Partial initial implementation

Author: prdoyle

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/ElasticsearchJavaBasePlugin.java

@@ -72,6 +72,7 @@ public void apply(Project project) {
         configureCompile(project);
         configureInputNormalization(project);
         configureNativeLibraryPath(project);
+        configureEntitlements(project);
 
         // convenience access to common versions used in dependencies
         project.getExtensions().getExtraProperties().set("versions", VersionProperties.getVersions());
@@ -196,6 +197,38 @@ private static void configureNativeLibraryPath(Project project) {
         });
     }
 
+    private static void configureEntitlements(Project project) {
+        Configuration agentJarConfig = project.getConfigurations().create("entitlementAgentJar");
+        agentJarConfig.defaultDependencies(deps -> {
+            deps.add(project.getDependencies().project(Map.of("path", ":libs:entitlement:agent", "configuration", "default")));
+        });
+        FileCollection agentFiles = agentJarConfig;
+
+        Configuration bridgeJarConfig = project.getConfigurations().create("entitlementBridgeJar");
+        bridgeJarConfig.defaultDependencies(deps -> {
+            deps.add(project.getDependencies().project(Map.of("path", ":libs:entitlement:bridge", "configuration", "default")));
+        });
+        FileCollection bridgeFiles = bridgeJarConfig;
+
+        project.getTasks().withType(Test.class).configureEach(test -> {
+            // See also SystemJvmOptions.maybeAttachEntitlementAgent.
+
+            // Agent
+            var systemProperties = test.getExtensions().getByType(SystemPropertyCommandLineArgumentProvider.class);
+            test.dependsOn(agentFiles);
+            systemProperties.systemProperty("es.entitlement.agentJar", agentFiles.getAsPath());
+            systemProperties.systemProperty("jdk.attach.allowAttachSelf", true);
+
+            // Bridge
+            String modulesContainingEntitlementInstrumentation = "java.logging,java.net.http,java.naming,jdk.net";
+            test.dependsOn(bridgeFiles);
+            // Tests may not be modular, but the JDK still is
+            test.jvmArgs(
+                "--add-exports=java.base/org.elasticsearch.entitlement.bridge=ALL-UNNAMED," + modulesContainingEntitlementInstrumentation
+            );
+        });
+    }
+
     private static Provider<Integer> releaseVersionProviderFromCompileTask(Project project, AbstractCompile compileTask) {
         return project.provider(() -> {
             JavaVersion javaVersion = JavaVersion.toVersion(compileTask.getTargetCompatibility());

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/ElasticsearchTestBasePlugin.java

@@ -241,7 +241,11 @@ private void configureImmutableCollectionsPatch(Project project) {
             test.getJvmArgumentProviders()
                 .add(
                     () -> List.of(
-                        "--patch-module=java.base=" + patchedFileCollection.getSingleFile() + "/java.base",
+                        "--patch-module=java.base="
+                            + patchedFileCollection.getSingleFile()
+                            + "/java.base"
+                            + File.pathSeparator
+                            + "/Users/prdoyle/IdeaProjects/elasticsearch/libs/entitlement/bridge/build/distributions/elasticsearch-entitlement-bridge-9.1.0-SNAPSHOT.jar",
                         "--add-opens=java.base/java.util=ALL-UNNAMED"
                     )
                 );

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -118,7 +118,7 @@ public enum ComponentKind {
      *
      * @param componentName the plugin name or else one of the special component names like "(server)".
      */
-    record ModuleEntitlements(
+    protected record ModuleEntitlements(
         String componentName,
         String moduleName,
         Map<Class<? extends Entitlement>, List<Entitlement>> entitlementsByType,
@@ -301,11 +301,11 @@ private static Logger getLogger(String componentName, String moduleName) {
      */
     private static final ConcurrentHashMap<String, Logger> MODULE_LOGGERS = new ConcurrentHashMap<>();
 
-    ModuleEntitlements getEntitlements(Class<?> requestingClass) {
+    protected ModuleEntitlements getEntitlements(Class<?> requestingClass) {
         return moduleEntitlementsMap.computeIfAbsent(requestingClass.getModule(), m -> computeEntitlements(requestingClass));
     }
 
-    private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
+    protected final ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
         var policyScope = scopeResolver.apply(requestingClass);
         var componentName = policyScope.componentName();
         var moduleName = policyScope.moduleName();
@@ -344,8 +344,7 @@ private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
         }
     }
 
-    // pkg private for testing
-    static Collection<Path> getComponentPathsFromClass(Class<?> requestingClass) {
+    protected Collection<Path> getComponentPathsFromClass(Class<?> requestingClass) {
         var codeSource = requestingClass.getProtectionDomain().getCodeSource();
         if (codeSource == null) {
             return List.of();

libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/PolicyManagerTests.java

@@ -89,7 +89,6 @@ public void testGetEntitlements() {
         AtomicReference<PolicyScope> policyScope = new AtomicReference<>();
 
