SOLR-15121: Move XSLT (tr param) to scripting contrib

[epugh]

Description

Reduce security exposure for solr by moving the xslt to scripting.

Solution

Migrating code.

Tests

running existing tests.

Checklist

Please review the following and check all that apply:

• [X ] I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
• [ X] I have created a Jira issue and added the issue ID to my pull request title.
• [ X] I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
• [X ] I have developed this patch against the master branch.
• [ X] I have run ./gradlew check.
• [ X] I have added tests for my changes.
• [ X] I have added documentation for the Ref Guide (for Solr changes only).

[epugh]

I still have a broken test, and need to update docs.

[dsmiley]

There used to be an XsltUpdateRequestHandler. Maybe we need to bring it back.
https://issues.apache.org/jira/browse/SOLR-2630
(not sure which JIRA it was removed in)
It would mean that use of "tr" would require a dedicated handler but I think that's fine not many people use this and they can register at /update/xslt.

[dsmiley]

I see why you added this here but I don't think there's a role for XSLTParams. Just move this "tr" constant to the plugin that defines it for its internal use only. CommonParams was in SolrJ deliberately; This XSLTParams you added is not (and should not be).

[dsmiley]

The formatting in this file is a bit off (indentation varies etc.). Lucene recently adopted the Google Java Format. I use an IntelliJ plugin for this. Can you please reformat this file with that? Even the built-in formatter is probably fine.

[epugh]

I found this blog post: http://www.practicesofmastery.com/post/eclipse-google-java-style-guide/ (since I use Eclipse)... Do we have a JIRA about moving towards this? Should I look to figure out how to add the Google Java Format to the default Eclipse setup? Or at least a message when you run ./gradlew eclipse that recommends adding this formatter to your setup?

[dsmiley]

Apparently there's an Eclipse plugin listed here: https://github.com/google/google-java-format
The Lucene side issue is here: https://issues.apache.org/jira/browse/LUCENE-9564
But you'll see in the comments were held off on Solr for a later date.

BTW if I'm mistaken and you moved an existing source file, then I recommend doing no formatting changes as it may fool git rename detection.

[dsmiley]

Your recent edits here look good BTW.

[dsmiley]

In tests, you can just refer to the parameter directly: "tr". Yonik advised this practice once on the reasoning that the test catches API changes you might not have meant to make. Also, it's shorter :-)

[dsmiley]

If the scripting contrib is added as a package, Solr core.jar will not be able to load it in this way, I think.

[epugh]

This was the part where I didn't like what I did... And was putting something up as a starter.. I really appreciate your and @uschindler input on this. Definitily lets find another approach!

[dsmiley]

Looks like you substantially copied XMLLoader? Sorry; let's find another approach.

[dsmiley]

why not the xslt package?

[dsmiley]

Your recent edits here look good BTW.

[dsmiley]

@epugh I see in your latest change that XMLLoader continues to know about XSLT stylesheets. Couldn't/shouldn't that go in the XsltRequestHandler that you added? I suppose you're getting somewhat conflicting feedback between me and @uschindler . My preference is that all XSLT stuff is in this new contrib. Uwe had suggested some trivial toggle/setting to the existing code. I think his latest feedback is basically the idea of adding an intercepting spot (in XMLLoader) so that it needn't have the XSLT code there but it could be added in by the contrib, say by subclassing XMLLoader. @uschindler does this make sense to you?

[epugh]

I think there is a bit of back and forth.. I added a boolean to XMLLoader constructor to decide if the tr parameter was acceptible. I was going to have it throw an exception from the UpdateRequestHandler if a tr was passed in via solr params, but allow it if it was from the XSLTUpdateRequestHandler...

I'm open to any approach. I wonder if the reason to keep the TransformerProvider.java in core is for people who write their own Solr plugins that use it, and not have to require the scripting module?

I'm going to push up a set of changes where all the paths work and tests pass momentarily.

