Entitlements for JDK-wide global state changes (elastic#119592)

* Refactor: separate check method name vs signature parsing

* Cosmetic: change checker comment format

* Entitlements for JDK-wide global state

* [CI] Auto commit changes from spotless

* Comment explaining entitlement add-exports

* @SuppressForbidden

* Refactor: rename dummy subclases

---------

Co-authored-by: elasticsearchmachine <[email protected]>

Author: prdoyle

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java

@@ -167,12 +167,16 @@ private static Stream<String> maybeAttachEntitlementAgent(boolean useEntitlement
         } catch (IOException e) {
             throw new IllegalStateException("Failed to list entitlement jars in: " + dir, e);
         }
+        // We instrument classes in these modules to call the bridge. Because the bridge gets patched
+        // into java.base, we must export the bridge from java.base to these modules.
+        String modulesContainingEntitlementInstrumentation = "java.logging";
         return Stream.of(
             "-Des.entitlements.enabled=true",
             "-XX:+EnableDynamicAgentLoading",
             "-Djdk.attach.allowAttachSelf=true",
             "--patch-module=java.base=" + bridgeJar,
-            "--add-exports=java.base/org.elasticsearch.entitlement.bridge=org.elasticsearch.entitlement"
+            "--add-exports=java.base/org.elasticsearch.entitlement.bridge=org.elasticsearch.entitlement,"
+                + modulesContainingEntitlementInstrumentation
         );
     }
 }

libs/entitlement/asm-provider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java

@@ -66,7 +66,7 @@ public MethodVisitor visitMethod(
 
     private static final Type CLASS_TYPE = Type.getType(Class.class);
 
-    static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] checkerMethodArgumentTypes) {
+    static ParsedCheckerMethod parseCheckerMethodName(String checkerMethodName) {
         boolean targetMethodIsStatic;
         int classNameEndIndex = checkerMethodName.lastIndexOf("$$");
         int methodNameStartIndex;
@@ -100,9 +100,14 @@ static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] ch
         if (targetClassName.isBlank()) {
             throw new IllegalArgumentException(String.format(Locale.ROOT, "Checker method %s has no class name", checkerMethodName));
         }
+        return new ParsedCheckerMethod(targetClassName, targetMethodName, targetMethodIsStatic, targetMethodIsCtor);
+    }
+
+    static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] checkerMethodArgumentTypes) {
+        ParsedCheckerMethod checkerMethod = parseCheckerMethodName(checkerMethodName);
 
         final List<String> targetParameterTypes;
-        if (targetMethodIsStatic || targetMethodIsCtor) {
+        if (checkerMethod.targetMethodIsStatic() || checkerMethod.targetMethodIsCtor()) {
             if (checkerMethodArgumentTypes.length < 1 || CLASS_TYPE.equals(checkerMethodArgumentTypes[0]) == false) {
                 throw new IllegalArgumentException(
                     String.format(
@@ -130,7 +135,13 @@ static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] ch
             }
             targetParameterTypes = Arrays.stream(checkerMethodArgumentTypes).skip(2).map(Type::getInternalName).toList();
         }
-        boolean hasReceiver = (targetMethodIsStatic || targetMethodIsCtor) == false;
-        return new MethodKey(targetClassName, targetMethodName, targetParameterTypes);
+        return new MethodKey(checkerMethod.targetClassName(), checkerMethod.targetMethodName(), targetParameterTypes);
     }
+
+    private record ParsedCheckerMethod(
+        String targetClassName,
+        String targetMethodName,
+        boolean targetMethodIsStatic,
+        boolean targetMethodIsCtor
+    ) {}
 }

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -9,6 +9,13 @@
 
 package org.elasticsearch.entitlement.bridge;
 
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.net.ContentHandlerFactory;
+import java.net.DatagramSocketImplFactory;
+import java.net.FileNameMap;
+import java.net.SocketImplFactory;
 import java.net.URL;
 import java.net.URLStreamHandlerFactory;
 import java.util.List;
@@ -21,26 +28,42 @@
 @SuppressWarnings("unused") // Called from instrumentation code inserted by the Entitlements agent
 public interface EntitlementChecker {
 
+    ////////////////////
+    //
     // Exit the JVM process
+    //
+
     void check$java_lang_Runtime$exit(Class<?> callerClass, Runtime runtime, int status);
 
     void check$java_lang_Runtime$halt(Class<?> callerClass, Runtime runtime, int status);
 
+    ////////////////////
+    //
     // ClassLoader ctor
+    //
+
     void check$java_lang_ClassLoader$(Class<?> callerClass);
 
     void check$java_lang_ClassLoader$(Class<?> callerClass, ClassLoader parent);
 
     void check$java_lang_ClassLoader$(Class<?> callerClass, String name, ClassLoader parent);
 
+    ////////////////////
+    //
     // SecureClassLoader ctor
+    //
+
     void check$java_security_SecureClassLoader$(Class<?> callerClass);
 
     void check$java_security_SecureClassLoader$(Class<?> callerClass, ClassLoader parent);
 
     void check$java_security_SecureClassLoader$(Class<?> callerClass, String name, ClassLoader parent);
 
