Skip to content

Commit 1988c55

Browse files
prdoyleprdoyle
committed
Move more nontrivial logic to PolicyChecker
1 parent 60de9dc commit 1988c55

File tree

3 files changed

+164
-141
lines changed

3 files changed

+164
-141
lines changed

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

Lines changed: 36 additions & 141 deletions
Original file line numberDiff line numberDiff line change
@@ -35,11 +35,9 @@
3535
import java.net.DatagramSocket;
3636
import java.net.DatagramSocketImplFactory;
3737
import java.net.FileNameMap;
38-
import java.net.HttpURLConnection;
3938
import java.net.InetAddress;
4039
import java.net.InetSocketAddress;
4140
import java.net.JarURLConnection;
42-
import java.net.MalformedURLException;
4341
import java.net.MulticastSocket;
4442
import java.net.NetworkInterface;
4543
import java.net.Proxy;
@@ -50,9 +48,7 @@
5048
import java.net.SocketAddress;
5149
import java.net.SocketImplFactory;
5250
import java.net.URI;
53-
import java.net.URISyntaxException;
5451
import java.net.URL;
55-
import java.net.URLConnection;
5652
import java.net.URLStreamHandler;
5753
import java.net.URLStreamHandlerFactory;
5854
import java.net.http.HttpClient;
@@ -77,7 +73,6 @@
7773
import java.nio.file.NoSuchFileException;
7874
import java.nio.file.OpenOption;
7975
import java.nio.file.Path;
80-
import java.nio.file.Paths;
8176
import java.nio.file.StandardOpenOption;
8277
import java.nio.file.WatchEvent;
8378
import java.nio.file.WatchService;
@@ -646,162 +641,67 @@ public ElasticsearchEntitlementChecker(PolicyChecker policyChecker) {
646641
policyChecker.checkOutboundNetworkAccess(callerClass);
647642
}
648643

649-
@SuppressWarnings("deprecation")
650-
private URL extractJarFileUrl(URL jarUrl) {
651-
String spec = jarUrl.getFile();
652-
int separator = spec.indexOf("!/");
653-
654-
// URL does not handle nested JAR URLs (it would be a MalformedURLException upon connection)
655-
if (separator == -1) {
656-
return null;
657-
}
658-
659-
try {
660-
return new URL(spec.substring(0, separator));
661-
} catch (MalformedURLException e) {
662-
return null;
663-
}
664-
}
665-
666-
private boolean handleNetworkOrFileUrlCheck(Class<?> callerClass, URL url) {
667-
if (isNetworkUrl(url)) {
668-
policyChecker.checkOutboundNetworkAccess(callerClass);
669-
return true;
670-
}
671-
if (isFileUrl(url)) {
672-
checkURLFileRead(callerClass, url);
673-
return true;
674-
}
675-
return false;
676-
}
677-
678-
private void checkJarURLAccess(Class<?> callerClass, JarURLConnection that) {
679-
var jarFileUrl = that.getJarFileURL();
680-
if (handleNetworkOrFileUrlCheck(callerClass, jarFileUrl)) {
681-
return;
682-
}
683-
policyChecker.checkUnsupportedURLProtocolConnection(callerClass, jarFileUrl.getProtocol());
684-
}
685-
686-
private void checkEntitlementForUrl(Class<?> callerClass, URL that) {
687-
if (handleNetworkOrFileUrlCheck(callerClass, that)) {
688-
return;
689-
}
690-
if (isJarUrl(that)) {
691-
var jarFileUrl = extractJarFileUrl(that);
692-
if (jarFileUrl == null || handleNetworkOrFileUrlCheck(callerClass, jarFileUrl) == false) {
693-
policyChecker.checkUnsupportedURLProtocolConnection(callerClass, "jar with unsupported inner protocol");
694-
}
695-
} else {
696-
policyChecker.checkUnsupportedURLProtocolConnection(callerClass, that.getProtocol());
697-
}
698-
}
699-
700644
@Override
701645
public void check$java_net_URL$openConnection(Class<?> callerClass, java.net.URL that) {
702-
checkEntitlementForUrl(callerClass, that);
646+
policyChecker.checkEntitlementForUrl(callerClass, that);
703647
}
704648

