From 3403903573f66bbea3d1aa4e732929b487956b97 Mon Sep 17 00:00:00 2001 From: Julian Kiryakov Date: Thu, 11 Sep 2025 12:53:39 -0400 Subject: [PATCH] Revert "Grant manage_threads to java.desktop for Tika (#134454)" This reverts commit 9b41320ce6c61424f9f80c41779c9db70a9fdebc. --- .../bootstrap/HardcodedEntitlements.java | 8 +-- .../runtime/policy/PolicyManager.java | 4 +- .../bootstrap/HardcodedEntitlementsTests.java | 33 ---------- .../bootstrap/TestScopeResolver.java | 62 +++---------------- .../runtime/policy/TestPolicyManager.java | 5 -- 5 files changed, 13 insertions(+), 99 deletions(-) delete mode 100644 libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java index a1cbf7772ae29..bdc4c92b404aa 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java @@ -114,13 +114,7 @@ private static List createServerEntitlements(Path pidFile) { new FilesEntitlement(serverModuleFileDatas) ) ), - new Scope( - "java.desktop", - List.of( - new LoadNativeLibrariesEntitlement(), - new ManageThreadsEntitlement() // For sun.java2d.Disposer. TODO: https://elasticco.atlassian.net/browse/ES-12888 - ) - ), + new Scope("java.desktop", List.of(new LoadNativeLibrariesEntitlement())), new Scope( "java.xml", List.of( diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java index 85bb220e76b30..8dc10b687e666 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java @@ -54,7 +54,7 @@ public class PolicyManager { */ static final Logger generalLogger = LogManager.getLogger(PolicyManager.class); - public static final Set MODULES_EXCLUDED_FROM_SYSTEM_MODULES = Set.of("java.desktop", "java.xml"); + static final Set MODULES_EXCLUDED_FROM_SYSTEM_MODULES = Set.of("java.desktop", "java.xml"); /** * Identifies a particular entitlement {@link Scope} within a {@link Policy}. @@ -94,7 +94,7 @@ public enum ComponentKind { * If this kind corresponds to a single component, this is that component's name; * otherwise null. */ - public final String componentName; + final String componentName; ComponentKind(String componentName) { this.componentName = componentName; diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java deleted file mode 100644 index e297f64453cfc..0000000000000 --- a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the "Elastic License - * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side - * Public License v 1"; you may not use this file except in compliance with, at - * your election, the "Elastic License 2.0", the "GNU Affero General Public - * License v3.0 only", or the "Server Side Public License, v 1". - */ - -package org.elasticsearch.entitlement.bootstrap; - -import org.elasticsearch.test.ESTestCase; -import org.elasticsearch.test.ESTestCase.WithEntitlementsOnTestCode; - -import java.io.ByteArrayInputStream; - -import javax.imageio.stream.MemoryCacheImageInputStream; - -import static java.nio.charset.StandardCharsets.UTF_8; - -@WithEntitlementsOnTestCode -public class HardcodedEntitlementsTests extends ESTestCase { - - /** - * The Tika library can do some things we don't ordinarily want to allow. - *

- * Note that {@link MemoryCacheImageInputStream} doesn't even use {@code Disposer} in JDK 26, - * so it's an open question how much effort this deserves. - */ - public void testTikaPDF() { - new MemoryCacheImageInputStream(new ByteArrayInputStream("test test".getBytes(UTF_8))); - } -} diff --git a/test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java b/test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java index 91662f3f35773..3a42485822f3c 100644 --- a/test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java +++ b/test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java @@ -9,14 +9,11 @@ package org.elasticsearch.bootstrap; -import org.elasticsearch.core.Nullable; import org.elasticsearch.core.SuppressForbidden; -import org.elasticsearch.entitlement.runtime.policy.PolicyManager.PolicyScope; +import org.elasticsearch.entitlement.runtime.policy.PolicyManager; import org.elasticsearch.logging.LogManager; import org.elasticsearch.logging.Logger; -import java.lang.module.ModuleDescriptor; -import java.lang.module.ModuleFinder; import java.net.MalformedURLException; import java.net.URL; import java.util.List; @@ -25,78 +22,39 @@ import java.util.TreeMap; import java.util.function.Function; -import static java.util.Objects.requireNonNull; -import static java.util.stream.Collectors.toSet; import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED; import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.PLUGIN; -import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.SERVER; -import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.MODULES_EXCLUDED_FROM_SYSTEM_MODULES; -public final class TestScopeResolver { +public record TestScopeResolver(Map scopeMap) { private static final Logger logger = LogManager.getLogger(TestScopeResolver.class); - private final