Merge revision 7fb6ca447a into multi-project

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -32,7 +32,7 @@ public interface EntitlementChecker {
     void check$java_net_URLClassLoader$(Class<?> callerClass, String name, URL[] urls, ClassLoader parent, URLStreamHandlerFactory factory);
 
     // Process creation
-    void check$$start(Class<?> callerClass, ProcessBuilder that, ProcessBuilder.Redirect[] redirects);
+    void check$$start(Class<?> callerClass, ProcessBuilder that);
 
     void check$java_lang_ProcessBuilder$startPipeline(Class<?> callerClass, List<ProcessBuilder> builders);
 

libs/entitlement/qa/entitlement-allowed-nonmodular/build.gradle

@@ -10,9 +10,9 @@
 apply plugin: 'elasticsearch.base-internal-es-plugin'
 
 esplugin {
-  name 'entitlement-allowed-nonmodular'
-  description 'A non-modular test module that invokes entitlement checks that are supposed to be granted'
-  classname 'org.elasticsearch.entitlement.qa.nonmodular.EntitlementAllowedNonModularPlugin'
+  name = 'entitlement-allowed-nonmodular'
+  description = 'A non-modular test module that invokes entitlement checks that are supposed to be granted'
+  classname = 'org.elasticsearch.entitlement.qa.nonmodular.EntitlementAllowedNonModularPlugin'
 }
 
 dependencies {

libs/entitlement/qa/entitlement-allowed/build.gradle

@@ -10,9 +10,9 @@
 apply plugin: 'elasticsearch.base-internal-es-plugin'
 
 esplugin {
-  name 'entitlement-allowed'
-  description 'A test module that invokes entitlement checks that are supposed to be granted'
-  classname 'org.elasticsearch.entitlement.qa.EntitlementAllowedPlugin'
+  name = 'entitlement-allowed'
+  description = 'A test module that invokes entitlement checks that are supposed to be granted'
+  classname = 'org.elasticsearch.entitlement.qa.EntitlementAllowedPlugin'
 }
 
 dependencies {

libs/entitlement/qa/entitlement-denied-nonmodular/build.gradle

@@ -10,9 +10,9 @@
 apply plugin: 'elasticsearch.base-internal-es-plugin'
 
 esplugin {
-  name 'entitlement-denied-nonmodular'
-  description 'A non-modular test module that invokes non-granted entitlement and triggers exceptions'
-  classname 'org.elasticsearch.entitlement.qa.nonmodular.EntitlementDeniedNonModularPlugin'
+  name = 'entitlement-denied-nonmodular'
+  description = 'A non-modular test module that invokes non-granted entitlement and triggers exceptions'
+  classname = 'org.elasticsearch.entitlement.qa.nonmodular.EntitlementDeniedNonModularPlugin'
 }
 
 dependencies {

libs/entitlement/qa/entitlement-denied/build.gradle

@@ -10,9 +10,9 @@
 apply plugin: 'elasticsearch.base-internal-es-plugin'
 
 esplugin {
-  name 'entitlement-denied'
-  description 'A test module that invokes non-granted entitlement and triggers exceptions'
-  classname 'org.elasticsearch.entitlement.qa.EntitlementDeniedPlugin'
+  name = 'entitlement-denied'
+  description = 'A test module that invokes non-granted entitlement and triggers exceptions'
+  classname = 'org.elasticsearch.entitlement.qa.EntitlementDeniedPlugin'
 }
 
 dependencies {

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedIT.java

@@ -31,6 +31,8 @@ public class EntitlementsDeniedIT extends ESRestTestCase {
         .plugin("entitlement-denied-nonmodular")
         .systemProperty("es.entitlements.enabled", "true")
         .setting("xpack.security.enabled", "false")
+        // Logs in libs/entitlement/qa/build/test-results/javaRestTest/TEST-org.elasticsearch.entitlement.qa.EntitlementsDeniedIT.xml
+        // .setting("logger.org.elasticsearch.entitlement", "TRACE")
         .build();
 
     @Override

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -70,7 +70,7 @@ public class ElasticsearchEntitlementChecker implements EntitlementChecker {
     }
 