         // A common policy with a variety of entitlements to test
-        Collection<Path> thisSourcePaths = PolicyManager.getComponentPathsFromClass(getClass());
         var plugin1SourcePaths = List.of(Path.of("modules", "plugin1"));
         var policyManager = new PolicyManager(
             new Policy("server", List.of(new Scope("org.example.httpclient", List.of(new OutboundNetworkEntitlement())))),
@@ -99,6 +98,7 @@ public void testGetEntitlements() {
             Map.of("plugin1", plugin1SourcePaths),
             TEST_PATH_LOOKUP
         );
+        Collection<Path> thisSourcePaths = policyManager.getComponentPathsFromClass(getClass());
 
         // "Unspecified" below means that the module is not named in the policy
 

server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java

@@ -267,11 +267,18 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
             args.pidFile(),
             Set.of(EntitlementSelfTester.class.getPackage())
         );
-        EntitlementSelfTester.entitlementSelfTest();
+        entitlementSelfTest();
 
         bootstrap.setPluginsLoader(pluginsLoader);
     }
 
+    /**
+     * @throws IllegalStateException if entitlements aren't functioning properly.
+     */
+    static void entitlementSelfTest() {
+        EntitlementSelfTester.entitlementSelfTest();
+    }
+
     private static void logSystemInfo() {
         final Logger logger = LogManager.getLogger(Elasticsearch.class);
         logger.info(

server/src/test/java/org/elasticsearch/bootstrap/EntitlementMetaTests.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.bootstrap;
+
+import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.test.ESTestCase;
+
+import java.io.IOException;
+import java.nio.file.Path;
+
+/**
+ * Ensures that unit tests are subject to entitlement checks.
+ * This is a "meta test" because it tests that the tests are working:
+ * if these tests fail, it means other tests won't be correctly detecting
+ * entitlement enforcement errors.
+ * <p>
+ * It may seem strange to have this test where it is, rather than in the entitlement library.
+ * There's a reason for that.
+ * <p>
+ * To exercise entitlement enforcement, we must attempt an operation that should be denied.
+ * This necessitates some operation that fails the entitlement check,
+ * and it must be in production code (or else we'd also need {@link WithEntitlementsOnTestCode},
+ * and we don't want to require that here).
+ * Naturally, there are very few candidates, because most code doesn't fail entitlement checks:
+ * really just the entitlement self-test we do at startup. Hence, that's what we use here.
+ * <p>
+ * Even then, we cannot call this from someplace outside the server, because in other places,
+ * we deliberately don't check entitlements on dependencies that aren't used in production,
+ * and other places like {@code libs} don't depend on server at runtime. Hence, this test
+ * must be in {@code server}, rather than {@code libs/entitlement}, even if the latter
+ * seems like a more natural choice.
+ *
+ * @see WithoutEntitlementsMetaTests
+ * @see WithEntitlementsOnTestCodeMetaTests
+ */
+public class EntitlementMetaTests extends ESTestCase {
+    public void testSelfTestPasses() {
+        Elasticsearch.entitlementSelfTest();
+    }
+
+    @SuppressForbidden(reason = "Testing that a forbidden API is disallowed")
+    public void testForbiddenActionAllowed() throws IOException {
+        Path.of(".").toRealPath();
+    }
+}

server/src/test/java/org/elasticsearch/bootstrap/WithEntitlementsOnTestCodeMetaTests.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.bootstrap;
+
+import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.test.ESTestCase.WithEntitlementsOnTestCode;
+
+import java.nio.file.Path;
+
+/**
+ * Tests {@link WithEntitlementsOnTestCode}.
+ *
+ * @see EntitlementMetaTests
+ * @see WithoutEntitlementsMetaTests
+ */
+@WithEntitlementsOnTestCode
+public class WithEntitlementsOnTestCodeMetaTests extends ESTestCase {
+    public void testSelfTestPasses() {
+        Elasticsearch.entitlementSelfTest();
+    }
+
+    @SuppressForbidden(reason = "Testing that a forbidden API is disallowed")
+    public void testForbiddenActionDenied() {
+        assertThrows(NotEntitledException.class, () -> Path.of(".").toRealPath());
+    }
+}

server/src/test/java/org/elasticsearch/bootstrap/WithoutEntitlementsMetaTests.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.bootstrap;
+
+import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.test.ESTestCase.WithoutEntitlements;
+
+import java.io.IOException;
+import java.nio.file.Path;
+
+/**
+ * Tests {@link WithoutEntitlements}.
+ *
+ * @see EntitlementMetaTests
+ * @see WithEntitlementsOnTestCodeMetaTests
+ */
+@WithoutEntitlements
+public class WithoutEntitlementsMetaTests extends ESTestCase {
+    public void testSelfTestFails() {
+        assertThrows(IllegalStateException.class, Elasticsearch::entitlementSelfTest);
+    }
+
+    @SuppressForbidden(reason = "Testing that a forbidden API is disallowed")
+    public void testForbiddenActionAllowed() throws IOException {
+        Path.of(".").toRealPath();
+    }
+}

test/framework/src/main/java/org/elasticsearch/bootstrap/BootstrapForTesting.java

