Allow internal cluster tests to run in MP mode

Author: nielsbauman

test/framework/build.gradle

@@ -38,6 +38,7 @@ dependencies {
   testImplementation project(':x-pack:plugin:mapper-counted-keyword')
   testImplementation project(':x-pack:plugin:mapper-constant-keyword')
   testImplementation project(':x-pack:plugin:wildcard')
+  implementation project(':test:external-modules:test-multi-project')
 }
 
 sourceSets {

test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java

@@ -16,7 +16,9 @@
 import com.carrotsearch.randomizedtesting.generators.RandomNumbers;
 import com.carrotsearch.randomizedtesting.generators.RandomPicks;
 
+import org.apache.http.Header;
 import org.apache.http.HttpHost;
+import org.apache.http.message.BasicHeader;
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.Sort;
 import org.apache.lucene.search.TotalHits;
@@ -69,11 +71,15 @@
 import org.elasticsearch.action.support.RefCountingListener;
 import org.elasticsearch.action.support.SubscribableListener;
 import org.elasticsearch.action.support.broadcast.BroadcastResponse;
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.client.ResponseException;
 import org.elasticsearch.client.RestClient;
 import org.elasticsearch.client.RestClientBuilder;
 import org.elasticsearch.client.internal.AdminClient;
 import org.elasticsearch.client.internal.Client;
 import org.elasticsearch.client.internal.ClusterAdminClient;
+import org.elasticsearch.client.internal.FilterClient;
 import org.elasticsearch.client.internal.IndicesAdminClient;
 import org.elasticsearch.cluster.ClusterInfoService;
 import org.elasticsearch.cluster.ClusterInfoServiceUtils;
@@ -85,6 +91,7 @@
 import org.elasticsearch.cluster.metadata.DataStream;
 import org.elasticsearch.cluster.metadata.IndexMetadata;
 import org.elasticsearch.cluster.metadata.Metadata;
+import org.elasticsearch.cluster.metadata.ProjectId;
 import org.elasticsearch.cluster.metadata.ProjectMetadata;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.routing.IndexRoutingTable;
@@ -143,6 +150,7 @@
 import org.elasticsearch.indices.store.IndicesStore;
 import org.elasticsearch.ingest.IngestPipelineTestUtils;
 import org.elasticsearch.monitor.jvm.HotThreads;
+import org.elasticsearch.multiproject.TestOnlyMultiProjectPlugin;
 import org.elasticsearch.node.NodeMocksPlugin;
 import org.elasticsearch.persistent.PersistentTasks;
 import org.elasticsearch.persistent.PersistentTasksCustomMetadata;
@@ -156,9 +164,11 @@
 import org.elasticsearch.search.SearchHit;
 import org.elasticsearch.search.SearchResponseUtils;
 import org.elasticsearch.search.SearchService;
+import org.elasticsearch.tasks.Task;
 import org.elasticsearch.test.client.RandomizingClient;
 import org.elasticsearch.test.disruption.NetworkDisruption;
 import org.elasticsearch.test.disruption.ServiceDisruptionScheme;
+import org.elasticsearch.test.rest.ObjectPath;
 import org.elasticsearch.test.store.MockFSIndexStore;
 import org.elasticsearch.test.transport.MockTransportService;
 import org.elasticsearch.transport.TransportInterceptor;
@@ -171,6 +181,7 @@
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentParser;
 import org.elasticsearch.xcontent.XContentType;
+import org.elasticsearch.xcontent.json.JsonXContent;
 import org.elasticsearch.xcontent.smile.SmileXContent;
 import org.hamcrest.Matchers;
 import org.junit.After;
@@ -364,10 +375,20 @@ public abstract class ESIntegTestCase extends ESTestCase {
     private static ESIntegTestCase INSTANCE = null; // see @SuiteScope
     private static Long SUITE_SEED = null;
 
+    private static boolean multiProjectEnabled;
+    private static ProjectId activeProject;
+    private static Set<ProjectId> extraProjects;
+    private static boolean projectsConfigured = false;
+
     @BeforeClass
     public static void beforeClass() throws Exception {
         SUITE_SEED = randomLong();
         initializeSuiteScope();
+
+        // The active project-id is slightly longer, and has a fixed prefix so that it's easier to pick in error messages etc.
+        activeProject = ProjectId.fromId("active00" + randomAlphaOfLength(8).toLowerCase(Locale.ROOT));
+        extraProjects = randomSet(1, 3, () -> ProjectId.fromId(randomAlphaOfLength(12).toLowerCase(Locale.ROOT)));
+        multiProjectEnabled = Boolean.parseBoolean(System.getProperty("tests.multi_project.enabled"));
     }
 
     @Override
@@ -377,12 +398,68 @@ protected final boolean enableWarningsCheck() {
         return false;
     }
 
