[Entitlements] "dynamic" instrumentation method keys (elastic#120811) (elastic#121299)

Author: ldematte

libs/entitlement/asm-provider/build.gradle

@@ -11,6 +11,7 @@ apply plugin: 'elasticsearch.build'
 
 dependencies {
   compileOnly project(':libs:entitlement')
+  compileOnly project(':libs:core')
   implementation 'org.ow2.asm:asm:9.7.1'
   testImplementation project(":test:framework")
   testImplementation project(":libs:entitlement:bridge")

libs/entitlement/asm-provider/src/main/java/module-info.java

@@ -14,5 +14,7 @@
     requires org.objectweb.asm;
     requires org.elasticsearch.entitlement;
 
+    requires static org.elasticsearch.base; // for SuppressForbidden
+
     provides InstrumentationService with InstrumentationServiceImpl;
 }

libs/entitlement/asm-provider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.entitlement.instrumentation.impl;
 
+import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.instrumentation.CheckMethod;
 import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
 import org.elasticsearch.entitlement.instrumentation.Instrumenter;
@@ -20,11 +21,15 @@
 import org.objectweb.asm.Type;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 public class InstrumentationServiceImpl implements InstrumentationService {
 
@@ -48,22 +53,159 @@ public MethodVisitor visitMethod(
                 String[] exceptions
             ) {
                 var mv = super.visitMethod(access, checkerMethodName, checkerMethodDescriptor, signature, exceptions);
+                if (checkerMethodName.startsWith(InstrumentationService.CHECK_METHOD_PREFIX)) {
+                    var checkerMethodArgumentTypes = Type.getArgumentTypes(checkerMethodDescriptor);
+                    var methodToInstrument = parseCheckerMethodSignature(checkerMethodName, checkerMethodArgumentTypes);
 
-                var checkerMethodArgumentTypes = Type.getArgumentTypes(checkerMethodDescriptor);
-                var methodToInstrument = parseCheckerMethodSignature(checkerMethodName, checkerMethodArgumentTypes);
-
-                var checkerParameterDescriptors = Arrays.stream(checkerMethodArgumentTypes).map(Type::getDescriptor).toList();
-                var checkMethod = new CheckMethod(Type.getInternalName(checkerClass), checkerMethodName, checkerParameterDescriptors);
-
-                methodsToInstrument.put(methodToInstrument, checkMethod);
+                    var checkerParameterDescriptors = Arrays.stream(checkerMethodArgumentTypes).map(Type::getDescriptor).toList();
+                    var checkMethod = new CheckMethod(Type.getInternalName(checkerClass), checkerMethodName, checkerParameterDescriptors);
 
+                    methodsToInstrument.put(methodToInstrument, checkMethod);
+                }
                 return mv;
             }
         };
         reader.accept(visitor, 0);
         return methodsToInstrument;
     }
 
