[POC] [Security Manager Replacement] GraalVM sandboxing

Signed-off-by: Andriy Redko <[email protected]>
opensearch-project · Jan 14, 2025 · af51fe1 · af51fe1
1 parent f98f426
commit af51fe1
Show file tree

Hide file tree

Showing 45 changed files with 600 additions and 10 deletions.
diff --git a/libs/espresso-converters/build.gradle b/libs/espresso-converters/build.gradle
@@ -0,0 +1,32 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+import org.opensearch.gradle.info.BuildParams
+
+apply plugin: 'opensearch.publish'
+
+base {
+  archivesName = 'espresso-converters'
+}
+
+dependencies {
+  implementation "org.graalvm.espresso:polyglot:24.1.1"
+  implementation project(":server")
+}
+
+tasks.named('forbiddenApisMain').configure {
+  replaceSignatureFiles 'jdk-signatures'
+}
+
+
+tasks.named('missingJavadoc').configure {
+  enabled = false
+}
diff --git a/libs/espresso-converters/licenses/polyglot-24.1.1.jar.sha1 b/libs/espresso-converters/licenses/polyglot-24.1.1.jar.sha1
@@ -0,0 +1 @@
+90838233a34d0768f33cbdba810096d7feb824d2
diff --git a/...spresso-converters/src/main/java/org/opensearch/espresso/sandbox/ActionTypeConverter.java b/...spresso-converters/src/main/java/org/opensearch/espresso/sandbox/ActionTypeConverter.java
@@ -0,0 +1,27 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.espresso.sandbox;
+
+import org.opensearch.action.ActionType;
+import org.opensearch.action.admin.cluster.state.ClusterStateAction;
+
+import com.oracle.truffle.espresso.polyglot.GuestTypeConversion;
+
+/**
+ * converter
+ */
+public class ActionTypeConverter implements GuestTypeConversion<ActionType<?>> {
+    /**
+     * converter
+     */
+    @Override
+    public ActionType<?> toGuest(Object polyglotInstance) {
+        return ClusterStateAction.INSTANCE;
+    }
+}
diff --git a/...converters/src/main/java/org/opensearch/espresso/sandbox/ClusterStateActionConverter.java b/...converters/src/main/java/org/opensearch/espresso/sandbox/ClusterStateActionConverter.java
@@ -0,0 +1,28 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.espresso.sandbox;
+
+import org.opensearch.action.ActionType;
+import org.opensearch.action.admin.cluster.state.ClusterStateAction;
+import org.opensearch.action.admin.cluster.state.ClusterStateResponse;
+
+import com.oracle.truffle.espresso.polyglot.GuestTypeConversion;
+
+/**
+ * converter
+ */
+public class ClusterStateActionConverter implements GuestTypeConversion<ActionType<ClusterStateResponse>> {
+    /**
+     * converter
+     */
+    @Override
+    public ActionType<ClusterStateResponse> toGuest(Object polyglotInstance) {
+        return ClusterStateAction.INSTANCE;
+    }
+}
diff --git a/...rs/src/main/java/org/opensearch/espresso/sandbox/ClusterStateRequestBuilderConverter.java b/...rs/src/main/java/org/opensearch/espresso/sandbox/ClusterStateRequestBuilderConverter.java
@@ -0,0 +1,38 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.espresso.sandbox;
+
+import org.opensearch.action.admin.cluster.state.ClusterStateAction;
+import org.opensearch.action.admin.cluster.state.ClusterStateRequestBuilder;
+import org.opensearch.client.OpenSearchClient;
+
+import com.oracle.truffle.espresso.polyglot.ArityException;
+import com.oracle.truffle.espresso.polyglot.GuestTypeConversion;
+import com.oracle.truffle.espresso.polyglot.Interop;
+import com.oracle.truffle.espresso.polyglot.UnknownIdentifierException;
+import com.oracle.truffle.espresso.polyglot.UnsupportedMessageException;
+import com.oracle.truffle.espresso.polyglot.UnsupportedTypeException;
+
+/**
+ * converter
+ */
+public class ClusterStateRequestBuilderConverter implements GuestTypeConversion<ClusterStateRequestBuilder> {
+    /**
+     * converter
+     */
+    @Override
+    public ClusterStateRequestBuilder toGuest(Object polyglotInstance) {
+        try {
+            final OpenSearchClient client = Interop.invokeMemberWithCast(OpenSearchClient.class, polyglotInstance, "client");
+            return new ClusterStateRequestBuilder(client, ClusterStateAction.INSTANCE);
+        } catch (UnsupportedMessageException | ArityException | UnknownIdentifierException | UnsupportedTypeException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}
diff --git a/...onverters/src/main/java/org/opensearch/espresso/sandbox/ClusterStateRequestConverter.java b/...onverters/src/main/java/org/opensearch/espresso/sandbox/ClusterStateRequestConverter.java
