Share more entitlement IT setup (#120846)

This commit adds an AbstractEntitlementsIT and moves the entitlement
cluster setup into a bespoke EntitlementTestRule. That allows most of
the common code to be deduplicated. This change also automatically
creates a temp dir which the test passes along into the test cluster.

Author: rjernst

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/AbstractEntitlementsIT.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.test.rest.ESRestTestCase;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+
+public abstract class AbstractEntitlementsIT extends ESRestTestCase {
+
+    static final EntitlementsTestRule.PolicyBuilder ALLOWED_TEST_ENTITLEMENTS = (builder, tempDir) -> {
+        builder.value("create_class_loader");
+        builder.value("set_https_connection_properties");
+        builder.value("inbound_network");
+        builder.value("outbound_network");
+        builder.value("load_native_libraries");
+        builder.value(
+            Map.of(
+                "write_system_properties",
+                Map.of("properties", List.of("es.entitlements.checkSetSystemProperty", "es.entitlements.checkClearSystemProperty"))
+            )
+        );
+    };
+
+    private final String actionName;
+    private final boolean expectAllowed;
+
+    AbstractEntitlementsIT(String actionName, boolean expectAllowed) {
+        this.actionName = actionName;
+        this.expectAllowed = expectAllowed;
+    }
+
+    private Response executeCheck() throws IOException {
+        var request = new Request("GET", "/_entitlement_check");
+        request.addParameter("action", actionName);
+        return client().performRequest(request);
+    }
+
+    public void testAction() throws IOException {
+        logger.info("Executing Entitlement test for [{}]", actionName);
+        if (expectAllowed) {
+            Response result = executeCheck();
+            assertThat(result.getStatusLine().getStatusCode(), equalTo(200));
+        } else {
+            var exception = expectThrows(IOException.class, this::executeCheck);
+            assertThat(exception.getMessage(), containsString("not_entitled_exception"));
+        }
+    }
+}

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAllowedIT.java

@@ -12,31 +12,16 @@
 import com.carrotsearch.randomizedtesting.annotations.Name;
 import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
 
-import org.elasticsearch.client.Request;
-import org.elasticsearch.client.Response;
 import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
-import org.elasticsearch.test.cluster.ElasticsearchCluster;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.junit.ClassRule;
 
-import java.io.IOException;
-
-import static org.elasticsearch.entitlement.qa.EntitlementsUtil.ALLOWED_ENTITLEMENTS;
-import static org.hamcrest.Matchers.equalTo;
-
-public class EntitlementsAllowedIT extends ESRestTestCase {
+public class EntitlementsAllowedIT extends AbstractEntitlementsIT {
 
     @ClassRule
-    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
-        .module("entitlement-test-plugin", spec -> EntitlementsUtil.setupEntitlements(spec, true, ALLOWED_ENTITLEMENTS))
-        .systemProperty("es.entitlements.enabled", "true")
-        .setting("xpack.security.enabled", "false")
-        .build();
-
-    private final String actionName;
+    public static EntitlementsTestRule testRule = new EntitlementsTestRule(true, ALLOWED_TEST_ENTITLEMENTS);
 
     public EntitlementsAllowedIT(@Name("actionName") String actionName) {
-        this.actionName = actionName;
+        super(actionName, true);
     }
 
     @ParametersFactory
@@ -46,14 +31,6 @@ public static Iterable<Object[]> data() {
 
     @Override
     protected String getTestRestCluster() {
-        return cluster.getHttpAddresses();
-    }
-
-    public void testCheckActionWithPolicyPass() throws IOException {
-        logger.info("Executing Entitlement test for [{}]", actionName);
-        var request = new Request("GET", "/_entitlement_check");
-        request.addParameter("action", actionName);
-        Response result = client().performRequest(request);
-        assertThat(result.getStatusLine().getStatusCode(), equalTo(200));
+        return testRule.cluster.getHttpAddresses();
     }
 }

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAllowedNonModularIT.java

@@ -12,31 +12,16 @@
 import com.carrotsearch.randomizedtesting.annotations.Name;
 import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
 
-import org.elasticsearch.client.Request;
-import org.elasticsearch.client.Response;
 import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
-import org.elasticsearch.test.cluster.ElasticsearchCluster;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.junit.ClassRule;
 
