Move remaining check methods in RestEntitlementsCheckAction (elastic#125351) (elastic#125436)

All future check methods should be found reflectively with the
EntitlementTest annotation.

Author: rjernst

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/LoadNativeLibrariesCheckActions.java

@@ -9,7 +9,12 @@
 
 package org.elasticsearch.entitlement.qa.test;
 
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
+
+@SuppressWarnings({ "unused" /* called via reflection */ })
 class LoadNativeLibrariesCheckActions {
+
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void runtimeLoad() {
         try {
             Runtime.getRuntime().load(FileCheckActions.readDir().resolve("libSomeLibFile.so").toString());
@@ -18,6 +23,7 @@ static void runtimeLoad() {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void systemLoad() {
         try {
             System.load(FileCheckActions.readDir().resolve("libSomeLibFile.so").toString());
@@ -26,6 +32,7 @@ static void systemLoad() {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void runtimeLoadLibrary() {
         try {
             Runtime.getRuntime().loadLibrary("SomeLib");
@@ -34,11 +41,14 @@ static void runtimeLoadLibrary() {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void systemLoadLibrary() {
         try {
             System.loadLibrary("SomeLib");
         } catch (UnsatisfiedLinkError ignored) {
             // The library does not exist, so we expect to fail loading it
         }
     }
+
+    private LoadNativeLibrariesCheckActions() {}
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/NetworkAccessCheckActions.java

@@ -12,12 +12,23 @@
 import org.elasticsearch.core.SuppressForbidden;
 
 import java.io.IOException;
+import java.net.DatagramPacket;
+import java.net.DatagramSocket;
+import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
+import java.net.MalformedURLException;
+import java.net.NetworkInterface;
 import java.net.Proxy;
+import java.net.ProxySelector;
+import java.net.ResponseCache;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.net.spi.URLStreamHandlerProvider;
 import java.nio.ByteBuffer;
 import java.nio.channels.AsynchronousServerSocketChannel;
 import java.nio.channels.AsynchronousSocketChannel;
@@ -32,9 +43,17 @@
 import java.util.Arrays;
 import java.util.concurrent.ExecutionException;
 
