add skeleton for base dir

Author: jdconrad

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -108,7 +108,9 @@ private static Class<?>[] findClassesToRetransform(Class<?>[] loadedClasses, Set
     }
 
     private static PolicyManager createPolicyManager() {
-        Map<String, Policy> pluginPolicies = EntitlementBootstrap.bootstrapArgs().pluginPolicies();
+        EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
+        Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
+        Path configDir = bootstrapArgs.configDir();
 
         // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
         var serverPolicy = new Policy(
@@ -136,7 +138,15 @@ private static PolicyManager createPolicyManager() {
         // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
         List<Entitlement> agentEntitlements = List.of(new CreateClassLoaderEntitlement());
         var resolver = EntitlementBootstrap.bootstrapArgs().pluginResolver();
-        return new PolicyManager(serverPolicy, agentEntitlements, pluginPolicies, resolver, AGENTS_PACKAGE_NAME, ENTITLEMENTS_MODULE);
+        return new PolicyManager(
+            serverPolicy,
+            agentEntitlements,
+            pluginPolicies,
+            resolver,
+            AGENTS_PACKAGE_NAME,
+            ENTITLEMENTS_MODULE,
+            configDir
+        );
     }
 
     /**

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -20,22 +20,26 @@
 import static org.elasticsearch.core.PathUtils.getDefaultFileSystem;
 
 public final class FileAccessTree {
-    public static final FileAccessTree EMPTY = new FileAccessTree(FilesEntitlement.EMPTY);
+    public static final FileAccessTree EMPTY = new FileAccessTree(FilesEntitlement.EMPTY, null);
     private static final String FILE_SEPARATOR = getDefaultFileSystem().getSeparator();
 
     private final String[] readPaths;
     private final String[] writePaths;
 
-    private FileAccessTree(FilesEntitlement filesEntitlement) {
+    private FileAccessTree(FilesEntitlement filesEntitlement, Path configFile) {
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
         for (FilesEntitlement.FileData fileData : filesEntitlement.filesData()) {
-            var path = normalizePath(Path.of(fileData.path()));
+            Path path = Path.of(fileData.path());
+            if (fileData.baseDir() == FilesEntitlement.BaseDir.CONFIG) {
+                path = configFile.resolve(path);
+            }
+            String pathStr = normalizePath(path);
             var mode = fileData.mode();
             if (mode == FilesEntitlement.Mode.READ_WRITE) {
-                writePaths.add(path);
+                writePaths.add(pathStr);
             }
-            readPaths.add(path);
+            readPaths.add(pathStr);
         }
 
         readPaths.sort(String::compareTo);
@@ -45,8 +49,8 @@ private FileAccessTree(FilesEntitlement filesEntitlement) {
         this.writePaths = writePaths.toArray(new String[0]);
     }
 
-    public static FileAccessTree of(FilesEntitlement filesEntitlement) {
-        return new FileAccessTree(filesEntitlement);
+    public static FileAccessTree of(FilesEntitlement filesEntitlement, Path configFile) {
+        return new FileAccessTree(filesEntitlement, configFile);
     }
 
     boolean canRead(Path path) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -72,7 +72,7 @@ public static ModuleEntitlements none(String componentName) {
             return new ModuleEntitlements(componentName, Map.of(), FileAccessTree.EMPTY);
         }
 
-        public static ModuleEntitlements from(String componentName, List<Entitlement> entitlements) {
+        public static ModuleEntitlements from(String componentName, List<Entitlement> entitlements, Path configPath) {
             FilesEntitlement filesEntitlement = FilesEntitlement.EMPTY;
             for (Entitlement entitlement : entitlements) {
                 if (entitlement instanceof FilesEntitlement) {
@@ -82,7 +82,7 @@ public static ModuleEntitlements from(String componentName, List<Entitlement> en
             return new ModuleEntitlements(
                 componentName,
                 entitlements.stream().collect(groupingBy(Entitlement::getClass)),
-                FileAccessTree.of(filesEntitlement)
+                FileAccessTree.of(filesEntitlement, configPath)
             );
         }
 
@@ -133,13 +133,16 @@ private static Set<Module> findSystemModules() {
      */
     private final Module entitlementsModule;
 
