Merge remote-tracking branch 'upstream/main' into searchonly-2

Author: prudhvigodithi

libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java

@@ -61,18 +61,27 @@ public static void intercept(@Advice.AllArguments Object[] args, @Advice.Origin
         final Collection<ProtectionDomain> callers = walker.walk(StackCallerProtectionDomainChainExtractor.INSTANCE);
 
         final String name = method.getName();
-        boolean isMutating = name.equals("copy") || name.equals("move") || name.equals("write") || name.startsWith("create");
+        boolean isMutating = name.equals("move") || name.equals("write") || name.startsWith("create");
         final boolean isDelete = isMutating == false ? name.startsWith("delete") : false;
 
-        if (isMutating == false && isDelete == false && name.equals("newByteChannel") == true) {
-            if (args.length > 1 && args[1] instanceof OpenOption[] opts) {
-                for (final OpenOption opt : opts) {
-                    if (opt != StandardOpenOption.READ) {
-                        isMutating = true;
-                        break;
+        String targetFilePath = null;
+        if (isMutating == false && isDelete == false) {
+            if (name.equals("newByteChannel") == true) {
+                if (args.length > 1 && args[1] instanceof OpenOption[] opts) {
+                    for (final OpenOption opt : opts) {
+                        if (opt != StandardOpenOption.READ) {
+                            isMutating = true;
+                            break;
+                        }
                     }
-                }
 
+                }
+            } else if (name.equals("copy") == true) {
+                if (args.length > 1 && args[1] instanceof String pathStr) {
+                    targetFilePath = Paths.get(pathStr).toAbsolutePath().toString();
+                } else if (args.length > 1 && args[1] instanceof Path path) {
+                    targetFilePath = path.toAbsolutePath().toString();
+                }
             }
         }
 
@@ -85,6 +94,19 @@ public static void intercept(@Advice.AllArguments Object[] args, @Advice.Origin
                 }
             }
 
+            // Handle Files.copy() separately to check read/write permissions properly
+            if (method.getName().equals("copy")) {
+                if (!policy.implies(domain, new FilePermission(filePath, "read"))) {
+                    throw new SecurityException("Denied OPEN access to file: " + filePath + ", domain: " + domain);
+                }
+
+                if (targetFilePath != null) {
+                    if (!policy.implies(domain, new FilePermission(targetFilePath, "write"))) {
+                        throw new SecurityException("Denied OPEN access to file: " + targetFilePath + ", domain: " + domain);
+                    }
+                }
+            }
+
             // File mutating operations
             if (isMutating && !policy.implies(domain, new FilePermission(filePath, "write"))) {
                 throw new SecurityException("Denied WRITE access to file: " + filePath + ", domain: " + domain);

libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/FileInterceptorIntegTests.java

@@ -29,6 +29,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
 @SuppressWarnings("removal")
@@ -144,6 +145,10 @@ public void testCopy() throws Exception {
 
             // Test copy operation
             Files.copy(sourcePath, targetPath);
+            assertThrows(
+                SecurityException.class,
+                () -> Files.copy(sourcePath, tmpDir.getRoot().resolve("test-target-" + randomAlphaOfLength(8) + ".txt"))
+            );
 
             // Verify copy
             assertTrue("Target file should exist", Files.exists(targetPath));

modules/geo/src/yamlRestTest/resources/rest-api-spec/test/geo_shape/290_geotile_grid.yml

