Consolidate path setting files entitlements to config

The setting based paths could be either absolute or relative, and they
are always relative to the config dir. This commit renames the
path_setting to make it clear it is related to config, and removes the
relative variant.

Author: rjernst

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -91,12 +91,8 @@ static FileData ofRelativePath(Path relativePath, BaseDir baseDir, Mode mode) {
             return new RelativePathFileData(relativePath, baseDir, mode, null, false);
         }
 
-        static FileData ofPathSetting(String setting, Mode mode, boolean ignoreUrl) {
-            return new PathSettingFileData(setting, mode, ignoreUrl, null, false);
-        }
-
-        static FileData ofRelativePathSetting(String setting, BaseDir baseDir, Mode mode, boolean ignoreUrl) {
-            return new RelativePathSettingFileData(setting, baseDir, mode, ignoreUrl, null, false);
+        static FileData ofConfigPathSetting(String setting, Mode mode, boolean ignoreUrl) {
+            return new ConfigPathSettingFileData(setting, mode, ignoreUrl, null, false);
         }
 
         /**
@@ -225,71 +221,39 @@ public FileData withPlatform(Platform platform) {
         }
     }
 
-    private record PathSettingFileData(String setting, Mode mode, boolean ignoreUrl, Platform platform, boolean exclusive)
+    private record ConfigPathSettingFileData(String setting, Mode mode, boolean ignoreUrl, Platform platform, boolean exclusive)
         implements
             FileData {
 
         @Override
-        public PathSettingFileData withExclusive(boolean exclusive) {
-            return new PathSettingFileData(setting, mode, ignoreUrl, platform, exclusive);
+        public ConfigPathSettingFileData withExclusive(boolean exclusive) {
+            return new ConfigPathSettingFileData(setting, mode, ignoreUrl, platform, exclusive);
         }
 
         @Override
         public Stream<Path> resolvePaths(PathLookup pathLookup) {
-            return resolvePathSettings(pathLookup, setting, ignoreUrl);
-        }
-
-        @Override
-        public FileData withPlatform(Platform platform) {
-            if (platform == platform()) {
-                return this;
+            Stream<String> result;
+            if (setting.contains("*")) {
+                result = pathLookup.settingGlobResolver().apply(setting);
+            } else {
+                String path = pathLookup.settingResolver().apply(setting);
+                result = path == null ? Stream.of() : Stream.of(path);
             }
-            return new PathSettingFileData(setting, mode, ignoreUrl, platform, exclusive);
-        }
-    }
-
-    private record RelativePathSettingFileData(
-        String setting,
-        BaseDir baseDir,
-        Mode mode,
-        boolean ignoreUrl,
-        Platform platform,
-        boolean exclusive
-    ) implements FileData, RelativeFileData {
-
-        @Override
-        public RelativePathSettingFileData withExclusive(boolean exclusive) {
-            return new RelativePathSettingFileData(setting, baseDir, mode, ignoreUrl, platform, exclusive);
-        }
-
-        @Override
-        public Stream<Path> resolveRelativePaths(PathLookup pathLookup) {
-            return resolvePathSettings(pathLookup, setting, ignoreUrl);
+            if (ignoreUrl) {
+                result = result.filter(s -> s.toLowerCase(Locale.ROOT).startsWith("https://") == false);
+            }
+            return result.map(pathLookup.configDir()::resolve);
         }
 
         @Override
         public FileData withPlatform(Platform platform) {
             if (platform == platform()) {
                 return this;
             }
-            return new RelativePathSettingFileData(setting, baseDir, mode, ignoreUrl, platform, exclusive);
+            return new ConfigPathSettingFileData(setting, mode, ignoreUrl, platform, exclusive);
         }
     }
 
