PR comments

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -49,7 +49,6 @@
 import java.nio.file.attribute.FileAttribute;
 import java.nio.file.spi.FileSystemProvider;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -162,7 +161,7 @@ private static PolicyManager createPolicyManager() {
                     "org.elasticsearch.nativeaccess",
                     List.of(
                         new LoadNativeLibrariesEntitlement(),
-                        new FilesEntitlement(Arrays.stream(dataDirs).map(d -> FileData.ofPath(d, READ_WRITE)).toList())
+                        new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)))
                     )
                 )
             )

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -153,7 +153,7 @@ public PolicyManager(
         this.pluginResolver = pluginResolver;
         this.apmAgentPackageName = apmAgentPackageName;
         this.entitlementsModule = entitlementsModule;
-        this.pathLookup = pathLookup;
+        this.pathLookup = requireNonNull(pathLookup);
 
         for (var e : serverEntitlements.entrySet()) {
             validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue());

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -185,13 +185,13 @@ public static FilesEntitlement build(List<Object> paths) {
 
                 Path relativePath = Path.of(relativePathAsString);
                 if (relativePath.isAbsolute()) {
-                    throw new PolicyValidationException("'relative_path' must be relative");
+                    throw new PolicyValidationException("'relative_path' [" + relativePathAsString + "] must be relative");
                 }
                 filesData.add(FileData.ofRelativePath(relativePath, baseDir, parseMode(mode)));
             } else if (pathAsString != null) {
                 Path path = Path.of(pathAsString);
                 if (path.isAbsolute() == false) {
-                    throw new PolicyValidationException("'path' must be absolute");
+                    throw new PolicyValidationException("'path' [" + pathAsString + "] must be absolute");
                 }
                 filesData.add(FileData.ofPath(path, parseMode(mode)));
             } else {

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -53,6 +53,12 @@ public class PolicyManagerTests extends ESTestCase {
      */
     private static Module NO_ENTITLEMENTS_MODULE;
 
+    private static final PathLookup TEST_PATH_LOOKUP = new PathLookup(
+        Path.of("/config"),
+        new Path[] { Path.of("/data1/"), Path.of("/data2") },
+        Path.of("/temp")
+    );
+
     @BeforeClass
     public static void beforeClass() {
         try {
@@ -61,7 +67,6 @@ public static void beforeClass() {
         } catch (Exception e) {
             throw new IllegalStateException(e);
         }
-
     }
 
     public void testGetEntitlementsThrowsOnMissingPluginUnnamedModule() {
@@ -72,7 +77,7 @@ public void testGetEntitlementsThrowsOnMissingPluginUnnamedModule() {
             c -> "plugin1",
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         // Any class from the current module (unnamed) will do
@@ -92,7 +97,7 @@ public void testGetEntitlementsThrowsOnMissingPolicyForPlugin() {
             c -> "plugin1",
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         // Any class from the current module (unnamed) will do
@@ -112,7 +117,7 @@ public void testGetEntitlementsFailureIsCached() {
             c -> "plugin1",
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         // Any class from the current module (unnamed) will do
@@ -137,7 +142,7 @@ public void testGetEntitlementsReturnsEntitlementsForPluginUnnamedModule() {
             c -> "plugin2",
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         // Any class from the current module (unnamed) will do
@@ -155,7 +160,7 @@ public void testGetEntitlementsThrowsOnMissingPolicyForServer() throws ClassNotF
             c -> null,
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         // Tests do not run modular, so we cannot use a server class.
@@ -182,7 +187,7 @@ public void testGetEntitlementsReturnsEntitlementsForServerModule() throws Class
             c -> null,
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         // Tests do not run modular, so we cannot use a server class.
@@ -208,7 +213,7 @@ public void testGetEntitlementsReturnsEntitlementsForPluginModule() throws IOExc
             c -> "mock-plugin",
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         var layer = createLayerForJar(jar, "org.example.plugin");
@@ -228,7 +233,7 @@ public void testGetEntitlementsResultIsCached() {
             c -> "plugin2",
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
 
