unit tests

ldematte · ldematte · commit d7104a053315 · 2025-03-14T23:10:55.000+01:00
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtils.java
@@ -41,47 +41,6 @@ public class PolicyUtils {
 
     private static final Logger logger = LogManager.getLogger(PolicyUtils.class);
 
-    public static List<Scope> mergeScopes(List<Scope> mainScopes, List<Scope> additionalScopes) {
-        var result = new ArrayList<Scope>();
-        var additionalScopesMap = additionalScopes.stream().collect(Collectors.toMap(Scope::moduleName, Scope::entitlements));
-        for (var mainScope : mainScopes) {
-            List<Entitlement> additionalEntitlements = additionalScopesMap.remove(mainScope.moduleName());
-            if (additionalEntitlements == null) {
-                result.add(mainScope);
-            } else {
-                result.add(new Scope(mainScope.moduleName(), mergeEntitlements(mainScope.entitlements(), additionalEntitlements)));
-            }
-        }
-
-        for (var remainingEntry : additionalScopesMap.entrySet()) {
-            result.add(new Scope(remainingEntry.getKey(), remainingEntry.getValue()));
-        }
-        return result;
-    }
-
-    static List<Entitlement> mergeEntitlements(List<Entitlement> a, List<Entitlement> b) {
-        Map<Class<? extends Entitlement>, Entitlement> entitlementMap = a.stream()
-            .collect(Collectors.toMap(Entitlement::getClass, Function.identity()));
-
-        for (var entitlement : b) {
-            entitlementMap.merge(entitlement.getClass(), entitlement, PolicyUtils::mergeEntitlement);
-        }
-        return entitlementMap.values().stream().toList();
-    }
-
-    static Entitlement mergeEntitlement(Entitlement entitlement1, Entitlement entitlement2) {
-        return switch (entitlement1) {
-            case FilesEntitlement e -> new FilesEntitlement(
-                Stream.concat(e.filesData().stream(), ((FilesEntitlement) entitlement2).filesData().stream()).toList()
-            );
-            case WriteSystemPropertiesEntitlement e -> new WriteSystemPropertiesEntitlement(
-                Stream.concat(e.properties().stream(), ((WriteSystemPropertiesEntitlement) entitlement2).properties().stream())
-                    .collect(Collectors.toUnmodifiableSet())
-            );
-            default -> entitlement1;
-        };
-    }
-
     public record PluginData(Path pluginPath, boolean isModular, boolean isExternalPlugin) {
         public PluginData {
             requireNonNull(pluginPath);
@@ -193,4 +152,49 @@ private static Set<String> getModuleNames(Path pluginRoot, boolean isModular) {
         return Set.of(ALL_UNNAMED);
     }
 
