Add tests

ldematte · ldematte · commit 3d4532d2e5bb · 2025-02-12T15:21:19.000+01:00
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
@@ -13,9 +13,12 @@
 import org.elasticsearch.entitlement.runtime.policy.PolicyValidationException;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 /**
  * Describes a file entitlement with a path and mode.
@@ -50,6 +53,15 @@ private static Mode parseMode(String mode) {
         }
     }
 
+    private static BaseDir parseBaseDir(String baseDir) {
+        return switch (baseDir) {
+            case "config" -> BaseDir.CONFIG;
+            case "data" -> BaseDir.DATA;
+            case "temp" -> BaseDir.TEMP;
+            default -> throw new PolicyValidationException("invalid base_dir: " + baseDir + ", valid values: [config, data, temp]");
+        };
+    }
+
     @ExternalEntitlement(parameterNames = { "paths" }, esModulesOnly = false)
     @SuppressWarnings("unchecked")
     public static FilesEntitlement build(List<Object> paths) {
@@ -68,16 +80,8 @@ public static FilesEntitlement build(List<Object> paths) {
                 throw new PolicyValidationException("files entitlement must contain mode for every listed file");
             }
             String baseDirString = file.remove("base_dir");
-            BaseDir baseDir = BaseDir.NONE;
-            if (baseDirString != null) {
-                if ("config".equals(baseDirString)) {
-                    baseDir = BaseDir.CONFIG;
-                } else {
-                    throw new PolicyValidationException(
-                        "unexpected basedir [" + baseDirString + "] for in a listed file for files entitlement"
-                    );
-                }
-            }
+            final BaseDir baseDir = baseDirString == null ? BaseDir.NONE : parseBaseDir(baseDirString);
+
             if (file.isEmpty() == false) {
                 throw new PolicyValidationException("unknown key(s) " + file + " in a listed file for files entitlement");
             }
diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java
@@ -19,9 +19,12 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Stream;
 
 import static org.elasticsearch.core.PathUtils.getDefaultFileSystem;
 import static org.hamcrest.Matchers.is;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
 
 public class FileAccessTreeTests extends ESTestCase {
 
@@ -85,6 +88,68 @@ public void testReadWriteUnderRead() {
         assertThat(tree.canWrite(path("foo/bar")), is(true));
     }
 
+    public void testReadWithBaseDir() {
+        var resolver = Mockito.mock(DirectoryResolver.class);
+        when(resolver.resolveTemp(any(Path.class))).thenReturn(Path.of("/tmp/foo"));
+        var tree = FileAccessTree.of(
+            entitlement(Map.of("path", "foo", "mode", "read", "base_dir", "temp")),
+            resolver
+        );
+        assertThat(tree.canRead(path("foo")), is(false));
+
+        assertThat(tree.canRead(path("/tmp/foo")), is(true));
+
+        assertThat(tree.canRead(path("/tmp/foo/subdir")), is(true));
+        assertThat(tree.canRead(path("/tmp/food")), is(false));
+        assertThat(tree.canWrite(path("/tmp/foo")), is(false));
+
+        assertThat(tree.canRead(path("/tmp")), is(false));
+        assertThat(tree.canRead(path("/tmp/before")), is(false));
+        assertThat(tree.canRead(path("/tmp/later")), is(false));
+    }
+
+    public void testWriteWithBaseDir() {
+        var resolver = Mockito.mock(DirectoryResolver.class);
+        when(resolver.resolveConfig(any(Path.class))).thenReturn(Path.of("/config/foo"));
+        var tree = FileAccessTree.of(
+            entitlement(Map.of("path", "foo", "mode", "read_write", "base_dir", "config")),
+            resolver
+        );
+        assertThat(tree.canWrite(path("/config/foo")), is(true));
+        assertThat(tree.canWrite(path("/config/foo/subdir")), is(true));
+        assertThat(tree.canWrite(path("foo")), is(false));
+        assertThat(tree.canWrite(path("/config/food")), is(false));
+        assertThat(tree.canRead(path("/config/foo")), is(true));
+        assertThat(tree.canRead(path("foo")), is(false));
+
+        assertThat(tree.canWrite(path("/config")), is(false));
+        assertThat(tree.canWrite(path("/config/before")), is(false));
+        assertThat(tree.canWrite(path("/config/later")), is(false));
+    }
+
+    public void testMultipleDataBaseDir() {
+        var resolver = Mockito.mock(DirectoryResolver.class);
+        when(resolver.resolveData(any(Path.class))).thenReturn(Stream.of(Path.of("/data1/foo"), Path.of("/data2/foo")));
+        var tree = FileAccessTree.of(
+            entitlement(Map.of("path", "foo", "mode", "read_write", "base_dir", "data")),
+            resolver
+        );
+        assertThat(tree.canWrite(path("/data1/foo")), is(true));
+        assertThat(tree.canWrite(path("/data2/foo")), is(true));
+        assertThat(tree.canWrite(path("/data3/foo")), is(false));
+        assertThat(tree.canWrite(path("/data1/foo/subdir")), is(true));
+        assertThat(tree.canWrite(path("foo")), is(false));
+        assertThat(tree.canWrite(path("/data1/food")), is(false));
+        assertThat(tree.canRead(path("/data1/foo")), is(true));
+        assertThat(tree.canRead(path("/data2/foo")), is(true));
+        assertThat(tree.canRead(path("foo")), is(false));
+
+        assertThat(tree.canWrite(path("/data1")), is(false));
+        assertThat(tree.canWrite(path("/data2")), is(false));
+        assertThat(tree.canWrite(path("/config/before")), is(false));
+        assertThat(tree.canWrite(path("/config/later")), is(false));
+    }
+
     public void testNormalizePath() {
         var tree = FileAccessTree.of(entitlement("foo/../bar", "read"), Mockito.mock(DirectoryResolver.class));
         assertThat(tree.canRead(path("foo/../bar")), is(true));
@@ -105,7 +170,7 @@ public void testForwardSlashes() {
         assertThat(tree.canRead(path("m/n")), is(true));
     }
 
