[Entitlements] Add URLConnection instrumentation for jar protocol (#123861)

Follows #123824

Relates to ES-10994

Author: ldematte

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -1235,6 +1235,34 @@ void checkPathRegister(
 
     void check$sun_net_www_protocol_file_FileURLConnection$getInputStream(Class<?> callerClass, java.net.URLConnection that);
 
+    void check$java_net_JarURLConnection$getManifest(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$java_net_JarURLConnection$getJarEntry(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$java_net_JarURLConnection$getAttributes(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$java_net_JarURLConnection$getMainAttributes(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$java_net_JarURLConnection$getCertificates(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getJarFile(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getJarEntry(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$connect(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getInputStream(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getContentLength(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getContentLengthLong(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getContent(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getContentType(Class<?> callerClass, java.net.JarURLConnection that);
+
+    void check$sun_net_www_protocol_jar_JarURLConnection$getHeaderField(Class<?> callerClass, java.net.JarURLConnection that, String name);
+
     ////////////////////
     //
     // Thread management

libs/entitlement/qa/entitled-plugin/src/main/java/org/elasticsearch/entitlement/qa/entitled/EntitledActions.java

@@ -18,8 +18,13 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
 import java.nio.file.attribute.UserPrincipal;
 import java.security.SecureRandom;
+import java.util.jar.Attributes;
+import java.util.jar.JarEntry;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Manifest;
 
 @SuppressForbidden(reason = "Exposes forbidden APIs for testing purposes")
 public final class EntitledActions {
@@ -81,4 +86,23 @@ public static URLConnection createFileURLConnection() throws IOException {
     public static URLConnection createMailToURLConnection() throws URISyntaxException, IOException {
         return new URI("mailto", "[email protected]", null).toURL().openConnection();
     }
+
+    public static Path createJar(Path dir, String name, Manifest manifest, String... files) throws IOException {
+        Path jarpath = dir.resolve(name);
+        try (var os = Files.newOutputStream(jarpath, StandardOpenOption.CREATE); var out = new JarOutputStream(os, manifest)) {
+            for (String file : files) {
+                out.putNextEntry(new JarEntry(file));
+            }
+        }
+        return jarpath;
+    }
+
+    public static URLConnection createJarURLConnection() throws IOException {
+        var manifest = new Manifest();
+        manifest.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
+        var tmpJarFile = createJar(readWriteDir(), "entitlements-" + random.nextLong() + ".jar", manifest, "a", "b");
+        var jarFileUrl = tmpJarFile.toUri().toURL();
+        var jarUrl = URI.create("jar:" + jarFileUrl + "!/a").toURL();
+        return jarUrl.openConnection();
+    }
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/URLConnectionFileActions.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.entitlement.qa.entitled.EntitledActions;
 
 import java.io.IOException;
+import java.net.JarURLConnection;
 import java.net.URLConnection;
 
 import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
@@ -30,6 +31,13 @@ private static void withJdkFileConnection(CheckedConsumer<URLConnection, Excepti
         }
     }
 
