Skip to content

Mirror upstream elastic/elasticsearch#134454 for AI review (snapshot of HEAD tree) #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Mirror upstream elastic/elasticsearch#134454 for AI review (snapshot of HEAD tree) #94

wants to merge 1 commit into from

Conversation

phananh1010
Copy link
Owner

@phananh1010 phananh1010 commented Oct 2, 2025
edited by coderabbitai bot
Loading

Single commit with tree=135d74b33ba9f1ce2b0e61fa5fb2a39a3763c688^{tree}, parent=41fea9d8a715b1e2ffb668c3cf54c6c9645f0331. Exact snapshot of upstream PR head. No conflict resolution attempted.

Summary by CodeRabbit

  • Bug Fixes

    • Improved stability for image/PDF handling, reducing errors in environments using Java Desktop components (e.g., Tika) and newer JDK versions.
    • Refined trust and scope resolution to avoid misclassifying certain system packages, preventing unexpected permission issues.

  • Chores

    • Expanded internal policy visibility and scope resolution mechanisms to better support testing and future maintenance.
    • Added tests covering image I/O scenarios to guard against regressions.

@phananh1010
Mirror upstream elastic#134454 as single snapshot commit for AI review
2060652 
BASE=41fea9d8a715b1e2ffb668c3cf54c6c9645f0331
HEAD=135d74b33ba9f1ce2b0e61fa5fb2a39a3763c688
Branch=main
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Oct 2, 2025
edited
Loading

Walkthrough

Updates entitlement bootstrap to add ManageThreadsEntitlement under java.desktop. Makes certain PolicyManager fields public. Refactors TestScopeResolver from a record to a class with cached excluded system package scopes and new APIs. Adds a new test exercising image I/O. Adjusts TestPolicyManager trust checks to consult excluded scopes.

Changes

Cohort / File(s) Summary
Entitlement bootstrap update
libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java		 Adds ManageThreadsEntitlement to the java.desktop scope alongside LoadNativeLibrariesEntitlement; includes TODO comment referencing sun.java2d.Disposer.
PolicyManager visibility adjustments
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java		 Makes MODULES_EXCLUDED_FROM_SYSTEM_MODULES public; exposes ComponentKind.componentName as public; no logic changes.
New test for image I/O behavior
libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java		 Introduces HardcodedEntitlementsTests with testTikaPDF creating MemoryCacheImageInputStream from ByteArrayInputStream; annotated for entitlements in test code.
Test scope resolver refactor and caching
test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java		 Replaces record with class; adds internal scopeMap, static cache for excluded system package scopes, computeExcludedSystemPackageScopes(); introduces getExcludedSystemPackageScope(Class); updates createScopeResolver(...) to return Function, PolicyScope>; adjusts null code source handling and BouncyCastle fallback.
Trust decision integrates excluded scopes
test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java		 Updates isTrustedSystemClass to consult TestScopeResolver; marks certain system-requesting classes as untrusted when their package is excluded.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Caller
  participant TestCode as Test code (e.g., image I/O)
  participant TSR as TestScopeResolver
  participant TPM as TestPolicyManager
  participant PM as PolicyManager

  Note over TSR: Class-load time: computeExcludedSystemPackageScopes()

  Caller->>TestCode: Invoke operation (may trigger privileged check)
  TestCode->>TPM: isTrustedSystemClass(requestingClass)
  TPM->>TSR: getExcludedSystemPackageScope(requestingClass)
  alt Excluded system package scope found
    TSR-->>TPM: PolicyScope(SERVER, excluded)
    TPM-->>TestCode: false (not trusted)
  else Not excluded
    TPM->>PM: Existing trust logic
    PM-->>TPM: trust decision
    TPM-->>TestCode: result
  end
Loading 
sequenceDiagram
  autonumber
  participant Bootstrap as Entitlement bootstrap
  participant Desktop as java.desktop components
  participant Ents as Entitlement runtime

  Bootstrap->>Ents: createServerEntitlements()
  Note right of Ents: Add LoadNativeLibrariesEntitlement<br/>Add ManageThreadsEntitlement
  Desktop->>Ents: Request operations (native load, thread mgmt)
  Ents-->>Desktop: Permit per configured entitlements
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

I nibbled through scopes with a careful hop,
Cached the system’s packages—carrot on top. 🥕
Threads may twirl where desktops sing,
Trust now checks each package’s ring.
With whiskers twitching, I stamp and cheer—
Our tests now bound, the path is clear!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title clearly indicates that this PR is a direct mirror of upstream elastic#134454 for AI review and notes it’s a snapshot of the HEAD tree, which accurately reflects the developer’s main intent.
✨ Finishing touches
  • 📝 Generate Docstrings
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch eval/pr-134454-diff
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 41fea9d and 2060652.

📒 Files selected for processing (5)
  • libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java (1 hunks)
  • libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java (2 hunks)
  • libs/entitlement/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java (1 hunks)
  • test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java (4 hunks)
  • test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java (1)
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java (1)
  • PolicyManager (50-398)
test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java (1)
test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java (1)
  • TestScopeResolver (35-160)

Comment @coderabbitai help to get the list of available commands and usage tips.

@phananh1010 phananh1010 closed this Oct 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phananh1010