[Entitlements] Network access checks on Sockets (#120093)

Author: ldematte

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -20,8 +20,11 @@
 import java.net.InetAddress;
 import java.net.MulticastSocket;
 import java.net.NetworkInterface;
+import java.net.Proxy;
 import java.net.ProxySelector;
 import java.net.ResponseCache;
+import java.net.ServerSocket;
+import java.net.Socket;
 import java.net.SocketAddress;
 import java.net.SocketImplFactory;
 import java.net.URL;
@@ -215,4 +218,40 @@ public interface EntitlementChecker {
     void check$java_net_MulticastSocket$leaveGroup(Class<?> callerClass, MulticastSocket that, SocketAddress addr, NetworkInterface ni);
 
     void check$java_net_MulticastSocket$send(Class<?> callerClass, MulticastSocket that, DatagramPacket p, byte ttl);
+
+    // Binding/connecting ctor
+    void check$java_net_ServerSocket$(Class<?> callerClass, int port);
+
+    void check$java_net_ServerSocket$(Class<?> callerClass, int port, int backlog);
+
+    void check$java_net_ServerSocket$(Class<?> callerClass, int port, int backlog, InetAddress bindAddr);
+
+    void check$java_net_ServerSocket$accept(Class<?> callerClass, ServerSocket that);
+
+    void check$java_net_ServerSocket$implAccept(Class<?> callerClass, ServerSocket that, Socket s);
+
+    void check$java_net_ServerSocket$bind(Class<?> callerClass, ServerSocket that, SocketAddress endpoint);
+
+    void check$java_net_ServerSocket$bind(Class<?> callerClass, ServerSocket that, SocketAddress endpoint, int backlog);
+
+    // Binding/connecting ctors
+    void check$java_net_Socket$(Class<?> callerClass, Proxy proxy);
+
+    void check$java_net_Socket$(Class<?> callerClass, String host, int port);
+
+    void check$java_net_Socket$(Class<?> callerClass, InetAddress address, int port);
+
+    void check$java_net_Socket$(Class<?> callerClass, String host, int port, InetAddress localAddr, int localPort);
+
+    void check$java_net_Socket$(Class<?> callerClass, InetAddress address, int port, InetAddress localAddr, int localPort);
+
+    void check$java_net_Socket$(Class<?> callerClass, String host, int port, boolean stream);
+
+    void check$java_net_Socket$(Class<?> callerClass, InetAddress host, int port, boolean stream);
+
+    void check$java_net_Socket$bind(Class<?> callerClass, Socket that, SocketAddress endpoint);
+
+    void check$java_net_Socket$connect(Class<?> callerClass, Socket that, SocketAddress endpoint);
+
+    void check$java_net_Socket$connect(Class<?> callerClass, Socket that, SocketAddress endpoint, int backlog);
 }

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/DummyImplementations.java

@@ -10,14 +10,18 @@
 package org.elasticsearch.entitlement.qa.common;
 
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 import java.net.DatagramPacket;
 import java.net.DatagramSocket;
 import java.net.DatagramSocketImpl;
 import java.net.InetAddress;
 import java.net.NetworkInterface;
+import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketAddress;
 import java.net.SocketException;
+import java.net.SocketImpl;
 import java.security.cert.Certificate;
 import java.text.BreakIterator;
 import java.text.Collator;
@@ -297,6 +301,81 @@ public Certificate[] getServerCertificates() {
         }
     }
 
+    private static class DummySocketImpl extends SocketImpl {
+        @Override
+        protected void create(boolean stream) {}
+
+        @Override
+        protected void connect(String host, int port) {}
+
+        @Override
+        protected void connect(InetAddress address, int port) {}
+
+        @Override
+        protected void connect(SocketAddress address, int timeout) {}
+
+        @Override
+        protected void bind(InetAddress host, int port) {}
+
+        @Override
+        protected void listen(int backlog) {}
+
+        @Override
+        protected void accept(SocketImpl s) {}
+
+        @Override
+        protected InputStream getInputStream() {
+            return null;
+        }
+
+        @Override
+        protected OutputStream getOutputStream() {
+            return null;
+        }
+
+        @Override
+        protected int available() {
+            return 0;
+        }
+
+        @Override
+        protected void close() {}
+
+        @Override
+        protected void sendUrgentData(int data) {}
+
+        @Override
+        public void setOption(int optID, Object value) {}
+
+        @Override
+        public Object getOption(int optID) {
+            return null;
+        }
+    }
+
+    static class DummySocket extends Socket {
+        DummySocket() throws SocketException {
+            super(new DummySocketImpl());
+        }
+    }
+
+    static class DummyServerSocket extends ServerSocket {
+        DummyServerSocket() {
+            super(new DummySocketImpl());
+        }
+    }
+
+    static class DummyBoundServerSocket extends ServerSocket {
+        DummyBoundServerSocket() {
+            super(new DummySocketImpl());
+        }
+
+        @Override
+        public boolean isBound() {
+            return true;
+        }
+    }
+
     static class DummySSLSocketFactory extends SSLSocketFactory {
         @Override
         public Socket createSocket(String host, int port) {

