update to use path instead of string and component and module for

exclusive path validation

Author: jdconrad

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
+import org.elasticsearch.entitlement.runtime.policy.PolicyManager.ExclusivePath;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
 
 import java.nio.file.Path;
@@ -27,7 +28,13 @@ public final class FileAccessTree {
     private final String[] readPaths;
     private final String[] writePaths;
 
-    private FileAccessTree(FilesEntitlement filesEntitlement, PathLookup pathLookup, List<String> exclusivePaths) {
+    private FileAccessTree(
+        String componentName,
+        String moduleName,
+        FilesEntitlement filesEntitlement,
+        PathLookup pathLookup,
+        List<ExclusivePath> exclusivePaths
+    ) {
         List<String> updatedExclusivePaths = new ArrayList<>();
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
@@ -36,12 +43,13 @@ private FileAccessTree(FilesEntitlement filesEntitlement, PathLookup pathLookup,
             var paths = fileData.resolvePaths(pathLookup);
             paths.forEach(path -> {
                 var normalized = normalizePath(path);
-                for (String exclusivePath : exclusivePaths) {
-                    if (normalized.equals(exclusivePath) == false) {
-                        if (normalized.startsWith(exclusivePath)) {
+                for (ExclusivePath exclusivePath : exclusivePaths) {
+                    if (exclusivePath.componentName().equals(componentName) == false
+                        || exclusivePath.moduleName().equals(moduleName) == false) {
+                        if (path.startsWith(exclusivePath.path())) {
                             // TODO: throw
                         }
-                        updatedExclusivePaths.add(exclusivePath);
+                        updatedExclusivePaths.add(normalizePath(exclusivePath.path()));
                     }
                 }
                 if (mode == FilesEntitlement.Mode.READ_WRITE) {
@@ -62,6 +70,8 @@ private FileAccessTree(FilesEntitlement filesEntitlement, PathLookup pathLookup,
         this.exclusivePaths = updatedExclusivePaths.toArray(new String[0]);
         this.readPaths = pruneSortedPaths(readPaths).toArray(new String[0]);
         this.writePaths = pruneSortedPaths(writePaths).toArray(new String[0]);
+        // if (true) throw new IllegalStateException("EXCLUSIVE: " + Arrays.toString(this.exclusivePaths) +
+        // "\n READ: " + Arrays.toString(this.readPaths) + "\n WRITE: " + Arrays.toString(this.writePaths));
     }
 
     private static List<String> pruneSortedPaths(List<String> paths) {
@@ -81,8 +91,14 @@ private static List<String> pruneSortedPaths(List<String> paths) {
 
     }
 
-    public static FileAccessTree of(FilesEntitlement filesEntitlement, PathLookup pathLookup, List<String> exclusivePaths) {
-        return new FileAccessTree(filesEntitlement, pathLookup, exclusivePaths);
+    public static FileAccessTree of(
+        String componentName,
+        String moduleName,
+        FilesEntitlement filesEntitlement,
+        PathLookup pathLookup,
+        List<ExclusivePath> exclusivePaths
+    ) {
+        return new FileAccessTree(componentName, moduleName, filesEntitlement, pathLookup, exclusivePaths);
     }
 
     boolean canRead(Path path) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -95,7 +95,7 @@ ModuleEntitlements defaultEntitlements(String componentName) {
     }
 
     // pkg private for testing
-    ModuleEntitlements policyEntitlements(String componentName, List<Entitlement> entitlements) {
+    ModuleEntitlements policyEntitlements(String componentName, String moduleName, List<Entitlement> entitlements) {
         FilesEntitlement filesEntitlement = FilesEntitlement.EMPTY;
         for (Entitlement entitlement : entitlements) {
             if (entitlement instanceof FilesEntitlement) {
@@ -105,7 +105,7 @@ ModuleEntitlements policyEntitlements(String componentName, List<Entitlement> en
         return new ModuleEntitlements(
             componentName,
             entitlements.stream().collect(groupingBy(Entitlement::getClass)),
-            FileAccessTree.of(filesEntitlement, pathLookup, List.of())
+            FileAccessTree.of(componentName, moduleName, filesEntitlement, pathLookup, exclusivePaths)
         );
     }
 
