Changed to pass down a DirectoryResolver; added DATA and TEMP base dir types

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -18,6 +18,7 @@
 import org.elasticsearch.entitlement.instrumentation.MethodKey;
 import org.elasticsearch.entitlement.instrumentation.Transformer;
 import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
+import org.elasticsearch.entitlement.runtime.policy.DirectoryResolver;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 import org.elasticsearch.entitlement.runtime.policy.Scope;
@@ -37,6 +38,7 @@
 import java.nio.file.Path;
 import java.nio.file.spi.FileSystemProvider;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -110,7 +112,23 @@ private static Class<?>[] findClassesToRetransform(Class<?>[] loadedClasses, Set
     private static PolicyManager createPolicyManager() {
         EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
         Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
-        Path configDir = bootstrapArgs.configDir();
+
+        var directoryResolver = new DirectoryResolver() {
+            @Override
+            public Path resolveConfig(Path path) {
+                return bootstrapArgs.configDir().resolve(path);
+            }
+
+            @Override
+            public Stream<Path> resolveData(Path path) {
+                return Arrays.stream(bootstrapArgs.dataDirs());
+            }
+
+            @Override
+            public Path resolveTemp(Path path) {
+                return bootstrapArgs.tempDir();
+            }
+        };
 
         // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
         var serverPolicy = new Policy(
@@ -145,7 +163,7 @@ private static PolicyManager createPolicyManager() {
             resolver,
             AGENTS_PACKAGE_NAME,
             ENTITLEMENTS_MODULE,
-            configDir
+            directoryResolver
         );
     }
 

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/DirectoryResolver.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.runtime.policy;
+
+import java.nio.file.Path;
+import java.util.stream.Stream;
+
+public interface DirectoryResolver {
+    Path resolveConfig(Path path);
+
+    Stream<Path> resolveData(Path path);
+
+    Path resolveTemp(Path path);
+}

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -16,30 +16,73 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
+import java.util.function.Consumer;
+import java.util.stream.Stream;
 
 import static org.elasticsearch.core.PathUtils.getDefaultFileSystem;
 
 public final class FileAccessTree {
-    public static final FileAccessTree EMPTY = new FileAccessTree(FilesEntitlement.EMPTY, null);
+
+    private static final DirectoryResolver NULL_DIRECTORY_RESOLVER = new DirectoryResolver() {
+        @Override
+        public Path resolveConfig(Path path) {
+            throw new UnsupportedOperationException();
+        }
+
+        @Override
+        public Stream<Path> resolveData(Path path) {
+            throw new UnsupportedOperationException();
+        }
+
+        @Override
+        public Path resolveTemp(Path path) {
+            throw new UnsupportedOperationException();
+        }
+    };
+
+    public static final FileAccessTree EMPTY = new FileAccessTree(FilesEntitlement.EMPTY, NULL_DIRECTORY_RESOLVER);
     private static final String FILE_SEPARATOR = getDefaultFileSystem().getSeparator();
 
     private final String[] readPaths;
     private final String[] writePaths;
 
-    private FileAccessTree(FilesEntitlement filesEntitlement, Path configFile) {
+    private static void resolvePath(
+        FilesEntitlement.FileData fileData,
+        DirectoryResolver directoryResolver,
+        Consumer<String> resolvedPathReceiver
+    ) {
+        Path path = Path.of(fileData.path());
+        switch (fileData.baseDir()) {
+            case NONE:
+                resolvedPathReceiver.accept(normalizePath(path));
+                break;
+            case CONFIG:
+                resolvedPathReceiver.accept(normalizePath(directoryResolver.resolveConfig(path)));
+                break;
+            case DATA:
+                directoryResolver.resolveData(path).forEach(p -> resolvedPathReceiver.accept(normalizePath(p)));
+                break;
+            case TEMP:
+                resolvedPathReceiver.accept(normalizePath(directoryResolver.resolveTemp(path)));
+                break;
+            default:
+                throw new IllegalArgumentException();
+        }
+    }
+
+    private FileAccessTree(FilesEntitlement filesEntitlement, DirectoryResolver directoryResolver) {
+        Objects.requireNonNull(directoryResolver);
+
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
         for (FilesEntitlement.FileData fileData : filesEntitlement.filesData()) {
-            Path path = Path.of(fileData.path());
-            if (fileData.baseDir() == FilesEntitlement.BaseDir.CONFIG) {
-                path = configFile.resolve(path);
-            }
-            String pathStr = normalizePath(path);
             var mode = fileData.mode();
-            if (mode == FilesEntitlement.Mode.READ_WRITE) {
-                writePaths.add(pathStr);
-            }
-            readPaths.add(pathStr);
+            resolvePath(fileData, directoryResolver, pathStr -> {
+                if (mode == FilesEntitlement.Mode.READ_WRITE) {
+                    writePaths.add(pathStr);
+                }
+                readPaths.add(pathStr);
+            });
         }
 