     @Override
-    public void check$$start(Class<?> callerClass, ProcessBuilder processBuilder, ProcessBuilder.Redirect[] redirects) {
+    public void check$$start(Class<?> callerClass, ProcessBuilder processBuilder) {
         policyManager.checkStartProcess(callerClass);
     }
 

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -10,7 +10,6 @@
 package org.elasticsearch.entitlement.runtime.policy;
 
 import org.elasticsearch.core.Strings;
-import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
 import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
@@ -32,10 +31,9 @@ import java.util.stream.Stream;
 
 import static java.lang.StackWalker.Option.RETAIN_CLASS_REFERENCE;
 import static java.util.Objects.requireNonNull;
-import static java.util.function.Predicate.not;
 
 public class PolicyManager {
-    private static final Logger logger = LogManager.getLogger(ElasticsearchEntitlementChecker.class);
+    private static final Logger logger = LogManager.getLogger(PolicyManager.class);
 
     static class ModuleEntitlements {
         public static final ModuleEntitlements NONE = new ModuleEntitlements(List.of());
@@ -68,18 +66,12 @@ public class PolicyManager {
 
     private static final Set<Module> systemModules = findSystemModules();
 
-    /**
-     * Frames originating from this module are ignored in the permission logic.
-     */
-    private final Module entitlementsModule;
-
     private static Set<Module> findSystemModules() {
         var systemModulesDescriptors = ModuleFinder.ofSystem()
             .findAll()
             .stream()
             .map(ModuleReference::descriptor)
             .collect(Collectors.toUnmodifiableSet());
-
         return ModuleLayer.boot()
             .modules()
             .stream()
@@ -87,6 +79,11 @@ public class PolicyManager {
             .collect(Collectors.toUnmodifiableSet());
     }
 
+    /**
+     * Frames originating from this module are ignored in the permission logic.
+     */
+    private final Module entitlementsModule;
+
     public PolicyManager(
         Policy defaultPolicy,
         Map<String, Policy> pluginPolicies,
@@ -227,12 +224,12 @@ public class PolicyManager {
      *                    this is a fast-path check that can avoid the stack walk
      *                    in cases where the caller class is available.
      * @return the requesting module, or {@code null} if the entire call stack
-     * comes from modules that are trusted.
+     * comes from the entitlement library itself.
      */
     Module requestingModule(Class<?> callerClass) {
         if (callerClass != null) {
-            Module callerModule = callerClass.getModule();
-            if (systemModules.contains(callerModule) == false) {
+            var callerModule = callerClass.getModule();
+            if (callerModule != null && entitlementsModule.equals(callerModule) == false) {
                 // fast path
                 return callerModule;
             }
@@ -251,8 +248,8 @@ public class PolicyManager {
     Optional<Module> findRequestingModule(Stream<Class<?>> classes) {
         return classes.map(Objects::requireNonNull)
             .map(PolicyManager::moduleOf)
-            .filter(m -> m != entitlementsModule)  // Ignore the entitlements library itself
-            .filter(not(systemModules::contains))  // Skip trusted JDK modules
+            .filter(m -> m != entitlementsModule)  // Ignore the entitlements library itself entirely
+            .skip(1)                            // Skip the sensitive method itself
             .findFirst();
     }
 
@@ -266,8 +263,15 @@ public class PolicyManager {
     }
 
     private static boolean isTriviallyAllowed(Module requestingModule) {
+        if (logger.isTraceEnabled()) {
+            logger.trace("Stack trace for upcoming trivially-allowed check", new Exception());
+        }
         if (requestingModule == null) {
-            logger.debug("Entitlement trivially allowed: entire call stack is in composed of classes in system modules");
+            logger.debug("Entitlement trivially allowed: no caller frames outside the entitlement library");
+            return true;
+        }
+        if (systemModules.contains(requestingModule)) {
+            logger.debug("Entitlement trivially allowed from system module [{}]", requestingModule.getName());
             return true;
         }
         logger.trace("Entitlement not trivially allowed");

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -13,6 +13,7 @@ import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.compiler.InMemoryJavaCompiler;
 import org.elasticsearch.test.jar.JarUtils;
+import org.junit.BeforeClass;
 
 import java.io.IOException;
 import java.lang.module.Configuration;
@@ -37,8 +38,22 @@ import static org.hamcrest.Matchers.sameInstance;
 
