From 3bb83a35cbec4503bd26240d685da03d6bd2bd53 Mon Sep 17 00:00:00 2001
From: Jerry Duffy
Date: Tue, 27 Feb 2024 10:35:00 -0500
Subject: [PATCH] Disallow JFR when HSM is enabled
---
 .../java/com/newrelic/agent/jfr/JfrService.java | 5 ++++-
 .../com/newrelic/agent/jfr/JfrServiceTest.java | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/newrelic-agent/src/main/java/com/newrelic/agent/jfr/JfrService.java b/newrelic-agent/src/main/java/com/newrelic/agent/jfr/JfrService.java
index 6c8cb69594..d8b12778c6 100644
--- a/newrelic-agent/src/main/java/com/newrelic/agent/jfr/JfrService.java
+++ b/newrelic-agent/src/main/java/com/newrelic/agent/jfr/JfrService.java
@@ -88,10 +88,13 @@ void startJfrLoop() throws JfrRecorderException {
 @Override
 public final boolean isEnabled() {
 final boolean enabled = jfrConfig.isEnabled();
+ boolean isHighSecurity = defaultAgentConfig.isHighSecurity();
 if (!enabled) {
 Agent.LOG.log(Level.INFO, "New Relic JFR Monitor is disabled: JFR config has not been enabled in the Java agent.");
+ } else if (isHighSecurity) {
+ Agent.LOG.log(Level.INFO, "New Relic JFR Monitor is enabled but High Security mode is also enabled; JFR will not be activated.");
 }
- return enabled;
+ return enabled && !isHighSecurity;
 }

 @Override
diff --git a/newrelic-agent/src/test/java/com/newrelic/agent/jfr/JfrServiceTest.java b/newrelic-agent/src/test/java/com/newrelic/agent/jfr/JfrServiceTest.java
index 50a85c372d..ded460e379 100644
--- a/newrelic-agent/src/test/java/com/newrelic/agent/jfr/JfrServiceTest.java
+++ b/newrelic-agent/src/test/java/com/newrelic/agent/jfr/JfrServiceTest.java
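Review bot: The High Security override added to `isEnabled()` protects only callers that consult this method, so any other path in JfrService that starts or restarts recording (a config-change listener, if one exists outside this hunk) should go through the same check rather than reading `jfrConfig.isEnabled()` directly. The reason for the gate is also undocumented; a comment above the new local such as `// High Security mode overrides the JFR setting: JFR events can include JVM arguments, system properties and environment variables.` would keep a later refactor from dropping it, assuming that is the intent. For consistency with `enabled`, declare the new local as `final boolean isHighSecurity`. The INFO message is written on every call to `isEnabled()`, which may be noisy if the method is called repeatedly.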
@@ -105,6 +105,21 @@ public void jfrLoopDoesNotStartWhenIsEnabledIsFalse() throws JfrRecorderExceptio
 assertFalse(spyJfr.isEnabled());
 verify(spyJfr, times(0)).startJfrLoop();
 }
+
+ @Test
+ public void jfrLoopDoesNotStartWhenIsEnabledIsTrueAndHighSecurityIsTrue() throws JfrRecorderException {
+ JfrService jfrService = new JfrService(jfrConfig, agentConfig);
+ JfrService spyJfr = spy(jfrService);
+ when(agentConfig.isHighSecurity()).thenReturn(true);
+ when(jfrConfig.isEnabled()).thenReturn(true);
+ when(spyJfr.coreApisExist()).thenReturn(true);
+
+ spyJfr.doStart();
+
+ assertFalse(spyJfr.isEnabled());
+ verify(spyJfr, times(0)).startJfrLoop();
+ }
+
 @Category( IBMJ9IncompatibleTest.class )
 @Test
 public void jfrLoopDoesStart() {
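Review bot: `when(spyJfr.coreApisExist()).thenReturn(true)` calls the real `coreApisExist()` on the spy while the stub is being set up, so the real method runs once and anything it throws would fail the test before the High Security path is reached; for a spy the safer form is `doReturn(true).when(spyJfr).coreApisExist();`. The new test pins only the case where JFR is enabled and High Security is on. The positive test that follows (`jfrLoopDoesStart`, whose body is outside the hunk) presumably relies on the mock's default `false` for `isHighSecurity()`, and adding `when(agentConfig.isHighSecurity()).thenReturn(false);` there would make that precondition explicit.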