First pass at entitlement policy review

Author: prdoyle

x-pack/plugin/identity-provider/src/main/plugin-metadata/plugin-security.policy

@@ -1,16 +1,21 @@
 grant {
+  // PD: Doesn't actually appear to use this. Contains no callers to anything that calls checkSetFactory
   permission java.lang.RuntimePermission "setFactory";
 
   // ApacheXMLSecurityInitializer
+  // PD: Done
   permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "read,write";
+  // PD: Dup!
   permission java.security.SecurityPermission "org.apache.xml.security.register";
 
+  // PD: TODO Not sure how to check this one
   // needed during initialization of OpenSAML library where xml security algorithms are registered
   // see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
   // and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
   // which uses it in the opensaml-xmlsec-impl
   permission java.security.SecurityPermission "org.apache.xml.security.register";
 
   // needed for multiple server implementations used in tests
+  // PD: TODO: Why aren't tests failing?
   permission java.net.SocketPermission "*", "accept,connect";
 };

x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy

@@ -8,22 +8,29 @@
 grant {
   // required by: com.google.api.client.json.JsonParser#parseValue
   // also required by AWS SDK for client configuration
+  // PD: Always granted
   permission java.lang.RuntimePermission "accessDeclaredMembers";
+  // PD: Always granted
   permission java.lang.RuntimePermission "getClassLoader";
 
   // required by: com.google.api.client.json.GenericJson#<init>
   // also by AWS SDK for Jackson's ObjectMapper
+  // PD: TODO: What entitlement does this map to?
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 
   // required to add google certs to the gcs client trustore
+  // PD: Done
   permission java.lang.RuntimePermission "setFactory";
 
   // gcs client opens socket connections for to access repository
   // also, AWS Bedrock client opens socket connections and needs resolve for to access to resources
+  // PD: TODO Add outgoing network
   permission java.net.SocketPermission "*", "connect,resolve";
 
   // AWS Clients always try to access the credentials and config files, even if we configure otherwise
+  // PD: TODO Add these
   permission java.io.FilePermission "${user.home}/.aws/credentials", "read";
   permission java.io.FilePermission "${user.home}/.aws/config", "read";
+  // PD: Always granted
   permission java.util.PropertyPermission "http.proxyHost", "read";
 };

x-pack/plugin/logstash/src/main/plugin-metadata/plugin-security.policy

@@ -1,4 +1,5 @@
 grant {
   // needed for multiple server implementations used in tests
+  // PD: TODO: Why aren't tests failing?
   permission java.net.SocketPermission "*", "accept,connect";
 };

x-pack/plugin/ml-package-loader/src/main/plugin-metadata/plugin-security.policy

@@ -6,5 +6,6 @@
  */
 
 grant {
+  // PD: TODO outgoing network?
   permission java.net.SocketPermission "*", "connect";
 };

x-pack/plugin/ml/src/main/plugin-metadata/plugin-security-test.policy

@@ -1,5 +1,6 @@
 // Needed for painless script to run
 grant {
   // needed to create the classloader which allows plugins to extend other plugins
+  // PD: We think this isn't doing anything. https://elastic.slack.com/archives/C07HQL9TNP6/p1740683230530729?thread_ts=1740683097.110529&cid=C07HQL9TNP6
   permission java.lang.RuntimePermission "createClassLoader";
 };

x-pack/plugin/ml/src/main/plugin-metadata/plugin-security.policy

@@ -1,7 +1,9 @@
 grant {
   // needed for Windows named pipes in machine learning
+  // PD: Done
   permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
 
   // needed for ojalgo linear programming solver
+  // PD: Always granted
   permission java.lang.RuntimePermission "accessDeclaredMembers";
 };