 @ESTestCase.WithoutSecurityManager
 public class PolicyManagerTests extends ESTestCase {
+    /**
+     * A module you can use for test cases that don't actually care about the
+     * entitlements module.
+     */
+    private static Module NO_ENTITLEMENTS_MODULE;
 
-    private static final Module NO_ENTITLEMENTS_MODULE = null;
+    @BeforeClass
+    public static void beforeClass() {
+        try {
+            // Any old module will do for tests using NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE = makeClassInItsOwnModule().getModule();
+        } catch (Exception e) {
+            throw new IllegalStateException(e);
+        }
+
+    }
 
     public void testGetEntitlementsThrowsOnMissingPluginUnnamedModule() {
         var policyManager = new PolicyManager(
@@ -210,53 +225,31 @@ public class PolicyManagerTests extends ESTestCase {
     }
 
     public void testRequestingModuleWithStackWalk() throws IOException, ClassNotFoundException {
-        var requestingClass = makeClassInItsOwnModule();
-        var runtimeClass = makeClassInItsOwnModule(); // A class in the entitlements library itself
+        var entitlementsClass = makeClassInItsOwnModule();    // A class in the entitlements library itself
+        var requestingClass = makeClassInItsOwnModule();      // This guy is always the right answer
+        var instrumentedClass = makeClassInItsOwnModule();    // The class that called the check method
         var ignorableClass = makeClassInItsOwnModule();
-        var systemClass = Object.class;
 
-        var policyManager = policyManagerWithEntitlementsModule(runtimeClass.getModule());
+        var policyManager = policyManagerWithEntitlementsModule(entitlementsClass.getModule());
 
         var requestingModule = requestingClass.getModule();
 
         assertEquals(
-            "Skip one system frame",
+            "Skip entitlement library and the instrumented method",
             requestingModule,
-            policyManager.findRequestingModule(Stream.of(systemClass, requestingClass, ignorableClass)).orElse(null)
-        );
-        assertEquals(
-            "Skip multiple system frames",
-            requestingModule,
-            policyManager.findRequestingModule(Stream.of(systemClass, systemClass, systemClass, requestingClass, ignorableClass))
+            policyManager.findRequestingModule(Stream.of(entitlementsClass, instrumentedClass, requestingClass, ignorableClass))
                 .orElse(null)
         );
         assertEquals(
-            "Skip system frame between runtime frames",
+            "Skip multiple library frames",
             requestingModule,
-            policyManager.findRequestingModule(Stream.of(runtimeClass, systemClass, runtimeClass, requestingClass, ignorableClass))
-                .orElse(null)
-        );
-        assertEquals(
-            "Skip runtime frame between system frames",
-            requestingModule,
-            policyManager.findRequestingModule(Stream.of(systemClass, runtimeClass, systemClass, requestingClass, ignorableClass))
-                .orElse(null)
-        );
-        assertEquals(
-            "No system frames",
-            requestingModule,
-            policyManager.findRequestingModule(Stream.of(requestingClass, ignorableClass)).orElse(null)
-        );
-        assertEquals(
-            "Skip runtime frames up to the first system frame",
-            requestingModule,
-            policyManager.findRequestingModule(Stream.of(runtimeClass, runtimeClass, systemClass, requestingClass, ignorableClass))
+            policyManager.findRequestingModule(Stream.of(entitlementsClass, entitlementsClass, instrumentedClass, requestingClass))
                 .orElse(null)
         );
         assertThrows(
             "Non-modular caller frames are not supported",
             NullPointerException.class,
-            () -> policyManager.findRequestingModule(Stream.of(systemClass, null))
+            () -> policyManager.findRequestingModule(Stream.of(entitlementsClass, null))
         );
     }
 

libs/grok/src/main/java/org/elasticsearch/grok/PatternBank.java

@@ -23,7 +23,7 @@ import java.util.Set;
 
 public class PatternBank {
 
-    public static PatternBank EMPTY = new PatternBank(Map.of());
+    public static final PatternBank EMPTY = new PatternBank(Map.of());
 
     private final Map<String, String> bank;
 