@@ -15,6 +15,7 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.Booleans;
 import org.elasticsearch.core.PathUtils;
+import org.elasticsearch.entitlement.bootstrap.TestEntitlementBootstrap;
 import org.elasticsearch.jdk.JarHell;
 
 import java.io.IOException;
@@ -71,6 +72,13 @@ public class BootstrapForTesting {
 
         // Log ifconfig output before SecurityManager is installed
         IfConfig.logIfNecessary();
+
+        // Fire up entitlements
+        try {
+            TestEntitlementBootstrap.bootstrap(javaTmpDir);
+        } catch (IOException e) {
+            throw new IllegalStateException(e.getClass().getSimpleName() + " while initializing entitlements for tests", e);
+        }
     }
 
     // does nothing, just easy way to make sure the class is loaded.

test/framework/src/main/java/org/elasticsearch/entitlement/bootstrap/TestEntitlementBootstrap.java

@@ -17,8 +17,8 @@
 import org.elasticsearch.entitlement.initialization.EntitlementInitialization;
 import org.elasticsearch.entitlement.runtime.policy.PathLookup;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
-import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 import org.elasticsearch.entitlement.runtime.policy.PolicyParser;
+import org.elasticsearch.entitlement.runtime.policy.TestPathLookup;
 import org.elasticsearch.entitlement.runtime.policy.TestPolicyManager;
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
@@ -29,50 +29,42 @@
 import java.net.URL;
 import java.nio.file.Path;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Stream;
 
 public class TestEntitlementBootstrap {
 
     private static final Logger logger = LogManager.getLogger(TestEntitlementBootstrap.class);
 
+    private static TestPolicyManager policyManager;
+
     /**
      * Activates entitlement checking in tests.
      */
-    public static void bootstrap() throws IOException {
-        TestPathLookup pathLookup = new TestPathLookup();
-        EntitlementInitialization.initializeArgs = new EntitlementInitialization.InitializeArgs(
-            pathLookup,
-            Set.of(),
-            createPolicyManager(pathLookup)
-        );
+    public static void bootstrap(Path tempDir) throws IOException {
+        TestPathLookup pathLookup = new TestPathLookup(List.of(tempDir));
+        policyManager = createPolicyManager(pathLookup);
+        EntitlementInitialization.initializeArgs = new EntitlementInitialization.InitializeArgs(pathLookup, Set.of(), policyManager);
         logger.debug("Loading entitlement agent");
         EntitlementBootstrap.loadAgent(EntitlementBootstrap.findAgentJar(), EntitlementInitialization.class.getName());
     }
 
-    private record TestPathLookup() implements PathLookup {
-        @Override
-        public Path pidFile() {
-            return null;
-        }
-
-        @Override
-        public Stream<Path> getBaseDirPaths(BaseDir baseDir) {
-            return Stream.empty();
-        }
-
-        @Override
-        public Stream<Path> resolveSettingPaths(BaseDir baseDir, String settingName) {
-            return Stream.empty();
-        }
+    public static void setActive(boolean newValue) {
+        policyManager.setActive(newValue);
+    }
 
+    public static void setTriviallyAllowingTestCode(boolean newValue) {
+        policyManager.setTriviallyAllowingTestCode(newValue);
     }
 
-    private static PolicyManager createPolicyManager(PathLookup pathLookup) throws IOException {
+    public static void reset() {
+        policyManager.reset();
+    }
 
+    private static TestPolicyManager createPolicyManager(PathLookup pathLookup) throws IOException {
         var pluginsTestBuildInfo = TestBuildInfoParser.parseAllPluginTestBuildInfo();
         var serverTestBuildInfo = TestBuildInfoParser.parseServerTestBuildInfo();
         var scopeResolver = TestScopeResolver.createScopeResolver(serverTestBuildInfo, pluginsTestBuildInfo);
@@ -83,6 +75,7 @@ private static PolicyManager createPolicyManager(PathLookup pathLookup) throws I
             .map(descriptor -> new TestPluginData(descriptor.getName(), descriptor.isModular(), false))
             .toList();
         Map<String, Policy> pluginPolicies = parsePluginsPolicies(pluginsData);
+        Map<String, Collection<Path>> pluginSourcePaths = Map.of();
 
         FilesEntitlementsValidation.validate(pluginPolicies, pathLookup);
 
@@ -91,13 +84,11 @@ private static PolicyManager createPolicyManager(PathLookup pathLookup) throws I
             HardcodedEntitlements.agentEntitlements(),
             pluginPolicies,
             scopeResolver,
-            Map.of(),
+            pluginSourcePaths,
             pathLookup
         );
     }
 
-    private record TestPluginData(String pluginName, boolean isModular, boolean isExternalPlugin) {}
-
     private static Map<String, Policy> parsePluginsPolicies(List<TestPluginData> pluginsData) {
         Map<String, Policy> policies = new HashMap<>();
         for (var pluginData : pluginsData) {
@@ -137,4 +128,6 @@ private static InputStream getStream(URL resource) throws IOException {
         return resource.openStream();
     }
 
+    private record TestPluginData(String pluginName, boolean isModular, boolean isExternalPlugin) {}
+
 }