+    private final Path configDir;
+
     public PolicyManager(
         Policy serverPolicy,
         List<Entitlement> apmAgentEntitlements,
         Map<String, Policy> pluginPolicies,
         Function<Class<?>, String> pluginResolver,
         String apmAgentPackageName,
-        Module entitlementsModule
+        Module entitlementsModule,
+        Path configDir
     ) {
         this.serverEntitlements = buildScopeEntitlementsMap(requireNonNull(serverPolicy));
         this.apmAgentEntitlements = apmAgentEntitlements;
@@ -149,6 +152,7 @@ public PolicyManager(
         this.pluginResolver = pluginResolver;
         this.apmAgentPackageName = apmAgentPackageName;
         this.entitlementsModule = entitlementsModule;
+        this.configDir = configDir;
 
         for (var e : serverEntitlements.entrySet()) {
             validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue());
@@ -410,7 +414,7 @@ private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
 
         if (requestingModule.isNamed() == false && requestingClass.getPackageName().startsWith(apmAgentPackageName)) {
             // The APM agent is the only thing running non-modular in the system classloader
-            return ModuleEntitlements.from(APM_AGENT_COMPONENT_NAME, apmAgentEntitlements);
+            return ModuleEntitlements.from(APM_AGENT_COMPONENT_NAME, apmAgentEntitlements, configDir);
         }
 
         return ModuleEntitlements.none(UNKNOWN_COMPONENT_NAME);
@@ -425,7 +429,7 @@ private ModuleEntitlements getModuleScopeEntitlements(
         if (entitlements == null) {
             return ModuleEntitlements.none(componentName);
         }
-        return ModuleEntitlements.from(componentName, entitlements);
+        return ModuleEntitlements.from(componentName, entitlements, configDir);
     }
 
     private static boolean isServerModule(Module requestingModule) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -29,7 +29,12 @@ public enum Mode {
         READ_WRITE
     }
 
-    public record FileData(String path, Mode mode) {
+    public enum BaseDir {
+        NONE,
+        CONFIG
+    }
+
+    public record FileData(String path, Mode mode, BaseDir baseDir) {
 
     }
 
@@ -60,10 +65,21 @@ public static FilesEntitlement build(List<Object> paths) {
             if (mode == null) {
                 throw new PolicyValidationException("files entitlement must contain mode for every listed file");
             }
+            String baseDirString = file.remove("base_dir");
+            BaseDir baseDir = BaseDir.NONE;
+            if (baseDirString != null) {
+                if ("config".equals(baseDirString)) {
+                    baseDir = BaseDir.CONFIG;
+                } else {
+                    throw new PolicyValidationException(
+                        "unexpected basedir [" + baseDirString + "] for in a listed file for files entitlement"
+                    );
+                }
+            }
             if (file.isEmpty() == false) {
                 throw new PolicyValidationException("unknown key(s) " + file + " in a listed file for files entitlement");
             }
-            filesData.add(new FileData(path, parseMode(mode)));
+            filesData.add(new FileData(path, parseMode(mode), baseDir));
         }
         return new FilesEntitlement(filesData);
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -71,7 +71,8 @@ public void testGetEntitlementsThrowsOnMissingPluginUnnamedModule() {
             Map.of("plugin1", createPluginPolicy("plugin.module")),
             c -> "plugin1",
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         // Any class from the current module (unnamed) will do
@@ -90,7 +91,8 @@ public void testGetEntitlementsThrowsOnMissingPolicyForPlugin() {
             Map.of(),
             c -> "plugin1",
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         // Any class from the current module (unnamed) will do
@@ -109,7 +111,8 @@ public void testGetEntitlementsFailureIsCached() {
             Map.of(),
             c -> "plugin1",
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         // Any class from the current module (unnamed) will do
@@ -133,7 +136,8 @@ public void testGetEntitlementsReturnsEntitlementsForPluginUnnamedModule() {
             Map.ofEntries(entry("plugin2", createPluginPolicy(ALL_UNNAMED))),
             c -> "plugin2",
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         // Any class from the current module (unnamed) will do
@@ -150,7 +154,8 @@ public void testGetEntitlementsThrowsOnMissingPolicyForServer() throws ClassNotF
             Map.of(),
             c -> null,
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         // Tests do not run modular, so we cannot use a server class.
@@ -176,7 +181,8 @@ public void testGetEntitlementsReturnsEntitlementsForServerModule() throws Class
             Map.of(),
             c -> null,
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         // Tests do not run modular, so we cannot use a server class.
@@ -201,7 +207,8 @@ public void testGetEntitlementsReturnsEntitlementsForPluginModule() throws IOExc
             Map.of("mock-plugin", createPluginPolicy("org.example.plugin")),
             c -> "mock-plugin",
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         var layer = createLayerForJar(jar, "org.example.plugin");
@@ -220,7 +227,8 @@ public void testGetEntitlementsResultIsCached() {
             Map.ofEntries(entry("plugin2", createPluginPolicy(ALL_UNNAMED))),
             c -> "plugin2",
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
 
