Skip to content

Entitlement policies correct handling of prefixes that are not directories #121598

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 16 commits into from
Feb 5, 2025
Merged

Entitlement policies correct handling of prefixes that are not directories #121598

merged 16 commits into from
Feb 5, 2025

Conversation

@prdoyle
Copy link
Contributor

@prdoyle prdoyle commented Feb 3, 2025
edited
Loading

Effect

  • Prevents foo from matching food despite being a prefix
  • Normalizes the paths coming from the entitlement policies to use platform-native separators

Backslash rationale

To the greatest extent possible, we want things to "just work" on Windows. Policy files should not fail to parse, or work incorrectly, due solely to the use of the forward slash as a file separator on Windows.

The simplest solution turned out to be to use toAbsolutePath() to turn all slashes into platform-default slashes. This behaviour isn't documented in toAbsolutePath()'s javadocs, but it's the behaviour I observed on Windows.

@prdoyle prdoyle added >non-issue :Core/Infra/Core Core issues without another label auto-backport Automatically create backport pull requests when merged test-entitlements v8.18.1 v8.19.0 v9.0.1 v9.1.0 labels Feb 3, 2025
@prdoyle prdoyle self-assigned this Feb 3, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Feb 3, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Feb 3, 2025

Pinging @elastic/es-core-infra (Team:Core/Infra)

rjernst
rjernst reviewed Feb 4, 2025
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple questions

@prdoyle prdoyle mentioned this pull request Feb 4, 2025
Closed
@prdoyle prdoyle enabled auto-merge (squash) February 4, 2025 21:34
rjernst
rjernst approved these changes Feb 5, 2025
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@prdoyle prdoyle merged commit c1deef4 into elastic:main Feb 5, 2025
22 checks passed
@prdoyle prdoyle deleted the file-prefixes branch February 5, 2025 19:05
This was referenced Feb 5, 2025
Merged
Merged
prdoyle added a commit to prdoyle/elasticsearch that referenced this pull request Feb 5, 2025
@prdoyle
Entitlement policies correct handling of prefixes that are not direct…
2ef7572 
…ories (elastic#121598)

* Fix FileAccessTree for prefixes that aren't parents

* Support backslashes

* Whoops, nio

* Move normalization responsibility to FileEntitlement

* Normalize to native separators

* Avoid forbidden API
@prdoyle prdoyle mentioned this pull request Feb 5, 2025
Merged
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Feb 5, 2025

💚 Backport successful

Status Branch Result
8.18
8.x
9.0

prdoyle added a commit to prdoyle/elasticsearch that referenced this pull request Feb 5, 2025
@prdoyle
Entitlement policies correct handling of prefixes that are not direct…
dd3de49 
…ories (elastic#121598)

* Fix FileAccessTree for prefixes that aren't parents

* Support backslashes

* Whoops, nio

* Move normalization responsibility to FileEntitlement

* Normalize to native separators

* Avoid forbidden API
elasticsearchmachine pushed a commit that referenced this pull request Feb 5, 2025
@prdoyle
Entitlement policies correct handling of prefixes that are not direct…
c2d89d8 
…ories (#121598) (#121809)

* Fix FileAccessTree for prefixes that aren't parents

* Support backslashes

* Whoops, nio

* Move normalization responsibility to FileEntitlement

* Normalize to native separators

* Avoid forbidden API
elasticsearchmachine pushed a commit that referenced this pull request Feb 5, 2025
@prdoyle
Entitlement policies correct handling of prefixes that are not direct…
bca02ec 
…ories (#121598) (#121808)

* Fix FileAccessTree for prefixes that aren't parents

* Support backslashes

* Whoops, nio

* Move normalization responsibility to FileEntitlement

* Normalize to native separators

* Avoid forbidden API
elasticsearchmachine pushed a commit that referenced this pull request Feb 5, 2025
@prdoyle
Entitlement policies correct handling of prefixes that are not direct…
21477f1 
…ories (#121598) (#121807)

* Fix FileAccessTree for prefixes that aren't parents

* Support backslashes

* Whoops, nio

* Move normalization responsibility to FileEntitlement

* Normalize to native separators

* Avoid forbidden API
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjernst rjernst rjernst approved these changes

Assignees

@prdoyle prdoyle

Labels

auto-backport Automatically create backport pull requests when merged :Core/Infra/Core Core issues without another label >non-issue Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@prdoyle @elasticsearchmachine @rjernst