@@ -1,7 +1,4 @@
 setup:
-  - skip:
-        version: " - 6.99.99"
-        reason:  "added in 7.0.0"
   - do:
       indices.create:
         index: test_1

qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_date_range.yml

@@ -1,83 +1,3 @@
----
-"Create index with joda style index that is incompatible with java.time. (6.0)":
-  - skip:
-      features: "allowed_warnings"
-      version: "6.8.1 -"
-      reason: change of warning message
-  - do:
-      allowed_warnings:
-        - "Use of 'Y' (year-of-era) will change to 'y' in the next major version of OpenSearch. Prefix your date format with '8' to use the new specifier."
-      indices.create:
-        index: joda_for_range
-        body:
-          settings:
-            index:
-              number_of_replicas: 2
-          mappings:
-              "properties":
-                "time_frame":
-                  "type": "date_range"
-                  "format": "YYYY-MM-dd'T'HH:mmZZ"
-
-  - do:
-      bulk:
-        refresh: true
-        body:
-          - '{"index": {"_index": "joda_for_range"}}'
-          - '{"time_frame": {"gte": "2019-01-01T00:00+01:00", "lte" : "2019-03-01T00:00+01:00"}}'
-
-  - do:
-      search:
-        rest_total_hits_as_int: true
-        index: joda_for_range
-        body:
-          query:
-            range:
-              time_frame:
-                gte: "2019-02-01T00:00+01:00"
-                lte: "2019-02-01T00:00+01:00"
-  - match: { hits.total: 1 }
-
----
-"Create index with joda style index that is incompatible with java.time (>6.1)":
-  - skip:
-      features: "allowed_warnings"
-      version: " - 6.8.0, 7.0.0 -"
-      reason: change of warning message, we skip 7 becase this format will be considered java
-  - do:
-      allowed_warnings:
-        - "'Y' year-of-era should be replaced with 'y'. Use 'Y' for week-based-year.; 'Z' time zone offset/id fails when parsing 'Z' for Zulu timezone. Consider using 'X'. Prefix your date format with '8' to use the new specifier."
-      indices.create:
-        index: joda_for_range
-        body:
-          settings:
-            index:
-              number_of_replicas: 2
-          mappings:
-            "properties":
-              "time_frame":
-                "type": "date_range"
-                "format": "YYYY-MM-dd'T'HH:mmZZ"
-
-  - do:
-      bulk:
-        refresh: true
-        body:
-          - '{"index": {"_index": "joda_for_range"}}'
-          - '{"time_frame": {"gte": "2019-01-01T00:00+01:00", "lte" : "2019-03-01T00:00+01:00"}}'
-
-  - do:
-      search:
-        rest_total_hits_as_int: true
-        index: joda_for_range
-        body:
-          query:
-            range:
-              time_frame:
-                gte: "2019-02-01T00:00+01:00"
-                lte: "2019-02-01T00:00+01:00"
-  - match: { hits.total: 1 }
-
 ---
 "Create index with java style index in 6":
   - do:

rest-api-spec/src/main/resources/rest-api-spec/test/cat.thread_pool/10_basic.yml

@@ -54,9 +54,6 @@
 
 ---
 "Test cat thread_pool output":
-  - skip:
-        version: " - 6.99.99"
-        reason: this API was changed in a backwards-incompatible fashion in 7.0.0 so we need to skip in a mixed cluster
 
   - do:
       cat.thread_pool: {}

rest-api-spec/src/main/resources/rest-api-spec/test/cluster.state/10_basic.yml

@@ -7,10 +7,6 @@
 
 ---
 "get cluster state returns cluster_uuid at the top level":
-  - skip:
-      version:  " - 6.3.99"
-      reason:   "cluster state including cluster_uuid at the top level is new in v6.4.0 and higher"
-
   - do:
       cluster.state:
         human: true

rest-api-spec/src/main/resources/rest-api-spec/test/cluster.state/20_filtering.yml

@@ -156,8 +156,6 @@ setup:
 ---
 "Filtering the cluster state returns cluster_uuid at the top level regardless of metric filters":
   - skip:
-      version:  " - 6.3.99"
-      reason:   "cluster state including cluster_uuid at the top level is new in v6.4.0 and higher"
       features: allowed_warnings
 
   # Get the current cluster_uuid

rest-api-spec/src/main/resources/rest-api-spec/test/cluster.voting_config_exclusions/10_basic.yml

