From c5dbb64d275cb41c8a9e8ba60a2c710a9017df2d Mon Sep 17 00:00:00 2001 From: Jack Conradson Date: Tue, 25 Feb 2025 13:04:30 -0800 Subject: [PATCH] add policy manager tests for exclusive --- .../runtime/policy/FileAccessTree.java | 20 +++- .../runtime/policy/PolicyManagerTests.java | 109 ++++++++++++++++++ 2 files changed, 127 insertions(+), 2 deletions(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java index 0dc7e249ced44..45b22dad4e78c 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java @@ -55,8 +55,24 @@ static void validateExclusivePaths(List exclusivePaths) { ExclusivePath currentExclusivePath = exclusivePaths.get(0); for (int i = 1; i < exclusivePaths.size(); ++i) { ExclusivePath nextPath = exclusivePaths.get(i); - if (isParent(currentExclusivePath.path(), nextPath.path())) { + if (currentExclusivePath.path().equals(nextPath.path) || isParent(currentExclusivePath.path(), nextPath.path())) { + throw new IllegalArgumentException( + "duplicate/overlapping exclusive paths found in files entitlements: " + + "[[" + + currentExclusivePath.componentName() + + "] [" + + currentExclusivePath.moduleName() + + "] [" + + currentExclusivePath.path() + + "]] and [[" + + nextPath.componentName() + + "] [" + + nextPath.moduleName() + + "] [" + + nextPath.path() + + "]]" + ); } currentExclusivePath = nextPath; } @@ -89,7 +105,7 @@ private FileAccessTree( BiConsumer addPath = (path, mode) -> { var normalized = normalizePath(path); for (String exclusivePath : updatedExclusivePaths) { - if (isParent(exclusivePath, normalized)) { + if (exclusivePath.equals(normalized) || isParent(exclusivePath, normalized)) { throw new IllegalArgumentException( "[" + componentName + "] [" + moduleName + "] cannot use exclusive path [" + exclusivePath + "]" ); diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java index 2eb7c39059816..97dc14d60f2b2 100644 --- a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java +++ b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java @@ -411,6 +411,115 @@ public void testDuplicateEntitlements() { ); } + public void testFilesEntitlementsWithExclusive() { + var iae = expectThrows( + IllegalArgumentException.class, + () -> new PolicyManager( + createEmptyTestServerPolicy(), + List.of(), + Map.of( + "plugin1", + new Policy( + "test", + List.of( + new Scope( + "test", + List.of( + new FilesEntitlement( + List.of( + FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ) + .withExclusive(true) + ) + ) + ) + ) + ) + ), + "plugin2", + new Policy( + "test", + List.of( + new Scope( + "test", + List.of( + new FilesEntitlement( + List.of( + FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ) + .withExclusive(true) + ) + ) + ) + ) + ) + ) + ), + c -> "", + TEST_AGENTS_PACKAGE_NAME, + NO_ENTITLEMENTS_MODULE, + TEST_PATH_LOOKUP, + Set.of() + ) + ); + assertEquals( + "duplicate/overlapping exclusive paths found in files entitlements: " + + "[[plugin1] [test] [/tmp/test]] and [[plugin2] [test] [/tmp/test]]", + iae.getMessage() + ); + + iae = expectThrows( + IllegalArgumentException.class, + () -> new PolicyManager( + new Policy( + "test", + List.of( + new Scope( + "test", + List.of( + new FilesEntitlement( + List.of( + FilesEntitlement.FileData.ofPath( + Path.of("/tmp/test/foo"), FilesEntitlement.Mode.READ).withExclusive(true), + FilesEntitlement.FileData.ofPath(Path.of("/tmp/"), FilesEntitlement.Mode.READ) + ) + ) + ) + ) + ) + ), + List.of(), + Map.of( + "plugin1", + new Policy( + "test", + List.of( + new Scope( + "test", + List.of( + new FilesEntitlement( + List.of( + FilesEntitlement.FileData.ofPath(Path.of("/tmp/test"), FilesEntitlement.Mode.READ) + .withExclusive(true) + ) + ) + ) + ) + ) + ) + ), + c -> "", + TEST_AGENTS_PACKAGE_NAME, + NO_ENTITLEMENTS_MODULE, + TEST_PATH_LOOKUP, + Set.of() + ) + ); + assertEquals( + "duplicate/overlapping exclusive paths found in files entitlements: " + + "[[plugin1] [test] [/tmp/test]] and [[(server)] [test] [/tmp/test/foo]]", + iae.getMessage() + ); + } + /** * If the plugin resolver tells us a class is in a plugin, don't conclude that it's in an agent. */