[8.x] Add "always denied" network access checks (elastic#119867) (elastic#120027)

ldematte · web-flow · commit d93011ebc794 · 2025-01-15T16:13:39.000+01:00
diff --git a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
@@ -15,14 +15,18 @@
 import java.net.ContentHandlerFactory;
 import java.net.DatagramSocketImplFactory;
 import java.net.FileNameMap;
+import java.net.ProxySelector;
+import java.net.ResponseCache;
 import java.net.SocketImplFactory;
 import java.net.URL;
+import java.net.URLStreamHandler;
 import java.net.URLStreamHandlerFactory;
 import java.util.List;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocketFactory;
 
 @SuppressWarnings("unused") // Called from instrumentation code inserted by the Entitlements agent
@@ -167,4 +171,22 @@ public interface EntitlementChecker {
 
     void check$java_net_URLConnection$$setContentHandlerFactory(Class<?> callerClass, ContentHandlerFactory fac);
 
+    ////////////////////
+    //
+    // Network access
+    //
+    void check$java_net_ProxySelector$$setDefault(Class<?> callerClass, ProxySelector ps);
+
+    void check$java_net_ResponseCache$$setDefault(Class<?> callerClass, ResponseCache rc);
+
+    void check$java_net_spi_InetAddressResolverProvider$(Class<?> callerClass);
+
+    void check$java_net_spi_URLStreamHandlerProvider$(Class<?> callerClass);
+
+    void check$java_net_URL$(Class<?> callerClass, String protocol, String host, int port, String file, URLStreamHandler handler);
+
+    void check$java_net_URL$(Class<?> callerClass, URL context, String spec, URLStreamHandler handler);
+
+    // The only implementation of SSLSession#getSessionContext(); unfortunately it's an interface, so we need to check the implementation
+    void check$sun_security_ssl_SSLSessionImpl$getSessionContext(Class<?> callerClass, SSLSession sslSession);
 }
diff --git a/libs/entitlement/qa/common/build.gradle b/libs/entitlement/qa/common/build.gradle
@@ -8,6 +8,7 @@
  */
 
 apply plugin: 'elasticsearch.build'
+apply plugin: 'elasticsearch.mrjar'
 
 dependencies {
   implementation project(':server')
diff --git a/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java b/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java
@@ -34,53 +34,61 @@
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.DatagramSocket;
-import java.net.DatagramSocketImpl;
-import java.net.DatagramSocketImplFactory;
 import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.ProxySelector;
+import java.net.ResponseCache;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.URL;
 import java.net.URLClassLoader;
 import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.net.spi.URLStreamHandlerProvider;
 import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
 
 import static java.util.Map.entry;
 import static org.elasticsearch.entitlement.qa.common.RestEntitlementsCheckAction.CheckAction.alwaysDenied;
 import static org.elasticsearch.entitlement.qa.common.RestEntitlementsCheckAction.CheckAction.deniedToPlugins;
 import static org.elasticsearch.entitlement.qa.common.RestEntitlementsCheckAction.CheckAction.forPlugins;
 import static org.elasticsearch.rest.RestRequest.Method.GET;
 
+@SuppressWarnings("unused")
 public class RestEntitlementsCheckAction extends BaseRestHandler {
     private static final Logger logger = LogManager.getLogger(RestEntitlementsCheckAction.class);
     public static final Thread NO_OP_SHUTDOWN_HOOK = new Thread(() -> {}, "Shutdown hook for testing");
     private final String prefix;
 
-    record CheckAction(Runnable action, boolean isAlwaysDeniedToPlugins) {
+    record CheckAction(Runnable action, boolean isAlwaysDeniedToPlugins, Integer fromJavaVersion) {
         /**
          * These cannot be granted to plugins, so our test plugins cannot test the "allowed" case.
-         * Used both for always-denied entitlements as well as those granted only to the server itself.
+         * Used both for always-denied entitlements and those granted only to the server itself.
          */
         static CheckAction deniedToPlugins(Runnable action) {
-            return new CheckAction(action, true);
+            return new CheckAction(action, true, null);
         }
 
         static CheckAction forPlugins(Runnable action) {
-            return new CheckAction(action, false);
+            return new CheckAction(action, false, null);
         }
 
         static CheckAction alwaysDenied(Runnable action) {
-            return new CheckAction(action, true);
+            return new CheckAction(action, true, null);
         }
     }
 
