Add a task to run forbiddenapis using cli #32076
Conversation
Add a task that offers an equivalent check to the forbidden APIs plugin, but runs it using the forbiddenAPIs CLI instead. This isn't wired into precommit first, and doesn't work for projects that require specific signatures, etc. It's meant to show how this can be used. The next step is to make a custom task type and configure it based on the project extension from the pugin and make some minor adjustments to some build scripts as we can't bee 100% compatible with that at least due to how additional signatures are passed. Notes: - there's no `--target` for the CLI version so we have to pass in specific bundled signature names - the cli task already wires to `runtimeJavaHome` - no equivalent for `failOnUnsupportedJava = false` but doesn't seem to be a problem. Tested with Java 8 to 11 - there's no way to pass additional signatures as URL, these will have to be on the file system, and can't be resources on the cp unless we rely on how forbiddenapis is implemented and mimic them as boundled signatures. - the average of 3 runs is 4% slower using the CLI for :server. ( `./gradlew clean :server:forbiddenApis` vs `./gradlew clean :server:forbiddenApisCli`) - up-to-date checks don't work on the cli task yet, that will happen with the custom task. See also: elastic#31715
|
Pinging @elastic/es-core-infra |
| forbiddenApisCliJar 'de.thetaphi:forbiddenapis:2.5' | ||
| } | ||
| Task forbiddenApisCli = project.tasks.create('forbiddenApisCli') | ||
| project.ext.getForbiddenSignaturesFile = { name -> project.getForbiddenSignaturesFile(name) } |
There was a problem hiding this comment.
Do we need this one? It looks circular.
There was a problem hiding this comment.
It's so we can call getForbiddenSignaturesFile(name) from a build script instead of import ... ; PrecommitTasks.getForbiddenSignaturesFile(project, name)
There was a problem hiding this comment.
I'll remove it for now, and add it back once it's actually used.
| return forbiddenApisCli | ||
| } | ||
|
|
||
| private static File getForbiddenSignaturesFile(project, String name) { |
There was a problem hiding this comment.
Could you add a type to the project parameter?
There was a problem hiding this comment.
I haven't found a good way to fight IDEA on this ...
The refactoring don't add a type. Will change it.
| executable = "${project.runtimeJavaHome}/bin/java" | ||
| [ | ||
| 'jdk-unsafe-1.8', 'jdk-deprecated-1.8', 'jdk-non-portable', 'jdk-system-out' | ||
| ].forEach { args "-b", it } |
There was a problem hiding this comment.
I think this would be easier to read not using a foreach. Just call args directly with each argument.
| [ | ||
| getForbiddenSignaturesFile(project, 'jdk-signatures'), | ||
| getForbiddenSignaturesFile(project, 'es-all-signatures') | ||
| ].forEach { args "-f", it } |
There was a problem hiding this comment.
Same here, the foreach just makes this harder to read.
| } | ||
|
|
||
| private static File getForbiddenSignaturesFile(Project project, String name) { | ||
| return project.rootProject.file('buildSrc/src/main/resources/forbidden/' + name + '.txt') |
There was a problem hiding this comment.
We can't assume this is accessible, since build-tools is used by external plugin developers. We need to load this from resources and copy to a local file.
There was a problem hiding this comment.
I wasn't aware we publish group: 'org.elasticsearch.gradle', name: 'build-tools', version: '6.3.1' and encourage others to use it. Is this fully documented or more like plugin authors picked up on it ? I don't think we have documentation on any of the build plugins. I think I broke this assumption recently with the naming conventions check, I'll take a look and see if we can add some tests for this.
There was a problem hiding this comment.
Naming conventions check is fine, it looks up the source jar of the relevant class so works as long as the jar is on the file system, the class doesn't have to be. I'll still add a test for this.
There was a problem hiding this comment.
It's not "documented", but we have encouraged plugin authors to use it since we switched to gradle in 5.0. We have long needed a permanent home for plugin author documentation, but we probably need a broader reorg of the docs to enable that, as there are a few parts for plugin authors to consume eg how to build, how to test, core apis and services available, how to publish, etc.
