Add ComponentKind enum

Author: prdoyle

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -58,37 +58,66 @@
 import static java.util.zip.ZipFile.OPEN_DELETE;
 import static java.util.zip.ZipFile.OPEN_READ;
 import static org.elasticsearch.entitlement.bridge.Util.NO_CLASS;
+import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.APM_AGENT;
+import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.PLUGIN;
+import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.SERVER;
+import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.UNKNOWN;
 
 public class PolicyManager {
     /**
      * Use this if you don't have a {@link ModuleEntitlements} in hand.
      */
     private static final Logger generalLogger = LogManager.getLogger(PolicyManager.class);
 
-    public static final String UNKNOWN_COMPONENT_NAME = "(unknown)";
-    public static final String SERVER_COMPONENT_NAME = "(server)";
-    public static final String APM_AGENT_COMPONENT_NAME = "(APM agent)";
-
     static final Class<?> DEFAULT_FILESYSTEM_CLASS = PathUtils.getDefaultFileSystem().getClass();
 
     static final Set<String> MODULES_EXCLUDED_FROM_SYSTEM_MODULES = Set.of("java.desktop");
 
     /**
      * Identifies a particular entitlement {@link Scope} within a {@link Policy}.
-     * @param componentName
-     * @param moduleName
      */
-    public record PolicyScope(String componentName, String moduleName) {
+    public record PolicyScope(ComponentKind kind, String componentName, String moduleName) {
         public PolicyScope {
+            requireNonNull(kind);
             requireNonNull(componentName);
             requireNonNull(moduleName);
+            assert kind.componentName == null || kind.componentName.equals(componentName);
+        }
+
+        public static PolicyScope unknown(String moduleName) {
+            return new PolicyScope(UNKNOWN, UNKNOWN.componentName, moduleName);
+        }
+
+        public static PolicyScope server(String moduleName) {
+            return new PolicyScope(SERVER, SERVER.componentName, moduleName);
+        }
+
+        public static PolicyScope apmAgent(String moduleName) {
+            return new PolicyScope(APM_AGENT, APM_AGENT.componentName, moduleName);
+        }
+
+        public static PolicyScope plugin(String componentName, String moduleName) {
+            return new PolicyScope(PLUGIN, componentName, moduleName);
+        }
+    }
+
+    public enum ComponentKind {
+        UNKNOWN("(unknown)"),
+        SERVER("(server)"),
+        APM_AGENT("(APM agent)"),
+        PLUGIN(null);
+
+        /**
+         * If this kind corresponds to a single component, this is that component's name;
+         * otherwise null.
+         */
+        public final String componentName;
+
+        ComponentKind(String componentName) {
+            this.componentName = componentName;
         }
     }
 
-    /**
-     * @param componentName the plugin name; or else one of the special component names
-     *                      like {@link #SERVER_COMPONENT_NAME} or {@link #APM_AGENT_COMPONENT_NAME}.
-     */
     record ModuleEntitlements(
         String componentName,
         Map<Class<? extends Entitlement>, List<Entitlement>> entitlementsByType,
@@ -215,9 +244,9 @@ public PolicyManager(
 
         List<ExclusiveFileEntitlement> exclusiveFileEntitlements = new ArrayList<>();
         for (var e : serverEntitlements.entrySet()) {
-            validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue(), exclusiveFileEntitlements);
+            validateEntitlementsPerModule(SERVER.componentName, e.getKey(), e.getValue(), exclusiveFileEntitlements);
         }
-        validateEntitlementsPerModule(APM_AGENT_COMPONENT_NAME, ALL_UNNAMED, apmAgentEntitlements, exclusiveFileEntitlements);
+        validateEntitlementsPerModule(APM_AGENT.componentName, ALL_UNNAMED, apmAgentEntitlements, exclusiveFileEntitlements);
         for (var p : pluginsEntitlements.entrySet()) {
             for (var m : p.getValue().entrySet()) {
                 validateEntitlementsPerModule(p.getKey(), m.getKey(), m.getValue(), exclusiveFileEntitlements);
@@ -614,31 +643,29 @@ private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
         var componentName = policyScope.componentName();
         var moduleName = policyScope.moduleName();
 
-        switch (componentName) {
-            case SERVER_COMPONENT_NAME -> {
+        switch (policyScope.kind()) {
+            case SERVER -> {
                 return getModuleScopeEntitlements(
                     serverEntitlements,
                     moduleName,
-                    SERVER_COMPONENT_NAME,
+                    SERVER.componentName,
                     getComponentPathFromClass(requestingClass)
                 );
             }
-            case APM_AGENT_COMPONENT_NAME -> {
+            case APM_AGENT -> {
                 // The APM agent is the only thing running non-modular in the system classloader
                 return policyEntitlements(
-                    APM_AGENT_COMPONENT_NAME,
+                    APM_AGENT.componentName,
                     getComponentPathFromClass(requestingClass),
                     ALL_UNNAMED,
                     apmAgentEntitlements
                 );
             }
-            case UNKNOWN_COMPONENT_NAME -> {
-                return defaultEntitlements(UNKNOWN_COMPONENT_NAME, null, moduleName);
+            case UNKNOWN -> {
+                return defaultEntitlements(UNKNOWN.componentName, null, moduleName);
             }
             default -> {
-                // Must be a plugin
-                assert componentName.startsWith("(") == false
-                    : "Parentheses indicate a special component name that isn't a plugin: " + componentName;
+                assert policyScope.kind() == PLUGIN;
                 var pluginEntitlements = pluginsEntitlements.get(componentName);
                 if (pluginEntitlements == null) {
                     return defaultEntitlements(componentName, sourcePaths.get(componentName), moduleName);

