push in netflix services

Author: jasonk000

Diff for: server/server.gradle

@@ -13,6 +13,7 @@
 plugins {
     id 'application'
     id "org.springframework.boot" version "3.1.4"
+    id "com.netflix.nebula.jakartaee-migration"
 }
 
 apply from: "$rootDir/gradle/java.gradle"
@@ -22,6 +23,20 @@ springBoot {
     applicationName = 'jifa'
 }
 
+jakartaeeMigration {
+    includeTransform('com.netflix.identity:identity-context-spring')
+    includeTransform('com.netflix.identity:identity-context-core')
+    includeTransform('com.netflix.identity:identity-context-api')
+    includeTransform('com.netflix.identity:identity-context-servlet')
+    includeTransform('com.netflix.identity:identity-context-servlet')
+    includeTransform('com.netflix.archaius:archaius2-api')
+    includeTransform('com.netflix.archaius:archaius2-core')
+    includeTransform('com.netflix.archaius:archaius2-guice')
+    includeTransform('com.netflix.archaius:archaius2-persisted2')
+    includeTransform('com.netflix.spring:spring-boot-netflix-configuration')
+    migrate()
+}
+
 dependencies {
     implementation project(':common')
     implementation project(':analysis')
@@ -33,7 +48,19 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.springframework.boot:spring-boot-starter-websocket'
     implementation 'org.springframework.boot:spring-boot-starter-validation'
+    implementation 'org.springframework.boot:spring-boot'
     implementation 'org.springframework.boot:spring-boot-starter-security'
+
+    implementation 'com.netflix.spring:spring-boot-netflix-sso:3.1.19'
+    implementation 'com.netflix.spring:spring-boot-netflix-sso-authn-embedded:3.1.19'
+    implementation 'com.netflix.spring:spring-boot-netflix-starter-configuration:3.1.19'
+    implementation 'com.netflix.spring:spring-boot-netflix-starter-security:3.1.19'
+    implementation 'com.netflix.spring:spring-boot-netflix-starter-security-authn-embedded:3.1.19'
+
+    implementation 'netflix:gandalf-authz-client:latest.release'
+    implementation 'com.netflix.nflxe2etokens:nflx-e2etokens-validation:latest.release'
+    implementation 'com.netflix.identity:identity-context-vertx4:1.8.0'
+
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
@@ -144,6 +171,7 @@ bootJar {
         attributes('Implementation-Title': 'Eclipse Jifa')
     }
     archiveFileName = 'jifa.jar'
+    duplicatesStrategy = DuplicatesStrategy.EXCLUDE
 }
 
 bootDistTar {

Diff for: server/src/main/java/org/eclipse/jifa/server/service/impl/netflix/FileAccessService.java

@@ -0,0 +1,8 @@
+package org.eclipse.jifa.server.service.impl.netflix;
+
+import org.eclipse.jifa.server.domain.entity.shared.file.BaseFileEntity;
+
+public interface FileAccessService {
+
+    public void checkAuthorityForCurrentUser(BaseFileEntity file);
+}

Diff for: server/src/main/java/org/eclipse/jifa/server/service/impl/netflix/InstanceCommand.java

@@ -0,0 +1,49 @@
+package org.eclipse.jifa.server.service.impl.netflix;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class InstanceCommand {
+    final String instanceId;
+    final String commandId;
+    final long pid;
+
+    final static Pattern VALID_REGEX = Pattern.compile("[0-9a-z-]+");
+
+    public InstanceCommand(final String instanceId, final String commandId, final long pid) {
+        this.instanceId = instanceId;
+        this.commandId = commandId;
+        this.pid = pid;
+    }
+
+    public static InstanceCommand parseParam(String param) {
+        if (param == null) {
+            return null;
+        }
+
+        final String[] parts = param.split("!");
+
+        if (parts.length != 4 || !parts[0].equals("s3")) {
+            return null;
+        }
+
+        // validate the data; three requirements:
+        // 1) instance id should be only alpha and hyphen
+        // 2) command id is a uuid
+        Matcher instanceIdMatcher = VALID_REGEX.matcher(parts[1]);
+        Matcher commandIdMatcher = VALID_REGEX.matcher(parts[2]);
+        if (!instanceIdMatcher.matches() || !commandIdMatcher.matches()) {
+            return null;
+        }
+
+        // 3) pid should be parsable as a number (only)
+        final long pid;
+        try {
+            pid = Long.valueOf(parts[3]);
+        } catch (NumberFormatException e) {
+            return null;
+        }
+
+        return new InstanceCommand(parts[1], parts[2], pid);
+    }
+}

Diff for: server/src/main/java/org/eclipse/jifa/server/service/impl/netflix/NetflixGandalfUserAccessService.java

