Revert "Grant manage_threads to java.desktop for Tika (#134454)"

julian-elastic · web-flow · commit 3403903573f6 · 2025-09-11T12:53:39.000-04:00
This reverts commit 9b41320.
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java
@@ -114,13 +114,7 @@ private static List<Scope> createServerEntitlements(Path pidFile) {
                     new FilesEntitlement(serverModuleFileDatas)
                 )
             ),
-            new Scope(
-                "java.desktop",
-                List.of(
-                    new LoadNativeLibrariesEntitlement(),
-                    new ManageThreadsEntitlement() // For sun.java2d.Disposer. TODO: https://elasticco.atlassian.net/browse/ES-12888
-                )
-            ),
+            new Scope("java.desktop", List.of(new LoadNativeLibrariesEntitlement())),
             new Scope(
                 "java.xml",
                 List.of(
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
@@ -54,7 +54,7 @@ public class PolicyManager {
      */
     static final Logger generalLogger = LogManager.getLogger(PolicyManager.class);
 
-    public static final Set<String> MODULES_EXCLUDED_FROM_SYSTEM_MODULES = Set.of("java.desktop", "java.xml");
+    static final Set<String> MODULES_EXCLUDED_FROM_SYSTEM_MODULES = Set.of("java.desktop", "java.xml");
 
     /**
      * Identifies a particular entitlement {@link Scope} within a {@link Policy}.
@@ -94,7 +94,7 @@ public enum ComponentKind {
          * If this kind corresponds to a single component, this is that component's name;
          * otherwise null.
          */
-        public final String componentName;
+        final String componentName;
 
         ComponentKind(String componentName) {
             this.componentName = componentName;
diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java
diff --git a/test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java b/test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java
@@ -9,14 +9,11 @@
 
 package org.elasticsearch.bootstrap;
 
-import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.SuppressForbidden;
-import org.elasticsearch.entitlement.runtime.policy.PolicyManager.PolicyScope;
+import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
 
-import java.lang.module.ModuleDescriptor;
-import java.lang.module.ModuleFinder;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
@@ -25,78 +22,39 @@
 import java.util.TreeMap;
 import java.util.function.Function;
 
-import static java.util.Objects.requireNonNull;
-import static java.util.stream.Collectors.toSet;
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED;
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.PLUGIN;
-import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.SERVER;
-import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.MODULES_EXCLUDED_FROM_SYSTEM_MODULES;
 
-public final class TestScopeResolver {
+public record TestScopeResolver(Map<String, PolicyManager.PolicyScope> scopeMap) {
 
     private static final Logger logger = LogManager.getLogger(TestScopeResolver.class);
-    private final Map<String, PolicyScope> scopeMap;
-    private static final Map<String, PolicyScope> excludedSystemPackageScopes = computeExcludedSystemPackageScopes();
 
-    public TestScopeResolver(Map<String, PolicyScope> scopeMap) {
-        this.scopeMap = scopeMap;
-    }
-
-    private static Map<String, PolicyScope> computeExcludedSystemPackageScopes() {
-        // Within any one module layer, module names are unique, so we just need the names
-        Set<String> systemModuleNames = ModuleFinder.ofSystem()
-            .findAll()
-            .stream()
-            .map(ref -> ref.descriptor().name())
-            .filter(MODULES_EXCLUDED_FROM_SYSTEM_MODULES::contains)
-            .collect(toSet());
-
-        Map<String, PolicyScope> result = new TreeMap<>();
-        ModuleLayer.boot().modules().stream().filter(m -> systemModuleNames.contains(m.getName())).forEach(m -> {
-            ModuleDescriptor desc = m.getDescriptor();
-            if (desc != null) {
-                desc.packages().forEach(pkg ->
-                // Our component identification logic returns SERVER for these
-                result.put(pkg, new PolicyScope(SERVER, SERVER.componentName, m.getName())));
-            }
-        });
-        return result;
-    }
-
-    public static @Nullable PolicyScope getExcludedSystemPackageScope(Class<?> callerClass) {
-        return excludedSystemPackageScopes.get(callerClass.getPackageName());
-    }
-
-    PolicyScope getScope(Class<?> callerClass) {
+    PolicyManager.PolicyScope getScope(Class<?> callerClass) {
         var callerCodeSource = callerClass.getProtectionDomain().getCodeSource();
-        if (callerCodeSource == null) {
-            // This only happens for JDK classes. Furthermore, for trivially allowed modules, we shouldn't even get here.
-            // Hence, this must be an excluded system module, so check for that.
-            return requireNonNull(getExcludedSystemPackageScope(callerClass));
-        }
+        assert callerCodeSource != null;
 
