Merge branch 'main' into rest_handlers_services

Author: prdoyle

libs/entitlement/asm-provider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumenterImpl.java

@@ -60,6 +60,19 @@ public static InstrumenterImpl create(Class<?> registryClass, Map<MethodKey, Ins
         return new InstrumenterImpl(handleClass, getCheckerClassMethodDescriptor, checkMethods);
     }
 
+    private static boolean isJvmConstant(Object value) {
+        return value == null
+            || value instanceof String
+            || value instanceof Integer
+            || value instanceof Long
+            || value instanceof Float
+            || value instanceof Double
+            || value instanceof Character
+            || value instanceof Short
+            || value instanceof Byte
+            || value instanceof Boolean;
+    }
+
     private enum VerificationPhase {
         BEFORE_INSTRUMENTATION,
         AFTER_INSTRUMENTATION
@@ -291,8 +304,15 @@ public void visitCode() {
                     catchNotEntitledAndReturnEarly();
                 }
                 case DeniedEntitlementStrategy.DefaultValueDeniedEntitlementStrategy defaultValue -> {
-                    // For default value strategy we want to catch not entitled and return the default value
-                    catchNotEntitledAndReturnValue(defaultValue.getDefaultValue());
+                    // For default value strategy we want to catch not entitled and return a default value;
+                    // null, String, and boxed primitives are embedded as JVM constants, all other reference
+                    // types are retrieved at runtime via defaultValue$
+                    Object value = defaultValue.getDefaultValue();
+                    if (isJvmConstant(value)) {
+                        catchNotEntitledAndReturnValue(value);
+                    } else {
+                        catchNotEntitledAndReturnReferenceDefault();
+                    }
                 }
                 case DeniedEntitlementStrategy.MethodArgumentValueDeniedEntitlementStrategy methodArgValue -> {
                     // For method argument value strategy we want to catch not entitled and return the method argument at the given index
@@ -426,6 +446,24 @@ private void invokeInstrumentationMethod() {
             );
         }
 
+        private void catchNotEntitledAndReturnReferenceDefault() {
+            wrapInstrumentationInTryCatch(() -> {
+                mv.visitInsn(Opcodes.POP);
+                pushEntitlementChecker();
+                mv.visitLdcInsn(instrumentationId);
+                mv.visitMethodInsn(
+                    INVOKEINTERFACE,
+                    Type.getReturnType(registryClassMethodDescriptor).getInternalName(),
+                    "defaultValue$",
+                    "(Ljava/lang/String;)Ljava/lang/Object;",
+                    true
+                );
+                Type returnType = Type.getReturnType(instrumentedMethodDescriptor);
+                mv.visitTypeInsn(Opcodes.CHECKCAST, returnType.getInternalName());
+                mv.visitInsn(Opcodes.ARETURN);
+            });
+        }
+
         private void catchNotEntitledAndReturnValue(Object defaultValue) {
             wrapInstrumentationInTryCatch(() -> { returnConstantValue(defaultValue); });
         }
@@ -503,7 +541,9 @@ private void returnConstantValue(Object constant) {
                     || constant instanceof Boolean) {
                         mv.visitInsn(Opcodes.IRETURN);
                     } else {
-                        throw new IllegalStateException("unexpected check method constant [" + constant + "]");
+                        throw new IllegalStateException(
+                            "unsupported default return value [" + constant + "] of type [" + constant.getClass().getName() + "]"
+                        );
                     }
             }
         }

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/InstrumentationRegistry.java

@@ -12,4 +12,10 @@
 public interface InstrumentationRegistry {
 
     void check$(String instrumentationId, Class<?> callingClass, Object... args) throws Exception;
+
+    /**
+     * Returns the configured default reference value for the given instrumentation id.
+     * Called from bytecode catch handlers when a reference-type default is needed on denial.
+     */
+    Object defaultValue$(String instrumentationId);
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/EntitlementTest.java

@@ -32,13 +32,40 @@ enum ExpectedAccess {
     Class<? extends Exception> expectedExceptionIfDenied() default NotEntitledException.class;
 