         readPaths.sort(String::compareTo);
@@ -49,8 +92,8 @@ private FileAccessTree(FilesEntitlement filesEntitlement, Path configFile) {
         this.writePaths = writePaths.toArray(new String[0]);
     }
 
-    public static FileAccessTree of(FilesEntitlement filesEntitlement, Path configFile) {
-        return new FileAccessTree(filesEntitlement, configFile);
+    public static FileAccessTree of(FilesEntitlement filesEntitlement, DirectoryResolver directoryResolver) {
+        return new FileAccessTree(filesEntitlement, directoryResolver);
     }
 
     boolean canRead(Path path) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -72,7 +72,7 @@ public static ModuleEntitlements none(String componentName) {
             return new ModuleEntitlements(componentName, Map.of(), FileAccessTree.EMPTY);
         }
 
-        public static ModuleEntitlements from(String componentName, List<Entitlement> entitlements, Path configPath) {
+        public static ModuleEntitlements from(String componentName, List<Entitlement> entitlements, DirectoryResolver directoryResolver) {
             FilesEntitlement filesEntitlement = FilesEntitlement.EMPTY;
             for (Entitlement entitlement : entitlements) {
                 if (entitlement instanceof FilesEntitlement) {
@@ -82,7 +82,7 @@ public static ModuleEntitlements from(String componentName, List<Entitlement> en
             return new ModuleEntitlements(
                 componentName,
                 entitlements.stream().collect(groupingBy(Entitlement::getClass)),
-                FileAccessTree.of(filesEntitlement, configPath)
+                FileAccessTree.of(filesEntitlement, directoryResolver)
             );
         }
 
@@ -105,6 +105,7 @@ public <E extends Entitlement> Stream<E> getEntitlements(Class<E> entitlementCla
     protected final List<Entitlement> apmAgentEntitlements;
     protected final Map<String, Map<String, List<Entitlement>>> pluginsEntitlements;
     private final Function<Class<?>, String> pluginResolver;
+    private final DirectoryResolver directoryResolver;
 
     public static final String ALL_UNNAMED = "ALL-UNNAMED";
 
@@ -133,16 +134,14 @@ private static Set<Module> findSystemModules() {
      */
     private final Module entitlementsModule;
 
-    private final Path configDir;
-
     public PolicyManager(
         Policy serverPolicy,
         List<Entitlement> apmAgentEntitlements,
         Map<String, Policy> pluginPolicies,
         Function<Class<?>, String> pluginResolver,
         String apmAgentPackageName,
         Module entitlementsModule,
-        Path configDir
+        DirectoryResolver directoryResolver
     ) {
         this.serverEntitlements = buildScopeEntitlementsMap(requireNonNull(serverPolicy));
         this.apmAgentEntitlements = apmAgentEntitlements;
@@ -152,7 +151,7 @@ public PolicyManager(
         this.pluginResolver = pluginResolver;
         this.apmAgentPackageName = apmAgentPackageName;
         this.entitlementsModule = entitlementsModule;
-        this.configDir = configDir;
+        this.directoryResolver = directoryResolver;
 
         for (var e : serverEntitlements.entrySet()) {
             validateEntitlementsPerModule(SERVER_COMPONENT_NAME, e.getKey(), e.getValue());
@@ -414,7 +413,7 @@ private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
 
         if (requestingModule.isNamed() == false && requestingClass.getPackageName().startsWith(apmAgentPackageName)) {
             // The APM agent is the only thing running non-modular in the system classloader
-            return ModuleEntitlements.from(APM_AGENT_COMPONENT_NAME, apmAgentEntitlements, configDir);
+            return ModuleEntitlements.from(APM_AGENT_COMPONENT_NAME, apmAgentEntitlements, directoryResolver);
         }
 
         return ModuleEntitlements.none(UNKNOWN_COMPONENT_NAME);
@@ -429,7 +428,7 @@ private ModuleEntitlements getModuleScopeEntitlements(
         if (entitlements == null) {
             return ModuleEntitlements.none(componentName);
         }
-        return ModuleEntitlements.from(componentName, entitlements, configDir);
+        return ModuleEntitlements.from(componentName, entitlements, directoryResolver);
     }
 
     private static boolean isServerModule(Module requestingModule) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java

