Addressing PR comments

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -130,22 +130,7 @@ private static PolicyManager createPolicyManager() {
         Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
         Path[] dataDirs = EntitlementBootstrap.bootstrapArgs().dataDirs();
 
-        var directoryResolver = new DirectoryResolver() {
-            @Override
-            public Path resolveConfig(Path path) {
-                return bootstrapArgs.configDir().resolve(path);
-            }
-
-            @Override
-            public Stream<Path> resolveData(Path path) {
-                return Arrays.stream(bootstrapArgs.dataDirs());
-            }
-
-            @Override
-            public Path resolveTemp(Path path) {
-                return bootstrapArgs.tempDir();
-            }
-        };
+        var directoryResolver = new EnvironmentDirectoryResolver(bootstrapArgs);
 
         // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
         var serverPolicy = new Policy(
@@ -171,9 +156,7 @@ public Path resolveTemp(Path path) {
                     "org.elasticsearch.nativeaccess",
                     List.of(
                         new LoadNativeLibrariesEntitlement(),
-                        new FilesEntitlement(
-                            Arrays.stream(dataDirs).map(d -> new FileData(d.toString(), READ_WRITE, FilesEntitlement.BaseDir.NONE)).toList()
-                        )
+                        new FilesEntitlement(Arrays.stream(dataDirs).map(d -> FileData.ofPath(Path.of(d.toString()), READ_WRITE)).toList())
                     )
                 )
             )
@@ -285,4 +268,27 @@ private static ElasticsearchEntitlementChecker initChecker() {
         "org.elasticsearch.entitlement.instrumentation",
         Set.of()
     ).get();
+
+    static class EnvironmentDirectoryResolver implements DirectoryResolver {
+        private final EntitlementBootstrap.BootstrapArgs bootstrapArgs;
+
+        EnvironmentDirectoryResolver(EntitlementBootstrap.BootstrapArgs bootstrapArgs) {
+            this.bootstrapArgs = bootstrapArgs;
+        }
+
+        @Override
+        public Path resolveConfig(Path path) {
+            return bootstrapArgs.configDir().resolve(path);
+        }
+
+        @Override
+        public Stream<Path> resolveData(Path path) {
+            return Arrays.stream(bootstrapArgs.dataDirs()).map(dir -> dir.resolve(path));
+        }
+
+        @Override
+        public Path resolveTemp(Path path) {
+            return bootstrapArgs.tempDir().resolve(path);
+        }
+    }
 }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -51,22 +51,21 @@ private static void resolvePath(
         DirectoryResolver directoryResolver,
         Consumer<String> resolvedPathReceiver
     ) {
-        Path path = Path.of(fileData.path());
-        switch (fileData.baseDir()) {
-            case NONE:
-                resolvedPathReceiver.accept(normalizePath(path));
-                break;
-            case CONFIG:
-                resolvedPathReceiver.accept(normalizePath(directoryResolver.resolveConfig(path)));
-                break;
-            case DATA:
-                directoryResolver.resolveData(path).forEach(p -> resolvedPathReceiver.accept(normalizePath(p)));
-                break;
-            case TEMP:
-                resolvedPathReceiver.accept(normalizePath(directoryResolver.resolveTemp(path)));
-                break;
-            default:
-                throw new IllegalArgumentException();
+        if (fileData.path() != null) {
+            resolvedPathReceiver.accept(normalizePath(fileData.path()));
+        } else if (fileData.relativePath() != null && fileData.baseDir() != null) {
+            switch (fileData.baseDir()) {
+                case CONFIG:
+                    resolvedPathReceiver.accept(normalizePath(directoryResolver.resolveConfig(fileData.relativePath())));
+                    break;
+                case DATA:
+                    directoryResolver.resolveData(fileData.relativePath()).forEach(p -> resolvedPathReceiver.accept(normalizePath(p)));
+                    break;
+                default:
+                    throw new IllegalArgumentException();
+            }
+        } else {
+            throw new IllegalArgumentException();
         }
     }
 

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -12,10 +12,12 @@
 import org.elasticsearch.entitlement.runtime.policy.ExternalEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.PolicyValidationException;
 
+import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 /**
  * Describes a file entitlement with a path and mode.
@@ -30,14 +32,64 @@ public enum Mode {
     }
 
     public enum BaseDir {
-        NONE,
         CONFIG,
-        DATA,
-        TEMP
+        DATA
     }
 
-    public record FileData(String path, Mode mode, BaseDir baseDir) {
+    public static final class FileData {
+        private final Path path;
+        private final Mode mode;
+        private final Path relativePath;
+        private final BaseDir baseDir;
 
