SOLR-17864: Migrating system properties to modern name. (#3690)

* Migrating to solr.security.allow.urls.enabled from solr.disable.allowUrls.
Removes old whitelist terminology.
* Remove old deprecated language checks.
* Bring ClusteringComponentDistributedTest into line to how other tests set the allow list variable

Author: epugh

solr/core/src/java/org/apache/solr/handler/component/HttpShardHandlerFactory.java

@@ -58,7 +58,6 @@
 import org.apache.solr.metrics.SolrMetricProducer;
 import org.apache.solr.metrics.SolrMetricsContext;
 import org.apache.solr.request.SolrQueryRequest;
-import org.apache.solr.security.AllowListUrlChecker;
 import org.apache.solr.security.HttpClientBuilderPlugin;
 import org.apache.solr.update.UpdateShardHandlerConfig;
 import org.apache.solr.util.stats.InstrumentedHttpListenerFactory;
@@ -261,12 +260,6 @@ public void init(PluginInfo info) {
             sb);
     this.accessPolicy = getParameter(args, INIT_FAIRNESS_POLICY, accessPolicy, sb);
 
-    if (args != null && args.get("shardsWhitelist") != null) {
-      log.warn(
-          "Property 'shardsWhitelist' is deprecated, please use '{}' instead.",
-          AllowListUrlChecker.URL_ALLOW_LIST);
-    }
-
     // magic sysprop to make tests reproducible: set by SolrTestCaseJ4.
     String v = System.getProperty("tests.shardhandler.randomSeed");
     if (v != null) {

solr/core/src/java/org/apache/solr/security/AllowListUrlChecker.java

@@ -30,24 +30,25 @@
 import java.util.stream.Collectors;
 import org.apache.solr.common.SolrException;
 import org.apache.solr.common.cloud.ClusterState;
+import org.apache.solr.common.util.EnvUtils;
 import org.apache.solr.core.NodeConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-/** Validates URLs based on an allow list or a {@link ClusterState} in SolrCloud. */
+/** Validates URLs using an allow-list or a {@link ClusterState} in SolrCloud. */
 public class AllowListUrlChecker {
 
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 
   /** {@link org.apache.solr.core.SolrXmlConfig} property to configure the allowed URLs. */
   public static final String URL_ALLOW_LIST = "allowUrls";
 
-  /** System property to disable URL checking and {@link #ALLOW_ALL} instead. */
-  public static final String DISABLE_URL_ALLOW_LIST = "solr.disable." + URL_ALLOW_LIST;
+  /** System property to enable URL checking against an allow-list and ignore {@link #ALLOW_ALL}. */
+  public static final String ENABLE_URL_ALLOW_LIST = "solr.security.allow.urls.enabled";
 
   /** Clue given in URL-forbidden exceptions messages. */
   public static final String SET_SOLR_DISABLE_URL_ALLOW_LIST_CLUE =
-      "Set -D" + DISABLE_URL_ALLOW_LIST + "=true to disable URL allow-list checks.";
+      "Set -D" + ENABLE_URL_ALLOW_LIST + "=false to disable URL allow-list checks.";
 
   /** Singleton checker which allows all URLs. {@link #isEnabled()} returns false. */
   public static final AllowListUrlChecker ALLOW_ALL;
@@ -83,7 +84,9 @@ public String toString() {
    */
   private static final Pattern PROTOCOL_PATTERN = Pattern.compile("(\\w+)(://.*)");
 
-  /** Allow list of hosts. Elements in the list will be host:port (no protocol or context). */
+  /**
+   * Allow list of hosts. Elements in the list are formatted as host:port (no protocol or context).
+   */
   private final Set<String> hostAllowList;
 
