[Kerberos] Move tests based on SimpleKdc to evil-tests (#33492)

We have a test dependency on Apache Mina when using SimpleKdcServer
for testing Kerberos. When checking for LDAP backend connectivity,
the code checks for deadlocks which require additional security
permissions accessClassInPackage.sun.reflect. As this is only for
test and we do not want to add security permissions to production,
this commit moves these tests and related classes to
x-pack evil-tests where they can run with security manager disabled.
The plan is to handle the security manager exception in the upstream issue
DIRMINA-1093
and then once the release is available to run these tests with security
manager enabled.

Closes #32739

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java

@@ -102,8 +102,8 @@ public class KerberosRealmCacheTests extends KerberosRealmTestCase {
     public void testAuthenticateWithValidTicketSucessAuthnWithUserDetailsWhenCacheDisabled()
             throws LoginException, GSSException, IOException {
         // if cache.ttl <= 0 then the cache is disabled
-        settings = KerberosTestCase.buildKerberosRealmSettings(
-                KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true,
+        settings = buildKerberosRealmSettings(
+                writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true,
                 randomBoolean());
         final String username = randomPrincipalName();
         final String outToken = randomAlphaOfLength(10);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java

@@ -27,12 +27,12 @@ public class KerberosRealmSettingsTests extends ESTestCase {
             configDir = Files.createDirectory(configDir);
         }
         final String keytabPathConfig = "config" + dir.getFileSystem().getSeparator() + "http.keytab";
-        KerberosTestCase.writeKeyTab(dir.resolve(keytabPathConfig), null);
+        KerberosRealmTestCase.writeKeyTab(dir.resolve(keytabPathConfig), null);
         final Integer maxUsers = randomInt();
         final String cacheTTL = randomLongBetween(10L, 100L) + "m";
         final boolean enableDebugLogs = randomBoolean();
         final boolean removeRealmName = randomBoolean();
-        final Settings settings = KerberosTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs,
+        final Settings settings = KerberosRealmTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs,
                 removeRealmName);
 
         assertThat(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings), equalTo(keytabPathConfig));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java

@@ -8,6 +8,7 @@ package org.elasticsearch.xpack.security.authc.kerberos;
 
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.client.Client;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -30,6 +31,10 @@ import org.elasticsearch.xpack.security.support.SecurityIndexManager;
 import org.junit.After;
 import org.junit.Before;
 
+import java.io.BufferedWriter;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Collections;
@@ -71,7 +76,7 @@ public abstract class KerberosRealmTestCase extends ESTestCase {
         resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
         dir = createTempDir();
         globalSettings = Settings.builder().put("path.home", dir).build();
-        settings = KerberosTestCase.buildKerberosRealmSettings(KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), "asa").toString(),
+        settings = buildKerberosRealmSettings(writeKeyTab(dir.resolve("key.keytab"), "asa").toString(),
                 100, "10m", true, randomBoolean());
         licenseState = mock(XPackLicenseState.class);
         when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
@@ -177,4 +182,49 @@ public abstract class KerberosRealmTestCase extends ESTestCase {
         }
         return principalName;
     }
+
+    /**
+     * Write content to provided keytab file.
+     *
+     * @param keytabPath {@link Path} to keytab file.
+     * @param content Content for keytab
+     * @return key tab path
+     * @throws IOException if I/O error occurs while writing keytab file
+     */
+    public static Path writeKeyTab(final Path keytabPath, final String content) throws IOException {
+        try (BufferedWriter bufferedWriter = Files.newBufferedWriter(keytabPath, StandardCharsets.US_ASCII)) {
+            bufferedWriter.write(Strings.isNullOrEmpty(content) ? "test-content" : content);
+        }
+        return keytabPath;
+    }
+
+    /**
+     * Build kerberos realm settings with default config and given keytab
+     *
+     * @param keytabPath key tab file path
+     * @return {@link Settings} for kerberos realm
+     */
+    public static Settings buildKerberosRealmSettings(final String keytabPath) {
+        return buildKerberosRealmSettings(keytabPath, 100, "10m", true, false);
+    }
+
+    /**
+     * Build kerberos realm settings
+     *
+     * @param keytabPath key tab file path
+     * @param maxUsersInCache max users to be maintained in cache
+     * @param cacheTTL time to live for cached entries
+     * @param enableDebugging for krb5 logs
+     * @param removeRealmName {@code true} if we want to remove realm name from the username of form 'user@REALM'
+     * @return {@link Settings} for kerberos realm
+     */
+    public static Settings buildKerberosRealmSettings(final String keytabPath, final int maxUsersInCache, final String cacheTTL,
+            final boolean enableDebugging, final boolean removeRealmName) {
+        final Settings.Builder builder = Settings.builder().put(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.getKey(), keytabPath)
+                .put(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.getKey(), maxUsersInCache)
+                .put(KerberosRealmSettings.CACHE_TTL_SETTING.getKey(), cacheTTL)
+                .put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging)
+                .put(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.getKey(), removeRealmName);
+        return builder.build();
+    }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java

