[Kerberos] Move tests based on SimpleKdc to evil-tests (#33492)

We have a test dependency on Apache Mina when using SimpleKdcServer
for testing Kerberos. When checking for LDAP backend connectivity,
the code checks for deadlocks which require additional security
permissions accessClassInPackage.sun.reflect. As this is only for
test and we do not want to add security permissions to production,
this commit moves these tests and related classes to
x-pack evil-tests where they can run with security manager disabled.
The plan is to handle the security manager exception in the upstream issue
DIRMINA-1093
and then once the release is available to run these tests with security
manager enabled.

Closes #32739

Author: bizybot

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java

@@ -102,8 +102,8 @@ public void testCacheInvalidationScenarios() throws LoginException, GSSException
     public void testAuthenticateWithValidTicketSucessAuthnWithUserDetailsWhenCacheDisabled()
             throws LoginException, GSSException, IOException {
         // if cache.ttl <= 0 then the cache is disabled
-        settings = KerberosTestCase.buildKerberosRealmSettings(
-                KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true,
+        settings = buildKerberosRealmSettings(
+                writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true,
                 randomBoolean());
         final String username = randomPrincipalName();
         final String outToken = randomAlphaOfLength(10);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java

@@ -27,12 +27,12 @@ public void testKerberosRealmSettings() throws IOException {
             configDir = Files.createDirectory(configDir);
         }
         final String keytabPathConfig = "config" + dir.getFileSystem().getSeparator() + "http.keytab";
-        KerberosTestCase.writeKeyTab(dir.resolve(keytabPathConfig), null);
+        KerberosRealmTestCase.writeKeyTab(dir.resolve(keytabPathConfig), null);
         final Integer maxUsers = randomInt();
         final String cacheTTL = randomLongBetween(10L, 100L) + "m";
         final boolean enableDebugLogs = randomBoolean();
         final boolean removeRealmName = randomBoolean();
-        final Settings settings = KerberosTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs,
+        final Settings settings = KerberosRealmTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs,
                 removeRealmName);
 
         assertThat(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings), equalTo(keytabPathConfig));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java

@@ -8,6 +8,7 @@
 
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.client.Client;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -28,6 +29,10 @@
 import org.junit.After;
 import org.junit.Before;
 
+import java.io.BufferedWriter;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.List;
@@ -67,7 +72,7 @@ public void setup() throws Exception {
         resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
         dir = createTempDir();
         globalSettings = Settings.builder().put("path.home", dir).build();
-        settings = KerberosTestCase.buildKerberosRealmSettings(KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), "asa").toString(),
+        settings = buildKerberosRealmSettings(writeKeyTab(dir.resolve("key.keytab"), "asa").toString(),
                 100, "10m", true, randomBoolean());
     }
 
@@ -165,4 +170,49 @@ protected String maybeRemoveRealmName(final String principalName) {
         }
         return principalName;
     }
+
+    /**
+     * Write content to provided keytab file.
+     *
+     * @param keytabPath {@link Path} to keytab file.
+     * @param content Content for keytab
+     * @return key tab path
+     * @throws IOException if I/O error occurs while writing keytab file
+     */
+    public static Path writeKeyTab(final Path keytabPath, final String content) throws IOException {
+        try (BufferedWriter bufferedWriter = Files.newBufferedWriter(keytabPath, StandardCharsets.US_ASCII)) {
+            bufferedWriter.write(Strings.isNullOrEmpty(content) ? "test-content" : content);
+        }
+        return keytabPath;
+    }
+
+    /**
+     * Build kerberos realm settings with default config and given keytab
+     *
+     * @param keytabPath key tab file path
+     * @return {@link Settings} for kerberos realm
+     */
+    public static Settings buildKerberosRealmSettings(final String keytabPath) {
+        return buildKerberosRealmSettings(keytabPath, 100, "10m", true, false);
+    }
+
+    /**
+     * Build kerberos realm settings
+     *
+     * @param keytabPath key tab file path
+     * @param maxUsersInCache max users to be maintained in cache
+     * @param cacheTTL time to live for cached entries
+     * @param enableDebugging for krb5 logs
+     * @param removeRealmName {@code true} if we want to remove realm name from the username of form 'user@REALM'
+     * @return {@link Settings} for kerberos realm
+     */
+    public static Settings buildKerberosRealmSettings(final String keytabPath, final int maxUsersInCache, final String cacheTTL,
+            final boolean enableDebugging, final boolean removeRealmName) {
+        final Settings.Builder builder = Settings.builder().put(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.getKey(), keytabPath)
+                .put(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.getKey(), maxUsersInCache)
+                .put(KerberosRealmSettings.CACHE_TTL_SETTING.getKey(), cacheTTL)
+                .put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging)
+                .put(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.getKey(), removeRealmName);
+        return builder.build();
+    }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java

