Add native check support and tests for preview version (21)

Author: ldematte

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java

@@ -181,22 +181,22 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
             entry("runtime_load_library", forPlugins(LoadNativeLibrariesCheckActions::runtimeLoadLibrary)),
             entry("system_load", forPlugins(LoadNativeLibrariesCheckActions::systemLoad)),
             entry("system_load_library", forPlugins(LoadNativeLibrariesCheckActions::systemLoadLibrary)),
-            entry("enable_native_access", new CheckAction(VersionSpecificNativeChecks::enableNativeAccess, false, 22)),
-            entry("address_target_layout", new CheckAction(VersionSpecificNativeChecks::addressLayoutWithTargetLayout, false, 22)),
-            entry("donwncall_handle", new CheckAction(VersionSpecificNativeChecks::linkerDowncallHandle, false, 22)),
+            entry("enable_native_access", deniedToPlugins(VersionSpecificNativeChecks::enableNativeAccess)),
+            entry("address_target_layout", new CheckAction(VersionSpecificNativeChecks::addressLayoutWithTargetLayout, false, 21)),
+            entry("donwncall_handle", new CheckAction(VersionSpecificNativeChecks::linkerDowncallHandle, false, 21)),
             entry(
                 "donwncall_handle_with_address",
-                new CheckAction(VersionSpecificNativeChecks::linkerDowncallHandleWithAddress, false, 22)
+                new CheckAction(VersionSpecificNativeChecks::linkerDowncallHandleWithAddress, false, 21)
             ),
-            entry("upcall_stub", new CheckAction(VersionSpecificNativeChecks::linkerUpcallStub, false, 22)),
-            entry("reinterpret", new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpret, false, 22)),
-            entry("reinterpret_cleanup", new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpretWithCleanup, false, 22)),
+            entry("upcall_stub", new CheckAction(VersionSpecificNativeChecks::linkerUpcallStub, false, 21)),
+            entry("reinterpret", new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpret, false, 21)),
+            entry("reinterpret_cleanup", new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpretWithCleanup, false, 21)),
             entry(
                 "reinterpret_size_cleanup",
-                new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpretWithSizeAndCleanup, false, 22)
+                new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpretWithSizeAndCleanup, false, 21)
             ),
-            entry("symbol_lookup_name", new CheckAction(VersionSpecificNativeChecks::symbolLookupWithName, false, 22)),
-            entry("symbol_lookup_path", new CheckAction(VersionSpecificNativeChecks::symbolLookupWithPath, false, 22))
+            entry("symbol_lookup_name", new CheckAction(VersionSpecificNativeChecks::symbolLookupWithName, false, 21)),
+            entry("symbol_lookup_path", new CheckAction(VersionSpecificNativeChecks::symbolLookupWithPath, false, 21))
         ),
         getTestEntries(FileCheckActions.class),
         getTestEntries(SpiActions.class),

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/VersionSpecificNativeChecks.java

@@ -9,25 +9,110 @@
 
 package org.elasticsearch.entitlement.qa.test;
 
+import org.elasticsearch.entitlement.qa.entitled.EntitledPlugin;
+
+import java.lang.foreign.AddressLayout;
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemoryLayout;
+import java.lang.foreign.MemorySegment;
+import java.lang.foreign.SymbolLookup;
+import java.lang.foreign.ValueLayout;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
+import java.lang.module.Configuration;
+import java.lang.module.ModuleFinder;
+import java.nio.file.Path;
+import java.util.List;
+import java.util.Set;
+
+import static java.lang.foreign.ValueLayout.ADDRESS;
+import static java.lang.foreign.ValueLayout.JAVA_LONG;
+
 class VersionSpecificNativeChecks {
 