@@ -155,7 +155,7 @@ public class KerberosRealmTests extends KerberosRealmTestCase {
     }
 
     private void assertKerberosRealmConstructorFails(final String keytabPath, final String expectedErrorMessage) {
-        settings = KerberosTestCase.buildKerberosRealmSettings(keytabPath, 100, "10m", true, randomBoolean());
+        settings = buildKerberosRealmSettings(keytabPath, 100, "10m", true, randomBoolean());
         config = new RealmConfig("test-kerb-realm", settings, globalSettings, TestEnvironment.newEnvironment(globalSettings),
                 new ThreadContext(globalSettings));
         mockNativeRoleMappingStore = roleMappingStore(Arrays.asList("user"));

x-pack/qa/evil-tests/build.gradle

@@ -1,9 +1,11 @@
 apply plugin: 'elasticsearch.standalone-test'
 
 dependencies {
-    testCompile "org.elasticsearch.plugin:x-pack-core:${version}"
+    testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+    testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
 }
 
 test {
     systemProperty 'tests.security.manager', 'false'
+    include '**/*Tests.class'
 }

x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java

@@ -9,20 +9,15 @@ package org.elasticsearch.xpack.security.authc.kerberos;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.common.Randomness;
-import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
-import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 
-import java.io.BufferedWriter;
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
@@ -130,12 +125,14 @@ public abstract class KerberosTestCase extends ESTestCase {
                 throw ExceptionsHelper.convertToRuntime(e);
             }
         });
-        settings = buildKerberosRealmSettings(ktabPathForService.toString());
+        settings = KerberosRealmTestCase.buildKerberosRealmSettings(ktabPathForService.toString());
     }
 
     @After
     public void tearDownMiniKdc() throws IOException, PrivilegedActionException {
-        simpleKdcLdapServer.stop();
+        if (simpleKdcLdapServer != null) {
+            simpleKdcLdapServer.stop();
+        }
     }
 
     /**
@@ -186,49 +183,4 @@ public abstract class KerberosTestCase extends ESTestCase {
         return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> Subject.doAs(subject, action));
     }
 
-    /**
-     * Write content to provided keytab file.
-     *
-     * @param keytabPath {@link Path} to keytab file.
-     * @param content Content for keytab
-     * @return key tab path
-     * @throws IOException if I/O error occurs while writing keytab file
-     */
-    public static Path writeKeyTab(final Path keytabPath, final String content) throws IOException {
-        try (BufferedWriter bufferedWriter = Files.newBufferedWriter(keytabPath, StandardCharsets.US_ASCII)) {
-            bufferedWriter.write(Strings.isNullOrEmpty(content) ? "test-content" : content);
-        }
-        return keytabPath;
-    }
-
-    /**
-     * Build kerberos realm settings with default config and given keytab
-     *
-     * @param keytabPath key tab file path
-     * @return {@link Settings} for kerberos realm
-     */
-    public static Settings buildKerberosRealmSettings(final String keytabPath) {
-        return buildKerberosRealmSettings(keytabPath, 100, "10m", true, false);
-    }
-
-    /**
-     * Build kerberos realm settings
-     *
-     * @param keytabPath key tab file path
-     * @param maxUsersInCache max users to be maintained in cache
-     * @param cacheTTL time to live for cached entries
-     * @param enableDebugging for krb5 logs
-     * @param removeRealmName {@code true} if we want to remove realm name from the username of form 'user@REALM'
-     * @return {@link Settings} for kerberos realm
-     */
-    public static Settings buildKerberosRealmSettings(final String keytabPath, final int maxUsersInCache, final String cacheTTL,
-            final boolean enableDebugging, final boolean removeRealmName) {
-        final Settings.Builder builder = Settings.builder().put(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.getKey(), keytabPath)
-                .put(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.getKey(), maxUsersInCache)
-                .put(KerberosRealmSettings.CACHE_TTL_SETTING.getKey(), cacheTTL)
-                .put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging)
-                .put(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.getKey(), removeRealmName);
-        return builder.build();
-    }
-
 }

x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java

@@ -86,8 +86,8 @@ public class KerberosTicketValidatorTests extends KerberosTestCase {
             final String base64KerbToken = spnegoClient.getBase64EncodedTokenForSpnegoHeader();
             assertThat(base64KerbToken, is(notNullValue()));
 
-            final Path ktabPath = writeKeyTab(workDir.resolve("invalid.keytab"), "not - a - valid - key - tab");
-            settings = buildKerberosRealmSettings(ktabPath.toString());
+            final Path ktabPath = KerberosRealmTestCase.writeKeyTab(workDir.resolve("invalid.keytab"), "not - a - valid - key - tab");
+            settings = KerberosRealmTestCase.buildKerberosRealmSettings(ktabPath.toString());
             final Environment env = TestEnvironment.newEnvironment(globalSettings);
             final Path keytabPath = env.configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings));
             final PlainActionFuture<Tuple<String, String>> future = new PlainActionFuture<>();