Merge branch 'main' into exclusive2

Author: jdconrad

docs/changelog/123079.yaml

@@ -0,0 +1,5 @@
+pr: 123079
+summary: Register `IngestGeoIpMetadata` as a NamedXContent
+area: Ingest Node
+type: bug
+issues: []

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -67,6 +67,7 @@
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.BaseDir.SHARED_REPO;
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ;
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ_WRITE;
+import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Platform.LINUX;
 
 /**
  * Called by the agent during {@code agentmain} to configure the entitlement system,
@@ -182,22 +183,22 @@ private static PolicyManager createPolicyManager() {
                             FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),
 
                             // OS release on Linux
-                            FileData.ofPath(Path.of("/etc/os-release"), READ),
-                            FileData.ofPath(Path.of("/etc/system-release"), READ),
-                            FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
+                            FileData.ofPath(Path.of("/etc/os-release"), READ).withPlatform(LINUX),
+                            FileData.ofPath(Path.of("/etc/system-release"), READ).withPlatform(LINUX),
+                            FileData.ofPath(Path.of("/usr/lib/os-release"), READ).withPlatform(LINUX),
                             // read max virtual memory areas
-                            FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
-                            FileData.ofPath(Path.of("/proc/meminfo"), READ),
+                            FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ).withPlatform(LINUX),
+                            FileData.ofPath(Path.of("/proc/meminfo"), READ).withPlatform(LINUX),
                             // load averages on Linux
-                            FileData.ofPath(Path.of("/proc/loadavg"), READ),
+                            FileData.ofPath(Path.of("/proc/loadavg"), READ).withPlatform(LINUX),
                             // control group stats on Linux. cgroup v2 stats are in an unpredicable
                             // location under `/sys/fs/cgroup`, so unfortunately we have to allow
                             // read access to the entire directory hierarchy.
-                            FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
-                            FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
+                            FileData.ofPath(Path.of("/proc/self/cgroup"), READ).withPlatform(LINUX),
+                            FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ).withPlatform(LINUX),
                             // // io stats on Linux
-                            FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
-                            FileData.ofPath(Path.of("/proc/diskstats"), READ)
+                            FileData.ofPath(Path.of("/proc/self/mountinfo"), READ).withPlatform(LINUX),
+                            FileData.ofPath(Path.of("/proc/diskstats"), READ).withPlatform(LINUX)
                         )
                     )
                 )

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -78,6 +78,10 @@ private FileAccessTree(
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
         for (FilesEntitlement.FileData fileData : filesEntitlement.filesData()) {
+            var platform = fileData.platform();
+            if (platform != null && platform.isCurrent() == false) {
+                continue;
+            }
             var mode = fileData.mode();
             var paths = fileData.resolvePaths(pathLookup);
             paths.forEach(path -> {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -42,6 +42,31 @@ public enum BaseDir {
         HOME
     }
 
+    public enum Platform {
+        LINUX,
+        MACOS,
+        WINDOWS;
+
+        private static final Platform current = findCurrent();
+
+        private static Platform findCurrent() {
+            String os = System.getProperty("os.name");
+            if (os.startsWith("Linux")) {
+                return LINUX;
+            } else if (os.startsWith("Mac OS")) {
+                return MACOS;
+            } else if (os.startsWith("Windows")) {
+                return WINDOWS;
+            } else {
+                throw new AssertionError("Unsupported platform [" + os + "]");
+            }
+        }
+
+        public boolean isCurrent() {
+            return this == current;
+        }
+    }
+
     public sealed interface FileData {
 
         Stream<Path> resolvePaths(PathLookup pathLookup);
@@ -50,22 +75,26 @@ public sealed interface FileData {
 
         boolean exclusive();
 
-        FileData withExclusive();
+        FileData withExclusive(boolean exclusive);
+
+        Platform platform();
+
+        FileData withPlatform(Platform platform);
 
         static FileData ofPath(Path path, Mode mode) {
-            return new AbsolutePathFileData(path, mode, false);
+            return new AbsolutePathFileData(path, mode, null, false);
         }
 
         static FileData ofRelativePath(Path relativePath, BaseDir baseDir, Mode mode) {
-            return new RelativePathFileData(relativePath, baseDir, mode, false);
+            return new RelativePathFileData(relativePath, baseDir, mode, null, false);
         }
 
         static FileData ofPathSetting(String setting, Mode mode) {
-            return new PathSettingFileData(setting, mode, false);
+            return new PathSettingFileData(setting, mode, null, false);
         }
 
         static FileData ofRelativePathSetting(String setting, BaseDir baseDir, Mode mode) {
-            return new RelativePathSettingFileData(setting, baseDir, mode, false);
+            return new RelativePathSettingFileData(setting, baseDir, mode, null, false);
         }
 
