Show JSM in action

Signed-off-by: Craig Perkins <cwperx@amazon.com>

Author: cwperks

src/integrationTest/java/org/opensearch/security/systemindex/RunCodeTests.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.systemindex;
+
+import java.util.List;
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.security.systemindex.sampleplugin.SystemIndexPlugin1;
+import org.opensearch.security.systemindex.sampleplugin.SystemIndexPlugin2;
+import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class RunCodeTests {
+
+    public static final AuthcDomain AUTHC_DOMAIN = new AuthcDomain("basic", 0).httpAuthenticatorWithChallenge("basic").backend("internal");
+
+    @ClassRule
+    public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .anonymousAuth(false)
+        .authc(AUTHC_DOMAIN)
+        .users(USER_ADMIN)
+        .plugin(SystemIndexPlugin1.class, SystemIndexPlugin2.class)
+        .nodeSettings(
+            Map.of(
+                SECURITY_RESTAPI_ROLES_ENABLED,
+                List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName()),
+                SECURITY_SYSTEM_INDICES_ENABLED_KEY,
+                true
+            )
+        )
+        .build();
+
+    @Test
+    public void testRunCode() {
+        // Define the policy file location
+        String policyFile = "integration-test.policy";
+
+        // Set the system property for security policy
+        System.setProperty("java.security.policy", RunCodeTests.class.getClassLoader().getResource(policyFile).getPath());
+
+        // Enable the Security Manager (Deprecated in Java 17+)
+        System.setSecurityManager(new SecurityManager());
+        System.out.println("Security manager: " + System.getSecurityManager());
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            // TODO write a test that calls POST /run-code with a simple System.out.println("Hello, world!")
+            // String javaCode = "System.setProperty(\\\"test.key\\\",\\\"Hello, world!\\\");";
+            // String javaCode = "System.out.println(\\\"Hello, world!\\\");";
+            String javaCode =
+                "java.nio.file.Path filePath = java.nio.file.Paths.get(\\\"/Users/cwperx/Projects/opensearch/OpenSearch/build/distribution/local/opensearch-3.0.0-SNAPSHOT/config/opensearch.yml\\\");"
+                    + "String content = new String(java.nio.file.Files.readAllBytes(filePath), java.nio.charset.StandardCharsets.UTF_8);"
+                    + "System.out.println(\\\"content: \\\" + content);";
+            String requestBody = "{\"code\": \"" + javaCode + "\"}";
+
+            System.out.println("Calling run-code");
+
+            HttpResponse response = client.postJson("run-code", requestBody);
+
+            System.out.println("Finished run-code");
+
+            // Verify response
+            assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+            assertThat(response.getBody(), response.getBody().contains("\"acknowledged\":true"));
+        }
+    }
+}

src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java

@@ -314,19 +314,4 @@ public void regularUserShouldGetNoResultsWhenSearchingSystemIndex() {
             assertThat(response1.getBody(), response1.getBody().contains("\"hits\":{\"total\":{\"value\":0,\"relation\":\"eq\"}"));
         }
     }
-
-    @Test
-    public void testRunCode() {
-        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
-            // TODO write a test that calls POST /run-code with a simple System.out.println("Hello, world!")
-            String javaCode = "System.out.println(\\\"Hello, world!\\\");";
-            String requestBody = "{\"code\": \"" + javaCode + "\"}";
-
-            HttpResponse response = client.postJson("run-code", requestBody);
-
-            // Verify response
-            assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
-            assertThat(response.getBody(), response.getBody().contains("\"acknowledged\":true"));
-        }
-    }
 }

src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java

@@ -33,6 +33,8 @@
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.nio.file.Files;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -486,8 +488,23 @@ public CompletableFuture<Boolean> stop(long timeout, TimeUnit timeUnit) {
                     running = false;
 
                     if (node != null) {
-                        node.close();
-                        boolean stopped = node.awaitClose(timeout, timeUnit);
+                        boolean stopped = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
+                            @Override
+                            public Boolean run() {
+                                try {
+                                    node.close();
+                                } catch (IOException e) {
+                                    System.out.println("caught e: " + e.getMessage());
+                                    throw new RuntimeException(e);
+                                }
+                                try {
+                                    return node.awaitClose(timeout, timeUnit);
+                                } catch (InterruptedException e) {
+                                    System.out.println("caught InterruptedException e: " + e.getMessage());
+                                    throw new RuntimeException(e);
+                                }
+                            }
+                        });
                         node = null;
                         return stopped;
                     } else {

src/integrationTest/resources/integration-test.policy

@@ -0,0 +1,39 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+grant {
+  permission org.opensearch.SpecialPermission;
+  permission java.lang.RuntimePermission "modifyThread";
+  permission javax.management.MBeanServerPermission "createMBeanServer";
+  permission javax.management.MBeanPermission "*","*";
+  //permission java.io.FilePermission "/Users/cwperx/Projects/opensearch/OpenSearch/build/distribution/local/opensearch-3.0.0-SNAPSHOT/config/opensearch.yml","read,write,delete,execute";
+  permission java.io.FilePermission "/Users/cwperx/.sdkman/-","read,write,delete,execute";
+  permission java.io.FilePermission "/Users/cwperx/.gradle/-","read,write,delete,execute";
+  permission java.io.FilePermission "/Users/cwperx/.m2/repository/-","read,write,delete,execute";
+  permission java.io.FilePermission "/Users/cwperx/Projects/opensearch/security/build/-","read,write,delete,execute";
+
+  permission javax.security.auth.AuthPermission "*";
+
+  permission java.util.PropertyPermission "*","read,write";
+
+  permission java.security.SecurityPermission "setProperty.ocsp.enable";
+
+  permission java.net.NetPermission "*";
+  permission java.net.SocketPermission "*", "connect,accept,resolve";
+  permission java.security.SecurityPermission "*";
+
+  permission java.lang.RuntimePermission "*";
+
+  // since the gradle test worker jar is on the test classpath, our tests should be able to read it
+  permission java.io.FilePermission "${gradle.worker.jar}", "read";
+  permission java.lang.reflect.ReflectPermission "*";
+  permission org.opensearch.secure_sm.ThreadContextPermission "*";
+};