
Upgrade to aws 1.10.33

The security issues have been fixed upstream in the AWS SDK. This removes our hacks.
Robert Muir 10 years ago
parent
commit
914cee213e
19 changed files with 17 additions and 129 deletions
  1. 0 28
      core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java
  2. 1 1
      plugins/discovery-ec2/build.gradle
  3. 0 1
      plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.19.jar.sha1
  4. 1 0
      plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.33.jar.sha1
  5. 0 1
      plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.19.jar.sha1
  6. 1 0
      plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.33.jar.sha1
  7. 0 24
      plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java
  8. 0 23
      plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy
  9. 5 0
      plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AmazonEC2Mock.java
  10. 1 1
      plugins/repository-s3/build.gradle
  11. 0 1
      plugins/repository-s3/licenses/aws-java-sdk-core-1.10.19.jar.sha1
  12. 1 0
      plugins/repository-s3/licenses/aws-java-sdk-core-1.10.33.jar.sha1
  13. 0 1
      plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.19.jar.sha1
  14. 1 0
      plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.33.jar.sha1
  15. 0 1
      plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.19.jar.sha1
  16. 1 0
      plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.33.jar.sha1
  17. 0 24
      plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java
  18. 0 23
      plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy
  19. 5 0
      plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/AmazonS3Wrapper.java

+ 0 - 28
core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java

@@ -74,18 +74,6 @@ final class ESPolicy extends Policy {
             }
         }
 
-        // Special handling for broken AWS code which destroys all SSL security
-        // REMOVE THIS when https://github.com/aws/aws-sdk-java/pull/432 is fixed
-        if (permission instanceof RuntimePermission && "accessClassInPackage.sun.security.ssl".equals(permission.getName())) {
-            for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
-                if ("com.amazonaws.http.conn.ssl.SdkTLSSocketFactory".equals(element.getClassName()) &&
-                      "verifyMasterSecret".equals(element.getMethodName())) {
-                    // we found the horrible method: the hack begins!
-                    // force the aws code to back down, by throwing an exception that it catches.
-                    rethrow(new IllegalAccessException("no amazon, you cannot do this."));
-                }
-            }
-        }
         // otherwise defer to template + dynamic file permissions
         return template.implies(domain, permission) || dynamic.implies(permission);
     }
@@ -104,20 +92,4 @@ final class ESPolicy extends Policy {
         // return UNSUPPORTED_EMPTY_COLLECTION since it is safe.
         return super.getPermissions(codesource);
     }
-
-    /**
-     * Classy puzzler to rethrow any checked exception as an unchecked one.
-     */
-    private static class Rethrower<T extends Throwable> {
-        private void rethrow(Throwable t) throws T {
-            throw (T) t;
-        }
-    }
-
-    /**
-     * Rethrows <code>t</code> (identical object).
-     */
-    private void rethrow(Throwable t) {
-        new Rethrower<Error>().rethrow(t);
-    }
 }

+ 1 - 1
plugins/discovery-ec2/build.gradle

@@ -23,7 +23,7 @@ esplugin {
 }
 
 versions << [
-  'aws': '1.10.19'
+  'aws': '1.10.33'
 ]
 
 dependencies {

+ 0 - 1
plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.19.jar.sha1

@@ -1 +0,0 @@
-b53f650323b7242dcced25b679f3e9aa4b494da5

+ 1 - 0
plugins/discovery-ec2/licenses/aws-java-sdk-core-1.10.33.jar.sha1

@@ -0,0 +1 @@
+fabedbbe2b834b1add150b6a38395c5ef7380168

+ 0 - 1
plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.19.jar.sha1

@@ -1 +0,0 @@
-50ba7eb31719be1260bdae51cf69340df2d91ec4

+ 1 - 0
plugins/discovery-ec2/licenses/aws-java-sdk-ec2-1.10.33.jar.sha1

@@ -0,0 +1 @@
+202f6b5dbc196e355d50c131b0fd34969bfd89e6

+ 0 - 24
plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java

@@ -19,7 +19,6 @@
 
 package org.elasticsearch.plugin.discovery.ec2;
 
-import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl;
 import org.elasticsearch.cloud.aws.Ec2Module;
 import org.elasticsearch.common.component.LifecycleComponent;
@@ -32,8 +31,6 @@ import org.elasticsearch.discovery.ec2.AwsEc2UnicastHostsProvider;
 import org.elasticsearch.discovery.ec2.Ec2Discovery;
 import org.elasticsearch.plugins.Plugin;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 
@@ -41,27 +38,6 @@ import java.util.Collection;
  *
  */
 public class Ec2DiscoveryPlugin extends Plugin {
-    
-    static {
-        // This internal config is deserialized but with wrong access modifiers,
-        // cannot work without suppressAccessChecks permission right now. We force
-        // a one time load with elevated privileges as a workaround.
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(new SpecialPermission());
-        }
-        AccessController.doPrivileged(new PrivilegedAction<Void>() {
-            @Override
-            public Void run() {
-                try {
-                    Class.forName("com.amazonaws.internal.config.InternalConfig$Factory");
-                } catch (ClassNotFoundException e) {
-                    throw new RuntimeException("Unable to initialize internal aws config", e);
-                }
-                return null;
-            }
-        });
-    }
 
     private final Settings settings;
     protected final ESLogger logger = Loggers.getLogger(Ec2DiscoveryPlugin.class);

+ 0 - 23
plugins/discovery-ec2/src/main/plugin-metadata/plugin-security.policy

@@ -1,23 +0,0 @@
-/*
- * Licensed to Elasticsearch under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-grant {
-  // needed because of problems in aws-sdk
-  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-};

+ 5 - 0
plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AmazonEC2Mock.java

@@ -1355,4 +1355,9 @@ public class AmazonEC2Mock implements AmazonEC2 {
     public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) {
         throw new UnsupportedOperationException("Not supported in mock"); 
     }
+
+    @Override
+    public ModifySpotFleetRequestResult modifySpotFleetRequest(ModifySpotFleetRequestRequest modifySpotFleetRequestRequest) throws AmazonServiceException, AmazonClientException {
+        throw new UnsupportedOperationException("Not supported in mock"); 
+    }
 }
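Review bot: The added `modifySpotFleetRequest` stub declares `throws AmazonServiceException, AmazonClientException` although its body only ever throws `UnsupportedOperationException`, and the neighbouring `getCachedResponseMetadata` stub visible in this hunk carries no throws clause. Dropping the clause would keep the mock's stubs uniform, and the `throw` line also has a trailing space after the semicolon, apparently copied from the stub above. A short comment such as `// required by the AmazonEC2 interface after the SDK upgrade` would record why the stub exists, assuming the upgrade is what introduced the method. The class starts outside this hunk, so other stubs in the file may follow a different convention.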

+ 1 - 1
plugins/repository-s3/build.gradle

@@ -23,7 +23,7 @@ esplugin {
 }
 
 versions << [
-  'aws': '1.10.19'
+  'aws': '1.10.33'
 ]
 
 dependencies {

+ 0 - 1
plugins/repository-s3/licenses/aws-java-sdk-core-1.10.19.jar.sha1

@@ -1 +0,0 @@
-b53f650323b7242dcced25b679f3e9aa4b494da5

+ 1 - 0
plugins/repository-s3/licenses/aws-java-sdk-core-1.10.33.jar.sha1

@@ -0,0 +1 @@
+fabedbbe2b834b1add150b6a38395c5ef7380168

+ 0 - 1
plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.19.jar.sha1

@@ -1 +0,0 @@
-c8764f3e61a3c420db429870ec22b31fe755d81d

+ 1 - 0
plugins/repository-s3/licenses/aws-java-sdk-kms-1.10.33.jar.sha1

@@ -0,0 +1 @@
+35881245894ecc4d893c074eacdf2e6b56820fda

+ 0 - 1
plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.19.jar.sha1

@@ -1 +0,0 @@
-a23dc60d56d54126250c23cab1d01328b1e83678

+ 1 - 0
plugins/repository-s3/licenses/aws-java-sdk-s3-1.10.33.jar.sha1

@@ -0,0 +1 @@
+5665cf77102a932a16e99ebf41d197e03ddbf25c

+ 0 - 24
plugins/repository-s3/src/main/java/org/elasticsearch/plugin/repository/s3/S3RepositoryPlugin.java

@@ -19,7 +19,6 @@
 
 package org.elasticsearch.plugin.repository.s3;
 
-import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.cloud.aws.S3Module;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
@@ -28,8 +27,6 @@ import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.repositories.RepositoriesModule;
 import org.elasticsearch.repositories.s3.S3Repository;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -38,27 +35,6 @@ import java.util.Collections;
  *
  */
 public class S3RepositoryPlugin extends Plugin {
-    
-    static {
-        // This internal config is deserialized but with wrong access modifiers,
-        // cannot work without suppressAccessChecks permission right now. We force
-        // a one time load with elevated privileges as a workaround.
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(new SpecialPermission());
-        }
-        AccessController.doPrivileged(new PrivilegedAction<Void>() {
-            @Override
-            public Void run() {
-                try {
-                    Class.forName("com.amazonaws.internal.config.InternalConfig$Factory");
-                } catch (ClassNotFoundException e) {
-                    throw new RuntimeException("Unable to initialize internal aws config", e);
-                }
-                return null;
-            }
-        });
-    }
 
     @Override
     public String name() {

+ 0 - 23
plugins/repository-s3/src/main/plugin-metadata/plugin-security.policy

@@ -1,23 +0,0 @@
-/*
- * Licensed to Elasticsearch under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-grant {
-  // needed because of problems in aws-sdk
-  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-};

+ 5 - 0
plugins/repository-s3/src/test/java/org/elasticsearch/cloud/aws/AmazonS3Wrapper.java

@@ -628,4 +628,9 @@ public class AmazonS3Wrapper implements AmazonS3 {
     public BucketReplicationConfiguration getBucketReplicationConfiguration(GetBucketReplicationConfigurationRequest getBucketReplicationConfigurationRequest) throws AmazonServiceException, AmazonClientException {
         return delegate.getBucketReplicationConfiguration(getBucketReplicationConfigurationRequest);
     }
+
+    @Override
+    public HeadBucketResult headBucket(HeadBucketRequest headBucketRequest) throws AmazonClientException, AmazonServiceException {
+        return delegate.headBucket(headBucketRequest);
+    }
 }
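Review bot: The new `headBucket` override lists its exceptions as `throws AmazonClientException, AmazonServiceException`, the reverse of the `throws AmazonServiceException, AmazonClientException` order used by `getBucketReplicationConfiguration` directly above it. Matching the neighbour's order keeps the wrapper's signatures uniform and easier to scan. The class begins outside this hunk, so the order used by the remaining delegating methods is not visible here.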