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -39,8 +39,7 @@
 
 import static java.util.Map.entry;
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED;
-import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.APM_AGENT_COMPONENT_NAME;
-import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.SERVER_COMPONENT_NAME;
+import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.SERVER;
 import static org.hamcrest.Matchers.aMapWithSize;
 import static org.hamcrest.Matchers.allOf;
 import static org.hamcrest.Matchers.containsString;
@@ -91,7 +90,7 @@ public void testGetEntitlementsThrowsOnMissingPluginUnnamedModule() {
             createEmptyTestServerPolicy(),
             List.of(),
             Map.of("plugin1", createPluginPolicy("plugin.module")),
-            c -> new PolicyScope("plugin1", moduleName(c)),
+            c -> PolicyScope.plugin("plugin1", moduleName(c)),
             Map.of("plugin1", plugin1SourcePath),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -120,7 +119,7 @@ public void testGetEntitlementsThrowsOnMissingPolicyForPlugin() {
             createEmptyTestServerPolicy(),
             List.of(),
             Map.of(),
-            c -> new PolicyScope("plugin1", moduleName(c)),
+            c -> PolicyScope.plugin("plugin1", moduleName(c)),
             Map.of("plugin1", plugin1SourcePath),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -149,7 +148,7 @@ public void testGetEntitlementsFailureIsCached() {
             createEmptyTestServerPolicy(),
             List.of(),
             Map.of(),
-            c -> new PolicyScope("plugin1", moduleName(c)),
+            c -> PolicyScope.plugin("plugin1", moduleName(c)),
             Map.of("plugin1", plugin1SourcePath),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -187,7 +186,7 @@ public void testGetEntitlementsReturnsEntitlementsForPluginUnnamedModule() {
             createEmptyTestServerPolicy(),
             List.of(),
             Map.ofEntries(entry("plugin2", createPluginPolicy(ALL_UNNAMED))),
-            c -> new PolicyScope("plugin2", moduleName(c)),
+            c -> PolicyScope.plugin("plugin2", moduleName(c)),
             Map.of("plugin2", Path.of("modules", "plugin2")),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -206,7 +205,7 @@ public void testGetEntitlementsReturnsDefaultOnMissingPolicyForServer() throws C
             createTestServerPolicy("example"),
             List.of(),
             Map.of(),
-            c -> new PolicyScope(SERVER_COMPONENT_NAME, moduleName(c)),
+            c -> PolicyScope.server(moduleName(c)),
             Map.of(),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -222,12 +221,12 @@ public void testGetEntitlementsReturnsDefaultOnMissingPolicyForServer() throws C
 
         assertEquals(
             "No policy for this module in server",
-            policyManager.defaultEntitlements(SERVER_COMPONENT_NAME, mockServerSourcePath, httpserverModuleName),
+            policyManager.defaultEntitlements(SERVER.componentName, mockServerSourcePath, httpserverModuleName),
             policyManager.getEntitlements(mockServerClass)
         );
 
