Add a policy parser for Java Agent #17753

Merged
merged 5 commits into from
Apr 7, 2025

Conversation

kumargu
Contributor

@kumargu kumargu commented Apr 1, 2025

Description

The PR writes a parser to parse java-security-manager style policies, supporting parsing of Grants, Permissions and Codebases in policy files. The primary reason being: the Policy parser would be removed in JDK24 and upwards. Our own policy parser would still exist, though, as it is needed for the Java agent intercepting calls based on a policy. The policy grammar remains the same as in the JDK to support backward compatibility and avoid breaking existing plugins. The grammar, however, will not support Principals, KeyStore, Aliasing and Signing -- we don't need that complex stuff.

The parser uses tokenization (common for parsers) to generate tokens and then a Recursive Descent Parser to scan over matching tokens. We also support expansion of variables in CodeBase to keep it fully backward compatible.

Related Issues

#17659

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
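
The tokenize-then-recursive-descent approach from the description, sketched for the grant / codeBase / permission subset as an added example (this is not the code merged in this PR). The class, record and method names are hypothetical, and treating an undefined `${property}` or an unterminated string as a hard error is an assumption of this sketch.

```java
import java.util.*;
import java.util.regex.*;

public class MiniPolicyParser { // hypothetical names, not the PR's classes
    record Permission(String type, String name, String actions) {}
    record Grant(String codeBase, List<Permission> permissions) {}
    // comment | quoted string | punctuation | bare word | stray quote (rejected below)
    static final Pattern TOKEN = Pattern.compile("//[^\\n]*|\"[^\"]*\"|[{};,]|[^\\s{};,\"]+|\"");
    final Deque<String> tokens = new ArrayDeque<>();
    List<Grant> parse(String text) {
        for (Matcher m = TOKEN.matcher(text); m.find();) {
            if (m.group().equals("\"")) throw new IllegalArgumentException("unterminated string");
            if (!m.group().startsWith("//")) tokens.add(m.group()); // strings keep their quotes
        }
        List<Grant> grants = new ArrayList<>();
        while (!tokens.isEmpty()) grants.add(grant());
        return grants;
    }
    Grant grant() { // grant [codeBase "url"] { permission* } ;
        take("(?i)grant");
        Grant g = new Grant(opt("codeBase") ? expand(str()) : null, new ArrayList<>());
        take("\\{");
        while (!opt("}")) g.permissions().add(permission());
        take(";");
        return g;
    }
    Permission permission() { // permission Type ["name"] [, "actions"] ;
        take("(?i)permission");
        Permission p = new Permission(take("[\\w.$]+"), peek().startsWith("\"") ? str() : null, opt(",") ? str() : null);
        take(";");
        return p;
    }
    String peek() { return tokens.isEmpty() ? "" : tokens.peek(); } // "" marks end of input
    boolean opt(String kw) { return peek().equalsIgnoreCase(kw) && tokens.poll() != null; } // consume kw if next
    String take(String regex) { // consume the next token if it matches regex, otherwise reject the policy
        if (peek().matches(regex)) return tokens.poll();
        throw new IllegalArgumentException("expected " + regex + " but found '" + peek() + "'");
    }
    String str() { String t = take("(?s)\".*\""); return t.substring(1, t.length() - 1); } // strip the quotes
    static String expand(String s) { // ${prop} -> system property; undefined is an error (assumption)
        return Pattern.compile("\\$\\{([^}]+)}").matcher(s).replaceAll(r -> Matcher.quoteReplacement(
            Objects.requireNonNull(System.getProperty(r.group(1)), "undefined property " + r.group(1))));
    }
    public static void main(String[] args) {
        String policy = "grant codeBase \"file:${java.home}/-\" {\n" // constructed sample policy
            + "  permission java.net.SocketPermission \"localhost:9200\", \"connect,resolve\";\n"
            + "  permission java.lang.RuntimePermission \"getClassLoader\"; // no actions\n};";
        new MiniPolicyParser().parse(policy).forEach(System.out::println);
    }
}
```

Quoted tokens keep their quotes until `str()` strips them, so a string such as `"grant"` or `"}"` is never mistaken for a keyword or delimiter.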

Contributor

github-actions bot commented Apr 1, 2025

❌ Gradle check result for 49d2dde: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@cwperks
Member

cwperks commented Apr 1, 2025

@kumargu Can you fix the precommit failures?

@kumargu kumargu force-pushed the policy_parser_java_agent branch from 49d2dde to 2808d74 Compare April 1, 2025 17:39
Member

@cwperks cwperks left a comment

No further comments from me. This change LGTM, thank you @kumargu!

Contributor

github-actions bot commented Apr 7, 2025

❌ Gradle check result for b33f1e9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@kumargu kumargu force-pushed the policy_parser_java_agent branch from b33f1e9 to 1a4a456 Compare April 7, 2025 16:09
Contributor

github-actions bot commented Apr 7, 2025

❌ Gradle check result for 75b2a94: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@kumargu kumargu force-pushed the policy_parser_java_agent branch from 75b2a94 to 22f63b3 Compare April 7, 2025 16:56
Contributor

github-actions bot commented Apr 7, 2025

❌ Gradle check result for 1d85a2d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@kumargu kumargu force-pushed the policy_parser_java_agent branch from 1d85a2d to 14a3b25 Compare April 7, 2025 17:36
Member

@andrross andrross left a comment

@cwperks Can you take a quick look at the latest update?

Contributor

github-actions bot commented Apr 7, 2025

✅ Gradle check result for 21a7eb5: SUCCESS

@cwperks cwperks merged commit 115de22 into opensearch-project:main Apr 7, 2025
33 checks passed
@kumargu kumargu deleted the policy_parser_java_agent branch April 7, 2025 19:43
disableTasks('forbiddenApisMain')

dependencies {
testImplementation(project(":test:framework"))
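Review bot: `disableTasks('forbiddenApisMain')` on the first line of this hunk switches off the forbidden-APIs check for the module's main sources, and nothing here says which calls need it. Add a comment naming the API usages that trip the check, or suppress only those call sites so the rest of the module stays covered by it.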
Contributor

@kumargu sorry I am late - we cannot depend on :test:framework here since it will introduce a cycle: :test:framework -> :agent -> :agent-policy :(

guojialiang92 pushed a commit to guojialiang92/OpenSearch that referenced this pull request Apr 8, 2025
* Add a policy parser for java agent

Signed-off-by: Gulshan <[email protected]>

* Url no deprecated version of url resolution

Signed-off-by: Gulshan <[email protected]>

* Remove unused methods and switch to modern Java collections

Signed-off-by: Gulshan <[email protected]>

* Use record classes and other small refactorings

Signed-off-by: Andrew Ross <[email protected]>

---------

Signed-off-by: Gulshan <[email protected]>
Signed-off-by: Andrew Ross <[email protected]>
Co-authored-by: Andrew Ross <[email protected]>
@kumargu kumargu mentioned this pull request Apr 10, 2025
3 tasks
4 participants