Add a policy parser for Java Agent (#17753)

* Add a policy parser for java agent

Signed-off-by: Gulshan <[email protected]>

* Url no depricated version of url resolution

Signed-off-by: Gulshan <[email protected]>

* Remove unused methods and switch to modern Java collections

Signed-off-by: Gulshan <[email protected]>

* Use record classes and other small refactorings

Signed-off-by: Andrew Ross <[email protected]>

---------

Signed-off-by: Gulshan <[email protected]>
Signed-off-by: Andrew Ross <[email protected]>
Co-authored-by: Andrew Ross <[email protected]>

Author: kumargu

CHANGELOG.md

@@ -18,6 +18,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Security Manager Replacement] Create initial Java Agent to intercept Socket::connect calls ([#17724](https://github.com/opensearch-project/OpenSearch/pull/17724))
 - Add ingestion management APIs for pause, resume and get ingestion state ([#17631](https://github.com/opensearch-project/OpenSearch/pull/17631))
 - [Security Manager Replacement] Enhance Java Agent to intercept System::exit ([#17746](https://github.com/opensearch-project/OpenSearch/pull/17746))
+- [Security Manager Replacement] Add a policy parser for Java agent security policies ([#17753](https://github.com/opensearch-project/OpenSearch/pull/17753))
 - [Security Manager Replacement] Implement File Interceptor and add integration tests ([#17760](https://github.com/opensearch-project/OpenSearch/pull/17760))
 - [Security Manager Replacement] Enhance Java Agent to intercept Runtime::halt ([#17757](https://github.com/opensearch-project/OpenSearch/pull/17757))
 - Support AutoExpand for SearchReplica ([#17741](https://github.com/opensearch-project/OpenSearch/pull/17741))

gradle/missing-javadoc.gradle

@@ -106,6 +106,7 @@ configure([
   project(":libs:opensearch-secure-sm"),
   project(":libs:opensearch-ssl-config"),
   project(":libs:opensearch-x-content"),
+  project(":libs:agent-sm:agent-policy"),
   project(":modules:aggs-matrix-stats"),
   project(":modules:analysis-common"),
   project(":modules:geo"),

libs/agent-sm/agent-policy/build.gradle

@@ -0,0 +1,27 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+apply plugin: 'opensearch.build'
+apply plugin: 'opensearch.publish'
+
+ext {
+  failOnJavadocWarning = false
+}
+
+base {
+  archivesName = 'opensearch-agent-policy'
+}
+
+disableTasks('forbiddenApisMain')
+
+dependencies {
+  testImplementation(project(":test:framework"))
+}

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/GrantEntry.java

@@ -0,0 +1,13 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+package org.opensearch.secure_sm.policy;
+
+import java.util.List;
+
+public record GrantEntry(String codeBase, List<PermissionEntry> permissionEntries) {
+}

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PermissionEntry.java

@@ -0,0 +1,11 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+package org.opensearch.secure_sm.policy;
+
+public record PermissionEntry(String permission, String name, String action) {
+}

libs/agent-sm/agent-policy/src/main/java/org/opensearch/secure_sm/policy/PolicyFile.java