libs/h3/src/main/java/org/elasticsearch/h3/Constants.java

@@ -29,7 +29,7 @@ final class Constants {
     /**
      * sqrt(3) / 2.0
      */
-    public static double M_SQRT3_2 = 0.8660254037844386467637231707529361834714;
+    public static final double M_SQRT3_2 = 0.8660254037844386467637231707529361834714;
     /**
      * 2.0 * PI
      */
@@ -37,19 +37,19 @@ final class Constants {
     /**
      * The number of H3 base cells
      */
-    public static int NUM_BASE_CELLS = 122;
+    public static final int NUM_BASE_CELLS = 122;
     /**
      * The number of vertices in a hexagon
      */
-    public static int NUM_HEX_VERTS = 6;
+    public static final int NUM_HEX_VERTS = 6;
     /**
      * The number of vertices in a pentagon
      */
-    public static int NUM_PENT_VERTS = 5;
+    public static final int NUM_PENT_VERTS = 5;
     /**
      * H3 index modes
      */
-    public static int H3_CELL_MODE = 1;
+    public static final int H3_CELL_MODE = 1;
     /**
      * square root of 7
      */
@@ -64,14 +64,14 @@ final class Constants {
      * (or distance between adjacent cell center points
      * on the plane) to gnomonic unit length.
      */
-    public static double RES0_U_GNOMONIC = 0.38196601125010500003;
+    public static final double RES0_U_GNOMONIC = 0.38196601125010500003;
     /**
      * rotation angle between Class II and Class III resolution axes
      * (asin(sqrt(3.0 / 28.0)))
      */
-    public static double M_AP7_ROT_RADS = 0.333473172251832115336090755351601070065900389;
+    public static final double M_AP7_ROT_RADS = 0.333473172251832115336090755351601070065900389;
     /**
      * threshold epsilon
      */
-    public static double EPSILON = 0.0000000000000001;
+    public static final double EPSILON = 0.0000000000000001;
 }

libs/h3/src/main/java/org/elasticsearch/h3/H3.java

@@ -33,7 +33,7 @@ public final class H3 {
     /**
      * max H3 resolution; H3 version 1 has 16 resolutions, numbered 0 through 15
      */
-    public static int MAX_H3_RES = 15;
+    public static final int MAX_H3_RES = 15;
 
     private static final long[] NORTH = new long[MAX_H3_RES + 1];
     private static final long[] SOUTH = new long[MAX_H3_RES + 1];

libs/h3/src/main/java/org/elasticsearch/h3/H3Index.java

@@ -41,22 +41,22 @@ final class H3Index {
         return BaseCells.isBaseCellPentagon(H3Index.H3_get_base_cell(h3)) && H3Index.h3LeadingNonZeroDigit(h3) == 0;
     }
 
-    public static long H3_INIT = 35184372088831L;
+    public static final long H3_INIT = 35184372088831L;
 
     /**
      * The bit offset of the mode in an H3 index.
      */
-    public static int H3_MODE_OFFSET = 59;
+    public static final int H3_MODE_OFFSET = 59;
 
     /**
      * 1's in the 4 mode bits, 0's everywhere else.
      */
-    public static long H3_MODE_MASK = 15L << H3_MODE_OFFSET;
+    public static final long H3_MODE_MASK = 15L << H3_MODE_OFFSET;
 
     /**
      * 0's in the 4 mode bits, 1's everywhere else.
      */
-    public static long H3_MODE_MASK_NEGATIVE = ~H3_MODE_MASK;
+    public static final long H3_MODE_MASK_NEGATIVE = ~H3_MODE_MASK;
 
     public static long H3_set_mode(long h3, long mode) {
         return (h3 & H3_MODE_MASK_NEGATIVE) | (mode << H3_MODE_OFFSET);
@@ -65,16 +65,16 @@ final class H3Index {
     /**
      * The bit offset of the base cell in an H3 index.
      */
-    public static int H3_BC_OFFSET = 45;
+    public static final int H3_BC_OFFSET = 45;
     /**
      * 1's in the 7 base cell bits, 0's everywhere else.
      */
-    public static long H3_BC_MASK = 127L << H3_BC_OFFSET;
+    public static final long H3_BC_MASK = 127L << H3_BC_OFFSET;
 
