server policy patching via system property (merge, not replace)

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java

@@ -14,6 +14,7 @@
 import com.sun.tools.attach.AttachNotSupportedException;
 import com.sun.tools.attach.VirtualMachine;
 
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.initialization.EntitlementInitialization;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
@@ -33,6 +34,7 @@
 public class EntitlementBootstrap {
 
     public record BootstrapArgs(
+        @Nullable Policy serverPolicyPatch,
         Map<String, Policy> pluginPolicies,
         Function<Class<?>, String> pluginResolver,
         Function<String, Stream<String>> settingResolver,
@@ -78,6 +80,7 @@ public static BootstrapArgs bootstrapArgs() {
      * Activates entitlement checking. Once this method returns, calls to methods protected by Entitlements from classes without a valid
      * policy will throw {@link org.elasticsearch.entitlement.runtime.api.NotEntitledException}.
      *
+     * @param serverPolicyPatch a policy with additional entitlements to patch the embedded server layer policy
      * @param pluginPolicies a map holding policies for plugins (and modules), by plugin (or module) name.
      * @param pluginResolver a functor to map a Java Class to the plugin it belongs to (the plugin name).
      * @param settingResolver a functor to resolve a setting name pattern for one or more Elasticsearch settings.
@@ -94,6 +97,7 @@ public static BootstrapArgs bootstrapArgs() {
      * @param suppressFailureLogClasses   classes for which we do not need or want to log Entitlements failures
      */
     public static void bootstrap(
+        Policy serverPolicyPatch,
         Map<String, Policy> pluginPolicies,
         Function<Class<?>, String> pluginResolver,
         Function<String, Stream<String>> settingResolver,
@@ -114,6 +118,7 @@ public static void bootstrap(
             throw new IllegalStateException("plugin data is already set");
         }
         EntitlementBootstrap.bootstrapArgs = new BootstrapArgs(
+            serverPolicyPatch,
             pluginPolicies,
             pluginResolver,
             settingResolver,

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -23,6 +23,7 @@
 import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
+import org.elasticsearch.entitlement.runtime.policy.PolicyParserUtils;
 import org.elasticsearch.entitlement.runtime.policy.Scope;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.CreateClassLoaderEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
@@ -268,8 +269,13 @@ private static PolicyManager createPolicyManager() {
             );
         }
 
-        // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
-        var serverPolicy = new Policy("server", serverScopes);
+        var serverPolicy = new Policy(
+            "server",
+            bootstrapArgs.serverPolicyPatch() == null
+                ? serverScopes
+                : PolicyParserUtils.mergeScopes(serverScopes, bootstrapArgs.serverPolicyPatch().scopes())
+        );
+
         // agents run without a module, so this is a special hack for the apm agent
         // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
         // See also modules/apm/src/main/plugin-metadata/entitlement-policy.yaml

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -131,9 +131,9 @@ ModuleEntitlements policyEntitlements(String componentName, Path componentPath,
 
     public static final String ALL_UNNAMED = "ALL-UNNAMED";
 
-    private static final Set<Module> systemModules = findSystemModules();
+    private static final Set<Module> SYSTEM_LAYER_MODULES = findSystemLayerModules();
 
-    private static Set<Module> findSystemModules() {
+    private static Set<Module> findSystemLayerModules() {
         var systemModulesDescriptors = ModuleFinder.ofSystem()
             .findAll()
             .stream()
@@ -153,6 +153,13 @@ private static Set<Module> findSystemModules() {
         ).collect(Collectors.toUnmodifiableSet());
     }
 
+    // Anything in the boot layer that is not in the system layer, is in the server layer
+    public static final Set<Module> SERVER_LAYER_MODULES = ModuleLayer.boot()
+        .modules()
+        .stream()
+        .filter(m -> SYSTEM_LAYER_MODULES.contains(m) == false)
+        .collect(Collectors.toUnmodifiableSet());
+
     private final Map<String, Path> sourcePaths;
     /**
      * The package name containing classes from the APM agent.
@@ -705,7 +712,7 @@ private static boolean isTriviallyAllowed(Class<?> requestingClass) {
             logger.debug("Entitlement trivially allowed: no caller frames outside the entitlement library");
             return true;
         }
-        if (systemModules.contains(requestingClass.getModule())) {
+        if (SYSTEM_LAYER_MODULES.contains(requestingClass.getModule())) {
             logger.debug("Entitlement trivially allowed from system module [{}]", requestingClass.getModule().getName());
             return true;
         }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyParserUtils.java

