Add shared_repo relative dir for files entitlement (#123221)

This commit adds the shared repo path as a relative base dir. However,
it does not make this available to policy files, only to server.

Author: rjernst

libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java

@@ -39,8 +39,8 @@ public record BootstrapArgs(
         Function<Class<?>, String> pluginResolver,
         Function<String, String> settingResolver,
         Function<String, Stream<String>> settingGlobResolver,
-        Function<String, Path> repoDirResolver,
         Path[] dataDirs,
+        Path[] sharedRepoDirs,
         Path configDir,
         Path libDir,
         Path logsDir,
@@ -51,11 +51,11 @@ public record BootstrapArgs(
             requireNonNull(pluginResolver);
             requireNonNull(settingResolver);
             requireNonNull(settingGlobResolver);
-            requireNonNull(repoDirResolver);
             requireNonNull(dataDirs);
             if (dataDirs.length == 0) {
                 throw new IllegalArgumentException("must provide at least one data directory");
             }
+            requireNonNull(sharedRepoDirs);
             requireNonNull(configDir);
             requireNonNull(libDir);
             requireNonNull(logsDir);
@@ -77,8 +77,8 @@ public static BootstrapArgs bootstrapArgs() {
      * @param pluginResolver a functor to map a Java Class to the plugin it belongs to (the plugin name).
      * @param settingResolver a functor to resolve the value of an Elasticsearch setting.
      * @param settingGlobResolver a functor to resolve a glob expression for one or more Elasticsearch settings.
-     * @param repoDirResolver a functor to map a repository location to its Elasticsearch path.
      * @param dataDirs       data directories for Elasticsearch
+     * @param sharedRepoDirs       shared repository directories for Elasticsearch
      * @param configDir      the config directory for Elasticsearch
      * @param libDir         the lib directory for Elasticsearch
      * @param tempDir        the temp directory for Elasticsearch
@@ -89,8 +89,8 @@ public static void bootstrap(
         Function<Class<?>, String> pluginResolver,
         Function<String, String> settingResolver,
         Function<String, Stream<String>> settingGlobResolver,
-        Function<String, Path> repoDirResolver,
         Path[] dataDirs,
+        Path[] sharedRepoDirs,
         Path configDir,
         Path libDir,
         Path logsDir,
@@ -105,8 +105,8 @@ public static void bootstrap(
             pluginResolver,
             settingResolver,
             settingGlobResolver,
-            repoDirResolver,
             dataDirs,
+            sharedRepoDirs,
             configDir,
             libDir,
             logsDir,

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -63,6 +63,8 @@
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
 
+import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.BaseDir.DATA;
+import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.BaseDir.SHARED_REPO;
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ;
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ_WRITE;
 
@@ -138,6 +140,7 @@ private static PolicyManager createPolicyManager() {
             getUserHome(),
             bootstrapArgs.configDir(),
             bootstrapArgs.dataDirs(),
+            bootstrapArgs.sharedRepoDirs(),
             bootstrapArgs.tempDir(),
             bootstrapArgs.settingResolver(),
             bootstrapArgs.settingGlobResolver()
@@ -152,8 +155,8 @@ private static PolicyManager createPolicyManager() {
                     new CreateClassLoaderEntitlement(),
                     new FilesEntitlement(
                         List.of(
-                            FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE),
-                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
+                            FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),
+                            FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE)
                         )
                     )
                 )
@@ -175,8 +178,8 @@ private static PolicyManager createPolicyManager() {
                             FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
                             FileData.ofPath(bootstrapArgs.configDir(), READ),
                             FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
-                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE),
-                            FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE),
+                            FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE),
+                            FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),
 
                             // OS release on Linux
                             FileData.ofPath(Path.of("/etc/os-release"), READ),
@@ -210,21 +213,21 @@ private static PolicyManager createPolicyManager() {
                         List.of(
                             FileData.ofPath(bootstrapArgs.configDir(), READ),
                             FileData.ofPath(bootstrapArgs.tempDir(), READ),
-                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
+                            FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE)
                         )
                     )
                 )
             ),
             new Scope(
                 "org.apache.lucene.misc",
-                List.of(new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE))))
+                List.of(new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE))))
             ),
             new Scope("org.apache.logging.log4j.core", List.of(new ManageThreadsEntitlement())),
             new Scope(
                 "org.elasticsearch.nativeaccess",
                 List.of(
                     new LoadNativeLibrariesEntitlement(),
-                    new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)))
+                    new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE)))
                 )
             )
         );

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PathLookup.java

@@ -17,6 +17,7 @@ public record PathLookup(
     Path homeDir,
     Path configDir,
     Path[] dataDirs,
+    Path[] sharedRepoDirs,
     Path tempDir,
     Function<String, String> settingResolver,
     Function<String, Stream<String>> settingGlobResolver

