Addressing PR comments

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -18,7 +18,7 @@
 import org.elasticsearch.entitlement.instrumentation.MethodKey;
 import org.elasticsearch.entitlement.instrumentation.Transformer;
 import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
-import org.elasticsearch.entitlement.runtime.policy.DirectoryResolver;
+import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 import org.elasticsearch.entitlement.runtime.policy.Scope;
@@ -130,7 +130,7 @@ private static PolicyManager createPolicyManager() {
         Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
         Path[] dataDirs = EntitlementBootstrap.bootstrapArgs().dataDirs();
 
-        var directoryResolver = new EnvironmentDirectoryResolver(bootstrapArgs);
+        var pathLookup = new PathLookup(bootstrapArgs.configDir(), bootstrapArgs.dataDirs(), bootstrapArgs.configDir());
 
         // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
         var serverPolicy = new Policy(
@@ -175,7 +175,7 @@ private static PolicyManager createPolicyManager() {
             resolver,
             AGENTS_PACKAGE_NAME,
             ENTITLEMENTS_MODULE,
-            directoryResolver
+            pathLookup
         );
     }
 
@@ -320,27 +320,4 @@ private static ElasticsearchEntitlementChecker initChecker() {
         "org.elasticsearch.entitlement.instrumentation",
         Set.of()
     ).get();
-
-    static class EnvironmentDirectoryResolver implements DirectoryResolver {
-        private final EntitlementBootstrap.BootstrapArgs bootstrapArgs;
-
-        EnvironmentDirectoryResolver(EntitlementBootstrap.BootstrapArgs bootstrapArgs) {
-            this.bootstrapArgs = bootstrapArgs;
-        }
-
-        @Override
-        public Path resolveConfig(Path path) {
-            return bootstrapArgs.configDir().resolve(path);
-        }
-
-        @Override
-        public Stream<Path> resolveData(Path path) {
-            return Arrays.stream(bootstrapArgs.dataDirs()).map(dir -> dir.resolve(path));
-        }
-
-        @Override
-        public Path resolveTemp(Path path) {
-            return bootstrapArgs.tempDir().resolve(path);
-        }
-    }
 }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -17,49 +17,27 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.function.Consumer;
-import java.util.stream.Stream;
 
 import static org.elasticsearch.core.PathUtils.getDefaultFileSystem;
 
 public final class FileAccessTree {
 
-    private static final DirectoryResolver NULL_DIRECTORY_RESOLVER = new DirectoryResolver() {
-        @Override
-        public Path resolveConfig(Path path) {
-            throw new UnsupportedOperationException();
-        }
-
-        @Override
-        public Stream<Path> resolveData(Path path) {
-            throw new UnsupportedOperationException();
-        }
-
-        @Override
-        public Path resolveTemp(Path path) {
-            throw new UnsupportedOperationException();
-        }
-    };
-
-    public static final FileAccessTree EMPTY = new FileAccessTree(FilesEntitlement.EMPTY, NULL_DIRECTORY_RESOLVER);
+    public static final FileAccessTree EMPTY = new FileAccessTree(FilesEntitlement.EMPTY, null);
     private static final String FILE_SEPARATOR = getDefaultFileSystem().getSeparator();
 
     private final String[] readPaths;
     private final String[] writePaths;
 