[uschindler]

Yes, I tend to think of an interception point.

By default in core the interception point just returns the original Source instance. In the subclass it applies the transformation and returns a new Source instance.

[uschindler]

I have to again look at the code, to figure out the best interaction that is still performant and clean to implement. So we don't convert too often between different XML API representations.

I think the converter protected method should take a Source impl and return a new Source impl, in base class it just returns the parameter unmodified.

[epugh]

@uschindler if you want to push up an example/make the change the way you are thinking, I'm 100% happy to have that! Your Java skillz are way beyond mine, and while I sort of understnad what you say, it may take you 20 minutes to get the change you want, and then I'll learn from you ;-)

[epugh]

I am testing out the idea of exporting in Solr XML, and then reimporting using a XSLT, which is something metnioned int he docs.. to see how well this works.

[epugh]

Okay, I've done a bunch of tweaking (banging my head?) against the ref guide docs, and they are working, and I think all the tests are passing.

I don't like that the SolrJ tests depend on the sample_techproducts_configs directory, but I think adding some startup=lazy settings for the XSLT classes means that the links in the ref guide will work, and the solrj tests don't blow up on the missing xslt classes.

[dsmiley]

Feel free to just commit this typo stuff by itself directly (no PR needed)

[dsmiley]

BTW, I the most common naming convention is for acronyms to use camel case instead of all-caps. This has been a long trend over many years. I know why you changed it here -- to match the class it's testing, and so it's a net improvement over what existed. But arguably it's the class it's testing that should be renamed; not this.

[epugh]

I am down for making this change... XSLT -> Xslt for the files touched in this PR, and then maybe a seperate JIRA for XML --> Xml in the other classes?

[epugh]

Thanks for getting your hands dirty @dsmiley and making these changes, they LGTM.

[uschindler]

@uschindler if you want to push up an example/make the change the way you are thinking, I'm 100% happy to have that! Your Java skillz are way beyond mine, and while I sort of understnad what you say, it may take you 20 minutes to get the change you want, and then I'll learn from you ;-)

Sorry, my father died on Thursday. So excuse my ignorance! To me @dsmiley changes look fine. I will review later as some "long term specialist" 😉 on XML processing.

[dsmiley]

Sorry, my father died on Thursday.

Wow; so sorry to hear! I fear the same for my own Dad; I can't take his existence for granted so I'll be visiting him tomorrow.

I will review later as some "long term specialist" 😉 on XML processing.

You're not the only one; I'm a long-time XML fan :-) It seems the new kids know little about such things :-/ "What is this weird syntax... " as he/she goes off to then write a dozen lines that an XPath does in one.

I kept the all-caps XSLT despite my preferences because All of the XML related APIs we use are using all-caps for XML and thus it looked off to see it differently. But then... the user doesn't know that and sees XML in the config file so... Hmm.

Maybe the XSLT response writer should demand "tr" and thus be more consistent with the XSLT response writer? After all, you're choosing to send the response there so why would you send it there if it wasn't? I guess it gives you choice and the ability to be more similar to what we have today. Shrug.

We need some docs to show how to reference the XSLT update handler, or at the very least an upgrade note about this.

I hate the crappy caching; it's inferior to a SolrCache but alas... I hold myself back from feature-creep. This code was written forever-ago so I can appreciate it has excuses.

[epugh]

Sorry to hear that news @uschindler ....

I did a pass through the Ref Guide to document how to use the XSLT stuff, and more explicitly called out the sample .xsl files that we have. I can add more if needed.

So, if we aren't changing the name of the Java class in this PR, then I think we just need to update the Upgrade to Solr 9 page, and we're good to go?

[dsmiley]

So, if we aren't changing the name of the Java class in this PR, then I think we just need to update the Upgrade to Solr 9 page, and we're good to go?

+1

[mikemccand]

Sorry, my father died on Thursday.

So sorry to hear this @uschindler.