@@ -10,6 +10,8 @@
 package org.elasticsearch.entitlement.runtime.policy;
 
 import org.elasticsearch.core.Strings;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
 
@@ -20,14 +22,15 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardOpenOption;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import static java.util.Objects.requireNonNull;
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED;
@@ -36,6 +39,45 @@ public class PolicyParserUtils {
 
     private static final Logger logger = LogManager.getLogger(PolicyParserUtils.class);
 
+    public static List<Scope> mergeScopes(List<Scope> mainScopes, List<Scope> additionalScopes) {
+        var result = new ArrayList<Scope>();
+        var additionalScopesMap = additionalScopes.stream().collect(Collectors.toMap(Scope::moduleName, Scope::entitlements));
+        for (var mainScope : mainScopes) {
+            List<Entitlement> additionalEntitlements = additionalScopesMap.remove(mainScope.moduleName());
+            if (additionalEntitlements != null) {
+                result.add(new Scope(mainScope.moduleName(), mergeEntitlements(mainScope.entitlements(), additionalEntitlements)));
+            } else {
+                result.add(mainScope);
+            }
+        }
+
+        for (var remainingEntry : additionalScopesMap.entrySet()) {
+            result.add(new Scope(remainingEntry.getKey(), remainingEntry.getValue()));
+        }
+        return result;
+    }
+
+    static List<Entitlement> mergeEntitlements(List<Entitlement> a, List<Entitlement> b) {
+        Map<Class<? extends Entitlement>, List<Entitlement>> allEntitlements = Stream.concat(a.stream(), b.stream())
+            .collect(Collectors.groupingBy(Entitlement::getClass));
+
+        List<Entitlement> result = new ArrayList<>();
+        for (var entitlements : allEntitlements.entrySet()) {
+            var entitlementClass = entitlements.getKey();
+            if (entitlementClass.equals(FilesEntitlement.class)) {
+                var filesData = entitlements.getValue().stream().flatMap(entitlement -> {
+                    FilesEntitlement filesEntitlement = (FilesEntitlement) entitlement;
+                    return filesEntitlement.filesData().stream();
+                }).filter(x -> x.platform().isCurrent()).distinct();
+
+                result.add(new FilesEntitlement(filesData.toList()));
+            } else {
+                result.add(entitlements.getValue().get(0));
+            }
+        }
+        return result;
+    }
+
     public record PluginData(Path pluginPath, boolean isModular, boolean isExternalPlugin) {
         public PluginData {
             requireNonNull(pluginPath);
@@ -44,8 +86,6 @@ public record PluginData(Path pluginPath, boolean isModular, boolean isExternalP
 
     private static final String POLICY_FILE_NAME = "entitlement-policy.yaml";
 
-    public static final String POLICY_OVERRIDE_PREFIX = "es.entitlements.policy.";
-
     public static Map<String, Policy> createPluginPolicies(Collection<PluginData> pluginData, Map<String, String> overrides, String version)
         throws IOException {
         Map<String, Policy> pluginPolicies = new HashMap<>(pluginData.size());
@@ -54,9 +94,15 @@ public static Map<String, Policy> createPluginPolicies(Collection<PluginData> pl
             String pluginName = pluginRoot.getFileName().toString();
             final Set<String> moduleNames = getModuleNames(pluginRoot, entry.isModular());
 
-            var overriddenPolicy = parsePolicyOverrideIfExists(overrides, version, entry.isExternalPlugin(), pluginName, moduleNames);
-            if (overriddenPolicy.isPresent()) {
-                pluginPolicies.put(pluginName, overriddenPolicy.get());
+            var overriddenPolicy = parsePolicyOverrideIfExists(
+                overrides.get(pluginName),
+                version,
+                entry.isExternalPlugin(),
+                pluginName,
+                moduleNames
+            );
+            if (overriddenPolicy != null) {
+                pluginPolicies.put(pluginName, overriddenPolicy);
             } else {
                 Path policyFile = pluginRoot.resolve(POLICY_FILE_NAME);
                 var policy = parsePolicyIfExists(pluginName, policyFile, entry.isExternalPlugin());
@@ -67,59 +113,55 @@ public static Map<String, Policy> createPluginPolicies(Collection<PluginData> pl
         return pluginPolicies;
     }
 