         assertEquals(
-            Map.of(requestingModule, policyManager.defaultEntitlements(SERVER_COMPONENT_NAME, mockServerSourcePath, httpserverModuleName)),
+            Map.of(requestingModule, policyManager.defaultEntitlements(SERVER.componentName, mockServerSourcePath, httpserverModuleName)),
             policyManager.moduleEntitlementsMap
         );
     }
@@ -238,7 +237,7 @@ public void testGetEntitlementsReturnsEntitlementsForServerModule() throws Class
             createTestServerPolicy(httpserverModuleName),
             List.of(),
             Map.of(),
-            c -> new PolicyScope(SERVER_COMPONENT_NAME, moduleName(c)),
+            c -> PolicyScope.server(moduleName(c)),
             Map.of(),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -263,7 +262,7 @@ public void testGetEntitlementsReturnsEntitlementsForPluginModule() throws IOExc
             createEmptyTestServerPolicy(),
             List.of(),
             Map.of("mock-plugin", createPluginPolicy("org.example.plugin")),
-            c -> new PolicyScope("mock-plugin", moduleName(c)),
+            c -> PolicyScope.plugin("mock-plugin", moduleName(c)),
             Map.of("mock-plugin", Path.of("modules", "mock-plugin")),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -283,7 +282,7 @@ public void testGetEntitlementsResultIsCached() {
             createEmptyTestServerPolicy(),
             List.of(),
             Map.ofEntries(entry("plugin2", createPluginPolicy(ALL_UNNAMED))),
-            c -> new PolicyScope("plugin2", moduleName(c)),
+            c -> PolicyScope.plugin("plugin2", moduleName(c)),
             Map.of("plugin2", Path.of("modules", "plugin2")),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -347,8 +346,8 @@ public void testAgentsEntitlements() throws IOException, ClassNotFoundException
             List.of(new CreateClassLoaderEntitlement()),
             Map.of(),
             c -> c.getPackageName().startsWith(TEST_AGENTS_PACKAGE_NAME)
-                ? new PolicyScope(APM_AGENT_COMPONENT_NAME, "test.agent.module")
-                : new PolicyScope("test", "test.plugin.module"),
+                ? PolicyScope.apmAgent("test.agent.module")
+                : PolicyScope.plugin("test", "test.plugin.module"),
             Map.of(),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -377,7 +376,7 @@ public void testDuplicateEntitlements() {
                 ),
                 List.of(),
                 Map.of(),
-                c -> new PolicyScope("test", moduleName(c)),
+                c -> PolicyScope.plugin("test", moduleName(c)),
                 Map.of(),
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -395,7 +394,7 @@ public void testDuplicateEntitlements() {
                 createEmptyTestServerPolicy(),
                 List.of(new CreateClassLoaderEntitlement(), new CreateClassLoaderEntitlement()),
                 Map.of(),
-                c -> new PolicyScope("test", moduleName(c)),
+                c -> PolicyScope.plugin("test", moduleName(c)),
                 Map.of(),
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -433,7 +432,7 @@ public void testDuplicateEntitlements() {
                         )
                     )
                 ),
-                c -> new PolicyScope("plugin1", moduleName(c)),
+                c -> PolicyScope.plugin("plugin1", moduleName(c)),
                 Map.of("plugin1", Path.of("modules", "plugin1")),
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -485,7 +484,7 @@ public void testFilesEntitlementsWithExclusive() {
                         )
                     )
                 ),
-                c -> new PolicyScope("", moduleName(c)),
+                c -> PolicyScope.plugin("", moduleName(c)),
                 Map.of("plugin1", Path.of("modules", "plugin1"), "plugin2", Path.of("modules", "plugin2")),
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -538,7 +537,7 @@ public void testFilesEntitlementsWithExclusive() {
                         )
                     )
                 ),
-                c -> new PolicyScope("", moduleName(c)),
+                c -> PolicyScope.plugin("", moduleName(c)),
                 Map.of(),
                 NO_ENTITLEMENTS_MODULE,
                 TEST_PATH_LOOKUP,
@@ -564,7 +563,7 @@ public void testPluginResolverOverridesAgents() {
             createEmptyTestServerPolicy(),
             List.of(new CreateClassLoaderEntitlement()),
             Map.of(),
-            c -> new PolicyScope("test", moduleName(c)), // Insist that the class is in a plugin
+            c -> PolicyScope.plugin("test", moduleName(c)), // Insist that the class is in a plugin
             Map.of(),
             NO_ENTITLEMENTS_MODULE,
             TEST_PATH_LOOKUP,
@@ -586,7 +585,7 @@ private static PolicyManager policyManager(Module entitlementsModule) {
             createEmptyTestServerPolicy(),
             List.of(),
             Map.of(),
-            c -> new PolicyScope("test", moduleName(c)),
+            c -> PolicyScope.plugin("test", moduleName(c)),
             Map.of(),
             entitlementsModule,
             TEST_PATH_LOOKUP,

server/src/main/java/org/elasticsearch/bootstrap/ScopeResolver.java

@@ -17,9 +17,6 @@
 import java.util.stream.Stream;
 
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED;
-import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.APM_AGENT_COMPONENT_NAME;
-import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.SERVER_COMPONENT_NAME;
-import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.UNKNOWN_COMPONENT_NAME;
 
 public class ScopeResolver {
     private final Map<Module, String> pluginNameByModule;
@@ -57,17 +54,17 @@ public PolicyScope resolveClassToScope(Class<?> clazz) {
         var module = clazz.getModule();
         var scopeName = getScopeName(module);
         if (isServerModule(module)) {
-            return new PolicyScope(SERVER_COMPONENT_NAME, scopeName);
+            return PolicyScope.server(scopeName);
         }
         String pluginName = pluginNameByModule.get(module);
         if (pluginName != null) {
-            return new PolicyScope(pluginName, scopeName);
+            return PolicyScope.plugin(pluginName, scopeName);
         }
         if (module.isNamed() == false && clazz.getPackageName().startsWith(apmAgentPackageName)) {
             // The APM agent is the only thing running non-modular in the system classloader
-            return new PolicyScope(APM_AGENT_COMPONENT_NAME, ALL_UNNAMED);
+            return PolicyScope.apmAgent(ALL_UNNAMED);
         }
-        return new PolicyScope(UNKNOWN_COMPONENT_NAME, scopeName);
+        return PolicyScope.unknown(scopeName);
     }
 
     private static boolean isServerModule(Module requestingModule) {