Entitled plugin for testing (#120840)

* Entitled plugin

* [CI] Auto commit changes from spotless

* SuppressForbidden in entitled plugin

* Respond to PR comments

* Reinstate entitled plugin

* Make System_clearProperty package-private

---------

Co-authored-by: elasticsearchmachine <[email protected]>

Author: prdoyle

libs/entitlement/qa/build.gradle

@@ -13,5 +13,7 @@ apply plugin: 'elasticsearch.internal-test-artifact'
 
 dependencies {
   javaRestTestImplementation project(':libs:entitlement:qa:entitlement-test-plugin')
+  javaRestTestImplementation project(':libs:entitlement:qa:entitled-plugin')
   clusterModules project(':libs:entitlement:qa:entitlement-test-plugin')
+  clusterModules project(':libs:entitlement:qa:entitled-plugin')
 }

libs/entitlement/qa/entitled-plugin/build.gradle

@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import org.elasticsearch.gradle.internal.precommit.CheckForbiddenApisTask
+
+apply plugin: 'elasticsearch.base-internal-es-plugin'
+apply plugin: 'elasticsearch.build'
+
+esplugin {
+  name = 'entitled'
+  description = 'A utility plugin that provides access to functionality denied to the main test plugin'
+  classname = 'org.elasticsearch.entitlement.qa.entitled.EntitledPlugin'
+}
+
+dependencies {
+  compileOnly project(':server')
+  compileOnly project(':libs:logging')
+  compileOnly project(':libs:entitlement')
+}
+
+tasks.named("javadoc").configure {
+  enabled = false
+}
+
+tasks.withType(CheckForbiddenApisTask).configureEach {
+  replaceSignatureFiles 'jdk-signatures'
+}
+

libs/entitlement/qa/entitled-plugin/src/main/java/module-info.java

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+module org.elasticsearch.entitlement.qa.entitled {
+    requires org.elasticsearch.server;
+    requires org.elasticsearch.entitlement;
+    requires org.elasticsearch.base; // SuppressForbidden
+    requires org.elasticsearch.logging;
+
+    exports org.elasticsearch.entitlement.qa.entitled; // Must be unqualified so non-modular IT tests can call us
+}

libs/entitlement/qa/entitled-plugin/src/main/java/org/elasticsearch/entitlement/qa/entitled/EntitledActions.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.entitled;
+
+import org.elasticsearch.core.SuppressForbidden;
+
+public final class EntitledActions {
+    private EntitledActions() {}
+
+    @SuppressForbidden(reason = "Exposes forbidden APIs for testing purposes")
+    static void System_clearProperty(String key) {
+        System.clearProperty(key);
+    }
+
+}

libs/entitlement/qa/entitled-plugin/src/main/java/org/elasticsearch/entitlement/qa/entitled/EntitledPlugin.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.entitled;
+
+import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
+import org.elasticsearch.logging.LogManager;
+import org.elasticsearch.logging.Logger;
+import org.elasticsearch.plugins.ExtensiblePlugin;
+import org.elasticsearch.plugins.Plugin;
+
+import static org.elasticsearch.entitlement.qa.entitled.EntitledActions.System_clearProperty;
+
+public class EntitledPlugin extends Plugin implements ExtensiblePlugin {
+
+    /**
+     * Runs some actions that should be allowed or denied for this plugin,
+     * to ensure the entitlement system is handling them correctly.
+     */
+    public static void selfTest() {
+        selfTestEntitled();
+        selfTestNotEntitled();
+    }
+
+    private static final String SELF_TEST_PROPERTY = "org.elasticsearch.entitlement.qa.selfTest";
+
+    private static void selfTestEntitled() {
+        logger.debug("selfTestEntitled");
+        System_clearProperty(SELF_TEST_PROPERTY);
+    }
+
+    private static void selfTestNotEntitled() {
+        logger.debug("selfTestNotEntitled");
+        try {
+            System.setIn(System.in);
+        } catch (NotEntitledException e) {
+            // All is well
+            return;
+        }
+        throw new AssertionError("Expected self-test not to be entitled");
+    }
+
+    private static final Logger logger = LogManager.getLogger(EntitledPlugin.class);
+}

libs/entitlement/qa/entitled-plugin/src/main/plugin-metadata/entitlement-policy.yaml

@@ -0,0 +1,4 @@
+org.elasticsearch.entitlement.qa.entitled:
+  - write_system_properties:
+      properties:
+        - org.elasticsearch.entitlement.qa.selfTest

libs/entitlement/qa/entitlement-test-plugin/build.gradle

@@ -17,11 +17,13 @@ esplugin {
   name = 'entitlement-test-plugin'
   description = 'A test plugin that invokes methods checked by entitlements'
   classname = 'org.elasticsearch.entitlement.qa.test.EntitlementTestPlugin'
+  extendedPlugins = ['entitled']
 }
 
 dependencies {
-  implementation project(':server')
-  implementation project(':libs:logging')
+  compileOnly project(':server')
+  compileOnly project(':libs:logging')
+  compileOnly project(":libs:entitlement:qa:entitled-plugin")
 }
 
 tasks.named("javadoc").configure {

libs/entitlement/qa/entitlement-test-plugin/src/main/java/module-info.java

@@ -11,6 +11,7 @@
     requires org.elasticsearch.server;
     requires org.elasticsearch.base;
     requires org.elasticsearch.logging;
+    requires org.elasticsearch.entitlement.qa.entitled;
 
     // Modules we'll attempt to use in order to exercise entitlements
     requires java.logging;

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java

@@ -74,7 +74,6 @@ public class RestEntitlementsCheckAction extends BaseRestHandler {
     record CheckAction(CheckedRunnable<Exception> action, boolean isAlwaysDeniedToPlugins, Integer fromJavaVersion) {
         /**
          * These cannot be granted to plugins, so our test plugins cannot test the "allowed" case.
-         * Used both for always-denied entitlements and those granted only to the server itself.
          */
         static CheckAction deniedToPlugins(CheckedRunnable<Exception> action) {
             return new CheckAction(action, true, null);

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/WritePropertiesCheckActions.java

@@ -10,6 +10,7 @@
 package org.elasticsearch.entitlement.qa.test;
 
 import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.entitlement.qa.entitled.EntitledPlugin;
 
 import java.util.Locale;
 import java.util.TimeZone;
@@ -29,6 +30,7 @@ static void setSystemProperty() {
     }
 
     static void clearSystemProperty() {
+        EntitledPlugin.selfTest(); // TODO: find a better home
         System.clearProperty("es.entitlements.checkClearSystemProperty");
     }