Invert license security disabled helper method (#54043) (#54239)

Xpack license state contains a helper method to determine whether
security is disabled due to license level defaults. Most code needs to
know whether security is enabled, not disabled, but this method exists
so that the security being explicitly disabled can be distinguished from
licence level defaulting to disabled. However, in the case that security
is explicitly disabled, the handlers in question are never registered,
so security is implicitly not disabled explicitly, and thus we can share
a single method to know whether licensing is enabled.

Author: rjernst

buildSrc/src/main/java/org/elasticsearch/gradle/test/DistroTestPlugin.java

@@ -153,6 +153,7 @@ public void apply(Project project) {
                         //
                         // The shouldTestDocker property could be null, hence we use Boolean.TRUE.equals()
                         boolean shouldExecute = distribution.getType() != Type.DOCKER
+
                             || Boolean.TRUE.equals(vmProject.findProperty("shouldTestDocker"));
 
                         if (shouldExecute) {

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -586,7 +586,7 @@ public boolean isFlattenedAllowed() {
     public boolean isVectorsAllowed() {
         return allowForAllLicenses();
     }
-    
+
 
     /**
      * Determine if Wildcard support should be enabled.
@@ -595,7 +595,7 @@ public boolean isVectorsAllowed() {
      */
     public synchronized boolean isWildcardAllowed() {
         return status.active;
-    }    
+    }
 
     public boolean isOdbcAllowed() {
         return isAllowedByLicense(OperationMode.PLATINUM);
@@ -621,22 +621,11 @@ public boolean isSecurityAvailable() {
     }
 
     /**
-     * @return true if security has been disabled due it being the default setting for this license type.
-     *  The conditions necessary for this are:
-     *         <ul>
-     *             <li>A trial or basic license</li>
-     *             <li>xpack.security.enabled not specified as a setting</li>
-     *         </ul>
+     * Returns whether security is enabled, taking into account the default enabled state
+     * based on the current license level.
      */
-    public boolean isSecurityDisabledByLicenseDefaults() {
-        return checkAgainstStatus(status -> {
-            switch (status.mode) {
-                case TRIAL:
-                case BASIC:
-                    return isSecurityEnabled && isSecurityExplicitlyEnabled == false;
-            }
-            return false;
-        });
+    public boolean isSecurityEnabled() {
+        return isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
     }
 
     public static boolean isTransportTlsRequired(License license, Settings settings) {

x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java

@@ -110,7 +110,7 @@ public void testSecurityBasicWithoutExplicitSecurityEnabled() {
         assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
 
         assertThat(licenseState.isSecurityAvailable(), is(true));
-        assertThat(licenseState.isSecurityDisabledByLicenseDefaults(), is(true));
+        assertThat(licenseState.isSecurityEnabled(), is(false));
     }
 
     public void testSecurityBasicWithExplicitSecurityEnabled() {
@@ -128,7 +128,7 @@ public void testSecurityBasicWithExplicitSecurityEnabled() {
         assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 
         assertThat(licenseState.isSecurityAvailable(), is(true));
-        assertThat(licenseState.isSecurityDisabledByLicenseDefaults(), is(false));
+        assertThat(licenseState.isSecurityEnabled(), is(true));
     }
 
     public void testSecurityDefaultBasicExpired() {
@@ -254,7 +254,7 @@ public void testNewTrialDefaultsSecurityOff() {
         XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
         licenseState.update(TRIAL, true, VersionUtils.randomVersionBetween(random(), Version.V_6_3_0, Version.CURRENT));
 
-        assertThat(licenseState.isSecurityDisabledByLicenseDefaults(), is(true));
+        assertThat(licenseState.isSecurityEnabled(), is(false));
         assertSecurityNotAllowed(licenseState);
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityFeatureSet.java