+    private static void withJarConnection(CheckedConsumer<JarURLConnection, Exception> connectionConsumer) throws Exception {
+        var conn = EntitledActions.createJarURLConnection();
+        // Be sure we got the connection implementation we want
+        assert JarURLConnection.class.isAssignableFrom(conn.getClass());
+        connectionConsumer.accept((JarURLConnection) conn);
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void sunFileURLConnectionConnect() throws Exception {
         withJdkFileConnection(URLConnection::connect);
@@ -114,4 +122,114 @@ static void sunFileURLConnectionGetContent() throws Exception {
     static void sunFileURLConnectionGetContentWithClasses() throws Exception {
         withJdkFileConnection(conn -> conn.getContent(new Class<?>[] { String.class }));
     }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetManifest() throws Exception {
+        withJarConnection(JarURLConnection::getManifest);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetJarEntry() throws Exception {
+        withJarConnection(JarURLConnection::getJarEntry);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetAttributes() throws Exception {
+        withJarConnection(JarURLConnection::getAttributes);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetMainAttributes() throws Exception {
+        withJarConnection(JarURLConnection::getMainAttributes);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetCertificates() throws Exception {
+        withJarConnection(JarURLConnection::getCertificates);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetJarFile() throws Exception {
+        withJarConnection(JarURLConnection::getJarFile);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetJarEntry() throws Exception {
+        withJarConnection(JarURLConnection::getJarEntry);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionConnect() throws Exception {
+        withJarConnection(JarURLConnection::connect);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetInputStream() throws Exception {
+        withJarConnection(JarURLConnection::getInputStream);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetContentLength() throws Exception {
+        withJarConnection(JarURLConnection::getContentLength);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetContentLengthLong() throws Exception {
+        withJarConnection(JarURLConnection::getContentLengthLong);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetContent() throws Exception {
+        withJarConnection(JarURLConnection::getContent);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetContentType() throws Exception {
+        withJarConnection(JarURLConnection::getContentType);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunJarURLConnectionGetHeaderFieldWithName() throws Exception {
+        withJarConnection(conn -> conn.getHeaderField("field"));
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetContentEncoding() throws Exception {
+        withJarConnection(URLConnection::getContentEncoding);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetExpiration() throws Exception {
+        withJarConnection(URLConnection::getExpiration);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetDate() throws Exception {
+        withJarConnection(URLConnection::getDate);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetLastModified() throws Exception {
+        withJarConnection(URLConnection::getLastModified);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetHeaderFieldInt() throws Exception {
+        withJarConnection(conn -> conn.getHeaderFieldInt("field", 0));
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetHeaderFieldLong() throws Exception {
+        withJarConnection(conn -> conn.getHeaderFieldLong("field", 0));
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetHeaderFieldDate() throws Exception {
+        withJarConnection(conn -> conn.getHeaderFieldDate("field", 0));
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void netJarURLConnectionGetContent() throws Exception {
+        withJarConnection(conn -> conn.getContent(new Class<?>[] { String.class }));
+    }
 }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java

@@ -40,6 +40,7 @@ public record BootstrapArgs(
         Path[] sharedRepoDirs,
         Path configDir,
         Path libDir,
+        Path modulesDir,
         Path pluginsDir,
         Map<String, Path> sourcePaths,
         Path logsDir,
@@ -58,6 +59,7 @@ public record BootstrapArgs(
             requireNonNull(sharedRepoDirs);
             requireNonNull(configDir);
             requireNonNull(libDir);
+            requireNonNull(modulesDir);
             requireNonNull(pluginsDir);
             requireNonNull(sourcePaths);
             requireNonNull(logsDir);
@@ -83,6 +85,7 @@ public static BootstrapArgs bootstrapArgs() {
      * @param sharedRepoDirs shared repository directories for Elasticsearch
      * @param configDir      the config directory for Elasticsearch
      * @param libDir         the lib directory for Elasticsearch
+     * @param modulesDir     the directory where Elasticsearch modules are
      * @param pluginsDir     the directory where plugins are installed for Elasticsearch
      * @param sourcePaths    a map holding the path to each plugin or module jars, by plugin (or module) name.
      * @param tempDir        the temp directory for Elasticsearch
@@ -98,6 +101,7 @@ public static void bootstrap(
         Path[] sharedRepoDirs,
         Path configDir,
         Path libDir,
+        Path modulesDir,
         Path pluginsDir,
         Map<String, Path> sourcePaths,
         Path logsDir,
@@ -117,6 +121,7 @@ public static void bootstrap(
             sharedRepoDirs,
             configDir,
             libDir,
+            modulesDir,
             pluginsDir,
             sourcePaths,
             logsDir,

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -154,8 +154,10 @@ private static PolicyManager createPolicyManager() {
             serverModuleFileDatas,
             // Base ES directories
             FileData.ofPath(bootstrapArgs.pluginsDir(), READ),
+            FileData.ofPath(bootstrapArgs.modulesDir(), READ),
             FileData.ofPath(bootstrapArgs.configDir(), READ),
             FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
+            FileData.ofPath(bootstrapArgs.libDir(), READ),
             FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE),
             FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),