github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-24 15:17:30 -04:00
Code Issues Projects Releases Packages Wiki Activity

Removing unneeded check on SSLSession#getSessionContext (#120191)

Browse source
This commit is contained in:
Lorenzo Dematté 2025-01-15 15:32:59 +01:00 committed by GitHub
parent 00bc91c218
commit 19965d5794
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 0 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

4
libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
View file

@ -32,7 +32,6 @@ import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
@SuppressWarnings("unused") // Called from instrumentation code inserted by the Entitlements agent
@ -193,9 +192,6 @@ public interface EntitlementChecker {
void check$java_net_URL$(Class<?> callerClass, URL context, String spec, URLStreamHandler handler);
// The only implementation of SSLSession#getSessionContext(); unfortunately it's an interface, so we need to check the implementation
void check$sun_security_ssl_SSLSessionImpl$getSessionContext(Class<?> callerClass, SSLSession sslSession);
void check$java_net_DatagramSocket$bind(Class<?> callerClass, DatagramSocket that, SocketAddress addr);
void check$java_net_DatagramSocket$connect(Class<?> callerClass, DatagramSocket that, InetAddress addr);

13
libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java
View file

@ -60,9 +60,6 @@ import java.util.stream.Collectors;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import static java.util.Map.entry;
import static org.elasticsearch.entitlement.qa.common.RestEntitlementsCheckAction.CheckAction.alwaysDenied;
@ -147,7 +144,6 @@ public class RestEntitlementsCheckAction extends BaseRestHandler {
entry("createURLStreamHandlerProvider", alwaysDenied(RestEntitlementsCheckAction::createURLStreamHandlerProvider)),
entry("createURLWithURLStreamHandler", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler)),
entry("createURLWithURLStreamHandler2", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler2)),
entry("sslSessionImpl_getSessionContext", alwaysDenied(RestEntitlementsCheckAction::sslSessionImplGetSessionContext)),
entry("datagram_socket_bind", forPlugins(RestEntitlementsCheckAction::bindDatagramSocket)),
entry("datagram_socket_connect", forPlugins(RestEntitlementsCheckAction::connectDatagramSocket)),
entry("datagram_socket_send", forPlugins(RestEntitlementsCheckAction::sendDatagramSocket)),
@ -165,15 +161,6 @@ public class RestEntitlementsCheckAction extends BaseRestHandler {
};
}
private static void sslSessionImplGetSessionContext() throws IOException {
SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
SSLSession session = socket.getSession();
session.getSessionContext();
}
}
@SuppressWarnings("deprecation")
private static void createURLWithURLStreamHandler() throws MalformedURLException {
var x = new URL("http", "host", 1234, "file", new URLStreamHandler() {

6
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
View file

@ -36,7 +36,6 @@ import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
/**
@ -352,11 +351,6 @@ public class ElasticsearchEntitlementChecker implements EntitlementChecker {
policyManager.checkChangeNetworkHandling(callerClass);
}
@Override
public void check$sun_security_ssl_SSLSessionImpl$getSessionContext(Class<?> callerClass, SSLSession sslSession) {
policyManager.checkReadSensitiveNetworkInformation(callerClass);
}
@Override
public void check$java_net_DatagramSocket$bind(Class<?> callerClass, DatagramSocket that, SocketAddress addr) {
policyManager.checkNetworkAccess(callerClass, NetworkEntitlement.LISTEN_ACTION);

6
muted-tests.yml
View file

@ -235,12 +235,6 @@ tests:
- class: org.elasticsearch.index.mapper.IntervalThrottlerTests
method: testThrottling
issue: https://github.com/elastic/elasticsearch/issues/120023
- class: org.elasticsearch.entitlement.qa.EntitlementsDeniedIT
method: testCheckThrows {pathPrefix=denied actionName=sslSessionImpl_getSessionContext}
issue: https://github.com/elastic/elasticsearch/issues/120053
- class: org.elasticsearch.entitlement.qa.EntitlementsDeniedIT
method: testCheckThrows {pathPrefix=denied_nonmodular actionName=sslSessionImpl_getSessionContext}
issue: https://github.com/elastic/elasticsearch/issues/120054
- class: org.elasticsearch.xpack.ilm.actions.SearchableSnapshotActionIT
method: testUpdatePolicyToAddPhasesYieldsInvalidActionsToBeSkipped
issue: https://github.com/elastic/elasticsearch/issues/118406