Add logic to remove default class_transformer.excludes when security …

[jasonjkeller]

…agent is enabled

DO NOT MERGE!

---

By default, the following three class_transformer.exclude rules defined in META-INF/excludes will be applied to prevent any classes from being transformed in packages matching ^java/security/.*, ^javax/crypto/.*, or ^net/sf/saxon.*. Exclude rules are evaluated when determining whether to transform classes in the InstrumentationContextManager or the PointCutClassTransformer.

### All default excludes listed below get ignored when the security agent is enabled
# exclude java.security and sun.reflect classes from transformation
^java/security/.*
# crypto classes can cause class circularity errors if they get too far along in the class transformer
^javax/crypto/.*
# saxon xlst classes - see ticket 195949
^net/sf/saxon.*

Classes from these packages are excluded from transformation to prevent various issues such as long startup times (net/sf/saxon), ClassCircularityErrors (javax/crypto), and StackOverflowErrors (java/security).

However, preventing transformation of classes in these packages hinders functionality of the security agent.

This PR will remove the three listed default exclude rules when the security agent is enabled. The following will be logged indicating that this behavior is taking place.

2023-08-16T15:17:11,001-0700 [43845 1] com.newrelic.agent.instrumentation.PointCutClassTransformer FINER: Ignored ^java/security/.* class_transformer exclude defined in META-INF/excludes because the security agent is enabled. This can be overridden by explicitly setting newrelic.config.class_transformer.excludes=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.* or NEW_RELIC_CLASS_TRANSFORMER_EXCLUDES=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*
2023-08-16T15:17:11,001-0700 [43845 1] com.newrelic.agent.instrumentation.PointCutClassTransformer FINER: Ignored ^javax/crypto/.* class_transformer exclude defined in META-INF/excludes because the security agent is enabled. This can be overridden by explicitly setting newrelic.config.class_transformer.excludes=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.* or NEW_RELIC_CLASS_TRANSFORMER_EXCLUDES=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*
2023-08-16T15:17:11,001-0700 [43845 1] com.newrelic.agent.instrumentation.PointCutClassTransformer FINER: Ignored ^net/sf/saxon.* class_transformer exclude defined in META-INF/excludes because the security agent is enabled. This can be overridden by explicitly setting newrelic.config.class_transformer.excludes=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.* or NEW_RELIC_CLASS_TRANSFORMER_EXCLUDES=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*
2023-08-16T15:17:11,012-0700 [43845 1] com.newrelic FINER: Ignored ^java/security/.* class_transformer exclude defined in META-INF/excludes because the security agent is enabled. This can be overridden by explicitly setting newrelic.config.class_transformer.excludes=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.* or NEW_RELIC_CLASS_TRANSFORMER_EXCLUDES=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*
2023-08-16T15:17:11,012-0700 [43845 1] com.newrelic FINER: Ignored ^javax/crypto/.* class_transformer exclude defined in META-INF/excludes because the security agent is enabled. This can be overridden by explicitly setting newrelic.config.class_transformer.excludes=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.* or NEW_RELIC_CLASS_TRANSFORMER_EXCLUDES=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*
2023-08-16T15:17:11,012-0700 [43845 1] com.newrelic FINER: Ignored ^net/sf/saxon.* class_transformer exclude defined in META-INF/excludes because the security agent is enabled. This can be overridden by explicitly setting newrelic.config.class_transformer.excludes=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.* or NEW_RELIC_CLASS_TRANSFORMER_EXCLUDES=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*

Additionally, even if the security agent is enabled, these exclude rules can be explicitly added via one of the following agent config options, in which case the user configured exclude rule will take precedence and will not be removed due to the security agent being enabled.

YAML:

  class_transformer:
    excludes: ^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*

System property:

-Dnewrelic.config.class_transformer.excludes=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*

Environment variable:

NEW_RELIC_CLASS_TRANSFORMER_EXCLUDES=^javax/crypto/.*,^java/security/.*,^net/sf/saxon.*

When explicitly setting the excludes via user config the following will be logged:

2023-08-16T15:17:11,000-0700 [43845 1] com.newrelic.agent.instrumentation.PointCutClassTransformer FINER: ^java/security/.* class_transformer exclude explicitly added by user config. The user configured exclude rule will take precedence and will not be ignored due to the security agent being enabled.
2023-08-16T15:17:11,000-0700 [43845 1] com.newrelic.agent.instrumentation.PointCutClassTransformer FINER: ^javax/crypto/.* class_transformer exclude explicitly added by user config. The user configured exclude rule will take precedence and will not be ignored due to the security agent being enabled.
2023-08-16T15:17:11,000-0700 [43845 1] com.newrelic.agent.instrumentation.PointCutClassTransformer FINER: ^net/sf/saxon.* class_transformer exclude explicitly added by user config. The user configured exclude rule will take precedence and will not be ignored due to the security agent being enabled.
2023-08-16T15:17:11,011-0700 [43845 1] com.newrelic FINER: ^java/security/.* class_transformer exclude explicitly added by user config. The user configured exclude rule will take precedence and will not be ignored due to the security agent being enabled.
2023-08-16T15:17:11,011-0700 [43845 1] com.newrelic FINER: ^javax/crypto/.* class_transformer exclude explicitly added by user config. The user configured exclude rule will take precedence and will not be ignored due to the security agent being enabled.
2023-08-16T15:17:11,012-0700 [43845 1] com.newrelic FINER: ^net/sf/saxon.* class_transformer exclude explicitly added by user config. The user configured exclude rule will take precedence and will not be ignored due to the security agent being enabled.

[jasonjkeller]

This is the full set of default class_transformer.exclude rules that need to be ignored when the security agent is enabled. Should further exclude rules need to be treated the same in the future they can simply be added here and no other logic should need to be changed elsewhere in the agent codebase. Only new tests would need to be added to IncludeExcludeTest.

[jasonjkeller]

This exclude rule was moved to the META-INF/excludes file to simplify the logic and keep all of the security agent related excludes in a central place.

[jasonjkeller]

These are the three default exclude rules that are effected by the security agent.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.60%. Comparing base (7435d77) to head (1ab94a6).
Report is 1231 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main    #1453   +/-   ##
=========================================
  Coverage     70.60%   70.60%           
- Complexity     9794     9795    +1     
=========================================
  Files           817      817           
  Lines         39489    39500   +11     
  Branches       5995     5999    +4     
=========================================
+ Hits          27880    27888    +8     
  Misses         8902     8902           
- Partials       2707     2710    +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jasonjkeller]

Only consider removing one of the default exclude rules if the shouldInitializeSecurityAgent() check evaluates to true.

[lovesh-ap]

@jasonjkeller Hey there! 👋 Just wanted to let you know that we currently have an open issue (#154979) related to the changes in this PR. It might be good to keep an eye on that while reviewing this. Thanks!