allow read access for each plugin to its own directory

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java

@@ -42,6 +42,7 @@ public record BootstrapArgs(
         Path libDir,
         Path modulesDir,
         Path pluginsDir,
+        Map<String, Path> bundlesDirs,
         Path logsDir,
         Path tempDir,
         Path pidFile,
@@ -60,6 +61,7 @@ public record BootstrapArgs(
             requireNonNull(libDir);
             requireNonNull(modulesDir);
             requireNonNull(pluginsDir);
+            requireNonNull(bundlesDirs);
             requireNonNull(logsDir);
             requireNonNull(tempDir);
             requireNonNull(suppressFailureLogClasses);
@@ -80,11 +82,12 @@ public static BootstrapArgs bootstrapArgs() {
      * @param pluginResolver a functor to map a Java Class to the plugin it belongs to (the plugin name).
      * @param settingResolver a functor to resolve a setting name pattern for one or more Elasticsearch settings.
      * @param dataDirs       data directories for Elasticsearch
-     * @param sharedRepoDirs       shared repository directories for Elasticsearch
+     * @param sharedRepoDirs shared repository directories for Elasticsearch
      * @param configDir      the config directory for Elasticsearch
      * @param libDir         the lib directory for Elasticsearch
      * @param modulesDir     the directory where Elasticsearch modules are
      * @param pluginsDir     the directory where plugins are installed for Elasticsearch
+     * @param bundlesDirs    a map holding the path for each plugin or module, by plugin (or module) name.
      * @param tempDir        the temp directory for Elasticsearch
      * @param logsDir        the log directory for Elasticsearch
      * @param pidFile        path to a pid file for Elasticsearch, or {@code null} if one was not specified
@@ -100,6 +103,7 @@ public static void bootstrap(
         Path libDir,
         Path modulesDir,
         Path pluginsDir,
+        Map<String, Path> bundlesDirs,
         Path logsDir,
         Path tempDir,
         Path pidFile,
@@ -119,6 +123,7 @@ public static void bootstrap(
             libDir,
             modulesDir,
             pluginsDir,
+            bundlesDirs,
             logsDir,
             tempDir,
             pidFile,

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -281,12 +281,12 @@ private static PolicyManager createPolicyManager() {
                 )
             )
         );
-        var resolver = EntitlementBootstrap.bootstrapArgs().pluginResolver();
         return new PolicyManager(
             serverPolicy,
             agentEntitlements,
             pluginPolicies,
-            resolver,
+            EntitlementBootstrap.bootstrapArgs().pluginResolver(),
+            EntitlementBootstrap.bootstrapArgs().bundlesDirs(),
             AGENTS_PACKAGE_NAME,
             ENTITLEMENTS_MODULE,
             pathLookup,

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.Strings;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode;
@@ -91,6 +92,7 @@ private FileAccessTree(
         String moduleName,
         FilesEntitlement filesEntitlement,
         PathLookup pathLookup,
+        Path componentDir,
         List<ExclusivePath> exclusivePaths
     ) {
         List<String> updatedExclusivePaths = new ArrayList<>();
@@ -139,10 +141,13 @@ private FileAccessTree(
             });
         }
 
-        // everything has access to the temp dir, config dir and the jdk
+        // everything has access to the temp dir, config dir, to their own dir (their own jar files) and the jdk
         addPathAndMaybeLink.accept(pathLookup.tempDir(), READ_WRITE);
         // TODO: this grants read access to the config dir for all modules until explicit read entitlements can be added
         addPathAndMaybeLink.accept(pathLookup.configDir(), Mode.READ);
+        if (componentDir != null) {
+            addPathAndMaybeLink.accept(componentDir, Mode.READ);
+        }
 
         // TODO: watcher uses javax.activation which looks for known mime types configuration, should this be global or explicit in watcher?
         Path jdk = Paths.get(System.getProperty("java.home"));
@@ -179,9 +184,10 @@ public static FileAccessTree of(
         String moduleName,
         FilesEntitlement filesEntitlement,
         PathLookup pathLookup,
+        @Nullable Path componentDir,
         List<ExclusivePath> exclusivePaths
     ) {
-        return new FileAccessTree(componentName, moduleName, filesEntitlement, pathLookup, exclusivePaths);
+        return new FileAccessTree(componentName, moduleName, filesEntitlement, pathLookup, componentDir, exclusivePaths);
     }
 
     boolean canRead(Path path) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -107,7 +107,7 @@ ModuleEntitlements policyEntitlements(String componentName, String moduleName, L
         return new ModuleEntitlements(
             componentName,
             entitlements.stream().collect(groupingBy(Entitlement::getClass)),
-            FileAccessTree.of(componentName, moduleName, filesEntitlement, pathLookup, exclusivePaths)
+            FileAccessTree.of(componentName, moduleName, filesEntitlement, pathLookup, bundlesDirs.get(componentName), exclusivePaths)
         );
     }
 
