Enable security manager for active directory tests

When active directory tests switched to using test rules for manager
docker fixtures, the security manager was disabled. This commit
re-enables the security manager, and isolates the docker setup/start to
not run under security manager.

Author: rjernst

test/fixtures/testcontainer-utils/build.gradle

@@ -5,7 +5,8 @@ configurations.all {
 }
 
 dependencies {
-  testImplementation project(':test:framework')
+  implementation project(':libs:elasticsearch-core')
+  implementation project(':test:framework')
   api "junit:junit:${versions.junit}"
   api "org.testcontainers:testcontainers:${versions.testcontainer}"
   implementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"

test/fixtures/testcontainer-utils/src/main/java/org/elasticsearch/test/fixtures/testcontainers/DockerEnvironmentAwareTestContainer.java

@@ -8,6 +8,7 @@
 
 package org.elasticsearch.test.fixtures.testcontainers;
 
+import org.elasticsearch.bootstrap.BootstrapForTesting;
 import org.elasticsearch.test.fixtures.CacheableTestFixture;
 import org.junit.Assume;
 import org.junit.rules.TestRule;
@@ -65,6 +66,7 @@ public void start() {
         Assume.assumeFalse("Docker support excluded on OS", EXCLUDED_OS);
         Assume.assumeTrue("Docker probing succesful", DOCKER_PROBING_SUCCESSFUL);
         withLogConsumer(new Slf4jLogConsumer(LOGGER));
+        BootstrapForTesting.doWithSecurityManagerDisabled(super::start);
         super.start();
     }
 

test/framework/src/main/java/org/elasticsearch/bootstrap/BootstrapForTesting.java

@@ -30,7 +30,9 @@
 import org.junit.Assert;
 
 import java.io.Closeable;
+import java.io.IOException;
 import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.lang.invoke.MethodHandles;
 import java.net.SocketPermission;
 import java.net.URL;
@@ -52,6 +54,7 @@
 import java.util.Objects;
 import java.util.Properties;
 import java.util.Set;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
 import static com.carrotsearch.randomizedtesting.RandomizedTest.systemPropertyAsBoolean;
@@ -349,19 +352,17 @@ static Set<URL> parseClassPathWithSymlinks() throws Exception {
     public static void ensureInitialized() {}
 
     /**
-     * Temporarily dsiables security manager for a test.
-     *
-     * <p> This method is only callable by {@link org.elasticsearch.test.ESTestCase}.
+     * Temporarily disables security manager for a test.
      *
      * @return A closeable object which restores the test security manager
      */
     @SuppressWarnings("removal")
     public static Closeable disableTestSecurityManager() {
-        var caller = Thread.currentThread().getStackTrace()[2];
-        if (ESTestCase.class.getName().equals(caller.getClassName()) == false) {
-            throw new SecurityException("Cannot disable test SecurityManager directly. Use @NoSecurityManager to disable on a test suite");
-        }
         final var sm = System.getSecurityManager();
+        if (sm == null) {
+            throw new SecurityException("SecurityManager already disabled. This is indicative of a test bug. " +
+                "Please ensure callers to this method close the returned Closeable.");
+        }
         AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
             Security.setSecurityManager(null);
             return null;
@@ -371,4 +372,28 @@ public static Closeable disableTestSecurityManager() {
             return null;
         });
     }
+
+    /**
+     * Runs the given action, returning the produced object, without the security manager.
+     * This is a convenience method for {@link #disableTestSecurityManager()}.
+     */
+    public static <T> T doWithSecurityManagerDisabled(Supplier<T> action) {
+        try (var ignore = BootstrapForTesting.disableTestSecurityManager()) {
+            return action.get();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+    /**
+     * Runs the given action without the security manager.
+     * This is a convenience method for {@link #disableTestSecurityManager()}.
+     */
+    public static void doWithSecurityManagerDisabled(Runnable action) {
+        try (var ignore = BootstrapForTesting.disableTestSecurityManager()) {
+            action.run();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
 }

x-pack/qa/third-party/active-directory/build.gradle

@@ -26,7 +26,6 @@ tasks.named("forbiddenPatterns").configure {
 }
 
 tasks.named("test").configure {
-  systemProperty 'tests.security.manager', 'false'
   include '**/*IT.class'
   include '**/*Tests.class'
 }