@@ -150,7 +150,7 @@ private static Set<Module> findSystemModules() {
      * structures to indicate other modules aren't allowed to use these
      * files in {@link FileAccessTree}s.
      */
-    private final List<String> exclusivePaths;
+    private final List<ExclusivePath> exclusivePaths;
 
     public PolicyManager(
         Policy serverPolicy,
@@ -170,15 +170,15 @@ public PolicyManager(
         this.apmAgentPackageName = apmAgentPackageName;
         this.entitlementsModule = entitlementsModule;
         this.pathLookup = requireNonNull(pathLookup);
-        this.defaultFileAccess = FileAccessTree.of(FilesEntitlement.EMPTY, pathLookup, List.of());
+        this.defaultFileAccess = FileAccessTree.of("", "", FilesEntitlement.EMPTY, pathLookup, List.of());
 
         List<ExclusivePath> exclusivePaths = new ArrayList<>();
         for (var e : serverEntitlements.entrySet()) {
             validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue());
             buildExclusivePathList(exclusivePaths, pathLookup, SERVER_COMPONENT_NAME, e.getKey(), e.getValue());
         }
-        validateEntitlementsPerModule(APM_AGENT_COMPONENT_NAME, "unnamed", apmAgentEntitlements);
-        buildExclusivePathList(exclusivePaths, pathLookup, APM_AGENT_COMPONENT_NAME, "unnamed", apmAgentEntitlements);
+        validateEntitlementsPerModule(APM_AGENT_COMPONENT_NAME, ALL_UNNAMED, apmAgentEntitlements);
+        buildExclusivePathList(exclusivePaths, pathLookup, APM_AGENT_COMPONENT_NAME, ALL_UNNAMED, apmAgentEntitlements);
         for (var p : pluginsEntitlements.entrySet()) {
             for (var m : p.getValue().entrySet()) {
                 validateEntitlementsPerModule(p.getKey(), m.getKey(), m.getValue());
@@ -187,7 +187,7 @@ public PolicyManager(
         }
         exclusivePaths.sort(Comparator.comparing(ExclusivePath::path));
         validateExclusivePaths(exclusivePaths);
-        this.exclusivePaths = exclusivePaths.stream().map(ExclusivePath::path).toList();
+        this.exclusivePaths = exclusivePaths;
     }
 
     private static Map<String, List<Entitlement>> buildScopeEntitlementsMap(Policy policy) {
@@ -206,7 +206,7 @@ private static void validateEntitlementsPerModule(String componentName, String m
         }
     }
 
-    private record ExclusivePath(String componentName, String moduleName, String path) {}
+    record ExclusivePath(String componentName, String moduleName, Path path) {}
 
     private static void buildExclusivePathList(
         List<ExclusivePath> exclusivePaths,
@@ -221,8 +221,7 @@ private static void buildExclusivePathList(
                     if (fd.exclusive()) {
                         List<Path> paths = fd.resolvePaths(pathLookup).toList();
                         for (Path path : paths) {
-                            String pathStr = FileAccessTree.normalizePath(path);
-                            exclusivePaths.add(new ExclusivePath(componentName, moduleName, pathStr));
+                            exclusivePaths.add(new ExclusivePath(componentName, moduleName, path));
                         }
                     }
                 }
@@ -551,7 +550,7 @@ private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
 
         if (requestingModule.isNamed() == false && requestingClass.getPackageName().startsWith(apmAgentPackageName)) {
             // The APM agent is the only thing running non-modular in the system classloader
-            return policyEntitlements(APM_AGENT_COMPONENT_NAME, apmAgentEntitlements);
+            return policyEntitlements(APM_AGENT_COMPONENT_NAME, ALL_UNNAMED, apmAgentEntitlements);
         }
 
         return defaultEntitlements(UNKNOWN_COMPONENT_NAME);
@@ -566,7 +565,7 @@ private ModuleEntitlements getModuleScopeEntitlements(
         if (entitlements == null) {
             return defaultEntitlements(componentName);
         }
-        return policyEntitlements(componentName, entitlements);
+        return policyEntitlements(componentName, moduleName, entitlements);
     }
 
     private static boolean isServerModule(Module requestingModule) {

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -10,6 +10,7 @@
 package org.elasticsearch.entitlement.runtime.policy;
 
