Add single flag entitlement validation (#121234)

This adds basic flag entitlement validation when creating PolicyManager. If a module has the same flag 
entitlement as part of it's policy multiple times we will throw an IllegalArgumentException. With this 
validation we can safely assume FileEntitlement is the only one we currently have that allows multiple entitlements in a policy.

Author: jdconrad

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -20,6 +20,7 @@
 import java.lang.module.ModuleFinder;
 import java.lang.module.ModuleReference;
 import java.nio.file.Path;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -120,12 +121,43 @@ public PolicyManager(
         this.pluginResolver = pluginResolver;
         this.agentsPackageName = agentsPackageName;
         this.entitlementsModule = entitlementsModule;
+
+        for (var e : serverEntitlements.entrySet()) {
+            validateEntitlementsPerModule("server", e.getKey(), e.getValue());
+        }
+        validateEntitlementsPerModule("agent", "unnamed", agentEntitlements);
+        for (var p : pluginsEntitlements.entrySet()) {
+            for (var m : p.getValue().entrySet()) {
+                validateEntitlementsPerModule(p.getKey(), m.getKey(), m.getValue());
+            }
+        }
     }
 
     private static Map<String, List<Entitlement>> buildScopeEntitlementsMap(Policy policy) {
         return policy.scopes().stream().collect(toUnmodifiableMap(Scope::moduleName, Scope::entitlements));
     }
 
+    private static void validateEntitlementsPerModule(String sourceName, String moduleName, List<Entitlement> entitlements) {
+        Set<Class<? extends Entitlement>> flagEntitlements = new HashSet<>();
+        for (var e : entitlements) {
+            if (e instanceof FileEntitlement) {
+                continue;
+            }
+            if (flagEntitlements.contains(e.getClass())) {
+                throw new IllegalArgumentException(
+                    "["
+                        + sourceName
+                        + "] using module ["
+                        + moduleName
+                        + "] found duplicate flag entitlements ["
+                        + e.getClass().getName()
+                        + "]"
+                );
+            }
+            flagEntitlements.add(e.getClass());
+        }
+    }
+
     public void checkStartProcess(Class<?> callerClass) {
         neverEntitled(callerClass, "start process");
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -286,6 +286,78 @@ public void testAgentsEntitlements() throws IOException, ClassNotFoundException
         }
     }
 
+    public void testDuplicateFlagEntitlements() {
+        IllegalArgumentException iae = expectThrows(
+            IllegalArgumentException.class,
+            () -> new PolicyManager(
+                new Policy(
+                    "server",
+                    List.of(new Scope("test", List.of(new CreateClassLoaderEntitlement(), new CreateClassLoaderEntitlement())))
+                ),
+                List.of(),
+                Map.of(),
+                c -> "test",
+                TEST_AGENTS_PACKAGE_NAME,
+                NO_ENTITLEMENTS_MODULE
+            )
+        );
+        assertEquals(
+            "[server] using module [test] found duplicate flag entitlements "
+                + "[org.elasticsearch.entitlement.runtime.policy.CreateClassLoaderEntitlement]",
+            iae.getMessage()
+        );
+
+        iae = expectThrows(
+            IllegalArgumentException.class,
+            () -> new PolicyManager(
+                createEmptyTestServerPolicy(),
+                List.of(new CreateClassLoaderEntitlement(), new CreateClassLoaderEntitlement()),
+                Map.of(),
+                c -> "test",
+                TEST_AGENTS_PACKAGE_NAME,
+                NO_ENTITLEMENTS_MODULE
+            )
+        );
+        assertEquals(
+            "[agent] using module [unnamed] found duplicate flag entitlements "
+                + "[org.elasticsearch.entitlement.runtime.policy.CreateClassLoaderEntitlement]",
+            iae.getMessage()
+        );
+
+        iae = expectThrows(
+            IllegalArgumentException.class,
+            () -> new PolicyManager(
+                createEmptyTestServerPolicy(),
+                List.of(),
+                Map.of(
+                    "plugin1",
+                    new Policy(
+                        "test",
+                        List.of(
+                            new Scope(
+                                "test",
+                                List.of(
+                                    new FileEntitlement("/test/path", FileEntitlement.Mode.READ),
+                                    new CreateClassLoaderEntitlement(),
+                                    new FileEntitlement("/test/test", FileEntitlement.Mode.READ),
+                                    new CreateClassLoaderEntitlement()
+                                )
+                            )
+                        )
+                    )
+                ),
+                c -> "plugin1",
+                TEST_AGENTS_PACKAGE_NAME,
+                NO_ENTITLEMENTS_MODULE
+            )
+        );
+        assertEquals(
+            "[plugin1] using module [test] found duplicate flag entitlements "
+                + "[org.elasticsearch.entitlement.runtime.policy.CreateClassLoaderEntitlement]",
+            iae.getMessage()
+        );
+    }
+
     private static Class<?> makeClassInItsOwnModule() throws IOException, ClassNotFoundException {
         final Path home = createTempDir();
         Path jar = createMockPluginJar(home);