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java

@@ -47,7 +47,7 @@
 public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
 
     @ClassRule
-    public static final SmbTestContainer smbFixture = new SmbTestContainer();
+    public static final SmbTestContainer smbFixture = SmbTestContainer.create();
     // follow referrals defaults to false here which differs from the default value of the setting
     // this is needed to prevent test logs being filled by errors as the default configuration of
     // the tests run against a vagrant samba4 instance configured as a domain controller with the

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java

@@ -14,6 +14,7 @@
 import org.elasticsearch.action.ActionFuture;
 import org.elasticsearch.action.DocWriteResponse;
 import org.elasticsearch.action.get.GetResponse;
+import org.elasticsearch.bootstrap.BootstrapForTesting;
 import org.elasticsearch.client.internal.Client;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.settings.SecureString;
@@ -42,6 +43,7 @@
 import org.junit.ClassRule;
 
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Collections;
@@ -76,7 +78,7 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
     public static final String SECURITY_INDEX = "security";
 
     @ClassRule
-    public static final SmbTestContainer smbFixture = new SmbTestContainer();
+    public static final SmbTestContainer smbFixture = SmbTestContainer.create();
 
     private static final RoleMappingEntry[] AD_ROLE_MAPPING = new RoleMappingEntry[] {
         new RoleMappingEntry("SHIELD:  [ \"CN=SHIELD,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com\" ]", """

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryGroupsResolverTests.java

@@ -36,7 +36,7 @@ public class ActiveDirectoryGroupsResolverTests extends GroupsResolverTestCase {
     private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("active_directory", "ad");
 
     @ClassRule
-    public static final SmbTestContainer smbFixture = new SmbTestContainer();
+    public static final SmbTestContainer smbFixture = SmbTestContainer.create();
 
     @Before
     public void setReferralFollowing() {

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/UserAttributeGroupsResolverTests.java

@@ -11,6 +11,7 @@
 import com.unboundid.ldap.sdk.SearchRequest;
 import com.unboundid.ldap.sdk.SearchScope;
 
+import org.elasticsearch.bootstrap.BootstrapForTesting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.test.fixtures.smb.SmbTestContainer;
@@ -37,7 +38,7 @@ public class UserAttributeGroupsResolverTests extends GroupsResolverTestCase {
     private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("ldap", "realm1");
 
     @ClassRule
-    public static final SmbTestContainer smbFixture = new SmbTestContainer();
+    public static final SmbTestContainer smbFixture = SmbTestContainer.create();
 
     public void testResolve() throws Exception {
         // falling back on the 'memberOf' attribute

x-pack/test/smb-fixture/build.gradle

@@ -2,6 +2,7 @@ apply plugin: 'elasticsearch.java'
 apply plugin: 'elasticsearch.cache-test-fixtures'
 
 dependencies {
+  implementation project(':test:framework')
   api project(':test:fixtures:testcontainer-utils')
   api "junit:junit:${versions.junit}"
   api "org.testcontainers:testcontainers:${versions.testcontainer}"

x-pack/test/smb-fixture/src/main/java/org/elasticsearch/test/fixtures/smb/SmbTestContainer.java

@@ -7,6 +7,7 @@
 
 package org.elasticsearch.test.fixtures.smb;
 
+import org.elasticsearch.bootstrap.BootstrapForTesting;
 import org.elasticsearch.test.fixtures.testcontainers.DockerEnvironmentAwareTestContainer;
 import org.testcontainers.images.builder.ImageFromDockerfile;
 
@@ -16,7 +17,7 @@ public final class SmbTestContainer extends DockerEnvironmentAwareTestContainer
     public static final int AD_LDAP_PORT = 636;
     public static final int AD_LDAP_GC_PORT = 3269;
 
-    public SmbTestContainer() {
+    private SmbTestContainer() {
         super(
             new ImageFromDockerfile("es-smb-fixture").withDockerfileFromBuilder(
                 builder -> builder.from(DOCKER_BASE_IMAGE)
@@ -43,6 +44,10 @@ public SmbTestContainer() {
         addExposedPort(AD_LDAP_GC_PORT);
     }
 
+    public static SmbTestContainer create() {
+        return BootstrapForTesting.doWithSecurityManagerDisabled(SmbTestContainer::new);
+    }
+
     public String getAdLdapUrl() {
         return "ldaps://localhost:" + getMappedPort(AD_LDAP_PORT);
     }