705649
@Override
706650
public void check$java_net_URL$openConnection(Class<?> callerClass, URL that, Proxy proxy) {
707651
if (proxy.type() != Proxy.Type.DIRECT) {
708652
policyChecker.checkOutboundNetworkAccess(callerClass);
709653
}
710-
checkEntitlementForUrl(callerClass, that);
654+
policyChecker.checkEntitlementForUrl(callerClass, that);
711655
}
712656

713657
@Override
714658
public void check$java_net_URL$openStream(Class<?> callerClass, java.net.URL that) {
715-
checkEntitlementForUrl(callerClass, that);
659+
policyChecker.checkEntitlementForUrl(callerClass, that);
716660
}
717661

718662
@Override
719663
public void check$java_net_URL$getContent(Class<?> callerClass, java.net.URL that) {
720-
checkEntitlementForUrl(callerClass, that);
664+
policyChecker.checkEntitlementForUrl(callerClass, that);
721665
}
722666

723667
@Override
724668
public void check$java_net_URL$getContent(Class<?> callerClass, java.net.URL that, Class<?>[] classes) {
725-
checkEntitlementForUrl(callerClass, that);
726-
}
727-
728-
private static final Set<String> NETWORK_PROTOCOLS = Set.of("http", "https", "ftp", "mailto");
729-
730-
private static boolean isNetworkUrl(java.net.URL url) {
731-
return NETWORK_PROTOCOLS.contains(url.getProtocol());
732-
}
733-
734-
private static boolean isFileUrl(java.net.URL url) {
735-
return "file".equals(url.getProtocol());
736-
}
737-
738-
private static boolean isJarUrl(java.net.URL url) {
739-
return "jar".equals(url.getProtocol());
740-
}
741-
742-
// We have to use class names for sun.net.www classes as java.base does not export them
743-
private static final List<String> ADDITIONAL_NETWORK_URL_CONNECT_CLASS_NAMES = List.of(
744-
"sun.net.www.protocol.ftp.FtpURLConnection",
745-
"sun.net.www.protocol.mailto.MailToURLConnection"
746-
);
747-
748-
private static boolean isNetworkUrlConnection(java.net.URLConnection urlConnection) {
749-
var connectionClass = urlConnection.getClass();
750-
return HttpURLConnection.class.isAssignableFrom(connectionClass)
751-
|| ADDITIONAL_NETWORK_URL_CONNECT_CLASS_NAMES.contains(connectionClass.getName());
752-
}
753-
754-
// We have to use class names for sun.net.www classes as java.base does not export them
755-
private static boolean isFileUrlConnection(java.net.URLConnection urlConnection) {
756-
var connectionClass = urlConnection.getClass();
757-
return "sun.net.www.protocol.file.FileURLConnection".equals(connectionClass.getName());
758-
}
759-
760-
private void checkEntitlementForURLConnection(Class<?> callerClass, URLConnection that) {
761-
if (isNetworkUrlConnection(that)) {
762-
policyChecker.checkOutboundNetworkAccess(callerClass);
763-
} else if (isFileUrlConnection(that)) {
764-
checkURLFileRead(callerClass, that.getURL());
765-
} else if (that instanceof JarURLConnection jarURLConnection) {
766-
checkJarURLAccess(callerClass, jarURLConnection);
767-
} else {
768-
policyChecker.checkUnsupportedURLProtocolConnection(callerClass, that.getURL().getProtocol());
769-
}
669+
policyChecker.checkEntitlementForUrl(callerClass, that);
770670
}
771671

772672
@Override
773673
public void check$java_net_URLConnection$getContentLength(Class<?> callerClass, java.net.URLConnection that) {
774-
checkEntitlementForURLConnection(callerClass, that);
674+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
775675
}
776676

777677
@Override
778678
public void check$java_net_URLConnection$getContentLengthLong(Class<?> callerClass, java.net.URLConnection that) {
779-
checkEntitlementForURLConnection(callerClass, that);
679+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
780680
}
781681

782682
@Override
783683
public void check$java_net_URLConnection$getContentType(Class<?> callerClass, java.net.URLConnection that) {
784-
checkEntitlementForURLConnection(callerClass, that);
684+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
785685
}
786686