@@ -139,6 +139,7 @@ private static Set<Module> findSystemModules() {
         ).collect(Collectors.toUnmodifiableSet());
     }
 
+    private final Map<String, Path> bundlesDirs;
     /**
      * The package name containing classes from the APM agent.
      */
@@ -161,6 +162,7 @@ public PolicyManager(
         List<Entitlement> apmAgentEntitlements,
         Map<String, Policy> pluginPolicies,
         Function<Class<?>, String> pluginResolver,
+        Map<String, Path> bundlesDirs,
         String apmAgentPackageName,
         Module entitlementsModule,
         PathLookup pathLookup,
@@ -172,6 +174,7 @@ public PolicyManager(
             .stream()
             .collect(toUnmodifiableMap(Map.Entry::getKey, e -> buildScopeEntitlementsMap(e.getValue())));
         this.pluginResolver = pluginResolver;
+        this.bundlesDirs = bundlesDirs;
         this.apmAgentPackageName = apmAgentPackageName;
         this.entitlementsModule = entitlementsModule;
         this.pathLookup = requireNonNull(pathLookup);
@@ -180,6 +183,7 @@ public PolicyManager(
             UNKNOWN_COMPONENT_NAME,
             FilesEntitlement.EMPTY,
             pathLookup,
+            null,
             List.of()
         );
         this.mutedClasses = suppressFailureLogClasses;

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -291,13 +291,13 @@ public void testFollowLinks() throws IOException {
     }
 
     public void testTempDirAccess() {
-        var tree = FileAccessTree.of("test-component", "test-module", FilesEntitlement.EMPTY, TEST_PATH_LOOKUP, List.of());
+        var tree = FileAccessTree.of("test-component", "test-module", FilesEntitlement.EMPTY, TEST_PATH_LOOKUP, null, List.of());
         assertThat(tree.canRead(TEST_PATH_LOOKUP.tempDir()), is(true));
         assertThat(tree.canWrite(TEST_PATH_LOOKUP.tempDir()), is(true));
     }
 
     public void testConfigDirAccess() {
-        var tree = FileAccessTree.of("test-component", "test-module", FilesEntitlement.EMPTY, TEST_PATH_LOOKUP, List.of());
+        var tree = FileAccessTree.of("test-component", "test-module", FilesEntitlement.EMPTY, TEST_PATH_LOOKUP, null, List.of());
         assertThat(tree.canRead(TEST_PATH_LOOKUP.configDir()), is(true));
         assertThat(tree.canWrite(TEST_PATH_LOOKUP.configDir()), is(false));
     }
@@ -453,6 +453,7 @@ public void testWindowsAbsolutPathAccess() {
                 )
             ),
             TEST_PATH_LOOKUP,
+            null,
             List.of()
         );
 
@@ -464,7 +465,7 @@ public void testWindowsAbsolutPathAccess() {
     }
 
     FileAccessTree accessTree(FilesEntitlement entitlement, List<ExclusivePath> exclusivePaths) {
-        return FileAccessTree.of("test-component", "test-module", entitlement, TEST_PATH_LOOKUP, exclusivePaths);
+        return FileAccessTree.of("test-component", "test-module", entitlement, TEST_PATH_LOOKUP, null, exclusivePaths);
     }
 