+    @SuppressForbidden(reason = "Need access to abstract methods (protected/package internal) in base class")
+    @Override
+    public InstrumentationInfo lookupImplementationMethod(
+        Class<?> targetSuperclass,
+        String methodName,
+        Class<?> implementationClass,
+        Class<?> checkerClass,
+        String checkMethodName,
+        Class<?>... parameterTypes
+    ) throws NoSuchMethodException, ClassNotFoundException {
+
+        var targetMethod = targetSuperclass.getDeclaredMethod(methodName, parameterTypes);
+        validateTargetMethod(implementationClass, targetMethod);
+
+        var checkerAdditionalArguments = Stream.of(Class.class, targetSuperclass);
+        var checkMethodArgumentTypes = Stream.concat(checkerAdditionalArguments, Arrays.stream(parameterTypes))
+            .map(Type::getType)
+            .toArray(Type[]::new);
+
+        CheckMethod[] checkMethod = new CheckMethod[1];
+
+        try {
+            InstrumenterImpl.ClassFileInfo classFileInfo = InstrumenterImpl.getClassFileInfo(checkerClass);
+            ClassReader reader = new ClassReader(classFileInfo.bytecodes());
+            ClassVisitor visitor = new ClassVisitor(Opcodes.ASM9) {
+                @Override
+                public MethodVisitor visitMethod(
+                    int access,
+                    String methodName,
+                    String methodDescriptor,
+                    String signature,
+                    String[] exceptions
+                ) {
+                    var mv = super.visitMethod(access, methodName, methodDescriptor, signature, exceptions);
+                    if (methodName.equals(checkMethodName)) {
+                        var methodArgumentTypes = Type.getArgumentTypes(methodDescriptor);
+                        if (Arrays.equals(methodArgumentTypes, checkMethodArgumentTypes)) {
+                            var checkerParameterDescriptors = Arrays.stream(methodArgumentTypes).map(Type::getDescriptor).toList();
+                            checkMethod[0] = new CheckMethod(Type.getInternalName(checkerClass), methodName, checkerParameterDescriptors);
+                        }
+                    }
+                    return mv;
+                }
+            };
+            reader.accept(visitor, 0);
+        } catch (IOException e) {
+            throw new ClassNotFoundException("Cannot find a definition for class [" + checkerClass.getName() + "]", e);
+        }
+
+        if (checkMethod[0] == null) {
+            throw new NoSuchMethodException(
+                String.format(
+                    Locale.ROOT,
+                    "Cannot find a method with name [%s] and arguments [%s] in class [%s]",
+                    checkMethodName,
+                    Arrays.stream(checkMethodArgumentTypes).map(Type::toString).collect(Collectors.joining()),
+                    checkerClass.getName()
+                )
+            );
+        }
+
+        return new InstrumentationInfo(
+            new MethodKey(
+                Type.getInternalName(implementationClass),
+                targetMethod.getName(),
+                Arrays.stream(parameterTypes).map(c -> Type.getType(c).getInternalName()).toList()
+            ),
+            checkMethod[0]
+        );
+    }
+
+    private static void validateTargetMethod(Class<?> implementationClass, Method targetMethod) {
+        if (targetMethod.getDeclaringClass().isAssignableFrom(implementationClass) == false) {
+            throw new IllegalArgumentException(
+                String.format(
+                    Locale.ROOT,
+                    "Not an implementation class for %s: %s does not implement %s",
+                    targetMethod.getName(),
+                    implementationClass.getName(),
+                    targetMethod.getDeclaringClass().getName()
+                )
+            );
+        }
+        if (Modifier.isPrivate(targetMethod.getModifiers())) {
+            throw new IllegalArgumentException(
+                String.format(
+                    Locale.ROOT,
+                    "Not a valid instrumentation method: %s is private in %s",
+                    targetMethod.getName(),
+                    targetMethod.getDeclaringClass().getName()
+                )
+            );
+        }
+        if (Modifier.isStatic(targetMethod.getModifiers())) {
+            throw new IllegalArgumentException(
+                String.format(
+                    Locale.ROOT,
+                    "Not a valid instrumentation method: %s is static in %s",
+                    targetMethod.getName(),
+                    targetMethod.getDeclaringClass().getName()
+                )
+            );
+        }
+        try {
+            var implementationMethod = implementationClass.getMethod(targetMethod.getName(), targetMethod.getParameterTypes());
+            var methodModifiers = implementationMethod.getModifiers();
+            if (Modifier.isAbstract(methodModifiers)) {
+                throw new IllegalArgumentException(
+                    String.format(
+                        Locale.ROOT,
+                        "Not a valid instrumentation method: %s is abstract in %s",
+                        targetMethod.getName(),
+                        implementationClass.getName()
+                    )
+                );
+            }
+            if (Modifier.isPublic(methodModifiers) == false) {
+                throw new IllegalArgumentException(
+                    String.format(
+                        Locale.ROOT,
+                        "Not a valid instrumentation method: %s is not public in %s",
+                        targetMethod.getName(),
+                        implementationClass.getName()
+                    )
+                );
+            }
+        } catch (NoSuchMethodException e) {
+            assert false
+                : String.format(
+                    Locale.ROOT,
+                    "Not a valid instrumentation method: %s cannot be found in %s",
+                    targetMethod.getName(),
+                    implementationClass.getName()
+                );
+        }
+    }
+
     private static final Type CLASS_TYPE = Type.getType(Class.class);
 
     static ParsedCheckerMethod parseCheckerMethodName(String checkerMethodName) {
@@ -85,8 +227,8 @@ static ParsedCheckerMethod parseCheckerMethodName(String checkerMethodName) {
                 String.format(
                     Locale.ROOT,
                     "Checker method %s has incorrect name format. "
-                        + "It should be either check$$methodName (instance), check$package_ClassName$methodName (static) or "
-                        + "check$package_ClassName$ (ctor)",
+                        + "It should be either check$package_ClassName$methodName (instance), check$package_ClassName$$methodName (static) "
+                        + "or check$package_ClassName$ (ctor)",
                     checkerMethodName
                 )
             );

libs/entitlement/asm-provider/src/test/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests.java

@@ -29,7 +29,23 @@ public class InstrumentationServiceImplTests extends ESTestCase {
 
     final InstrumentationService instrumentationService = new InstrumentationServiceImpl();
 
-    static class TestTargetClass {}
+    interface TestTargetInterface {
+        void instanceMethod(int x, String y);
+    }
+
+    static class TestTargetClass implements TestTargetInterface {
+        @Override
+        public void instanceMethod(int x, String y) {}
+    }
+
+    abstract static class TestTargetBaseClass {
+        abstract void instanceMethod(int x, String y);
+    }
+
+    static class TestTargetImplementationClass extends TestTargetBaseClass {
+        @Override
+        public void instanceMethod(int x, String y) {}
+    }
 
     interface TestChecker {
         void check$org_example_TestTargetClass$$staticMethod(Class<?> clazz, int arg0, String arg1, Object arg2);
@@ -51,6 +67,14 @@ interface TestCheckerCtors {
         void check$org_example_TestTargetClass$(Class<?> clazz, int x, String y);
     }
 