+    public static List<Scope> mergeScopes(List<Scope> mainScopes, List<Scope> additionalScopes) {
+        var result = new ArrayList<Scope>();
+        var additionalScopesMap = additionalScopes.stream().collect(Collectors.toMap(Scope::moduleName, Scope::entitlements));
+        for (var mainScope : mainScopes) {
+            List<Entitlement> additionalEntitlements = additionalScopesMap.remove(mainScope.moduleName());
+            if (additionalEntitlements == null) {
+                result.add(mainScope);
+            } else {
+                result.add(new Scope(mainScope.moduleName(), mergeEntitlements(mainScope.entitlements(), additionalEntitlements)));
+            }
+        }
+
+        for (var remainingEntry : additionalScopesMap.entrySet()) {
+            result.add(new Scope(remainingEntry.getKey(), remainingEntry.getValue()));
+        }
+        return result;
+    }
+
+    static List<Entitlement> mergeEntitlements(List<Entitlement> a, List<Entitlement> b) {
+        Map<Class<? extends Entitlement>, Entitlement> entitlementMap = a.stream()
+            .collect(Collectors.toMap(Entitlement::getClass, Function.identity()));
+
+        for (var entitlement : b) {
+            entitlementMap.merge(entitlement.getClass(), entitlement, PolicyUtils::mergeEntitlement);
+        }
+        return entitlementMap.values().stream().toList();
+    }
+
+    static Entitlement mergeEntitlement(Entitlement entitlement1, Entitlement entitlement2) {
+        return switch (entitlement1) {
+            case FilesEntitlement e -> merge(e, (FilesEntitlement) entitlement2);
+            case WriteSystemPropertiesEntitlement e -> merge(e, (WriteSystemPropertiesEntitlement) entitlement2);
+            default -> entitlement1;
+        };
+    }
+
+    private static FilesEntitlement merge(FilesEntitlement a, FilesEntitlement b) {
+        return new FilesEntitlement(Stream.concat(a.filesData().stream(), b.filesData().stream()).distinct().toList());
+    }
+
+    private static WriteSystemPropertiesEntitlement merge(WriteSystemPropertiesEntitlement a, WriteSystemPropertiesEntitlement b) {
+        return new WriteSystemPropertiesEntitlement(
+            Stream.concat(a.properties().stream(), b.properties().stream()).collect(Collectors.toUnmodifiableSet())
+        );
+    }
 }
diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtilsTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyUtilsTests.java
@@ -9,15 +9,28 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
+import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.InboundNetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.LoadNativeLibrariesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.ManageThreadsEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.SetHttpsConnectionPropertiesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteAllSystemPropertiesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteSystemPropertiesEntitlement;
 import org.elasticsearch.test.ESTestCase;
 
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
 import java.util.Base64;
 import java.util.List;
 import java.util.Set;
 
+import static org.elasticsearch.entitlement.runtime.policy.PolicyUtils.mergeEntitlement;
+import static org.elasticsearch.entitlement.runtime.policy.PolicyUtils.mergeEntitlements;
+import static org.elasticsearch.test.LambdaMatchers.transformedMatch;
+import static org.hamcrest.Matchers.both;
+import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.nullValue;
 