     /**
      * 0's in the 7 base cell bits, 1's everywhere else.
      */
-    public static long H3_BC_MASK_NEGATIVE = ~H3_BC_MASK;
+    public static final long H3_BC_MASK_NEGATIVE = ~H3_BC_MASK;
 
     /**
      * Sets the integer base cell of h3 to bc.
@@ -83,26 +83,26 @@ final class H3Index {
         return (h3 & H3_BC_MASK_NEGATIVE) | (bc << H3_BC_OFFSET);
     }
 
-    public static int H3_RES_OFFSET = 52;
+    public static final int H3_RES_OFFSET = 52;
     /**
      * 1's in the 4 resolution bits, 0's everywhere else.
      */
-    public static long H3_RES_MASK = 15L << H3_RES_OFFSET;
+    public static final long H3_RES_MASK = 15L << H3_RES_OFFSET;
 
     /**
      * 0's in the 4 resolution bits, 1's everywhere else.
      */
-    public static long H3_RES_MASK_NEGATIVE = ~H3_RES_MASK;
+    public static final long H3_RES_MASK_NEGATIVE = ~H3_RES_MASK;
 
     /**
      * The bit offset of the max resolution digit in an H3 index.
      */
-    public static int H3_MAX_OFFSET = 63;
+    public static final int H3_MAX_OFFSET = 63;
 
     /**
      * 1 in the highest bit, 0's everywhere else.
      */
-    public static long H3_HIGH_BIT_MASK = (1L << H3_MAX_OFFSET);
+    public static final long H3_HIGH_BIT_MASK = (1L << H3_MAX_OFFSET);
 
     /**
      * Gets the highest bit of the H3 index.
@@ -121,12 +121,12 @@ final class H3Index {
     /**
      * The bit offset of the reserved bits in an H3 index.
      */
-    public static int H3_RESERVED_OFFSET = 56;
+    public static final int H3_RESERVED_OFFSET = 56;
 
     /**
      * 1's in the 3 reserved bits, 0's everywhere else.
      */
-    public static long H3_RESERVED_MASK = (7L << H3_RESERVED_OFFSET);
+    public static final long H3_RESERVED_MASK = (7L << H3_RESERVED_OFFSET);
 
     /**
      * Gets a value in the reserved space. Should always be zero for valid indexes.
@@ -149,12 +149,12 @@ final class H3Index {
     /**
      * The number of bits in a single H3 resolution digit.
      */
-    public static int H3_PER_DIGIT_OFFSET = 3;
+    public static final int H3_PER_DIGIT_OFFSET = 3;
 
     /**
      * 1's in the 3 bits of res 15 digit bits, 0's everywhere else.
      */
-    public static long H3_DIGIT_MASK = 7L;
+    public static final long H3_DIGIT_MASK = 7L;
 
     /**
      * Gets the resolution res integer digit (0-7) of h3.

libs/logstash-bridge/src/main/java/org/elasticsearch/logstashbridge/ingest/IngestDocumentBridge.java

@@ -20,8 +20,6 @@ import java.util.function.BiConsumer;
 
 public class IngestDocumentBridge extends StableBridgeAPI.Proxy<IngestDocument> {
 
-    public static String INGEST_KEY = IngestDocument.INGEST_KEY;
-
     public static IngestDocumentBridge wrap(final IngestDocument ingestDocument) {
         if (ingestDocument == null) {
             return null;

libs/native/libraries/build.gradle

@@ -25,7 +25,7 @@ repositories {
   exclusiveContent {
     forRepository {
       maven {
-        url "https://artifactory.elastic.dev/artifactory/elasticsearch-native"
+        url = "https://artifactory.elastic.dev/artifactory/elasticsearch-native"
         metadataSources {
           artifact()
         }

libs/tdigest/src/main/java/org/elasticsearch/tdigest/MergingDigest.java

@@ -111,7 +111,7 @@ public class MergingDigest extends AbstractTDigest {
     // based on accumulated k-index. This can be much faster since we
     // scale functions are more expensive than the corresponding
     // weight limits.
-    public static boolean useWeightLimit = true;
+    public static final boolean useWeightLimit = true;
 
     static MergingDigest create(TDigestArrays arrays, double compression) {
         arrays.adjustBreaker(SHALLOW_SIZE);