@@ -76,11 +76,7 @@ public boolean available() {
 
     @Override
     public boolean enabled() {
-        if (licenseState != null) {
-            return XPackSettings.SECURITY_ENABLED.get(settings) &&
-                licenseState.isSecurityDisabledByLicenseDefaults() == false;
-        }
-        return false;
+        return licenseState != null && licenseState.isSecurityEnabled();
     }
 
     @Override
@@ -101,13 +97,14 @@ public void usage(ActionListener<XPackFeatureSet.Usage> listener) {
         final AtomicReference<Map<String, Object>> rolesUsageRef = new AtomicReference<>();
         final AtomicReference<Map<String, Object>> roleMappingUsageRef = new AtomicReference<>();
         final AtomicReference<Map<String, Object>> realmsUsageRef = new AtomicReference<>();
+
+        final boolean enabled = licenseState.isSecurityEnabled();
         final CountDown countDown = new CountDown(3);
         final Runnable doCountDown = () -> {
             if (countDown.countDown()) {
                 listener.onResponse(new SecurityFeatureSetUsage(available(), enabled(), realmsUsageRef.get(), rolesUsageRef.get(),
                         roleMappingUsageRef.get(), sslUsage, auditUsage, ipFilterUsage, anonymousUsage, tokenServiceUsage,
-                        apiKeyServiceUsage, fips140Usage));
-            }
+                        apiKeyServiceUsage, fips140Usage)); }
         };
 
         final ActionListener<Map<String, Object>> rolesStoreUsageListener =
@@ -129,17 +126,17 @@ public void usage(ActionListener<XPackFeatureSet.Usage> listener) {
                 doCountDown.run();
             }, listener::onFailure);
 
-        if (rolesStore == null) {
+        if (rolesStore == null || enabled == false) {
             rolesStoreUsageListener.onResponse(Collections.emptyMap());
         } else {
             rolesStore.usageStats(rolesStoreUsageListener);
         }
-        if (roleMappingStore == null) {
+        if (roleMappingStore == null || enabled == false) {
             roleMappingStoreUsageListener.onResponse(Collections.emptyMap());
         } else {
             roleMappingStore.usageStats(roleMappingStoreUsageListener);
         }
-        if (realms == null) {
+        if (realms == null || enabled == false) {
             realmsUsageListener.onResponse(Collections.emptyMap());
         } else {
             realms.usageStats(realmsUsageListener);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java

@@ -111,7 +111,7 @@ public <Request extends ActionRequest, Response extends ActionResponse> void app
                 listener.onFailure(e);
             }
         } else if (SECURITY_ACTION_MATCHER.test(action)) {
-            if (licenseState.isSecurityDisabledByLicenseDefaults()) {
+            if (licenseState.isSecurityEnabled() == false) {
                 listener.onFailure(new ElasticsearchException("Security must be explicitly enabled when using a [" +
                         licenseState.getOperationMode().description() + "] license. " +
                         "Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java

@@ -70,7 +70,7 @@ protected Exception checkFeatureAvailable(RestRequest request) {
             return new IllegalStateException("Security is not enabled but a security rest handler is registered");
         } else if (licenseState.isSecurityAvailable() == false) {
             return LicenseUtils.newComplianceException(XPackField.SECURITY);
-        } else if (licenseState.isSecurityDisabledByLicenseDefaults()) {
+        } else if (licenseState.isSecurityEnabled() == false) {
             return new ElasticsearchException("Security must be explicitly enabled when using a [" +
                     licenseState.getOperationMode().description() + "] license. " +
                     "Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java

@@ -35,7 +35,7 @@ public SecurityStatusChangeListener(XPackLicenseState licenseState) {
      */
     @Override
     public synchronized void licenseStateChanged() {
-        final boolean newState = licenseState.isSecurityAvailable() && licenseState.isSecurityDisabledByLicenseDefaults() == false;
+        final boolean newState = licenseState.isSecurityAvailable() && licenseState.isSecurityEnabled();
         // old state might be null (undefined) so do Object comparison
         if (Objects.equals(newState, securityEnabled) == false) {
             logger.info("Active license is now [{}]; Security is {}", licenseState.getOperationMode(), newState ? "enabled" : "disabled");

