Removing unneeded check on SSLSession#getSessionContext (#120191)

ldematte · web-flow · commit 19965d57940b · 2025-01-15T15:32:59.000+01:00
diff --git a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
@@ -32,7 +32,6 @@
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocketFactory;
 
 @SuppressWarnings("unused") // Called from instrumentation code inserted by the Entitlements agent
@@ -193,9 +192,6 @@ public interface EntitlementChecker {
 
     void check$java_net_URL$(Class<?> callerClass, URL context, String spec, URLStreamHandler handler);
 
-    // The only implementation of SSLSession#getSessionContext(); unfortunately it's an interface, so we need to check the implementation
-    void check$sun_security_ssl_SSLSessionImpl$getSessionContext(Class<?> callerClass, SSLSession sslSession);
-
     void check$java_net_DatagramSocket$bind(Class<?> callerClass, DatagramSocket that, SocketAddress addr);
 
     void check$java_net_DatagramSocket$connect(Class<?> callerClass, DatagramSocket that, InetAddress addr);
diff --git a/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java b/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java
@@ -60,9 +60,6 @@
 
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
 
 import static java.util.Map.entry;
 import static org.elasticsearch.entitlement.qa.common.RestEntitlementsCheckAction.CheckAction.alwaysDenied;
@@ -147,7 +144,6 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
         entry("createURLStreamHandlerProvider", alwaysDenied(RestEntitlementsCheckAction::createURLStreamHandlerProvider)),
         entry("createURLWithURLStreamHandler", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler)),
         entry("createURLWithURLStreamHandler2", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler2)),
-        entry("sslSessionImpl_getSessionContext", alwaysDenied(RestEntitlementsCheckAction::sslSessionImplGetSessionContext)),
         entry("datagram_socket_bind", forPlugins(RestEntitlementsCheckAction::bindDatagramSocket)),
         entry("datagram_socket_connect", forPlugins(RestEntitlementsCheckAction::connectDatagramSocket)),
         entry("datagram_socket_send", forPlugins(RestEntitlementsCheckAction::sendDatagramSocket)),
@@ -165,15 +161,6 @@ public URLStreamHandler createURLStreamHandler(String protocol) {
         };
     }
 
-    private static void sslSessionImplGetSessionContext() throws IOException {
-        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
-        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
-            SSLSession session = socket.getSession();
-
-            session.getSessionContext();
-        }
-    }
-
     @SuppressWarnings("deprecation")
     private static void createURLWithURLStreamHandler() throws MalformedURLException {
         var x = new URL("http", "host", 1234, "file", new URLStreamHandler() {
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
@@ -36,7 +36,6 @@
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocketFactory;
 
 /**
@@ -352,11 +351,6 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
         policyManager.checkChangeNetworkHandling(callerClass);
     }
 
-    @Override
-    public void check$sun_security_ssl_SSLSessionImpl$getSessionContext(Class<?> callerClass, SSLSession sslSession) {
-        policyManager.checkReadSensitiveNetworkInformation(callerClass);
-    }
-
     @Override
     public void check$java_net_DatagramSocket$bind(Class<?> callerClass, DatagramSocket that, SocketAddress addr) {
         policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);
diff --git a/muted-tests.yml b/muted-tests.yml
@@ -235,12 +235,6 @@ tests:
 - class: org.elasticsearch.index.mapper.IntervalThrottlerTests
   method: testThrottling
   issue: https://github.com/elastic/elasticsearch/issues/120023
-- class: org.elasticsearch.entitlement.qa.EntitlementsDeniedIT
-  method: testCheckThrows {pathPrefix=denied actionName=sslSessionImpl_getSessionContext}
-  issue: https://github.com/elastic/elasticsearch/issues/120053
-- class: org.elasticsearch.entitlement.qa.EntitlementsDeniedIT
-  method: testCheckThrows {pathPrefix=denied_nonmodular actionName=sslSessionImpl_getSessionContext}
-  issue: https://github.com/elastic/elasticsearch/issues/120054
 - class: org.elasticsearch.xpack.ilm.actions.SearchableSnapshotActionIT
   method: testUpdatePolicyToAddPhasesYieldsInvalidActionsToBeSkipped
   issue: https://github.com/elastic/elasticsearch/issues/118406
