opensearch-project
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/Agent.java‎
Lines changed: 10 additions & 2 deletions b/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/Agent.java‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java‎
Lines changed: 49 additions & 0 deletions b/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java‎
Lines changed: 6 additions & 6 deletions b/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SocketChannelInterceptor.java‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/StackCallerClassChainExtractor.java‎
Lines changed: 42 additions & 0 deletions b/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/StackCallerClassChainExtractor.java‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/StackCallerChainExtractor.java‎ renamed to ‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/StackCallerProtectionDomainChainExtractor.java‎
Lines changed: 9 additions & 7 deletions b/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/StackCallerChainExtractor.java‎ renamed to ‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/StackCallerProtectionDomainChainExtractor.java‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java‎
Lines changed: 10 additions & 1 deletion b/‎libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/SystemExitInterceptorTests.java‎ renamed to ‎libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/AgentTests.java‎
Lines changed: 7 additions & 2 deletions b/‎libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/SystemExitInterceptorTests.java‎ renamed to ‎libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/AgentTests.java‎
Lines changed: 7 additions & 2 deletions
@@ -17,6 +17,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Security Manager Replacement] Create initial Java Agent to intercept Socket::connect calls ([#17724](https://github.com/opensearch-project/OpenSearch/pull/17724))
 - Add ingestion management APIs for pause, resume and get ingestion state ([#17631](https://github.com/opensearch-project/OpenSearch/pull/17631))
 - [Security Manager Replacement] Enhance Java Agent to intercept System::exit ([#17746](https://github.com/opensearch-project/OpenSearch/pull/17746))
+- [Security Manager Replacement] Enhance Java Agent to intercept Runtime::halt ([#17757](https://github.com/opensearch-project/OpenSearch/pull/17757))
+- Support AutoExpand for SearchReplica ([#17741](https://github.com/opensearch-project/OpenSearch/pull/17741))
+- Implement fixed interval refresh task scheduling ([#17777](https://github.com/opensearch-project/OpenSearch/pull/17777))
 
 ### Changed
 - Migrate BC libs to their FIPS counterparts ([#14912](https://github.com/opensearch-project/OpenSearch/pull/14912))
@@ -36,6 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `lycheeverse/lychee-action` from 2.3.0 to 2.4.0 ([#17731](https://github.com/opensearch-project/OpenSearch/pull/17731))
 - Bump `com.netflix.nebula.ospackage-base` from 11.11.1 to 11.11.2 ([#17734](https://github.com/opensearch-project/OpenSearch/pull/17734))
 - Bump `com.nimbusds:oauth2-oidc-sdk` from 11.21 to 11.23.1 ([#17729](https://github.com/opensearch-project/OpenSearch/pull/17729))
+- Bump `com.google.api.grpc:proto-google-common-protos` from 2.52.0 to 2.54.1 ([#17733](https://github.com/opensearch-project/OpenSearch/pull/17733))
 
 ### Changed
 
 
@@ -64,8 +64,10 @@ private static AgentBuilder createAgentBuilder(Instrumentation inst) throws Exce
         ClassInjector.UsingUnsafe.ofBootLoader()
             .inject(
                 Map.of(
-                    new TypeDescription.ForLoadedType(StackCallerChainExtractor.class),
-                    ClassFileLocator.ForClassLoader.read(StackCallerChainExtractor.class),
+                    new TypeDescription.ForLoadedType(StackCallerProtectionDomainChainExtractor.class),
+                    ClassFileLocator.ForClassLoader.read(StackCallerProtectionDomainChainExtractor.class),
+                    new TypeDescription.ForLoadedType(StackCallerClassChainExtractor.class),
+                    ClassFileLocator.ForClassLoader.read(StackCallerClassChainExtractor.class),
                     new TypeDescription.ForLoadedType(AgentPolicy.class),
                     ClassFileLocator.ForClassLoader.read(AgentPolicy.class)
                 )
@@ -83,6 +85,12 @@ private static AgentBuilder createAgentBuilder(Instrumentation inst) throws Exce
                 (b, typeDescription, classLoader, module, pd) -> b.visit(
                     Advice.to(SystemExitInterceptor.class).on(ElementMatchers.named("exit"))
                 )
+            )
+            .type(ElementMatchers.is(java.lang.Runtime.class))
+            .transform(
+                (b, typeDescription, classLoader, module, pd) -> b.visit(
+                    Advice.to(RuntimeHaltInterceptor.class).on(ElementMatchers.named("halt"))
+                )
             );
 
         return agentBuilder;
 
