Merge branch 'main' into lucene_snapshot_10_1

Author: ChrisHegarty

docs/changelog/119580.yaml

@@ -0,0 +1,5 @@
+pr: 119580
+summary: Do not serialize `EsIndex` in plan
+area: ES|QL
+type: enhancement
+issues: []

docs/changelog/120458.yaml

@@ -0,0 +1,5 @@
+pr: 120458
+summary: Do not recommend increasing `max_shards_per_node`
+area: Health
+type: bug
+issues: []

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -269,10 +269,7 @@ public interface EntitlementChecker {
     // Network miscellanea
     void check$java_net_URL$openConnection(Class<?> callerClass, java.net.URL that, Proxy proxy);
 
-    // HttpClient.Builder is an interface, so we instrument its only (internal) implementation
-    void check$jdk_internal_net_http_HttpClientBuilderImpl$build(Class<?> callerClass, HttpClient.Builder that);
-
-    // HttpClient#send and sendAsync are abstract, so we instrument their internal implementation
+    // HttpClient#send and sendAsync are abstract, so we instrument their internal implementations
     void check$jdk_internal_net_http_HttpClientImpl$send(
         Class<?> callerClass,
         HttpClient that,
@@ -295,6 +292,28 @@ public interface EntitlementChecker {
         HttpResponse.PushPromiseHandler<?> pushPromiseHandler
     );
 
+    void check$jdk_internal_net_http_HttpClientFacade$send(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest request,
+        HttpResponse.BodyHandler<?> responseBodyHandler
+    );
+
+    void check$jdk_internal_net_http_HttpClientFacade$sendAsync(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest userRequest,
+        HttpResponse.BodyHandler<?> responseHandler
+    );
+
+    void check$jdk_internal_net_http_HttpClientFacade$sendAsync(
+        Class<?> callerClass,
+        HttpClient that,
+        HttpRequest userRequest,
+        HttpResponse.BodyHandler<?> responseHandler,
+        HttpResponse.PushPromiseHandler<?> pushPromiseHandler
+    );
+
     // We need to check the LDAPCertStore, as this will connect, but this is internal/created via SPI,
     // so we instrument the general factory instead and then filter in the check method implementation
     void check$java_security_cert_CertStore$$getInstance(Class<?> callerClass, String type, CertStoreParameters params);

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/NetworkAccessCheckActions.java

@@ -20,9 +20,6 @@
 import java.net.SocketException;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.http.HttpResponse;
 import java.nio.ByteBuffer;
 import java.nio.channels.AsynchronousServerSocketChannel;
 import java.nio.channels.AsynchronousSocketChannel;
@@ -84,43 +81,6 @@ static void urlOpenConnectionWithProxy() throws URISyntaxException, IOException
         assert urlConnection != null;
     }
 
-    static void httpClientBuilderBuild() {
-        try (HttpClient httpClient = HttpClient.newBuilder().build()) {
-            assert httpClient != null;
-        }
-    }
-
-    static void httpClientSend() throws InterruptedException {
-        try (HttpClient httpClient = HttpClient.newBuilder().build()) {
-            // Shutdown the client, so the send action will shortcut before actually executing any network operation
-            // (but after it run our check in the prologue)
-            httpClient.shutdown();
-            try {
-                httpClient.send(HttpRequest.newBuilder(URI.create("http://localhost")).build(), HttpResponse.BodyHandlers.discarding());
-            } catch (IOException e) {
-                // Expected, since we shut down the client.
-                // "send" will be called and exercise the Entitlement check, we don't care if it fails afterward for this known reason.
-            }
-        }
-    }
-
-    static void httpClientSendAsync() {
-        try (HttpClient httpClient = HttpClient.newBuilder().build()) {
-            // Shutdown the client, so the send action will return before actually executing any network operation
-            // (but after it run our check in the prologue)
-            httpClient.shutdown();
-            var future = httpClient.sendAsync(
-                HttpRequest.newBuilder(URI.create("http://localhost")).build(),
-                HttpResponse.BodyHandlers.discarding()
-            );
-            assert future.isCompletedExceptionally();
-            future.exceptionally(ex -> {
-                assert ex instanceof IOException;
-                return null;
-            });
-        }
-    }
-
     static void createLDAPCertStore() throws NoSuchAlgorithmException {
         try {
             // We pass down null params to provoke a InvalidAlgorithmParameterException

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java

@@ -160,9 +160,8 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
         entry("server_socket_accept", forPlugins(NetworkAccessCheckActions::serverSocketAccept)),
 
         entry("url_open_connection_proxy", forPlugins(NetworkAccessCheckActions::urlOpenConnectionWithProxy)),
-        entry("http_client_builder_build", forPlugins(NetworkAccessCheckActions::httpClientBuilderBuild)),
-        entry("http_client_send", forPlugins(NetworkAccessCheckActions::httpClientSend)),
-        entry("http_client_send_async", forPlugins(NetworkAccessCheckActions::httpClientSendAsync)),
+        entry("http_client_send", forPlugins(VersionSpecificNetworkChecks::httpClientSend)),
+        entry("http_client_send_async", forPlugins(VersionSpecificNetworkChecks::httpClientSendAsync)),
         entry("create_ldap_cert_store", forPlugins(NetworkAccessCheckActions::createLDAPCertStore)),
 
         entry("server_socket_channel_bind", forPlugins(NetworkAccessCheckActions::serverSocketChannelBind)),