     static FilesEntitlement entitlement(String... values) {

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -85,6 +85,7 @@ public void testGetEntitlementsThrowsOnMissingPluginUnnamedModule() {
             List.of(),
             Map.of("plugin1", createPluginPolicy("plugin.module")),
             c -> "plugin1",
+            Map.of("plugin1", Path.of("modules", "plugin1")),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -110,6 +111,7 @@ public void testGetEntitlementsThrowsOnMissingPolicyForPlugin() {
             List.of(),
             Map.of(),
             c -> "plugin1",
+            Map.of("plugin1", Path.of("modules", "plugin1")),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -131,6 +133,7 @@ public void testGetEntitlementsFailureIsCached() {
             List.of(),
             Map.of(),
             c -> "plugin1",
+            Map.of("plugin1", Path.of("modules", "plugin1")),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -157,6 +160,7 @@ public void testGetEntitlementsReturnsEntitlementsForPluginUnnamedModule() {
             List.of(),
             Map.ofEntries(entry("plugin2", createPluginPolicy(ALL_UNNAMED))),
             c -> "plugin2",
+            Map.of("plugin2", Path.of("modules", "plugin2")),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -176,6 +180,7 @@ public void testGetEntitlementsThrowsOnMissingPolicyForServer() throws ClassNotF
             List.of(),
             Map.of(),
             c -> null,
+            Map.of(),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -207,6 +212,7 @@ public void testGetEntitlementsReturnsEntitlementsForServerModule() throws Class
             List.of(),
             Map.of(),
             c -> null,
+            Map.of(),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -234,6 +240,7 @@ public void testGetEntitlementsReturnsEntitlementsForPluginModule() throws IOExc
             List.of(),
             Map.of("mock-plugin", createPluginPolicy("org.example.plugin")),
             c -> "mock-plugin",
+            Map.of("mock-plugin", Path.of("modules", "mock-plugin")),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -254,6 +261,7 @@ public void testGetEntitlementsResultIsCached() {
             List.of(),
             Map.ofEntries(entry("plugin2", createPluginPolicy(ALL_UNNAMED))),
             c -> "plugin2",
+            Map.of("plugin2", Path.of("modules", "plugin2")),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -314,6 +322,7 @@ public void testAgentsEntitlements() throws IOException, ClassNotFoundException
             List.of(new CreateClassLoaderEntitlement()),
             Map.of(),
             c -> c.getPackageName().startsWith(TEST_AGENTS_PACKAGE_NAME) ? null : "test",
+            Map.of(),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -343,6 +352,7 @@ public void testDuplicateEntitlements() {
                 List.of(),
                 Map.of(),
                 c -> "test",
+                Map.of(),
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -361,6 +371,7 @@ public void testDuplicateEntitlements() {
                 List.of(new CreateClassLoaderEntitlement(), new CreateClassLoaderEntitlement()),
                 Map.of(),
                 c -> "test",
+                Map.of(),
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -399,6 +410,7 @@ public void testDuplicateEntitlements() {
                     )
                 ),
                 c -> "plugin1",
+                Map.of("plugin1", Path.of("modules", "plugin1")),
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -451,6 +463,7 @@ public void testFilesEntitlementsWithExclusive() {
                     )
                 ),
                 c -> "",
+                Map.of("plugin1", Path.of("modules", "plugin1"), "plugin2", Path.of("modules", "plugin2")),
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -497,6 +510,7 @@ public void testFilesEntitlementsWithExclusive() {
                     )
                 ),
                 c -> "",
+                Map.of(),
                 TEST_AGENTS_PACKAGE_NAME,
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -523,6 +537,7 @@ public void testPluginResolverOverridesAgents() {
             List.of(new CreateClassLoaderEntitlement()),
             Map.of(),
             c -> "test", // Insist that the class is in a plugin
+            Map.of(),
             TEST_AGENTS_PACKAGE_NAME,
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -545,6 +560,7 @@ private static PolicyManager policyManager(String agentsPackageName, Module enti
             List.of(),
             Map.of(),
             c -> "test",
+            Map.of(),
             agentsPackageName,
             entitlementsModule,
             TEST_PATH_LOOKUP,

server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java

@@ -48,6 +48,7 @@
 import org.elasticsearch.nativeaccess.NativeAccess;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.node.NodeValidationException;
+import org.elasticsearch.plugins.PluginBundle;
 import org.elasticsearch.plugins.PluginsLoader;
 import org.elasticsearch.rest.MethodHandlers;
 import org.elasticsearch.transport.RequestHandlerRegistry;
@@ -70,6 +71,7 @@
 import java.util.Set;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import static org.elasticsearch.bootstrap.BootstrapSettings.SECURITY_FILTER_BAD_DEFAULTS_SETTING;
@@ -245,6 +247,8 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
             pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, findPluginsWithNativeAccess(pluginPolicies));
 
             var pluginsResolver = PluginsResolver.create(pluginsLoader);
+            Map<String, Path> bundlesDirs = Stream.concat(modulesBundles.stream(), pluginsBundles.stream())
+                .collect(Collectors.toUnmodifiableMap(bundle -> bundle.pluginDescriptor().getName(), PluginBundle::getDir));
             EntitlementBootstrap.bootstrap(
                 pluginPolicies,
                 pluginsResolver::resolveClassToPluginName,
@@ -255,6 +259,7 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
                 nodeEnv.libDir(),
                 nodeEnv.modulesDir(),
                 nodeEnv.pluginsDir(),
+                bundlesDirs,
                 nodeEnv.logsDir(),
                 nodeEnv.tmpDir(),
                 args.pidFile(),