From 9bb09255265bd1f2d694475ae226858af8d77e38 Mon Sep 17 00:00:00 2001
From: Ryan Ernst
Date: Tue, 14 Jan 2025 14:14:38 -0800
Subject: [PATCH] stash
---
 .../bridge/EntitlementChecker.java | 13 +++++++++++
 .../common/RestEntitlementsCheckAction.java | 11 +++++++++
 .../entitlement/qa/EntitlementsAllowedIT.java | 1 +
 .../api/ElasticsearchEntitlementChecker.java | 23 +++++++++++++++++++
 4 files changed, 48 insertions(+)
diff --git a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
index 69fc57973f68a..3284541457329 100644
--- a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
+++ b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
@@ -9,6 +9,7 @@
 package org.elasticsearch.entitlement.bridge;
+import java.io.File;
 import java.io.InputStream;
 import java.io.PrintStream;
 import java.io.PrintWriter;
@@ -27,6 +28,8 @@
 import java.net.URL;
 import java.net.URLStreamHandler;
 import java.net.URLStreamHandlerFactory;
+import java.nio.charset.Charset;
+import java.nio.charset.CharsetDecoder;
 import java.util.List;
 import javax.net.ssl.HostnameVerifier;
@@ -219,4 +222,14 @@ public interface EntitlementChecker {
 void check$java_net_MulticastSocket$leaveGroup(Class callerClass, MulticastSocket that, SocketAddress addr, NetworkInterface ni);
 void check$java_net_MulticastSocket$send(Class callerClass, MulticastSocket that, DatagramPacket p, byte ttl);
+
+ ////////////////////
+ //
+ // File access
+ //
+
+ void check$java_util_Scanner$(Class callerClass, File source);
+ void check$java_util_Scanner$(Class callerClass, File source, String charsetName);
+ void check$java_util_Scanner$(Class callerClass, File source, Charset charset);
+ void check$java_util_Scanner$(Class callerClass, File source, CharsetDecoder charsetDecoder);
 }
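Review bot: The new "File access" section of `EntitlementChecker` declares checks only for the four `Scanner` constructors that take a `File`; `java.util.Scanner` also has `Path`-based constructors (`Scanner(Path)`, `Scanner(Path, String)`, `Scanner(Path, Charset)`) that open a file, and no check is declared for them here. Unless those are covered by a lower-level file check that this diff does not show, file reads through them would not reach `checkFileRead`. Either add the matching `check$java_util_Scanner$(Class callerClass, Path source, ...)` declarations (with the same overrides in `ElasticsearchEntitlementChecker`), or record the gap in the section header, e.g. `// Scanner(File, ...) constructors only; Path-based constructors are not instrumented yet`. The interface body starts outside this hunk.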
diff --git a/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java b/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java
index 3a5480f468528..9b4af6a36f189 100644
--- a/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java
+++ b/libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java
@@ -32,6 +32,8 @@
 import org.elasticsearch.rest.RestResponse;
 import org.elasticsearch.rest.RestStatus;
+import java.io.File;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.DatagramPacket;
 import java.net.DatagramSocket;
@@ -55,6 +57,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.Map;
+import java.util.Scanner;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -419,6 +422,14 @@ private static void receiveDatagramSocket() throws IOException {
 }
 }
+ private static void createScanner1() throws FileNotFoundException {
+ new Scanner(new File(""));
+ }
+
+ private static void createScanner2() throws FileNotFoundException {
+ new Scanner(new File(""));
+ }
+
 public RestEntitlementsCheckAction(String prefix) {
 this.prefix = prefix;
 }
diff --git a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAllowedIT.java b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAllowedIT.java
index c38e8b3f35efb..39081a324dc38 100644
--- a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAllowedIT.java
+++ b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAllowedIT.java
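Review bot: `createScanner1` and `createScanner2` are identical, both calling `new Scanner(new File(""))`, so only the single-argument constructor check is exercised and the `charsetName`, `Charset` and `CharsetDecoder` checks added by this commit have no QA action. Each action should call a different overload, for example `new Scanner(new File(""), "UTF-8")` in `createScanner2`, with further actions for the remaining two. The empty path also looks like a stand-in; presumably the `entitlements.dummyfile` property added in `EntitlementsAllowedIT` is meant to supply a real file, in which case the `Scanner` should be opened in try-with-resources so the handle is closed. No registration of these actions is visible in this hunk, so confirm they are wired into the check-action table.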
@@ -31,6 +31,7 @@ public class EntitlementsAllowedIT extends ESRestTestCase {
 .module("entitlement-allowed")
 .module("entitlement-allowed-nonmodular")
 .systemProperty("es.entitlements.enabled", "true")
+ .systemProperty("entitlements.dummyfile", )
 .setting("xpack.security.enabled", "false")
 .build();
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
index dd39ec3c5fe43..b360660c4275b 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
@@ -13,6 +13,7 @@
 import org.elasticsearch.entitlement.runtime.policy.NetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
+import java.io.File;
 import java.io.InputStream;
 import java.io.PrintStream;
 import java.io.PrintWriter;
@@ -31,6 +32,8 @@
 import java.net.URL;
 import java.net.URLStreamHandler;
 import java.net.URLStreamHandlerFactory;
+import java.nio.charset.Charset;
+import java.nio.charset.CharsetDecoder;
 import java.util.List;
 import javax.net.ssl.HostnameVerifier;
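Review bot: The added `.systemProperty("entitlements.dummyfile", )` in `EntitlementsAllowedIT` has no second argument, so as shown the test class does not compile. It needs the path of a file the test node is permitted to read, e.g. `.systemProperty("entitlements.dummyfile", dummyFilePath)`, where `dummyFilePath` is a placeholder for a value this diff does not define. Nothing in the visible hunks reads the property yet (the new QA actions use `new File("")`), so the consumer side needs wiring as well. The builder chain starts outside this hunk.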
@@ -420,4 +423,24 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
 public void check$java_net_MulticastSocket$send(Class callerClass, MulticastSocket that, DatagramPacket p, byte ttl) {
 policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.CONNECT_ACTION | NetworkEntitlement.ACCEPT_ACTION);
 }
+
+ @Override
+ public void check$java_util_Scanner$(Class callerClass, File source) {
+ policyManager.checkFileRead(callerClass, source);
+ }
+
+ @Override
+ public void check$java_util_Scanner$(Class callerClass, File source, String charsetName) {
+ policyManager.checkFileRead(callerClass, source);
+ }
+
+ @Override
+ public void check$java_util_Scanner$(Class callerClass, File source, Charset charset) {
+ policyManager.checkFileRead(callerClass, source);
+ }
+
+ @Override
+ public void check$java_util_Scanner$(Class callerClass, File source, CharsetDecoder charsetDecoder) {
+ policyManager.checkFileRead(callerClass, source);
+ }
 }
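Review bot: All four new overrides pass `source` to `policyManager.checkFileRead` exactly as the caller supplied it, and this diff does not show whether that method makes the path absolute and normalizes `..` segments or symlinks before comparing it with the policy. If it does not, the path that is approved can differ from the file `Scanner` actually opens, so confirm the normalization and the handling of a null `source` in `checkFileRead` itself rather than in each override. The bodies are deliberately identical and ignore the charset arguments; a short comment on the first one would make that explicit, e.g. `// charset arguments do not affect which file is read; only source is checked`. The class body starts outside this hunk.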