@@ -31,7 +31,9 @@ public enum Mode {
 
     public enum BaseDir {
         NONE,
-        CONFIG
+        CONFIG,
+        DATA,
+        TEMP
     }
 
     public record FileData(String path, Mode mode, BaseDir baseDir) {

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.BeforeClass;
+import org.mockito.Mockito;
 
 import java.nio.file.Path;
 import java.util.ArrayList;
@@ -36,13 +37,13 @@ private static Path path(String s) {
     }
 
     public void testEmpty() {
-        var tree = FileAccessTree.of(FilesEntitlement.EMPTY);
+        var tree = FileAccessTree.of(FilesEntitlement.EMPTY, Mockito.mock(DirectoryResolver.class));
         assertThat(tree.canRead(path("path")), is(false));
         assertThat(tree.canWrite(path("path")), is(false));
     }
 
     public void testRead() {
-        var tree = FileAccessTree.of(entitlement("foo", "read"));
+        var tree = FileAccessTree.of(entitlement("foo", "read"), Mockito.mock(DirectoryResolver.class));
         assertThat(tree.canRead(path("foo")), is(true));
         assertThat(tree.canRead(path("foo/subdir")), is(true));
         assertThat(tree.canRead(path("food")), is(false));
@@ -54,7 +55,7 @@ public void testRead() {
     }
 
     public void testWrite() {
-        var tree = FileAccessTree.of(entitlement("foo", "read_write"));
+        var tree = FileAccessTree.of(entitlement("foo", "read_write"), Mockito.mock(DirectoryResolver.class));
         assertThat(tree.canWrite(path("foo")), is(true));
         assertThat(tree.canWrite(path("foo/subdir")), is(true));
         assertThat(tree.canWrite(path("food")), is(false));
@@ -66,7 +67,7 @@ public void testWrite() {
     }
 
     public void testTwoPaths() {
-        var tree = FileAccessTree.of(entitlement("foo", "read", "bar", "read"));
+        var tree = FileAccessTree.of(entitlement("foo", "read", "bar", "read"), Mockito.mock(DirectoryResolver.class));
         assertThat(tree.canRead(path("a")), is(false));
         assertThat(tree.canRead(path("bar")), is(true));
         assertThat(tree.canRead(path("bar/subdir")), is(true));
@@ -77,23 +78,23 @@ public void testTwoPaths() {
     }
 
     public void testReadWriteUnderRead() {
-        var tree = FileAccessTree.of(entitlement("foo", "read", "foo/bar", "read_write"));
+        var tree = FileAccessTree.of(entitlement("foo", "read", "foo/bar", "read_write"), Mockito.mock(DirectoryResolver.class));
         assertThat(tree.canRead(path("foo")), is(true));
         assertThat(tree.canWrite(path("foo")), is(false));
         assertThat(tree.canRead(path("foo/bar")), is(true));
         assertThat(tree.canWrite(path("foo/bar")), is(true));
     }
 
     public void testNormalizePath() {
-        var tree = FileAccessTree.of(entitlement("foo/../bar", "read"));
+        var tree = FileAccessTree.of(entitlement("foo/../bar", "read"), Mockito.mock(DirectoryResolver.class));
         assertThat(tree.canRead(path("foo/../bar")), is(true));
         assertThat(tree.canRead(path("foo")), is(false));
         assertThat(tree.canRead(path("")), is(false));
     }
 
     public void testForwardSlashes() {
         String sep = getDefaultFileSystem().getSeparator();
-        var tree = FileAccessTree.of(entitlement("a/b", "read", "m" + sep + "n", "read"));
+        var tree = FileAccessTree.of(entitlement("a/b", "read", "m" + sep + "n", "read"), Mockito.mock(DirectoryResolver.class));
 
         // Native separators work
         assertThat(tree.canRead(path("a" + sep + "b")), is(true));