WIP - Explore parsing codepaths

core/src/main/java/org/elasticsearch/bootstrap/Security.java

@@ -20,7 +20,6 @@
 package org.elasticsearch.bootstrap;
 
 import org.elasticsearch.SecureSM;
-import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.io.PathUtils;
 import org.elasticsearch.common.network.NetworkModule;
@@ -45,11 +44,15 @@
 import java.security.Permissions;
 import java.security.Policy;
 import java.security.URIParameter;
+import java.util.ArrayDeque;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.Deque;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * Initializes SecurityManager with necessary permissions.
@@ -188,25 +191,57 @@ static Map<String,Policy> getPluginPermissions(Environment environment) throws I
     @SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
     static Policy readPolicy(URL policyFile, URL codebases[]) {
         try {
+            Set<String> addedProperties = new HashSet<>();
             try {
                 // set codebase properties
                 for (URL url : codebases) {
-                    String shortName = PathUtils.get(url.toURI()).getFileName().toString();
-                    System.setProperty("codebase." + shortName, url.toString());
+                    Path path = PathUtils.get(url.toURI());
+                    if (Files.isDirectory(path)) {
+                        if ("test".equals(path.getFileName().toString()) ||
+                            "main".equals(path.getFileName().toString())) {
+                            String alias = getESCodeAlias(path);
+                            addedProperties.add(alias);
+                            System.setProperty("codebase." + alias, url.toString());
+                        }
+                    } else {
+                        String shortName = path.getFileName().toString();
+                        addedProperties.add(shortName);
+                        System.setProperty("codebase." + shortName, url.toString());
+                    }
                 }
                 return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI()));
             } finally {
                 // clear codebase properties
-                for (URL url : codebases) {
-                    String shortName = PathUtils.get(url.toURI()).getFileName().toString();
-                    System.clearProperty("codebase." + shortName);
+                for (String property : addedProperties) {
+                    System.clearProperty("codebase." + property);
                 }
             }
         } catch (NoSuchAlgorithmException | URISyntaxException e) {
             throw new IllegalArgumentException("unable to parse policy file `" + policyFile + "`", e);
         }
     }
 
+    private static String getESCodeAlias(Path path) {
+        Deque<String> tokens = new ArrayDeque<>();
+
+        Path currentPath = path;
+        String fileName = currentPath.getFileName().toString();
+        while (!"elasticsearch".equals(fileName)) {
+            if (!"classes".equals(fileName) && !fileName.contains("build")) {
+                tokens.push(currentPath.getFileName().toString());
+                tokens.push(".");
+            }
+            currentPath = currentPath.getParent();
+            fileName = currentPath.getFileName().toString();
+        }
+        tokens.push(fileName);
+        StringBuilder sb = new StringBuilder();
+        for (String s : tokens) {
+            sb.append(s);
+        }
+        return sb.toString();
+    }
+
     /** returns dynamic Permissions to configured paths and bind ports */
     static Permissions createPermissions(Environment environment) throws IOException {
         Permissions policy = new Permissions();

core/src/main/resources/org/elasticsearch/bootstrap/security.policy

@@ -56,7 +56,7 @@ grant {
   permission org.elasticsearch.SpecialPermission;
 
   // Allow connecting to the internet anywhere
-  permission java.net.SocketPermission "*", "accept,connect,resolve";
+  permission java.net.SocketPermission "*", "connect,resolve";
 
   // Allow read access to all system properties
   permission java.util.PropertyPermission "*", "read";

core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy

@@ -62,3 +62,11 @@ grant codeBase "${codebase.junit-4.11.jar}" {
   // needed for TestClass creation
   permission java.lang.RuntimePermission "accessDeclaredMembers";
 };
+
+grant codeBase "${codebase.elasticsearch.test.framework.main}" {
+  permission java.net.SocketPermission "*", "accept,connect,resolve";
+};
+
+grant codeBase "${codebase.framework-6.0.0-alpha1-SNAPSHOT.jar}" {
+  permission java.net.SocketPermission "*", "accept,connect,resolve";
+};

test/framework/src/main/java/org/elasticsearch/transport/AbstractSimpleTransportTestCase.java

@@ -1863,7 +1863,7 @@ public void testTcpHandshakeTimeout() throws IOException {
     }
 
     public void testTcpHandshakeConnectionReset() throws IOException, InterruptedException {
-        try (ServerSocket socket = new ServerSocket()) {
+        try (ServerSocket socket = new MockServerSocket()) {
             socket.bind(new InetSocketAddress(InetAddress.getLocalHost(), 0), 1);
             socket.setReuseAddress(true);
             DiscoveryNode dummy = new DiscoveryNode("TEST", new TransportAddress(socket.getInetAddress(),

test/framework/src/main/java/org/elasticsearch/transport/MockServerSocket.java

@@ -0,0 +1,35 @@
+package org.elasticsearch.transport;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+public class MockServerSocket extends ServerSocket {
+    public MockServerSocket() throws IOException {
+    }
+
+    public MockServerSocket(int port) throws IOException {
+        super(port);
+    }
+
+    public MockServerSocket(int port, int backlog) throws IOException {
+        super(port, backlog);
+    }
+
+    public MockServerSocket(int port, int backlog, InetAddress bindAddr) throws IOException {
+        super(port, backlog, bindAddr);
+    }
+
+    public Socket accept() throws IOException {
+        try {
+            return AccessController.doPrivileged((PrivilegedExceptionAction<Socket>) super::accept);
+        } catch (PrivilegedActionException e) {
+            throw (IOException) e.getCause();
+        }
+    }
+
+}

test/framework/src/main/java/org/elasticsearch/transport/MockTcpTransport.java

@@ -47,6 +47,9 @@
 import java.net.Socket;
 import java.net.SocketException;
 import java.net.SocketTimeoutException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -110,7 +113,7 @@ protected InetSocketAddress getLocalAddress(MockChannel mockChannel) {
 
     @Override
     protected MockChannel bind(final String name, InetSocketAddress address) throws IOException {
-        ServerSocket socket = new ServerSocket();
+        ServerSocket socket = new MockServerSocket();
         socket.bind(address);
         socket.setReuseAddress(TCP_REUSE_ADDRESS.get(settings));
         ByteSizeValue tcpReceiveBufferSize = TCP_RECEIVE_BUFFER_SIZE.get(settings);