opensearch-project · cwperks · Apr 10, 2025 · Apr 9, 2025 · Apr 9, 2025 · Apr 10, 2025
@@ -78,6 +78,7 @@ grant {
   //Enable this permission to debug unauthorized de-serialization attempt
   //permission java.io.SerializablePermission "enableSubstitution";
 
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
 
 grant codeBase "${codebase.netty-common}" {

@@ -23,6 +23,7 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.SecureAuxTransportSettingsProvider;
 import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.plugins.SecureSettingsFactory;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
@@ -185,4 +186,9 @@ public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpSe
             }
         });
     }
+
+    @Override
+    public Optional<SecureAuxTransportSettingsProvider> getSecureAuxTransportSettingsProvider(Settings settings) {
+        return Optional.empty();
+    }
 }
@@ -33,23 +33,14 @@
     public void createDemoCertificates() {
         for (Certificates cert : Certificates.values()) {
             String filePath = this.installer.OPENSEARCH_CONF_DIR + File.separator + cert.getFileName();
-            writeCertificateToFile(filePath, cert.getContent());
-        }
-    }
-
-    /**
-     * Helper method to write the certificates to their own file
-     * @param filePath the file which needs to be written
-     * @param content the content which needs to be written to this file
-     */
-    static void writeCertificateToFile(String filePath, String content) {
-        try {
-            FileWriter fileWriter = new FileWriter(filePath, StandardCharsets.UTF_8);
-            fileWriter.write(content);
-            fileWriter.close();
-        } catch (IOException e) {
-            System.err.println("Error writing certificate file: " + filePath);
-            System.exit(-1);
+            try {
+                FileWriter fileWriter = new FileWriter(filePath, StandardCharsets.UTF_8);
+                fileWriter.write(cert.getContent());
+                fileWriter.close();
+            } catch (IOException e) {
+                System.err.println("Error writing certificate file: " + filePath);
+                installer.getExitHandler().exit(-1);
+            }
         }
     }
 }
@@ -0,0 +1,22 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.tools.democonfig;
+
+/**
+ * Default ExitHandler implementation that calls System.exit.
+ */
+public final class DefaultExitHandler implements ExitHandler {
+    @Override
+    public void exit(int status) {
+        System.exit(status);
+    }
+}
@@ -0,0 +1,19 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.tools.democonfig;
+
+/**
+ * An interface to handle exit behavior.
+ */
+public interface ExitHandler {
+    void exit(int status);
+}
@@ -11,6 +11,7 @@
 
 package org.opensearch.security.tools.democonfig;
 
+// CS-SUPPRESS-SINGLE: RegexpSingleline Extension is used to refer to file extensions, keeping this rule disable for the whole file
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileReader;
@@ -40,7 +41,6 @@
     private static Installer instance;
 
     private static SecuritySettingsConfigurer securitySettingsConfigurer;
-
     private static CertificateGenerator certificateGenerator;
 
     boolean assumeyes = false;
@@ -71,19 +71,37 @@
     // To print help information for this script
     private final HelpFormatter formatter = new HelpFormatter();
 
+    private ExitHandler exitHandler;
+
     /**
      * We do not want this class to be instantiated more than once,
-     * as we are following Singleton Factory pattern
+     * as we are following the Singleton pattern.
      */
     private Installer() {
         this.OS = System.getProperty("os.name") + " " + System.getProperty("os.version") + " " + System.getProperty("os.arch");
         FILE_EXTENSION = OS.toLowerCase().contains("win") ? ".bat" : ".sh";
         options = new Options();
+        // Use the default exit handler (simply calls System.exit)
+        this.exitHandler = new DefaultExitHandler();
+    }
+
+    /**
+     * Allows dependency injection of an ExitHandler.
+     */
+    public void setExitHandler(ExitHandler exitHandler) {
+        this.exitHandler = exitHandler;
     }
 
     /**
-     * Returns a singleton instance of this class
-     * @return an existing instance OR a new instance if there was no existing instance
+     * Returns current exit handler
+     */
+    public ExitHandler getExitHandler() {
+        return this.exitHandler;
+    }
+
+    /**
+     * Returns a singleton instance of this class.
+     * @return an existing instance OR a new instance if there was no existing instance.
      */
     public static Installer getInstance() {
         if (instance == null) {
@@ -95,8 +113,8 @@
     }
 
     /**
-     * Installs the demo security configuration
-     * @param options the options passed to the script
+     * Installs the demo security configuration.
+     * @param options the options passed to the script.
      */
     public void installDemoConfiguration(String[] options) throws IOException {
         readOptions(options);
@@ -116,7 +134,7 @@
     }
 
     /**
-     * Builds options supported by this tool
+     * Builds options supported by this tool.
      */
     void buildOptions() {
         options.addOption("h", "show-help", false, "Shows help for this tool.");
@@ -148,16 +166,16 @@
     }
 
     /**
-     * Prints headers that indicate the start of script execution
+     * Prints headers that indicate the start of script execution.
      */
     static void printScriptHeaders() {
         System.out.println("### OpenSearch Security Demo Installer");
         System.out.println("### ** Warning: Do not use on production or public reachable systems **");
     }
 