@@ -0,0 +1,49 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.javaagent;
+
+import org.opensearch.javaagent.bootstrap.AgentPolicy;
+
+import java.lang.StackWalker.Option;
+import java.security.Policy;
+import java.util.stream.Stream;
+
+import net.bytebuddy.asm.Advice;
+
+/**
+ * {@link Runtime#halt} interceptor
+ */
+public class RuntimeHaltInterceptor {
+    /**
+     * RuntimeHaltInterceptor
+     */
+    public RuntimeHaltInterceptor() {}
+
+    /**
+     * Interceptor
+     * @param code exit code
+     * @throws Exception exceptions
+     */
+    @Advice.OnMethodEnter
+    @SuppressWarnings("removal")
+    public static void intercept(int code) throws Exception {
+        final Policy policy = AgentPolicy.getPolicy();
+        if (policy == null) {
+            return; /* noop */
+        }
+
+        final StackWalker walker = StackWalker.getInstance(Option.RETAIN_CLASS_REFERENCE);
+        final Class<?> caller = walker.getCallerClass();
+        final Stream<Class<?>> chain = walker.walk(StackCallerClassChainExtractor.INSTANCE);
+
+        if (AgentPolicy.isChainThatCanExit(caller, chain) == false) {
+            throw new SecurityException("The class " + caller + " is not allowed to call Runtime::halt(" + code + ")");
+        }
+    }
+}
@@ -18,7 +18,7 @@
 import java.net.UnixDomainSocketAddress;
 import java.security.Policy;
 import java.security.ProtectionDomain;
-import java.util.List;
+import java.util.stream.Stream;
 
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.asm.Advice.Origin;
@@ -47,26 +47,26 @@ public static void intercept(@Advice.AllArguments Object[] args, @Origin Method
         }
 
         final StackWalker walker = StackWalker.getInstance(Option.RETAIN_CLASS_REFERENCE);
-        final List<ProtectionDomain> callers = walker.walk(new StackCallerChainExtractor());
+        final Stream<ProtectionDomain> callers = walker.walk(StackCallerProtectionDomainChainExtractor.INSTANCE);
 
         if (args[0] instanceof InetSocketAddress address) {
             if (!AgentPolicy.isTrustedHost(address.getHostString())) {
                 final String host = address.getHostString() + ":" + address.getPort();
 
                 final SocketPermission permission = new SocketPermission(host, "connect,resolve");
-                for (final ProtectionDomain domain : callers) {
+                callers.forEach(domain -> {
                     if (!policy.implies(domain, permission)) {
                         throw new SecurityException("Denied access to: " + host + ", domain " + domain);
                     }
-                }
+                });
             }
         } else if (args[0] instanceof UnixDomainSocketAddress address) {
             final NetPermission permission = new NetPermission("accessUnixDomainSocket");
-            for (final ProtectionDomain domain : callers) {
+            callers.forEach(domain -> {
                 if (!policy.implies(domain, permission)) {
                     throw new SecurityException("Denied access to: " + address + ", domain " + domain);
                 }
-            }
+            });
         }
     }
 }
@@ -0,0 +1,42 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.javaagent;
+
+import java.lang.StackWalker.StackFrame;
+import java.util.function.Function;
+import java.util.stream.Stream;
+
+/**
+ * Stack Caller Class Chain Extractor
+ */
+public final class StackCallerClassChainExtractor implements Function<Stream<StackFrame>, Stream<Class<?>>> {
+    /**
+     * Single instance of stateless class.
+     */
+    public static final StackCallerClassChainExtractor INSTANCE = new StackCallerClassChainExtractor();
+
+    /**
+     * Constructor
+     */
+    private StackCallerClassChainExtractor() {}
+
+    /**
+     * Folds the stack
+     * @param frames stack frames
+     */
+    @Override
+    public Stream<Class<?>> apply(Stream<StackFrame> frames) {
+        return cast(frames);
+    }
+
+    @SuppressWarnings("unchecked")
+    private static <A> Stream<A> cast(Stream<StackFrame> frames) {
+        return (Stream<A>) frames.map(StackFrame::getDeclaringClass).filter(c -> !c.isHidden()).distinct();
+    }
+}
@@ -10,30 +10,32 @@
 
 import java.lang.StackWalker.StackFrame;
 import java.security.ProtectionDomain;
-import java.util.List;
 import java.util.function.Function;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 /**
  * Stack Caller Chain Extractor
  */
-public final class StackCallerChainExtractor implements Function<Stream<StackFrame>, List<ProtectionDomain>> {
+public final class StackCallerProtectionDomainChainExtractor implements Function<Stream<StackFrame>, Stream<ProtectionDomain>> {
+    /**
+     * Single instance of stateless class.
+     */
+    public static final StackCallerProtectionDomainChainExtractor INSTANCE = new StackCallerProtectionDomainChainExtractor();
+
     /**
      * Constructor
      */
-    public StackCallerChainExtractor() {}
+    private StackCallerProtectionDomainChainExtractor() {}
 
