Ensure jdk 21 minimum compatibility across all sub-projects and create replacement for java.security.Policy which is marked for removal

build.gradle

@@ -266,9 +266,7 @@ allprojects {
     }
 
     // See please https://bugs.openjdk.java.net/browse/JDK-8209058
-    if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_11) {
-      compile.options.compilerArgs << '-Werror'
-    }
+    compile.options.compilerArgs << '-Werror'
     compile.options.compilerArgs << '-Xlint:auxiliaryclass'
     compile.options.compilerArgs << '-Xlint:cast'
     compile.options.compilerArgs << '-Xlint:classfile'

buildSrc/src/main/java/org/opensearch/gradle/OpenSearchJavaPlugin.java

@@ -175,9 +175,7 @@ public static void configureCompile(Project project) {
                 compileTask.getConventionMapping().map("sourceCompatibility", () -> java.getSourceCompatibility().toString());
                 compileTask.getConventionMapping().map("targetCompatibility", () -> java.getTargetCompatibility().toString());
                 // The '--release is available from JDK-9 and above
-                if (BuildParams.getRuntimeJavaVersion().compareTo(JavaVersion.VERSION_1_8) > 0) {
-                    compileOptions.getRelease().set(releaseVersionProviderFromCompileTask(project, compileTask));
-                }
+                compileOptions.getRelease().set(releaseVersionProviderFromCompileTask(project, compileTask));
             });
             // also apply release flag to groovy, which is used in build-tools
             project.getTasks().withType(GroovyCompile.class).configureEach(compileTask -> {
@@ -271,9 +269,7 @@ private static void configureJavadoc(Project project) {
              * that the default will change to html5 in the future.
              */
             CoreJavadocOptions javadocOptions = (CoreJavadocOptions) javadoc.getOptions();
-            if (BuildParams.getRuntimeJavaVersion().compareTo(JavaVersion.VERSION_1_8) > 0) {
-                javadocOptions.addBooleanOption("html5", true);
-            }
+            javadocOptions.addBooleanOption("html5", true);
         });
 
         TaskProvider<Javadoc> javadoc = project.getTasks().withType(Javadoc.class).named("javadoc");

buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java

@@ -40,7 +40,6 @@
 import org.opensearch.gradle.test.ErrorReportingTestListener;
 import org.opensearch.gradle.util.Util;
 import org.gradle.api.Action;
-import org.gradle.api.JavaVersion;
 import org.gradle.api.Plugin;
 import org.gradle.api.Project;
 import org.gradle.api.Task;
@@ -107,14 +106,7 @@ public void execute(Task t) {
                     mkdirs(test.getWorkingDir().toPath().resolve("temp").toFile());
 
                     // TODO remove once jvm.options are added to test system properties
-                    if (BuildParams.getRuntimeJavaVersion() == JavaVersion.VERSION_1_8) {
-                        test.systemProperty("java.locale.providers", "SPI,JRE");
-                    } else {
-                        test.systemProperty("java.locale.providers", "SPI,CLDR");
-                        if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) < 0) {
-                            test.jvmArgs("--illegal-access=warn");
-                        }
-                    }
+                    test.systemProperty("java.locale.providers", "SPI,CLDR");
                 }
             });
             test.getJvmArgumentProviders().add(nonInputProperties);

client/rest/build.gradle

@@ -35,8 +35,8 @@ apply plugin: 'opensearch.publish'
 apply from: "$rootDir/gradle/fips.gradle"
 
 java {
-  targetCompatibility = JavaVersion.VERSION_1_8
-  sourceCompatibility = JavaVersion.VERSION_1_8
+  targetCompatibility = JavaVersion.VERSION_21
+  sourceCompatibility = JavaVersion.VERSION_21
 }
 
 base {
@@ -45,6 +45,7 @@ base {
 }
 
 dependencies {
+  api project(':libs:opensearch-secure-sm')
   api "org.apache.httpcomponents.client5:httpclient5:${versions.httpclient5}"
   api "org.apache.httpcomponents.core5:httpcore5:${versions.httpcore5}"
   api "org.apache.httpcomponents.core5:httpcore5-h2:${versions.httpcore5}"

client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java

@@ -48,13 +48,12 @@
 import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 import org.apache.hc.core5.reactor.ssl.TlsDetails;
 import org.apache.hc.core5.util.Timeout;
+import org.opensearch.secure_sm.AccessController;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 
-import java.security.AccessController;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedAction;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
@@ -269,9 +268,7 @@ public RestClient build() {
         if (failureListener == null) {
             failureListener = new RestClient.FailureListener();
         }
-        CloseableHttpAsyncClient httpClient = AccessController.doPrivileged(
-            (PrivilegedAction<CloseableHttpAsyncClient>) this::createHttpClient
-        );
+        CloseableHttpAsyncClient httpClient = AccessController.doPrivileged(this::createHttpClient);
 
         RestClient restClient = null;
 
