Entitlements for JDK-wide global state changes (#119592) (#119715)

* Refactor: separate check method name vs signature parsing * Cosmetic: change checker comment format * Entitlements for JDK-wide global state * [CI] Auto commit changes from spotless * Comment explaining entitlement add-exports * @SuppressForbidden * Refactor: rename dummy subclases --------- Co-authored-by: elasticsearchmachine <[email protected]>
elastic · Jan 8, 2025 · e46ca40 · e46ca40
1 parent c124f1b
commit e46ca40
Show file tree

Hide file tree

Showing 10 changed files with 853 additions and 122 deletions.
diff --git a/...n/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java b/...n/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java
@@ -66,7 +66,7 @@ public MethodVisitor visitMethod(
 
     private static final Type CLASS_TYPE = Type.getType(Class.class);
 
-    static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] checkerMethodArgumentTypes) {
+    static ParsedCheckerMethod parseCheckerMethodName(String checkerMethodName) {
         boolean targetMethodIsStatic;
         int classNameEndIndex = checkerMethodName.lastIndexOf("$$");
         int methodNameStartIndex;
@@ -100,9 +100,14 @@ static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] ch
         if (targetClassName.isBlank()) {
             throw new IllegalArgumentException(String.format(Locale.ROOT, "Checker method %s has no class name", checkerMethodName));
         }
+        return new ParsedCheckerMethod(targetClassName, targetMethodName, targetMethodIsStatic, targetMethodIsCtor);
+    }
+
+    static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] checkerMethodArgumentTypes) {
+        ParsedCheckerMethod checkerMethod = parseCheckerMethodName(checkerMethodName);
 
         final List<String> targetParameterTypes;
-        if (targetMethodIsStatic || targetMethodIsCtor) {
+        if (checkerMethod.targetMethodIsStatic() || checkerMethod.targetMethodIsCtor()) {
             if (checkerMethodArgumentTypes.length < 1 || CLASS_TYPE.equals(checkerMethodArgumentTypes[0]) == false) {
                 throw new IllegalArgumentException(
                     String.format(
@@ -130,7 +135,13 @@ static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] ch
             }
             targetParameterTypes = Arrays.stream(checkerMethodArgumentTypes).skip(2).map(Type::getInternalName).toList();
         }
-        boolean hasReceiver = (targetMethodIsStatic || targetMethodIsCtor) == false;
-        return new MethodKey(targetClassName, targetMethodName, targetParameterTypes);
+        return new MethodKey(checkerMethod.targetClassName(), checkerMethod.targetMethodName(), targetParameterTypes);
     }
+
+    private record ParsedCheckerMethod(
+        String targetClassName,
+        String targetMethodName,
+        boolean targetMethodIsStatic,
+        boolean targetMethodIsCtor
+    ) {}
 }
diff --git a/...tlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java b/...tlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
@@ -9,6 +9,13 @@
 
 package org.elasticsearch.entitlement.bridge;
 
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.net.ContentHandlerFactory;
+import java.net.DatagramSocketImplFactory;
+import java.net.FileNameMap;
+import java.net.SocketImplFactory;
 import java.net.URL;
 import java.net.URLStreamHandlerFactory;
 import java.util.List;
@@ -21,26 +28,42 @@
 @SuppressWarnings("unused") // Called from instrumentation code inserted by the Entitlements agent
 public interface EntitlementChecker {
 
+    ////////////////////
+    //
     // Exit the JVM process
+    //
+
     void check$java_lang_Runtime$exit(Class<?> callerClass, Runtime runtime, int status);
 
     void check$java_lang_Runtime$halt(Class<?> callerClass, Runtime runtime, int status);
 
+    ////////////////////
+    //
     // ClassLoader ctor
+    //
+
     void check$java_lang_ClassLoader$(Class<?> callerClass);
 
     void check$java_lang_ClassLoader$(Class<?> callerClass, ClassLoader parent);
 
     void check$java_lang_ClassLoader$(Class<?> callerClass, String name, ClassLoader parent);
 
+    ////////////////////
+    //
     // SecureClassLoader ctor
+    //
+
     void check$java_security_SecureClassLoader$(Class<?> callerClass);
 
     void check$java_security_SecureClassLoader$(Class<?> callerClass, ClassLoader parent);
 
     void check$java_security_SecureClassLoader$(Class<?> callerClass, String name, ClassLoader parent);
 
