/*
 * SPDX-License-Identifier: Apache-2.0
 *
 * The OpenSearch Contributors require contributions made to
 * this file be licensed under the Apache-2.0 license or a
 * compatible open source license.
 */

/*
 * Licensed to Elasticsearch under one or more contributor
 * license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright
 * ownership. Elasticsearch licenses this file to you under
 * the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

/*
 * Modifications Copyright OpenSearch Contributors. See
 * GitHub history for details.
 */

//// additional test framework permissions.
//// These are mock objects and test management that we allow test framework libs
//// to provide on our behalf. But tests themselves cannot do this stuff!

grant codeBase "${codebase.mockito-core}" {
  // needed to access ReflectionFactory (see below)
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  // needed for reflection in ibm jdk
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  // needed to support creation of mocks
  permission java.lang.RuntimePermission "reflectionFactoryAccess";
  // needed for spy interception, etc
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "getClassLoader";
};

grant codeBase "${codebase.objenesis}" {
  permission java.lang.RuntimePermission "reflectionFactoryAccess";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "${codebase.byte-buddy}" {
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "net.bytebuddy.createJavaDispatcher";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.reflect.ReflectPermission "newProxyInPackage.net.bytebuddy.utility";
  permission java.lang.reflect.ReflectPermission "newProxyInPackage.net.bytebuddy.dynamic.loading";
  permission java.lang.reflect.ReflectPermission "newProxyInPackage.net.bytebuddy.description.type";
  permission java.lang.reflect.ReflectPermission "newProxyInPackage.net.bytebuddy.description.method";
};

grant codeBase "${codebase.lucene-test-framework}" {
  // needed by RamUsageTester
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  // needed for testing hardlinks in StoreRecoveryTests since we install MockFS
  permission java.nio.file.LinkPermission "hard";
  // needed for RAMUsageTester
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};

grant codeBase "${codebase.randomizedtesting-runner}" {
  // optionally needed for access to private test methods (e.g. beforeClass)
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  // needed to fail tests on uncaught exceptions from other threads
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  // needed for top threads handling
  permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThreadGroup";
  // needed for TestClass creation
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};

grant codeBase "${codebase.junit}" {
  // needed for TestClass creation
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  // needed for test listener notifications
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "${codebase.opensearch-nio}" {
  // opensearch-nio makes and accepts socket connections
  permission java.net.SocketPermission "*", "accept,connect";
};

grant codeBase "${codebase.opensearch-rest-client}" {
  // rest makes socket connections for rest tests
  permission java.net.SocketPermission "*", "connect";
  // rest client uses system properties which gets the default proxy
  permission java.net.NetPermission "getProxySelector";
};

grant codeBase "${codebase.httpcore5}" {
  // httpcore makes socket connections for rest tests
  permission java.net.SocketPermission "*", "connect";
};

grant codeBase "${codebase.httpclient5}" {
  // httpclient5 makes socket connections for rest tests
  permission java.net.SocketPermission "*", "connect";
};

grant codeBase "${codebase.httpcore-nio}" {
  // httpcore makes socket connections for rest tests
  permission java.net.SocketPermission "*", "connect";
};

grant codeBase "${codebase.httpasyncclient}" {
  // httpasyncclient makes socket connections for rest tests
  permission java.net.SocketPermission "*", "connect";
  // rest client uses system properties which gets the default proxy
  permission java.net.NetPermission "getProxySelector";
};

grant codeBase "${codebase.junit-rt.jar}" {
  // allows IntelliJ IDEA JUnit test runner to control number of test iterations
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "${codebase.idea_rt.jar}" {
  // allows IntelliJ IDEA (2022.3.3) JUnit test runner to control number of test iterations
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:${gradle.dist.lib}/-" {
  // gradle test worker code needs a slew of permissions, we give full access here since gradle isn't a production
  // dependency and there's no point in exercising the security policy against it
  permission java.security.AllPermission;
};

grant codeBase "file:${gradle.worker.jar}" {
  // gradle test worker code needs a slew of permissions, we give full access here since gradle isn't a production
  // dependency and there's no point in exercising the security policy against it
  permission java.security.AllPermission;
};

grant {
  // since the gradle test worker jar is on the test classpath, our tests should be able to read it
  permission java.io.FilePermission "${gradle.worker.jar}", "read";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "reflectionFactoryAccess";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};