Move normalization responsibility to FileEntitlement

Author: prdoyle

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java

@@ -12,12 +12,13 @@
 import org.elasticsearch.entitlement.runtime.policy.entitlements.FileEntitlement;
 
 import java.nio.file.Path;
-import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
 
+import static org.elasticsearch.entitlement.runtime.policy.entitlements.FileEntitlement.normalizePath;
+
 public final class FileAccessTree {
     public static final FileAccessTree EMPTY = new FileAccessTree(List.of());
 
@@ -28,7 +29,7 @@ private FileAccessTree(List<FileEntitlement> fileEntitlements) {
         List<String> readPaths = new ArrayList<>();
         List<String> writePaths = new ArrayList<>();
         for (FileEntitlement fileEntitlement : fileEntitlements) {
-            String path = normalizedPath(fileEntitlement);
+            String path = fileEntitlement.path();
             if (fileEntitlement.mode() == FileEntitlement.Mode.READ_WRITE) {
                 writePaths.add(path);
             }
@@ -47,19 +48,11 @@ public static FileAccessTree of(List<FileEntitlement> fileEntitlements) {
     }
 
     boolean canRead(Path path) {
-        return checkPath(normalize(path), readPaths);
+        return checkPath(normalizePath(path), readPaths);
     }
 
     boolean canWrite(Path path) {
-        return checkPath(normalize(path), writePaths);
-    }
-
-    private static String normalizedPath(FileEntitlement fileEntitlement) {
-        return normalize(Paths.get(fileEntitlement.path()));
-    }
-
-    private static String normalize(Path path) {
-        return path.toAbsolutePath().normalize().toString().replace('\\', '/');
+        return checkPath(normalizePath(path), writePaths);
     }
 
     private static boolean checkPath(String path, String[] paths) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FileEntitlement.java

@@ -12,10 +12,15 @@
 import org.elasticsearch.entitlement.runtime.policy.ExternalEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.PolicyValidationException;
 
+import java.nio.file.Path;
 import java.nio.file.Paths;
 
 /**
- * Describes a file entitlement with a path and mode.
+ * Describes entitlement to access files at a particular location.
+ *
+ * @param path the location of the files. Will be automatically {@link #normalizePath normalized}.
+ *            For directories, implicitly includes access to all contained files and (recursively) subdirectories.
+ * @param mode the type of operation
  */
 public record FileEntitlement(String path, Mode mode) implements Entitlement {
 
@@ -25,11 +30,14 @@ public enum Mode {
     }
 
     public FileEntitlement {
-        path = normalizePath(path);
+        path = normalizePath(Paths.get(path));
     }
 
-    private static String normalizePath(String path) {
-        return Paths.get(path).toAbsolutePath().normalize().toString();
+    /**
+     * @return the "canonical" form of of the given {@code path}, to be used for entitlement checks.
+     */
+    public static String normalizePath(Path path) {
+        return path.toAbsolutePath().normalize().toString().replace('\\', '/');
     }
 
     private static Mode parseMode(String mode) {