diff --git a/libs/entitlement/src/main/java/module-info.java b/libs/entitlement/src/main/java/module-info.java index d6737a14a0b88..04145a9d4f40b 100644 --- a/libs/entitlement/src/main/java/module-info.java +++ b/libs/entitlement/src/main/java/module-info.java @@ -20,11 +20,13 @@ requires static org.elasticsearch.entitlement.bridge; // At runtime, this will be in java.base exports org.elasticsearch.entitlement.runtime.api; - exports org.elasticsearch.entitlement.runtime.policy; - exports org.elasticsearch.entitlement.runtime.policy.entitlements to org.elasticsearch.server; exports org.elasticsearch.entitlement.instrumentation; exports org.elasticsearch.entitlement.bootstrap to org.elasticsearch.server; exports org.elasticsearch.entitlement.initialization to java.base; + // TODO: Most of the things in the policy package should be internal implementation details that are not exported. + exports org.elasticsearch.entitlement.runtime.policy; + exports org.elasticsearch.entitlement.runtime.policy.entitlements to org.elasticsearch.server; + uses org.elasticsearch.entitlement.instrumentation.InstrumentationService; } diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java index f17f464cae23e..3474557bda021 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java @@ -14,11 +14,9 @@ import com.sun.tools.attach.AttachNotSupportedException; import com.sun.tools.attach.VirtualMachine; -import org.elasticsearch.core.Nullable; import org.elasticsearch.core.PathUtils; import org.elasticsearch.core.SuppressForbidden; import org.elasticsearch.entitlement.initialization.EntitlementInitialization; -import org.elasticsearch.entitlement.runtime.policy.PathLookup; import org.elasticsearch.entitlement.runtime.policy.PathLookupImpl; import org.elasticsearch.entitlement.runtime.policy.Policy; import org.elasticsearch.entitlement.runtime.policy.PolicyManager; @@ -33,35 +31,11 @@ import java.util.function.Function; import java.util.stream.Stream; -import static java.util.Objects.requireNonNull; - public class EntitlementBootstrap { - public record BootstrapArgs( - @Nullable Policy serverPolicyPatch, - Map pluginPolicies, - Function, PolicyManager.PolicyScope> scopeResolver, - PathLookup pathLookup, - Map sourcePaths, - Set suppressFailureLogPackages - ) { - public BootstrapArgs { - requireNonNull(pluginPolicies); - requireNonNull(scopeResolver); - requireNonNull(pathLookup); - requireNonNull(sourcePaths); - requireNonNull(suppressFailureLogPackages); - } - } - - private static BootstrapArgs bootstrapArgs; - - public static BootstrapArgs bootstrapArgs() { - return bootstrapArgs; - } - /** - * Activates entitlement checking. Once this method returns, calls to methods protected by Entitlements from classes without a valid + * Main entry point that activates entitlement checking. Once this method returns, + * calls to methods protected by entitlements from classes without a valid * policy will throw {@link org.elasticsearch.entitlement.runtime.api.NotEntitledException}. * * @param serverPolicyPatch a policy with additional entitlements to patch the embedded server layer policy @@ -98,10 +72,10 @@ public static void bootstrap( Set suppressFailureLogPackages ) { logger.debug("Loading entitlement agent"); - if (EntitlementBootstrap.bootstrapArgs != null) { - throw new IllegalStateException("plugin data is already set"); + if (EntitlementInitialization.initializeArgs != null) { + throw new IllegalStateException("initialization data is already set"); } - EntitlementBootstrap.bootstrapArgs = new BootstrapArgs( + EntitlementInitialization.initializeArgs = new EntitlementInitialization.InitializeArgs( serverPolicyPatch, pluginPolicies, scopeResolver, diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java index 89e8bc134a460..ede41458f7e45 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java @@ -10,9 +10,9 @@ package org.elasticsearch.entitlement.initialization; import org.elasticsearch.core.Booleans; -import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap; +import org.elasticsearch.core.Nullable; import org.elasticsearch.entitlement.bridge.EntitlementChecker; -import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker; +import org.elasticsearch.entitlement.runtime.policy.ElasticsearchEntitlementChecker; import org.elasticsearch.entitlement.runtime.policy.PathLookup; import org.elasticsearch.entitlement.runtime.policy.Policy; import org.elasticsearch.entitlement.runtime.policy.PolicyChecker; @@ -22,8 +22,12 @@ import java.lang.instrument.Instrumentation; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; +import java.nio.file.Path; import java.util.Map; import java.util.Set; +import java.util.function.Function; + +import static java.util.Objects.requireNonNull; /** * Called by the agent during {@code agentmain} to configure the entitlement system, @@ -36,6 +40,7 @@ public class EntitlementInitialization { private static final Module ENTITLEMENTS_MODULE = PolicyManager.class.getModule(); + public static InitializeArgs initializeArgs; private