-    FilesEntitlement entitlement(String... values) {
+    static FilesEntitlement entitlement(String... values) {
         List<Object> filesData = new ArrayList<>();
         for (int i = 0; i < values.length; i += 2) {
             Map<String, String> fileData = new HashMap<>();
@@ -115,4 +180,8 @@ FilesEntitlement entitlement(String... values) {
         }
         return FilesEntitlement.build(filesData);
     }
+
+    static FilesEntitlement entitlement(Map<String, String> value) {
+        return FilesEntitlement.build(List.of(value));
+    }
 }
diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyParserTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyParserTests.java
@@ -109,6 +109,74 @@ public void testPolicyBuilderOnExternalPlugin() throws IOException {
         assertEquals(expected, parsedPolicy);
     }
 
+    public void testParseFiles() throws IOException {
+        Policy policyWithOnePath = new PolicyParser(new ByteArrayInputStream("""
+            entitlement-module-name:
+              - files:
+                - path: "test/path/to/file"
+                  mode: "read_write"
+            """.getBytes(StandardCharsets.UTF_8)), "test-policy.yaml", false).parsePolicy();
+        Policy expected = new Policy(
+            "test-policy.yaml",
+            List.of(
+                new Scope(
+                    "entitlement-module-name",
+                    List.of(FilesEntitlement.build(List.of(Map.of("path", "test/path/to/file", "mode", "read_write"))))
+                )
+            )
+        );
+        assertEquals(expected, policyWithOnePath);
+
+        Policy policyWithTwoPaths = new PolicyParser(new ByteArrayInputStream("""
+            entitlement-module-name:
+              - files:
+                - path: "test/path/to/file"
+                  mode: "read_write"
+                - path: "test/path/to/read-dir/"
+                  mode: "read"
+            """.getBytes(StandardCharsets.UTF_8)), "test-policy.yaml", false).parsePolicy();
+        expected = new Policy(
+            "test-policy.yaml",
+            List.of(
+                new Scope(
+                    "entitlement-module-name",
+                    List.of(FilesEntitlement.build(List.of(
+                        Map.of("path", "test/path/to/file", "mode", "read_write"),
+                        Map.of("path", "test/path/to/read-dir/", "mode", "read")
+                    )))
+                )
+            )
+        );
+        assertEquals(expected, policyWithTwoPaths);
+
+        Policy policyWithMultiplePathsAndBaseDir = new PolicyParser(new ByteArrayInputStream("""
+            entitlement-module-name:
+              - files:
+                - path: "test/path/to/file"
+                  mode: "read_write"
+                  base_dir: "temp"
+                - path: "test/path/to/read-dir/"
+                  mode: "read"
+                  base_dir: "config"
+                - path: "/path/to/file"
+                  mode: "read_write"
+            """.getBytes(StandardCharsets.UTF_8)), "test-policy.yaml", false).parsePolicy();
+        expected = new Policy(
+            "test-policy.yaml",
+            List.of(
+                new Scope(
+                    "entitlement-module-name",
+                    List.of(FilesEntitlement.build(List.of(
+                        Map.of("path", "test/path/to/file", "mode", "read_write", "base_dir", "temp"),
+                        Map.of("path", "test/path/to/read-dir/", "mode", "read", "base_dir", "config"),
+                        Map.of("path", "/path/to/file", "mode", "read_write")
+                    )))
+                )
+            )
+        );
+        assertEquals(expected, policyWithMultiplePathsAndBaseDir);
+    }
+
     public void testParseNetwork() throws IOException {
         Policy parsedPolicy = new PolicyParser(new ByteArrayInputStream("""
             entitlement-module-name:
diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlementTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlementTests.java
@@ -13,13 +13,24 @@
 import org.elasticsearch.test.ESTestCase;
 
 import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.is;
 
 public class FilesEntitlementTests extends ESTestCase {
 
     public void testEmptyBuild() {
         PolicyValidationException pve = expectThrows(PolicyValidationException.class, () -> FilesEntitlement.build(List.of()));
-        assertEquals(pve.getMessage(), "must specify at least one path");
+        assertEquals("must specify at least one path", pve.getMessage());
         pve = expectThrows(PolicyValidationException.class, () -> FilesEntitlement.build(null));
-        assertEquals(pve.getMessage(), "must specify at least one path");
+        assertEquals("must specify at least one path", pve.getMessage());
+    }
+
+    public void testNotABaseDir() {
+        var ex = expectThrows(
+            PolicyValidationException.class,
+            () -> FilesEntitlement.build(List.of((Map.of("path", "foo", "mode", "read", "base_dir", "bar"))))
+        );
+        assertThat(ex.getMessage(), is("invalid base_dir: bar, valid values: [config, data, temp]"));
     }
 }