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.ALWAYS_DENIED;
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
+
 @SuppressForbidden(reason = "Testing entitlement check on forbidden action")
+@SuppressWarnings({ "unused" /* called via reflection */, "deprecation" })
 class NetworkAccessCheckActions {
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void serverSocketAccept() throws IOException {
         try (ServerSocket socket = new DummyImplementations.DummyBoundServerSocket()) {
             try {
@@ -49,30 +68,35 @@ static void serverSocketAccept() throws IOException {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void serverSocketBind() throws IOException {
         try (ServerSocket socket = new DummyImplementations.DummyServerSocket()) {
             socket.bind(null);
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void createSocketWithProxy() throws IOException {
         try (Socket socket = new Socket(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(0)))) {
             assert socket.isBound() == false;
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void socketBind() throws IOException {
         try (Socket socket = new DummyImplementations.DummySocket()) {
             socket.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void socketConnect() throws IOException {
         try (Socket socket = new DummyImplementations.DummySocket()) {
             socket.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void createLDAPCertStore() {
         try {
             // We pass down null params to provoke a InvalidAlgorithmParameterException
@@ -86,18 +110,21 @@ static void createLDAPCertStore() {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void serverSocketChannelBind() throws IOException {
         try (var serverSocketChannel = ServerSocketChannel.open()) {
             serverSocketChannel.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void serverSocketChannelBindWithBacklog() throws IOException {
         try (var serverSocketChannel = ServerSocketChannel.open()) {
             serverSocketChannel.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 50);
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void serverSocketChannelAccept() throws IOException {
         try (var serverSocketChannel = ServerSocketChannel.open()) {
             serverSocketChannel.configureBlocking(false);
@@ -110,18 +137,21 @@ static void serverSocketChannelAccept() throws IOException {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void asynchronousServerSocketChannelBind() throws IOException {
         try (var serverSocketChannel = AsynchronousServerSocketChannel.open()) {
             serverSocketChannel.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void asynchronousServerSocketChannelBindWithBacklog() throws IOException {
         try (var serverSocketChannel = AsynchronousServerSocketChannel.open()) {
             serverSocketChannel.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 50);
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void asynchronousServerSocketChannelAccept() throws IOException {
         try (var serverSocketChannel = AsynchronousServerSocketChannel.open()) {
             try {
@@ -134,6 +164,7 @@ static void asynchronousServerSocketChannelAccept() throws IOException {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void asynchronousServerSocketChannelAcceptWithHandler() throws IOException {
         try (var serverSocketChannel = AsynchronousServerSocketChannel.open()) {
             try {
@@ -153,12 +184,14 @@ public void failed(Throwable exc, Object attachment) {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void socketChannelBind() throws IOException {
         try (var socketChannel = SocketChannel.open()) {
             socketChannel.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void socketChannelConnect() throws IOException {
         try (var socketChannel = SocketChannel.open()) {
             try {
@@ -170,12 +203,14 @@ static void socketChannelConnect() throws IOException {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void asynchronousSocketChannelBind() throws IOException {
         try (var socketChannel = AsynchronousSocketChannel.open()) {
             socketChannel.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void asynchronousSocketChannelConnect() throws IOException, InterruptedException {
         try (var socketChannel = AsynchronousSocketChannel.open()) {
             var future = socketChannel.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
@@ -189,6 +224,7 @@ static void asynchronousSocketChannelConnect() throws IOException, InterruptedEx
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void asynchronousSocketChannelConnectWithCompletion() throws IOException {
         try (var socketChannel = AsynchronousSocketChannel.open()) {
             socketChannel.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), null, new CompletionHandler<>() {
@@ -203,12 +239,14 @@ public void failed(Throwable exc, Object attachment) {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void datagramChannelBind() throws IOException {
         try (var channel = DatagramChannel.open()) {
             channel.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void datagramChannelConnect() throws IOException {
         try (var channel = DatagramChannel.open()) {
             channel.configureBlocking(false);
@@ -221,18 +259,165 @@ static void datagramChannelConnect() throws IOException {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void datagramChannelSend() throws IOException {
         try (var channel = DatagramChannel.open()) {
             channel.configureBlocking(false);
             channel.send(ByteBuffer.wrap(new byte[] { 0 }), new InetSocketAddress(InetAddress.getLoopbackAddress(), 1234));
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void datagramChannelReceive() throws IOException {
         try (var channel = DatagramChannel.open()) {
             channel.configureBlocking(false);
             var buffer = new byte[1];
             channel.receive(ByteBuffer.wrap(buffer));
         }
     }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createURLStreamHandlerProvider() {
+        var x = new URLStreamHandlerProvider() {
+            @Override
+            public URLStreamHandler createURLStreamHandler(String protocol) {
+                return null;
+            }
+        };
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createURLWithURLStreamHandler() throws MalformedURLException {
+        var x = new URL("http", "host", 1234, "file", new URLStreamHandler() {
+            @Override
+            protected URLConnection openConnection(URL u) {
+                return null;
+            }
+        });
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createURLWithURLStreamHandler2() throws MalformedURLException {
+        var x = new URL(null, "spec", new URLStreamHandler() {
+            @Override
+            protected URLConnection openConnection(URL u) {
+                return null;
+            }
+        });
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void setDefaultResponseCache() {
+        ResponseCache.setDefault(null);
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void setDefaultProxySelector() {
+        ProxySelector.setDefault(null);
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void setDefaultSSLContext() throws NoSuchAlgorithmException {
+        SSLContext.setDefault(SSLContext.getDefault());
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void setDefaultHostnameVerifier() {
+        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> false);
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void setDefaultSSLSocketFactory() {
+        HttpsURLConnection.setDefaultSSLSocketFactory(new DummyImplementations.DummySSLSocketFactory());
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void setHttpsConnectionProperties() {
+        new DummyImplementations.DummyHttpsURLConnection().setSSLSocketFactory(new DummyImplementations.DummySSLSocketFactory());
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void datagramSocket$$setDatagramSocketImplFactory() throws IOException {
+        DatagramSocket.setDatagramSocketImplFactory(() -> { throw new IllegalStateException(); });
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void httpURLConnection$$setFollowRedirects() {
+        HttpURLConnection.setFollowRedirects(HttpURLConnection.getFollowRedirects());
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void serverSocket$$setSocketFactory() throws IOException {
+        ServerSocket.setSocketFactory(() -> { throw new IllegalStateException(); });
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void socket$$setSocketImplFactory() throws IOException {
+        Socket.setSocketImplFactory(() -> { throw new IllegalStateException(); });
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void url$$setURLStreamHandlerFactory() {
+        URL.setURLStreamHandlerFactory(__ -> { throw new IllegalStateException(); });
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void urlConnection$$setFileNameMap() {
+        URLConnection.setFileNameMap(__ -> { throw new IllegalStateException(); });
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void urlConnection$$setContentHandlerFactory() {
+        URLConnection.setContentHandlerFactory(__ -> { throw new IllegalStateException(); });
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void bindDatagramSocket() throws SocketException {
+        try (var socket = new DatagramSocket(null)) {
+            socket.bind(null);
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void connectDatagramSocket() throws SocketException {
+        try (var socket = new DummyImplementations.DummyDatagramSocket()) {
+            socket.connect(new InetSocketAddress(1234));
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void joinGroupDatagramSocket() throws IOException {
+        try (var socket = new DummyImplementations.DummyDatagramSocket()) {
+            socket.joinGroup(
+                new InetSocketAddress(InetAddress.getByAddress(new byte[] { (byte) 230, 0, 0, 1 }), 1234),
+                NetworkInterface.getByIndex(0)
+            );
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void leaveGroupDatagramSocket() throws IOException {
+        try (var socket = new DummyImplementations.DummyDatagramSocket()) {
+            socket.leaveGroup(
+                new InetSocketAddress(InetAddress.getByAddress(new byte[] { (byte) 230, 0, 0, 1 }), 1234),
+                NetworkInterface.getByIndex(0)
+            );
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sendDatagramSocket() throws IOException {
+        try (var socket = new DummyImplementations.DummyDatagramSocket()) {
+            socket.send(new DatagramPacket(new byte[] { 0 }, 1, InetAddress.getLocalHost(), 1234));
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void receiveDatagramSocket() throws IOException {
+        try (var socket = new DummyImplementations.DummyDatagramSocket()) {
+            socket.receive(new DatagramPacket(new byte[1], 1, InetAddress.getLocalHost(), 1234));
+        }
+    }
+
+    private NetworkAccessCheckActions() {}
 }