@@ -0,0 +1,320 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.secure_sm.policy;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FilePermission;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.MalformedURLException;
+import java.net.NetPermission;
+import java.net.SocketPermission;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.ProtectionDomain;
+import java.security.SecurityPermission;
+import java.security.cert.Certificate;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Optional;
+import java.util.PropertyPermission;
+import java.util.Set;
+
+@SuppressWarnings("removal")
+public class PolicyFile extends java.security.Policy {
+    public static final Set<String> PERM_CLASSES_TO_SKIP = Set.of(
+        "org.opensearch.secure_sm.ThreadContextPermission",
+        "org.opensearch.secure_sm.ThreadPermission",
+        "org.opensearch.SpecialPermission",
+        "org.bouncycastle.crypto.CryptoServicesPermission",
+        "org.opensearch.script.ClassPermission",
+        "javax.security.auth.AuthPermission",
+        "javax.security.auth.kerberos.ServicePermission"
+    );
+
+    private final PolicyInfo policyInfo;
+    private final URL url;
+
+    public PolicyFile(URL url) {
+        this.url = url;
+        try {
+            policyInfo = init(url);
+        } catch (PolicyInitializationException e) {
+            throw new RuntimeException("Failed to initialize policy file", e);
+        }
+    }
+
+    private PolicyInfo init(URL policy) throws PolicyInitializationException {
+        PolicyInfo info = new PolicyInfo();
+        try (InputStreamReader reader = new InputStreamReader(getInputStream(policy), StandardCharsets.UTF_8)) {
+            List<GrantEntry> grantEntries = PolicyParser.read(reader);
+            for (GrantEntry grantEntry : grantEntries) {
+                addGrantEntry(grantEntry, info);
+            }
+        } catch (Exception e) {
+            throw new PolicyInitializationException("Failed to load policy from: " + policy, e);
+        }
+        return info;
+    }
+
+    public static InputStream getInputStream(URL url) throws IOException {
+        if ("file".equals(url.getProtocol())) {
+            String path = url.getFile().replace('/', File.separatorChar);
+            path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+            return new FileInputStream(path);
+        } else {
+            return url.openStream();
+        }
+    }
+
+    private CodeSource getCodeSource(GrantEntry grantEntry) throws PolicyInitializationException {
+        try {
+            Certificate[] certs = null;
+            URL location = (grantEntry.codeBase() != null) ? newURL(grantEntry.codeBase()) : null;
+            return canonicalizeCodebase(new CodeSource(location, certs));
+        } catch (Exception e) {
+            throw new PolicyInitializationException("Failed to get CodeSource", e);
+        }
+    }
+
+    private void addGrantEntry(GrantEntry grantEntry, PolicyInfo newInfo) throws PolicyInitializationException {
+        CodeSource codesource = getCodeSource(grantEntry);
+        if (codesource == null) {
+            throw new PolicyInitializationException("Null CodeSource for: " + grantEntry.codeBase());
+        }
+
+        List<Permission> permissions = new ArrayList<>();
+        List<PermissionEntry> permissionList = grantEntry.permissionEntries();
+        for (PermissionEntry pe : permissionList) {
+            final PermissionEntry expandedEntry = expandPermissionName(pe);
+            try {
+                Optional<Permission> perm = getInstance(expandedEntry.permission(), expandedEntry.name(), expandedEntry.action());
+                if (perm.isPresent()) {
+                    permissions.add(perm.get());
+                }
+            } catch (ClassNotFoundException e) {
+                // these were mostly custom permission classes added for security
+                // manager. Since security manager is deprecated, we can skip these
+                // permissions classes.
+                if (PERM_CLASSES_TO_SKIP.contains(pe.permission())) {
+                    continue; // skip this permission
+                }
+                throw new PolicyInitializationException("Permission class not found: " + pe.permission(), e);
+            }
+        }
+        newInfo.policyEntries.add(new PolicyEntry(codesource, permissions));
+    }
+
+    private static PermissionEntry expandPermissionName(PermissionEntry pe) {
+        if (pe.name() == null || !pe.name().contains("${{")) {
+            return pe;
+        }
+
+        int startIndex = 0;
+        int b, e;
+        StringBuilder sb = new StringBuilder();
+
+        while ((b = pe.name().indexOf("${{", startIndex)) != -1 && (e = pe.name().indexOf("}}", b)) != -1) {
+            sb.append(pe.name(), startIndex, b);
+            String value = pe.name().substring(b + 3, e);
+            sb.append("${{").append(value).append("}}");
+            startIndex = e + 2;
+        }
+
+        sb.append(pe.name().substring(startIndex));
+        return new PermissionEntry(pe.permission(), sb.toString(), pe.action());
+    }
+
+    private static final Optional<Permission> getInstance(String type, String name, String actions) throws ClassNotFoundException {
+        Class<?> pc = Class.forName(type, false, null);
+        Permission answer = getKnownPermission(pc, name, actions);
+
+        return Optional.ofNullable(answer);
+    }
+
+    private static Permission getKnownPermission(Class<?> claz, String name, String actions) {
+        if (claz.equals(FilePermission.class)) {
+            return new FilePermission(name, actions);
