[Entitlements] Add native checks support and tests for Java 21 (preview) (elastic#121881)

Author: ldematte

libs/entitlement/qa/entitlement-test-plugin/src/main22/java/org/elasticsearch/entitlement/qa/test/VersionSpecificNativeChecks.java renamed to libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/NativeActions.java

@@ -30,9 +30,12 @@
 
 import static java.lang.foreign.ValueLayout.ADDRESS;
 import static java.lang.foreign.ValueLayout.JAVA_LONG;
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.SERVER_ONLY;
 
-class VersionSpecificNativeChecks {
+class NativeActions {
 
+    @EntitlementTest(expectedAccess = SERVER_ONLY)
     static void enableNativeAccess() throws Exception {
         ModuleLayer parent = ModuleLayer.boot();
 
@@ -49,16 +52,19 @@ static void enableNativeAccess() throws Exception {
         controller.enableNativeAccess(targetModule.get());
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void addressLayoutWithTargetLayout() {
         AddressLayout addressLayout = ADDRESS.withoutTargetLayout();
         addressLayout.withTargetLayout(MemoryLayout.sequenceLayout(Long.MAX_VALUE, ValueLayout.JAVA_BYTE));
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void linkerDowncallHandle() {
         Linker linker = Linker.nativeLinker();
         linker.downcallHandle(FunctionDescriptor.of(JAVA_LONG, ADDRESS));
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void linkerDowncallHandleWithAddress() {
         Linker linker = Linker.nativeLinker();
         linker.downcallHandle(linker.defaultLookup().find("strlen").get(), FunctionDescriptor.of(JAVA_LONG, ADDRESS));
@@ -68,12 +74,13 @@ static int callback() {
         return 0;
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void linkerUpcallStub() throws NoSuchMethodException {
         Linker linker = Linker.nativeLinker();
 
         MethodHandle mh = null;
         try {
-            mh = MethodHandles.lookup().findStatic(VersionSpecificNativeChecks.class, "callback", MethodType.methodType(int.class));
+            mh = MethodHandles.lookup().findStatic(NativeActions.class, "callback", MethodType.methodType(int.class));
         } catch (IllegalAccessException e) {
             assert false;
         }
@@ -82,24 +89,28 @@ static void linkerUpcallStub() throws NoSuchMethodException {
         linker.upcallStub(mh, callbackDescriptor, Arena.ofAuto());
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void memorySegmentReinterpret() {
         Arena arena = Arena.ofAuto();
         MemorySegment segment = arena.allocate(100);
         segment.reinterpret(50);
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void memorySegmentReinterpretWithCleanup() {
         Arena arena = Arena.ofAuto();
         MemorySegment segment = arena.allocate(100);
         segment.reinterpret(Arena.ofAuto(), s -> {});
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void memorySegmentReinterpretWithSizeAndCleanup() {
         Arena arena = Arena.ofAuto();
         MemorySegment segment = arena.allocate(100);
         segment.reinterpret(50, Arena.ofAuto(), s -> {});
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void symbolLookupWithPath() {
         try {
             SymbolLookup.libraryLookup(Path.of("/foo/bar/libFoo.so"), Arena.ofAuto());
@@ -108,6 +119,7 @@ static void symbolLookupWithPath() {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
     static void symbolLookupWithName() {
         try {
             SymbolLookup.libraryLookup("foo", Arena.ofAuto());

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java

@@ -180,27 +180,12 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
             entry("runtime_load", forPlugins(LoadNativeLibrariesCheckActions::runtimeLoad)),
             entry("runtime_load_library", forPlugins(LoadNativeLibrariesCheckActions::runtimeLoadLibrary)),
             entry("system_load", forPlugins(LoadNativeLibrariesCheckActions::systemLoad)),
-            entry("system_load_library", forPlugins(LoadNativeLibrariesCheckActions::systemLoadLibrary)),
-            entry("enable_native_access", new CheckAction(VersionSpecificNativeChecks::enableNativeAccess, false, 22)),
-            entry("address_target_layout", new CheckAction(VersionSpecificNativeChecks::addressLayoutWithTargetLayout, false, 22)),
-            entry("donwncall_handle", new CheckAction(VersionSpecificNativeChecks::linkerDowncallHandle, false, 22)),
-            entry(
-                "donwncall_handle_with_address",
-                new CheckAction(VersionSpecificNativeChecks::linkerDowncallHandleWithAddress, false, 22)
-            ),
-            entry("upcall_stub", new CheckAction(VersionSpecificNativeChecks::linkerUpcallStub, false, 22)),
-            entry("reinterpret", new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpret, false, 22)),
-            entry("reinterpret_cleanup", new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpretWithCleanup, false, 22)),
-            entry(
-                "reinterpret_size_cleanup",
-                new CheckAction(VersionSpecificNativeChecks::memorySegmentReinterpretWithSizeAndCleanup, false, 22)
-            ),
-            entry("symbol_lookup_name", new CheckAction(VersionSpecificNativeChecks::symbolLookupWithName, false, 22)),
-            entry("symbol_lookup_path", new CheckAction(VersionSpecificNativeChecks::symbolLookupWithPath, false, 22))
+            entry("system_load_library", forPlugins(LoadNativeLibrariesCheckActions::systemLoadLibrary))
         ),
         getTestEntries(FileCheckActions.class),
         getTestEntries(SpiActions.class),
-        getTestEntries(SystemActions.class)
+        getTestEntries(SystemActions.class),
+        getTestEntries(NativeActions.class)
     )
         .flatMap(Function.identity())
         .filter(entry -> entry.getValue().fromJavaVersion() == null || Runtime.version().feature() >= entry.getValue().fromJavaVersion())

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/VersionSpecificNativeChecks.java

@@ -908,7 +908,7 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
         ModuleLayer.Controller that,
         Module target
     ) {
-        policyManager.checkLoadingNativeLibraries(callerClass);
+        policyManager.checkChangeJVMGlobalState(callerClass);
     }
 
     /// /////////////////

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -11,11 +11,15 @@
 
 public class NativeAccessUtil {
     /**
-     * Enables native access for the provided module. No-op for JDK 21 or before.
+     * Enables native access for the provided module.
+     * We need to have this adapter even if the method is available in JDK 21, as it was in preview.
+     * Available to JDK 22+, required for JDK 24+ when using --illegal-native-access=deny
      */
-    public static void enableNativeAccess(ModuleLayer.Controller controller, Module module) {}
+    public static void enableNativeAccess(ModuleLayer.Controller controller, Module module) {
+        controller.enableNativeAccess(module);
+    }
 
     public static boolean isNativeAccessEnabled(Module module) {
-        return true;
+        return module.isNativeAccessEnabled();
     }
 }