opensearch-project
diff --git a/‎build.gradle
+7-1 b/‎build.gradle
+7-1
diff --git a/‎buildSrc/build.gradle
+2-2 b/‎buildSrc/build.gradle
+2-2
diff --git a/‎buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
+2-1 b/‎buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
+2-1
diff --git a/‎buildSrc/src/main/java/org/opensearch/gradle/test/DistroTestPlugin.java
+2-2 b/‎buildSrc/src/main/java/org/opensearch/gradle/test/DistroTestPlugin.java
+2-2
diff --git a/‎client/rest-high-level/src/test/resources/org/opensearch/bootstrap/test.policy
+1 b/‎client/rest-high-level/src/test/resources/org/opensearch/bootstrap/test.policy
+1
diff --git a/‎distribution/archives/build.gradle
+9 b/‎distribution/archives/build.gradle
+9
diff --git a/‎distribution/build.gradle
+12 b/‎distribution/build.gradle
+12
diff --git a/‎distribution/src/config/jvm.options
+4-1 b/‎distribution/src/config/jvm.options
+4-1
diff --git a/‎distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+1-1 b/‎distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+1-1
diff --git a/‎gradle/ide.gradle
+1-1 b/‎gradle/ide.gradle
+1-1
diff --git a/‎gradle/libs.versions.toml
+4-4 b/‎gradle/libs.versions.toml
+4-4
diff --git a/‎libs/agent-sm/agent/build.gradle
+64 b/‎libs/agent-sm/agent/build.gradle
+64
diff --git a/‎libs/agent-sm/agent/licenses/byte-buddy-1.17.3.jar.sha1
+1 b/‎libs/agent-sm/agent/licenses/byte-buddy-1.17.3.jar.sha1
+1
@@ -433,12 +433,18 @@ gradle.projectsEvaluated {
 
     project.tasks.withType(Test) { task ->
       if (task != null) {
-        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
+        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17 && BuildParams.runtimeJavaVersion <= JavaVersion.VERSION_23) {
           task.jvmArgs += ["-Djava.security.manager=allow"]
         }
         if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_20) {
           task.jvmArgs += ["--add-modules=jdk.incubator.vector"]
         }
+
+        // Add Java Agent for security sandboxing
+        if (!(project.path in [':build-tools', ":libs:agent-sm:bootstrap", ":libs:agent-sm:agent"])) {
+          dependsOn(project(':libs:agent-sm:agent').copyJars)
+          jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
+        }
       }
     }
 
 
@@ -110,12 +110,12 @@ dependencies {
   api 'com.netflix.nebula:gradle-info-plugin:12.1.6'
   api 'org.apache.rat:apache-rat:0.15'
   api "commons-io:commons-io:${props.getProperty('commonsio')}"
-  api "net.java.dev.jna:jna:5.14.0"
+  api "net.java.dev.jna:jna:5.16.0"
   api 'com.gradleup.shadow:shadow-gradle-plugin:8.3.5'
   api 'org.jdom:jdom2:2.0.6.1'
   api "org.jetbrains.kotlin:kotlin-stdlib-jdk8:${props.getProperty('kotlin')}"
   api 'de.thetaphi:forbiddenapis:3.8'
-  api 'com.avast.gradle:gradle-docker-compose-plugin:0.17.6'
+  api 'com.avast.gradle:gradle-docker-compose-plugin:0.17.12'
   api "org.yaml:snakeyaml:${props.getProperty('snakeyaml')}"
   api 'org.apache.maven:maven-model:3.9.6'
   api 'com.networknt:json-schema-validator:1.2.0'
 
@@ -115,7 +115,8 @@ public void execute(Task t) {
                             test.jvmArgs("--illegal-access=warn");
                         }
                     }
-                    if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0) {
+                    if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0
+                        && test.getJavaVersion().compareTo(JavaVersion.VERSION_24) < 0) {
                         test.jvmArgs("-Djava.security.manager=allow");
                     }
                 }
 
@@ -77,9 +77,9 @@
 import java.util.stream.Stream;
 
 public class DistroTestPlugin implements Plugin<Project> {
-    private static final String SYSTEM_JDK_VERSION = "21.0.6+7";
+    private static final String SYSTEM_JDK_VERSION = "23.0.2+7";
     private static final String SYSTEM_JDK_VENDOR = "adoptium";
-    private static final String GRADLE_JDK_VERSION = "21.0.6+7";
+    private static final String GRADLE_JDK_VERSION = "23.0.2+7";
     private static final String GRADLE_JDK_VENDOR = "adoptium";
 