   private volatile Set<String> liveHostUrlsCache;
@@ -94,7 +97,7 @@ public String toString() {
    *     tolerated. An empty list means there is no explicit allow-list of URLs, in this case no URL
    *     is allowed unless a {@link ClusterState} is provided in {@link #checkAllowList(List,
    *     ClusterState)}.
-   * @throws MalformedURLException If an URL is invalid.
+   * @throws MalformedURLException If a URL is invalid.
    */
   public AllowListUrlChecker(List<String> urlAllowList) throws MalformedURLException {
     hostAllowList = parseHostPorts(urlAllowList);
@@ -104,12 +107,8 @@ public AllowListUrlChecker(List<String> urlAllowList) throws MalformedURLExcepti
    * Creates a URL checker based on the {@link NodeConfig} property to configure the allowed URLs.
    */
   public static AllowListUrlChecker create(NodeConfig config) {
-    if (Boolean.getBoolean(DISABLE_URL_ALLOW_LIST)) {
+    if (!EnvUtils.getPropertyAsBool(ENABLE_URL_ALLOW_LIST, true)) {
       return AllowListUrlChecker.ALLOW_ALL;
-    } else if (System.getProperty("solr.disable.shardsWhitelist") != null) {
-      log.warn(
-          "Property 'solr.disable.shardsWhitelist' is deprecated, please use '{}' instead.",
-          DISABLE_URL_ALLOW_LIST);
     }
     try {
       return new AllowListUrlChecker(config.getAllowUrls());
@@ -134,8 +133,8 @@ public void checkAllowList(List<String> urls) throws MalformedURLException {
    *
    * @param urls The list of urls to check.
    * @param clusterState The up to date {@link ClusterState}, can be null in case of non-cloud mode.
-   * @throws MalformedURLException If an URL is invalid.
-   * @throws SolrException If an URL is not present in the allow-list or in the provided {@link
+   * @throws MalformedURLException If a URL is invalid.
+   * @throws SolrException If a URL is not present in the allow-list or in the provided {@link
    *     ClusterState}.
    */
   public void checkAllowList(List<String> urls, ClusterState clusterState)

solr/core/src/test/org/apache/solr/TestCpuTimeSearch.java

@@ -27,7 +27,6 @@
 import org.apache.solr.common.SolrInputDocument;
 import org.apache.solr.common.params.ShardParams;
 import org.apache.solr.common.util.NamedList;
-import org.apache.solr.security.AllowListUrlChecker;
 import org.apache.solr.util.SolrJettyTestRule;
 import org.apache.solr.util.ThreadCpuTimer;
 import org.junit.BeforeClass;
@@ -45,7 +44,6 @@ public class TestCpuTimeSearch extends SolrTestCaseJ4 {
   @BeforeClass
   public static void setupSolr() throws Exception {
     System.setProperty(ThreadCpuTimer.ENABLE_CPU_TIME, "true");
-    System.setProperty(AllowListUrlChecker.DISABLE_URL_ALLOW_LIST, "true");
 
     Path configSet = createTempDir("configSet");
     copyMinConf(configSet);

solr/core/src/test/org/apache/solr/TestTolerantSearch.java

@@ -58,7 +58,7 @@ private static Path createSolrHome() throws Exception {
 
   @BeforeClass
   public static void createThings() throws Exception {
-    systemSetPropertySolrDisableUrlAllowList("true");
+    systemSetPropertyEnableUrlAllowList(false);
     Path solrHome = createSolrHome();
     createAndStartJetty(solrHome);
     String url = getBaseUrl();
@@ -109,7 +109,7 @@ public static void destroyThings() throws Exception {
       collection2 = null;
     }
     resetExceptionIgnores();
-    systemClearPropertySolrDisableUrlAllowList();
+    systemClearPropertySolrEnableUrlAllowList();
   }
 
   @SuppressWarnings("unchecked")

solr/core/src/test/org/apache/solr/handler/TestHealthCheckHandlerLegacyMode.java

@@ -51,7 +51,7 @@ public class TestHealthCheckHandlerLegacyMode extends SolrTestCaseJ4 {
   public void setUp() throws Exception {
     super.setUp();
 