+        } else if (claz.equals(SocketPermission.class)) {
+            return new SocketPermission(name, actions);
+        } else if (claz.equals(RuntimePermission.class)) {
+            return new RuntimePermission(name, actions);
+        } else if (claz.equals(PropertyPermission.class)) {
+            return new PropertyPermission(name, actions);
+        } else if (claz.equals(NetPermission.class)) {
+            return new NetPermission(name, actions);
+        } else if (claz.equals(AllPermission.class)) {
+            return new AllPermission();
+        } else if (claz.equals(SecurityPermission.class)) {
+            return new SecurityPermission(name, actions);
+        } else {
+            return null;
+        }
+    }
+
+    @Override
+    public void refresh() {
+        try {
+            init(url);
+        } catch (PolicyInitializationException e) {
+            throw new RuntimeException("Failed to refresh policy", e);
+        }
+    }
+
+    @Override
+    public boolean implies(ProtectionDomain pd, Permission p) {
+        PermissionCollection pc = getPermissions(pd);
+        return pc != null && pc.implies(p);
+    }
+
+    @Override
+    public PermissionCollection getPermissions(ProtectionDomain domain) {
+        Permissions perms = new Permissions();
+        if (domain == null) return perms;
+
+        try {
+            getPermissionsForProtectionDomain(perms, domain);
+        } catch (PolicyInitializationException e) {
+            throw new RuntimeException("Failed to get permissions for domain", e);
+        }
+
+        PermissionCollection pc = domain.getPermissions();
+        if (pc != null) {
+            synchronized (pc) {
+                Enumeration<Permission> e = pc.elements();
+                while (e.hasMoreElements()) {
+                    perms.add(e.nextElement());
+                }
+            }
+        }
+
+        return perms;
+    }
+
+    @Override
+    public PermissionCollection getPermissions(CodeSource codesource) {
+        if (codesource == null) return new Permissions();
+
+        Permissions perms = new Permissions();
+        CodeSource canonicalCodeSource;
+
+        try {
+            canonicalCodeSource = canonicalizeCodebase(codesource);
+        } catch (PolicyInitializationException e) {
+            throw new RuntimeException("Failed to canonicalize CodeSource", e);
+        }
+
+        for (PolicyEntry entry : policyInfo.policyEntries) {
+            if (entry.codeSource().implies(canonicalCodeSource)) {
+                for (Permission permission : entry.permissions) {
+                    perms.add(permission);
+                }
+            }
+        }
+
+        return perms;
+    }
+
+    private void getPermissionsForProtectionDomain(Permissions perms, ProtectionDomain pd) throws PolicyInitializationException {
+        final CodeSource cs = pd.getCodeSource();
+        if (cs == null) return;
+
+        CodeSource canonicalCodeSource = canonicalizeCodebase(cs);
+
+        for (PolicyEntry entry : policyInfo.policyEntries) {
+            if (entry.codeSource().implies(canonicalCodeSource)) {
+                for (Permission permission : entry.permissions) {
+                    perms.add(permission);
+                }
+            }
+        }
+    }
+
+    private CodeSource canonicalizeCodebase(CodeSource cs) throws PolicyInitializationException {
+        URL location = cs.getLocation();
+        if (location == null) return cs;
+
+        try {
+            URL canonicalUrl = canonicalizeUrl(location);
+            return new CodeSource(canonicalUrl, cs.getCertificates());
+        } catch (IOException e) {
+            throw new PolicyInitializationException("Failed to canonicalize CodeSource", e);
+        }
+    }
+
+    @SuppressWarnings("deprecation")
+    private URL canonicalizeUrl(URL url) throws IOException {
+        String protocol = url.getProtocol();
+
+        if ("jar".equals(protocol)) {
+            String spec = url.getFile();
+            int separator = spec.indexOf("!/");
+            if (separator != -1) {
+                try {
+                    url = new URL(spec.substring(0, separator));
+                } catch (MalformedURLException e) {
+                    throw new IOException("Malformed nested jar URL", e);
+                }
+            }
+        }
+
+        if ("file".equals(url.getProtocol())) {
+            String path = url.getPath();
+            path = canonicalizePath(path);
+            return new File(path).toURI().toURL();
+        }
+
+        return url;
+    }
+
+    private String canonicalizePath(String path) throws IOException {
+        if (path.endsWith("*")) {
+            path = path.substring(0, path.length() - 1);
+            return new File(path).getCanonicalPath() + "*";
+        } else {
+            return new File(path).getCanonicalPath();
+        }
+    }
+
+    private record PolicyEntry(CodeSource codeSource, List<Permission> permissions) {
+        @Override
+        public String toString() {
+            StringBuilder sb = new StringBuilder();
+            sb.append("{").append(codeSource).append("\n");
+            for (Permission p : permissions) {
+                sb.append("  ").append(p).append("\n");
+            }
+            sb.append("}\n");
+            return sb.toString();
+        }
+    }
+
+    private static class PolicyInfo {
+        final List<PolicyEntry> policyEntries;
+
+        PolicyInfo() {
+            policyEntries = new ArrayList<>();
+        }
+    }
+
+    private static URL newURL(String spec) throws MalformedURLException, URISyntaxException {
+        return new URI(spec).toURL();
+    }
+}