dsmiley commented on code in PR #4471:
URL: https://github.com/apache/solr/pull/4471#discussion_r3328104209
##########
solr/solr-ref-guide/modules/configuration-guide/pages/solr-properties.adoc:
##########
@@ -92,6 +92,12 @@ NOTE: Properties marked with "!" indicate inverted meaning
between pre Solr 10 a
|solr.responses.stacktrace.enabled|!solr.hideStackTrace|false|Controls whether
stack traces are included in responses. When set to `true`, stack traces are
included in responses.
+|solr.security.agent.extra.policy||`${server.dir}/etc/agent-security-extra.policy`|Path
to the operator extension policy file for the Solr security agent. Overrides
the default location. An absent file is silently skipped.
+
+|solr.security.agent.mode||`warn`|Enforcement mode for the Solr security
agent: `warn` (log violations, continue) or `enforce` (log violations, block
the operation with `SecurityException`).
+
+|solr.security.agent.skip||`false`|If set to `true`, omits the `-javaagent:`
flag from the JVM command line, disabling all Solr security agent controls.
Intended for temporary troubleshooting only.
Review Comment:
I assume these can't be set via env vars because these are pre-EnvUtils?
##########
solr/core/src/java/org/apache/solr/core/CoreContainer.java:
##########
Review Comment:
IMO `org.apache.solr.servlet.CoreContainerProvider#init` is a more suitable
place. CoreContainer can be used for embedding and lighter-weight tests that
shouldn't have to deal with initialization of this nature.
##########
solr/agent-sm/src/java/org/apache/solr/security/agent/ApprovedCallSite.java:
##########
@@ -0,0 +1,96 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.security.agent;
+
+import java.util.List;
+
+/**
+ * A policy entry approving a class (or code source) to perform a restricted
operation.
+ *
+ * <p>Class-name matching ({@link #codeBase()} is {@code null}): {@code "*"}
matches any class; a
+ * pattern ending in {@code ".*"} matches that package and sub-packages;
otherwise exact match.
+ * codeBase matching: the calling class must have been loaded from a location
matching the JDK
+ * policy {@code codeBase} URL ({@code file:/path/-} recursive, {@code
file:/path/to.jar} exact).
+ */
+public final class ApprovedCallSite {
Review Comment:
not a record?
Please audit these classes for record suitability. Tip: IntelliJ will do
the conversion for you and may even suggest it.
##########
solr/agent-sm/src/java/org/apache/solr/security/agent/PermittedPath.java:
##########
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.security.agent;
+
+import java.nio.file.Path;
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+/**
+ * A single file-system access rule from the security policy.
+ *
+ * <p>Rules are loaded at startup and are immutable thereafter. A rule grants
access to a path (and
+ * optionally all descendants) for the set of operations encoded in the {@code
actions} string
+ * ({@code "read"}, {@code "write"}, {@code "delete"}, or any comma-separated
combination).
+ */
+public final class PermittedPath {
Review Comment:
not a record?
##########
solr/docker/build.gradle:
##########
Review Comment:
I suppose we could configure the Docker process to use certain ownership but
ultimately it's probably pointless if the only ultimate effect is gradle
needing to know it must run the task each time.
##########
solr/agent-sm/src/java/org/apache/solr/security/agent/SolrAgentEntryPoint.java:
##########
@@ -0,0 +1,183 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.security.agent;
+
+import java.lang.instrument.Instrumentation;
+import java.net.Socket;
+import java.nio.channels.FileChannel;
+import java.nio.channels.SocketChannel;
+import java.nio.file.Path;
+import java.nio.file.spi.FileSystemProvider;
+import net.bytebuddy.ByteBuddy;
+import net.bytebuddy.agent.builder.AgentBuilder;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.implementation.Implementation;
+import net.bytebuddy.matcher.ElementMatchers;
+
+/**
+ * Java agent entry point. Invoked by the JVM before the application main
class when the agent JAR
+ * is specified via {@code -javaagent:}. Loads the policy, initializes {@link
AgentPolicy}, and
+ * installs ByteBuddy interceptors. The agent JAR is on {@code
Boot-Class-Path} so interceptor
+ * classes are visible to the bootstrap classloader; SLF4J is excluded from
the fat JAR to avoid
+ * poisoning the binding before Log4j2 initializes.
Review Comment:
I keep seeing this repeated; I don't think you need to say anything and not
here. Just maybe the build.gradle loudly in the dependency list "// DO NOT
DEPEND ON SLF4J OR OTHER LOGGING JARS" is fine to prevent future fools from
doing so.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