-    static void enableNativeAccess() throws Exception {}
+    static void enableNativeAccess() throws Exception {
+        ModuleLayer parent = ModuleLayer.boot();
+
+        var location = EntitledPlugin.class.getProtectionDomain().getCodeSource().getLocation();
+
+        // We create a layer for our own module, so we have a controller to try and call enableNativeAccess on it.
+        // This works in both the modular and non-modular case: the target module has to be present in the new layer, but its entitlements
+        // and policies do not matter to us: we are checking that the caller is (or isn't) entitled to use enableNativeAccess
+        Configuration cf = parent.configuration()
+            .resolve(ModuleFinder.of(Path.of(location.toURI())), ModuleFinder.of(), Set.of("org.elasticsearch.entitlement.qa.entitled"));
+        var controller = ModuleLayer.defineModulesWithOneLoader(cf, List.of(parent), ClassLoader.getSystemClassLoader());
+        var targetModule = controller.layer().findModule("org.elasticsearch.entitlement.qa.entitled");
+
+        controller.enableNativeAccess(targetModule.get());
+    }
+
+    static void addressLayoutWithTargetLayout() {
+        AddressLayout addressLayout = ADDRESS.withoutTargetLayout();
+        addressLayout.withTargetLayout(MemoryLayout.sequenceLayout(Long.MAX_VALUE, ValueLayout.JAVA_BYTE));
+    }
+
+    static void linkerDowncallHandle() {
+        Linker linker = Linker.nativeLinker();
+        linker.downcallHandle(FunctionDescriptor.of(JAVA_LONG, ADDRESS));
+    }
+
+    static void linkerDowncallHandleWithAddress() {
+        Linker linker = Linker.nativeLinker();
+        linker.downcallHandle(linker.defaultLookup().find("strlen").get(), FunctionDescriptor.of(JAVA_LONG, ADDRESS));
+    }
 
-    static void addressLayoutWithTargetLayout() {}
+    static int callback() {
+        return 0;
+    }
 
-    static void linkerDowncallHandle() {}
+    static void linkerUpcallStub() throws NoSuchMethodException {
+        Linker linker = Linker.nativeLinker();
 
-    static void linkerDowncallHandleWithAddress() {}
+        MethodHandle mh = null;
+        try {
+            mh = MethodHandles.lookup().findStatic(VersionSpecificNativeChecks.class, "callback", MethodType.methodType(int.class));
+        } catch (IllegalAccessException e) {
+            assert false;
+        }
 
-    static void linkerUpcallStub() throws NoSuchMethodException {}
+        FunctionDescriptor callbackDescriptor = FunctionDescriptor.of(ValueLayout.JAVA_INT);
+        linker.upcallStub(mh, callbackDescriptor, Arena.ofAuto());
+    }
 
-    static void memorySegmentReinterpret() {}
+    static void memorySegmentReinterpret() {
+        Arena arena = Arena.ofAuto();
+        MemorySegment segment = arena.allocate(100);
+        segment.reinterpret(50);
+    }
 
-    static void memorySegmentReinterpretWithCleanup() {}
+    static void memorySegmentReinterpretWithCleanup() {
+        Arena arena = Arena.ofAuto();
+        MemorySegment segment = arena.allocate(100);
+        segment.reinterpret(Arena.ofAuto(), s -> {});
+    }
 
-    static void memorySegmentReinterpretWithSizeAndCleanup() {}
+    static void memorySegmentReinterpretWithSizeAndCleanup() {
+        Arena arena = Arena.ofAuto();
+        MemorySegment segment = arena.allocate(100);
+        segment.reinterpret(50, Arena.ofAuto(), s -> {});
+    }
 
-    static void symbolLookupWithPath() {}
+    static void symbolLookupWithPath() {
+        try {
+            SymbolLookup.libraryLookup(Path.of("/foo/bar/libFoo.so"), Arena.ofAuto());
+        } catch (IllegalArgumentException e) {
+            // IllegalArgumentException is thrown if path does not point to a valid library (and it does not)
+        }
+    }
 
-    static void symbolLookupWithName() {}
+    static void symbolLookupWithName() {
+        try {
+            SymbolLookup.libraryLookup("foo", Arena.ofAuto());
+        } catch (IllegalArgumentException e) {
+            // IllegalArgumentException is thrown if path does not point to a valid library (and it does not)
+        }
+    }
 }

libs/entitlement/qa/entitlement-test-plugin/src/main22/java/org/elasticsearch/entitlement/qa/test/VersionSpecificNativeChecks.java

@@ -908,7 +908,7 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
         ModuleLayer.Controller that,
         Module target
     ) {
-        policyManager.checkLoadingNativeLibraries(callerClass);
+        policyManager.checkChangeJVMGlobalState(callerClass);
     }
 
     /// /////////////////

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -11,11 +11,15 @@
 
 public class NativeAccessUtil {
     /**
-     * Enables native access for the provided module. No-op for JDK 21 or before.
+     * Enables native access for the provided module.
+     * We need to have this adapter even if the method is available in JDK 21, as it was in preview.
+     * Available to JDK 22+, required for JDK 24+ when using --illegal-native-access=deny
      */
-    public static void enableNativeAccess(ModuleLayer.Controller controller, Module module) {}
+    public static void enableNativeAccess(ModuleLayer.Controller controller, Module module) {
+        controller.enableNativeAccess(module);
+    }
 
     public static boolean isNativeAccessEnabled(Module module) {
-        return true;
+        return module.isNativeAccessEnabled();
     }
 }