Use task avoidance with forbidden apis (#55034)

Currently forbidden apis accounts for 800+ tasks in the build. These
tasks are aggressively created by the plugin. In forbidden apis 3.0, we
will get task avoidance
(policeman-tools/forbidden-apis#162), but we
need to ourselves use the same task avoidance mechanisms to not trigger
these task creations. This commit does that for our foribdden apis
usages, in preparation for upgrading to 3.0 when it is released.

Author: rjernst

benchmarks/build.gradle

@@ -48,7 +48,7 @@ compileJava.options.compilerArgs.addAll(["-processor", "org.openjdk.jmh.generato
 run.executable = "${BuildParams.runtimeJavaHome}/bin/java"
 
 // classes generated by JMH can use all sorts of forbidden APIs but we have no influence at all and cannot exclude these classes
-forbiddenApisMain.enabled = false
+disableTasks('forbiddenApisMain')
 
 // No licenses for our benchmark deps (we don't ship benchmarks)
 dependencyLicenses.enabled = false

build.gradle

@@ -537,3 +537,11 @@ subprojects {
     }
   }
 }
+
+subprojects {
+  project.ext.disableTasks = { String... tasknames ->
+    for (String taskname : tasknames) {
+      project.tasks.named(taskname).configure { onlyIf { false } }
+    }
+  }
+}

buildSrc/build.gradle

@@ -168,9 +168,7 @@ if (project != rootProject) {
   // build-tools is not ready for primetime with these...
   dependencyLicenses.enabled = false
   dependenciesInfo.enabled = false
-  forbiddenApisMain.enabled = false
-  forbiddenApisMinimumRuntime.enabled = false
-  forbiddenApisTest.enabled = false
+  disableTasks('forbiddenApisMain', 'forbiddenApisMinimumRuntime', 'forbiddenApisTest')
   jarHell.enabled = false
   thirdPartyAudit.enabled = false
   if (Boolean.parseBoolean(System.getProperty("tests.fips.enabled"))){

buildSrc/src/testKit/elasticsearch.build/build.gradle

@@ -17,8 +17,8 @@ repositories {
 }
 
 // todo remove offending rules
-forbiddenApisMain.enabled = false
-forbiddenApisTest.enabled = false
+tasks.named('forbiddenApisMain').configure { onlyIf { false } }
+tasks.named('forbiddenApisTest').configure { onlyIf { false } }
 // requires dependency on testing fw
 jarHell.enabled = false
 // we don't have tests for now

client/rest-high-level/build.gradle

@@ -78,7 +78,7 @@ dependencyLicenses {
   }
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   // core does not depend on the httpclient for compile so we add the signatures here. We don't add them for test as they are already
   // specified
   addSignatureFiles 'http-signatures'

client/rest/build.gradle

@@ -51,7 +51,7 @@ dependencies {
   testCompile "org.elasticsearch:mocksocket:${versions.mocksocket}"
 }
 
-tasks.withType(CheckForbiddenApis) {
+tasks.withType(CheckForbiddenApis).configureEach {
   //client does not depend on server, so only jdk and http signatures should be checked
   replaceSignatureFiles('jdk-signatures', 'http-signatures')
 }
@@ -60,7 +60,7 @@ forbiddenPatterns {
   exclude '**/*.der'
 }
 
-forbiddenApisTest {
+tasks.named('forbiddenApisTest').configure {
   //we are using jdk-internal instead of jdk-non-portable to allow for com.sun.net.httpserver.* usage
   bundledSignatures -= 'jdk-non-portable'
   bundledSignatures += 'jdk-internal'

client/sniffer/build.gradle

@@ -48,12 +48,12 @@ dependencies {
   testCompile "org.elasticsearch:mocksocket:${versions.mocksocket}"
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   //client does not depend on server, so only jdk signatures should be checked
   replaceSignatureFiles 'jdk-signatures'
 }
 
-forbiddenApisTest {
+tasks.named('forbiddenApisTest').configure {
   //we are using jdk-internal instead of jdk-non-portable to allow for com.sun.net.httpserver.* usage
   bundledSignatures -= 'jdk-non-portable'
   bundledSignatures += 'jdk-internal'

client/test/build.gradle

@@ -30,12 +30,12 @@ dependencies {
   compile "org.hamcrest:hamcrest:${versions.hamcrest}"
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   //client does not depend on core, so only jdk signatures should be checked
   replaceSignatureFiles 'jdk-signatures'
 }
 
