Merge branch 'main' into bump_json_smart

Author: jfreden

.buildkite/pipelines/intake.yml

@@ -76,7 +76,7 @@ steps:
             ES_VERSION:
               - "9.0.0"
             ES_COMMIT:
-              - "b2cc9d9b8f00ee621f93ddca07ea9c671aab1578" # update to match last commit before lucene bump
+              - "10352e57d85505984582616e1e38530d3ec6ca59" # update to match last commit before lucene bump / head of combat-lucene-10-0-0
         agents:
           provider: gcp
           image: family/elasticsearch-ubuntu-2004

build-tools-internal/version.properties

@@ -17,7 +17,7 @@ jna               = 5.12.1
 netty             = 4.1.115.Final
 commons_lang3     = 3.9
 google_oauth_client = 1.34.1
-awsv1sdk            = 1.12.270
+awsv1sdk            = 1.12.746
 awsv2sdk            = 2.28.13
 reactive_streams    = 1.0.4
 

docs/changelog/122431.yaml

@@ -0,0 +1,5 @@
+pr: 122431
+summary: Upgrade AWS SDK to v1.12.746
+area: Snapshot/Restore
+type: upgrade
+issues: []

gradle/verification-metadata.xml

@@ -89,29 +89,29 @@
             <sha256 value="ccc7efe5cd3ce22d6046cafd4d2f8bff5adcb43e0d27da482178fac5daadef81" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-core" version="1.12.270">
-         <artifact name="aws-java-sdk-core-1.12.270.jar">
-            <sha256 value="4e41d9f54606151674fc550e5e6291b0ddf917d55a2a3465a45a4e6ac98c9f8f" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-core" version="1.12.746">
+         <artifact name="aws-java-sdk-core-1.12.746.jar">
+            <sha256 value="798fd30dafcf6816e760ad8aef8b3f09c43351ed2e166993bddc4527dbafb0be" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-ec2" version="1.12.270">
-         <artifact name="aws-java-sdk-ec2-1.12.270.jar">
-            <sha256 value="faadf443751822e205338e80d2cea5eabd6373c1c3cef6348c24809ca82a9dd0" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-ec2" version="1.12.746">
+         <artifact name="aws-java-sdk-ec2-1.12.746.jar">
+            <sha256 value="cec22d57e05ed75417b1342e9dd468c6fe7f2fab97c626c065d6495e44d732ad" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-s3" version="1.12.270">
-         <artifact name="aws-java-sdk-s3-1.12.270.jar">
-            <sha256 value="41bbea44bac7cfce3898e2e598a17526984337e265f6b16814839c17168a570e" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-s3" version="1.12.746">
+         <artifact name="aws-java-sdk-s3-1.12.746.jar">
+            <sha256 value="dcd839802c71ffc4d3e6bebc8769a2149bc423baf95f3e6c8214f9c91536bc38" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-sts" version="1.12.270">
-         <artifact name="aws-java-sdk-sts-1.12.270.jar">
-            <sha256 value="8cf2d3705381b81808c2e75a5e25a7097385b121ef15c001b18fde3d79657571" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-sts" version="1.12.746">
+         <artifact name="aws-java-sdk-sts-1.12.746.jar">
+            <sha256 value="2916c28f9a6b6ade40c7e2ffdea3788b198a98b2b16830e02a24ec49fc0fb06f" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="jmespath-java" version="1.12.270">
-         <artifact name="jmespath-java-1.12.270.jar">
-            <sha256 value="515d1afb0cd0176630c0707acabd4a3e48424ea938b89359774f61a24b6450f1" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="jmespath-java" version="1.12.746">
+         <artifact name="jmespath-java-1.12.746.jar">
+            <sha256 value="d4239a7a1bfacbb9cd1f0e48a46ac95960ab7942c6fbb41ea825161efea72351" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.avast.gradle" name="gradle-docker-compose-plugin" version="0.17.5">