Map scopeMap; - private static final Map excludedSystemPackageScopes = computeExcludedSystemPackageScopes(); - public TestScopeResolver(Map scopeMap) { - this.scopeMap = scopeMap; - } - - private static Map computeExcludedSystemPackageScopes() { - // Within any one module layer, module names are unique, so we just need the names - Set systemModuleNames = ModuleFinder.ofSystem() - .findAll() - .stream() - .map(ref -> ref.descriptor().name()) - .filter(MODULES_EXCLUDED_FROM_SYSTEM_MODULES::contains) - .collect(toSet()); - - Map result = new TreeMap<>(); - ModuleLayer.boot().modules().stream().filter(m -> systemModuleNames.contains(m.getName())).forEach(m -> { - ModuleDescriptor desc = m.getDescriptor(); - if (desc != null) { - desc.packages().forEach(pkg -> - // Our component identification logic returns SERVER for these - result.put(pkg, new PolicyScope(SERVER, SERVER.componentName, m.getName()))); - } - }); - return result; - } - - public static @Nullable PolicyScope getExcludedSystemPackageScope(Class callerClass) { - return excludedSystemPackageScopes.get(callerClass.getPackageName()); - } - - PolicyScope getScope(Class callerClass) { + PolicyManager.PolicyScope getScope(Class callerClass) { var callerCodeSource = callerClass.getProtectionDomain().getCodeSource(); - if (callerCodeSource == null) { - // This only happens for JDK classes. Furthermore, for trivially allowed modules, we shouldn't even get here. - // Hence, this must be an excluded system module, so check for that. - return requireNonNull(getExcludedSystemPackageScope(callerClass)); - } + assert callerCodeSource != null; var location = callerCodeSource.getLocation().toString(); var scope = scopeMap.get(location); if (scope == null) { // Special cases for libraries not handled by our automatically-generated scopeMap if (callerClass.getPackageName().startsWith("org.bouncycastle")) { - scope = new PolicyScope(PLUGIN, "security", ALL_UNNAMED); + scope = new PolicyManager.PolicyScope(PLUGIN, "security", ALL_UNNAMED); logger.debug("Assuming bouncycastle is part of the security plugin"); } } if (scope == null) { logger.warn("Cannot identify a scope for class [{}], location [{}]", callerClass.getName(), location); - return PolicyScope.unknown(location); + return PolicyManager.PolicyScope.unknown(location); } return scope; } - public static Function, PolicyScope> createScopeResolver( + public static Function, PolicyManager.PolicyScope> createScopeResolver( TestBuildInfo serverBuildInfo, List pluginsBuildInfo, Set modularPlugins ) { - Map scopeMap = new TreeMap<>(); // Sorted to make it easier to read during debugging + Map scopeMap = new TreeMap<>(); // Sorted to make it easier to read during debugging for (var pluginBuildInfo : pluginsBuildInfo) { boolean isModular = modularPlugins.contains(pluginBuildInfo.component()); for (var location : pluginBuildInfo.locations()) { @@ -108,7 +66,7 @@ public static Function, PolicyScope> createScopeResolver( String module = isModular ? location.module() : ALL_UNNAMED; scopeMap.put( getCodeSource(codeSource, location.representativeClass()), - PolicyScope.plugin(pluginBuildInfo.component(), module) + PolicyManager.PolicyScope.plugin(pluginBuildInfo.component(), module) ); } catch (MalformedURLException e) { throw new IllegalArgumentException("Cannot locate class [" + location.representativeClass() + "]", e); @@ -123,7 +81,7 @@ public static Function, PolicyScope> createScopeResolver( continue; } try { - scopeMap.put(getCodeSource(classUrl, location.representativeClass()), PolicyScope.server(location.module())); + scopeMap.put(getCodeSource(classUrl, location.representativeClass()), PolicyManager.PolicyScope.server(location.module())); } catch (MalformedURLException e) { throw new IllegalArgumentException("Cannot locate class [" + location.representativeClass() + "]", e); } diff --git a/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java b/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java index 83f85458b2f55..f7397c8f898ed 100644 --- a/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java +++ b/test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java @@ -9,7 +9,6 @@ package org.elasticsearch.entitlement.runtime.policy; -import org.elasticsearch.bootstrap.TestScopeResolver; import org.elasticsearch.common.util.ArrayUtils; import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement; import org.elasticsearch.test.ESTestCase; @@ -98,10 +97,6 @@ public final void clearModuleEntitlementsCache() { @Override protected boolean isTrustedSystemClass(Class requestingClass) { - if (TestScopeResolver.getExcludedSystemPackageScope(requestingClass) != null) { - // We don't trust the excluded packages even though they are in system modules - return false; - } ClassLoader loader = requestingClass.getClassLoader(); return loader == null || loader == ClassLoader.getPlatformClassLoader(); }