-    private static Stream<Path> resolvePathSettings(PathLookup pathLookup, String setting, boolean ignoreUrl) {
-        Stream<String> result;
-        if (setting.contains("*")) {
-            result = pathLookup.settingGlobResolver().apply(setting);
-        } else {
-            String path = pathLookup.settingResolver().apply(setting);
-            result = path == null ? Stream.of() : Stream.of(path);
-        }
-        if (ignoreUrl) {
-            result = result.filter(s -> s.toLowerCase(Locale.ROOT).startsWith("https://") == false);
-        }
-        return result.map(Path::of);
-    }
-
     private static Mode parseMode(String mode) {
         if (mode.equals("read")) {
             return Mode.READ;
@@ -370,8 +334,7 @@ public static FilesEntitlement build(List<Object> paths) {
             String pathAsString = checkString.apply(file, "path");
             String relativePathAsString = checkString.apply(file, "relative_path");
             String relativeTo = checkString.apply(file, "relative_to");
-            String pathSetting = checkString.apply(file, "path_setting");
-            String relativePathSetting = checkString.apply(file, "relative_path_setting");
+            String configPathSetting = checkString.apply(file, "config_path_setting");
             String modeAsString = checkString.apply(file, "mode");
             String platformAsString = checkString.apply(file, "platform");
             Boolean ignoreUrlAsStringBoolean = checkBoolean.apply(file, "ignore_url");
@@ -382,11 +345,10 @@ public static FilesEntitlement build(List<Object> paths) {
             if (file.isEmpty() == false) {
                 throw new PolicyValidationException("unknown key(s) [" + file + "] in a listed file for files entitlement");
             }
-            int foundKeys = (pathAsString != null ? 1 : 0) + (relativePathAsString != null ? 1 : 0) + (pathSetting != null ? 1 : 0)
-                + (relativePathSetting != null ? 1 : 0);
+            int foundKeys = (pathAsString != null ? 1 : 0) + (relativePathAsString != null ? 1 : 0) + (configPathSetting != null ? 1 : 0);
             if (foundKeys != 1) {
                 throw new PolicyValidationException(
-                    "a files entitlement entry must contain one of " + "[path, relative_path, path_setting, relative_path_setting]"
+                    "a files entitlement entry must contain one of " + "[path, relative_path, config_path_setting]"
                 );
             }
 
@@ -405,7 +367,7 @@ public static FilesEntitlement build(List<Object> paths) {
             }
 
             if (ignoreUrlAsStringBoolean != null && (relativePathAsString != null || pathAsString != null)) {
-                throw new PolicyValidationException("'ignore_url' may only be used with `path_setting` or `relative_path_setting`");
+                throw new PolicyValidationException("'ignore_url' may only be used with 'config_path_setting'");
             }
 
             final FileData fileData;
@@ -424,13 +386,8 @@ public static FilesEntitlement build(List<Object> paths) {
                     throw new PolicyValidationException("'path' [" + pathAsString + "] must be absolute");
                 }
                 fileData = FileData.ofPath(path, mode);
-            } else if (pathSetting != null) {
-                fileData = FileData.ofPathSetting(pathSetting, mode, ignoreUrlAsString);
-            } else if (relativePathSetting != null) {
-                if (baseDir == null) {
-                    throw new PolicyValidationException("files entitlement with a 'relative_path_setting' must specify 'relative_to'");
-                }
-                fileData = FileData.ofRelativePathSetting(relativePathSetting, baseDir, mode, ignoreUrlAsString);
+            } else if (configPathSetting != null) {
+                fileData = FileData.ofConfigPathSetting(configPathSetting, mode, ignoreUrlAsString);
             } else {
                 throw new AssertionError("File entry validation error");
             }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyParserTests.java

@@ -182,10 +182,7 @@ public void testParseFiles() throws IOException {
                       mode: "read"
                     - path: '%s'
                       mode: "read_write"
-                    - path_setting: foo.bar
-                      mode: read
-                    - relative_path_setting: foo.bar
-                      relative_to: config
+                    - config_path_setting: foo.bar
                       mode: read
                 """, relativePathToFile, relativePathToDir, TEST_ABSOLUTE_PATH_TO_FILE).getBytes(StandardCharsets.UTF_8)),
             "test-policy.yaml",
@@ -202,8 +199,7 @@ public void testParseFiles() throws IOException {
                                 Map.of("relative_path", relativePathToFile, "mode", "read_write", "relative_to", "data"),
                                 Map.of("relative_path", relativePathToDir, "mode", "read", "relative_to", "config"),
                                 Map.of("path", TEST_ABSOLUTE_PATH_TO_FILE, "mode", "read_write"),
-                                Map.of("path_setting", "foo.bar", "mode", "read"),
-                                Map.of("relative_path_setting", "foo.bar", "relative_to", "config", "mode", "read")
+                                Map.of("config_path_setting", "foo.bar", "mode", "read")
                             )
                         )
                     )

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlementTests.java

@@ -25,7 +25,6 @@
 import java.util.List;
 import java.util.Map;
 
-import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.BaseDir.CONFIG;
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ;
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ_WRITE;
 import static org.hamcrest.Matchers.contains;
@@ -98,72 +97,70 @@ public void testFileDataRelativeWithEmptyDirectory() {
     }
 
     public void testPathSettingResolve() {
-        var entitlement = FilesEntitlement.build(List.of(Map.of("path_setting", "foo.bar", "mode", "read")));
+        var entitlement = FilesEntitlement.build(List.of(Map.of("config_path_setting", "foo.bar", "mode", "read")));
         var filesData = entitlement.filesData();
-        assertThat(filesData, contains(FileData.ofPathSetting("foo.bar", READ, false)));
+        assertThat(filesData, contains(FileData.ofConfigPathSetting("foo.bar", READ, false)));
 