-    private static final Map<String, CheckAction> checkActions = Map.ofEntries(
+    private static final Map<String, CheckAction> checkActions = Stream.of(
         entry("runtime_exit", deniedToPlugins(RestEntitlementsCheckAction::runtimeExit)),
         entry("runtime_halt", deniedToPlugins(RestEntitlementsCheckAction::runtimeHalt)),
         entry("system_exit", deniedToPlugins(RestEntitlementsCheckAction::systemExit)),
@@ -125,8 +133,77 @@ static CheckAction alwaysDenied(Runnable action) {
         entry("socket_setSocketImplFactory", alwaysDenied(RestEntitlementsCheckAction::socket$$setSocketImplFactory)),
         entry("url_setURLStreamHandlerFactory", alwaysDenied(RestEntitlementsCheckAction::url$$setURLStreamHandlerFactory)),
         entry("urlConnection_setFileNameMap", alwaysDenied(RestEntitlementsCheckAction::urlConnection$$setFileNameMap)),
-        entry("urlConnection_setContentHandlerFactory", alwaysDenied(RestEntitlementsCheckAction::urlConnection$$setContentHandlerFactory))
-    );
+        entry("urlConnection_setContentHandlerFactory", alwaysDenied(RestEntitlementsCheckAction::urlConnection$$setContentHandlerFactory)),
+
+        entry("proxySelector_setDefault", alwaysDenied(RestEntitlementsCheckAction::setDefaultProxySelector)),
+        entry("responseCache_setDefault", alwaysDenied(RestEntitlementsCheckAction::setDefaultResponseCache)),
+        entry(
+            "createInetAddressResolverProvider",
+            new CheckAction(VersionSpecificNetworkChecks::createInetAddressResolverProvider, true, 18)
+        ),
+        entry("createURLStreamHandlerProvider", alwaysDenied(RestEntitlementsCheckAction::createURLStreamHandlerProvider)),
+        entry("createURLWithURLStreamHandler", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler)),
+        entry("createURLWithURLStreamHandler2", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler2)),
+        entry("sslSessionImpl_getSessionContext", alwaysDenied(RestEntitlementsCheckAction::sslSessionImplGetSessionContext))
+    )
+        .filter(entry -> entry.getValue().fromJavaVersion() == null || Runtime.version().feature() >= entry.getValue().fromJavaVersion())
+        .collect(Collectors.toUnmodifiableMap(Map.Entry::getKey, Map.Entry::getValue));
+
+    private static void createURLStreamHandlerProvider() {
+        var x = new URLStreamHandlerProvider() {
+            @Override
+            public URLStreamHandler createURLStreamHandler(String protocol) {
+                return null;
+            }
+        };
+    }
+
+    private static void sslSessionImplGetSessionContext() {
+        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
+        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
+            SSLSession session = socket.getSession();
+
+            session.getSessionContext();
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @SuppressWarnings("deprecation")
+    private static void createURLWithURLStreamHandler() {
+        try {
+            var x = new URL("http", "host", 1234, "file", new URLStreamHandler() {
+                @Override
+                protected URLConnection openConnection(URL u) {
+                    return null;
+                }
+            });
+        } catch (MalformedURLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @SuppressWarnings("deprecation")
+    private static void createURLWithURLStreamHandler2() {
+        try {
+            var x = new URL(null, "spec", new URLStreamHandler() {
+                @Override
+                protected URLConnection openConnection(URL u) {
+                    return null;
+                }
+            });
+        } catch (MalformedURLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static void setDefaultResponseCache() {
+        ResponseCache.setDefault(null);
+    }
+
+    private static void setDefaultProxySelector() {
+        ProxySelector.setDefault(null);
+    }
 