     /**
      * Folds the stack
      * @param frames stack frames
      */
     @Override
-    public List<ProtectionDomain> apply(Stream<StackFrame> frames) {
+    public Stream<ProtectionDomain> apply(Stream<StackFrame> frames) {
         return frames.map(StackFrame::getDeclaringClass)
             .map(Class::getProtectionDomain)
             .filter(pd -> pd.getCodeSource() != null) /* JDK */
-            .distinct()
-            .collect(Collectors.toList());
+            .distinct();
     }
 }
@@ -11,6 +11,8 @@
 import org.opensearch.javaagent.bootstrap.AgentPolicy;
 
 import java.lang.StackWalker.Option;
+import java.security.Policy;
+import java.util.stream.Stream;
 
 import net.bytebuddy.asm.Advice;
 
@@ -29,11 +31,18 @@ public SystemExitInterceptor() {}
      * @throws Exception exceptions
      */
     @Advice.OnMethodEnter()
+    @SuppressWarnings("removal")
     public static void intercept(int code) throws Exception {
+        final Policy policy = AgentPolicy.getPolicy();
+        if (policy == null) {
+            return; /* noop */
+        }
+
         final StackWalker walker = StackWalker.getInstance(Option.RETAIN_CLASS_REFERENCE);
         final Class<?> caller = walker.getCallerClass();
+        final Stream<Class<?>> chain = walker.walk(StackCallerClassChainExtractor.INSTANCE);
 
-        if (!AgentPolicy.isClassThatCanExit(caller.getName())) {
+        if (AgentPolicy.isChainThatCanExit(caller, chain) == false) {
             throw new SecurityException("The class " + caller + " is not allowed to call System::exit(" + code + ")");
         }
     }
 
@@ -15,16 +15,21 @@
 import java.security.Policy;
 import java.util.Set;
 
-public class SystemExitInterceptorTests {
+public class AgentTests {
     @SuppressWarnings("removal")
     @BeforeClass
     public static void setUp() {
         AgentPolicy.setPolicy(new Policy() {
-        }, Set.of(), new String[] { "worker.org.gradle.process.internal.worker.GradleWorkerMain" });
+        }, Set.of(), (caller, chain) -> caller.getName().equalsIgnoreCase("worker.org.gradle.process.internal.worker.GradleWorkerMain"));
     }
 
     @Test(expected = SecurityException.class)
     public void testSystemExitIsForbidden() {
         System.exit(0);
     }
+
+    @Test(expected = SecurityException.class)
+    public void testRuntimeHaltIsForbidden() {
+        Runtime.getRuntime().halt(0);
+    }
 }
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@`
`18`	`18`	`import java.net.UnixDomainSocketAddress;`
`19`	`19`	`import java.security.Policy;`
`20`	`20`	`import java.security.ProtectionDomain;`
`21`		`-import java.util.List;`
	`21`	`+import java.util.stream.Stream;`
`22`	`22`
`23`	`23`	`import net.bytebuddy.asm.Advice;`
`24`	`24`	`import net.bytebuddy.asm.Advice.Origin;`
`@@ -47,26 +47,26 @@ public static void intercept(@Advice.AllArguments Object[] args, @Origin Method`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`final StackWalker walker = StackWalker.getInstance(Option.RETAIN_CLASS_REFERENCE);`
`50`		`- final List<ProtectionDomain> callers = walker.walk(new StackCallerChainExtractor());`
	`50`	`+ final Stream<ProtectionDomain> callers = walker.walk(StackCallerProtectionDomainChainExtractor.INSTANCE);`
`51`	`51`
`52`	`52`	`if (args[0] instanceof InetSocketAddress address) {`
`53`	`53`	`if (!AgentPolicy.isTrustedHost(address.getHostString())) {`
`54`	`54`	`final String host = address.getHostString() + ":" + address.getPort();`
`55`	`55`
`56`	`56`	`final SocketPermission permission = new SocketPermission(host, "connect,resolve");`
`57`		`- for (final ProtectionDomain domain : callers) {`
	`57`	`+ callers.forEach(domain -> {`
`58`	`58`	`if (!policy.implies(domain, permission)) {`
`59`	`59`	`throw new SecurityException("Denied access to: " + host + ", domain " + domain);`
`60`	`60`	`}`
`61`		`- }`
	`61`	`+ });`
`62`	`62`	`}`
`63`	`63`	`} else if (args[0] instanceof UnixDomainSocketAddress address) {`
`64`	`64`	`final NetPermission permission = new NetPermission("accessUnixDomainSocket");`
`65`		`- for (final ProtectionDomain domain : callers) {`
	`65`	`+ callers.forEach(domain -> {`
`66`	`66`	`if (!policy.implies(domain, permission)) {`
`67`	`67`	`throw new SecurityException("Denied access to: " + address + ", domain " + domain);`
`68`	`68`	`}`
`69`		`- }`
	`69`	`+ });`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`	`}`