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityFeatureSetTests.java

@@ -79,23 +79,27 @@ public void testAvailable() {
     public void testEnabled() {
         SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms,
                 rolesStore, roleMappingStore, ipFilter);
+        when(licenseState.isSecurityEnabled()).thenReturn(true);
         assertThat(featureSet.enabled(), is(true));
 
-        when(licenseState.isSecurityDisabledByLicenseDefaults()).thenReturn(true);
+        when(licenseState.isSecurityEnabled()).thenReturn(false);
         featureSet = new SecurityFeatureSet(settings, licenseState, realms,
                 rolesStore, roleMappingStore, ipFilter);
         assertThat(featureSet.enabled(), is(false));
     }
 
     public void testUsage() throws Exception {
         final boolean authcAuthzAvailable = randomBoolean();
+        final boolean explicitlyDisabled = randomBoolean();
+        final boolean enabled = explicitlyDisabled == false && randomBoolean();
         when(licenseState.isSecurityAvailable()).thenReturn(authcAuthzAvailable);
+        when(licenseState.isSecurityEnabled()).thenReturn(enabled);
 
         Settings.Builder settings = Settings.builder().put(this.settings);
 
-        boolean enabled = randomBoolean();
-        settings.put(XPackSettings.SECURITY_ENABLED.getKey(), enabled);
-
+        if (explicitlyDisabled) {
+            settings.put("xpack.security.enabled", "false");
+        }
         final boolean httpSSLEnabled = randomBoolean();
         settings.put("xpack.security.http.ssl.enabled", httpSSLEnabled);
         final boolean transportSSLEnabled = randomBoolean();
@@ -224,8 +228,13 @@ public void testUsage() throws Exception {
                 // FIPS 140
                 assertThat(source.getValue("fips_140.enabled"), is(fips140Enabled));
             } else {
+                if (explicitlyDisabled) {
+                    assertThat(source.getValue("ssl"), is(nullValue()));
+                } else {
+                    assertThat(source.getValue("ssl.http.enabled"), is(httpSSLEnabled));
+                    assertThat(source.getValue("ssl.transport.enabled"), is(transportSSLEnabled));
+                }
                 assertThat(source.getValue("realms"), is(nullValue()));
-                assertThat(source.getValue("ssl"), is(nullValue()));
                 assertThat(source.getValue("token_service"), is(nullValue()));
                 assertThat(source.getValue("api_key_service"), is(nullValue()));
                 assertThat(source.getValue("audit"), is(nullValue()));
@@ -252,7 +261,7 @@ public void testUsage() throws Exception {
 
     public void testUsageOnTrialLicenseWithSecurityDisabledByDefault() throws Exception {
         when(licenseState.isSecurityAvailable()).thenReturn(true);
-        when(licenseState.isSecurityDisabledByLicenseDefaults()).thenReturn(true);
+        when(licenseState.isSecurityEnabled()).thenReturn(false);
 
         Settings.Builder settings = Settings.builder().put(this.settings);
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandlerTests.java

@@ -27,11 +27,11 @@
 public class SecurityBaseRestHandlerTests extends ESTestCase {
 