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/NetworkAccessCheckActions.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.common;
+
+import org.elasticsearch.core.SuppressForbidden;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.Proxy;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+class NetworkAccessCheckActions {
+
+    static void serverSocketAccept() throws IOException {
+        try (ServerSocket socket = new DummyImplementations.DummyBoundServerSocket()) {
+            try {
+                socket.accept();
+            } catch (IOException e) {
+                // Our dummy socket cannot accept connections unless we tell the JDK how to create a socket for it.
+                // But Socket.setSocketImplFactory(); is one of the methods we always forbid, so we cannot use it.
+                // Still, we can check accept is called (allowed/denied), we don't care if it fails later for this
+                // known reason.
+                assert e.getMessage().contains("client socket implementation factory not set");
+            }
+        }
+    }
+
+    static void serverSocketBind() throws IOException {
+        try (ServerSocket socket = new DummyImplementations.DummyServerSocket()) {
+            socket.bind(null);
+        }
+    }
+
+    @SuppressForbidden(reason = "Testing entitlement check on forbidden action")
+    static void createSocketWithProxy() throws IOException {
+        try (Socket socket = new Socket(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(0)))) {
+            assert socket.isBound() == false;
+        }
+    }
+
+    static void socketBind() throws IOException {
+        try (Socket socket = new DummyImplementations.DummySocket()) {
+            socket.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
+        }
+    }
+
+    @SuppressForbidden(reason = "Testing entitlement check on forbidden action")
+    static void socketConnect() throws IOException {
+        try (Socket socket = new DummyImplementations.DummySocket()) {
+            socket.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
+        }
+    }
+}

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java

@@ -149,7 +149,13 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
         entry("datagram_socket_send", forPlugins(RestEntitlementsCheckAction::sendDatagramSocket)),
         entry("datagram_socket_receive", forPlugins(RestEntitlementsCheckAction::receiveDatagramSocket)),
         entry("datagram_socket_join_group", forPlugins(RestEntitlementsCheckAction::joinGroupDatagramSocket)),
-        entry("datagram_socket_leave_group", forPlugins(RestEntitlementsCheckAction::leaveGroupDatagramSocket))
+        entry("datagram_socket_leave_group", forPlugins(RestEntitlementsCheckAction::leaveGroupDatagramSocket)),
+
+        entry("create_socket_with_proxy", forPlugins(NetworkAccessCheckActions::createSocketWithProxy)),
+        entry("socket_bind", forPlugins(NetworkAccessCheckActions::socketBind)),
+        entry("socket_connect", forPlugins(NetworkAccessCheckActions::socketConnect)),
+        entry("server_socket_bind", forPlugins(NetworkAccessCheckActions::serverSocketBind)),
+        entry("server_socket_accept", forPlugins(NetworkAccessCheckActions::serverSocketAccept))
     );
 
     private static void createURLStreamHandlerProvider() {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -22,6 +22,7 @@
 import org.elasticsearch.entitlement.runtime.policy.CreateClassLoaderEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.Entitlement;
 import org.elasticsearch.entitlement.runtime.policy.ExitVMEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 import org.elasticsearch.entitlement.runtime.policy.PolicyParser;
@@ -44,6 +45,9 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import static org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement.ACCEPT_ACTION;
+import static org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement.CONNECT_ACTION;
+import static org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement.LISTEN_ACTION;
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED;
 