+    interface TestCheckerMixed {
+        void check$org_example_TestTargetClass$$staticMethod(Class<?> clazz, int arg0, String arg1, Object arg2);
+
+        void checkInstanceMethodManual(Class<?> clazz, TestTargetInterface that, int x, String y);
+
+        void checkInstanceMethodManual(Class<?> clazz, TestTargetBaseClass that, int x, String y);
+    }
+
     public void testInstrumentationTargetLookup() throws IOException {
         Map<MethodKey, CheckMethod> checkMethods = instrumentationService.lookupMethods(TestChecker.class);
 
@@ -168,6 +192,101 @@ public void testInstrumentationTargetLookupWithCtors() throws IOException {
         );
     }
 
+    public void testInstrumentationTargetLookupWithExtraMethods() throws IOException {
+        Map<MethodKey, CheckMethod> checkMethods = instrumentationService.lookupMethods(TestCheckerMixed.class);
+
+        assertThat(checkMethods, aMapWithSize(1));
+        assertThat(
+            checkMethods,
+            hasEntry(
+                equalTo(new MethodKey("org/example/TestTargetClass", "staticMethod", List.of("I", "java/lang/String", "java/lang/Object"))),
+                equalTo(
+                    new CheckMethod(
+                        "org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests$TestCheckerMixed",
+                        "check$org_example_TestTargetClass$$staticMethod",
+                        List.of("Ljava/lang/Class;", "I", "Ljava/lang/String;", "Ljava/lang/Object;")
+                    )
+                )
+            )
+        );
+    }
+
+    public void testLookupImplementationMethodWithInterface() throws ClassNotFoundException, NoSuchMethodException {
+        var info = instrumentationService.lookupImplementationMethod(
+            TestTargetInterface.class,
+            "instanceMethod",
+            TestTargetClass.class,
+            TestCheckerMixed.class,
+            "checkInstanceMethodManual",
+            int.class,
+            String.class
+        );
+
+        assertThat(
+            info.targetMethod(),
+            equalTo(
+                new MethodKey(
+                    "org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests$TestTargetClass",
+                    "instanceMethod",
+                    List.of("I", "java/lang/String")
+                )
+            )
+        );
+        assertThat(
+            info.checkMethod(),
+            equalTo(
+                new CheckMethod(
+                    "org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests$TestCheckerMixed",
+                    "checkInstanceMethodManual",
+                    List.of(
+                        "Ljava/lang/Class;",
+                        "Lorg/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests$TestTargetInterface;",
+                        "I",
+                        "Ljava/lang/String;"
+                    )
+                )
+            )
+        );
+    }
+
+    public void testLookupImplementationMethodWithBaseClass() throws ClassNotFoundException, NoSuchMethodException {
+        var info = instrumentationService.lookupImplementationMethod(
+            TestTargetBaseClass.class,
+            "instanceMethod",
+            TestTargetImplementationClass.class,
+            TestCheckerMixed.class,
+            "checkInstanceMethodManual",
+            int.class,
+            String.class
+        );
+
+        assertThat(
+            info.targetMethod(),
+            equalTo(
+                new MethodKey(
+                    "org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests$TestTargetImplementationClass",
+                    "instanceMethod",
+                    List.of("I", "java/lang/String")
+                )
+            )
+        );
+        assertThat(
+            info.checkMethod(),
+            equalTo(
+                new CheckMethod(
+                    "org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests$TestCheckerMixed",
+                    "checkInstanceMethodManual",
+                    List.of(
+                        "Ljava/lang/Class;",
+                        "Lorg/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImplTests$TestTargetBaseClass;",
+                        "I",
+                        "Ljava/lang/String;"
+                    )
+                )
+            )
+        );
+    }
+
     public void testParseCheckerMethodSignatureStaticMethod() {
         var methodKey = InstrumentationServiceImpl.parseCheckerMethodSignature(
             "check$org_example_TestClass$$staticMethod",

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -42,8 +42,10 @@
 import java.nio.channels.ServerSocketChannel;
 import java.nio.channels.SocketChannel;
 import java.nio.charset.Charset;
+import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.nio.file.attribute.UserPrincipal;
+import java.nio.file.spi.FileSystemProvider;
 import java.security.cert.CertStoreParameters;
 import java.util.List;
 import java.util.Locale;
@@ -448,4 +450,7 @@ public interface EntitlementChecker {
     void check$java_nio_file_Files$$probeContentType(Class<?> callerClass, Path path);
 
     void check$java_nio_file_Files$$setOwner(Class<?> callerClass, Path path, UserPrincipal principal);
+
+    // hand-wired methods
+    void checkNewInputStream(Class<?> callerClass, FileSystemProvider that, Path path, OpenOption... options);
 }