660b5644eb4d1..cde94036914ac 100644
--- a/x-pack/plugin/security/forbidden/jwt-signatures.txt
+++ b/x-pack/plugin/security/forbidden/jwt-signatures.txt
@@ -25,6 +25,8 @@ com.nimbusds.jose.JWEObjectJSON#serializeGeneral()
 com.nimbusds.jose.JWEObjectJSON#serializeFlattened()
 com.nimbusds.jose.JWEObjectJSON#parse(java.util.Map)
 com.nimbusds.jose.JWEObjectJSON#parse(java.lang.String)
+com.nimbusds.jose.JWEObjectJSON$Recipient#toJSONObject()
+com.nimbusds.jose.JWEObjectJSON$Recipient#parse(java.util.Map)
 com.nimbusds.jose.JWSObjectJSON#toFlattenedJSONObject()
 com.nimbusds.jose.JWSObjectJSON#serializeGeneral()
 com.nimbusds.jose.JWSObjectJSON#serializeFlattened()
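Review bot: The new signatures file lists five `com.nimbusds.jose.JWSObjectJSON` entries twice — `#toFlattenedJSONObject()`, `#serializeGeneral()`, `#serializeFlattened()`, `#parse(java.util.Map)` and `#parse(java.lang.String)` appear both before and after the two `JWSHeader#parse` lines — and ends with an empty line; dropping the duplicates keeps the list reviewable the next time it is regenerated. Because the list enumerates one library version's methods by hand, it goes stale silently on the next nimbus-jose-jwt upgrade, so the header should record what it was derived from, e.g. `# Derived from nimbus-jose-jwt <VERSION>; re-check after every upgrade of that dependency` (the security build.gradle later on this page shows 9.37.3 at this point in the series, but confirm). forbidden-apis only inspects this project's bytecode, so the file blocks direct calls from Elasticsearch code but cannot catch gson being reached through nimbus internals behind an entry point that is not listed.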
@@ -39,6 +41,7 @@ com.nimbusds.jose.JWSObjectJSON#serializeFlattened()
 com.nimbusds.jose.JWSObjectJSON#parseJWSHeader(java.util.Map)
 com.nimbusds.jose.JWSObjectJSON#parse(java.util.Map)
 com.nimbusds.jose.JWSObjectJSON#parse(java.lang.String)
+com.nimbusds.jose.JWSObjectJSON$Signature#toJSONObject()
 com.nimbusds.jose.Payload#toString()
 com.nimbusds.jose.Payload#toJSONObject()
 com.nimbusds.jose.PlainHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL)
From cb320bc187029e3ae664096436286f4ba866cf8d Mon Sep 17 00:00:00 2001
From: Athena Brown
Date: Sun, 11 Aug 2024 14:39:14 -0600
Subject: [PATCH 35/47] That's all of them (in nimbus-jose-jwt)
---
 .../security/forbidden/jwt-signatures.txt | 45 ++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/security/forbidden/jwt-signatures.txt b/x-pack/plugin/security/forbidden/jwt-signatures.txt
index cde94036914ac..b144d44e55963 100644
--- a/x-pack/plugin/security/forbidden/jwt-signatures.txt
+++ b/x-pack/plugin/security/forbidden/jwt-signatures.txt
@@ -1,4 +1,8 @@
+# The methods listed here were determined by finding all references
+# to JSONObjectUtils (in which gson is contained, thankfully) with
+# IntelliJ and listing them manually.
 @defaultMessage Nimbus-jose-jwt calls which use gson internally must be contained in NimbusWrapper
+com.nimbusds.jose.util.JSONObjectUtils
 com.nimbusds.jwt.JWTClaimsSet#toString()
 com.nimbusds.jwt.JWTClaimsSet#toString(boolean)
 com.nimbusds.jwt.JWTClaimsSet#toJSONObject()
@@ -47,4 +51,43 @@ com.nimbusds.jose.Payload#toJSONObject()
 com.nimbusds.jose.PlainHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL)
 com.nimbusds.jose.PlainHeader#parse(java.lang.String, com.nimbusds.jose.util.Base64URL)
 com.nimbusds.jose.UnprotectedHeader#toJSONObject()
-
+com.nimbusds.jose.crypto.MultiDecrypter#decrypt(com.nimbusds.jose.JWEHeader, com.nimbusds.jose.util.Base64URL, com.nimbusds.jose.util.Base64URL, com.nimbusds.jose.util.Base64URL, com.nimbusds.jose.util.Base64URL, byte[])
+com.nimbusds.jose.crypto.MultiEncrypter#encrypt(com.nimbusds.jose.JWEHeader, byte[], byte[])
+com.nimbusds.jose.jwk.ECKey#parse(java.lang.String)
+com.nimbusds.jose.jwk.ECKey#parse(java.util.Map)
+com.nimbusds.jose.jwk.JWK#toJSONObject()
+com.nimbusds.jose.jwk.JWK#toJSONString()
+com.nimbusds.jose.jwk.JWK#toString()
+com.nimbusds.jose.jwk.JWK#parse(java.lang.String)
+com.nimbusds.jose.jwk.JWK#parse(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseKeyType(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseKeyUse(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseKeyOperations(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseAlgorithm(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseKeyID(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseX509CertURL(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseX509CertThumbprint(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseX509CertSHA256Thumbprint(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseX509CertChain(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseExpirationTime(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseNotBeforeTime(java.util.Map)
+com.nimbusds.jose.jwk.JWKMetadata#parseIssueTime(java.util.Map)
+com.nimbusds.jose.jwk.JWKSet#toJSONObject(boolean)
+com.nimbusds.jose.jwk.JWKSet#toString(boolean)
+com.nimbusds.jose.jwk.JWKSet#parse(java.lang.String)
+com.nimbusds.jose.jwk.JWKSet#parse(java.util.Map)
+com.nimbusds.jose.jwk.OctetKeyPair#parse(java.lang.String)
+com.nimbusds.jose.jwk.OctetKeyPair#parse(java.util.Map)
+com.nimbusds.jose.jwk.OctetSequenceKey#parse(java.lang.String)
+com.nimbusds.jose.jwk.OctetSequenceKey#parse(java.util.Map)
+com.nimbusds.jose.jwk.RSAKey#toJSONObject()
+com.nimbusds.jose.jwk.RSAKey#parse(java.lang.String)
+com.nimbusds.jose.jwk.RSAKey#parse(java.util.Map)
+com.nimbusds.jose.jwk.ThumbprintUtils#compute(java.lang.String, java.util.LinkedHashMap)
+com.nimbusds.jwt.JWTClaimsSet#getJSONObjectClaim(java.lang.String)
+com.nimbusds.jwt.JWTClaimsSet#toJSONObject(boolean)
+com.nimbusds.jwt.JWTClaimsSet#toString()
+com.nimbusds.jwt.JWTClaimsSet#toString(boolean)
+com.nimbusds.jwt.JWTClaimsSet#parse(java.util.Map)
+com.nimbusds.jwt.JWTClaimsSet#parse(java.lang.String)
+com.nimbusds.jwt.JWTParser#parse(java.lang.String)
From ab86673d33b665df268db0c75fe88b594f75d2ae Mon Sep 17 00:00:00 2001
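Review bot: The last five added lines — `com.nimbusds.jwt.JWTClaimsSet#toString()`, `#toString(boolean)`, `#parse(java.util.Map)`, `#parse(java.lang.String)` and `com.nimbusds.jwt.JWTParser#parse(java.lang.String)` — duplicate entries that already sit at the top of this file (visible in the first hunk of patch 33 above), so of the `com.nimbusds.jwt` block only `JWTClaimsSet#getJSONObjectClaim(java.lang.String)` and `#toJSONObject(boolean)` are genuinely new; keep those two and drop the rest so a reader checking coverage against the header comment's "all references" claim does not have to de-duplicate by hand. The trailing empty line removed here is fine, but the file's header still says the listed calls "must be contained in NimbusWrapper", which ties the message to a class name rather than the rule; `must go through the project's nimbus wrapper` would survive a rename.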
From: Athena Brown Date: Sun, 11 Aug 2024 16:57:53 -0600 Subject: [PATCH 36/47] Just cut this knot --- x-pack/plugin/security/build.gradle | 56 +- .../security/lib/jose-wrapper/build.gradle | 104 --- .../licenses/accessors-smart-LICENSE.txt | 202 ------ .../licenses/accessors-smart-NOTICE.txt | 0 .../lib/jose-wrapper/licenses/asm-LICENSE.txt | 26 - .../lib/jose-wrapper/licenses/asm-NOTICE.txt | 1 - .../licenses/jakarta.mail-LICENSE.txt | 637 ------------------ .../licenses/jakarta.mail-NOTICE.txt | 50 -- .../licenses/jcip-annotations-LICENSE.txt | 202 ------ .../licenses/jcip-annotations-NOTICE.txt | 0 .../licenses/json-smart-LICENSE.txt | 202 ------ .../licenses/json-smart-NOTICE.txt | 0 .../licenses/lang-tag-LICENSE.txt | 202 ------ .../jose-wrapper/licenses/lang-tag-NOTICE.txt | 14 - .../licenses/oauth2-oidc-sdk-LICENSE.txt | 202 ------ .../licenses/oauth2-oidc-sdk-NOTICE.txt | 14 - .../src/main/java/module-info.java | 14 - .../elasticsearch/nimbus/NimbusWrapper.java | 106 --- .../lib/nimbus-jose-jwt-fixed/build.gradle | 29 + .../licenses/nimbus-jose-jwt-LICENSE.txt | 0 .../licenses/nimbus-jose-jwt-NOTICE.txt | 0 .../nimbusds/jose/util/JSONObjectUtils.java | 519 ++++++++++++++ .../nimbusds/jose/util/JSONStringUtils.java | 31 + .../licenses/nimbus-jose-jwt-LICENSE.txt | 202 ------ .../licenses/nimbus-jose-jwt-NOTICE.txt | 14 - .../authc/jwt/JwtRealmSingleNodeTests.java | 12 +- .../security/src/main/java/module-info.java | 1 - .../xpack/security/authc/jwt/JwtRealm.java | 6 +- .../oidc/OpenIdConnectAuthenticator.java | 21 +- .../plugin-metadata/plugin-security.policy | 7 +- 30 files changed, 616 insertions(+), 2258 deletions(-) delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/build.gradle delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-NOTICE.txt delete mode 100644 
x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-NOTICE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-NOTICE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java delete mode 100644 x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java create mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle rename x-pack/plugin/security/lib/{jose-wrapper => nimbus-jose-jwt-fixed}/licenses/nimbus-jose-jwt-LICENSE.txt (100%) rename x-pack/plugin/security/lib/{jose-wrapper => nimbus-jose-jwt-fixed}/licenses/nimbus-jose-jwt-NOTICE.txt (100%) create mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java create mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java delete mode 100644 x-pack/plugin/security/licenses/nimbus-jose-jwt-LICENSE.txt delete mode 100644 
x-pack/plugin/security/licenses/nimbus-jose-jwt-NOTICE.txt diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 6cf43643e1be2..ff3e3671dd446 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -80,8 +80,15 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" - api "com.nimbusds:nimbus-jose-jwt:9.37.3" - api project(xpackModule('security:lib:jose-wrapper')) + api project(path: xpackModule('security:lib:nimbus-jose-jwt-fixed'), configuration: 'shadow') +// if (isEclipse) { +// /* +// * Eclipse can't pick up the shadow dependency so we point it at *something* +// * so it can compile things. +// */ +// api project(xpackModule('security:lib:nimbus-jose-jwt-fixed')) +// } +// api project(xpackModule('security:lib:jose-wrapper')) api "com.nimbusds:lang-tag:1.4.4" api "com.sun.mail:jakarta.mail:1.6.3" api "net.jcip:jcip-annotations:1.0" @@ -104,7 +111,7 @@ dependencies { testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') - testImplementation('com.nimbusds:nimbus-jose-jwt:9.37.3') +// testImplementation('com.nimbusds:nimbus-jose-jwt:9.37.3') testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') @@ -192,7 +199,6 @@ tasks.named('forbiddenApisMain').configure { 'forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt', - 'forbidden/jwt-signatures.txt' ) } 
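Review bot: `api project(path: xpackModule('security:lib:nimbus-jose-jwt-fixed'), configuration: 'shadow')` in the first hunk swaps the upstream `nimbus-jose-jwt` artifact for an in-tree module that, per the diffstat, ships its own `com.nimbusds.jose.util.JSONObjectUtils` and `JSONStringUtils`; replacing the JSON layer of the JWT/JWK parser is a security-sensitive fork, so the line should carry a comment naming what it shadows and why, e.g. `// shaded nimbus-jose-jwt <VERSION> with JSONObjectUtils rewritten to avoid gson; see lib/nimbus-jose-jwt-fixed before upgrading`. If the shadow jar still contains the upstream copies of those classes next to the rewritten ones (the lib's build.gradle is not on this page), two definitions of the same class are on the classpath and jar ordering decides which loads — confirm the upstream class files are excluded. The commented-out blocks added in the first two hunks (the Eclipse fallback, the `jose-wrapper` line and the test-scope `nimbus-jose-jwt:9.37.3`) are dead text a reader has to reason about; delete them rather than park them. In the third hunk `'forbidden/oidc-signatures.txt',` is left with a trailing comma inside `files(...)`, and `jwt-signatures.txt` itself is not removed by this commit's diffstat, so it stays behind unused with a `@defaultMessage` pointing at the `NimbusWrapper` class this commit deletes — either delete the file or keep it wired in.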
@@ -334,14 +340,12 @@ tasks.named("thirdPartyAudit").configure {
 'org.bouncycastle.crypto.StreamCipher',
 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator',
 // 'org.bouncycastle.crypto.ec.CustomNamedCurves',
- 'org.bouncycastle.crypto.engines.AESEngine',
 'org.bouncycastle.crypto.generators.BCrypt',
 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator',
 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator',
 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator',
 'org.bouncycastle.crypto.macs.HMac',
 'org.bouncycastle.crypto.modes.AEADBlockCipher',
- 'org.bouncycastle.crypto.modes.GCMBlockCipher',
 'org.bouncycastle.crypto.paddings.BlockCipherPadding',
 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher',
 'org.bouncycastle.crypto.params.AsymmetricKeyParameter',
@@ -381,14 +385,7 @@ tasks.named("thirdPartyAudit").configure {
 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
 'org.bouncycastle.util.Arrays',
 'org.bouncycastle.util.io.Streams',
- 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder',
- 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider',
 'org.bouncycastle.cert.X509CertificateHolder',
- 'org.bouncycastle.openssl.PEMKeyPair',
- 'org.bouncycastle.openssl.PEMParser',
- 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
- 'org.bouncycastle.crypto.InvalidCipherTextException',
- 'org.bouncycastle.jce.provider.BouncyCastleProvider',
 )
 ignoreViolations(
@@ -419,11 +416,6 @@ tasks.named("thirdPartyAudit").configure {
 // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
 'org.cryptomator.siv.SivMode',
 // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
- 'com.google.crypto.tink.subtle.Ed25519Sign',
- 'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
- 'com.google.crypto.tink.subtle.Ed25519Verify',
- 'com.google.crypto.tink.subtle.X25519',
- 'com.google.crypto.tink.subtle.XChaCha20Poly1305',
 'com.nimbusds.common.contenttype.ContentType',
 'com.nimbusds.common.contenttype.ContentType$Parameter',
 'javax.activation.ActivationDataFlavor',
@@ -461,17 +453,17 @@ String[] noSecurityManagerClasses = [
 "**/TransportOpenIdConnectLogoutActionTests.class",
 "**/OpenIdConnectRealmTests.class",
 ]
-
-tasks.register('testNoSecurityManager', Test) {
- testClassesDirs = sourceSets.test.output.classesDirs
- classpath = sourceSets.test.runtimeClasspath
- include noSecurityManagerClasses
- systemProperty 'tests.security.manager', 'false'
- systemProperty 'es.insecure_network_trace_enabled', 'true'
-}
-
-tasks.named("check").configure { dependsOn 'testNoSecurityManager' }
-
-tasks.named('test').configure {
- exclude noSecurityManagerClasses
-}
+//
+//tasks.register('testNoSecurityManager', Test) {
+// testClassesDirs = sourceSets.test.output.classesDirs
+// classpath = sourceSets.test.runtimeClasspath
+// include noSecurityManagerClasses
+// systemProperty 'tests.security.manager', 'false'
+// systemProperty 'es.insecure_network_trace_enabled', 'true'
+//}
+//
+//tasks.named("check").configure { dependsOn 'testNoSecurityManager' }
+//
+//tasks.named('test').configure {
+// exclude noSecurityManagerClasses
+//}
diff --git a/x-pack/plugin/security/lib/jose-wrapper/build.gradle b/x-pack/plugin/security/lib/jose-wrapper/build.gradle
deleted file mode 100644
index 4da6c7ea7cf4e..0000000000000
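Review bot: With the `testNoSecurityManager` task and the `exclude noSecurityManagerClasses` configuration both commented out at `@@ -461,17 +453,17 @@`, the `noSecurityManagerClasses` array above the hunk is now defined but never used, and the listed OIDC test classes run inside the regular `test` task under the security manager rather than with `tests.security.manager` set to `false`. If that is the intended outcome of the dependency change, remove the task, the `check` wiring and the array outright and note the behaviour change in the commit message; if it is temporary, a comment such as `// TODO: restore or delete testNoSecurityManager once the shadowed nimbus-jose-jwt is settled` should mark it. The `String[] noSecurityManagerClasses = [` declaration starts outside the hunk.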
--- a/x-pack/plugin/security/lib/jose-wrapper/build.gradle
+++ /dev/null
@@ -1,104 +0,0 @@
-apply plugin: 'elasticsearch.build'
-
-base {
- archivesName = 'elasticsearch-jose-wrapper'
-}
-
-dependencies {
- // the actual two libraries we care about
- api "com.nimbusds:oauth2-oidc-sdk:11.10.1"
- api "com.nimbusds:nimbus-jose-jwt:9.37.3"
-
- // transitive dependencies of oidc
- api "com.nimbusds:lang-tag:1.4.4"
- api "com.sun.mail:jakarta.mail:1.6.3"
- api "net.jcip:jcip-annotations:1.0"
- api "net.minidev:json-smart:2.5.1"
- api "net.minidev:accessors-smart:2.4.2"
- api "org.ow2.asm:asm:8.0.1"
-
- api project(':server')
-}
-
-tasks.named("thirdPartyAudit").configure {
- ignoreMissingClasses(
- // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
- 'com.google.crypto.tink.subtle.Ed25519Sign',
- 'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
- 'com.google.crypto.tink.subtle.Ed25519Verify',
- 'com.google.crypto.tink.subtle.X25519',
- 'com.google.crypto.tink.subtle.XChaCha20Poly1305',
-// 'com.nimbusds.common.contenttype.ContentType',
-// 'com.nimbusds.common.contenttype.ContentType$Parameter',
- 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
- 'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
- 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
- 'org.bouncycastle.cert.X509CertificateHolder',
- 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder',
- 'org.bouncycastle.crypto.InvalidCipherTextException',
- 'org.bouncycastle.crypto.engines.AESEngine',
- 'org.bouncycastle.crypto.modes.GCMBlockCipher',
- 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider',
- 'org.bouncycastle.jce.provider.BouncyCastleProvider',
- 'org.bouncycastle.openssl.PEMKeyPair',
- 'org.bouncycastle.openssl.PEMParser',
- 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
-
- // unchecked
- "com.nimbusds.common.contenttype.ContentType",
- 'com.nimbusds.common.contenttype.ContentType$Parameter',
- "jakarta.servlet.ServletRequest",
- "jakarta.servlet.http.HttpServletRequest",
- "jakarta.servlet.http.HttpServletResponse",
- "javax.activation.ActivationDataFlavor",
- "javax.activation.DataContentHandler",
- "javax.activation.DataHandler",
- "javax.activation.DataSource",
- "javax.activation.FileDataSource",
- "javax.activation.FileTypeMap",
- "javax.servlet.ServletRequest",
- "javax.servlet.http.HttpServletRequest",
- "javax.servlet.http.HttpServletResponse",
- "net.shibboleth.utilities.java.support.xml.SerializeSupport",
- "org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder",
- "org.bouncycastle.operator.jcajce.JcaContentSignerBuilder",
- "org.cryptomator.siv.SivMode",
- "org.joda.time.DateTime",
- "org.opensaml.core.config.InitializationException",
- "org.opensaml.core.config.InitializationService",
- "org.opensaml.core.xml.XMLObject",
- "org.opensaml.core.xml.XMLObjectBuilder",
- "org.opensaml.core.xml.XMLObjectBuilderFactory",
- "org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport",
- "org.opensaml.core.xml.io.Marshaller",
- "org.opensaml.core.xml.io.MarshallerFactory",
- "org.opensaml.core.xml.io.MarshallingException",
- "org.opensaml.core.xml.io.Unmarshaller",
- "org.opensaml.core.xml.io.UnmarshallerFactory",
- "org.opensaml.core.xml.schema.XSString",
- "org.opensaml.core.xml.schema.impl.XSStringBuilder",
- "org.opensaml.saml.saml2.core.Assertion",
- "org.opensaml.saml.saml2.core.Attribute",
- "org.opensaml.saml.saml2.core.AttributeStatement",
- "org.opensaml.saml.saml2.core.AttributeValue",
- "org.opensaml.saml.saml2.core.Audience",
- "org.opensaml.saml.saml2.core.AudienceRestriction",
- "org.opensaml.saml.saml2.core.AuthnContext",
- "org.opensaml.saml.saml2.core.AuthnContextClassRef",
- "org.opensaml.saml.saml2.core.AuthnStatement",
- "org.opensaml.saml.saml2.core.Conditions",
- "org.opensaml.saml.saml2.core.Issuer",
- "org.opensaml.saml.saml2.core.NameID",
- "org.opensaml.saml.saml2.core.Subject",
- "org.opensaml.saml.saml2.core.SubjectConfirmation",
- "org.opensaml.saml.saml2.core.SubjectConfirmationData",
- "org.opensaml.saml.security.impl.SAMLSignatureProfileValidator",
- "org.opensaml.security.credential.BasicCredential",
- "org.opensaml.security.credential.Credential",
- "org.opensaml.security.credential.UsageType",
- "org.opensaml.xmlsec.signature.Signature",
- "org.opensaml.xmlsec.signature.support.SignatureException",
- "org.opensaml.xmlsec.signature.support.SignatureValidator",
- "org.opensaml.xmlsec.signature.support.Signer",
- )
-}
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt
deleted file mode 100644
index d645695673349..0000000000000
--- a/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-LICENSE.txt
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/accessors-smart-NOTICE.txt deleted file mode 100644 index e69de29bb2d1d..0000000000000 diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt deleted file mode 100644 index afb064f2f2666..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-LICENSE.txt +++ /dev/null 
@@ -1,26 +0,0 @@ -Copyright (c) 2012 France Télécom -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: -1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. -3. Neither the name of the copyright holders nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF -THE POSSIBILITY OF SUCH DAMAGE. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt deleted file mode 100644 index 8d1c8b69c3fce..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/licenses/asm-NOTICE.txt +++ /dev/null @@ -1 +0,0 @@ - 
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt deleted file mode 100644 index 5de3d1b40c199..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-LICENSE.txt +++ /dev/null 
@@ -1,637 +0,0 @@ -# Eclipse Public License - v 2.0 - - THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE - PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION - OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. - - 1. DEFINITIONS - - "Contribution" means: - - a) in the case of the initial Contributor, the initial content - Distributed under this Agreement, and - - b) in the case of each subsequent Contributor: - i) changes to the Program, and - ii) additions to the Program; - where such changes and/or additions to the Program originate from - and are Distributed by that particular Contributor. A Contribution - "originates" from a Contributor if it was added to the Program by - such Contributor itself or anyone acting on such Contributor's behalf. - Contributions do not include changes or additions to the Program that - are not Modified Works. - - "Contributor" means any person or entity that Distributes the Program. - - "Licensed Patents" mean patent claims licensable by a Contributor which - are necessarily infringed by the use or sale of its Contribution alone - or when combined with the Program. - - "Program" means the Contributions Distributed in accordance with this - Agreement. - - "Recipient" means anyone who receives the Program under this Agreement - or any Secondary License (as applicable), including Contributors. - - "Derivative Works" shall mean any work, whether in Source Code or other - form, that is based on (or derived from) the Program and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. - - "Modified Works" shall mean any work in Source Code or other form that - results from an addition to, deletion from, or modification of the - contents of the Program, including, for purposes of clarity any new file - in Source Code form that contains any contents of the Program. 
Modified - Works shall not include works that contain only declarations, - interfaces, types, classes, structures, or files of the Program solely - in each case in order to link to, bind by name, or subclass the Program - or Modified Works thereof. - - "Distribute" means the acts of a) distributing or b) making available - in any manner that enables the transfer of a copy. - - "Source Code" means the form of a Program preferred for making - modifications, including but not limited to software source code, - documentation source, and configuration files. - - "Secondary License" means either the GNU General Public License, - Version 2.0, or any later versions of that license, including any - exceptions or additional permissions as identified by the initial - Contributor. - - 2. GRANT OF RIGHTS - - a) Subject to the terms of this Agreement, each Contributor hereby - grants Recipient a non-exclusive, worldwide, royalty-free copyright - license to reproduce, prepare Derivative Works of, publicly display, - publicly perform, Distribute and sublicense the Contribution of such - Contributor, if any, and such Derivative Works. - - b) Subject to the terms of this Agreement, each Contributor hereby - grants Recipient a non-exclusive, worldwide, royalty-free patent - license under Licensed Patents to make, use, sell, offer to sell, - import and otherwise transfer the Contribution of such Contributor, - if any, in Source Code or other form. This patent license shall - apply to the combination of the Contribution and the Program if, at - the time the Contribution is added by the Contributor, such addition - of the Contribution causes such combination to be covered by the - Licensed Patents. The patent license shall not apply to any other - combinations which include the Contribution. No hardware per se is - licensed hereunder. 
- - c) Recipient understands that although each Contributor grants the - licenses to its Contributions set forth herein, no assurances are - provided by any Contributor that the Program does not infringe the - patent or other intellectual property rights of any other entity. - Each Contributor disclaims any liability to Recipient for claims - brought by any other entity based on infringement of intellectual - property rights or otherwise. As a condition to exercising the - rights and licenses granted hereunder, each Recipient hereby - assumes sole responsibility to secure any other intellectual - property rights needed, if any. For example, if a third party - patent license is required to allow Recipient to Distribute the - Program, it is Recipient's responsibility to acquire that license - before distributing the Program. - - d) Each Contributor represents that to its knowledge it has - sufficient copyright rights in its Contribution, if any, to grant - the copyright license set forth in this Agreement. - - e) Notwithstanding the terms of any Secondary License, no - Contributor makes additional grants to any Recipient (other than - those set forth in this Agreement) as a result of such Recipient's - receipt of the Program under the terms of a Secondary License - (if permitted under the terms of Section 3). - - 3. 
REQUIREMENTS - - 3.1 If a Contributor Distributes the Program in any form, then: - - a) the Program must also be made available as Source Code, in - accordance with section 3.2, and the Contributor must accompany - the Program with a statement that the Source Code for the Program - is available under this Agreement, and informs Recipients how to - obtain it in a reasonable manner on or through a medium customarily - used for software exchange; and - - b) the Contributor may Distribute the Program under a license - different than this Agreement, provided that such license: - i) effectively disclaims on behalf of all other Contributors all - warranties and conditions, express and implied, including - warranties or conditions of title and non-infringement, and - implied warranties or conditions of merchantability and fitness - for a particular purpose; - - ii) effectively excludes on behalf of all other Contributors all - liability for damages, including direct, indirect, special, - incidental and consequential damages, such as lost profits; - - iii) does not attempt to limit or alter the recipients' rights - in the Source Code under section 3.2; and - - iv) requires any subsequent distribution of the Program by any - party to be under a license that satisfies the requirements - of this section 3. - - 3.2 When the Program is Distributed as Source Code: - - a) it must be made available under this Agreement, or if the - Program (i) is combined with other material in a separate file or - files made available under a Secondary License, and (ii) the initial - Contributor attached to the Source Code the notice described in - Exhibit A of this Agreement, then the Program may be made available - under the terms of such Secondary Licenses, and - - b) a copy of this Agreement must be included with each copy of - the Program. 
- - 3.3 Contributors may not remove or alter any copyright, patent, - trademark, attribution notices, disclaimers of warranty, or limitations - of liability ("notices") contained within the Program from any copy of - the Program which they Distribute, provided that Contributors may add - their own appropriate notices. - - 4. COMMERCIAL DISTRIBUTION - - Commercial distributors of software may accept certain responsibilities - with respect to end users, business partners and the like. While this - license is intended to facilitate the commercial use of the Program, - the Contributor who includes the Program in a commercial product - offering should do so in a manner which does not create potential - liability for other Contributors. Therefore, if a Contributor includes - the Program in a commercial product offering, such Contributor - ("Commercial Contributor") hereby agrees to defend and indemnify every - other Contributor ("Indemnified Contributor") against any losses, - damages and costs (collectively "Losses") arising from claims, lawsuits - and other legal actions brought by a third party against the Indemnified - Contributor to the extent caused by the acts or omissions of such - Commercial Contributor in connection with its distribution of the Program - in a commercial product offering. The obligations in this section do not - apply to any claims or Losses relating to any actual or alleged - intellectual property infringement. In order to qualify, an Indemnified - Contributor must: a) promptly notify the Commercial Contributor in - writing of such claim, and b) allow the Commercial Contributor to control, - and cooperate with the Commercial Contributor in, the defense and any - related settlement negotiations. The Indemnified Contributor may - participate in any such claim at its own expense. - - For example, a Contributor might include the Program in a commercial - product offering, Product X. That Contributor is then a Commercial - Contributor. 
If that Commercial Contributor then makes performance - claims, or offers warranties related to Product X, those performance - claims and warranties are such Commercial Contributor's responsibility - alone. Under this section, the Commercial Contributor would have to - defend claims against the other Contributors related to those performance - claims and warranties, and if a court requires any other Contributor to - pay any damages as a result, the Commercial Contributor must pay - those damages. - - 5. NO WARRANTY - - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT - PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" - BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR - IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF - TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR - PURPOSE. Each Recipient is solely responsible for determining the - appropriateness of using and distributing the Program and assumes all - risks associated with its exercise of rights under this Agreement, - including but not limited to the risks and costs of program errors, - compliance with applicable laws, damage to or loss of data, programs - or equipment, and unavailability or interruption of operations. - - 6. DISCLAIMER OF LIABILITY - - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT - PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS - SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST - PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE - EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGES. - - 7. 
GENERAL - - If any provision of this Agreement is invalid or unenforceable under - applicable law, it shall not affect the validity or enforceability of - the remainder of the terms of this Agreement, and without further - action by the parties hereto, such provision shall be reformed to the - minimum extent necessary to make such provision valid and enforceable. - - If Recipient institutes patent litigation against any entity - (including a cross-claim or counterclaim in a lawsuit) alleging that the - Program itself (excluding combinations of the Program with other software - or hardware) infringes such Recipient's patent(s), then such Recipient's - rights granted under Section 2(b) shall terminate as of the date such - litigation is filed. - - All Recipient's rights under this Agreement shall terminate if it - fails to comply with any of the material terms or conditions of this - Agreement and does not cure such failure in a reasonable period of - time after becoming aware of such noncompliance. If all Recipient's - rights under this Agreement terminate, Recipient agrees to cease use - and distribution of the Program as soon as reasonably practicable. - However, Recipient's obligations under this Agreement and any licenses - granted by Recipient relating to the Program shall continue and survive. - - Everyone is permitted to copy and distribute copies of this Agreement, - but in order to avoid inconsistency the Agreement is copyrighted and - may only be modified in the following manner. The Agreement Steward - reserves the right to publish new versions (including revisions) of - this Agreement from time to time. No one other than the Agreement - Steward has the right to modify this Agreement. The Eclipse Foundation - is the initial Agreement Steward. The Eclipse Foundation may assign the - responsibility to serve as the Agreement Steward to a suitable separate - entity. Each new version of the Agreement will be given a distinguishing - version number. 
The Program (including Contributions) may always be - Distributed subject to the version of the Agreement under which it was - received. In addition, after a new version of the Agreement is published, - Contributor may elect to Distribute the Program (including its - Contributions) under the new version. - - Except as expressly stated in Sections 2(a) and 2(b) above, Recipient - receives no rights or licenses to the intellectual property of any - Contributor under this Agreement, whether expressly, by implication, - estoppel or otherwise. All rights in the Program not expressly granted - under this Agreement are reserved. Nothing in this Agreement is intended - to be enforceable by any entity that is not a Contributor or Recipient. - No third-party beneficiary rights are created under this Agreement. - - Exhibit A - Form of Secondary Licenses Notice - - "This Source Code may also be made available under the following - Secondary Licenses when the conditions for such availability set forth - in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), - version(s), and exceptions or additional permissions here}." - - Simply including a copy of this Agreement, including this Exhibit A - is not sufficient to license the Source Code under Secondary Licenses. - - If it is not possible or desirable to put the notice in a particular - file, then You may include the notice in a location (such as a LICENSE - file in a relevant directory) where a recipient would be likely to - look for such a notice. - - You may add additional accurate notices of copyright ownership. - ---- - -## The GNU General Public License (GPL) Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 51 Franklin Street, Fifth Floor - Boston, MA 02110-1335 - USA - - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. 
- - Preamble - - The licenses for most software are designed to take away your freedom to - share and change it. By contrast, the GNU General Public License is - intended to guarantee your freedom to share and change free software--to - make sure the software is free for all its users. This General Public - License applies to most of the Free Software Foundation's software and - to any other program whose authors commit to using it. (Some other Free - Software Foundation software is covered by the GNU Library General - Public License instead.) You can apply it to your programs, too. - - When we speak of free software, we are referring to freedom, not price. - Our General Public Licenses are designed to make sure that you have the - freedom to distribute copies of free software (and charge for this - service if you wish), that you receive source code or can get it if you - want it, that you can change the software or use pieces of it in new - free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid anyone - to deny you these rights or to ask you to surrender the rights. These - restrictions translate to certain responsibilities for you if you - distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether gratis - or for a fee, you must give the recipients all the rights that you have. - You must make sure that they, too, receive or can get the source code. - And you must show them these terms so they know their rights. - - We protect your rights with two steps: (1) copyright the software, and - (2) offer you this license which gives you legal permission to copy, - distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain - that everyone understands that there is no warranty for this free - software. 
If the software is modified by someone else and passed on, we - want its recipients to know that what they have is not the original, so - that any problems introduced by others will not reflect on the original - authors' reputations. - - Finally, any free program is threatened constantly by software patents. - We wish to avoid the danger that redistributors of a free program will - individually obtain patent licenses, in effect making the program - proprietary. To prevent this, we have made it clear that any patent must - be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and - modification follow. - - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains a - notice placed by the copyright holder saying it may be distributed under - the terms of this General Public License. The "Program", below, refers - to any such program or work, and a "work based on the Program" means - either the Program or any derivative work under copyright law: that is - to say, a work containing the Program or a portion of it, either - verbatim or with modifications and/or translated into another language. - (Hereinafter, translation is included without limitation in the term - "modification".) Each licensee is addressed as "you". - - Activities other than copying, distribution and modification are not - covered by this License; they are outside its scope. The act of running - the Program is not restricted, and the output from the Program is - covered only if its contents constitute a work based on the Program - (independent of having been made by running the Program). Whether that - is true depends on what the Program does. - - 1. 
You may copy and distribute verbatim copies of the Program's source - code as you receive it, in any medium, provided that you conspicuously - and appropriately publish on each copy an appropriate copyright notice - and disclaimer of warranty; keep intact all the notices that refer to - this License and to the absence of any warranty; and give any other - recipients of the Program a copy of this License along with the Program. - - You may charge a fee for the physical act of transferring a copy, and - you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion of - it, thus forming a work based on the Program, and copy and distribute - such modifications or work under the terms of Section 1 above, provided - that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any part - thereof, to be licensed as a whole at no charge to all third parties - under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a notice - that there is no warranty (or else, saying that you provide a - warranty) and that users may redistribute the program under these - conditions, and telling the user how to view a copy of this License. - (Exception: if the Program itself is interactive but does not - normally print such an announcement, your work based on the Program - is not required to print an announcement.) - - These requirements apply to the modified work as a whole. 
If - identifiable sections of that work are not derived from the Program, and - can be reasonably considered independent and separate works in - themselves, then this License, and its terms, do not apply to those - sections when you distribute them as separate works. But when you - distribute the same sections as part of a whole which is a work based on - the Program, the distribution of the whole must be on the terms of this - License, whose permissions for other licensees extend to the entire - whole, and thus to each and every part regardless of who wrote it. - - Thus, it is not the intent of this section to claim rights or contest - your rights to work written entirely by you; rather, the intent is to - exercise the right to control the distribution of derivative or - collective works based on the Program. - - In addition, mere aggregation of another work not based on the Program - with the Program (or with a work based on the Program) on a volume of a - storage or distribution medium does not bring the other work under the - scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, - under Section 2) in object code or executable form under the terms of - Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections 1 - and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your cost - of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer to - distribute corresponding source code. 
(This alternative is allowed - only for noncommercial distribution and only if you received the - program in object code or executable form with such an offer, in - accord with Subsection b above.) - - The source code for a work means the preferred form of the work for - making modifications to it. For an executable work, complete source code - means all the source code for all modules it contains, plus any - associated interface definition files, plus the scripts used to control - compilation and installation of the executable. However, as a special - exception, the source code distributed need not include anything that is - normally distributed (in either source or binary form) with the major - components (compiler, kernel, and so on) of the operating system on - which the executable runs, unless that component itself accompanies the - executable. - - If distribution of executable or object code is made by offering access - to copy from a designated place, then offering equivalent access to copy - the source code from the same place counts as distribution of the source - code, even though third parties are not compelled to copy the source - along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program - except as expressly provided under this License. Any attempt otherwise - to copy, modify, sublicense or distribute the Program is void, and will - automatically terminate your rights under this License. However, parties - who have received copies, or rights, from you under this License will - not have their licenses terminated so long as such parties remain in - full compliance. - - 5. You are not required to accept this License, since you have not - signed it. However, nothing else grants you permission to modify or - distribute the Program or its derivative works. These actions are - prohibited by law if you do not accept this License. 
Therefore, by - modifying or distributing the Program (or any work based on the - Program), you indicate your acceptance of this License to do so, and all - its terms and conditions for copying, distributing or modifying the - Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the - Program), the recipient automatically receives a license from the - original licensor to copy, distribute or modify the Program subject to - these terms and conditions. You may not impose any further restrictions - on the recipients' exercise of the rights granted herein. You are not - responsible for enforcing compliance by third parties to this License. - - 7. If, as a consequence of a court judgment or allegation of patent - infringement or for any other reason (not limited to patent issues), - conditions are imposed on you (whether by court order, agreement or - otherwise) that contradict the conditions of this License, they do not - excuse you from the conditions of this License. If you cannot distribute - so as to satisfy simultaneously your obligations under this License and - any other pertinent obligations, then as a consequence you may not - distribute the Program at all. For example, if a patent license would - not permit royalty-free redistribution of the Program by all those who - receive copies directly or indirectly through you, then the only way you - could satisfy both it and this License would be to refrain entirely from - distribution of the Program. - - If any portion of this section is held invalid or unenforceable under - any particular circumstance, the balance of the section is intended to - apply and the section as a whole is intended to apply in other - circumstances. 
- - It is not the purpose of this section to induce you to infringe any - patents or other property right claims or to contest validity of any - such claims; this section has the sole purpose of protecting the - integrity of the free software distribution system, which is implemented - by public license practices. Many people have made generous - contributions to the wide range of software distributed through that - system in reliance on consistent application of that system; it is up to - the author/donor to decide if he or she is willing to distribute - software through any other system and a licensee cannot impose that choice. - - This section is intended to make thoroughly clear what is believed to be - a consequence of the rest of this License. - - 8. If the distribution and/or use of the Program is restricted in - certain countries either by patents or by copyrighted interfaces, the - original copyright holder who places the Program under this License may - add an explicit geographical distribution limitation excluding those - countries, so that distribution is permitted only in or among countries - not thus excluded. In such case, this License incorporates the - limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new - versions of the General Public License from time to time. Such new - versions will be similar in spirit to the present version, but may - differ in detail to address new problems or concerns. - - Each version is given a distinguishing version number. If the Program - specifies a version number of this License which applies to it and "any - later version", you have the option of following the terms and - conditions either of that version or of any later version published by - the Free Software Foundation. If the Program does not specify a version - number of this License, you may choose any version ever published by the - Free Software Foundation. - - 10. 
If you wish to incorporate parts of the Program into other free - programs whose distribution conditions are different, write to the - author to ask for permission. For software which is copyrighted by the - Free Software Foundation, write to the Free Software Foundation; we - sometimes make exceptions for this. Our decision will be guided by the - two goals of preserving the free status of all derivatives of our free - software and of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO - WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. - EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR - OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, - EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE - ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH - YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL - NECESSARY SERVICING, REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN - WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY - AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR - DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL - DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM - (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED - INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF - THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR - OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
- - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest - possible use to the public, the best way to achieve this is to make it - free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest to - attach them to the start of each source file to most effectively convey - the exclusion of warranty; and each file should have at least the - "copyright" line and a pointer to where the full notice is found. - - One line to give the program's name and a brief idea of what it does. - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA - - Also add information on how to contact you by electronic and paper mail. - - If the program is interactive, make it output a short notice like this - when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type - `show w'. This is free software, and you are welcome to redistribute - it under certain conditions; type `show c' for details. - - The hypothetical commands `show w' and `show c' should show the - appropriate parts of the General Public License. 
Of course, the commands - you use may be called something other than `show w' and `show c'; they - could even be mouse-clicks or menu items--whatever suits your program. - - You should also get your employer (if you work as a programmer) or your - school, if any, to sign a "copyright disclaimer" for the program, if - necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the - program `Gnomovision' (which makes passes at compilers) written by - James Hacker. - - signature of Ty Coon, 1 April 1989 - Ty Coon, President of Vice - - This General Public License does not permit incorporating your program - into proprietary programs. If your program is a subroutine library, you - may consider it more useful to permit linking proprietary applications - with the library. If this is what you want to do, use the GNU Library - General Public License instead of this License. - ---- - -## CLASSPATH EXCEPTION - - Linking this library statically or dynamically with other modules is - making a combined work based on this library. Thus, the terms and - conditions of the GNU General Public License version 2 cover the whole - combination. - - As a special exception, the copyright holders of this library give you - permission to link this library with independent modules to produce an - executable, regardless of the license terms of these independent - modules, and to copy and distribute the resulting executable under - terms of your choice, provided that you also meet, for each linked - independent module, the terms and conditions of the license of that - module. An independent module is a module which is not derived from or - based on this library. If you modify this library, you may extend this - exception to your version of the library, but you are not obligated to - do so. If you do not wish to do so, delete this exception statement - from your version. 
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt
deleted file mode 100644
index 9a5159e29c9e3..0000000000000
--- a/x-pack/plugin/security/lib/jose-wrapper/licenses/jakarta.mail-NOTICE.txt
+++ /dev/null
@@ -1,50 +0,0 @@ -# Notices for Eclipse Project for JavaMail - -This content is produced and maintained by the Eclipse Project for JavaMail -project. - -* Project home: https://projects.eclipse.org/projects/ee4j.javamail - -## Trademarks - -Eclipse Project for JavaMail is a trademark of the Eclipse Foundation. - -## Copyright - -All content is the property of the respective authors or their employers. For -more information regarding authorship of content, please consult the listed -source code repository logs. - -## Declared Project Licenses - -This program and the accompanying materials are made available under the terms -of the Eclipse Public License v. 2.0 which is available at -http://www.eclipse.org/legal/epl-2.0. This Source Code may also be made -available under the following Secondary Licenses when the conditions for such -availability set forth in the Eclipse Public License v. 2.0 are satisfied: GNU -General Public License, version 2 with the GNU Classpath Exception which is -available at https://www.gnu.org/software/classpath/license.html. - -SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 - -## Source Code - -The project maintains the following source code repositories: - -* https://github.com/eclipse-ee4j/javamail - -## Third-party Content - -This project leverages the following third party content. - -None - -## Cryptography - -Content may contain encryption software. The country in which you are currently -may have restrictions on the import, possession, and use, and/or re-export to -another country, of encryption software. BEFORE using any encryption software, -please check the country's laws, regulations and policies concerning the import, -possession, or use, and re-export of encryption software, to see if this is -permitted. - 
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt
deleted file mode 100644
index d645695673349..0000000000000
--- a/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-LICENSE.txt
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/jcip-annotations-NOTICE.txt deleted file mode 100644 index e69de29bb2d1d..0000000000000 diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt deleted file mode 100644 index d645695673349..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-LICENSE.txt +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/json-smart-NOTICE.txt deleted file mode 100644 index e69de29bb2d1d..0000000000000 diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt deleted file mode 100644 index d645695673349..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-LICENSE.txt +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt deleted file mode 100644 index 37a85f6850d57..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/licenses/lang-tag-NOTICE.txt +++ /dev/null 
@@ -1,14 +0,0 @@
-Nimbus Language Tags
-
-Copyright 2012-2016, Connect2id Ltd.
-
-Licensed under the Apache License, Version 2.0 (the "License"); you may not use
-this file except in compliance with the License. You may obtain a copy of the
-License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software distributed
-under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-CONDITIONS OF ANY KIND, either express or implied. See the License for the
-specific language governing permissions and limitations under the License.
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt
deleted file mode 100644
index d645695673349..0000000000000
--- a/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-LICENSE.txt
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt b/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt deleted file mode 100644 index 5e111b04cfc45..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/licenses/oauth2-oidc-sdk-NOTICE.txt +++ /dev/null 
@@ -1,14 +0,0 @@ -Nimbus OAuth 2.0 SDK with OpenID Connect extensions - -Copyright 2012-2018, Connect2id Ltd and contributors. - -Licensed under the Apache License, Version 2.0 (the "License"); you may not use -this file except in compliance with the License. You may obtain a copy of the -License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software distributed -under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. See the License for the -specific language governing permissions and limitations under the License. diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java deleted file mode 100644 index 80393ef57768a..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/module-info.java +++ /dev/null @@ -1,14 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -module org.elasticsearch.nimbus { - requires org.elasticsearch.server; - requires com.nimbusds.jose.jwt; - requires oauth2.oidc.sdk; - - exports org.elasticsearch.nimbus; -} diff --git a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java b/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java deleted file mode 100644 index 678bf22ec4ad7..0000000000000 --- a/x-pack/plugin/security/lib/jose-wrapper/src/main/java/org/elasticsearch/nimbus/NimbusWrapper.java +++ /dev/null 
@@ -1,106 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -package org.elasticsearch.nimbus; - -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWSHeader; -import com.nimbusds.jose.proc.BadJOSEException; -import com.nimbusds.jose.util.Base64URL; -import com.nimbusds.jwt.JWT; -import com.nimbusds.jwt.JWTClaimsSet; -import com.nimbusds.jwt.SignedJWT; -import com.nimbusds.openid.connect.sdk.Nonce; -import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; - -import org.elasticsearch.ElasticsearchException; -import org.elasticsearch.SpecialPermission; - -import java.security.AccessController; -import java.security.PrivilegedAction; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; -import java.text.ParseException; -import java.util.Map; - -/** - * This class wraps the operations requiring access in {@link AccessController#doPrivileged(PrivilegedAction)} blocks. - * Can't do these operations inline with giving too much access due to how the security manager calculates the stack for lambda expressions. - * Isolating the calls here allows for least privilege access to this helper jar. 
- */ -public class NimbusWrapper { - - // utility class - private NimbusWrapper() {} - - public static String getHeaderAsString(SignedJWT signedJWT) { - SpecialPermission.check(); - return AccessController.doPrivileged((PrivilegedAction) () -> signedJWT.getHeader().toString()); - - } - - public static String getClaimsSetAsString(JWTClaimsSet jwtClaimsSet) { - SpecialPermission.check(); - return AccessController.doPrivileged((PrivilegedAction) jwtClaimsSet::toString); - } - - public static JWTClaimsSet verifyTokenClaims(IDTokenValidator validator, JWT idToken, Nonce nonce) throws BadJOSEException, - JOSEException { - try { - return AccessController.doPrivileged( - (PrivilegedExceptionAction) () -> validator.validate(idToken, nonce).toJWTClaimsSet() - ); - } catch (PrivilegedActionException exception) { - if (exception.getCause() instanceof BadJOSEException e) { - throw e; - } else if (exception.getCause() instanceof JOSEException e) { - throw e; - } else { - throw new ElasticsearchException(exception); - } - } - } - - // only used in tests - public static SignedJWT newSignedJwt(JWSHeader header, JWTClaimsSet claimsSet) { - SpecialPermission.check(); - return AccessController.doPrivileged((PrivilegedAction) () -> new SignedJWT(header, claimsSet)); - } - - // only used in tests - public static SignedJWT newSignedJWT(Map header, JWTClaimsSet claimsSet, String signatureUrl) throws ParseException { - SpecialPermission.check(); - try { - return AccessController.doPrivileged( - (PrivilegedExceptionAction) () -> new SignedJWT( - JWSHeader.parse(header).toBase64URL(), - claimsSet.toPayload().toBase64URL(), - Base64URL.encode(signatureUrl) - ) - ); - } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException ex) { - throw ex; - } else { - throw new RuntimeException(e.getException()); - } - } - } - - public static Base64URL parseHeader(Map header) throws ParseException { - SpecialPermission.check(); - try { - return 
AccessController.doPrivileged((PrivilegedExceptionAction) () -> JWSHeader.parse(header).toBase64URL()); - } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException ex) { - throw ex; - } else { - throw new RuntimeException(e.getException()); - } - } - } -} diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle new file mode 100644 index 0000000000000..f3c17748e6fd4 --- /dev/null +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle @@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +apply plugin: 'elasticsearch.build' +apply plugin: 'com.github.johnrengelman.shadow' + +dependencies { + implementation "com.nimbusds:nimbus-jose-jwt:9.37.3" +} + +tasks.named('shadowJar').configure { + exclude 'com/nimbusds/jose/util/JSONObjectUtils$*.class' + exclude 'com/nimbusds/jose/util/JSONStringUtils$*.class' + manifest { + // The original library uses this and it gets stripped by shadowJar + attributes 'Automatic-Module-Name': 'com.nimbusds.jose.jwt' + } +} + +['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit'].each { + tasks.named(it).configure { + enabled = false + } +} diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-LICENSE.txt similarity index 100% rename from x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-LICENSE.txt rename to x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-LICENSE.txt 
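Review bot: The `implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"` line has to stay in lockstep with the version the overriding JSONObjectUtils/JSONStringUtils copies were taken from, but nothing in the build file says so; a comment such as `// Must match the version named in the class Javadoc of the copied JSONObjectUtils/JSONStringUtils — bump both together` would make the coupling visible. The `jarHell`/`thirdPartyAudit`/`forbiddenApisMain`/`splitPackagesAudit` loop disables four checks on a module that deliberately ships duplicate class names for a security library, with no explanation of why each is unsafe to run here, e.g. `// disabled: this module intentionally duplicates com.nimbusds.jose.util classes from the shaded jar`. The `$*.class` excludes only drop upstream's nested classes, so the replacement of the two top-level classes presumably relies on shadowJar keeping the first (project) entry and skipping the upstream duplicate; that reliance is worth stating in a comment next to the excludes so a plugin upgrade that changes duplicate handling is caught in review.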
diff --git a/x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-NOTICE.txt similarity index 100% rename from x-pack/plugin/security/lib/jose-wrapper/licenses/nimbus-jose-jwt-NOTICE.txt rename to x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-NOTICE.txt diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java new file mode 100644 index 0000000000000..9f71191a231ae --- /dev/null +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java 
@@ -0,0 +1,519 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package com.nimbusds.jose.util; + +import com.nimbusds.jose.shaded.gson.Gson; +import com.nimbusds.jose.shaded.gson.GsonBuilder; +import com.nimbusds.jose.shaded.gson.ToNumberPolicy; +import com.nimbusds.jose.shaded.gson.reflect.TypeToken; + +import java.lang.reflect.Type; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.text.ParseException; +import java.util.Arrays; +import java.util.Date; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +/** + * Copied from nimbus-jose-jwt version 9.37.3. + * + * Original code Copyright 2012-2016, Connect2id Ltd. Licensed under the Apache License, Version 2.0 + * + * The only modifications in this file are: + * 1) {@link AccessController#doPrivileged(PrivilegedAction)} calls to make gson work with the security manager + * 2) Formatting/Warning suppression as necessary to work with our infrastructure + * 3) This comment and the license comment + */ +@SuppressWarnings({ "unchecked", "rawtypes" }) +public class JSONObjectUtils { + + /** + * The GSon instance for serialisation and parsing. + */ + private static final Gson GSON = new GsonBuilder().serializeNulls() + .setObjectToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE) + .disableHtmlEscaping() + .create(); + + /** + * Parses a JSON object. + * + *

Specific JSON to Java entity mapping (as per JSON Smart): + * + *

    + *
  • JSON true|false map to {@code java.lang.Boolean}. + *
  • JSON numbers map to {@code java.lang.Number}. + *
      + *
    • JSON integer numbers map to {@code long}. + *
    • JSON fraction numbers map to {@code double}. + *
    + *
  • JSON strings map to {@code java.lang.String}. + *
  • JSON arrays map to {@code java.util.List}. + *
  • JSON objects map to {@code java.util.Map}. + * + * + * @param s The JSON object string to parse. Must not be {@code null}. + * + * @return The JSON object. + * + * @throws ParseException If the string cannot be parsed to a valid JSON + * object. + */ + public static Map parse(final String s) throws ParseException { + + return parse(s, -1); + } + + /** + * Parses a JSON object with the option to limit the input string size. + * + *

    Specific JSON to Java entity mapping (as per JSON Smart): + * + *

      + *
    • JSON true|false map to {@code java.lang.Boolean}. + *
    • JSON numbers map to {@code java.lang.Number}. + *
        + *
      • JSON integer numbers map to {@code long}. + *
      • JSON fraction numbers map to {@code double}. + *
      + *
    • JSON strings map to {@code java.lang.String}. + *
    • JSON arrays map to {@code java.util.List}. + *
    • JSON objects map to {@code java.util.Map}. + * + * + * @param s The JSON object string to parse. Must not be + * {@code null}. + * @param sizeLimit The max allowed size of the string to parse. A + * negative integer means no limit. + * + * @return The JSON object. + * + * @throws ParseException If the string cannot be parsed to a valid JSON + * object. + */ + public static Map parse(final String s, final int sizeLimit) throws ParseException { + + if (s.trim().isEmpty()) { + throw new ParseException("Invalid JSON object", 0); + } + + if (sizeLimit >= 0 && s.length() > sizeLimit) { + throw new ParseException("The parsed string is longer than the max accepted size of " + sizeLimit + " characters", 0); + } + + Type mapType = TypeToken.getParameterized(Map.class, String.class, Object.class).getType(); + + try { + return AccessController.doPrivileged((PrivilegedAction>) () -> GSON.fromJson(s, mapType)); + } catch (Exception e) { + throw new ParseException("Invalid JSON: " + e.getMessage(), 0); + } catch (StackOverflowError e) { + throw new ParseException("Excessive JSON object and / or array nesting", 0); + } + } + + /** + * Use {@link #parse(String)} instead. + * + * @param s The JSON object string to parse. Must not be {@code null}. + * + * @return The JSON object. + * + * @throws ParseException If the string cannot be parsed to a valid JSON + * object. + */ + @Deprecated + public static Map parseJSONObject(final String s) throws ParseException { + + return parse(s); + } + + /** + * Gets a generic member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * @param clazz The expected class of the JSON object member value. + * Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. 
+ */ + private static T getGeneric(final Map o, final String name, final Class clazz) throws ParseException { + + if (o.get(name) == null) { + return null; + } + + Object value = o.get(name); + + if (clazz.isAssignableFrom(value.getClass()) == false) { + throw new ParseException("Unexpected type of JSON object member " + name + "", 0); + } + + @SuppressWarnings("unchecked") + T castValue = (T) value; + return castValue; + } + + /** + * Gets a boolean member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static boolean getBoolean(final Map o, final String name) throws ParseException { + + Boolean value = getGeneric(o, name, Boolean.class); + + if (value == null) { + throw new ParseException("JSON object member " + name + " is missing or null", 0); + } + + return value; + } + + /** + * Gets a number member of a JSON object as {@code int}. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static int getInt(final Map o, final String name) throws ParseException { + + Number value = getGeneric(o, name, Number.class); + + if (value == null) { + throw new ParseException("JSON object member " + name + " is missing or null", 0); + } + + return value.intValue(); + } + + /** + * Gets a number member of a JSON object as {@code long}. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value. 
+ * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static long getLong(final Map o, final String name) throws ParseException { + + Number value = getGeneric(o, name, Number.class); + + if (value == null) { + throw new ParseException("JSON object member " + name + " is missing or null", 0); + } + + return value.longValue(); + } + + /** + * Gets a number member of a JSON object {@code float}. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static float getFloat(final Map o, final String name) throws ParseException { + + Number value = getGeneric(o, name, Number.class); + + if (value == null) { + throw new ParseException("JSON object member " + name + " is missing or null", 0); + } + + return value.floatValue(); + } + + /** + * Gets a number member of a JSON object as {@code double}. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static double getDouble(final Map o, final String name) throws ParseException { + + Number value = getGeneric(o, name, Number.class); + + if (value == null) { + throw new ParseException("JSON object member " + name + " is missing or null", 0); + } + + return value.doubleValue(); + } + + /** + * Gets a string member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. 
+ * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static String getString(final Map o, final String name) throws ParseException { + + return getGeneric(o, name, String.class); + } + + /** + * Gets a string member of a JSON object as {@code java.net.URI}. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static URI getURI(final Map o, final String name) throws ParseException { + + String value = getString(o, name); + + if (value == null) { + return null; + } + + try { + return new URI(value); + + } catch (URISyntaxException e) { + + throw new ParseException(e.getMessage(), 0); + } + } + + /** + * Gets a JSON array member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static List getJSONArray(final Map o, final String name) throws ParseException { + + @SuppressWarnings("unchecked") + List jsonArray = getGeneric(o, name, List.class); + return jsonArray; + } + + /** + * Gets a string array member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. 
+ */ + public static String[] getStringArray(final Map o, final String name) throws ParseException { + + List jsonArray = getJSONArray(o, name); + + if (jsonArray == null) { + return null; + } + + try { + return jsonArray.toArray(new String[0]); + } catch (ArrayStoreException e) { + throw new ParseException("JSON object member " + name + " is not an array of strings", 0); + } + } + + /** + * Gets a JSON objects array member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static Map[] getJSONObjectArray(final Map o, final String name) throws ParseException { + + List jsonArray = getJSONArray(o, name); + + if (jsonArray == null) { + return null; + } + + if (jsonArray.isEmpty()) { + return new HashMap[0]; + } + + for (Object member : jsonArray) { + if (member == null) { + continue; + } + if (member instanceof Map) { + try { + return jsonArray.toArray(new Map[0]); + } catch (ArrayStoreException e) { + break; // throw parse exception below + } + } + } + throw new ParseException("JSON object member " + name + " is not an array of JSON objects", 0); + } + + /** + * Gets a string list member of a JSON object + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static List getStringList(final Map o, final String name) throws ParseException { + + String[] array = getStringArray(o, name); + + if (array == null) { + return null; + } + + return Arrays.asList(array); + } + + /** + * Gets a JSON object member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. 
+ * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static Map getJSONObject(final Map o, final String name) throws ParseException { + + Map jsonObject = getGeneric(o, name, Map.class); + + if (jsonObject == null) { + return null; + } + + // Verify keys are String + for (Object oKey : jsonObject.keySet()) { + if ((oKey instanceof String) == false) { + throw new ParseException("JSON object member " + name + " not a JSON object", 0); + } + } + @SuppressWarnings("unchecked") + Map castJSONObject = (Map) jsonObject; + return castJSONObject; + } + + /** + * Gets a string member of a JSON object as {@link Base64URL}. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static Base64URL getBase64URL(final Map o, final String name) throws ParseException { + + String value = getString(o, name); + + if (value == null) { + return null; + } + + return new Base64URL(value); + } + + /** + * Gets a number member of a JSON object as a {@link Date} expressed in + * seconds since the Unix epoch. + * + * @param o The JSON object. Must not be {@code null}. + * @param name The JSON object member name. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. 
+ */ + public static Date getEpochSecondAsDate(final Map o, final String name) throws ParseException { + + Number value = getGeneric(o, name, Number.class); + + if (value == null) { + return null; + } + + return DateUtils.fromSecondsSinceEpoch(value.longValue()); + } + + /** + * Serialises the specified map to a JSON object using the entity + * mapping specified in {@link #parse(String)}. + * + * @param o The map. Must not be {@code null}. + * + * @return The JSON object as string. + */ + public static String toJSONString(final Map o) { + return AccessController.doPrivileged((PrivilegedAction) () -> GSON.toJson(o)); + } + + /** + * Creates a new JSON object (unordered). + * + * @return The new empty JSON object. + */ + public static Map newJSONObject() { + return new HashMap<>(); + } + + /** + * Prevents public instantiation. + */ + private JSONObjectUtils() {} +} diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java new file mode 100644 index 0000000000000..e57ddfb61ac55 --- /dev/null +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java 
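Review bot: In `parse(String, int)` the whole `GSON.fromJson(s, mapType)` call runs inside `AccessController.doPrivileged` on input that is, for this plugin, attacker-controlled, and the method does not say why that widening is acceptable; the class Javadoc only says the calls make gson work with the security manager. The reason it is acceptable is visible but unstated: `mapType` is fixed to `Map<String, Object>` via `TypeToken.getParameterized`, so nothing in `s` can select a type for gson to instantiate, and the catch clauses translate gson failures and `StackOverflowError` into `ParseException`. I would add `// Privileged only for gson's reflective access; mapType is a fixed Map<String,Object>, so the input cannot choose a class to instantiate` directly above the `doPrivileged` call, and the same one-liner above `toJSONString(Map)` for the serialisation direction. Keeping this in a comment rather than the class header means the next person who swaps `mapType` for a caller-supplied type sees the constraint at the point of change.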
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package com.nimbusds.jose.util;
+
+import com.nimbusds.jose.shaded.gson.Gson;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Copied from nimbus-jose-jwt version 9.37.3.
+ *
+ * Original code Copyright 2012-2016, Connect2id Ltd. Licensed under the Apache License, Version 2.0
+ *
+ * The only modifications in this file are:
+ * 1) {@link AccessController#doPrivileged(PrivilegedAction)} calls to make gson work with the security manager
+ * 2) Formatting/Warning suppression as necessary to work with our infrastructure
+ * 3) This comment and the license comment
+ */
+public class JSONStringUtils {
+ public static String toJSONString(String string) {
+ return AccessController.doPrivileged((PrivilegedAction) () -> (new Gson()).toJson(string));
+ }
+
+ private JSONStringUtils() {}
+}
diff --git a/x-pack/plugin/security/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/licenses/nimbus-jose-jwt-LICENSE.txt
deleted file mode 100644
index d645695673349..0000000000000
--- a/x-pack/plugin/security/licenses/nimbus-jose-jwt-LICENSE.txt
+++ /dev/null
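Review bot: The privileged region in `toJSONString` is exactly one gson call, which is the right shape, but nothing in the file says so, and since `doPrivileged` here asserts the reflective grants of the nimbus-jose-jwt-fixed codebase on behalf of whatever caller reaches it, widening the lambda later would quietly widen that privilege; a comment such as `// Privileged region is deliberately limited to the single gson call; do not move other work inside it` would pin that down. The `new Gson()` per call uses default settings (HTML escaping on), which differs from the `disableHtmlEscaping()` instance in InnerJSONObjectUtils further down this series; that appears to mirror upstream, so a one-line note that the difference is intentional would stop someone "harmonising" it and changing how JWT string claims are escaped. The header pins the copy to 9.37.3, and it is worth adding that this file must be re-diffed against upstream on every nimbus-jose-jwt bump, because a silent divergence in JSON handling sits directly on the token-parsing path.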
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/x-pack/plugin/security/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/licenses/nimbus-jose-jwt-NOTICE.txt deleted file mode 100644 index cb9ad94f662a6..0000000000000 --- a/x-pack/plugin/security/licenses/nimbus-jose-jwt-NOTICE.txt +++ /dev/null 
@@ -1,14 +0,0 @@ -Nimbus JOSE + JWT - -Copyright 2012 - 2018, Connect2id Ltd. - -Licensed under the Apache License, Version 2.0 (the "License"); you may not use -this file except in compliance with the License. You may obtain a copy of the -License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software distributed -under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. See the License for the -specific language governing permissions and limitations under the License. diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java index 99d873859ad17..435706dce7019 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java @@ -30,7 +30,6 @@ import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.core.Strings; import org.elasticsearch.core.TimeValue; -import org.elasticsearch.nimbus.NimbusWrapper; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.PluginsService; import org.elasticsearch.test.SecuritySettingsSource; @@ -455,7 +454,7 @@ public void testJwtRealmThrowsErrorOnJwtParsingFailure() throws ParseException { // Payload is not JSON final SignedJWT signedJWT2 = new SignedJWT( - NimbusWrapper.parseHeader(Map.of("alg", randomAlphaOfLengthBetween(5, 10))), + JWSHeader.parse(Map.of("alg", randomAlphaOfLengthBetween(5, 10))).toBase64URL(), Base64URL.encode("payload"), Base64URL.encode("signature") ); 
@@ -711,7 +710,7 @@ static SignedJWT getSignedJWT(JWTClaimsSet claimsSet, byte[] hmacKeyBytes) throw JWSHeader jwtHeader = new JWSHeader.Builder(JWSAlgorithm.HS256).build(); OctetSequenceKey.Builder jwt0signer = new OctetSequenceKey.Builder(hmacKeyBytes); jwt0signer.algorithm(JWSAlgorithm.HS256); - SignedJWT jwt = NimbusWrapper.newSignedJwt(jwtHeader, claimsSet); + SignedJWT jwt = new SignedJWT(jwtHeader, claimsSet); jwt.sign(new MACSigner(jwt0signer.build())); return jwt; } @@ -765,8 +764,11 @@ private SignedJWT getSignedJWT(Map m) throws ParseException { claimsMap.put("exp", now.plus(randomIntBetween(-1, 1), ChronoUnit.DAYS).getEpochSecond()); final JWTClaimsSet claimsSet = JWTClaimsSet.parse(claimsMap); - final SignedJWT signedJWT = NimbusWrapper.newSignedJWT(Map.of("alg", randomAlphaOfLengthBetween(5, 10)), claimsSet, "signature"); - + final SignedJWT signedJWT = new SignedJWT( + JWSHeader.parse(Map.of("alg", randomAlphaOfLengthBetween(5, 10))).toBase64URL(), + claimsSet.toPayload().toBase64URL(), + Base64URL.encode("signature") + ); return signedJWT; } diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java index 8d74da1034b7b..a072b34da7e96 100644 --- a/x-pack/plugin/security/src/main/java/module-info.java +++ b/x-pack/plugin/security/src/main/java/module-info.java @@ -49,7 +49,6 @@ requires oauth2.oidc.sdk; requires org.slf4j; requires unboundid.ldapsdk; - requires org.elasticsearch.nimbus; exports org.elasticsearch.xpack.security.action to org.elasticsearch.server; exports org.elasticsearch.xpack.security.action.apikey to org.elasticsearch.server; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java index f3b41b5cdd81d..7613e7b3972af 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java 
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java @@ -26,7 +26,6 @@ import org.elasticsearch.core.Releasable; import org.elasticsearch.core.TimeValue; import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.nimbus.NimbusWrapper; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.AuthenticationToken; import org.elasticsearch.xpack.core.security.authc.Realm; @@ -258,15 +257,14 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac } processValidatedJwt(tokenPrincipal, jwtCacheKey, claimsSet, listener); }, ex -> { - final String msg = "Realm [" + name() + "] JWT validation failed for token=[" + tokenPrincipal + "] with header [" - + NimbusWrapper.getHeaderAsString(jwtAuthenticationToken.getSignedJWT()) + + jwtAuthenticationToken.getSignedJWT().getHeader() + "] and claimSet [" - + NimbusWrapper.getClaimsSetAsString(jwtAuthenticationToken.getJWTClaimsSet()) + + jwtAuthenticationToken.getJWTClaimsSet() + "]"; if (logger.isTraceEnabled()) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java index c4959c3ef8733..0f34850b861b7 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java @@ -85,7 +85,6 @@ import org.elasticsearch.core.CheckedRunnable; import org.elasticsearch.core.Nullable; import org.elasticsearch.core.Tuple; -import org.elasticsearch.nimbus.NimbusWrapper; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; 
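Review bot: In the JwtRealm hunk the rebuilt `msg` concatenation invokes `toString()` on the full `JWSHeader` and `JWTClaimsSet` unconditionally, before the `logger.isTraceEnabled()` check that follows it, so every failed JWT authentication serialises all claims through gson even when nothing will be logged, and the resulting string carries whatever PII the claims hold into wherever `msg` is used next (the remainder of the lambda is outside the hunk, so I cannot see its final destination). Consider keeping the verbose form inside the trace branch only, e.g. `final String detail = logger.isTraceEnabled() ? " with header [" + jwtAuthenticationToken.getSignedJWT().getHeader() + "] and claimSet [" + jwtAuthenticationToken.getJWTClaimsSet() + "]" : "";` and building the shared message from the realm name and `tokenPrincipal`, or routing it through a redacting helper in the style of the `JwtUtil.toStringRedactSignature` call visible in the OpenIdConnectAuthenticator hunk. Failing that, a comment stating that the header and claims are emitted verbatim would at least make the exposure explicit to the next reader.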
@@ -254,33 +253,19 @@ public void authenticate(OpenIdConnectToken token, final ActionListener claimsListener - ) { - AccessController.doPrivileged((PrivilegedAction) () -> { - doGetUserClaims(accessToken, idToken, expectedNonce, shouldRetry, claimsListener); - return null; - }); - } - - @SuppressWarnings("unchecked") - private void doGetUserClaims( - AccessToken accessToken, - JWT idToken, - Nonce expectedNonce, - boolean shouldRetry, - ActionListener claimsListener ) { try { if (LOGGER.isDebugEnabled()) { LOGGER.debug("ID Token Header: {}", idToken.getHeader()); } - JWTClaimsSet verifiedIdTokenClaims = NimbusWrapper.verifyTokenClaims(idTokenValidator.get(), idToken, expectedNonce); + JWTClaimsSet verifiedIdTokenClaims = idTokenValidator.get().validate(idToken, expectedNonce).toJWTClaimsSet(); if (LOGGER.isTraceEnabled()) { LOGGER.trace("Received and validated the Id Token for the user: [{}]", verifiedIdTokenClaims); } @@ -316,7 +301,7 @@ private void doGetUserClaims( LOGGER.debug("Failed to parse or validate the ID Token", e); claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e)); } - } catch (ParseException | JOSEException e) { + } catch (com.nimbusds.oauth2.sdk.ParseException | ParseException | JOSEException e) { LOGGER.debug( () -> format("ID Token: [%s], Nonce: [%s]", JwtUtil.toStringRedactSignature(idToken).get(), expectedNonce.toString()), e diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index a6546320ed71d..095949ac25a21 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy 
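Review bot: Removing the `doPrivileged` wrapper around the ID-token validation is a least-privilege improvement only if nothing on the `validate(...)` / `toJWTClaimsSet()` path still needs the reflective permissions that the policy now reserves for the nimbus-jose-jwt-fixed codebase; the patched `JSONObjectUtils` covers gson serialisation, but the oauth2-oidc-sdk side of `toJWTClaimsSet()` is not visible here, so a test that exercises the full successful validation path under the security manager (not only the parse-failure paths) would confirm it. A short comment at the call site would also stop a future maintainer from re-adding a blanket wrapper: `// Intentionally not wrapped in doPrivileged: gson reflection is confined to the patched JSONObjectUtils in nimbus-jose-jwt-fixed`. The added `com.nimbusds.oauth2.sdk.ParseException` in the multi-catch is what `toJWTClaimsSet()` requires, and folding it into the same debug log as the JOSE failures looks reasonable; note the enclosing method continues past the end of the hunk.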
@@ -58,13 +58,8 @@ grant codeBase "${codebase.oauth2-oidc-sdk}" { permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; -grant codeBase "${codebase.nimbus-jose-jwt}" { +grant codeBase "${codebase.nimbus-jose-jwt-fixed}" { // for JSON serialization based on a shaded GSON dependency permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; - -grant codeBase "${codebase.elasticsearch-jose-wrapper}" { - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; From c9e4e528cd2ba97e104050c93673b9a597c6b63e Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Sun, 11 Aug 2024 17:15:25 -0600 Subject: [PATCH 37/47] Clean up comments --- x-pack/plugin/security/build.gradle | 32 ----------------------------- 1 file changed, 32 deletions(-) diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index ff3e3671dd446..8247178458d60 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -111,7 +111,6 @@ dependencies { testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') -// testImplementation('com.nimbusds:nimbus-jose-jwt:9.37.3') testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') 
@@ -415,7 +414,6 @@ tasks.named("thirdPartyAudit").configure { 'javax.xml.bind.UnmarshallerHandler', // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE 'org.cryptomator.siv.SivMode', - // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037) 'com.nimbusds.common.contenttype.ContentType', 'com.nimbusds.common.contenttype.ContentType$Parameter', 'javax.activation.ActivationDataFlavor', @@ -437,33 +435,3 @@ tasks.named("internalClusterTest").configure { } addQaCheckDependencies(project) - -// These unit tests are run without the security manager because they use, directly or -// indirectly, nimbus-jose-jwt code, which uses gson internally, which is not friendly -// to the security manager. Note that we do not disable the security manager for -// any integration tests, any failures of which should be taken very seriously. -String[] noSecurityManagerClasses = [ - "**/JwtRealmAuthenticateTests.class", - "**/JwtRealmAuthenticateAccessTokenTypeTests.class", - "**/JwtRealmGenerateTests.class", - "**/JwtAuthenticatorAccessTokenTypeTests.class", - "**/JwtAuthenticatorIdTokenTypeTests.class", - "**/JwtSignatureValidatorTests.class", - "**/OpenIdConnectAuthenticatorTests.class", - "**/TransportOpenIdConnectLogoutActionTests.class", - "**/OpenIdConnectRealmTests.class", -] -// -//tasks.register('testNoSecurityManager', Test) { -// testClassesDirs = sourceSets.test.output.classesDirs -// classpath = sourceSets.test.runtimeClasspath -// include noSecurityManagerClasses -// systemProperty 'tests.security.manager', 'false' -// systemProperty 'es.insecure_network_trace_enabled', 'true' -//} -// -//tasks.named("check").configure { dependsOn 'testNoSecurityManager' } -// -//tasks.named('test').configure { -// exclude noSecurityManagerClasses -//} From 97f178c48fc6727d8a63bf130579e3f3fa847388 Mon Sep 17 00:00:00 2001 
From: Athena Brown Date: Sun, 11 Aug 2024 17:37:37 -0600 Subject: [PATCH 38/47] Policy cleanup --- .../src/main/plugin-metadata/plugin-security.codebases | 2 -- .../src/main/plugin-metadata/plugin-security.policy | 6 ------ 2 files changed, 8 deletions(-) diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases index 12c64c29577c5..94cfaec2d519c 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.codebases @@ -1,4 +1,2 @@ netty-common: io.netty.util.NettyRuntime netty-transport: io.netty.channel.Channel -nimbus-jose-jwt: com.nimbusds.jose.shaded.gson.internal.ConstructorConstructor -oauth2-oidc-sdk: com.nimbusds.jwt.SignedJWT diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index 095949ac25a21..7f760598edb10 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -52,12 +52,6 @@ grant codeBase "${codebase.netty-transport}" { permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write"; }; -grant codeBase "${codebase.oauth2-oidc-sdk}" { - // for JSON serialization based on a shaded GSON dependency - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; - grant codeBase "${codebase.nimbus-jose-jwt-fixed}" { // for JSON serialization based on a shaded GSON dependency permission java.lang.RuntimePermission "accessDeclaredMembers"; From 4351a5c09864c3e80810bdcf8d59f5328503177f Mon Sep 17 00:00:00 2001 
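Review bot: After this removal `plugin-security.codebases` names no nimbus jar at all, yet the policy hunk in the same patch still grants `accessDeclaredMembers` and `suppressAccessChecks` to `${codebase.nimbus-jose-jwt-fixed}`; if I read the mechanism right that property is only defined when a jar resolves to the codebase name `nimbus-jose-jwt-fixed`, so a shadow-jar file name that does not match would leave the grant silently unmatched and the first gson reflection under the security manager would fail at runtime rather than at build time. Either add a mapping to a class that lives in the shadow jar, e.g. `nimbus-jose-jwt-fixed: com.nimbusds.jose.util.JSONObjectUtils`, or document next to the grant why jar-name resolution is being relied on. Dropping the separate `oauth2-oidc-sdk` grant is consistent with routing that library's JSON work through the patched utils, but the surviving comment `// for JSON serialization based on a shaded GSON dependency` could say so explicitly, since it is now the only codebase holding these two powerful permissions.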
From: Athena Brown Date: Sun, 11 Aug 2024 17:42:42 -0600 Subject: [PATCH 39/47] Bit more cleanup --- x-pack/plugin/security/build.gradle | 21 ++--- .../security/forbidden/jwt-signatures.txt | 93 ------------------- 2 files changed, 8 insertions(+), 106 deletions(-) delete mode 100644 x-pack/plugin/security/forbidden/jwt-signatures.txt diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 8247178458d60..9d6036a61c05d 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -81,14 +81,13 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" api project(path: xpackModule('security:lib:nimbus-jose-jwt-fixed'), configuration: 'shadow') -// if (isEclipse) { -// /* -// * Eclipse can't pick up the shadow dependency so we point it at *something* -// * so it can compile things. -// */ -// api project(xpackModule('security:lib:nimbus-jose-jwt-fixed')) -// } -// api project(xpackModule('security:lib:jose-wrapper')) + if (isEclipse) { + /* + * Eclipse can't pick up the shadow dependency so we point it at *something* + * so it can compile things. + */ + api project(xpackModule('security:lib:nimbus-jose-jwt-fixed')) + } api "com.nimbusds:lang-tag:1.4.4" api "com.sun.mail:jakarta.mail:1.6.3" api "net.jcip:jcip-annotations:1.0" @@ -194,11 +193,7 @@ tasks.named("forbiddenPatterns").configure { } tasks.named('forbiddenApisMain').configure { - signaturesFiles += files( - 'forbidden/ldap-signatures.txt', - 'forbidden/xml-signatures.txt', - 'forbidden/oidc-signatures.txt', - ) + signaturesFiles += files('forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt') } tasks.named('forbiddenApisTest').configure { diff --git a/x-pack/plugin/security/forbidden/jwt-signatures.txt b/x-pack/plugin/security/forbidden/jwt-signatures.txt deleted file mode 100644 index b144d44e55963..0000000000000 
--- a/x-pack/plugin/security/forbidden/jwt-signatures.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -# The methods listed here were determined by finding all references -# to JSONObjectUtils (in which gson is contained, thankfully) with -# IntelliJ and listing them manually. -@defaultMessage Nimbus-jose-jwt calls which use gson internally must be contained in NimbusWrapper -com.nimbusds.jose.util.JSONObjectUtils -com.nimbusds.jwt.JWTClaimsSet#toString() -com.nimbusds.jwt.JWTClaimsSet#toString(boolean) -com.nimbusds.jwt.JWTClaimsSet#toJSONObject() -com.nimbusds.jwt.JWTClaimsSet#parse(java.util.Map) -com.nimbusds.jwt.JWTClaimsSet#parse(java.lang.String) -com.nimbusds.jwt.JWTParser#parse(java.lang.String) -com.nimbusds.jose.Header#toJSONObject() -com.nimbusds.jose.Header#toString() -com.nimbusds.jose.Header#parseAlgorithm(java.util.Map) -com.nimbusds.jose.Header#parse(java.util.Map) -com.nimbusds.jose.Header#parse(java.lang.String, com.nimbusds.jose.util.Base64URL) -com.nimbusds.jose.JWEObject#parse(java.lang.String) -com.nimbusds.jose.JWSObject#parse(java.lang.String) -com.nimbusds.jose.PlainObject#parse(java.lang.String) -com.nimbusds.jose.JWEHeader#parseEncryptionMethod(java.util.Map) -com.nimbusds.jose.JWEHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL) -com.nimbusds.jose.JWEHeader#parse(java.lang.String) -com.nimbusds.jose.JWEHeader#parse(java.lang.String, com.nimbusds.jose.util.Base64URL) -com.nimbusds.jose.JWEObjectJSON#getEncryptedKey() -com.nimbusds.jose.JWEObjectJSON#encrypt(com.nimbusds.jose.JWEEncrypter) -com.nimbusds.jose.JWEObjectJSON#toBaseJSONObject() -com.nimbusds.jose.JWEObjectJSON#toFlattenedJSONObject() -com.nimbusds.jose.JWEObjectJSON#serializeGeneral() -com.nimbusds.jose.JWEObjectJSON#serializeFlattened() -com.nimbusds.jose.JWEObjectJSON#parse(java.util.Map) -com.nimbusds.jose.JWEObjectJSON#parse(java.lang.String) -com.nimbusds.jose.JWEObjectJSON$Recipient#toJSONObject() -com.nimbusds.jose.JWEObjectJSON$Recipient#parse(java.util.Map) -com.nimbusds.jose.JWSObjectJSON#toFlattenedJSONObject() 
-com.nimbusds.jose.JWSObjectJSON#serializeGeneral() -com.nimbusds.jose.JWSObjectJSON#serializeFlattened() -com.nimbusds.jose.JWSObjectJSON#parse(java.util.Map) -com.nimbusds.jose.JWSObjectJSON#parse(java.lang.String) -com.nimbusds.jose.JWSHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL) -com.nimbusds.jose.JWSHeader#parse(java.lang.String, com.nimbusds.jose.util.Base64URL) -com.nimbusds.jose.JWSObjectJSON#toGeneralJSONObject() -com.nimbusds.jose.JWSObjectJSON#toFlattenedJSONObject() -com.nimbusds.jose.JWSObjectJSON#serializeGeneral() -com.nimbusds.jose.JWSObjectJSON#serializeFlattened() -com.nimbusds.jose.JWSObjectJSON#parseJWSHeader(java.util.Map) -com.nimbusds.jose.JWSObjectJSON#parse(java.util.Map) -com.nimbusds.jose.JWSObjectJSON#parse(java.lang.String) -com.nimbusds.jose.JWSObjectJSON$Signature#toJSONObject() -com.nimbusds.jose.Payload#toString() -com.nimbusds.jose.Payload#toJSONObject() -com.nimbusds.jose.PlainHeader#parse(java.util.Map, com.nimbusds.jose.util.Base64URL) -com.nimbusds.jose.PlainHeader#parse(java.lang.String, com.nimbusds.jose.util.Base64URL) -com.nimbusds.jose.UnprotectedHeader#toJSONObject() -com.nimbusds.jose.crypto.MultiDecrypter#decrypt(com.nimbusds.jose.JWEHeader, com.nimbusds.jose.util.Base64URL, com.nimbusds.jose.util.Base64URL, com.nimbusds.jose.util.Base64URL, com.nimbusds.jose.util.Base64URL, byte[]) -com.nimbusds.jose.crypto.MultiEncrypter#encrypt(com.nimbusds.jose.JWEHeader, byte[], byte[]) -com.nimbusds.jose.jwk.ECKey#parse(java.lang.String) -com.nimbusds.jose.jwk.ECKey#parse(java.util.Map) -com.nimbusds.jose.jwk.JWK#toJSONObject() -com.nimbusds.jose.jwk.JWK#toJSONString() -com.nimbusds.jose.jwk.JWK#toString() -com.nimbusds.jose.jwk.JWK#parse(java.lang.String) -com.nimbusds.jose.jwk.JWK#parse(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseKeyType(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseKeyUse(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseKeyOperations(java.util.Map) 
-com.nimbusds.jose.jwk.JWKMetadata#parseAlgorithm(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseKeyID(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseX509CertURL(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseX509CertThumbprint(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseX509CertSHA256Thumbprint(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseX509CertChain(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseExpirationTime(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseNotBeforeTime(java.util.Map) -com.nimbusds.jose.jwk.JWKMetadata#parseIssueTime(java.util.Map) -com.nimbusds.jose.jwk.JWKSet#toJSONObject(boolean) -com.nimbusds.jose.jwk.JWKSet#toString(boolean) -com.nimbusds.jose.jwk.JWKSet#parse(java.lang.String) -com.nimbusds.jose.jwk.JWKSet#parse(java.util.Map) -com.nimbusds.jose.jwk.OctetKeyPair#parse(java.lang.String) -com.nimbusds.jose.jwk.OctetKeyPair#parse(java.util.Map) -com.nimbusds.jose.jwk.OctetSequenceKey#parse(java.lang.String) -com.nimbusds.jose.jwk.OctetSequenceKey#parse(java.util.Map) -com.nimbusds.jose.jwk.RSAKey#toJSONObject() -com.nimbusds.jose.jwk.RSAKey#parse(java.lang.String) -com.nimbusds.jose.jwk.RSAKey#parse(java.util.Map) -com.nimbusds.jose.jwk.ThumbprintUtils#compute(java.lang.String, java.util.LinkedHashMap) -com.nimbusds.jwt.JWTClaimsSet#getJSONObjectClaim(java.lang.String) -com.nimbusds.jwt.JWTClaimsSet#toJSONObject(boolean) -com.nimbusds.jwt.JWTClaimsSet#toString() -com.nimbusds.jwt.JWTClaimsSet#toString(boolean) -com.nimbusds.jwt.JWTClaimsSet#parse(java.util.Map) -com.nimbusds.jwt.JWTClaimsSet#parse(java.lang.String) -com.nimbusds.jwt.JWTParser#parse(java.lang.String) From 291b30c159fdbdc407c845909515f1a46d746a75 Mon Sep 17 00:00:00 2001 
From: Athena Brown Date: Mon, 12 Aug 2024 17:14:49 -0600 Subject: [PATCH 40/47] Break modifications out into "wrapper" classes --- .../jose/util/InnerJSONObjectUtils.java | 515 ++++++++++++++++ .../jose/util/InnerJSONStringUtils.java | 45 ++ .../nimbusds/jose/util/JSONObjectUtils.java | 557 ++++-------------- .../nimbusds/jose/util/JSONStringUtils.java | 17 +- 4 files changed, 682 insertions(+), 452 deletions(-) create mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java create mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java new file mode 100644 index 0000000000000..04c57d3201ea5 --- /dev/null +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java 
@@ -0,0 +1,515 @@ +/* + * nimbus-jose-jwt + * + * Copyright 2012-2016, Connect2id Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use + * this file except in compliance with the License. You may obtain a copy of the + * License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.nimbusds.jose.util; + +import com.nimbusds.jose.shaded.gson.Gson; +import com.nimbusds.jose.shaded.gson.GsonBuilder; +import com.nimbusds.jose.shaded.gson.ToNumberPolicy; +import com.nimbusds.jose.shaded.gson.internal.LinkedTreeMap; +import com.nimbusds.jose.shaded.gson.reflect.TypeToken; + +import java.lang.reflect.Type; +import java.net.URI; +import java.net.URISyntaxException; +import java.text.ParseException; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +/* + * Copied from nimbus-jose-jwt version 9.37.3. + * + * The only modifications in this file are formatting & warning suppression as necessary to work with our infrastructure, tweaks to + * field visibility to enable this wrapping strategy, and this comment. + */ + +/** + * JSON object helper methods. + * + * @author Vladimir Dzhuvinov + * @version 2022-08-19 + */ +@SuppressWarnings({ "unchecked", "rawtypes" }) +public class InnerJSONObjectUtils { + + /** + * The GSon instance for serialisation and parsing. + */ + private static final Gson GSON = new GsonBuilder().serializeNulls() + .setObjectToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE) + .disableHtmlEscaping() + .create(); + + /** + * Parses a JSON object. + * + *

      Specific JSON to Java entity mapping (as per JSON Smart): + * + *

        + *
      • JSON true|false map to {@code java.lang.Boolean}. + *
      • JSON numbers map to {@code java.lang.Number}. + *
          + *
        • JSON integer numbers map to {@code long}. + *
        • JSON fraction numbers map to {@code double}. + *
        + *
      • JSON strings map to {@code java.lang.String}. + *
      • JSON arrays map to {@code java.util.List}. + *
      • JSON objects map to {@code java.util.Map}. + * + * + * @param s The JSON object string to parse. Must not be {@code null}. + * + * @return The JSON object. + * + * @throws ParseException If the string cannot be parsed to a valid JSON + * object. + */ + public static Map parse(final String s) throws ParseException { + + return parse(s, -1); + } + + /** + * Parses a JSON object with the option to limit the input string size. + * + *

        Specific JSON to Java entity mapping (as per JSON Smart): + * + *

          + *
        • JSON true|false map to {@code java.lang.Boolean}. + *
        • JSON numbers map to {@code java.lang.Number}. + *
            + *
          • JSON integer numbers map to {@code long}. + *
          • JSON fraction numbers map to {@code double}. + *
          + *
        • JSON strings map to {@code java.lang.String}. + *
        • JSON arrays map to {@code java.util.List}. + *
        • JSON objects map to {@code java.util.Map}. + * + * + * @param s The JSON object string to parse. Must not be + * {@code null}. + * @param sizeLimit The max allowed size of the string to parse. A + * negative integer means no limit. + * + * @return The JSON object. + * + * @throws ParseException If the string cannot be parsed to a valid JSON + * object. + */ + public static Map parse(final String s, final int sizeLimit) throws ParseException { + + if (s.trim().isEmpty()) { + throw new ParseException("Invalid JSON object", 0); + } + + if (sizeLimit >= 0 && s.length() > sizeLimit) { + throw new ParseException("The parsed string is longer than the max accepted size of " + sizeLimit + " characters", 0); + } + + Type mapType = TypeToken.getParameterized(Map.class, String.class, Object.class).getType(); + + try { + return GSON.fromJson(s, mapType); + } catch (Exception e) { + throw new ParseException("Invalid JSON: " + e.getMessage(), 0); + } catch (StackOverflowError e) { + throw new ParseException("Excessive JSON object and / or array nesting", 0); + } + } + + /** + * Use {@link #parse(String)} instead. + * + * @param s The JSON object string to parse. Must not be {@code null}. + * + * @return The JSON object. + * + * @throws ParseException If the string cannot be parsed to a valid JSON + * object. + */ + @Deprecated + public static Map parseJSONObject(final String s) throws ParseException { + + return parse(s); + } + + /** + * Gets a generic member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * @param clazz The expected class of the JSON object member value. Must + * not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. 
+ */ + private static T getGeneric(final Map o, final String key, final Class clazz) throws ParseException { + + if (o.get(key) == null) { + return null; + } + + Object value = o.get(key); + + if (false == clazz.isAssignableFrom(value.getClass())) { + throw new ParseException("Unexpected type of JSON object member with key " + key + "", 0); + } + + @SuppressWarnings("unchecked") + T castValue = (T) value; + return castValue; + } + + /** + * Gets a boolean member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static boolean getBoolean(final Map o, final String key) throws ParseException { + + Boolean value = getGeneric(o, key, Boolean.class); + + if (value == null) { + throw new ParseException("JSON object member with key " + key + " is missing or null", 0); + } + + return value; + } + + /** + * Gets an number member of a JSON object as {@code int}. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static int getInt(final Map o, final String key) throws ParseException { + + Number value = getGeneric(o, key, Number.class); + + if (value == null) { + throw new ParseException("JSON object member with key " + key + " is missing or null", 0); + } + + return value.intValue(); + } + + /** + * Gets a number member of a JSON object as {@code long}. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value. 
+ * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static long getLong(final Map o, final String key) throws ParseException { + + Number value = getGeneric(o, key, Number.class); + + if (value == null) { + throw new ParseException("JSON object member with key " + key + " is missing or null", 0); + } + + return value.longValue(); + } + + /** + * Gets a number member of a JSON object {@code float}. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static float getFloat(final Map o, final String key) throws ParseException { + + Number value = getGeneric(o, key, Number.class); + + if (value == null) { + throw new ParseException("JSON object member with key " + key + " is missing or null", 0); + } + + return value.floatValue(); + } + + /** + * Gets a number member of a JSON object as {@code double}. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the member is missing, the value is + * {@code null} or not of the expected type. + */ + public static double getDouble(final Map o, final String key) throws ParseException { + + Number value = getGeneric(o, key, Number.class); + + if (value == null) { + throw new ParseException("JSON object member with key " + key + " is missing or null", 0); + } + + return value.doubleValue(); + } + + /** + * Gets a string member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. 
+ * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static String getString(final Map o, final String key) throws ParseException { + + return getGeneric(o, key, String.class); + } + + /** + * Gets a string member of a JSON object as {@code java.net.URI}. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static URI getURI(final Map o, final String key) throws ParseException { + + String value = getString(o, key); + + if (value == null) { + return null; + } + + try { + return new URI(value); + + } catch (URISyntaxException e) { + + throw new ParseException(e.getMessage(), 0); + } + } + + /** + * Gets a JSON array member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static List getJSONArray(final Map o, final String key) throws ParseException { + + @SuppressWarnings("unchecked") + List jsonArray = getGeneric(o, key, List.class); + return jsonArray; + } + + /** + * Gets a string array member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. 
+ */ + public static String[] getStringArray(final Map o, final String key) throws ParseException { + + List jsonArray = getJSONArray(o, key); + + if (jsonArray == null) { + return null; + } + + try { + return jsonArray.toArray(new String[0]); + } catch (ArrayStoreException e) { + throw new ParseException("JSON object member with key \"" + key + "\" is not an array of strings", 0); + } + } + + /** + * Gets a JSON objects array member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static Map[] getJSONObjectArray(final Map o, final String key) throws ParseException { + + List jsonArray = getJSONArray(o, key); + + if (jsonArray == null) { + return null; + } + + if (jsonArray.isEmpty()) { + return new HashMap[0]; + } + + for (Object member : jsonArray) { + if (member == null) { + continue; + } + if (member instanceof HashMap) { + try { + return jsonArray.toArray(new HashMap[0]); + } catch (ArrayStoreException e) { + break; // throw parse exception below + } + } + if (member instanceof LinkedTreeMap) { + try { + return jsonArray.toArray(new LinkedTreeMap[0]); + } catch (ArrayStoreException e) { + break; // throw parse exception below + } + } + } + throw new ParseException("JSON object member with key \"" + key + "\" is not an array of JSON objects", 0); + } + + /** + * Gets a string list member of a JSON object + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. 
+ */ + public static List getStringList(final Map o, final String key) throws ParseException { + + String[] array = getStringArray(o, key); + + if (array == null) { + return null; + } + + return Arrays.asList(array); + } + + /** + * Gets a JSON object member of a JSON object. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static Map getJSONObject(final Map o, final String key) throws ParseException { + + Map jsonObject = getGeneric(o, key, Map.class); + + if (jsonObject == null) { + return null; + } + + // Verify keys are String + for (Object oKey : jsonObject.keySet()) { + if (false == (oKey instanceof String)) { + throw new ParseException("JSON object member with key " + key + " not a JSON object", 0); + } + } + @SuppressWarnings("unchecked") + Map castJSONObject = (Map) jsonObject; + return castJSONObject; + } + + /** + * Gets a string member of a JSON object as {@link Base64URL}. + * + * @param o The JSON object. Must not be {@code null}. + * @param key The JSON object member key. Must not be {@code null}. + * + * @return The JSON object member value, may be {@code null}. + * + * @throws ParseException If the value is not of the expected type. + */ + public static Base64URL getBase64URL(final Map o, final String key) throws ParseException { + + String value = getString(o, key); + + if (value == null) { + return null; + } + + return new Base64URL(value); + } + + /** + * Serialises the specified map to a JSON object using the entity + * mapping specified in {@link #parse(String)}. + * + * @param o The map. Must not be {@code null}. + * + * @return The JSON object as string. + */ + public static String toJSONString(final Map o) { + return GSON.toJson(o); + } + + /** + * Creates a new JSON object (unordered). 
+ * + * @return The new empty JSON object. + */ + public static Map newJSONObject() { + return new HashMap<>(); + } + + /** + * Prevents public instantiation. + */ + private InnerJSONObjectUtils() {} +} diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java new file mode 100644 index 0000000000000..39b7aa6d446fb --- /dev/null +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java @@ -0,0 +1,45 @@ +/* + * nimbus-jose-jwt + * + * Copyright 2012-2016, Connect2id Ltd and contributors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use + * this file except in compliance with the License. You may obtain a copy of the + * License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.nimbusds.jose.util; + +import com.nimbusds.jose.shaded.gson.Gson; + +/** + * JSON string helper methods. + * + * @author Vladimir Dzhuvinov + * @version 2022-08-16 + */ +public class InnerJSONStringUtils { + + /** + * Serialises the specified string to a JSON string. + * + * @param string The string. Must not be {@code null}. + * + * @return The string as JSON string. + */ + public static String toJSONString(final String string) { + return new Gson().toJson(string); + } + + /** + * Prevents public instantiation. + */ + private InnerJSONStringUtils() {} +} 
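Review bot: The header comment in InnerJSONObjectUtils.java says the class is "Copied from nimbus-jose-jwt version 9.37.3", but nothing in the hunk ties the copy to an exact upstream artifact or to the nimbus-jose-jwt version the build actually depends on, so a later library bump can silently leave this same-package replacement behaving differently from the library classes around it. I'd make the provenance precise and the sync requirement explicit: `* Copied from nimbus-jose-jwt version 9.37.3 (upstream ref: <UPSTREAM-REF>); must be re-copied whenever the nimbus-jose-jwt version declared in <BUILD-FILE> changes.` The same comment claims "tweaks to field visibility", yet the GSON field and getGeneric shown here are both still private, so the claim looks stale or refers to something outside this file; confirm and reword. getJSONObjectArray also depends on the shaded-internal com.nimbusds.jose.shaded.gson.internal.LinkedTreeMap, which is the main reason the copy is version-sensitive; a short comment at that import saying why it is required would help whoever does the next upgrade.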
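Review bot: InnerJSONStringUtils.toJSONString creates a `new Gson()` on every call, and that default instance keeps Gson's HTML escaping enabled, whereas the GSON instance in InnerJSONObjectUtils is built with disableHtmlEscaping(); the same string value can therefore be serialised differently depending on whether it passes through the string helper or as a member of a map. If this is intentionally kept identical to upstream, say so at the call: `// Deliberately a fresh default Gson (HTML escaping on), as in upstream; note InnerJSONObjectUtils.GSON disables HTML escaping.` If the per-call construction is not required, a cached `private static final Gson GSON = new Gson();` keeps the output byte-identical while avoiding the allocation.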
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java
index 9f71191a231ae..3a6e877c30fab 100644
--- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java
@@ -7,513 +7,194 @@ package com.nimbusds.jose.util; -import com.nimbusds.jose.shaded.gson.Gson; -import com.nimbusds.jose.shaded.gson.GsonBuilder; -import com.nimbusds.jose.shaded.gson.ToNumberPolicy; -import com.nimbusds.jose.shaded.gson.reflect.TypeToken; - -import java.lang.reflect.Type; import java.net.URI; -import java.net.URISyntaxException; import java.security.AccessController; import java.security.PrivilegedAction; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.text.ParseException; -import java.util.Arrays; -import java.util.Date; -import java.util.HashMap; import java.util.List; import java.util.Map; /** - * Copied from nimbus-jose-jwt version 9.37.3. - * - * Original code Copyright 2012-2016, Connect2id Ltd. Licensed under the Apache License, Version 2.0 - * - * The only modifications in this file are: - * 1) {@link AccessController#doPrivileged(PrivilegedAction)} calls to make gson work with the security manager - * 2) Formatting/Warning suppression as necessary to work with our infrastructure - * 3) This comment and the license comment + * This class wraps {@link InnerJSONObjectUtils}, which is copied directly from the source library, and delegates to + * that class as quickly as possible. This layer is only here to provide a point at which we can insert + * {@link java.security.AccessController#doPrivileged(PrivilegedAction)} calls as necessary. We don't do anything here + * other than ensure gson has the proper security manager permissions. */ -@SuppressWarnings({ "unchecked", "rawtypes" }) public class JSONObjectUtils { - /** - * The GSon instance for serialisation and parsing. - */ - private static final Gson GSON = new GsonBuilder().serializeNulls() - .setObjectToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE) - .disableHtmlEscaping() - .create(); - - /** - * Parses a JSON object. - * - *

          Specific JSON to Java entity mapping (as per JSON Smart): - * - *

            - *
          • JSON true|false map to {@code java.lang.Boolean}. - *
          • JSON numbers map to {@code java.lang.Number}. - *
              - *
            • JSON integer numbers map to {@code long}. - *
            • JSON fraction numbers map to {@code double}. - *
            - *
          • JSON strings map to {@code java.lang.String}. - *
          • JSON arrays map to {@code java.util.List}. - *
          • JSON objects map to {@code java.util.Map}. - * - * - * @param s The JSON object string to parse. Must not be {@code null}. - * - * @return The JSON object. - * - * @throws ParseException If the string cannot be parsed to a valid JSON - * object. - */ public static Map parse(final String s) throws ParseException { - - return parse(s, -1); + try { + return AccessController.doPrivileged((PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parse(s)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); + } } - /** - * Parses a JSON object with the option to limit the input string size. - * - *

            Specific JSON to Java entity mapping (as per JSON Smart): - * - *

              - *
            • JSON true|false map to {@code java.lang.Boolean}. - *
            • JSON numbers map to {@code java.lang.Number}. - *
                - *
              • JSON integer numbers map to {@code long}. - *
              • JSON fraction numbers map to {@code double}. - *
              - *
            • JSON strings map to {@code java.lang.String}. - *
            • JSON arrays map to {@code java.util.List}. - *
            • JSON objects map to {@code java.util.Map}. - * - * - * @param s The JSON object string to parse. Must not be - * {@code null}. - * @param sizeLimit The max allowed size of the string to parse. A - * negative integer means no limit. - * - * @return The JSON object. - * - * @throws ParseException If the string cannot be parsed to a valid JSON - * object. - */ public static Map parse(final String s, final int sizeLimit) throws ParseException { - - if (s.trim().isEmpty()) { - throw new ParseException("Invalid JSON object", 0); - } - - if (sizeLimit >= 0 && s.length() > sizeLimit) { - throw new ParseException("The parsed string is longer than the max accepted size of " + sizeLimit + " characters", 0); - } - - Type mapType = TypeToken.getParameterized(Map.class, String.class, Object.class).getType(); - try { - return AccessController.doPrivileged((PrivilegedAction>) () -> GSON.fromJson(s, mapType)); - } catch (Exception e) { - throw new ParseException("Invalid JSON: " + e.getMessage(), 0); - } catch (StackOverflowError e) { - throw new ParseException("Excessive JSON object and / or array nesting", 0); + return AccessController.doPrivileged( + (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parse(s, sizeLimit) + ); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } } - /** - * Use {@link #parse(String)} instead. - * - * @param s The JSON object string to parse. Must not be {@code null}. - * - * @return The JSON object. - * - * @throws ParseException If the string cannot be parsed to a valid JSON - * object. - */ @Deprecated public static Map parseJSONObject(final String s) throws ParseException { - - return parse(s); - } - - /** - * Gets a generic member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * @param clazz The expected class of the JSON object member value. 
- * Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - private static T getGeneric(final Map o, final String name, final Class clazz) throws ParseException { - - if (o.get(name) == null) { - return null; - } - - Object value = o.get(name); - - if (clazz.isAssignableFrom(value.getClass()) == false) { - throw new ParseException("Unexpected type of JSON object member " + name + "", 0); + try { + return AccessController.doPrivileged( + (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parseJSONObject(s) + ); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - @SuppressWarnings("unchecked") - T castValue = (T) value; - return castValue; } - /** - * Gets a boolean member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static boolean getBoolean(final Map o, final String name) throws ParseException { - - Boolean value = getGeneric(o, name, Boolean.class); - - if (value == null) { - throw new ParseException("JSON object member " + name + " is missing or null", 0); + public static boolean getBoolean(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getBoolean(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return value; } - /** - * Gets a number member of a JSON object as {@code int}. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. 
Must not be {@code null}. - * - * @return The JSON object member value. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static int getInt(final Map o, final String name) throws ParseException { - - Number value = getGeneric(o, name, Number.class); - - if (value == null) { - throw new ParseException("JSON object member " + name + " is missing or null", 0); + public static int getInt(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getInt(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return value.intValue(); } - /** - * Gets a number member of a JSON object as {@code long}. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static long getLong(final Map o, final String name) throws ParseException { - - Number value = getGeneric(o, name, Number.class); - - if (value == null) { - throw new ParseException("JSON object member " + name + " is missing or null", 0); + public static long getLong(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getLong(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return value.longValue(); } - /** - * Gets a number member of a JSON object {@code float}. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. 
- * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static float getFloat(final Map o, final String name) throws ParseException { - - Number value = getGeneric(o, name, Number.class); - - if (value == null) { - throw new ParseException("JSON object member " + name + " is missing or null", 0); + public static float getFloat(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getFloat(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return value.floatValue(); } - /** - * Gets a number member of a JSON object as {@code double}. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static double getDouble(final Map o, final String name) throws ParseException { - - Number value = getGeneric(o, name, Number.class); - - if (value == null) { - throw new ParseException("JSON object member " + name + " is missing or null", 0); + public static double getDouble(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getDouble(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return value.doubleValue(); } - /** - * Gets a string member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. 
- * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static String getString(final Map o, final String name) throws ParseException { - - return getGeneric(o, name, String.class); - } - - /** - * Gets a string member of a JSON object as {@code java.net.URI}. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static URI getURI(final Map o, final String name) throws ParseException { - - String value = getString(o, name); - - if (value == null) { - return null; - } - + public static String getString(final Map o, final String key) throws ParseException { try { - return new URI(value); - - } catch (URISyntaxException e) { - - throw new ParseException(e.getMessage(), 0); + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getString(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } } - /** - * Gets a JSON array member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static List getJSONArray(final Map o, final String name) throws ParseException { - - @SuppressWarnings("unchecked") - List jsonArray = getGeneric(o, name, List.class); - return jsonArray; - } - - /** - * Gets a string array member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. 
- * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static String[] getStringArray(final Map o, final String name) throws ParseException { - - List jsonArray = getJSONArray(o, name); - - if (jsonArray == null) { - return null; - } - + public static URI getURI(final Map o, final String key) throws ParseException { try { - return jsonArray.toArray(new String[0]); - } catch (ArrayStoreException e) { - throw new ParseException("JSON object member " + name + " is not an array of strings", 0); + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getURI(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } } - /** - * Gets a JSON objects array member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. 
- */ - public static Map[] getJSONObjectArray(final Map o, final String name) throws ParseException { - - List jsonArray = getJSONArray(o, name); - - if (jsonArray == null) { - return null; - } - - if (jsonArray.isEmpty()) { - return new HashMap[0]; - } - - for (Object member : jsonArray) { - if (member == null) { - continue; - } - if (member instanceof Map) { - try { - return jsonArray.toArray(new Map[0]); - } catch (ArrayStoreException e) { - break; // throw parse exception below - } - } + public static List getJSONArray(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getJSONArray(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - throw new ParseException("JSON object member " + name + " is not an array of JSON objects", 0); } - /** - * Gets a string list member of a JSON object - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static List getStringList(final Map o, final String name) throws ParseException { - - String[] array = getStringArray(o, name); - - if (array == null) { - return null; + public static String[] getStringArray(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getStringArray(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return Arrays.asList(array); } - /** - * Gets a JSON object member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. 
Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static Map getJSONObject(final Map o, final String name) throws ParseException { - - Map jsonObject = getGeneric(o, name, Map.class); - - if (jsonObject == null) { - return null; + public static Map[] getJSONObjectArray(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged( + (PrivilegedExceptionAction[]>) () -> InnerJSONObjectUtils.getJSONObjectArray(o, key) + ); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } + } - // Verify keys are String - for (Object oKey : jsonObject.keySet()) { - if ((oKey instanceof String) == false) { - throw new ParseException("JSON object member " + name + " not a JSON object", 0); - } + public static List getStringList(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged( + (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getStringList(o, key) + ); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - @SuppressWarnings("unchecked") - Map castJSONObject = (Map) jsonObject; - return castJSONObject; } - /** - * Gets a string member of a JSON object as {@link Base64URL}. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. 
- */ - public static Base64URL getBase64URL(final Map o, final String name) throws ParseException { - - String value = getString(o, name); - - if (value == null) { - return null; + public static Map getJSONObject(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged( + (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getJSONObject(o, key) + ); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return new Base64URL(value); } - /** - * Gets a number member of a JSON object as a {@link Date} expressed in - * seconds since the Unix epoch. - * - * @param o The JSON object. Must not be {@code null}. - * @param name The JSON object member name. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static Date getEpochSecondAsDate(final Map o, final String name) throws ParseException { - - Number value = getGeneric(o, name, Number.class); - - if (value == null) { - return null; + public static Base64URL getBase64URL(final Map o, final String key) throws ParseException { + try { + return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getBase64URL(o, key)); + } catch (PrivilegedActionException e) { + handleException(e); + throw new RuntimeException("this should be unreachable"); } - - return DateUtils.fromSecondsSinceEpoch(value.longValue()); } - /** - * Serialises the specified map to a JSON object using the entity - * mapping specified in {@link #parse(String)}. - * - * @param o The map. Must not be {@code null}. - * - * @return The JSON object as string. 
- */ public static String toJSONString(final Map o) { - return AccessController.doPrivileged((PrivilegedAction) () -> GSON.toJson(o)); + return AccessController.doPrivileged((PrivilegedAction) () -> InnerJSONObjectUtils.toJSONString(o)); } - /** - * Creates a new JSON object (unordered). - * - * @return The new empty JSON object. - */ public static Map newJSONObject() { - return new HashMap<>(); + return AccessController.doPrivileged((PrivilegedAction>) InnerJSONObjectUtils::newJSONObject); + } + + private static void handleException(final PrivilegedActionException e) throws ParseException { + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } - /** - * Prevents public instantiation. - */ private JSONObjectUtils() {} } diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java index e57ddfb61ac55..91e9a64f37184 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java 
@@ -7,24 +7,13 @@ package com.nimbusds.jose.util; -import com.nimbusds.jose.shaded.gson.Gson; - import java.security.AccessController; import java.security.PrivilegedAction; -/** - * Copied from nimbus-jose-jwt version 9.37.3. - * - * Original code Copyright 2012-2016, Connect2id Ltd. Licensed under the Apache License, Version 2.0 - * - * The only modifications in this file are: - * 1) {@link AccessController#doPrivileged(PrivilegedAction)} calls to make gson work with the security manager - * 2) Formatting/Warning suppression as necessary to work with our infrastructure - * 3) This comment and the license comment - */ public class JSONStringUtils { - public static String toJSONString(String string) { - return AccessController.doPrivileged((PrivilegedAction) () -> (new Gson()).toJson(string)); + + public static String toJSONString(final String string) { + return AccessController.doPrivileged((PrivilegedAction) () -> InnerJSONStringUtils.toJSONString(string)); } private JSONStringUtils() {} From 9e09edbc7070d693248661af52a9c8fad6f35979 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Mon, 12 Aug 2024 17:15:01 -0600 Subject: [PATCH 41/47] License headers check --- x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle index f3c17748e6fd4..bf4424156ce3c 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle @@ -22,7 +22,7 @@ tasks.named('shadowJar').configure { } } -['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit'].each { +['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each { tasks.named(it).configure { enabled = false } From 575539b9a07d9848d7a6c6bf4f8cb866abbe26b2 Mon Sep 17 00:00:00 2001 
From: Athena Brown Date: Mon, 12 Aug 2024 17:15:51 -0600 Subject: [PATCH 42/47] JSONStringUtils javadoc --- .../main/java/com/nimbusds/jose/util/JSONStringUtils.java | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java index 91e9a64f37184..a4adf8149ebdf 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java @@ -10,6 +10,12 @@ import java.security.AccessController; import java.security.PrivilegedAction; +/** + * This class wraps {@link InnerJSONStringUtils}, which is copied directly from the source library, and delegates to + * that class as quickly as possible. This layer is only here to provide a point at which we can insert + * {@link java.security.AccessController#doPrivileged(PrivilegedAction)} calls as necessary. We don't do anything here + * other than ensure gson has the proper security manager permissions. + */ public class JSONStringUtils { public static String toJSONString(final String string) { From 41e0e57ed6b67362f36f69fd7922607d63003aff Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Mon, 12 Aug 2024 17:39:25 -0600 Subject: [PATCH 43/47] cleanup --- .../nimbusds/jose/util/JSONObjectUtils.java | 137 ++++++++++++------ 1 file changed, 96 insertions(+), 41 deletions(-) diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java index 3a6e877c30fab..65f949e45496b 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java 
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java @@ -28,8 +28,12 @@ public static Map parse(final String s) throws ParseException { try { return AccessController.doPrivileged((PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parse(s)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -39,8 +43,12 @@ public static Map parse(final String s, final int sizeLimit) thr (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parse(s, sizeLimit) ); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -51,8 +59,12 @@ public static Map parseJSONObject(final String s) throws ParseEx (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parseJSONObject(s) ); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } 
@@ -60,8 +72,12 @@ public static boolean getBoolean(final Map o, final String key) try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getBoolean(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -69,8 +85,12 @@ public static int getInt(final Map o, final String key) throws P try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getInt(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -78,8 +98,12 @@ public static long getLong(final Map o, final String key) throws try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getLong(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } 
@@ -87,8 +111,12 @@ public static float getFloat(final Map o, final String key) thro try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getFloat(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -96,8 +124,12 @@ public static double getDouble(final Map o, final String key) th try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getDouble(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -105,8 +137,12 @@ public static String getString(final Map o, final String key) th try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getString(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } 
@@ -114,8 +150,12 @@ public static URI getURI(final Map o, final String key) throws P try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getURI(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -123,8 +163,12 @@ public static List getJSONArray(final Map o, final Strin try { return AccessController.doPrivileged((PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getJSONArray(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -132,8 +176,12 @@ public static String[] getStringArray(final Map o, final String try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getStringArray(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -143,8 +191,12 @@ public static Map[] getJSONObjectArray(final Map (PrivilegedExceptionAction[]>) () -> InnerJSONObjectUtils.getJSONObjectArray(o, key) ); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } 
@@ -154,8 +206,12 @@ public static List getStringList(final Map o, final Stri (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getStringList(o, key) ); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -165,8 +221,12 @@ public static Map getJSONObject(final Map o, fin (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getJSONObject(o, key) ); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -174,8 +234,12 @@ public static Base64URL getBase64URL(final Map o, final String k try { return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getBase64URL(o, key)); } catch (PrivilegedActionException e) { - handleException(e); - throw new RuntimeException("this should be unreachable"); + if (e.getException() instanceof ParseException pe) { + throw pe; + } else if (e.getException() instanceof RuntimeException re) { + throw re; + } + throw new RuntimeException(e); } } @@ -187,14 +251,5 @@ public static Map newJSONObject() { return AccessController.doPrivileged((PrivilegedAction>) InnerJSONObjectUtils::newJSONObject); } - private static void handleException(final PrivilegedActionException e) throws ParseException { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); - } - private JSONObjectUtils() {} } From 1fc71bf597b2329ebb570189a773a89ea2f60f0f Mon Sep 17 00:00:00 2001 
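Review bot: Inlining the catch body into fourteen call sites trades one `this should be unreachable` line for fourteen copies of the same unwrap logic, which will drift the first time someone adds a branch at one site and not the others. The compiler concern that motivated the inline can be met with a helper that returns the throwable instead of throwing it, so each site becomes `throw unwrap(e);` and the rethrow policy lives in one place while the compiler still sees a terminating statement. If I recall the contract of `AccessController.doPrivileged(PrivilegedExceptionAction)` correctly, unchecked exceptions from the action propagate without being wrapped, so the `RuntimeException` branch is probably never taken; keeping it is harmless but deserves a one-line comment saying it is defensive. The wrapped accessor methods themselves start and end outside these hunks.
```java
    } catch (PrivilegedActionException e) {
        throw unwrap(e);
    }

    /**
     * Rethrows the checked exception carried by a PrivilegedActionException as the ParseException the
     * caller expects, or hands it back as an unchecked exception for the caller to throw.
     */
    private static RuntimeException unwrap(final PrivilegedActionException e) throws ParseException {
        if (e.getException() instanceof ParseException pe) {
            throw pe;
        }
        if (e.getException() instanceof RuntimeException re) {
            return re; // defensive: unchecked exceptions are normally not wrapped by doPrivileged
        }
        return new RuntimeException(e);
    }
```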
From: Athena Brown Date: Tue, 13 Aug 2024 15:02:25 -0600 Subject: [PATCH 44/47] Reconfigure the build to reference original class files --- .../lib/nimbus-jose-jwt-fixed/build.gradle | 18 +- .../jose/util/InnerJSONObjectUtils.java | 515 ------------------ .../jose/util/InnerJSONStringUtils.java | 45 -- .../nimbusds/jose/util/JSONObjectUtils.java | 77 ++- .../nimbusds/jose/util/JSONStringUtils.java | 4 +- .../lib/njj-moved-utils-only/build.gradle | 27 + .../njj-remapped-intermediate/build.gradle | 28 + .../licenses/nimbus-jose-jwt-LICENSE.txt | 202 +++++++ .../licenses/nimbus-jose-jwt-NOTICE.txt | 14 + 9 files changed, 344 insertions(+), 586 deletions(-) delete mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java delete mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java create mode 100644 x-pack/plugin/security/lib/njj-moved-utils-only/build.gradle create mode 100644 x-pack/plugin/security/lib/njj-remapped-intermediate/build.gradle create mode 100644 x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-LICENSE.txt create mode 100644 x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-NOTICE.txt diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle index bf4424156ce3c..56b0e864447e0 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle 
@@ -9,13 +9,27 @@ apply plugin: 'elasticsearch.build' apply plugin: 'com.github.johnrengelman.shadow' +// This build deserves an explanation. Nimbus-jose-jwt uses gson internally, which is unfriendly +// to our usage of the security manager, to a degree that it makes the library extremely difficult +// to work with safely. The purpose of this build is to create a version of nimbus-jose-jwt with +// a couple classes replaced with wrappers which work with the security manager, the source files +// in this directory. + +// Because we want to include the original class files so that we can reference them without +// modification, there are a couple intermediate steps: +// 1) Create a version of the JAR in which the relevant class files are moved to a different package. +// This is not immediately usable as this process rewrites the rest of the JAR to "correctly" +// reference the new classes. So, we need to... +// 2) Create a JAR from the result of step 1 which contains *only* the relevant class files. +// 3) Use the result of step 2 here, combined with the original library, so that we can use our +// replacement classes which wrap the original class files. + dependencies { implementation "com.nimbusds:nimbus-jose-jwt:9.37.3" + implementation project(path: xpackModule('security:lib:njj-moved-utils-only'), configuration: 'shadow') } tasks.named('shadowJar').configure { - exclude 'com/nimbusds/jose/util/JSONObjectUtils$*.class' - exclude 'com/nimbusds/jose/util/JSONStringUtils$*.class' manifest { // The original library uses this and it gets stripped by shadowJar attributes 'Automatic-Module-Name': 'com.nimbusds.jose.jwt' diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java deleted file mode 100644 index 04c57d3201ea5..0000000000000 
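Review bot: The merged jar now receives `JSONObjectUtils.class` and `JSONStringUtils.class` from two inputs, the wrapper sources in this directory and the unmodified library jar, and nothing in the `shadowJar` block says which copy wins, so whether the `doPrivileged` wrappers are what actually loads at runtime depends on entry order and the default duplicates strategy. Make the collision explicit, for example `duplicatesStrategy = DuplicatesStrategy.FAIL` on the shadowJar task plus a filter that drops the library's two originals, or a verification step that the final jar holds exactly one entry per class. The `9.37.3` pin is also load-bearing: the `njj-moved-utils-only` jar is presumably built from that same version, so a bump of nimbus-jose-jwt elsewhere in the build must be mirrored here or the wrappers delegate to class files from a different release than the rest of the library; a comment on the dependency line such as `// must match the version njj-moved-utils-only is built from` would make that visible.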
--- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONObjectUtils.java +++ /dev/null 
@@ -1,515 +0,0 @@ -/* - * nimbus-jose-jwt - * - * Copyright 2012-2016, Connect2id Ltd. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use - * this file except in compliance with the License. You may obtain a copy of the - * License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed - * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR - * CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ - -package com.nimbusds.jose.util; - -import com.nimbusds.jose.shaded.gson.Gson; -import com.nimbusds.jose.shaded.gson.GsonBuilder; -import com.nimbusds.jose.shaded.gson.ToNumberPolicy; -import com.nimbusds.jose.shaded.gson.internal.LinkedTreeMap; -import com.nimbusds.jose.shaded.gson.reflect.TypeToken; - -import java.lang.reflect.Type; -import java.net.URI; -import java.net.URISyntaxException; -import java.text.ParseException; -import java.util.Arrays; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -/* - * Copied from nimbus-jose-jwt version 9.37.3. - * - * The only modifications in this file are formatting & warning suppression as necessary to work with our infrastructure, tweaks to - * field visibility to enable this wrapping strategy, and this comment. - */ - -/** - * JSON object helper methods. - * - * @author Vladimir Dzhuvinov - * @version 2022-08-19 - */ -@SuppressWarnings({ "unchecked", "rawtypes" }) -public class InnerJSONObjectUtils { - - /** - * The GSon instance for serialisation and parsing. - */ - private static final Gson GSON = new GsonBuilder().serializeNulls() - .setObjectToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE) - .disableHtmlEscaping() - .create(); - - /** - * Parses a JSON object. - * - *

              Specific JSON to Java entity mapping (as per JSON Smart): - * - *

                - *
              • JSON true|false map to {@code java.lang.Boolean}. - *
              • JSON numbers map to {@code java.lang.Number}. - *
                  - *
                • JSON integer numbers map to {@code long}. - *
                • JSON fraction numbers map to {@code double}. - *
                - *
              • JSON strings map to {@code java.lang.String}. - *
              • JSON arrays map to {@code java.util.List}. - *
              • JSON objects map to {@code java.util.Map}. - * - * - * @param s The JSON object string to parse. Must not be {@code null}. - * - * @return The JSON object. - * - * @throws ParseException If the string cannot be parsed to a valid JSON - * object. - */ - public static Map parse(final String s) throws ParseException { - - return parse(s, -1); - } - - /** - * Parses a JSON object with the option to limit the input string size. - * - *

                Specific JSON to Java entity mapping (as per JSON Smart): - * - *

                  - *
                • JSON true|false map to {@code java.lang.Boolean}. - *
                • JSON numbers map to {@code java.lang.Number}. - *
                    - *
                  • JSON integer numbers map to {@code long}. - *
                  • JSON fraction numbers map to {@code double}. - *
                  - *
                • JSON strings map to {@code java.lang.String}. - *
                • JSON arrays map to {@code java.util.List}. - *
                • JSON objects map to {@code java.util.Map}. - * - * - * @param s The JSON object string to parse. Must not be - * {@code null}. - * @param sizeLimit The max allowed size of the string to parse. A - * negative integer means no limit. - * - * @return The JSON object. - * - * @throws ParseException If the string cannot be parsed to a valid JSON - * object. - */ - public static Map parse(final String s, final int sizeLimit) throws ParseException { - - if (s.trim().isEmpty()) { - throw new ParseException("Invalid JSON object", 0); - } - - if (sizeLimit >= 0 && s.length() > sizeLimit) { - throw new ParseException("The parsed string is longer than the max accepted size of " + sizeLimit + " characters", 0); - } - - Type mapType = TypeToken.getParameterized(Map.class, String.class, Object.class).getType(); - - try { - return GSON.fromJson(s, mapType); - } catch (Exception e) { - throw new ParseException("Invalid JSON: " + e.getMessage(), 0); - } catch (StackOverflowError e) { - throw new ParseException("Excessive JSON object and / or array nesting", 0); - } - } - - /** - * Use {@link #parse(String)} instead. - * - * @param s The JSON object string to parse. Must not be {@code null}. - * - * @return The JSON object. - * - * @throws ParseException If the string cannot be parsed to a valid JSON - * object. - */ - @Deprecated - public static Map parseJSONObject(final String s) throws ParseException { - - return parse(s); - } - - /** - * Gets a generic member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * @param clazz The expected class of the JSON object member value. Must - * not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. 
- */ - private static T getGeneric(final Map o, final String key, final Class clazz) throws ParseException { - - if (o.get(key) == null) { - return null; - } - - Object value = o.get(key); - - if (false == clazz.isAssignableFrom(value.getClass())) { - throw new ParseException("Unexpected type of JSON object member with key " + key + "", 0); - } - - @SuppressWarnings("unchecked") - T castValue = (T) value; - return castValue; - } - - /** - * Gets a boolean member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static boolean getBoolean(final Map o, final String key) throws ParseException { - - Boolean value = getGeneric(o, key, Boolean.class); - - if (value == null) { - throw new ParseException("JSON object member with key " + key + " is missing or null", 0); - } - - return value; - } - - /** - * Gets an number member of a JSON object as {@code int}. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static int getInt(final Map o, final String key) throws ParseException { - - Number value = getGeneric(o, key, Number.class); - - if (value == null) { - throw new ParseException("JSON object member with key " + key + " is missing or null", 0); - } - - return value.intValue(); - } - - /** - * Gets a number member of a JSON object as {@code long}. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value. 
- * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static long getLong(final Map o, final String key) throws ParseException { - - Number value = getGeneric(o, key, Number.class); - - if (value == null) { - throw new ParseException("JSON object member with key " + key + " is missing or null", 0); - } - - return value.longValue(); - } - - /** - * Gets a number member of a JSON object {@code float}. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static float getFloat(final Map o, final String key) throws ParseException { - - Number value = getGeneric(o, key, Number.class); - - if (value == null) { - throw new ParseException("JSON object member with key " + key + " is missing or null", 0); - } - - return value.floatValue(); - } - - /** - * Gets a number member of a JSON object as {@code double}. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the member is missing, the value is - * {@code null} or not of the expected type. - */ - public static double getDouble(final Map o, final String key) throws ParseException { - - Number value = getGeneric(o, key, Number.class); - - if (value == null) { - throw new ParseException("JSON object member with key " + key + " is missing or null", 0); - } - - return value.doubleValue(); - } - - /** - * Gets a string member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. 
- * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static String getString(final Map o, final String key) throws ParseException { - - return getGeneric(o, key, String.class); - } - - /** - * Gets a string member of a JSON object as {@code java.net.URI}. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static URI getURI(final Map o, final String key) throws ParseException { - - String value = getString(o, key); - - if (value == null) { - return null; - } - - try { - return new URI(value); - - } catch (URISyntaxException e) { - - throw new ParseException(e.getMessage(), 0); - } - } - - /** - * Gets a JSON array member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static List getJSONArray(final Map o, final String key) throws ParseException { - - @SuppressWarnings("unchecked") - List jsonArray = getGeneric(o, key, List.class); - return jsonArray; - } - - /** - * Gets a string array member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. 
- */ - public static String[] getStringArray(final Map o, final String key) throws ParseException { - - List jsonArray = getJSONArray(o, key); - - if (jsonArray == null) { - return null; - } - - try { - return jsonArray.toArray(new String[0]); - } catch (ArrayStoreException e) { - throw new ParseException("JSON object member with key \"" + key + "\" is not an array of strings", 0); - } - } - - /** - * Gets a JSON objects array member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static Map[] getJSONObjectArray(final Map o, final String key) throws ParseException { - - List jsonArray = getJSONArray(o, key); - - if (jsonArray == null) { - return null; - } - - if (jsonArray.isEmpty()) { - return new HashMap[0]; - } - - for (Object member : jsonArray) { - if (member == null) { - continue; - } - if (member instanceof HashMap) { - try { - return jsonArray.toArray(new HashMap[0]); - } catch (ArrayStoreException e) { - break; // throw parse exception below - } - } - if (member instanceof LinkedTreeMap) { - try { - return jsonArray.toArray(new LinkedTreeMap[0]); - } catch (ArrayStoreException e) { - break; // throw parse exception below - } - } - } - throw new ParseException("JSON object member with key \"" + key + "\" is not an array of JSON objects", 0); - } - - /** - * Gets a string list member of a JSON object - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. 
- */ - public static List getStringList(final Map o, final String key) throws ParseException { - - String[] array = getStringArray(o, key); - - if (array == null) { - return null; - } - - return Arrays.asList(array); - } - - /** - * Gets a JSON object member of a JSON object. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static Map getJSONObject(final Map o, final String key) throws ParseException { - - Map jsonObject = getGeneric(o, key, Map.class); - - if (jsonObject == null) { - return null; - } - - // Verify keys are String - for (Object oKey : jsonObject.keySet()) { - if (false == (oKey instanceof String)) { - throw new ParseException("JSON object member with key " + key + " not a JSON object", 0); - } - } - @SuppressWarnings("unchecked") - Map castJSONObject = (Map) jsonObject; - return castJSONObject; - } - - /** - * Gets a string member of a JSON object as {@link Base64URL}. - * - * @param o The JSON object. Must not be {@code null}. - * @param key The JSON object member key. Must not be {@code null}. - * - * @return The JSON object member value, may be {@code null}. - * - * @throws ParseException If the value is not of the expected type. - */ - public static Base64URL getBase64URL(final Map o, final String key) throws ParseException { - - String value = getString(o, key); - - if (value == null) { - return null; - } - - return new Base64URL(value); - } - - /** - * Serialises the specified map to a JSON object using the entity - * mapping specified in {@link #parse(String)}. - * - * @param o The map. Must not be {@code null}. - * - * @return The JSON object as string. - */ - public static String toJSONString(final Map o) { - return GSON.toJson(o); - } - - /** - * Creates a new JSON object (unordered). 
- * - * @return The new empty JSON object. - */ - public static Map newJSONObject() { - return new HashMap<>(); - } - - /** - * Prevents public instantiation. - */ - private InnerJSONObjectUtils() {} -} diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java deleted file mode 100644 index 39b7aa6d446fb..0000000000000 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/InnerJSONStringUtils.java +++ /dev/null @@ -1,45 +0,0 @@ -/* - * nimbus-jose-jwt - * - * Copyright 2012-2016, Connect2id Ltd and contributors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use - * this file except in compliance with the License. You may obtain a copy of the - * License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed - * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR - * CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ - -package com.nimbusds.jose.util; - -import com.nimbusds.jose.shaded.gson.Gson; - -/** - * JSON string helper methods. - * - * @author Vladimir Dzhuvinov - * @version 2022-08-16 - */ -public class InnerJSONStringUtils { - - /** - * Serialises the specified string to a JSON string. - * - * @param string The string. Must not be {@code null}. - * - * @return The string as JSON string. - */ - public static String toJSONString(final String string) { - return new Gson().toJson(string); - } - - /** - * Prevents public instantiation. - */ - private InnerJSONStringUtils() {} -} 
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java index 65f949e45496b..ae063fbf80fa1 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java @@ -17,16 +17,18 @@ import java.util.Map; /** - * This class wraps {@link InnerJSONObjectUtils}, which is copied directly from the source library, and delegates to - * that class as quickly as possible. This layer is only here to provide a point at which we can insert - * {@link java.security.AccessController#doPrivileged(PrivilegedAction)} calls as necessary. We don't do anything here - * other than ensure gson has the proper security manager permissions. + * This class wraps {@link org.elasticsearch.nimbus.jose.util.JSONObjectUtils}, which is copied directly from the source + * library, and delegates to that class as quickly as possible. This layer is only here to provide a point at which we + * can insert {@link java.security.AccessController#doPrivileged(PrivilegedAction)} calls as necessary. We don't do + * anything here other than ensure gson has the proper security manager permissions. */ public class JSONObjectUtils { public static Map parse(final String s) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parse(s)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parse(s) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; 
@@ -40,7 +42,10 @@ public static Map parse(final String s) throws ParseException { public static Map parse(final String s, final int sizeLimit) throws ParseException { try { return AccessController.doPrivileged( - (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parse(s, sizeLimit) + (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parse( + s, + sizeLimit + ) ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { @@ -56,7 +61,7 @@ public static Map parse(final String s, final int sizeLimit) thr public static Map parseJSONObject(final String s) throws ParseException { try { return AccessController.doPrivileged( - (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.parseJSONObject(s) + (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parseJSONObject(s) ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { @@ -70,7 +75,9 @@ public static Map parseJSONObject(final String s) throws ParseEx public static boolean getBoolean(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getBoolean(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBoolean(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; 
@@ -83,7 +90,9 @@ public static boolean getBoolean(final Map o, final String key) public static int getInt(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getInt(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getInt(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; @@ -96,7 +105,9 @@ public static int getInt(final Map o, final String key) throws P public static long getLong(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getLong(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getLong(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; @@ -109,7 +120,9 @@ public static long getLong(final Map o, final String key) throws public static float getFloat(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getFloat(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getFloat(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; 
@@ -122,7 +135,9 @@ public static float getFloat(final Map o, final String key) thro public static double getDouble(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getDouble(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getDouble(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; @@ -135,7 +150,9 @@ public static double getDouble(final Map o, final String key) th public static String getString(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getString(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getString(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; @@ -148,7 +165,9 @@ public static String getString(final Map o, final String key) th public static URI getURI(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getURI(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getURI(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; 
@@ -161,7 +180,9 @@ public static URI getURI(final Map o, final String key) throws P public static List getJSONArray(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getJSONArray(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getJSONArray(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; @@ -174,7 +195,9 @@ public static List getJSONArray(final Map o, final Strin public static String[] getStringArray(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getStringArray(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringArray(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; @@ -188,7 +211,8 @@ public static String[] getStringArray(final Map o, final String public static Map[] getJSONObjectArray(final Map o, final String key) throws ParseException { try { return AccessController.doPrivileged( - (PrivilegedExceptionAction[]>) () -> InnerJSONObjectUtils.getJSONObjectArray(o, key) + (PrivilegedExceptionAction[]>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils + .getJSONObjectArray(o, key) ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { 
@@ -203,7 +227,7 @@ public static Map[] getJSONObjectArray(final Map public static List getStringList(final Map o, final String key) throws ParseException { try { return AccessController.doPrivileged( - (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getStringList(o, key) + (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringList(o, key) ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { @@ -218,7 +242,10 @@ public static List getStringList(final Map o, final Stri public static Map getJSONObject(final Map o, final String key) throws ParseException { try { return AccessController.doPrivileged( - (PrivilegedExceptionAction>) () -> InnerJSONObjectUtils.getJSONObject(o, key) + (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getJSONObject( + o, + key + ) ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { @@ -232,7 +259,9 @@ public static Map getJSONObject(final Map o, fin public static Base64URL getBase64URL(final Map o, final String key) throws ParseException { try { - return AccessController.doPrivileged((PrivilegedExceptionAction) () -> InnerJSONObjectUtils.getBase64URL(o, key)); + return AccessController.doPrivileged( + (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBase64URL(o, key) + ); } catch (PrivilegedActionException e) { if (e.getException() instanceof ParseException pe) { throw pe; 
@@ -244,11 +273,15 @@ public static Base64URL getBase64URL(final Map o, final String k } public static String toJSONString(final Map o) { - return AccessController.doPrivileged((PrivilegedAction) () -> InnerJSONObjectUtils.toJSONString(o)); + return AccessController.doPrivileged( + (PrivilegedAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.toJSONString(o) + ); } public static Map newJSONObject() { - return AccessController.doPrivileged((PrivilegedAction>) InnerJSONObjectUtils::newJSONObject); + return AccessController.doPrivileged( + (PrivilegedAction>) org.elasticsearch.nimbus.jose.util.JSONObjectUtils::newJSONObject + ); } private JSONObjectUtils() {} diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java index a4adf8149ebdf..e9e34d21ce7d6 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java @@ -11,7 +11,7 @@ import java.security.PrivilegedAction; /** - * This class wraps {@link InnerJSONStringUtils}, which is copied directly from the source library, and delegates to + * This class wraps {@link JSONStringUtils}, which is copied directly from the source library, and delegates to * that class as quickly as possible. This layer is only here to provide a point at which we can insert * {@link java.security.AccessController#doPrivileged(PrivilegedAction)} calls as necessary. We don't do anything here * other than ensure gson has the proper security manager permissions. 
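Review bot: The Javadoc in the `@@ -11,7 +11,7 @@` hunk of JSONStringUtils now says `{@link JSONStringUtils}`, which inside `com.nimbusds.jose.util.JSONStringUtils` resolves to the class itself rather than to the relocated copy; the JSONObjectUtils Javadoc changed on this page uses the fully qualified `org.elasticsearch.nimbus.jose.util.JSONObjectUtils`, and this one should match: `* This class wraps {@link org.elasticsearch.nimbus.jose.util.JSONStringUtils}, which is copied directly from the source library, and delegates to`. The same missing qualification in the next hunk (`@@ -19,7 +19,7 @@`) is more than cosmetic: `JSONStringUtils.toJSONString(string)` written inside a class with that simple name is a call to the enclosing method, and Java rejects a single-type import of the relocated class that shares the compilation unit's own type name, so the wrapper recurses until StackOverflowError. Qualify the call, `() -> org.elasticsearch.nimbus.jose.util.JSONStringUtils.toJSONString(string)`, unless this wrapper is meant to disappear later in the series.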
@@ -19,7 +19,7 @@ public class JSONStringUtils { public static String toJSONString(final String string) { - return AccessController.doPrivileged((PrivilegedAction) () -> InnerJSONStringUtils.toJSONString(string)); + return AccessController.doPrivileged((PrivilegedAction) () -> JSONStringUtils.toJSONString(string)); } private JSONStringUtils() {} diff --git a/x-pack/plugin/security/lib/njj-moved-utils-only/build.gradle b/x-pack/plugin/security/lib/njj-moved-utils-only/build.gradle new file mode 100644 index 0000000000000..598f5cbde1da7 --- /dev/null +++ b/x-pack/plugin/security/lib/njj-moved-utils-only/build.gradle @@ -0,0 +1,27 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +apply plugin: 'elasticsearch.build' +apply plugin: 'com.github.johnrengelman.shadow' + +// The previous build step produced an artifact in which the classes we care about have been +// relocated to an org.elasticsearch package. However, the entire JAR has been updated to account +// for this, and we want *only* the moved classes. So we drop everything in the original namespace. + +dependencies { + implementation project(path: xpackModule('security:lib:njj-remapped-intermediate'), configuration: 'shadow') +} + +tasks.named('shadowJar').configure { + exclude 'com/nimbusds/' +} + +['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each { + tasks.named(it).configure { + enabled = false + } +} diff --git a/x-pack/plugin/security/lib/njj-remapped-intermediate/build.gradle b/x-pack/plugin/security/lib/njj-remapped-intermediate/build.gradle new file mode 100644 index 0000000000000..1dd0725e736fc --- /dev/null +++ b/x-pack/plugin/security/lib/njj-remapped-intermediate/build.gradle 
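Review bot: The closing block of the new njj-moved-utils-only build file turns off `jarHell`, `thirdPartyAudit`, `forbiddenApisMain`, `splitPackagesAudit` and `licenseHeaders` without saying why that is acceptable for an artifact that ships relocated third-party code; the identical block appears in the njj-remapped-intermediate build file in the next hunk. A one-line justification stops the next reader from re-enabling or copying it blindly, e.g. `// No first-party sources here; the relocated classes are audited by the consuming security module that bundles them` if that is indeed the case. Relatedly, `exclude 'com/nimbusds/'` also drops the shaded Gson classes (`com.nimbusds.jose.shaded.gson`) that the copied utils referenced in the deleted Inner* files, so the artifact is presumably only usable next to the real nimbus-jose-jwt jar; that expectation belongs in the comment above the exclude.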
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+apply plugin: 'elasticsearch.build'
+apply plugin: 'com.github.johnrengelman.shadow'
+
+dependencies {
+ implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"
+}
+
+tasks.named('shadowJar').configure {
+ // Attempting to exclude all of the classes we *don't* move here ought to be possible per the
+ // shadowJar docs, but actually attempting to do so results in an empty JAR. So we'll do that as a
+ // separate step (see njj-moved-utils-only)
+ relocate 'com.nimbusds.jose.util.JSONObjectUtils', 'org.elasticsearch.nimbus.jose.util.JSONObjectUtils'
+ relocate 'com.nimbusds.jose.util.JSONStringUtils', 'org.elasticsearch.nimbus.jose.util.JSONStringUtils'
+}
+
+['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each {
+ tasks.named(it).configure {
+ enabled = false
+ }
+}
+
diff --git a/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-LICENSE.txt
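Review bot: `implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"` pins the library revision that the two relocated utility classes are extracted from independently of the revision the security plugin itself compiles against (the patch subject is an SDK update), so the two can drift without anyone noticing: the relocated JSONObjectUtils would then be a different version than the JWK/JWT classes producing the maps it parses and serialises. Consider taking the version from the same place as the main dependency (a shared version property or catalog entry) and adding `// Must match the nimbus-jose-jwt version used by :x-pack:plugin:security` above the line so the coupling is explicit. The disabled-checks block at the end has the same documentation gap as the moved-utils-only file.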
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-NOTICE.txt new file mode 100644 index 0000000000000..cb9ad94f662a6 --- /dev/null +++ b/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-NOTICE.txt 
@@ -0,0 +1,14 @@ +Nimbus JOSE + JWT + +Copyright 2012 - 2018, Connect2id Ltd. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use +this file except in compliance with the License. You may obtain a copy of the +License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed +under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. See the License for the +specific language governing permissions and limitations under the License. From c5c82d89db4b743a82431a04c780fef5fed365d7 Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Tue, 13 Aug 2024 15:02:47 -0600 Subject: [PATCH 45/47] We have json serializiation at home --- .../xpack/security/authc/jwt/JwtUtil.java | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java index 928ecd7fa265d..b345178e205c3 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java @@ -11,7 +11,6 @@ import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.util.Base64URL; -import com.nimbusds.jose.util.JSONObjectUtils; import com.nimbusds.jwt.JWT; import com.nimbusds.jwt.SignedJWT; @@ -33,6 +32,7 @@ import org.apache.http.nio.reactor.ConnectingIOReactor; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.SpecialPermission; import org.elasticsearch.action.ActionListener; 
@@ -45,11 +45,14 @@ import org.elasticsearch.common.ssl.SslConfiguration; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.Environment; +import org.elasticsearch.xcontent.XContentBuilder; +import org.elasticsearch.xcontent.XContentFactory; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings; import org.elasticsearch.xpack.core.ssl.SSLService; +import java.io.IOException; import java.io.InputStream; import java.net.URI; import java.nio.charset.StandardCharsets; @@ -64,6 +67,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.List; +import java.util.Map; import java.util.Objects; import java.util.function.Supplier; @@ -237,7 +241,13 @@ public static String serializeJwkSet(final JWKSet jwkSet, final boolean publicKe if (jwkSet == null) { return null; } - return JSONObjectUtils.toJSONString(jwkSet.toJSONObject(publicKeysOnly)); + Map jwkJson = jwkSet.toJSONObject(publicKeysOnly); + try (XContentBuilder builder = XContentFactory.jsonBuilder()) { + builder.map(jwkJson); + return Strings.toString(builder); + } catch (IOException e) { + throw new ElasticsearchException(e); + } } public static String serializeJwkHmacOidc(final JWK key) { From a535fa05d5f34cdfb7e1326d6ad669fb463f87de Mon Sep 17 00:00:00 2001 From: Athena Brown Date: Thu, 15 Aug 2024 10:25:43 -0600 Subject: [PATCH 46/47] Adjust exception handling per review --- .../nimbusds/jose/util/JSONObjectUtils.java | 112 +++--------------- 1 file changed, 16 insertions(+), 96 deletions(-) diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java index ae063fbf80fa1..4ca3074c40f81 100644 
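Review bot: The rewritten body of serializeJwkSet still has no comment warning that, when `publicKeysOnly` is false, the returned string presumably carries the private JWK parameters, and the switch from nimbus's own `JSONObjectUtils.toJSONString` to `XContentBuilder` makes it easy to treat the result as ordinary diagnostic JSON; I would add `// When publicKeysOnly is false the output includes private key material — treat it as a secret and never log it.` above the `try`. The new serializer may also differ from the previous one in escaping or whitespace, so any caller that compares the string byte-for-byte rather than parsing it could break; a test asserting `JWKSet.parse(serializeJwkSet(set, false))` yields the original set, and that the `true` variant contains no `"d"` members, would pin the contract. The method's signature line is outside this hunk.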
--- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java @@ -30,12 +30,7 @@ public static Map parse(final String s) throws ParseException { (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parse(s) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -48,12 +43,7 @@ public static Map parse(final String s, final int sizeLimit) thr ) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -64,12 +54,7 @@ public static Map parseJSONObject(final String s) throws ParseEx (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parseJSONObject(s) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -79,12 +64,7 @@ public static boolean getBoolean(final Map o, final String key) (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBoolean(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } 
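Review bot: The unconditional `throw (ParseException) e.getException();` in parse() relies on two non-local facts and should say so, because a future reader will see an unchecked cast in a JWT parsing path and either re-add the removed instanceof chain or worry about a ClassCastException. The facts, as far as the visible code shows, are that `PrivilegedActionException` only wraps checked exceptions thrown by the action (unchecked ones leave `doPrivileged` unwrapped) and that the delegated `org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parse` is invoked from a lambda whose only checked exception is ParseException, so the cast is exhaustive. A one-line comment on the first occurrence would do: `// doPrivileged only wraps checked exceptions and the delegate declares just ParseException, so this cast cannot fail.` Since the identical catch block is repeated in every accessor of this file, a private `static ParseException unwrap(PrivilegedActionException e)` helper carrying that comment would also remove the duplication.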
@@ -94,12 +74,7 @@ public static int getInt(final Map o, final String key) throws P (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getInt(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -109,12 +84,7 @@ public static long getLong(final Map o, final String key) throws (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getLong(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -124,12 +94,7 @@ public static float getFloat(final Map o, final String key) thro (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getFloat(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -139,12 +104,7 @@ public static double getDouble(final Map o, final String key) th (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getDouble(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } 
@@ -154,12 +114,7 @@ public static String getString(final Map o, final String key) th (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getString(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -169,12 +124,7 @@ public static URI getURI(final Map o, final String key) throws P (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getURI(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -184,12 +134,7 @@ public static List getJSONArray(final Map o, final Strin (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getJSONArray(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -199,12 +144,7 @@ public static String[] getStringArray(final Map o, final String (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringArray(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } 
@@ -215,12 +155,7 @@ public static Map[] getJSONObjectArray(final Map .getJSONObjectArray(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -230,12 +165,7 @@ public static List getStringList(final Map o, final Stri (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringList(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -248,12 +178,7 @@ public static Map getJSONObject(final Map o, fin ) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } @@ -263,12 +188,7 @@ public static Base64URL getBase64URL(final Map o, final String k (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBase64URL(o, key) ); } catch (PrivilegedActionException e) { - if (e.getException() instanceof ParseException pe) { - throw pe; - } else if (e.getException() instanceof RuntimeException re) { - throw re; - } - throw new RuntimeException(e); + throw (ParseException) e.getException(); } } From 6b55a8bc490aa1156e99bfc3561e4615bf707a8f Mon Sep 17 00:00:00 2001 
From: Athena Brown Date: Thu, 15 Aug 2024 10:45:59 -0600 Subject: [PATCH 47/47] Rename directories + spotless --- x-pack/plugin/security/build.gradle | 6 +-- x-pack/plugin/security/lib/build.gradle | 13 ++++++ .../lib/nimbus-jose-jwt-fixed/build.gradle | 43 ------------------- .../build.gradle | 5 ++- .../licenses/nimbus-jose-jwt-LICENSE.txt | 0 .../licenses/nimbus-jose-jwt-NOTICE.txt | 0 .../build.gradle | 7 ++- .../lib/nimbus-jose-jwt-modified/build.gradle | 30 +++++++++++++ .../licenses/nimbus-jose-jwt-LICENSE.txt | 0 .../licenses/nimbus-jose-jwt-NOTICE.txt | 0 .../nimbusds/jose/util/JSONObjectUtils.java | 32 +++++++------- .../nimbusds/jose/util/JSONStringUtils.java | 0 .../plugin-metadata/plugin-security.policy | 2 +- 13 files changed, 69 insertions(+), 69 deletions(-) delete mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle rename x-pack/plugin/security/lib/{njj-remapped-intermediate => nimbus-jose-jwt-modified-part1}/build.gradle (86%) rename x-pack/plugin/security/lib/{nimbus-jose-jwt-fixed => nimbus-jose-jwt-modified-part1}/licenses/nimbus-jose-jwt-LICENSE.txt (100%) rename x-pack/plugin/security/lib/{nimbus-jose-jwt-fixed => nimbus-jose-jwt-modified-part1}/licenses/nimbus-jose-jwt-NOTICE.txt (100%) rename x-pack/plugin/security/lib/{njj-moved-utils-only => nimbus-jose-jwt-modified-part2}/build.gradle (59%) create mode 100644 x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle rename x-pack/plugin/security/lib/{njj-remapped-intermediate => nimbus-jose-jwt-modified}/licenses/nimbus-jose-jwt-LICENSE.txt (100%) rename x-pack/plugin/security/lib/{njj-remapped-intermediate => nimbus-jose-jwt-modified}/licenses/nimbus-jose-jwt-NOTICE.txt (100%) rename x-pack/plugin/security/lib/{nimbus-jose-jwt-fixed => nimbus-jose-jwt-modified}/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java (90%) rename x-pack/plugin/security/lib/{nimbus-jose-jwt-fixed => 
nimbus-jose-jwt-modified}/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java (100%) diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index 9d6036a61c05d..d3697eade8b24 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -80,13 +80,13 @@ dependencies { // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.10.1" - api project(path: xpackModule('security:lib:nimbus-jose-jwt-fixed'), configuration: 'shadow') + api project(path: xpackModule('security:lib:nimbus-jose-jwt-modified'), configuration: 'shadow') if (isEclipse) { /* - * Eclipse can't pick up the shadow dependency so we point it at *something* + * Eclipse can't pick up the shadow dependency so we point it at the unmodified version of the library * so it can compile things. */ - api project(xpackModule('security:lib:nimbus-jose-jwt-fixed')) + api "com.nimbusds:nimbus-jose-jwt:9.37.3" } api "com.nimbusds:lang-tag:1.4.4" api "com.sun.mail:jakarta.mail:1.6.3" diff --git a/x-pack/plugin/security/lib/build.gradle b/x-pack/plugin/security/lib/build.gradle index e69de29bb2d1d..7bc94f348e781 100644 --- a/x-pack/plugin/security/lib/build.gradle +++ b/x-pack/plugin/security/lib/build.gradle 
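Review bot: The Eclipse fallback `api "com.nimbusds:nimbus-jose-jwt:9.37.3"` pins the library version by literal string for a third time in this series (the part1 and modified lib builds visible below pin the same string), so the three copies can drift silently. That matters more than usual here because the wrapper sources in `com.nimbusds.jose.util` replace upstream classes whose signatures are version-specific; a mismatch would compile the plugin against one API in the IDE and run it against another in the shadow jar. Consider a single definition, such as an `ext` property in the parent `lib/build.gradle` or a version-catalog entry, referenced from all three places. The `dependencies {` block this hunk edits starts outside the hunk.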
@@ -0,0 +1,13 @@ +// This build deserves an explanation. Nimbus-jose-jwt uses gson internally, which is unfriendly +// to our usage of the security manager, to a degree that it makes the library extremely difficult +// to work with safely. The purpose of this build is to create a version of nimbus-jose-jwt with +// a couple classes replaced with wrappers which work with the security manager, the source files +// in this directory. + +// Because we want to include the original class files so that we can reference them without +// modification, there are a couple intermediate steps: +// nimbus-jose-jwt-modified-part1: Create a version of the JAR in which the relevant class files are moved to a different package. +// This is not immediately usable as this process rewrites the rest of the JAR to "correctly" reference the new classes. So, we need to... +// nimbus-jose-jwt-modified-part2: Create a JAR from the result of part 1 which contains *only* the relevant class files by removing everything else. +// nimbus-jose-jwt-modified: Use the result of part 2 here, combined with the original library, so that we can use our +// replacement classes which wrap the original class files. diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle deleted file mode 100644 index 56b0e864447e0..0000000000000 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/build.gradle +++ /dev/null 
@@ -1,43 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -apply plugin: 'elasticsearch.build' -apply plugin: 'com.github.johnrengelman.shadow' - -// This build deserves an explanation. Nimbus-jose-jwt uses gson internally, which is unfriendly -// to our usage of the security manager, to a degree that it makes the library extremely difficult -// to work with safely. The purpose of this build is to create a version of nimbus-jose-jwt with -// a couple classes replaced with wrappers which work with the security manager, the source files -// in this directory. - -// Because we want to include the original class files so that we can reference them without -// modification, there are a couple intermediate steps: -// 1) Create a version of the JAR in which the relevant class files are moved to a different package. -// This is not immediately usable as this process rewrites the rest of the JAR to "correctly" -// reference the new classes. So, we need to... -// 2) Create a JAR from the result of step 1 which contains *only* the relevant class files. -// 3) Use the result of step 2 here, combined with the original library, so that we can use our -// replacement classes which wrap the original class files. 
- -dependencies { - implementation "com.nimbusds:nimbus-jose-jwt:9.37.3" - implementation project(path: xpackModule('security:lib:njj-moved-utils-only'), configuration: 'shadow') -} - -tasks.named('shadowJar').configure { - manifest { - // The original library uses this and it gets stripped by shadowJar - attributes 'Automatic-Module-Name': 'com.nimbusds.jose.jwt' - } -} - -['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each { - tasks.named(it).configure { - enabled = false - } -} diff --git a/x-pack/plugin/security/lib/njj-remapped-intermediate/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle similarity index 86% rename from x-pack/plugin/security/lib/njj-remapped-intermediate/build.gradle rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle index 1dd0725e736fc..f751fcd0a655d 100644 --- a/x-pack/plugin/security/lib/njj-remapped-intermediate/build.gradle +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle @@ -8,14 +8,15 @@ apply plugin: 'elasticsearch.build' apply plugin: 'com.github.johnrengelman.shadow' +// See the build.gradle file in the parent directory for an explanation of this unusual build + dependencies { implementation "com.nimbusds:nimbus-jose-jwt:9.37.3" } tasks.named('shadowJar').configure { // Attempting to exclude all of the classes we *don't* move here ought to be possible per the - // shadowJar docs, but actually attempting to do so results in an empty JAR. So we'll do that as a - // separate step (see njj-moved-utils-only) + // shadowJar docs, but actually attempting to do so results in an empty JAR. May be a bug in the shadowJar plugin. relocate 'com.nimbusds.jose.util.JSONObjectUtils', 'org.elasticsearch.nimbus.jose.util.JSONObjectUtils' relocate 'com.nimbusds.jose.util.JSONStringUtils', 'org.elasticsearch.nimbus.jose.util.JSONStringUtils' } 
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-LICENSE.txt similarity index 100% rename from x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-LICENSE.txt rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-LICENSE.txt diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-NOTICE.txt similarity index 100% rename from x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/licenses/nimbus-jose-jwt-NOTICE.txt rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-NOTICE.txt diff --git a/x-pack/plugin/security/lib/njj-moved-utils-only/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part2/build.gradle similarity index 59% rename from x-pack/plugin/security/lib/njj-moved-utils-only/build.gradle rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part2/build.gradle index 598f5cbde1da7..c4c0f2ebd2fe1 100644 --- a/x-pack/plugin/security/lib/njj-moved-utils-only/build.gradle +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part2/build.gradle 
@@ -8,15 +8,14 @@ apply plugin: 'elasticsearch.build' apply plugin: 'com.github.johnrengelman.shadow' -// The previous build step produced an artifact in which the classes we care about have been -// relocated to an org.elasticsearch package. However, the entire JAR has been updated to account -// for this, and we want *only* the moved classes. So we drop everything in the original namespace. +// See the build.gradle file in the parent directory for an explanation of this unusual build dependencies { - implementation project(path: xpackModule('security:lib:njj-remapped-intermediate'), configuration: 'shadow') + implementation project(path: xpackModule('security:lib:nimbus-jose-jwt-modified-part1'), configuration: 'shadow') } tasks.named('shadowJar').configure { + // Drop everything in the original namespace, as the classes we want to modify have already been moved to another package by part 1 exclude 'com/nimbusds/' } diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle new file mode 100644 index 0000000000000..3438c067d8ab5 --- /dev/null +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle 
@@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +apply plugin: 'elasticsearch.build' +apply plugin: 'com.github.johnrengelman.shadow' + +// See the build.gradle file in the parent directory for an explanation of this unusual build + +dependencies { + implementation "com.nimbusds:nimbus-jose-jwt:9.37.3" + implementation project(path: xpackModule('security:lib:nimbus-jose-jwt-modified-part2'), configuration: 'shadow') +} + +tasks.named('shadowJar').configure { + manifest { + // The original library uses this and it gets stripped by shadowJar + attributes 'Automatic-Module-Name': 'com.nimbusds.jose.jwt' + } +} + +['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each { + tasks.named(it).configure { + enabled = false + } +} diff --git a/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-LICENSE.txt similarity index 100% rename from x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-LICENSE.txt rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-LICENSE.txt diff --git a/x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-NOTICE.txt similarity index 100% rename from x-pack/plugin/security/lib/njj-remapped-intermediate/licenses/nimbus-jose-jwt-NOTICE.txt rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-NOTICE.txt 
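Review bot: Disabling `jarHell` on nimbus-jose-jwt-modified, the artifact the security plugin actually ships, removes the only check that would have noticed the deliberate class duplication this build depends on: the local `com.nimbusds.jose.util.JSONObjectUtils` and `JSONStringUtils` sources and the same-named classes inside `nimbus-jose-jwt:9.37.3` are both inputs to shadowJar, and which copy ends up in the jar is decided by the shadow plugin's merge behaviour rather than by anything this build asserts. A comment next to the disable list should record that, e.g. `// jarHell is off deliberately: the sources here intentionally duplicate upstream class names and shadowJar must keep the local copies; re-verify on every library upgrade.` A test that exercises one wrapper, for instance by checking that `JSONObjectUtils.parse` works with the security manager permissions granted in plugin-security.policy, would turn that assumption into something the build enforces; disabling `thirdPartyAudit` likewise means the bundled classes get no forbidden-API review unless that still happens elsewhere, which I cannot tell from here.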
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java similarity index 90% rename from x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java index 4ca3074c40f81..1ea11f5c280ef 100644 --- a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java @@ -30,7 +30,7 @@ public static Map parse(final String s) throws ParseException { (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parse(s) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -43,7 +43,7 @@ public static Map parse(final String s, final int sizeLimit) thr ) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -54,7 +54,7 @@ public static Map parseJSONObject(final String s) throws ParseEx (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parseJSONObject(s) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -64,7 +64,7 @@ public static boolean getBoolean(final Map o, final String key) (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBoolean(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } 
@@ -74,7 +74,7 @@ public static int getInt(final Map o, final String key) throws P (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getInt(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -84,7 +84,7 @@ public static long getLong(final Map o, final String key) throws (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getLong(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -94,7 +94,7 @@ public static float getFloat(final Map o, final String key) thro (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getFloat(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -104,7 +104,7 @@ public static double getDouble(final Map o, final String key) th (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getDouble(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -114,7 +114,7 @@ public static String getString(final Map o, final String key) th (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getString(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -124,7 +124,7 @@ public static URI getURI(final Map o, final String key) throws P (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getURI(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } 
@@ -134,7 +134,7 @@ public static List getJSONArray(final Map o, final Strin (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getJSONArray(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -144,7 +144,7 @@ public static String[] getStringArray(final Map o, final String (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringArray(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -155,7 +155,7 @@ public static Map[] getJSONObjectArray(final Map .getJSONObjectArray(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -165,7 +165,7 @@ public static List getStringList(final Map o, final Stri (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringList(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -178,7 +178,7 @@ public static Map getJSONObject(final Map o, fin ) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } @@ -188,7 +188,7 @@ public static Base64URL getBase64URL(final Map o, final String k (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBase64URL(o, key) ); } catch (PrivilegedActionException e) { - throw (ParseException) e.getException(); + throw (ParseException) e.getException(); } } 
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java similarity index 100% rename from x-pack/plugin/security/lib/nimbus-jose-jwt-fixed/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index 7f760598edb10..b3d5e80e09dcd 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -52,7 +52,7 @@ grant codeBase "${codebase.netty-transport}" { permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write"; }; -grant codeBase "${codebase.nimbus-jose-jwt-fixed}" { +grant codeBase "${codebase.nimbus-jose-jwt-modified}" { // for JSON serialization based on a shaded GSON dependency permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks";