Fix the metaspace leak that occurs every time a policy is evaluated or a policy set is created

Author: anubhavi25

acs-integration-tests/pom.xml

@@ -74,7 +74,7 @@
             <plugin>
                 <groupId>org.codehaus.cargo</groupId>
                 <artifactId>cargo-maven2-plugin</artifactId>
-                <version>1.4.19</version>
+                <version>1.7.7</version>
                 <configuration>
                     <skip>${maven.test.skip}</skip>
                     <configuration>
@@ -84,6 +84,7 @@
                         </properties>
                     </configuration>
                     <container>
+                        <timeout>600000</timeout>
                         <containerId>tomcat8x</containerId>
                         <systemProperties>
                             <CLOUD_FOUNDRY_CONFIG_PATH>${project.basedir}/uaa/config</CLOUD_FOUNDRY_CONFIG_PATH>

commons/pom.xml

@@ -61,7 +61,8 @@
         </dependency>
         <dependency>
             <groupId>org.codehaus.groovy</groupId>
-            <artifactId>groovy-all</artifactId>
+            <artifactId>groovy</artifactId>
+            <classifier>indy</classifier>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>

commons/src/main/java/org/eclipse/keti/acs/commons/policy/condition/ConditionShell.java

@@ -44,7 +44,6 @@ public class GroovyConditionScript implements ConditionScript {
      *            the script object.
      */
     public GroovyConditionScript(final Script script) {
-        super();
         this.script = script;
     }
 

commons/src/main/java/org/eclipse/keti/acs/commons/policy/condition/groovy/GroovyConditionScript.java

@@ -23,8 +23,8 @@
 
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Set;
 
 import org.apache.commons.lang.StringUtils;
@@ -37,14 +37,9 @@
 import org.eclipse.keti.acs.commons.policy.condition.ConditionAssertionFailedException;
 import org.eclipse.keti.acs.commons.policy.condition.ConditionParsingException;
 import org.eclipse.keti.acs.commons.policy.condition.ConditionScript;
-import org.eclipse.keti.acs.commons.policy.condition.ConditionShell;
 import org.eclipse.keti.acs.commons.policy.condition.ResourceHandler;
 import org.eclipse.keti.acs.commons.policy.condition.SubjectHandler;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
 
-import groovy.lang.Binding;
 import groovy.lang.GroovyShell;
 import groovy.lang.GroovySystem;
 import groovy.lang.Script;
@@ -54,13 +49,13 @@
  * @author [email protected]
  */
 @SuppressWarnings("nls")
-@Component
-public class GroovyConditionShell implements ConditionShell {
-    private static final Logger LOGGER = LoggerFactory.getLogger(GroovyConditionShell.class);
+public class GroovyConditionShell {
 
+    private final GroovyConditionCache conditionCache;
     private final GroovyShell shell;
 
-    public GroovyConditionShell() {
+    public GroovyConditionShell(final GroovyConditionCache conditionCache) {
+        this.conditionCache = conditionCache;
 
         SecureASTCustomizer secureASTCustomizer = createSecureASTCustomizer();
         ImportCustomizer importCustomizer = createImportCustomizer();
@@ -70,66 +65,78 @@ public GroovyConditionShell() {
         compilerConfiguration.addCompilationCustomizers(secureASTCustomizer);
         compilerConfiguration.addCompilationCustomizers(importCustomizer);
         compilerConfiguration.addCompilationCustomizers(astTransformationCustomizer);
+        compilerConfiguration.getOptimizationOptions().put(CompilerConfiguration.INVOKEDYNAMIC, true);
 
-        this.shell = new GroovyShell(GroovyConditionShell.class.getClassLoader(), compilerConfiguration);
+        this.shell = new GroovyShell(this.getClass().getClassLoader(), compilerConfiguration);
     }
 
-    /*
-     * (non-Javadoc)
+    /**
+     * Validates the script & generates condition script object.
      *
-     * @see org.eclipse.keti.acs.commons.conditions.ConditionShell#parse(java.lang. String )
+     * @param script
+     *            the policy condition string
+     * @return a Script object instance capable of executing the policy condition.
+     * @throws ConditionParsingException
+     *             on validation error
      */
-    @Override
     public ConditionScript parse(final String script) throws ConditionParsingException {
+        return parse(script, true);
+    }
+
+    private ConditionScript parse(
+        final String script,
+        final boolean removeLoadedClasses
+    ) throws ConditionParsingException {
         if (StringUtils.isEmpty(script)) {
             throw new IllegalArgumentException("Script is null or empty.");
         }
 
         try {
-            Script groovyScript = this.shell.parse(script);
-            return new GroovyConditionScript(groovyScript);
+            ConditionScript compiledScript = conditionCache.get(script);
+            if (compiledScript == null) {
+                Script groovyScript = this.shell.parse(script);
+                compiledScript = new GroovyConditionScript(groovyScript);
+                conditionCache.put(script, compiledScript);
+            }
+            return compiledScript;
         } catch (CompilationFailedException e) {
-            throw new ConditionParsingException("Failed to validate the condition script.", script, e);
+            throw new ConditionParsingException("Failed to parse the condition script.", script, e);
+        } finally {
+            if (removeLoadedClasses) {
+                removeLoadedClasses();
+            }
         }
     }
 
-    /*
-     * (non-Javadoc)
+    /**
+     * Validates & executes the policy condition script.
      *
-     * @see org.eclipse.keti.acs.commons.conditions.ConditionShell#execute(java.lang. String, java.util.Map )
+     * @param script
+     *            the policy condition string
+     * @param boundVariables
+     *            variable bindings of the script
+     * @return result of executing the policy condition script.
+     * @throws ConditionParsingException
+     *             on script validation error
      */
-    @Override
     public boolean execute(final String script, final Map<String, Object> boundVariables)
             throws ConditionParsingException {
-        if (StringUtils.isEmpty(script)) {
-            throw new IllegalArgumentException("Script is null or empty.");
-        }
+        ConditionScript conditionScript = parse(script, false);
 
         try {
-            Script groovyScript = this.shell.parse(script);
-
-            if (LOGGER.isDebugEnabled()) {
-                StringBuilder msgBuilder = new StringBuilder();
-                msgBuilder.append("The script is bound to the following variables:\n");
-                for (Entry<String, Object> entry : boundVariables.entrySet()) {
-                    msgBuilder.append("* ").append(entry.getKey()).append(":").append(entry.getValue()).append("\n");
-                }
-                LOGGER.debug(msgBuilder.toString());
-            }
-
-            Binding binding = new Binding(boundVariables);
-            groovyScript.setBinding(binding);
-            boolean result = (boolean) groovyScript.run();
-
-            this.shell.getClassLoader().clearCache();
-            GroovySystem.getMetaClassRegistry().removeMetaClass(groovyScript.getClass());
-
-            return result;
-        } catch (CompilationFailedException e) {
-            throw new ConditionParsingException("Failed to parse the condition script.", script, e);
+            return conditionScript.execute(boundVariables);
         } catch (ConditionAssertionFailedException e) {
             return false;
+        } finally {
+            removeLoadedClasses();
+        }
+    }
+
+    private void removeLoadedClasses() {
+        for (Class<?> groovyClass : shell.getClassLoader().getLoadedClasses()) {
+            GroovySystem.getMetaClassRegistry().removeMetaClass(groovyClass);
         }
+        shell.resetLoadedClasses();
     }
 
     private static ImportCustomizer createImportCustomizer() {
@@ -147,18 +154,18 @@ private static SecureASTCustomizer createSecureASTCustomizer() {
         // Disallow method definition.
         secureASTCustomizer.setMethodDefinitionAllowed(false);
         // Disallow all imports by setting a blank whitelist.
-        secureASTCustomizer.setImportsWhitelist(Arrays.asList(new String[] {}));
+        secureASTCustomizer.setImportsWhitelist(Collections.emptyList());
         // Disallow star imports by setting a blank whitelist.
         secureASTCustomizer.setStarImportsWhitelist(Arrays.asList(
-                new String[] { "org.crsh.command.*", "org.crsh.cli.*", "org.crsh.groovy.*",
-                        "org.eclipse.keti.acs.commons.policy.condition.*" }));
+                "org.crsh.command.*", "org.crsh.cli.*", "org.crsh.groovy.*",
+                "org.eclipse.keti.acs.commons.policy.condition.*"));
         // Set white list for constant type classes.
         secureASTCustomizer.setConstantTypesClassesWhiteList(Arrays.asList(
-                new Class[] { Boolean.class, boolean.class, Collection.class, Double.class, double.class, Float.class,
-                        float.class, Integer.class, int.class, Long.class, long.class, Object.class, String.class }));
+                Boolean.class, boolean.class, Collection.class, Double.class, double.class, Float.class,
+                float.class, Integer.class, int.class, Long.class, long.class, Object.class, String.class));
         secureASTCustomizer.setReceiversClassesWhiteList(Arrays.asList(
-                new Class[] { Boolean.class, Collection.class, Integer.class, Iterable.class, Object.class, Set.class,
-                        String.class }));
+                Boolean.class, Collection.class, Integer.class, Iterable.class, Object.class, Set.class,
+                String.class));
         return secureASTCustomizer;
     }
 

commons/src/main/java/org/eclipse/keti/acs/commons/policy/condition/groovy/GroovyConditionShell.java

@@ -23,12 +23,10 @@
 import java.util.Map;
 
 import org.testng.Assert;
-import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
 
 import org.eclipse.keti.acs.commons.policy.condition.ConditionParsingException;
 import org.eclipse.keti.acs.commons.policy.condition.ConditionScript;
-import org.eclipse.keti.acs.commons.policy.condition.ConditionShell;
 import org.eclipse.keti.acs.commons.policy.condition.ResourceHandler;
 import org.eclipse.keti.acs.commons.policy.condition.SubjectHandler;
 import org.eclipse.keti.acs.model.Attribute;
@@ -39,12 +37,7 @@
  * @author [email protected]
  */
 public class GroovyConditionScriptTest {
-    private ConditionShell shell;
-
-    @BeforeClass
-    public void setup() {
-        this.shell = new GroovyConditionShell();
-    }
+    private final GroovyConditionShell shell = new GroovyConditionShell(new NonCachingGroovyConditionCache());
 
     /**
      * Test the execution of a policy condition, which should evaluate to true, using strings constants.

commons/src/test/java/org/eclipse/keti/acs/commons/policy/condition/groovy/GroovyConditionScriptTest.java

@@ -24,7 +24,6 @@
 
 import org.eclipse.keti.acs.commons.policy.condition.ConditionParsingException;
 import org.eclipse.keti.acs.commons.policy.condition.ConditionScript;
-import org.eclipse.keti.acs.commons.policy.condition.ConditionShell;
 import org.eclipse.keti.acs.commons.policy.condition.ResourceHandler;
 import org.eclipse.keti.acs.commons.policy.condition.SubjectHandler;
 import org.eclipse.keti.acs.model.Attribute;
@@ -44,7 +43,7 @@ public class GroovyConditionShellTest {
 
     private static Map<String, Object> emptyBindingMap = new HashMap<>();
 
-    private ConditionShell shell = new GroovyConditionShell();
+    private final GroovyConditionShell shell = new GroovyConditionShell(new NonCachingGroovyConditionCache());
 
     /**
      * Test a policy condition parsing and compilation using an allowed policy operations.