-    static Optional<Policy> parsePolicyOverrideIfExists(
-        Map<String, String> overrides,
+    public static Policy parsePolicyOverrideIfExists(
+        String policyOverride,
         String version,
         boolean externalPlugin,
-        String pluginName,
+        String layerName,
         Set<String> moduleNames
     ) {
-        var policyOverride = overrides.get(pluginName);
         if (policyOverride != null) {
             try {
-                var versionedPolicy = decodeOverriddenPluginPolicy(policyOverride, pluginName, externalPlugin);
-                validatePolicyScopes(pluginName, versionedPolicy.policy(), moduleNames, "<override>");
+                var versionedPolicy = decodeOverriddenPluginPolicy(policyOverride, layerName, externalPlugin);
+                validatePolicyScopes(layerName, versionedPolicy.policy(), moduleNames, "<override>");
 
                 // Empty versions defaults to "any"
                 if (versionedPolicy.versions().isEmpty() || versionedPolicy.versions().contains(version)) {
-                    logger.info("Using policy override for plugin [{}]", pluginName);
-                    return Optional.of(versionedPolicy.policy());
+                    logger.info("Using policy override for layer [{}]", layerName);
+                    return versionedPolicy.policy();
                 } else {
                     logger.warn(
                         "Found a policy override with version mismatch. The override will not be applied. "
-                            + "Plugin [{}]; policy versions [{}]; current version [{}]",
-                        pluginName,
+                            + "Layer [{}]; policy versions [{}]; current version [{}]",
+                        layerName,
                         String.join(",", versionedPolicy.versions()),
                         version
                     );
                 }
             } catch (Exception ex) {
                 logger.warn(
-                    Strings.format(
-                        "Found a policy override with invalid content. The override will not be applied. Plugin [%s]",
-                        pluginName
-                    ),
+                    Strings.format("Found a policy override with invalid content. The override will not be applied. Layer [%s]", layerName),
                     ex
                 );
             }
         }
-        return Optional.empty();
+        return null;
     }
 
-    static VersionedPolicy decodeOverriddenPluginPolicy(String base64String, String pluginName, boolean isExternalPlugin)
+    static VersionedPolicy decodeOverriddenPluginPolicy(String base64String, String layerName, boolean isExternalPlugin)
         throws IOException {
         byte[] policyDefinition = Base64.getDecoder().decode(base64String);
-        return new PolicyParser(new ByteArrayInputStream(policyDefinition), pluginName, isExternalPlugin).parseVersionedPolicy();
+        return new PolicyParser(new ByteArrayInputStream(policyDefinition), layerName, isExternalPlugin).parseVersionedPolicy();
     }
 
-    private static void validatePolicyScopes(String pluginName, Policy policy, Set<String> moduleNames, String policyLocation) {
+    private static void validatePolicyScopes(String layerName, Policy policy, Set<String> moduleNames, String policyLocation) {
         // TODO: should this check actually be part of the parser?
         for (Scope scope : policy.scopes()) {
             if (moduleNames.contains(scope.moduleName()) == false) {
                 throw new IllegalStateException(
                     Strings.format(
-                        "Invalid module name in policy: plugin [%s] does not have module [%s]; available modules [%s]; policy path [%s]",
-                        pluginName,
+                        "Invalid module name in policy: layer [%s] does not have module [%s]; available modules [%s]; policy path [%s]",
+                        layerName,
                         scope.moduleName(),
                         String.join(", ", moduleNames),
                         policyLocation

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyParserUtilsTests.java

@@ -16,11 +16,10 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 
-import static org.elasticsearch.test.hamcrest.OptionalMatchers.isEmpty;
-import static org.elasticsearch.test.hamcrest.OptionalMatchers.isPresentWith;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.nullValue;
 
