elastic · prdoyle · May 30, 2025 · May 29, 2025 · May 29, 2025 · May 29, 2025
@@ -20,11 +20,13 @@
     requires static org.elasticsearch.entitlement.bridge; // At runtime, this will be in java.base
 
     exports org.elasticsearch.entitlement.runtime.api;
-    exports org.elasticsearch.entitlement.runtime.policy;
-    exports org.elasticsearch.entitlement.runtime.policy.entitlements to org.elasticsearch.server;
     exports org.elasticsearch.entitlement.instrumentation;
     exports org.elasticsearch.entitlement.bootstrap to org.elasticsearch.server;
     exports org.elasticsearch.entitlement.initialization to java.base;
 
+    // TODO: Most of the things in the policy package should be internal implementation details that are not exported.
+    exports org.elasticsearch.entitlement.runtime.policy;
+    exports org.elasticsearch.entitlement.runtime.policy.entitlements to org.elasticsearch.server;
+
     uses org.elasticsearch.entitlement.instrumentation.InstrumentationService;
 }
@@ -14,11 +14,9 @@
 import com.sun.tools.attach.AttachNotSupportedException;
 import com.sun.tools.attach.VirtualMachine;
 
-import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.initialization.EntitlementInitialization;
-import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.PathLookupImpl;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
@@ -33,35 +31,11 @@
 import java.util.function.Function;
 import java.util.stream.Stream;
 
-import static java.util.Objects.requireNonNull;
-
 public class EntitlementBootstrap {
 
-    public record BootstrapArgs(
-        @Nullable Policy serverPolicyPatch,
-        Map<String, Policy> pluginPolicies,
-        Function<Class<?>, PolicyManager.PolicyScope> scopeResolver,
-        PathLookup pathLookup,
-        Map<String, Path> sourcePaths,
-        Set<Package> suppressFailureLogPackages
-    ) {
-        public BootstrapArgs {
-            requireNonNull(pluginPolicies);
-            requireNonNull(scopeResolver);
-            requireNonNull(pathLookup);
-            requireNonNull(sourcePaths);
-            requireNonNull(suppressFailureLogPackages);
-        }
-    }
-
-    private static BootstrapArgs bootstrapArgs;
-
-    public static BootstrapArgs bootstrapArgs() {
-        return bootstrapArgs;
-    }
-
     /**
-     * Activates entitlement checking. Once this method returns, calls to methods protected by Entitlements from classes without a valid
+     * Main entry point that activates entitlement checking. Once this method returns,
+     * calls to methods protected by entitlements from classes without a valid
      * policy will throw {@link org.elasticsearch.entitlement.runtime.api.NotEntitledException}.
      *
      * @param serverPolicyPatch a policy with additional entitlements to patch the embedded server layer policy
@@ -98,10 +72,10 @@ public static void bootstrap(
         Set<Package> suppressFailureLogPackages
     ) {
         logger.debug("Loading entitlement agent");
-        if (EntitlementBootstrap.bootstrapArgs != null) {
-            throw new IllegalStateException("plugin data is already set");
+        if (EntitlementInitialization.initializeArgs != null) {
+            throw new IllegalStateException("initialization data is already set");
         }
-        EntitlementBootstrap.bootstrapArgs = new BootstrapArgs(
+        EntitlementInitialization.initializeArgs = new EntitlementInitialization.InitializeArgs(
             serverPolicyPatch,
             pluginPolicies,
             scopeResolver,

@@ -10,9 +10,9 @@
 package org.elasticsearch.entitlement.initialization;
 
 import org.elasticsearch.core.Booleans;
-import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.entitlement.bridge.EntitlementChecker;
-import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
+import org.elasticsearch.entitlement.runtime.policy.ElasticsearchEntitlementChecker;
 import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyChecker;
@@ -22,8 +22,12 @@
 import java.lang.instrument.Instrumentation;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
+import java.nio.file.Path;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Function;
+
+import static java.util.Objects.requireNonNull;
 
 /**
  * Called by the agent during {@code agentmain} to configure the entitlement system,
@@ -36,6 +40,7 @@ public class EntitlementInitialization {
 
     private static final Module ENTITLEMENTS_MODULE = PolicyManager.class.getModule();
 
