Fully initialize policy checker before instrumenting (#128703) (#128704)

rjernst · web-flow · commit 2d336becd83e · 2025-05-31T11:11:31.000+10:00
Entitlement instrumentation works by reflectively calling back into the
entitlements lib to grab the checker. It must be fully in place before
any classes are instrumented. This commit fixes a bug that was
introduced by refactoring which caused the checker to not be set until
after all classes were instrumented. In some situations this could lead
the checker to being null when it is grab (and statically cached) by the
entitlement bridge.
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -68,7 +68,9 @@ public static EntitlementChecker checker() {
      * @param inst the JVM instrumentation class instance
      */
     public static void initialize(Instrumentation inst) throws Exception {
-        checker = initChecker(inst, createPolicyManager());
+        // the checker _MUST_ be set before _any_ instrumentation is done
+        checker = initChecker(createPolicyManager());
+        initInstrumentation(inst);
     }
 
     /**
@@ -148,7 +150,7 @@ private static void ensureClassesSensitiveToVerificationAreInitialized() {
         }
     }
 
-    static ElasticsearchEntitlementChecker initChecker(Instrumentation inst, PolicyManager policyManager) throws Exception {
+    static ElasticsearchEntitlementChecker initChecker(PolicyManager policyManager) {
         final PolicyChecker policyChecker = createPolicyChecker(policyManager);
         final Class<?> clazz = EntitlementCheckerUtils.getVersionSpecificCheckerClass(
             ElasticsearchEntitlementChecker.class,
@@ -169,17 +171,20 @@ static ElasticsearchEntitlementChecker initChecker(Instrumentation inst, PolicyM
             throw new AssertionError(e);
         }
 
+        return checker;
+    }
+
+    static void initInstrumentation(Instrumentation instrumentation) throws Exception {
         var verifyBytecode = Booleans.parseBoolean(System.getProperty("es.entitlements.verify_bytecode", "false"));
         if (verifyBytecode) {
             ensureClassesSensitiveToVerificationAreInitialized();
         }
 
         DynamicInstrumentation.initialize(
-            inst,
+            instrumentation,
             EntitlementCheckerUtils.getVersionSpecificCheckerClass(EntitlementChecker.class, Runtime.version().feature()),
             verifyBytecode
         );
 
-        return checker;
     }
 }
diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java b/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java
@@ -31,6 +31,8 @@
 import java.util.List;
 import java.util.Map;
 
+import static org.elasticsearch.entitlement.initialization.EntitlementInitialization.initInstrumentation;
+
 /**
  * Test-specific version of {@code EntitlementInitialization}
  */
@@ -45,7 +47,8 @@ public static EntitlementChecker checker() {
     }
 
     public static void initialize(Instrumentation inst) throws Exception {
-        checker = EntitlementInitialization.initChecker(inst, createPolicyManager(initializeArgs.pathLookup()));
+        checker = EntitlementInitialization.initChecker(createPolicyManager(initializeArgs.pathLookup()));
+        initInstrumentation(inst);
     }
 
     public record InitializeArgs(PathLookup pathLookup) {}

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,9 @@ public static EntitlementChecker checker() {`
`68`	`68`	`* @param inst the JVM instrumentation class instance`
`69`	`69`	`*/`
`70`	`70`	`public static void initialize(Instrumentation inst) throws Exception {`
`71`		`- checker = initChecker(inst, createPolicyManager());`
	`71`	`+ // the checker _MUST_ be set before _any_ instrumentation is done`
	`72`	`+ checker = initChecker(createPolicyManager());`
	`73`	`+ initInstrumentation(inst);`
`72`	`74`	`}`
`73`	`75`
`74`	`76`	`/**`
`@@ -148,7 +150,7 @@ private static void ensureClassesSensitiveToVerificationAreInitialized() {`
`148`	`150`	`}`
`149`	`151`	`}`
`150`	`152`
`151`		`- static ElasticsearchEntitlementChecker initChecker(Instrumentation inst, PolicyManager policyManager) throws Exception {`
	`153`	`+ static ElasticsearchEntitlementChecker initChecker(PolicyManager policyManager) {`
`152`	`154`	`final PolicyChecker policyChecker = createPolicyChecker(policyManager);`
`153`	`155`	`final Class<?> clazz = EntitlementCheckerUtils.getVersionSpecificCheckerClass(`
`154`	`156`	`ElasticsearchEntitlementChecker.class,`
`@@ -169,17 +171,20 @@ static ElasticsearchEntitlementChecker initChecker(Instrumentation inst, PolicyM`
`169`	`171`	`throw new AssertionError(e);`
`170`	`172`	`}`
`171`	`173`
	`174`	`+ return checker;`
	`175`	`+ }`
	`176`	`+`
	`177`	`+ static void initInstrumentation(Instrumentation instrumentation) throws Exception {`
`172`	`178`	`var verifyBytecode = Booleans.parseBoolean(System.getProperty("es.entitlements.verify_bytecode", "false"));`
`173`	`179`	`if (verifyBytecode) {`
`174`	`180`	`ensureClassesSensitiveToVerificationAreInitialized();`
`175`	`181`	`}`
`176`	`182`
`177`	`183`	`DynamicInstrumentation.initialize(`
`178`		`- inst,`
	`184`	`+ instrumentation,`
`179`	`185`	`EntitlementCheckerUtils.getVersionSpecificCheckerClass(EntitlementChecker.class, Runtime.version().feature()),`
`180`	`186`	`verifyBytecode`
`181`	`187`	`);`
`182`	`188`
`183`		`- return checker;`
`184`	`189`	`}`
`185`	`190`	`}`