instrumentation for URL methods + tests

Author: ldematte

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -324,8 +324,16 @@ public interface EntitlementChecker {
 
     // URLConnection (java.net + sun.net.www)
 
+    void check$java_net_URL$openConnection(Class<?> callerClass, java.net.URL that);
+
     void check$java_net_URL$openConnection(Class<?> callerClass, java.net.URL that, Proxy proxy);
 
+    void check$java_net_URL$openStream(Class<?> callerClass, java.net.URL that);
+
+    void check$java_net_URL$getContent(Class<?> callerClass, java.net.URL that);
+
+    void check$java_net_URL$getContent(Class<?> callerClass, java.net.URL that, Class<?>[] classes);
+
     void check$java_net_URLConnection$getContentLength(Class<?> callerClass, java.net.URLConnection that);
 
     void check$java_net_URLConnection$getContentLengthLong(Class<?> callerClass, java.net.URLConnection that);

libs/entitlement/qa/entitled-plugin/src/main/java/org/elasticsearch/entitlement/qa/entitled/EntitledActions.java

@@ -12,7 +12,6 @@
 import org.elasticsearch.core.SuppressForbidden;
 
 import java.io.IOException;
-import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URLConnection;
 import java.nio.file.Files;

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/NetworkAccessCheckActions.java

@@ -18,8 +18,6 @@
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
-import java.net.URI;
-import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
 import java.nio.channels.AsynchronousServerSocketChannel;
 import java.nio.channels.AsynchronousSocketChannel;
@@ -75,12 +73,6 @@ static void socketConnect() throws IOException {
         }
     }
 
-    static void urlOpenConnectionWithProxy() throws URISyntaxException, IOException {
-        var url = new URI("http://localhost").toURL();
-        var urlConnection = url.openConnection(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(0)));
-        assert urlConnection != null;
-    }
-
     static void createLDAPCertStore() {
         try {
             // We pass down null params to provoke a InvalidAlgorithmParameterException

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java

@@ -143,7 +143,6 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
             entry("server_socket_bind", forPlugins(NetworkAccessCheckActions::serverSocketBind)),
             entry("server_socket_accept", forPlugins(NetworkAccessCheckActions::serverSocketAccept)),
 
-            entry("url_open_connection_proxy", forPlugins(NetworkAccessCheckActions::urlOpenConnectionWithProxy)),
             entry("http_client_send", forPlugins(VersionSpecificNetworkChecks::httpClientSend)),
             entry("http_client_send_async", forPlugins(VersionSpecificNetworkChecks::httpClientSendAsync)),
             entry("create_ldap_cert_store", forPlugins(NetworkAccessCheckActions::createLDAPCertStore)),

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/URLConnectionNetworkActions.java

@@ -10,14 +10,18 @@
 package org.elasticsearch.entitlement.qa.test;
 
 import org.elasticsearch.core.CheckedConsumer;
+import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.qa.entitled.EntitledActions;
 
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.ConnectException;
 import java.net.HttpURLConnection;
+import java.net.InetSocketAddress;
 import java.net.MalformedURLException;
+import java.net.Proxy;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
 
@@ -75,6 +79,46 @@ private static void withJdkHttpConnection(CheckedConsumer<HttpURLConnection, Exc
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void urlOpenConnection() throws Exception {
+        URI.create("http://127.0.0.1:12345/").toURL().openConnection();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    @SuppressForbidden(reason = "just testing, not a real connection")
+    static void urlOpenConnectionWithProxy() throws URISyntaxException, IOException {
+        var url = new URI("http://localhost").toURL();
+        var urlConnection = url.openConnection(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(0)));
+        assert urlConnection != null;
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void urlOpenStream() throws Exception {
+        try {
+            URI.create("http://127.0.0.1:12345/").toURL().openStream().close();
+        } catch (java.net.ConnectException e) {
+            // It's OK, it means we passed entitlement checks, and we tried to connect
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void urlGetContent() throws Exception {
+        try {
+            URI.create("http://127.0.0.1:12345/").toURL().getContent();
+        } catch (java.net.ConnectException e) {
+            // It's OK, it means we passed entitlement checks, and we tried to connect
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void urlGetContentWithClasses() throws Exception {
+        try {
+            URI.create("http://127.0.0.1:12345/").toURL().getContent(new Class<?>[] { String.class });
+        } catch (java.net.ConnectException e) {
+            // It's OK, it means we passed entitlement checks, and we tried to connect
+        }
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void baseUrlConnectionGetContentLength() throws Exception {
         withPlainNetworkConnection(URLConnection::getContentLength);

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java

@@ -34,6 +34,7 @@ class EntitlementsTestRule implements TestRule {
     // entitlements that test methods may use, see EntitledActions
     private static final PolicyBuilder ENTITLED_POLICY = (builder, tempDir) -> {
         builder.value("manage_threads");
+        builder.value("outbound_network");
         builder.value(
             Map.of(
                 "files",

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -640,9 +640,37 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
         policyManager.checkOutboundNetworkAccess(callerClass);
     }
 
+    @Override
+    public void check$java_net_URL$openConnection(Class<?> callerClass, java.net.URL that) {
+        if (isNetworkUrl(that)) {
+            policyManager.checkOutboundNetworkAccess(callerClass);
+        }
+    }
+
     @Override
     public void check$java_net_URL$openConnection(Class<?> callerClass, URL that, Proxy proxy) {
-        if (proxy.type() != Proxy.Type.DIRECT) {
+        if (proxy.type() != Proxy.Type.DIRECT || isNetworkUrl(that)) {
+            policyManager.checkOutboundNetworkAccess(callerClass);
+        }
+    }
+
+    @Override
+    public void check$java_net_URL$openStream(Class<?> callerClass, java.net.URL that) {
+        if (isNetworkUrl(that)) {
+            policyManager.checkOutboundNetworkAccess(callerClass);
+        }
+    }
+
+    @Override
+    public void check$java_net_URL$getContent(Class<?> callerClass, java.net.URL that) {
+        if (isNetworkUrl(that)) {
+            policyManager.checkOutboundNetworkAccess(callerClass);
+        }
+    }
+
+    @Override
+    public void check$java_net_URL$getContent(Class<?> callerClass, java.net.URL that, Class<?>[] classes) {
+        if (isNetworkUrl(that)) {
             policyManager.checkOutboundNetworkAccess(callerClass);
         }
     }
@@ -653,6 +681,12 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
         "sun.net.www.protocol.mailto.MailToURLConnection"
     );
 
+    private static final Set<String> NETWORK_PROTOCOLS = Set.of("http", "https", "ftp", "mailto");
+
+    private static boolean isNetworkUrl(java.net.URL url) {
+        return NETWORK_PROTOCOLS.contains(url.getProtocol());
+    }
+
     private static boolean isNetworkUrlConnection(java.net.URLConnection urlConnection) {
         var connectionClass = urlConnection.getClass();
         return HttpURLConnection.class.isAssignableFrom(connectionClass)