Catch up entitlements backports (#117363)

* [Entitlements] Consider only system modules in the boot layer (#117017)

* [Entitlements] Implement entry point definitions via checker function signature (#116754)

* Policy manager for entitlements (#116695)

* Add java version variants of entitlements checker (#116878)

As each version of Java is released, there may be additional methods we
want to instrument for entitlements. Since new methods won't exist in
the base version of Java that Elasticsearch is compiled with, we need to
hava different classes and compilation for each version.

This commit adds a scaffolding for adding the classes for new versions
of Java. Unfortunately it requires several classes in different
locations. But hopefully these are infrequent enough that the
boilerplate is ok. We could consider adding a helper Gradle task to
templatize the new classes in the future if it is too cumbersome. Note
that the example for Java23 does not have anything meaningful in it yet,
it's only meant as an example until we find go through classes and
methods that were added after Java 21.

* Spotless

---------

Co-authored-by: Lorenzo Dematté <[email protected]>
Co-authored-by: Jack Conradson <[email protected]>
Co-authored-by: Patrick Doyle <[email protected]>

Author: 4 people

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/MrjarPlugin.java

@@ -20,9 +20,12 @@
 import org.gradle.api.plugins.JavaPluginExtension;
 import org.gradle.api.tasks.SourceSet;
 import org.gradle.api.tasks.SourceSetContainer;
+import org.gradle.api.tasks.TaskProvider;
 import org.gradle.api.tasks.compile.CompileOptions;
 import org.gradle.api.tasks.compile.JavaCompile;
+import org.gradle.api.tasks.javadoc.Javadoc;
 import org.gradle.api.tasks.testing.Test;
+import org.gradle.external.javadoc.CoreJavadocOptions;
 import org.gradle.jvm.tasks.Jar;
 import org.gradle.jvm.toolchain.JavaLanguageVersion;
 import org.gradle.jvm.toolchain.JavaToolchainService;
@@ -79,6 +82,7 @@ public void apply(Project project) {
                 String mainSourceSetName = SourceSet.MAIN_SOURCE_SET_NAME + javaVersion;
                 SourceSet mainSourceSet = addSourceSet(project, javaExtension, mainSourceSetName, mainSourceSets, javaVersion);
                 configureSourceSetInJar(project, mainSourceSet, javaVersion);
+                addJar(project, mainSourceSet, javaVersion);
                 mainSourceSets.add(mainSourceSetName);
                 testSourceSets.add(mainSourceSetName);
 
@@ -142,6 +146,29 @@ private SourceSet addSourceSet(
         return sourceSet;
     }
 
+    private void addJar(Project project, SourceSet sourceSet, int javaVersion) {
+        project.getConfigurations().register("java" + javaVersion);
+        TaskProvider<Jar> jarTask = project.getTasks().register("java" + javaVersion + "Jar", Jar.class, task -> {
+            task.from(sourceSet.getOutput());
+        });
+        project.getArtifacts().add("java" + javaVersion, jarTask);
+    }
+
+    private void configurePreviewFeatures(Project project, SourceSet sourceSet, int javaVersion) {
+        project.getTasks().withType(JavaCompile.class).named(sourceSet.getCompileJavaTaskName()).configure(compileTask -> {
+            CompileOptions compileOptions = compileTask.getOptions();
+            compileOptions.getCompilerArgs().add("--enable-preview");
+            compileOptions.getCompilerArgs().add("-Xlint:-preview");
+
+            compileTask.doLast(t -> { stripPreviewFromFiles(compileTask.getDestinationDirectory().getAsFile().get().toPath()); });
+        });
+        project.getTasks().withType(Javadoc.class).named(name -> name.equals(sourceSet.getJavadocTaskName())).configureEach(javadocTask -> {
+            CoreJavadocOptions options = (CoreJavadocOptions) javadocTask.getOptions();
+            options.addBooleanOption("-enable-preview", true);
+            options.addStringOption("-release", String.valueOf(javaVersion));
+        });
+    }
+
     private void configureSourceSetInJar(Project project, SourceSet sourceSet, int javaVersion) {
         var jarTask = project.getTasks().withType(Jar.class).named(JavaPlugin.JAR_TASK_NAME);
         jarTask.configure(task -> task.into("META-INF/versions/" + javaVersion, copySpec -> copySpec.from(sourceSet.getOutput())));

libs/entitlement/asm-provider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java

@@ -9,19 +9,29 @@
 
 package org.elasticsearch.entitlement.instrumentation.impl;
 
+import org.elasticsearch.entitlement.instrumentation.CheckerMethod;
 import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
 import org.elasticsearch.entitlement.instrumentation.Instrumenter;
 import org.elasticsearch.entitlement.instrumentation.MethodKey;
+import org.objectweb.asm.ClassReader;
+import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.MethodVisitor;
+import org.objectweb.asm.Opcodes;
 import org.objectweb.asm.Type;
 