@@ -341,7 +338,7 @@ public TlsDetails create(final SSLEngine sslEngine) {
             }
 
             final HttpAsyncClientBuilder finalBuilder = httpClientBuilder;
-            return AccessController.doPrivileged((PrivilegedAction<CloseableHttpAsyncClient>) finalBuilder::build);
+            return AccessController.doPrivileged(finalBuilder::build);
         } catch (NoSuchAlgorithmException e) {
             throw new IllegalStateException("could not create the default ssl context", e);
         }

client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java

@@ -39,6 +39,7 @@
 
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
+import org.opensearch.secure_sm.AccessController;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 
@@ -51,9 +52,7 @@
 import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
-import java.security.AccessController;
 import java.security.KeyStore;
-import java.security.PrivilegedAction;
 import java.security.SecureRandom;
 
 import static org.hamcrest.Matchers.instanceOf;
@@ -155,7 +154,7 @@ private static SSLContext getSslContext(boolean server) throws Exception {
      * 12.0.1 so we pin to TLSv1.2 when running on an earlier JDK.
      */
     private static String getProtocol() {
-        String version = AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty("java.version"));
+        String version = AccessController.doPrivileged(() -> System.getProperty("java.version"));
         String[] parts = version.split("-");
         String[] numericComponents;
         if (parts.length == 1) {

client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java

@@ -35,34 +35,34 @@ public void tearDown() {
     }
 
     public void testConsumerAllocatesBufferLimit() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip());
+        consumer.consume(randomByteBufferOfLength(1000).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(1000));
     }
 
     public void testConsumerAllocatesEmptyBuffer() throws IOException {
-        consumer.consume((ByteBuffer) ByteBuffer.allocate(0).flip());
+        consumer.consume(ByteBuffer.allocate(0).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(0));
     }
 
     public void testConsumerExpandsBufferLimits() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip());
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(2000).flip());
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(3000).flip());
+        consumer.consume(randomByteBufferOfLength(1000).flip());
+        consumer.consume(randomByteBufferOfLength(2000).flip());
+        consumer.consume(randomByteBufferOfLength(3000).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(6000));
     }
 
     public void testConsumerAllocatesLimit() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip());
+        consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(BUFFER_LIMIT));
     }
 
     public void testConsumerFailsToAllocateOverLimit() throws IOException {
-        assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT + 1).flip()));
+        assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT + 1).flip()));
     }
 
     public void testConsumerFailsToExpandOverLimit() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip());
-        assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(1).flip()));
+        consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip());
+        assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(1).flip()));
     }
 
     private static ByteBuffer randomByteBufferOfLength(int length) {

client/sniffer/build.gradle

@@ -31,8 +31,8 @@ apply plugin: 'opensearch.build'
 apply plugin: 'opensearch.publish'
 
 java {
-  targetCompatibility = JavaVersion.VERSION_11
-  sourceCompatibility = JavaVersion.VERSION_11
+  targetCompatibility = JavaVersion.VERSION_21
+  sourceCompatibility = JavaVersion.VERSION_21
 }
 
 base {

client/test/build.gradle

@@ -31,8 +31,8 @@ apply plugin: 'opensearch.build'
 apply from: "$rootDir/gradle/fips.gradle"
 
 java {
-  targetCompatibility = JavaVersion.VERSION_1_8
-  sourceCompatibility = JavaVersion.VERSION_1_8
+  targetCompatibility = JavaVersion.VERSION_21
+  sourceCompatibility = JavaVersion.VERSION_21
 }
 
 base {

distribution/tools/java-version-checker/build.gradle

@@ -12,8 +12,8 @@
 apply plugin: 'opensearch.build'
 
 java {
-  sourceCompatibility = JavaVersion.VERSION_11
-  targetCompatibility = JavaVersion.VERSION_11
+  sourceCompatibility = JavaVersion.VERSION_21
+  targetCompatibility = JavaVersion.VERSION_21
 }
 
 // targetting very old java versions enables a warning by default on newer JDK: disable it.

distribution/tools/plugin-cli/src/main/java/org/opensearch/tools/cli/plugin/PluginSecurity.java

@@ -38,6 +38,7 @@
 import org.opensearch.cli.UserException;
 import org.opensearch.common.SuppressForbidden;
 import org.opensearch.common.util.io.IOUtils;
+import org.opensearch.secure_sm.policy.Policy;
 import org.opensearch.secure_sm.policy.PolicyFile;
 
 import java.io.IOException;
@@ -46,7 +47,6 @@
 import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.Permissions;
-import java.security.Policy;
 import java.security.UnresolvedPermission;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -136,7 +136,6 @@ static String formatPermission(Permission permission) {
     /**
      * Parses plugin policy into a set of permissions. Each permission is formatted for output to users.
      */
-    @SuppressWarnings("removal")
     static Set<String> parsePermissions(Path file, Path tmpDir) throws IOException {
         // create a zero byte file for "comparison"
         // this is necessary because the default policy impl automatically grants two permissions:
@@ -151,7 +150,7 @@ static Set<String> parsePermissions(Path file, Path tmpDir) throws IOException {
         final Policy policy = new PolicyFile(file.toUri().toURL());
         final PermissionCollection permissions = policy.getPermissions(PluginSecurity.class.getProtectionDomain());
         // this method is supported with the specific implementation we use, but just check for safety.
-        if (permissions == Policy.UNSUPPORTED_EMPTY_COLLECTION) {
+        if (permissions == Policy.EMPTY_PERMISSION_COLLECTION) {
             throw new UnsupportedOperationException("JavaPolicy implementation does not support retrieving permissions");
         }
         PermissionCollection actualPermissions = new Permissions();