-forbiddenApisTest {
+tasks.named('forbiddenApisTest').configure {
   //we are using jdk-internal instead of jdk-non-portable to allow for com.sun.net.httpserver.* usage
   bundledSignatures -= 'jdk-non-portable'
   bundledSignatures += 'jdk-internal'

distribution/tools/java-version-checker/build.gradle

@@ -3,7 +3,7 @@ apply plugin: 'elasticsearch.build'
 targetCompatibility = JavaVersion.VERSION_1_7
 
 // java_version_checker do not depend on core so only JDK signatures should be checked
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
 

distribution/tools/launchers/build.gradle

@@ -29,7 +29,7 @@ dependencies {
 
 archivesBaseName = 'elasticsearch-launchers'
 
-tasks.withType(CheckForbiddenApis) {
+tasks.withType(CheckForbiddenApis).configureEach {
   replaceSignatureFiles 'jdk-signatures'
 }
 

libs/cli/build.gradle

@@ -29,6 +29,6 @@ test.enabled = false
 // Since CLI does not depend on :server, it cannot run the jarHell task
 jarHell.enabled = false
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }

libs/core/build.gradle

@@ -88,7 +88,7 @@ dependencies {
   }
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   // :libs:elasticsearch-core does not depend on server
   // TODO: Need to decide how we want to handle for forbidden signatures with the changes to server
   replaceSignatureFiles 'jdk-signatures'

libs/dissect/build.gradle

@@ -26,7 +26,7 @@ dependencies {
   testCompile "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}"
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
 

libs/geo/build.gradle

@@ -26,7 +26,7 @@ dependencies {
   }
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   // geo does not depend on server
   // TODO: Need to decide how we want to handle for forbidden signatures with the changes to core
   replaceSignatureFiles 'jdk-signatures'

libs/grok/build.gradle

@@ -27,6 +27,6 @@ dependencies {
   }
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }

libs/nio/build.gradle

@@ -31,7 +31,7 @@ dependencies {
 }
 
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   // nio does not depend on core, so only jdk signatures should be checked
   // es-all is not checked as we connect and accept sockets
   replaceSignatureFiles 'jdk-signatures'

libs/plugin-classloader/build.gradle

@@ -20,5 +20,5 @@
 test.enabled = false
 
 // test depend on ES core...
-forbiddenApisMain.enabled = false
+disableTasks('forbiddenApisMain')
 jarHell.enabled = false

libs/secure-sm/build.gradle

@@ -30,7 +30,7 @@ dependencies {
   }
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
 

libs/ssl-config/build.gradle

@@ -31,7 +31,7 @@ dependencies {
 }
 
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
 

libs/x-content/build.gradle

@@ -39,7 +39,7 @@ dependencies {
 
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   // x-content does not depend on server
   // TODO: Need to decide how we want to handle for forbidden signatures with the changes to core
   replaceSignatureFiles 'jdk-signatures'

plugins/analysis-icu/build.gradle

@@ -25,7 +25,7 @@ esplugin {
   hasClientJar = true
 }
 
-tasks.withType(CheckForbiddenApis) {
+tasks.withType(CheckForbiddenApis).configureEach {
   signatures += [
     "com.ibm.icu.text.Collator#getInstance() @ Don't use default locale, use getInstance(ULocale) instead"
   ]

qa/os/build.gradle

@@ -42,7 +42,7 @@ dependencies {
   testCompile "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}"
 }
 
-forbiddenApisTest {
+tasks.named('forbiddenApisTest').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
 
@@ -58,7 +58,7 @@ tasks.dependenciesInfo.enabled = false
 tasks.thirdPartyAudit.ignoreMissingClasses()
 
 tasks.register('destructivePackagingTest') {
-  dependsOn 'destructiveDistroTest' 
+  dependsOn 'destructiveDistroTest'
 }
 
 processTestResources {

server/build.gradle

@@ -56,7 +56,7 @@ if (!isEclipse) {
     targetCompatibility = 11
   }
 
-  forbiddenApisJava11 {
+  tasks.named('forbiddenApisJava11').configure {
     doFirst {
       if (BuildParams.runtimeJavaVersion < JavaVersion.VERSION_11) {
         targetCompatibility = JavaVersion.VERSION_11.getMajorVersion()

test/fixtures/build.gradle

@@ -1,4 +1,4 @@
 subprojects {
   // fixtures are mostly external and by default we don't want to check forbidden apis
-  forbiddenApisMain.enabled = false
+  disableTasks('forbiddenApisMain')
 }

test/framework/build.gradle

@@ -38,7 +38,7 @@ compileJava.options.compilerArgs << '-Xlint:-cast,-rawtypes,-unchecked'
 compileTestJava.options.compilerArgs << '-Xlint:-rawtypes'
 
