Entitlements tools: public callers finder (#116257)

* WIP: Tool to find all public caller from a starting list of (JDK) methods.

* Add public-callers-finder tool, extract common stuff to common module

* Adjustments to visibility/functions and classes and modules to print out

* Spotless

* Missing gradle configuration

* Add details in README as requested in PR

* Update ASM version

* Including protected methods

Author: ldematte

libs/entitlement/tools/common/src/main/java/org/elasticsearch/entitlement/tools/ExternalAccess.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.tools;
+
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.stream.Collectors;
+
+public enum ExternalAccess {
+    PUBLIC_CLASS,
+    PUBLIC_METHOD,
+    PROTECTED_METHOD;
+
+    private static final String DELIMITER = ":";
+
+    public static String toString(EnumSet<ExternalAccess> externalAccesses) {
+        return externalAccesses.stream().map(Enum::toString).collect(Collectors.joining(DELIMITER));
+    }
+
+    public static EnumSet<ExternalAccess> fromPermissions(
+        boolean packageExported,
+        boolean publicClass,
+        boolean publicMethod,
+        boolean protectedMethod
+    ) {
+        if (publicMethod && protectedMethod) {
+            throw new IllegalArgumentException();
+        }
+
+        EnumSet<ExternalAccess> externalAccesses = EnumSet.noneOf(ExternalAccess.class);
+        if (publicMethod) {
+            externalAccesses.add(ExternalAccess.PUBLIC_METHOD);
+        } else if (protectedMethod) {
+            externalAccesses.add(ExternalAccess.PROTECTED_METHOD);
+        }
+
+        if (packageExported && publicClass) {
+            externalAccesses.add(ExternalAccess.PUBLIC_CLASS);
+        }
+        return externalAccesses;
+    }
+
+    public static boolean isExternallyAccessible(EnumSet<ExternalAccess> access) {
+        return access.contains(ExternalAccess.PUBLIC_CLASS)
+            && (access.contains(ExternalAccess.PUBLIC_METHOD) || access.contains(ExternalAccess.PROTECTED_METHOD));
+    }
+
+    public static EnumSet<ExternalAccess> fromString(String accessAsString) {
+        if ("PUBLIC".equals(accessAsString)) {
+            return EnumSet.of(ExternalAccess.PUBLIC_CLASS, ExternalAccess.PUBLIC_METHOD);
+        }
+        if ("PUBLIC-METHOD".equals(accessAsString)) {
+            return EnumSet.of(ExternalAccess.PUBLIC_METHOD);
+        }
+        if ("PRIVATE".equals(accessAsString)) {
+            return EnumSet.noneOf(ExternalAccess.class);
+        }
+
+        return EnumSet.copyOf(Arrays.stream(accessAsString.split(DELIMITER)).map(ExternalAccess::valueOf).toList());
+    }
+}

libs/entitlement/tools/common/src/main/java/org/elasticsearch/entitlement/tools/Utils.java

@@ -11,16 +11,28 @@
 
 import java.io.IOException;
 import java.lang.module.ModuleDescriptor;
+import java.net.URI;
 import java.nio.file.FileSystem;
+import java.nio.file.FileSystems;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 public class Utils {
 
-    public static Map<String, Set<String>> findModuleExports(FileSystem fs) throws IOException {
+    private static final Set<String> EXCLUDED_MODULES = Set.of(
+        "java.desktop",
+        "jdk.jartool",
+        "jdk.jdi",
+        "java.security.jgss",
+        "jdk.jshell"
+    );
+
+    private static Map<String, Set<String>> findModuleExports(FileSystem fs) throws IOException {
         var modulesExports = new HashMap<String, Set<String>>();
         try (var stream = Files.walk(fs.getPath("modules"))) {
             stream.filter(p -> p.getFileName().toString().equals("module-info.class")).forEach(x -> {
@@ -42,4 +54,27 @@ public static Map<String, Set<String>> findModuleExports(FileSystem fs) throws I
         return modulesExports;
     }
 
+    public interface JdkModuleConsumer {
+        void accept(String moduleName, List<Path> moduleClasses, Set<String> moduleExports);
+    }
+
+    public static void walkJdkModules(JdkModuleConsumer c) throws IOException {
+
+        FileSystem fs = FileSystems.getFileSystem(URI.create("jrt:/"));
+
+        var moduleExports = Utils.findModuleExports(fs);
+
+        try (var stream = Files.walk(fs.getPath("modules"))) {
+            var modules = stream.filter(x -> x.toString().endsWith(".class"))
+                .collect(Collectors.groupingBy(x -> x.subpath(1, 2).toString()));
+
+            for (var kv : modules.entrySet()) {
+                var moduleName = kv.getKey();
+                if (Utils.EXCLUDED_MODULES.contains(moduleName) == false) {
+                    var thisModuleExports = moduleExports.get(moduleName);
+                    c.accept(moduleName, kv.getValue(), thisModuleExports);
+                }
+            }
+        }
+    }
 }