     /**
-     * Reads the options passed to the script
-     * @param args an array of strings containing options passed to the script
+     * Reads the options passed to the script.
+     * @param args an array of strings containing options passed to the script.
      */
     void readOptions(String[] args) {
         // set script execution dir
@@ -179,28 +197,28 @@
 
         } catch (ParseException exp) {
             System.out.println("ERR: Parsing failed.  Reason: " + exp.getMessage());
-            System.exit(-1);
+            exitHandler.exit(-1);
         }
     }
 
     /**
-     * Prints the help menu when -h option is passed
+     * Prints the help menu when -h option is passed.
      */
     void showHelp() {
         formatter.printHelp("install_demo_configuration" + FILE_EXTENSION, options, true);
-        System.exit(0);
+        exitHandler.exit(0);
     }
 
     /**
-     * Prompt the user and collect user inputs
-     * Input collection will be skipped if -y option was passed
+     * Prompt the user and collect user inputs.
+     * Input collection will be skipped if -y option was passed.
      */
     void gatherUserInputs() {
         if (!assumeyes) {
             try (Scanner scanner = new Scanner(System.in, StandardCharsets.UTF_8)) {
 
                 if (!confirmAction(scanner, "Install demo certificates?")) {
-                    System.exit(0);
+                    exitHandler.exit(0);
                 }
 
                 if (!initsecurity) {
@@ -218,9 +236,9 @@
 
     /**
      * Helper method to scan user inputs.
-     * @param scanner object to be used for scanning user input
-     * @param message prompt question
-     * @return true or false based on user input
+     * @param scanner object to be used for scanning user input.
+     * @param message prompt question.
+     * @return true or false based on user input.
      */
     boolean confirmAction(Scanner scanner, String message) {
         System.out.print(message + " [y/N] ");
@@ -229,7 +247,7 @@
     }
 
     /**
-     * Initialize all class level variables required
+     * Initialize all class level variables required.
      */
     void initializeVariables() {
         setBaseDir();
@@ -238,22 +256,22 @@
     }
 
     /**
-     * Sets the base directory to be used by the script
+     * Sets the base directory to be used by the script.
      */
     void setBaseDir() {
         File baseDirFile = new File(SCRIPT_DIR).getParentFile().getParentFile().getParentFile();
         BASE_DIR = baseDirFile != null ? baseDirFile.getAbsolutePath() : null;
 
         if (BASE_DIR == null || !new File(BASE_DIR).isDirectory()) {
             System.out.println("DEBUG: basedir does not exist");
-            System.exit(-1);
+            exitHandler.exit(-1);
         }
 
         BASE_DIR += File.separator;
     }
 
     /**
-     * Sets the variables for items at OpenSearch level
+     * Sets the variables for items at OpenSearch level.
      */
     void setOpenSearchVariables() {
         OPENSEARCH_CONF_FILE = BASE_DIR + "config" + File.separator + "opensearch.yml";
@@ -266,17 +284,17 @@
 
         if (!errorMessages.isEmpty()) {
             errorMessages.forEach(System.out::println);
-            System.exit(-1);
+            exitHandler.exit(-1);
         }
 
         OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_FILE).getParent();
         OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_DIR).getAbsolutePath() + File.separator;
     }
 
     /**
-     * Helper method
-     * Returns a set of error messages for the paths that didn't contain files/directories
-     * @return a set containing error messages if any, empty otherwise
+     * Helper method.
+     * Returns a set of error messages for the paths that didn't contain files/directories.
+     * @return a set containing error messages if any, empty otherwise.
      */
     private Set<String> validatePaths() {
         Set<String> errorMessages = new HashSet<>();
@@ -299,8 +317,8 @@
     }
 
     /**
-     * Returns the installation type based on the underlying operating system
-     * @return will be one of `.zip`, `.tar.gz` or `rpm/deb`
+     * Returns the installation type based on the underlying operating system.
+     * @return will be one of `.zip`, `.tar.gz` or `rpm/deb`.
      */
     String determineInstallType() {
         // windows (.bat execution)
@@ -320,12 +338,12 @@
     }
 
     /**
-     * Sets the path variables for items at OpenSearch security plugin level
+     * Sets the path variables for items at OpenSearch security plugin level.
      */
     void setSecurityVariables() {
         if (!(new File(OPENSEARCH_PLUGINS_DIR + "opensearch-security").exists())) {
             System.out.println("OpenSearch Security plugin not installed. Quit.");
-            System.exit(-1);
+            exitHandler.exit(-1);
         }
 
         // Extract OpenSearch version and Security version
@@ -349,7 +367,7 @@
     }
 
     /**
-     * Prints the initialized variables
+     * Prints the initialized variables.
      */
     void printVariables() {
         System.out.println("OpenSearch install type: " + OPENSEARCH_INSTALL_TYPE + " on " + OS);
@@ -439,9 +457,11 @@
 
     /**
      * FOR TESTS ONLY
-     * resets the installer state to allow testing with fresh instance for the next test.
+     * Resets the installer state to allow testing with a fresh instance for the next test.
      */
     static void resetInstance() {
         instance = null;
     }
+
 }
+// CS-ENFORCE-SINGLE