     // all distributions used by distro tests. this is temporary until tests are per distribution
 
@@ -8,4 +8,5 @@
 
 grant {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
@@ -38,6 +38,9 @@ CopySpec archiveFiles(CopySpec modulesFiles, String distributionType, String pla
       into('lib') {
         with libFiles()
       }
+      into('agent') {
+        with agentFiles()
+      }
       into('config') {
         dirPermissions {
           unix 0750
@@ -226,3 +229,9 @@ subprojects {
 
   group = "org.opensearch.distribution"
 }
+
+tasks.each {
+  if (it.name.startsWith("build")) {
+    it.dependsOn project(':libs:agent-sm:agent').copyJars, project(':libs:agent-sm:agent').assemble
+  }
+}
@@ -357,6 +357,18 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
       }
     }
 
+    agentFiles = {
+      copySpec {
+        from(project(':libs:agent-sm:agent').copyJars) {
+          include '**/*.jar'
+          exclude '**/*-javadoc.jar'
+          exclude '**/*-sources.jar'
+          // strip the version since jvm.options is using agent without version
+          rename("opensearch-agent-${project.version}.jar", "opensearch-agent.jar")
+        }
+      }
+    }
+
     modulesFiles = { platform ->
       copySpec {
         eachFile {
 
@@ -77,7 +77,7 @@ ${error.file}
 9-:-Xlog:gc*,gc+age=trace,safepoint:file=${loggc}:utctime,pid,tags:filecount=32,filesize=64m
 
 # Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
-18-:-Djava.security.manager=allow
+18-23:-Djava.security.manager=allow
 
 # JDK 20+ Incubating Vector Module for SIMD optimizations;
 # disabling may reduce performance on vector optimized lucene
@@ -89,3 +89,6 @@ ${error.file}
 # See please https://bugs.openjdk.org/browse/JDK-8341127 (openjdk/jdk#21283)
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
+
+# It should be JDK-24 (but we cannot bring JDK-24 since Gradle does not support it yet)
+21-:-javaagent:agent/opensearch-agent.jar
@@ -85,7 +85,7 @@ static List<String> systemJvmOptions() {
     }
 
     private static String allowSecurityManagerOption() {
-        if (Runtime.version().feature() > 17) {
+        if (Runtime.version().feature() > 17 && Runtime.version().feature() < 24) {
             return "-Djava.security.manager=allow";
         } else {
             return "";
 
@@ -82,7 +82,7 @@ if (System.getProperty('idea.active') == 'true') {
         runConfigurations {
           defaults(JUnit) {
             vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'
-            if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
+            if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17 && BuildParams.runtimeJavaVersion < JavaVersion.VERSION_24) {
               vmParameters += ' -Djava.security.manager=allow'
             }
           }
 
@@ -3,7 +3,7 @@ opensearch        = "3.0.0"
 lucene            = "10.1.0"
 
 bundled_jdk_vendor = "adoptium"
-bundled_jdk = "21.0.6+7"
+bundled_jdk = "23.0.2+7"
 
 # optional dependencies
 spatial4j         = "0.7"
@@ -31,7 +31,7 @@ grpc              = "1.68.2"
 json_smart        = "2.5.2"
 
 # when updating the JNA version, also update the version in buildSrc/build.gradle
-jna               = "5.13.0"
+jna               = "5.16.0"
 
 netty             = "4.1.118.Final"
 joda              = "2.12.7"
@@ -70,9 +70,9 @@ password4j        = "1.8.2"
 randomizedrunner  = "2.7.1"
 junit             = "4.13.2"
 hamcrest          = "2.1"
-mockito           = "5.14.2"
+mockito           = "5.16.0"
 objenesis         = "3.3"
-bytebuddy         = "1.15.10"
+bytebuddy         = "1.17.3"
 