787687
@Override
788688
public void check$java_net_URLConnection$getContentEncoding(Class<?> callerClass, java.net.URLConnection that) {
789-
checkEntitlementForURLConnection(callerClass, that);
689+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
790690
}
791691

792692
@Override
793693
public void check$java_net_URLConnection$getExpiration(Class<?> callerClass, java.net.URLConnection that) {
794-
checkEntitlementForURLConnection(callerClass, that);
694+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
795695
}
796696

797697
@Override
798698
public void check$java_net_URLConnection$getDate(Class<?> callerClass, java.net.URLConnection that) {
799-
checkEntitlementForURLConnection(callerClass, that);
699+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
800700
}
801701

802702
@Override
803703
public void check$java_net_URLConnection$getLastModified(Class<?> callerClass, java.net.URLConnection that) {
804-
checkEntitlementForURLConnection(callerClass, that);
704+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
805705
}
806706

807707
@Override
@@ -811,7 +711,7 @@ private void checkEntitlementForURLConnection(Class<?> callerClass, URLConnectio
811711
String name,
812712
int defaultValue
813713
) {
814-
checkEntitlementForURLConnection(callerClass, that);
714+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
815715
}
816716

817717
@Override
@@ -821,7 +721,7 @@ private void checkEntitlementForURLConnection(Class<?> callerClass, URLConnectio
821721
String name,
822722
long defaultValue
823723
) {
824-
checkEntitlementForURLConnection(callerClass, that);
724+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
825725
}
826726

827727
@Override
@@ -831,17 +731,17 @@ private void checkEntitlementForURLConnection(Class<?> callerClass, URLConnectio
831731
String name,
832732
long defaultValue
833733
) {
834-
checkEntitlementForURLConnection(callerClass, that);
734+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
835735
}
836736

837737
@Override
838738
public void check$java_net_URLConnection$getContent(Class<?> callerClass, java.net.URLConnection that) {
839-
checkEntitlementForURLConnection(callerClass, that);
739+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
840740
}
841741

842742
@Override
843743
public void check$java_net_URLConnection$getContent(Class<?> callerClass, java.net.URLConnection that, Class<?>[] classes) {
844-
checkEntitlementForURLConnection(callerClass, that);
744+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
845745
}
846746

847747
@Override
@@ -867,32 +767,32 @@ private void checkEntitlementForURLConnection(Class<?> callerClass, URLConnectio
867767
// Using java.net.URLConnection for "that" as sun.net.www.URLConnection is not exported
868768
@Override
869769
public void check$sun_net_www_URLConnection$getHeaderField(Class<?> callerClass, java.net.URLConnection that, String name) {
870-
checkEntitlementForURLConnection(callerClass, that);
770+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
871771
}
872772

873773
@Override
874774
public void check$sun_net_www_URLConnection$getHeaderFields(Class<?> callerClass, java.net.URLConnection that) {
875-
checkEntitlementForURLConnection(callerClass, that);
775+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
876776
}
877777

878778
@Override
879779
public void check$sun_net_www_URLConnection$getHeaderFieldKey(Class<?> callerClass, java.net.URLConnection that, int n) {
880-
checkEntitlementForURLConnection(callerClass, that);
780+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
881781
}
882782

883783
@Override
884784
public void check$sun_net_www_URLConnection$getHeaderField(Class<?> callerClass, java.net.URLConnection that, int n) {
885-
checkEntitlementForURLConnection(callerClass, that);
785+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
886786
}
887787

888788
@Override
889789
public void check$sun_net_www_URLConnection$getContentType(Class<?> callerClass, java.net.URLConnection that) {
890-
checkEntitlementForURLConnection(callerClass, that);
790+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
891791
}
892792

893793
@Override
894794
public void check$sun_net_www_URLConnection$getContentLength(Class<?> callerClass, java.net.URLConnection that) {
895-
checkEntitlementForURLConnection(callerClass, that);
795+
policyChecker.checkEntitlementForURLConnection(callerClass, that);
896796
}
897797

898798
@Override
@@ -2773,23 +2673,14 @@ public void checkPathRegister(
27732673
policyChecker.checkFileRead(callerClass, that);
27742674
}
27752675

