Our check methods injected by the instrumenter receive "this" as the second parameter.
For internal classes like AbstractDelegateHttpsURLConnection we generally use a base type; in this case we were using javax.net.ssl.HttpsURLConnection, which is incorrect as AbstractDelegateHttpsURLConnection derives from java.net.HttpURLConnection.
This was not failing in our tests because we don't actually use that parameter in that check function.
Also, it was not failing on transform, just on retransformClasses, and only in JDK 24. Apparently, JDK 24 introduced new validation there (to be confirmed).
And it was failing just on cloud as the APM agent there (which is loaded before our agent) connects to an https endpoint - our IT tests, and ./gradlew run --with-apm-server, use an http endpoint. Using https makes the JVM load AbstractDelegateHttpsURLConnection, making it one of the classes we need to retransform, triggering the VerifyError.
Makes the execution and use of enrich policies project-aware.
Note: this does not make the enrich cache project-aware. That is to be
handled in a follow-up PR.
This PR adjusts the list of supported ciphers to reflect ciphers
available in JDK 24.
JDK 24 [drops](https://bugs.openjdk.org/browse/JDK-8245545) support for
`TLS_RSA` suites. These ciphers will no longer be supported in
Elasticsearch with a bundled JDK with version >= 24. JDKs of lower
versions will continue to support the dropped ciphers.
I will follow up this PR with a separate docs PR.
* Fix Gradle Deprecation warning as declaring an is- property with a Boolean type has been deprecated.
* Make use of new layout.settingsFolder API to address some cross project references
* Fix buildParams snapshot check for multiproject projects
* Remove @UpdateForV9 annotation in RuntimeVersionFeature
Re ES-10338 the Core/Infra team agreed that this is not blocked on security manager removal. We should go ahead and remove these 2 instances of the @UpdateForV9 annotation, the code will be cleaned up soon with the removal of Security Manager.
* Remove @UpdateForV9 annotation from SystemJvmOptions
re ES-10338 the Core/Infra team agreed this is not blocked on security manager removal. We should go ahead and remove this instance of the @UpdateForV9 annotation.
All CLIs in elasticsearch support command line flags for controlling the
output level. When --silent is used, the expectation is that normal
logging is omitted. Yet the log4j logger is still configured to output
error level logs. This commit sets the appropriate log level for log4j
depending on the Terminal log level.
This commit reworks the settings globs to be more useable. Primarily it
expands the values so that the settings may be lists, iterating over
each value. Additionally it simplifies the function to also allow
non-glob settings so that this single method may be used to look up all
values for a given setting pattern, whether it contains a glob or not.
The setting based paths could be either absolute or relative, and they
are always relative to the config dir. This commit renames the
path_setting to make it clear it is related to config, and removes the
relative variant.
SSL file utils currently only handle security manager access control
exceptions around file read checks. This PR extends these to support
entitlement checks as well.
There is no easy way to unit test this since we can't run unit tests
with entitlements enabled (for now). The PR includes a REST test
instead.
Relates: https://github.com/elastic/elasticsearch/issues/121960
Bit of a random find. Looks like we're effectively spending something
like ~0.5% of the total CPU time on resolving virtual calls for these
methods. Inlining `IOUtils` reduces their size quite a bit, removes
dead code for rethrowing `IOException` that is never actually thrown
and hopefully as a result improves compilation a little here.
This adds an exclusive parameter for FilesEntitlement where a path can be made exclusive for a certain
module. Should two modules attempt to both specify the same path as exclusive an exception is
thrown.
File entitlements which read a setting may actually contain urls. This
commit adds an optional `ignore_url` property for the entitlement to
skip any values which are urls.
The NamedComponentReader reads a file created upon plugin installation
for stable plugins from the plugin installation dir. This commit passes
the plugins directory through to entitlements and grants server access.
* Consider entitlement lib as system module
Entitlements sometimes needs to perform sensitive operations,
particularly within the FileAccessTree. This commit expands the
trivially allowed check to include entitlements as one of the system
modules alongside the jdk. One consequence is that the self test must be
moved outside entitlements.
* [CI] Auto commit changes from spotless
* remove old method call
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Some file paths are OS specific. This commit adds a `platform` property
to each file in a files entitlement that can be used to limit that file
to a specific platform.
Co-authored-by: Moritz Mack <mmack@apache.org>
Co-authored-by: Lorenzo Dematte <lorenzo.dematte@elastic.co>