updates

Author: jdconrad

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -9,7 +9,6 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
-import org.elasticsearch.entitlement.runtime.policy.PolicyManager.ExclusivePath;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
 
 import java.nio.file.Path;
@@ -23,6 +22,39 @@
 
 public final class FileAccessTree {
 
+    record ExclusiveFileEntitlement(String componentName, String moduleName, FilesEntitlement filesEntitlement) {}
+
+    record ExclusivePath(String componentName, String moduleName, String path) {}
+
+    static List<ExclusivePath> buildExclusivePathList(List<ExclusiveFileEntitlement> exclusiveFileEntitlements, PathLookup pathLookup) {
+        List<ExclusivePath> exclusivePaths = new ArrayList<>();
+        for (ExclusiveFileEntitlement efe : exclusiveFileEntitlements) {
+            for (FilesEntitlement.FileData fd : efe.filesEntitlement().filesData()) {
+                if (fd.exclusive()) {
+                    List<Path> paths = fd.resolvePaths(pathLookup).toList();
+                    for (Path path : paths) {
+                        exclusivePaths.add(new ExclusivePath(efe.componentName(), efe.moduleName(), normalizePath(path)));
+                    }
+                }
+            }
+        }
+        exclusivePaths.sort((ep1, ep2) -> PATH_ORDER.compare(ep1.path(), ep2.path()));
+        return exclusivePaths;
+    }
+
+    static void validateExclusivePaths(List<ExclusivePath> exclusivePaths) {
+        if (exclusivePaths.isEmpty() == false) {
+            ExclusivePath currentExclusivePath = exclusivePaths.get(0);
+            for (int i = 1; i < exclusivePaths.size(); ++i) {
+                ExclusivePath nextPath = exclusivePaths.get(i);
+                if (isParent(currentExclusivePath.path(), nextPath.path())) {
+
+                }
+                currentExclusivePath = nextPath;
+            }
+        }
+    }
+
     private static final String FILE_SEPARATOR = getDefaultFileSystem().getSeparator();
 
     private final String[] exclusivePaths;
@@ -38,7 +70,9 @@ private FileAccessTree(
     ) {
         List<String> updatedExclusivePaths = new ArrayList<>();
         for (ExclusivePath exclusivePath : exclusivePaths) {
-            updatedExclusivePaths.add(normalizePath(exclusivePath.path()));
+            if (exclusivePath.componentName().equals(componentName) == false || exclusivePath.moduleName().equals(moduleName) == false) {
+                updatedExclusivePaths.add(exclusivePath.path());
+            }
         }
 
         List<String> readPaths = new ArrayList<>();
@@ -48,30 +82,11 @@ private FileAccessTree(
             var paths = fileData.resolvePaths(pathLookup);
             paths.forEach(path -> {
                 var normalized = normalizePath(path);
-                for (ExclusivePath exclusivePath : exclusivePaths) {
-                    if (exclusivePath.componentName().equals(componentName) == false
-                        || exclusivePath.moduleName().equals(moduleName) == false) {
-                        if (true) throw new IllegalArgumentException(
-                            path.getFileSystem() + " " + exclusivePath.path().getFileSystem() + " " + path.startsWith(exclusivePath.path())
+                for (String exclusivePath : updatedExclusivePaths) {
+                    if (isParent(exclusivePath, normalized)) {
+                        throw new IllegalArgumentException(
+                            "[" + componentName + "] [" + moduleName + "] cannot use exclusive path [" + exclusivePath + "]"
                         );
-                        if (path.startsWith(exclusivePath.path())) {
-                            throw new IllegalArgumentException(
-                                "["
-                                    + componentName
-                                    + "] ["
-                                    + moduleName
-                                    + "] cannot use"
-                                    + "exclusive path ["
-                                    + exclusivePath.path()
-                                    + "] from ["
-                                    + exclusivePath.componentName()
-                                    + "] "
-                                    + "["
-                                    + exclusivePath.moduleName()
-                                    + "]"
-                            );
-                        }
-                        updatedExclusivePaths.add(normalizePath(exclusivePath.path()));
                     }
                 }
                 if (mode == FilesEntitlement.Mode.READ_WRITE) {
@@ -86,14 +101,13 @@ private FileAccessTree(
         readPaths.add(tempDir);
         writePaths.add(tempDir);
 
