Merged
304e1ab
Add URLConnection instrumentation
ldematte Feb 26, 2025
0ed405d
URLConnectionNetworkActions tests
ldematte Feb 27, 2025
7376a85
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Feb 27, 2025
9e0209b
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Feb 27, 2025
64a6ef6
Missing GCS policy
ldematte Feb 27, 2025
4cd11c6
Missing policy for discovery-gce
ldematte Feb 27, 2025
e0c50df
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Mar 1, 2025
6a3e259
split tests
ldematte Mar 1, 2025
a4c2204
instrumentation for URL methods + tests
ldematte Mar 1, 2025
2b690f3
missing azure policy
ldematte Mar 1, 2025
68e996e
missing ml-package-loader policy
ldematte Mar 1, 2025
9ad3a0c
instrument FileURLConnection classes + tests
ldematte Mar 2, 2025
2d21831
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Mar 3, 2025
6579182
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Mar 3, 2025
a407e99
instrument JarURLConnection
ldematte Mar 3, 2025
07aa3c9
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Mar 5, 2025
346f914
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Mar 5, 2025
81b2169
allow read access for each plugin to its own directory
ldematte Mar 5, 2025
c6966fd
small fix to extract sub URL from Jar URL
ldematte Mar 5, 2025
47fe9bb
defaultFileAccess must now be plugin-specific
ldematte Mar 5, 2025
4dad7ce
Merge remote-tracking branch 'upstream/main' into entitlements/missin…
ldematte Mar 7, 2025
ff547c3
IT tests
ldematte Mar 7, 2025
589e710
update jar tests to use a real jar and never throw
ldematte Mar 8, 2025
6838ba9
Merge branch 'main' into entitlements/missing-url-connection-5
ldematte Mar 8, 2025
11b9cb7
Merge branch 'main' into entitlements/missing-url-connection-5
ldematte Mar 8, 2025
Expand Up @@ -1235,6 +1235,34 @@ void checkPathRegister(

void check$sun_net_www_protocol_file_FileURLConnection$getInputStream(Class<?> callerClass, java.net.URLConnection that);

void check$java_net_JarURLConnection$getManifest(Class<?> callerClass, java.net.JarURLConnection that);

void check$java_net_JarURLConnection$getJarEntry(Class<?> callerClass, java.net.JarURLConnection that);

void check$java_net_JarURLConnection$getAttributes(Class<?> callerClass, java.net.JarURLConnection that);

void check$java_net_JarURLConnection$getMainAttributes(Class<?> callerClass, java.net.JarURLConnection that);

void check$java_net_JarURLConnection$getCertificates(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getJarFile(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getJarEntry(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$connect(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getInputStream(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getContentLength(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getContentLengthLong(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getContent(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getContentType(Class<?> callerClass, java.net.JarURLConnection that);

void check$sun_net_www_protocol_jar_JarURLConnection$getHeaderField(Class<?> callerClass, java.net.JarURLConnection that, String name);

////////////////////
//
// Thread management
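Review bot: The new `check$sun_net_www_protocol_jar_JarURLConnection$…` declarations carry no comment saying why `that` is typed as `java.net.JarURLConnection` or how the list of methods was chosen. The list is effectively an allowlist of instrumented overrides, so an override added to the implementation class in a later JDK would go unchecked until someone extends it. A header comment above the group would make that maintainable, e.g. `// sun.net.www.protocol.jar.JarURLConnection is JDK-internal, so it is passed as java.net.JarURLConnection; keep this list in sync with its overrides`. The interface body starts and continues outside this hunk.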
Expand Up @@ -81,4 +81,11 @@ public static URLConnection createFileURLConnection() throws IOException {
public static URLConnection createMailToURLConnection() throws URISyntaxException, IOException {
return new URI("mailto", "[email protected]", null).toURL().openConnection();
}

public static URLConnection createJarURLConnection() throws IOException {
var tmpJarFile = Files.createFile(readWriteDir().resolve("entitlements-" + random.nextLong() + ".jar"));
var jarFileUrl = tmpJarFile.toUri().toURL();
var jarUrl = URI.create("jar:" + jarFileUrl + "!/").toURL();
return jarUrl.openConnection();
}
}
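Review bot: `createJarURLConnection` names its file with `random.nextLong()` and never deletes it, so repeated runs leave `entitlements-*.jar` files in the read/write dir and a name collision makes `Files.createFile` throw. `var tmpJarFile = Files.createTempFile(readWriteDir(), "entitlements-", ".jar");` picks a unique name atomically. The file is also zero bytes, so presumably every jar operation on the returned connection fails with an `IOException` instead of reading content; a comment stating that this is intended would help the next reader.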
Expand Up @@ -13,6 +13,7 @@
import org.elasticsearch.entitlement.qa.entitled.EntitledActions;

import java.io.IOException;
import java.net.JarURLConnection;
import java.net.URLConnection;

import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
Expand All @@ -30,6 +31,17 @@ private static void withJdkFileConnection(CheckedConsumer<URLConnection, Excepti
}
}

private static void withJarConnection(CheckedConsumer<JarURLConnection, Exception> connectionConsumer) throws Exception {
var conn = EntitledActions.createJarURLConnection();
// Be sure we got the connection implementation we want
assert JarURLConnection.class.isAssignableFrom(conn.getClass());
try {
connectionConsumer.accept((JarURLConnection) conn);
} catch (IOException e) {
// It's OK, it means we passed entitlement checks, and we tried to perform some operation
}
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunFileURLConnectionConnect() throws Exception {
withJdkFileConnection(URLConnection::connect);
Expand Down Expand Up @@ -114,4 +126,114 @@ static void sunFileURLConnectionGetContent() throws Exception {
static void sunFileURLConnectionGetContentWithClasses() throws Exception {
withJdkFileConnection(conn -> conn.getContent(new Class<?>[] { String.class }));
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetManifest() throws Exception {
withJarConnection(JarURLConnection::getManifest);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetJarEntry() throws Exception {
withJarConnection(JarURLConnection::getJarEntry);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetAttributes() throws Exception {
withJarConnection(JarURLConnection::getAttributes);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetMainAttributes() throws Exception {
withJarConnection(JarURLConnection::getMainAttributes);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetCertificates() throws Exception {
withJarConnection(JarURLConnection::getCertificates);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetJarFile() throws Exception {
withJarConnection(JarURLConnection::getJarFile);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetJarEntry() throws Exception {
withJarConnection(JarURLConnection::getJarEntry);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionConnect() throws Exception {
withJarConnection(JarURLConnection::connect);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetInputStream() throws Exception {
withJarConnection(JarURLConnection::getInputStream);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetContentLength() throws Exception {
withJarConnection(JarURLConnection::getContentLength);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetContentLengthLong() throws Exception {
withJarConnection(JarURLConnection::getContentLengthLong);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetContent() throws Exception {
withJarConnection(JarURLConnection::getContent);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetContentType() throws Exception {
withJarConnection(JarURLConnection::getContentType);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void sunJarURLConnectionGetHeaderFieldWithName() throws Exception {
withJarConnection(conn -> conn.getHeaderField("field"));
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetContentEncoding() throws Exception {
withJarConnection(URLConnection::getContentEncoding);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetExpiration() throws Exception {
withJarConnection(URLConnection::getExpiration);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetDate() throws Exception {
withJarConnection(URLConnection::getDate);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetLastModified() throws Exception {
withJarConnection(URLConnection::getLastModified);
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetHeaderFieldInt() throws Exception {
withJarConnection(conn -> conn.getHeaderFieldInt("field", 0));
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetHeaderFieldLong() throws Exception {
withJarConnection(conn -> conn.getHeaderFieldLong("field", 0));
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetHeaderFieldDate() throws Exception {
withJarConnection(conn -> conn.getHeaderFieldDate("field", 0));
}

@EntitlementTest(expectedAccess = PLUGINS)
static void netJarURLConnectionGetContent() throws Exception {
withJarConnection(conn -> conn.getContent(new Class<?>[] { String.class }));
}
}
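Review bot: `netJarURLConnectionGetJarEntry` and `sunJarURLConnectionGetJarEntry` both run `withJarConnection(JarURLConnection::getJarEntry)` on a connection from the same factory, so they execute the same method and the `net` variant adds no separate coverage. Since the checker declares a `sun_net_www_protocol_jar_JarURLConnection$getJarEntry` hook, the call presumably dispatches to the JDK implementation's override in both tests. Either drop one or mark it, e.g. `// same dispatch as sunJarURLConnectionGetJarEntry; the java.net base method is not reached from this instance`. Separately, the empty `catch (IOException e)` in `withJarConnection` relies on an entitlement denial never being an `IOException`, which is worth stating in its comment.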
Expand Up @@ -40,6 +40,7 @@ public record BootstrapArgs(
Path[] sharedRepoDirs,
Path configDir,
Path libDir,
Path modulesDir,
Path pluginsDir,
Map<String, Path> sourcePaths,
Path logsDir,
Expand All @@ -58,6 +59,7 @@ public record BootstrapArgs(
requireNonNull(sharedRepoDirs);
requireNonNull(configDir);
requireNonNull(libDir);
requireNonNull(modulesDir);
requireNonNull(pluginsDir);
requireNonNull(sourcePaths);
requireNonNull(logsDir);
Expand All @@ -83,6 +85,7 @@ public static BootstrapArgs bootstrapArgs() {
* @param sharedRepoDirs shared repository directories for Elasticsearch
* @param configDir the config directory for Elasticsearch
* @param libDir the lib directory for Elasticsearch
* @param modulesDir the directory where Elasticsearch modules are
* @param pluginsDir the directory where plugins are installed for Elasticsearch
* @param sourcePaths a map holding the path to each plugin or module jars, by plugin (or module) name.
* @param tempDir the temp directory for Elasticsearch
Expand All @@ -98,6 +101,7 @@ public static void bootstrap(
Path[] sharedRepoDirs,
Path configDir,
Path libDir,
Path modulesDir,
Path pluginsDir,
Map<String, Path> sourcePaths,
Path logsDir,
Expand All @@ -117,6 +121,7 @@ public static void bootstrap(
sharedRepoDirs,
configDir,
libDir,
modulesDir,
pluginsDir,
sourcePaths,
logsDir,
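Review bot: The new javadoc line `@param modulesDir the directory where Elasticsearch modules are` stops mid-sentence; `@param modulesDir the directory where Elasticsearch modules are installed` matches the wording of the `pluginsDir` line below it. Because `modulesDir` is inserted between other positional `Path` arguments, a caller outside these hunks that swaps it with `pluginsDir` would still compile, so the call site deserves a check.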
Expand Up @@ -154,8 +154,10 @@ private static PolicyManager createPolicyManager() {
serverModuleFileDatas,
// Base ES directories
FileData.ofPath(bootstrapArgs.pluginsDir(), READ),
FileData.ofPath(bootstrapArgs.modulesDir(), READ),
FileData.ofPath(bootstrapArgs.configDir(), READ),
FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
FileData.ofPath(bootstrapArgs.libDir(), READ),
Member


Is this from native lib finding the platform dir?

Contributor Author


IIRC this was also started from PluginService; I guess you are correct and it is from plugins with native libraries, but I can double check.

FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE),
FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),
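Review bot: The added `FileData.ofPath(bootstrapArgs.modulesDir(), READ)` entry carries no stated reason, while it grants read access to the whole modules tree for whatever scope this list applies to (the enclosing call starts outside the hunk). A short why-comment would let a later reader judge whether the grant can be narrowed, e.g. `// modulesDir READ: required by <component that reads module files>`. The placeholder needs the actual caller filled in by the author.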