@@ -151,7 +151,7 @@ public void testKerberosRealmThrowsErrorWhenKeytabFileHasNoReadPermissions() thr
     }
 
     private void assertKerberosRealmConstructorFails(final String keytabPath, final String expectedErrorMessage) {
-        settings = KerberosTestCase.buildKerberosRealmSettings(keytabPath, 100, "10m", true, randomBoolean());
+        settings = buildKerberosRealmSettings(keytabPath, 100, "10m", true, randomBoolean());
         config = new RealmConfig("test-kerb-realm", settings, globalSettings, TestEnvironment.newEnvironment(globalSettings),
                 new ThreadContext(globalSettings));
         mockNativeRoleMappingStore = roleMappingStore(Arrays.asList("user"));

x-pack/qa/evil-tests/build.gradle

@@ -1,9 +1,11 @@
 apply plugin: 'elasticsearch.standalone-test'
 
 dependencies {
-    testCompile project(path: xpackModule('core'), configuration: 'shadow')
+    testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+    testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
 }
 
 test {
     systemProperty 'tests.security.manager', 'false'
+    include '**/*Tests.class'
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java renamed to x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java

@@ -9,20 +9,15 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.common.Randomness;
-import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
-import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 
-import java.io.BufferedWriter;
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
@@ -130,12 +125,14 @@ public void startSimpleKdcLdapServer() throws Exception {
                 throw ExceptionsHelper.convertToRuntime(e);
             }
         });
-        settings = buildKerberosRealmSettings(ktabPathForService.toString());
+        settings = KerberosRealmTestCase.buildKerberosRealmSettings(ktabPathForService.toString());
     }
 
     @After
     public void tearDownMiniKdc() throws IOException, PrivilegedActionException {
-        simpleKdcLdapServer.stop();
+        if (simpleKdcLdapServer != null) {
+            simpleKdcLdapServer.stop();
+        }
     }
 
     /**
@@ -186,49 +183,4 @@ static <T> T doAsWrapper(final Subject subject, final PrivilegedExceptionAction<
         return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> Subject.doAs(subject, action));
     }
 
-    /**
-     * Write content to provided keytab file.
-     *
-     * @param keytabPath {@link Path} to keytab file.
-     * @param content Content for keytab
-     * @return key tab path
-     * @throws IOException if I/O error occurs while writing keytab file
-     */
-    public static Path writeKeyTab(final Path keytabPath, final String content) throws IOException {
-        try (BufferedWriter bufferedWriter = Files.newBufferedWriter(keytabPath, StandardCharsets.US_ASCII)) {
-            bufferedWriter.write(Strings.isNullOrEmpty(content) ? "test-content" : content);
-        }
-        return keytabPath;
-    }
-
-    /**
-     * Build kerberos realm settings with default config and given keytab
-     *
-     * @param keytabPath key tab file path
-     * @return {@link Settings} for kerberos realm
-     */
-    public static Settings buildKerberosRealmSettings(final String keytabPath) {
-        return buildKerberosRealmSettings(keytabPath, 100, "10m", true, false);
-    }
-
-    /**
-     * Build kerberos realm settings
-     *
-     * @param keytabPath key tab file path
-     * @param maxUsersInCache max users to be maintained in cache
-     * @param cacheTTL time to live for cached entries
-     * @param enableDebugging for krb5 logs
-     * @param removeRealmName {@code true} if we want to remove realm name from the username of form 'user@REALM'
-     * @return {@link Settings} for kerberos realm
-     */
-    public static Settings buildKerberosRealmSettings(final String keytabPath, final int maxUsersInCache, final String cacheTTL,
-            final boolean enableDebugging, final boolean removeRealmName) {
-        final Settings.Builder builder = Settings.builder().put(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.getKey(), keytabPath)
-                .put(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.getKey(), maxUsersInCache)
-                .put(KerberosRealmSettings.CACHE_TTL_SETTING.getKey(), cacheTTL)
-                .put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging)
-                .put(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.getKey(), removeRealmName);
-        return builder.build();
-    }
-
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java renamed to x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java

@@ -86,8 +86,8 @@ public void testWhenKeyTabWithInvalidContentFailsValidation()
             final String base64KerbToken = spnegoClient.getBase64EncodedTokenForSpnegoHeader();
             assertThat(base64KerbToken, is(notNullValue()));
 
-            final Path ktabPath = writeKeyTab(workDir.resolve("invalid.keytab"), "not - a - valid - key - tab");
-            settings = buildKerberosRealmSettings(ktabPath.toString());
+            final Path ktabPath = KerberosRealmTestCase.writeKeyTab(workDir.resolve("invalid.keytab"), "not - a - valid - key - tab");
+            settings = KerberosRealmTestCase.buildKerberosRealmSettings(ktabPath.toString());
             final Environment env = TestEnvironment.newEnvironment(globalSettings);
             final Path keytabPath = env.configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings));
             final PlainActionFuture<Tuple<String, String>> future = new PlainActionFuture<>();