+import java.io.IOException;
 import java.lang.reflect.Method;
-import java.lang.reflect.Modifier;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.stream.Stream;
 
 public class InstrumentationServiceImpl implements InstrumentationService {
+
     @Override
-    public Instrumenter newInstrumenter(String classNameSuffix, Map<MethodKey, Method> instrumentationMethods) {
+    public Instrumenter newInstrumenter(String classNameSuffix, Map<MethodKey, CheckerMethod> instrumentationMethods) {
         return new InstrumenterImpl(classNameSuffix, instrumentationMethods);
     }
 
@@ -33,9 +43,97 @@ public MethodKey methodKeyForTarget(Method targetMethod) {
         return new MethodKey(
             Type.getInternalName(targetMethod.getDeclaringClass()),
             targetMethod.getName(),
-            Stream.of(actualType.getArgumentTypes()).map(Type::getInternalName).toList(),
-            Modifier.isStatic(targetMethod.getModifiers())
+            Stream.of(actualType.getArgumentTypes()).map(Type::getInternalName).toList()
         );
     }
 
+    @Override
+    public Map<MethodKey, CheckerMethod> lookupMethodsToInstrument(String entitlementCheckerClassName) throws ClassNotFoundException,
+        IOException {
+        var methodsToInstrument = new HashMap<MethodKey, CheckerMethod>();
+        var checkerClass = Class.forName(entitlementCheckerClassName);
+        var classFileInfo = InstrumenterImpl.getClassFileInfo(checkerClass);
+        ClassReader reader = new ClassReader(classFileInfo.bytecodes());
+        ClassVisitor visitor = new ClassVisitor(Opcodes.ASM9) {
+            @Override
+            public MethodVisitor visitMethod(
+                int access,
+                String checkerMethodName,
+                String checkerMethodDescriptor,
+                String signature,
+                String[] exceptions
+            ) {
+                var mv = super.visitMethod(access, checkerMethodName, checkerMethodDescriptor, signature, exceptions);
+
+                var checkerMethodArgumentTypes = Type.getArgumentTypes(checkerMethodDescriptor);
+                var methodToInstrument = parseCheckerMethodSignature(checkerMethodName, checkerMethodArgumentTypes);
+
+                var checkerParameterDescriptors = Arrays.stream(checkerMethodArgumentTypes).map(Type::getDescriptor).toList();
+                var checkerMethod = new CheckerMethod(Type.getInternalName(checkerClass), checkerMethodName, checkerParameterDescriptors);
+
+                methodsToInstrument.put(methodToInstrument, checkerMethod);
+
+                return mv;
+            }
+        };
+        reader.accept(visitor, 0);
+        return methodsToInstrument;
+    }
+
+    private static final Type CLASS_TYPE = Type.getType(Class.class);
+
+    static MethodKey parseCheckerMethodSignature(String checkerMethodName, Type[] checkerMethodArgumentTypes) {
+        var classNameStartIndex = checkerMethodName.indexOf('$');
+        var classNameEndIndex = checkerMethodName.lastIndexOf('$');
+
+        if (classNameStartIndex == -1 || classNameStartIndex >= classNameEndIndex) {
+            throw new IllegalArgumentException(
+                String.format(
+                    Locale.ROOT,
+                    "Checker method %s has incorrect name format. "
+                        + "It should be either check$$methodName (instance) or check$package_ClassName$methodName (static)",
+                    checkerMethodName
+                )
+            );
+        }
+
+        // No "className" (check$$methodName) -> method is static, and we'll get the class from the actual typed argument
+        final boolean targetMethodIsStatic = classNameStartIndex + 1 != classNameEndIndex;
+        final String targetMethodName = checkerMethodName.substring(classNameEndIndex + 1);
+
+        final String targetClassName;
+        final List<String> targetParameterTypes;
+        if (targetMethodIsStatic) {
+            if (checkerMethodArgumentTypes.length < 1 || CLASS_TYPE.equals(checkerMethodArgumentTypes[0]) == false) {
+                throw new IllegalArgumentException(
+                    String.format(
+                        Locale.ROOT,
+                        "Checker method %s has incorrect argument types. " + "It must have a first argument of Class<?> type.",
+                        checkerMethodName
+                    )
+                );
+            }
+
+            targetClassName = checkerMethodName.substring(classNameStartIndex + 1, classNameEndIndex).replace('_', '/');
+            targetParameterTypes = Arrays.stream(checkerMethodArgumentTypes).skip(1).map(Type::getInternalName).toList();
+        } else {
+            if (checkerMethodArgumentTypes.length < 2
+                || CLASS_TYPE.equals(checkerMethodArgumentTypes[0]) == false
+                || checkerMethodArgumentTypes[1].getSort() != Type.OBJECT) {
+                throw new IllegalArgumentException(
+                    String.format(
+                        Locale.ROOT,
+                        "Checker method %s has incorrect argument types. "
+                            + "It must have a first argument of Class<?> type, and a second argument of the class containing the method to "
+                            + "instrument",
+                        checkerMethodName
+                    )
+                );
+            }
+            var targetClassType = checkerMethodArgumentTypes[1];
+            targetClassName = targetClassType.getInternalName();
+            targetParameterTypes = Arrays.stream(checkerMethodArgumentTypes).skip(2).map(Type::getInternalName).toList();
+        }
+        return new MethodKey(targetClassName, targetMethodName, targetParameterTypes);
+    }
 }

libs/entitlement/asm-provider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumenterImpl.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.entitlement.instrumentation.impl;
 