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -10,6 +10,8 @@
 package org.elasticsearch.entitlement.bridge;
 
 import java.io.File;
+import java.io.FileFilter;
+import java.io.FilenameFilter;
 import java.io.InputStream;
 import java.io.PrintStream;
 import java.io.PrintWriter;
@@ -512,6 +514,12 @@ public interface EntitlementChecker {
     //
 
     // old io (ie File)
+    void check$java_io_File$canExecute(Class<?> callerClass, File file);
+
+    void check$java_io_File$canRead(Class<?> callerClass, File file);
+
+    void check$java_io_File$canWrite(Class<?> callerClass, File file);
+
     void check$java_io_File$createNewFile(Class<?> callerClass, File file);
 
     void check$java_io_File$$createTempFile(Class<?> callerClass, String prefix, String suffix, File directory);
@@ -520,6 +528,28 @@ public interface EntitlementChecker {
 
     void check$java_io_File$deleteOnExit(Class<?> callerClass, File file);
 
+    void check$java_io_File$exists(Class<?> callerClass, File file);
+
+    void check$java_io_File$isDirectory(Class<?> callerClass, File file);
+
+    void check$java_io_File$isFile(Class<?> callerClass, File file);
+
+    void check$java_io_File$isHidden(Class<?> callerClass, File file);
+
+    void check$java_io_File$lastModified(Class<?> callerClass, File file);
+
+    void check$java_io_File$length(Class<?> callerClass, File file);
+
+    void check$java_io_File$list(Class<?> callerClass, File file);
+
+    void check$java_io_File$list(Class<?> callerClass, File file, FilenameFilter filter);
+
+    void check$java_io_File$listFiles(Class<?> callerClass, File file);
+
+    void check$java_io_File$listFiles(Class<?> callerClass, File file, FileFilter filter);
+
+    void check$java_io_File$listFiles(Class<?> callerClass, File file, FilenameFilter filter);
+
     void check$java_io_File$mkdir(Class<?> callerClass, File file);
 
     void check$java_io_File$mkdirs(Class<?> callerClass, File file);

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java

@@ -46,6 +46,21 @@ static Path readWriteFile() {
         return testRootDir.resolve("read_write_file");
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanExecute() throws IOException {
+        readFile().toFile().canExecute();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanRead() throws IOException {
+        readFile().toFile().canRead();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanWrite() throws IOException {
+        readFile().toFile().canWrite();
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void fileCreateNewFile() throws IOException {
         readWriteDir().resolve("new_file").toFile().createNewFile();
@@ -70,6 +85,61 @@ static void fileDeleteOnExit() throws IOException {
         toDelete.toFile().deleteOnExit();
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileExists() throws IOException {
+        readFile().toFile().exists();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsDirectory() throws IOException {
+        readFile().toFile().isDirectory();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsFile() throws IOException {
+        readFile().toFile().isFile();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsHidden() throws IOException {
+        readFile().toFile().isHidden();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileLastModified() throws IOException {
+        readFile().toFile().lastModified();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileLength() throws IOException {
+        readFile().toFile().length();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileList() throws IOException {
+        readDir().toFile().list();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListWithFilter() throws IOException {
+        readDir().toFile().list((dir, name) -> true);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFiles() throws IOException {
+        readDir().toFile().listFiles();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFilesWithFileFilter() throws IOException {
+        readDir().toFile().listFiles(pathname -> true);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFilesWithFilenameFilter() throws IOException {
+        readDir().toFile().listFiles((dir, name) -> true);
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void fileMkdir() throws IOException {
         Path mkdir = readWriteDir().resolve("mkdir");

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.entitlement.initialization;
 
+import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.internal.provider.ProviderLocator;
 import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
 import org.elasticsearch.entitlement.bridge.EntitlementChecker;
@@ -133,7 +134,7 @@ private static Class<?>[] findClassesToRetransform(Class<?>[] loadedClasses, Set
     private static PolicyManager createPolicyManager() {
         EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
         Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
-        var pathLookup = new PathLookup(bootstrapArgs.configDir(), bootstrapArgs.dataDirs(), bootstrapArgs.tempDir());
+        var pathLookup = new PathLookup(getUserHome(), bootstrapArgs.configDir(), bootstrapArgs.dataDirs(), bootstrapArgs.tempDir());
         Path logsDir = EntitlementBootstrap.bootstrapArgs().logsDir();
 
         // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
@@ -221,6 +222,14 @@ private static PolicyManager createPolicyManager() {
         );
     }
 
+    private static Path getUserHome() {
+        String userHome = System.getProperty("user.home");
+        if (userHome == null) {
+            throw new IllegalStateException("user.home system property is required");
+        }
+        return PathUtils.get(userHome);
+    }
+
     private static Stream<InstrumentationService.InstrumentationInfo> fileSystemProviderChecks() throws ClassNotFoundException,
         NoSuchMethodException {
         var fileSystemProviderClass = FileSystems.getDefault().provider().getClass();

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -14,6 +14,8 @@
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 
 import java.io.File;
+import java.io.FileFilter;
+import java.io.FilenameFilter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
@@ -955,6 +957,21 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
 
     // old io (ie File)
 
+    @Override
+    public void check$java_io_File$canExecute(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$canRead(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$canWrite(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
     @Override
     public void check$java_io_File$createNewFile(Class<?> callerClass, File file) {
         policyManager.checkFileWrite(callerClass, file);
@@ -975,6 +992,61 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
         policyManager.checkFileWrite(callerClass, file);
     }
 
+    @Override
+    public void check$java_io_File$exists(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isDirectory(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isFile(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isHidden(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$lastModified(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$length(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$list(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$list(Class<?> callerClass, File file, FilenameFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class<?> callerClass, File file, FileFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class<?> callerClass, File file, FilenameFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
     @Override
     public void check$java_io_File$mkdir(Class<?> callerClass, File file) {
         policyManager.checkFileWrite(callerClass, file);

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PathLookup.java

@@ -11,4 +11,4 @@
 
 import java.nio.file.Path;
 
-public record PathLookup(Path configDir, Path[] dataDirs, Path tempDir) {}
+public record PathLookup(Path homeDir, Path configDir, Path[] dataDirs, Path tempDir) {}

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -36,7 +36,8 @@ public enum Mode {
 
     public enum BaseDir {
         CONFIG,
-        DATA
+        DATA,
+        HOME
     }
 
     public sealed interface FileData {
@@ -46,12 +47,10 @@ public sealed interface FileData {
         Mode mode();
 
         static FileData ofPath(Path path, Mode mode) {
-            assert path.isAbsolute();
             return new AbsolutePathFileData(path, mode);
         }
 
         static FileData ofRelativePath(Path relativePath, BaseDir baseDir, Mode mode) {
-            assert relativePath.isAbsolute() == false;
             return new RelativePathFileData(relativePath, baseDir, mode);
         }
     }
@@ -73,6 +72,8 @@ public Stream<Path> resolvePaths(PathLookup pathLookup) {
                     return Stream.of(pathLookup.configDir().resolve(relativePath));
                 case DATA:
                     return Arrays.stream(pathLookup.dataDirs()).map(d -> d.resolve(relativePath));
+                case HOME:
+                    return Stream.of(pathLookup.homeDir().resolve(relativePath));
                 default:
                     throw new IllegalArgumentException();
             }
@@ -90,12 +91,14 @@ private static Mode parseMode(String mode) {
     }
 
     private static BaseDir parseBaseDir(String baseDir) {
-        if (baseDir.equals("config")) {
-            return BaseDir.CONFIG;
-        } else if (baseDir.equals("data")) {
-            return BaseDir.DATA;
-        }
-        throw new PolicyValidationException("invalid relative directory: " + baseDir + ", valid values: [config, data]");
+        return switch (baseDir) {
+            case "config" -> BaseDir.CONFIG;
+            case "data" -> BaseDir.DATA;
+            case "home" -> BaseDir.HOME;
+            default -> throw new PolicyValidationException(
+                "invalid relative directory: " + baseDir + ", valid values: [config, data, home]"
+            );
+        };
     }
 
     @ExternalEntitlement(parameterNames = { "paths" }, esModulesOnly = false)