+    private void configureProjects() throws Exception {
+        if (projectsConfigured || multiProjectEnabled == false) {
+            return;
+        }
+        projectsConfigured = true;
+        createProject(activeProject);
+        for (var project : extraProjects) {
+            createProject(project);
+        }
+    }
+
+    private void createProject(ProjectId project) throws IOException {
+        assert multiProjectEnabled;
+        final Request request = new Request("PUT", "/_project/" + project);
+        try {
+            final Response response = getRestClient().performRequest(request);
+            logger.info("Created project {} : {}", project, response.getStatusLine());
+        } catch (ResponseException e) {
+            logger.error("Failed to create project: {}", project);
+            throw e;
+        }
+    }
+
+    protected ProjectId activeProject() {
+        if (multiProjectEnabled == false) {
+            return ProjectId.DEFAULT;
+        }
+        return activeProject;
+    }
+
+    private void checkSecurityIndex() throws IOException {
+        final Request request = new Request("GET", "/_security/_query/role");
+        request.setJsonEntity("""
+            {
+              "query": {
+                "bool": {
+                  "must_not": {
+                    "term": {
+                      "metadata._reserved": true
+                    }
+                  }
+                }
+              }
+            }""");
+        request.setOptions(
+            request.getOptions().toBuilder().addHeader(Task.X_ELASTIC_PROJECT_ID_HTTP_HEADER, Metadata.DEFAULT_PROJECT_ID.id()).build()
+        );
+        final var response = XContentHelper.convertToMap(
+            JsonXContent.jsonXContent,
+            getRestClient().performRequest(request).getEntity().getContent(),
+            false
+        );
+        assertThat("Security index should not contain any non-reserved roles", (Collection<?>) response.get("roles"), empty());
+    }
+
     protected final void beforeInternal() throws Exception {
         final Scope currentClusterScope = getCurrentClusterScope();
         Callable<Void> setup = () -> {
             cluster().beforeTest(random());
             cluster().wipe(excludeTemplates());
             randomIndexTemplate();
+            configureProjects();
             return null;
         };
         switch (currentClusterScope) {
@@ -2292,6 +2369,9 @@ private NodeConfigurationSource getNodeConfigSource() {
         } else {
             initialNodeSettings.put(SearchService.QUERY_PHASE_PARALLEL_COLLECTION_ENABLED.getKey(), false);
         }
+        if (multiProjectEnabled) {
+            initialNodeSettings.put("test.multi_project.enabled", true);
+        }
         return new NodeConfigurationSource() {
             @Override
             public Settings nodeSettings(int nodeOrdinal, Settings otherSettings) {
@@ -2308,12 +2388,14 @@ public Path nodeConfigPath(int nodeOrdinal) {
 
             @Override
             public Collection<Class<? extends Plugin>> nodePlugins() {
+                List<Class<? extends Plugin>> plugins = new ArrayList<>(ESIntegTestCase.this.nodePlugins());
                 if (enableConcurrentSearch) {
-                    List<Class<? extends Plugin>> plugins = new ArrayList<>(ESIntegTestCase.this.nodePlugins());
                     plugins.add(ConcurrentSearchTestPlugin.class);
-                    return plugins;
                 }
-                return ESIntegTestCase.this.nodePlugins();
+                if (multiProjectEnabled) {
+                    plugins.add(TestOnlyMultiProjectPlugin.class);
+                }
+                return plugins;
             }
         };
     }
@@ -2337,7 +2419,7 @@ protected boolean enableConcurrentSearch() {
 
     /** Returns {@code true} iff this test cluster should use a dummy http transport */
     protected boolean addMockHttpTransport() {
-        return true;
+        return false;
     }
 
     /**
@@ -2360,7 +2442,24 @@ protected boolean addMockFSIndexStore() {
      * framework. By default this method returns an identity function {@link Function#identity()}.
      */
     protected Function<Client, Client> getClientWrapper() {
-        return Function.identity();
+        return client -> new FilterClient(client) {
+            @Override
+            protected <Request extends ActionRequest, Response extends ActionResponse> void doExecute(
+                ActionType<Response> action,
+                Request request,
+                ActionListener<Response> listener
+            ) {
+                if (projectsConfigured == false) {
+                    super.doExecute(action, request, listener);
+                    return;
+                }
+                Map<String, String> headers = Map.of(Task.X_ELASTIC_PROJECT_ID_HTTP_HEADER, activeProject.id());
+                ThreadContext threadContext = threadPool().getThreadContext();
+                try (ThreadContext.StoredContext ctx = threadContext.stashAndMergeHeaders(headers)) {
+                    super.doExecute(action, request, listener);
+                }
+            }
+        };
     }
 
