[Entitlements] Allow policy overrides via system properties (#124489)

This PR adds the ability to override entitlement policies for Elasticsearch plugins and modules via a system property.

The system property is in the form es.entitlements.policy.<plugin name>, and accepts a versioned policy:

versions:
  - version1
  - versionN
policy:
  <a standard entitlement policy>

For example:

versions:
  - 9.1.0
policy:
  ALL-UNNAMED:
    - set_https_connection_properties
    - outbound_network
    - files:
      - relative_path: ".config/gcloud"
        relative_to: home
        mode: read

The versioned policy needs to be base64 encoded. For example, to pass the above policy to a test cluster via gradle run:

./gradlew run --debug-jvm -Dtests.jvm.argline="-Des.entitlements.policy.repository-gcs=dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgQUxMLVVOTkFNRUQ6CiAgICAtIHNldF9odHRwc19jb25uZWN0aW9uX3Byb3BlcnRpZXMKICAgIC0gb3V0Ym91bmRfbmV0d29yawogICAgLSBmaWxlczoKICAgICAgLSByZWxhdGl2ZV9wYXRoOiAiLmNvbmZpZy9nY2xvdWQiCiAgICAgICAgcmVsYXRpdmVfdG86IGhvbWUKICAgICAgICBtb2RlOiByZWFkCg=="

The versions listed in the policy are string-matched against Build.version().current(); it is possible to specify any number of versions. If the list is empty/there is no versions field, the policy is assumed to match any Elasticsearch versions.

The override policy specified for any given plugin replaces the embedded policy for that plugin. See how EntitlementsAllowedViaOverrideIT replaces an empty policy for the entitlement-test-plugin with a policy that allows load_native_libraries and access to files in the test read_dir.

Also tested manually with an override with a different version, with an override with an invalid policy and with a valid override (see command above).

Relates to ES-11009

Author: ldematte

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAllowedViaOverrideIT.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
+
+import org.elasticsearch.core.Strings;
+import org.junit.ClassRule;
+
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.util.Base64;
+import java.util.Map;
+import java.util.stream.Stream;
+
+import static org.elasticsearch.entitlement.qa.EntitlementsTestRule.ENTITLEMENT_QA_TEST_MODULE_NAME;
+import static org.elasticsearch.entitlement.qa.EntitlementsTestRule.ENTITLEMENT_TEST_PLUGIN_NAME;
+
+public class EntitlementsAllowedViaOverrideIT extends AbstractEntitlementsIT {
+
+    private static Map<String, String> createPolicyOverrideSystemProperty(Path tempDir) {
+        String policyOverride = Strings.format("""
+            policy:
+              %s:
+                - load_native_libraries
+                - files:
+                    - path: %s
+                      mode: read
+            """, ENTITLEMENT_QA_TEST_MODULE_NAME, tempDir.resolve("read_dir"));
+        var encodedPolicyOverride = new String(Base64.getEncoder().encode(policyOverride.getBytes(StandardCharsets.UTF_8)));
+        return Map.of("es.entitlements.policy." + ENTITLEMENT_TEST_PLUGIN_NAME, encodedPolicyOverride);
+    }
+
+    @ClassRule
+    public static EntitlementsTestRule testRule = new EntitlementsTestRule(
+        true,
+        null,
+        EntitlementsAllowedViaOverrideIT::createPolicyOverrideSystemProperty
+    );
+
+    public EntitlementsAllowedViaOverrideIT(@Name("actionName") String actionName) {
+        super(actionName, true);
+    }
+
+    @ParametersFactory
+    public static Iterable<Object[]> data() {
+        return Stream.of("runtime_load_library", "fileList").map(action -> new Object[] { action }).toList();
+    }
+
+    @Override
+    protected String getTestRestCluster() {
+        return testRule.cluster.getHttpAddresses();
+    }
+}

libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java

@@ -48,17 +48,27 @@ class EntitlementsTestRule implements TestRule {
             )
         );
     };
+    public static final String ENTITLEMENT_QA_TEST_MODULE_NAME = "org.elasticsearch.entitlement.qa.test";
+    public static final String ENTITLEMENT_TEST_PLUGIN_NAME = "entitlement-test-plugin";
 
     interface PolicyBuilder {
         void build(XContentBuilder builder, Path tempDir) throws IOException;
     }
 
+    interface TempDirSystemPropertyProvider {
+        Map<String, String> get(Path tempDir);
+    }
+
     final TemporaryFolder testDir;
     final ElasticsearchCluster cluster;
     final TestRule ruleChain;
 
