From 641a6c9e62d4622b9e735ca5be3caa1b5f405ca5 Mon Sep 17 00:00:00 2001
From: Jason Tedor
Date: Fri, 9 Feb 2018 09:08:07 -0500
Subject: [PATCH] Guard accessDeclaredMembers for Tika on JDK 10 Tika parsers need accessDeclaredMembers because ZipFile needs accessDeclaredMembers on JDK 10. This commit guards adding this permission to parsers so that the permission is only granted on JDK 10. Additionally, we add an assertion that forces us to check if the permission is still needed in JDK 11. Relates #28603
---
 .../elasticsearch/ingest/attachment/TikaImpl.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java b/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java
index 4cf7801502f..dde9edb0e67 100644
--- a/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java
+++ b/plugins/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java
@@ -29,6 +29,7 @@ import org.apache.tika.parser.ParserDecorator;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.bootstrap.FilePermissionUtils;
 import org.elasticsearch.bootstrap.JarHell;
+import org.elasticsearch.bootstrap.JavaVersion;
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.io.PathUtils;
 
@@ -161,8 +162,15 @@ final class TikaImpl {
 perms.add(new ReflectPermission("suppressAccessChecks"));
 // xmlbeans, use by POI, needs to get the context classloader
 perms.add(new RuntimePermission("getClassLoader"));
- // ZipFile needs accessDeclaredMembers on Java 10
- perms.add(new RuntimePermission("accessDeclaredMembers"));
+ // ZipFile needs accessDeclaredMembers on JDK 10; cf. https://bugs.openjdk.java.net/browse/JDK-8187485
+ if (JavaVersion.current().compareTo(JavaVersion.parse("10")) >= 0) {
+ /*
+ * See if this permission can be removed in JDK 11, bump the version here to 12 if not. If this permission can be removed, also
+ * remove the grant in the plugin-security.policy.
+ */
+ assert JavaVersion.current().compareTo(JavaVersion.parse("11")) < 0;
+ perms.add(new RuntimePermission("accessDeclaredMembers"));
+ }
 perms.setReadOnly();
 return perms;
 }
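Review bot: The `assert` inside the new `if` carries no message and only fires when the JVM runs with `-ea`, so on JDK 11+ with assertions disabled the `accessDeclaredMembers` grant is still added and nothing prompts the re-check the comment asks for. That grant lands in the same collection as `ReflectPermission("suppressAccessChecks")` a few lines up, and the two together permit reflective access to non-public members from parser code, so the guard failing open is the less safe direction. I would give the tripwire a message, e.g. `assert JavaVersion.current().compareTo(JavaVersion.parse("11")) < 0 : "re-check accessDeclaredMembers for Tika on " + JavaVersion.current();`, and confirm that a build with assertions enabled actually runs on JDK 11; whether one exists cannot be seen from this hunk. The enclosing method starts outside the hunk.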