libs/entitlement/tools/public-callers-finder/README.md

@@ -0,0 +1,50 @@
+This tool scans the JDK on which it is running. It takes a list of methods (compatible with the output of the `securitymanager-scanner` tool), and looks for the "public surface" of these methods (i.e. any class/method accessible from regular Java code that calls into the original list, directly or transitively).
+
+It acts basically as a recursive "Find Usages" in Intellij, stopping at the first fully accessible point (public method on a public class).
+The tool scans every method in every class inside the same java module; e.g.
+if you have a private method `File#normalizedList`, it will scan `java.base` to find
+public methods like `File#list(String)`, `File#list(FilenameFilter, String)` and
+`File#listFiles(File)`.
+
+The tool considers implemented interfaces (directly); e.g. if we're looking at a
+method `C.m`, where `C implements I`, it will look for calls to `I.m`. It will
+also consider (indirectly) calls to `S.m` (where `S` is a supertype of `C`), as
+it treats calls to `super` in `S.m` as regular calls (e.g. `example() -> S.m() -> C.m()`).
+
+
+In order to run the tool, use:
+```shell
+./gradlew :libs:entitlement:tools:public-callers-finder:run <input-file> [<bubble-up-from-public>]
+```
+Where `input-file` is a CSV file (columns separated by `TAB`) that contains the following columns:
+Module name
+1. unused
+2. unused
+3. unused
+4. Fully qualified class name (ASM style, with `/` separators)
+5. Method name
+6. Method descriptor (ASM signature)
+7. Visibility (PUBLIC/PUBLIC-METHOD/PRIVATE)
+
+And `bubble-up-from-public` is a boolean (`true|false`) indicating if the code should stop at the first public method (`false`: default, recommended) or continue to find usages recursively even after reaching the "public surface".
+
+The output of the tool is another CSV file, with one line for each entry-point, columns separated by `TAB`
+
+1. Module name
+2. File name (from source root)
+3. Line number
+4. Fully qualified class name (ASM style, with `/` separators)
+5. Method name
+6. Method descriptor (ASM signature)
+7. Visibility (PUBLIC/PUBLIC-METHOD/PRIVATE)
+8. Original caller Module name
+9. Original caller Class name (ASM style, with `/` separators)
+10. Original caller Method name
+11. Original caller Visibility
+
+Examples:
+```
+java.base	DeleteOnExitHook.java	50	java/io/DeleteOnExitHook$1	run	()V	PUBLIC	java.base	java/io/File	delete	PUBLIC
+java.base	ZipFile.java	254	java/util/zip/ZipFile	<init>	(Ljava/io/File;ILjava/nio/charset/Charset;)V	PUBLIC	java.base	java/io/File	delete	PUBLIC
+java.logging	FileHandler.java	279	java/util/logging/FileHandler	<init>	()V	PUBLIC	java.base	java/io/File	delete	PUBLIC
+```

libs/entitlement/tools/public-callers-finder/build.gradle

@@ -0,0 +1,61 @@
+plugins {
+  id 'application'
+}
+
+apply plugin: 'elasticsearch.build'
+apply plugin: 'elasticsearch.publish'
+
+tasks.named("dependencyLicenses").configure {
+  mapping from: /asm-.*/, to: 'asm'
+}
+
+group = 'org.elasticsearch.entitlement.tools'
+
+ext {
+  javaMainClass = "org.elasticsearch.entitlement.tools.publiccallersfinder.Main"
+}
+
+application {
+  mainClass.set(javaMainClass)
+  applicationDefaultJvmArgs = [
+    '--add-exports', 'java.base/sun.security.util=ALL-UNNAMED',
+    '--add-opens', 'java.base/java.lang=ALL-UNNAMED',
+    '--add-opens', 'java.base/java.net=ALL-UNNAMED',
+    '--add-opens', 'java.base/java.net.spi=ALL-UNNAMED',
+    '--add-opens', 'java.base/java.util.concurrent=ALL-UNNAMED',
+    '--add-opens', 'java.base/javax.crypto=ALL-UNNAMED',
+    '--add-opens', 'java.base/javax.security.auth=ALL-UNNAMED',
+    '--add-opens', 'java.base/jdk.internal.logger=ALL-UNNAMED',
+    '--add-opens', 'java.base/sun.nio.ch=ALL-UNNAMED',
+    '--add-opens', 'jdk.management.jfr/jdk.management.jfr=ALL-UNNAMED',
+    '--add-opens', 'java.logging/java.util.logging=ALL-UNNAMED',
+    '--add-opens', 'java.logging/sun.util.logging.internal=ALL-UNNAMED',
+    '--add-opens', 'java.naming/javax.naming.ldap.spi=ALL-UNNAMED',
+    '--add-opens', 'java.rmi/sun.rmi.runtime=ALL-UNNAMED',
+    '--add-opens', 'jdk.dynalink/jdk.dynalink=ALL-UNNAMED',
+    '--add-opens', 'jdk.dynalink/jdk.dynalink.linker=ALL-UNNAMED',
+    '--add-opens', 'java.desktop/sun.awt=ALL-UNNAMED',
+    '--add-opens', 'java.sql.rowset/javax.sql.rowset.spi=ALL-UNNAMED',
+    '--add-opens', 'java.sql/java.sql=ALL-UNNAMED',
+    '--add-opens', 'java.xml.crypto/com.sun.org.apache.xml.internal.security.utils=ALL-UNNAMED'
+  ]
+}
+
+repositories {
+  mavenCentral()
+}
+
+dependencies {
+  compileOnly(project(':libs:core'))
+  implementation 'org.ow2.asm:asm:9.7.1'
+  implementation 'org.ow2.asm:asm-util:9.7.1'
+  implementation(project(':libs:entitlement:tools:common'))
+}
+
+tasks.named('forbiddenApisMain').configure {
+  replaceSignatureFiles 'jdk-signatures'
+}
+
+tasks.named("thirdPartyAudit").configure {
+  ignoreMissingClasses()
+}

libs/entitlement/tools/public-callers-finder/licenses/asm-LICENSE.txt

@@ -0,0 +1,26 @@
+Copyright (c) 2012 France Télécom
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the copyright holders nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+THE POSSIBILITY OF SUCH DAMAGE.

libs/entitlement/tools/public-callers-finder/licenses/asm-NOTICE.txt

@@ -0,0 +1 @@
+