static ElasticsearchEntitlementChecker checker; // Note: referenced by bridge reflectively @@ -66,29 +71,55 @@ public static void initialize(Instrumentation inst) throws Exception { checker = initChecker(inst, createPolicyManager()); } + /** + * Arguments to {@link #initialize}. Since that's called in a static context from the agent, + * we have no way to pass arguments directly, so we stuff them in here. + * + * @param serverPolicyPatch + * @param pluginPolicies + * @param scopeResolver + * @param pathLookup + * @param sourcePaths + * @param suppressFailureLogPackages + */ + public record InitializeArgs( + @Nullable Policy serverPolicyPatch, + Map pluginPolicies, + Function, PolicyManager.PolicyScope> scopeResolver, + PathLookup pathLookup, + Map sourcePaths, + Set suppressFailureLogPackages + ) { + public InitializeArgs { + requireNonNull(pluginPolicies); + requireNonNull(scopeResolver); + requireNonNull(pathLookup); + requireNonNull(sourcePaths); + requireNonNull(suppressFailureLogPackages); + } + } + private static PolicyCheckerImpl createPolicyChecker(PolicyManager policyManager) { - EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs(); return new PolicyCheckerImpl( - bootstrapArgs.suppressFailureLogPackages(), + initializeArgs.suppressFailureLogPackages(), ENTITLEMENTS_MODULE, policyManager, - bootstrapArgs.pathLookup() + initializeArgs.pathLookup() ); } private static PolicyManager createPolicyManager() { - EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs(); - Map pluginPolicies = bootstrapArgs.pluginPolicies(); - PathLookup pathLookup = bootstrapArgs.pathLookup(); + Map pluginPolicies = initializeArgs.pluginPolicies(); + PathLookup pathLookup = initializeArgs.pathLookup(); FilesEntitlementsValidation.validate(pluginPolicies, pathLookup); return new PolicyManager( - HardcodedEntitlements.serverPolicy(pathLookup.pidFile(), bootstrapArgs.serverPolicyPatch()), + HardcodedEntitlements.serverPolicy(pathLookup.pidFile(), initializeArgs.serverPolicyPatch()), HardcodedEntitlements.agentEntitlements(), pluginPolicies, - EntitlementBootstrap.bootstrapArgs().scopeResolver(), - EntitlementBootstrap.bootstrapArgs().sourcePaths(), + initializeArgs.scopeResolver(), + initializeArgs.sourcePaths(), pathLookup ); } diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/package-info.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/package-info.java index 9ee416068807f..0989f98481a38 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/package-info.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/package-info.java @@ -189,7 +189,7 @@ *

Checks

*

* The injected prologue calls a {@code check$} method on {@link org.elasticsearch.entitlement.bridge.EntitlementChecker}; its - * implementation (normally on {@link org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker}, unless it is a + * implementation (normally on {@link org.elasticsearch.entitlement.runtime.policy.ElasticsearchEntitlementChecker}, unless it is a * version-specific method) calls the appropriate methods on {@link org.elasticsearch.entitlement.runtime.policy.PolicyManager}, * forwarding the caller class and a specific set of arguments. These methods all start with check, roughly matching an entitlement type * (e.g. {@link org.elasticsearch.entitlement.runtime.policy.PolicyChecker#checkInboundNetworkAccess}, diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/package-info.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/package-info.java new file mode 100644 index 0000000000000..fadae3a5dee91 --- /dev/null +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/package-info.java @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the "Elastic License + * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side + * Public License v 1"; you may not use this file except in compliance with, at + * your election, the "Elastic License 2.0", the "GNU Affero General Public + * License v3.0 only", or the "Server Side Public License, v 1". + */ + +/** + * The public API for the Entitlements system. + * All other packages are implementation details that should use selective exports. + */ +package org.elasticsearch.entitlement.runtime.api; diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/ElasticsearchEntitlementChecker.java similarity index 99% rename from libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java rename to libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/ElasticsearchEntitlementChecker.java index 5b615cc5163d7..648572e3b4d65 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/ElasticsearchEntitlementChecker.java @@ -7,13 +7,12 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -package org.elasticsearch.entitlement.runtime.api; +package org.elasticsearch.entitlement.runtime.policy; import jdk.nio.Channels; import org.elasticsearch.core.SuppressForbidden; import org.elasticsearch.entitlement.bridge.EntitlementChecker; -import org.elasticsearch.entitlement.runtime.policy.PolicyChecker; import