Use dynamic policy for entitled test plugin (#121852) (#122096)

Like the plugin being testing, the entitled test plugin needs access to
dynamic elements (namely, file paths). This commit dynamically generates
the entitlement policy for the entitlted test plugin when it is
installed. It also adds using the file entitltlement as an example.

Author: rjernst

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -50,6 +50,7 @@
 import java.nio.channels.SocketChannel;
 import java.nio.channels.spi.SelectorProvider;
 import java.nio.charset.Charset;
+import java.nio.file.LinkOption;
 import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.nio.file.attribute.UserPrincipal;
@@ -514,6 +515,8 @@ public interface EntitlementChecker {
     void check$java_util_Scanner$(Class<?> callerClass, File source, Charset charset);
 
     // nio
+    void check$java_nio_file_Files$$getOwner(Class<?> callerClass, Path path, LinkOption... options);
+
     void check$java_nio_file_Files$$probeContentType(Class<?> callerClass, Path path);
 
     void check$java_nio_file_Files$$setOwner(Class<?> callerClass, Path path, UserPrincipal principal);

libs/entitlement/qa/entitled-plugin/src/main/plugin-metadata/entitlement-policy.yaml

@@ -80,6 +80,11 @@ static void createFileOutputStreamFileWithAppend() throws IOException {
         new FileOutputStream(readWriteFile().toFile(), false).close();
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void filesGetOwner() throws IOException {
+        Files.getOwner(readFile());
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void filesProbeContentType() throws IOException {
         Files.probeContentType(readFile());

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java

@@ -11,6 +11,7 @@
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.Response;
+import org.elasticsearch.entitlement.qa.EntitlementsTestRule.PolicyBuilder;
 import org.elasticsearch.test.rest.ESRestTestCase;
 
 import java.io.IOException;
@@ -22,7 +23,7 @@
 
 public abstract class AbstractEntitlementsIT extends ESRestTestCase {
 
-    static final EntitlementsTestRule.PolicyBuilder ALLOWED_TEST_ENTITLEMENTS = (builder, tempDir) -> {
+    static final PolicyBuilder ALLOWED_TEST_ENTITLEMENTS = (builder, tempDir) -> {
         builder.value("create_class_loader");
         builder.value("set_https_connection_properties");
         builder.value("inbound_network");

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/AbstractEntitlementsIT.java

@@ -26,9 +26,27 @@
 import java.io.UncheckedIOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.List;
+import java.util.Map;
 
 class EntitlementsTestRule implements TestRule {
 
+    // entitlements that test methods may use, see EntitledActions
+    private static final PolicyBuilder ENTITLED_POLICY = (builder, tempDir) -> {
+        builder.value(Map.of("write_system_properties", Map.of("properties", List.of("org.elasticsearch.entitlement.qa.selfTest"))));
+        builder.value(
+            Map.of(
+                "files",
+                List.of(
+                    Map.of("path", tempDir.resolve("read_dir"), "mode", "read"),
+                    Map.of("path", tempDir.resolve("read_write_dir"), "mode", "read_write"),
+                    Map.of("path", tempDir.resolve("read_file"), "mode", "read"),
+                    Map.of("path", tempDir.resolve("read_write_file"), "mode", "read_write")
+                )
+            )
+        );
+    };
+
     interface PolicyBuilder {
         void build(XContentBuilder builder, Path tempDir) throws IOException;
     }
@@ -51,7 +69,7 @@ protected void before() throws Throwable {
             }
         };
         cluster = ElasticsearchCluster.local()
-            .module("entitled")
+            .module("entitled", spec -> buildEntitlements(spec, "org.elasticsearch.entitlement.qa.entitled", ENTITLED_POLICY))
             .module("entitlement-test-plugin", spec -> setupEntitlements(spec, modular, policyBuilder))
             .systemProperty("es.entitlements.enabled", "true")
             .systemProperty("es.entitlements.testdir", () -> testDir.getRoot().getAbsolutePath())
@@ -65,29 +83,30 @@ public Statement apply(Statement statement, Description description) {
         return ruleChain.apply(statement, description);
     }
 
-    private void setupEntitlements(PluginInstallSpec spec, boolean modular, PolicyBuilder policyBuilder) {
-        String moduleName = modular ? "org.elasticsearch.entitlement.qa.test" : "ALL-UNNAMED";
-        if (policyBuilder != null) {
-            spec.withEntitlementsOverride(old -> {
-                try {
-                    try (var builder = YamlXContent.contentBuilder()) {
-                        builder.startObject();
-                        builder.field(moduleName);
-                        builder.startArray();
+    private void buildEntitlements(PluginInstallSpec spec, String moduleName, PolicyBuilder policyBuilder) {
+        spec.withEntitlementsOverride(old -> {
+            try (var builder = YamlXContent.contentBuilder()) {
+                builder.startObject();
+                builder.field(moduleName);
+                builder.startArray();
 
-                        policyBuilder.build(builder, testDir.getRoot().toPath());
-                        builder.endArray();
-                        builder.endObject();
+                policyBuilder.build(builder, testDir.getRoot().toPath());
+                builder.endArray();
+                builder.endObject();
 
-                        String policy = Strings.toString(builder);
-                        System.out.println("Using entitlement policy:\n" + policy);
-                        return Resource.fromString(policy);
-                    }
+                String policy = Strings.toString(builder);
+                System.out.println("Using entitlement policy for module " + moduleName + ":\n" + policy);
+                return Resource.fromString(policy);
+            } catch (IOException e) {
+                throw new UncheckedIOException(e);
+            }
+        });
+    }
 
-                } catch (IOException e) {
-                    throw new UncheckedIOException(e);
-                }
-            });
+    private void setupEntitlements(PluginInstallSpec spec, boolean modular, PolicyBuilder policyBuilder) {
+        String moduleName = modular ? "org.elasticsearch.entitlement.qa.test" : "ALL-UNNAMED";
+        if (policyBuilder != null) {
+            buildEntitlements(spec, moduleName, policyBuilder);
         }
 
         if (modular == false) {

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java

@@ -55,6 +55,7 @@
 import java.nio.channels.SocketChannel;
 import java.nio.channels.spi.SelectorProvider;
 import java.nio.charset.Charset;
+import java.nio.file.LinkOption;
 import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.nio.file.attribute.UserPrincipal;
@@ -976,6 +977,11 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
 
     // nio
 
+    @Override
+    public void check$java_nio_file_Files$$getOwner(Class<?> callerClass, Path path, LinkOption... options) {
+        policyManager.checkFileRead(callerClass, path);
+    }
+
     @Override
     public void check$java_nio_file_Files$$probeContentType(Class<?> callerClass, Path path) {
         policyManager.checkFileRead(callerClass, path);