@@ -0,0 +1,131 @@
+package org.eclipse.jifa.server.service.impl.netflix;
+
+import static org.eclipse.jifa.common.enums.CommonErrorCode.ILLEGAL_ARGUMENT;
+import static org.eclipse.jifa.server.enums.ServerErrorCode.ACCESS_DENIED;
+import static org.eclipse.jifa.server.enums.ServerErrorCode.FILE_NOT_FOUND;
+import static org.eclipse.jifa.server.enums.ServerErrorCode.UNAVAILABLE;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.URL;
+
+import javax.net.ssl.HttpsURLConnection;
+
+import org.eclipse.jifa.common.domain.exception.ErrorCode;
+import org.eclipse.jifa.common.util.Validate;
+import org.eclipse.jifa.server.domain.entity.shared.file.BaseFileEntity;
+import org.eclipse.jifa.server.domain.entity.shared.user.UserEntity;
+import org.eclipse.jifa.server.enums.ServerErrorCode;
+import org.eclipse.jifa.server.service.UserService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Primary;
+import org.springframework.stereotype.Component;
+
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
+import com.google.gson.annotations.SerializedName;
+import com.netflix.gandalf.agent.AuthorizationClient;
+import com.netflix.gandalf.agent.GandalfException;
+import com.netflix.gandalf.agent.protogen.AuthorizationResponse;
+import com.netflix.metatron.ipc.security.MetatronSslContext;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Primary
+@Component
+@Slf4j
+public class NetflixGandalfUserAccessService implements FileAccessService {
+
+    private static final String flamecommanderApi = "https://flamecommander.cluster.us-east-1.test.cloud.netflix.net:7004/";
+
+    AuthorizationClient authorizationClient;
+
+    @Autowired
+    UserService userService;
+
+    public NetflixGandalfUserAccessService() {
+        this.authorizationClient = new AuthorizationClient();
+        this.authorizationClient.status();
+    }
+
+    @Override
+    public void checkAuthorityForCurrentUser(BaseFileEntity file)
+    {
+        UserEntity user = userService.getCurrentUser();
+
+        log.info("Checking authority for file '{}' and user '{}'",
+            file.getUniqueName(),
+            user.getName());
+
+        InstanceCommand ic = InstanceCommand.parseParam(file.getUniqueName());
+        Validate.notNull(ic, ILLEGAL_ARGUMENT, "Not an s3! formed pathname: " + file.getUniqueName());
+
+        // look up historic information in flamecommander database for instance
+        final FcEvent fcEvent;
+        try {
+            fcEvent = loadFlamecommanderEvent(ic);
+        } catch (IOException e) {
+            log.error("flamecommander api error, sending error", e);
+            Validate.error(FILE_NOT_FOUND, "flamecommander api error: " + e.getMessage());
+            return;
+        }
+
+        Validate.notNull(fcEvent, FILE_NOT_FOUND,
+            String.format("No event found in flamecommander for instanceId=%s, commandId=%s",
+                ic.instanceId, ic.commandId));
+
+        Validate.notNull(user.getName(), ACCESS_DENIED, "No user identity found");
+
+        log.debug("found identity, verifying resources against gandalf");
+        JsonObject subject = createGandalfSubject(user.getName());
+        JsonObject resource = createGandalfResource();
+        try
+        {
+            AuthorizationResponse authorizationResponse = authorizationClient.isAuthorized(fcEvent.application,
+                            fcEvent.stack, fcEvent.accountId, fcEvent.region, subject, "SSH", resource, null);
+            log.debug("gandalf response: {}", authorizationResponse);
+            Validate.isTrue(authorizationResponse.getAllowed(), ACCESS_DENIED, "Access denied by gandalf");
+        }
+        catch (GandalfException e)
+        {
+            Validate.error(UNAVAILABLE, "gandalf error: " + e.getMessage());
+        }
+
+    }
+
+    static class FcEvent {
+        @SerializedName("account_id")
+        String accountId;
+        String application;
+        String stack;
+        String region;
+    }
+
+    String getFcProfileLookupUrl(InstanceCommand ic) {
+        return flamecommanderApi + "api/jifa/fc-event/" + ic.instanceId + "/" + ic.commandId;
+    }
+
+    FcEvent loadFlamecommanderEvent(InstanceCommand ic) throws IOException {
+        final String eventUrl = getFcProfileLookupUrl(ic);
+        HttpsURLConnection connection = (HttpsURLConnection) new URL(eventUrl).openConnection();
+        connection.setSSLSocketFactory(MetatronSslContext.forClient("flamecommander").getSocketFactory());
+        connection.setHostnameVerifier((hostname, session) -> true);
+        FcEvent[] events = new Gson().fromJson(new InputStreamReader(connection.getInputStream()), FcEvent[].class);
+        return (events.length == 1) ? events[0] : null;
+    }
+
+    JsonObject createGandalfSubject(String email) {
+        final JsonObject user = new JsonObject();
+        user.addProperty("email", email);
+        final JsonObject subject = new JsonObject();
+        subject.add("user", user);
+        return subject;
+    }
+
+    JsonObject createGandalfResource() {
+        final JsonObject resource = new JsonObject();
+        resource.addProperty("username", "nfsuper");
+        return resource;
+    }
+
+}

Diff for: server/src/main/java/org/eclipse/jifa/server/service/impl/netflix/PathLookupService.java