Fails with: ``` ERROR: IO problem while reading files with API signatures: java.io.FileNotFoundException: /home/alpar/work/elastic/elasticsearch/buildSrc/src/testKit/forbidden-apis/buildSrc/src/main/resources/forbidden/jdk-signatures.txt (No such file or directory) ``` because signature definitiions are accessed on the FS directly.
|
Depends on #32201 for completion. |
This reverts commit 60570d7.
|
@rjernst This now uses the |
|
I changed the name to |
…listeners * elastic/master: (58 commits) [ML] Partition-wise maximum scores (elastic#32748) [DOCS] XContentBuilder#bytes method removed, using BytesReference.bytes(docBuilder) (elastic#32771) HLRC: migration get assistance API (elastic#32744) Add a task to run forbiddenapis using cli (elastic#32076) [Kerberos] Add debug log statement for exceptions (elastic#32663) Make x-pack core pull transport-nio (elastic#32757) Painless: Clean Up Whitelist Names (elastic#32791) Cat apis: Fix index creation time to use strict date format (elastic#32510) Clear Job#finished_time when it is opened (elastic#32605) (elastic#32755) Test: Only sniff host metadata for node_selectors (elastic#32750) Update scripted metric docs to use `state` variable (elastic#32695) Painless: Clean up PainlessCast (elastic#32754) [TEST] Certificate NONE not allowed in FIPS JVM (elastic#32753) [ML] Refactor ProcessCtrl into Autodetect and Normalizer builders (elastic#32720) Access build tools resources (elastic#32201) Tests: Disable rolling upgrade tests with system key on fips JVM (elastic#32775) HLRC: Ban LoggingDeprecationHandler (elastic#32756) Fix test reproducability in AbstractBuilderTestCase setup (elastic#32403) Only require java<version>_home env var if needed Tests: Muted ScriptDocValuesDatesTests.testJodaTimeBwc ...
* Add a task to run forbiddenapis using cli Add a task that offers an equivalent check to the forbidden APIs plugin, but runs it using the forbiddenAPIs CLI instead. This isn't wired into precommit first, and doesn't work for projects that require specific signatures, etc. It's meant to show how this can be used. The next step is to make a custom task type and configure it based on the project extension from the pugin and make some minor adjustments to some build scripts as we can't bee 100% compatible with that at least due to how additional signatures are passed. Notes: - there's no `--target` for the CLI version so we have to pass in specific bundled signature names - the cli task already wires to `runtimeJavaHome` - no equivalent for `failOnUnsupportedJava = false` but doesn't seem to be a problem. Tested with Java 8 to 11 - there's no way to pass additional signatures as URL, these will have to be on the file system, and can't be resources on the cp unless we rely on how forbiddenapis is implemented and mimic them as boundled signatures. - the average of 3 runs is 4% slower using the CLI for :server. ( `./gradlew clean :server:forbiddenApis` vs `./gradlew clean :server:forbiddenApisCli`) - up-to-date checks don't work on the cli task yet, that will happen with the custom task. See also: #31715
Add a task that offers an equivalent check to the forbidden APIs plugin,
but runs it using the forbiddenAPIs CLI instead.
This isn't wired into precommit first, and doesn't work for projects
that require specific signatures, etc. It's meant to show how this can
be used. The next step is to make a custom task type and configure it
based on the project extension from the pugin and make some minor
adjustments to some build scripts as we can't bee 100% compatible with
that at least due to how additional signatures are passed.
Notes:
--targetfor the CLI version so we have to pass inspecific bundled signature names
runtimeJavaHomefailOnUnsupportedJava = falsebut doesn't seem tobe a problem. Tested with Java 8 to 11
to be on the file system, and can't be resources on the cp unless we
rely on how forbiddenapis is implemented and mimic them as boundled
signatures.
(
./gradlew clean :server:forbiddenApisvs./gradlew clean :server:forbiddenApisCli)with the custom task.
See also: #31715