+    ////////////////////
+    //
     // URLClassLoader constructors
+    //
+
     void check$java_net_URLClassLoader$(Class<?> callerClass, URL[] urls);
 
     void check$java_net_URLClassLoader$(Class<?> callerClass, URL[] urls, ClassLoader parent);
@@ -51,7 +74,11 @@ public interface EntitlementChecker {
 
     void check$java_net_URLClassLoader$(Class<?> callerClass, String name, URL[] urls, ClassLoader parent, URLStreamHandlerFactory factory);
 
+    ////////////////////
+    //
     // "setFactory" methods
+    //
+
     void check$javax_net_ssl_HttpsURLConnection$setSSLSocketFactory(Class<?> callerClass, HttpsURLConnection conn, SSLSocketFactory sf);
 
     void check$javax_net_ssl_HttpsURLConnection$$setDefaultSSLSocketFactory(Class<?> callerClass, SSLSocketFactory sf);
@@ -60,9 +87,82 @@ public interface EntitlementChecker {
 
     void check$javax_net_ssl_SSLContext$$setDefault(Class<?> callerClass, SSLContext context);
 
+    ////////////////////
+    //
     // Process creation
+    //
+
     void check$java_lang_ProcessBuilder$start(Class<?> callerClass, ProcessBuilder that);
 
     void check$java_lang_ProcessBuilder$$startPipeline(Class<?> callerClass, List<ProcessBuilder> builders);
 
+    ////////////////////
+    //
+    // JVM-wide state changes
+    //
+
+    void check$java_lang_System$$setIn(Class<?> callerClass, InputStream in);
+
+    void check$java_lang_System$$setOut(Class<?> callerClass, PrintStream out);
+
+    void check$java_lang_System$$setErr(Class<?> callerClass, PrintStream err);
+
+    void check$java_lang_Runtime$addShutdownHook(Class<?> callerClass, Runtime runtime, Thread hook);
+
+    void check$java_lang_Runtime$removeShutdownHook(Class<?> callerClass, Runtime runtime, Thread hook);
+
+    void check$jdk_tools_jlink_internal_Jlink$(Class<?> callerClass);
+
+    void check$jdk_tools_jlink_internal_Main$$run(Class<?> callerClass, PrintWriter out, PrintWriter err, String... args);
+
+    void check$jdk_vm_ci_services_JVMCIServiceLocator$$getProviders(Class<?> callerClass, Class<?> service);
+
+    void check$jdk_vm_ci_services_Services$$load(Class<?> callerClass, Class<?> service);
+
+    void check$jdk_vm_ci_services_Services$$loadSingle(Class<?> callerClass, Class<?> service, boolean required);
+
+    void check$com_sun_tools_jdi_VirtualMachineManagerImpl$$virtualMachineManager(Class<?> callerClass);
+
+    void check$java_lang_Thread$$setDefaultUncaughtExceptionHandler(Class<?> callerClass, Thread.UncaughtExceptionHandler ueh);
+
+    void check$java_util_spi_LocaleServiceProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_BreakIteratorProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_CollatorProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_DateFormatProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_DateFormatSymbolsProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_DecimalFormatSymbolsProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_NumberFormatProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_CalendarDataProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_CalendarNameProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_CurrencyNameProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_LocaleNameProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_TimeZoneNameProvider$(Class<?> callerClass);
+
+    void check$java_util_logging_LogManager$(Class<?> callerClass);
+
+    void check$java_net_DatagramSocket$$setDatagramSocketImplFactory(Class<?> callerClass, DatagramSocketImplFactory fac);
+
+    void check$java_net_HttpURLConnection$$setFollowRedirects(Class<?> callerClass, boolean set);
+
+    void check$java_net_ServerSocket$$setSocketFactory(Class<?> callerClass, SocketImplFactory fac);
+
+    void check$java_net_Socket$$setSocketImplFactory(Class<?> callerClass, SocketImplFactory fac);
+
+    void check$java_net_URL$$setURLStreamHandlerFactory(Class<?> callerClass, URLStreamHandlerFactory fac);
+
+    void check$java_net_URLConnection$$setFileNameMap(Class<?> callerClass, FileNameMap map);
+
+    void check$java_net_URLConnection$$setContentHandlerFactory(Class<?> callerClass, ContentHandlerFactory fac);
+
 }
diff --git a/libs/entitlement/qa/common/src/main/java/module-info.java b/libs/entitlement/qa/common/src/main/java/module-info.java
@@ -12,5 +12,8 @@
     requires org.elasticsearch.base;
     requires org.elasticsearch.logging;
 
+    // Modules we'll attempt to use in order to exercise entitlements
+    requires java.logging;
+
     exports org.elasticsearch.entitlement.qa.common;
 }