Merge remote-tracking branch 'upstream/main' into entitlements/nio-files-1

Author: ldematte

build-tools-internal/version.properties

@@ -17,7 +17,7 @@ jna               = 5.12.1
 netty             = 4.1.115.Final
 commons_lang3     = 3.9
 google_oauth_client = 1.34.1
-awsv1sdk            = 1.12.270
+awsv1sdk            = 1.12.746
 awsv2sdk            = 2.28.13
 reactive_streams    = 1.0.4
 

docs/changelog/122247.yaml

@@ -0,0 +1,5 @@
+pr: 122247
+summary: Improve jwt logging on failed auth
+area: Authentication
+type: bug
+issues: []

docs/changelog/122431.yaml

@@ -0,0 +1,5 @@
+pr: 122431
+summary: Upgrade AWS SDK to v1.12.746
+area: Snapshot/Restore
+type: upgrade
+issues: []

gradle/verification-metadata.xml

@@ -89,29 +89,29 @@
             <sha256 value="ccc7efe5cd3ce22d6046cafd4d2f8bff5adcb43e0d27da482178fac5daadef81" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-core" version="1.12.270">
-         <artifact name="aws-java-sdk-core-1.12.270.jar">
-            <sha256 value="4e41d9f54606151674fc550e5e6291b0ddf917d55a2a3465a45a4e6ac98c9f8f" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-core" version="1.12.746">
+         <artifact name="aws-java-sdk-core-1.12.746.jar">
+            <sha256 value="798fd30dafcf6816e760ad8aef8b3f09c43351ed2e166993bddc4527dbafb0be" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-ec2" version="1.12.270">
-         <artifact name="aws-java-sdk-ec2-1.12.270.jar">
-            <sha256 value="faadf443751822e205338e80d2cea5eabd6373c1c3cef6348c24809ca82a9dd0" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-ec2" version="1.12.746">
+         <artifact name="aws-java-sdk-ec2-1.12.746.jar">
+            <sha256 value="cec22d57e05ed75417b1342e9dd468c6fe7f2fab97c626c065d6495e44d732ad" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-s3" version="1.12.270">
-         <artifact name="aws-java-sdk-s3-1.12.270.jar">
-            <sha256 value="41bbea44bac7cfce3898e2e598a17526984337e265f6b16814839c17168a570e" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-s3" version="1.12.746">
+         <artifact name="aws-java-sdk-s3-1.12.746.jar">
+            <sha256 value="dcd839802c71ffc4d3e6bebc8769a2149bc423baf95f3e6c8214f9c91536bc38" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="aws-java-sdk-sts" version="1.12.270">
-         <artifact name="aws-java-sdk-sts-1.12.270.jar">
-            <sha256 value="8cf2d3705381b81808c2e75a5e25a7097385b121ef15c001b18fde3d79657571" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="aws-java-sdk-sts" version="1.12.746">
+         <artifact name="aws-java-sdk-sts-1.12.746.jar">
+            <sha256 value="2916c28f9a6b6ade40c7e2ffdea3788b198a98b2b16830e02a24ec49fc0fb06f" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.amazonaws" name="jmespath-java" version="1.12.270">
-         <artifact name="jmespath-java-1.12.270.jar">
-            <sha256 value="515d1afb0cd0176630c0707acabd4a3e48424ea938b89359774f61a24b6450f1" origin="Generated by Gradle"/>
+      <component group="com.amazonaws" name="jmespath-java" version="1.12.746">
+         <artifact name="jmespath-java-1.12.746.jar">
+            <sha256 value="d4239a7a1bfacbb9cd1f0e48a46ac95960ab7942c6fbb41ea825161efea72351" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.avast.gradle" name="gradle-docker-compose-plugin" version="0.17.5">

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -10,6 +10,8 @@
 package org.elasticsearch.entitlement.bridge;
 
 import java.io.File;
+import java.io.FileFilter;
+import java.io.FilenameFilter;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
@@ -520,6 +522,12 @@ public interface EntitlementChecker {
     //
 
     // old io (ie File)
+    void check$java_io_File$canExecute(Class<?> callerClass, File file);
+
+    void check$java_io_File$canRead(Class<?> callerClass, File file);
+
+    void check$java_io_File$canWrite(Class<?> callerClass, File file);
+
     void check$java_io_File$createNewFile(Class<?> callerClass, File file);
 
     void check$java_io_File$$createTempFile(Class<?> callerClass, String prefix, String suffix, File directory);
@@ -528,6 +536,28 @@ public interface EntitlementChecker {
 
     void check$java_io_File$deleteOnExit(Class<?> callerClass, File file);
 
