Revert "move notEntitled into policManager to possibly ignore in tests"

This reverts commit bbfb065.

Author: mosche

libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java

@@ -93,7 +93,8 @@ public static void bootstrap(
         );
         EntitlementInitialization.initializeArgs = new EntitlementInitialization.InitializeArgs(
             pathLookup,
-            createPolicyManager(pluginPolicies, pathLookup, serverPolicyPatch, scopeResolver, pluginSourcePaths, suppressFailureLogPackages)
+            suppressFailureLogPackages,
+            createPolicyManager(pluginPolicies, pathLookup, serverPolicyPatch, scopeResolver, pluginSourcePaths)
         );
         exportInitializationToAgent();
         loadAgent(findAgentJar(), EntitlementInitialization.class.getName());
@@ -160,8 +161,7 @@ private static PolicyManager createPolicyManager(
         PathLookup pathLookup,
         Policy serverPolicyPatch,
         Function<Class<?>, PolicyManager.PolicyScope> scopeResolver,
-        Map<String, Collection<Path>> pluginSourcePathsResolver,
-        Set<Package> suppressFailureLogPackages
+        Map<String, Collection<Path>> pluginSourcePathsResolver
     ) {
         FilesEntitlementsValidation.validate(pluginPolicies, pathLookup);
 
@@ -171,8 +171,7 @@ private static PolicyManager createPolicyManager(
             pluginPolicies,
             scopeResolver,
             pluginSourcePathsResolver::get,
-            pathLookup,
-            suppressFailureLogPackages
+            pathLookup
         );
     }
 

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -91,17 +91,24 @@ public static void initialize(Instrumentation inst) {
      * we have no way to pass arguments directly, so we stuff them in here.
      *
      * @param pathLookup
+     * @param suppressFailureLogPackages
      * @param policyManager
      */
-    public record InitializeArgs(PathLookup pathLookup, PolicyManager policyManager) {
+    public record InitializeArgs(PathLookup pathLookup, Set<Package> suppressFailureLogPackages, PolicyManager policyManager) {
         public InitializeArgs {
             requireNonNull(pathLookup);
+            requireNonNull(suppressFailureLogPackages);
             requireNonNull(policyManager);
         }
     }
 
     private static PolicyCheckerImpl createPolicyChecker(PolicyManager policyManager) {
-        return new PolicyCheckerImpl(ENTITLEMENTS_MODULE, policyManager, initializeArgs.pathLookup());
+        return new PolicyCheckerImpl(
+            initializeArgs.suppressFailureLogPackages(),
+            ENTITLEMENTS_MODULE,
+            policyManager,
+            initializeArgs.pathLookup()
+        );
     }
 
     /**

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyCheckerImpl.java

@@ -57,6 +57,8 @@
  */
 @SuppressForbidden(reason = "Explicitly checking APIs that are forbidden")
 public class PolicyCheckerImpl implements PolicyChecker {
+
+    protected final Set<Package> suppressFailureLogPackages;
     /**
      * Frames originating from this module are ignored in the permission logic.
      */
@@ -66,7 +68,13 @@ public class PolicyCheckerImpl implements PolicyChecker {
 
     private final PathLookup pathLookup;
 
-    public PolicyCheckerImpl(Module entitlementsModule, PolicyManager policyManager, PathLookup pathLookup) {
+    public PolicyCheckerImpl(
+        Set<Package> suppressFailureLogPackages,
+        Module entitlementsModule,
+        PolicyManager policyManager,
+        PathLookup pathLookup
+    ) {
+        this.suppressFailureLogPackages = suppressFailureLogPackages;
         this.entitlementsModule = entitlementsModule;
         this.policyManager = policyManager;
         this.pathLookup = pathLookup;
@@ -121,7 +129,7 @@ private void neverEntitled(Class<?> callerClass, Supplier<String> operationDescr
         }
 
         ModuleEntitlements entitlements = policyManager.getEntitlements(requestingClass);
-        policyManager.notEntitled(
+        notEntitled(
             Strings.format(
                 "component [%s], module [%s], class [%s], operation [%s]",
                 entitlements.componentName(),
@@ -233,7 +241,7 @@ public void checkFileRead(Class<?> callerClass, Path path, boolean followLinks)
         }
 
         if (canRead == false) {
-            policyManager.notEntitled(
+            notEntitled(
                 Strings.format(
                     "component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
                     entitlements.componentName(),
@@ -265,7 +273,7 @@ public void checkFileWrite(Class<?> callerClass, Path path) {
 