     /**
-     * When a denied entitlement strategy returns a default value instead of throwing,
-     * this specifies the expected string representation of that default value. Test methods
-     * using this must return a {@code String} representing the actual result. The test
-     * infrastructure will verify the returned value matches this when running in a denied context.
-     * An empty string (the default) means no default value check is performed.
+     * When a denied entitlement strategy returns a non-null default value instead of throwing,
+     * this specifies the expected string representation of that default value as a single-element
+     * array. Test methods using this must return the actual result (any type); the infrastructure
+     * converts it via {@code toString()}. The test infrastructure will verify the returned value
+     * matches the element when running in a denied context.
+     * An empty array (the default) means no default value check is performed.
+     * Mutually exclusive with {@link #isExpectedDefaultNull()} and {@link #isExpectedNoOp()}.
      */
-    String expectedDefaultIfDenied() default "";
+    String[] expectedDefaultIfDenied() default {};
+
+    /**
+     * When set, the test infrastructure will verify that the actual result type matches this class.
+     * This disambiguates cases where different types produce the same {@code toString()} output
+     * (e.g. empty {@link java.util.List} and empty {@link java.util.Set} both produce {@code "[]"}).
+     * Only meaningful when {@link #expectedDefaultIfDenied()} is also set.
+     * {@code void.class} (the default) means no type check is performed.
+     */
+    Class<?> expectedDefaultType() default void.class;
+
+    /**
+     * When a denied entitlement strategy returns {@code null} instead of throwing,
+     * set this to {@code true}. The test infrastructure will verify that the result
+     * is actually {@code null} when running in a denied context.
+     * Mutually exclusive with {@link #expectedDefaultIfDenied()} and {@link #isExpectedNoOp()}.
+     */
+    boolean isExpectedDefaultNull() default false;
+
+    /**
+     * When a denied entitlement strategy silently returns early (no-op) for a void method
+     * instead of throwing, set this to {@code true}. The test infrastructure will accept
+     * a successful response as valid denial behavior.
+     * Mutually exclusive with {@link #expectedDefaultIfDenied()} and {@link #isExpectedDefaultNull()}.
+     */
+    boolean isExpectedNoOp() default false;
 
     int fromJavaVersion() default -1;
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java

@@ -43,10 +43,13 @@ public class RestEntitlementsCheckAction extends BaseRestHandler {
     private static final Logger logger = LogManager.getLogger(RestEntitlementsCheckAction.class);
 
     record CheckAction(
-        CheckedFunction<Environment, String, Exception> action,
+        CheckedFunction<Environment, Object, Exception> action,
         EntitlementTest.ExpectedAccess expectedAccess,
         Class<? extends Exception> expectedExceptionIfDenied,
-        String expectedDefaultIfDenied,
+        String[] expectedDefaultIfDenied,
+        Class<?> expectedDefaultType,
+        boolean isExpectedDefaultNull,
+        boolean isExpectedNoOp,
         Integer fromJavaVersion
     ) {}
 