     private static void setDefaultSSLContext() {
         try {
@@ -270,12 +347,7 @@ private static void setHttpsConnectionProperties() {
     @SuppressForbidden(reason = "We're required to prevent calls to this forbidden API")
     private static void datagramSocket$$setDatagramSocketImplFactory() {
         try {
-            DatagramSocket.setDatagramSocketImplFactory(new DatagramSocketImplFactory() {
-                @Override
-                public DatagramSocketImpl createDatagramSocketImpl() {
-                    throw new IllegalStateException();
-                }
-            });
+            DatagramSocket.setDatagramSocketImplFactory(() -> { throw new IllegalStateException(); });
         } catch (IOException e) {
             throw new IllegalStateException(e);
         }
diff --git a/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/VersionSpecificNetworkChecks.java b/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/VersionSpecificNetworkChecks.java
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.common;
+
+class VersionSpecificNetworkChecks {
+    static void createInetAddressResolverProvider() {}
+}
diff --git a/libs/entitlement/qa/common/src/main18/java/org/elasticsearch/entitlement/qa/common/VersionSpecificNetworkChecks.java b/libs/entitlement/qa/common/src/main18/java/org/elasticsearch/entitlement/qa/common/VersionSpecificNetworkChecks.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.common;
+
+import java.net.spi.InetAddressResolver;
+import java.net.spi.InetAddressResolverProvider;
+
+class VersionSpecificNetworkChecks {
+    static void createInetAddressResolverProvider() {
+        var x = new InetAddressResolverProvider() {
+            @Override
+            public InetAddressResolver get(Configuration configuration) {
+                return null;
+            }
+
+            @Override
+            public String name() {
+                return "TEST";
+            }
+        };
+    }
+}
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
@@ -18,14 +18,18 @@
 import java.net.ContentHandlerFactory;
 import java.net.DatagramSocketImplFactory;
 import java.net.FileNameMap;
+import java.net.ProxySelector;
+import java.net.ResponseCache;
 import java.net.SocketImplFactory;
 import java.net.URL;
+import java.net.URLStreamHandler;
 import java.net.URLStreamHandlerFactory;
 import java.util.List;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocketFactory;
 
 /**
@@ -310,4 +314,39 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
     public void check$javax_net_ssl_SSLContext$$setDefault(Class<?> callerClass, SSLContext context) {
         policyManager.checkChangeJVMGlobalState(callerClass);
     }
+
+    @Override
+    public void check$java_net_ProxySelector$$setDefault(Class<?> callerClass, ProxySelector ps) {
+        policyManager.checkChangeNetworkHandling(callerClass);
+    }
+
+    @Override
+    public void check$java_net_ResponseCache$$setDefault(Class<?> callerClass, ResponseCache rc) {
+        policyManager.checkChangeNetworkHandling(callerClass);
+    }
+
+    @Override
+    public void check$java_net_spi_InetAddressResolverProvider$(Class<?> callerClass) {
+        policyManager.checkChangeNetworkHandling(callerClass);
+    }
+
+    @Override
+    public void check$java_net_spi_URLStreamHandlerProvider$(Class<?> callerClass) {
+        policyManager.checkChangeNetworkHandling(callerClass);
+    }
+
+    @Override
+    public void check$java_net_URL$(Class<?> callerClass, String protocol, String host, int port, String file, URLStreamHandler handler) {
+        policyManager.checkChangeNetworkHandling(callerClass);
+    }
+
+    @Override
+    public void check$java_net_URL$(Class<?> callerClass, URL context, String spec, URLStreamHandler handler) {
+        policyManager.checkChangeNetworkHandling(callerClass);
+    }
+
+    @Override
+    public void check$sun_security_ssl_SSLSessionImpl$getSessionContext(Class<?> callerClass, SSLSession sslSession) {
+        policyManager.checkReadSensitiveNetworkInformation(callerClass);
+    }
 }
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
@@ -171,6 +171,20 @@ public void checkChangeJVMGlobalState(Class<?> callerClass) {
         });
     }
 
+    /**
+     * Check for operations that can modify the way network operations are handled
+     */
+    public void checkChangeNetworkHandling(Class<?> callerClass) {
+        checkChangeJVMGlobalState(callerClass);
+    }
+
+    /**
+     * Check for operations that can access sensitive network information, e.g. secrets, tokens or SSL sessions
+     */
+    public void checkReadSensitiveNetworkInformation(Class<?> callerClass) {
+        neverEntitled(callerClass, "access sensitive network information");
+    }
+
     private String operationDescription(String methodName) {
         // TODO: Use a more human-readable description. Perhaps share code with InstrumentationServiceImpl.parseCheckerMethodName
         return methodName.substring(methodName.indexOf('$'));
