Merge branch 'main' into jbc-bugfix

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java

@@ -171,8 +171,8 @@ private static Stream<String> maybeAttachEntitlementAgent(boolean useEntitlement
             throw new IllegalStateException("Failed to list entitlement jars in: " + dir, e);
         }
         // We instrument classes in these modules to call the bridge. Because the bridge gets patched
-        // into java.base, we must export the bridge from java.base to these modules.
-        String modulesContainingEntitlementInstrumentation = "java.logging";
+        // into java.base, we must export the bridge from java.base to these modules, as a comma-separated list
+        String modulesContainingEntitlementInstrumentation = "java.logging,java.net.http,java.naming";
         return Stream.of(
             "-Des.entitlements.enabled=true",
             "-XX:+EnableDynamicAgentLoading",

docs/changelog/119536.yaml

@@ -0,0 +1,5 @@
+pr: 119536
+summary: Fix ROUND() with unsigned longs throwing in some edge cases
+area: ES|QL
+type: bug
+issues: []

docs/changelog/120192.yaml

@@ -0,0 +1,5 @@
+pr: 120192
+summary: Extend `TranslationAware` to all pushable expressions
+area: ES|QL
+type: enhancement
+issues: []

libs/entitlement/bridge/src/main/java/module-info.java

@@ -10,5 +10,7 @@
 // This module-info is used just to satisfy your IDE.
 // At build and run time, the bridge is patched into the java.base module.
 module org.elasticsearch.entitlement.bridge {
+    requires java.net.http;
+
     exports org.elasticsearch.entitlement.bridge;
 }

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -30,6 +30,17 @@
 import java.net.URL;
 import java.net.URLStreamHandler;
 import java.net.URLStreamHandlerFactory;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.ByteBuffer;
+import java.nio.channels.AsynchronousServerSocketChannel;
+import java.nio.channels.AsynchronousSocketChannel;
+import java.nio.channels.CompletionHandler;
+import java.nio.channels.DatagramChannel;
+import java.nio.channels.ServerSocketChannel;
+import java.nio.channels.SocketChannel;
+import java.security.cert.CertStoreParameters;
 import java.util.List;
 
 import javax.net.ssl.HostnameVerifier;
@@ -254,4 +265,106 @@ public interface EntitlementChecker {
     void check$java_net_Socket$connect(Class<?> callerClass, Socket that, SocketAddress endpoint);
 
     void check$java_net_Socket$connect(Class<?> callerClass, Socket that, SocketAddress endpoint, int backlog);
+
+    // Network miscellanea
+    void check$java_net_URL$openConnection(Class<?> callerClass, java.net.URL that, Proxy proxy);
+
+    // HttpClient.Builder is an interface, so we instrument its only (internal) implementation
+    void check$jdk_internal_net_http_HttpClientBuilderImpl$build(Class<?> callerClass, HttpClient.Builder that);
+
+    // HttpClient#send and sendAsync are abstract, so we instrument their internal implementation
+    void check$jdk_internal_net_http_HttpClientImpl$send(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest request,
+        HttpResponse.BodyHandler<?> responseBodyHandler
+    );
+
+    void check$jdk_internal_net_http_HttpClientImpl$sendAsync(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest userRequest,
+        HttpResponse.BodyHandler<?> responseHandler
+    );
+
+    void check$jdk_internal_net_http_HttpClientImpl$sendAsync(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest userRequest,
+        HttpResponse.BodyHandler<?> responseHandler,
+        HttpResponse.PushPromiseHandler<?> pushPromiseHandler
+    );
+
+    // We need to check the LDAPCertStore, as this will connect, but this is internal/created via SPI,
+    // so we instrument the general factory instead and then filter in the check method implementation
+    void check$java_security_cert_CertStore$$getInstance(Class<?> callerClass, String type, CertStoreParameters params);
+
+    /* NIO
+     * For NIO, we are sometime able to check a method on the public surface/interface (e.g. AsynchronousServerSocketChannel#bind)
+     * but most of the time these methods are abstract in the public classes/interfaces (e.g. ServerSocketChannel#accept,
+     * NetworkChannel#bind), so we are forced to implement the "impl" classes.
+     * You can distinguish the 2 cases form the namespaces: java_nio_channels for the public ones, sun_nio_ch for the implementation
+     * classes. When you see a check on a sun_nio_ch class/method, this means the matching method on the public class is abstract
+     * (not instrumentable).
+     */
+
+    // bind
+
+    void check$java_nio_channels_AsynchronousServerSocketChannel$bind(
+        Class<?> callerClass,
+        AsynchronousServerSocketChannel that,
+        SocketAddress local
+    );
+
+    void check$sun_nio_ch_AsynchronousServerSocketChannelImpl$bind(
+        Class<?> callerClass,
+        AsynchronousServerSocketChannel that,
+        SocketAddress local,
+        int backlog
+    );
+
+    void check$sun_nio_ch_AsynchronousSocketChannelImpl$bind(Class<?> callerClass, AsynchronousSocketChannel that, SocketAddress local);
+
+    void check$sun_nio_ch_DatagramChannelImpl$bind(Class<?> callerClass, DatagramChannel that, SocketAddress local);
+
+    void check$java_nio_channels_ServerSocketChannel$bind(Class<?> callerClass, ServerSocketChannel that, SocketAddress local);
+
+    void check$sun_nio_ch_ServerSocketChannelImpl$bind(Class<?> callerClass, ServerSocketChannel that, SocketAddress local, int backlog);
+
+    void check$sun_nio_ch_SocketChannelImpl$bind(Class<?> callerClass, SocketChannel that, SocketAddress local);
+
+    // connect
+
+    void check$sun_nio_ch_SocketChannelImpl$connect(Class<?> callerClass, SocketChannel that, SocketAddress remote);
+
+    void check$sun_nio_ch_AsynchronousSocketChannelImpl$connect(Class<?> callerClass, AsynchronousSocketChannel that, SocketAddress remote);
+
+    void check$sun_nio_ch_AsynchronousSocketChannelImpl$connect(
+        Class<?> callerClass,
+        AsynchronousSocketChannel that,
+        SocketAddress remote,
+        Object attachment,
+        CompletionHandler<Void, Object> handler
+    );
+
+    void check$sun_nio_ch_DatagramChannelImpl$connect(Class<?> callerClass, DatagramChannel that, SocketAddress remote);
+
+    // accept
+
+    void check$sun_nio_ch_ServerSocketChannelImpl$accept(Class<?> callerClass, ServerSocketChannel that);
+
+    void check$sun_nio_ch_AsynchronousServerSocketChannelImpl$accept(Class<?> callerClass, AsynchronousServerSocketChannel that);
+
+    void check$sun_nio_ch_AsynchronousServerSocketChannelImpl$accept(
+        Class<?> callerClass,
+        AsynchronousServerSocketChannel that,
+        Object attachment,
+        CompletionHandler<AsynchronousSocketChannel, Object> handler
+    );
+
+    // send/receive
+
+    void check$sun_nio_ch_DatagramChannelImpl$send(Class<?> callerClass, DatagramChannel that, ByteBuffer src, SocketAddress target);
+
+    void check$sun_nio_ch_DatagramChannelImpl$receive(Class<?> callerClass, DatagramChannel that, ByteBuffer dst);
 }

libs/entitlement/qa/common/src/main/java/module-info.java

@@ -14,6 +14,7 @@
 
     // Modules we'll attempt to use in order to exercise entitlements
     requires java.logging;
+    requires java.net.http;
 
     exports org.elasticsearch.entitlement.qa.common;
 }