add withExclusive to FileData

Author: jdconrad

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -152,8 +152,8 @@ private static PolicyManager createPolicyManager() {
                     new CreateClassLoaderEntitlement(),
                     new FilesEntitlement(
                         List.of(
-                            FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE, false),
-                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE, false)
+                            FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE),
+                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
                         )
                     )
                 )
@@ -172,29 +172,29 @@ private static PolicyManager createPolicyManager() {
                     new FilesEntitlement(
                         List.of(
                             // Base ES directories
-                            FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE, false),
-                            FileData.ofPath(bootstrapArgs.configDir(), READ, false),
-                            FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE, false),
-                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE, false),
-                            FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE, false),
+                            FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
+                            FileData.ofPath(bootstrapArgs.configDir(), READ),
+                            FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
+                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE),
+                            FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE),
 
                             // OS release on Linux
-                            FileData.ofPath(Path.of("/etc/os-release"), READ, false),
-                            FileData.ofPath(Path.of("/etc/system-release"), READ, false),
-                            FileData.ofPath(Path.of("/usr/lib/os-release"), READ, false),
+                            FileData.ofPath(Path.of("/etc/os-release"), READ),
+                            FileData.ofPath(Path.of("/etc/system-release"), READ),
+                            FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
                             // read max virtual memory areas
-                            FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ, false),
-                            FileData.ofPath(Path.of("/proc/meminfo"), READ, false),
+                            FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
+                            FileData.ofPath(Path.of("/proc/meminfo"), READ),
                             // load averages on Linux
-                            FileData.ofPath(Path.of("/proc/loadavg"), READ, false),
+                            FileData.ofPath(Path.of("/proc/loadavg"), READ),
                             // control group stats on Linux. cgroup v2 stats are in an unpredicable
                             // location under `/sys/fs/cgroup`, so unfortunately we have to allow
                             // read access to the entire directory hierarchy.
-                            FileData.ofPath(Path.of("/proc/self/cgroup"), READ, false),
-                            FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ, false),
+                            FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
+                            FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
                             // // io stats on Linux
-                            FileData.ofPath(Path.of("/proc/self/mountinfo"), READ, false),
-                            FileData.ofPath(Path.of("/proc/diskstats"), READ, false)
+                            FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
+                            FileData.ofPath(Path.of("/proc/diskstats"), READ)
                         )
                     )
                 )
@@ -208,25 +208,23 @@ private static PolicyManager createPolicyManager() {
                     new ManageThreadsEntitlement(),
                     new FilesEntitlement(
                         List.of(
-                            FileData.ofPath(bootstrapArgs.configDir(), READ, false),
-                            FileData.ofPath(bootstrapArgs.tempDir(), READ, false),
-                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE, false)
+                            FileData.ofPath(bootstrapArgs.configDir(), READ),
+                            FileData.ofPath(bootstrapArgs.tempDir(), READ),
+                            FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
                         )
                     )
                 )
             ),
             new Scope(
                 "org.apache.lucene.misc",
-                List.of(
-                    new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE, false)))
-                )
+                List.of(new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE))))
             ),
             new Scope("org.apache.logging.log4j.core", List.of(new ManageThreadsEntitlement())),
             new Scope(
                 "org.elasticsearch.nativeaccess",
                 List.of(
                     new LoadNativeLibrariesEntitlement(),
-                    new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE, false)))
+                    new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)))
                 )
             )
         );
@@ -235,17 +233,11 @@ private static PolicyManager createPolicyManager() {
         if (trustStorePath != null) {
             Collections.addAll(
                 serverScopes,
-                new Scope(
-                    "org.bouncycastle.fips.tls",
-                    List.of(new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ, false))))
-                ),
+                new Scope("org.bouncycastle.fips.tls", List.of(new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))))),
                 new Scope(
                     "org.bouncycastle.fips.core",
                     // read to lib dir is required for checksum validation
-                    List.of(
-                        new FilesEntitlement(List.of(FileData.ofPath(bootstrapArgs.libDir(), READ, false))),
-                        new ManageThreadsEntitlement()
-                    )
+                    List.of(new FilesEntitlement(List.of(FileData.ofPath(bootstrapArgs.libDir(), READ))), new ManageThreadsEntitlement())
                 )
             );
         }
@@ -259,8 +251,8 @@ private static PolicyManager createPolicyManager() {
             new ManageThreadsEntitlement(),
             new FilesEntitlement(
                 List.of(
-                    FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ, false),
-                    FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ, false)
+                    FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ),
+                    FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ)
                 )
             )
         );