-        var fileData = FileData.ofPathSetting("foo.bar", READ, false);
+        var fileData = FileData.ofConfigPathSetting("foo.bar", READ, false);
         // empty settings
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), empty());
 
-        fileData = FileData.ofPathSetting("foo.bar", READ, false);
+        fileData = FileData.ofConfigPathSetting("foo.bar", READ, false);
         settings = Settings.builder().put("foo.bar", "/setting/path").build();
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), contains(Path.of("/setting/path")));
 
-        fileData = FileData.ofPathSetting("foo.*.bar", READ, false);
+        fileData = FileData.ofConfigPathSetting("foo.*.bar", READ, false);
         settings = Settings.builder().put("foo.baz.bar", "/setting/path").build();
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), contains(Path.of("/setting/path")));
 
-        fileData = FileData.ofPathSetting("foo.*.bar", READ, false);
+        fileData = FileData.ofConfigPathSetting("foo.*.bar", READ, false);
         settings = Settings.builder().put("foo.baz.bar", "/setting/path").put("foo.baz2.bar", "/other/path").build();
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), containsInAnyOrder(Path.of("/setting/path"), Path.of("/other/path")));
-    }
 
-    public void testExclusiveParsing() throws Exception {
-        Policy parsedPolicy = new PolicyParser(new ByteArrayInputStream("""
-                    entitlement-module-name:
-                      - files:
-                        - path: /test
-                          mode: read
-                          exclusive: true
-            """.getBytes(StandardCharsets.UTF_8)), "test-policy.yaml", true).parsePolicy();
-        Policy expected = new Policy(
-            "test-policy.yaml",
-            List.of(
-                new Scope(
-                    "entitlement-module-name",
-                    List.of(FilesEntitlement.build(List.of(Map.of("path", "/test", "mode", "read", "exclusive", true))))
-                )
-            )
-        );
-        assertEquals(expected, parsedPolicy);
+        fileData = FileData.ofConfigPathSetting("foo.bar", READ, false);
+        settings = Settings.builder().put("foo.bar", "relative_path").build();
+        assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), contains(Path.of("/config/relative_path")));
     }
 
     public void testPathSettingIgnoreUrl() {
-        var fileData = FileData.ofPathSetting("foo.*.bar", READ, true);
+        var fileData = FileData.ofConfigPathSetting("foo.*.bar", READ, true);
         settings = Settings.builder().put("foo.nonurl.bar", "/setting/path").put("foo.url.bar", "https://mysite").build();
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), contains(Path.of("/setting/path")));
     }
 
-    public void testRelativePathSettingIgnoreUrl() {
-        var fileData = FileData.ofRelativePathSetting("foo.*.bar", CONFIG, READ, true);
-        settings = Settings.builder().put("foo.nonurl.bar", "path").put("foo.url.bar", "https://mysite").build();
-        assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), contains(Path.of("/config/path")));
-    }
-
     public void testIgnoreUrlValidation() {
         var e = expectThrows(
             PolicyValidationException.class,
             () -> FilesEntitlement.build(List.of(Map.of("path", "/foo", "mode", "read", "ignore_url", true)))
         );
-        assertThat(e.getMessage(), is("'ignore_url' may only be used with `path_setting` or `relative_path_setting`"));
+        assertThat(e.getMessage(), is("'ignore_url' may only be used with 'config_path_setting'"));
 
         e = expectThrows(
             PolicyValidationException.class,
             () -> FilesEntitlement.build(
                 List.of(Map.of("relative_path", "foo", "relative_to", "config", "mode", "read", "ignore_url", true))
             )
         );
-        assertThat(e.getMessage(), is("'ignore_url' may only be used with `path_setting` or `relative_path_setting`"));
+        assertThat(e.getMessage(), is("'ignore_url' may only be used with 'config_path_setting'"));
+    }
+
+    public void testExclusiveParsing() throws Exception {
+        Policy parsedPolicy = new PolicyParser(new ByteArrayInputStream("""
+                    entitlement-module-name:
+                      - files:
+                        - path: /test
+                          mode: read
+                          exclusive: true
+            """.getBytes(StandardCharsets.UTF_8)), "test-policy.yaml", true).parsePolicy();
+        Policy expected = new Policy(
+            "test-policy.yaml",
+            List.of(
+                new Scope(
+                    "entitlement-module-name",
+                    List.of(FilesEntitlement.build(List.of(Map.of("path", "/test", "mode", "read", "exclusive", true))))
+                )
+            )
+        );
+        assertEquals(expected, parsedPolicy);
     }
 }