+    ////////////////////
+    //
     // URLClassLoader constructors
+    //
+
     void check$java_net_URLClassLoader$(Class<?> callerClass, URL[] urls);
 
     void check$java_net_URLClassLoader$(Class<?> callerClass, URL[] urls, ClassLoader parent);
@@ -51,7 +74,11 @@ public interface EntitlementChecker {
 
     void check$java_net_URLClassLoader$(Class<?> callerClass, String name, URL[] urls, ClassLoader parent, URLStreamHandlerFactory factory);
 
+    ////////////////////
+    //
     // "setFactory" methods
+    //
+
     void check$javax_net_ssl_HttpsURLConnection$setSSLSocketFactory(Class<?> callerClass, HttpsURLConnection conn, SSLSocketFactory sf);
 
     void check$javax_net_ssl_HttpsURLConnection$$setDefaultSSLSocketFactory(Class<?> callerClass, SSLSocketFactory sf);
@@ -60,9 +87,82 @@ public interface EntitlementChecker {
 
     void check$javax_net_ssl_SSLContext$$setDefault(Class<?> callerClass, SSLContext context);
 
+    ////////////////////
+    //
     // Process creation
+    //
+
     void check$java_lang_ProcessBuilder$start(Class<?> callerClass, ProcessBuilder that);
 
     void check$java_lang_ProcessBuilder$$startPipeline(Class<?> callerClass, List<ProcessBuilder> builders);
 
+    ////////////////////
+    //
+    // JVM-wide state changes
+    //
+
+    void check$java_lang_System$$setIn(Class<?> callerClass, InputStream in);
+
+    void check$java_lang_System$$setOut(Class<?> callerClass, PrintStream out);
+
+    void check$java_lang_System$$setErr(Class<?> callerClass, PrintStream err);
+
+    void check$java_lang_Runtime$addShutdownHook(Class<?> callerClass, Runtime runtime, Thread hook);
+
+    void check$java_lang_Runtime$removeShutdownHook(Class<?> callerClass, Runtime runtime, Thread hook);
+
+    void check$jdk_tools_jlink_internal_Jlink$(Class<?> callerClass);
+
+    void check$jdk_tools_jlink_internal_Main$$run(Class<?> callerClass, PrintWriter out, PrintWriter err, String... args);
+
+    void check$jdk_vm_ci_services_JVMCIServiceLocator$$getProviders(Class<?> callerClass, Class<?> service);
+
+    void check$jdk_vm_ci_services_Services$$load(Class<?> callerClass, Class<?> service);
+
+    void check$jdk_vm_ci_services_Services$$loadSingle(Class<?> callerClass, Class<?> service, boolean required);
+
+    void check$com_sun_tools_jdi_VirtualMachineManagerImpl$$virtualMachineManager(Class<?> callerClass);
+
+    void check$java_lang_Thread$$setDefaultUncaughtExceptionHandler(Class<?> callerClass, Thread.UncaughtExceptionHandler ueh);
+
+    void check$java_util_spi_LocaleServiceProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_BreakIteratorProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_CollatorProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_DateFormatProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_DateFormatSymbolsProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_DecimalFormatSymbolsProvider$(Class<?> callerClass);
+
+    void check$java_text_spi_NumberFormatProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_CalendarDataProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_CalendarNameProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_CurrencyNameProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_LocaleNameProvider$(Class<?> callerClass);
+
+    void check$java_util_spi_TimeZoneNameProvider$(Class<?> callerClass);
+
+    void check$java_util_logging_LogManager$(Class<?> callerClass);
+
+    void check$java_net_DatagramSocket$$setDatagramSocketImplFactory(Class<?> callerClass, DatagramSocketImplFactory fac);
+
+    void check$java_net_HttpURLConnection$$setFollowRedirects(Class<?> callerClass, boolean set);
+
+    void check$java_net_ServerSocket$$setSocketFactory(Class<?> callerClass, SocketImplFactory fac);
+
+    void check$java_net_Socket$$setSocketImplFactory(Class<?> callerClass, SocketImplFactory fac);
+
+    void check$java_net_URL$$setURLStreamHandlerFactory(Class<?> callerClass, URLStreamHandlerFactory fac);
+
+    void check$java_net_URLConnection$$setFileNameMap(Class<?> callerClass, FileNameMap map);
+
+    void check$java_net_URLConnection$$setContentHandlerFactory(Class<?> callerClass, ContentHandlerFactory fac);
+
 }

libs/entitlement/qa/common/src/main/java/module-info.java

@@ -12,5 +12,8 @@
     requires org.elasticsearch.base;
     requires org.elasticsearch.logging;
 
+    // Modules we'll attempt to use in order to exercise entitlements
+    requires java.logging;
+
     exports org.elasticsearch.entitlement.qa.common;
 }