github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-25 07:37:19 -04:00
Code Issues Projects Releases Packages Wiki Activity

Building scope -> entitlements map during PolicyManager initialization (#118070)

Browse source
This commit is contained in:
Lorenzo Dematté 2024-12-12 09:28:58 +01:00 committed by GitHub
parent 80a1a6f7af
commit 95315cc08c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 22 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

47
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
View file

@ -18,7 +18,6 @@ import org.elasticsearch.logging.Logger;
import java.lang.module.ModuleFinder; import java.lang.module.ModuleFinder;
import java.lang.module.ModuleReference; import java.lang.module.ModuleReference;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.IdentityHashMap; import java.util.IdentityHashMap;
import java.util.List; import java.util.List;
@ -56,8 +55,8 @@ public class PolicyManager {
final Map<Module, ModuleEntitlements> moduleEntitlementsMap = new HashMap<>(); final Map<Module, ModuleEntitlements> moduleEntitlementsMap = new HashMap<>();
protected final Policy serverPolicy; protected final Map<String, List<Entitlement>> serverEntitlements;
protected final Map<String, Policy> pluginPolicies; protected final Map<String, Map<String, List<Entitlement>>> pluginsEntitlements;
private final Function<Class<?>, String> pluginResolver; private final Function<Class<?>, String> pluginResolver;
public static final String ALL_UNNAMED = "ALL-UNNAMED"; public static final String ALL_UNNAMED = "ALL-UNNAMED";
@ -79,19 +78,16 @@ public class PolicyManager {
} }
public PolicyManager(Policy defaultPolicy, Map<String, Policy> pluginPolicies, Function<Class<?>, String> pluginResolver) { public PolicyManager(Policy defaultPolicy, Map<String, Policy> pluginPolicies, Function<Class<?>, String> pluginResolver) {
this.serverPolicy = Objects.requireNonNull(defaultPolicy); this.serverEntitlements = buildScopeEntitlementsMap(Objects.requireNonNull(defaultPolicy));
this.pluginPolicies = Collections.unmodifiableMap(Objects.requireNonNull(pluginPolicies)); this.pluginsEntitlements = Objects.requireNonNull(pluginPolicies)
.entrySet()
.stream()
.collect(Collectors.toUnmodifiableMap(Map.Entry::getKey, e -> buildScopeEntitlementsMap(e.getValue())));
this.pluginResolver = pluginResolver; this.pluginResolver = pluginResolver;
} }
private static List<Entitlement> lookupEntitlementsForModule(Policy policy, String moduleName) { private static Map<String, List<Entitlement>> buildScopeEntitlementsMap(Policy policy) {
for (int i = 0; i < policy.scopes.size(); ++i) { return policy.scopes.stream().collect(Collectors.toUnmodifiableMap(scope -> scope.name, scope -> scope.entitlements));
var scope = policy.scopes.get(i);
if (scope.name.equals(moduleName)) {
return scope.entitlements;
}
}
return null;
} }
public void checkExitVM(Class<?> callerClass) { public void checkExitVM(Class<?> callerClass) {
@ -141,21 +137,21 @@ public class PolicyManager {
if (isServerModule(requestingModule)) { if (isServerModule(requestingModule)) {
var scopeName = requestingModule.getName(); var scopeName = requestingModule.getName();
return getModuleEntitlementsOrThrow(callerClass, requestingModule, serverPolicy, scopeName); return getModuleEntitlementsOrThrow(callerClass, requestingModule, serverEntitlements, scopeName);
} }
// plugins // plugins
var pluginName = pluginResolver.apply(callerClass); var pluginName = pluginResolver.apply(callerClass);
if (pluginName != null) { if (pluginName != null) {
var pluginPolicy = pluginPolicies.get(pluginName); var pluginEntitlements = pluginsEntitlements.get(pluginName);
if (pluginPolicy != null) { if (pluginEntitlements != null) {
final String scopeName; final String scopeName;
if (requestingModule.isNamed() == false) { if (requestingModule.isNamed() == false) {
scopeName = ALL_UNNAMED; scopeName = ALL_UNNAMED;
} else { } else {
scopeName = requestingModule.getName(); scopeName = requestingModule.getName();
} }
return getModuleEntitlementsOrThrow(callerClass, requestingModule, pluginPolicy, scopeName); return getModuleEntitlementsOrThrow(callerClass, requestingModule, pluginEntitlements, scopeName);
} }
} }
@ -167,15 +163,20 @@ public class PolicyManager {
return Strings.format("Missing entitlement policy: caller [%s], module [%s]", callerClass, requestingModule.getName()); return Strings.format("Missing entitlement policy: caller [%s], module [%s]", callerClass, requestingModule.getName());
} }
private ModuleEntitlements getModuleEntitlementsOrThrow(Class<?> callerClass, Module module, Policy policy, String moduleName) { private ModuleEntitlements getModuleEntitlementsOrThrow(
var entitlements = lookupEntitlementsForModule(policy, moduleName); Class<?> callerClass,
Module module,
Map<String, List<Entitlement>> scopeEntitlements,
String moduleName
) {
var entitlements = scopeEntitlements.get(moduleName);
if (entitlements == null) { if (entitlements == null) {
// Module without entitlements - remember we don't have any // Module without entitlements - remember we don't have any
moduleEntitlementsMap.put(module, ModuleEntitlements.NONE); moduleEntitlementsMap.put(module, ModuleEntitlements.NONE);
throw new NotEntitledException(buildModuleNoPolicyMessage(callerClass, module)); throw new NotEntitledException(buildModuleNoPolicyMessage(callerClass, module));
} }
// We have a policy for this module // We have a policy for this module
var classEntitlements = createClassEntitlements(entitlements); var classEntitlements = new ModuleEntitlements(entitlements);
moduleEntitlementsMap.put(module, classEntitlements); moduleEntitlementsMap.put(module, classEntitlements);
return classEntitlements; return classEntitlements;
} }
@ -184,10 +185,6 @@ public class PolicyManager {
return requestingModule.isNamed() && requestingModule.getLayer() == ModuleLayer.boot(); return requestingModule.isNamed() && requestingModule.getLayer() == ModuleLayer.boot();
} }
private ModuleEntitlements createClassEntitlements(List<Entitlement> entitlements) {
return new ModuleEntitlements(entitlements);
}
private static Module requestingModule(Class<?> callerClass) { private static Module requestingModule(Class<?> callerClass) {
if (callerClass != null) { if (callerClass != null) {
Module callerModule = callerClass.getModule(); Module callerModule = callerClass.getModule();
@ -222,6 +219,6 @@ public class PolicyManager {
@Override @Override
public String toString() { public String toString() {
return "PolicyManager{" + "serverPolicy=" + serverPolicy + ", pluginPolicies=" + pluginPolicies + '}'; return "PolicyManager{" + "serverEntitlements=" + serverEntitlements + ", pluginsEntitlements=" + pluginsEntitlements + '}';
} }
} }