add (optional) match on class bytes SHA256 digest

Author: ldematte

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/dependencies/patches/PatcherInfo.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.gradle.internal.dependencies.patches;
+
+import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.ClassWriter;
+
+import java.util.Arrays;
+import java.util.HexFormat;
+import java.util.function.Function;
+
+public record PatcherInfo(String jarEntryName, byte[] classSha256, Function<ClassWriter, ClassVisitor> visitorFactory) {
+
+    /**
+     * Creates a patcher info entry, linking a jar entry path name to a patcher factory (a factory to create an ASM visitor)
+     * @param jarEntryName the jar entry path, as a string
+     * @param visitorFactory the factory to create an ASM visitor from a ASM writer
+     */
+    public static PatcherInfo classPatcher(String jarEntryName, Function<ClassWriter, ClassVisitor> visitorFactory) {
+        return new PatcherInfo(jarEntryName, null, visitorFactory);
+    }
+
+    /**
+     * Creates a patcher info entry, linking a jar entry path name and its SHA256 digest to a patcher factory (a factory to create an ASM
+     * visitor)
+     * @param jarEntryName the jar entry path, as a string
+     * @param classSha256 the SHA256 digest of the class bytes, as a HEX string
+     * @param visitorFactory the factory to create an ASM visitor from a ASM writer
+     */
+    public static PatcherInfo classPatcher(String jarEntryName, String classSha256, Function<ClassWriter, ClassVisitor> visitorFactory) {
+        return new PatcherInfo(jarEntryName, HexFormat.of().parseHex(classSha256), visitorFactory);
+    }
+
+    boolean matches(byte[] otherClassSha256) {
+        if (this.classSha256 == null) {
+            return true;
+        }
+        return Arrays.equals(this.classSha256, otherClassSha256);
+    }
+}

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/dependencies/patches/Utils.java

@@ -10,28 +10,50 @@
 package org.elasticsearch.gradle.internal.dependencies.patches;
 
 import org.objectweb.asm.ClassReader;
-import org.objectweb.asm.ClassVisitor;
 import org.objectweb.asm.ClassWriter;
 
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Collection;
 import java.util.Enumeration;
-import java.util.HashMap;
+import java.util.HexFormat;
 import java.util.Locale;
-import java.util.Map;
 import java.util.function.Function;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.JarOutputStream;
+import java.util.stream.Collectors;
 
 import static org.objectweb.asm.ClassWriter.COMPUTE_FRAMES;
 import static org.objectweb.asm.ClassWriter.COMPUTE_MAXS;
 
 public class Utils {
-    public static void patchJar(File inputFile, File outputFile, Map<String, Function<ClassWriter, ClassVisitor>> patchers) {
-        var classPatchers = new HashMap<>(patchers);
+
+    private static final MessageDigest SHA_256;
+
+    static {
+        try {
+            SHA_256 = MessageDigest.getInstance("SHA-256");
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * Patches the classes in the input JAR file, using the collection of patchers. If the patcher info specify a SHA256 digest, and
+     * the class to patch does not match it, an IllegalArgumentException is thrown.
+     * If the input file does not contain all the classes to patch specified in the patcher info collection, an IllegalArgumentException
+     * is also thrown.
+     * @param inputFile the JAR file to patch
+     * @param outputFile the output (patched) JAR file
+     * @param patchers list of patcher info (classes to patch (jar entry name + optional SHA256 digest) and ASM visitor to transform them)
+     */
+    public static void patchJar(File inputFile, File outputFile, Collection<PatcherInfo> patchers) {
+        var classPatchers = patchers.stream().collect(Collectors.toMap(PatcherInfo::jarEntryName, Function.identity()));
         try (JarFile jarFile = new JarFile(inputFile); JarOutputStream jos = new JarOutputStream(new FileOutputStream(outputFile))) {
             Enumeration<JarEntry> entries = jarFile.entries();
             while (entries.hasMoreElements()) {
@@ -40,13 +62,27 @@ public static void patchJar(File inputFile, File outputFile, Map<String, Functio
                 // Add the entry to the new JAR file
                 jos.putNextEntry(new JarEntry(entryName));
 
