[Test] Handle file permissions for Windows (#32681)

This commit modifies the test to handle file permission
tests in windows/dos environments. The test requires access
to UserPrincipal and so have modified the plugin-security policy
to access user information.

Closes#32637

Author: bizybot

x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy

@@ -25,6 +25,10 @@ grant {
   permission java.util.PropertyPermission "sun.security.krb5.debug","write";
   permission java.util.PropertyPermission "java.security.debug","write";
   permission java.util.PropertyPermission "sun.security.spnego.debug","write";
+
+  // needed for kerberos file permission tests to access user information
+  permission java.lang.RuntimePermission "accessUserInformation";
+  permission java.lang.RuntimePermission "getFileStoreAttributes";
 };
 
 grant codeBase "${codebase.xmlsec-2.0.8.jar}" {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java

@@ -23,17 +23,19 @@
 import org.ietf.jgss.GSSException;
 
 import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.nio.channels.SeekableByteChannel;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-import java.nio.file.attribute.FileAttribute;
-import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.AclEntry;
+import java.nio.file.attribute.AclEntryPermission;
+import java.nio.file.attribute.AclEntryType;
+import java.nio.file.attribute.AclFileAttributeView;
+import java.nio.file.attribute.PosixFileAttributeView;
 import java.nio.file.attribute.PosixFilePermissions;
+import java.nio.file.attribute.UserPrincipal;
 import java.util.Arrays;
-import java.util.EnumSet;
+import java.util.List;
+import java.util.Locale;
 import java.util.Set;
 
 import javax.security.auth.login.LoginException;
@@ -112,7 +114,6 @@ public void testKerberosRealmWithInvalidKeytabPathConfigurations() throws IOExce
         final String keytabPathCase = randomFrom("keytabPathAsDirectory", "keytabFileDoesNotExist", "keytabPathWithNoReadPermissions");
         final String expectedErrorMessage;
         final String keytabPath;
-        final Set<PosixFilePermission> filePerms;
         switch (keytabPathCase) {
         case "keytabPathAsDirectory":
             final String dirName = randomAlphaOfLength(5);
@@ -125,14 +126,29 @@ public void testKerberosRealmWithInvalidKeytabPathConfigurations() throws IOExce
             expectedErrorMessage = "configured service key tab file [" + keytabPath + "] does not exist";
             break;
         case "keytabPathWithNoReadPermissions":
-            filePerms = PosixFilePermissions.fromString("---------");
-            final String keytabFileName = randomAlphaOfLength(5) + ".keytab";
-            final FileAttribute<Set<PosixFilePermission>> fileAttributes = PosixFilePermissions.asFileAttribute(filePerms);
-            try (SeekableByteChannel byteChannel = Files.newByteChannel(dir.resolve(keytabFileName),
-                    EnumSet.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE), fileAttributes)) {
-                byteChannel.write(ByteBuffer.wrap(randomByteArrayOfLength(10)));
+            final String fileName = randomAlphaOfLength(5);
+            final Path keytabFilePath = Files.createTempFile(dir, fileName, ".keytab");
+            Files.write(keytabFilePath, randomAlphaOfLength(5).getBytes(StandardCharsets.UTF_8));
+            final Set<String> supportedAttributes = keytabFilePath.getFileSystem().supportedFileAttributeViews();
+            if (supportedAttributes.contains("posix")) {
+                final PosixFileAttributeView fileAttributeView = Files.getFileAttributeView(keytabFilePath, PosixFileAttributeView.class);
+                fileAttributeView.setPermissions(PosixFilePermissions.fromString("---------"));
+            } else if (supportedAttributes.contains("acl")) {
+                final UserPrincipal principal = Files.getOwner(keytabFilePath);
+                final AclFileAttributeView view = Files.getFileAttributeView(keytabFilePath, AclFileAttributeView.class);
+                final AclEntry entry = AclEntry.newBuilder()
+                        .setType(AclEntryType.DENY)
+                        .setPrincipal(principal)
+                        .setPermissions(AclEntryPermission.READ_DATA, AclEntryPermission.READ_ATTRIBUTES).build();
+                final List<AclEntry> acl = view.getAcl();
+                acl.add(0, entry);
+                view.setAcl(acl);
+            } else {
+                throw new UnsupportedOperationException(
+                        String.format(Locale.ROOT, "Don't know how to make file [%s] non-readable on a file system with attributes [%s]",
+                                keytabFilePath, supportedAttributes));
             }
-            keytabPath = dir.resolve(keytabFileName).toString();
+            keytabPath = keytabFilePath.toString();
             expectedErrorMessage = "configured service key tab file [" + keytabPath + "] must have read permission";
             break;
         default: