Security manager test & fix (#3077)

Author: SylvainJuge

CHANGELOG.asciidoc

@@ -52,6 +52,7 @@ communication - {pull}2996[#2996]
 * Fix exceptions filtering based on <<config-ignore-exceptions>> when those are <<config-unnest-exceptions, nested>> - {pull}3025[#3025]
 * Fix usage of `HttpUrlConnection.getResponseCode()` causing an error event due to exception capturing, even when it is internally handled - {pull}3024[#3024]
 * Fix source code jar to contain apm-agent sources - {pull}3063[#3063]
+* Fix security exception when security manager is used with `log_level=debug` - {pull}3077[#3077]
 
 [[release-notes-1.x]]
 === Java Agent version 1.x

apm-agent-core/src/main/java/co/elastic/apm/agent/util/PrivilegedActionUtils.java

@@ -23,6 +23,7 @@
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.ProxySelector;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.AccessController;
@@ -62,6 +63,35 @@ public Map<String, String> run() {
         });
     }
 
+
+    @Nullable
+    public static String getProperty(final String name) {
+        if (System.getSecurityManager() == null) {
+            return System.getProperty(name);
+        }
+
+        return AccessController.doPrivileged(new PrivilegedAction<String>() {
+            @Override
+            public String run() {
+                return System.getProperty(name);
+            }
+        });
+    }
+
+    @Nullable
+    public static ProxySelector getDefaultProxySelector() {
+        if (System.getSecurityManager() == null) {
+            return ProxySelector.getDefault();
+        }
+
+        return AccessController.doPrivileged(new PrivilegedAction<ProxySelector>() {
+            @Override
+            public ProxySelector run() {
+                return ProxySelector.getDefault();
+            }
+        });
+    }
+
     @Nullable
     public static ClassLoader getClassLoader(final Class<?> type) {
         if (System.getSecurityManager() == null) {

apm-agent-core/src/main/java/co/elastic/apm/agent/util/UrlConnectionUtils.java

@@ -46,13 +46,13 @@ public static URLConnection openUrlConnectionThreadSafely(URL url) throws IOExce
     }
 
     private static void debugPrintProxySettings(URL url) {
-        ProxySelector proxySelector = ProxySelector.getDefault();
+        ProxySelector proxySelector = PrivilegedActionUtils.getDefaultProxySelector();
         if (proxySelector == null || proxySelector.getClass().getName().equals("sun.net.spi.DefaultProxySelector")) {
             String proxyHostProperty = url.getProtocol() + ".proxyHost";
             String proxyPortProperty = url.getProtocol() + ".proxyPort";
-            String proxyHost = System.getProperty(proxyHostProperty);
-            String proxyPort = System.getProperty(proxyPortProperty);
-            String nonProxyHosts = System.getProperty("http.nonProxyHosts"); // common to http & https
+            String proxyHost = PrivilegedActionUtils.getProperty(proxyHostProperty);
+            String proxyPort = PrivilegedActionUtils.getProperty(proxyPortProperty);
+            String nonProxyHosts = PrivilegedActionUtils.getProperty("http.nonProxyHosts"); // common to http & https
             if (proxyHost == null || proxyHost.isEmpty()) {
                 logger.debug("Opening {} without proxy", url);
             } else {

apm-agent-core/src/test/java/co/elastic/apm/agent/util/PrivilegedActionUtilsTest.java

@@ -60,7 +60,7 @@ void getEnv() {
         String envKey = envMap.keySet().stream().findFirst().get();
         String envValue = envMap.get(envKey);
 
-        testWithAndWithoutSecurityManager(()->{
+        testWithAndWithoutSecurityManager(() -> {
             assertThat(PrivilegedActionUtils.getEnv(envKey)).isEqualTo(envValue);
             assertThat(PrivilegedActionUtils.getEnv()).containsAllEntriesOf(envMap);
         });
@@ -70,13 +70,13 @@ void getEnv() {
     @Test
     void getClassLoader() {
         ClassLoader cl = PrivilegedActionUtilsTest.class.getClassLoader();
-        testWithAndWithoutSecurityManager(()-> assertThat(PrivilegedActionUtils.getClassLoader(PrivilegedActionUtilsTest.class)).isSameAs(cl));
+        testWithAndWithoutSecurityManager(() -> assertThat(PrivilegedActionUtils.getClassLoader(PrivilegedActionUtilsTest.class)).isSameAs(cl));
     }
 
     @Test
     void getProtectionDomain() {
         ProtectionDomain pd = PrivilegedActionUtilsTest.class.getProtectionDomain();
-        testWithAndWithoutSecurityManager(()-> assertThat(PrivilegedActionUtils.getProtectionDomain(PrivilegedActionUtilsTest.class)).isSameAs(pd));
+        testWithAndWithoutSecurityManager(() -> assertThat(PrivilegedActionUtils.getProtectionDomain(PrivilegedActionUtilsTest.class)).isSameAs(pd));
     }
 
     @Test
@@ -161,7 +161,12 @@ void createDirectories(@TempDir Path tempDir) throws IOException {
         });
     }
 
-    private static void testPrivileged(Runnable task){
+    @Test
+    void getProxySelector() {
+        testWithAndWithoutSecurityManager(PrivilegedActionUtils::getDefaultProxySelector);
+    }
+
+    private static void testPrivileged(Runnable task) {
         AccessController.doPrivileged(new PrivilegedAction<Object>() {
             @Override
             public Object run() {
@@ -171,7 +176,7 @@ public Object run() {
         });
     }
 
-    void testWithAndWithoutSecurityManager(Runnable assertions){
+    void testWithAndWithoutSecurityManager(Runnable assertions) {
         assertions.run();
         try {
             enableSecurityManager();
@@ -209,7 +214,7 @@ public void checkPermission(Permission perm, Object context) {
         private static void checkPrivileged() {
             StackTraceElement[] stackTrace = new RuntimeException().getStackTrace();
             for (StackTraceElement e : stackTrace) {
-                if(e.getClassName().equals("java.security.AccessController") && e.getMethodName().equals("doPrivileged")){
+                if (e.getClassName().equals("java.security.AccessController") && e.getMethodName().equals("doPrivileged")) {
                     return;
                 }
             }