-                Function<ClassWriter, ClassVisitor> classPatcher = classPatchers.remove(entryName);
+                var classPatcher = classPatchers.remove(entryName);
                 if (classPatcher != null) {
                     byte[] classToPatch = jarFile.getInputStream(entry).readAllBytes();
+                    var classSha256 = SHA_256.digest(classToPatch);
+
+                    if (classPatcher.matches(classSha256) == false) {
+                        throw new IllegalArgumentException(
+                            String.format(
+                                Locale.ROOT,
+                                "error patching [%s]: jar entry [%s] digest mismatch (expected: [%s], found: [%s])",
+                                inputFile.getName(),
+                                classPatcher.jarEntryName(),
+                                HexFormat.of().formatHex(classPatcher.classSha256()),
+                                HexFormat.of().formatHex(classSha256)
+                            )
+                        );
+                    }
 
                     ClassReader classReader = new ClassReader(classToPatch);
                     ClassWriter classWriter = new ClassWriter(classReader, COMPUTE_MAXS | COMPUTE_FRAMES);
-                    classReader.accept(classPatcher.apply(classWriter), 0);
+                    classReader.accept(classPatcher.visitorFactory().apply(classWriter), 0);
                     jos.write(classWriter.toByteArray());
                 } else {
                     // Read the entry's data and write it to the new JAR
@@ -66,7 +102,7 @@ public static void patchJar(File inputFile, File outputFile, Map<String, Functio
                     Locale.ROOT,
                     "error patching [%s]: the jar does not contain [%s]",
                     inputFile.getName(),
-                    String.join(", ", patchers.keySet())
+                    String.join(", ", classPatchers.keySet())
                 )
             );
         }

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/dependencies/patches/awsv2sdk/Awsv2ClassPatcher.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.gradle.internal.dependencies.patches.awsv2sdk;
 
+import org.elasticsearch.gradle.internal.dependencies.patches.PatcherInfo;
 import org.elasticsearch.gradle.internal.dependencies.patches.Utils;
 import org.gradle.api.artifacts.transform.CacheableTransform;
 import org.gradle.api.artifacts.transform.InputArtifact;
@@ -19,24 +20,25 @@
 import org.gradle.api.provider.Provider;
 import org.gradle.api.tasks.Classpath;
 import org.jetbrains.annotations.NotNull;
-import org.objectweb.asm.ClassVisitor;
-import org.objectweb.asm.ClassWriter;
 
 import java.io.File;
-import java.util.Map;
-import java.util.function.Function;
+import java.util.List;
 
-import static java.util.Map.entry;
+import static org.elasticsearch.gradle.internal.dependencies.patches.PatcherInfo.classPatcher;
 
 @CacheableTransform
 public abstract class Awsv2ClassPatcher implements TransformAction<TransformParameters.None> {
 
     private static final String JAR_FILE_TO_PATCH = "aws-query-protocol";
 
-    private static final Map<String, Function<ClassWriter, ClassVisitor>> CLASS_PATCHERS = Map.ofEntries(
+    private static final List<PatcherInfo> CLASS_PATCHERS = List.of(
         // This patcher is needed because of this AWS bug: https://github.com/aws/aws-sdk-java-v2/issues/5968
         // As soon as the bug is resolved and we upgrade our AWS SDK v2 libraries, we can remove this.
-        entry("software/amazon/awssdk/protocols/query/internal/marshall/ListQueryMarshaller.class", StringFormatInPathResolverPatcher::new)
+        classPatcher(
+            "software/amazon/awssdk/protocols/query/internal/marshall/ListQueryMarshaller.class",
+            "213e84d9a745bdae4b844334d17aecdd6499b36df32aa73f82dc114b35043009",
+            StringFormatInPathResolverPatcher::new
+        )
     );
 
     @Classpath
@@ -47,13 +49,13 @@ public abstract class Awsv2ClassPatcher implements TransformAction<TransformPara
     public void transform(@NotNull TransformOutputs outputs) {
         File inputFile = getInputArtifact().get().getAsFile();
 
-        if (inputFile.getName().startsWith(JAR_FILE_TO_PATCH) == false) {
-            System.out.println("Skipping " + inputFile.getName());
-            outputs.file(getInputArtifact());
-        } else {
+        if (inputFile.getName().startsWith(JAR_FILE_TO_PATCH)) {
             System.out.println("Patching " + inputFile.getName());
             File outputFile = outputs.file(inputFile.getName().replace(".jar", "-patched.jar"));
             Utils.patchJar(inputFile, outputFile, CLASS_PATCHERS);
+        } else {
+            System.out.println("Skipping " + inputFile.getName());
+            outputs.file(getInputArtifact());
         }
     }
 }

