This updates the gradle wrapper to 8.12
We addressed deprecation warnings due to the update that includes:
- Fix change in TestOutputEvent api
- Fix deprecation in groovy syntax
- Use latest ospackage plugin containing our fix
- Remove project usages at execution time
- Fix deprecated project references in repository-old-versions
(cherry picked from commit ba61f8c7f7)
* Use $$ for static check methods
* Always use class name from checker method name
* Spotless
* Varargs assertParseCheckerMethodSignatureThrows
* Remove hasReceiver again
* Spotless
* Cosmetic changes
* Change to new check method naming convention
* Grant all entitlements to system modules
* [CI] Auto commit changes from spotless
* Make NO_ENTITLEMENTS_MODULE non-null
* Initialize NO_ENTITLEMENTS_MODULE with @BeforeClass.
Looks like @WithoutSecurityManager doesn't work with static initializers.
* Move check to public method
* Logging adjustments
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
During entitlements initialization the transformer is added to
instrumentation after some classes are already loaded. Currently we end
up force loading (though not initializing) all classes that want to
transform. This commit simplifies the retransform to only apply to
classes which we know are already loaded by the jdk, which
Instrumentation provides.
This commit simplifies the entitlements instrumentation service and
instrumenter a bit. It especially removes some repetition in the
instrumenter tests.
* More robust frame skipping
* Cosmetic improvements for clarity
* Explicit set of runtime classes
* Pass entitlements runtime module to PolicyManager ctor
* Use the term "entitlements module" and filter instead of dropWhile
* [CI] Auto commit changes from spotless
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
The "synthetic" tests are the only unit tests for the instrumenter. This
commit renames the test suite to be more clear it is the place to put
instrumenter tests.
This PR expands `PolicyManager` to actually use `Policy` and
`Entitlement` classes for checks, instead of hardcoding them.
It also introduces a separate `PluginsResolver`, with a dedicated
function to map a Class to a Plugin (name). `PluginsResolver` is
initialized with data from `PluginsLoader`, and then its resolve
function is used internally in `PolicyManager` to find a plugin policy
(and then test against the entitlements declared in the policy).
Following up
https://github.com/elastic/elasticsearch/pull/117332#discussion_r1856803255,
I refactored `InstrumenterImpl` tests, splitting them into 2 suites:
- `SyntheticInstrumenterImplTests`, which tests the mechanics of
instrumentation using ad-hoc test cases. This should see little change
now that we have our Instrumenter working as intended
- `InstrumenterImplTests`, which is back to its original intent to make
sure (1) the right arguments make it all the way to the check methods,
and (2) if the check method throws, that exception correctly bubbles up
through the instrumented method.
The PR also includes a little change to `InstrumenterImpl` construction
to clean it up a bit and make it more testable.
* Entitlement tools: SecurityManager scanner (#116020)
* Fix entitlement tools to build (#117351)
This commit adjusts the common lib of entitlement tools to use
elasticsearch.build so that it gets java version configuration
automatically. Additionally the mrjar plugin is removed from the core
lib since it is not used there.
* fix compile
---------
Co-authored-by: Lorenzo Dematté <lorenzo.dematte@elastic.co>
* [Entitlements] Consider only system modules in the boot layer (#117017)
* [Entitlements] Implement entry point definitions via checker function signature (#116754)
* Policy manager for entitlements (#116695)
* Add java version variants of entitlements checker (#116878)
As each version of Java is released, there may be additional methods we
want to instrument for entitlements. Since new methods won't exist in
the base version of Java that Elasticsearch is compiled with, we need to
have different classes and compilation for each version.
This commit adds a scaffolding for adding the classes for new versions
of Java. Unfortunately it requires several classes in different
locations. But hopefully these are infrequent enough that the
boilerplate is ok. We could consider adding a helper Gradle task to
templatize the new classes in the future if it is too cumbersome. Note
that the example for Java23 does not have anything meaningful in it yet,
it's only meant as an example until we find go through classes and
methods that were added after Java 21.
* Spotless
---------
Co-authored-by: Lorenzo Dematté <lorenzo.dematte@elastic.co>
Co-authored-by: Jack Conradson <osjdconrad@gmail.com>
Co-authored-by: Patrick Doyle <patrick.doyle@elastic.co>
* Add initial entitlement policy parsing (#114448)
This change adds entitlement policy parsing with the following design:
* YAML file for readability and re-use of our x-content parsers
* hierarchical structure to group entitlements under a single scope
* no general entitlements without a scope or for the entire project
* Avoid double instrumentation via class annotation (#115398)
* Move entitlement jars to libs (#115883)
The distribution tools are meant to be CLIs. This commit moves the
entitlements jar projects to the libs dir, under a single
libs/entitlement root directory to keep the related jars together.
* Entitlement tools: SecurityManager scanner (#116020)
* Dynamic entitlement agent (#116125)
* Refactor: treat "maybe" JVM options uniformly
* WIP
* Get entitlement running with bridge all the way through, with qualified
exports
* Cosmetic changes to SystemJvmOptions
* Disable entitlements by default
* Bridge module comments
* Fixup forbidden APIs
* spotless
* Rename EntitlementChecker
* Fixup InstrumenterTests
* exclude recursive dep
* Fix some compliance stuff
* Rename asm-provider
* Stop using bridge in InstrumenterTests
* Generalize readme for asm-provider
* InstrumenterTests doesn't need EntitlementCheckerHandle
* Better javadoc
* Call parseBoolean
* Add entitlement to internal module list
* Docs as requested by Lorenzo
* Changes from Jack
* Rename ElasticsearchEntitlementChecker
* Remove logging javadoc
* exportInitializationToAgent should reference EntitlementInitialization, not EntitlementBootstrap.
They're currently in the same module, but if that ever changes, this code would have become wrong.
* Some suggestions from Mark
---------
Co-authored-by: Ryan Ernst <ryan@iernst.net>
* Remove unused EntitlementInternals (#116473)
* Revert "Entitlement tools: SecurityManager scanner (#116020)"
This reverts commit 023fb663de.
---------
Co-authored-by: Jack Conradson <osjdconrad@gmail.com>
Co-authored-by: Lorenzo Dematté <lorenzo.dematte@elastic.co>
Co-authored-by: Ryan Ernst <ryan@iernst.net>