Ensure that gcs client creation is privileged (elastic#25938)

This is related to elastic#25932. Currently when we create the `GoogleCloudStorageService` client we do not wrap that call in a doPrivileged block. The call might open a connection. This commit ensures that the creation is wrapped in a doPrivileged block.
stlava · Jul 28, 2017 · 71f58e6 · 71f58e6
1 parent c1ee65f
commit 71f58e6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/...ry-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageRepository.java b/...ry-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageRepository.java
@@ -112,7 +112,10 @@ class GoogleCloudStorageRepository extends BlobStoreRepository {
         logger.debug("using bucket [{}], base_path [{}], chunk_size [{}], compress [{}], application [{}]",
                 bucket, basePath, chunkSize, compress, application);
 
-        Storage client = storageService.createClient(clientName, application, connectTimeout, readTimeout);
+        TimeValue finalConnectTimeout = connectTimeout;
+        TimeValue finalReadTimeout = readTimeout;
+        Storage client = SocketAccess.doPrivilegedIOException(() ->
+            storageService.createClient(clientName, application, finalConnectTimeout, finalReadTimeout));
         this.blobStore = new GoogleCloudStorageBlobStore(settings, bucket, client);
     }
 

diff --git a/...t/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageBlobStoreRepositoryTests.java b/...t/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageBlobStoreRepositoryTests.java
@@ -30,6 +30,8 @@
 import org.elasticsearch.repositories.blobstore.ESBlobStoreRepositoryIntegTestCase;
 import org.junit.BeforeClass;
 
+import java.net.SocketPermission;
+import java.security.AccessController;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.concurrent.atomic.AtomicReference;
@@ -80,6 +82,8 @@ public static class MockGoogleCloudStorageService implements GoogleCloudStorageS
         @Override
         public Storage createClient(String accountName, String application,
                                     TimeValue connectTimeout, TimeValue readTimeout) throws Exception {
+            // The actual impl might open a connection. So check we have permission when this call is made.
+            AccessController.checkPermission(new SocketPermission("*", "connect"));
             return storage.get();
         }
     }