From 491aa01805d1ba5c5c598ad98c8ae71a7302d9ea Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte
Date: Thu, 6 Mar 2025 12:21:30 +0100
Subject: [PATCH 1/2] add support for IT testing always allowed actions
---
 .../entitlement/qa/test/EntitlementTest.java | 3 +-
 .../qa/test/RestEntitlementsCheckAction.java | 34 ++++++++++++------
 .../qa/EntitlementsAlwaysAllowedIT.java | 36 +++++++++++++++++++
 .../entitlement/qa/EntitlementsDeniedIT.java | 2 +-
 .../qa/EntitlementsDeniedNonModularIT.java | 2 +-
 5 files changed, 64 insertions(+), 13 deletions(-)
 create mode 100644 libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java
diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/EntitlementTest.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/EntitlementTest.java
index a4b9767c4c64f..ee4dfa26743bc 100644
--- a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/EntitlementTest.java
+++ b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/EntitlementTest.java
@@ -21,7 +21,8 @@ enum ExpectedAccess {
 PLUGINS,
 ES_MODULES_ONLY,
 SERVER_ONLY,
- ALWAYS_DENIED
+ ALWAYS_DENIED,
+ ALWAYS_ALLOWED
 }
 ExpectedAccess expectedAccess();
diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java
index cbb5fb514ae59..acbfbb414987c 100644
--- a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java
+++ b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java
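Review bot: `ALWAYS_ALLOWED` is added to `ExpectedAccess` in the EntitlementTest.java hunk without a comment, and none of the constants shown say what a test tagged with them is expected to do. Later in this patch the value removes an action from `getDeniableCheckActions()`, so a check labelled `ALWAYS_ALLOWED` is no longer run by the denied ITs; that consequence belongs next to the constant. If the intended meaning is "succeeds with no entitlement granted", I would add `/** Expected to succeed with no entitlement granted; such actions are excluded from the denied ITs. */` above it. The enclosing annotation type starts and ends outside the hunk.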
@@ -55,7 +55,10 @@ import javax.net.ssl.SSLContext; import static java.util.Map.entry; +import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.ALWAYS_ALLOWED; +import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.ALWAYS_DENIED; import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS; +import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.SERVER_ONLY; import static org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction.CheckAction.alwaysDenied; import static org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction.CheckAction.deniedToPlugins; import static org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction.CheckAction.forPlugins; @@ -65,20 +68,20 @@ public class RestEntitlementsCheckAction extends BaseRestHandler { private static final Logger logger = LogManager.getLogger(RestEntitlementsCheckAction.class); - record CheckAction(CheckedRunnable action, boolean isAlwaysDeniedToPlugins, Integer fromJavaVersion) { + record CheckAction(CheckedRunnable action, EntitlementTest.ExpectedAccess expectedAccess, Integer fromJavaVersion) { /** * These cannot be granted to plugins, so our test plugins cannot test the "allowed" case. */ static CheckAction deniedToPlugins(CheckedRunnable action) { - return new CheckAction(action, true, null); + return new CheckAction(action, SERVER_ONLY, null); } static CheckAction forPlugins(CheckedRunnable action) { - return new CheckAction(action, false, null); + return new CheckAction(action, PLUGINS, null); } static CheckAction alwaysDenied(CheckedRunnable action) { - return new CheckAction(action, true, null); + return new CheckAction(action, ALWAYS_DENIED, null); } } 
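Review bot: The new `expectedAccess` component of `CheckAction` can be null when the canonical constructor is called directly, as the `createInetAddressResolverProvider` entry does in a later hunk, and the filters added later in this patch call `expectedAccess().equals(...)` on every entry. A null would then surface as a NullPointerException while the test parameters are being collected rather than where the entry was declared. A compact constructor `CheckAction { Objects.requireNonNull(expectedAccess, "expectedAccess"); }` would fail at the declaration instead (this needs `java.util.Objects`, whose import is not visible here). Separately, the Javadoc kept above `deniedToPlugins` now describes the `SERVER_ONLY` case, while `forPlugins` and `alwaysDenied` have no comment distinguishing them.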
@@ -125,7 +128,7 @@ static CheckAction alwaysDenied(CheckedRunnable action) {
 entry("responseCache_setDefault", alwaysDenied(RestEntitlementsCheckAction::setDefaultResponseCache)),
 entry(
 "createInetAddressResolverProvider",
- new CheckAction(VersionSpecificNetworkChecks::createInetAddressResolverProvider, true, 18)
+ new CheckAction(VersionSpecificNetworkChecks::createInetAddressResolverProvider, SERVER_ONLY, 18)
 ),
 entry("createURLStreamHandlerProvider", alwaysDenied(RestEntitlementsCheckAction::createURLStreamHandlerProvider)),
 entry("createURLWithURLStreamHandler", alwaysDenied(RestEntitlementsCheckAction::createURLWithURLStreamHandler)),
@@ -233,9 +236,8 @@ private static Stream> getTestEntries(Class action
 }
 }
 };
- boolean deniedToPlugins = testAnnotation.expectedAccess() != PLUGINS;
 Integer fromJavaVersion = testAnnotation.fromJavaVersion() == -1 ? null : testAnnotation.fromJavaVersion();
- entries.add(entry(method.getName(), new CheckAction(runnable, deniedToPlugins, fromJavaVersion)));
+ entries.add(entry(method.getName(), new CheckAction(runnable, testAnnotation.expectedAccess(), fromJavaVersion)));
 }
 return entries.stream();
 }
@@ -398,13 +400,25 @@ private static void receiveDatagramSocket() throws IOException {
 public static Set getCheckActionsAllowedInPlugins() {
 return checkActions.entrySet()
 .stream()
- .filter(kv -> kv.getValue().isAlwaysDeniedToPlugins() == false)
+ .filter(kv -> kv.getValue().expectedAccess().equals(PLUGINS))
 .map(Entry::getKey)
 .collect(Collectors.toSet());
 }
- public static Set getAllCheckActions() {
- return checkActions.keySet();
+ public static Set getAlwaysAllowedCheckActions() {
+ return checkActions.entrySet()
+ .stream()
+ .filter(kv -> kv.getValue().expectedAccess().equals(ALWAYS_ALLOWED))
+ .map(Entry::getKey)
+ .collect(Collectors.toSet());
+ }
+
+ public static Set getDeniableCheckActions() {
+ return checkActions.entrySet()
+ .stream()
+ .filter(kv -> kv.getValue().expectedAccess().equals(ALWAYS_ALLOWED) == false)
+ .map(Entry::getKey)
+ .collect(Collectors.toSet());
 }
 @Override
diff --git a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java
new file mode 100644
index 0000000000000..36e5b6dd4b8ac
--- /dev/null
+++ b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java
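Review bot: `getDeniableCheckActions()` silently drops every action tagged `ALWAYS_ALLOWED` from the two denied ITs (the `data()` factories of `EntitlementsDeniedIT` and `EntitlementsDeniedNonModularIT` are switched to it later in this patch), and neither new public method has Javadoc saying so. Because a mislabelled check would simply disappear from the denial tests, I would state the contract on the method, for example `/** Actions expected to be blocked when no entitlement is granted; excludes ALWAYS_ALLOWED. */`. As a point of style, the three pipelines in this hunk differ only in their predicate and compare enum constants with `.equals(...)`; a private helper taking a `Predicate<CheckAction>` together with `expectedAccess() != ALWAYS_ALLOWED` would be shorter and would not throw on a null component. Removing the public `getAllCheckActions()` is safe only if the two ITs updated here were its sole callers, which this patch does not show.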
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
+
+import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
+import org.junit.ClassRule;
+
+public class EntitlementsAlwaysAllowedIT extends AbstractEntitlementsIT {
+
+ @ClassRule
+ public static EntitlementsTestRule testRule = new EntitlementsTestRule(true, null);
+
+ public EntitlementsAlwaysAllowedIT(@Name("actionName") String actionName) {
+ super(actionName, true);
+ }
+
+ @ParametersFactory
+ public static Iterable data() {
+ return RestEntitlementsCheckAction.getAlwaysAllowedCheckActions().stream().map(action -> new Object[] { action }).toList();
+ }
+
+ @Override
+ protected String getTestRestCluster() {
+ return testRule.cluster.getHttpAddresses();
+ }
+}
diff --git a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedIT.java b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedIT.java
index 6f348d38d8e53..5d31afbd8a5b3 100644
--- a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedIT.java
+++ b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedIT.java
@@ -26,7 +26,7 @@ public EntitlementsDeniedIT(@Name("actionName") String actionName) {
 @ParametersFactory
 public static Iterable data() {
- return RestEntitlementsCheckAction.getAllCheckActions().stream().map(action -> new Object[] { action }).toList();
+ return RestEntitlementsCheckAction.getDeniableCheckActions().stream().map(action -> new Object[] { action }).toList();
 }
 @Override
diff --git a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedNonModularIT.java b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedNonModularIT.java
index 6f2003f7275d4..ece18d4830387 100644
--- a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedNonModularIT.java
+++ b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsDeniedNonModularIT.java
@@ -26,7 +26,7 @@ public EntitlementsDeniedNonModularIT(@Name("actionName") String actionName) {
 @ParametersFactory
 public static Iterable data() {
- return RestEntitlementsCheckAction.getAllCheckActions().stream().map(action -> new Object[] { action }).toList();
+ return RestEntitlementsCheckAction.getDeniableCheckActions().stream().map(action -> new Object[] { action }).toList();
 }
 @Override
From afbba1bc5ee37e4de9c98fd6004c8832097af2ae Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte
Date: Fri, 7 Mar 2025 14:10:24 +0100
Subject: [PATCH 2/2] always allowed action as part of existing AllowedIT tests
---
 .../qa/test/RestEntitlementsCheckAction.java | 10 +-----
 .../qa/EntitlementsAlwaysAllowedIT.java | 36 -------------------
 2 files changed, 1 insertion(+), 45 deletions(-)
 delete mode 100644 libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java
diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java
index acbfbb414987c..5af9df8f749a6 100644
--- a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java
+++ b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/RestEntitlementsCheckAction.java
@@ -400,15 +400,7 @@ private static void receiveDatagramSocket() throws IOException {
 public static Set getCheckActionsAllowedInPlugins() {
 return checkActions.entrySet()
 .stream()
- .filter(kv -> kv.getValue().expectedAccess().equals(PLUGINS))
- .map(Entry::getKey)
- .collect(Collectors.toSet());
- }
-
- public static Set getAlwaysAllowedCheckActions() {
- return checkActions.entrySet()
- .stream()
- .filter(kv -> kv.getValue().expectedAccess().equals(ALWAYS_ALLOWED))
+ .filter(kv -> kv.getValue().expectedAccess().equals(PLUGINS) || kv.getValue().expectedAccess().equals(ALWAYS_ALLOWED))
 .map(Entry::getKey)
 .collect(Collectors.toSet());
 }
diff --git a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java
deleted file mode 100644
index 36e5b6dd4b8ac..0000000000000
--- a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsAlwaysAllowedIT.java
+++ /dev/null
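Review bot: Folding `ALWAYS_ALLOWED` into the filter of `getCheckActionsAllowedInPlugins()` means those actions are now exercised only by the existing allowed ITs, while `getDeniableCheckActions()` still excludes them. If the allowed ITs run the test plugin under a policy that grants entitlements (their setup is not visible in this patch), a pass no longer shows that the action works with nothing granted, which is what the deleted `EntitlementsAlwaysAllowedIT` appeared to check with `new EntitlementsTestRule(true, null)`. I would either keep one run without a policy for this set or record the limitation on the method, e.g. `// ALWAYS_ALLOWED actions are only verified under a granting policy; no test runs them without entitlements`. The method name also no longer matches its contents exactly, so a one-line Javadoc naming both access levels would help; `access == PLUGINS || access == ALWAYS_ALLOWED` on a local would shorten the predicate.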
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the "Elastic License
- * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
- * Public License v 1"; you may not use this file except in compliance with, at
- * your election, the "Elastic License 2.0", the "GNU Affero General Public
- * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-package org.elasticsearch.entitlement.qa;
-
-import com.carrotsearch.randomizedtesting.annotations.Name;
-import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
-
-import org.elasticsearch.entitlement.qa.test.RestEntitlementsCheckAction;
-import org.junit.ClassRule;
-
-public class EntitlementsAlwaysAllowedIT extends AbstractEntitlementsIT {
-
- @ClassRule
- public static EntitlementsTestRule testRule = new EntitlementsTestRule(true, null);
-
- public EntitlementsAlwaysAllowedIT(@Name("actionName") String actionName) {
- super(actionName, true);
- }
-
- @ParametersFactory
- public static Iterable data() {
- return RestEntitlementsCheckAction.getAlwaysAllowedCheckActions().stream().map(action -> new Object[] { action }).toList();
- }
-
- @Override
- protected String getTestRestCluster() {
- return testRule.cluster.getHttpAddresses();
- }
-}