         /**
@@ -149,62 +178,94 @@ private static Stream<Path> relativePathsCombination(Path[] baseDirs, Stream<Pat
         return paths.stream();
     }
 
-    private record AbsolutePathFileData(Path path, Mode mode, boolean exclusive) implements FileData {
+    private record AbsolutePathFileData(Path path, Mode mode, Platform platform, boolean exclusive) implements FileData {
 
         @Override
-        public AbsolutePathFileData withExclusive() {
-            return new AbsolutePathFileData(path, mode, true);
+        public AbsolutePathFileData withExclusive(boolean exclusive) {
+            return new AbsolutePathFileData(path, mode, platform, exclusive);
         }
 
         @Override
         public Stream<Path> resolvePaths(PathLookup pathLookup) {
             return Stream.of(path);
         }
+
+        @Override
+        public FileData withPlatform(Platform platform) {
+            if (platform == platform()) {
+                return this;
+            }
+            return new AbsolutePathFileData(path, mode, platform, exclusive);
+        }
     }
 
-    private record RelativePathFileData(Path relativePath, BaseDir baseDir, Mode mode, boolean exclusive)
+    private record RelativePathFileData(Path relativePath, BaseDir baseDir, Mode mode, Platform platform, boolean exclusive)
         implements
             FileData,
             RelativeFileData {
 
         @Override
-        public RelativePathFileData withExclusive() {
-            return new RelativePathFileData(relativePath, baseDir, mode, true);
+        public RelativePathFileData withExclusive(boolean exclusive) {
+            return new RelativePathFileData(relativePath, baseDir, mode, platform, exclusive);
         }
 
         @Override
         public Stream<Path> resolveRelativePaths(PathLookup pathLookup) {
             return Stream.of(relativePath);
         }
+
+        @Override
+        public FileData withPlatform(Platform platform) {
+            if (platform == platform()) {
+                return this;
+            }
+            return new RelativePathFileData(relativePath, baseDir, mode, platform, exclusive);
+        }
     }
 
-    private record PathSettingFileData(String setting, Mode mode, boolean exclusive) implements FileData {
+    private record PathSettingFileData(String setting, Mode mode, Platform platform, boolean exclusive) implements FileData {
 
         @Override
-        public PathSettingFileData withExclusive() {
-            return new PathSettingFileData(setting, mode, true);
+        public PathSettingFileData withExclusive(boolean exclusive) {
+            return new PathSettingFileData(setting, mode, platform, exclusive);
         }
 
         @Override
         public Stream<Path> resolvePaths(PathLookup pathLookup) {
             return resolvePathSettings(pathLookup, setting);
         }
+
+        @Override
+        public FileData withPlatform(Platform platform) {
+            if (platform == platform()) {
+                return this;
+            }
+            return new PathSettingFileData(setting, mode, platform, exclusive);
+        }
     }
 
-    private record RelativePathSettingFileData(String setting, BaseDir baseDir, Mode mode, boolean exclusive)
+    private record RelativePathSettingFileData(String setting, BaseDir baseDir, Mode mode, Platform platform, boolean exclusive)
         implements
             FileData,
             RelativeFileData {
 
         @Override
-        public RelativePathSettingFileData withExclusive() {
-            return new RelativePathSettingFileData(setting, baseDir, mode, true);
+        public RelativePathSettingFileData withExclusive(boolean exclusive) {
+            return new RelativePathSettingFileData(setting, baseDir, mode, platform, exclusive);
         }
 
         @Override
         public Stream<Path> resolveRelativePaths(PathLookup pathLookup) {
             return resolvePathSettings(pathLookup, setting);
         }
+
+        @Override
+        public FileData withPlatform(Platform platform) {
+            if (platform == platform()) {
+                return this;
+            }
+            return new RelativePathSettingFileData(setting, baseDir, mode, platform, exclusive);
+        }
     }
 
     private static Stream<Path> resolvePathSettings(PathLookup pathLookup, String setting) {
@@ -225,6 +286,18 @@ private static Mode parseMode(String mode) {
         }
     }
 
