more debugging

mosche · mosche · commit 3283ff2786bf · 2025-03-03T16:18:19.000+01:00
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
@@ -154,6 +154,11 @@ private FileAccessTree(
         this.writePaths = pruneSortedPaths(writePaths).toArray(new String[0]);
     }
 
+    public String toDebugString() {
+        return Strings.format("FileAccessTree[readPaths: [%s], writePaths: [%s], exclusivePaths: [%s]]",
+            String.join(",", readPaths), String.join(",", writePaths), String.join(",", exclusivePaths));
+    }
+
     private static List<String> pruneSortedPaths(List<String> paths) {
         List<String> prunedReadPaths = new ArrayList<>();
         if (paths.isEmpty() == false) {
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
@@ -335,13 +335,14 @@ public void checkFileRead(Class<?> callerClass, Path path) {
 
         ModuleEntitlements entitlements = getEntitlements(requestingClass);
         if (entitlements.fileAccess().canRead(path) == false) {
+            logger.info(entitlements.fileAccess().toDebugString());
             notEntitled(
                 Strings.format(
                     "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
                     entitlements.componentName(),
                     requestingClass.getModule().getName(),
                     requestingClass,
-                    path
+                    FileAccessTree.normalizePath(path)
                 ),
                 callerClass
             );
@@ -364,13 +365,14 @@ public void checkFileWrite(Class<?> callerClass, Path path) {
 
         ModuleEntitlements entitlements = getEntitlements(requestingClass);
         if (entitlements.fileAccess().canWrite(path) == false) {
+            logger.info(entitlements.fileAccess().toDebugString());
             notEntitled(
                 Strings.format(
                     "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]",
                     entitlements.componentName(),
                     requestingClass.getModule().getName(),
                     requestingClass,
-                    path
+                    FileAccessTree.normalizePath(path)
                 ),
                 callerClass
             );
