Adjustments + IT tests

Author: ldematte

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java

@@ -180,7 +180,7 @@ private static Stream<String> maybeAttachEntitlementAgent(boolean useEntitlement
         }
         // We instrument classes in these modules to call the bridge. Because the bridge gets patched
         // into java.base, we must export the bridge from java.base to these modules, as a comma-separated list
-        String modulesContainingEntitlementInstrumentation = "java.logging,java.net.http,java.naming";
+        String modulesContainingEntitlementInstrumentation = "java.logging,java.net.http,java.naming,jdk.net";
         return Stream.of(
             "-Des.entitlements.enabled=true",
             "-XX:+EnableDynamicAgentLoading",

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -608,6 +608,7 @@ public interface EntitlementChecker {
         Class<?> callerClass,
         Path path,
         Set<? extends OpenOption> options,
+        ExecutorService executor,
         FileAttribute<?>... attrs
     );
 

libs/entitlement/qa/entitlement-test-plugin/src/main/java/module-info.java

@@ -16,4 +16,5 @@
     // Modules we'll attempt to use in order to exercise entitlements
     requires java.logging;
     requires java.net.http;
+    requires jdk.net;
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/DummyImplementations.java

@@ -24,14 +24,9 @@
 import java.net.SocketException;
 import java.net.SocketImpl;
 import java.net.URI;
-import java.nio.channels.AsynchronousChannelGroup;
-import java.nio.channels.AsynchronousServerSocketChannel;
-import java.nio.channels.AsynchronousSocketChannel;
-import java.nio.channels.DatagramChannel;
-import java.nio.channels.Pipe;
-import java.nio.channels.SeekableByteChannel;
-import java.nio.channels.ServerSocketChannel;
-import java.nio.channels.SocketChannel;
+import java.nio.ByteBuffer;
+import java.nio.MappedByteBuffer;
+import java.nio.channels.*;
 import java.nio.channels.spi.AbstractSelector;
 import java.nio.channels.spi.AsynchronousChannelProvider;
 import java.nio.channels.spi.SelectorProvider;
@@ -67,6 +62,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Future;
 import java.util.concurrent.ThreadFactory;
 import java.util.spi.CalendarDataProvider;
 import java.util.spi.CalendarNameProvider;
@@ -676,4 +672,153 @@ public void setAttribute(Path path, String attribute, Object value, LinkOption..
 
         }
     }
+
+    static class DummyFileChannel extends FileChannel {
+        @Override
+        protected void implCloseChannel() throws IOException {
+
+        }
+
+        @Override
+        public int read(ByteBuffer dst) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public long read(ByteBuffer[] dsts, int offset, int length) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public int write(ByteBuffer src) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public long write(ByteBuffer[] srcs, int offset, int length) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public long position() throws IOException {
+            return 0;
+        }
+
+        @Override
+        public FileChannel position(long newPosition) throws IOException {
+            return null;
+        }
+
+        @Override
+        public long size() throws IOException {
+            return 0;
+        }
+
+        @Override
+        public FileChannel truncate(long size) throws IOException {
+            return null;
+        }
+
+        @Override
+        public void force(boolean metaData) throws IOException {
+
+        }
+
+        @Override
+        public long transferTo(long position, long count, WritableByteChannel target) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public long transferFrom(ReadableByteChannel src, long position, long count) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public int read(ByteBuffer dst, long position) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public int write(ByteBuffer src, long position) throws IOException {
+            return 0;
+        }
+
+        @Override
+        public MappedByteBuffer map(MapMode mode, long position, long size) throws IOException {
+            return null;
+        }
+
+        @Override
+        public FileLock lock(long position, long size, boolean shared) throws IOException {
+            return null;
+        }
+
+        @Override
+        public FileLock tryLock(long position, long size, boolean shared) throws IOException {
+            return null;
+        }
+    }
+
+    static class DummyAsynchronousFileChannel extends AsynchronousFileChannel {
+        @Override
+        public boolean isOpen() {
+            return false;
+        }
+
+        @Override
+        public void close() throws IOException {
+
+        }
+
+        @Override
+        public long size() throws IOException {
+            return 0;
+        }
+
+        @Override
+        public AsynchronousFileChannel truncate(long size) throws IOException {
+            return null;
+        }
+
+        @Override
+        public void force(boolean metaData) throws IOException {
+
+        }
+
+        @Override
+        public <A> void lock(long position, long size, boolean shared, A attachment, CompletionHandler<FileLock, ? super A> handler) {
+
+        }
+
+        @Override
+        public Future<FileLock> lock(long position, long size, boolean shared) {
+            return null;
+        }
+
+        @Override
+        public FileLock tryLock(long position, long size, boolean shared) throws IOException {
+            return null;
+        }
+
+        @Override
+        public <A> void read(ByteBuffer dst, long position, A attachment, CompletionHandler<Integer, ? super A> handler) {
+
+        }
+
+        @Override
+        public Future<Integer> read(ByteBuffer dst, long position) {
+            return null;
+        }
+
+        @Override
+        public <A> void write(ByteBuffer src, long position, A attachment, CompletionHandler<Integer, ? super A> handler) {
+
+        }
+
+        @Override
+        public Future<Integer> write(ByteBuffer src, long position) {
+            return null;
+        }
+    }
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/NioChannelsActions.java

