From af20a4d37ba0097923686009976bac2b18d6c7f2 Mon Sep 17 00:00:00 2001 From: Lorenzo Dematte Date: Fri, 7 Mar 2025 15:14:15 +0100 Subject: [PATCH] [Entitlements] Fix AbstractDelegateHttpsURLConnection "this" parameter type (#124304) Our check methods injected by the instrumenter receive "this" as the second parameter. For internal classes like AbstractDelegateHttpsURLConnection we generally use a base type; in this case we were using javax.net.ssl.HttpsURLConnection, which is incorrect as AbstractDelegateHttpsURLConnection derives from java.net.HttpURLConnection. This was not failing in our tests because we don't actually use that parameter in that check function. Also, it was not failing on transform, just on retransformClasses, and only in JDK 24. Apparently, JDK 24 introduced new validation there (to be confirmed). And it was failing just on cloud as the APM agent there (which is loaded before our agent) connects to a https endpoint - our IT tests, and ./gradlew run --with-apm-server, use a http endpoint. Using https makes the JVM load AbstractDelegateHttpsURLConnection, making it one of the classes we need to retransform, triggering the VerifyError. --- .../elasticsearch/entitlement/bridge/EntitlementChecker.java | 5 +---- .../runtime/api/ElasticsearchEntitlementChecker.java | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java index 5b4727041d782..3c5ebecb1d9e7 100644 --- a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java +++ b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java @@ -510,10 +510,7 @@ public interface EntitlementChecker { Class[] classes ); - void check$sun_net_www_protocol_https_AbstractDelegateHttpsURLConnection$connect( - Class callerClass, - javax.net.ssl.HttpsURLConnection that - ); + void check$sun_net_www_protocol_https_AbstractDelegateHttpsURLConnection$connect(Class callerClass, java.net.HttpURLConnection that); void check$sun_net_www_protocol_mailto_MailToURLConnection$connect(Class callerClass, java.net.URLConnection that); diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java index 3c6212f93135f..096e4a0529df5 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java @@ -1172,7 +1172,7 @@ private static boolean isFileUrlConnection(java.net.URLConnection urlConnection) @Override public void check$sun_net_www_protocol_https_AbstractDelegateHttpsURLConnection$connect( Class callerClass, - javax.net.ssl.HttpsURLConnection that + java.net.HttpURLConnection that ) { policyManager.checkOutboundNetworkAccess(callerClass); }