+    public static InitializeArgs initializeArgs;
     private static ElasticsearchEntitlementChecker checker;
 
     // Note: referenced by bridge reflectively
@@ -66,29 +71,55 @@ public static void initialize(Instrumentation inst) throws Exception {
         checker = initChecker(inst, createPolicyManager());
     }
 
+    /**
+     * Arguments to {@link #initialize}. Since that's called in a static context from the agent,
+     * we have no way to pass arguments directly, so we stuff them in here.
+     *
+     * @param serverPolicyPatch
+     * @param pluginPolicies
+     * @param scopeResolver
+     * @param pathLookup
+     * @param sourcePaths
+     * @param suppressFailureLogPackages
+     */
+    public record InitializeArgs(
+        @Nullable Policy serverPolicyPatch,
+        Map<String, Policy> pluginPolicies,
+        Function<Class<?>, PolicyManager.PolicyScope> scopeResolver,
+        PathLookup pathLookup,
+        Map<String, Path> sourcePaths,
+        Set<Package> suppressFailureLogPackages
+    ) {
+        public InitializeArgs {
+            requireNonNull(pluginPolicies);
+            requireNonNull(scopeResolver);
+            requireNonNull(pathLookup);
+            requireNonNull(sourcePaths);
+            requireNonNull(suppressFailureLogPackages);
+        }
+    }
+
     private static PolicyCheckerImpl createPolicyChecker(PolicyManager policyManager) {
-        EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
         return new PolicyCheckerImpl(
-            bootstrapArgs.suppressFailureLogPackages(),
+            initializeArgs.suppressFailureLogPackages(),
             ENTITLEMENTS_MODULE,
             policyManager,
-            bootstrapArgs.pathLookup()
+            initializeArgs.pathLookup()
         );
     }
 
     private static PolicyManager createPolicyManager() {
-        EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
-        Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
-        PathLookup pathLookup = bootstrapArgs.pathLookup();
+        Map<String, Policy> pluginPolicies = initializeArgs.pluginPolicies();
+        PathLookup pathLookup = initializeArgs.pathLookup();
 
         FilesEntitlementsValidation.validate(pluginPolicies, pathLookup);
 
         return new PolicyManager(
-            HardcodedEntitlements.serverPolicy(pathLookup.pidFile(), bootstrapArgs.serverPolicyPatch()),
+            HardcodedEntitlements.serverPolicy(pathLookup.pidFile(), initializeArgs.serverPolicyPatch()),
             HardcodedEntitlements.agentEntitlements(),
             pluginPolicies,
-            EntitlementBootstrap.bootstrapArgs().scopeResolver(),
-            EntitlementBootstrap.bootstrapArgs().sourcePaths(),
+            initializeArgs.scopeResolver(),
+            initializeArgs.sourcePaths(),
             pathLookup
         );
     }

@@ -189,7 +189,7 @@
  * <h2>Checks</h2>
  * <p>
  * The injected prologue calls a {@code check$} method on {@link org.elasticsearch.entitlement.bridge.EntitlementChecker}; its
- * implementation (normally on {@link org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker}, unless it is a
+ * implementation (normally on {@link org.elasticsearch.entitlement.runtime.policy.ElasticsearchEntitlementChecker}, unless it is a
  * version-specific method) calls the appropriate methods on {@link org.elasticsearch.entitlement.runtime.policy.PolicyManager},
  * forwarding the caller class and a specific set of arguments. These methods all start with check, roughly matching an entitlement type
  * (e.g. {@link org.elasticsearch.entitlement.runtime.policy.PolicyChecker#checkInboundNetworkAccess},

@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+/**
+ * The public API for the Entitlements system.
+ * All other packages are implementation details that should use selective exports.
+ */
+package org.elasticsearch.entitlement.runtime.api;
@@ -7,13 +7,12 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-package org.elasticsearch.entitlement.runtime.api;
+package org.elasticsearch.entitlement.runtime.policy;
 
 import jdk.nio.Channels;
 
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.bridge.EntitlementChecker;
-import org.elasticsearch.entitlement.runtime.policy.PolicyChecker;
 
 import java.io.File;
 import java.io.FileDescriptor;