 // the main files are actually test files, so use the appropriate forbidden api sigs
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures', 'es-all-signatures', 'es-test-signatures'
 }
 

test/logger-usage/build.gradle

@@ -27,8 +27,7 @@ dependencies {
 
 loggerUsageCheck.enabled = false
 
-forbiddenApisMain.enabled = true // disabled by parent project
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures' // does not depend on core, only jdk signatures
 }
 jarHell.enabled = true // disabled by parent project

x-pack/plugin/core/build.gradle

@@ -90,7 +90,7 @@ forbiddenPatterns {
   exclude '**/*.zip'
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   signaturesFiles += files('forbidden/hasher-signatures.txt')
 }
 

x-pack/plugin/identity-provider/build.gradle

@@ -69,7 +69,7 @@ forbiddenPatterns {
   exclude '**/*.zip'
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   signaturesFiles += files('forbidden/xml-signatures.txt')
 }
 

x-pack/plugin/security/build.gradle

@@ -172,7 +172,7 @@ forbiddenPatterns {
   exclude '**/*.zip'
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   signaturesFiles += files('forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt')
 }
 

x-pack/plugin/security/cli/build.gradle

@@ -42,7 +42,7 @@ if (BuildParams.inFipsJvm) {
   testingConventions.enabled = false
   // Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are
   // not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS.
-  tasks.withType(CheckForbiddenApis) {
+  tasks.withType(CheckForbiddenApis).configureEach {
     bundledSignatures -= "jdk-non-portable"
   }
 }

x-pack/plugin/sql/jdbc/build.gradle

@@ -5,7 +5,7 @@ apply plugin: 'com.github.johnrengelman.shadow'
 description = 'JDBC driver for Elasticsearch'
 archivesBaseName = "x-pack-sql-jdbc"
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   // does not depend on core, so only jdk and http signatures should be checked
   replaceSignatureFiles 'jdk-signatures'
 }

x-pack/plugin/sql/qa/build.gradle

@@ -39,7 +39,7 @@ dependencyLicenses.enabled = false
 dependenciesInfo.enabled = false
 
 // the main files are actually test files, so use the appropriate forbidden api sigs
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'es-all-signatures', 'es-test-signatures'
 }
 

x-pack/plugin/sql/sql-action/build.gradle

@@ -28,7 +28,7 @@ dependencies {
   testCompile project(":test:framework")
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   //sql does not depend on server, so only jdk signatures should be checked
   replaceSignatureFiles 'jdk-signatures'
 }

x-pack/plugin/sql/sql-cli/build.gradle

@@ -55,7 +55,7 @@ shadowJar {
   }
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   //sql does not depend on server, so only jdk signatures should be checked
   replaceSignatureFiles 'jdk-signatures'
   signaturesFiles += files('src/forbidden/cli-signatures.txt')

x-pack/plugin/sql/sql-client/build.gradle

@@ -21,12 +21,12 @@ dependencyLicenses {
   ignoreSha 'elasticsearch-core'
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   // does not depend on core, so only jdk and http signatures should be checked
   replaceSignatureFiles 'jdk-signatures'
 }
 
-forbiddenApisTest {
+tasks.named('forbiddenApisTest').configure {
   bundledSignatures -= 'jdk-non-portable'
   bundledSignatures += 'jdk-internal'
 }

x-pack/plugin/sql/sql-proto/build.gradle

@@ -18,7 +18,7 @@ dependencies {
   testCompile project(":test:framework")
 }
 
-forbiddenApisMain {
+tasks.named('forbiddenApisMain').configure {
   //sql does not depend on server, so only jdk signatures should be checked
   replaceSignatureFiles 'jdk-signatures'
 }