using FileAccessTree

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -21,6 +21,7 @@
 import org.elasticsearch.entitlement.instrumentation.MethodKey;
 import org.elasticsearch.entitlement.instrumentation.Transformer;
 import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
+import org.elasticsearch.entitlement.runtime.policy.FileAccessTree;
 import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
@@ -353,45 +354,64 @@ static void validateFilesEntitlements(
         Path modulesDir,
         Path libDir
     ) {
-        var pluginReadAccessForbidden = pathSet(pluginsDir, modulesDir, libDir);
-        var pluginWriteAccessForbidden = pathSet(configDir);
+        var readAccessForbidden = pathSet(pluginsDir, modulesDir, libDir);
+        var writeAccessForbidden = pathSet(configDir);
         for (var pluginPolicy : pluginPolicies.entrySet()) {
-            List<Path> readPaths = getFileDataStream(pluginPolicy.getValue()).flatMap(x -> x.resolvePaths(pathLookup)).toList();
-            List<Path> writePaths = getFileDataStream(pluginPolicy.getValue()).filter(x -> x.mode().equals(READ_WRITE))
-                .flatMap(x -> x.resolvePaths(pathLookup))
-                .toList();
-            validateLayerFilesEntitlements(pluginPolicy.getKey(), readPaths, pluginReadAccessForbidden, READ);
-            validateLayerFilesEntitlements(pluginPolicy.getKey(), writePaths, pluginWriteAccessForbidden, READ_WRITE);
+            for (var scope : pluginPolicy.getValue().scopes()) {
+                var filesEntitlement = scope.entitlements()
+                    .stream()
+                    .filter(x -> x instanceof FilesEntitlement)
+                    .map(x -> ((FilesEntitlement) x))
+                    .findFirst();
+                if (filesEntitlement.isPresent()) {
+                    var fileAccessTree = FileAccessTree.withoutExclusivePaths(filesEntitlement.get(), pathLookup, null);
+                    validateReadFilesEntitlements(pluginPolicy.getKey(), scope.moduleName(), fileAccessTree, readAccessForbidden);
+                    validateWriteFilesEntitlements(pluginPolicy.getKey(), scope.moduleName(), fileAccessTree, writeAccessForbidden);
+                }
+            }
         }
     }
 
-    private static Stream<FileData> getFileDataStream(Policy policy) {
-        return getFileDataStream(policy.scopes().stream().flatMap(x -> x.entitlements().stream()));
+    private static IllegalArgumentException buildValidationException(
+        String componentName,
+        String moduleName,
+        Path forbiddenPath,
+        FilesEntitlement.Mode mode
+    ) {
+        return new IllegalArgumentException(
+            Strings.format(
+                "policy for module [%s] in [%s] has an invalid file entitlement. Any path under [%s] is forbidden for mode [%s].",
+                moduleName,
+                componentName,
+                forbiddenPath,
+                mode
+            )
+        );
     }
 
-    private static Stream<FileData> getFileDataStream(Stream<Entitlement> entitlements) {
-        return entitlements.filter(x -> x instanceof FilesEntitlement).flatMap(x -> ((FilesEntitlement) x).filesData().stream());
+    private static void validateReadFilesEntitlements(
+        String componentName,
+        String moduleName,
+        FileAccessTree fileAccessTree,
+        Set<Path> readForbiddenPaths
+    ) {
+
+        for (Path forbiddenPath : readForbiddenPaths) {
+            if (fileAccessTree.canRead(forbiddenPath)) {
+                throw buildValidationException(componentName, moduleName, forbiddenPath, READ);
+            }
+        }
     }
 
-    private static void validateLayerFilesEntitlements(
-        String layerName,
-        List<Path> paths,
-        Set<Path> forbiddenPaths,
-        FilesEntitlement.Mode mode
+    private static void validateWriteFilesEntitlements(
+        String componentName,
+        String moduleName,
+        FileAccessTree fileAccessTree,
+        Set<Path> writeForbiddenPaths
     ) {
-        for (var path : paths) {
-            for (Path forbiddenPath : forbiddenPaths) {
-                if (path.startsWith(forbiddenPath)) {
-                    throw new IllegalArgumentException(
-                        Strings.format(
-                            "policy for [%s] cannot contain a file entitlement for [%s]. Any path under [%s] is forbidden for mode [%s].",
-                            layerName,
-                            path,
-                            forbiddenPath,
-                            mode
-                        )
-                    );
-                }
+        for (Path forbiddenPath : writeForbiddenPaths) {
+            if (fileAccessTree.canWrite(forbiddenPath)) {
+                throw buildValidationException(componentName, moduleName, forbiddenPath, READ_WRITE);
             }
         }
     }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -111,12 +111,9 @@ static void validateExclusivePaths(List<ExclusivePath> exclusivePaths) {
     private final String[] readPaths;
     private final String[] writePaths;
 