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/dependencies/patches/hdfs/HdfsClassPatcher.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.gradle.internal.dependencies.patches.hdfs;
 
+import org.elasticsearch.gradle.internal.dependencies.patches.PatcherInfo;
 import org.elasticsearch.gradle.internal.dependencies.patches.Utils;
 import org.gradle.api.artifacts.transform.CacheableTransform;
 import org.gradle.api.artifacts.transform.InputArtifact;
@@ -21,41 +22,36 @@
 import org.gradle.api.tasks.Input;
 import org.gradle.api.tasks.Optional;
 import org.jetbrains.annotations.NotNull;
-import org.objectweb.asm.ClassVisitor;
-import org.objectweb.asm.ClassWriter;
 
 import java.io.File;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
-import java.util.function.Function;
 import java.util.regex.Pattern;
 
-import static java.util.Map.entry;
+import static org.elasticsearch.gradle.internal.dependencies.patches.PatcherInfo.classPatcher;
 
 @CacheableTransform
 public abstract class HdfsClassPatcher implements TransformAction<HdfsClassPatcher.Parameters> {
 
-    record JarPatchers(String artifactTag, Pattern artifactPattern, Map<String, Function<ClassWriter, ClassVisitor>> jarPatchers) {}
+    record JarPatchers(String artifactTag, Pattern artifactPattern, List<PatcherInfo> jarPatchers) {}
 
     static final List<JarPatchers> allPatchers = List.of(
         new JarPatchers(
             "hadoop-common",
             Pattern.compile("hadoop-common-(?!.*tests)"),
-            Map.ofEntries(
-                entry("org/apache/hadoop/util/ShutdownHookManager.class", ShutdownHookManagerPatcher::new),
-                entry("org/apache/hadoop/util/Shell.class", ShellPatcher::new),
-                entry("org/apache/hadoop/security/UserGroupInformation.class", SubjectGetSubjectPatcher::new)
+            List.of(
+                classPatcher("org/apache/hadoop/util/ShutdownHookManager.class", ShutdownHookManagerPatcher::new),
+                classPatcher("org/apache/hadoop/util/Shell.class", ShellPatcher::new),
+                classPatcher("org/apache/hadoop/security/UserGroupInformation.class", SubjectGetSubjectPatcher::new)
             )
         ),
         new JarPatchers(
             "hadoop-client-api",
             Pattern.compile("hadoop-client-api.*"),
-            Map.ofEntries(
-                entry("org/apache/hadoop/util/ShutdownHookManager.class", ShutdownHookManagerPatcher::new),
-                entry("org/apache/hadoop/util/Shell.class", ShellPatcher::new),
-                entry("org/apache/hadoop/security/UserGroupInformation.class", SubjectGetSubjectPatcher::new),
-                entry("org/apache/hadoop/security/authentication/client/KerberosAuthenticator.class", SubjectGetSubjectPatcher::new)
+            List.of(
+                classPatcher("org/apache/hadoop/util/ShutdownHookManager.class", ShutdownHookManagerPatcher::new),
+                classPatcher("org/apache/hadoop/util/Shell.class", ShellPatcher::new),
+                classPatcher("org/apache/hadoop/security/UserGroupInformation.class", SubjectGetSubjectPatcher::new),
+                classPatcher("org/apache/hadoop/security/authentication/client/KerberosAuthenticator.class", SubjectGetSubjectPatcher::new)
             )
         )
     );
@@ -85,11 +81,8 @@ public void transform(@NotNull TransformOutputs outputs) {
         } else {
             patchersToApply.forEach(patchers -> {
                 System.out.println("Patching " + inputFile.getName());
-
-                Map<String, Function<ClassWriter, ClassVisitor>> jarPatchers = new HashMap<>(patchers.jarPatchers());
                 File outputFile = outputs.file(inputFile.getName().replace(".jar", "-patched.jar"));
-
-                Utils.patchJar(inputFile, outputFile, jarPatchers);
+                Utils.patchJar(inputFile, outputFile, patchers.jarPatchers());
             });
         }
     }