Split PolicyChecker from PolicyManager

Author: prdoyle

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -96,6 +96,9 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 
+/**
+ * Contains one "check" method for each distinct JDK method we want to instrument.
+ */
 @SuppressWarnings("unused") // Called from instrumentation code inserted by the Entitlements agent
 public interface EntitlementChecker {
 

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementCheckerUtils.java

@@ -70,7 +70,7 @@ public static void initialize(Instrumentation inst) throws Exception {
 
         DynamicInstrumentation.initialize(
             inst,
-            EntitlementCheckerUtils.getVersionSpecificCheckerClass(EntitlementChecker.class, Runtime.version().feature()),
+            getVersionSpecificCheckerClass(EntitlementChecker.class, Runtime.version().feature()),
             verifyBytecode
         );
     }
@@ -88,9 +88,7 @@ private static PolicyManager createPolicyManager() {
             pluginPolicies,
             EntitlementBootstrap.bootstrapArgs().scopeResolver(),
             EntitlementBootstrap.bootstrapArgs().sourcePaths(),
-            ENTITLEMENTS_MODULE,
-            pathLookup,
-            bootstrapArgs.suppressFailureLogClasses()
+            pathLookup
         );
     }
 
@@ -115,10 +113,7 @@ private static void ensureClassesSensitiveToVerificationAreInitialized() {
     private static ElasticsearchEntitlementChecker initChecker() {
         final PolicyManager policyManager = createPolicyManager();
 
-        final Class<?> clazz = EntitlementCheckerUtils.getVersionSpecificCheckerClass(
-            ElasticsearchEntitlementChecker.class,
-            Runtime.version().feature()
-        );
+        final Class<?> clazz = getVersionSpecificCheckerClass(ElasticsearchEntitlementChecker.class, Runtime.version().feature());
 
         Constructor<?> constructor;
         try {
@@ -132,4 +127,32 @@ private static ElasticsearchEntitlementChecker initChecker() {
             throw new AssertionError(e);
         }
     }
+
+    /**
+     * Returns the "most recent" checker class compatible with the provided runtime Java version.
+     * For checkers, we have (optionally) version specific classes, each with a prefix (e.g. Java23).
+     * The mapping cannot be automatic, as it depends on the actual presence of these classes in the final Jar (see
+     * the various mainXX source sets).
+     */
+    static Class<?> getVersionSpecificCheckerClass(Class<?> baseClass, int javaVersion) {
+        String packageName = baseClass.getPackageName();
+        String baseClassName = baseClass.getSimpleName();
+
+        final String classNamePrefix;
+        if (javaVersion >= 23) {
+            // All Java version from 23 onwards will be able to use che checks in the Java23EntitlementChecker interface and implementation
+            classNamePrefix = "Java23";
+        } else {
+            // For any other Java version, the basic EntitlementChecker interface and implementation contains all the supported checks
+            classNamePrefix = "";
+        }
+        final String className = packageName + "." + classNamePrefix + baseClassName;
+        Class<?> clazz;
+        try {
+            clazz = Class.forName(className);
+        } catch (ClassNotFoundException e) {
+            throw new AssertionError("entitlement lib cannot find entitlement class " + className, e);
+        }
+        return clazz;
+    }
 }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -192,8 +192,8 @@
  * implementation (normally on {@link org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker}, unless it is a
  * version-specific method) calls the appropriate methods on {@link org.elasticsearch.entitlement.runtime.policy.PolicyManager},
  * forwarding the caller class and a specific set of arguments. These methods all start with check, roughly matching an entitlement type
- * (e.g. {@link org.elasticsearch.entitlement.runtime.policy.PolicyManager#checkInboundNetworkAccess},
- * {@link org.elasticsearch.entitlement.runtime.policy.PolicyManager#checkFileRead}).
+ * (e.g. {@link org.elasticsearch.entitlement.runtime.policy.PolicyChecker#checkInboundNetworkAccess},
+ * {@link org.elasticsearch.entitlement.runtime.policy.PolicyChecker#checkFileRead}).
  * </p>
  * <p>
  * Most of the entitlements are "flag" entitlements: when present, it grants the caller the right to perform an action (or a set of