@@ -4,10 +4,6 @@ teardown:
 
 ---
 "Get cluster state without voting config exclusions":
-  - skip:
-      version:     " - 6.99.99"
-      reason:      Voting config exclusions were introduced in 7.0.0
-
   - do:
       cluster.state: {}
 

rest-api-spec/src/main/resources/rest-api-spec/test/create/10_with_id.yml

@@ -1,8 +1,6 @@
 ---
 "Create with ID":
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
+
  - do:
       create:
           index:  test_1

rest-api-spec/src/main/resources/rest-api-spec/test/create/15_without_id.yml

@@ -1,8 +1,6 @@
 ---
 "Create without ID":
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
+
  - do:
       catch: param
       create:

rest-api-spec/src/main/resources/rest-api-spec/test/create/35_external_version.yml

@@ -1,8 +1,6 @@
 ---
 "External version":
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
+
  - do:
       catch:              bad_request
       create:

rest-api-spec/src/main/resources/rest-api-spec/test/create/40_routing.yml

@@ -1,8 +1,6 @@
 ---
 "Routing":
- - skip:
-     version: " - 6.99.99"
-     reason: types are required in requests before 7.0.0
+
  - do:
      indices.create:
        index:    test_1

rest-api-spec/src/main/resources/rest-api-spec/test/create/60_refresh.yml

@@ -1,8 +1,6 @@
 ---
 "Refresh":
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
+
  - do:
       indices.create:
           index:    test_1
@@ -44,9 +42,7 @@
 
 ---
 "When refresh url parameter is an empty string that means \"refresh immediately\"":
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
+
  - do:
       create:
           index:   test_1
@@ -66,9 +62,7 @@
 
 ---
 "refresh=wait_for waits until changes are visible in search":
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
+
  - do:
       index:
           index:   create_60_refresh_1

rest-api-spec/src/main/resources/rest-api-spec/test/delete/10_basic.yml

@@ -1,10 +1,6 @@
 ---
 "Basic":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       index:
           index:  test_1

rest-api-spec/src/main/resources/rest-api-spec/test/delete/11_shard_header.yml

@@ -1,10 +1,6 @@
 ---
 "Delete check shard header":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       indices.create:
         index: foobar

rest-api-spec/src/main/resources/rest-api-spec/test/delete/12_result.yml

@@ -1,10 +1,6 @@
 ---
 "Delete result field":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       index:
           index:   test_1

rest-api-spec/src/main/resources/rest-api-spec/test/delete/20_cas.yml

@@ -1,10 +1,6 @@
 ---
 "Internal version":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       index:
           index:   test_1

rest-api-spec/src/main/resources/rest-api-spec/test/delete/25_external_version.yml

@@ -1,10 +1,6 @@
 ---
 "External version":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       index:
           index:          test_1

rest-api-spec/src/main/resources/rest-api-spec/test/delete/26_external_gte_version.yml

@@ -1,10 +1,6 @@
 ---
 "External GTE version":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       index:
           index:          test_1

rest-api-spec/src/main/resources/rest-api-spec/test/delete/30_routing.yml

@@ -1,10 +1,6 @@
 ---
 "Routing":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       indices.create:
           index: test_1

rest-api-spec/src/main/resources/rest-api-spec/test/delete/50_refresh.yml

@@ -1,10 +1,6 @@
 ---
 "Refresh":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       indices.create:
           index:    test_1
@@ -81,10 +77,6 @@
 ---
 "When refresh url parameter is an empty string that means \"refresh immediately\"":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       index:
           index:   test_1
@@ -118,10 +110,6 @@
 ---
 "refresh=wait_for waits until changes are visible in search":
 
- - skip:
-      version: " - 6.99.99"
-      reason: types are required in requests before 7.0.0
-
  - do:
       index:
           index:   delete_50_refresh_1