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -47,20 +47,22 @@ public sealed interface FileData {
 
         boolean exclusive();
 
-        static FileData ofPath(Path path, Mode mode, boolean exclusive) {
-            return new AbsolutePathFileData(path, mode, exclusive);
+        FileData withExclusive();
+
+        static FileData ofPath(Path path, Mode mode) {
+            return new AbsolutePathFileData(path, mode, false);
         }
 
-        static FileData ofRelativePath(Path relativePath, BaseDir baseDir, Mode mode, boolean exclusive) {
-            return new RelativePathFileData(relativePath, baseDir, mode, exclusive);
+        static FileData ofRelativePath(Path relativePath, BaseDir baseDir, Mode mode) {
+            return new RelativePathFileData(relativePath, baseDir, mode, false);
         }
 
-        static FileData ofPathSetting(String setting, Mode mode, boolean exclusive) {
-            return new PathSettingFileData(setting, mode, exclusive);
+        static FileData ofPathSetting(String setting, Mode mode) {
+            return new PathSettingFileData(setting, mode, false);
         }
 
-        static FileData ofRelativePathSetting(String setting, BaseDir baseDir, Mode mode, boolean exclusive) {
-            return new RelativePathSettingFileData(setting, baseDir, mode, exclusive);
+        static FileData ofRelativePathSetting(String setting, BaseDir baseDir, Mode mode) {
+            return new RelativePathSettingFileData(setting, baseDir, mode, false);
         }
     }
 
@@ -94,6 +96,12 @@ default Stream<Path> resolvePaths(PathLookup pathLookup) {
     }
 
     private record AbsolutePathFileData(Path path, Mode mode, boolean exclusive) implements FileData {
+
+        @Override
+        public AbsolutePathFileData withExclusive() {
+            return new AbsolutePathFileData(path, mode, true);
+        }
+
         @Override
         public Stream<Path> resolvePaths(PathLookup pathLookup) {
             return Stream.of(path);
@@ -104,13 +112,25 @@ private record RelativePathFileData(Path relativePath, BaseDir baseDir, Mode mod
         implements
             FileData,
             RelativeFileData {
+
+        @Override
+        public RelativePathFileData withExclusive() {
+            return new RelativePathFileData(relativePath, baseDir, mode, true);
+        }
+
         @Override
         public Stream<Path> resolveRelativePaths(PathLookup pathLookup) {
             return Stream.of(relativePath);
         }
     }
 
     private record PathSettingFileData(String setting, Mode mode, boolean exclusive) implements FileData {
+
+        @Override
+        public PathSettingFileData withExclusive() {
+            return new PathSettingFileData(setting, mode, true);
+        }
+
         @Override
         public Stream<Path> resolvePaths(PathLookup pathLookup) {
             return resolvePathSettings(pathLookup, setting);
@@ -121,6 +141,12 @@ private record RelativePathSettingFileData(String setting, BaseDir baseDir, Mode
         implements
             FileData,
             RelativeFileData {
+
+        @Override
+        public RelativePathSettingFileData withExclusive() {
+            return new RelativePathSettingFileData(setting, baseDir, mode, true);
+        }
+
         @Override
         public Stream<Path> resolveRelativePaths(PathLookup pathLookup) {
             return resolvePathSettings(pathLookup, setting);
@@ -195,6 +221,7 @@ public static FilesEntitlement build(List<Object> paths) {
                 baseDir = parseBaseDir(relativeTo);
             }
 