@@ -0,0 +1,26 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.espresso.sandbox;
+
+import org.opensearch.action.admin.cluster.state.ClusterStateRequest;
+
+import com.oracle.truffle.espresso.polyglot.GuestTypeConversion;
+
+/**
+ * converter
+ */
+public class ClusterStateRequestConverter implements GuestTypeConversion<ClusterStateRequest> {
+    /**
+     * converter
+     */
+    @Override
+    public ClusterStateRequest toGuest(Object polyglotInstance) {
+        return new ClusterStateRequest();
+    }
+}
diff --git a/...nverters/src/main/java/org/opensearch/espresso/sandbox/ClusterStateResponseConverter.java b/...nverters/src/main/java/org/opensearch/espresso/sandbox/ClusterStateResponseConverter.java
@@ -0,0 +1,28 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.espresso.sandbox;
+
+import org.opensearch.action.admin.cluster.state.ClusterStateResponse;
+import org.opensearch.cluster.ClusterName;
+import org.opensearch.cluster.ClusterState;
+
+import com.oracle.truffle.espresso.polyglot.GuestTypeConversion;
+
+/**
+ * converter
+ */
+public class ClusterStateResponseConverter implements GuestTypeConversion<ClusterStateResponse> {
+    /**
+     * converter
+     */
+    @Override
+    public ClusterStateResponse toGuest(Object polyglotInstance) {
+        return new ClusterStateResponse(ClusterName.DEFAULT, ClusterState.EMPTY_STATE, false);
+    }
+}
diff --git a/libs/espresso-converters/src/main/java/org/opensearch/espresso/sandbox/NoOpClient.java b/libs/espresso-converters/src/main/java/org/opensearch/espresso/sandbox/NoOpClient.java
@@ -0,0 +1,76 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.espresso.sandbox;
+
+import org.opensearch.OpenSearchException;
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionType;
+import org.opensearch.action.admin.cluster.state.ClusterStateResponse;
+import org.opensearch.client.support.AbstractClient;
+import org.opensearch.cluster.ClusterName;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.threadpool.ThreadPool;
+
+import java.util.concurrent.TimeUnit;
+
+public class NoOpClient extends AbstractClient {
+    public NoOpClient(ThreadPool threadPool) {
+        super(Settings.EMPTY, threadPool);
+    }
+
+    public NoOpClient(String testName) {
+        super(Settings.EMPTY, new ThreadPool(Settings.EMPTY));
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    protected <Request extends ActionRequest, Response extends ActionResponse> void doExecute(
+        ActionType<Response> action,
+        Request request,
+        ActionListener<Response> listener
+    ) {
+        listener.onResponse((Response) new ClusterStateResponse(ClusterName.DEFAULT, ClusterState.EMPTY_STATE, false));
+    }
+
+    @Override
+    public void close() {
+        try {
+            ThreadPool.terminate(threadPool(), 10, TimeUnit.SECONDS);
+        } catch (Exception e) {
+            throw new OpenSearchException(e.getMessage(), e);
+        }
+    }
+}
diff --git a/libs/espresso-converters/src/main/java/org/opensearch/espresso/sandbox/package-info.java b/libs/espresso-converters/src/main/java/org/opensearch/espresso/sandbox/package-info.java
@@ -0,0 +1,10 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/** GraalVM sandbox */
+package org.opensearch.espresso.sandbox;
diff --git a/libs/espresso-sm/build.gradle b/libs/espresso-sm/build.gradle
@@ -0,0 +1,50 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+import org.opensearch.gradle.info.BuildParams
+
+apply plugin: 'opensearch.publish'
+
+base {
+  archivesName = 'espresso-sm'
+}
+
+dependencies {
+  implementation "org.graalvm.polyglot:polyglot:24.1.1"
+  implementation "org.graalvm.sdk:nativeimage:24.1.1"
+  implementation "org.graalvm.sdk:collections:24.1.1"
+  implementation "org.graalvm.sdk:word:24.1.1"
+  implementation "org.graalvm.sdk:jniutils:24.1.1"
+  implementation "org.graalvm.llvm:llvm-api:24.1.1"
+  implementation "org.graalvm.llvm:llvm-language:24.1.1"
+  implementation "org.graalvm.llvm:llvm-language-native:24.1.1"
+  implementation "org.graalvm.llvm:llvm-language-native-resources:24.1.1"
+  implementation "org.graalvm.llvm:llvm-language-nfi:24.1.1"
+  implementation "org.graalvm.truffle:truffle-api:24.1.1"
