ibmruntimes / openj9-openjdk-jdk

Extensions for OpenJDK for Eclipse OpenJ9
GNU General Public License v2.0

Allow extension of RestrictedSecurity profiles #793

Closed KostasTsiounis closed 2 months ago

KostasTsiounis commented 3 months ago

RestrictedSecurity profiles sometimes share a lot of duplicate settings with only minor differences. With these changes the extension, similar to object-orientation, of profiles becomes possible.

More specifically, a profile A can extend another profile B, using RestrictedSecurity.<profile A name>.extends = RestrictedSecurity.<profile B name>. This allows profile A to inherit all of profile B's properties. One can add additional properties to profile A, or amend some of the existing ones. That includes overriding, appending or removing from a property (wherever that's applicable).

An additional property is introduced. The RestrictedSecurity.<profile name>.desc.hash = <hash algorithm>:<hash> is used to ensure the profile hasn't been unintentionally altered. The profile's properties are hashed using the selected <hash algorithm>, and the result is compared to the <hash> provided through the property. This property is mandatory for base profiles (i.e., profiles that are not extending anything), and optional for the rest.

Signed-off by: Kostas Tsiounis kostas.tsiounis@ibm.com
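
The inheritance and hash rules described in the comment above, modelled as an added example; this is not code from the pull request or from OpenJ9. The canonical form that gets hashed (sorted key=value lines, excluding desc.hash), the profile names and the sample property values are assumptions, and only overriding and adding properties are modelled because the comment does not give the append or remove syntax.

```python
import hashlib

PREFIX = "RestrictedSecurity."
META = ("extends", "desc.hash")

def own_props(props, name):
    """Properties set directly on one profile, keyed by their suffix."""
    head = PREFIX + name + "."
    return {k[len(head):]: v for k, v in props.items() if k.startswith(head)}

def digest(own, algorithm):
    # ASSUMPTION: canonical form is sorted "key=value" lines without desc.hash.
    lines = [f"{k}={v}" for k, v in sorted(own.items()) if k != "desc.hash"]
    return hashlib.new(algorithm, "\n".join(lines).encode()).hexdigest()

def check_hash(name, own):
    declared = own.get("desc.hash")
    if declared is None:
        if "extends" not in own:  # mandatory for base profiles only
            raise ValueError(f"{name}: base profile must declare desc.hash")
        return
    algorithm, _, expected = declared.partition(":")
    algorithm = algorithm.strip().replace("-", "").lower()  # SHA-256 -> sha256
    if digest(own, algorithm) != expected.strip().lower():
        raise ValueError(f"{name}: desc.hash mismatch")

def resolve(props, name, seen=()):
    """Effective properties of a profile after following its extends chain."""
    if name in seen:
        raise ValueError("extends cycle: " + " -> ".join(seen + (name,)))
    own = own_props(props, name)
    if not own:
        raise ValueError(f"{name}: profile not found")
    check_hash(name, own)
    merged = {}
    parent = own.get("extends", "").strip()
    if parent:
        if not parent.startswith(PREFIX):
            raise ValueError(f"{name}: extends must name a RestrictedSecurity profile")
        merged = resolve(props, parent[len(PREFIX):], seen + (name,))
    merged.update({k: v for k, v in own.items() if k not in META})  # child wins
    return merged

# Constructed sample profiles (names and property values are illustrative).
BASE = {"desc.name": "Constructed base", "tls.disabledAlgorithms": "SSLv3, TLSv1"}
SAMPLE = {PREFIX + "Base-Profile." + k: v for k, v in BASE.items()}
SAMPLE[PREFIX + "Base-Profile.desc.hash"] = "SHA256:" + digest(BASE, "sha256")
SAMPLE[PREFIX + "Child-Profile.extends"] = PREFIX + "Base-Profile"
SAMPLE[PREFIX + "Child-Profile.desc.name"] = "Constructed child"
SAMPLE[PREFIX + "Child-Profile.keystore.type"] = "PKCS12"
```

Calling resolve(SAMPLE, "Child-Profile") returns the base settings with the child's override and addition applied; editing any base property without updating desc.hash makes the same call raise.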

keithc-ca commented 3 months ago

It would be helpful to have a fuller description here of how users will interact with this change, including what the restrictions are and perhaps some examples.

KostasTsiounis commented 2 months ago

I removed the isFIPS1402() method, as it's no longer needed by https://github.com/ibmruntimes/openj9-openjdk-jdk/pull/758

keithc-ca commented 2 months ago

I think the changes are good. Please squash and ensure that the commit message accurately and adequately describes these changes.

KostasTsiounis commented 2 months ago

Squashed and updated commit message to match issue description.

keithc-ca commented 2 months ago

Jenkins copyright check

keithc-ca commented 2 months ago

Jenkins line endings check

keithc-ca commented 2 months ago

Jenkins test sanity zlinux jdknext

keithc-ca commented 2 months ago

Testing in https://openj9-jenkins.osuosl.org/job/Grinder/3673 failed because a newer version of jtreg is required. See https://github.com/adoptium/TKG/pull/573 and https://github.com/adoptium/ci-jenkins-pipelines/pull/1051 that aim to address that.

In the meantime, you could start back-porting this to jdk23, jdk22, etc.

keithc-ca commented 2 months ago

Merging on the strength of testing results in https://github.com/ibmruntimes/openj9-openjdk-jdk23/pull/2.