checkpoint

Author: jdconrad

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -36,6 +36,10 @@ private FileAccessTree(
         List<ExclusivePath> exclusivePaths
     ) {
         List<String> updatedExclusivePaths = new ArrayList<>();
+        for (ExclusivePath exclusivePath : exclusivePaths) {
+            updatedExclusivePaths.add(normalizePath(exclusivePath.path()));
+        }
+
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
         for (FilesEntitlement.FileData fileData : filesEntitlement.filesData()) {
@@ -46,8 +50,25 @@ private FileAccessTree(
                 for (ExclusivePath exclusivePath : exclusivePaths) {
                     if (exclusivePath.componentName().equals(componentName) == false
                         || exclusivePath.moduleName().equals(moduleName) == false) {
+                        if (true) throw new IllegalArgumentException(
+                            path.getFileSystem() + " " + exclusivePath.path().getFileSystem() + " " + path.startsWith(exclusivePath.path())
+                        );
                         if (path.startsWith(exclusivePath.path())) {
-                            // TODO: throw
+                            throw new IllegalArgumentException(
+                                "["
+                                    + componentName
+                                    + "] ["
+                                    + moduleName
+                                    + "] cannot use"
+                                    + "exclusive path ["
+                                    + exclusivePath.path()
+                                    + "] from ["
+                                    + exclusivePath.componentName()
+                                    + "] "
+                                    + "["
+                                    + exclusivePath.moduleName()
+                                    + "]"
+                            );
                         }
                         updatedExclusivePaths.add(normalizePath(exclusivePath.path()));
                     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -197,7 +197,7 @@ public void testTempDirAccess() {
         assertThat(tree.canWrite(TEST_PATH_LOOKUP.tempDir()), is(true));
     }
 
-    public void testExclusiveAccess() {
+    public void testBasicExclusiveAccess() {
         var tree = accessTree(entitlement("foo", "read"), exclusivePaths("test-component", "test-module", "foo"));
         assertThat(tree.canRead(path("foo")), is(true));
         assertThat(tree.canWrite(path("foo")), is(false));
@@ -213,6 +213,11 @@ public void testExclusiveAccess() {
         assertThat(tree.canWrite(path("foo/bar")), is(false));
     }
 
+    public void testInvalidExclusiveAccess() {
+        var tree = accessTree(entitlement("foo/bar", "read"), exclusivePaths("test-component", "diff-module", "foo"));
+
+    }
+
     FileAccessTree accessTree(FilesEntitlement entitlement, List<ExclusivePath> exclusivePaths) {
         return FileAccessTree.of("test-component", "test-module", entitlement, TEST_PATH_LOOKUP, exclusivePaths);
     }