2776-
private void checkURLFileRead(Class<?> callerClass, URL url) {
2777-
try {
2778-
policyChecker.checkFileRead(callerClass, Paths.get(url.toURI()));
2779-
} catch (URISyntaxException e) {
2780-
// We expect this method to be called only on File URLs; otherwise the underlying method would fail anyway
2781-
throw new RuntimeException(e);
2782-
}
2783-
}
2784-
27852676
@Override
27862677
public void check$sun_net_www_protocol_file_FileURLConnection$connect(Class<?> callerClass, java.net.URLConnection that) {
2787-
checkURLFileRead(callerClass, that.getURL());
2678+
policyChecker.checkURLFileRead(callerClass, that.getURL());
27882679
}
27892680

27902681
@Override
27912682
public void check$sun_net_www_protocol_file_FileURLConnection$getHeaderFields(Class<?> callerClass, java.net.URLConnection that) {
2792-
checkURLFileRead(callerClass, that.getURL());
2683+
policyChecker.checkURLFileRead(callerClass, that.getURL());
27932684
}
27942685

27952686
@Override
@@ -2798,22 +2689,22 @@ private void checkURLFileRead(Class<?> callerClass, URL url) {
27982689
java.net.URLConnection that,
27992690
String name
28002691
) {
2801-
checkURLFileRead(callerClass, that.getURL());
2692+
policyChecker.checkURLFileRead(callerClass, that.getURL());
28022693
}
28032694

28042695
@Override
28052696
public void check$sun_net_www_protocol_file_FileURLConnection$getHeaderField(Class<?> callerClass, java.net.URLConnection that, int n) {
2806-
checkURLFileRead(callerClass, that.getURL());
2697+
policyChecker.checkURLFileRead(callerClass, that.getURL());
28072698
}
28082699

28092700
@Override
28102701
public void check$sun_net_www_protocol_file_FileURLConnection$getContentLength(Class<?> callerClass, java.net.URLConnection that) {
2811-
checkURLFileRead(callerClass, that.getURL());
2702+
policyChecker.checkURLFileRead(callerClass, that.getURL());
28122703
}
28132704

28142705
@Override
28152706
public void check$sun_net_www_protocol_file_FileURLConnection$getContentLengthLong(Class<?> callerClass, java.net.URLConnection that) {
2816-
checkURLFileRead(callerClass, that.getURL());
2707+
policyChecker.checkURLFileRead(callerClass, that.getURL());
28172708
}
28182709

28192710
@Override
@@ -2822,24 +2713,28 @@ private void checkURLFileRead(Class<?> callerClass, URL url) {
28222713
java.net.URLConnection that,
28232714
int n
28242715
) {
2825-
checkURLFileRead(callerClass, that.getURL());
2716+
policyChecker.checkURLFileRead(callerClass, that.getURL());
28262717
}
28272718

28282719
@Override
28292720
public void check$sun_net_www_protocol_file_FileURLConnection$getLastModified(Class<?> callerClass, java.net.URLConnection that) {
2830-
checkURLFileRead(callerClass, that.getURL());
2721+
policyChecker.checkURLFileRead(callerClass, that.getURL());
28312722
}
28322723

28332724
@Override
28342725
public void check$sun_net_www_protocol_file_FileURLConnection$getInputStream(Class<?> callerClass, java.net.URLConnection that) {
2835-
checkURLFileRead(callerClass, that.getURL());
2726+
policyChecker.checkURLFileRead(callerClass, that.getURL());
28362727
}
28372728

28382729
@Override
28392730
public void check$java_net_JarURLConnection$getManifest(Class<?> callerClass, java.net.JarURLConnection that) {
28402731
checkJarURLAccess(callerClass, that);
28412732
}
28422733

2734+
private void checkJarURLAccess(Class<?> callerClass, JarURLConnection connection) {
2735+
policyChecker.checkJarURLAccess(callerClass, connection);
2736+
}
2737+
28432738
@Override
28442739
public void check$java_net_JarURLConnection$getJarEntry(Class<?> callerClass, java.net.JarURLConnection that) {
28452740
checkJarURLAccess(callerClass, that);

0 commit comments

Comments
 (0)