check link target and source at once for more informative exception

Author: mosche

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -2762,7 +2762,9 @@ public void checkPathToRealPath(Class<?> callerClass, Path that, LinkOption... o
         }
         if (followLinks) {
             try {
-                policyManager.checkFileRead(callerClass, Files.readSymbolicLink(that));
+                Path symbolicLink = Files.readSymbolicLink(that);
+                policyManager.checkFileRead(callerClass, that, symbolicLink);
+                return;
             } catch (IOException | UnsupportedOperationException e) {
                 // that is not a link, or unrelated IOException or unsupported
             }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -36,6 +36,7 @@
 import java.lang.module.ModuleReference;
 import java.nio.file.Path;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -324,28 +325,30 @@ private static boolean isPathOnDefaultFilesystem(Path path) {
         return true;
     }
 
-    public void checkFileRead(Class<?> callerClass, Path path) {
-        if (isPathOnDefaultFilesystem(path) == false) {
-            return;
-        }
-        var requestingClass = requestingClass(callerClass);
-        if (isTriviallyAllowed(requestingClass)) {
-            return;
-        }
+    public void checkFileRead(Class<?> callerClass, Path... paths) {
+        for (var path : paths) {
+            if (isPathOnDefaultFilesystem(path) == false) {
+                return;
+            }
+            var requestingClass = requestingClass(callerClass);
+            if (isTriviallyAllowed(requestingClass)) {
+                return;
+            }
 
-        ModuleEntitlements entitlements = getEntitlements(requestingClass);
-        if (entitlements.fileAccess().canRead(path) == false) {
-            logger.info(entitlements.fileAccess().toDebugString());
-            notEntitled(
-                Strings.format(
-                    "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
-                    entitlements.componentName(),
-                    requestingClass.getModule().getName(),
-                    requestingClass,
-                    FileAccessTree.normalizePath(path)
-                ),
-                callerClass
-            );
+            ModuleEntitlements entitlements = getEntitlements(requestingClass);
+            if (entitlements.fileAccess().canRead(path) == false) {
+                logger.info(entitlements.fileAccess().toDebugString());
+                notEntitled(
+                    Strings.format(
+                        "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
+                        entitlements.componentName(),
+                        requestingClass.getModule().getName(),
+                        requestingClass,
+                        Arrays.stream(paths).map(FileAccessTree::normalizePath).collect(Collectors.joining(", "))
+                    ),
+                    callerClass
+                );
+            }
         }
     }