[Entitlements] Moving and refactoring IT tests (#118254)

qa/entitlements/build.gradle → libs/entitlement/qa/build.gradle

@@ -7,23 +7,14 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-apply plugin: 'elasticsearch.base-internal-es-plugin'
 apply plugin: 'elasticsearch.internal-java-rest-test'
 // Necessary to use tests in Serverless
 apply plugin: 'elasticsearch.internal-test-artifact'
 
-esplugin {
-  name 'entitlement-qa'
-  description 'A test module that triggers entitlement checks'
-  classname 'org.elasticsearch.test.entitlements.EntitlementsCheckPlugin'
-}
-
 dependencies {
-  clusterPlugins project(':qa:entitlements')
+  javaRestTestImplementation project(':libs:entitlement:qa:common')
+  clusterPlugins project(':libs:entitlement:qa:entitlement-allowed')
+  clusterPlugins project(':libs:entitlement:qa:entitlement-allowed-nonmodular')
+  clusterPlugins project(':libs:entitlement:qa:entitlement-denied')
+  clusterPlugins project(':libs:entitlement:qa:entitlement-denied-nonmodular')
 }
-
-tasks.named("javadoc").configure {
-  // There seems to be some problem generating javadoc on a QA project that has a module definition
-  enabled = false
-}
-

libs/entitlement/qa/common/build.gradle

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+apply plugin: 'elasticsearch.build'
+
+dependencies {
+  implementation project(':server')
+  implementation project(':libs:logging')
+}

libs/entitlement/qa/common/src/main/java/module-info.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+module org.elasticsearch.entitlement.qa.common {
+    requires org.elasticsearch.server;
+    requires org.elasticsearch.base;
+    requires org.elasticsearch.logging;
+
+    exports org.elasticsearch.entitlement.qa.common;
+}

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.common;
+
+import org.elasticsearch.client.internal.node.NodeClient;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.logging.LogManager;
+import org.elasticsearch.logging.Logger;
+import org.elasticsearch.rest.BaseRestHandler;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.RestResponse;
+import org.elasticsearch.rest.RestStatus;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import static java.util.Map.entry;
+import static org.elasticsearch.rest.RestRequest.Method.GET;
+
+public class RestEntitlementsCheckAction extends BaseRestHandler {
+    private static final Logger logger = LogManager.getLogger(RestEntitlementsCheckAction.class);
+    private final String prefix;
+
+    private record CheckAction(Runnable action, boolean isServerOnly) {
+
+        static CheckAction serverOnly(Runnable action) {
+            return new CheckAction(action, true);
+        }
+
+        static CheckAction serverAndPlugin(Runnable action) {
+            return new CheckAction(action, false);
+        }
+    }
+
+    private static final Map<String, CheckAction> checkActions = Map.ofEntries(
+        entry("system_exit", CheckAction.serverOnly(RestEntitlementsCheckAction::systemExit)),
+        entry("create_classloader", CheckAction.serverAndPlugin(RestEntitlementsCheckAction::createClassLoader))
+    );
+
+    @SuppressForbidden(reason = "Specifically testing System.exit")
+    private static void systemExit() {
+        logger.info("Calling System.exit(123);");
+        System.exit(123);
+    }
+
+    private static void createClassLoader() {
+        logger.info("Calling new URLClassLoader");
+        try (var classLoader = new URLClassLoader("test", new URL[0], RestEntitlementsCheckAction.class.getClassLoader())) {
+            logger.info("Created URLClassLoader [{}]", classLoader.getName());
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+    public RestEntitlementsCheckAction(String prefix) {
+        this.prefix = prefix;
+    }
+
+    public static Set<String> getServerAndPluginsCheckActions() {
+        return checkActions.entrySet()
+            .stream()
+            .filter(kv -> kv.getValue().isServerOnly() == false)
+            .map(Map.Entry::getKey)
+            .collect(Collectors.toSet());
+    }
+
+    public static Set<String> getAllCheckActions() {
+        return checkActions.keySet();
+    }
+
+    @Override
+    public List<Route> routes() {
+        return List.of(new Route(GET, "/_entitlement/" + prefix + "/_check"));
+    }
+
+    @Override
+    public String getName() {
+        return "check_" + prefix + "_action";
+    }
+
+    @Override
+    protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) {
+        logger.info("RestEntitlementsCheckAction rest handler [{}]", request.path());
+        var actionName = request.param("action");
+        if (Strings.isNullOrEmpty(actionName)) {
+            throw new IllegalArgumentException("Missing action parameter");
+        }
+        var checkAction = checkActions.get(actionName);
+        if (checkAction == null) {
+            throw new IllegalArgumentException(Strings.format("Unknown action [%s]", actionName));
+        }
+
+        return channel -> {
+            checkAction.action().run();
+            channel.sendResponse(new RestResponse(RestStatus.OK, Strings.format("Succesfully executed action [%s]", actionName)));
+        };
+    }
+}