@@ -159,4 +172,120 @@ public void testNoOverriddenPolicyWithParsingError() {
 
         assertThat(policy, nullValue());
     }
+
+    public void testMergeScopes() {
+        var originalPolicy = List.of(
+            new Scope("module1", List.of(new LoadNativeLibrariesEntitlement())),
+            new Scope("module2", List.of(new ManageThreadsEntitlement())),
+            new Scope("module3", List.of(new InboundNetworkEntitlement()))
+        );
+
+        var patchPolicy = List.of(
+            new Scope("module2", List.of(new ManageThreadsEntitlement())),
+            new Scope("module3", List.of(new OutboundNetworkEntitlement())),
+            new Scope("module4", List.of(new WriteAllSystemPropertiesEntitlement()))
+        );
+
+        var resultPolicy = PolicyUtils.mergeScopes(originalPolicy, patchPolicy);
+        assertThat(
+            resultPolicy,
+            containsInAnyOrder(
+                equalTo(new Scope("module1", List.of(new LoadNativeLibrariesEntitlement()))),
+                equalTo(new Scope("module2", List.of(new ManageThreadsEntitlement()))),
+                both(transformedMatch(Scope::moduleName, equalTo("module3"))).and(
+                    transformedMatch(
+                        Scope::entitlements,
+                        containsInAnyOrder(new InboundNetworkEntitlement(), new OutboundNetworkEntitlement())
+                    )
+                ),
+                equalTo(new Scope("module4", List.of(new WriteAllSystemPropertiesEntitlement())))
+            )
+        );
+    }
+
+    public void testMergeSameFlagEntitlement() {
+        var e1 = new InboundNetworkEntitlement();
+        var e2 = new InboundNetworkEntitlement();
+
+        assertThat(mergeEntitlement(e1, e2), equalTo(new InboundNetworkEntitlement()));
+    }
+
+    public void testMergeFilesEntitlement() {
+        var e1 = new FilesEntitlement(
+            List.of(
+                FilesEntitlement.FileData.ofPath(Path.of("/a/b"), FilesEntitlement.Mode.READ),
+                FilesEntitlement.FileData.ofPath(Path.of("/a/c"), FilesEntitlement.Mode.READ_WRITE),
+                FilesEntitlement.FileData.ofRelativePath(Path.of("c/d"), FilesEntitlement.BaseDir.CONFIG, FilesEntitlement.Mode.READ)
+            )
+        );
+        var e2 = new FilesEntitlement(
+            List.of(
+                FilesEntitlement.FileData.ofPath(Path.of("/a/b"), FilesEntitlement.Mode.READ), // identical
+                FilesEntitlement.FileData.ofPath(Path.of("/a/c"), FilesEntitlement.Mode.READ), // different mode
+                FilesEntitlement.FileData.ofPath(Path.of("/c/d"), FilesEntitlement.Mode.READ)  // different type
+            )
+        );
+
+        var merged = mergeEntitlement(e1, e2);
+        assertThat(
+            merged,
+            transformedMatch(
+                x -> ((FilesEntitlement) x).filesData(),
+                containsInAnyOrder(
+                    FilesEntitlement.FileData.ofPath(Path.of("/a/b"), FilesEntitlement.Mode.READ),
+                    FilesEntitlement.FileData.ofPath(Path.of("/a/c"), FilesEntitlement.Mode.READ),
+                    FilesEntitlement.FileData.ofPath(Path.of("/a/c"), FilesEntitlement.Mode.READ_WRITE),
+                    FilesEntitlement.FileData.ofRelativePath(Path.of("c/d"), FilesEntitlement.BaseDir.CONFIG, FilesEntitlement.Mode.READ),
+                    FilesEntitlement.FileData.ofPath(Path.of("/c/d"), FilesEntitlement.Mode.READ)
+                )
+            )
+        );
+    }
+
+    public void testMergeWritePropertyEntitlement() {
+        var e1 = new WriteSystemPropertiesEntitlement(List.of("a", "b", "c"));
+        var e2 = new WriteSystemPropertiesEntitlement(List.of("b", "c", "d"));
+
+        var merged = mergeEntitlement(e1, e2);
+        assertThat(
+            merged,
+            transformedMatch(x -> ((WriteSystemPropertiesEntitlement) x).properties(), containsInAnyOrder("a", "b", "c", "d"))
+        );
+    }
+
+    public void testMergeEntitlements() {
+        List<Entitlement> a = List.of(
+            new InboundNetworkEntitlement(),
+            new OutboundNetworkEntitlement(),
+            new FilesEntitlement(
+                List.of(
+                    FilesEntitlement.FileData.ofPath(Path.of("/a/b"), FilesEntitlement.Mode.READ),
+                    FilesEntitlement.FileData.ofPath(Path.of("/a/c"), FilesEntitlement.Mode.READ_WRITE)
+                )
+            )
+        );
+        List<Entitlement> b = List.of(
+            new InboundNetworkEntitlement(),
+            new LoadNativeLibrariesEntitlement(),
+            new FilesEntitlement(List.of()),
+            new WriteSystemPropertiesEntitlement(List.of("a"))
+        );
+
+        var merged = mergeEntitlements(a, b);
+        assertThat(
+            merged,
+            containsInAnyOrder(
+                new InboundNetworkEntitlement(),
+                new OutboundNetworkEntitlement(),
+                new LoadNativeLibrariesEntitlement(),
+                new FilesEntitlement(
+                    List.of(
+                        FilesEntitlement.FileData.ofPath(Path.of("/a/b"), FilesEntitlement.Mode.READ),
+                        FilesEntitlement.FileData.ofPath(Path.of("/a/c"), FilesEntitlement.Mode.READ_WRITE)
+                    )
+                ),
+                new WriteSystemPropertiesEntitlement(List.of("a"))
+            )
+        );
+    }
 }
