Create equivalents of JSM's AccessController in the java agent

CHANGELOG.md

@@ -30,6 +30,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add support for `matched_fields` with the unified highlighter ([#18164](https://github.com/opensearch-project/OpenSearch/issues/18164))
 - [repository-s3] Add support for SSE-KMS and S3 bucket owner verification ([#18312](https://github.com/opensearch-project/OpenSearch/pull/18312))
 - Added File Cache Stats - Involves Block level as well as full file level stats ([#17538](https://github.com/opensearch-project/OpenSearch/issues/17479))
+- Create equivalents of JSM's AccessController in the java agent ([#18346](https://github.com/opensearch-project/OpenSearch/issues/18346))
 
 ### Changed
 - Create generic DocRequest to better categorize ActionRequests ([#18269](https://github.com/opensearch-project/OpenSearch/pull/18269)))

libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/StackCallerProtectionDomainChainExtractor.java

@@ -11,6 +11,7 @@
 import java.lang.StackWalker.StackFrame;
 import java.security.ProtectionDomain;
 import java.util.Collection;
+import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -24,6 +25,14 @@
      */
     public static final StackCallerProtectionDomainChainExtractor INSTANCE = new StackCallerProtectionDomainChainExtractor();
 
+    private static final StackWalker STACK_WALKER = StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);
+    private static final Set<String> ACCESS_CONTROLLER_CLASSES = Set.of(
+        "java.security.AccessController",
+        "org.opensearch.javaagent.bootstrap.AccessController"
+    );
+
+    private static final Set<String> DO_PRIVILEGED_METHODS = Set.of("doPrivileged", "doPrivilegedChecked");
+
     /**
      * Constructor
      */
@@ -36,7 +45,7 @@
     @Override
     public Collection<ProtectionDomain> apply(Stream<StackFrame> frames) {
         return frames.takeWhile(
-            frame -> !(frame.getClassName().equals("java.security.AccessController") && frame.getMethodName().equals("doPrivileged"))
+            frame -> !(ACCESS_CONTROLLER_CLASSES.contains(frame.getClassName()) && DO_PRIVILEGED_METHODS.contains(frame.getMethodName()))
         )
             .map(StackFrame::getDeclaringClass)
             .map(Class::getProtectionDomain)

libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/StackCallerProtectionDomainExtractorTests.java

@@ -19,12 +19,16 @@
 import java.security.ProtectionDomain;
 import java.util.List;
 import java.util.Set;
+import java.util.concurrent.Callable;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
+import static org.opensearch.javaagent.bootstrap.AccessController.CheckedRunnable;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.hasItem;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
 
