[Code] Add Java security manager options for Java langserver (#45862)

* [Code] Add Java security manager options for Java langserver * [Code] Fix typo * Fix some minor issues * Adapt to new platform
2025-04-24 17:59:23 -04:00 · 2019-10-14 21:25:07 +08:00 · 2019-10-14 21:25:07 +08:00 · ce67c5b30e
commit ce67c5b30e
parent 48b41cebb1
5 changed files with 23 additions and 2 deletions
--- a/docs/settings/code-settings.asciidoc
+++ b/docs/settings/code-settings.asciidoc
@ -35,6 +35,12 @@ Whitelist of protocols for git clone address. Defaults to `[ 'https', 'git', 'ss
 `xpack.code.security.enableGitCertCheck`::
 Whether enable HTTPS certificate check when clone from HTTPS URL.

+`xpack.code.security.enableJavaSecurityManager`::
+Whether enable Java security manager for Java langserver. Defaults to `true`.
+
+`xpack.code.security.extraJavaRepositoryWhitelist`::
+Whitelist of extra repository to download dependencies for Java language. Defaults to `[]`.
+
 `xpack.code.maxWorkspace`::
 Maximal number of workspaces each language server allows to span. Defaults to `5`.

--- a/x-pack/legacy/plugins/code/server/lsp/java_launcher.ts
+++ b/x-pack/legacy/plugins/code/server/lsp/java_launcher.ts
@ -23,7 +23,6 @@ const JAVA_LANG_DETACH_PORT = 2090;
 export class JavaLauncher extends AbstractLauncher {
  private needModuleArguments: boolean = true;
  private readonly gradleHomeFolder = '.gradle';
-  private readonly mavenSettingsFile = path.resolve('settings', 'settings.xml');
  constructor(
    readonly targetHost: string,
    readonly options: ServerOptions,
@ -51,7 +50,7 @@ export class JavaLauncher extends AbstractLauncher {
            ),
            'java.configuration.maven.userSettings': path.resolve(
              this.installationPath,
-              this.mavenSettingsFile
+              'settings/settings.xml'
            ),
          },
        },
@ -167,6 +166,13 @@ export class JavaLauncher extends AbstractLauncher {
      this.options.jdtWorkspacePath,
    ];

+    if (this.options.security.enableJavaSecurityManager) {
+      params.unshift(
+        '-Dorg.osgi.framework.security=osgi',
+        `-Djava.security.policy=${path.resolve(this.installationPath, 'all.policy')}`
+      );
+    }
+
    if (this.needModuleArguments) {
      params.push(
        '--add-modules=ALL-SYSTEM',
@ -191,6 +197,7 @@ export class JavaLauncher extends AbstractLauncher {
        CLIENT_HOST: '127.0.0.1',
        CLIENT_PORT: port.toString(),
        JAVA_HOME: javaHomePath,
+        EXTRA_WHITELIST_HOST: this.options.security.extraJavaRepositoryWhitelist.join(','),
      },
    });
    p.stdout.on('data', data => {
--- a/x-pack/legacy/plugins/code/server/server_options.ts
+++ b/x-pack/legacy/plugins/code/server/server_options.ts
@ -21,6 +21,9 @@ export interface SecurityOptions {
  installNodeDependency: boolean;
  gitHostWhitelist: string[];
  gitProtocolWhitelist: string[];
+  enableGitCertCheck: boolean;
+  enableJavaSecurityManager: boolean;
+  extraJavaRepositoryWhitelist: string[];
 }

 export interface DiskOptions {
--- a/x-pack/legacy/plugins/code/server/test_utils.ts
+++ b/x-pack/legacy/plugins/code/server/test_utils.ts
@ -79,6 +79,7 @@ const TEST_OPTIONS = {
    installNodeDependency: true,
    enableGitCertCheck: true,
    gitProtocolWhitelist: ['ssh', 'https', 'git'],
+    enableJavaSecurityManager: true,
  },
  disk: {
    thresholdEnabled: true,
--- a/x-pack/plugins/code/server/config.ts
+++ b/x-pack/plugins/code/server/config.ts
@ -85,6 +85,10 @@ const createCodeConfigSchema = () => {
        defaultValue: ['https', 'git', 'ssh'],
      }),
      enableGitCertCheck: schema.boolean({ defaultValue: true }),
+      enableJavaSecurityManager: schema.boolean({ defaultValue: true }),
+      extraJavaRepositoryWhitelist: schema.arrayOf(schema.string(), {
+        defaultValue: [],
+      }),
    }),
    disk: schema.object({
      thresholdEnabled: schema.boolean({ defaultValue: true }),