@@ -103,15 +106,39 @@ private static void getTestEntries(List<Entry<String, CheckAction>> entries, Cla
             if (Modifier.isPrivate(method.getModifiers())) {
                 throw new AssertionError("Entitlement test method [" + method + "] must not be private");
             }
-            String expectedDefault = testAnnotation.expectedDefaultIfDenied();
-            if (expectedDefault.isEmpty() == false && method.getReturnType() != String.class) {
-                throw new AssertionError("Entitlement test method [" + method + "] must return String when expectedDefaultIfDenied is set");
+            String[] expectedDefault = testAnnotation.expectedDefaultIfDenied();
+            Class<?> expectedDefaultType = testAnnotation.expectedDefaultType();
+            boolean isExpectedDefaultNull = testAnnotation.isExpectedDefaultNull();
+            boolean isExpectedNoOp = testAnnotation.isExpectedNoOp();
+            boolean hasDefaultValue = expectedDefault.length > 0;
+            if (hasDefaultValue && expectedDefault.length != 1) {
+                throw new AssertionError("Entitlement test method [" + method + "] expectedDefaultIfDenied must have exactly one element");
+            }
+            if (expectedDefaultType != void.class && hasDefaultValue == false) {
+                throw new AssertionError(
+                    "Entitlement test method [" + method + "] expectedDefaultType requires expectedDefaultIfDenied to be set"
+                );
+            }
+            int denialStrategyCount = (hasDefaultValue ? 1 : 0) + (isExpectedDefaultNull ? 1 : 0) + (isExpectedNoOp ? 1 : 0);
+            if (denialStrategyCount > 1) {
+                throw new AssertionError(
+                    "Entitlement test method ["
+                        + method
+                        + "] must set at most one of expectedDefaultIfDenied, isExpectedDefaultNull, or isExpectedNoOp"
+                );
+            }
+            if ((hasDefaultValue || isExpectedDefaultNull) && method.getReturnType() == void.class) {
+                throw new AssertionError(
+                    "Entitlement test method [" + method + "] must have a return type when a default value is expected"
+                );
+            }
+            if (isExpectedNoOp && method.getReturnType() != void.class) {
+                throw new AssertionError("Entitlement test method [" + method + "] must be void when isExpectedNoOp is set");
             }
             final CheckedFunction<Environment, Object, Exception> call = createFunctionForMethod(method);
-            CheckedFunction<Environment, String, Exception> action = env -> {
+            CheckedFunction<Environment, Object, Exception> action = env -> {
                 try {
-                    Object result = call.apply(env);
-                    return result == null ? null : result.toString();
+                    return call.apply(env);
                 } catch (IllegalAccessException e) {
                     throw new AssertionError(e);
                 } catch (InvocationTargetException e) {
@@ -128,6 +155,9 @@ private static void getTestEntries(List<Entry<String, CheckAction>> entries, Cla
                 testAnnotation.expectedAccess(),
                 testAnnotation.expectedExceptionIfDenied(),
                 expectedDefault,
+                expectedDefaultType,
+                isExpectedDefaultNull,
+                isExpectedNoOp,
                 fromJavaVersion
             );
             if (filter.test(checkAction)) {
@@ -216,19 +246,32 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
             logger.info("Calling check action [{}]", actionName);
             RestResponse response;
             try {
-                String result = checkAction.action().apply(environment);
-                response = new RestResponse(RestStatus.OK, Strings.format("Succesfully executed action [%s]", actionName));
+                Object result = checkAction.action().apply(environment);
+                response = new RestResponse(RestStatus.OK, Strings.format("Successfully executed action [%s]", actionName));
                 if (result != null) {
-                    response.addHeader("resultValue", result);
+                    response.addHeader("resultValue", result.toString());
+                    response.addHeader("resultType", result.getClass().getName());
+                } else {
+                    response.addHeader("resultIsNull", "true");
+                }
+                if (checkAction.expectedDefaultIfDenied().length == 1) {
+                    response.addHeader("expectedDefaultIfDenied", checkAction.expectedDefaultIfDenied()[0]);
+                }
+                if (checkAction.expectedDefaultType() != void.class) {
+                    response.addHeader("expectedDefaultType", checkAction.expectedDefaultType().getName());
+                }
+                if (checkAction.isExpectedDefaultNull()) {
+                    response.addHeader("isExpectedDefaultNull", "true");
                 }
-                if (checkAction.expectedDefaultIfDenied().isEmpty() == false) {
-                    response.addHeader("expectedDefaultIfDenied", checkAction.expectedDefaultIfDenied());
+                if (checkAction.isExpectedNoOp()) {
+                    response.addHeader("isExpectedNoOp", "true");
                 }
             } catch (Exception e) {
                 var statusCode = checkAction.expectedExceptionIfDenied.isInstance(e)
                     ? RestStatus.FORBIDDEN
                     : RestStatus.INTERNAL_SERVER_ERROR;
                 response = new RestResponse(channel, statusCode, e);
+                response.addHeader("actualException", e.getClass().getName());
                 response.addHeader("expectedException", checkAction.expectedExceptionIfDenied.getName());
                 if (statusCode == RestStatus.FORBIDDEN && e.getCause() != null) {
                     response.addHeader("notEntitledCause", String.valueOf(hasCause(e, NOT_ENTITLED_EXCEPTION_NAME)));

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/AbstractEntitlementsIT.java

@@ -78,15 +78,32 @@ public void testAction() throws IOException {
         } else {
             try {
                 Response result = executeCheck();
-                // If the call succeeded in a denied context, a default value strategy must be in play.
-                // Verify the returned default matches the expected value.
-                String expectedDefault = result.getHeader("expectedDefaultIfDenied");
-                assertNotNull(
-                    "Action [" + actionName + "] succeeded in denied context but has no expectedDefaultIfDenied",
-                    expectedDefault
-                );
-                String actualValue = result.getHeader("resultValue");
-                assertThat("Action [" + actionName + "] returned unexpected default value", actualValue, equalTo(expectedDefault));
+                assertThat(result.getStatusLine().getStatusCode(), equalTo(200));
+                if ("true".equals(result.getHeader("isExpectedNoOp"))) {
+                    // void method with elseReturnEarly — silent success is expected
+                } else if ("true".equals(result.getHeader("isExpectedDefaultNull"))) {
+                    assertTrue(
+                        "Action [" + actionName + "] expected null default but got a non-null result",
+                        "true".equals(result.getHeader("resultIsNull"))
+                    );
+                } else if (result.getHeader("expectedDefaultIfDenied") != null) {
+                    String actualValue = result.getHeader("resultValue");
+                    assertThat(
+                        "Action [" + actionName + "] returned unexpected default value",
+                        actualValue,
+                        equalTo(result.getHeader("expectedDefaultIfDenied"))
+                    );
+                    String expectedType = result.getHeader("expectedDefaultType");
+                    if (expectedType != null) {
+                        assertThat(
+                            "Action [" + actionName + "] returned unexpected default type",
+                            result.getHeader("resultType"),
+                            equalTo(expectedType)
+                        );
+                    }
+                } else {
+                    fail("Action [" + actionName + "] was expected to be denied but succeeded");
+                }
             } catch (ResponseException exception) {
                 assertThat(exception, statusCodeMatcher(403));
             }
@@ -105,6 +122,11 @@ protected boolean matchesSafely(ResponseException item) {
                 if (resp.getStatusLine().getStatusCode() != statusCode || expectedException == null) {
                     return false;
                 }
+                String actualException = resp.getHeader("actualException");
+                if (expectedException.equals(actualException) == false) {
+                    mismatchDetail = "expected exception [" + expectedException + "] but got [" + actualException + "]";
+                    return false;
+                }
                 String notEntitledCause = resp.getHeader("notEntitledCause");
                 if ("false".equals(notEntitledCause)) {
                     mismatchDetail = "expected NotEntitledException in cause chain but it was absent";