+import org.elasticsearch.entitlement.instrumentation.CheckerMethod;
 import org.elasticsearch.entitlement.instrumentation.Instrumenter;
 import org.elasticsearch.entitlement.instrumentation.MethodKey;
 import org.objectweb.asm.AnnotationVisitor;
@@ -23,7 +24,6 @@
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.lang.reflect.Method;
 import java.util.Map;
 import java.util.stream.Stream;
 
@@ -36,13 +36,29 @@
 import static org.objectweb.asm.Opcodes.INVOKEVIRTUAL;
 
 public class InstrumenterImpl implements Instrumenter {
+
+    private static final String checkerClassDescriptor;
+    private static final String handleClass;
+    static {
+        int javaVersion = Runtime.version().feature();
+        final String classNamePrefix;
+        if (javaVersion >= 23) {
+            classNamePrefix = "Java23";
+        } else {
+            classNamePrefix = "";
+        }
+        String checkerClass = "org/elasticsearch/entitlement/bridge/" + classNamePrefix + "EntitlementChecker";
+        handleClass = checkerClass + "Handle";
+        checkerClassDescriptor = Type.getObjectType(checkerClass).getDescriptor();
+    }
+
     /**
      * To avoid class name collisions during testing without an agent to replace classes in-place.
      */
     private final String classNameSuffix;
-    private final Map<MethodKey, Method> instrumentationMethods;
+    private final Map<MethodKey, CheckerMethod> instrumentationMethods;
 
-    public InstrumenterImpl(String classNameSuffix, Map<MethodKey, Method> instrumentationMethods) {
+    public InstrumenterImpl(String classNameSuffix, Map<MethodKey, CheckerMethod> instrumentationMethods) {
         this.classNameSuffix = classNameSuffix;
         this.instrumentationMethods = instrumentationMethods;
     }
@@ -138,12 +154,7 @@ public MethodVisitor visitMethod(int access, String name, String descriptor, Str
             var mv = super.visitMethod(access, name, descriptor, signature, exceptions);
             if (isAnnotationPresent == false) {
                 boolean isStatic = (access & ACC_STATIC) != 0;
-                var key = new MethodKey(
-                    className,
-                    name,
-                    Stream.of(Type.getArgumentTypes(descriptor)).map(Type::getInternalName).toList(),
-                    isStatic
-                );
+                var key = new MethodKey(className, name, Stream.of(Type.getArgumentTypes(descriptor)).map(Type::getInternalName).toList());
                 var instrumentationMethod = instrumentationMethods.get(key);
                 if (instrumentationMethod != null) {
                     // LOGGER.debug("Will instrument method {}", key);
@@ -177,15 +188,15 @@ private void addClassAnnotationIfNeeded() {
     class EntitlementMethodVisitor extends MethodVisitor {
         private final boolean instrumentedMethodIsStatic;
         private final String instrumentedMethodDescriptor;
-        private final Method instrumentationMethod;
+        private final CheckerMethod instrumentationMethod;
         private boolean hasCallerSensitiveAnnotation = false;
 
         EntitlementMethodVisitor(
             int api,
             MethodVisitor methodVisitor,
             boolean instrumentedMethodIsStatic,
             String instrumentedMethodDescriptor,
-            Method instrumentationMethod
+            CheckerMethod instrumentationMethod
         ) {
             super(api, methodVisitor);
             this.instrumentedMethodIsStatic = instrumentedMethodIsStatic;
@@ -262,22 +273,19 @@ private void forwardIncomingArguments() {
         private void invokeInstrumentationMethod() {
             mv.visitMethodInsn(
                 INVOKEINTERFACE,
-                Type.getInternalName(instrumentationMethod.getDeclaringClass()),
-                instrumentationMethod.getName(),
-                Type.getMethodDescriptor(instrumentationMethod),
+                instrumentationMethod.className(),
+                instrumentationMethod.methodName(),
+                Type.getMethodDescriptor(
+                    Type.VOID_TYPE,
+                    instrumentationMethod.parameterDescriptors().stream().map(Type::getType).toArray(Type[]::new)
+                ),
                 true
             );
         }
     }
 
     protected void pushEntitlementChecker(MethodVisitor mv) {
-        mv.visitMethodInsn(
-            INVOKESTATIC,
-            "org/elasticsearch/entitlement/bridge/EntitlementCheckerHandle",
-            "instance",
-            "()Lorg/elasticsearch/entitlement/bridge/EntitlementChecker;",
-            false
-        );
+        mv.visitMethodInsn(INVOKESTATIC, handleClass, "instance", "()" + checkerClassDescriptor, false);
     }
 
     public record ClassFileInfo(String fileName, byte[] bytecodes) {}