         var location = callerCodeSource.getLocation().toString();
         var scope = scopeMap.get(location);
         if (scope == null) {
             // Special cases for libraries not handled by our automatically-generated scopeMap
             if (callerClass.getPackageName().startsWith("org.bouncycastle")) {
-                scope = new PolicyScope(PLUGIN, "security", ALL_UNNAMED);
+                scope = new PolicyManager.PolicyScope(PLUGIN, "security", ALL_UNNAMED);
                 logger.debug("Assuming bouncycastle is part of the security plugin");
             }
         }
         if (scope == null) {
             logger.warn("Cannot identify a scope for class [{}], location [{}]", callerClass.getName(), location);
-            return PolicyScope.unknown(location);
+            return PolicyManager.PolicyScope.unknown(location);
         }
         return scope;
     }
 
-    public static Function<Class<?>, PolicyScope> createScopeResolver(
+    public static Function<Class<?>, PolicyManager.PolicyScope> createScopeResolver(
         TestBuildInfo serverBuildInfo,
         List<TestBuildInfo> pluginsBuildInfo,
         Set<String> modularPlugins
     ) {
-        Map<String, PolicyScope> scopeMap = new TreeMap<>(); // Sorted to make it easier to read during debugging
+        Map<String, PolicyManager.PolicyScope> scopeMap = new TreeMap<>(); // Sorted to make it easier to read during debugging
         for (var pluginBuildInfo : pluginsBuildInfo) {
             boolean isModular = modularPlugins.contains(pluginBuildInfo.component());
             for (var location : pluginBuildInfo.locations()) {
@@ -108,7 +66,7 @@ public static Function<Class<?>, PolicyScope> createScopeResolver(
                     String module = isModular ? location.module() : ALL_UNNAMED;
                     scopeMap.put(
                         getCodeSource(codeSource, location.representativeClass()),
-                        PolicyScope.plugin(pluginBuildInfo.component(), module)
+                        PolicyManager.PolicyScope.plugin(pluginBuildInfo.component(), module)
                     );
                 } catch (MalformedURLException e) {
                     throw new IllegalArgumentException("Cannot locate class [" + location.representativeClass() + "]", e);
@@ -123,7 +81,7 @@ public static Function<Class<?>, PolicyScope> createScopeResolver(
                 continue;
             }
             try {
-                scopeMap.put(getCodeSource(classUrl, location.representativeClass()), PolicyScope.server(location.module()));
+                scopeMap.put(getCodeSource(classUrl, location.representativeClass()), PolicyManager.PolicyScope.server(location.module()));
             } catch (MalformedURLException e) {
                 throw new IllegalArgumentException("Cannot locate class [" + location.representativeClass() + "]", e);
             }
diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java b/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java
@@ -9,7 +9,6 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
-import org.elasticsearch.bootstrap.TestScopeResolver;
 import org.elasticsearch.common.util.ArrayUtils;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
 import org.elasticsearch.test.ESTestCase;
@@ -98,10 +97,6 @@ public final void clearModuleEntitlementsCache() {
 
     @Override
     protected boolean isTrustedSystemClass(Class<?> requestingClass) {
-        if (TestScopeResolver.getExcludedSystemPackageScope(requestingClass) != null) {
-            // We don't trust the excluded packages even though they are in system modules
-            return false;
-        }
         ClassLoader loader = requestingClass.getClassLoader();
         return loader == null || loader == ClassLoader.getPlatformClassLoader();
     }