 public class StackCallerProtectionDomainExtractorTests {
 
@@ -115,4 +119,148 @@ public Void run() {
             }
         });
     }
+
+    @Test
+    public void testStackTruncationWithOpenSearchAccessController() {
+        org.opensearch.javaagent.bootstrap.AccessController.doPrivileged(() -> {
+            StackCallerProtectionDomainChainExtractor extractor = StackCallerProtectionDomainChainExtractor.INSTANCE;
+            Set<ProtectionDomain> protectionDomains = (Set<ProtectionDomain>) extractor.apply(captureStackFrames().stream());
+            assertEquals(1, protectionDomains.size());
+            List<String> simpleNames = protectionDomains.stream().map(pd -> {
+                try {
+                    return pd.getCodeSource().getLocation().toURI();
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException(e);
+                }
+            })
+                .map(URI::getPath)
+                .map(Paths::get)
+                .map(Path::getFileName)
+                .map(Path::toString)
+                // strip trailing “-VERSION.jar” if present
+                .map(name -> name.replaceFirst("-\\d[\\d\\.]*\\.jar$", ""))
+                // otherwise strip “.jar”
+                .map(name -> name.replaceFirst("\\.jar$", ""))
+                .toList();
+            assertThat(
+                simpleNames,
+                containsInAnyOrder(
+                    "test"    // from the build/classes/java/test directory
+                )
+            );
+        });
+    }
+
+    @Test
+    public void testStackTruncationWithOpenSearchAccessControllerUsingSupplier() {
+        org.opensearch.javaagent.bootstrap.AccessController.doPrivileged((Supplier<Void>) () -> {
+            StackCallerProtectionDomainChainExtractor extractor = StackCallerProtectionDomainChainExtractor.INSTANCE;
+            Set<ProtectionDomain> protectionDomains = (Set<ProtectionDomain>) extractor.apply(captureStackFrames().stream());
+            assertEquals(1, protectionDomains.size());
+            List<String> simpleNames = protectionDomains.stream().map(pd -> {
+                try {
+                    return pd.getCodeSource().getLocation().toURI();
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException(e);
+                }
+            })
+                .map(URI::getPath)
+                .map(Paths::get)
+                .map(Path::getFileName)
+                .map(Path::toString)
+                // strip trailing “-VERSION.jar” if present
+                .map(name -> name.replaceFirst("-\\d[\\d\\.]*\\.jar$", ""))
+                // otherwise strip “.jar”
+                .map(name -> name.replaceFirst("\\.jar$", ""))
+                .toList();
+            assertThat(
+                simpleNames,
+                containsInAnyOrder(
+                    "test"    // from the build/classes/java/test directory
+                )
+            );
+            return null;
+        });
+    }
+
+    @Test
+    public void testStackTruncationWithOpenSearchAccessControllerUsingCallable() throws Exception {
+        org.opensearch.javaagent.bootstrap.AccessController.doPrivilegedChecked((Callable<Void>) () -> {
+            StackCallerProtectionDomainChainExtractor extractor = StackCallerProtectionDomainChainExtractor.INSTANCE;
+            Set<ProtectionDomain> protectionDomains = (Set<ProtectionDomain>) extractor.apply(captureStackFrames().stream());
+            assertEquals(1, protectionDomains.size());
+            List<String> simpleNames = protectionDomains.stream().map(pd -> {
+                try {
+                    return pd.getCodeSource().getLocation().toURI();
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException(e);
+                }
+            })
+                .map(URI::getPath)
+                .map(Paths::get)
+                .map(Path::getFileName)
+                .map(Path::toString)
+                // strip trailing “-VERSION.jar” if present
+                .map(name -> name.replaceFirst("-\\d[\\d\\.]*\\.jar$", ""))
+                // otherwise strip “.jar”
+                .map(name -> name.replaceFirst("\\.jar$", ""))
+                .toList();
+            assertThat(
+                simpleNames,
+                containsInAnyOrder(
+                    "test"    // from the build/classes/java/test directory
+                )
+            );
+            return null;
+        });
+    }
+
+    @Test
+    public void testAccessControllerUsingCallableThrowsException() {
+        assertThrows(IllegalArgumentException.class, () -> {
+            org.opensearch.javaagent.bootstrap.AccessController.doPrivilegedChecked((Callable<Void>) () -> {
+                throw new IllegalArgumentException("Test exception");
+            });
+        });
+    }
+
+    @Test
+    public void testStackTruncationWithOpenSearchAccessControllerUsingCheckedRunnable() throws IllegalArgumentException {
+        org.opensearch.javaagent.bootstrap.AccessController.doPrivilegedChecked((CheckedRunnable<IllegalArgumentException>) () -> {
+            StackCallerProtectionDomainChainExtractor extractor = StackCallerProtectionDomainChainExtractor.INSTANCE;
+            Set<ProtectionDomain> protectionDomains = (Set<ProtectionDomain>) extractor.apply(captureStackFrames().stream());
+            assertEquals(1, protectionDomains.size());
+            List<String> simpleNames = protectionDomains.stream().map(pd -> {
+                try {
+                    return pd.getCodeSource().getLocation().toURI();
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException(e);
+                }
+            })
+                .map(URI::getPath)
+                .map(Paths::get)
+                .map(Path::getFileName)
+                .map(Path::toString)
+                // strip trailing “-VERSION.jar” if present
+                .map(name -> name.replaceFirst("-\\d[\\d\\.]*\\.jar$", ""))
+                // otherwise strip “.jar”
+                .map(name -> name.replaceFirst("\\.jar$", ""))
+                .toList();
+            assertThat(
+                simpleNames,
+                containsInAnyOrder(
+                    "test"    // from the build/classes/java/test directory
+                )
+            );
+        });
+    }
+
+    @Test
+    public void testAccessControllerUsingCheckedRunnableThrowsException() {
+        assertThrows(IllegalArgumentException.class, () -> {
+            org.opensearch.javaagent.bootstrap.AccessController.doPrivilegedChecked((CheckedRunnable<IllegalArgumentException>) () -> {
+                throw new IllegalArgumentException("Test exception");
+            });
+        });
+    }
 }

libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AccessController.java

@@ -0,0 +1,101 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.javaagent.bootstrap;
+
+import java.util.concurrent.Callable;
+import java.util.function.Supplier;
+
+/**
+ * Utility class to run code in a privileged block.
+ */
+public final class AccessController {
+    /**
+     * Don't allow instantiation an {@code AccessController}
+     */
+    private AccessController() {}
+
+    /**
+     * Performs the specified action in a privileged block.
+     *
+     * <p> If the action's {@code run} method throws an (unchecked)
+     * exception, it will propagate through this method.
+     *
+     * @param action the action to be performed
+     */
+    public static void doPrivileged(Runnable action) {
+        action.run();
+    }
+
+    /**
+     * Performs the specified action.
+     *
+     * <p> If the action's {@code run} method throws an <i>unchecked</i>
+     * exception, it will propagate through this method.
+     *
+     * @param <T> the type of the value returned by the
+     *                  PrivilegedExceptionAction's {@code run} method
+     *
+     * @param action the action to be performed
+     *
+     * @return the value returned by the action's {@code run} method
+     */
+    public static <T> T doPrivileged(Supplier<T> action) {
+        return action.get();
+    }
+
+    /**
+     * Performs the specified action.
+     *
+     * <p> If the action's {@code run} method throws an <i>unchecked</i>
+     * exception, it will propagate through this method.
+     *
+     * @param <T> the type of the value returned by the
+     *                  PrivilegedExceptionAction's {@code run} method
+     *
+     * @param action the action to be performed
+     *
+     * @return the value returned by the action's {@code run} method
+     *
+     * @throws Exception if the specified action's
+     *         {@code call} method threw a <i>checked</i> exception
+     */
+    public static <T> T doPrivilegedChecked(Callable<T> action) throws Exception {
+        return action.call();
+    }
+
+    /**
+     * Performs the specified action in a privileged block.
+     *
+     * <p> If the action's {@code run} method throws an (unchecked)
+     * exception, it will propagate through this method.
+     *
+     * @param action the action to be performed
+     *
+     * @throws T if the specified action's
+     *         {@code call} method threw a <i>checked</i> exception
+     */
+    public static <T extends Exception> void doPrivilegedChecked(CheckedRunnable<T> action) throws T {
+        action.run();
+    }
+
+    /**
+     * A functional interface that represents a runnable action that can throw a checked exception.
+     *
+     * @param <E> the type of the exception that can be thrown
+     */
+    public interface CheckedRunnable<E extends Exception> {
+
+        /**
+         * Executes the action.
+         *
+         * @throws E
+         */
+        void run() throws E;
+    }
+}