 @ESTestCase.WithoutSecurityManager
 public class PolicyParserUtilsTests extends ESTestCase {
@@ -41,8 +40,6 @@ public void testCreatePluginPolicyWithOverride() {
             Base64.getEncoder().encode(policyForOverride.getBytes(StandardCharsets.UTF_8)),
             StandardCharsets.UTF_8
         );
-        var overrides = Map.of("test-plugin", base64EncodedPolicy);
-
         final Policy expectedPolicy = new Policy(
             "test-plugin",
             List.of(
@@ -52,14 +49,14 @@ public void testCreatePluginPolicyWithOverride() {
         );
 
         var policy = PolicyParserUtils.parsePolicyOverrideIfExists(
-            overrides,
+            base64EncodedPolicy,
             "9.0.0",
             true,
             "test-plugin",
             Set.of("entitlement-module-name", "entitlement-module-name-2")
         );
 
-        assertThat(policy, isPresentWith(expectedPolicy));
+        assertThat(policy, equalTo(expectedPolicy));
     }
 
     public void testCreatePluginPolicyWithOverrideAnyVersion() {
@@ -75,7 +72,6 @@ public void testCreatePluginPolicyWithOverrideAnyVersion() {
             Base64.getEncoder().encode(policyForOverride.getBytes(StandardCharsets.UTF_8)),
             StandardCharsets.UTF_8
         );
-        var overrides = Map.of("test-plugin", base64EncodedPolicy);
 
         final Policy expectedPolicy = new Policy(
             "test-plugin",
@@ -86,14 +82,14 @@ public void testCreatePluginPolicyWithOverrideAnyVersion() {
         );
 
         var policy = PolicyParserUtils.parsePolicyOverrideIfExists(
-            overrides,
+            base64EncodedPolicy,
             "abcdef",
             true,
             "test-plugin",
             Set.of("entitlement-module-name", "entitlement-module-name-2")
         );
 
-        assertThat(policy, isPresentWith(expectedPolicy));
+        assertThat(policy, equalTo(expectedPolicy));
     }
 
     public void testNoOverriddenPolicyWithVersionMismatch() {
@@ -112,17 +108,16 @@ public void testNoOverriddenPolicyWithVersionMismatch() {
             Base64.getEncoder().encode(policyForOverride.getBytes(StandardCharsets.UTF_8)),
             StandardCharsets.UTF_8
         );
-        var overrides = Map.of("test-plugin", base64EncodedPolicy);
 
         var policy = PolicyParserUtils.parsePolicyOverrideIfExists(
-            overrides,
+            base64EncodedPolicy,
             "9.1.0",
             true,
             "test-plugin",
             Set.of("entitlement-module-name", "entitlement-module-name-2")
         );
 
-        assertThat(policy, isEmpty());
+        assertThat(policy, nullValue());
     }
 
     public void testNoOverriddenPolicyWithValidationError() {
@@ -141,11 +136,10 @@ public void testNoOverriddenPolicyWithValidationError() {
             Base64.getEncoder().encode(policyForOverride.getBytes(StandardCharsets.UTF_8)),
             StandardCharsets.UTF_8
         );
-        var overrides = Map.of("test-plugin", base64EncodedPolicy);
 
-        var policy = PolicyParserUtils.parsePolicyOverrideIfExists(overrides, "9.0.0", true, "test-plugin", Set.of());
+        var policy = PolicyParserUtils.parsePolicyOverrideIfExists(base64EncodedPolicy, "9.0.0", true, "test-plugin", Set.of());
 
-        assertThat(policy, isEmpty());
+        assertThat(policy, nullValue());
     }
 
     public void testNoOverriddenPolicyWithParsingError() {
@@ -160,10 +154,9 @@ public void testNoOverriddenPolicyWithParsingError() {
             Base64.getEncoder().encode(policyForOverride.getBytes(StandardCharsets.UTF_8)),
             StandardCharsets.UTF_8
         );
-        var overrides = Map.of("test-plugin", base64EncodedPolicy);
 
-        var policy = PolicyParserUtils.parsePolicyOverrideIfExists(overrides, "9.0.0", true, "test-plugin", Set.of());
+        var policy = PolicyParserUtils.parsePolicyOverrideIfExists(base64EncodedPolicy, "9.0.0", true, "test-plugin", Set.of());
 
-        assertThat(policy, isEmpty());
+        assertThat(policy, nullValue());
     }
 }