java.io.File; import java.io.FileDescriptor; diff --git a/libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/api/Java19ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/policy/Java19ElasticsearchEntitlementChecker.java similarity index 95% rename from libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/api/Java19ElasticsearchEntitlementChecker.java rename to libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/policy/Java19ElasticsearchEntitlementChecker.java index c32e28d30319f..0f7b3bfecc21f 100644 --- a/libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/api/Java19ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/policy/Java19ElasticsearchEntitlementChecker.java @@ -7,10 +7,9 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -package org.elasticsearch.entitlement.runtime.api; +package org.elasticsearch.entitlement.runtime.policy; import org.elasticsearch.entitlement.bridge.Java19EntitlementChecker; -import org.elasticsearch.entitlement.runtime.policy.PolicyChecker; import java.lang.foreign.Addressable; import java.lang.foreign.FunctionDescriptor; diff --git a/libs/entitlement/src/main20/java/org/elasticsearch/entitlement/runtime/api/Java20ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main20/java/org/elasticsearch/entitlement/runtime/policy/Java20ElasticsearchEntitlementChecker.java similarity index 97% rename from libs/entitlement/src/main20/java/org/elasticsearch/entitlement/runtime/api/Java20ElasticsearchEntitlementChecker.java rename to libs/entitlement/src/main20/java/org/elasticsearch/entitlement/runtime/policy/Java20ElasticsearchEntitlementChecker.java index 906cf2de8aac6..a62301b2a2402 100644 --- a/libs/entitlement/src/main20/java/org/elasticsearch/entitlement/runtime/api/Java20ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main20/java/org/elasticsearch/entitlement/runtime/policy/Java20ElasticsearchEntitlementChecker.java @@ -7,10 +7,9 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -package org.elasticsearch.entitlement.runtime.api; +package org.elasticsearch.entitlement.runtime.policy; import org.elasticsearch.entitlement.bridge.Java20EntitlementChecker; -import org.elasticsearch.entitlement.runtime.policy.PolicyChecker; import java.lang.foreign.FunctionDescriptor; import java.lang.foreign.Linker; diff --git a/libs/entitlement/src/main21/java/org/elasticsearch/entitlement/runtime/api/Java21ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main21/java/org/elasticsearch/entitlement/runtime/policy/Java21ElasticsearchEntitlementChecker.java similarity index 97% rename from libs/entitlement/src/main21/java/org/elasticsearch/entitlement/runtime/api/Java21ElasticsearchEntitlementChecker.java rename to libs/entitlement/src/main21/java/org/elasticsearch/entitlement/runtime/policy/Java21ElasticsearchEntitlementChecker.java index 72773e8e9c0f6..87b46b5f10ef6 100644 --- a/libs/entitlement/src/main21/java/org/elasticsearch/entitlement/runtime/api/Java21ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main21/java/org/elasticsearch/entitlement/runtime/policy/Java21ElasticsearchEntitlementChecker.java @@ -7,10 +7,9 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -package org.elasticsearch.entitlement.runtime.api; +package org.elasticsearch.entitlement.runtime.policy; import org.elasticsearch.entitlement.bridge.Java21EntitlementChecker; -import org.elasticsearch.entitlement.runtime.policy.PolicyChecker; import java.lang.foreign.AddressLayout; import java.lang.foreign.Arena; diff --git a/libs/entitlement/src/main22/java/org/elasticsearch/entitlement/runtime/api/Java22ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main22/java/org/elasticsearch/entitlement/runtime/policy/Java22ElasticsearchEntitlementChecker.java similarity index 87% rename from libs/entitlement/src/main22/java/org/elasticsearch/entitlement/runtime/api/Java22ElasticsearchEntitlementChecker.java rename to libs/entitlement/src/main22/java/org/elasticsearch/entitlement/runtime/policy/Java22ElasticsearchEntitlementChecker.java index 49e9453cd5053..1ec7c8001afc8 100644 --- a/libs/entitlement/src/main22/java/org/elasticsearch/entitlement/runtime/api/Java22ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main22/java/org/elasticsearch/entitlement/runtime/policy/Java22ElasticsearchEntitlementChecker.java @@ -7,10 +7,9 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -package org.elasticsearch.entitlement.runtime.api; +package org.elasticsearch.entitlement.runtime.policy; import org.elasticsearch.entitlement.bridge.Java22EntitlementChecker; -import org.elasticsearch.entitlement.runtime.policy.PolicyChecker; public class Java22ElasticsearchEntitlementChecker extends Java21ElasticsearchEntitlementChecker implements Java22EntitlementChecker { diff --git a/libs/entitlement/src/main23/java/org/elasticsearch/entitlement/runtime/api/Java23ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main23/java/org/elasticsearch/entitlement/runtime/policy/Java23ElasticsearchEntitlementChecker.java similarity index 