-    private FileAccessTree(
+    private static String[] buildUpdatedAndSortedExclusivePaths(
         String componentName,
         String moduleName,
-        FilesEntitlement filesEntitlement,
-        PathLookup pathLookup,
-        Path componentPath,
         List<ExclusivePath> exclusivePaths
     ) {
         List<String> updatedExclusivePaths = new ArrayList<>();
@@ -125,7 +122,11 @@ private FileAccessTree(
                 updatedExclusivePaths.add(exclusivePath.path());
             }
         }
+        updatedExclusivePaths.sort(PATH_ORDER);
+        return updatedExclusivePaths.toArray(new String[0]);
+    }
 
+    private FileAccessTree(FilesEntitlement filesEntitlement, PathLookup pathLookup, Path componentPath, String[] sortedExclusivePaths) {
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
         BiConsumer<Path, Mode> addPath = (path, mode) -> {
@@ -177,11 +178,10 @@ private FileAccessTree(
         Path jdk = Paths.get(System.getProperty("java.home"));
         addPathAndMaybeLink.accept(jdk.resolve("conf"), Mode.READ);
 
-        updatedExclusivePaths.sort(PATH_ORDER);
         readPaths.sort(PATH_ORDER);
         writePaths.sort(PATH_ORDER);
 
-        this.exclusivePaths = updatedExclusivePaths.toArray(new String[0]);
+        this.exclusivePaths = sortedExclusivePaths;
         this.readPaths = pruneSortedPaths(readPaths).toArray(new String[0]);
         this.writePaths = pruneSortedPaths(writePaths).toArray(new String[0]);
     }
@@ -211,14 +211,30 @@ static FileAccessTree of(
         @Nullable Path componentPath,
         List<ExclusivePath> exclusivePaths
     ) {
-        return new FileAccessTree(componentName, moduleName, filesEntitlement, pathLookup, componentPath, exclusivePaths);
+        return new FileAccessTree(
+            filesEntitlement,
+            pathLookup,
+            componentPath,
+            buildUpdatedAndSortedExclusivePaths(componentName, moduleName, exclusivePaths)
+        );
+    }
+
+    /**
+     * A special factory method to create a FileAccessTree with no ExclusivePaths, e.g. for quick validation or for default file access
+     */
+    public static FileAccessTree withoutExclusivePaths(
+        FilesEntitlement filesEntitlement,
+        PathLookup pathLookup,
+        @Nullable Path componentPath
+    ) {
+        return new FileAccessTree(filesEntitlement, pathLookup, componentPath, new String[0]);
     }
 
-    boolean canRead(Path path) {
+    public boolean canRead(Path path) {
         return checkPath(normalizePath(path), readPaths);
     }
 
-    boolean canWrite(Path path) {
+    public boolean canWrite(Path path) {
         return checkPath(normalizePath(path), writePaths);
     }
 

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -101,18 +101,13 @@ public <E extends Entitlement> Stream<E> getEntitlements(Class<E> entitlementCla
         }
     }
 
-    private FileAccessTree getDefaultFileAccess(String componentName, Path componentPath) {
-        return FileAccessTree.of(componentName, UNKNOWN_COMPONENT_NAME, FilesEntitlement.EMPTY, pathLookup, componentPath, List.of());
+    private FileAccessTree getDefaultFileAccess(Path componentPath) {
+        return FileAccessTree.withoutExclusivePaths(FilesEntitlement.EMPTY, pathLookup, componentPath);
     }
 
     // pkg private for testing
     ModuleEntitlements defaultEntitlements(String componentName, Path componentPath, String moduleName) {
-        return new ModuleEntitlements(
-            componentName,
-            Map.of(),
-            getDefaultFileAccess(componentName, componentPath),
-            getLogger(componentName, moduleName)
-        );
+        return new ModuleEntitlements(componentName, Map.of(), getDefaultFileAccess(componentPath), getLogger(componentName, moduleName));
     }
 
     // pkg private for testing

libs/entitlement/src/test/java/org/elasticsearch/entitlement/initialization/EntitlementInitializationTests.java

@@ -108,7 +108,9 @@ public void testValidationFailForRead() {
         );
         assertThat(
             ex.getMessage(),
-            both(startsWith("policy for [plugin] cannot contain a file entitlement for")).and(endsWith("is forbidden for mode [READ]."))
+            both(startsWith("policy for module [module2] in [plugin] has an invalid file entitlement")).and(
+                endsWith("is forbidden for mode [READ].")
+            )
         );
 
         // check fails for mode READ_WRITE too
@@ -138,7 +140,9 @@ public void testValidationFailForRead() {
         );
         assertThat(
             ex.getMessage(),
-            both(startsWith("policy for [plugin2] cannot contain a file entitlement")).and(endsWith("is forbidden for mode [READ]."))
+            both(startsWith("policy for module [module1] in [plugin2] has an invalid file entitlement")).and(
+                endsWith("is forbidden for mode [READ].")
+            )
         );
     }
 
@@ -169,7 +173,9 @@ public void testValidationFailForWrite() {
         );
         assertThat(
             ex.getMessage(),
-            both(startsWith("policy for [plugin] cannot contain a file entitlement")).and(endsWith("is forbidden for mode [READ_WRITE]."))
+            both(startsWith("policy for module [module1] in [plugin] has an invalid file entitlement")).and(
+                endsWith("is forbidden for mode [READ_WRITE].")
+            )
         );
     }
 }