     public void testSecurityBaseRestHandlerChecksLicenseState() throws Exception {
-        final boolean securityDisabledByLicenseDefaults = randomBoolean();
+        final boolean securityDefaultEnabled = randomBoolean();
         final AtomicBoolean consumerCalled = new AtomicBoolean(false);
         final XPackLicenseState licenseState = mock(XPackLicenseState.class);
         when(licenseState.isSecurityAvailable()).thenReturn(true);
-        when(licenseState.isSecurityDisabledByLicenseDefaults()).thenReturn(securityDisabledByLicenseDefaults);
+        when(licenseState.isSecurityEnabled()).thenReturn(securityDefaultEnabled);
         when(licenseState.getOperationMode()).thenReturn(
             randomFrom(License.OperationMode.BASIC, License.OperationMode.STANDARD, License.OperationMode.GOLD));
         SecurityBaseRestHandler handler = new SecurityBaseRestHandler(Settings.EMPTY, licenseState) {
@@ -56,15 +56,15 @@ protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClien
             }
         };
         FakeRestRequest fakeRestRequest = new FakeRestRequest();
-        FakeRestChannel fakeRestChannel = new FakeRestChannel(fakeRestRequest, randomBoolean(), securityDisabledByLicenseDefaults ? 1 : 0);
+        FakeRestChannel fakeRestChannel = new FakeRestChannel(fakeRestRequest, randomBoolean(), securityDefaultEnabled ? 0 : 1);
         NodeClient client = mock(NodeClient.class);
 
         assertFalse(consumerCalled.get());
         verifyZeroInteractions(licenseState);
         handler.handleRequest(fakeRestRequest, fakeRestChannel, client);
 
         verify(licenseState).isSecurityAvailable();
-        if (securityDisabledByLicenseDefaults == false) {
+        if (securityDefaultEnabled) {
             assertTrue(consumerCalled.get());
             assertEquals(0, fakeRestChannel.responses().get());
             assertEquals(0, fakeRestChannel.errors().get());

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java

@@ -54,6 +54,7 @@ public void setUp() throws Exception {
                 .build();
         threadPool = new ThreadPool(settings);
         when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
+        when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
         when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java

@@ -54,6 +54,7 @@ public void setUp() throws Exception {
                 .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toString()).build();
         threadPool = new ThreadPool(settings);
         when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
+        when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
         when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java

@@ -54,6 +54,7 @@ public void setUp() throws Exception {
                 .build();
         threadPool = new ThreadPool(settings);
         when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
+        when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
         when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java

@@ -47,7 +47,7 @@ public void cleanup() {
     }
 
     public void testSecurityEnabledToDisabled() {
-        when(licenseState.isSecurityDisabledByLicenseDefaults()).thenReturn(false);
+        when(licenseState.isSecurityEnabled()).thenReturn(true);
 
         when(licenseState.getOperationMode()).thenReturn(License.OperationMode.GOLD);
         logAppender.addExpectation(new MockLogAppender.SeenEventExpectation(
@@ -66,7 +66,7 @@ public void testSecurityEnabledToDisabled() {
             "Active license is now [PLATINUM]; Security is enabled"
         ));
 
-        when(licenseState.isSecurityDisabledByLicenseDefaults()).thenReturn(true);
+        when(licenseState.isSecurityEnabled()).thenReturn(false);
         when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC);
         logAppender.addExpectation(new MockLogAppender.SeenEventExpectation(
             "change to basic",
@@ -80,7 +80,7 @@ public void testSecurityEnabledToDisabled() {
     }
 
     public void testSecurityDisabledToEnabled() {
-        when(licenseState.isSecurityDisabledByLicenseDefaults()).thenReturn(true);
+        when(licenseState.isSecurityEnabled()).thenReturn(false);
 
         when(licenseState.getOperationMode()).thenReturn(License.OperationMode.TRIAL);
         logAppender.addExpectation(new MockLogAppender.SeenEventExpectation(
@@ -99,7 +99,7 @@ public void testSecurityDisabledToEnabled() {
             "Active license is now [BASIC]; Security is disabled"
         ));
 
-        when(licenseState.isSecurityDisabledByLicenseDefaults()).thenReturn(false);
+        when(licenseState.isSecurityEnabled()).thenReturn(true);
         when(licenseState.getOperationMode()).thenReturn(License.OperationMode.PLATINUM);
         logAppender.addExpectation(new MockLogAppender.SeenEventExpectation(
             "change to platinum",