add IT tests for always allowed with no policy; add test functions with Environment

Author: ldematte

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/EntitlementTestPlugin.java

@@ -15,17 +15,28 @@
 import org.elasticsearch.common.settings.IndexScopedSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsFilter;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.features.NodeFeature;
 import org.elasticsearch.plugins.ActionPlugin;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.rest.RestController;
 import org.elasticsearch.rest.RestHandler;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
 
 public class EntitlementTestPlugin extends Plugin implements ActionPlugin {
+
+    private Environment environment;
+
+    @Override
+    public Collection<?> createComponents(PluginServices services) {
+        environment = services.environment();
+        return super.createComponents(services);
+    }
+
     @Override
     public List<RestHandler> getRestHandlers(
         final Settings settings,
@@ -38,6 +49,6 @@ public List<RestHandler> getRestHandlers(
         final Supplier<DiscoveryNodes> nodesInCluster,
         Predicate<NodeFeature> clusterSupportsFeature
     ) {
-        return List.of(new RestEntitlementsCheckAction());
+        return List.of(new RestEntitlementsCheckAction(environment));
     }
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.core.CheckedRunnable;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.qa.entitled.EntitledActions;
+import org.elasticsearch.env.Environment;
 
 import java.io.File;
 import java.io.FileDescriptor;
@@ -22,9 +23,11 @@
 import java.io.FileWriter;
 import java.io.IOException;
 import java.io.RandomAccessFile;
+import java.net.URISyntaxException;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
@@ -41,6 +44,7 @@
 import static java.util.zip.ZipFile.OPEN_DELETE;
 import static java.util.zip.ZipFile.OPEN_READ;
 import static org.elasticsearch.entitlement.qa.entitled.EntitledActions.createTempFileForWrite;
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.ALWAYS_ALLOWED;
 import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.ALWAYS_DENIED;
 import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
 
@@ -563,5 +567,29 @@ static void httpResponseBodySubscribersOfFile_FileOpenOptions_readOnly() {
         HttpResponse.BodySubscribers.ofFile(readFile(), CREATE, WRITE);
     }
 
+    @EntitlementTest(expectedAccess = ALWAYS_ALLOWED)
+    static void readAccessConfigDirectory(Environment environment) {
+        Files.exists(environment.configDir());
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void writeAccessConfigDirectory(Environment environment) throws IOException {
+        var file = environment.configDir().resolve("to_create");
+        Files.createFile(file);
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_ALLOWED)
+    static void readAccessSourcePath() throws URISyntaxException {
+        var sourcePath = Paths.get(EntitlementTestPlugin.class.getProtectionDomain().getCodeSource().getLocation().toURI());
+        Files.exists(sourcePath);
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void writeAccessSourcePath() throws IOException, URISyntaxException {
+        var sourcePath = Paths.get(EntitlementTestPlugin.class.getProtectionDomain().getCodeSource().getLocation().toURI());
+        var file = sourcePath.getParent().resolve("to_create");
+        Files.createFile(file);
+    }
+
     private FileCheckActions() {}
 }

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java

@@ -11,8 +11,10 @@
 
 import org.elasticsearch.client.internal.node.NodeClient;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.core.CheckedConsumer;
 import org.elasticsearch.core.CheckedRunnable;
 import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
 import org.elasticsearch.rest.BaseRestHandler;
@@ -68,20 +70,24 @@
 public class RestEntitlementsCheckAction extends BaseRestHandler {
     private static final Logger logger = LogManager.getLogger(RestEntitlementsCheckAction.class);
 
-    record CheckAction(CheckedRunnable<Exception> action, EntitlementTest.ExpectedAccess expectedAccess, Integer fromJavaVersion) {
+    record CheckAction(
+        CheckedConsumer<Environment, Exception> action,
+        EntitlementTest.ExpectedAccess expectedAccess,
+        Integer fromJavaVersion
+    ) {
         /**
          * These cannot be granted to plugins, so our test plugins cannot test the "allowed" case.
          */
         static CheckAction deniedToPlugins(CheckedRunnable<Exception> action) {
-            return new CheckAction(action, SERVER_ONLY, null);
+            return new CheckAction(env -> action.run(), SERVER_ONLY, null);
         }
 
         static CheckAction forPlugins(CheckedRunnable<Exception> action) {
-            return new CheckAction(action, PLUGINS, null);
+            return new CheckAction(env -> action.run(), PLUGINS, null);
         }
 
         static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
-            return new CheckAction(action, ALWAYS_DENIED, null);
+            return new CheckAction(env -> action.run(), ALWAYS_DENIED, null);
         }
     }
 
