Fix tests

kumargu · kumargu · commit 65702218092d · 2025-03-12T16:48:28.000+05:30
Signed-off-by: Gulshan Kumar &lt;kumargu@amazon.com&gt;
diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java
@@ -52,19 +52,20 @@ public static void intercept(@Advice.AllArguments Object[] args, @Origin Method
         if (args[0] instanceof InetSocketAddress address) {
             if (!AgentPolicy.isTrustedHost(address.getHostString())) {
                 final String host = address.getHostString() + ":" + address.getPort();
-
-                final SocketPermission permission = new SocketPermission(host, "connect,resolve");
+                final SocketPermission connectResolve = new SocketPermission("*", "connect,resolve");
+                final SocketPermission allSocketActions = new SocketPermission("*", "connect,resolve,listen,accept");
                 for (final ProtectionDomain domain : callers) {
-                    if (!policy.implies(domain, permission)) {
-                        throw new SecurityException("Denied access to: " + host + ", domain " + domain);
+                    boolean hasPermission = policy.implies(domain, connectResolve) || policy.implies(domain, allSocketActions);
+                    if (!hasPermission) {
+                        throw new SecurityException("Denied access to: " + host + ", domain: " + domain);
                     }
                 }
             }
         } else if (args[0] instanceof UnixDomainSocketAddress address) {
             final NetPermission permission = new NetPermission("accessUnixDomainSocket");
             for (final ProtectionDomain domain : callers) {
                 if (!policy.implies(domain, permission)) {
-                    throw new SecurityException("Denied access to: " + address + ", domain " + domain);
+                    throw new SecurityException("Denied access to: " + address + ", domain: " + domain);
                 }
             }
         }
diff --git a/plugins/repository-hdfs/src/test/resources/org/opensearch/repositories/hdfs/test.policy b/plugins/repository-hdfs/src/test/resources/org/opensearch/repositories/hdfs/test.policy
@@ -0,0 +1,4 @@
+grant {
+  permission java.net.SocketPermission "*", "connect,resolve,listen,accept";
+  permission java.net.NetPermission "accessUnixDomainSocket";
+};
diff --git a/plugins/repository-hdfs/src/test/resources/rest-api-spec/test/hdfs_repository/test.policy b/plugins/repository-hdfs/src/test/resources/rest-api-spec/test/hdfs_repository/test.policy
@@ -0,0 +1,4 @@
+grant {
+  permission java.net.SocketPermission "*", "connect,resolve,listen,accept";
+  permission java.net.NetPermission "accessUnixDomainSocket";
+};
diff --git a/plugins/repository-hdfs/src/test/resources/rest-api-spec/test/secure_hdfs_repository/test.policy b/plugins/repository-hdfs/src/test/resources/rest-api-spec/test/secure_hdfs_repository/test.policy
@@ -0,0 +1,4 @@
+grant {
+  permission java.net.SocketPermission "*", "connect,resolve,listen,accept";
+  permission java.net.NetPermission "accessUnixDomainSocket";
+};

Original file line number	Diff line number	Diff line change
`@@ -52,19 +52,20 @@ public static void intercept(@Advice.AllArguments Object[] args, @Origin Method`
`52`	`52`	`if (args[0] instanceof InetSocketAddress address) {`
`53`	`53`	`if (!AgentPolicy.isTrustedHost(address.getHostString())) {`
`54`	`54`	`final String host = address.getHostString() + ":" + address.getPort();`
`55`		`-`
`56`		`- final SocketPermission permission = new SocketPermission(host, "connect,resolve");`
	`55`	`+ final SocketPermission connectResolve = new SocketPermission("*", "connect,resolve");`
	`56`	`+ final SocketPermission allSocketActions = new SocketPermission("*", "connect,resolve,listen,accept");`
`57`	`57`	`for (final ProtectionDomain domain : callers) {`
`58`		`- if (!policy.implies(domain, permission)) {`
`59`		`- throw new SecurityException("Denied access to: " + host + ", domain " + domain);`
	`58`	`+ boolean hasPermission = policy.implies(domain, connectResolve) \|\| policy.implies(domain, allSocketActions);`
	`59`	`+ if (!hasPermission) {`
	`60`	`+ throw new SecurityException("Denied access to: " + host + ", domain: " + domain);`
`60`	`61`	`}`
`61`	`62`	`}`
`62`	`63`	`}`
`63`	`64`	`} else if (args[0] instanceof UnixDomainSocketAddress address) {`
`64`	`65`	`final NetPermission permission = new NetPermission("accessUnixDomainSocket");`
`65`	`66`	`for (final ProtectionDomain domain : callers) {`
`66`	`67`	`if (!policy.implies(domain, permission)) {`
`67`		`- throw new SecurityException("Denied access to: " + address + ", domain " + domain);`
	`68`	`+ throw new SecurityException("Denied access to: " + address + ", domain: " + domain);`
`68`	`69`	`}`
`69`	`70`	`}`
`70`	`71`	`}`