 /**
@@ -97,7 +101,15 @@ private static PolicyManager createPolicyManager() throws IOException {
             List.of(
                 new Scope("org.elasticsearch.base", List.of(new CreateClassLoaderEntitlement())),
                 new Scope("org.elasticsearch.xcontent", List.of(new CreateClassLoaderEntitlement())),
-                new Scope("org.elasticsearch.server", List.of(new ExitVMEntitlement(), new CreateClassLoaderEntitlement()))
+                new Scope(
+                    "org.elasticsearch.server",
+                    List.of(
+                        new ExitVMEntitlement(),
+                        new CreateClassLoaderEntitlement(),
+                        new NetworkEntitlement(LISTEN_ACTION | CONNECT_ACTION | ACCEPT_ACTION)
+                    )
+                ),
+                new Scope("org.apache.httpcomponents.httpclient", List.of(new NetworkEntitlement(CONNECT_ACTION)))
             )
         );
         // agents run without a module, so this is a special hack for the apm agent

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -24,8 +24,11 @@
 import java.net.InetAddress;
 import java.net.MulticastSocket;
 import java.net.NetworkInterface;
+import java.net.Proxy;
 import java.net.ProxySelector;
 import java.net.ResponseCache;
+import java.net.ServerSocket;
+import java.net.Socket;
 import java.net.SocketAddress;
 import java.net.SocketImplFactory;
 import java.net.URL;
@@ -414,4 +417,91 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
     public void check$java_net_MulticastSocket$send(Class<?> callerClass, MulticastSocket that, DatagramPacket p, byte ttl) {
         policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.CONNECT_ACTION | NetworkEntitlement.ACCEPT_ACTION);
     }
+
+    @Override
+    public void check$java_net_ServerSocket$(Class<?> callerClass, int port) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);
+    }
+
+    @Override
+    public void check$java_net_ServerSocket$(Class<?> callerClass, int port, int backlog) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);
+    }
+
+    @Override
+    public void check$java_net_ServerSocket$(Class<?> callerClass, int port, int backlog, InetAddress bindAddr) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);
+    }
+
+    @Override
+    public void check$java_net_ServerSocket$accept(Class<?> callerClass, ServerSocket that) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.ACCEPT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_ServerSocket$implAccept(Class<?> callerClass, ServerSocket that, Socket s) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.ACCEPT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_ServerSocket$bind(Class<?> callerClass, ServerSocket that, SocketAddress endpoint) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);
+    }
+
+    @Override
+    public void check$java_net_ServerSocket$bind(Class<?> callerClass, ServerSocket that, SocketAddress endpoint, int backlog) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$(Class<?> callerClass, Proxy proxy) {
+        if (proxy.type() == Proxy.Type.SOCKS || proxy.type() == Proxy.Type.HTTP) {
+            policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.CONNECT_ACTION);
+        }
+    }
+
+    @Override
+    public void check$java_net_Socket$(Class<?> callerClass, String host, int port) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION | NetworkEntitlement.CONNECT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$(Class<?> callerClass, InetAddress address, int port) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION | NetworkEntitlement.CONNECT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$(Class<?> callerClass, String host, int port, InetAddress localAddr, int localPort) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION | NetworkEntitlement.CONNECT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$(Class<?> callerClass, InetAddress address, int port, InetAddress localAddr, int localPort) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION | NetworkEntitlement.CONNECT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$(Class<?> callerClass, String host, int port, boolean stream) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION | NetworkEntitlement.CONNECT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$(Class<?> callerClass, InetAddress host, int port, boolean stream) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION | NetworkEntitlement.CONNECT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$bind(Class<?> callerClass, Socket that, SocketAddress endpoint) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$connect(Class<?> callerClass, Socket that, SocketAddress endpoint) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.CONNECT_ACTION);
+    }
+
+    @Override
+    public void check$java_net_Socket$connect(Class<?> callerClass, Socket that, SocketAddress endpoint, int backlog) {
+        policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.CONNECT_ACTION);
+    }
 }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/NetworkEntitlement.java

@@ -58,7 +58,11 @@ public NetworkEntitlement(List<String> actionsList) {
         this.actions = actionsInt;
     }
 
-    public static Object printActions(int actions) {
+    public NetworkEntitlement(int actions) {
+        this.actions = actions;
+    }
+
+    public static String printActions(int actions) {
         var joiner = new StringJoiner(",");
         for (var entry : ACTION_MAP.entrySet()) {
             var action = entry.getValue();