Skip to content

Greengrass DiscoveryClient does not work if a SecurityManager is installed #320

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
nicolatimeus opened this issue Sep 15, 2022 · 3 comments · Fixed by #427
Closed

Greengrass DiscoveryClient does not work if a SecurityManager is installed #320

nicolatimeus opened this issue Sep 15, 2022 · 3 comments · Fixed by #427
Assignees
@yasminetalby
Labels
bug This issue is a bug. p2 This is a standard priority issue pending-release This issue will be fixed by an approved PR that hasn't been released yet.

Comments

@nicolatimeus
Copy link

nicolatimeus commented Sep 15, 2022
edited
Loading

Describe the bug

If a SecurityManager is installed, Greengrass Core Device discovery performed using DiscoveryClient will fail even with a permissive policy.

Expected Behavior

Greengrass Discovery completes successfully even if a security manager is installed.

Current Behavior

Greengrass Core Device discovery performed using DiscoveryClient fails with exception [1]

[1]

Exception thrown: java.util.concurrent.ExecutionException: com.google.gson.JsonIOException: Failed making field 'software.amazon.awssdk.iot.discovery.model.DiscoverResponse#GGGroups' accessible; either change its visibility or write a custom TypeAdapter for its declaring type
java.util.concurrent.ExecutionException: com.google.gson.JsonIOException: Failed making field 'software.amazon.awssdk.iot.discovery.model.DiscoverResponse#GGGroups' accessible; either change its visibility or write a custom TypeAdapter for its declaring type
	at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
	at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1908)
	at greengrass.BasicDiscovery.getClientFromDiscovery(BasicDiscovery.java:157)
	at greengrass.BasicDiscovery.main(BasicDiscovery.java:114)
Caused by: com.google.gson.JsonIOException: Failed making field 'software.amazon.awssdk.iot.discovery.model.DiscoverResponse#GGGroups' accessible; either change its visibility or write a custom TypeAdapter for its declaring type
	at com.google.gson.internal.reflect.ReflectionHelper.makeAccessible(ReflectionHelper.java:22)
	at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:158)
	at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:101)
	at com.google.gson.Gson.getAdapter(Gson.java:501)
	at com.google.gson.Gson.fromJson(Gson.java:990)
	at com.google.gson.Gson.fromJson(Gson.java:929)
	at software.amazon.awssdk.iot.discovery.DiscoveryClient.lambda$discover$0(DiscoveryClient.java:97)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
	at java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1596)
	at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
	at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
	at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
	at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:128)
	at com.google.gson.internal.reflect.ReflectionHelper.makeAccessible(ReflectionHelper.java:19)
	... 12 more

Reproduction Steps

Build a standalone JAR file that executes https://github.com/aws/aws-iot-device-sdk-java-v2/blob/main/samples/Greengrass/src/main/java/greengrass/BasicDiscovery.java as main class. This can obtained for example by adding the snippet [1] to the build -> plugins section of https://github.com/aws/aws-iot-device-sdk-java-v2/blob/main/samples/Greengrass/pom.xml.

Run the produced jar file with the following command:

java -Djava.security.manager -Djava.security.policy=security.policy -jar ./Greengrass-1.0-SNAPSHOT-jar-with-dependencies.jar ${DISCOVERY_SAMPLE_ARGS}

where DISCOVERY_SAMPLE_ARGS is as described in https://docs.aws.amazon.com/greengrass/v2/developerguide/test-client-device-communications.html#test-client-device-communications-java and security.policy contains the following maximally permissive policy:

grant { 
      permission java.security.AllPermission;
};

The command should fail logging the reported exception if the-Djava.security.manager -Djava.security.policy=security.policy arguments are provided and succeed if they are removed.

[1]

<plugin>
    <artifactId>maven-assembly-plugin</artifactId>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>single</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <archive>
            <manifest>
                <mainClass>greengrass.BasicDiscovery</mainClass>
            </manifest>
        </archive>
        <descriptorRefs>
            <descriptorRef>jar-with-dependencies</descriptorRef>
        </descriptorRefs>
    </configuration>
</plugin>

Possible Solution

The issue is likely caused by the fact that

aws-iot-device-sdk-java-v2/sdk/src/main/java/software/amazon/awssdk/iot/discovery/DiscoveryClient.java

Line 97 in 472d0ec

return GSON.fromJson(new StringReader(responseString), DiscoverResponse.class);

is executed through CompletableFuture.supplyAsync() using the Fork Join Pool common pool.

Quoting from ForkJoinPool Javadoc, If a SecurityManager is present and no factory is specified, then the default pool uses a factory supplying threads that have no Permissions enabled..

Additional Information/Context

No response

SDK version used

main branch cloned from 1a2e1b5

Environment details (OS name and version, etc.)

Raspberry PI OS, openjdk version "1.8.0_312" OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-1+rpi1-b07) OpenJDK Client VM (build 25.312-b07, mixed mode)
@nicolatimeus nicolatimeus added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 15, 2022
@jmklix jmklix self-assigned this Jan 26, 2023
@jmklix jmklix added needs-reproduction This issue needs reproduction. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2023
@jmklix jmklix assigned yasminetalby and unassigned jmklix May 22, 2023
@TwistedTwigleg TwistedTwigleg mentioned this issue Jun 6, 2023
Merged
@yasminetalby yasminetalby added pending-release This issue will be fixed by an approved PR that hasn't been released yet. and removed needs-reproduction This issue needs reproduction. pending-release This issue will be fixed by an approved PR that hasn't been released yet. labels Jun 7, 2023
@yasminetalby
Copy link

Hello @nicolatimeus ,

Thank you very much for reaching out, I sincerely apologize for the delay of answer on this issue.
We have confirmed the issue and will be working on a fix.
I will update this issue once it is resolved.

Thank you very much for your feedback and detailed submission.

Best regards,

Yasmine

@yasminetalby yasminetalby added the pending-release This issue will be fixed by an approved PR that hasn't been released yet. label Jun 9, 2023
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@yasminetalby
Copy link

Hello @nicolatimeus ,

This issue has been resolved by #427 and the fix will be available in the next IoT Java v2 SDK release.

Thank you very much for your feedback and contribution.

Sincerely,

Yasmine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yasminetalby yasminetalby

Labels
bug This issue is a bug. p2 This is a standard priority issue pending-release This issue will be fixed by an approved PR that hasn't been released yet.
Projects
None yet
Milestone
No milestone
3 participants
@jmklix @nicolatimeus @yasminetalby