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.entitlement.runtime.policy.PolicyManager.ExclusivePath;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.BeforeClass;
@@ -191,19 +192,19 @@ public void testForwardSlashes() {
     }
 
     public void testTempDirAccess() {
-        var tree = FileAccessTree.of(FilesEntitlement.EMPTY, TEST_PATH_LOOKUP, List.of());
+        var tree = FileAccessTree.of("test-component", "test-module", FilesEntitlement.EMPTY, TEST_PATH_LOOKUP, List.of());
         assertThat(tree.canRead(TEST_PATH_LOOKUP.tempDir()), is(true));
         assertThat(tree.canWrite(TEST_PATH_LOOKUP.tempDir()), is(true));
     }
 
     public void testExclusiveAccess() {
-        var tree = accessTree(entitlement("foo", "read"), exclusivePaths("foo"));
+        var tree = accessTree(entitlement("foo", "read"), exclusivePaths("test-component", "test-module", "foo"));
         assertThat(tree.canRead(path("foo")), is(true));
         assertThat(tree.canWrite(path("foo")), is(false));
-        tree = accessTree(entitlement("foo", "read_write"), exclusivePaths("foo"));
+        tree = accessTree(entitlement("foo", "read_write"), exclusivePaths("test-component", "test-module", "foo"));
         assertThat(tree.canRead(path("foo")), is(true));
         assertThat(tree.canWrite(path("foo")), is(true));
-        tree = accessTree(entitlement("foo", "read"), exclusivePaths("foo/bar"));
+        tree = accessTree(entitlement("foo", "read"), exclusivePaths("test-component", "diff-module", "foo/bar"));
         assertThat(tree.canRead(path("foo")), is(true));
         assertThat(tree.canWrite(path("foo")), is(false));
         assertThat(tree.canRead(path("foo/baz")), is(true));
@@ -212,8 +213,8 @@ public void testExclusiveAccess() {
         assertThat(tree.canWrite(path("foo/bar")), is(false));
     }
 
-    FileAccessTree accessTree(FilesEntitlement entitlement, List<String> exclusivePaths) {
-        return FileAccessTree.of(entitlement, TEST_PATH_LOOKUP, exclusivePaths);
+    FileAccessTree accessTree(FilesEntitlement entitlement, List<ExclusivePath> exclusivePaths) {
+        return FileAccessTree.of("test-component", "test-module", entitlement, TEST_PATH_LOOKUP, exclusivePaths);
     }
 
     static FilesEntitlement entitlement(String... values) {
@@ -231,10 +232,10 @@ static FilesEntitlement entitlement(Map<String, String> value) {
         return FilesEntitlement.build(List.of(value));
     }
 
-    static List<String> exclusivePaths(String... paths) {
-        List<String> exclusivePaths = new ArrayList<>();
+    static List<ExclusivePath> exclusivePaths(String componentName, String moduleName, String... paths) {
+        List<ExclusivePath> exclusivePaths = new ArrayList<>();
         for (String path : paths) {
-            exclusivePaths.add(FileAccessTree.normalizePath(path(path)));
+            exclusivePaths.add(new ExclusivePath(componentName, moduleName, path(path)));
         }
         return exclusivePaths;
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -356,7 +356,10 @@ public void testDuplicateEntitlements() {
             )
         );
         assertEquals(
-            "[(APM agent)] using module [unnamed] found duplicate entitlement " + "[" + CreateClassLoaderEntitlement.class.getName() + "]",
+            "[(APM agent)] using module [ALL-UNNAMED] found duplicate entitlement "
+                + "["
+                + CreateClassLoaderEntitlement.class.getName()
+                + "]",
             iae.getMessage()
         );