[Entitlements] MailToURLConnection instrumentation (elastic#123829) (elastic#124232)

Author: ldematte

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -515,6 +515,10 @@ public interface EntitlementChecker {
         javax.net.ssl.HttpsURLConnection that
     );
 
+    void check$sun_net_www_protocol_mailto_MailToURLConnection$connect(Class<?> callerClass, java.net.URLConnection that);
+
+    void check$sun_net_www_protocol_mailto_MailToURLConnection$getOutputStream(Class<?> callerClass, java.net.URLConnection that);
+
     // Network miscellanea
 
     // HttpClient#send and sendAsync are abstract, so we instrument their internal implementations

libs/entitlement/qa/entitled-plugin/src/main/java/org/elasticsearch/entitlement/qa/entitled/EntitledActions.java

@@ -13,6 +13,7 @@
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URLConnection;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -76,4 +77,8 @@ public static URLConnection createFileURLConnection() throws IOException {
         var fileUrl = createTempFileForWrite().toUri().toURL();
         return fileUrl.openConnection();
     }
+
+    public static URLConnection createMailToURLConnection() throws URISyntaxException, IOException {
+        return new URI("mailto", "[email protected]", null).toURL().openConnection();
+    }
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/URLConnectionNetworkActions.java

@@ -103,6 +103,17 @@ private static void withJdkFtpConnection(CheckedConsumer<URLConnection, Exceptio
         }
     }
 
+    private static void withJdkMailToConnection(CheckedConsumer<URLConnection, Exception> connectionConsumer) throws Exception {
+        var conn = EntitledActions.createMailToURLConnection();
+        // Be sure we got the connection implementation we want
+        assert conn.getClass().getSimpleName().equals("MailToURLConnection");
+        try {
+            connectionConsumer.accept(conn);
+        } catch (IOException e) {
+            // It's OK, it means we passed entitlement checks, and we tried to perform some IO
+        }
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void urlOpenConnection() throws Exception {
         URI.create("http://127.0.0.1:12345/").toURL().openConnection();
@@ -429,4 +440,14 @@ static void sunHttpsURLConnectionImplGetContent() throws Exception {
     static void sunHttpsURLConnectionImplGetContentWithClasses() throws Exception {
         withJdkHttpsConnection(httpsURLConnection -> httpsURLConnection.getContent(new Class<?>[] { String.class }));
     }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunMailToURLConnectionConnect() throws Exception {
+        withJdkMailToConnection(URLConnection::connect);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void sunMailToURLConnectionGetOutputStream() throws Exception {
+        withJdkMailToConnection(URLConnection::getOutputStream);
+    }
 }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -1177,6 +1177,16 @@ private static boolean isFileUrlConnection(java.net.URLConnection urlConnection)
         policyManager.checkOutboundNetworkAccess(callerClass);
     }
 
+    @Override
+    public void check$sun_net_www_protocol_mailto_MailToURLConnection$connect(Class<?> callerClass, java.net.URLConnection that) {
+        policyManager.checkOutboundNetworkAccess(callerClass);
+    }
+
+    @Override
+    public void check$sun_net_www_protocol_mailto_MailToURLConnection$getOutputStream(Class<?> callerClass, java.net.URLConnection that) {
+        policyManager.checkOutboundNetworkAccess(callerClass);
+    }
+
     @Override
     public void check$jdk_internal_net_http_HttpClientImpl$send(
         Class<?> callerClass,