better logging / handling of links

Author: mosche

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -19,7 +19,6 @@
 import java.io.FileDescriptor;
 import java.io.FileFilter;
 import java.io.FilenameFilter;
-import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
@@ -71,7 +70,6 @@
 import java.nio.file.FileStore;
 import java.nio.file.FileVisitOption;
 import java.nio.file.FileVisitor;
-import java.nio.file.Files;
 import java.nio.file.LinkOption;
 import java.nio.file.OpenOption;
 import java.nio.file.Path;
@@ -2760,16 +2758,7 @@ public void checkPathToRealPath(Class<?> callerClass, Path that, LinkOption... o
                 followLinks = false;
             }
         }
-        if (followLinks) {
-            try {
-                Path symbolicLink = Files.readSymbolicLink(that);
-                policyManager.checkFileRead(callerClass, that, symbolicLink);
-                return;
-            } catch (IOException | UnsupportedOperationException e) {
-                // that is not a link, or unrelated IOException or unsupported
-            }
-        }
-        policyManager.checkFileRead(callerClass, that);
+        policyManager.checkFileRead(callerClass, that, followLinks);
     }
 
     @Override

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -31,12 +31,13 @@
 import org.elasticsearch.logging.Logger;
 
 import java.io.File;
+import java.io.IOException;
 import java.lang.StackWalker.StackFrame;
 import java.lang.module.ModuleFinder;
 import java.lang.module.ModuleReference;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -325,31 +326,53 @@ private static boolean isPathOnDefaultFilesystem(Path path) {
         return true;
     }
 
-    public void checkFileRead(Class<?> callerClass, Path... paths) {
-        for (var path : paths) {
-            if (isPathOnDefaultFilesystem(path) == false) {
-                return;
-            }
-            var requestingClass = requestingClass(callerClass);
-            if (isTriviallyAllowed(requestingClass)) {
-                return;
-            }
+    public void checkFileRead(Class<?> callerClass, Path path) {
+        checkFileRead(callerClass, path, false);
+    }
 
-            ModuleEntitlements entitlements = getEntitlements(requestingClass);
-            if (entitlements.fileAccess().canRead(path) == false) {
-                logger.info(entitlements.fileAccess().toDebugString());
-                notEntitled(
-                    Strings.format(
-                        "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
-                        entitlements.componentName(),
-                        requestingClass.getModule().getName(),
-                        requestingClass,
-                        Arrays.stream(paths).map(FileAccessTree::normalizePath).collect(Collectors.joining(", "))
-                    ),
-                    callerClass
-                );
+    public void checkFileRead(Class<?> callerClass, Path path, boolean followLinks) {
+        if (isPathOnDefaultFilesystem(path) == false) {
+            return;
+        }
+        var requestingClass = requestingClass(callerClass);
+        if (isTriviallyAllowed(requestingClass)) {
+            return;
+        }
+
+        ModuleEntitlements entitlements = getEntitlements(requestingClass);
+
+        Path realPath = null, symbolicLinkPath = null;
+        boolean canRead = entitlements.fileAccess().canRead(path);
+
+        if (canRead && followLinks) {
+            try {
+                realPath = path.toRealPath();
+            } catch (IOException e) {}
+            try {
+                symbolicLinkPath = Files.readSymbolicLink(path);
+                canRead = entitlements.fileAccess.canRead(symbolicLinkPath);
+            } catch (IOException e) {}
+
+            if (canRead == false) {
+                logger.warn("Cannot read symbolic link [{} -> {}]: [real path: {}]", path, symbolicLinkPath, realPath);
             }
         }
+
+        if (canRead == false) {
+            logger.info(entitlements.fileAccess().toDebugString());
+            notEntitled(
+                Strings.format(
+                    "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
+                    entitlements.componentName(),
+                    requestingClass.getModule().getName(),
+                    requestingClass,
+                    symbolicLinkPath == null
+                        ? FileAccessTree.normalizePath(path)
+                        : FileAccessTree.normalizePath(path) + " -> " + FileAccessTree.normalizePath(symbolicLinkPath)
+                ),
+                callerClass
+            );
+        }
     }
 
     @SuppressForbidden(reason = "Explicitly checking File apis")
@@ -612,7 +635,7 @@ Optional<Class<?>> findRequestingClass(Stream<Class<?>> classes) {
     /**
      * @return true if permission is granted regardless of the entitlement
      */
-    private static boolean isTriviallyAllowed(Class<?> requestingClass) {
+    protected static boolean isTriviallyAllowed(Class<?> requestingClass) {
         if (logger.isTraceEnabled()) {
             logger.trace("Stack trace for upcoming trivially-allowed check", new Exception());
         }