         // Any class from the current module (unnamed) will do
@@ -287,7 +292,7 @@ public void testAgentsEntitlements() throws IOException, ClassNotFoundException
             c -> c.getPackageName().startsWith(TEST_AGENTS_PACKAGE_NAME) ? null : "test",
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
         ModuleEntitlements agentsEntitlements = policyManager.getEntitlements(TestAgent.class);
         assertThat(agentsEntitlements.hasEntitlement(CreateClassLoaderEntitlement.class), is(true));
@@ -315,7 +320,7 @@ public void testDuplicateEntitlements() {
                 c -> "test",
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
-                null
+                TEST_PATH_LOOKUP
             )
         );
         assertEquals(
@@ -332,7 +337,7 @@ public void testDuplicateEntitlements() {
                 c -> "test",
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
-                null
+                TEST_PATH_LOOKUP
             )
         );
         assertEquals(
@@ -366,7 +371,7 @@ public void testDuplicateEntitlements() {
                 c -> "plugin1",
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
-                null
+                TEST_PATH_LOOKUP
             )
         );
         assertEquals(
@@ -386,7 +391,7 @@ public void testPluginResolverOverridesAgents() {
             c -> "test", // Insist that the class is in a plugin
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
-            null
+            TEST_PATH_LOOKUP
         );
         ModuleEntitlements notAgentsEntitlements = policyManager.getEntitlements(TestAgent.class);
         assertThat(notAgentsEntitlements.hasEntitlement(CreateClassLoaderEntitlement.class), is(false));
@@ -407,7 +412,7 @@ private static PolicyManager policyManager(String agentsPackageName, Module enti
             c -> "test",
             agentsPackageName,
             entitlementsModule,
-            null
+            TEST_PATH_LOOKUP
         );
     }
 

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyParserFailureTests.java

@@ -73,7 +73,7 @@ public void testEntitlementRelativePathWhenAbsolute() {
             """.getBytes(StandardCharsets.UTF_8)), "test-failure-policy.yaml", false).parsePolicy());
         assertEquals(
             "[2:5] policy parsing error for [test-failure-policy.yaml] in scope [entitlement-module-name] "
-                + "for entitlement type [files]: 'path' must be absolute",
+                + "for entitlement type [files]: 'path' [test-path] must be absolute",
             ppe.getMessage()
         );
     }
@@ -88,7 +88,7 @@ public void testEntitlementAbsolutePathWhenRelative() {
             """.getBytes(StandardCharsets.UTF_8)), "test-failure-policy.yaml", false).parsePolicy());
         assertEquals(
             "[2:5] policy parsing error for [test-failure-policy.yaml] in scope [entitlement-module-name] "
-                + "for entitlement type [files]: 'relative_path' must be relative",
+                + "for entitlement type [files]: 'relative_path' [/test-path] must be relative",
             ppe.getMessage()
         );
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlementTests.java

@@ -9,12 +9,16 @@
 
 package org.elasticsearch.entitlement.runtime.policy.entitlements;
 
+import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.PolicyValidationException;
 import org.elasticsearch.test.ESTestCase;
 
+import java.nio.file.Path;
 import java.util.List;
 import java.util.Map;
 
+import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ_WRITE;
+import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.is;
 
 public class FilesEntitlementTests extends ESTestCase {
@@ -33,4 +37,12 @@ public void testInvalidRelativeDirectory() {
         );
         assertThat(ex.getMessage(), is("invalid relative directory: bar, valid values: [config, data]"));
     }
+
+    public void testFileDataRelativeWithEmptyDirectory() {
+        var fileData = FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE);
+        var dataDirs = fileData.resolvePaths(
+            new PathLookup(Path.of("/config"), new Path[] { Path.of("/data1/"), Path.of("/data2") }, Path.of("/temp"))
+        );
+        assertThat(dataDirs.toList(), contains(Path.of("/data1/"), Path.of("/data2")));
+    }
 }