Skip to content

Prune extraneous files entitlements paths to prevent incorrect binary search #123177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rjernst merged 6 commits into from
Feb 22, 2025
Merged

Prune extraneous files entitlements paths to prevent incorrect binary search #123177

rjernst merged 6 commits into from
Feb 22, 2025

Conversation

@jdconrad
Copy link
Contributor

@jdconrad jdconrad commented Feb 21, 2025

This prevents an incorrect binary search by pruning files entitlements paths at the time of construction.

As an example:

/foo [read]
/foo/bar [read]

look up
/foo/baz [read]

This would previously cause /foo/baz to see /foo/bar as its parent instead of /foo.

This change prunes /foo/bar from the read list since /foo is already available. And now foo/baz will see foo as its parent.

@jdconrad jdconrad added >bug auto-backport Automatically create backport pull requests when merged test-entitlements v8.18.1 v8.19.0 v9.0.1 v9.1.0 :Core/Infra/Entitlements Entitlements infrastructure labels Feb 21, 2025
@jdconrad jdconrad requested a review from a team as a code owner February 21, 2025 18:11
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Feb 21, 2025

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Feb 21, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Feb 21, 2025

Hi @jdconrad, I've created a changelog YAML for you.

@jdconrad jdconrad added >non-issue and removed >bug labels Feb 21, 2025
rjernst
rjernst approved these changes Feb 21, 2025
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

...itlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java
assertThat(tree.canRead(path("foo/bar")), is(true));
assertThat(tree.canWrite(path("foo/bar")), is(false));
assertThat(tree.canRead(path("foo/baz")), is(true));
assertThat(tree.canWrite(path("foo/baz")), is(false));
Copy link
Member

@rjernst rjernst Feb 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we test a path has read access that is not explicitly entitled? ie that would be hit by the bug

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java Outdated
this.writePaths = pruneSortedPaths(writePaths).toArray(new String[0]);
}

public static List<String> pruneSortedPaths(List<String> paths) {
Copy link
Member

@rjernst rjernst Feb 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can be private?

@rjernst rjernst enabled auto-merge (squash) February 22, 2025 00:33
@rjernst rjernst merged commit 7cbd305 into elastic:main Feb 22, 2025
22 checks passed
This was referenced Feb 22, 2025
Merged
Merged
Merged
jdconrad added a commit to jdconrad/elasticsearch that referenced this pull request Feb 22, 2025
@jdconrad
Prune extraneous files entitlements paths to prevent incorrect binary…
a5bf132 
… search (elastic#123177)
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Feb 22, 2025

💚 Backport successful

Status Branch Result
8.18
8.x
9.0

jdconrad added a commit to jdconrad/elasticsearch that referenced this pull request Feb 22, 2025
@jdconrad
Prune extraneous files entitlements paths to prevent incorrect binary…
c22cf82 
… search (elastic#123177)
jdconrad added a commit to jdconrad/elasticsearch that referenced this pull request Feb 22, 2025
@jdconrad
Prune extraneous files entitlements paths to prevent incorrect binary…
b48015d 
… search (elastic#123177)
elasticsearchmachine pushed a commit that referenced this pull request Feb 22, 2025
@jdconrad
Prune extraneous files entitlements paths to prevent incorrect binary…
e341735 
… search (#123177) (#123205)
elasticsearchmachine pushed a commit that referenced this pull request Feb 22, 2025
@jdconrad
Prune extraneous files entitlements paths to prevent incorrect binary…
7e27776 
… search (#123177) (#123207)
elasticsearchmachine pushed a commit that referenced this pull request Feb 22, 2025
@jdconrad
Prune extraneous files entitlements paths to prevent incorrect binary…
da7df4c 
… search (#123177) (#123206)
@jdconrad jdconrad mentioned this pull request Feb 23, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjernst rjernst rjernst approved these changes

Assignees

No one assigned

Labels

auto-backport Automatically create backport pull requests when merged :Core/Infra/Entitlements Entitlements infrastructure >non-issue Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jdconrad @elasticsearchmachine @rjernst