-    systemSetPropertySolrDisableUrlAllowList("true");
+    systemSetPropertyEnableUrlAllowList(false);
 
     leader = new ReplicationTestHelper.SolrInstance(createTempDir("solr-instance"), "leader", null);
     leader.setUp();

solr/core/src/test/org/apache/solr/handler/TestReplicationHandler.java

@@ -107,7 +107,7 @@ public class TestReplicationHandler extends SolrTestCaseJ4 {
   @Before
   public void setUp() throws Exception {
     super.setUp();
-    systemSetPropertySolrDisableUrlAllowList("true");
+    systemSetPropertyEnableUrlAllowList(false);
     System.setProperty("solr.directoryFactory", "solr.StandardDirectoryFactory");
     // For manual testing only
     // useFactory(null); // force an FS factory.
@@ -140,7 +140,7 @@ public void clearIndexWithReplication() throws Exception {
   @After
   public void tearDown() throws Exception {
     super.tearDown();
-    systemClearPropertySolrDisableUrlAllowList();
+    systemClearPropertySolrEnableUrlAllowList();
     if (null != leaderJetty) {
       leaderJetty.stop();
       leaderJetty = null;
@@ -255,7 +255,7 @@ public void doTestHandlerPathUnchanged() {
   public void testUrlAllowList() throws Exception {
     // Run another test with URL allow-list enabled and allow-list is empty.
     // Expect an exception because the leader URL is not allowed.
-    systemClearPropertySolrDisableUrlAllowList();
+    systemClearPropertySolrEnableUrlAllowList();
     SolrException e = expectThrows(SolrException.class, this::doTestDetails);
     assertTrue(
         e.getMessage()

solr/core/src/test/org/apache/solr/handler/TestUserManagedReplicationWithAuth.java

@@ -74,7 +74,7 @@ public class TestUserManagedReplicationWithAuth extends SolrTestCaseJ4 {
   @Before
   public void setUp() throws Exception {
     super.setUp();
-    systemSetPropertySolrDisableUrlAllowList("true");
+    systemSetPropertyEnableUrlAllowList(false);
     // leader with Basic auth enabled via security.json
     leader = new ReplicationTestHelper.SolrInstance(createTempDir("solr-instance"), "leader", null);
     leader.setUp();

solr/core/src/test/org/apache/solr/handler/component/DistributedDebugComponentTest.java

@@ -58,7 +58,7 @@ private static Path createSolrHome() throws Exception {
 
   @BeforeClass
   public static void createThings() throws Exception {
-    systemSetPropertySolrDisableUrlAllowList("true");
+    systemSetPropertyEnableUrlAllowList(false);
     Path solrHome = createSolrHome();
     createAndStartJetty(solrHome);
     String url = getBaseUrl();
@@ -102,7 +102,7 @@ public static void destroyThings() throws Exception {
       collection2 = null;
     }
     resetExceptionIgnores();
-    systemClearPropertySolrDisableUrlAllowList();
+    systemClearPropertySolrEnableUrlAllowList();
   }
 
   @Test

solr/core/src/test/org/apache/solr/search/TestSmileRequest.java

@@ -42,7 +42,7 @@ public class TestSmileRequest extends SolrTestCaseJ4 {
 
   @BeforeClass
   public static void beforeTests() throws Exception {
-    systemSetPropertySolrDisableUrlAllowList("true");
+    systemSetPropertyEnableUrlAllowList(false);
     System.setProperty("solr.requests.streaming.body.enabled", "true");
     JSONTestUtil.failRepeatedKeys = true;
     initCore("solrconfig-tlog.xml", "schema_latest.xml");
@@ -61,7 +61,7 @@ public static void afterTests() throws Exception {
       servers.stop();
       servers = null;
     }
-    systemClearPropertySolrDisableUrlAllowList();
+    systemClearPropertySolrEnableUrlAllowList();
   }
 
   @Test

solr/core/src/test/org/apache/solr/search/facet/TestJsonFacetErrors.java

@@ -34,7 +34,7 @@ public class TestJsonFacetErrors extends SolrTestCaseHS {
   @SuppressWarnings("deprecation")
   @BeforeClass
   public static void beforeTests() throws Exception {
-    systemSetPropertySolrDisableUrlAllowList("true");
+    systemSetPropertyEnableUrlAllowList(false);
     JSONTestUtil.failRepeatedKeys = true;
 
     // we need DVs on point fields to compute stats & facets
@@ -54,7 +54,7 @@ public static void initServers() throws Exception {
   @SuppressWarnings("deprecation")
   @AfterClass
   public static void afterTests() throws Exception {
-    systemClearPropertySolrDisableUrlAllowList();
+    systemClearPropertySolrEnableUrlAllowList();
     JSONTestUtil.failRepeatedKeys = false;
     if (servers != null) {
       servers.stop();