Closes #849 (#852)

- enabled reflective access to `java.io.ByteArrayInputStream` and `sun.misc.security.KeyUtil` on JDK 17+ - Minor refactor to ServicesTest to avoid the need for PowerMock
jwtk · Oct 5, 2023 · 1625067 · 1625067
1 parent 44cd552
commit 1625067
Show file tree

Hide file tree

Showing 10 changed files with 243 additions and 184 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 ## Release Notes
 
+### JJWT_RELEASE_VERSION
+
+Enabled reflective access on JDK 17+ to `java.io.ByteArrayInputStream` and `sun.security.util.KeyUtil` for
+`jjwt-impl.jar`
+
 ### 0.12.0
 
 This is a big release! JJWT now fully supports Encrypted JSON Web Tokens (JWE), JSON Web Keys (JWK) and more!  See the 

diff --git a/impl/src/main/java/io/jsonwebtoken/impl/io/Streams.java b/impl/src/main/java/io/jsonwebtoken/impl/io/Streams.java
@@ -15,6 +15,7 @@
  */
 package io.jsonwebtoken.impl.io;
 
+import io.jsonwebtoken.impl.lang.AddOpens;
 import io.jsonwebtoken.impl.lang.Bytes;
 import io.jsonwebtoken.lang.Assert;
 import io.jsonwebtoken.lang.Classes;
@@ -42,6 +43,11 @@ public class Streams {
      */
     public static final int EOF = -1;
 
+    static {
+        // For reflective access to ByteArrayInputStream via the 'bytes' static method on >= JDK 9:
+        AddOpens.open("java.base", "java.io");
+    }
+
     public static byte[] bytes(final InputStream in, String exmsg) {
         if (in instanceof ByteArrayInputStream) {
             return Classes.getFieldValue(in, "buf", byte[].class);

