update junit test cases and handle case where we can get security exception other than one expected

Author: joviegas

http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/Apache5HttpClient.java

@@ -544,7 +544,7 @@ public interface Builder extends SdkHttpClient.Builder<Apache5HttpClient.Builder
     }
 
     private static final class DefaultBuilder implements Builder {
-        private static final String[] REQUIRED_TCP_KEEPALIVE_PERMISSIONS = {
+        private static final String[] REQUIRED_TCP_SOCKET_OPTION_PERMISSIONS = {
             "setOption.TCP_KEEPIDLE",
             "setOption.TCP_KEEPINTERVAL",
             "setOption.TCP_KEEPCOUNT"
@@ -751,7 +751,7 @@ public void setAuthSchemeProviderRegistry(Registry<AuthSchemeFactory> authScheme
         public SdkHttpClient buildWithDefaults(AttributeMap serviceDefaults) {
             AttributeMap resolvedOptions = standardOptions.build().merge(serviceDefaults).merge(
                 SdkHttpConfigurationOption.GLOBAL_HTTP_DEFAULTS);
-            checkTcpKeepAlivePermissions();
+            checkTcpSocketOptionPermissions();
             return new Apache5HttpClient(this, resolvedOptions);
         }
 
@@ -760,28 +760,46 @@ public SdkHttpClient buildWithDefaults(AttributeMap serviceDefaults) {
          * that Apache HC5 requires for its default TCP keepalive socket options.
          * No-op when no SecurityManager is installed (including Java 24+).
          */
-        private static void checkTcpKeepAlivePermissions() {
+        private static void checkTcpSocketOptionPermissions() {
             SecurityManager sm = System.getSecurityManager();
             if (sm == null) {
                 return;
             }
 
             try {
                 Class<?> permClass = ClassLoaderHelper.loadClass("jdk.net.NetworkPermission", Apache5HttpClient.class);
-                for (String permName : REQUIRED_TCP_KEEPALIVE_PERMISSIONS) {
+                for (String permName : REQUIRED_TCP_SOCKET_OPTION_PERMISSIONS) {
                     java.security.Permission perm =
                         (java.security.Permission) permClass.getConstructor(String.class).newInstance(permName);
                     sm.checkPermission(perm);
                 }
             } catch (SecurityException e) {
-                throw new IllegalStateException(
-                    "Apache5HttpClient requires jdk.net.NetworkPermission for \""
-                    + String.join("\", \"", REQUIRED_TCP_KEEPALIVE_PERMISSIONS)
-                    + "\" when a SecurityManager is active.", e);
+                if (isTcpSocketOptionPermissionDenied(e)) {
+                    throw new IllegalStateException(
+                        "Apache5HttpClient requires jdk.net.NetworkPermission for \""
+                        + String.join("\", \"", REQUIRED_TCP_SOCKET_OPTION_PERMISSIONS)
+                        + "\" when a SecurityManager is active.", e);
+                }
+                log.debug(() -> "SecurityManager denied a non-TCP socket option permission during "
+                               + "verification: " + e.getMessage(), e);
             } catch (Exception e) {
-                log.warn(() -> "Unable to verify TCP keepalive permissions: " + e.getMessage(), e);
+                log.debug(() -> "Could not verify jdk.net.NetworkPermission for TCP socket options: " + e.getMessage(), e);
             }
         }
+
+        private static boolean isTcpSocketOptionPermissionDenied(SecurityException e) {
+            String message = e.getMessage();
+            if (message == null) {
+                return false;
+            }
+            for (String perm : REQUIRED_TCP_SOCKET_OPTION_PERMISSIONS) {
+                if (message.contains(perm)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
     }
 
     private static class ApacheConnectionManagerFactory {

http-clients/apache5-client/src/test/java/software/amazon/awssdk/http/apache5/Apache5HttpClientSecurityManagerTest.java

@@ -15,6 +15,7 @@
 
 package software.amazon.awssdk.http.apache5;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatNoException;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
@@ -23,13 +24,15 @@
 import java.util.HashSet;
 import java.util.Set;
 import java.util.stream.Stream;
+import org.apache.logging.log4j.Level;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.EnabledForJreRange;
 import org.junit.jupiter.api.condition.JRE;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
+import software.amazon.awssdk.testutils.LogCaptor;
 
 /**
  * Tests that Apache5HttpClient fails fast at construction time when a SecurityManager
@@ -47,7 +50,7 @@ void tearDown() {
 
     @Test
     void buildWithDefaults_whenStandardPermissionsGrantedButNetworkPermissionMissing_shouldThrowIllegalStateException() {
-        System.setProperty("java.security.policy", "=" + getPolicyUrl());
+        System.setProperty("java.security.policy", "=" + getPolicyUrl("security-manager-test.policy"));
         java.security.Policy.getPolicy().refresh();
         System.setSecurityManager(new SecurityManager());
 
@@ -56,8 +59,42 @@ void buildWithDefaults_whenStandardPermissionsGrantedButNetworkPermissionMissing
             .hasMessageContaining("jdk.net.NetworkPermission");
     }
 
-    private String getPolicyUrl() {
-        return getClass().getResource("security-manager-test.policy").toExternalForm();
+    @Test
+    void buildWithDefaults_whenPolicyGrantsNetworkPermissions_shouldSucceed() {
+        System.setProperty("java.security.policy", "=" + getPolicyUrl("security-manager-test-with-network-permissions.policy"));
+        java.security.Policy.getPolicy().refresh();
+        System.setSecurityManager(new SecurityManager());
+
+        assertThatNoException().isThrownBy(() -> {
+            Apache5HttpClient.builder().build().close();
+        });
+    }
+
+    private String getPolicyUrl(String policyFileName) {
+        return getClass().getResource(policyFileName).toExternalForm();
+    }
+
+    @Test
+    void buildWithDefaults_whenUnrelatedSecurityExceptionThrown_shouldNotThrow() {
+        System.setSecurityManager(new SecurityManager() {
+            @Override
+            public void checkPermission(Permission perm) {
+                if ("jdk.net.NetworkPermission".equals(perm.getClass().getName())) {
+                    throw new SecurityException("access denied: some.unrelated.permission");
+                }
+            }
+        });
+
+        try (LogCaptor logCaptor = LogCaptor.create(Level.DEBUG)) {
+            assertThatNoException().isThrownBy(() -> {
+                Apache5HttpClient.builder().build().close();
+            });
+            assertThat(logCaptor.loggedEvents()).anySatisfy(logEvent -> {
+                assertThat(logEvent.getLevel()).isEqualTo(Level.DEBUG);
+                assertThat(logEvent.getMessage().getFormattedMessage())
+                    .contains("SecurityManager denied a non-TCP socket option permission");
+            });
+        }
     }
 
     @ParameterizedTest
@@ -120,4 +157,5 @@ public void checkPermission(Permission perm) {
             }
         }
     }
+
 }

http-clients/apache5-client/src/test/resources/software/amazon/awssdk/http/apache5/security-manager-test-with-network-permissions.policy

@@ -0,0 +1,17 @@
+grant {
+    permission java.util.PropertyPermission "*", "read,write";
+    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
+    permission java.lang.RuntimePermission "getenv.*";
+    permission "java.lang.RuntimePermission" "accessDeclaredMembers";
+    permission "java.lang.RuntimePermission" "modifyThread";
+    permission "javax.net.ssl.SSLPermission" "setDefaultSSLContext";
+    permission "java.net.SocketPermission" "*", "connect,resolve";
+
+    // Needed for test to remove the security manager
+    permission java.lang.RuntimePermission "setSecurityManager";
+
+    // TCP socket option permissions required by Apache HC5
+    permission "jdk.net.NetworkPermission" "setOption.TCP_KEEPIDLE";
+    permission "jdk.net.NetworkPermission" "setOption.TCP_KEEPINTERVAL";
+    permission "jdk.net.NetworkPermission" "setOption.TCP_KEEPCOUNT";
+};