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/VersionSpecificNetworkChecks.java

@@ -9,6 +9,26 @@
 
 package org.elasticsearch.entitlement.qa.common;
 
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+
 class VersionSpecificNetworkChecks {
     static void createInetAddressResolverProvider() {}
+
+    static void httpClientSend() throws InterruptedException {
+        HttpClient httpClient = HttpClient.newBuilder().build();
+        try {
+            httpClient.send(HttpRequest.newBuilder(URI.create("http://localhost")).build(), HttpResponse.BodyHandlers.discarding());
+        } catch (IOException e) {
+            // Expected, the send action may fail with these parameters (but after it run the entitlement check in the prologue)
+        }
+    }
+
+    static void httpClientSendAsync() {
+        HttpClient httpClient = HttpClient.newBuilder().build();
+        httpClient.sendAsync(HttpRequest.newBuilder(URI.create("http://localhost")).build(), HttpResponse.BodyHandlers.discarding());
+    }
 }

libs/entitlement/qa/common/src/main18/java/org/elasticsearch/entitlement/qa/common/VersionSpecificNetworkChecks.java

@@ -9,6 +9,11 @@
 
 package org.elasticsearch.entitlement.qa.common;
 
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
 import java.net.spi.InetAddressResolver;
 import java.net.spi.InetAddressResolverProvider;
 
@@ -26,4 +31,18 @@ public String name() {
             }
         };
     }
+
+    static void httpClientSend() throws InterruptedException {
+        HttpClient httpClient = HttpClient.newBuilder().build();
+        try {
+            httpClient.send(HttpRequest.newBuilder(URI.create("http://localhost")).build(), HttpResponse.BodyHandlers.discarding());
+        } catch (IOException e) {
+            // Expected, the send action may fail with these parameters (but after it run the entitlement check in the prologue)
+        }
+    }
+
+    static void httpClientSendAsync() {
+        HttpClient httpClient = HttpClient.newBuilder().build();
+        httpClient.sendAsync(HttpRequest.newBuilder(URI.create("http://localhost")).build(), HttpResponse.BodyHandlers.discarding());
+    }
 }

libs/entitlement/qa/common/src/main21/java/org/elasticsearch/entitlement/qa/common/VersionSpecificNetworkChecks.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.common;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.net.spi.InetAddressResolver;
+import java.net.spi.InetAddressResolverProvider;
+
+class VersionSpecificNetworkChecks {
+    static void createInetAddressResolverProvider() {
+        var x = new InetAddressResolverProvider() {
+            @Override
+            public InetAddressResolver get(Configuration configuration) {
+                return null;
+            }
+
+            @Override
+            public String name() {
+                return "TEST";
+            }
+        };
+    }
+
+    static void httpClientSend() throws InterruptedException {
+        try (HttpClient httpClient = HttpClient.newBuilder().build()) {
+            // Shutdown the client, so the send action will shortcut before actually executing any network operation
+            // (but after it run our check in the prologue)
+            httpClient.shutdown();
+            try {
+                httpClient.send(HttpRequest.newBuilder(URI.create("http://localhost")).build(), HttpResponse.BodyHandlers.discarding());
+            } catch (IOException e) {
+                // Expected, since we shut down the client
+            }
+        }
+    }
+
+    static void httpClientSendAsync() {
+        try (HttpClient httpClient = HttpClient.newBuilder().build()) {
+            // Shutdown the client, so the send action will return before actually executing any network operation
+            // (but after it run our check in the prologue)
+            httpClient.shutdown();
+            var future = httpClient.sendAsync(
+                HttpRequest.newBuilder(URI.create("http://localhost")).build(),
+                HttpResponse.BodyHandlers.discarding()
+            );
+            assert future.isCompletedExceptionally();
+            future.exceptionally(ex -> {
+                assert ex instanceof IOException;
+                return null;
+            });
+        }
+    }
+}

libs/entitlement/qa/entitlement-allowed-nonmodular/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,8 +1,5 @@
 ALL-UNNAMED:
   - create_class_loader
   - set_https_connection_properties
-  - network:
-      actions:
-        - listen
-        - accept
-        - connect
+  - inbound_network
+  - outbound_network

libs/entitlement/qa/entitlement-allowed/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,8 +1,5 @@
 org.elasticsearch.entitlement.qa.common:
   - create_class_loader
   - set_https_connection_properties
-  - network:
-      actions:
-        - listen
-        - accept
-        - connect
+  - inbound_network
+  - outbound_network