@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.test;
+
+import jdk.nio.Channels;
+
+import org.elasticsearch.common.util.concurrent.EsExecutors;
+import org.elasticsearch.entitlement.qa.entitled.EntitledActions;
+
+import java.io.FileDescriptor;
+import java.io.IOException;
+import java.nio.channels.AsynchronousFileChannel;
+import java.nio.channels.FileChannel;
+import java.nio.channels.SelectableChannel;
+import java.nio.file.StandardOpenOption;
+import java.util.Set;
+
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.ALWAYS_DENIED;
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
+
+class NioChannelsActions {
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createFileChannel() throws IOException {
+        new DummyImplementations.DummyFileChannel().close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileChannelOpenForWrite() throws IOException {
+        FileChannel.open(FileCheckActions.readWriteFile(), StandardOpenOption.WRITE).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileChannelOpenForRead() throws IOException {
+        FileChannel.open(FileCheckActions.readFile()).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileChannelOpenForWriteWithOptions() throws IOException {
+        FileChannel.open(FileCheckActions.readWriteFile(), Set.of(StandardOpenOption.WRITE)).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileChannelOpenForReadWithOptions() throws IOException {
+        FileChannel.open(FileCheckActions.readFile(), Set.of(StandardOpenOption.READ)).close();
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createAsynchronousFileChannel() throws IOException {
+        new DummyImplementations.DummyAsynchronousFileChannel().close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void asynchronousFileChannelOpenForWrite() throws IOException {
+        var file = EntitledActions.createTempFileForWrite();
+        AsynchronousFileChannel.open(file, StandardOpenOption.WRITE).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void asynchronousFileChannelOpenForRead() throws IOException {
+        var file = EntitledActions.createTempFileForRead();
+        AsynchronousFileChannel.open(file).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void asynchronousFileChannelOpenForWriteWithOptions() throws IOException {
+        var file = EntitledActions.createTempFileForWrite();
+        AsynchronousFileChannel.open(file, Set.of(StandardOpenOption.WRITE), EsExecutors.DIRECT_EXECUTOR_SERVICE).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void asynchronousFileChannelOpenForReadWithOptions() throws IOException {
+        var file = EntitledActions.createTempFileForRead();
+        AsynchronousFileChannel.open(file, Set.of(StandardOpenOption.READ), EsExecutors.DIRECT_EXECUTOR_SERVICE).close();
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void channelsReadWriteSelectableChannel() throws IOException {
+
+        jdk.nio.Channels.readWriteSelectableChannel(new FileDescriptor(), new Channels.SelectableChannelCloser() {
+            @Override
+            public void implCloseChannel(SelectableChannel sc) throws IOException {}
+
+            @Override
+            public void implReleaseChannel(SelectableChannel sc) throws IOException {}
+        }).close();
+    }
+}

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java

@@ -189,6 +189,7 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
         getTestEntries(FileStoreActions.class),
         getTestEntries(ManageThreadsActions.class),
         getTestEntries(NativeActions.class),
+        getTestEntries(NioChannelsActions.class),
         getTestEntries(NioFileSystemActions.class),
         getTestEntries(PathActions.class),
         getTestEntries(SpiActions.class),

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -141,7 +141,13 @@ private static PolicyManager createPolicyManager() {
         var serverPolicy = new Policy(
             "server",
             List.of(
-                new Scope("org.elasticsearch.base", List.of(new CreateClassLoaderEntitlement())),
+                new Scope(
+                    "org.elasticsearch.base",
+                    List.of(
+                        new CreateClassLoaderEntitlement(),
+                        new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)))
+                    )
+                ),
                 new Scope("org.elasticsearch.xcontent", List.of(new CreateClassLoaderEntitlement())),
                 new Scope(
                     "org.elasticsearch.server",

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -1182,6 +1182,7 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
         Class<?> callerClass,
         Path path,
         Set<? extends OpenOption> options,
+        ExecutorService executor,
         FileAttribute<?>... attrs
     ) {
         if (isOpenForWrite(options)) {