diff --git a/impl/src/main/java/io/jsonwebtoken/impl/lang/AddOpens.java b/impl/src/main/java/io/jsonwebtoken/impl/lang/AddOpens.java
@@ -0,0 +1,128 @@
+/*
+ * Copyright 2021 Stefan Zobel
+ * Copyright © 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl.lang;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+
+/**
+ * A utility class that allows to open arbitrary packages to the calling module
+ * at runtime, so it is a kind of dynamic device for "--add-opens" that could be
+ * used inside libraries instead of forcing the application to be run with
+ * command line parameters like "--add-opens java.base/java.util=ALL-UNNAMED" or
+ * having the "Add-Opens:" entries supplied in the application Jar manifest.
+ * Note that this still works in the Java 17 GA release, dated 2021-09-14 but it
+ * may break at any time in the future (theoretically even for a minor
+ * release!).
+ *
+ * @since JJWT_RELEASE_VERSION, gratefully copied from <a href="https://github.com/stefan-zobel/wip/blob/b74e927edddf19a5dce7c8610835f620c0b6f557/src/main/java/misc/AddOpens.java">https://github.com/stefan-zobel/wip/blob/b74e927edddf19a5dce7c8610835f620c0b6f557/src/main/java/misc/AddOpens.java</a>
+ * under the terms of the Apache 2 open source license (same as the JJWT license).
+ */
+public final class AddOpens {
+
+    // field offset of the override field (Warning: this may change at any time!)
+    private static final long OVERRIDE_OFFSET = 12;
+    private static final sun.misc.Unsafe U = getUnsafe();
+
+    private AddOpens() {
+        throw new AssertionError();
+    }
+
+    /**
+     * Open one or more packages in the given module to the current module. Example
+     * usage:
+     *
+     * <pre>{@code
+     *  boolean success = AddOpens.open("java.base", "java.util", "java.net");
+     * }</pre>
+     *
+     * @param moduleName   the module you want to open
+     * @param packageNames packages in that module you want to be opened
+     * @return {@code true} if the open operation has succeeded for all packages,
+     * otherwise {@code false}
+     */
+    public static boolean open(String moduleName, String... packageNames) {
+        // Use reflection so that this code can run on Java 8
+        Class<?> javaLangModule;
+        try {
+            javaLangModule = Class.forName("java.lang.Module");
+        } catch (Throwable t) {
+            // we must be < Java 9
+            return true;
+        }
+        try {
+            // the module we are currently running in (either named or unnamed)
+            Object thisModule = getCurrentModule();
+            // find the module to open
+            Object targetModule = findModule(moduleName);
+            // get the method that is also used by "--add-opens"
+            Method m = javaLangModule.getDeclaredMethod("implAddOpens", String.class, javaLangModule);
+            // override language-level access checks
+            setAccessible(m);
+            // open given packages in the target module to this module
+            for (String package_ : packageNames) {
+                m.invoke(targetModule, package_, thisModule);
+            }
+            return true;
+        } catch (Throwable ignore) {
+            return false;
+        }
+    }
+
+    private static Object findModule(String moduleName) {
+        // Use reflection so that this code can run on Java 8
+        try {
+            Class<?> moduleLayerClass = Class.forName("java.lang.ModuleLayer");
+            Method bootMethod = moduleLayerClass.getDeclaredMethod("boot");
+            Object bootLayer = bootMethod.invoke(null);
+            Method findModuleMethod = moduleLayerClass.getDeclaredMethod("findModule", String.class);
+            Object optionalModule = findModuleMethod.invoke(bootLayer, moduleName);
+            Class<?> optionalClass = Class.forName("java.util.Optional");
+            Method getMethod = optionalClass.getDeclaredMethod("get");
+            return getMethod.invoke(optionalModule);
+        } catch (Throwable t) {
+            return null;
+        }
+    }
+
+    private static Object getCurrentModule() {
+        // Use reflection so that this code can run on Java 8
+        try {
+            Method m = Class.class.getDeclaredMethod("getModule");
+            setAccessible(m);
+            return m.invoke(AddOpens.class);
+        } catch (Throwable t) {
+            return null;
+        }
+    }
+
+    private static void setAccessible(Method method) {
+        if (U != null) {
+            U.putBoolean(method, OVERRIDE_OFFSET, true);
+        }
+    }
+
+    private static sun.misc.Unsafe getUnsafe() {
+        try {
+            Field unsafe = sun.misc.Unsafe.class.getDeclaredField("theUnsafe");
+            unsafe.setAccessible(true);
+            return (sun.misc.Unsafe) unsafe.get(null);
+        } catch (Throwable ignore) {
+            return null;
+        }
+    }
+}
diff --git a/impl/src/main/java/io/jsonwebtoken/impl/lang/Services.java b/impl/src/main/java/io/jsonwebtoken/impl/lang/Services.java
@@ -18,7 +18,6 @@
 import io.jsonwebtoken.lang.Assert;
 
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 import java.util.ServiceLoader;
 import java.util.concurrent.ConcurrentHashMap;

diff --git a/impl/src/main/java/io/jsonwebtoken/impl/security/KeysBridge.java b/impl/src/main/java/io/jsonwebtoken/impl/security/KeysBridge.java
@@ -15,6 +15,7 @@
  */
 package io.jsonwebtoken.impl.security;
 
+import io.jsonwebtoken.impl.lang.AddOpens;
 import io.jsonwebtoken.impl.lang.Bytes;
 import io.jsonwebtoken.impl.lang.OptionalMethodInvoker;
 import io.jsonwebtoken.lang.Assert;
@@ -41,6 +42,11 @@ public final class KeysBridge {
             new OptionalMethodInvoker<>(SUN_KEYUTIL_CLASSNAME, "getKeySize", Key.class, true);
     private static final String SUN_KEYUTIL_ERR = "Unexpected " + SUN_KEYUTIL_CLASSNAME + " invocation error.";
 
+    static {
+        // For reflective access to KeyUtil on >= JDK 9:
+        AddOpens.open("java.base", "sun.security.util");
+    }
+
     // prevent instantiation
     private KeysBridge() {
     }

diff --git a/impl/src/test/groovy/io/jsonwebtoken/impl/io/FakeServiceDescriptorClassLoader.groovy b/impl/src/test/groovy/io/jsonwebtoken/impl/io/FakeServiceDescriptorClassLoader.groovy
diff --git a/impl/src/test/groovy/io/jsonwebtoken/impl/io/NoServiceDescriptorClassLoader.groovy b/impl/src/test/groovy/io/jsonwebtoken/impl/io/NoServiceDescriptorClassLoader.groovy
diff --git a/impl/src/test/groovy/io/jsonwebtoken/impl/lang/DefaultRegistryTest.groovy b/impl/src/test/groovy/io/jsonwebtoken/impl/lang/DefaultRegistryTest.groovy
@@ -76,6 +76,6 @@ class DefaultRegistryTest {
 
     @Test
     void testToString() {
-        assertEquals reg.@DELEGATE.toString(), reg.toString()
+        assertEquals '{a=a, b=b, c=c, d=d}', reg.toString()
     }
 }
diff --git a/impl/src/test/groovy/io/jsonwebtoken/impl/lang/ServicesTest.groovy b/impl/src/test/groovy/io/jsonwebtoken/impl/lang/ServicesTest.groovy
@@ -19,17 +19,9 @@ import io.jsonwebtoken.StubService
 import io.jsonwebtoken.impl.DefaultStubService
 import org.junit.After
 import org.junit.Test
-import org.junit.runner.RunWith
-import org.powermock.api.easymock.PowerMock
-import org.powermock.core.classloader.annotations.PrepareForTest
-import org.powermock.modules.junit4.PowerMockRunner
-
-import java.lang.reflect.Field
 
 import static org.junit.Assert.*
 
-@RunWith(PowerMockRunner.class)
-@PrepareForTest([Services])
 class ServicesTest {
 
     @Test
@@ -41,9 +33,7 @@ class ServicesTest {
 
     @Test(expected = UnavailableImplementationException)
     void testLoadFirstUnavailable() {
-        NoServicesClassLoader.runWith {
-            Services.loadFirst(StubService.class)
-        }
+        Services.loadFirst(NoService.class)
     }
 
     @Test
@@ -55,9 +45,7 @@ class ServicesTest {
 
     @Test(expected = UnavailableImplementationException)
     void testLoadAllUnavailable() {
-        NoServicesClassLoader.runWith {
-            Services.loadAll(StubService.class)
-        }
+        Services.loadAll(NoService.class)
     }
 
     @Test
@@ -79,38 +67,5 @@ class ServicesTest {
         Services.reload();
     }
 
-    static class NoServicesClassLoader extends ClassLoader {
-        private NoServicesClassLoader(ClassLoader parent) {
-            super(parent)
-        }
-
-        @Override
-        Enumeration<URL> getResources(String name) throws IOException {
-            if (name.startsWith("META-INF/services/")) {
-                return Collections.emptyEnumeration()
-            } else {
-                return super.getResources(name)
-            }
-        }
-
-        static void runWith(Closure closure) {
-            Field field = PowerMock.field(Services.class, "CLASS_LOADER_ACCESSORS")
-            def originalValue = field.get(Services.class)
-            try {
-                // use powermock to change the list of the classloaders we are using
-                List<Services.ClassLoaderAccessor> classLoaderAccessors = [
-                        new Services.ClassLoaderAccessor() {
-                            @Override
-                            ClassLoader getClassLoader() {
-                                return new NoServicesClassLoader(Thread.currentThread().getContextClassLoader())
-                            }
-                        }
-                ]
-                field.set(Services.class, classLoaderAccessors)
-                closure.run()
-            } finally {
-                field.set(Services.class, originalValue)
-            }
-        }
-    }
+    interface NoService {} // no implementations
 }