[Entitlements] External IT test for checkSystemExit (#116435) (#116705)

ldematte · web-flow · commit cb4485e1685f · 2024-11-13T20:41:48.000+11:00
diff --git a/libs/entitlement/bridge/build.gradle b/libs/entitlement/bridge/build.gradle
@@ -9,8 +9,17 @@
 
 apply plugin: 'elasticsearch.build'
 
+configurations {
+  bridgeJar {
+    canBeConsumed = true
+    canBeResolved = false
+  }
+}
+
+artifacts {
+  bridgeJar(jar)
+}
 
 tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
-
diff --git a/qa/entitlements/build.gradle b/qa/entitlements/build.gradle
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+apply plugin: 'elasticsearch.base-internal-es-plugin'
+apply plugin: 'elasticsearch.internal-java-rest-test'
+// Necessary to use tests in Serverless
+apply plugin: 'elasticsearch.internal-test-artifact'
+
+esplugin {
+  name 'entitlement-qa'
+  description 'A test module that triggers entitlement checks'
+  classname 'org.elasticsearch.test.entitlements.EntitlementsCheckPlugin'
+}
+
+configurations {
+  entitlementBridge {
+    canBeConsumed = false
+  }
+}
+
+dependencies {
+  clusterPlugins project(':qa:entitlements')
+  entitlementBridge project(':libs:entitlement:bridge')
+}
+
+tasks.named('javaRestTest') {
+  systemProperty "tests.entitlement-bridge.jar-name", configurations.entitlementBridge.singleFile.getName()
+  usesDefaultDistribution()
+  systemProperty "tests.security.manager", "false"
+}
+
+tasks.named("javadoc").configure {
+  // There seems to be some problem generating javadoc on a QA project that has a module definition
+  enabled = false
+}
+
diff --git a/qa/entitlements/src/javaRestTest/java/org/elasticsearch/test/entitlements/EntitlementsIT.java b/qa/entitlements/src/javaRestTest/java/org/elasticsearch/test/entitlements/EntitlementsIT.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.test.entitlements;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.local.distribution.DistributionType;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.junit.ClassRule;
+
+import java.io.IOException;
+
+import static org.hamcrest.Matchers.containsString;
+
+@ESTestCase.WithoutSecurityManager
+public class EntitlementsIT extends ESRestTestCase {
+
+    private static final String ENTITLEMENT_BRIDGE_JAR_NAME = System.getProperty("tests.entitlement-bridge.jar-name");
+
+    @ClassRule
+    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
+        .distribution(DistributionType.INTEG_TEST)
+        .plugin("entitlement-qa")
+        .systemProperty("es.entitlements.enabled", "true")
+        .setting("xpack.security.enabled", "false")
+        .jvmArg("-Djdk.attach.allowAttachSelf=true")
+        .jvmArg("-XX:+EnableDynamicAgentLoading")
+        .jvmArg("--patch-module=java.base=lib/entitlement-bridge/" + ENTITLEMENT_BRIDGE_JAR_NAME)
+        .jvmArg("--add-exports=java.base/org.elasticsearch.entitlement.bridge=org.elasticsearch.entitlement")
+        .build();
+
+    @Override
+    protected String getTestRestCluster() {
+        return cluster.getHttpAddresses();
+    }
+
+    public void testCheckSystemExit() {
+        var exception = expectThrows(
+            IOException.class,
+            () -> { client().performRequest(new Request("GET", "/_entitlement/_check_system_exit")); }
+        );
+        assertThat(exception.getMessage(), containsString("not_entitled_exception"));
+    }
+}
diff --git a/qa/entitlements/src/main/java/module-info.java b/qa/entitlements/src/main/java/module-info.java
@@ -0,0 +1,5 @@
+module elasticsearch.qa.entitlements {
+    requires org.elasticsearch.server;
+    requires org.elasticsearch.base;
+    requires org.apache.logging.log4j;
+}
diff --git a/qa/entitlements/src/main/java/org/elasticsearch/test/entitlements/EntitlementsCheckPlugin.java b/qa/entitlements/src/main/java/org/elasticsearch/test/entitlements/EntitlementsCheckPlugin.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+package org.elasticsearch.test.entitlements;
+
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.node.DiscoveryNodes;
+import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.settings.ClusterSettings;
+import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsFilter;
+import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.features.NodeFeature;
+import org.elasticsearch.plugins.ActionPlugin;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.rest.RestController;
+import org.elasticsearch.rest.RestHandler;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Predicate;
+import java.util.function.Supplier;
+
+public class EntitlementsCheckPlugin extends Plugin implements ActionPlugin {
+
+    @Override
+    @SuppressForbidden(reason = "Specifically testing System.exit")
+    public List<RestHandler> getRestHandlers(
+        final Settings settings,
+        NamedWriteableRegistry namedWriteableRegistry,
+        final RestController restController,
+        final ClusterSettings clusterSettings,
+        final IndexScopedSettings indexScopedSettings,
+        final SettingsFilter settingsFilter,
+        final IndexNameExpressionResolver indexNameExpressionResolver,
+        final Supplier<DiscoveryNodes> nodesInCluster,
+        Predicate<NodeFeature> clusterSupportsFeature
+    ) {
+        return Collections.singletonList(new RestEntitlementsCheckSystemExitAction());
+    }
+}
diff --git a/qa/entitlements/src/main/java/org/elasticsearch/test/entitlements/RestEntitlementsCheckSystemExitAction.java b/qa/entitlements/src/main/java/org/elasticsearch/test/entitlements/RestEntitlementsCheckSystemExitAction.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.test.entitlements;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.client.internal.node.NodeClient;
+import org.elasticsearch.rest.BaseRestHandler;
+import org.elasticsearch.rest.RestRequest;
+
+import java.util.List;
+
+import static org.elasticsearch.rest.RestRequest.Method.GET;
+
+public class RestEntitlementsCheckSystemExitAction extends BaseRestHandler {
+
+    private static final Logger logger = LogManager.getLogger(RestEntitlementsCheckSystemExitAction.class);
+
+    RestEntitlementsCheckSystemExitAction() {}
+
+    @Override
+    public List<Route> routes() {
+        return List.of(new Route(GET, "/_entitlement/_check_system_exit"));
+    }
+
+    @Override
+    public String getName() {
+        return "check_system_exit_action";
+    }
+
+    @Override
+    protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) {
+        logger.info("RestEntitlementsCheckSystemExitAction rest handler");
+        return channel -> {
+            logger.info("Calling System.exit(123);");
+            System.exit(123);
+        };
+    }
+}
diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
@@ -200,9 +200,11 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
         );
 
         if (Boolean.parseBoolean(System.getProperty("es.entitlements.enabled"))) {
+            logger.info("Bootstrapping Entitlements");
             EntitlementBootstrap.bootstrap();
         } else {
             // install SM after natives, shutdown hooks, etc.
+            logger.info("Bootstrapping java SecurityManager");
             org.elasticsearch.bootstrap.Security.configure(
                 nodeEnv,
                 SECURITY_FILTER_BAD_DEFAULTS_SETTING.get(args.nodeSettings()),