-import java.io.IOException;
-
-import static org.elasticsearch.entitlement.qa.EntitlementsUtil.ALLOWED_ENTITLEMENTS;
-import static org.hamcrest.Matchers.equalTo;
-
-public class EntitlementsAllowedNonModularIT extends ESRestTestCase {
+public class EntitlementsAllowedNonModularIT extends AbstractEntitlementsIT {
 
     @ClassRule
-    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
-        .module("entitlement-test-plugin", spec -> EntitlementsUtil.setupEntitlements(spec, false, ALLOWED_ENTITLEMENTS))
-        .systemProperty("es.entitlements.enabled", "true")
-        .setting("xpack.security.enabled", "false")
-        .build();
-
-    private final String actionName;
+    public static EntitlementsTestRule testRule = new EntitlementsTestRule(false, ALLOWED_TEST_ENTITLEMENTS);
 
     public EntitlementsAllowedNonModularIT(@Name("actionName") String actionName) {
-        this.actionName = actionName;
+        super(actionName, true);
     }
 
     @ParametersFactory
@@ -46,14 +31,6 @@ public static Iterable<Object[]> data() {
 
     @Override
     protected String getTestRestCluster() {
-        return cluster.getHttpAddresses();
-    }
-
-    public void testCheckActionWithPolicyPass() throws IOException {
-        logger.info("Executing Entitlement test for [{}]", actionName);
-        var request = new Request("GET", "/_entitlement_check");
-        request.addParameter("action", actionName);
-        Response result = client().performRequest(request);
-        assertThat(result.getStatusLine().getStatusCode(), equalTo(200));
+        return testRule.cluster.getHttpAddresses();
     }
 }

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedIT.java

@@ -12,50 +12,25 @@
 import com.carrotsearch.randomizedtesting.annotations.Name;
 import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
 
-import org.elasticsearch.client.Request;
 import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
-import org.elasticsearch.test.cluster.ElasticsearchCluster;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.junit.ClassRule;
 
-import java.io.IOException;
-
-import static org.hamcrest.Matchers.containsString;
-
-public class EntitlementsDeniedIT extends ESRestTestCase {
+public class EntitlementsDeniedIT extends AbstractEntitlementsIT {
 
     @ClassRule
-    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
-        .module("entitlement-test-plugin", spec -> EntitlementsUtil.setupEntitlements(spec, true, null))
-        .systemProperty("es.entitlements.enabled", "true")
-        .setting("xpack.security.enabled", "false")
-        // Logs in libs/entitlement/qa/build/test-results/javaRestTest/TEST-org.elasticsearch.entitlement.qa.EntitlementsDeniedIT.xml
-        // .setting("logger.org.elasticsearch.entitlement", "DEBUG")
-        .build();
-
-    @Override
-    protected String getTestRestCluster() {
-        return cluster.getHttpAddresses();
-    }
-
-    private final String actionName;
+    public static EntitlementsTestRule testRule = new EntitlementsTestRule(true, null);
 
     public EntitlementsDeniedIT(@Name("actionName") String actionName) {
-        this.actionName = actionName;
+        super(actionName, false);
     }
 
     @ParametersFactory
     public static Iterable<Object[]> data() {
         return RestEntitlementsCheckAction.getAllCheckActions().stream().map(action -> new Object[] { action }).toList();
     }
 
-    public void testCheckThrows() {
-        logger.info("Executing Entitlement test for [{}]", actionName);
-        var exception = expectThrows(IOException.class, () -> {
-            var request = new Request("GET", "/_entitlement_check");
-            request.addParameter("action", actionName);
-            client().performRequest(request);
-        });
-        assertThat(exception.getMessage(), containsString("not_entitled_exception"));
+    @Override
+    protected String getTestRestCluster() {
+        return testRule.cluster.getHttpAddresses();
     }
 }

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedNonModularIT.java

@@ -12,50 +12,25 @@
 import com.carrotsearch.randomizedtesting.annotations.Name;
 import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
 
-import org.elasticsearch.client.Request;
 import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
-import org.elasticsearch.test.cluster.ElasticsearchCluster;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.junit.ClassRule;
 
-import java.io.IOException;
-
-import static org.hamcrest.Matchers.containsString;
-
-public class EntitlementsDeniedNonModularIT extends ESRestTestCase {
+public class EntitlementsDeniedNonModularIT extends AbstractEntitlementsIT {
 