 # benchmark dependencies
 jmh               = "1.35"
 
@@ -0,0 +1,64 @@
+apply plugin: 'opensearch.build'
+apply plugin: 'opensearch.publish'
+
+base {
+  archivesName = 'opensearch-agent'
+}
+
+configurations {
+  bootstrap.extendsFrom(implementation)
+}
+
+dependencies {
+  implementation project(":libs:agent-sm:bootstrap")
+  implementation "net.bytebuddy:byte-buddy:${versions.bytebuddy}"
+  compileOnly "com.google.code.findbugs:jsr305:3.0.2"
+}
+
+var bootClasspath = configurations.bootstrap.incoming.artifactView { }.files
+  .getFiles()
+  .collect { it.name }
+
+jar {
+  manifest {
+    attributes(
+      "Can-Redefine-Classes": "true",
+      "Can-Retransform-Classes": "true",
+      "Agent-Class": "org.opensearch.javaagent.Agent",
+      "Premain-Class": "org.opensearch.javaagent.Agent",
+      "Boot-Class-Path":  bootClasspath.join(' ')
+    )
+  }
+}
+
+compileJava {
+  options.compilerArgs -= '-Werror'
+}
+
+test.enabled = false
+testingConventions.enabled = false
+
+tasks.named('forbiddenApisMain').configure {
+  replaceSignatureFiles 'jdk-signatures'
+}
+
+task copyJars(type: Copy) {
+  from(configurations.runtimeClasspath)
+  into "$buildDir/distributions"
+  dependsOn jar
+}
+
+thirdPartyAudit {
+  ignoreMissingClasses(
+    'com.sun.jna.FunctionMapper',
+    'com.sun.jna.JNIEnv',
+    'com.sun.jna.Library',
+    'com.sun.jna.Native',
+    'com.sun.jna.NativeLibrary',
+    'com.sun.jna.Platform'
+  )
+}
+
+tasks.named('validateNebulaPom') {
+  dependsOn copyJars
+}
@@ -0,0 +1 @@
+dff77e21ebdac42bb4ebf5f3311fc7bfbac19cc3
Original file line number	Diff line number	Diff line change
`@@ -433,12 +433,18 @@ gradle.projectsEvaluated {`
`433`	`433`
`434`	`434`	`project.tasks.withType(Test) { task ->`
`435`	`435`	`if (task != null) {`
`436`		`- if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {`
	`436`	`+ if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17 && BuildParams.runtimeJavaVersion <= JavaVersion.VERSION_23) {`
`437`	`437`	`task.jvmArgs += ["-Djava.security.manager=allow"]`
`438`	`438`	`}`
`439`	`439`	`if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_20) {`
`440`	`440`	`task.jvmArgs += ["--add-modules=jdk.incubator.vector"]`
`441`	`441`	`}`
	`442`	`+`
	`443`	`+ // Add Java Agent for security sandboxing`
	`444`	`+ if (!(project.path in [':build-tools', ":libs:agent-sm:bootstrap", ":libs:agent-sm:agent"])) {`
	`445`	`+ dependsOn(project(':libs:agent-sm:agent').copyJars)`
	`446`	`+ jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]`
	`447`	`+ }`
`442`	`448`	`}`
`443`	`449`	`}`
`444`	`450`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,8 @@ public void execute(Task t) {`
`115`	`115`	`test.jvmArgs("--illegal-access=warn");`
`116`	`116`	`}`
`117`	`117`	`}`
`118`		`- if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0) {`
	`118`	`+ if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0`
	`119`	`+ && test.getJavaVersion().compareTo(JavaVersion.VERSION_24) < 0) {`
`119`	`120`	`test.jvmArgs("-Djava.security.manager=allow");`
`120`	`121`	`}`
`121`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ static List<String> systemJvmOptions() {`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`private static String allowSecurityManagerOption() {`
`88`		`- if (Runtime.version().feature() > 17) {`
	`88`	`+ if (Runtime.version().feature() > 17 && Runtime.version().feature() < 24) {`
`89`	`89`	`return "-Djava.security.manager=allow";`
`90`	`90`	`} else {`
`91`	`91`	`return "";`
Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ if (System.getProperty('idea.active') == 'true') {`
`82`	`82`	`runConfigurations {`
`83`	`83`	`defaults(JUnit) {`
`84`	`84`	`vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'`
`85`		`- if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {`
	`85`	`+ if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17 && BuildParams.runtimeJavaVersion < JavaVersion.VERSION_24) {`
`86`	`86`	`vmParameters += ' -Djava.security.manager=allow'`
`87`	`87`	`}`
`88`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+dff77e21ebdac42bb4ebf5f3311fc7bfbac19cc3`