+        private FileData(Path path, Mode mode, Path relativePath, BaseDir baseDir) {
+            this.path = path;
+            this.mode = mode;
+            this.relativePath = relativePath;
+            this.baseDir = baseDir;
+        }
+
+        public static FileData ofPath(Path path, Mode mode) {
+            assert path.isAbsolute();
+            return new FileData(path, mode, null, null);
+        }
+
+        public static FileData ofRelativePath(Path relativePath, BaseDir baseDir, Mode mode) {
+            assert relativePath.isAbsolute() == false;
+            return new FileData(null, mode, relativePath, baseDir);
+        }
+
+        public Path path() {
+            return path;
+        }
+
+        public Mode mode() {
+            return mode;
+        }
+
+        public Path relativePath() {
+            return relativePath;
+        }
+
+        public BaseDir baseDir() {
+            return baseDir;
+        }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (obj == this) return true;
+            if (obj == null || obj.getClass() != this.getClass()) return false;
+            var that = (FileData) obj;
+            return Objects.equals(this.path, that.path)
+                && Objects.equals(this.mode, that.mode)
+                && Objects.equals(this.relativePath, that.relativePath)
+                && Objects.equals(this.baseDir, that.baseDir);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(path, mode, relativePath, baseDir);
+        }
     }
 
     private static Mode parseMode(String mode) {
@@ -51,12 +103,12 @@ private static Mode parseMode(String mode) {
     }
 
     private static BaseDir parseBaseDir(String baseDir) {
-        return switch (baseDir) {
-            case "config" -> BaseDir.CONFIG;
-            case "data" -> BaseDir.DATA;
-            case "temp" -> BaseDir.TEMP;
-            default -> throw new PolicyValidationException("invalid base_dir: " + baseDir + ", valid values: [config, data, temp]");
-        };
+        if (baseDir.equals("config")) {
+            return BaseDir.CONFIG;
+        } else if (baseDir.equals("data")) {
+            return BaseDir.DATA;
+        }
+        throw new PolicyValidationException("invalid relative directory: " + baseDir + ", valid values: [config, data]");
     }
 
     @ExternalEntitlement(parameterNames = { "paths" }, esModulesOnly = false)
@@ -68,21 +120,38 @@ public static FilesEntitlement build(List<Object> paths) {
         List<FileData> filesData = new ArrayList<>();
         for (Object object : paths) {
             Map<String, String> file = new HashMap<>((Map<String, String>) object);
-            String path = file.remove("path");
-            if (path == null) {
-                throw new PolicyValidationException("files entitlement must contain path for every listed file");
-            }
+            String pathAsString = file.remove("path");
+            String relativePathAsString = file.remove("relative_path");
+            String relativeTo = file.remove("relative_to");
             String mode = file.remove("mode");
+
+            if (file.isEmpty() == false) {
+                throw new PolicyValidationException("unknown key(s) [" + file + "] in a listed file for files entitlement");
+            }
             if (mode == null) {
-                throw new PolicyValidationException("files entitlement must contain mode for every listed file");
+                throw new PolicyValidationException("files entitlement must contain 'mode' for every listed file");
+            }
+            if ((pathAsString == null && relativePathAsString == null) || (pathAsString != null && relativePathAsString != null)) {
+                throw new PolicyValidationException("files entitlement must contain either 'path' or 'relative_path' for every entry");
             }
-            String baseDirString = file.remove("base_dir");
-            final BaseDir baseDir = baseDirString == null ? BaseDir.NONE : parseBaseDir(baseDirString);
+            if (relativePathAsString != null) {
+                if (relativeTo == null) {
+                    throw new PolicyValidationException("files entitlement with a 'relative_path' must specify 'relative_to'");
+                }
+                final var baseDir = parseBaseDir(relativeTo);
 
-            if (file.isEmpty() == false) {
-                throw new PolicyValidationException("unknown key(s) " + file + " in a listed file for files entitlement");
+                Path relativePath = Path.of(relativePathAsString);
+                if (relativePath.isAbsolute()) {
+                    throw new PolicyValidationException("'relative_path' must be relative");
+                }
+                filesData.add(FileData.ofRelativePath(relativePath, baseDir, parseMode(mode)));
+            } else {
+                Path path = Path.of(pathAsString);
+                if (path.isAbsolute() == false) {
+                    throw new PolicyValidationException("'path' must be absolute");
+                }
+                filesData.add(FileData.ofPath(path, parseMode(mode)));
             }
-            filesData.add(new FileData(path, parseMode(mode), baseDir));
         }
         return new FilesEntitlement(filesData);
     }

libs/entitlement/src/test/java/org/elasticsearch/entitlement/initialization/EnvironmentDirectoryResolverTests.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.initialization;
+
+import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
+import org.elasticsearch.entitlement.runtime.policy.DirectoryResolver;
+import org.elasticsearch.test.ESTestCase;
+
+import java.nio.file.Path;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.is;
+
+public class EnvironmentDirectoryResolverTests extends ESTestCase {
+
+    public void testDataDirs() {
+        var resolver = createResolver();
+        var dataDirs = resolver.resolveData(Path.of("foo")).toList();
+        assertThat(dataDirs, contains(Path.of("/data1/foo"), Path.of("/data2/foo")));
+    }
+
+    public void testConfigDir() {
+        var resolver = createResolver();
+        var configDir = resolver.resolveConfig(Path.of("foo"));
+        assertThat(configDir, is(Path.of("/config/foo")));
+    }
+
+    public void testTempDir() {
+        var resolver = createResolver();
+        var tempDir = resolver.resolveTemp(Path.of("foo"));
+        assertThat(tempDir, is(Path.of("/tmp/foo")));
+    }
+
+    private static DirectoryResolver createResolver() {
+        return new EntitlementInitialization.EnvironmentDirectoryResolver(
+            new EntitlementBootstrap.BootstrapArgs(
+                Map.of(),
+                c -> null,
+                new Path[] { Path.of("/data1"), Path.of("/data2") },
+                Path.of("/config"),
+                Path.of("/tmp")
+            )
+        );
+    }
+}