-    @SuppressWarnings("this-escape")
     EntitlementsTestRule(boolean modular, PolicyBuilder policyBuilder) {
+        this(modular, policyBuilder, tempDir -> Map.of());
+    }
+
+    @SuppressWarnings("this-escape")
+    EntitlementsTestRule(boolean modular, PolicyBuilder policyBuilder, TempDirSystemPropertyProvider tempDirSystemPropertyProvider) {
         testDir = new TemporaryFolder();
         var tempDirSetup = new ExternalResource() {
             @Override
@@ -72,9 +82,10 @@ protected void before() throws Throwable {
         };
         cluster = ElasticsearchCluster.local()
             .module("entitled", spec -> buildEntitlements(spec, "org.elasticsearch.entitlement.qa.entitled", ENTITLED_POLICY))
-            .module("entitlement-test-plugin", spec -> setupEntitlements(spec, modular, policyBuilder))
+            .module(ENTITLEMENT_TEST_PLUGIN_NAME, spec -> setupEntitlements(spec, modular, policyBuilder))
             .systemProperty("es.entitlements.enabled", "true")
             .systemProperty("es.entitlements.testdir", () -> testDir.getRoot().getAbsolutePath())
+            .systemProperties(spec -> tempDirSystemPropertyProvider.get(testDir.getRoot().toPath()))
             .setting("xpack.security.enabled", "false")
             // Logs in libs/entitlement/qa/build/test-results/javaRestTest/TEST-org.elasticsearch.entitlement.qa.EntitlementsXXX.xml
             // .setting("logger.org.elasticsearch.entitlement", "DEBUG")
@@ -108,14 +119,14 @@ private void buildEntitlements(PluginInstallSpec spec, String moduleName, Policy
     }
 
     private void setupEntitlements(PluginInstallSpec spec, boolean modular, PolicyBuilder policyBuilder) {
-        String moduleName = modular ? "org.elasticsearch.entitlement.qa.test" : "ALL-UNNAMED";
+        String moduleName = modular ? ENTITLEMENT_QA_TEST_MODULE_NAME : "ALL-UNNAMED";
         if (policyBuilder != null) {
             buildEntitlements(spec, moduleName, policyBuilder);
         }
 
         if (modular == false) {
             spec.withPropertiesOverride(old -> {
-                String props = old.replace("modulename=org.elasticsearch.entitlement.qa.test", "");
+                String props = old.replace("modulename=" + ENTITLEMENT_QA_TEST_MODULE_NAME, "");
                 System.out.println("Using plugin properties:\n" + props);
                 return Resource.fromString(props);
             });

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyParser.java

@@ -33,10 +33,12 @@
 import java.lang.reflect.Modifier;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
@@ -97,6 +99,58 @@ public PolicyParser(InputStream inputStream, String policyName, boolean isExtern
         this.externalEntitlements = externalEntitlements;
     }
 
+    public VersionedPolicy parseVersionedPolicy() {
+        Set<String> versions = Set.of();
+        Policy policy = emptyPolicy();
+        try {
+            if (policyParser.nextToken() != XContentParser.Token.START_OBJECT) {
+                throw newPolicyParserException("expected object <versioned policy>");
+            }
+
+            while (policyParser.nextToken() != XContentParser.Token.END_OBJECT) {
+                if (policyParser.currentToken() == XContentParser.Token.FIELD_NAME) {
+                    if (policyParser.currentName().equals("versions")) {
+                        versions = parseVersions();
+                    } else if (policyParser.currentName().equals("policy")) {
+                        policy = parsePolicy();
+                    } else {
+                        throw newPolicyParserException("expected either <version> or <policy> field");
+                    }
+                } else {
+                    throw newPolicyParserException("expected either <version> or <policy> field");
+                }
+            }
+
+            return new VersionedPolicy(policy, versions);
+        } catch (IOException ioe) {
+            throw new UncheckedIOException(ioe);
+        }
+    }
+
+    private Policy emptyPolicy() {
+        return new Policy(policyName, List.of());
+    }
+
+    private Set<String> parseVersions() throws IOException {
+        try {
+            if (policyParser.nextToken() != XContentParser.Token.START_ARRAY) {
+                throw newPolicyParserException("expected array of <versions>");
+            }
+            Set<String> versions = new HashSet<>();
+            while (policyParser.nextToken() != XContentParser.Token.END_ARRAY) {
+                if (policyParser.currentToken() == XContentParser.Token.VALUE_STRING) {
+                    String version = policyParser.text();
+                    versions.add(version);
+                } else {
+                    throw newPolicyParserException("expected <version>");
+                }
+            }
+            return versions;
+        } catch (IOException ioe) {
+            throw new UncheckedIOException(ioe);
+        }
+    }
+
     public Policy parsePolicy() {
         try {
             if (policyParser.nextToken() != XContentParser.Token.START_OBJECT) {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyParserUtils.java

@@ -10,17 +10,22 @@
 package org.elasticsearch.entitlement.runtime.policy;
 
 import org.elasticsearch.core.Strings;
+import org.elasticsearch.logging.LogManager;
+import org.elasticsearch.logging.Logger;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.lang.module.ModuleFinder;
 import java.lang.module.ModuleReference;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardOpenOption;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -29,6 +34,8 @@
 
 public class PolicyParserUtils {
 
+    private static final Logger logger = LogManager.getLogger(PolicyParserUtils.class);
+
     public record PluginData(Path pluginPath, boolean isModular, boolean isExternalPlugin) {
         public PluginData {
             requireNonNull(pluginPath);
@@ -37,41 +44,89 @@ public record PluginData(Path pluginPath, boolean isModular, boolean isExternalP
 
     private static final String POLICY_FILE_NAME = "entitlement-policy.yaml";
 
