add policy manager tests for exclusive

jdconrad · jdconrad · commit c5dbb64d275c · 2025-02-25T13:04:30.000-08:00
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
@@ -55,8 +55,24 @@ static void validateExclusivePaths(List<ExclusivePath> exclusivePaths) {
             ExclusivePath currentExclusivePath = exclusivePaths.get(0);
             for (int i = 1; i < exclusivePaths.size(); ++i) {
                 ExclusivePath nextPath = exclusivePaths.get(i);
-                if (isParent(currentExclusivePath.path(), nextPath.path())) {
+                if (currentExclusivePath.path().equals(nextPath.path) || isParent(currentExclusivePath.path(), nextPath.path())) {
+                    throw new IllegalArgumentException(
+                        "duplicate/overlapping exclusive paths found in files entitlements: "
+                            + "[["
+                            + currentExclusivePath.componentName()
+                            + "] ["
+                            + currentExclusivePath.moduleName()
+                            + "] ["
+                            + currentExclusivePath.path()
+                            + "]] and [["
 
+                            + nextPath.componentName()
+                            + "] ["
+                            + nextPath.moduleName()
+                            + "] ["
+                            + nextPath.path()
+                            + "]]"
+                    );
                 }
                 currentExclusivePath = nextPath;
             }
@@ -89,7 +105,7 @@ private FileAccessTree(
         BiConsumer<Path, Mode> addPath = (path, mode) -> {
             var normalized = normalizePath(path);
             for (String exclusivePath : updatedExclusivePaths) {
-                if (isParent(exclusivePath, normalized)) {
+                if (exclusivePath.equals(normalized) || isParent(exclusivePath, normalized)) {
                     throw new IllegalArgumentException(
                         "[" + componentName + "] [" + moduleName + "] cannot use exclusive path [" + exclusivePath + "]"
                     );
diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java
@@ -411,6 +411,115 @@ public void testDuplicateEntitlements() {
         );
     }
 
+    public void testFilesEntitlementsWithExclusive() {
+        var iae = expectThrows(
+            IllegalArgumentException.class,
+            () -> new PolicyManager(
+                createEmptyTestServerPolicy(),
+                List.of(),
+                Map.of(
+                    "plugin1",
+                    new Policy(
+                        "test",
+                        List.of(
+                            new Scope(
+                                "test",
+                                List.of(
+                                    new FilesEntitlement(
+                                        List.of(
+                                            FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ)
+                                                .withExclusive(true)
+                                        )
+                                    )
+                                )
+                            )
+                        )
+                    ),
+                    "plugin2",
+                    new Policy(
+                        "test",
+                        List.of(
+                            new Scope(
+                                "test",
+                                List.of(
+                                    new FilesEntitlement(
+                                        List.of(
+                                            FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ)
+                                                .withExclusive(true)
+                                        )
+                                    )
+                                )
+                            )
+                        )
+                    )
+                ),
+                c -> "",
+                TEST_AGENTS_PACKAGE_NAME,
+                NO_ENTITLEMENTS_MODULE,
+                TEST_PATH_LOOKUP,
+                Set.of()
+            )
+        );
+        assertEquals(
+            "duplicate/overlapping exclusive paths found in files entitlements: "
+                + "[[plugin1] [test] [/tmp/test]] and [[plugin2] [test] [/tmp/test]]",
+            iae.getMessage()
+        );
+
+        iae = expectThrows(
+            IllegalArgumentException.class,
+            () -> new PolicyManager(
+                new Policy(
+                    "test",
+                    List.of(
+                        new Scope(
+                            "test",
+                            List.of(
+                                new FilesEntitlement(
+                                    List.of(
+                                        FilesEntitlement.FileData.ofPath(
+                                            Path.of("/tmp/test/foo"), FilesEntitlement.Mode.READ).withExclusive(true),
+                                        FilesEntitlement.FileData.ofPath(Path.of("/tmp/"), FilesEntitlement.Mode.READ)
+                                    )
+                                )
+                            )
+                        )
+                    )
+                ),
+                List.of(),
+                Map.of(
+                    "plugin1",
+                    new Policy(
+                        "test",
+                        List.of(
+                            new Scope(
+                                "test",
+                                List.of(
+                                    new FilesEntitlement(
+                                        List.of(
+                                            FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ)
+                                                .withExclusive(true)
+                                        )
+                                    )
+                                )
+                            )
+                        )
+                    )
+                ),
+                c -> "",
+                TEST_AGENTS_PACKAGE_NAME,
+                NO_ENTITLEMENTS_MODULE,
+                TEST_PATH_LOOKUP,
+                Set.of()
+            )
+        );
+        assertEquals(
+            "duplicate/overlapping exclusive paths found in files entitlements: "
+                + "[[plugin1] [test] [/tmp/test]] and [[(server)] [test] [/tmp/test/foo]]",
+            iae.getMessage()
+        );
+    }
+
     /**
      * If the plugin resolver tells us a class is in a plugin, don't conclude that it's in an agent.
      */
