This commit cleans up how entitlement test methods are discovered. It
also adds another robustness check to ensure an annotation doesn't exist
on a private method.
* Move remaining check methods in RestEntitlementsCheckAction (#125351)
All future check methods should be found reflectively with the
EntitlementTest annotation.
* Fix compilation after #125442
Using ASM CheckClassAdapter was key to diagnosing the issue we had with incorrect signatures for some check methods.
In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too).
It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
This PR adds the ability to override entitlement policies for Elasticsearch plugins and modules via a system property.
The system property is in the form es.entitlements.policy.<plugin name>, and accepts a versioned policy:
    versions:
      - version1
      - versionN
    policy:
      <a standard entitlement policy>
For example:
    versions:
      - 9.1.0
    policy:
      ALL-UNNAMED:
        - set_https_connection_properties
        - outbound_network
        - files:
          - relative_path: ".config/gcloud"
            relative_to: home
            mode: read
The versioned policy needs to be base64 encoded. For example, to pass the above policy to a test cluster via gradle run:
./gradlew run --debug-jvm -Dtests.jvm.argline="-Des.entitlements.policy.repository-gcs=dmVyc2lvbnM6CiAgLSA5LjEuMApwb2xpY3k6CiAgQUxMLVVOTkFNRUQ6CiAgICAtIHNldF9odHRwc19jb25uZWN0aW9uX3Byb3BlcnRpZXMKICAgIC0gb3V0Ym91bmRfbmV0d29yawogICAgLSBmaWxlczoKICAgICAgLSByZWxhdGl2ZV9wYXRoOiAiLmNvbmZpZy9nY2xvdWQiCiAgICAgICAgcmVsYXRpdmVfdG86IGhvbWUKICAgICAgICBtb2RlOiByZWFkCg=="
The versions listed in the policy are string-matched against Build.version().current(); it is possible to specify any number of versions. If the list is empty/there is no versions field, the policy is assumed to match any Elasticsearch version.
The override policy specified for any given plugin replaces the embedded policy for that plugin. See how EntitlementsAllowedViaOverrideIT replaces an empty policy for the entitlement-test-plugin with a policy that allows load_native_libraries and access to files in the test read_dir.
Also tested manually with an override with a different version, with an override with an invalid policy and with a valid override (see command above).
Relates to ES-11009
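Added example (not code from the commit or from Elasticsearch): a Python sketch that builds the es.entitlements.policy.<plugin name> argument described above and, in the other direction, decodes every such override found in a JVM argument line so a reviewer can see what it grants and whether it applies to a given version. The function names are hypothetical, the versions list is read with a simple line scan rather than a YAML parser, and "string-matched" is assumed to mean exact equality.

```python
import base64
import re

# Constructed sample: the example policy from the commit message above.
POLICY = """\
versions:
  - 9.1.0
policy:
  ALL-UNNAMED:
    - set_https_connection_properties
    - outbound_network
    - files:
      - relative_path: ".config/gcloud"
        relative_to: home
        mode: read
"""

# -Des.entitlements.policy.<plugin name>=<base64 of the versioned policy>
OVERRIDE = re.compile(r"-Des\.entitlements\.policy\.([^=\s]+)=([A-Za-z0-9+/]+={0,2})")

def override_arg(plugin, policy_text):
    """Build the JVM argument that carries policy_text for one plugin."""
    blob = base64.b64encode(policy_text.encode("utf-8")).decode("ascii")
    return f"-Des.entitlements.policy.{plugin}={blob}"

def decode_overrides(argline):
    """Map plugin name -> decoded policy text for every override in a JVM arg line."""
    return {name: base64.b64decode(blob, validate=True).decode("utf-8")
            for name, blob in OVERRIDE.findall(argline)}

def listed_versions(policy_text):
    """Entries under the top-level 'versions:' key (line scan, not a YAML parser)."""
    versions, in_versions = [], False
    for line in policy_text.splitlines():
        if line and not line[0].isspace():   # any top-level key opens a new section
            in_versions = line.strip() == "versions:"
        elif in_versions and line.strip().startswith("- "):
            versions.append(line.strip()[2:].strip().strip("\"'"))
    return versions

def applies_to(policy_text, current_version):
    """Assumed exact match; an empty or missing versions list matches every version."""
    versions = listed_versions(policy_text)
    return not versions or current_version in versions

if __name__ == "__main__":
    argline = "-Xmx1g " + override_arg("repository-gcs", POLICY)
    for plugin, text in decode_overrides(argline).items():
        print(plugin, listed_versions(text), applies_to(text, "9.1.0"))
```

Because an override replaces the plugin's embedded policy, decoding the property before a cluster is started with it shows exactly which entitlements the plugin will run with.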
Writing tests for #123861, turns out that #124195 is not enough.
We really need new IT test cases for "always allowed" actions: in order to be sure they are allowed, we need to set up the plugin with no policy.
This PR adds test cases for that, plus the support for writing test functions that accept one Environment parameter: many test paths we test and allow/deny are relative to paths in Environment, so it's useful to have access to it (see readAccessConfigDirectory as an example)
This will rethrow the `NoSuchFileException` when encountering an invalid
symbolic link when following links during file (read) entitlement
checks.
Relates to https://github.com/elastic/elasticsearch/pull/124133
(ES-11019)
* java.base entitlements
* SuppressForbidden, and add a missing test
* Revert logging back to commented-out printlns
* Merge FileCheckActions and rename for overloads
* Remove stray logger
* Remove more traces of logging change
* Remove more traces of logging
This commit adds instrumentation for File methods that require read permissions.
see #122109 for the write side
(cherry picked from commit bf1cbb0e47)
# Conflicts:
# x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
Co-authored-by: Ryan Ernst <ryan@iernst.net>
* [Entitlements] Instrumentation for FileSystemProvider (#122232)
* Move some check function and tests to version specific checker classes
* Refactor/fix: lookupImplementationMethod looks up the class hierarchy too
* Spotless
This commit adds instrumentation for File methods that require write
permission. No server or plugins use these methods, so no policy changes
were necessary. Note that since we are not planning to restrict temp
file creation, the bootstrap self test on file writing was removed,
which failed with these changes.
Like the plugin being tested, the entitled test plugin needs access to
dynamic elements (namely, file paths). This commit dynamically generates
the entitlement policy for the entitled test plugin when it is
installed. It also adds using the file entitlement as an example.
This change replaces FileEntitlement with FilesEntitlement so that we can have exactly one entitlement
class per module (or possibly future scope). This cleans up our policy files so that all files are located
together to allow access, and this opens up the design for future optimizations.
This commit adds an EntitlementTest annotation that can be used on
classes containing test actions for entitlements. The annotation mirrors
the parameters of CheckAction. Only file check actions are currently
converted, the rest can be moved and annotated as followups. Note that
the check action name is simply the method name, no fancy name
manipulation is done.
This commit adds FileEntitlement to entitlements. It does not add checks
for all file access methods yet, instead opting for example read and
write methods.
Each module contains a sorted array of paths with read and write
permissions. Binary search is used to quickly identify the closest path
to determine whether a target path can be read or written.
Some important things about FileEntitlement: the path can either be a
file or a directory. All directories grant recursive permission. The
mode is either read or read_write. All operations like create or delete
are considered write.
relates ES-10354
Co-authored-by: Jack Conradson <osjdconrad@gmail.com>
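Added example (not the project's FileEntitlement code): a Python sketch of the lookup described in the commit above, with sorted path lists per mode and a binary search for the closest entry. Class and function names are hypothetical. Two details are assumptions of this sketch: entries are ordered by path components so that a sibling such as /data-old cannot sort between /data and its children, and entries already covered by a parent directory are pruned so the closest preceding entry is the only candidate. Paths are normalised lexically only; symbolic links are not resolved.

```python
from bisect import bisect_right
from posixpath import normpath

def _key(path):
    """Sort key: path components, so a directory's descendants sort right after it."""
    return tuple(c for c in normpath(path).split("/") if c)

def _pruned(paths):
    """Sorted keys, dropping entries that an earlier (parent) entry already covers."""
    kept = []
    for key in sorted({_key(p) for p in paths}):
        if not kept or key[:len(kept[-1])] != kept[-1]:
            kept.append(key)
    return kept

class FileAccess:
    """Hypothetical stand-in for one module's file entitlement."""

    def __init__(self, entries):
        # entries: (path, mode) pairs, where mode is "read" or "read_write"
        entries = list(entries)
        self._read = _pruned(p for p, _ in entries)      # read_write implies read
        self._write = _pruned(p for p, m in entries if m == "read_write")

    @staticmethod
    def _covered(keys, path):
        target = _key(path)
        i = bisect_right(keys, target)       # closest entry at or before the target
        # Allowed only if that entry is the target itself or one of its ancestors,
        # compared component by component ("/data" never covers "/database").
        return i > 0 and target[:len(keys[i - 1])] == keys[i - 1]

    def can_read(self, path):
        return self._covered(self._read, path)

    def can_write(self, path):               # create and delete count as write
        return self._covered(self._write, path)

# Constructed sample entries.
ACCESS = FileAccess([("/data", "read_write"), ("/data-old", "read"),
                     ("/etc/es/jvm.options", "read"), ("/data/tmp", "read")])

if __name__ == "__main__":
    for p in ("/data/index/seg_1", "/data-old/x", "/database/x", "/data/../etc/passwd"):
        print(p, ACCESS.can_read(p), ACCESS.can_write(p))
```

With a plain string sort, "/data-old" would sort between "/data" and "/data/index", and the closest-entry check would wrongly deny the directory's own children.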
* [Entitlements] Add checks for native libraries restricted methods (#120775)
* Introducing main21 (does not compile with main23 on the main lib)
* Move foreign API to Java22; fix EntitlementInitialization to work across multiple versions
* [CI] Auto commit changes from spotless
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
This commit adds an AbstractEntitlementsIT and moves the entitlement
cluster setup into a bespoke EntitlementTestRule. That allows most of
the common code to be deduplicated. This change also automatically
creates a temp dir which the test passes along into the test cluster.
This commit combines the different entitlement test plugins used for
integration tests into a single plugin. When installing the plugin in
the integ test cluster, the entitlement policy and plugin properties are
adjusted to test the desired combination of settings. This allows the
plugin policy to be dynamically generated by each test, rather than rely
on a static policy.
Instrument write access to System properties by means of the `WriteSystemPropertiesEntitlement`.
`System.setProperties(Properties)` is always denied.
Part of #ES-10359