-    private static void resolvePath(
-        FilesEntitlement.FileData fileData,
-        DirectoryResolver directoryResolver,
-        Consumer<String> resolvedPathReceiver
-    ) {
+    private static void resolvePath(FilesEntitlement.FileData fileData, PathLookup pathLookup, Consumer<Path> resolvedPathReceiver) {
         if (fileData.path() != null) {
-            resolvedPathReceiver.accept(normalizePath(fileData.path()));
-        } else if (fileData.relativePath() != null && fileData.baseDir() != null) {
+            resolvedPathReceiver.accept(fileData.path());
+        } else if (fileData.relativePath() != null && fileData.baseDir() != null && pathLookup != null) {
             switch (fileData.baseDir()) {
                 case CONFIG:
-                    resolvedPathReceiver.accept(normalizePath(directoryResolver.resolveConfig(fileData.relativePath())));
+                    resolvedPathReceiver.accept(pathLookup.configDir().resolve(fileData.relativePath()));
                     break;
                 case DATA:
-                    directoryResolver.resolveData(fileData.relativePath()).forEach(p -> resolvedPathReceiver.accept(normalizePath(p)));
+                    Arrays.stream(pathLookup.dataDirs()).map(d -> d.resolve(fileData.relativePath())).forEach(resolvedPathReceiver::accept);
                     break;
                 default:
                     throw new IllegalArgumentException();
@@ -69,18 +47,17 @@ private static void resolvePath(
         }
     }
 
-    private FileAccessTree(FilesEntitlement filesEntitlement, DirectoryResolver directoryResolver) {
-        Objects.requireNonNull(directoryResolver);
-
+    private FileAccessTree(FilesEntitlement filesEntitlement, PathLookup pathLookup) {
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
         for (FilesEntitlement.FileData fileData : filesEntitlement.filesData()) {
             var mode = fileData.mode();
-            resolvePath(fileData, directoryResolver, pathStr -> {
+            resolvePath(fileData, pathLookup, path -> {
+                var normalized = normalizePath(path);
                 if (mode == FilesEntitlement.Mode.READ_WRITE) {
-                    writePaths.add(pathStr);
+                    writePaths.add(normalized);
                 }
-                readPaths.add(pathStr);
+                readPaths.add(normalized);
             });
         }
 
@@ -91,8 +68,8 @@ private FileAccessTree(FilesEntitlement filesEntitlement, DirectoryResolver dire
         this.writePaths = writePaths.toArray(new String[0]);
     }
 
-    public static FileAccessTree of(FilesEntitlement filesEntitlement, DirectoryResolver directoryResolver) {
-        return new FileAccessTree(filesEntitlement, directoryResolver);
+    public static FileAccessTree of(FilesEntitlement filesEntitlement, PathLookup pathLookup) {
+        return new FileAccessTree(filesEntitlement, pathLookup);
     }
 
     boolean canRead(Path path) {

…nt/runtime/policy/DirectoryResolver.java …titlement/runtime/policy/PathLookup.javalibs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/DirectoryResolver.java renamed to libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PathLookup.java libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/DirectoryResolver.java renamed to libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PathLookup.java

@@ -10,12 +10,5 @@
 package org.elasticsearch.entitlement.runtime.policy;
 
 import java.nio.file.Path;
-import java.util.stream.Stream;
 
-public interface DirectoryResolver {
-    Path resolveConfig(Path path);
-
-    Stream<Path> resolveData(Path path);
-
-    Path resolveTemp(Path path);
-}
+public record PathLookup(Path configDir, Path[] dataDirs, Path tempDir) {}

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -73,7 +73,7 @@ public static ModuleEntitlements none(String componentName) {
             return new ModuleEntitlements(componentName, Map.of(), FileAccessTree.EMPTY);
         }
 
-        public static ModuleEntitlements from(String componentName, List<Entitlement> entitlements, DirectoryResolver directoryResolver) {
+        public static ModuleEntitlements from(String componentName, List<Entitlement> entitlements, PathLookup pathLookup) {
             FilesEntitlement filesEntitlement = FilesEntitlement.EMPTY;
             for (Entitlement entitlement : entitlements) {
                 if (entitlement instanceof FilesEntitlement) {
@@ -83,7 +83,7 @@ public static ModuleEntitlements from(String componentName, List<Entitlement> en
             return new ModuleEntitlements(
                 componentName,
                 entitlements.stream().collect(groupingBy(Entitlement::getClass)),
-                FileAccessTree.of(filesEntitlement, directoryResolver)
+                FileAccessTree.of(filesEntitlement, pathLookup)
             );
         }
 
