Design and implementation of Entitlement with this level of detail needs to stay close to the code, and take advantage of javadoc features like linking and class-references to help us with refactorings and future code changes.
The bulk of the information went into the package-info file for the main library, but I split up some parts and referenced them from the main doc, where I thought it made sense (mainly: the bridge sub-project for some implementation details, PolicyManager, EntitlementInitialization and FileAccessTree); this way they still can be reached from the "overview" while being closer to where the information really belongs.
Relates to ES-11284
This will rethrow the `NoSuchFileException` when encountering an invalid
symbolic link when following links during file (read) entitlement
checks.
Relates to https://github.com/elastic/elasticsearch/pull/124133
(ES-11019)
Our check methods injected by the instrumenter receive "this" as the second parameter.
For internal classes like AbstractDelegateHttpsURLConnection we generally use a base type; in this case we were using javax.net.ssl.HttpsURLConnection, which is incorrect as AbstractDelegateHttpsURLConnection derives from java.net.HttpURLConnection.
This was not failing in our tests because we don't actually use that parameter in that check function.
Also, it was not failing on transform, just on retransformClasses, and only in JDK 24. Apparently, JDK 24 introduced new validation there (to be confirmed).
And it was failing just on cloud as the APM agent there (which is loaded before our agent) connects to an https endpoint - our IT tests, and ./gradlew run --with-apm-server, use an http endpoint. Using https makes the JVM load AbstractDelegateHttpsURLConnection, making it one of the classes we need to retransform, triggering the VerifyError.
* java.base entitlements
* SuppressForbidden, and add a missing test
* Revert logging back to commented-out printlns
* Merge FileCheckActions and rename for overloads
* Remove stray logger
* Remove more traces of logging change
* Remove more traces of logging
This commit adds instrumentation for File methods that require write
permission. No server or plugins use these methods, so no policy changes
were necessary. Note that since we are not planning to restrict temp
file creation, the bootstrap self test on file writing was removed,
which failed with these changes.
Like the plugin being tested, the entitled test plugin needs access to
dynamic elements (namely, file paths). This commit dynamically generates
the entitlement policy for the entitled test plugin when it is
installed. It also adds using the file entitlement as an example.
Instrumented methods in EntitlementChecker are loosely grouped by the
associated entitlement. This commit sorts the methods within groups to
allow more clear placement of additional instrumented methods.
This commit adds FileEntitlement to entitlements. It does not add checks
for all file access methods yet, instead opting for example read and
write methods.
Each module contains a sorted array of paths with read and write
permissions. Binary search is used to quickly identify the closest path
to determine whether a target path can be read or written.
Some important things about FileEntitlement are the path can either be a
file or a directory. All directories grant recursive permission. The
mode is either read or read_write. All operations like create or delete
are considered write.
relates ES-10354
Co-authored-by: Jack Conradson <osjdconrad@gmail.com>
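The commit message above describes the lookup scheme: per module, a sorted array of granted paths, a binary search for the closest entry, read vs. read_write modes, and recursive directory grants. The following is an added illustration of that scheme, not the project's FileAccessTree and not code from the Elasticsearch repository. It assumes POSIX-style absolute paths and makes two design choices of its own: the sort order treats `/` as lower than every other character so that a directory's descendants sit contiguously right after it, and grants already covered by an ancestor grant are pruned at construction time so the single closest entry is sufficient to decide. Paths are only lexically normalized here; resolving symbolic links before the check is the caller's job.

```python
"""Sorted-path entitlement lookup (added example, not the project's code)."""
import bisect
import posixpath

READ = "read"
READ_WRITE = "read_write"  # create, delete, write all count as write


def _normalize(path: str) -> str:
    # Lexical normalization only: collapses "//", "/./" and "a/../" and
    # strips trailing slashes. Symlinks must already be resolved by the caller.
    return posixpath.normpath(path)


def _sort_key(path: str) -> str:
    # NUL sorts below every printable character, so with "/" mapped to NUL the
    # descendants of "/a" come directly after "/a" and before "/a-other".
    return path.replace("/", "\0")


def _is_parent(parent: str, child: str) -> bool:
    # Directory grants are recursive: any path strictly beneath the grant matches.
    if parent == "/":
        return child.startswith("/")
    return child.startswith(parent + "/")


def _prune(sorted_paths: list[str]) -> list[str]:
    # Drop entries already covered by an ancestor grant. Because descendants are
    # contiguous after their ancestor in this order, comparing with the last
    # kept entry is enough.
    kept: list[str] = []
    for p in sorted_paths:
        if kept and _is_parent(kept[-1], p):
            continue
        kept.append(p)
    return kept


class FileAccessTree:
    """Holds one sorted, pruned path list for read and one for write."""

    def __init__(self, grants: list[tuple[str, str]]):
        reads, writes = [], []
        for path, mode in grants:
            p = _normalize(path)
            if mode == READ_WRITE:
                writes.append(p)
            elif mode != READ:
                raise ValueError(f"unknown mode {mode!r}")
            reads.append(p)  # read_write implies read
        self._read_paths = _prune(sorted(set(reads), key=_sort_key))
        self._write_paths = _prune(sorted(set(writes), key=_sort_key))
        self._read_keys = [_sort_key(p) for p in self._read_paths]
        self._write_keys = [_sort_key(p) for p in self._write_paths]

    @staticmethod
    def _check(paths: list[str], keys: list[str], target: str) -> bool:
        t = _normalize(target)
        # Binary search: index of the last grant sorting at or before the target.
        idx = bisect.bisect_right(keys, _sort_key(t)) - 1
        if idx < 0:
            return False
        closest = paths[idx]
        return closest == t or _is_parent(closest, t)

    def can_read(self, path: str) -> bool:
        return self._check(self._read_paths, self._read_keys, path)

    def can_write(self, path: str) -> bool:
        return self._check(self._write_paths, self._write_keys, path)


def demo_tree() -> FileAccessTree:
    # Constructed sample policy for illustration; the paths are not real.
    return FileAccessTree([
        ("/etc/es/config", READ),
        ("/var/lib/es/data", READ_WRITE),
        ("/var/lib/es/data/nodes", READ),  # redundant, pruned under its parent
    ])


if __name__ == "__main__":
    tree = demo_tree()
    for p in ("/etc/es/config/jvm.options", "/etc/es/config-old/x",
              "/var/lib/es/data/nodes/0/seg", "/var/lib/es/data/../secret"):
        print(f"{p}: read={tree.can_read(p)} write={tree.can_write(p)}")
```

The `config-old` case shows why the separator has to sort lowest: with plain string order `/etc/es/config-old` would sit between `/etc/es/config` and `/etc/es/config/jvm.options` and the closest-entry test would miss the real grant. The pruning step matters for the same reason with nested grants: without it, a sibling grant such as `/a/c` could be the closest entry for `/a/d/x` even though `/a` grants it.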
Instrument write access to System properties by means of the `WriteSystemPropertiesEntitlement`.
`System.setProperties(Properties)` is always denied.
Part of #ES-10359
* Refactor: separate check method name vs signature parsing
* Cosmetic: change checker comment format
* Entitlements for JDK-wide global state
* [CI] Auto commit changes from spotless
* Comment explaining entitlement add-exports
* @SuppressForbidden
* Refactor: rename dummy subclasses
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
* Use $$ for static check methods
* Always use class name from checker method name
* Spotless
* Varargs assertParseCheckerMethodSignatureThrows
* Remove hasReceiver again
* Spotless
* Cosmetic changes
* Change to new check method naming convention
* Grant all entitlements to system modules
* [CI] Auto commit changes from spotless
* Make NO_ENTITLEMENTS_MODULE non-null
* Initialize NO_ENTITLEMENTS_MODULE with @BeforeClass.
Looks like @WithoutSecurityManager doesn't work with static initializers.
* Move check to public method
* Logging adjustments
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
As each version of Java is released, there may be additional methods we
want to instrument for entitlements. Since new methods won't exist in
the base version of Java that Elasticsearch is compiled with, we need to
have different classes and compilation for each version.
This commit adds a scaffolding for adding the classes for new versions
of Java. Unfortunately it requires several classes in different
locations. But hopefully these are infrequent enough that the
boilerplate is ok. We could consider adding a helper Gradle task to
templatize the new classes in the future if it is too cumbersome. Note
that the example for Java23 does not have anything meaningful in it yet,
it's only meant as an example until we go through classes and
methods that were added after Java 21.
* Refactor: treat "maybe" JVM options uniformly
* WIP
* Get entitlement running with bridge all the way through, with qualified
exports
* Cosmetic changes to SystemJvmOptions
* Disable entitlements by default
* Bridge module comments
* Fixup forbidden APIs
* spotless
* Rename EntitlementChecker
* Fixup InstrumenterTests
* exclude recursive dep
* Fix some compliance stuff
* Rename asm-provider
* Stop using bridge in InstrumenterTests
* Generalize readme for asm-provider
* InstrumenterTests doesn't need EntitlementCheckerHandle
* Better javadoc
* Call parseBoolean
* Add entitlement to internal module list
* Docs as requested by Lorenzo
* Changes from Jack
* Rename ElasticsearchEntitlementChecker
* Remove logging javadoc
* exportInitializationToAgent should reference EntitlementInitialization, not EntitlementBootstrap.
They're currently in the same module, but if that ever changes, this code would have become wrong.
* Some suggestions from Mark
---------
Co-authored-by: Ryan Ernst <ryan@iernst.net>
The distribution tools are meant to be CLIs. This commit moves the
entitlements jar projects to the libs dir, under a single
libs/entitlement root directory to keep the related jars together.