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/registry/InstrumentationRegistryImpl.java

@@ -47,6 +47,15 @@ public InstrumentationRegistryImpl(PolicyChecker policyChecker) {
         }
     }
 
+    @Override
+    public Object defaultValue$(String instrumentationId) {
+        DeniedEntitlementStrategy strategy = implementationIdToStrategy.get(instrumentationId);
+        if (strategy instanceof DeniedEntitlementStrategy.DefaultValueDeniedEntitlementStrategy<?> defaultValue) {
+            return defaultValue.getDefaultValue();
+        }
+        throw new IllegalStateException("No default value configured for instrumentation id [" + instrumentationId + "]");
+    }
+
     @Override
     public Map<MethodKey, InstrumentationInfo> getInstrumentedMethods() {
         return Collections.unmodifiableMap(methodToImplementationInfo);

server/src/main/java/org/elasticsearch/common/settings/ClusterSettings.java

@@ -340,6 +340,7 @@ public void apply(Settings value, Settings current, Settings previous) {
         HttpTransportSettings.SETTING_CORS_ALLOW_HEADERS,
         HttpTransportSettings.SETTING_HTTP_DETAILED_ERRORS_ENABLED,
         HttpTransportSettings.SETTING_HTTP_MAX_CONTENT_LENGTH,
+        HttpTransportSettings.SETTING_HTTP_MAX_PROTOBUF_CONTENT_LENGTH,
         HttpTransportSettings.SETTING_HTTP_MAX_CHUNK_SIZE,
         HttpTransportSettings.SETTING_HTTP_MAX_HEADER_SIZE,
         HttpTransportSettings.SETTING_HTTP_MAX_WARNING_HEADER_COUNT,

server/src/main/java/org/elasticsearch/http/HttpTransportSettings.java

@@ -92,6 +92,13 @@ public final class HttpTransportSettings {
         ByteSizeValue.ofBytes(Integer.MAX_VALUE),
         Property.NodeScope
     );
+    public static final Setting<ByteSizeValue> SETTING_HTTP_MAX_PROTOBUF_CONTENT_LENGTH = Setting.byteSizeSetting(
+        "http.max_protobuf_content_length",
+        ByteSizeValue.of(8, ByteSizeUnit.MB),
+        ByteSizeValue.ZERO,
+        ByteSizeValue.ofBytes(Integer.MAX_VALUE),
+        Property.NodeScope
+    );
     public static final Setting<ByteSizeValue> SETTING_HTTP_MAX_CHUNK_SIZE = Setting.byteSizeSetting(
         "http.max_chunk_size",
         ByteSizeValue.of(8, ByteSizeUnit.KB),

server/src/main/java/org/elasticsearch/index/IndexingPressure.java

@@ -303,6 +303,18 @@ public void increment(int operations, long bytes) {
             totalCoordinatingRequests.getAndIncrement();
         }
 
+        /**
+         * Reduces the tracked byte count for this coordinating operation without closing it.
+         * Use this to lower a reservation once the actual size is known to be smaller than the initially reserved amount.
+         */
+        public void reduceBytes(long bytes) {
+            assert closed.get() == false;
+            assert currentOperationsSize >= bytes;
+            currentOperationsSize -= bytes;
+            currentCombinedCoordinatingAndPrimaryBytes.getAndAdd(-bytes);
+            currentCoordinatingBytes.getAndAdd(-bytes);
+        }
+
         @Override
         public void close() {
             if (closed.compareAndSet(false, true)) {