-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add logic to remove default class_transformer.excludes when security … #1453
Conversation
@@ -44,6 +48,8 @@ public class SecurityAgentConfig { | |||
private static final Config config = NewRelic.getAgent().getConfig(); | |||
private static final String ENABLED = "enabled"; | |||
private static final String DISABLED = "disabled"; | |||
public static final Set<String> SECURITY_AGENT_CLASS_TRANSFORMER_EXCLUDES_TO_IGNORE = Collections.unmodifiableSet( | |||
Sets.newHashSet("^java/security/.*", "^javax/crypto/.*", "^net/sf/saxon.*")); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the full set of default class_transformer.exclude
rules that need to be ignored when the security agent is enabled. Should further exclude rules need to be treated the same in the future they can simply be added here and no other logic should need to be changed elsewhere in the agent codebase. Only new tests would need to be added to IncludeExcludeTest
.
if (internalClassName.startsWith("javax/crypto/")) { | ||
// crypto classes can cause class circularity errors if they get too far along in the class transformer | ||
Agent.LOG.finest(MessageFormat.format("Instrumentation skipped by ''javax crypto'' rule: {0}", internalClassName)); | ||
return false; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This exclude rule was moved to the META-INF/excludes
file to simplify the logic and keep all of the security agent related excludes in a central place.
### All default excludes listed below get ignored when the security agent is enabled | ||
# exclude java.security and sun.reflect classes from transformation | ||
^java/security/.* | ||
# crypto classes can cause class circularity errors if they get too far along in the class transformer | ||
^javax/crypto/.* | ||
# saxon xlst classes - see ticket 195949 | ||
^net/sf/saxon.* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are the three default exclude rules that are effected by the security agent.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1453 +/- ##
=========================================
Coverage 70.60% 70.60%
- Complexity 9794 9795 +1
=========================================
Files 817 817
Lines 39489 39500 +11
Branches 5995 5999 +4
=========================================
+ Hits 27880 27888 +8
Misses 8902 8902
- Partials 2707 2710 +3 ☔ View full report in Codecov by Sentry. |
@@ -112,15 +124,34 @@ public void addExcludeFileClassFilters() { | |||
// ignore | |||
} | |||
} | |||
boolean ignoreExcludeForSecurityAgent = false; | |||
String formattedIgnoredExcludes = String.join(",", SECURITY_AGENT_CLASS_TRANSFORMER_EXCLUDES_TO_IGNORE); | |||
boolean shouldInitializeSecurityAgent = shouldInitializeSecurityAgent(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only consider removing one of the default exclude rules if the shouldInitializeSecurityAgent()
check evaluates to true
.
@jasonjkeller Hey there! 👋 Just wanted to let you know that we currently have an open issue (#154979) related to the changes in this PR. It might be good to keep an eye on that while reviewing this. Thanks! |
…agent is enabled
DO NOT MERGE!
By default, the following three
class_transformer.exclude
rules defined inMETA-INF/excludes
will be applied to prevent any classes from being transformed in packages matching^java/security/.*
,^javax/crypto/.*
, or^net/sf/saxon.*
. Exclude rules are evaluated when determining whether to transform classes in theInstrumentationContextManager
or thePointCutClassTransformer
.Classes from these packages are excluded from transformation to prevent various issues such as long startup times (
net/sf/saxon
),ClassCircularityError
s (javax/crypto
), andStackOverflowError
s (java/security
).However, preventing transformation of classes in these packages hinders functionality of the security agent.
This PR will remove the three listed default exclude rules when the security agent is enabled. The following will be logged indicating that this behavior is taking place.
Additionally, even if the security agent is enabled, these exclude rules can be explicitly added via one of the following agent config options, in which case the user configured exclude rule will take precedence and will not be removed due to the security agent being enabled.
YAML:
System property:
Environment variable:
When explicitly setting the excludes via user config the following will be logged: