Merge pull request #1918 from newrelic/parse-sec-excludes

Add security related class excludes during normal class transformer creation

newrelic-agent/src/main/java/com/newrelic/agent/config/AgentConfigImpl.java

@@ -780,36 +780,8 @@ private BrowserMonitoringConfig initBrowserMonitoringConfig() {
     private ClassTransformerConfig initClassTransformerConfig(boolean liteMode) {
         boolean customTracingEnabled = getProperty(ENABLE_CUSTOM_TRACING, DEFAULT_ENABLE_CUSTOM_TRACING);
         Map<String, Object> props = nestedProps(CLASS_TRANSFORMER);
-        props = placeSecurityCollectorRelatedModification(props);
-        return ClassTransformerConfigImpl.createClassTransformerConfig(props, customTracingEnabled, liteMode);
-    }
-
-    /**
-     * Security agent specific excludes needed to allow functioning with java.io.InputStream and OutputStream instrumentation.
-     */
-    private Map<String, Object> placeSecurityCollectorRelatedModification(Map<String, Object> props) {
-        if (getProperty("security") != null) {
-            if (props == null) {
-                props = new HashMap<>();
-            } else {
-                props = new HashMap<>(props);
-            }
-            Set<String> securityExcludes = new HashSet<>();
-            securityExcludes.add("java/util/zip/InflaterInputStream");
-            securityExcludes.add("java/util/zip/ZipFile$ZipFileInputStream");
-            securityExcludes.add("java/util/zip/ZipFile$ZipFileInflaterInputStream");
-            securityExcludes.add("com/newrelic/api/agent/security/.*");
-            securityExcludes.add("com/newrelic/agent/security/.*");
-
-            Object userProvidedExcludes = props.get(ClassTransformerConfigImpl.EXCLUDES);
-            if (userProvidedExcludes instanceof String) {
-                securityExcludes.add((String) userProvidedExcludes);
-            } else if (userProvidedExcludes instanceof Set) {
-                securityExcludes.addAll((Collection<? extends String>) userProvidedExcludes);
-            }
-            props.put(ClassTransformerConfigImpl.EXCLUDES, securityExcludes);
-        }
-        return props;
+        boolean addSecurityExcludes = getProperty("security") != null;
+        return ClassTransformerConfigImpl.createClassTransformerConfig(props, customTracingEnabled, liteMode, addSecurityExcludes);
     }
 
     private CircuitBreakerConfig initCircuitBreakerConfig() {

newrelic-agent/src/main/java/com/newrelic/agent/config/ClassTransformerConfigImpl.java

@@ -66,6 +66,10 @@ final class ClassTransformerConfigImpl extends BaseConfig implements ClassTransf
     private static final Set<String> DEFAULT_DISABLED_WEAVE_PACKAGES = new HashSet<>();
     private static final Set<String> DEFAULT_CLASSLOADER_EXCLUDES = new HashSet<>();
 
+    // Security agent specific excludes needed to allow functioning with java.io.InputStream and OutputStream instrumentation.
+    private static final Set<String> SECURITY_AGENT_CLASS_EXCLUDES = new HashSet<>(Arrays.asList("java/util/zip/InflaterInputStream", "java/util/zip/ZipFile$ZipFileInputStream",
+            "java/util/zip/ZipFile$ZipFileInflaterInputStream", "com/newrelic/api/agent/security/.*", "com/newrelic/agent/security/.*"));
+
     static {
         DEFAULT_DISABLED_WEAVE_PACKAGES.add("com.newrelic.instrumentation.servlet-user");
         DEFAULT_DISABLED_WEAVE_PACKAGES.add("com.newrelic.instrumentation.spring-aop-2");
@@ -103,14 +107,14 @@ final class ClassTransformerConfigImpl extends BaseConfig implements ClassTransf
     private final boolean litemode;
     private final long autoAsyncLinkRateLimit;
 
-    public ClassTransformerConfigImpl(Map<String, Object> props, boolean customTracingEnabled, boolean litemode) {
+    public ClassTransformerConfigImpl(Map<String, Object> props, boolean customTracingEnabled, boolean litemode, boolean addSecurityExcludes) {
         super(props, SYSTEM_PROPERTY_ROOT);
         this.custom_tracing = customTracingEnabled;
         this.litemode = litemode;
         isEnabled = getProperty(ENABLED, DEFAULT_ENABLED);
         isDefaultInstrumentationEnabled = getDefaultInstrumentationEnabled();
         isBuiltinExtensionEnabled = getBuiltinExensionEnabled();
-        excludes = Collections.unmodifiableSet(new HashSet<>(getUniqueStrings(EXCLUDES)));
+        excludes = initializeClassExcludes(addSecurityExcludes);
         includes = Collections.unmodifiableSet(new HashSet<>(getUniqueStrings(INCLUDES)));
         classloaderExclusions = initializeClassloaderExcludes();
         classloaderDelegationExcludes = initializeClassloaderDelegationExcludes();
@@ -131,7 +135,7 @@ public ClassTransformerConfigImpl(Map<String, Object> props, boolean customTraci
     }
 
     public ClassTransformerConfigImpl(Map<String, Object> props, boolean customTracingEnabled) {
-        this(props, customTracingEnabled, false);
+        this(props, customTracingEnabled, false, false);
     }
 
     private boolean getBuiltinExensionEnabled() {
@@ -156,6 +160,15 @@ private boolean getDefaultInstrumentationEnabled() {
         }
     }
 
+    private Set<String> initializeClassExcludes(boolean addSecurityExcludes) {
+        HashSet<String> tempExcludes = new HashSet<>(getUniqueStrings(EXCLUDES));
+        if (addSecurityExcludes) {
+            tempExcludes.addAll(SECURITY_AGENT_CLASS_EXCLUDES);
+        }
+
+        return Collections.unmodifiableSet(new HashSet<>(tempExcludes));
+    }
+
     private Set<String> initializeClassloaderExcludes() {
         Set<String> classloadersToExclude = new HashSet<>(getUniqueStrings(CLASSLOADER_EXCLUDES));
 
@@ -326,11 +339,11 @@ public Collection<String> getJdbcStatements() {
         return Arrays.asList(jdbcStatementsProp.split(",[\\s]*"));
     }
 
-    static ClassTransformerConfig createClassTransformerConfig(Map<String, Object> settings, boolean custom_tracing, boolean litemode) {
+    static ClassTransformerConfig createClassTransformerConfig(Map<String, Object> settings, boolean custom_tracing, boolean litemode, boolean addSecurityExcludes) {
         if (settings == null) {
             settings = Collections.emptyMap();
         }
-        return new ClassTransformerConfigImpl(settings, custom_tracing, litemode);
+        return new ClassTransformerConfigImpl(settings, custom_tracing, litemode, addSecurityExcludes);
     }
 
     @Override

newrelic-agent/src/main/resources/META-INF/excludes

@@ -3,10 +3,10 @@
 ^java/io/(BufferedOutputStream|ByteArrayOutputStream|DataOutputStream|FilterOutputStream|ObjectOutputStream|PipedOutputStream)
 ^java/lang/(NullOutputStream|ProcessPipeOutputStream)
 ^java/net/SocketOutputStream
-//To resolve class circularity error
+# To resolve class circularity error
 ^javax/crypto/BadPaddingException
 ^javax/crypto/SecretKey
-//Remove ThreadLocal Weak Random Class Instrumentation
+# Remove ThreadLocal Weak Random Class Instrumentation
 ^java/util/concurrent/ThreadLocalRandom
 ^(org/objectweb/asm/|javax/xml/|org/apache/juli/)(.*)
 # Don't instrument agent threads