     /** Return the mock plugins the cluster should use */
@@ -2535,13 +2634,83 @@ public final void cleanUpCluster() throws Exception {
             internalCluster().setBootstrapMasterNodeIndex(InternalTestCluster.BOOTSTRAP_MASTER_NODE_INDEX_AUTO);
         }
         super.ensureAllSearchContextsReleased();
+        assertEmptyProjects();
         if (runTestScopeLifecycle()) {
             printTestMessage("cleaning up after");
             afterInternal(false);
             printTestMessage("cleaned up after");
         }
     }
 
+    private void assertEmptyProjects() throws Exception {
+        if (projectsConfigured == false) {
+            return;
+        }
+        assertEmptyProject(Metadata.DEFAULT_PROJECT_ID);
+        for (var project : extraProjects) {
+            assertEmptyProject(project);
+        }
+    }
+
+    protected void assertEmptyProject(ProjectId projectId) throws IOException {
+        assert multiProjectEnabled;
+        final Request request = new Request("GET", "_cluster/state/metadata,routing_table,customs");
+        request.setOptions(request.getOptions().toBuilder().addHeader(Task.X_ELASTIC_PROJECT_ID_HTTP_HEADER, projectId.id()).build());
+
+        var response = XContentHelper.convertToMap(
+            JsonXContent.jsonXContent,
+            getRestClient().performRequest(request).getEntity().getContent(),
+            false
+        );
+        ObjectPath state = new ObjectPath(response);
+
+        final var indexNames = ((Map<?, ?>) state.evaluate("metadata.indices")).keySet();
+        final var routingTableEntries = ((Map<?, ?>) state.evaluate("routing_table.indices")).keySet();
+        if (indexNames.isEmpty() == false || routingTableEntries.isEmpty() == false) {
+            // Only the default project is allowed to have the security index after tests complete.
+            // The security index could show up in the indices, routing table, or both.
+            // If that happens, we need to check that it hasn't been modified by any leaking API calls.
+            if (projectId.equals(Metadata.DEFAULT_PROJECT_ID)
+                && (indexNames.isEmpty() || (indexNames.size() == 1 && indexNames.contains(".security-7")))
+                && (routingTableEntries.isEmpty() || (routingTableEntries.size() == 1 && routingTableEntries.contains(".security-7")))) {
+                checkSecurityIndex();
+            } else {
+                // If there are any other indices or if this is for a non-default project, we fail the test.
+                assertThat("Project [" + projectId + "] should not have indices", indexNames, empty());
+                assertThat("Project [" + projectId + "] should not have routing entries", routingTableEntries, empty());
+            }
+        }
+        assertThat(
+            "Project [" + projectId + "] should not have graveyard entries",
+            state.evaluate("metadata.index-graveyard.tombstones"),
+            empty()
+        );
+
+        final Map<String, ?> legacyTemplates = state.evaluate("metadata.templates");
+        if (legacyTemplates != null) {
+            var templateNames = legacyTemplates.keySet().stream().filter(name -> "random_index_template".equals(name) == false).toList();
+            assertThat("Project [" + projectId + "] should not have legacy templates", templateNames, empty());
+        }
+
+        final Map<String, Object> indexTemplates = state.evaluate("metadata.index_template.index_template");
+        if (indexTemplates != null) {
+            var templateNames = indexTemplates.keySet();
+            assertThat("Project [" + projectId + "] should not have index templates", templateNames, empty());
+        }
+
+        final Map<String, Object> componentTemplates = state.evaluate("metadata.component_template.component_template");
+        if (componentTemplates != null) {
+            var templateNames = componentTemplates.keySet();
+            assertThat("Project [" + projectId + "] should not have component templates", templateNames, empty());
+        }
+
+        final List<Map<String, ?>> pipelines = state.evaluate("metadata.ingest.pipeline");
+        if (pipelines != null) {
+            var pipelineNames = pipelines.stream().map(pipeline -> String.valueOf(pipeline.get("id"))).toList();
+            assertThat("Project [" + projectId + "] should not have ingest pipelines", pipelineNames, empty());
+        }
+    }
+
     @Override
     protected boolean enableBigArraysReleasedCheck() {
         // checking that all big arrays have been released makes little sense for a still-running cluster, see comments in
@@ -2684,6 +2853,10 @@ protected static RestClient createRestClient(
         if (httpClientConfigCallback != null) {
             builder.setHttpClientConfigCallback(httpClientConfigCallback);
         }
+        if (multiProjectEnabled) {
+            final var defaultHeaders = new Header[] { new BasicHeader(Task.X_ELASTIC_PROJECT_ID_HTTP_HEADER, activeProject.id()) };
+            builder.setDefaultHeaders(defaultHeaders);
+        }
         return builder.build();
     }