Added negative Integ Tests to validate the correct Security Exception being thrown

pranu2502 · pranu2502 · commit c4e88dfb7177 · 2025-04-18T13:15:19.000+05:30
Signed-off-by: Pranav Reddy &lt;pranavrd@amazon.com&gt;
diff --git a/libs/agent-sm/agent/integ-test-files/test-1a9a00d8.txt b/libs/agent-sm/agent/integ-test-files/test-1a9a00d8.txt
@@ -0,0 +1 @@
+test content
diff --git a/libs/agent-sm/agent/integ-test-files/test-efb29518.txt b/libs/agent-sm/agent/integ-test-files/test-efb29518.txt
@@ -0,0 +1 @@
+test content
diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java
@@ -8,6 +8,9 @@
 
 package org.opensearch.javaagent;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.common.metrics.CounterMetric;
 import org.opensearch.javaagent.bootstrap.AgentPolicy;
 
 import java.io.FilePermission;
@@ -29,6 +32,8 @@
  * FileInterceptor
  */
 public class FileInterceptor {
+    private static final Logger logger = LogManager.getLogger(FileInterceptor.class);
+
     /**
      * FileInterceptor
      */
@@ -103,8 +108,15 @@ public static void intercept(@Advice.AllArguments Object[] args, @Advice.Origin
                                     break;
                                 }
                             }
+                        } else if (args[1] instanceof Object[] opts) {
+                            for (final Object opt : opts) {
+                                if (opt != StandardOpenOption.READ) {
+                                    isMutating = true;
+                                    break;
+                                }
+                            }
                         } else {
-                            //Add a Warn statement for any other type or args we might be missing
+                            logger.warn("Unknown type: {} for args[1] for method name: {}", args[1].getClass(), method.getName());
                         }
                     }
                 } else if (name.equals("copy") == true) {
diff --git a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorIntegTests.java b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorIntegTests.java
@@ -15,6 +15,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FilePermission;
+import java.io.OutputStream;
 import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
 import java.nio.charset.StandardCharsets;
@@ -247,4 +248,57 @@ public void testDelete() throws Exception {
             Files.deleteIfExists(tempPath);
         }
     }
+
+    @Test
+    public void testReadAllLines() throws Exception {
+        Path tmpDir = getTestDir();
+        Path tempPath = tmpDir.resolve("test-readAllLines-" + randomAlphaOfLength(8) + ".txt");
+
+        try {
+            // Create a file with some content
+            String content = "test content";
+            Files.write(tempPath, content.getBytes(StandardCharsets.UTF_8));
+
+            // Verify file exists before deletion
+            assertTrue("File should exist before deletion", Files.exists(tempPath));
+            assertEquals("File should have correct content", content, Files.readString(tempPath, StandardCharsets.UTF_8));
+
+            // Test delete operation - FileInterceptor should intercept this
+            String line = Files.readAllLines(tempPath).getFirst();
+
+            // Verify readAllLines
+            assertEquals("File contents should be returned", "test content", line);
+
+        } finally {
+            // Cleanup in case test fails
+            Files.deleteIfExists(tempPath);
+        }
+    }
+
+    @Test
+    public void testNewOutputStream() throws Exception {
+        Path tmpDir = getTestDir();
+        Path tempPath = tmpDir.resolve("test-readAllLines-" + randomAlphaOfLength(8) + ".txt");
+
+        try {
+            // Create an empty file
+            String content = "";
+            Files.write(tempPath, content.getBytes(StandardCharsets.UTF_8));
+
+            // Verify file exists before deletion
+            assertTrue("File should exist before deletion", Files.exists(tempPath));
+            assertEquals("File should have correct content", content, Files.readString(tempPath, StandardCharsets.UTF_8));
+
+            // Test for new OutputStream
+            try (OutputStream os = Files.newOutputStream(tempPath)) {
+                os.write("test content".getBytes(StandardCharsets.UTF_8));
+            }
+            String line = Files.readAllLines(tempPath).getFirst();
+            assertEquals("File contents should be returned", "test content", line);
+
+        } finally {
+            // Cleanup in case test fails
+            Files.deleteIfExists(tempPath);
+        }
+    }
 }
diff --git a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorNegativeIntegTests.java b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorNegativeIntegTests.java
@@ -0,0 +1,161 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.javaagent;
+
+import org.opensearch.javaagent.bootstrap.AgentPolicy;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.nio.channels.FileChannel;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardOpenOption;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+import java.security.ProtectionDomain;
+import java.util.UUID;
+
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
+
+@SuppressWarnings("removal")
+public class FileInterceptorNegativeIntegTests {
+    private static Path getTestDir() {
+        Path baseDir = Path.of(System.getProperty("user.dir"));
+        Path integTestFiles = baseDir.resolve("integ-test-files").normalize();
+        return integTestFiles;
+    }
+