         ModuleEntitlements entitlements = policyManager.getEntitlements(requestingClass);
         if (entitlements.fileAccess().canWrite(path) == false) {
-            policyManager.notEntitled(
+            notEntitled(
                 Strings.format(
                     "component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]",
                     entitlements.componentName(),
@@ -379,7 +387,7 @@ public void checkWriteProperty(Class<?> callerClass, String property) {
             );
             return;
         }
-        policyManager.notEntitled(
+        notEntitled(
             Strings.format(
                 "component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]",
                 entitlements.componentName(),
@@ -431,7 +439,7 @@ private void checkFlagEntitlement(
         Class<?> requestingClass
     ) {
         if (classEntitlements.hasEntitlement(entitlementClass) == false) {
-            policyManager.notEntitled(
+            notEntitled(
                 Strings.format(
                     "component [%s], module [%s], class [%s], entitlement [%s]",
                     classEntitlements.componentName(),
@@ -454,6 +462,15 @@ private void checkFlagEntitlement(
         );
     }
 
+    private void notEntitled(String message, Class<?> requestingClass, ModuleEntitlements entitlements) {
+        var exception = new NotEntitledException(message);
+        // Don't emit a log for suppressed packages, e.g. packages containing self tests
+        if (suppressFailureLogPackages.contains(requestingClass.getPackage()) == false) {
+            entitlements.logger(requestingClass).warn("Not entitled: {}", message, exception);
+        }
+        throw exception;
+    }
+
     @Override
     public void checkEntitlementPresent(Class<?> callerClass, Class<? extends Entitlement> entitlementClass) {
         var requestingClass = requestingClass(callerClass);

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -9,7 +9,6 @@
 
 package org.elasticsearch.entitlement.runtime.policy;
 
-import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
 import org.elasticsearch.entitlement.runtime.policy.FileAccessTree.ExclusiveFileEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.FileAccessTree.ExclusivePath;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
@@ -144,7 +143,7 @@ public <E extends Entitlement> Stream<E> getEntitlements(Class<E> entitlementCla
             return entitlements.stream().map(entitlementClass::cast);
         }
 
-        private Logger logger(Class<?> requestingClass) {
+        Logger logger(Class<?> requestingClass) {
             var packageName = requestingClass.getPackageName();
             var loggerSuffix = "." + componentName + "." + ((moduleName == null) ? ALL_UNNAMED : moduleName) + "." + packageName;
             return LogManager.getLogger(PolicyManager.class.getName() + loggerSuffix);
@@ -183,7 +182,6 @@ ModuleEntitlements policyEntitlements(
 
     final Map<Module, ModuleEntitlements> moduleEntitlementsMap = new ConcurrentHashMap<>();
 
-    private final Set<Package> suppressFailureLogPackages;
     private final Map<String, List<Entitlement>> serverEntitlements;
     private final List<Entitlement> apmAgentEntitlements;
     private final Map<String, Map<String, List<Entitlement>>> pluginsEntitlements;
@@ -234,8 +232,7 @@ public PolicyManager(
         Map<String, Policy> pluginPolicies,
         Function<Class<?>, PolicyScope> scopeResolver,
         Function<String, Collection<Path>> pluginSourcePathsResolver,
-        PathLookup pathLookup,
-        Set<Package> suppressFailureLogPackages
+        PathLookup pathLookup
     ) {
         this.serverEntitlements = buildScopeEntitlementsMap(requireNonNull(serverPolicy));
         this.apmAgentEntitlements = apmAgentEntitlements;
@@ -245,7 +242,6 @@ public PolicyManager(
         this.scopeResolver = scopeResolver;
         this.pluginSourcePathsResolver = pluginSourcePathsResolver;
         this.pathLookup = requireNonNull(pathLookup);
-        this.suppressFailureLogPackages = suppressFailureLogPackages;
 
         List<ExclusiveFileEntitlement> exclusiveFileEntitlements = new ArrayList<>();
         for (var e : serverEntitlements.entrySet()) {
@@ -354,15 +350,6 @@ protected Collection<Path> getComponentPathsFromClass(Class<?> requestingClass)
         }
     }
 
-    void notEntitled(String message, Class<?> requestingClass, ModuleEntitlements entitlements) {
-        var exception = new NotEntitledException(message);
-        // Don't emit a log for suppressed packages, e.g. packages containing self tests
-        if (suppressFailureLogPackages.contains(requestingClass.getPackage()) == false) {
-            entitlements.logger(requestingClass).warn("Not entitled: {}", message, exception);
-        }
-        throw exception;
-    }
-
     private ModuleEntitlements getModuleScopeEntitlements(
         Map<String, List<Entitlement>> scopeEntitlements,
         String scopeName,

