
Commit 2d336be

authored
Fully initialize policy checker before instrumenting (#128703) (#128704)
Entitlement instrumentation works by reflectively calling back into the entitlements lib to grab the checker. The checker must be fully in place before any classes are instrumented. This commit fixes a bug, introduced by a refactoring, which caused the checker not to be set until after all classes were instrumented. In some situations this could lead to the checker being null when it is grabbed (and statically cached) by the entitlement bridge.
1 parent bdbb95b commit 2d336be


2 files changed

+13
-5
lines changed


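--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -68,7 +68,9 @@ public static EntitlementChecker checker() {
 * @param inst the JVM instrumentation class instance
 */
 public static void initialize(Instrumentation inst) throws Exception {
-checker = initChecker(inst, createPolicyManager());
+// the checker _MUST_ be set before _any_ instrumentation is done
+checker = initChecker(createPolicyManager());
+initInstrumentation(inst);
 }
 
 /**
@@ -148,7 +150,7 @@ private static void ensureClassesSensitiveToVerificationAreInitialized() {
 }
 }
 
-static ElasticsearchEntitlementChecker initChecker(Instrumentation inst, PolicyManager policyManager) throws Exception {
+static ElasticsearchEntitlementChecker initChecker(PolicyManager policyManager) {
 final PolicyChecker policyChecker = createPolicyChecker(policyManager);
 final Class<?> clazz = EntitlementCheckerUtils.getVersionSpecificCheckerClass(
 ElasticsearchEntitlementChecker.class,
@@ -169,17 +171,20 @@ static ElasticsearchEntitlementChecker initChecker(Instrumentation inst, PolicyM
 throw new AssertionError(e);
 }
 
+return checker;
+}
+
+static void initInstrumentation(Instrumentation instrumentation) throws Exception {
 var verifyBytecode = Booleans.parseBoolean(System.getProperty("es.entitlements.verify_bytecode", "false"));
 if (verifyBytecode) {
 ensureClassesSensitiveToVerificationAreInitialized();
 }
 
 DynamicInstrumentation.initialize(
-inst,
+instrumentation,
 EntitlementCheckerUtils.getVersionSpecificCheckerClass(EntitlementChecker.class, Runtime.version().feature()),
 verifyBytecode
 );
 
-return checker;
 }
 }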
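Review bot: The ordering requirement is stated only as an inline comment inside `initialize`, while the new package-private `initInstrumentation` documents no precondition, so a future caller can invoke it before a checker has been published. Per the commit description the bridge statically caches whatever it reads, so a null observed once is presumably never corrected, which would leave the instrumented checks without a checker. I would add a Javadoc line on `initInstrumentation` such as `/** Must only be called after the checker has been assigned; instrumented code caches the checker on first use. */`. The commit touches two files and neither adds a test that pins the order, so a later refactoring could reintroduce the regression silently; a test asserting the checker is non-null when instrumentation starts would cover that.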

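--- a/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java
+++ b/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java
@@ -31,6 +31,8 @@
 import java.util.List;
 import java.util.Map;
 
+import static org.elasticsearch.entitlement.initialization.EntitlementInitialization.initInstrumentation;
+
 /**
 * Test-specific version of {@code EntitlementInitialization}
 */
@@ -45,7 +47,8 @@ public static EntitlementChecker checker() {
 }
 
 public static void initialize(Instrumentation inst) throws Exception {
-checker = EntitlementInitialization.initChecker(inst, createPolicyManager(initializeArgs.pathLookup()));
+checker = EntitlementInitialization.initChecker(createPolicyManager(initializeArgs.pathLookup()));
+initInstrumentation(inst);
 }
 
 public record InitializeArgs(PathLookup pathLookup) {}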
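Review bot: `initialize` in this class now calls `EntitlementInitialization.initChecker(...)` fully qualified but reaches `initInstrumentation(inst)` through a new static import, which makes it harder to see that both steps come from the same production class. Calling `EntitlementInitialization.initInstrumentation(inst);` and dropping the static import would keep the two steps visually paired. The production `initialize` carries the comment `// the checker _MUST_ be set before _any_ instrumentation is done`; repeating it above the assignment here would help keep the test path from drifting out of order.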