+    void check$java_io_File$exists(Class<?> callerClass, File file);
+
+    void check$java_io_File$isDirectory(Class<?> callerClass, File file);
+
+    void check$java_io_File$isFile(Class<?> callerClass, File file);
+
+    void check$java_io_File$isHidden(Class<?> callerClass, File file);
+
+    void check$java_io_File$lastModified(Class<?> callerClass, File file);
+
+    void check$java_io_File$length(Class<?> callerClass, File file);
+
+    void check$java_io_File$list(Class<?> callerClass, File file);
+
+    void check$java_io_File$list(Class<?> callerClass, File file, FilenameFilter filter);
+
+    void check$java_io_File$listFiles(Class<?> callerClass, File file);
+
+    void check$java_io_File$listFiles(Class<?> callerClass, File file, FileFilter filter);
+
+    void check$java_io_File$listFiles(Class<?> callerClass, File file, FilenameFilter filter);
+
     void check$java_io_File$mkdir(Class<?> callerClass, File file);
 
     void check$java_io_File$mkdirs(Class<?> callerClass, File file);

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java

@@ -44,6 +44,21 @@ static Path readWriteFile() {
         return testRootDir.resolve("read_write_file");
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanExecute() throws IOException {
+        readFile().toFile().canExecute();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanRead() throws IOException {
+        readFile().toFile().canRead();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanWrite() throws IOException {
+        readFile().toFile().canWrite();
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void fileCreateNewFile() throws IOException {
         readWriteDir().resolve("new_file").toFile().createNewFile();
@@ -68,6 +83,61 @@ static void fileDeleteOnExit() throws IOException {
         toDelete.toFile().deleteOnExit();
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileExists() throws IOException {
+        readFile().toFile().exists();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsDirectory() throws IOException {
+        readFile().toFile().isDirectory();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsFile() throws IOException {
+        readFile().toFile().isFile();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsHidden() throws IOException {
+        readFile().toFile().isHidden();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileLastModified() throws IOException {
+        readFile().toFile().lastModified();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileLength() throws IOException {
+        readFile().toFile().length();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileList() throws IOException {
+        readDir().toFile().list();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListWithFilter() throws IOException {
+        readDir().toFile().list((dir, name) -> true);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFiles() throws IOException {
+        readDir().toFile().listFiles();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFilesWithFileFilter() throws IOException {
+        readDir().toFile().listFiles(pathname -> true);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFilesWithFilenameFilter() throws IOException {
+        readDir().toFile().listFiles((dir, name) -> true);
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void fileMkdir() throws IOException {
         Path mkdir = readWriteDir().resolve("mkdir");

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -14,6 +14,8 @@
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 
 import java.io.File;
+import java.io.FileFilter;
+import java.io.FilenameFilter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -964,6 +966,21 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
 
     // old io (ie File)
 
+    @Override
+    public void check$java_io_File$canExecute(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$canRead(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$canWrite(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
     @Override
     public void check$java_io_File$createNewFile(Class<?> callerClass, File file) {
         policyManager.checkFileWrite(callerClass, file);
@@ -984,6 +1001,61 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
         policyManager.checkFileWrite(callerClass, file);
     }
 
+    @Override
+    public void check$java_io_File$exists(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isDirectory(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isFile(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isHidden(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$lastModified(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$length(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$list(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$list(Class<?> callerClass, File file, FilenameFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class<?> callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class<?> callerClass, File file, FileFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class<?> callerClass, File file, FilenameFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
     @Override
     public void check$java_io_File$mkdir(Class<?> callerClass, File file) {
         policyManager.checkFileWrite(callerClass, file);

modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,3 +1,8 @@
 io.netty.common:
   - outbound_network
   - manage_threads
+  - files:
+    - path: "/etc/os-release"
+      mode: "read"
+    - path: "/usr/lib/os-release"
+      mode: "read"

modules/repository-s3/build.gradle

@@ -139,15 +139,6 @@ tasks.named("thirdPartyAudit").configure {
           'org.apache.log.Hierarchy',
           'org.apache.log.Logger',
           'javax.jms.Message',
-          'software.amazon.ion.IonReader',
-          'software.amazon.ion.IonSystem',
-          'software.amazon.ion.IonType',
-          'software.amazon.ion.IonWriter',
-          'software.amazon.ion.Timestamp',
-          'software.amazon.ion.system.IonBinaryWriterBuilder',
-          'software.amazon.ion.system.IonSystemBuilder',
-          'software.amazon.ion.system.IonTextWriterBuilder',
-          'software.amazon.ion.system.IonWriterBuilder',
           // We don't use the kms dependency
           'com.amazonaws.services.kms.AWSKMS',
           'com.amazonaws.services.kms.AWSKMSClient',

modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml

@@ -6,3 +6,8 @@ io.netty.common:
   - inbound_network
   - outbound_network
   - manage_threads
+  - files:
+    - path: "/etc/os-release"
+      mode: "read"
+    - path: "/usr/lib/os-release"
+      mode: "read"