     @ClassRule
-    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
-        .module("entitlement-test-plugin", spec -> EntitlementsUtil.setupEntitlements(spec, false, null))
-        .systemProperty("es.entitlements.enabled", "true")
-        .setting("xpack.security.enabled", "false")
-        // Logs in libs/entitlement/qa/build/test-results/javaRestTest/TEST-org.elasticsearch.entitlement.qa.EntitlementsDeniedIT.xml
-        // .setting("logger.org.elasticsearch.entitlement", "DEBUG")
-        .build();
-
-    @Override
-    protected String getTestRestCluster() {
-        return cluster.getHttpAddresses();
-    }
-
-    private final String actionName;
+    public static EntitlementsTestRule testRule = new EntitlementsTestRule(false, null);
 
     public EntitlementsDeniedNonModularIT(@Name("actionName") String actionName) {
-        this.actionName = actionName;
+        super(actionName, false);
     }
 
     @ParametersFactory
     public static Iterable<Object[]> data() {
         return RestEntitlementsCheckAction.getAllCheckActions().stream().map(action -> new Object[] { action }).toList();
     }
 
-    public void testCheckThrows() {
-        logger.info("Executing Entitlement test for [{}]", actionName);
-        var exception = expectThrows(IOException.class, () -> {
-            var request = new Request("GET", "/_entitlement_check");
-            request.addParameter("action", actionName);
-            client().performRequest(request);
-        });
-        assertThat(exception.getMessage(), containsString("not_entitled_exception"));
+    @Override
+    protected String getTestRestCluster() {
+        return testRule.cluster.getHttpAddresses();
     }
 }

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.local.PluginInstallSpec;
+import org.elasticsearch.test.cluster.util.resource.Resource;
+import org.elasticsearch.xcontent.XContentBuilder;
+import org.elasticsearch.xcontent.yaml.YamlXContent;
+import org.junit.rules.RuleChain;
+import org.junit.rules.TemporaryFolder;
+import org.junit.rules.TestRule;
+import org.junit.runner.Description;
+import org.junit.runners.model.Statement;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Path;
+
+class EntitlementsTestRule implements TestRule {
+
+    interface PolicyBuilder {
+        void build(XContentBuilder builder, Path tempDir) throws IOException;
+    }
+
+    final TemporaryFolder testDir;
+    final ElasticsearchCluster cluster;
+    final TestRule ruleChain;
+
+    @SuppressWarnings("this-escape")
+    EntitlementsTestRule(boolean modular, PolicyBuilder policyBuilder) {
+        testDir = new TemporaryFolder();
+        cluster = ElasticsearchCluster.local()
+            .module("entitlement-test-plugin", spec -> setupEntitlements(spec, modular, policyBuilder))
+            .systemProperty("es.entitlements.enabled", "true")
+            .systemProperty("es.entitlements.testdir", () -> testDir.getRoot().getAbsolutePath())
+            .setting("xpack.security.enabled", "false")
+            .build();
+        ruleChain = RuleChain.outerRule(testDir).around(cluster);
+    }
+
+    @Override
+    public Statement apply(Statement statement, Description description) {
+        return ruleChain.apply(statement, description);
+    }
+
+    private void setupEntitlements(PluginInstallSpec spec, boolean modular, PolicyBuilder policyBuilder) {
+        String moduleName = modular ? "org.elasticsearch.entitlement.qa.test" : "ALL-UNNAMED";
+        if (policyBuilder != null) {
+            spec.withEntitlementsOverride(old -> {
+                try {
+                    try (var builder = YamlXContent.contentBuilder()) {
+                        builder.startObject();
+                        builder.field(moduleName);
+                        builder.startArray();
+                        policyBuilder.build(builder, testDir.getRoot().toPath());
+                        builder.endArray();
+                        builder.endObject();
+
+                        String policy = Strings.toString(builder);
+                        System.out.println("Using entitlement policy:\n" + policy);
+                        return Resource.fromString(policy);
+                    }
+
+                } catch (IOException e) {
+                    throw new UncheckedIOException(e);
+                }
+            });
+        }
+
+        if (modular == false) {
+            spec.withPropertiesOverride(old -> {
+                String props = old.replace("modulename=org.elasticsearch.entitlement.qa.test", "");
+                System.out.println("Using plugin properties:\n" + props);
+                return Resource.fromString(props);
+            });
+        }
+    }
+}