elastic
diff --git a/‎libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java‎
Lines changed: 23 additions & 4 deletions b/‎libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java‎
Lines changed: 23 additions & 4 deletions
diff --git a/‎libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/NetworkAccessCheckActions.java‎
Lines changed: 0 additions & 6 deletions b/‎libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/NetworkAccessCheckActions.java‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java‎
Lines changed: 0 additions & 1 deletion b/‎libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎libs/entitlement/qa/entitlement-allowed-nonmodular/src/main/plugin-metadata/entitlement-policy.yaml‎
Lines changed: 2 additions & 5 deletions b/‎libs/entitlement/qa/entitlement-allowed-nonmodular/src/main/plugin-metadata/entitlement-policy.yaml‎
Lines changed: 2 additions & 5 deletions
diff --git a/‎libs/entitlement/qa/entitlement-allowed/src/main/plugin-metadata/entitlement-policy.yaml‎
Lines changed: 2 additions & 5 deletions b/‎libs/entitlement/qa/entitlement-allowed/src/main/plugin-metadata/entitlement-policy.yaml‎
Lines changed: 2 additions & 5 deletions
diff --git a/‎libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java‎
Lines changed: 6 additions & 7 deletions b/‎libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java‎
Lines changed: 6 additions & 7 deletions
@@ -269,10 +269,7 @@ public interface EntitlementChecker {
     // Network miscellanea
     void check$java_net_URL$openConnection(Class<?> callerClass, java.net.URL that, Proxy proxy);
 
-    // HttpClient.Builder is an interface, so we instrument its only (internal) implementation
-    void check$jdk_internal_net_http_HttpClientBuilderImpl$build(Class<?> callerClass, HttpClient.Builder that);
-
-    // HttpClient#send and sendAsync are abstract, so we instrument their internal implementation
+    // HttpClient#send and sendAsync are abstract, so we instrument their internal implementations
     void check$jdk_internal_net_http_HttpClientImpl$send(
         Class<?> callerClass,
         HttpClient that,
@@ -295,6 +292,28 @@ public interface EntitlementChecker {
         HttpResponse.PushPromiseHandler<?> pushPromiseHandler
     );
 
+    void check$jdk_internal_net_http_HttpClientFacade$send(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest request,
+        HttpResponse.BodyHandler<?> responseBodyHandler
+    );
+
+    void check$jdk_internal_net_http_HttpClientFacade$sendAsync(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest userRequest,
+        HttpResponse.BodyHandler<?> responseHandler
+    );
+
+    void check$jdk_internal_net_http_HttpClientFacade$sendAsync(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest userRequest,
+        HttpResponse.BodyHandler<?> responseHandler,
+        HttpResponse.PushPromiseHandler<?> pushPromiseHandler
+    );
+
     // We need to check the LDAPCertStore, as this will connect, but this is internal/created via SPI,
     // so we instrument the general factory instead and then filter in the check method implementation
     void check$java_security_cert_CertStore$$getInstance(Class<?> callerClass, String type, CertStoreParameters params);
 
@@ -84,12 +84,6 @@ static void urlOpenConnectionWithProxy() throws URISyntaxException, IOException
         assert urlConnection != null;
     }
 
-    static void httpClientBuilderBuild() {
-        try (HttpClient httpClient = HttpClient.newBuilder().build()) {
-            assert httpClient != null;
-        }
-    }
-
     static void httpClientSend() throws InterruptedException {
         try (HttpClient httpClient = HttpClient.newBuilder().build()) {
             // Shutdown the client, so the send action will shortcut before actually executing any network operation
 
@@ -160,7 +160,6 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
         entry("server_socket_accept", forPlugins(NetworkAccessCheckActions::serverSocketAccept)),
 
         entry("url_open_connection_proxy", forPlugins(NetworkAccessCheckActions::urlOpenConnectionWithProxy)),
-        entry("http_client_builder_build", forPlugins(NetworkAccessCheckActions::httpClientBuilderBuild)),
         entry("http_client_send", forPlugins(NetworkAccessCheckActions::httpClientSend)),
         entry("http_client_send_async", forPlugins(NetworkAccessCheckActions::httpClientSendAsync)),
         entry("create_ldap_cert_store", forPlugins(NetworkAccessCheckActions::createLDAPCertStore)),
 
@@ -1,8 +1,5 @@
 ALL-UNNAMED:
   - create_class_loader
   - set_https_connection_properties
-  - network:
-      actions:
-        - listen
-        - accept
-        - connect
+  - inbound_network
+  - outbound_network
@@ -1,8 +1,5 @@
 org.elasticsearch.entitlement.qa.common:
   - create_class_loader
   - set_https_connection_properties
-  - network:
-      actions:
-        - listen
-        - accept
-        - connect
+  - inbound_network
+  - outbound_network
@@ -22,7 +22,8 @@
 import org.elasticsearch.entitlement.runtime.policy.CreateClassLoaderEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.Entitlement;
 import org.elasticsearch.entitlement.runtime.policy.ExitVMEntitlement;
-import org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.InboundNetworkEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.OutboundNetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 import org.elasticsearch.entitlement.runtime.policy.PolicyParser;
@@ -45,9 +46,6 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
-import static org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement.ACCEPT_ACTION;
-import static org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement.CONNECT_ACTION;
-import static org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement.LISTEN_ACTION;
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED;
 
 /**
@@ -106,11 +104,12 @@ private static PolicyManager createPolicyManager() throws IOException {
                     List.of(
                         new ExitVMEntitlement(),
                         new CreateClassLoaderEntitlement(),
-                        new NetworkEntitlement(LISTEN_ACTION | CONNECT_ACTION | ACCEPT_ACTION)
+                        new InboundNetworkEntitlement(),
+                        new OutboundNetworkEntitlement()
                     )
                 ),
-                new Scope("org.apache.httpcomponents.httpclient", List.of(new NetworkEntitlement(CONNECT_ACTION))),
-                new Scope("io.netty.transport", List.of(new NetworkEntitlement(LISTEN_ACTION)))
+                new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),
+                new Scope("io.netty.transport", List.of(new InboundNetworkEntitlement(), new OutboundNetworkEntitlement()))
             )
         );
         // agents run without a module, so this is a special hack for the apm agent