Grant manage_threads to java.desktop for Tika

Author: prdoyle

libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java

@@ -114,7 +114,13 @@ private static List<Scope> createServerEntitlements(Path pidFile) {
                     new FilesEntitlement(serverModuleFileDatas)
                 )
             ),
-            new Scope("java.desktop", List.of(new LoadNativeLibrariesEntitlement())),
+            new Scope(
+                "java.desktop",
+                List.of(
+                    new LoadNativeLibrariesEntitlement(),
+                    new ManageThreadsEntitlement() // For sun.java2d.Disposer
+                )
+            ),
             new Scope(
                 "java.xml",
                 List.of(

libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.bootstrap;
+
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.test.ESTestCase.WithEntitlementsOnTestCode;
+
+import java.io.ByteArrayInputStream;
+
+import javax.imageio.stream.MemoryCacheImageInputStream;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+@WithEntitlementsOnTestCode
+public class HardcodedEntitlementsTests extends ESTestCase {
+
+    /**
+     * The Tika library can do some things we don't ordinarily want to allow.
+     * <p>
+     * <em>NOTE</em>: this test never actually fails, due to
+     * the artificiality of the non-modular testing environment,
+     * unless you also change {@link org.elasticsearch.bootstrap.TestScopeResolver#getScope}
+     * to return a {@link org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind#SERVER SERVER} scope
+     * with module name {@code java.desktop} when {@code getCodeSource} returns null.
+     * <p>
+     * If we were to generate test build info for the JDK modules, then this could work properly.
+     * <p>
+     * Note that {@link MemoryCacheImageInputStream} doesn't even use {@code Disposer} in JDK 26,
+     * so it's an open question how much effort this deserves.
+     */
+    public void testTikaPDF() {
+        new MemoryCacheImageInputStream(new ByteArrayInputStream("test test".getBytes(UTF_8)));
+    }
+}

test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java

@@ -97,6 +97,10 @@ public final void clearModuleEntitlementsCache() {
 
     @Override
     protected boolean isTrustedSystemClass(Class<?> requestingClass) {
+        if (requestingClass.getPackageName().startsWith("sun.java2d")) {
+            // This is part of the java.desktop module
+            return false;
+        }
         ClassLoader loader = requestingClass.getClassLoader();
         return loader == null || loader == ClassLoader.getPlatformClassLoader();
     }