+    private static Platform parsePlatform(String platform) {
+        if (platform.equals("linux")) {
+            return Platform.LINUX;
+        } else if (platform.equals("macos")) {
+            return Platform.MACOS;
+        } else if (platform.equals("windows")) {
+            return Platform.WINDOWS;
+        } else {
+            throw new PolicyValidationException("invalid platform: " + platform + ", valid values: [linux, macos, windows]");
+        }
+    }
+
     private static BaseDir parseBaseDir(String baseDir) {
         return switch (baseDir) {
             case "config" -> BaseDir.CONFIG;
@@ -252,6 +325,7 @@ public static FilesEntitlement build(List<Object> paths) {
             String pathSetting = (String) file.remove("path_setting");
             String relativePathSetting = (String) file.remove("relative_path_setting");
             String modeAsString = (String) file.remove("mode");
+            String platformAsString = (String) file.remove("platform");
             Boolean exclusiveBoolean = (Boolean) file.remove("exclusive");
             boolean exclusive = exclusiveBoolean != null && exclusiveBoolean;
 
@@ -270,27 +344,32 @@ public static FilesEntitlement build(List<Object> paths) {
                 throw new PolicyValidationException("files entitlement must contain 'mode' for every listed file");
             }
             Mode mode = parseMode(modeAsString);
+            Platform platform = null;
+            if (platformAsString != null) {
+                platform = parsePlatform(platformAsString);
+            }
 
             BaseDir baseDir = null;
             if (relativeTo != null) {
                 baseDir = parseBaseDir(relativeTo);
             }
 
-            FileData fileData;
+            final FileData fileData;
             if (relativePathAsString != null) {
                 if (baseDir == null) {
                     throw new PolicyValidationException("files entitlement with a 'relative_path' must specify 'relative_to'");
                 }
-
+                Path relativePath = Path.of(relativePathAsString);
                 if (FileData.isAbsolutePath(relativePathAsString)) {
                     throw new PolicyValidationException("'relative_path' [" + relativePathAsString + "] must be relative");
                 }
-                fileData = FileData.ofRelativePath(Path.of(relativePathAsString), baseDir, mode);
+                fileData = FileData.ofRelativePath(relativePath, baseDir, mode);
             } else if (pathAsString != null) {
+                Path path = Path.of(pathAsString);
                 if (FileData.isAbsolutePath(pathAsString) == false) {
                     throw new PolicyValidationException("'path' [" + pathAsString + "] must be absolute");
                 }
-                fileData = FileData.ofPath(Path.of(pathAsString), mode);
+                fileData = FileData.ofPath(path, mode);
             } else if (pathSetting != null) {
                 fileData = FileData.ofPathSetting(pathSetting, mode);
             } else if (relativePathSetting != null) {
@@ -301,7 +380,7 @@ public static FilesEntitlement build(List<Object> paths) {
             } else {
                 throw new AssertionError("File entry validation error");
             }
-            filesData.add(exclusive ? fileData.withExclusive() : fileData);
+            filesData.add(fileData.withPlatform(platform).withExclusive(exclusive));
         }
         return new FilesEntitlement(filesData);
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -9,7 +9,6 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
-import org.apache.lucene.tests.util.LuceneTestCase;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.entitlement.runtime.policy.FileAccessTree.ExclusivePath;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
@@ -25,7 +24,6 @@
 import static org.elasticsearch.core.PathUtils.getDefaultFileSystem;
 import static org.hamcrest.Matchers.is;
 
-@LuceneTestCase.SuppressFileSystems("*")
 public class FileAccessTreeTests extends ESTestCase {
 
     static Path root;

modules/ingest-geoip/qa/full-cluster-restart/build.gradle

@@ -18,7 +18,7 @@ dependencies {
   javaRestTestImplementation(testArtifact(project(":qa:full-cluster-restart"), "javaRestTest"))
 }
 
-buildParams.bwcVersions.withWireCompatible(v -> v.before("9.0.0")) { bwcVersion, baseName ->
+buildParams.bwcVersions.withWireCompatible(v -> v.onOrAfter("8.15.0")) { bwcVersion, baseName ->
   tasks.register(bwcTaskName(bwcVersion), StandaloneRestIntegTestTask) {
     usesBwcDistribution(bwcVersion)
     systemProperty("tests.old_cluster_version", bwcVersion)