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyCheckerImplTests.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.test.ESTestCase;
 
 import java.io.IOException;
+import java.util.Set;
 import java.util.stream.Stream;
 
 import static org.elasticsearch.entitlement.runtime.policy.PolicyManagerTests.NO_ENTITLEMENTS_MODULE;
@@ -54,7 +55,7 @@ public void testRequestingModuleWithStackWalk() throws IOException, ClassNotFoun
     }
 
     private static PolicyCheckerImpl checker(Module entitlementsModule) {
-        return new PolicyCheckerImpl(entitlementsModule, null, TEST_PATH_LOOKUP);
+        return new PolicyCheckerImpl(Set.of(), entitlementsModule, null, TEST_PATH_LOOKUP);
     }
 
 }

test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java

@@ -73,7 +73,7 @@ public static void bootstrap(@Nullable Path tempDir) throws IOException {
         assert previousTempDir == null : "Test entitlement bootstrap called multiple times";
         TestPathLookup pathLookup = new TestPathLookup(baseDirPaths);
         policyManager = createPolicyManager(pathLookup);
-        EntitlementInitialization.initializeArgs = new EntitlementInitialization.InitializeArgs(pathLookup, policyManager);
+        EntitlementInitialization.initializeArgs = new EntitlementInitialization.InitializeArgs(pathLookup, Set.of(), policyManager);
         logger.debug("Loading entitlement agent");
         EntitlementBootstrap.loadAgent(EntitlementBootstrap.findAgentJar(), EntitlementInitialization.class.getName());
     }

test/framework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java

@@ -20,7 +20,6 @@
 import java.security.ProtectionDomain;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -52,7 +51,7 @@ public TestPolicyManager(
         Collection<Path> classpath,
         Collection<URI> testOnlyClasspath
     ) {
-        super(serverPolicy, apmAgentEntitlements, pluginPolicies, scopeResolver, name -> classpath, pathLookup, Collections.emptySet());
+        super(serverPolicy, apmAgentEntitlements, pluginPolicies, scopeResolver, name -> classpath, pathLookup);
         this.classpath = classpath;
         this.testOnlyClasspath = testOnlyClasspath;
         reset();
@@ -86,13 +85,6 @@ public final void reset() {
         isTriviallyAllowingTestCode = true;
     }
 
-    @Override
-    void notEntitled(String message, Class<?> requestingClass, ModuleEntitlements entitlements) {
-        // ignore if a class on the stack is annotated with WithoutEntitlements
-        if (hasEntitlementsDisabledForStack()) return;
-        super.notEntitled(message, requestingClass, entitlements);
-    }
-
     @Override
     protected boolean isTrustedSystemClass(Class<?> requestingClass) {
         ClassLoader loader = requestingClass.getClassLoader();
@@ -125,7 +117,11 @@ boolean isTriviallyAllowed(Class<?> requestingClass) {
         if (isTriviallyAllowingTestCode && isTestCode(requestingClass)) {
             return true;
         }
-        return super.isTriviallyAllowed(requestingClass);
+        if (super.isTriviallyAllowed(requestingClass)) {
+            return true;
+        }
+        ;
+        return isStackWithoutEntitlements();
     }
 
     @Override
@@ -137,7 +133,7 @@ private static boolean hasWithoutEntitlements(Class<?> clazz) {
         return clazz.getAnnotation(ESTestCase.WithoutEntitlements.class) != null;
     }
 
-    private static boolean hasEntitlementsDisabledForStack() {
+    private static boolean isStackWithoutEntitlements() {
         return StackWalker.getInstance(RETAIN_CLASS_REFERENCE)
             .walk(
                 frames -> frames.map(StackWalker.StackFrame::getDeclaringClass)

test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java

@@ -499,7 +499,7 @@ protected void afterIfFailed(List<Throwable> errors) {}
     protected void afterIfSuccessful() throws Exception {}
 
     /**
-     * Marks a test suite or a test utility that should run without checking for entitlements.
+     * Marks a test suite or a test method that should run without checking for entitlements.
      */
     @Retention(RetentionPolicy.RUNTIME)
     @Target(ElementType.TYPE)
@@ -508,7 +508,7 @@ protected void afterIfSuccessful() throws Exception {}
     }
 
     /**
-     * Marks a test suite to enforce entitlements on the test code itself.
+     * Marks a test suite or a test method that enforce entitlements on the test code itself.
      * Useful for testing the enforcement of entitlements; for any other test cases, this probably isn't what you want.
      */
     @Retention(RetentionPolicy.RUNTIME)