@@ -106,7 +106,7 @@ public <E extends Entitlement> Stream<E> getEntitlements(Class<E> entitlementCla
     protected final List<Entitlement> apmAgentEntitlements;
     protected final Map<String, Map<String, List<Entitlement>>> pluginsEntitlements;
     private final Function<Class<?>, String> pluginResolver;
-    private final DirectoryResolver directoryResolver;
+    private final PathLookup pathLookup;
 
     public static final String ALL_UNNAMED = "ALL-UNNAMED";
 
@@ -142,7 +142,7 @@ public PolicyManager(
         Function<Class<?>, String> pluginResolver,
         String apmAgentPackageName,
         Module entitlementsModule,
-        DirectoryResolver directoryResolver
+        PathLookup pathLookup
     ) {
         this.serverEntitlements = buildScopeEntitlementsMap(requireNonNull(serverPolicy));
         this.apmAgentEntitlements = apmAgentEntitlements;
@@ -152,7 +152,7 @@ public PolicyManager(
         this.pluginResolver = pluginResolver;
         this.apmAgentPackageName = apmAgentPackageName;
         this.entitlementsModule = entitlementsModule;
-        this.directoryResolver = directoryResolver;
+        this.pathLookup = pathLookup;
 
         for (var e : serverEntitlements.entrySet()) {
             validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue());
@@ -431,7 +431,7 @@ private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
 
         if (requestingModule.isNamed() == false && requestingClass.getPackageName().startsWith(apmAgentPackageName)) {
             // The APM agent is the only thing running non-modular in the system classloader
-            return ModuleEntitlements.from(APM_AGENT_COMPONENT_NAME, apmAgentEntitlements, directoryResolver);
+            return ModuleEntitlements.from(APM_AGENT_COMPONENT_NAME, apmAgentEntitlements, pathLookup);
         }
 
         return ModuleEntitlements.none(UNKNOWN_COMPONENT_NAME);
@@ -446,7 +446,7 @@ private ModuleEntitlements getModuleScopeEntitlements(
         if (entitlements == null) {
             return ModuleEntitlements.none(componentName);
         }
-        return ModuleEntitlements.from(componentName, entitlements, directoryResolver);
+        return ModuleEntitlements.from(componentName, entitlements, pathLookup);
     }
 
     private static boolean isServerModule(Module requestingModule) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -131,26 +131,29 @@ public static FilesEntitlement build(List<Object> paths) {
             if (mode == null) {
                 throw new PolicyValidationException("files entitlement must contain 'mode' for every listed file");
             }
-            if ((pathAsString == null && relativePathAsString == null) || (pathAsString != null && relativePathAsString != null)) {
-                throw new PolicyValidationException("files entitlement must contain either 'path' or 'relative_path' for every entry");
+            if (pathAsString != null && relativePathAsString != null) {
+                throw new PolicyValidationException("a files entitlement entry cannot contain both 'path' and 'relative_path'");
             }
+
             if (relativePathAsString != null) {
                 if (relativeTo == null) {
                     throw new PolicyValidationException("files entitlement with a 'relative_path' must specify 'relative_to'");
                 }
-                final var baseDir = parseBaseDir(relativeTo);
+                final BaseDir baseDir = parseBaseDir(relativeTo);
 
                 Path relativePath = Path.of(relativePathAsString);
                 if (relativePath.isAbsolute()) {
                     throw new PolicyValidationException("'relative_path' must be relative");
                 }
                 filesData.add(FileData.ofRelativePath(relativePath, baseDir, parseMode(mode)));
-            } else {
+            } else if (pathAsString != null) {
                 Path path = Path.of(pathAsString);
                 if (path.isAbsolute() == false) {
                     throw new PolicyValidationException("'path' must be absolute");
                 }
                 filesData.add(FileData.ofPath(path, parseMode(mode)));
+            } else {
+                throw new PolicyValidationException("files entitlement must contain either 'path' or 'relative_path' for every entry");
             }
         }
         return new FilesEntitlement(filesData);