@@ -0,0 +1,10 @@
+package org.eclipse.jifa.server.service.impl.netflix;
+
+import java.nio.file.Path;
+
+import org.eclipse.jifa.server.enums.FileType;
+
+public interface PathLookupService
+{
+    Path lookupFile(Path basePath, FileType type, String name);
+}

Diff for: server/src/main/java/org/eclipse/jifa/server/service/impl/netflix/PathLookupServiceImpl.java

@@ -0,0 +1,29 @@
+package org.eclipse.jifa.server.service.impl.netflix;
+
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import org.eclipse.jifa.server.enums.FileType;
+import org.springframework.stereotype.Component;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Component
+@Slf4j
+public class PathLookupServiceImpl implements PathLookupService {
+    @Override
+    public Path lookupFile(Path basePath, FileType type, String name)
+    {
+        if (name.startsWith("s3!") && type == FileType.HEAP_DUMP) {
+            InstanceCommand ic = InstanceCommand.parseParam(name);
+            String path = String.format("%s/heapdump/%s/%s/%s", "/efs/ssm-outputs", ic.instanceId, ic.commandId, ic.pid);
+            Path result = Paths.get(path).resolve("heapdump.hprof");
+            log.info("Path lookup (Netflix) for {} of type {} resolved to {}", name, type, result);
+            return result;
+        }
+
+        Path result = basePath.resolve(type.getStorageDirectoryName()).resolve(name).resolve(name);
+        log.info("Path lookup (default) for {} of type {} resolved to {}", name, type, result);
+        return result;
+    }
+}

Diff for: server/src/main/java/org/eclipse/jifa/server/service/impl/netflix/ReadAheadService.java

@@ -0,0 +1,105 @@
+package org.eclipse.jifa.server.service.impl.netflix;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.time.Instant;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.springframework.stereotype.Component;
+
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import lombok.extern.slf4j.Slf4j;
+
+@Component
+@Slf4j
+public class ReadAheadService {
+    final static int CHUNK_SIZE = 8*1024*1024;
+    final static int READ_THREADS = 16;
+
+    final static int MAX_AGE_SECONDS = 300;
+    final static AtomicInteger threadCount = new AtomicInteger(0);
+    final ExecutorService readers = Executors.newFixedThreadPool(READ_THREADS, r -> new Thread(r, "ReadAheader-" + threadCount.getAndIncrement()));
+
+    final ConcurrentMap<String, Instant> readAheadRequests = new ConcurrentHashMap<>();
+
+    static final String[] INDEXES = new String[]{
+        // this assumes the files are all based on heapdump.hprof
+
+        // any order
+        "heapdump.i2sv2.index", // retained size cache (histogram & leak suspects)
+        "heapdump.domOut.index", // dominator tree outbound
+        "heapdump.o2ret.index", // retained size for object
+        "heapdump.o2hprof.index", // file pointer
+        "heapdump.o2c.index", // class id for object
+        "heapdump.a2s.index", // array to size
+        "heapdump.inbound.index", // inbound pointers for an object
+        "heapdump.outbound.index", // outbound pointers for object
+        "heapdump.domIn.index", // dominator tree inbound
+
+        // last
+        // "heapdump.idx.index",
+        // "heapdump.index",
+
+        // of course, also the hprof
+        // "heapdump.hprof"
+    };
+
+    // the readahead request is likely to come through concurrently, so maybe
+    // it will occur again before completing
+    // note that because we use standard CompletableFuture it will run on fj pool
+
+    public ReadAheadService() {
+        log.info("init(): setting up readahead, read_threads = {}, chunk_size = {}, max_age_seconds = {}",
+            READ_THREADS, CHUNK_SIZE, MAX_AGE_SECONDS);
+    }
+
+    public synchronized void issueForPath(Path hprofFile) {
+        Path path = hprofFile.getParent();
+        for (String index : INDEXES) {
+            issueReadFile(path.resolve(index));
+        }
+    }
+
+    void issueReadFile(final Path file) {
+        String filename = file.toString();
+        Instant existingRequest = readAheadRequests.get(filename);
+        if (needsLoad(existingRequest)) {
+            readAheadRequests.put(filename, Instant.now());
+            log.info("issueReadFile(): issuing for {}", filename);
+            readers.submit(() -> {
+                readAheadRequests.put(filename, Instant.now());
+
+                log.info("issueReadFile(): issued for {}", filename);
+                try {
+                    byte[] chunk = new byte[CHUNK_SIZE];
+                    FileInputStream fis = new FileInputStream(filename);
+                    while(fis.read(chunk) > 0) {
+                        // read again
+                    }
+                    log.info("issueReadFile(): completed for {}", filename);
+                } catch (IOException e) {
+                    log.info("issueReadFile(): failed for {}, {}", filename, e);
+                }
+
+                readAheadRequests.put(filename, Instant.now());
+            });
+        }
+    }
+
+    boolean needsLoad(Instant instant) {
+        if (instant == null) {
+            return true;
+        }
+
+        Instant OLDEST_OK_AGE = Instant.now().minusSeconds(MAX_AGE_SECONDS);
+        if (instant.isBefore(OLDEST_OK_AGE)) {
+            return true;
+        }
+
+        return false;
+    }
+}