libs/entitlement/qa/entitlement-allowed-nonmodular/build.gradle

@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+apply plugin: 'elasticsearch.base-internal-es-plugin'
+
+esplugin {
+  name 'entitlement-allowed-nonmodular'
+  description 'A non-modular test module that invokes entitlement checks that are supposed to be granted'
+  classname 'org.elasticsearch.entitlement.qa.nonmodular.EntitlementAllowedNonModularPlugin'
+}
+
+dependencies {
+  implementation project(':libs:entitlement:qa:common')
+}
+
+tasks.named("javadoc").configure {
+  enabled = false
+}

libs/entitlement/qa/entitlement-allowed-nonmodular/src/main/java/org/elasticsearch/entitlement/qa/nonmodular/EntitlementAllowedNonModularPlugin.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+package org.elasticsearch.entitlement.qa.nonmodular;
+
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.node.DiscoveryNodes;
+import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.settings.ClusterSettings;
+import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsFilter;
+import org.elasticsearch.entitlement.qa.common.RestEntitlementsCheckAction;
+import org.elasticsearch.features.NodeFeature;
+import org.elasticsearch.plugins.ActionPlugin;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.rest.RestController;
+import org.elasticsearch.rest.RestHandler;
+
+import java.util.List;
+import java.util.function.Predicate;
+import java.util.function.Supplier;
+
+public class EntitlementAllowedNonModularPlugin extends Plugin implements ActionPlugin {
+
+    @Override
+    public List<RestHandler> getRestHandlers(
+        final Settings settings,
+        NamedWriteableRegistry namedWriteableRegistry,
+        final RestController restController,
+        final ClusterSettings clusterSettings,
+        final IndexScopedSettings indexScopedSettings,
+        final SettingsFilter settingsFilter,
+        final IndexNameExpressionResolver indexNameExpressionResolver,
+        final Supplier<DiscoveryNodes> nodesInCluster,
+        Predicate<NodeFeature> clusterSupportsFeature
+    ) {
+        return List.of(new RestEntitlementsCheckAction("allowed_nonmodular"));
+    }
+}

libs/entitlement/qa/entitlement-allowed-nonmodular/src/main/plugin-metadata/entitlement-policy.yaml

@@ -0,0 +1,2 @@
+ALL-UNNAMED:
+  - create_class_loader

libs/entitlement/qa/entitlement-allowed/build.gradle

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+apply plugin: 'elasticsearch.base-internal-es-plugin'
+
+esplugin {
+  name 'entitlement-allowed'
+  description 'A test module that invokes entitlement checks that are supposed to be granted'
+  classname 'org.elasticsearch.entitlement.qa.EntitlementAllowedPlugin'
+}
+
+dependencies {
+  implementation project(':libs:entitlement:qa:common')
+}
+
+tasks.named("javadoc").configure {
+  enabled = false
+}
+

libs/entitlement/qa/entitlement-allowed/src/main/java/module-info.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+module org.elasticsearch.entitlement.qa.allowed {
+    requires org.elasticsearch.server;
+    requires org.elasticsearch.base;
+    requires org.elasticsearch.logging;
+    requires org.elasticsearch.entitlement.qa.common;
+}

libs/entitlement/qa/entitlement-allowed/src/main/java/org/elasticsearch/entitlement/qa/EntitlementAllowedPlugin.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+package org.elasticsearch.entitlement.qa;
+
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.node.DiscoveryNodes;
+import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.settings.ClusterSettings;
+import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsFilter;
+import org.elasticsearch.entitlement.qa.common.RestEntitlementsCheckAction;
+import org.elasticsearch.features.NodeFeature;
+import org.elasticsearch.plugins.ActionPlugin;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.rest.RestController;
+import org.elasticsearch.rest.RestHandler;
+
+import java.util.List;
+import java.util.function.Predicate;
+import java.util.function.Supplier;
+
+public class EntitlementAllowedPlugin extends Plugin implements ActionPlugin {
+
+    @Override
+    public List<RestHandler> getRestHandlers(
+        final Settings settings,
+        NamedWriteableRegistry namedWriteableRegistry,
+        final RestController restController,
+        final ClusterSettings clusterSettings,
+        final IndexScopedSettings indexScopedSettings,
+        final SettingsFilter settingsFilter,
+        final IndexNameExpressionResolver indexNameExpressionResolver,
+        final Supplier<DiscoveryNodes> nodesInCluster,
+        Predicate<NodeFeature> clusterSupportsFeature
+    ) {
+        return List.of(new RestEntitlementsCheckAction("allowed"));
+    }
+}

libs/entitlement/qa/entitlement-allowed/src/main/plugin-metadata/entitlement-policy.yaml

@@ -0,0 +1,2 @@
+org.elasticsearch.entitlement.qa.common:
+  - create_class_loader

libs/entitlement/qa/entitlement-denied-nonmodular/build.gradle

@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+apply plugin: 'elasticsearch.base-internal-es-plugin'
+
+esplugin {
+  name 'entitlement-denied-nonmodular'
+  description 'A non-modular test module that invokes non-granted entitlement and triggers exceptions'
+  classname 'org.elasticsearch.entitlement.qa.nonmodular.EntitlementDeniedNonModularPlugin'
+}
+
+dependencies {
+  implementation project(':libs:entitlement:qa:common')
+}
+
+tasks.named("javadoc").configure {
+  enabled = false
+}