+        updatedExclusivePaths.sort(PATH_ORDER);
         readPaths.sort(PATH_ORDER);
         writePaths.sort(PATH_ORDER);
 
         this.exclusivePaths = updatedExclusivePaths.toArray(new String[0]);
         this.readPaths = pruneSortedPaths(readPaths).toArray(new String[0]);
         this.writePaths = pruneSortedPaths(writePaths).toArray(new String[0]);
-        // if (true) throw new IllegalStateException("EXCLUSIVE: " + Arrays.toString(this.exclusivePaths) +
-        // "\n READ: " + Arrays.toString(this.readPaths) + "\n WRITE: " + Arrays.toString(this.writePaths));
     }
 
     private static List<String> pruneSortedPaths(List<String> paths) {
@@ -110,7 +124,6 @@ private static List<String> pruneSortedPaths(List<String> paths) {
             }
         }
         return prunedReadPaths;
-
     }
 
     public static FileAccessTree of(

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -15,6 +15,8 @@
 import org.elasticsearch.entitlement.bridge.EntitlementChecker;
 import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
 import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
+import org.elasticsearch.entitlement.runtime.policy.FileAccessTree.ExclusiveFileEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.FileAccessTree.ExclusivePath;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.CreateClassLoaderEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.ExitVMEntitlement;
@@ -35,7 +37,6 @@
 import java.lang.module.ModuleReference;
 import java.nio.file.Path;
 import java.util.ArrayList;
-import java.util.Comparator;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -172,29 +173,31 @@ public PolicyManager(
         this.pathLookup = requireNonNull(pathLookup);
         this.defaultFileAccess = FileAccessTree.of("", "", FilesEntitlement.EMPTY, pathLookup, List.of());
 
-        List<ExclusivePath> exclusivePaths = new ArrayList<>();
+        List<ExclusiveFileEntitlement> exclusiveFileEntitlements = new ArrayList<>();
         for (var e : serverEntitlements.entrySet()) {
-            validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue());
-            buildExclusivePathList(exclusivePaths, pathLookup, SERVER_COMPONENT_NAME, e.getKey(), e.getValue());
+            validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue(), exclusiveFileEntitlements);
         }
-        validateEntitlementsPerModule(APM_AGENT_COMPONENT_NAME, ALL_UNNAMED, apmAgentEntitlements);
-        buildExclusivePathList(exclusivePaths, pathLookup, APM_AGENT_COMPONENT_NAME, ALL_UNNAMED, apmAgentEntitlements);
+        validateEntitlementsPerModule(APM_AGENT_COMPONENT_NAME, ALL_UNNAMED, apmAgentEntitlements, exclusiveFileEntitlements);
         for (var p : pluginsEntitlements.entrySet()) {
             for (var m : p.getValue().entrySet()) {
-                validateEntitlementsPerModule(p.getKey(), m.getKey(), m.getValue());
-                buildExclusivePathList(exclusivePaths, pathLookup, p.getKey(), m.getKey(), m.getValue());
+                validateEntitlementsPerModule(p.getKey(), m.getKey(), m.getValue(), exclusiveFileEntitlements);
             }
         }
-        exclusivePaths.sort(Comparator.comparing(ExclusivePath::path));
-        validateExclusivePaths(exclusivePaths);
+        List<ExclusivePath> exclusivePaths = FileAccessTree.buildExclusivePathList(exclusiveFileEntitlements, pathLookup);
+        FileAccessTree.validateExclusivePaths(exclusivePaths);
         this.exclusivePaths = exclusivePaths;
     }
 
     private static Map<String, List<Entitlement>> buildScopeEntitlementsMap(Policy policy) {
         return policy.scopes().stream().collect(toUnmodifiableMap(Scope::moduleName, Scope::entitlements));
     }
 