@@ -7,10 +7,9 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-package org.elasticsearch.entitlement.runtime.api;
+package org.elasticsearch.entitlement.runtime.policy;
 
 import org.elasticsearch.entitlement.bridge.Java23EntitlementChecker;
-import org.elasticsearch.entitlement.runtime.policy.PolicyChecker;
 
 public class Java23ElasticsearchEntitlementChecker extends ElasticsearchEntitlementChecker implements Java23EntitlementChecker {
 

diff --git a/...ework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java b/...ework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java
@@ -14,25 +14,46 @@
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
 
+import java.nio.file.Path;
+import java.util.stream.Stream;
+
 public class TestEntitlementBootstrap {
 
     private static final Logger logger = LogManager.getLogger(TestEntitlementBootstrap.class);
-    private static BootstrapArgs bootstrapArgs;
 
     /**
      * Activates entitlement checking in tests.
-     * @param bootstrapArgs arguments used for and passed to entitlement initialization
      */
-    public static void bootstrap(BootstrapArgs bootstrapArgs) {
-        assert bootstrapArgs != null;
-        TestEntitlementBootstrap.bootstrapArgs = bootstrapArgs;
+    public static void bootstrap() {
+        TestEntitlementInitialization.initializeArgs = new TestEntitlementInitialization.InitializeArgs(new TestPathLookup());
         logger.debug("Loading entitlement agent");
         EntitlementBootstrap.loadAgent(EntitlementBootstrap.findAgentJar(), TestEntitlementInitialization.class.getName());
     }
 
-    public static BootstrapArgs bootstrapArgs() {
-        return bootstrapArgs;
-    }
+    private record TestPathLookup() implements PathLookup {
+        @Override
+        public Path pidFile() {
+            throw notYetImplemented();
+        }
+
+        @Override
+        public Stream<Path> getBaseDirPaths(BaseDir baseDir) {
+            throw notYetImplemented();
+        }
+
+        @Override
+        public Stream<Path> resolveRelativePaths(BaseDir baseDir, Path relativePath) {
+            throw notYetImplemented();
+        }
 
-    public record BootstrapArgs(PathLookup pathLookup) {}
+        @Override
+        public Stream<Path> resolveSettingPaths(BaseDir baseDir, String settingName) {
+            throw notYetImplemented();
+        }
+
+        private static IllegalStateException notYetImplemented() {
+            return new IllegalStateException("not yet implemented");
+        }
+
+    }
 }
diff --git a/...main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java b/...main/java/org/elasticsearch/entitlement/initialization/TestEntitlementInitialization.java
@@ -14,9 +14,8 @@
 import org.elasticsearch.bootstrap.TestScopeResolver;
 import org.elasticsearch.core.Strings;
 import org.elasticsearch.core.SuppressForbidden;
-import org.elasticsearch.entitlement.bootstrap.TestEntitlementBootstrap;
 import org.elasticsearch.entitlement.bridge.EntitlementChecker;
-import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
+import org.elasticsearch.entitlement.runtime.policy.ElasticsearchEntitlementChecker;
 import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
@@ -38,17 +37,19 @@
 public class TestEntitlementInitialization {
 
     private static ElasticsearchEntitlementChecker checker;
+    public static InitializeArgs initializeArgs;
 
     // Note: referenced by bridge reflectively
     public static EntitlementChecker checker() {
         return checker;
     }
 
     public static void initialize(Instrumentation inst) throws Exception {
-        TestEntitlementBootstrap.BootstrapArgs bootstrapArgs = TestEntitlementBootstrap.bootstrapArgs();
-        checker = EntitlementInitialization.initChecker(inst, createPolicyManager(bootstrapArgs.pathLookup()));
+        checker = EntitlementInitialization.initChecker(inst, createPolicyManager(initializeArgs.pathLookup()));
     }
 
+    public record InitializeArgs(PathLookup pathLookup) {}
+
     private record TestPluginData(String pluginName, boolean isModular, boolean isExternalPlugin) {}
 
     private static Map<String, Policy> parsePluginsPolicies(List<TestPluginData> pluginsData) {
@@ -115,4 +116,5 @@ private static PolicyManager createPolicyManager(PathLookup pathLookup) throws I
         );
         throw new IllegalStateException("Not yet implemented!");
     }
+
 }