+    private String randomAlphaOfLength(int length) {
+        // Using UUID to generate random string and taking first 'length' characters
+        return UUID.randomUUID().toString().replaceAll("-", "").substring(0, length);
+    }
+
+    @BeforeClass
+    public static void setUp() throws Exception {
+        Policy policy = new Policy() {
+            @Override
+            public PermissionCollection getPermissions(ProtectionDomain domain) {
+                Permissions permissions = new Permissions();
+                return permissions;
+            }
+        };
+        AgentPolicy.setPolicy(policy);
+    }
+
+    @Test
+    public void testFileInputStream() {
+        Path tmpDir = getTestDir();
+        assertTrue("Tmp directory should exist", Files.exists(tmpDir));
+        assertTrue("Tmp directory should be writable", Files.isWritable(tmpDir));
+
+        // Create a unique file name
+        String fileName = "test-" + randomAlphaOfLength(8) + ".txt";
+        Path tempPath = tmpDir.resolve(fileName);
+
+        // Verify error when writing Content
+        String content = "test content";
+        SecurityException exception = assertThrows("", SecurityException.class, () -> {
+            Files.write(tempPath, content.getBytes(StandardCharsets.UTF_8));
+        });
+        assertTrue(exception.getMessage().contains("Denied WRITE access to file"));
+    }
+
+    @Test
+    public void testOpenForReadAndWrite() {
+        Path tmpDir = getTestDir();
+        assertTrue("Tmp directory should exist", Files.exists(tmpDir));
+        assertTrue("Tmp directory should be writable", Files.isWritable(tmpDir));
+
+        // Create a unique file name
+        String fileName = "test-" + randomAlphaOfLength(8) + ".txt";
+        Path tempPath = tmpDir.resolve(fileName);
+
+        // Verify error when opening file
+        SecurityException exception = assertThrows("", SecurityException.class, () -> {
+            FileChannel.open(tempPath, StandardOpenOption.CREATE, StandardOpenOption.READ, StandardOpenOption.WRITE);
+        });
+        assertTrue(exception.getMessage().contains("Denied OPEN (read/write) access to file"));
+    }
+
+    @Test
+    public void testCopy() {
+        Path tmpDir = getTestDir();
+        Path sourcePath = tmpDir.resolve("test-source-" + randomAlphaOfLength(8) + ".txt");
+        Path targetPath = tmpDir.resolve("test-target-" + randomAlphaOfLength(8) + ".txt");
+
+        // Verify Error when copying file
+        SecurityException exception = assertThrows(SecurityException.class, () -> Files.copy(sourcePath, targetPath));
+        assertTrue(exception.getMessage().contains("Denied COPY (read) access to file"));
+    }
+
+    @Test
+    public void testCreateFile() {
+        Path tmpDir = getTestDir();
+        Path tempPath = tmpDir.resolve("test-create-" + randomAlphaOfLength(8) + ".txt");
+
+        // Verify Error when creating file
+        SecurityException exception = assertThrows(SecurityException.class, () -> Files.createFile(tempPath));
+        assertTrue(exception.getMessage().contains("Denied WRITE access to file"));
+    }
+
+    @Test
+    public void testMove() {
+        Path tmpDir = getTestDir();
+        Path sourcePath = tmpDir.resolve("test-source-" + randomAlphaOfLength(8) + ".txt");
+        Path targetPath = tmpDir.resolve("test-target-" + randomAlphaOfLength(8) + ".txt");
+
+        // Verify Error when moving file
+        SecurityException exception = assertThrows(SecurityException.class, () -> Files.move(sourcePath, targetPath));
+        assertTrue(exception.getMessage().contains("Denied WRITE access to file"));
+    }
+
+    @Test
+    public void testCreateLink() throws Exception {
+        Path tmpDir = getTestDir();
+        Path originalPath = tmpDir.resolve("test-original-" + randomAlphaOfLength(8) + ".txt");
+        Path linkPath = tmpDir.resolve("test-link-" + randomAlphaOfLength(8) + ".txt");
+
+        // Verify Error when creating link
+        SecurityException exception = assertThrows(SecurityException.class, () -> Files.createLink(linkPath, originalPath));
+        assertTrue(exception.getMessage().contains("Denied WRITE access to file"));
+    }
+
+    @Test
+    public void testDelete() throws Exception {
+        Path tmpDir = getTestDir();
+        Path tempPath = tmpDir.resolve("test-delete-" + randomAlphaOfLength(8) + ".txt");
+
+        // Verify Error when deleting file
+        SecurityException exception = assertThrows(SecurityException.class, () -> Files.delete(tempPath));
+        assertTrue(exception.getMessage().contains("Denied DELETE access to file"));
+    }
+
+    @Test
+    public void testReadAllLines() throws Exception {
+        Path tmpDir = getTestDir();
+        Path tempPath = tmpDir.resolve("test-readAllLines-" + randomAlphaOfLength(8) + ".txt");
+
+        // Verify Error when reading file
+        SecurityException exception = assertThrows(SecurityException.class, () -> Files.readAllLines(tempPath));
+        assertTrue(exception.getMessage().contains("Denied READ access to file"));
+    }
+
+    @Test
+    public void testNewOutputStream() throws Exception {
+        Path tmpDir = getTestDir();
+        Path tempPath = tmpDir.resolve("test-readAllLines-" + randomAlphaOfLength(8) + ".txt");
+
+        // Verify error when calling newOutputStream
+        SecurityException exception = assertThrows(SecurityException.class, () -> Files.newOutputStream(tempPath));
+        assertTrue(exception.getMessage().contains("Denied OPEN (read/write) access to file"));
+    }
+}