+            FileData fileData;
             if (relativePathAsString != null) {
                 if (baseDir == null) {
                     throw new PolicyValidationException("files entitlement with a 'relative_path' must specify 'relative_to'");
@@ -204,23 +231,24 @@ public static FilesEntitlement build(List<Object> paths) {
                 if (relativePath.isAbsolute()) {
                     throw new PolicyValidationException("'relative_path' [" + relativePathAsString + "] must be relative");
                 }
-                filesData.add(FileData.ofRelativePath(relativePath, baseDir, mode, exclusive));
+                fileData = FileData.ofRelativePath(relativePath, baseDir, mode);
             } else if (pathAsString != null) {
                 Path path = Path.of(pathAsString);
                 if (path.isAbsolute() == false) {
                     throw new PolicyValidationException("'path' [" + pathAsString + "] must be absolute");
                 }
-                filesData.add(FileData.ofPath(path, mode, exclusive));
+                fileData = FileData.ofPath(path, mode);
             } else if (pathSetting != null) {
-                filesData.add(FileData.ofPathSetting(pathSetting, mode, exclusive));
+                fileData = FileData.ofPathSetting(pathSetting, mode);
             } else if (relativePathSetting != null) {
                 if (baseDir == null) {
                     throw new PolicyValidationException("files entitlement with a 'relative_path_setting' must specify 'relative_to'");
                 }
-                filesData.add(FileData.ofRelativePathSetting(relativePathSetting, baseDir, mode, exclusive));
+                fileData = FileData.ofRelativePathSetting(relativePathSetting, baseDir, mode);
             } else {
                 throw new AssertionError("File entry validation error");
             }
+            filesData.add(exclusive ? fileData.withExclusive() : fileData);
         }
         return new FilesEntitlement(filesData);
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -379,7 +379,7 @@ public void testDuplicateEntitlements() {
                                     FilesEntitlement.EMPTY,
                                     new CreateClassLoaderEntitlement(),
                                     new FilesEntitlement(
-                                        List.of(FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ, false))
+                                        List.of(FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ))
                                     )
                                 )
                             )
@@ -450,9 +450,7 @@ private static Policy createPluginPolicy(String... pluginModules) {
                     name -> new Scope(
                         name,
                         List.of(
-                            new FilesEntitlement(
-                                List.of(FilesEntitlement.FileData.ofPath(TEST_BASE_DIR, FilesEntitlement.Mode.READ, false))
-                            ),
+                            new FilesEntitlement(List.of(FilesEntitlement.FileData.ofPath(TEST_BASE_DIR, FilesEntitlement.Mode.READ))),
                             new CreateClassLoaderEntitlement()
                         )
                     )

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlementTests.java

@@ -61,29 +61,29 @@ public void testInvalidRelativeDirectory() {
     }
 
     public void testFileDataRelativeWithEmptyDirectory() {
-        var fileData = FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE, false);
+        var fileData = FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE);
         var dataDirs = fileData.resolvePaths(TEST_PATH_LOOKUP);
         assertThat(dataDirs.toList(), contains(Path.of("/data1/"), Path.of("/data2")));
     }
 
     public void testPathSettingResolve() {
         var entitlement = FilesEntitlement.build(List.of(Map.of("path_setting", "foo.bar", "mode", "read")));
         var filesData = entitlement.filesData();
-        assertThat(filesData, contains(FileData.ofPathSetting("foo.bar", READ, false)));
+        assertThat(filesData, contains(FileData.ofPathSetting("foo.bar", READ)));
 
-        var fileData = FileData.ofPathSetting("foo.bar", READ, false);
+        var fileData = FileData.ofPathSetting("foo.bar", READ);
         // empty settings
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), empty());
 
-        fileData = FileData.ofPathSetting("foo.bar", READ, false);
+        fileData = FileData.ofPathSetting("foo.bar", READ);
         settings = Settings.builder().put("foo.bar", "/setting/path").build();
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), contains(Path.of("/setting/path")));
 
-        fileData = FileData.ofPathSetting("foo.*.bar", READ, false);
+        fileData = FileData.ofPathSetting("foo.*.bar", READ);
         settings = Settings.builder().put("foo.baz.bar", "/setting/path").build();
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), contains(Path.of("/setting/path")));
 
-        fileData = FileData.ofPathSetting("foo.*.bar", READ, false);
+        fileData = FileData.ofPathSetting("foo.*.bar", READ);
         settings = Settings.builder().put("foo.baz.bar", "/setting/path").put("foo.baz2.bar", "/other/path").build();
         assertThat(fileData.resolvePaths(TEST_PATH_LOOKUP).toList(), containsInAnyOrder(Path.of("/setting/path"), Path.of("/other/path")));
     }