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -38,6 +38,7 @@ public enum Mode {
     public enum BaseDir {
         CONFIG,
         DATA,
+        SHARED_REPO,
         HOME
     }
 
@@ -122,14 +123,9 @@ default Stream<Path> resolvePaths(PathLookup pathLookup) {
                 case CONFIG:
                     return relativePaths.map(relativePath -> pathLookup.configDir().resolve(relativePath));
                 case DATA:
-                    // multiple data dirs are a pain...we need the combination of relative paths and data dirs
-                    List<Path> paths = new ArrayList<>();
-                    for (var relativePath : relativePaths.toList()) {
-                        for (var dataDir : pathLookup.dataDirs()) {
-                            paths.add(dataDir.resolve(relativePath));
-                        }
-                    }
-                    return paths.stream();
+                    return relativePathsCombination(pathLookup.dataDirs(), relativePaths);
+                case SHARED_REPO:
+                    return relativePathsCombination(pathLookup.sharedRepoDirs(), relativePaths);
                 case HOME:
                     return relativePaths.map(relativePath -> pathLookup.homeDir().resolve(relativePath));
                 default:
@@ -138,6 +134,17 @@ default Stream<Path> resolvePaths(PathLookup pathLookup) {
         }
     }
 
+    private static Stream<Path> relativePathsCombination(Path[] baseDirs, Stream<Path> relativePaths) {
+        // multiple base dirs are a pain...we need the combination of the base dirs and relative paths
+        List<Path> paths = new ArrayList<>();
+        for (var relativePath : relativePaths.toList()) {
+            for (var dataDir : baseDirs) {
+                paths.add(dataDir.resolve(relativePath));
+            }
+        }
+        return paths.stream();
+    }
+
     private record AbsolutePathFileData(Path path, Mode mode) implements FileData {
         @Override
         public Stream<Path> resolvePaths(PathLookup pathLookup) {
@@ -189,6 +196,7 @@ private static BaseDir parseBaseDir(String baseDir) {
             case "config" -> BaseDir.CONFIG;
             case "data" -> BaseDir.DATA;
             case "home" -> BaseDir.HOME;
+            // NOTE: shared_repo is _not_ accessible to policy files, only internally
             default -> throw new PolicyValidationException(
                 "invalid relative directory: " + baseDir + ", valid values: [config, data, home]"
             );

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -42,6 +42,7 @@ private static Path path(String s) {
         Path.of("/home"),
         Path.of("/config"),
         new Path[] { Path.of("/data1"), Path.of("/data2") },
+        new Path[] { Path.of("/shared1"), Path.of("/shared2") },
         Path.of("/tmp"),
         setting -> settings.get(setting),
         glob -> settings.getGlobValues(glob)

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -69,6 +69,7 @@ public static void beforeClass() {
                 TEST_BASE_DIR.resolve("/user/home"),
                 TEST_BASE_DIR.resolve("/config"),
                 new Path[] { TEST_BASE_DIR.resolve("/data1/"), TEST_BASE_DIR.resolve("/data2") },
+                new Path[] { TEST_BASE_DIR.resolve("/shared1"), TEST_BASE_DIR.resolve("/shared2") },
                 TEST_BASE_DIR.resolve("/temp"),
                 Settings.EMPTY::get,
                 Settings.EMPTY::getGlobValues

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlementTests.java

@@ -40,6 +40,7 @@ public static void setupRoot() {
         Path.of("home"),
         Path.of("/config"),
         new Path[] { Path.of("/data1"), Path.of("/data2") },
+        new Path[] { Path.of("/shared1"), Path.of("/shared2") },
         Path.of("/tmp"),
         setting -> settings.get(setting),
         glob -> settings.getGlobValues(glob)

server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java

@@ -247,8 +247,8 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
                 pluginsResolver::resolveClassToPluginName,
                 nodeEnv.settings()::get,
                 nodeEnv.settings()::getGlobValues,
-                nodeEnv::resolveRepoDir,
                 nodeEnv.dataDirs(),
+                nodeEnv.repoDirs(),
                 nodeEnv.configDir(),
                 nodeEnv.libDir(),
                 nodeEnv.logsDir(),

server/src/main/java/org/elasticsearch/env/Environment.java

@@ -335,7 +335,7 @@ public static long getUsableSpace(Path path) throws IOException {
      */
     public static void assertEquivalent(Environment actual, Environment expected) {
         assertEquals(actual.dataDirs(), expected.dataDirs(), "dataDirs");
-        assertEquals(actual.repoDirs(), expected.repoDirs(), "repoDirs");
+        assertEquals(actual.repoDirs(), expected.repoDirs(), "sharedRepoDirs");
         assertEquals(actual.configDir(), expected.configDir(), "configDir");
         assertEquals(actual.pluginsDir(), expected.pluginsDir(), "pluginsDir");
         assertEquals(actual.binDir(), expected.binDir(), "binDir");