-    private static void validateEntitlementsPerModule(String componentName, String moduleName, List<Entitlement> entitlements) {
+    private static void validateEntitlementsPerModule(
+        String componentName,
+        String moduleName,
+        List<Entitlement> entitlements,
+        List<ExclusiveFileEntitlement> exclusiveFileEntitlements
+    ) {
         Set<Class<? extends Entitlement>> found = new HashSet<>();
         for (var e : entitlements) {
             if (found.contains(e.getClass())) {
@@ -203,43 +206,8 @@ private static void validateEntitlementsPerModule(String componentName, String m
                 );
             }
             found.add(e.getClass());
-        }
-    }
-
-    record ExclusivePath(String componentName, String moduleName, Path path) {}
-
-    private static void buildExclusivePathList(
-        List<ExclusivePath> exclusivePaths,
-        PathLookup pathLookup,
-        String componentName,
-        String moduleName,
-        List<Entitlement> entitlements
-    ) {
-        for (var e : entitlements) {
             if (e instanceof FilesEntitlement fe) {
-                for (FilesEntitlement.FileData fd : fe.filesData()) {
-                    if (fd.exclusive()) {
-                        List<Path> paths = fd.resolvePaths(pathLookup).toList();
-                        for (Path path : paths) {
-                            exclusivePaths.add(new ExclusivePath(componentName, moduleName, path));
-                        }
-                    }
-                }
-            }
-        }
-    }
-
-    private static void validateExclusivePaths(List<ExclusivePath> exclusivePaths) {
-        if (exclusivePaths.isEmpty() == false) {
-            ExclusivePath currentExclusivePath = exclusivePaths.get(0);
-            for (int i = 1; i < exclusivePaths.size(); ++i) {
-                ExclusivePath nextPath = exclusivePaths.get(i);
-                if (nextPath.path().equals(currentExclusivePath.path())) {
-                    // TODO: throw
-                } else if (nextPath.path().startsWith(currentExclusivePath.path())) {
-                    // TODO: throw
-                }
-                currentExclusivePath = nextPath;
+                exclusiveFileEntitlements.add(new ExclusiveFileEntitlement(componentName, moduleName, fe));
             }
         }
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -9,8 +9,9 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
+import org.apache.lucene.tests.util.LuceneTestCase;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.entitlement.runtime.policy.PolicyManager.ExclusivePath;
+import org.elasticsearch.entitlement.runtime.policy.FileAccessTree.ExclusivePath;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.BeforeClass;
@@ -24,6 +25,7 @@
 import static org.elasticsearch.core.PathUtils.getDefaultFileSystem;
 import static org.hamcrest.Matchers.is;
 
+@LuceneTestCase.SuppressFileSystems("*")
 public class FileAccessTreeTests extends ESTestCase {
 
     static Path root;
@@ -237,8 +239,18 @@ public void testBasicExclusiveAccess() {
     }
 
     public void testInvalidExclusiveAccess() {
-        var tree = accessTree(entitlement("foo/bar", "read"), exclusivePaths("test-component", "diff-module", "foo"));
-
+        var iae = assertThrows(
+            IllegalArgumentException.class,
+            () -> accessTree(entitlement("foo/bar", "read"), exclusivePaths("test-component", "diff-module", "foo"))
+        );
+        assertThat(
+            iae.getMessage(),
+            is(
+                "[test-component] [test-module] cannot use exclusive path "
+                    + "[/home/jdconrad/Code/elastic/elasticsearch/libs/entitlement/build/testrun/test/temp/"
+                    + "org.elasticsearch.entitlement.runtime.policy.FileAccessTreeTests_F47C6163CA22BE09-001/tempDir-002/foo]"
+            )
+        );
     }
 
     FileAccessTree accessTree(FilesEntitlement entitlement, List<ExclusivePath> exclusivePaths) {
@@ -263,7 +275,7 @@ static FilesEntitlement entitlement(Map<String, String> value) {
     static List<ExclusivePath> exclusivePaths(String componentName, String moduleName, String... paths) {
         List<ExclusivePath> exclusivePaths = new ArrayList<>();
         for (String path : paths) {
-            exclusivePaths.add(new ExclusivePath(componentName, moduleName, path(path)));
+            exclusivePaths.add(new ExclusivePath(componentName, moduleName, path(path).toString()));
         }
         return exclusivePaths;
     }