add policy manager tests for exclusive
jdconrad committed Feb 25, 2025
1 parent b255a2c commit c5dbb64
Showing 2 changed files with 127 additions and 2 deletions.
@@ -55,8 +55,24 @@ static void validateExclusivePaths(List<ExclusivePath> exclusivePaths) {
ExclusivePath currentExclusivePath = exclusivePaths.get(0);
for (int i = 1; i < exclusivePaths.size(); ++i) {
ExclusivePath nextPath = exclusivePaths.get(i);
if (isParent(currentExclusivePath.path(), nextPath.path())) {
if (currentExclusivePath.path().equals(nextPath.path) || isParent(currentExclusivePath.path(), nextPath.path())) {
throw new IllegalArgumentException(
"duplicate/overlapping exclusive paths found in files entitlements: "
+ "[["
+ currentExclusivePath.componentName()
+ "] ["
+ currentExclusivePath.moduleName()
+ "] ["
+ currentExclusivePath.path()
+ "]] and [["

+ nextPath.componentName()
+ "] ["
+ nextPath.moduleName()
+ "] ["
+ nextPath.path()
+ "]]"
);
}
currentExclusivePath = nextPath;
}
@@ -89,7 +105,7 @@ private FileAccessTree(
BiConsumer<Path, Mode> addPath = (path, mode) -> {
var normalized = normalizePath(path);
for (String exclusivePath : updatedExclusivePaths) {
if (isParent(exclusivePath, normalized)) {
if (exclusivePath.equals(normalized) || isParent(exclusivePath, normalized)) {
throw new IllegalArgumentException(
"[" + componentName + "] [" + moduleName + "] cannot use exclusive path [" + exclusivePath + "]"
);
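Review bot: The loop in validateExclusivePaths (first hunk) compares each entry only with the one directly before it, so the new duplicate/overlap rejection is only as strong as the ordering of `exclusivePaths`, which is established outside the visible lines. If that ordering is plain string order, a sibling like `/tmp/test-a` (constructed example) sorts between `/tmp/test` and `/tmp/test/foo`, and that parent/child pair would never be compared. I would state the precondition above the loop, e.g. `// exclusivePaths must be ordered so that each path is immediately followed by its descendants`, and confirm the sort guarantees it. On the new condition line, `nextPath.path` should read `nextPath.path()` to match the accessor used on every other line of the method. The method begins and ends outside the hunk.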
@@ -411,6 +411,115 @@ public void testDuplicateEntitlements() {
);
}

public void testFilesEntitlementsWithExclusive() {
var iae = expectThrows(
IllegalArgumentException.class,
() -> new PolicyManager(
createEmptyTestServerPolicy(),
List.of(),
Map.of(
"plugin1",
new Policy(
"test",
List.of(
new Scope(
"test",
List.of(
new FilesEntitlement(
List.of(
FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ)
.withExclusive(true)
)
)
)
)
)
),
"plugin2",
new Policy(
"test",
List.of(
new Scope(
"test",
List.of(
new FilesEntitlement(
List.of(
FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ)
.withExclusive(true)
)
)
)
)
)
)
),
c -> "",
TEST_AGENTS_PACKAGE_NAME,
NO_ENTITLEMENTS_MODULE,
TEST_PATH_LOOKUP,
Set.of()
)
);
assertEquals(
"duplicate/overlapping exclusive paths found in files entitlements: "
+ "[[plugin1] [test] [/tmp/test]] and [[plugin2] [test] [/tmp/test]]",
iae.getMessage()
);

iae = expectThrows(
IllegalArgumentException.class,
() -> new PolicyManager(
new Policy(
"test",
List.of(
new Scope(
"test",
List.of(
new FilesEntitlement(
List.of(
FilesEntitlement.FileData.ofPath(
Path.of("/tmp/test/foo"), FilesEntitlement.Mode.READ).withExclusive(true),
FilesEntitlement.FileData.ofPath(Path.of("/tmp/"), FilesEntitlement.Mode.READ)
)
)
)
)
)
),
List.of(),
Map.of(
"plugin1",
new Policy(
"test",
List.of(
new Scope(
"test",
List.of(
new FilesEntitlement(
List.of(
FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ)
.withExclusive(true)
)
)
)
)
)
)
),
c -> "",
TEST_AGENTS_PACKAGE_NAME,
NO_ENTITLEMENTS_MODULE,
TEST_PATH_LOOKUP,
Set.of()
)
);
assertEquals(
"duplicate/overlapping exclusive paths found in files entitlements: "
+ "[[plugin1] [test] [/tmp/test]] and [[(server)] [test] [/tmp/test/foo]]",
iae.getMessage()
);
}

/**
* If the plugin resolver tells us a class is in a plugin, don't conclude that it's in an agent.
*/
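Review bot: The first assertion in testFilesEntitlementsWithExclusive pins the order `[[plugin1] ...] and [[plugin2] ...]`, but both plugins declare the identical path and are passed in through `Map.of`, whose iteration order is unspecified. Unless the production sort breaks ties on component name (not visible here), the message can legitimately come out with the two names swapped. Asserting on the stable parts, for example `assertTrue(iae.getMessage().contains("[test] [/tmp/test]]"))`, would avoid an intermittent failure. The expected strings also hard-code `/tmp/test`, which presumably differs from what `Path.of(...)` renders on Windows. Neither case appears to reach the changed equality check in the FileAccessTree constructor, where a non-exclusive entry names exactly another component's exclusive path, so a third case expecting the `cannot use exclusive path` message would cover it.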