@@ -128,7 +134,7 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
             entry("responseCache_setDefault", alwaysDenied(RestEntitlementsCheckAction::setDefaultResponseCache)),
             entry(
                 "createInetAddressResolverProvider",
-                new CheckAction(VersionSpecificNetworkChecks::createInetAddressResolverProvider, SERVER_ONLY, 18)
+                new CheckAction(env -> VersionSpecificNetworkChecks.createInetAddressResolverProvider(), SERVER_ONLY, 18)
             ),
             entry("createURLStreamHandlerProvider", alwaysDenied(RestEntitlementsCheckAction::createURLStreamHandlerProvider)),
             entry("createURLWithURLStreamHandler", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler)),
@@ -204,6 +210,12 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
         .filter(entry -> entry.getValue().fromJavaVersion() == null || Runtime.version().feature() >= entry.getValue().fromJavaVersion())
         .collect(Collectors.toUnmodifiableMap(Entry::getKey, Entry::getValue));
 
+    private final Environment environment;
+
+    public RestEntitlementsCheckAction(Environment environment) {
+        this.environment = environment;
+    }
+
     @SuppressForbidden(reason = "Need package private methods so we don't have to make them all public")
     private static Method[] getDeclaredMethods(Class<?> clazz) {
         return clazz.getDeclaredMethods();
@@ -219,13 +231,10 @@ private static Stream<Entry<String, CheckAction>> getTestEntries(Class<?> action
             if (Modifier.isStatic(method.getModifiers()) == false) {
                 throw new AssertionError("Entitlement test method [" + method + "] must be static");
             }
-            if (method.getParameterTypes().length != 0) {
-                throw new AssertionError("Entitlement test method [" + method + "] must not have parameters");
-            }
-
-            CheckedRunnable<Exception> runnable = () -> {
+            final CheckedConsumer<Environment, Exception> call = createConsumerForMethod(method);
+            CheckedConsumer<Environment, Exception> runnable = env -> {
                 try {
-                    method.invoke(null);
+                    call.accept(env);
                 } catch (IllegalAccessException e) {
                     throw new AssertionError(e);
                 } catch (InvocationTargetException e) {
@@ -242,6 +251,17 @@ private static Stream<Entry<String, CheckAction>> getTestEntries(Class<?> action
         return entries.stream();
     }
 
+    private static CheckedConsumer<Environment, Exception> createConsumerForMethod(Method method) {
+        Class<?>[] parameters = method.getParameterTypes();
+        if (parameters.length == 0) {
+            return env -> method.invoke(null);
+        }
+        if (parameters.length == 1 && parameters[0].equals(Environment.class)) {
+            return env -> method.invoke(null, env);
+        }
+        throw new AssertionError("Entitlement test method [" + method + "] must have no parameters or 1 parameter (Environment)");
+    }
+
     private static void createURLStreamHandlerProvider() {
         var x = new URLStreamHandlerProvider() {
             @Override
@@ -405,6 +425,14 @@ public static Set<String> getCheckActionsAllowedInPlugins() {
             .collect(Collectors.toSet());
     }
 
+    public static Set<String> getAlwaysAllowedCheckActions() {
+        return checkActions.entrySet()
+            .stream()
+            .filter(kv -> kv.getValue().expectedAccess().equals(ALWAYS_ALLOWED))
+            .map(Entry::getKey)
+            .collect(Collectors.toSet());
+    }
+
     public static Set<String> getDeniableCheckActions() {
         return checkActions.entrySet()
             .stream()
@@ -437,10 +465,9 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
 
         return channel -> {
             logger.info("Calling check action [{}]", actionName);
-            checkAction.action().run();
+            checkAction.action().accept(environment);
             logger.debug("Check action [{}] returned", actionName);
             channel.sendResponse(new RestResponse(RestStatus.OK, Strings.format("Succesfully executed action [%s]", actionName)));
         };
     }
-
 }

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
+
+import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
+import org.junit.ClassRule;
+
+public class EntitlementsAlwaysAllowedIT extends AbstractEntitlementsIT {
+
+    @ClassRule
+    public static EntitlementsTestRule testRule = new EntitlementsTestRule(true, null);
+
+    public EntitlementsAlwaysAllowedIT(@Name("actionName") String actionName) {
+        super(actionName, true);
+    }
+
+    @ParametersFactory
+    public static Iterable<Object[]> data() {
+        return RestEntitlementsCheckAction.getAlwaysAllowedCheckActions().stream().map(action -> new Object[] { action }).toList();
+    }
+
+    @Override
+    protected String getTestRestCluster() {
+        return testRule.cluster.getHttpAddresses();
+    }
+}

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedNonModularIT.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
+
+import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
+import org.junit.ClassRule;
+
+public class EntitlementsAlwaysAllowedNonModularIT extends AbstractEntitlementsIT {
+
+    @ClassRule
+    public static EntitlementsTestRule testRule = new EntitlementsTestRule(false, null);
+
+    public EntitlementsAlwaysAllowedNonModularIT(@Name("actionName") String actionName) {
+        super(actionName, true);
+    }
+
+    @ParametersFactory
+    public static Iterable<Object[]> data() {
+        return RestEntitlementsCheckAction.getAlwaysAllowedCheckActions().stream().map(action -> new Object[] { action }).toList();
+    }
+
+    @Override
+    protected String getTestRestCluster() {
+        return testRule.cluster.getHttpAddresses();
+    }
+}