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -88,27 +88,27 @@ public void testReadWriteUnderRead() {
         assertThat(tree.canWrite(path("foo/bar")), is(true));
     }
 
-    public void testReadWithBaseDir() {
+    public void testReadWithRelativePath() {
         var resolver = Mockito.mock(DirectoryResolver.class);
-        when(resolver.resolveTemp(any(Path.class))).thenReturn(Path.of("/tmp/foo"));
-        var tree = FileAccessTree.of(entitlement(Map.of("path", "foo", "mode", "read", "base_dir", "temp")), resolver);
+        when(resolver.resolveConfig(any(Path.class))).thenReturn(Path.of("/config/foo"));
+        var tree = FileAccessTree.of(entitlement(Map.of("relative_path", "foo", "mode", "read", "relative_to", "config")), resolver);
         assertThat(tree.canRead(path("foo")), is(false));
 
-        assertThat(tree.canRead(path("/tmp/foo")), is(true));
+        assertThat(tree.canRead(path("/config/foo")), is(true));
 
-        assertThat(tree.canRead(path("/tmp/foo/subdir")), is(true));
-        assertThat(tree.canRead(path("/tmp/food")), is(false));
-        assertThat(tree.canWrite(path("/tmp/foo")), is(false));
+        assertThat(tree.canRead(path("/config/foo/subdir")), is(true));
+        assertThat(tree.canRead(path("/config/food")), is(false));
+        assertThat(tree.canWrite(path("/config/foo")), is(false));
 
-        assertThat(tree.canRead(path("/tmp")), is(false));
-        assertThat(tree.canRead(path("/tmp/before")), is(false));
-        assertThat(tree.canRead(path("/tmp/later")), is(false));
+        assertThat(tree.canRead(path("/config")), is(false));
+        assertThat(tree.canRead(path("/config/before")), is(false));
+        assertThat(tree.canRead(path("/config/later")), is(false));
     }
 
-    public void testWriteWithBaseDir() {
+    public void testWriteWithRelativePath() {
         var resolver = Mockito.mock(DirectoryResolver.class);
         when(resolver.resolveConfig(any(Path.class))).thenReturn(Path.of("/config/foo"));
-        var tree = FileAccessTree.of(entitlement(Map.of("path", "foo", "mode", "read_write", "base_dir", "config")), resolver);
+        var tree = FileAccessTree.of(entitlement(Map.of("relative_path", "foo", "mode", "read_write", "relative_to", "config")), resolver);
         assertThat(tree.canWrite(path("/config/foo")), is(true));
         assertThat(tree.canWrite(path("/config/foo/subdir")), is(true));
         assertThat(tree.canWrite(path("foo")), is(false));
@@ -121,10 +121,10 @@ public void testWriteWithBaseDir() {
         assertThat(tree.canWrite(path("/config/later")), is(false));
     }
 
-    public void testMultipleDataBaseDir() {
+    public void testMultipleDataDirs() {
         var resolver = Mockito.mock(DirectoryResolver.class);
         when(resolver.resolveData(any(Path.class))).thenReturn(Stream.of(Path.of("/data1/foo"), Path.of("/data2/foo")));
-        var tree = FileAccessTree.of(entitlement(Map.of("path", "foo", "mode", "read_write", "base_dir", "data")), resolver);
+        var tree = FileAccessTree.of(entitlement(Map.of("relative_path", "foo", "mode", "read_write", "relative_to", "data")), resolver);
         assertThat(tree.canWrite(path("/data1/foo")), is(true));
         assertThat(tree.canWrite(path("/data2/foo")), is(true));
         assertThat(tree.canWrite(path("/data3/foo")), is(false));

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -357,9 +357,7 @@ public void testDuplicateEntitlements() {
                                     FilesEntitlement.EMPTY,
                                     new CreateClassLoaderEntitlement(),
                                     new FilesEntitlement(
-                                        List.of(
-                                            new FilesEntitlement.FileData("test", FilesEntitlement.Mode.READ, FilesEntitlement.BaseDir.NONE)
-                                        )
+                                        List.of(FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ))
                                     )
                                 )
                             )
@@ -431,9 +429,7 @@ private static Policy createPluginPolicy(String... pluginModules) {
                         name,
                         List.of(
                             new FilesEntitlement(
-                                List.of(
-                                    new FilesEntitlement.FileData("/test/path", FilesEntitlement.Mode.READ, FilesEntitlement.BaseDir.NONE)
-                                )
+                                List.of(FilesEntitlement.FileData.ofPath(Path.of("/test/path"), FilesEntitlement.Mode.READ))
                             ),
                             new CreateClassLoaderEntitlement()
                         )