         // Any class from the current module (unnamed) will do
@@ -278,7 +286,8 @@ public void testAgentsEntitlements() throws IOException, ClassNotFoundException
             Map.of(),
             c -> c.getPackageName().startsWith(TEST_AGENTS_PACKAGE_NAME) ? null : "test",
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
         ModuleEntitlements agentsEntitlements = policyManager.getEntitlements(TestAgent.class);
         assertThat(agentsEntitlements.hasEntitlement(CreateClassLoaderEntitlement.class), is(true));
@@ -305,7 +314,8 @@ public void testDuplicateEntitlements() {
                 Map.of(),
                 c -> "test",
                 TEST_AGENTS_PACKAGE_NAME,
-                NO_ENTITLEMENTS_MODULE
+                NO_ENTITLEMENTS_MODULE,
+                null
             )
         );
         assertEquals(
@@ -321,7 +331,8 @@ public void testDuplicateEntitlements() {
                 Map.of(),
                 c -> "test",
                 TEST_AGENTS_PACKAGE_NAME,
-                NO_ENTITLEMENTS_MODULE
+                NO_ENTITLEMENTS_MODULE,
+                null
             )
         );
         assertEquals(
@@ -344,15 +355,20 @@ public void testDuplicateEntitlements() {
                                 List.of(
                                     FilesEntitlement.EMPTY,
                                     new CreateClassLoaderEntitlement(),
-                                    new FilesEntitlement(List.of(new FilesEntitlement.FileData("test", FilesEntitlement.Mode.READ)))
+                                    new FilesEntitlement(
+                                        List.of(
+                                            new FilesEntitlement.FileData("test", FilesEntitlement.Mode.READ, FilesEntitlement.BaseDir.NONE)
+                                        )
+                                    )
                                 )
                             )
                         )
                     )
                 ),
                 c -> "plugin1",
                 TEST_AGENTS_PACKAGE_NAME,
-                NO_ENTITLEMENTS_MODULE
+                NO_ENTITLEMENTS_MODULE,
+                null
             )
         );
         assertEquals(
@@ -371,7 +387,8 @@ public void testPluginResolverOverridesAgents() {
             Map.of(),
             c -> "test", // Insist that the class is in a plugin
             TEST_AGENTS_PACKAGE_NAME,
-            NO_ENTITLEMENTS_MODULE
+            NO_ENTITLEMENTS_MODULE,
+            null
         );
         ModuleEntitlements notAgentsEntitlements = policyManager.getEntitlements(TestAgent.class);
         assertThat(notAgentsEntitlements.hasEntitlement(CreateClassLoaderEntitlement.class), is(false));
@@ -385,7 +402,15 @@ private static Class<?> makeClassInItsOwnModule() throws IOException, ClassNotFo
     }
 
     private static PolicyManager policyManager(String agentsPackageName, Module entitlementsModule) {
-        return new PolicyManager(createEmptyTestServerPolicy(), List.of(), Map.of(), c -> "test", agentsPackageName, entitlementsModule);
+        return new PolicyManager(
+            createEmptyTestServerPolicy(),
+            List.of(),
+            Map.of(),
+            c -> "test",
+            agentsPackageName,
+            entitlementsModule,
+            null
+        );
     }
 
     private static Policy createEmptyTestServerPolicy() {
@@ -404,7 +429,11 @@ private static Policy createPluginPolicy(String... pluginModules) {
                     name -> new Scope(
                         name,
                         List.of(
-                            new FilesEntitlement(List.of(new FilesEntitlement.FileData("/test/path", FilesEntitlement.Mode.READ))),
+                            new FilesEntitlement(
+                                List.of(
+                                    new FilesEntitlement.FileData("/test/path", FilesEntitlement.Mode.READ, FilesEntitlement.BaseDir.NONE)
+                                )
+                            ),
                             new CreateClassLoaderEntitlement()
                         )
                     )