-    public static Map<String, Policy> createPluginPolicies(Collection<PluginData> pluginData) throws IOException {
+    public static final String POLICY_OVERRIDE_PREFIX = "es.entitlements.policy.";
+
+    public static Map<String, Policy> createPluginPolicies(Collection<PluginData> pluginData, Map<String, String> overrides, String version)
+        throws IOException {
         Map<String, Policy> pluginPolicies = new HashMap<>(pluginData.size());
         for (var entry : pluginData) {
             Path pluginRoot = entry.pluginPath();
             String pluginName = pluginRoot.getFileName().toString();
-
-            final Policy policy = loadPluginPolicy(pluginRoot, entry.isModular(), pluginName, entry.isExternalPlugin());
-
-            pluginPolicies.put(pluginName, policy);
+            final Set<String> moduleNames = getModuleNames(pluginRoot, entry.isModular());
+
+            var overriddenPolicy = parsePolicyOverrideIfExists(overrides, version, entry.isExternalPlugin(), pluginName, moduleNames);
+            if (overriddenPolicy.isPresent()) {
+                pluginPolicies.put(pluginName, overriddenPolicy.get());
+            } else {
+                Path policyFile = pluginRoot.resolve(POLICY_FILE_NAME);
+                var policy = parsePolicyIfExists(pluginName, policyFile, entry.isExternalPlugin());
+                validatePolicyScopes(pluginName, policy, moduleNames, policyFile.toString());
+                pluginPolicies.put(pluginName, policy);
+            }
         }
         return pluginPolicies;
     }
 
-    private static Policy loadPluginPolicy(Path pluginRoot, boolean isModular, String pluginName, boolean isExternalPlugin)
-        throws IOException {
-        Path policyFile = pluginRoot.resolve(POLICY_FILE_NAME);
+    static Optional<Policy> parsePolicyOverrideIfExists(
+        Map<String, String> overrides,
+        String version,
+        boolean externalPlugin,
+        String pluginName,
+        Set<String> moduleNames
+    ) {
+        var policyOverride = overrides.get(pluginName);
+        if (policyOverride != null) {
+            try {
+                var versionedPolicy = decodeOverriddenPluginPolicy(policyOverride, pluginName, externalPlugin);
+                validatePolicyScopes(pluginName, versionedPolicy.policy(), moduleNames, "<override>");
+
+                // Empty versions defaults to "any"
+                if (versionedPolicy.versions().isEmpty() || versionedPolicy.versions().contains(version)) {
+                    logger.info("Using policy override for plugin [{}]", pluginName);
+                    return Optional.of(versionedPolicy.policy());
+                } else {
+                    logger.warn(
+                        "Found a policy override with version mismatch. The override will not be applied. "
+                            + "Plugin [{}]; policy versions [{}]; current version [{}]",
+                        pluginName,
+                        String.join(",", versionedPolicy.versions()),
+                        version
+                    );
+                }
+            } catch (Exception ex) {
+                logger.warn(
+                    Strings.format(
+                        "Found a policy override with invalid content. The override will not be applied. Plugin [%s]",
+                        pluginName
+                    ),
+                    ex
+                );
+            }
+        }
+        return Optional.empty();
+    }
 
-        final Set<String> moduleNames = getModuleNames(pluginRoot, isModular);
-        final Policy policy = parsePolicyIfExists(pluginName, policyFile, isExternalPlugin);
+    static VersionedPolicy decodeOverriddenPluginPolicy(String base64String, String pluginName, boolean isExternalPlugin)
+        throws IOException {
+        byte[] policyDefinition = Base64.getDecoder().decode(base64String);
+        return new PolicyParser(new ByteArrayInputStream(policyDefinition), pluginName, isExternalPlugin).parseVersionedPolicy();
+    }
 
+    private static void validatePolicyScopes(String pluginName, Policy policy, Set<String> moduleNames, String policyLocation) {
         // TODO: should this check actually be part of the parser?
         for (Scope scope : policy.scopes()) {
             if (moduleNames.contains(scope.moduleName()) == false) {
                 throw new IllegalStateException(
                     Strings.format(
-                        "Invalid module name in policy: plugin [%s] does not have module [%s]; available modules [%s]; policy file [%s]",
+                        "Invalid module name in policy: plugin [%s] does not have module [%s]; available modules [%s]; policy path [%s]",
                         pluginName,
                         scope.moduleName(),
                         String.join(", ", moduleNames),
-                        policyFile
+                        policyLocation
                     )
                 );
             }
         }
-        return policy;
     }
 
     private static Policy parsePolicyIfExists(String pluginName, Path policyFile, boolean isExternalPlugin) throws IOException {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/VersionedPolicy.java

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.runtime.policy;
+
+import java.util.Set;
+
+/**
+ * A Policy and associated versions to which the policy applies
+ */
+public record VersionedPolicy(Policy policy, Set<String> versions) {}