+  implementation "org.graalvm.truffle:truffle-compiler:24.1.1"
+  implementation "org.graalvm.truffle:truffle-nfi:24.1.1"
+  implementation "org.graalvm.truffle:truffle-nfi-libffi:24.1.1"
+  implementation "org.graalvm.truffle:truffle-runtime:24.1.1"
+  implementation "org.graalvm.espresso:espresso-language:24.1.1"
+  implementation "org.graalvm.espresso:polyglot:24.1.1"
+  implementation "org.graalvm.espresso:espresso-libs-resources-linux-amd64:24.0.2"
+  implementation "org.graalvm.espresso:espresso-runtime-resources-linux-amd64:24.0.2"
+  implementation project(":server")
+}
+
+tasks.named('forbiddenApisMain').configure {
+  replaceSignatureFiles 'jdk-signatures'
+}
+
+
+tasks.named('missingJavadoc').configure {
+  enabled = false
+}
diff --git a/libs/espresso-sm/licenses/collections-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/collections-24.1.1.jar.sha1
@@ -0,0 +1 @@
+16b6de3fe00198630e375e6a8dc26a39a6df288d
diff --git a/libs/espresso-sm/licenses/espresso-language-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/espresso-language-24.1.1.jar.sha1
@@ -0,0 +1 @@
+f3b53d189b224ec8277bfc378b79aa69540678b0
diff --git a/libs/espresso-sm/licenses/espresso-libs-resources-linux-amd64-24.0.2.jar.sha1 b/libs/espresso-sm/licenses/espresso-libs-resources-linux-amd64-24.0.2.jar.sha1
@@ -0,0 +1 @@
+14daa53850647f16e505ce23a72c0f2223ac2df0
diff --git a/libs/espresso-sm/licenses/espresso-runtime-resources-linux-amd64-24.0.2.jar.sha1 b/libs/espresso-sm/licenses/espresso-runtime-resources-linux-amd64-24.0.2.jar.sha1
@@ -0,0 +1 @@
+b35e24aafc0e5e5b62fa112766194ba789d9a75c
diff --git a/libs/espresso-sm/licenses/jniutils-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/jniutils-24.1.1.jar.sha1
@@ -0,0 +1 @@
+4b938ddc284a5da3fa39bc408e8df98abf2d7e36
diff --git a/libs/espresso-sm/licenses/llvm-api-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/llvm-api-24.1.1.jar.sha1
@@ -0,0 +1 @@
+780c182c59ad36d57932a4e3f2b2f2cfefbcd510
diff --git a/libs/espresso-sm/licenses/llvm-language-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/llvm-language-24.1.1.jar.sha1
@@ -0,0 +1 @@
+92e9e65aff646259b0ad2ecb1cc4628d6622dc6f
diff --git a/libs/espresso-sm/licenses/llvm-language-native-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/llvm-language-native-24.1.1.jar.sha1
@@ -0,0 +1 @@
+69795c2626736f7c05277daebd9121d620e3f96b
diff --git a/libs/espresso-sm/licenses/llvm-language-native-resources-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/llvm-language-native-resources-24.1.1.jar.sha1
@@ -0,0 +1 @@
+6d67373a5cd874b8e1fbe050e10d4e1d9decb13c
diff --git a/libs/espresso-sm/licenses/llvm-language-nfi-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/llvm-language-nfi-24.1.1.jar.sha1
@@ -0,0 +1 @@
+4d676f8a41ae3a56835961fb872d4cf4c5c720cc
diff --git a/libs/espresso-sm/licenses/nativeimage-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/nativeimage-24.1.1.jar.sha1
@@ -0,0 +1 @@
+a3a3e22b928e1c3bf527548d3127c6680e122b32
diff --git a/libs/espresso-sm/licenses/polyglot-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/polyglot-24.1.1.jar.sha1
@@ -0,0 +1 @@
+90838233a34d0768f33cbdba810096d7feb824d2
diff --git a/libs/espresso-sm/licenses/truffle-api-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/truffle-api-24.1.1.jar.sha1
@@ -0,0 +1 @@
+ab928bda7b6e0b32c07d1881109c80c8b0906e84
diff --git a/libs/espresso-sm/licenses/truffle-compiler-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/truffle-compiler-24.1.1.jar.sha1
@@ -0,0 +1 @@
+cf1980f8d824b7370a125efa51b1c5dde4b15aab
diff --git a/libs/espresso-sm/licenses/truffle-nfi-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/truffle-nfi-24.1.1.jar.sha1
@@ -0,0 +1 @@
+03a0933174665ce62be94652831af998a88f3ca5
diff --git a/libs/espresso-sm/licenses/truffle-nfi-libffi-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/truffle-nfi-libffi-24.1.1.jar.sha1
@@ -0,0 +1 @@
+cf27ea3a964faa49043b2201ffcbe8afbfd74d8f
diff --git a/libs/espresso-sm/licenses/truffle-runtime-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/truffle-runtime-24.1.1.jar.sha1
@@ -0,0 +1 @@
+405a3db994bb09149103226ba88eaa69865ccdb7
diff --git a/libs/espresso-sm/licenses/word-24.1.1.jar.sha1 b/libs/espresso-sm/licenses/word-24.1.1.jar.sha1
@@ -0,0 +1 @@
+3c30d46d03d86d5d1069bfd34a57390f8cf8a30c