87% rename from libs/entitlement/src/main23/java/org/elasticsearch/entitlement/runtime/api/Java23ElasticsearchEntitlementChecker.java rename to libs/entitlement/src/main23/java/org/elasticsearch/entitlement/runtime/policy/Java23ElasticsearchEntitlementChecker.java index a54c2f4cf827e..e6f692d992407 100644 --- a/libs/entitlement/src/main23/java/org/elasticsearch/entitlement/runtime/api/Java23ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main23/java/org/elasticsearch/entitlement/runtime/policy/Java23ElasticsearchEntitlementChecker.java @@ -7,10 +7,9 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -package org.elasticsearch.entitlement.runtime.api; +package org.elasticsearch.entitlement.runtime.policy; import org.elasticsearch.entitlement.bridge.Java23EntitlementChecker; -import org.elasticsearch.entitlement.runtime.policy.PolicyChecker; public class Java23ElasticsearchEntitlementChecker extends Java22ElasticsearchEntitlementChecker implements Java23EntitlementChecker { diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java b/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java index 54c5ed001fb5c..a2a2fd110c586 100644 --- a/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java +++ b/test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java @@ -14,25 +14,46 @@ import org.elasticsearch.logging.LogManager; import org.elasticsearch.logging.Logger; +import java.nio.file.Path; +import java.util.stream.Stream; + public class TestEntitlementBootstrap { private static final Logger logger = LogManager.getLogger(TestEntitlementBootstrap.class); - private static BootstrapArgs bootstrapArgs; /** * Activates entitlement checking in tests. - * @param bootstrapArgs arguments used for and passed to entitlement initialization */ - public static void bootstrap(BootstrapArgs bootstrapArgs) { - assert bootstrapArgs != null; - TestEntitlementBootstrap.bootstrapArgs = bootstrapArgs; + public static void bootstrap() { + TestEntitlementInitialization.initializeArgs = new TestEntitlementInitialization.InitializeArgs(new TestPathLookup()); logger.debug("Loading entitlement agent"); EntitlementBootstrap.loadAgent(EntitlementBootstrap.findAgentJar(), TestEntitlementInitialization.class.getName()); } - public static BootstrapArgs bootstrapArgs() { - return bootstrapArgs; - } + private record TestPathLookup() implements PathLookup { + @Override + public Path pidFile() { + throw notYetImplemented(); + } + + @Override + public Stream getBaseDirPaths(BaseDir baseDir) { + throw notYetImplemented(); + } + + @Override + public Stream resolveRelativePaths(BaseDir baseDir, Path relativePath) { + throw notYetImplemented(); + } - public record BootstrapArgs(PathLookup pathLookup) {} + @Override + public Stream resolveSettingPaths(BaseDir baseDir, String settingName) { + throw notYetImplemented(); + } + + private static IllegalStateException notYetImplemented() { + return new IllegalStateException("not yet implemented"); + } + + } } diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java b/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java index 7e66d9e0343fd..1ff0a17032ac4 100644 --- a/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java +++ b/test/framework/src/main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java @@ -14,9 +14,8 @@ import org.elasticsearch.bootstrap.TestScopeResolver; import org.elasticsearch.core.Strings; import org.elasticsearch.core.SuppressForbidden; -import org.elasticsearch.entitlement.bootstrap.TestEntitlementBootstrap; import org.elasticsearch.entitlement.bridge.EntitlementChecker; -import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker; +import org.elasticsearch.entitlement.runtime.policy.ElasticsearchEntitlementChecker; import org.elasticsearch.entitlement.runtime.policy.PathLookup; import org.elasticsearch.entitlement.runtime.policy.Policy; import org.elasticsearch.entitlement.runtime.policy.PolicyManager; @@ -38,6 +37,7 @@ public class TestEntitlementInitialization { private static ElasticsearchEntitlementChecker checker; + public static InitializeArgs initializeArgs; // Note: referenced by bridge reflectively public static EntitlementChecker checker() { @@ -45,10 +45,11 @@ public static EntitlementChecker checker() { } public static void initialize(Instrumentation inst) throws Exception { - TestEntitlementBootstrap.BootstrapArgs bootstrapArgs = TestEntitlementBootstrap.bootstrapArgs(); - checker = EntitlementInitialization.initChecker(inst, createPolicyManager(bootstrapArgs.pathLookup())); + checker = EntitlementInitialization.initChecker(inst, createPolicyManager(initializeArgs.pathLookup())); } + public record InitializeArgs(PathLookup pathLookup) {} + private record TestPluginData(String pluginName, boolean isModular, boolean isExternalPlugin) {} private static Map parsePluginsPolicies(List pluginsData) { @@ -115,4 +116,5 @@ private static PolicyManager createPolicyManager(PathLookup pathLookup) throws I ); throw new IllegalStateException("Not yet implemented!"); } + }