Merge pull request #8201 from pickypg/feature/groovy-compile-indy-8184

Enable indy (invokedynamic) compile flag for Groovy scripts by default

core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java

@@ -26,22 +26,29 @@ import java.net.URL;
 import java.security.CodeSource;
 import java.security.Permission;
 import java.security.PermissionCollection;
+import java.security.Permissions;
 import java.security.Policy;
 import java.security.ProtectionDomain;
 import java.security.URIParameter;
+import java.util.PropertyPermission;
 
 /** custom policy for union of static and dynamic permissions */
 final class ESPolicy extends Policy {
     
     /** template policy file, the one used in tests */
     static final String POLICY_RESOURCE = "security.policy";
+    /** limited policy for groovy scripts */
+    static final String GROOVY_RESOURCE = "groovy.policy";
     
     final Policy template;
+    final Policy groovy;
     final PermissionCollection dynamic;
 
     public ESPolicy(PermissionCollection dynamic) throws Exception {
-        URI uri = getClass().getResource(POLICY_RESOURCE).toURI();
+        URI policyUri = getClass().getResource(POLICY_RESOURCE).toURI();
-        this.template = Policy.getInstance("JavaPolicy", new URIParameter(uri));
+        URI groovyUri = getClass().getResource(GROOVY_RESOURCE).toURI();
+        this.template = Policy.getInstance("JavaPolicy", new URIParameter(policyUri));
+        this.groovy = Policy.getInstance("JavaPolicy", new URIParameter(groovyUri));
         this.dynamic = dynamic;
     }
 
@@ -54,9 +61,9 @@ final class ESPolicy extends Policy {
             // location can be null... ??? nobody knows
             // https://bugs.openjdk.java.net/browse/JDK-8129972
             if (location != null) {
-                // run groovy scripts with no permissions
+                // run groovy scripts with no permissions (except logging property)
                 if ("/groovy/script".equals(location.getFile())) {
-                    return false;
+                    return groovy.implies(domain, permission);
                 }
             }
         }

core/src/main/java/org/elasticsearch/script/groovy/GroovyScriptEngineService.java

@@ -57,19 +57,48 @@ import java.util.Map;
  */
 public class GroovyScriptEngineService extends AbstractComponent implements ScriptEngineService {
 
+    /**
+     * The name of the scripting engine/language.
+     */
     public static final String NAME = "groovy";
+    /**
+     * The setting to enable or disable <code>invokedynamic</code> instruction support in Java 7+.
+     * <p>
+     * Note: If this is disabled because <code>invokedynamic</code> is causing issues, then the Groovy
+     * <code>indy</code> jar needs to be replaced by the non-<code>indy</code> variant of it on the classpath (e.g.,
+     * <code>groovy-all-2.4.4-indy.jar</code> should be replaced by <code>groovy-all-2.4.4.jar</code>).
+     * <p>
+     * Defaults to {@code true}.
+     */
+    public static final String GROOVY_INDY_ENABLED = "script.groovy.indy";
+    /**
+     * The name of the Groovy compiler setting to use associated with activating <code>invokedynamic</code> support.
+     */
+    public static final String GROOVY_INDY_SETTING_NAME = "indy";
+
     private final GroovyClassLoader loader;
 
     @Inject
     public GroovyScriptEngineService(Settings settings) {
         super(settings);
+
         ImportCustomizer imports = new ImportCustomizer();
         imports.addStarImports("org.joda.time");
         imports.addStaticStars("java.lang.Math");
+
         CompilerConfiguration config = new CompilerConfiguration();
+
         config.addCompilationCustomizers(imports);
         // Add BigDecimal -> Double transformer
         config.addCompilationCustomizers(new GroovyBigDecimalTransformer(CompilePhase.CONVERSION));
+
+        // Implicitly requires Java 7u60 or later to get valid support
+        if (settings.getAsBoolean(GROOVY_INDY_ENABLED, true)) {
+            // maintain any default optimizations
+            config.getOptimizationOptions().put(GROOVY_INDY_SETTING_NAME, true);
+        }
+
+        // Groovy class loader to isolate Groovy-land code
         this.loader = new GroovyClassLoader(getClass().getClassLoader(), config);
     }
 

core/src/main/resources/org/elasticsearch/bootstrap/groovy.policy

@@ -0,0 +1,31 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+ 
+/*
+ * Limited security policy for groovy scripts.
+ * This is what is needed for its invokeDynamic functionality to work.
+ */
+grant {
+  
+  // groovy IndyInterface bootstrap requires this property for indy logging
+  permission java.util.PropertyPermission "groovy.indy.logging", "read";
+  
+  // needed IndyInterface selectMethod (setCallSiteTarget)
+  permission java.lang.RuntimePermission "getClassLoader";
+};