Merged
Expand Up @@ -33,9 +33,12 @@
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.PropertyPermission;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

@SuppressWarnings("removal")
public class PolicyFile extends java.security.Policy {
Expand All @@ -62,16 +65,17 @@
}

private PolicyInfo init(URL policy) throws PolicyInitializationException {
PolicyInfo info = new PolicyInfo();
List<PolicyEntry> entries = new ArrayList<>();

try (InputStreamReader reader = new InputStreamReader(getInputStream(policy), StandardCharsets.UTF_8)) {
List<GrantEntry> grantEntries = PolicyParser.read(reader);
for (GrantEntry grantEntry : grantEntries) {
addGrantEntry(grantEntry, info);
addGrantEntry(grantEntry, entries);

}
} catch (Exception e) {
throw new PolicyInitializationException("Failed to load policy from: " + policy, e);
}
return info;

return new PolicyInfo(entries);

}

public static InputStream getInputStream(URL url) throws IOException {
Expand All @@ -94,32 +98,30 @@
}
}

private void addGrantEntry(GrantEntry grantEntry, PolicyInfo newInfo) throws PolicyInitializationException {
private void addGrantEntry(GrantEntry grantEntry, List<PolicyEntry> entries) throws PolicyInitializationException {
CodeSource codesource = getCodeSource(grantEntry);
if (codesource == null) {
throw new PolicyInitializationException("Null CodeSource for: " + grantEntry.codeBase());
}

List<Permission> permissions = new ArrayList<>();
List<PermissionEntry> permissionList = grantEntry.permissionEntries();
for (PermissionEntry pe : permissionList) {
for (PermissionEntry pe : grantEntry.permissionEntries()) {
final PermissionEntry expandedEntry = expandPermissionName(pe);
try {
Optional<Permission> perm = getInstance(expandedEntry.permission(), expandedEntry.name(), expandedEntry.action());
if (perm.isPresent()) {
permissions.add(perm.get());
}
perm.ifPresent(permissions::add);

} catch (ClassNotFoundException e) {
// these were mostly custom permission classes added for security
// manager. Since security manager is deprecated, we can skip these
// permissions classes.
if (PERM_CLASSES_TO_SKIP.contains(pe.permission())) {
continue; // skip this permission
continue;

}
throw new PolicyInitializationException("Permission class not found: " + pe.permission(), e);
}
}
newInfo.policyEntries.add(new PolicyEntry(codesource, permissions));

entries.add(new PolicyEntry(codesource, permissions));

}

private static PermissionEntry expandPermissionName(PermissionEntry pe) {
Expand Down Expand Up @@ -180,7 +182,11 @@

@Override
public boolean implies(ProtectionDomain pd, Permission p) {
PermissionCollection pc = getPermissions(pd);
if (pd == null || p == null) {
return false;

}

PermissionCollection pc = policyInfo.getOrCompute(pd, this::getPermissions);

return pc != null && pc.implies(p);
}

Expand Down Expand Up @@ -307,10 +313,16 @@
}

private static class PolicyInfo {
final List<PolicyEntry> policyEntries;
private final List<PolicyEntry> policyEntries;
private final Map<ProtectionDomain, PermissionCollection> pdMapping;

PolicyInfo(List<PolicyEntry> entries) {
this.policyEntries = List.copyOf(entries); // an immutable copy for thread safety.
this.pdMapping = new ConcurrentHashMap<>();
}


PolicyInfo() {
policyEntries = new ArrayList<>();
public PermissionCollection getOrCompute(ProtectionDomain pd, Function<ProtectionDomain, PermissionCollection> computeFn) {
return pdMapping.computeIfAbsent(pd, k -> computeFn.apply(k));

}
}
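Review bot: `PolicyInfo.pdMapping` is a `ConcurrentHashMap` keyed by `ProtectionDomain`, so every domain passed to `implies` stays strongly reachable, together with its class loader, for as long as this `PolicyInfo` lives; if plugin or other short-lived class loaders are checked against this policy, they can no longer be unloaded. Weak keys would avoid that, for example `this.pdMapping = Collections.synchronizedMap(new WeakHashMap<>());`, provided the cached `PermissionCollection` does not itself reference the domain. Separately, `getOrCompute` runs `getPermissions` inside `computeIfAbsent`, whose mapping function must not update the map: if computing permissions can re-enter `implies` on the same thread (not visible in this section), the call fails with a recursive-update error or blocks, so a `get`, a computation outside the map and then `putIfAbsent` is the safer shape for an access-control decision. The cache also has no visible invalidation, so it is worth confirming that a policy reload builds a new `PolicyInfo` rather than reusing one whose cached grants are stale.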
