From 7741829e2cb2cdc302f6bb16a98d3d010f097e0e Mon Sep 17 00:00:00 2001 From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Date: Mon, 5 Jun 2023 14:22:34 -0400 Subject: [PATCH] Format all *.java files tests under test/security (#2837) * Update test/security/s* java files Signed-off-by: Stephen Crawford * Update test/security/s* java files Signed-off-by: Stephen Crawford * Update all tests under security Signed-off-by: Stephen Crawford --------- Signed-off-by: Stephen Crawford 
Signed-off-by: Maciej Mierzwa --- build.gradle | 18 +- .../AdvancedSecurityMigrationTests.java | 145 +- .../opensearch/security/AggregationTests.java | 106 +- ...waysFalseInterClusterRequestEvaluator.java | 19 +- .../org/opensearch/security/ConfigTests.java | 34 +- .../security/DataStreamIntegrationTests.java | 36 +- .../EncryptionInTransitMigrationTests.java | 44 +- .../org/opensearch/security/HealthTests.java | 15 +- .../security/HttpIntegrationTests.java | 1269 +++++++++++------ .../security/IndexIntegrationTests.java | 634 +++++--- ...exTemplateClusterPermissionsCheckTest.java | 76 +- .../InitializationIntegrationTests.java | 176 ++- .../opensearch/security/IntegrationTests.java | 876 ++++++++---- .../security/PitIntegrationTests.java | 134 +- .../security/PrivilegesEvaluationTest.java | 28 +- .../opensearch/security/ResolveAPITests.java | 134 +- .../security/RolesInjectorIntegTest.java | 99 +- .../security/RolesValidationIntegTest.java | 77 +- .../SecurityAdminIEndpointsTests.java | 99 +- .../SecurityAdminInvalidConfigsTests.java | 278 ++-- .../security/SecurityAdminTests.java | 285 ++-- .../security/SecurityRolesTests.java | 157 +- .../security/SlowIntegrationTests.java | 172 ++- .../security/SnapshotRestoreTests.java | 971 ++++++++++--- .../security/SystemIntegratorsTests.java | 194 ++- .../org/opensearch/security/TaskTests.java | 11 +- .../org/opensearch/security/TracingTests.java | 621 +++++--- .../TransportUserInjectorIntegTest.java | 133 +- .../org/opensearch/security/UtilTests.java | 115 +- .../auditlog/AbstractAuditlogiUnitTest.java | 20 +- .../security/auditlog/AuditTestUtils.java | 3 +- .../compliance/ComplianceAuditlogTest.java | 289 ++-- .../compliance/ComplianceConfigTest.java | 54 +- .../RestApiComplianceAuditlogTest.java | 151 +- .../config/AuditConfigFilterTest.java | 121 +- .../config/AuditConfigSerializeTest.java | 313 ++-- .../auditlog/config/ThreadPoolConfigTest.java | 6 +- .../auditlog/helper/ErroneousHttpHandler.java | 8 +- 
.../security/auditlog/helper/FailingSink.java | 8 +- .../security/auditlog/helper/LoggingSink.java | 5 +- .../helper/MockAuditMessageFactory.java | 26 +- .../auditlog/helper/MockRestRequest.java | 4 +- .../auditlog/helper/MyOwnAuditLog.java | 23 +- .../security/auditlog/helper/RetrySink.java | 4 +- .../security/auditlog/helper/SlowSink.java | 11 +- .../auditlog/helper/TestHttpHandler.java | 30 +- .../auditlog/impl/AuditCategoryTest.java | 46 +- .../auditlog/impl/AuditMessageTest.java | 31 +- .../security/auditlog/impl/AuditlogTest.java | 86 +- .../security/auditlog/impl/DelegateTest.java | 44 +- .../auditlog/impl/DisabledCategoriesTest.java | 315 ++-- .../auditlog/impl/IgnoreAuditUsersTest.java | 193 ++- .../security/auditlog/impl/TracingTests.java | 411 +++--- .../integration/BasicAuditlogTest.java | 566 +++++--- .../auditlog/integration/SSLAuditlogTest.java | 133 +- .../integration/TestAuditlogImpl.java | 29 +- .../auditlog/routing/FallbackTest.java | 185 +-- .../security/auditlog/routing/PerfTest.java | 42 +- .../security/auditlog/routing/RouterTest.java | 130 +- .../routing/RoutingConfigurationTest.java | 286 ++-- .../security/auditlog/sink/KafkaSinkTest.java | 7 +- .../auditlog/sink/MockWebhookAuditLog.java | 37 +- .../auditlog/sink/SinkProviderTLSTest.java | 209 +-- .../auditlog/sink/SinkProviderTest.java | 157 +- .../auditlog/sink/WebhookAuditLogTest.java | 1036 +++++++------- .../auth/InternalAuthBackendTests.java | 32 +- .../security/auth/RolesInjectorTest.java | 9 +- .../security/auth/UserInjectorTest.java | 4 +- .../limiting/HeapBasedRateTrackerTest.java | 1 - .../security/cache/CachingTest.java | 22 +- .../cache/DummyAuthenticationBackend.java | 8 +- .../security/cache/DummyAuthorizer.java | 6 +- .../cache/DummyHTTPAuthenticator.java | 5 +- ...ossClusterMinimalRoundtripSearchTests.java | 4 +- .../ccstest/CrossClusterSearchTests.java | 1065 ++++++++++---- .../security/ccstest/RemoteReindexTests.java | 72 +- .../security/configuration/SaltTest.java | 18 
+- .../dlic/dlsfls/AbstractDlsFlsTest.java | 66 +- .../dlic/dlsfls/CCReplicationTest.java | 134 +- .../CustomFieldMaskedComplexMappingTest.java | 152 +- .../dlic/dlsfls/CustomFieldMaskedTest.java | 247 ++-- .../security/dlic/dlsfls/DateMathTest.java | 81 +- .../dlic/dlsfls/DfmOverwritesAllTest.java | 102 +- .../security/dlic/dlsfls/DlsDateMathTest.java | 49 +- ...ossClusterMinimalRoundtripSearchTests.java | 4 +- .../dlsfls/DlsFlsCrossClusterSearchTest.java | 338 +++-- .../security/dlic/dlsfls/DlsNestedTest.java | 103 +- .../dlic/dlsfls/DlsPropsReplaceTest.java | 63 +- .../security/dlic/dlsfls/DlsScrollTest.java | 54 +- .../dlic/dlsfls/DlsTermLookupQueryTest.java | 1236 +++++++++------- .../security/dlic/dlsfls/DlsTest.java | 369 +++-- .../security/dlic/dlsfls/FieldMaskedTest.java | 203 ++- .../security/dlic/dlsfls/Fls983Test.java | 16 +- .../security/dlic/dlsfls/FlsDlsTestAB.java | 80 +- .../dlic/dlsfls/FlsDlsTestForbiddenField.java | 148 +- .../security/dlic/dlsfls/FlsDlsTestMulti.java | 320 +++-- .../dlic/dlsfls/FlsExistsFieldsTest.java | 123 +- .../security/dlic/dlsfls/FlsFieldsTest.java | 32 +- .../security/dlic/dlsfls/FlsFieldsWcTest.java | 32 +- .../dlic/dlsfls/FlsIndexingTests.java | 73 +- .../security/dlic/dlsfls/FlsKeywordTests.java | 24 +- .../security/dlic/dlsfls/FlsPerfTest.java | 106 +- .../security/dlic/dlsfls/FlsTest.java | 122 +- .../dlic/dlsfls/IndexPatternTest.java | 74 +- .../security/dlic/dlsfls/MFlsTest.java | 80 +- .../rest/api/AbstractRestApiUnitTest.java | 480 ++++--- .../dlic/rest/api/AccountApiTest.java | 27 +- .../dlic/rest/api/ActionGroupsApiTest.java | 195 ++- .../dlic/rest/api/AllowlistApiTest.java | 115 +- .../dlic/rest/api/AuditApiActionTest.java | 308 ++-- .../rest/api/DashboardsInfoActionTest.java | 7 +- .../dlic/rest/api/FlushCacheApiTest.java | 4 +- .../rest/api/GetConfigurationApiTest.java | 7 +- .../dlic/rest/api/IndexMissingTest.java | 14 +- .../rest/api/MultiTenancyConfigApiTest.java | 107 +- 
.../dlic/rest/api/NodesDnApiTest.java | 107 +- .../api/RestApiPrivilegesEvaluatorTest.java | 14 +- .../dlic/rest/api/RoleBasedAccessTest.java | 56 +- .../security/dlic/rest/api/RolesApiTest.java | 470 +++--- .../dlic/rest/api/RolesMappingApiTest.java | 274 ++-- .../dlic/rest/api/SecurityApiAccessTest.java | 19 +- .../dlic/rest/api/SecurityConfigApiTest.java | 50 +- .../rest/api/SecurityHealthActionTest.java | 7 +- .../dlic/rest/api/SecurityInfoActionTest.java | 7 +- .../dlic/rest/api/SslCertsApiTest.java | 58 +- .../dlic/rest/api/TenantInfoActionTest.java | 26 +- .../security/dlic/rest/api/UserApiTest.java | 499 ++++--- .../dlic/rest/api/WhitelistApiTest.java | 129 +- .../api/legacy/LegacyAccountApiTests.java | 8 +- .../legacy/LegacyActionGroupsApiTests.java | 8 +- .../api/legacy/LegacyAuditApiActionTests.java | 8 +- .../LegacyDashboardsInfoActionTests.java | 2 +- .../api/legacy/LegacyFlushCacheApiTests.java | 8 +- .../LegacyGetConfigurationApiTests.java | 8 +- .../api/legacy/LegacyIndexMissingTests.java | 8 +- .../api/legacy/LegacyNodesDnApiTests.java | 8 +- .../legacy/LegacyRoleBasedAccessTests.java | 8 +- .../rest/api/legacy/LegacyRolesApiTests.java | 8 +- .../legacy/LegacyRolesMappingApiTests.java | 8 +- .../legacy/LegacySecurityApiAccessTests.java | 8 +- .../legacy/LegacySecurityConfigApiTests.java | 8 +- .../LegacySecurityHealthActionTests.java | 8 +- .../legacy/LegacySecurityInfoActionTests.java | 8 +- .../legacy/LegacyTenantInfoActionTests.java | 8 +- .../rest/api/legacy/LegacyUserApiTests.java | 8 +- .../api/legacy/LegacyWhitelistApiTests.java | 8 +- .../validation/PasswordValidatorTest.java | 164 +-- .../security/filter/SecurityFilterTest.java | 47 +- .../filter/SecurityRestFilterTest.java | 273 ++-- .../HTTPExtendedProxyAuthenticatorTest.java | 36 +- .../security/httpclient/HttpClientTest.java | 86 +- .../privileges/PrivilegesEvaluatorTest.java | 26 +- .../SecurityIndexAccessEvaluatorTest.java | 17 +- .../ProtectedIndicesTests.java | 327 +++-- 
.../test/AbstractSecurityUnitTest.java | 159 ++- .../security/test/DynamicSecurityConfig.java | 89 +- .../security/test/SingleClusterTest.java | 81 +- .../helper/cluster/ClusterConfiguration.java | 145 +- .../test/helper/cluster/ClusterHelper.java | 216 ++- .../test/helper/cluster/ClusterInfo.java | 14 +- .../security/test/helper/file/FileHelper.java | 102 +- .../test/helper/network/SocketUtils.java | 51 +- .../security/test/helper/rest/RestHelper.java | 919 ++++++------ .../helper/rules/SecurityTestWatcher.java | 44 +- .../test/plugin/UserInjectorPlugin.java | 51 +- .../security/util/FakeRestRequest.java | 11 +- .../SettingsBasedSSLConfiguratorV4Test.java | 336 +++-- 167 files changed, 14803 insertions(+), 9161 deletions(-) diff --git a/build.gradle b/build.gradle index 88fe5f5ec2..66410a7951 100644 --- a/build.gradle +++ b/build.gradle @@ -78,14 +78,7 @@ spotless { // non-standard places target '**/com/amazon/dlic/**/*.java' target '**/com/amazon/security/**/*.java' - target '**/test/java/org/opensearch/security/a*/**/*.java' - target '**/test/java/org/opensearch/security/b*/**/*.java' - target '**/test/java/org/opensearch/security/c*/**/*.java' - target '**/test/java/org/opensearch/security/d*/**/*.java' - target '**/test/java/org/opensearch/security/f*/**/*.java' - target '**/test/java/org/opensearch/security/h*/**/*.java' - target '**/test/java/org/opensearch/security/m*/**/*.java' - target '**/test/java/org/opensearch/security/s*/**/*.java' + target '**/test/java/org/opensearch/security/**/*.java' removeUnusedImports() eclipse().configFile rootProject.file('formatter/formatterConfig.xml') 
@@ -119,14 +112,7 @@ spotless { target '**/*.java' targetExclude '**/com/amazon/dlic/**/*.java' targetExclude '**/com/amazon/security/**/*.java' - targetExclude '**/test/java/org/opensearch/security/a*/**/*.java' - targetExclude '**/test/java/org/opensearch/security/b*/**/*.java' - targetExclude '**/test/java/org/opensearch/security/c*/**/*.java' - targetExclude '**/test/java/org/opensearch/security/d*/**/*.java' - targetExclude '**/test/java/org/opensearch/security/f*/**/*.java' - targetExclude '**/test/java/org/opensearch/security/h*/**/*.java' - targetExclude '**/test/java/org/opensearch/security/m*/**/*.java' - targetExclude '**/test/java/org/opensearch/security/s*/**/*.java' + targetExclude '**/test/java/org/opensearch/security/**/*.java' targetExclude 'src/integrationTest/**' trimTrailingWhitespace() diff --git a/src/test/java/org/opensearch/security/AdvancedSecurityMigrationTests.java b/src/test/java/org/opensearch/security/AdvancedSecurityMigrationTests.java index 3b069a2339..e8ac049385 100644 --- a/src/test/java/org/opensearch/security/AdvancedSecurityMigrationTests.java +++ b/src/test/java/org/opensearch/security/AdvancedSecurityMigrationTests.java @@ -50,8 +50,11 @@ public void testPluginEnabledDataNodeWithSSlOnlyClusterManagerNode_ReqOnSSLNode( final Settings advSecSettings = getAdvSecSettings().build(); final Settings sslOnlySettings = getSSLOnlyModeSettings().build(); - setupGenericNodes(Arrays.asList(sslOnlySettings, advSecSettings, advSecSettings, sslOnlySettings), - Arrays.asList(true, false, false, true), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(sslOnlySettings, advSecSettings, advSecSettings, sslOnlySettings), + Arrays.asList(true, false, false, true), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), null); 
@@ -67,8 +70,11 @@ public void testPluginEnabledDataNodeWithSSlOnlyClusterManagerNode_ReqOnAdvSecNo final Settings advSecSettings = getAdvSecSettings().build(); final Settings sslOnlySettings = getSSLOnlyModeSettings().build(); - setupGenericNodes(Arrays.asList(advSecSettings, sslOnlySettings, advSecSettings, sslOnlySettings), - Arrays.asList(false, true, false, true), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(advSecSettings, sslOnlySettings, advSecSettings, sslOnlySettings), + Arrays.asList(false, true, false, true), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), encodeBasicHeader("admin", "admin")); @@ -84,11 +90,14 @@ public void testPluginEnabledClusterManagerNodeWithSSlOnlyDataNode_ReqOnSSLNode( final Settings advSecSettings = getAdvSecSettings().build(); final Settings sslOnlySettings = getSSLOnlyModeSettings().build(); - setupGenericNodes(Arrays.asList(sslOnlySettings, sslOnlySettings, advSecSettings, advSecSettings), - Arrays.asList(true, true, false, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(sslOnlySettings, sslOnlySettings, advSecSettings, advSecSettings), + Arrays.asList(true, true, false, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); - commonTestsForAdvancedSecurityMigration(nonSslRestHelper(),null); + commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), null); } /** 
@@ -101,8 +110,11 @@ public void testPluginEnabledClusterManagerNodeWithSSlOnlyDataNode_ReqOnAdvSecNo final Settings advSecSettings = getAdvSecSettings().build(); final Settings sslOnlySettings = getSSLOnlyModeSettings().build(); - setupGenericNodes(Arrays.asList(advSecSettings, sslOnlySettings, sslOnlySettings, advSecSettings), - Arrays.asList(false, true, true, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(advSecSettings, sslOnlySettings, sslOnlySettings, advSecSettings), + Arrays.asList(false, true, true, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), encodeBasicHeader("admin", "admin")); @@ -118,11 +130,14 @@ public void testPluginEnabledDataNodeWithDisabledClusterManagerNode_ReqOnDisable final Settings advSecSettings = getAdvSecSettingsDualMode().build(); final Settings disabledSettings = getDisabledSettings().build(); - setupGenericNodes(Arrays.asList(disabledSettings, advSecSettings, advSecSettings, disabledSettings), - Arrays.asList(false, false, false, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(disabledSettings, advSecSettings, advSecSettings, disabledSettings), + Arrays.asList(false, false, false, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); - commonTestsForAdvancedSecurityMigration(nonSslRestHelper(),null); + commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), null); } /** 
@@ -135,8 +150,11 @@ public void testPluginEnabledDataNodeWithDisabledClusterManagerNode_ReqOnAdvSecN final Settings advSecSettings = getAdvSecSettingsDualMode().build(); final Settings disabledSettings = getDisabledSettings().build(); - setupGenericNodes(Arrays.asList(advSecSettings, disabledSettings, advSecSettings, disabledSettings), - Arrays.asList(false, false, false, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(advSecSettings, disabledSettings, advSecSettings, disabledSettings), + Arrays.asList(false, false, false, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), encodeBasicHeader("admin", "admin")); @@ -152,8 +170,11 @@ public void testPluginEnabledClusterManagerNodeWithDisabledDataNode_ReqOnDisable final Settings advSecSettings = getAdvSecSettingsDualMode().build(); final Settings disabledSettings = getDisabledSettings().build(); - setupGenericNodes(Arrays.asList(disabledSettings, disabledSettings, advSecSettings, advSecSettings), - Arrays.asList(false, false, false, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(disabledSettings, disabledSettings, advSecSettings, advSecSettings), + Arrays.asList(false, false, false, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), null); 
@@ -169,8 +190,11 @@ public void testPluginEnabledClusterManagerNodeWithDisabledDataNode_ReqOnAdvSecN final Settings advSecSettings = getAdvSecSettingsDualMode().build(); final Settings disabledSettings = getDisabledSettings().build(); - setupGenericNodes(Arrays.asList(advSecSettings, disabledSettings, advSecSettings, advSecSettings), - Arrays.asList(false, false, false, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(advSecSettings, disabledSettings, advSecSettings, advSecSettings), + Arrays.asList(false, false, false, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); commonTestsForAdvancedSecurityMigration(nonSslRestHelper(), encodeBasicHeader("admin", "admin")); @@ -178,13 +202,17 @@ public void testPluginEnabledClusterManagerNodeWithDisabledDataNode_ReqOnAdvSecN @Test public void testWithPassiveAuthDisabled() throws Exception { - final Settings advSecSettings = getAdvSecSettings() - .put(ConfigConstants.SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY, false) - .build(); + final Settings advSecSettings = getAdvSecSettings().put( + ConfigConstants.SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY, + false + ).build(); final Settings sslOnlySettings = getSSLOnlyModeSettings().build(); - setupGenericNodes(Arrays.asList(sslOnlySettings, sslOnlySettings, advSecSettings, advSecSettings), - Arrays.asList(true, true, false, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(sslOnlySettings, sslOnlySettings, advSecSettings, advSecSettings), + Arrays.asList(true, true, false, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); Thread.sleep(10000); RestHelper.HttpResponse res; 
@@ -196,15 +224,19 @@ public void testWithPassiveAuthDisabled() throws Exception { @Test public void testWithPassiveAuthDisabledDynamic() throws Exception { - final Settings advSecSettings = getAdvSecSettingsDualMode() - .put(ConfigConstants.SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY, false) - .build(); + final Settings advSecSettings = getAdvSecSettingsDualMode().put( + ConfigConstants.SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY, + false + ).build(); final Settings disabledSettings = getDisabledSettings().build(); - setupGenericNodes(Arrays.asList(disabledSettings, disabledSettings, advSecSettings, advSecSettings), - Arrays.asList(false, false, false, false), ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA); + setupGenericNodes( + Arrays.asList(disabledSettings, disabledSettings, advSecSettings, advSecSettings), + Arrays.asList(false, false, false, false), + ClusterConfiguration.ONE_CLUSTER_MANAGER_THREE_DATA + ); - Thread.sleep(5*1000); + Thread.sleep(5 * 1000); RestHelper.HttpResponse res; RestHelper rh = nonSslRestHelper(); @@ -214,7 +246,7 @@ public void testWithPassiveAuthDisabledDynamic() throws Exception { } private void commonTestsForAdvancedSecurityMigration(final RestHelper rh, final Header basicHeaders) throws Exception { - Thread.sleep(5*1000); + Thread.sleep(5 * 1000); RestHelper.HttpResponse res; res = rh.executePutRequest("testindex", getIndexSettingsForAdvSec(), basicHeaders); 
@@ -250,50 +282,47 @@ private void commonTestsForAnIndex(final RestHelper rh, final String index, fina private Settings.Builder getAdvSecSettings() { return Settings.builder() - .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) - .put(ConfigConstants.SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY, true) - .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) - .put("node.attr.custom_node", true); + .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) + .put(ConfigConstants.SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY, true) + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .put("node.attr.custom_node", true); } private Settings.Builder getAdvSecSettingsDualMode() { - return getAdvSecSettings() - .put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true); + return getAdvSecSettings().put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true); } private Settings.Builder getSSLOnlyModeSettings() { - return Settings.builder() - .put(ConfigConstants.SECURITY_SSL_ONLY, true); + return Settings.builder().put(ConfigConstants.SECURITY_SSL_ONLY, true); } private Settings.Builder getDisabledSettings() { - return Settings.builder() - .put(ConfigConstants.SECURITY_DISABLED, true); + return Settings.builder().put(ConfigConstants.SECURITY_DISABLED, true); } // Create index with shards only in adv sec nodes private String getIndexSettingsForAdvSec() { - return "{\n" + - " \"settings\" : {\n" + - " \"index\" : {\n" + - " \"number_of_shards\" : 2, \n" + - " \"number_of_replicas\" : 1, \n" + - " \"routing.allocation.include.custom_node\" : true \n" + - " }\n" + - " }\n" + - "}"; + return "{\n" + + " \"settings\" : {\n" + + " \"index\" : {\n" + + " \"number_of_shards\" : 2, \n" + + " \"number_of_replicas\" : 1, \n" + + " \"routing.allocation.include.custom_node\" : true \n" + + " }\n" + + " }\n" + + "}"; } // Create index with 
shards only in non adv sec nodes private String getIndexSettingForSSLOnlyNode() { - return "{\n" + - " \"settings\" : {\n" + - " \"index\" : {\n" + - " \"number_of_shards\" : 2, \n" + - " \"number_of_replicas\" : 1, \n" + - " \"routing.allocation.exclude.custom_node\" : true \n" + - " }\n" + - " }\n" + - "}"; + return "{\n" + + " \"settings\" : {\n" + + " \"index\" : {\n" + + " \"number_of_shards\" : 2, \n" + + " \"number_of_replicas\" : 1, \n" + + " \"routing.allocation.exclude.custom_node\" : true \n" + + " }\n" + + " }\n" + + "}"; } } diff --git a/src/test/java/org/opensearch/security/AggregationTests.java b/src/test/java/org/opensearch/security/AggregationTests.java index a8a0f94078..728965f82d 100644 --- a/src/test/java/org/opensearch/security/AggregationTests.java +++ b/src/test/java/org/opensearch/security/AggregationTests.java 
@@ -46,37 +46,74 @@ public class AggregationTests extends SingleClusterTest { @Test public void testBasicAggregations() throws Exception { - final Settings settings = Settings.builder() - .build(); + final Settings settings = Settings.builder().build(); setup(settings); final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("xyz").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - - tc.admin().indices().aliases(new 
IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("xyz").alias("alias1"))).actionGet(); + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.index(new 
IndexRequest("xyz").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf")) + ) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("xyz").alias("alias1"))) + .actionGet(); } HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_search?pretty", "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}",encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + "_search?pretty", + "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}", + encodeBasicHeader("nagilum", "nagilum") + )).getStatusCode() + ); System.out.println(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); 
@@ -89,7 +126,14 @@ public void testBasicAggregations() throws Exception { assertContains(res, "*role01_role02*"); assertContains(res, "*\"failed\" : 0*"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("*/_search?pretty", "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}",encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + "*/_search?pretty", + "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}", + encodeBasicHeader("nagilum", "nagilum") + )).getStatusCode() + ); System.out.println(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); @@ -102,7 +146,14 @@ public void testBasicAggregations() throws Exception { assertContains(res, "*role01_role02*"); assertContains(res, "*\"failed\" : 0*"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_search?pretty", "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}",encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + "_search?pretty", + "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}", + encodeBasicHeader("worf", "worf") + )).getStatusCode() + ); System.out.println(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); 
@@ -115,7 +166,14 @@ public void testBasicAggregations() throws Exception { assertContains(res, "*xyz*"); assertContains(res, "*\"failed\" : 0*"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executePostRequest("_search?pretty", "{\"size\":0,\"aggs\":{\"myindices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}",encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executePostRequest( + "_search?pretty", + "{\"size\":0,\"aggs\":{\"myindices\":{\"terms\":{\"field\":\"_index\",\"size\":40}}}}", + encodeBasicHeader("worf", "worf") + )).getStatusCode() + ); } diff --git a/src/test/java/org/opensearch/security/AlwaysFalseInterClusterRequestEvaluator.java b/src/test/java/org/opensearch/security/AlwaysFalseInterClusterRequestEvaluator.java index a0a1b8bb7b..b741dd2c70 100644 --- a/src/test/java/org/opensearch/security/AlwaysFalseInterClusterRequestEvaluator.java +++ b/src/test/java/org/opensearch/security/AlwaysFalseInterClusterRequestEvaluator.java @@ -32,7 +32,6 @@ import org.opensearch.security.transport.InterClusterRequestEvaluator; import org.opensearch.transport.TransportRequest; - public class AlwaysFalseInterClusterRequestEvaluator implements InterClusterRequestEvaluator { public AlwaysFalseInterClusterRequestEvaluator(Settings settings) { 
@@ -40,11 +39,19 @@ public AlwaysFalseInterClusterRequestEvaluator(Settings settings) { } @Override - public boolean isInterClusterRequest(TransportRequest request, X509Certificate[] localCerts, X509Certificate[] peerCerts, - String principal) { - - if(localCerts == null || peerCerts == null || principal == null - || localCerts.length == 0 || peerCerts.length == 0 || principal.length() == 0) { + public boolean isInterClusterRequest( + TransportRequest request, + X509Certificate[] localCerts, + X509Certificate[] peerCerts, + String principal + ) { + + if (localCerts == null + || peerCerts == null + || principal == null + || localCerts.length == 0 + || peerCerts.length == 0 + || principal.length() == 0) { return true; } diff --git a/src/test/java/org/opensearch/security/ConfigTests.java b/src/test/java/org/opensearch/security/ConfigTests.java index 3c083ac153..519faa612d 100644 --- a/src/test/java/org/opensearch/security/ConfigTests.java +++ b/src/test/java/org/opensearch/security/ConfigTests.java 
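Review bot: The reformatted guard in isInterClusterRequest returns `true` whenever localCerts, peerCerts or principal is null or empty, which reads against the class name AlwaysFalseInterClusterRequestEvaluator and is easy to mistake for a bug when this evaluator is reused in another test. A one-line comment above the `if` would pin the intent, e.g. `// Test double: a request carrying no peer certificates or principal is deliberately classified as inter-cluster here.` The remainder of the method, including whatever path returns false, lies outside the hunk, so the comment's wording should be checked against it.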
@@ -57,20 +57,29 @@ public void testEmptyConfig() throws Exception {
 @Test
 public void testMigrate() throws Exception {
- Tuple, SecurityDynamicConfiguration> rolesResult = Migration.migrateRoles((SecurityDynamicConfiguration)load("./legacy/securityconfig_v6/roles.yml", CType.ROLES),
- (SecurityDynamicConfiguration)load("./legacy/securityconfig_v6/roles_mapping.yml", CType.ROLESMAPPING));
+ Tuple, SecurityDynamicConfiguration> rolesResult = Migration.migrateRoles(
+ (SecurityDynamicConfiguration) load("./legacy/securityconfig_v6/roles.yml", CType.ROLES),
+ (SecurityDynamicConfiguration) load("./legacy/securityconfig_v6/roles_mapping.yml", CType.ROLESMAPPING)
+ );
 System.out.println(Strings.toString(XContentType.JSON, rolesResult.v2(), true, false));
 System.out.println(Strings.toString(XContentType.JSON, rolesResult.v1(), true, false));
-
- SecurityDynamicConfiguration actionGroupsResult = Migration.migrateActionGroups((SecurityDynamicConfiguration)load("./legacy/securityconfig_v6/action_groups.yml", CType.ACTIONGROUPS));
+ SecurityDynamicConfiguration actionGroupsResult = Migration.migrateActionGroups(
+ (SecurityDynamicConfiguration) load("./legacy/securityconfig_v6/action_groups.yml", CType.ACTIONGROUPS)
+ );
 System.out.println(Strings.toString(XContentType.JSON, actionGroupsResult, true, false));
- SecurityDynamicConfiguration configResult =Migration.migrateConfig((SecurityDynamicConfiguration)load("./legacy/securityconfig_v6/config.yml", CType.CONFIG));
+ SecurityDynamicConfiguration configResult = Migration.migrateConfig(
+ (SecurityDynamicConfiguration) load("./legacy/securityconfig_v6/config.yml", CType.CONFIG)
+ );
 System.out.println(Strings.toString(XContentType.JSON, configResult, true, false));
- SecurityDynamicConfiguration internalUsersResult = Migration.migrateInternalUsers((SecurityDynamicConfiguration)load("./legacy/securityconfig_v6/internal_users.yml", CType.INTERNALUSERS));
+ SecurityDynamicConfiguration internalUsersResult = Migration.migrateInternalUsers(
+ (SecurityDynamicConfiguration) load("./legacy/securityconfig_v6/internal_users.yml", CType.INTERNALUSERS)
+ );
 System.out.println(Strings.toString(XContentType.JSON, internalUsersResult, true, false));
- SecurityDynamicConfiguration rolemappingsResult = Migration.migrateRoleMappings((SecurityDynamicConfiguration)load("./legacy/securityconfig_v6/roles_mapping.yml", CType.ROLESMAPPING));
+ SecurityDynamicConfiguration rolemappingsResult = Migration.migrateRoleMappings(
+ (SecurityDynamicConfiguration) load("./legacy/securityconfig_v6/roles_mapping.yml", CType.ROLESMAPPING)
+ );
 System.out.println(Strings.toString(XContentType.JSON, rolemappingsResult, true, false));
 }
@@ -101,17 +110,16 @@ private void check(String file, CType cType) throws Exception {
 JsonNode jsonNode = YAML.readTree(FileUtils.readFileToString(new File(adjustedFilePath), "UTF-8"));
 int configVersion = 1;
 System.out.println("%%%%%%%% THIS IS A LINE OF INTEREST %%%%%%%");
- if(jsonNode.get("_meta") != null) {
+ if (jsonNode.get("_meta") != null) {
 Assert.assertEquals(jsonNode.get("_meta").get("type").asText(), cType.toLCString());
 configVersion = jsonNode.get("_meta").get("config_version").asInt();
 }
-
- System.out.println("%%%%%%%% THIS IS A LINE OF INTEREST: CONFIG VERSION: "+ configVersion + "%%%%%%%");
+ System.out.println("%%%%%%%% THIS IS A LINE OF INTEREST: CONFIG VERSION: " + configVersion + "%%%%%%%");
 SecurityDynamicConfiguration dc = load(file, cType);
 Assert.assertNotNull(dc);
- //Assert.assertTrue(dc.getCEntries().size() > 0);
+ // Assert.assertTrue(dc.getCEntries().size() > 0);
 String jsonSerialize = DefaultObjectMapper.objectMapper.writeValueAsString(dc);
 SecurityDynamicConfiguration conf = SecurityDynamicConfiguration.fromJson(jsonSerialize, cType, configVersion, 0, 0);
 SecurityDynamicConfiguration.fromJson(Strings.toString(XContentType.JSON, conf), cType, configVersion, 0, 0);
@@ -124,11 +132,11 @@ private SecurityDynamicConfiguration load(String file, CType cType) throws Ex
 int configVersion = 1;
 System.out.println("%%%%%%%% THIS IS A LINE OF INTEREST LOAD: CONFIG VERSION: %%%%%%%");
- if(jsonNode.get("_meta") != null) {
+ if (jsonNode.get("_meta") != null) {
 Assert.assertEquals(jsonNode.get("_meta").get("type").asText(), cType.toLCString());
 configVersion = jsonNode.get("_meta").get("config_version").asInt();
 }
- System.out.println("%%%%%%%% THIS IS A LINE OF INTEREST: CONFIG VERSION: "+ configVersion + "%%%%%%%");
+ System.out.println("%%%%%%%% THIS IS A LINE OF INTEREST: CONFIG VERSION: " + configVersion + "%%%%%%%");
 return SecurityDynamicConfiguration.fromNode(jsonNode, cType, configVersion, 0, 0);
 }
 }
diff --git a/src/test/java/org/opensearch/security/DataStreamIntegrationTests.java b/src/test/java/org/opensearch/security/DataStreamIntegrationTests.java
index 78c9ab7818..773244c7ea 100644
--- a/src/test/java/org/opensearch/security/DataStreamIntegrationTests.java
+++ b/src/test/java/org/opensearch/security/DataStreamIntegrationTests.java
@@ -19,25 +19,29 @@
 import org.opensearch.security.test.helper.rest.RestHelper;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
-
 public class DataStreamIntegrationTests extends SingleClusterTest {
- final String bulkDocsBody =
- "{ \"create\" : {} }" + System.lineSeparator() +
- "{ \"@timestamp\" : \"2099-03-08T11:04:05.000Z\", \"user\" : { \"id\" : \"vlb44hny\", \"name\": \"Sam\"}, \"message\" : \"Login attempt failed\" }" + System.lineSeparator() +
- "{ \"create\" : {} }" + System.lineSeparator() +
- "{ \"@timestamp\" : \"2099-03-08T11:04:05.000Z\", \"user\" : { \"id\" : \"8a4f500d\", \"name\": \"Dam\"}, \"message\" : \"Login successful\" }" + System.lineSeparator() +
- "{ \"create\" : {} }" + System.lineSeparator() +
- "{ \"@timestamp\" : \"2099-03-08T11:04:05.000Z\", \"user\" : { \"id\" : \"l7gk7f82\", \"name\": \"Pam\"}, \"message\" : \"Login attempt failed\" }" + System.lineSeparator();
+ final String bulkDocsBody = "{ \"create\" : {} }"
+ + System.lineSeparator()
+ + "{ \"@timestamp\" : \"2099-03-08T11:04:05.000Z\", \"user\" : { \"id\" : \"vlb44hny\", \"name\": \"Sam\"}, \"message\" : \"Login attempt failed\" }"
+ + System.lineSeparator()
+ + "{ \"create\" : {} }"
+ + System.lineSeparator()
+ + "{ \"@timestamp\" : \"2099-03-08T11:04:05.000Z\", \"user\" : { \"id\" : \"8a4f500d\", \"name\": \"Dam\"}, \"message\" : \"Login successful\" }"
+ + System.lineSeparator()
+ + "{ \"create\" : {} }"
+ + System.lineSeparator()
+ + "{ \"@timestamp\" : \"2099-03-08T11:04:05.000Z\", \"user\" : { \"id\" : \"l7gk7f82\", \"name\": \"Pam\"}, \"message\" : \"Login attempt failed\" }"
+ + System.lineSeparator();
 final String searchQuery1 = "{ \"seq_no_primary_term\" : true, \"query\": { \"match\": { \"user.id\": \"8a4f500d\"}}}";
 final String searchQuery2 = "{ \"seq_no_primary_term\" : true, \"query\": { \"match\": { \"user.id\": \"l7gk7f82\"}}}";
 public String getIndexTemplateBody() {
- return "{\"index_patterns\": [ \"my-data-stream*\" ], \"data_stream\": { }, \"priority\": 200, \"template\": {\"settings\": { } } }";
+ return "{\"index_patterns\": [ \"my-data-stream*\" ], \"data_stream\": { }, \"priority\": 200, \"template\": {\"settings\": { } } }";
 }
- public void createSampleDataStreams(RestHelper rh) throws Exception{
+ public void createSampleDataStreams(RestHelper rh) throws Exception {
 // Valid index-template is required to create data-streams
 rh.executePutRequest("/_index_template/my-data-stream-template", getIndexTemplateBody(), encodeBasicHeader("ds1", "nagilum"));
@@ -55,10 +59,18 @@ public void testCreateDataStream() throws Exception {
 RestHelper rh = nonSslRestHelper();
 HttpResponse response;
- response = rh.executePutRequest("/_index_template/my-data-stream-template", getIndexTemplateBody(), encodeBasicHeader("ds0", "nagilum"));
+ response = rh.executePutRequest(
+ "/_index_template/my-data-stream-template",
+ getIndexTemplateBody(),
+ encodeBasicHeader("ds0", "nagilum")
+ );
 Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
- response = rh.executePutRequest("/_index_template/my-data-stream-template", getIndexTemplateBody(), encodeBasicHeader("ds1", "nagilum"));
+ response = rh.executePutRequest(
+ "/_index_template/my-data-stream-template",
+ getIndexTemplateBody(),
+ encodeBasicHeader("ds1", "nagilum")
+ );
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 response = rh.executePutRequest("/_data_stream/my-data-stream11", getIndexTemplateBody(), encodeBasicHeader("ds0", "nagilum"));
diff --git a/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java b/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java
index 5535d8a924..462cd591e6 100644
--- a/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java
+++ b/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java
@@ -44,7 +44,7 @@ private void testSslOnlyMode(boolean dualModeEnabled) throws Exception {
 HttpResponse res = rh.executeGetRequest("_opendistro/_security/sslinfo");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- res = rh.executePutRequest("/xyz/_doc/1","{\"a\":5}");
+ res = rh.executePutRequest("/xyz/_doc/1", "{\"a\":5}");
 Assert.assertEquals(HttpStatus.SC_CREATED, res.getStatusCode());
 res = rh.executeGetRequest("/_mappings");
@@ -58,21 +58,29 @@ private void testSslOnlyMode(boolean dualModeEnabled) throws Exception {
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
 Assert.assertTrue(res.getBody().contains("\"plugins.security_config.ssl_dual_mode_enabled\":\"true\""));
- String disableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": false } }";
+ String disableDualModeClusterSetting = "{ \"persistent\": { \""
+ + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED
+ + "\": false } }";
 res = rh.executePutRequest("_cluster/settings", disableDualModeClusterSetting);
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"plugins\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"false\"}}},\"transient\":{}}", res.getBody());
-
+ Assert.assertEquals(
+ "{\"acknowledged\":true,\"persistent\":{\"plugins\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"false\"}}},\"transient\":{}}",
+ res.getBody()
+ );
 res = rh.executeGetRequest("_cluster/settings?flat_settings&include_defaults");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
 Assert.assertTrue(res.getBody().contains("\"plugins.security_config.ssl_dual_mode_enabled\":\"false\""));
- String enableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": true } }";
+ String enableDualModeClusterSetting = "{ \"persistent\": { \""
+ + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED
+ + "\": true } }";
 res = rh.executePutRequest("_cluster/settings", enableDualModeClusterSetting);
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"plugins\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"true\"}}},\"transient\":{}}", res.getBody());
-
+ Assert.assertEquals(
+ "{\"acknowledged\":true,\"persistent\":{\"plugins\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"true\"}}},\"transient\":{}}",
+ res.getBody()
+ );
 res = rh.executeGetRequest("_cluster/settings?flat_settings&include_defaults");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
@@ -80,8 +88,10 @@ private void testSslOnlyMode(boolean dualModeEnabled) throws Exception {
 res = rh.executePutRequest("_cluster/settings", disableDualModeClusterSetting);
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"plugins\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"false\"}}},\"transient\":{}}", res.getBody());
-
+ Assert.assertEquals(
+ "{\"acknowledged\":true,\"persistent\":{\"plugins\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"false\"}}},\"transient\":{}}",
+ res.getBody()
+ );
 res = rh.executeGetRequest("_cluster/settings?flat_settings&include_defaults");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
@@ -118,23 +128,19 @@ public void testSslOnlyModeDualModeWithNonSSLDataNode() throws Exception {
 @Test
 public void testDualModeSettingFallback() throws Exception {
 final Settings legacySettings = Settings.builder()
- .put(ConfigConstants.LEGACY_OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true)
- .build();
+ .put(ConfigConstants.LEGACY_OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true)
+ .build();
 Assert.assertEquals(SecuritySettings.SSL_DUAL_MODE_SETTING.get(legacySettings), true);
 final Settings legacySettings2 = Settings.builder()
- .put(ConfigConstants.LEGACY_OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false)
- .build();
+ .put(ConfigConstants.LEGACY_OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false)
+ .build();
 Assert.assertEquals(SecuritySettings.SSL_DUAL_MODE_SETTING.get(legacySettings2), false);
- final Settings settings = Settings.builder()
- .put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true)
- .build();
+ final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true).build();
 Assert.assertEquals(SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings), true);
- final Settings settings2 = Settings.builder()
- .put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false)
- .build();
+ final Settings settings2 = Settings.builder().put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false).build();
 Assert.assertEquals(SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings2), false);
 }
 }
diff --git a/src/test/java/org/opensearch/security/HealthTests.java b/src/test/java/org/opensearch/security/HealthTests.java
index 0785fd620f..a31e22dff4 100644
--- a/src/test/java/org/opensearch/security/HealthTests.java
+++ b/src/test/java/org/opensearch/security/HealthTests.java
@@ -44,7 +44,10 @@ public void testHealth() throws Exception {
 RestHelper rh = nonSslRestHelper();
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_opendistro/_security/health?pretty&mode=lenient")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("_opendistro/_security/health?pretty&mode=lenient")).getStatusCode()
+ );
 System.out.println(res.getBody());
 assertContains(res, "*UP*");
 assertNotContains(res, "*DOWN*");
@@ -63,13 +66,19 @@ public void testHealthUnitialized() throws Exception {
 RestHelper rh = nonSslRestHelper();
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_opendistro/_security/health?pretty&mode=lenient")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("_opendistro/_security/health?pretty&mode=lenient")).getStatusCode()
+ );
 System.out.println(res.getBody());
 assertContains(res, "*UP*");
 assertNotContains(res, "*DOWN*");
 assertNotContains(res, "*strict*");
- Assert.assertEquals(HttpStatus.SC_SERVICE_UNAVAILABLE, (res = rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_SERVICE_UNAVAILABLE,
+ (res = rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()
+ );
 System.out.println(res.getBody());
 assertContains(res, "*DOWN*");
 assertContains(res, "*strict*");
diff --git a/src/test/java/org/opensearch/security/HttpIntegrationTests.java b/src/test/java/org/opensearch/security/HttpIntegrationTests.java
index bf185e0972..a4011b05f6 100644
--- a/src/test/java/org/opensearch/security/HttpIntegrationTests.java
+++ b/src/test/java/org/opensearch/security/HttpIntegrationTests.java
@@ -64,205 +64,373 @@ public class HttpIntegrationTests extends SingleClusterTest { @Test public void testHTTPBasic() throws Exception { final Settings settings = Settings.builder() - .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") - .build(); + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".worf", "knuddel", "nonexists") + .build(); setup(settings); final RestHelper rh = nonSslRestHelper(); - try (Client tc = getClient()) { - tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("v2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("v3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - 
tc.index(new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))).actionGet(); - - } - - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("_search").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeDeleteRequest("nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest(".nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest(".opendistro_security/_doc/2", "{}",encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, rh.executeGetRequest(".opendistro_security/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, rh.executeGetRequest("xxxxyyyy/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("abc", "abc:abc")).getStatusCode()); - 
Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("userwithnopassword", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("userwithblankpassword", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "Basic "+"wrongheader")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "Basic ")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "Basic")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("picard", "picard")).getStatusCode()); - - for(int i=0; i< 10; i++) { - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode()); - } - - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("/theindex","{}",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_CREATED, rh.executePutRequest("/theindex/_doc/1?refresh=true","{\"a\":0}",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - //Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("/theindex/_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - //Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, 
rh.executeDeleteRequest("/theindex",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeDeleteRequest("/klingonempire",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_search", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeDeleteRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("/.opendistro_security/_close", null,encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("/.opendistro_security/_upgrade", null,encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest("/.opendistro_security/_mapping","{}",encodeBasicHeader("worf", "worf")).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest(".opendistro_security/_doc/2", "{}",encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest(".opendistro_security/_doc/0",encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeDeleteRequest(".opendistro_security/_doc/0",encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, 
rh.executePutRequest(".opendistro_security/_doc/0","{}",encodeBasicHeader("worf", "worf")).getStatusCode()); - - HttpResponse resc = rh.executeGetRequest("_cat/indices/public?v",encodeBasicHeader("bug108", "nagilum")); - Assert.assertTrue(resc.getBody().contains("green")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("role01_role02/_search?pretty",encodeBasicHeader("user_role01_role02_role03", "user_role01_role02_role03")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("role01_role02/_search?pretty",encodeBasicHeader("user_role01", "user_role01")).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("spock/_search?pretty",encodeBasicHeader("spock", "spock")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("spock/_search?pretty",encodeBasicHeader("kirk", "kirk")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("kirk/_search?pretty",encodeBasicHeader("kirk", "kirk")).getStatusCode()); - - //all - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest(".opendistro_security/_mget","{\"ids\" : [\"0\"]}",encodeBasicHeader("worf", "worf")).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode()); - - try (Client tc = getClient()) { - tc.index(new IndexRequest(".opendistro_security").id("roles").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("roles", FileHelper.readYamlContent("roles_deny.yml"))).actionGet(); - ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"roles"})).actionGet(); - Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size()); - } - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", 
"worf")).getStatusCode()); - - try (Client tc = getClient()) { - tc.index(new IndexRequest(".opendistro_security").id("roles").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("roles", FileHelper.readYamlContent("roles.yml"))).actionGet(); - ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"roles"})).actionGet(); - Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size()); - } - - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode()); - HttpResponse res = rh.executeGetRequest("_search?pretty", encodeBasicHeader("nagilum", "nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("\"value\" : 11")); - Assert.assertTrue(!res.getBody().contains(".opendistro_security")); - - res = rh.executeGetRequest("_nodes/stats?pretty", encodeBasicHeader("nagilum", "nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("total_in_bytes")); - Assert.assertTrue(res.getBody().contains("max_file_descriptors")); - Assert.assertTrue(res.getBody().contains("buffer_pools")); - Assert.assertFalse(res.getBody().contains("\"nodes\" : { }")); - - res = rh.executePostRequest("*/_upgrade", "", encodeBasicHeader("nagilum", "nagilum")); - System.out.println(res.getBody()); - System.out.println(res.getStatusReason()); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - - String bulkBody = - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field1\" : \"value1\" }" +System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator(); - - res = rh.executePostRequest("_bulk", bulkBody, encodeBasicHeader("writer", "writer")); - System.out.println(res.getBody()); - 
Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("\"errors\":false")); - Assert.assertTrue(res.getBody().contains("\"status\":201")); - - res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("security_tenant", "unittesttenant"), encodeBasicHeader("worf", "worf")); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("tenant")); - Assert.assertTrue(res.getBody().contains("unittesttenant")); - Assert.assertTrue(res.getBody().contains("\"kltentrw\":true")); - Assert.assertTrue(res.getBody().contains("\"user_name\":\"worf\"")); - - res = rh.executeGetRequest("_opendistro/_security/authinfo", encodeBasicHeader("worf", "worf")); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("tenant")); - Assert.assertTrue(res.getBody().contains("\"user_requested_tenant\":null")); - Assert.assertTrue(res.getBody().contains("\"kltentrw\":true")); - Assert.assertTrue(res.getBody().contains("\"user_name\":\"worf\"")); - Assert.assertTrue(res.getBody().contains("\"custom_attribute_names\":[]")); - Assert.assertFalse(res.getBody().contains("attributes=")); - - res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("custattr", "nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("tenants")); - Assert.assertTrue(res.getBody().contains("\"user_requested_tenant\" : null")); - Assert.assertTrue(res.getBody().contains("\"user_name\" : \"custattr\"")); - Assert.assertTrue(res.getBody().contains("\"custom_attribute_names\" : [")); - Assert.assertTrue(res.getBody().contains("attr.internal.c3")); - Assert.assertTrue(res.getBody().contains("attr.internal.c1")); - - res = rh.executeGetRequest("v2/_search", encodeBasicHeader("custattr", "nagilum")); - Assert.assertEquals(res.getBody(), HttpStatus.SC_OK, res.getStatusCode()); - 
- res = rh.executeGetRequest("v3/_search", encodeBasicHeader("custattr", "nagilum")); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - - final String reindex = "{"+ - "\"source\": {"+ - "\"index\": \"starfleet\""+ - "},"+ - "\"dest\": {"+ - "\"index\": \"copysf\""+ - "}"+ - "}"; - - res = rh.executePostRequest("_reindex?pretty", reindex, encodeBasicHeader("nagilum", "nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("\"total\" : 1")); - Assert.assertTrue(res.getBody().contains("\"batches\" : 1")); - Assert.assertTrue(res.getBody().contains("\"failures\" : [ ]")); - - //rest impersonation - res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as","knuddel"), encodeBasicHeader("worf", "worf")); - Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody().contains("name=knuddel")); - Assert.assertTrue(res.getBody().contains("attr.internal.test1")); - Assert.assertFalse(res.getBody().contains("worf")); - - res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as","nonexists"), encodeBasicHeader("worf", "worf")); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - - res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as","notallowed"), encodeBasicHeader("worf", "worf")); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); + try (Client tc = getClient()) { + tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new 
IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("v2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("v3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf")) + ) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))) + .actionGet(); + + } + + Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("").getStatusCode()); + Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, 
rh.executeGetRequest("_search").getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeDeleteRequest("nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest(".nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executePutRequest(".opendistro_security/_doc/2", "{}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_NOT_FOUND,
+ rh.executeGetRequest(".opendistro_security/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_NOT_FOUND,
+ rh.executeGetRequest("xxxxyyyy/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()
+ );
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("abc", "abc:abc")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_UNAUTHORIZED,
+ rh.executeGetRequest("", encodeBasicHeader("userwithnopassword", "")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_UNAUTHORIZED,
+ rh.executeGetRequest("", encodeBasicHeader("userwithblankpassword", "")).getStatusCode()
+ );
+ Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_UNAUTHORIZED,
+ rh.executeGetRequest("", new BasicHeader("Authorization", "Basic " + "wrongheader")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_UNAUTHORIZED,
+ rh.executeGetRequest("", new BasicHeader("Authorization", "Basic ")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_UNAUTHORIZED,
+ 
rh.executeGetRequest("", new BasicHeader("Authorization", "Basic")).getStatusCode()
+ );
+ Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "")).getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("picard", "picard")).getStatusCode());
+
+ for (int i = 0; i < 10; i++) {
+ Assert.assertEquals(
+ HttpStatus.SC_UNAUTHORIZED,
+ rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode()
+ );
 }
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executePutRequest("/theindex", "{}", encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_CREATED,
+ rh.executePutRequest("/theindex/_doc/1?refresh=true", "{\"a\":0}", encodeBasicHeader("theindexadmin", "theindexadmin"))
+ .getStatusCode()
+ );
+ // Assert.assertEquals(HttpStatus.SC_OK,
+ // rh.executeGetRequest("/theindex/_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin",
+ // "theindexadmin")).getStatusCode());
+ // Assert.assertEquals(HttpStatus.SC_FORBIDDEN,
+ // rh.executeGetRequest("_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeDeleteRequest("/theindex", encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executeDeleteRequest("/klingonempire", encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()
+ );
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search", encodeBasicHeader("worf", "worf")).getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_search", encodeBasicHeader("worf", "worf")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ 
Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executeDeleteRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executePostRequest("/.opendistro_security/_close", null, encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executePostRequest("/.opendistro_security/_upgrade", null, encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executePutRequest("/.opendistro_security/_mapping", "{}", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executeGetRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executePutRequest(".opendistro_security/_doc/2", "{}", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executeGetRequest(".opendistro_security/_doc/0", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executeDeleteRequest(".opendistro_security/_doc/0", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executePutRequest(".opendistro_security/_doc/0", "{}", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+
+ HttpResponse resc = rh.executeGetRequest("_cat/indices/public?v", encodeBasicHeader("bug108", "nagilum"));
+ Assert.assertTrue(resc.getBody().contains("green"));
+ Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest(
+ "role01_role02/_search?pretty",
+ encodeBasicHeader("user_role01_role02_role03", "user_role01_role02_role03")
+ ).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ 
rh.executeGetRequest("role01_role02/_search?pretty", encodeBasicHeader("user_role01", "user_role01")).getStatusCode()
+ );
+
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest("spock/_search?pretty", encodeBasicHeader("spock", "spock")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executeGetRequest("spock/_search?pretty", encodeBasicHeader("kirk", "kirk")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest("kirk/_search?pretty", encodeBasicHeader("kirk", "kirk")).getStatusCode()
+ );
+
+ // all
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executePostRequest(".opendistro_security/_mget", "{\"ids\" : [\"0\"]}", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+
+ try (Client tc = getClient()) {
+ tc.index(
+ new IndexRequest(".opendistro_security").id("roles")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("roles", FileHelper.readYamlContent("roles_deny.yml"))
+ ).actionGet();
+ ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[] { "roles" }))
+ .actionGet();
+ Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size());
+ }
+
+ Assert.assertEquals(
+ HttpStatus.SC_FORBIDDEN,
+ rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode()
+ );
+
+ try (Client tc = getClient()) {
+ tc.index(
+ new IndexRequest(".opendistro_security").id("roles")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("roles", FileHelper.readYamlContent("roles.yml"))
+ ).actionGet();
+ ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[] { "roles" }))
+ .actionGet();
+ Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size());
+ }
+
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ 
rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + HttpResponse res = rh.executeGetRequest("_search?pretty", encodeBasicHeader("nagilum", "nagilum")); + Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); + Assert.assertTrue(res.getBody().contains("\"value\" : 11")); + Assert.assertTrue(!res.getBody().contains(".opendistro_security")); + + res = rh.executeGetRequest("_nodes/stats?pretty", encodeBasicHeader("nagilum", "nagilum")); + Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); + Assert.assertTrue(res.getBody().contains("total_in_bytes")); + Assert.assertTrue(res.getBody().contains("max_file_descriptors")); + Assert.assertTrue(res.getBody().contains("buffer_pools")); + Assert.assertFalse(res.getBody().contains("\"nodes\" : { }")); + + res = rh.executePostRequest("*/_upgrade", "", encodeBasicHeader("nagilum", "nagilum")); + System.out.println(res.getBody()); + System.out.println(res.getStatusReason()); + Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); + + String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"field1\" : \"value1\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator(); + + res = rh.executePostRequest("_bulk", bulkBody, encodeBasicHeader("writer", "writer")); + System.out.println(res.getBody()); + Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); + Assert.assertTrue(res.getBody().contains("\"errors\":false")); + Assert.assertTrue(res.getBody().contains("\"status\":201")); + + res = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader("security_tenant", "unittesttenant"), + encodeBasicHeader("worf", "worf") + ); + Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); + Assert.assertTrue(res.getBody().contains("tenant")); + 
Assert.assertTrue(res.getBody().contains("unittesttenant")); + Assert.assertTrue(res.getBody().contains("\"kltentrw\":true")); + Assert.assertTrue(res.getBody().contains("\"user_name\":\"worf\"")); + + res = rh.executeGetRequest("_opendistro/_security/authinfo", encodeBasicHeader("worf", "worf")); + Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); + Assert.assertTrue(res.getBody().contains("tenant")); + Assert.assertTrue(res.getBody().contains("\"user_requested_tenant\":null")); + Assert.assertTrue(res.getBody().contains("\"kltentrw\":true")); + Assert.assertTrue(res.getBody().contains("\"user_name\":\"worf\"")); + Assert.assertTrue(res.getBody().contains("\"custom_attribute_names\":[]")); + Assert.assertFalse(res.getBody().contains("attributes=")); + + res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("custattr", "nagilum")); + Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); + Assert.assertTrue(res.getBody().contains("tenants")); + Assert.assertTrue(res.getBody().contains("\"user_requested_tenant\" : null")); + Assert.assertTrue(res.getBody().contains("\"user_name\" : \"custattr\"")); + Assert.assertTrue(res.getBody().contains("\"custom_attribute_names\" : [")); + Assert.assertTrue(res.getBody().contains("attr.internal.c3")); + Assert.assertTrue(res.getBody().contains("attr.internal.c1")); + + res = rh.executeGetRequest("v2/_search", encodeBasicHeader("custattr", "nagilum")); + Assert.assertEquals(res.getBody(), HttpStatus.SC_OK, res.getStatusCode()); + + res = rh.executeGetRequest("v3/_search", encodeBasicHeader("custattr", "nagilum")); + Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); + + final String reindex = "{" + + "\"source\": {" + + "\"index\": \"starfleet\"" + + "}," + + "\"dest\": {" + + "\"index\": \"copysf\"" + + "}" + + "}"; + + res = rh.executePostRequest("_reindex?pretty", reindex, encodeBasicHeader("nagilum", "nagilum")); + Assert.assertEquals(HttpStatus.SC_OK, 
res.getStatusCode());
+ Assert.assertTrue(res.getBody().contains("\"total\" : 1"));
+ Assert.assertTrue(res.getBody().contains("\"batches\" : 1"));
+ Assert.assertTrue(res.getBody().contains("\"failures\" : [ ]"));
+
+ // rest impersonation
+ res = rh.executeGetRequest(
+ "_opendistro/_security/authinfo",
+ new BasicHeader("opendistro_security_impersonate_as", "knuddel"),
+ encodeBasicHeader("worf", "worf")
+ );
+ Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
+ Assert.assertTrue(res.getBody().contains("name=knuddel"));
+ Assert.assertTrue(res.getBody().contains("attr.internal.test1"));
+ Assert.assertFalse(res.getBody().contains("worf"));
+
+ res = rh.executeGetRequest(
+ "_opendistro/_security/authinfo",
+ new BasicHeader("opendistro_security_impersonate_as", "nonexists"),
+ encodeBasicHeader("worf", "worf")
+ );
+ Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode());
+
+ res = rh.executeGetRequest(
+ "_opendistro/_security/authinfo",
+ new BasicHeader("opendistro_security_impersonate_as", "notallowed"),
+ encodeBasicHeader("worf", "worf")
+ );
+ Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode());
+ }
+
 @Test
 public void testHTTPSCompressionEnabled() throws Exception {
 final Settings settings = Settings.builder()
- .put("plugins.security.ssl.http.enabled",true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
- .put("http.compression",true)
- .build();
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("http.compression", true)
+ .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), 
settings, true);
- final RestHelper rh = restHelper(); //ssl resthelper
+ final RestHelper rh = restHelper(); // ssl resthelper
 HttpResponse res = rh.executeGetRequest("_opendistro/_security/sslinfo", encodeBasicHeader("nagilum", "nagilum"));
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
@@ -278,12 +446,12 @@ public void testHTTPSCompressionEnabled() throws Exception {
 @Test
 public void testHTTPSCompression() throws Exception {
 final Settings settings = Settings.builder()
- .put("plugins.security.ssl.http.enabled",true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
- .build();
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true);
- final RestHelper rh = restHelper(); //ssl resthelper
+ final RestHelper rh = restHelper(); // ssl resthelper
 HttpResponse res = rh.executeGetRequest("_opendistro/_security/sslinfo", encodeBasicHeader("nagilum", "nagilum"));
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
@@ -299,64 +467,78 @@ public void testHTTPSCompression() throws Exception {
 @Test
 public void testHTTPAnon() throws Exception {
- setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_anon.yml"), Settings.EMPTY, true);
+ setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_anon.yml"), Settings.EMPTY, true);
- RestHelper rh = nonSslRestHelper();
+ RestHelper rh = nonSslRestHelper();
+
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("").getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrong")).getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
+
+ HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo");
+ Assert.assertTrue(resc.getBody().contains("opendistro_security_anonymous"));
+ Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+ resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty=true");
+ System.out.println(resc.getBody());
+ Assert.assertTrue(resc.getBody().contains("\"remote_address\" : \"")); // check pretty print
+ Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+ resc = rh.executeGetRequest("_opendistro/_security/authinfo", encodeBasicHeader("nagilum", "nagilum"));
+ System.out.println(resc.getBody());
+ Assert.assertTrue(resc.getBody().contains("nagilum"));
+ Assert.assertFalse(resc.getBody().contains("opendistro_security_anonymous"));
+ Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+ try (Client tc = getClient()) {
+ tc.index(
+ new IndexRequest(".opendistro_security").id("config")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("config", FileHelper.readYamlContent("config.yml"))
+ ).actionGet();
+ tc.index(
+ new IndexRequest(".opendistro_security").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("internalusers")
+ .source("internalusers", 
FileHelper.readYamlContent("internal_users.yml"))
+ ).actionGet();
+ ConfigUpdateResponse cur = tc.execute(
+ ConfigUpdateAction.INSTANCE,
+ new ConfigUpdateRequest(new String[] { "config", "roles", "rolesmapping", "internalusers", "actiongroups" })
+ ).actionGet();
+ Assert.assertFalse(cur.hasFailures());
+ Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size());
+ }
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("").getStatusCode());
- Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrong")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
-
- HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo");
- Assert.assertTrue(resc.getBody().contains("opendistro_security_anonymous"));
- Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
-
- resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty=true");
- System.out.println(resc.getBody());
- Assert.assertTrue(resc.getBody().contains("\"remote_address\" : \"")); //check pretty print
- Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
-
- resc = rh.executeGetRequest("_opendistro/_security/authinfo", encodeBasicHeader("nagilum", "nagilum"));
- System.out.println(resc.getBody());
- Assert.assertTrue(resc.getBody().contains("nagilum"));
- Assert.assertFalse(resc.getBody().contains("opendistro_security_anonymous"));
- Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
-
- try (Client tc = getClient()) {
- tc.index(new IndexRequest(".opendistro_security").id("config").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("config", FileHelper.readYamlContent("config.yml"))).actionGet();
- tc.index(new IndexRequest(".opendistro_security").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("internalusers").source("internalusers", FileHelper.readYamlContent("internal_users.yml"))).actionGet();
- ConfigUpdateResponse 
cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config","roles","rolesmapping","internalusers","actiongroups"})).actionGet();
- Assert.assertFalse(cur.hasFailures());
- Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size());
- }
-
-
- Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("").getStatusCode());
- Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("_opendistro/_security/authinfo").getStatusCode());
- Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrong")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("").getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("_opendistro/_security/authinfo").getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrong")).getStatusCode());
+ Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
 }
 @Test
 public void testHTTPClientCert() throws Exception {
 final Settings settings = Settings.builder()
- .put("plugins.security.ssl.http.clientauth_mode","REQUIRE")
- .put("plugins.security.ssl.http.enabled",true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
- .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2")
- .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
- .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2")
- 
.putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
- .build();
+ .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1", "TLSv1.2")
+ .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
+ .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1", "TLSv1.2")
+ .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
+ .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_clientcert.yml"), settings, true);
 try (Client tc = getClient()) {
- tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
+ tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON))
+ .actionGet();
- ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config","roles","rolesmapping","internalusers","actiongroups"})).actionGet();
+ ConfigUpdateResponse cur = tc.execute(
+ ConfigUpdateAction.INSTANCE,
+ new ConfigUpdateRequest(new String[] { "config", "roles", "rolesmapping", "internalusers", "actiongroups" })
+ ).actionGet();
 Assert.assertFalse(cur.hasFailures());
 Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size());
 }
@@ -383,10 +565,10 @@ public void testHTTPPlaintextErrMsg() throws Exception {
 try {
 final Settings settings = Settings.builder()
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
- .put("plugins.security.ssl.http.enabled", true)
- .build();
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.enabled", true)
+ .build();
 setup(settings);
 RestHelper rh = nonSslRestHelper();
 rh.executeGetRequest("", encodeBasicHeader("worf", "worf"));
@@ -395,12 +577,11 @@ public void testHTTPPlaintextErrMsg() throws Exception {
 String log = FileUtils.readFileToString(new File("unittest.log"), StandardCharsets.UTF_8);
 Assert.assertTrue(log, log.contains("speaks http plaintext instead of ssl, will close the channel"));
 } catch (Exception e) {
- Assert.fail("NoHttpResponseException expected but was "+e.getClass()+"#"+e.getMessage());
+ Assert.fail("NoHttpResponseException expected but was " + e.getClass() + "#" + e.getMessage());
 }
 }
-
 @Test
 public void testHTTPProxyDefault() throws Exception {
 setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_proxy.yml"), Settings.EMPTY, true);
@@ -408,13 +589,62 @@ public void testHTTPProxyDefault() throws Exception {
 Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("").getStatusCode());
 Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),new BasicHeader("x-proxy-user", "scotty"), encodeBasicHeader("nagilum-wrong", "nagilum-wrong")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),new BasicHeader("x-proxy-user-wrong", "scotty"), encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "a"),new BasicHeader("x-proxy-user", "scotty"), encodeBasicHeader("nagilum-wrong", "nagilum-wrong")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "a,b,c"),new BasicHeader("x-proxy-user", "scotty")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),new BasicHeader("x-proxy-user", "scotty")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),new BasicHeader("X-Proxy-User", "scotty")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),new BasicHeader("x-proxy-user", "scotty"),new BasicHeader("x-proxy-roles", "starfleet,engineer")).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest(
+ "",
+ new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),
+ new 
BasicHeader("x-proxy-user", "scotty"),
+ encodeBasicHeader("nagilum-wrong", "nagilum-wrong")
+ ).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest(
+ "",
+ new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),
+ new BasicHeader("x-proxy-user-wrong", "scotty"),
+ encodeBasicHeader("nagilum", "nagilum")
+ ).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_INTERNAL_SERVER_ERROR,
+ rh.executeGetRequest(
+ "",
+ new BasicHeader("x-forwarded-for", "a"),
+ new BasicHeader("x-proxy-user", "scotty"),
+ encodeBasicHeader("nagilum-wrong", "nagilum-wrong")
+ ).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_INTERNAL_SERVER_ERROR,
+ rh.executeGetRequest("", new BasicHeader("x-forwarded-for", "a,b,c"), new BasicHeader("x-proxy-user", "scotty")).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest(
+ "",
+ new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),
+ new BasicHeader("x-proxy-user", "scotty")
+ ).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest(
+ "",
+ new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),
+ new BasicHeader("X-Proxy-User", "scotty")
+ ).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executeGetRequest(
+ "",
+ new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),
+ new BasicHeader("x-proxy-user", "scotty"),
+ new BasicHeader("x-proxy-roles", "starfleet,engineer")
+ ).getStatusCode()
+ );
 }
@@ -423,119 +653,260 @@ public void testHTTPProxyRolesSeparator() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_proxy_custom.yml"), Settings.EMPTY, true); RestHelper rh = nonSslRestHelper(); // separator is configured as ";" so separating roles with "," leads to one (wrong) backend role - HttpResponse res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),new BasicHeader("user", "scotty"),new BasicHeader("roles", "starfleet,engineer")); - Assert.assertTrue("Expected one backend role since separator is incorrect", res.getBody().contains("\"backend_roles\":[\"starfleet,engineer\"]")); + HttpResponse res = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"), + new BasicHeader("user", "scotty"), + new BasicHeader("roles", "starfleet,engineer") + ); + Assert.assertTrue( + "Expected one backend role since separator is incorrect", + res.getBody().contains("\"backend_roles\":[\"starfleet,engineer\"]") + ); // correct separator, now we should see two backend roles - res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"),new BasicHeader("user", "scotty"),new BasicHeader("roles", "starfleet;engineer")); - Assert.assertTrue("Expected two backend roles string since separator is correct: " + res.getBody(), res.getBody().contains("\"backend_roles\":[\"starfleet\",\"engineer\"]")); + res = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader("x-forwarded-for", "localhost,192.168.0.1,10.0.0.2"), + new BasicHeader("user", "scotty"), + new BasicHeader("roles", "starfleet;engineer") + ); + Assert.assertTrue( + "Expected two backend roles string since separator is correct: " + res.getBody(), + res.getBody().contains("\"backend_roles\":[\"starfleet\",\"engineer\"]") + ); } @Test - public void 
testHTTPBasic2() throws Exception { - - setup(Settings.EMPTY, new DynamicSecurityConfig(), Settings.EMPTY); + public void testHTTPBasic2() throws Exception { - try (Client tc = getClient()) { + setup(Settings.EMPTY, new DynamicSecurityConfig(), Settings.EMPTY); - tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + try (Client tc = getClient()) { - tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet(); - tc.admin().indices().aliases(new 
IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))).actionGet(); - } + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index( + new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.index( + new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf")) + ) + .actionGet(); 
+ tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))) + .actionGet(); + } - RestHelper rh = nonSslRestHelper(); + RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeDeleteRequest("nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest(".nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest(".opendistro_security/_doc/2", "{}",encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, rh.executeGetRequest(".opendistro_security/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, rh.executeGetRequest("xxxxyyyy/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("abc", "abc:abc")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("userwithnopassword", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("userwithblankpassword", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "Basic 
"+"wrongheader")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "Basic ")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "Basic")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("picard", "picard")).getStatusCode()); - - for(int i=0; i< 10; i++) { - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode()); - } - - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("/theindex","{}",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_CREATED, rh.executePutRequest("/theindex/_doc/1?refresh=true","{\"a\":0}",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - //Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("/theindex/_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - //Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeDeleteRequest("/theindex",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeDeleteRequest("/klingonempire",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_search", encodeBasicHeader("worf", "worf")).getStatusCode()); - 
Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeDeleteRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("/.opendistro_security/_close", null,encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("/.opendistro_security/_upgrade", null,encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest("/.opendistro_security/_mapping","{}",encodeBasicHeader("worf", "worf")).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest(".opendistro_security/_doc/2", "{}",encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest(".opendistro_security/_doc/0",encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeDeleteRequest(".opendistro_security/_doc/0",encodeBasicHeader("worf", "worf")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest(".opendistro_security/_doc/0","{}",encodeBasicHeader("worf", "worf")).getStatusCode()); - - HttpResponse resc = rh.executeGetRequest("_cat/indices/public",encodeBasicHeader("bug108", "nagilum")); - System.out.println(resc.getBody()); - //Assert.assertTrue(resc.getBody().contains("green")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("role01_role02/_search?pretty",encodeBasicHeader("user_role01_role02_role03", "user_role01_role02_role03")).getStatusCode()); - 
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("role01_role02/_search?pretty",encodeBasicHeader("user_role01", "user_role01")).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("spock/_search?pretty",encodeBasicHeader("spock", "spock")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("spock/_search?pretty",encodeBasicHeader("kirk", "kirk")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("kirk/_search?pretty",encodeBasicHeader("kirk", "kirk")).getStatusCode()); - - System.out.println("ok"); - //all + Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("").getStatusCode()); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeDeleteRequest("nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest(".nonexistentindex*", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest(".opendistro_security/_doc/2", "{}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + rh.executeGetRequest(".opendistro_security/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + rh.executeGetRequest("xxxxyyyy/_doc/0", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("abc", "abc:abc")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executeGetRequest("", encodeBasicHeader("userwithnopassword", 
"")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executeGetRequest("", encodeBasicHeader("userwithblankpassword", "")).getStatusCode() + ); + Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executeGetRequest("", new BasicHeader("Authorization", "Basic " + "wrongheader")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executeGetRequest("", new BasicHeader("Authorization", "Basic ")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executeGetRequest("", new BasicHeader("Authorization", "Basic")).getStatusCode() + ); + Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", new BasicHeader("Authorization", "")).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("picard", "picard")).getStatusCode()); + + for (int i = 0; i < 10; i++) { + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executeGetRequest("", encodeBasicHeader("worf", "wrongpasswd")).getStatusCode() + ); + } + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest("/theindex", "{}", encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_CREATED, + rh.executePutRequest("/theindex/_doc/1?refresh=true", "{\"a\":0}", encodeBasicHeader("theindexadmin", "theindexadmin")) + .getStatusCode() + ); + // Assert.assertEquals(HttpStatus.SC_OK, + // rh.executeGetRequest("/theindex/_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin", + // "theindexadmin")).getStatusCode()); + // Assert.assertEquals(HttpStatus.SC_FORBIDDEN, + // rh.executeGetRequest("_analyze?text=this+is+a+test",encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeDeleteRequest("/theindex", 
encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeDeleteRequest("/klingonempire", encodeBasicHeader("theindexadmin", "theindexadmin")).getStatusCode() + ); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("starfleet/_search", encodeBasicHeader("worf", "worf")).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_search", encodeBasicHeader("worf", "worf")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeDeleteRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest("/.opendistro_security/_close", null, encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest("/.opendistro_security/_upgrade", null, encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("/.opendistro_security/_mapping", "{}", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeGetRequest(".opendistro_security/", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest(".opendistro_security/_doc/2", "{}", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeGetRequest(".opendistro_security/_doc/0", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeDeleteRequest(".opendistro_security/_doc/0", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + Assert.assertEquals( + 
HttpStatus.SC_FORBIDDEN, + rh.executePutRequest(".opendistro_security/_doc/0", "{}", encodeBasicHeader("worf", "worf")).getStatusCode() + ); + + HttpResponse resc = rh.executeGetRequest("_cat/indices/public", encodeBasicHeader("bug108", "nagilum")); + System.out.println(resc.getBody()); + // Assert.assertTrue(resc.getBody().contains("green")); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest( + "role01_role02/_search?pretty", + encodeBasicHeader("user_role01_role02_role03", "user_role01_role02_role03") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeGetRequest("role01_role02/_search?pretty", encodeBasicHeader("user_role01", "user_role01")).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("spock/_search?pretty", encodeBasicHeader("spock", "spock")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeGetRequest("spock/_search?pretty", encodeBasicHeader("kirk", "kirk")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("kirk/_search?pretty", encodeBasicHeader("kirk", "kirk")).getStatusCode() + ); + + System.out.println("ok"); + // all - } + } @Test public void testBulk() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles_bulk.yml"), settings); final RestHelper rh = nonSslRestHelper(); - String bulkBody = - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field1\" : \"value1\" }" +System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" 
}"+System.lineSeparator(); + String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"field1\" : \"value1\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator(); HttpResponse res = rh.executePostRequest("_bulk", bulkBody, encodeBasicHeader("bulk", "nagilum")); System.out.println(res.getBody()); @@ -546,17 +917,18 @@ public void testBulk() throws Exception { @Test public void testBulkWithOneIndexFailure() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles_bulk.yml"), settings); final RestHelper rh = nonSslRestHelper(); - String bulkBody = - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"a\" : \"b\" }" +System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"a\" : \"b\" }"+System.lineSeparator(); + String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"a\" : \"b\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"a\" : \"b\" }" + + System.lineSeparator(); HttpResponse res = rh.executePostRequest("_bulk?refresh=true", bulkBody, encodeBasicHeader("bulk_test_user", "nagilum")); System.out.println(res.getBody()); 
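Review bot: The reformatted testHTTPBasic2 body keeps `System.out.println(resc.getBody());` and `System.out.println("ok");`, and the disabled `_analyze` assertions are now reflowed into three-line `//` comments, which reads worse than the single-line originals and still gives no reason for being disabled; the same `System.out.println(res.getBody());` pattern is carried over in the testBulk hunk that follows and in the test557 hunk below it. The smallest follow-up is to delete the commented-out assertions or replace them with one comment stating why they are not asserted, e.g. `// _analyze permission checks are intentionally not asserted here: <reason>`. The ten-iteration loop of `encodeBasicHeader("worf", "wrongpasswd")` requests also has no comment on what it exercises (presumably that repeated failures keep returning 401 with no change in behaviour); `// repeated bad credentials must keep returning 401` would state it.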
@@ -569,30 +941,40 @@ public void testBulkWithOneIndexFailure() throws Exception { @Test public void test557() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); try (Client tc = getClient()) { tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); } final RestHelper rh = nonSslRestHelper(); - HttpResponse res = rh.executePostRequest("/*/_search", "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":10}}}}", encodeBasicHeader("nagilum", "nagilum")); + HttpResponse res = rh.executePostRequest( + "/*/_search", + "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":10}}}}", + encodeBasicHeader("nagilum", "nagilum") + ); System.out.println(res.getBody()); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); 
Assert.assertTrue(res.getBody().contains("starfleet_academy")); - res = rh.executePostRequest("/*/_search", "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":10}}}}", encodeBasicHeader("557", "nagilum")); + res = rh.executePostRequest( + "/*/_search", + "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":10}}}}", + encodeBasicHeader("557", "nagilum") + ); System.out.println(res.getBody()); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); Assert.assertTrue(res.getBody().contains("starfleet_academy")); 
@@ -600,25 +982,52 @@ public void test557() throws Exception { @Test public void testITT1635() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_dnfof.yml").setSecurityRoles("roles_itt1635.yml"), settings); try (Client tc = getClient()) { - tc.index(new IndexRequest("esb-prod-1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("esb-prod-2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("esb-prod-3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("esb-prod-4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":4}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("esb-prod-5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":5}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-1","esb-prod-2","esb-prod-3","esb-prod-4","esb-prod-5").alias("esb-prod-all"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-1").alias("esb-alias-1"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-2").alias("esb-alias-2"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-3").alias("esb-alias-3"))).actionGet(); - tc.admin().indices().aliases(new 
IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-4").alias("esb-alias-4"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-5").alias("esb-alias-5"))).actionGet(); + tc.index(new IndexRequest("esb-prod-1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("esb-prod-2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("esb-prod-3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("esb-prod-4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":4}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("esb-prod-5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":5}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add() + .indices("esb-prod-1", "esb-prod-2", "esb-prod-3", "esb-prod-4", "esb-prod-5") + .alias("esb-prod-all") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-1").alias("esb-alias-1"))) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-2").alias("esb-alias-2"))) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-3").alias("esb-alias-3"))) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-4").alias("esb-alias-4"))) + .actionGet(); + tc.admin() + .indices() + .aliases(new 
IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-5").alias("esb-alias-5"))) + .actionGet(); } 
@@ -637,39 +1046,72 @@ public void testITT1635() throws Exception { @Test public void testTenantInfo() throws Exception { - final Settings settings = Settings.builder() - .build(); + final Settings settings = Settings.builder().build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); /* [admin_1, praxisrw, abcdef_2_2, kltentro, praxisro, kltentrw] - admin_1==.kibana_-1139640511_admin1 - praxisrw==.kibana_-1386441176_praxisrw - abcdef_2_2==.kibana_-634608247_abcdef22 - kltentro==.kibana_-2014056171_kltentro - praxisro==.kibana_-1386441184_praxisro - kltentrw==.kibana_-2014056163_kltentrw + admin_1==.kibana_-1139640511_admin1 + praxisrw==.kibana_-1386441176_praxisrw + abcdef_2_2==.kibana_-634608247_abcdef22 + kltentro==.kibana_-2014056171_kltentro + praxisro==.kibana_-1386441184_praxisro + kltentrw==.kibana_-2014056163_kltentrw */ try (Client tc = getClient()) { - tc.index(new IndexRequest(".kibana-6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest(".kibana_-1139640511_admin1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest(".kibana_-1386441176_praxisrw").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest(".kibana_-634608247_abcdef22").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest(".kibana_-12345_123456").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest(".kibana2_-12345_123456").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest(".kibana_9876_xxx_ccc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new 
IndexRequest(".kibana_fff_eee").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - - - tc.index(new IndexRequest("esb-prod-5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":5}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices(".kibana-6").alias(".kibana"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-5").alias(".kibana_-2014056163_kltentrw"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-5").alias("esb-alias-5"))).actionGet(); + tc.index(new IndexRequest(".kibana-6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest(".kibana_-1139640511_admin1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":3}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest(".kibana_-1386441176_praxisrw").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":3}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest(".kibana_-634608247_abcdef22").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":3}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest(".kibana_-12345_123456").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":3}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest(".kibana2_-12345_123456").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":3}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest(".kibana_9876_xxx_ccc").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":3}", XContentType.JSON) + ).actionGet(); + tc.index( + new 
IndexRequest(".kibana_fff_eee").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON) + ).actionGet(); + + tc.index(new IndexRequest("esb-prod-5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":5}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices(".kibana-6").alias(".kibana"))) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().indices("esb-prod-5").alias(".kibana_-2014056163_kltentrw") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("esb-prod-5").alias("esb-alias-5"))) + .actionGet(); } 
@@ -695,13 +1137,17 @@ public void testTenantInfo() throws Exception { @Test public void testRestImpersonation() throws Exception { final Settings settings = Settings.builder() - .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "someotherusernotininternalusersfile") - .build(); + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".worf", "someotherusernotininternalusersfile") + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_rest_impersonation.yml"), settings); final RestHelper rh = nonSslRestHelper(); - //rest impersonation - HttpResponse res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as","someotherusernotininternalusersfile"), encodeBasicHeader("worf", "worf")); + // rest impersonation + HttpResponse res = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader("opendistro_security_impersonate_as", "someotherusernotininternalusersfile"), + encodeBasicHeader("worf", "worf") + ); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); Assert.assertTrue(res.getBody().contains("name=someotherusernotininternalusersfile")); Assert.assertFalse(res.getBody().contains("worf")); 
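Review bot: `testRestImpersonation` exercises only the permitted path — `worf` impersonating the single user listed under `SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".worf"` — and never asserts that an unlisted target is refused, so a regression that let any authenticated user impersonate anyone would still pass here unless a negative case lives elsewhere. A second request with the header pointed at a name outside that list should be asserted as refused, e.g. `res = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "notallowed"), encodeBasicHeader("worf", "worf")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode());` (403 is what a disallowed impersonation is expected to return — confirm against the plugin). The trailing `Assert.assertFalse(res.getBody().contains("worf"))` is a loose substring check; asserting that `name=worf` is absent would state the intent more precisely. The method's closing brace falls just outside this hunk.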
@@ -709,16 +1155,14 @@ public void testRestImpersonation() throws Exception { @Test public void testSslOnlyMode() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_SSL_ONLY, true).build(); setupSslOnlyMode(settings); final RestHelper rh = nonSslRestHelper(); HttpResponse res = rh.executeGetRequest("_opendistro/_security/sslinfo"); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - res = rh.executePutRequest("/xyz/_doc/1","{\"a\":5}"); + res = rh.executePutRequest("/xyz/_doc/1", "{\"a\":5}"); Assert.assertEquals(HttpStatus.SC_CREATED, res.getStatusCode()); res = rh.executeGetRequest("/_mappings"); @@ -736,10 +1180,13 @@ public void testAll() throws Exception { try (Client tc = getClient()) { tc.index(new IndexRequest("abcdef").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) - .actionGet(); + .actionGet(); } - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_all/_search", encodeBasicHeader("worf", "worf")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeGetRequest("_all/_search", encodeBasicHeader("worf", "worf")).getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("*/_search", encodeBasicHeader("worf", "worf")).getStatusCode()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_search", encodeBasicHeader("worf", "worf")).getStatusCode()); } diff --git a/src/test/java/org/opensearch/security/IndexIntegrationTests.java b/src/test/java/org/opensearch/security/IndexIntegrationTests.java index 7dcef21483..6a8703842e 100644 --- a/src/test/java/org/opensearch/security/IndexIntegrationTests.java +++ b/src/test/java/org/opensearch/security/IndexIntegrationTests.java 
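Review bot: In `testSslOnlyMode` the `PUT /xyz/_doc/1` is sent with no credentials and asserted to return `SC_CREATED`, which is the intended contract of `SECURITY_SSL_ONLY` (encryption only, no authentication or authorization), but nothing in the test says so and a later reader may mistake the anonymous 201 for a test that enshrines an auth bypass. A one-line comment before the PUT would fix that: `// ssl-only mode disables authn/authz entirely: an anonymous write must succeed here`. The `GET /_mappings` that follows is assigned but its assertion is outside the hunk; it is worth making sure that check proves the `xyz` index actually exists, not merely that the request was not rejected.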
@@ -60,23 +60,36 @@ public class IndexIntegrationTests extends SingleClusterTest { @Test public void testComposite() throws Exception { - setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("composite_config.yml").setSecurityRoles("roles_composite.yml"), Settings.EMPTY, true); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setConfig("composite_config.yml").setSecurityRoles("roles_composite.yml"), + Settings.EMPTY, + true + ); final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); } - String msearchBody = - "{\"index\":\"starfleet\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"klingonempire\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"public\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); - + String msearchBody = "{\"index\":\"starfleet\", 
\"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"klingonempire\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"public\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); HttpResponse resc = rh.executePostRequest("_msearch", msearchBody, encodeBasicHeader("worf", "worf")); Assert.assertEquals(200, resc.getStatusCode()); 
@@ -93,33 +106,55 @@ public void testBulkShards() throws Exception { final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - //create indices and mapping upfront - tc.index(new IndexRequest("test").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("lorem").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet(); + // create indices and mapping upfront + tc.index(new IndexRequest("test").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("lorem").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)) + .actionGet(); } - String bulkBody = - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value1\" }" +System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"3\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"4\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"5\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"2\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"3\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { 
\"_index\" : \"lorem\", \"_id\" : \"4\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"5\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - "{ \"delete\" : { \"_index\" : \"lorem\", \"_id\" : \"5\" } }"+System.lineSeparator(); + String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value1\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"3\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"4\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"5\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"2\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"3\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"4\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"lorem\", \"_id\" : \"5\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + "{ \"delete\" : { \"_index\" : \"lorem\", \"_id\" : \"5\" } }" + + 
System.lineSeparator(); System.out.println("############ _bulk"); HttpResponse res = rh.executePostRequest("_bulk?refresh=true&pretty=true", bulkBody, encodeBasicHeader("worf", "worf")); @@ -132,7 +167,6 @@ public void testBulkShards() throws Exception { System.out.println("############ check shards"); System.out.println(rh.executeGetRequest("_cat/shards?v", encodeBasicHeader("nagilum", "nagilum"))); - } @Test 
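Review bot: The `_cat/shards?v` response at the end of `testBulkShards` is only printed via `System.out.println`, never asserted, so the shard-level check the test name promises is not enforced and the `############` lines just add noise to CI output. Either assert on the body (e.g. `HttpResponse shards = rh.executeGetRequest("_cat/shards?v", encodeBasicHeader("nagilum", "nagilum")); Assert.assertTrue(shards.getBody().contains("lorem"));`) or drop the prints, and if the call is purely diagnostic say so in a comment. The bulk body also uses `System.lineSeparator()` where a literal `"\n"` matches the NDJSON format regardless of platform. The assertions on the bulk response itself sit between the two hunks and are not visible here.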
@@ -142,21 +176,39 @@ public void testCreateIndex() throws Exception { RestHelper rh = nonSslRestHelper(); HttpResponse res; - Assert.assertEquals("Unable to create index 'nag'", HttpStatus.SC_OK, rh.executePutRequest("nag1", null, encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals("Unable to create index 'starfleet_library'", HttpStatus.SC_OK, rh.executePutRequest("starfleet_library", null, encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + "Unable to create index 'nag'", + HttpStatus.SC_OK, + rh.executePutRequest("nag1", null, encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + "Unable to create index 'starfleet_library'", + HttpStatus.SC_OK, + rh.executePutRequest("starfleet_library", null, encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); clusterHelper.waitForCluster(ClusterHealthStatus.GREEN, TimeValue.timeValueSeconds(10), clusterInfo.numNodes); - Assert.assertEquals("Unable to close index 'starfleet_library'", HttpStatus.SC_OK, rh.executePostRequest("starfleet_library/_close", null, encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - - Assert.assertEquals("Unable to open index 'starfleet_library'", HttpStatus.SC_OK, (res = rh.executePostRequest("starfleet_library/_open", null, encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + "Unable to close index 'starfleet_library'", + HttpStatus.SC_OK, + rh.executePostRequest("starfleet_library/_close", null, encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + + Assert.assertEquals( + "Unable to open index 'starfleet_library'", + HttpStatus.SC_OK, + (res = rh.executePostRequest("starfleet_library/_open", null, encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); Assert.assertTrue("open index 'starfleet_library' not acknowledged", res.getBody().contains("acknowledged")); Assert.assertFalse("open index 'starfleet_library' not acknowledged", 
res.getBody().contains("false")); clusterHelper.waitForCluster(ClusterHealthStatus.GREEN, TimeValue.timeValueSeconds(10), clusterInfo.numNodes); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePutRequest("public", null, encodeBasicHeader("spock", "spock")).getStatusCode()); - + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("public", null, encodeBasicHeader("spock", "spock")).getStatusCode() + ); } 
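Review bot: The first assertion message reads `Unable to create index 'nag'` but the request creates `nag1`, so a failure would point at the wrong index; change it to `"Unable to create index 'nag1'"`. The `Assert.assertFalse("open index 'starfleet_library' not acknowledged", res.getBody().contains("false"))` check is a loose substring test — any field that happens to be `false` in the open-index response would trip it for an unrelated reason, and its message duplicates the preceding assertion; asserting on the `acknowledged` field itself (or parsing the JSON) states what is actually expected. The closing `spock` → `SC_FORBIDDEN` check is the security-relevant assertion in this method and deserves a short comment saying that spock's role is expected to lack create rights on `public`, since the role file is not visible from the test.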
@@ -167,29 +219,51 @@ public void testFilteredAlias() throws Exception { try (Client tc = getClient()) { - tc.index(new IndexRequest("theindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("otherindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().alias("alias1").filter(QueryBuilders.termQuery("_type", "type1")).index("theindex"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().alias("alias2").filter(QueryBuilders.termQuery("_type", "type2")).index("theindex"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().alias("alias3").filter(QueryBuilders.termQuery("_type", "type2")).index("otherindex"))).actionGet(); + tc.index(new IndexRequest("theindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("otherindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().alias("alias1").filter(QueryBuilders.termQuery("_type", "type1")).index("theindex") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().alias("alias2").filter(QueryBuilders.termQuery("_type", "type2")).index("theindex") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().alias("alias3").filter(QueryBuilders.termQuery("_type", "type2")).index("otherindex") + ) + ) + .actionGet(); } - RestHelper rh = nonSslRestHelper(); - //opendistro_security_user1 -> worf - 
//opendistro_security_user2 -> picard + // opendistro_security_user1 -> worf + // opendistro_security_user2 -> picard HttpResponse resc = rh.executeGetRequest("alias*/_search", encodeBasicHeader("worf", "worf")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); - resc = rh.executeGetRequest("theindex/_search", encodeBasicHeader("nagilum", "nagilum")); + resc = rh.executeGetRequest("theindex/_search", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); - resc = rh.executeGetRequest("alias3/_search", encodeBasicHeader("nagilum", "nagilum")); + resc = rh.executeGetRequest("alias3/_search", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - resc = rh.executeGetRequest("_cat/indices", encodeBasicHeader("nagilum", "nagilum")); + resc = rh.executeGetRequest("_cat/indices", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); } 
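Review bot: The `nagilum` checks cover a forbidden index (`theindex` → 403) and a permitted alias over a different index (`alias3` → 200), but never query `alias1` or `alias2`, the filtered aliases that sit on top of the forbidden `theindex` — that is precisely the case where alias resolution could leak a denied index, and it is the one not asserted. Add `resc = rh.executeGetRequest("alias1/_search", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());` (assuming nagilum's role grants nothing on `alias1`; the roles file is not visible here). The alias filters are `termQuery("_type", ...)`; since `_type` is no longer a meta-field in OpenSearch 2.x these filters presumably match nothing, which is harmless for the authorization checks but makes the "filtered" in the test name nominal — a comment noting that would save the next reader the puzzle.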
@@ -200,16 +274,25 @@ public void testIndexTypeEvaluation() throws Exception { setup(); try (Client tc = getClient()) { - tc.index(new IndexRequest("foo1").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("foo2").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("foo").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("fooba").id("4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":4}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("foo1").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("foo2").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON) + ).actionGet(); + tc.index(new IndexRequest("foo").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("fooba").id("4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":4}", XContentType.JSON) + ).actionGet(); try { - tc.index(new IndexRequest("x#a").id("4a").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":4}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("x#a").id("4a").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":4}", XContentType.JSON) + ).actionGet(); Assert.fail("Indexname can contain #"); } catch (InvalidIndexNameException e) { - //expected + // expected } } 
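Review bot: The `Assert.fail("Indexname can contain #")` message in the `x#a` branch states the opposite of what the failure means — that line is reached only when a name containing `#` was accepted, which the test treats as a defect, so the output would mislead whoever investigates it. Rename it to `Assert.fail("index name 'x#a' should have been rejected (contains '#')")`. The rest of `testIndexTypeEvaluation` (the `baz` request assertions) continues past the hunk.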
@@ -227,8 +310,8 @@ public void testIndexTypeEvaluation() throws Exception { Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("\"content\" : 3")); - //resc = rh.executeGetRequest("/fooba/z/_search?pretty", encodeBasicHeader("baz", "worf")); - //Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); + // resc = rh.executeGetRequest("/fooba/z/_search?pretty", encodeBasicHeader("baz", "worf")); + // Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); resc = rh.executeGetRequest("/foo1/_doc/1?pretty", encodeBasicHeader("baz", "worf")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); @@ -245,11 +328,11 @@ public void testIndexTypeEvaluation() throws Exception { Assert.assertTrue(resc.getBody().contains("\"content\" : 3")); Assert.assertTrue(resc.getBody().contains("\"found\" : true")); - //resc = rh.executeGetRequest("/fooba/z/4?pretty", encodeBasicHeader("baz", "worf")); - //Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); + // resc = rh.executeGetRequest("/fooba/z/4?pretty", encodeBasicHeader("baz", "worf")); + // Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); - //resc = rh.executeGetRequest("/foo*/_search?pretty", encodeBasicHeader("baz", "worf")); - //Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); + // resc = rh.executeGetRequest("/foo*/_search?pretty", encodeBasicHeader("baz", "worf")); + // Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); resc = rh.executeGetRequest("/foo*,-fooba/_search?pretty", encodeBasicHeader("baz", "worf")); Assert.assertEquals(200, resc.getStatusCode()); 
@@ -263,73 +346,174 @@ public void testIndices() throws Exception { setup(); try (Client tc = getClient()) { - tc.index(new IndexRequest("nopermindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("logstash-1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("nopermindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("logstash-1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("logstash-2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("logstash-3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("logstash-4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); SimpleDateFormat sdf = new SimpleDateFormat("yyyy.MM.dd", SecurityUtils.EN_Locale); sdf.setTimeZone(TimeZone.getTimeZone("UTC")); String date = sdf.format(new Date()); - tc.index(new IndexRequest("logstash-"+date).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("logstash-" + date).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", 
XContentType.JSON) + ).actionGet(); } RestHelper rh = nonSslRestHelper(); HttpResponse res = null; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-1/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - //nonexistent index with permissions - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, (res = rh.executeGetRequest("/logstash-nonex/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - //existent index without permissions - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/nopermindex/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - //nonexistent index without permissions - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/does-not-exist-and-no-perm/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - //nonexistent and existent index with permissions - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, (res = rh.executeGetRequest("/logstash-nonex,logstash-1/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - //existent index with permissions - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-1/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - //nonexistent index with failed login - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, (res = rh.executeGetRequest("/logstash-nonex/_search", encodeBasicHeader("nouser", "nosuer"))).getStatusCode()); - - //nonexistent index with no login + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-1/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + // nonexistent index with permissions + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + (res = rh.executeGetRequest("/logstash-nonex/_search", 
encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + // existent index without permissions + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/nopermindex/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + // nonexistent index without permissions + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest( + "/does-not-exist-and-no-perm/_search", + encodeBasicHeader("opendistro_security_logstash", "nagilum") + )).getStatusCode() + ); + + // nonexistent and existent index with permissions + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + (res = rh.executeGetRequest("/logstash-nonex,logstash-1/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + // existent index with permissions + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-1/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + // nonexistent index with failed login + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + (res = rh.executeGetRequest("/logstash-nonex/_search", encodeBasicHeader("nouser", "nosuer"))).getStatusCode() + ); + + // nonexistent index with no login Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, (res = rh.executeGetRequest("/logstash-nonex/_search")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/_all/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/*/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, 
(res = rh.executeGetRequest("/nopermindex,logstash-1,nonexist/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/logstash-1,nonexist/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/nonexist/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/%3Clogstash-%7Bnow%2Fd%7D%3E/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/%3Cnonex-%7Bnow%2Fd%7D%3E/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/%3Clogstash-%7Bnow%2Fd%7D%3E,logstash-*/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/%3Clogstash-%7Bnow%2Fd%7D%3E,logstash-1/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_CREATED, (res = rh.executePutRequest("/logstash-b/_doc/1", "{}",encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePutRequest("/%3Clogstash-cnew-%7Bnow%2Fd%7D%3E", "{}",encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_CREATED, (res = rh.executePutRequest("/%3Clogstash-new-%7Bnow%2Fd%7D%3E/_doc/1", "{}",encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/_cat/indices?v" 
,encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/_all/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/*/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest( + "/nopermindex,logstash-1,nonexist/_search", + encodeBasicHeader("opendistro_security_logstash", "nagilum") + )).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/logstash-1,nonexist/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/nonexist/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest( + "/%3Clogstash-%7Bnow%2Fd%7D%3E/_search", + encodeBasicHeader("opendistro_security_logstash", "nagilum") + )).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/%3Cnonex-%7Bnow%2Fd%7D%3E/_search", encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest( + "/%3Clogstash-%7Bnow%2Fd%7D%3E,logstash-*/_search", + encodeBasicHeader("opendistro_security_logstash", "nagilum") + )).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest( + "/%3Clogstash-%7Bnow%2Fd%7D%3E,logstash-1/_search", + 
encodeBasicHeader("opendistro_security_logstash", "nagilum") + )).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_CREATED, + (res = rh.executePutRequest("/logstash-b/_doc/1", "{}", encodeBasicHeader("opendistro_security_logstash", "nagilum"))) + .getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePutRequest( + "/%3Clogstash-cnew-%7Bnow%2Fd%7D%3E", + "{}", + encodeBasicHeader("opendistro_security_logstash", "nagilum") + )).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_CREATED, + (res = rh.executePutRequest( + "/%3Clogstash-new-%7Bnow%2Fd%7D%3E/_doc/1", + "{}", + encodeBasicHeader("opendistro_security_logstash", "nagilum") + )).getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/_cat/indices?v", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("logstash-b")); 
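Review bot: The 404/403 pairing in the first block of `testIndices` encodes a property worth naming in a comment: a caller without permission gets `SC_FORBIDDEN` whether the index exists (`nopermindex`) or not (`does-not-exist-and-no-perm`), while only a name matching a permitted pattern (`logstash-nonex`) yields `SC_NOT_FOUND`, so an unauthorized user cannot use the status code to probe which indices exist. Suggested comment above the `nopermindex` assertion: `// 403 for both existing and nonexistent indices outside the role's patterns — status codes must not act as an index-existence oracle`. Separately, `res` is reassigned inside every `assertEquals` argument but is only read after the final `_cat/indices` call, so the inline `(res = ...)` captures are dead until then; using plain `rh.executeGetRequest(...).getStatusCode()` and assigning `res` once where it is used would remove the formatter's four-line wraps. The mixed-list cases (`logstash-1,nonexist` → 403 but `logstash-nonex,logstash-1` → 404) hinge on the role's index pattern, presumably `logstash-*`; stating that pattern in a comment would make those expectations readable without opening the roles file.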
@@ -341,82 +525,122 @@ public void testIndices() throws Exception { @Test public void testAliases() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(settings); try (Client tc = getClient()) { - tc.index(new IndexRequest("nopermindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("logstash-1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-del").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-del-ok").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("nopermindex").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("logstash-1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("logstash-2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + 
.actionGet(); + tc.index(new IndexRequest("logstash-3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("logstash-4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("logstash-5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("logstash-del").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("logstash-del-ok").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); String date = new SimpleDateFormat("YYYY.MM.dd").format(new Date()); - tc.index(new IndexRequest("logstash-"+date).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("nopermindex").alias("nopermalias"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices(".opendistro_security").alias("mysgi"))).actionGet(); + tc.index( + new IndexRequest("logstash-" + date).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("nopermindex").alias("nopermalias"))) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices(".opendistro_security").alias("mysgi"))) + .actionGet(); } RestHelper rh = nonSslRestHelper(); HttpResponse res = null; - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executePostRequest("/mysgi/_doc", "{}",encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); - 
Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/mysgi/_search?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executePostRequest("/mysgi/_doc", "{}", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/mysgi/_search?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); assertContains(res, "*\"hits\" : {*\"value\" : 0,*\"hits\" : [ ]*"); System.out.println("#### add alias to allowed index"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePutRequest("/logstash-1/_alias/alog1", "",encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePutRequest("/logstash-1/_alias/alog1", "", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); System.out.println("#### add alias to not existing (no perm)"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executePutRequest("/nonexitent/_alias/alnp", "",encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executePutRequest("/nonexitent/_alias/alnp", "", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); System.out.println("#### add alias to not existing (with perm)"); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, (res = rh.executePutRequest("/logstash-nonex/_alias/alnp", "",encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + (res = rh.executePutRequest("/logstash-nonex/_alias/alnp", "", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); System.out.println("#### add alias to not allowed index"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executePutRequest("/nopermindex/_alias/alnp", "",encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); - - String 
aliasRemoveIndex = "{"+ - "\"actions\" : ["+ - "{ \"add\": { \"index\": \"logstash-del-ok\", \"alias\": \"logstash-del\" } },"+ - "{ \"remove_index\": { \"index\": \"logstash-del\" } } "+ - "]"+ - "}"; + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executePutRequest("/nopermindex/_alias/alnp", "", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); + + String aliasRemoveIndex = "{" + + "\"actions\" : [" + + "{ \"add\": { \"index\": \"logstash-del-ok\", \"alias\": \"logstash-del\" } }," + + "{ \"remove_index\": { \"index\": \"logstash-del\" } } " + + "]" + + "}"; System.out.println("#### remove_index"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executePostRequest("/_aliases", aliasRemoveIndex,encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); - + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executePostRequest("/_aliases", aliasRemoveIndex, encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); System.out.println("#### get alias for permitted index"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-1/_alias/alog1", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); - + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-1/_alias/alog1", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); System.out.println("#### get alias for all indices"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/_alias/alog1", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); - + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/_alias/alog1", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); System.out.println("#### get alias no perm"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("/_alias/nopermalias", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); - - String alias = - "{"+ - "\"aliases\": {"+ - 
"\"alias1\": {}"+ - "}"+ - "}"; + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("/_alias/nopermalias", encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); + String alias = "{" + "\"aliases\": {" + "\"alias1\": {}" + "}" + "}"; System.out.println("#### create alias along with index"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executePutRequest("/beats-withalias", alias,encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executePutRequest("/beats-withalias", alias, encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode() + ); } @Test @@ -425,7 +649,10 @@ public void testIndexResolveInvalidIndexName() throws Exception { final RestHelper rh = nonSslRestHelper(); // invalid_index_name_exception should be thrown and responded when invalid index name is mentioned in requests. - HttpResponse res = rh.executeGetRequest(URLEncoder.encode("_##pdt_data/_search", "UTF-8"), encodeBasicHeader("ccsresolv", "nagilum")); + HttpResponse res = rh.executeGetRequest( + URLEncoder.encode("_##pdt_data/_search", "UTF-8"), + encodeBasicHeader("ccsresolv", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, res.getStatusCode()); Assert.assertTrue(res.getBody().contains("invalid_index_name_exception")); } 
@@ -437,16 +664,17 @@ public void testCCSIndexResolve() throws Exception { final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - tc.index(new IndexRequest(".abc-6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest(".abc-6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); } - //ccsresolv has perm for ?abc* + // ccsresolv has perm for ?abc* HttpResponse res = rh.executeGetRequest("ggg:.abc-6,.abc-6/_search", encodeBasicHeader("ccsresolv", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); res = rh.executeGetRequest("/*:.abc-6,.abc-6/_search", encodeBasicHeader("ccsresolv", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - //TODO: Change for 25.0 to be forbidden (possible bug in ES regarding ccs wildcard) + // TODO: Change for 25.0 to be forbidden (possible bug in ES regarding ccs wildcard) } @Test 
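Review bot: The `// TODO: Change for 25.0 to be forbidden (possible bug in ES regarding ccs wildcard)` comment in testCCSIndexResolve still refers to an upstream ES version that will never arrive for this fork, while the assertion above it pins `/*:.abc-6,.abc-6/_search` to `SC_OK` for `ccsresolv`. Since the comment itself says the permissive outcome may be a bug, a formatting pass is a good moment to either point the TODO at a tracked issue or decide the expected status; as written the test cements behaviour its author doubted. The method's setup is outside the hunk, so I cannot tell whether `ccsresolv`'s `?abc*` grant is intended to cover the remote-cluster wildcard form.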
@@ -457,38 +685,41 @@ public void testCCSIndexResolve2() throws Exception { final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - tc.index(new IndexRequest(".abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("xyz").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("noperm").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest(".abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("xyz").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("noperm").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":3}", XContentType.JSON)) + .actionGet(); } HttpResponse res = rh.executeGetRequest("/*:.abc,.abc/_search", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody(),res.getBody().contains("\"content\":1")); + Assert.assertTrue(res.getBody(), res.getBody().contains("\"content\":1")); res = rh.executeGetRequest("/ba*bcuzh/_search", encodeBasicHeader("nagilum", "nagilum")); - Assert.assertTrue(res.getBody(),res.getBody().contains("\"content\":12")); + Assert.assertTrue(res.getBody(), res.getBody().contains("\"content\":12")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); res = rh.executeGetRequest("/*:.abc/_search", encodeBasicHeader("nagilum", "nagilum")); - Assert.assertTrue(res.getBody(),res.getBody().contains("\"content\":1")); + Assert.assertTrue(res.getBody(), res.getBody().contains("\"content\":1")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); res = rh.executeGetRequest("/*:xyz,xyz/_search", encodeBasicHeader("nagilum", 
"nagilum")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody(),res.getBody().contains("\"content\":2")); + Assert.assertTrue(res.getBody(), res.getBody().contains("\"content\":2")); - //res = rh.executeGetRequest("/*noexist/_search", encodeBasicHeader("nagilum", "nagilum")); - //Assert.assertEquals(HttpStatus.SC_NOT_FOUND, res.getStatusCode()); + // res = rh.executeGetRequest("/*noexist/_search", encodeBasicHeader("nagilum", "nagilum")); + // Assert.assertEquals(HttpStatus.SC_NOT_FOUND, res.getStatusCode()); res = rh.executeGetRequest("/*:.abc/_search", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody(),res.getBody().contains("\"content\":1")); + Assert.assertTrue(res.getBody(), res.getBody().contains("\"content\":1")); res = rh.executeGetRequest("/*:xyz/_search", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); - Assert.assertTrue(res.getBody(),res.getBody().contains("\"content\":2")); + Assert.assertTrue(res.getBody(), res.getBody().contains("\"content\":2")); res = rh.executeGetRequest("/.abc/_search", encodeBasicHeader("ccsresolv", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); 
@@ -515,18 +746,26 @@ public void testCCSIndexResolve2() throws Exception { @Test public void testIndexResolveIgnoreUnavailable() throws Exception { - setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_respect_indices_options.yml").setSecurityRoles("roles_bs.yml"), Settings.EMPTY, true); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setConfig("config_respect_indices_options.yml").setSecurityRoles("roles_bs.yml"), + Settings.EMPTY, + true + ); final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - //create indices and mapping upfront - tc.index(new IndexRequest("test").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("lorem").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet(); + // create indices and mapping upfront + tc.index(new IndexRequest("test").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("lorem").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)) + .actionGet(); } - String msearchBody = - "{\"index\": [\"tes*\",\"-security\",\"-missing\"], \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"match_all\":{}}}"+System.lineSeparator(); + String msearchBody = "{\"index\": [\"tes*\",\"-security\",\"-missing\"], \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"match_all\":{}}}" + + System.lineSeparator(); HttpResponse resc = rh.executePostRequest("_msearch", msearchBody, encodeBasicHeader("worf", "worf")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); 
@@ -540,9 +779,14 @@ public void testIndexResolveIndicesAlias() throws Exception { final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - //create indices and mapping upfront - tc.index(new IndexRequest("foo-index").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("foo-index").alias("foo-alias"))).actionGet(); + // create indices and mapping upfront + tc.index( + new IndexRequest("foo-index").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON) + ).actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("foo-index").alias("foo-alias"))) + .actionGet(); tc.admin().indices().delete(new DeleteIndexRequest("foo-index")).actionGet(); } @@ -567,8 +811,10 @@ public void testIndexResolveMinus() throws Exception { final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - //create indices and mapping upfront - tc.index(new IndexRequest("foo-abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet(); + // create indices and mapping upfront + tc.index( + new IndexRequest("foo-abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON) + ).actionGet(); } HttpResponse resc = rh.executeGetRequest("/**/_search", encodeBasicHeader("foo_all", "nagilum")); diff --git a/src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java b/src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java index b2c483abd7..03d26e2062 100644 --- a/src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java +++ b/src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java 
@@ -20,45 +20,55 @@ import org.opensearch.security.test.helper.rest.RestHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class IndexTemplateClusterPermissionsCheckTest extends SingleClusterTest{ - private RestHelper rh; +public class IndexTemplateClusterPermissionsCheckTest extends SingleClusterTest { + private RestHelper rh; - final static String indexTemplateBody = "{ \"index_patterns\": [\"sem1234*\"], \"template\": { \"settings\": { \"number_of_shards\": 2, \"number_of_replicas\": 1 }, \"mappings\": { \"properties\": { \"timestamp\": { \"type\": \"date\", \"format\": \"yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis\" }, \"value\": { \"type\": \"double\" } } } } }"; + final static String indexTemplateBody = + "{ \"index_patterns\": [\"sem1234*\"], \"template\": { \"settings\": { \"number_of_shards\": 2, \"number_of_replicas\": 1 }, \"mappings\": { \"properties\": { \"timestamp\": { \"type\": \"date\", \"format\": \"yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis\" }, \"value\": { \"type\": \"double\" } } } } }"; - private String getFailureResponseReason(String user) { - return "no permissions for [indices:admin/index_template/put] and User [name=" + user + ", backend_roles=[], requestedTenant=null]"; - } + private String getFailureResponseReason(String user) { + return "no permissions for [indices:admin/index_template/put] and User [name=" + user + ", backend_roles=[], requestedTenant=null]"; + } - @Before - public void setupRestHelper() throws Exception{ - setup(); - rh = nonSslRestHelper(); - } - @Test - public void testPutIndexTemplateByNonPrivilegedUser() throws Exception { - String expectedFailureResponse = getFailureResponseReason("ds4"); + @Before + public void setupRestHelper() throws Exception { + setup(); + rh = nonSslRestHelper(); + } - // should fail, as user `ds3` doesn't have correct permissions - HttpResponse response = rh.executePutRequest("/_index_template/sem1234", indexTemplateBody, encodeBasicHeader("ds4", 
"nagilum")); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - Assert.assertEquals(expectedFailureResponse, response.findValueInJson("error.root_cause[0].reason")); - } + @Test + public void testPutIndexTemplateByNonPrivilegedUser() throws Exception { + String expectedFailureResponse = getFailureResponseReason("ds4"); - @Test - public void testPutIndexTemplateByPrivilegedUser() throws Exception { - // should pass, as user `sem-user` has correct permissions - HttpResponse response = rh.executePutRequest("/_index_template/sem1234", indexTemplateBody, encodeBasicHeader("sem-user", "nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - } + // should fail, as user `ds3` doesn't have correct permissions + HttpResponse response = rh.executePutRequest("/_index_template/sem1234", indexTemplateBody, encodeBasicHeader("ds4", "nagilum")); + Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); + Assert.assertEquals(expectedFailureResponse, response.findValueInJson("error.root_cause[0].reason")); + } - @Test - public void testPutIndexTemplateAsIndexLevelPermission() throws Exception { - String expectedFailureResponse = getFailureResponseReason("sem-user2"); + @Test + public void testPutIndexTemplateByPrivilegedUser() throws Exception { + // should pass, as user `sem-user` has correct permissions + HttpResponse response = rh.executePutRequest( + "/_index_template/sem1234", + indexTemplateBody, + encodeBasicHeader("sem-user", "nagilum") + ); + Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); + } - // should fail, as user `sem-user2` is assigned `put-template` permission as index-level, not cluster-level - HttpResponse response = rh.executePutRequest("/_index_template/sem1234", indexTemplateBody, encodeBasicHeader("sem-user2", "nagilum")); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - Assert.assertEquals(expectedFailureResponse, 
response.findValueInJson("error.root_cause[0].reason")); - } + @Test + public void testPutIndexTemplateAsIndexLevelPermission() throws Exception { + String expectedFailureResponse = getFailureResponseReason("sem-user2"); + // should fail, as user `sem-user2` is assigned `put-template` permission as index-level, not cluster-level + HttpResponse response = rh.executePutRequest( + "/_index_template/sem1234", + indexTemplateBody, + encodeBasicHeader("sem-user2", "nagilum") + ); + Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); + Assert.assertEquals(expectedFailureResponse, response.findValueInJson("error.root_cause[0].reason")); } + +} diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java index 87241ee110..0fec953472 100644 --- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java +++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java 
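Review bot: In testPutIndexTemplateByNonPrivilegedUser the comment `// should fail, as user `ds3` doesn't have correct permissions` names `ds3`, but the request and the expected failure reason both use `ds4`; change it to `// should fail, as user `ds4` doesn't have correct permissions`. Separately, getFailureResponseReason pins the entire authorization error text, including `backend_roles=[], requestedTenant=null`, so any change to the User toString breaks all three tests at once; matching on the `no permissions for [indices:admin/index_template/put]` prefix would keep the security assertion without that brittleness. The whole class is inside the hunk.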
@@ -67,23 +67,31 @@ public class InitializationIntegrationTests extends SingleClusterTest { public void testEnsureInitViaRestDoesWork() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, null, settings, false); - final RestHelper rh = restHelper(); //ssl resthelper + final RestHelper rh = restHelper(); // ssl resthelper rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; - Assert.assertEquals(HttpStatus.SC_SERVICE_UNAVAILABLE, rh.executePutRequest(".opendistro_security/_doc/0", "{}", encodeBasicHeader("___", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_SERVICE_UNAVAILABLE, rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode()); - + Assert.assertEquals( + HttpStatus.SC_SERVICE_UNAVAILABLE, + rh.executePutRequest(".opendistro_security/_doc/0", "{}", encodeBasicHeader("___", "")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_SERVICE_UNAVAILABLE, + rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode() + ); rh.keystore = "kirk-keystore.jks"; - Assert.assertEquals(HttpStatus.SC_CREATED, 
rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_CREATED, + rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode() + ); Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0")); Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0")); 
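Review bot: In testEnsureInitViaRestDoesWork the only difference between the two `SC_SERVICE_UNAVAILABLE` PUTs and the `SC_CREATED` PUT is the switch to `rh.keystore = "kirk-keystore.jks"`, so I cannot tell from the hunk whether the 503s are the plugin's not-initialised response or a rejection of the default (non-admin) certificate; the test name suggests the former. If nothing further down the method covers it, an explicit negative check that the same PUT with the non-admin keystore returns 403 after the `SC_CREATED` step would pin the admin-certificate boundary rather than leaving it implied, and a one-line comment on the 503 assertions saying which condition they exercise would help the next reader. The method continues past the end of the hunk.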
@@ -96,28 +104,38 @@ public void testEnsureInitViaRestDoesWork() throws Exception { public void testInitWithInjectedUser() throws Exception { final Settings settings = Settings.builder() - .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("plugins.security.unsupported.inject_user.enabled", true) - .build(); + .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) + .put("plugins.security.unsupported.inject_user.enabled", true) + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_disable_all.yml"), settings, true); RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executePutRequest(".opendistro_security/_doc/0", "{}", encodeBasicHeader("___", "")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executePutRequest(".opendistro_security/_doc/0", "{}", encodeBasicHeader("___", "")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_UNAUTHORIZED, + rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode() + ); } @Test public void testWhoAmI() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); - setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_empty.yml") - .setSecurityRoles("roles_deny.yml"), settings, true); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + 
.put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setSecurityInternalUsers("internal_empty.yml").setSecurityRoles("roles_deny.yml"), + settings, + true + ); try (RestHighLevelClient restHighLevelClient = getRestClient(clusterInfo, "spock-keystore.jks", "truststore.jks")) { Response whoAmIRes = restHighLevelClient.getLowLevelClient().performRequest(new Request("GET", "/_plugins/_security/whoami")); 
@@ -135,14 +153,25 @@ public void testWhoAmI() throws Exception { @Test public void testWhoAmIForceHttp1() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); - setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_empty.yml") - .setSecurityRoles("roles_deny.yml"), settings, true); - - try (RestHighLevelClient restHighLevelClient = getRestClient(clusterInfo, "spock-keystore.jks", "truststore.jks", HttpVersionPolicy.FORCE_HTTP_1)) { + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setSecurityInternalUsers("internal_empty.yml").setSecurityRoles("roles_deny.yml"), + settings, + true + ); + + try ( + RestHighLevelClient restHighLevelClient = getRestClient( + clusterInfo, + "spock-keystore.jks", + "truststore.jks", + HttpVersionPolicy.FORCE_HTTP_1 + ) + ) { Response whoAmIRes = restHighLevelClient.getLowLevelClient().performRequest(new Request("GET", "/_plugins/_security/whoami")); Assert.assertEquals(whoAmIRes.getStatusLine().getStatusCode(), 200); // The HTTP/1.1 is forced and should be used instead 
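Review bot: `Assert.assertEquals(whoAmIRes.getStatusLine().getStatusCode(), 200);` in testWhoAmIForceHttp1 passes the actual value in the expected slot, so a failure would read "expected:<403> but was:<200>" and point the reader the wrong way; it should be `Assert.assertEquals(200, whoAmIRes.getStatusLine().getStatusCode());`. The test also configures the cluster with `internal_empty.yml` and `roles_deny.yml` yet sends a client certificate from `spock-keystore.jks`, so the 200 presumably comes from certificate authentication rather than any internal user — a one-line comment stating that would save a trip through the config files. The method body continues past the end of the hunk.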
@@ -164,7 +193,17 @@ public void testConfigHotReload() throws Exception { for (Iterator iterator = clusterInfo.httpAdresses.iterator(); iterator.hasNext();) { TransportAddress TransportAddress = (TransportAddress) iterator.next(); - HttpResponse res = rh.executeRequest(new HttpGet("http://"+TransportAddress.getAddress()+":"+TransportAddress.getPort() + "/" + "_opendistro/_security/authinfo?pretty=true"), spock); + HttpResponse res = rh.executeRequest( + new HttpGet( + "http://" + + TransportAddress.getAddress() + + ":" + + TransportAddress.getPort() + + "/" + + "_opendistro/_security/authinfo?pretty=true" + ), + spock + ); Assert.assertTrue(res.getBody().contains("spock")); Assert.assertFalse(res.getBody().contains("additionalrole")); Assert.assertTrue(res.getBody().contains("vulcan")); 
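Review bot: The loop in testConfigHotReload declares a local named `TransportAddress` of type `TransportAddress` (`TransportAddress TransportAddress = (TransportAddress) iterator.next();`), which shadows the class name and forces a raw `Iterator` plus a cast; `for (TransportAddress address : clusterInfo.httpAdresses)` reads better and drops the cast. The URL is then assembled as `"http://" + address.getAddress() + ":" + address.getPort()`, which yields an unbracketed, unparseable authority if `getAddress()` ever returns an IPv6 literal — I cannot tell from the hunk whether the test cluster can bind IPv6, so treat that as something to confirm rather than a known failure. testConfigHotReload starts before the hunk and continues after it.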
@@ -172,15 +211,32 @@ public void testConfigHotReload() throws Exception { try (Client tc = getClient()) { Assert.assertEquals(clusterInfo.numNodes, tc.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); - tc.index(new IndexRequest(".opendistro_security").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("internalusers").source("internalusers", FileHelper.readYamlContent("internal_users_spock_add_roles.yml"))).actionGet(); - ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config","roles","rolesmapping","internalusers","actiongroups"})).actionGet(); + tc.index( + new IndexRequest(".opendistro_security").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("internalusers") + .source("internalusers", FileHelper.readYamlContent("internal_users_spock_add_roles.yml")) + ).actionGet(); + ConfigUpdateResponse cur = tc.execute( + ConfigUpdateAction.INSTANCE, + new ConfigUpdateRequest(new String[] { "config", "roles", "rolesmapping", "internalusers", "actiongroups" }) + ).actionGet(); Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size()); } for (Iterator iterator = clusterInfo.httpAdresses.iterator(); iterator.hasNext();) { TransportAddress TransportAddress = (TransportAddress) iterator.next(); - log.debug("http://"+TransportAddress.getAddress()+":"+TransportAddress.getPort()); - HttpResponse res = rh.executeRequest(new HttpGet("http://"+TransportAddress.getAddress()+":"+TransportAddress.getPort() + "/" + "_opendistro/_security/authinfo?pretty=true"), spock); + log.debug("http://" + TransportAddress.getAddress() + ":" + TransportAddress.getPort()); + HttpResponse res = rh.executeRequest( + new HttpGet( + "http://" + + TransportAddress.getAddress() + + ":" + + TransportAddress.getPort() + + "/" + + "_opendistro/_security/authinfo?pretty=true" + ), + spock + ); Assert.assertTrue(res.getBody().contains("spock")); Assert.assertTrue(res.getBody().contains("additionalrole1")); 
Assert.assertTrue(res.getBody().contains("additionalrole2")); @@ -189,14 +245,28 @@ public void testConfigHotReload() throws Exception { try (Client tc = getClient()) { Assert.assertEquals(clusterInfo.numNodes, tc.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); - tc.index(new IndexRequest(".opendistro_security").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("config").source("config", FileHelper.readYamlContent("config_anon.yml"))).actionGet(); - ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config"})).actionGet(); + tc.index( + new IndexRequest(".opendistro_security").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("config") + .source("config", FileHelper.readYamlContent("config_anon.yml")) + ).actionGet(); + ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[] { "config" })) + .actionGet(); Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size()); } for (Iterator iterator = clusterInfo.httpAdresses.iterator(); iterator.hasNext();) { TransportAddress TransportAddress = (TransportAddress) iterator.next(); - HttpResponse res = rh.executeRequest(new HttpGet("http://"+TransportAddress.getAddress()+":"+TransportAddress.getPort() + "/" + "_opendistro/_security/authinfo?pretty=true")); + HttpResponse res = rh.executeRequest( + new HttpGet( + "http://" + + TransportAddress.getAddress() + + ":" + + TransportAddress.getPort() + + "/" + + "_opendistro/_security/authinfo?pretty=true" + ) + ); log.debug(res.getBody()); Assert.assertTrue(res.getBody().contains("role_host1")); Assert.assertTrue(res.getBody().contains("opendistro_security_anonymous")); 
@@ -208,9 +278,7 @@ public void testConfigHotReload() throws Exception { @Test public void testDefaultConfig() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true).build(); setup(Settings.EMPTY, null, settings, false); RestHelper rh = nonSslRestHelper(); Thread.sleep(10000); @@ -223,14 +291,17 @@ public void testDefaultConfig() throws Exception { @Test public void testInvalidDefaultConfig() throws Exception { try { - final String defaultInitDirectory = ClusterHelper.updateDefaultDirectory(new File(TEST_RESOURCE_RELATIVE_PATH + "invalid_config").getAbsolutePath()); - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) - .build(); + final String defaultInitDirectory = ClusterHelper.updateDefaultDirectory( + new File(TEST_RESOURCE_RELATIVE_PATH + "invalid_config").getAbsolutePath() + ); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true).build(); setup(Settings.EMPTY, null, settings, false); RestHelper rh = nonSslRestHelper(); Thread.sleep(10000); - Assert.assertEquals(HttpStatus.SC_SERVICE_UNAVAILABLE, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_SERVICE_UNAVAILABLE, + rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode() + ); ClusterHelper.updateDefaultDirectory(defaultInitDirectory); restart(Settings.EMPTY, null, settings, false); 
@@ -258,7 +329,18 @@ public void testDisabled() throws Exception { @Test public void testDiscoveryWithoutInitialization() throws Exception { setup(Settings.EMPTY, null, Settings.EMPTY, false); - Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes()); - Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()); + Assert.assertEquals( + clusterInfo.numNodes, + clusterHelper.nodeClient() + .admin() + .cluster() + .health(new ClusterHealthRequest().waitForGreenStatus()) + .actionGet() + .getNumberOfNodes() + ); + Assert.assertEquals( + ClusterHealthStatus.GREEN, + clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus() + ); } } diff --git a/src/test/java/org/opensearch/security/IntegrationTests.java b/src/test/java/org/opensearch/security/IntegrationTests.java index 8f2b0f7282..399d226bd9 100644 --- a/src/test/java/org/opensearch/security/IntegrationTests.java +++ b/src/test/java/org/opensearch/security/IntegrationTests.java 
@@ -63,41 +63,47 @@ public class IntegrationTests extends SingleClusterTest { @Test public void testSearchScroll() throws Exception { - final Settings settings = Settings.builder() - .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") + final Settings settings = Settings.builder() + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".worf", "knuddel", "nonexists") .build(); - setup(settings); - final RestHelper rh = nonSslRestHelper(); + setup(settings); + final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - for(int i=0; i<3; i++) - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + for (int i = 0; i < 3; i++) + tc.index( + new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); } - System.out.println("########search"); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); System.out.println(res.getBody()); int start = res.getBody().indexOf("_scroll_id") + 15; - String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start+1)); + String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start + 1)); System.out.println(scrollid); System.out.println("########search scroll"); - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executePostRequest("/_search/scroll?pretty=true", "{\"scroll_id\" : \""+scrollid+"\"}", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); - + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + 
"/_search/scroll?pretty=true", + "{\"scroll_id\" : \"" + scrollid + "\"}", + encodeBasicHeader("nagilum", "nagilum") + )).getStatusCode() + ); System.out.println("########search done"); - } @Test public void testDnParsingCertAuth() throws Exception { - Settings settings = Settings.builder() - .put("username_attribute", "cn") - .put("roles_attribute", "l") - .build(); + Settings settings = Settings.builder().put("username_attribute", "cn").put("roles_attribute", "l").build(); HTTPClientCertAuthenticator auth = new HTTPClientCertAuthenticator(settings, null); Assert.assertEquals("abc", auth.extractCredentials(null, newThreadContext("cn=abc,cn=xxx,l=ert,st=zui,c=qwe")).getUsername()); Assert.assertEquals("abc", auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getUsername()); 
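Review bot: The line `System.out.println("########search");` is deleted in this hunk while the sibling `System.out.println(res.getBody());`, `System.out.println(scrollid);` and `System.out.println("########search scroll");` are kept, which is a non-formatting change in a commit described as formatting only. Either drop all of the debug printlns in testSearchScroll (the `res.getBody()` dump writes the whole search response into the test log) or keep them all so the commit stays pure formatting. Separately, the scroll id is still recovered with the magic offset `int start = res.getBody().indexOf("_scroll_id") + 15;`, which silently depends on the pretty-printed layout of `"_scroll_id" : "`; a comment such as `// 15 = length of '_scroll_id" : "' in the pretty-printed response` would at least document the assumption. The closing brace of testSearchScroll is inside the hunk, but the class continues beyond it.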
@@ -107,13 +113,23 @@ public void testDnParsingCertAuth() throws Exception { Assert.assertEquals("abc", auth.extractCredentials(null, newThreadContext("l=ert,st=zui,c=qwe,cn=abc")).getUsername()); Assert.assertEquals("abc", auth.extractCredentials(null, newThreadContext("L=ert,st=zui,c=qwe,CN=abc")).getUsername()); Assert.assertEquals("L=ert,st=zui,c=qwe", auth.extractCredentials(null, newThreadContext("L=ert,st=zui,c=qwe")).getUsername()); - Assert.assertArrayEquals(new String[] {"ert"}, auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getBackendRoles().toArray(new String[0])); - Assert.assertArrayEquals(new String[] {"bleh", "ert"}, new TreeSet<>(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,L=bleh,st=zui,c=qwe")).getBackendRoles()).toArray(new String[0])); - - settings = Settings.builder() - .build(); + Assert.assertArrayEquals( + new String[] { "ert" }, + auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getBackendRoles().toArray(new String[0]) + ); + Assert.assertArrayEquals( + new String[] { "bleh", "ert" }, + new TreeSet<>(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,L=bleh,st=zui,c=qwe")).getBackendRoles()).toArray( + new String[0] + ) + ); + + settings = Settings.builder().build(); auth = new HTTPClientCertAuthenticator(settings, null); - Assert.assertEquals("cn=abc,l=ert,st=zui,c=qwe", auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getUsername()); + Assert.assertEquals( + "cn=abc,l=ert,st=zui,c=qwe", + auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getUsername() + ); } private ThreadContext newThreadContext(String sslPrincipal) { 
@@ -126,19 +142,30 @@ private ThreadContext newThreadContext(String sslPrincipal) { public void testDNSpecials() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .putList(ConfigConstants.SECURITY_NODES_DN, "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") - .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, "EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") - .put(ConfigConstants.SECURITY_CERT_OID,"1.2.3.4.5.6") - .build(); - + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12") + ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .putList( + ConfigConstants.SECURITY_NODES_DN, + "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE" + ) + .putList( + ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, + "EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE" + ) + .put(ConfigConstants.SECURITY_CERT_OID, "1.2.3.4.5.6") + .build(); Settings tcSettings = Settings.builder() - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .build(); + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12") + ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .build(); setup(tcSettings, new 
DynamicSecurityConfig(), settings, true); RestHelper rh = nonSslRestHelper(); 
@@ -152,19 +179,27 @@ public void testDNSpecials() throws Exception { public void testDNSpecials1() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .putList("plugins.security.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") - .putList("plugins.security.authcz.admin_dn", "EMAILADDREss=unt@xxx.com, cn=node-untspec6.example.com, OU=SSL,O=Te\\, st,L=Test, c=DE") - .put("plugins.security.cert.oid","1.2.3.4.5.6") - .build(); - + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12") + ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .putList("plugins.security.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") + .putList( + "plugins.security.authcz.admin_dn", + "EMAILADDREss=unt@xxx.com, cn=node-untspec6.example.com, OU=SSL,O=Te\\, st,L=Test, c=DE" + ) + .put("plugins.security.cert.oid", "1.2.3.4.5.6") + .build(); Settings tcSettings = Settings.builder() - .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .build(); + .put( + "plugins.security.ssl.transport.keystore_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12") + ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .build(); setup(tcSettings, new DynamicSecurityConfig(), settings, true); RestHelper rh = nonSslRestHelper(); 
@@ -185,31 +220,34 @@ public void testMultiget() throws Exception { setup(); try (Client tc = getClient()) { - tc.index(new IndexRequest("mindex1").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("mindex2").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("mindex1").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("mindex2").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON) + ).actionGet(); } - //opendistro_security_multiget -> picard - - - String mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"mindex1\","+ - "\"_id\" : \"1\""+ - " },"+ - " {"+ - "\"_index\" : \"mindex2\","+ - " \"_id\" : \"2\""+ - "}"+ - "]"+ - "}"; + // opendistro_security_multiget -> picard + + String mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"mindex1\"," + + "\"_id\" : \"1\"" + + " }," + + " {" + + "\"_index\" : \"mindex2\"," + + " \"_id\" : \"2\"" + + "}" + + "]" + + "}"; - RestHelper rh = nonSslRestHelper(); - HttpResponse resc = rh.executePostRequest("_mget?refresh=true", mgetBody, encodeBasicHeader("picard", "picard")); - System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - Assert.assertFalse(resc.getBody().contains("type2")); + RestHelper rh = nonSslRestHelper(); + HttpResponse resc = rh.executePostRequest("_mget?refresh=true", mgetBody, encodeBasicHeader("picard", "picard")); + System.out.println(resc.getBody()); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + Assert.assertFalse(resc.getBody().contains("type2")); } 
@@ -217,29 +255,46 @@ public void testMultiget() throws Exception { public void testRestImpersonation() throws Exception { final Settings settings = Settings.builder() - .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".spock", "knuddel","userwhonotexists").build(); + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".spock", "knuddel", "userwhonotexists") + .build(); setup(settings); RestHelper rh = nonSslRestHelper(); - //knuddel: - // hash: _rest_impersonation_only_ + // knuddel: + // hash: _rest_impersonation_only_ HttpResponse resp; - resp = rh.executeGetRequest("/_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "knuddel"), encodeBasicHeader("worf", "worf")); + resp = rh.executeGetRequest( + "/_opendistro/_security/authinfo", + new BasicHeader("opendistro_security_impersonate_as", "knuddel"), + encodeBasicHeader("worf", "worf") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resp.getStatusCode()); - resp = rh.executeGetRequest("/_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "knuddel"), encodeBasicHeader("spock", "spock")); + resp = rh.executeGetRequest( + "/_opendistro/_security/authinfo", + new BasicHeader("opendistro_security_impersonate_as", "knuddel"), + encodeBasicHeader("spock", "spock") + ); Assert.assertEquals(HttpStatus.SC_OK, resp.getStatusCode()); Assert.assertTrue(resp.getBody().contains("name=knuddel")); Assert.assertFalse(resp.getBody().contains("spock")); - resp = rh.executeGetRequest("/_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "userwhonotexists"), encodeBasicHeader("spock", "spock")); + resp = rh.executeGetRequest( + "/_opendistro/_security/authinfo", + new BasicHeader("opendistro_security_impersonate_as", "userwhonotexists"), + encodeBasicHeader("spock", "spock") + ); System.out.println(resp.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resp.getStatusCode()); - resp = 
rh.executeGetRequest("/_opendistro/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "invalid"), encodeBasicHeader("spock", "spock")); + resp = rh.executeGetRequest( + "/_opendistro/_security/authinfo", + new BasicHeader("opendistro_security_impersonate_as", "invalid"), + encodeBasicHeader("spock", "spock") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resp.getStatusCode()); } @@ -249,14 +304,21 @@ public void testSingle() throws Exception { setup(); try (Client tc = getClient()) { - tc.index(new IndexRequest("shakespeare").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("shakespeare").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); - ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config","roles","rolesmapping","internalusers","actiongroups"})).actionGet(); + ConfigUpdateResponse cur = tc.execute( + ConfigUpdateAction.INSTANCE, + new ConfigUpdateRequest(new String[] { "config", "roles", "rolesmapping", "internalusers", "actiongroups" }) + ).actionGet(); Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size()); } RestHelper rh = nonSslRestHelper(); - //opendistro_security_shakespeare -> picard + // opendistro_security_shakespeare -> picard HttpResponse resc = rh.executeGetRequest("shakespeare/_search", encodeBasicHeader("picard", "picard")); System.out.println(resc.getBody()); 
@@ -276,7 +338,10 @@ public void testSpecialUsernames() throws Exception { Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("bug.99", "nagilum")).getStatusCode()); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest("", encodeBasicHeader("a", "b")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("\"'+-,;_?*@<>!$%&/()=#", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("", encodeBasicHeader("\"'+-,;_?*@<>!$%&/()=#", "nagilum")).getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("§ÄÖÜäöüß", "nagilum")).getStatusCode()); } @@ -286,7 +351,11 @@ public void testXff() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_xff.yml"), Settings.EMPTY, true); RestHelper rh = nonSslRestHelper(); - HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader("x-forwarded-for", "10.0.0.7"), encodeBasicHeader("worf", "worf")); + HttpResponse resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader("x-forwarded-for", "10.0.0.7"), + encodeBasicHeader("worf", "worf") + ); Assert.assertEquals(200, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("10.0.0.7")); } 
@@ -297,19 +366,41 @@ public void testRegexExcludes() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig(), Settings.EMPTY); try (Client tc = getClient()) { - tc.index(new IndexRequest("indexa").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"indexa\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("indexb").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"indexb\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("isallowed").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"isallowed\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("special").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"special\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("alsonotallowed").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"alsonotallowed\":1}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("indexa").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"indexa\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("indexb").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"indexb\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("isallowed").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"isallowed\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("special").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"special\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("alsonotallowed").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"alsonotallowed\":1}", XContentType.JSON) + ).actionGet(); } RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("index*/_search",encodeBasicHeader("rexclude", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("indexa/_search",encodeBasicHeader("rexclude", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, 
rh.executeGetRequest("isallowed/_search",encodeBasicHeader("rexclude", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("special/_search",encodeBasicHeader("rexclude", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("alsonotallowed/_search",encodeBasicHeader("rexclude", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("index*/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("indexa/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("isallowed/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeGetRequest("special/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executeGetRequest("alsonotallowed/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode() + ); } @Test @@ -319,8 +410,10 @@ public void testMultiRoleSpan() throws Exception { final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - tc.index(new IndexRequest("mindex_1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("mindex_2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("mindex_1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("mindex_2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)) + .actionGet(); } HttpResponse res = rh.executeGetRequest("/mindex_1,mindex_2/_search", encodeBasicHeader("mindex12", "nagilum")); 
@@ -330,9 +423,14 @@ public void testMultiRoleSpan() throws Exception { Assert.assertFalse(res.getBody().contains("\"content\":2")); try (Client tc = getClient()) { - tc.index(new IndexRequest(".opendistro_security").id("config").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("config", FileHelper.readYamlContent("config_multirolespan.yml"))).actionGet(); + tc.index( + new IndexRequest(".opendistro_security").id("config") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("config", FileHelper.readYamlContent("config_multirolespan.yml")) + ).actionGet(); - ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config"})).actionGet(); + ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[] { "config" })) + .actionGet(); Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size()); } 
@@ -351,10 +449,14 @@ public void testMultiRoleSpan2() throws Exception { final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - tc.index(new IndexRequest("mindex_1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("mindex_2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("mindex_3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("mindex_4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("mindex_1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("mindex_2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("mindex_3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("mindex_4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)) + .actionGet(); } HttpResponse res = rh.executeGetRequest("/mindex_1,mindex_2/_search", encodeBasicHeader("mindex12", "nagilum")); 
@@ -374,10 +476,14 @@ public void testSecurityUnderscore() throws Exception { setup(); final RestHelper rh = nonSslRestHelper(); - HttpResponse res = rh.executePostRequest("abc_xyz_2018_05_24/_doc/1", "{\"content\":1}", encodeBasicHeader("underscore", "nagilum")); + HttpResponse res = rh.executePostRequest( + "abc_xyz_2018_05_24/_doc/1", + "{\"content\":1}", + encodeBasicHeader("underscore", "nagilum") + ); res = rh.executeGetRequest("abc_xyz_2018_05_24/_doc/1", encodeBasicHeader("underscore", "nagilum")); - Assert.assertTrue(res.getBody(),res.getBody().contains("\"content\":1")); + Assert.assertTrue(res.getBody(), res.getBody().contains("\"content\":1")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); res = rh.executeGetRequest("abc_xyz_2018_05_24/_refresh", encodeBasicHeader("underscore", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); 
@@ -391,45 +497,52 @@ public void testDeleteByQueryDnfof() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_dnfof.yml"), Settings.EMPTY); try (Client tc = getClient()) { - for(int i=0; i<3; i++) { - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + for (int i = 0; i < 3; i++) { + tc.index( + new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); } } RestHelper rh = nonSslRestHelper(); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executePostRequest("/vulcango*/_delete_by_query?refresh=true&wait_for_completion=true&pretty=true", "{\"query\" : {\"match_all\" : {}}}", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + "/vulcango*/_delete_by_query?refresh=true&wait_for_completion=true&pretty=true", + "{\"query\" : {\"match_all\" : {}}}", + encodeBasicHeader("nagilum", "nagilum") + )).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"deleted\" : 3")); } @Test public void testUpdate() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(settings); final RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { - tc.index(new IndexRequest("indexc").id("0") - .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"content\":1}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("indexc").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); } - HttpResponse res = rh.executePostRequest("indexc/_update/0?pretty=true&refresh=true", "{\"doc\" : 
{\"content\":2}}", - encodeBasicHeader("user_c", "user_c")); + HttpResponse res = rh.executePostRequest( + "indexc/_update/0?pretty=true&refresh=true", + "{\"doc\" : {\"content\":2}}", + encodeBasicHeader("user_c", "user_c") + ); System.out.println(res.getBody()); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); } - @Test public void testDnfof() throws Exception { - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_dnfof.yml"), settings); final RestHelper rh = nonSslRestHelper(); 
@@ -437,49 +550,95 @@ public void testDnfof() throws Exception { try (Client tc = getClient()) { tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.index(new IndexRequest("indexa").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexa\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("indexb").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexb\"}", XContentType.JSON)).actionGet(); - - - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet(); - tc.admin().indices().aliases(new 
IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))).actionGet(); + tc.index( + new IndexRequest("indexa").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":\"indexa\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("indexb").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":\"indexb\"}", XContentType.JSON) + ).actionGet(); + + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases( + new 
IndicesAliasesRequest().addAliasAction( + AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf")) + ) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))) + .actionGet(); } HttpResponse resc; - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); Assert.assertTrue(resc.getBody(), resc.getBody().contains("indexa")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("indexb")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("exception")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("permission")); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_b", "user_b"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_b", "user_b"))).getStatusCode() + ); System.out.println(resc.getBody()); Assert.assertFalse(resc.getBody(), resc.getBody().contains("indexa")); Assert.assertTrue(resc.getBody(), resc.getBody().contains("indexb")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("exception")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("permission")); - String msearchBody = - "{\"index\":\"indexa\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, 
\"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"indexb\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"index*\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + String msearchBody = "{\"index\":\"indexa\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"indexb\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"index*\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); System.out.println("#### msearch"); resc = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("user_a", "user_a")); Assert.assertEquals(200, resc.getStatusCode()); 
@@ -501,106 +660,145 @@ public void testDnfof() throws Exception { Assert.assertEquals(3, resc.getBody().split("\"status\" : 200").length); Assert.assertEquals(2, resc.getBody().split("\"status\" : 403").length); - msearchBody = - "{\"index\":\"indexc\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"indexd\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + msearchBody = "{\"index\":\"indexc\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"indexd\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); resc = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("user_b", "user_b")); Assert.assertEquals(403, resc.getStatusCode()); - String mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"indexa\","+ - "\"_id\" : \"0\""+ - " },"+ - " {"+ - "\"_index\" : \"indexb\","+ - " \"_id\" : \"0\""+ - "}"+ - "]"+ - "}"; + String mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"indexa\"," + + "\"_id\" : \"0\"" + + " }," + + " {" + + "\"_index\" : \"indexb\"," + + " \"_id\" : \"0\"" + + "}" + + "]" + + "}"; System.out.println("#### mget"); - resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); + resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); Assert.assertEquals(200, resc.getStatusCode()); Assert.assertFalse(resc.getBody(), resc.getBody().contains("\"content\" : \"indexa\"")); Assert.assertTrue(resc.getBody(), resc.getBody().contains("\"content\" : \"indexb\"")); Assert.assertTrue(resc.getBody(), 
resc.getBody().contains("exception")); Assert.assertTrue(resc.getBody(), resc.getBody().contains("permission")); - mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"indexx\","+ - "\"_id\" : \"0\""+ - " },"+ - " {"+ - "\"_index\" : \"indexy\","+ - " \"_id\" : \"0\""+ - "}"+ - "]"+ - "}"; - - resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); + mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"indexx\"," + + "\"_id\" : \"0\"" + + " }," + + " {" + + "\"_index\" : \"indexy\"," + + " \"_id\" : \"0\"" + + "}" + + "]" + + "}"; + + resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); Assert.assertEquals(403, resc.getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); Assert.assertTrue(resc.getBody(), resc.getBody().contains("indexa")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("indexb")); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("index*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("index*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); Assert.assertTrue(resc.getBody(), resc.getBody().contains("indexa")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("indexb")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("exception")); Assert.assertFalse(resc.getBody(), resc.getBody().contains("permission")); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("indexa/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + 
Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("indexa/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("_all/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("_all/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("notexists/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("notexists/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, (resc=rh.executeGetRequest("permitnotexistentindex/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + (resc = rh.executeGetRequest("permitnotexistentindex/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - 
Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("permitnotexistentindex*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("permitnotexistentindex*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, (resc=rh.executeGetRequest("indexanbh,indexabb*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + (resc = rh.executeGetRequest("indexanbh,indexabb*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode() + ); System.out.println(resc.getBody()); System.out.println("#### _all/_mapping/field/*"); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("_all/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("_all/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); System.out.println(resc.getBody()); } - @Test public void testNoDnfof() throws Exception { - final Settings settings = Settings.builder() - 
.put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH").build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); final RestHelper rh = nonSslRestHelper(); 
@@ -608,39 +806,83 @@ public void testNoDnfof() throws Exception { try (Client tc = getClient()) { tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.index(new IndexRequest("indexa").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexa\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("indexb").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexb\"}", XContentType.JSON)).actionGet(); - - - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet(); - tc.admin().indices().aliases(new 
IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))).actionGet(); + tc.index( + new IndexRequest("indexa").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":\"indexa\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("indexb").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"content\":\"indexb\"}", XContentType.JSON) + ).actionGet(); + + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases( + new 
IndicesAliasesRequest().addAliasAction( + AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf")) + ) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))) + .actionGet(); } HttpResponse resc; - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_b", "user_b"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_b", "user_b"))).getStatusCode() + ); System.out.println(resc.getBody()); - String msearchBody = - "{\"index\":\"indexa\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"indexb\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + String msearchBody = "{\"index\":\"indexa\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"indexb\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + 
+ System.lineSeparator(); System.out.println("#### msearch a"); resc = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("user_a", "user_a")); Assert.assertEquals(200, resc.getStatusCode()); @@ -659,11 +901,14 @@ public void testNoDnfof() throws Exception { Assert.assertTrue(resc.getBody(), resc.getBody().contains("exception")); Assert.assertTrue(resc.getBody(), resc.getBody().contains("permission")); - msearchBody = - "{\"index\":\"indexc\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"indexd\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + msearchBody = "{\"index\":\"indexc\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"indexd\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); System.out.println("#### msearch b2"); resc = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("user_b", "user_b")); 
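Review bot: The index and alias fixture in testNoDnfof (indexa/indexb, vulcangov through role01_role02, and the sf/nonsf/unrestricted aliases) is a verbatim copy of the one in testDnfof, and after reformatting each copy is roughly 45 lines. Extract it into a private helper such as `private void createDnfofFixture(Client tc)` holding the `tc.index(...)` and `tc.admin().indices().aliases(...)` calls, and invoke it from both tests inside their `try (Client tc = getClient())` block, so the two tests are guaranteed to run against identical data and a future fixture change cannot drift between them. testNoDnfof starts before this hunk and its body continues past it.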
@@ -676,82 +921,120 @@ public void testNoDnfof() throws Exception { int count = resc.getBody().split("\"status\" : 403").length; Assert.assertEquals(3, count); - String mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"indexa\","+ - "\"_id\" : \"0\""+ - " },"+ - " {"+ - "\"_index\" : \"indexb\","+ - " \"_id\" : \"0\""+ - "}"+ - "]"+ - "}"; - - resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); + String mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"indexa\"," + + "\"_id\" : \"0\"" + + " }," + + " {" + + "\"_index\" : \"indexb\"," + + " \"_id\" : \"0\"" + + "}" + + "]" + + "}"; + + resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); Assert.assertEquals(200, resc.getStatusCode()); Assert.assertFalse(resc.getBody(), resc.getBody().contains("\"content\" : \"indexa\"")); Assert.assertTrue(resc.getBody(), resc.getBody().contains("indexb")); Assert.assertTrue(resc.getBody(), resc.getBody().contains("exception")); Assert.assertTrue(resc.getBody(), resc.getBody().contains("permission")); - mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"indexx\","+ - "\"_id\" : \"0\""+ - " },"+ - " {"+ - "\"_index\" : \"indexy\","+ - " \"_id\" : \"0\""+ - "}"+ - "]"+ - "}"; - - resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); + mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"indexx\"," + + "\"_id\" : \"0\"" + + " }," + + " {" + + "\"_index\" : \"indexy\"," + + " \"_id\" : \"0\"" + + "}" + + "]" + + "}"; + + resc = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("user_b", "user_b")); Assert.assertEquals(200, resc.getStatusCode()); Assert.assertTrue(resc.getBody(), resc.getBody().contains("exception")); count = resc.getBody().split("root_cause").length; Assert.assertEquals(3, count); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("_search?pretty", 
encodeBasicHeader("user_a", "user_a"))).getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("index*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("index*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("indexa/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("indexa/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("_all/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("_all/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - 
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("notexists/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("notexists/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, (resc=rh.executeGetRequest("indexanbh,indexabb*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + (resc = rh.executeGetRequest("indexanbh,indexabb*/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (resc=rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (resc = rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("user_a", "user_a"))).getStatusCode() + ); System.out.println(resc.getBody()); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode() + ); System.out.println(resc.getBody()); System.out.println("#### _all/_mapping/field/*"); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("_all/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("_all/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); System.out.println(resc.getBody()); System.out.println("#### _mapping/field/*"); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("_mapping/field/*", 
encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); System.out.println(resc.getBody()); System.out.println("#### */_mapping/field/*"); - Assert.assertEquals(HttpStatus.SC_OK, (resc=rh.executeGetRequest("*/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (resc = rh.executeGetRequest("*/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); System.out.println(resc.getBody()); } 
@@ -760,43 +1043,58 @@ public void testSecurityIndexSecurity() throws Exception { setup(); final RestHelper rh = nonSslRestHelper(); - HttpResponse res = rh.executePutRequest(".opendistro_security/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", - encodeBasicHeader("nagilum", "nagilum")); + HttpResponse res = rh.executePutRequest( + ".opendistro_security/_mapping?pretty", + "{\"properties\": {\"name\":{\"type\":\"text\"}}}", + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - res = rh.executePutRequest("*dis*rit*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", - encodeBasicHeader("nagilum", "nagilum")); + res = rh.executePutRequest( + "*dis*rit*/_mapping?pretty", + "{\"properties\": {\"name\":{\"type\":\"text\"}}}", + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - res = rh.executePutRequest("*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", - encodeBasicHeader("nagilum", "nagilum")); + res = rh.executePutRequest( + "*/_mapping?pretty", + "{\"properties\": {\"name\":{\"type\":\"text\"}}}", + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - res = rh.executePutRequest("_all/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", - encodeBasicHeader("nagilum", "nagilum")); + res = rh.executePutRequest( + "_all/_mapping?pretty", + "{\"properties\": {\"name\":{\"type\":\"text\"}}}", + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - res = rh.executePostRequest(".opendistro_security/_close", "", - encodeBasicHeader("nagilum", "nagilum")); + res = rh.executePostRequest(".opendistro_security/_close", "", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - res = 
rh.executeDeleteRequest(".opendistro_security", - encodeBasicHeader("nagilum", "nagilum")); - res = rh.executeDeleteRequest("_all", - encodeBasicHeader("nagilum", "nagilum")); + res = rh.executeDeleteRequest(".opendistro_security", encodeBasicHeader("nagilum", "nagilum")); + res = rh.executeDeleteRequest("_all", encodeBasicHeader("nagilum", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - res = rh.executePutRequest(".opendistro_security/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", - encodeBasicHeader("nagilum", "nagilum")); + res = rh.executePutRequest( + ".opendistro_security/_settings", + "{\"index\" : {\"number_of_replicas\" : 2}}", + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); - res = rh.executePutRequest(".opendistro_secur*/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", - encodeBasicHeader("nagilum", "nagilum")); + res = rh.executePutRequest( + ".opendistro_secur*/_settings", + "{\"index\" : {\"number_of_replicas\" : 2}}", + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode()); -// res = rh.executePostRequest(".opendistro_security/_freeze", "", -// encodeBasicHeader("nagilum", "nagilum")); -// Assert.assertTrue(res.getStatusCode() >= 400); + // res = rh.executePostRequest(".opendistro_security/_freeze", "", + // encodeBasicHeader("nagilum", "nagilum")); + // Assert.assertTrue(res.getStatusCode() >= 400); String bulkBody = "{ \"index\" : { \"_index\" : \".opendistro_security\", \"_id\" : \"1\" } }\n" - + "{ \"field1\" : \"value1\" }\n" - + "{ \"index\" : { \"_index\" : \".opendistro_security\", \"_id\" : \"2\" } }\n" - + "{ \"field2\" : \"value2\" }\n" - + "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"2\" } }\n" - + "{ \"field2\" : \"value2\" }\n" - + "{ \"delete\" : { \"_index\" : \".opendistro_security\", \"_id\" : \"config\" } }\n"; + + "{ \"field1\" : \"value1\" }\n" + 
+ "{ \"index\" : { \"_index\" : \".opendistro_security\", \"_id\" : \"2\" } }\n" + + "{ \"field2\" : \"value2\" }\n" + + "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"2\" } }\n" + + "{ \"field2\" : \"value2\" }\n" + + "{ \"delete\" : { \"_index\" : \".opendistro_security\", \"_id\" : \"config\" } }\n"; res = rh.executePostRequest("_bulk?refresh=true&pretty", bulkBody, encodeBasicHeader("nagilum", "nagilum")); JsonNode jsonNode = readTree(res.getBody()); System.out.println(res.getBody()); @@ -813,6 +1111,6 @@ public void testMonitorHealth() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig(), Settings.EMPTY); RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_cat/health",encodeBasicHeader("picard", "picard")).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_cat/health", encodeBasicHeader("picard", "picard")).getStatusCode()); } } diff --git a/src/test/java/org/opensearch/security/PitIntegrationTests.java b/src/test/java/org/opensearch/security/PitIntegrationTests.java index 11c624eba6..035cc2ce3e 100644 --- a/src/test/java/org/opensearch/security/PitIntegrationTests.java +++ b/src/test/java/org/opensearch/security/PitIntegrationTests.java 
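Review bot: The response from `rh.executeDeleteRequest(".opendistro_security", ...)` is overwritten by the `_all` delete before it is checked, so the test never asserts that a direct DELETE of the security index by name is forbidden for nagilum; only the `_all` variant is verified. Add `Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode());` between the two delete calls so a regression that lets an admin-mapped user drop the security index by name fails the test. The re-indented commented-out `_freeze` block should either be deleted or turned into a real assertion if the endpoint exists on the targeted version; dead commented code in a security test gives a false sense of coverage. testSecurityIndexSecurity starts before this hunk and its body (the bulk response checks) continues past it.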
@@ -37,86 +37,75 @@ public void testPitExplicitAPIAccess() throws Exception { RestHelper rh = nonSslRestHelper(); try (Client tc = getClient()) { // create alias - tc.admin().indices().create(new CreateIndexRequest("pit_1") - .alias(new Alias("alias"))) - .actionGet(); + tc.admin().indices().create(new CreateIndexRequest("pit_1").alias(new Alias("alias"))).actionGet(); // create index - tc.index(new IndexRequest("pit_2").id("2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE). - source("{\"content\":2}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("pit_2").id("2") + .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":2}", XContentType.JSON) + ).actionGet(); } RestHelper.HttpResponse resc; // Create point in time in index should be successful since the user has permission for index - resc = rh.executePostRequest("/alias/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executePostRequest("/alias/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - String pitId1 = resc.findValueInJson("pit_id"); + String pitId1 = resc.findValueInJson("pit_id"); // Create point in time in index for which the user does not have permission - resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Create point in time in index for which the user has permission for - resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-2", "nagilum")); + resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-2", "nagilum")); 
Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - String pitId2 = resc.findValueInJson("pit_id"); - resc = rh.executePostRequest("/pit*/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("all-pit", "nagilum")); + String pitId2 = resc.findValueInJson("pit_id"); + resc = rh.executePostRequest("/pit*/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("all-pit", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); // PIT segments should work since there is atleast one PIT for which user has access for - resc = rh.executeGetRequest("/_cat/pit_segments", - "{\"pit_id\":\"" + pitId1 +"\"}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeGetRequest("/_cat/pit_segments", "{\"pit_id\":\"" + pitId1 + "\"}", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); // PIT segments should work since there is atleast one PIT for which user has access for - resc = rh.executeGetRequest("/_cat/pit_segments", - "{\"pit_id\":\"" + pitId1 +"\"}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeGetRequest("/_cat/pit_segments", "{\"pit_id\":\"" + pitId1 + "\"}", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); // Should throw error since user does not have access for pitId2 - resc = rh.executeGetRequest("/_cat/pit_segments", - "{\"pit_id\":\"" + pitId2 +"\"}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeGetRequest("/_cat/pit_segments", "{\"pit_id\":\"" + pitId2 + "\"}", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Should throw error since user does not have access for pitId2 - resc = rh.executeGetRequest("/_cat/pit_segments", - "{\"pit_id\":[\"" + pitId1 +"\",\"" + pitId2 + "\"]}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeGetRequest( + "/_cat/pit_segments", + "{\"pit_id\":[\"" + pitId1 + "\",\"" + pitId2 + 
"\"]}", + encodeBasicHeader("pit-1", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Delete explicit PITs should work for PIT for which user has access for - resc = rh.executeDeleteRequest("/_search/point_in_time", - "{\"pit_id\":\"" + pitId1 +"\"}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeDeleteRequest("/_search/point_in_time", "{\"pit_id\":\"" + pitId1 + "\"}", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertEquals(pitId1, resc.findValueInJson("pits[0].pit_id")); Assert.assertEquals("true", resc.findValueInJson("pits[0].successful")); // Should throw error since user does not have access for pitId2 - resc = rh.executeDeleteRequest("/_search/point_in_time", - "{\"pit_id\":\"" + pitId2 +"\"}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeDeleteRequest("/_search/point_in_time", "{\"pit_id\":\"" + pitId2 + "\"}", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Should throw error since user does not have access for pitId2 - resc = rh.executeDeleteRequest("/_search/point_in_time", - "{\"pit_id\":[\"" + pitId1 +"\",\"" + pitId2 + "\"]}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeDeleteRequest( + "/_search/point_in_time", + "{\"pit_id\":[\"" + pitId1 + "\",\"" + pitId2 + "\"]}", + encodeBasicHeader("pit-1", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Delete explicit PITs should work for PIT for which user has access for - resc = rh.executeDeleteRequest("/_search/point_in_time", - "{\"pit_id\":\"" + pitId2 +"\"}", - encodeBasicHeader("pit-2", "nagilum")); + resc = rh.executeDeleteRequest("/_search/point_in_time", "{\"pit_id\":\"" + pitId2 + "\"}", encodeBasicHeader("pit-2", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertEquals(pitId2, 
resc.findValueInJson("pits[0].pit_id")); Assert.assertEquals("true", resc.findValueInJson("pits[0].successful")); 
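Review bot: The two consecutive `/_cat/pit_segments` requests for `pitId1` as `pit-1` in the middle of this hunk are identical on the new side, comment included, so the second call adds no coverage and only doubles the round-trip; drop one, or if the repeat is deliberate (showing the PIT is still readable after a first lookup) say so in its comment, which currently also carries the typo `atleast`. The rest of the hunk keeps the allow/deny pairing per call, which is the right shape for a privilege-evaluation test. testPitExplicitAPIAccess's body continues past the end of the hunk.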
@@ -130,40 +119,41 @@ public void testPitAllAPIAccess() throws Exception { // Create two indices try (Client tc = getClient()) { - tc.index(new IndexRequest("pit_1").id("1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE). - source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("pit_2").id("2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE). - source("{\"content\":2}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("pit_1").id("1") + .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("pit_2").id("2") + .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":2}", XContentType.JSON) + ).actionGet(); } RestHelper.HttpResponse resc; // Create point in time in index should be successful since the user has permission for index - resc = rh.executePostRequest("/pit_1/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executePostRequest("/pit_1/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); String pitId1 = resc.findValueInJson("pit_id"); // Create point in time in index for which the user does not have permission - resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Create point in time in index for which the user has permission for - resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-2", "nagilum")); + resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-2", "nagilum")); 
Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); String pitId2 = resc.findValueInJson("pit_id"); // Throw security error if user does not have all index permission - resc = rh.executeGetRequest("/_search/point_in_time/_all", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeGetRequest("/_search/point_in_time/_all", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // List all PITs should work for user with all index access - resc = rh.executeGetRequest("/_search/point_in_time/_all", - encodeBasicHeader("all-pit", "nagilum")); + resc = rh.executeGetRequest("/_search/point_in_time/_all", encodeBasicHeader("all-pit", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); List pitList = new ArrayList<>(); pitList.add(pitId1); 
@@ -172,24 +162,19 @@ public void testPitAllAPIAccess() throws Exception { pitList.contains(resc.findValueInJson("pits[1].pit_id")); // Throw security error if user does not have all index permission - resc = rh.executeGetRequest("/_cat/pit_segments/_all", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeGetRequest("/_cat/pit_segments/_all", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // PIT segments should work for user with all index access - resc = rh.executeGetRequest("/_cat/pit_segments/_all", - encodeBasicHeader("all-pit", "nagilum")); + resc = rh.executeGetRequest("/_cat/pit_segments/_all", encodeBasicHeader("all-pit", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - // Throw security error if user does not have all index permission - resc = rh.executeDeleteRequest("/_search/point_in_time/_all", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeDeleteRequest("/_search/point_in_time/_all", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Delete all PITs should work for user with all index access - resc = rh.executeDeleteRequest("/_search/point_in_time/_all", - encodeBasicHeader("all-pit", "nagilum")); + resc = rh.executeDeleteRequest("/_search/point_in_time/_all", encodeBasicHeader("all-pit", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); pitList.contains(resc.findValueInJson("pits[0].pit_id")); pitList.contains(resc.findValueInJson("pits[1].pit_id")); 
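Review bot: The `pitList.contains(...)` calls on the context lines at the top and bottom of this hunk discard their boolean result, so the PIT ids returned by the list-all and delete-all responses for `all-pit` are never actually verified; wrap them as `Assert.assertTrue(pitList.contains(resc.findValueInJson("pits[0].pit_id")));` and likewise for `pits[1]`. Separately, the comment `// Throw security error if user does not have all index permission` above the `pit-1` delete-all request was removed while the three sibling calls keep theirs; it still applies, since that call asserts `SC_FORBIDDEN`, and restoring it keeps the four blocks parallel. testPitAllAPIAccess starts and ends outside the hunk.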
@@ -202,8 +187,8 @@ public void testPitAllAPIAccess() throws Exception { public void testDataStreamWithPits() throws Exception { setup(); RestHelper rh = nonSslRestHelper(); - String indexTemplate = "{\"index_patterns\": [ \"my-data-stream*\" ], \"data_stream\": { }, \"priority\": 200, " + - "\"template\": {\"settings\": { } } }"; + String indexTemplate = "{\"index_patterns\": [ \"my-data-stream*\" ], \"data_stream\": { }, \"priority\": 200, " + + "\"template\": {\"settings\": { } } }"; rh.executePutRequest("/_index_template/my-data-stream-template", indexTemplate, encodeBasicHeader("ds1", "nagilum")); 
@@ -212,32 +197,25 @@ public void testDataStreamWithPits() throws Exception { RestHelper.HttpResponse resc; // create pit should work since user has permission on data stream - resc = rh.executePostRequest("/my-data-stream11/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executePostRequest("/my-data-stream11/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - String pitId1 = resc.findValueInJson("pit_id"); + String pitId1 = resc.findValueInJson("pit_id"); // PIT segments works since the user has access for backing indices - resc = rh.executeGetRequest("/_cat/pit_segments", - "{\"pit_id\":\"" + pitId1 +"\"}", - encodeBasicHeader("pit-1", "nagilum")); + resc = rh.executeGetRequest("/_cat/pit_segments", "{\"pit_id\":\"" + pitId1 + "\"}", encodeBasicHeader("pit-1", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); // create pit should work since user has permission on data stream - resc = rh.executePostRequest("/my-data-stream21/_search/point_in_time?keep_alive=100m", "", - encodeBasicHeader("pit-2", "nagilum")); + resc = rh.executePostRequest("/my-data-stream21/_search/point_in_time?keep_alive=100m", "", encodeBasicHeader("pit-2", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - String pitId2 = resc.findValueInJson("pit_id"); + String pitId2 = resc.findValueInJson("pit_id"); // since pit-3 doesn't have permission to backing data stream indices, throw security error - resc = rh.executeGetRequest("/_cat/pit_segments", - "{\"pit_id\":\"" + pitId2 +"\"}", - encodeBasicHeader("pit-3", "nagilum")); + resc = rh.executeGetRequest("/_cat/pit_segments", "{\"pit_id\":\"" + pitId2 + "\"}", encodeBasicHeader("pit-3", "nagilum")); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); // Delete all PITs should work for user with all index access - resc = 
rh.executeDeleteRequest("/_search/point_in_time/_all", - encodeBasicHeader("all-pit", "nagilum")); + resc = rh.executeDeleteRequest("/_search/point_in_time/_all", encodeBasicHeader("all-pit", "nagilum")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); } } diff --git a/src/test/java/org/opensearch/security/PrivilegesEvaluationTest.java b/src/test/java/org/opensearch/security/PrivilegesEvaluationTest.java index 1f9668c641..b7af395daa 100644 --- a/src/test/java/org/opensearch/security/PrivilegesEvaluationTest.java +++ b/src/test/java/org/opensearch/security/PrivilegesEvaluationTest.java 
@@ -31,21 +31,27 @@ public void resolveTestHidden() throws Exception { try (Client client = getClient()) { - client.index(new IndexRequest("hidden_test_not_hidden").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(XContentType.JSON, "index", - "hidden_test_not_hidden", "b", "y", "date", "1985/01/01")).actionGet(); - - client.admin().indices().create(new CreateIndexRequest(".hidden_test_actually_hidden").settings(ImmutableMap.of("index.hidden", true))) - .actionGet(); - client.index(new IndexRequest(".hidden_test_actually_hidden").id("test").source("a", "b").setRefreshPolicy(RefreshPolicy.IMMEDIATE)) - .actionGet(); + client.index( + new IndexRequest("hidden_test_not_hidden").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source(XContentType.JSON, "index", "hidden_test_not_hidden", "b", "y", "date", "1985/01/01") + ).actionGet(); + + client.admin() + .indices() + .create(new CreateIndexRequest(".hidden_test_actually_hidden").settings(ImmutableMap.of("index.hidden", true))) + .actionGet(); + client.index( + new IndexRequest(".hidden_test_actually_hidden").id("test").source("a", "b").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + ).actionGet(); } RestHelper rh = nonSslRestHelper(); - RestHelper.HttpResponse httpResponse = rh.executeGetRequest("/*hidden_test*/_search?expand_wildcards=all&pretty=true", - encodeBasicHeader("hidden_test", "nagilum")); + RestHelper.HttpResponse httpResponse = rh.executeGetRequest( + "/*hidden_test*/_search?expand_wildcards=all&pretty=true", + encodeBasicHeader("hidden_test", "nagilum") + ); Assert.assertEquals(httpResponse.getBody(), 403, httpResponse.getStatusCode()); - httpResponse = rh.executeGetRequest("/hidden_test_not_hidden?pretty=true", - encodeBasicHeader("hidden_test", "nagilum")); + httpResponse = rh.executeGetRequest("/hidden_test_not_hidden?pretty=true", encodeBasicHeader("hidden_test", "nagilum")); Assert.assertEquals(httpResponse.getBody(), 200, httpResponse.getStatusCode()); } } 
diff --git a/src/test/java/org/opensearch/security/ResolveAPITests.java b/src/test/java/org/opensearch/security/ResolveAPITests.java index a27c338dd1..088702acd9 100644 --- a/src/test/java/org/opensearch/security/ResolveAPITests.java +++ b/src/test/java/org/opensearch/security/ResolveAPITests.java @@ -32,7 +32,6 @@ import org.opensearch.security.test.SingleClusterTest; import org.opensearch.security.test.helper.rest.RestHelper; - public class ResolveAPITests extends SingleClusterTest { protected final Logger log = LogManager.getLogger(this.getClass()); @@ -48,7 +47,10 @@ public void testResolveDnfofFalse() throws Exception { final RestHelper rh = nonSslRestHelper(); RestHelper.HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); log.debug(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); @@ -59,7 +61,10 @@ public void testResolveDnfofFalse() throws Exception { assertContains(res, "*xyz*"); assertContains(res, "*role01_role02*"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); log.debug(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); 
@@ -72,10 +77,16 @@ public void testResolveDnfofFalse() throws Exception { assertContains(res, "*starfleet_academy*"); assertContains(res, "*starfleet_library*"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode() + ); log.debug(res.getBody()); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode() + ); log.debug(res.getBody()); assertContains(res, "*starfleet*"); assertContains(res, "*starfleet_academy*"); @@ -92,7 +103,10 @@ public void testResolveDnfofTrue() throws Exception { final RestHelper rh = nonSslRestHelper(); RestHelper.HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); log.debug(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); 
@@ -103,7 +117,10 @@ public void testResolveDnfofTrue() throws Exception { assertContains(res, "*xyz*"); assertContains(res, "*role01_role02*"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode() + ); log.debug(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); @@ -116,7 +133,10 @@ public void testResolveDnfofTrue() throws Exception { assertContains(res, "*starfleet_academy*"); assertContains(res, "*starfleet_library*"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("_resolve/index/*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode() + ); log.debug(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); @@ -127,7 +147,10 @@ public void testResolveDnfofTrue() throws Exception { assertContains(res, "*public*"); assertContains(res, "*xyz*"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("_resolve/index/starfleet*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode() + ); log.debug(res.getBody()); assertNotContains(res, "*xception*"); assertNotContains(res, "*erial*"); 
@@ -140,30 +163,87 @@ public void testResolveDnfofTrue() throws Exception { assertContains(res, "*starfleet_academy*"); assertContains(res, "*starfleet_library*"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executeGetRequest("_resolve/index/vulcangov*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executeGetRequest("_resolve/index/vulcangov*?pretty", encodeBasicHeader("worf", "worf"))).getStatusCode() + ); log.debug(res.getBody()); } private void setupIndices() { try (Client tc = getClient()) { tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("public").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("spock").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("kirk").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new 
IndexRequest("role01_role02").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("xyz").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices("public").alias("unrestricted"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices("xyz").alias("alias1"))).actionGet(); + tc.index( + new IndexRequest("vulcangov").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet_academy").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet_library").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("public").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + 
).actionGet(); + + tc.index( + new IndexRequest("spock").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("kirk").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("role01_role02").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.index( + new IndexRequest("xyz").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + IndicesAliasesRequest.AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + IndicesAliasesRequest.AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + IndicesAliasesRequest.AliasActions.add().indices("public").alias("unrestricted") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices("xyz").alias("alias1")) + ) + .actionGet(); } } } diff --git a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java index af71d590bf..0ab9736378 100644 --- a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java 
@@ -63,14 +63,21 @@ public RolesInjectorPlugin(final Settings settings, final Path configPath) { } @Override - public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, - ResourceWatcherService resourceWatcherService, ScriptService scriptService, - NamedXContentRegistry xContentRegistry, Environment environment, - NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry, - IndexNameExpressionResolver indexNameExpressionResolver, - Supplier repositoriesServiceSupplier) { - if(injectedRoles != null) - threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, injectedRoles); + public Collection createComponents( + Client client, + ClusterService clusterService, + ThreadPool threadPool, + ResourceWatcherService resourceWatcherService, + ScriptService scriptService, + NamedXContentRegistry xContentRegistry, + Environment environment, + NodeEnvironment nodeEnvironment, + NamedWriteableRegistry namedWriteableRegistry, + IndexNameExpressionResolver indexNameExpressionResolver, + Supplier repositoriesServiceSupplier + ) { + if (injectedRoles != null) threadPool.getThreadContext() + .putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, injectedRoles); return new ArrayList<>(); } } 
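Review bot: The `if (injectedRoles != null)` on the new side is still brace-less while the formatter has wrapped its single statement onto a continuation line, so the `.putTransient(...)` call now reads as if it were unconditional; brace it as `if (injectedRoles != null) {` / `threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, injectedRoles);` / `}`, which is the form the same override already uses in RolesValidationIntegTest further down this patch. The raw `Collection` return type and raw `Supplier` parameter predate the commit but would be worth parameterizing in a follow-up. The enclosing plugin class starts before and ends after this hunk.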
@@ -79,26 +86,42 @@ public Collection createComponents(Client client, ClusterService cluster public void testRolesInject() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY); - Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health( - new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes()); - Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster(). - health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()); + Assert.assertEquals( + clusterInfo.numNodes, + clusterHelper.nodeClient() + .admin() + .cluster() + .health(new ClusterHealthRequest().waitForGreenStatus()) + .actionGet() + .getNumberOfNodes() + ); + Assert.assertEquals( + ClusterHealthStatus.GREEN, + clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus() + ); final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false) - .put(minimumSecuritySettings(Settings.EMPTY).get(0)) - .put("cluster.name", clusterInfo.clustername) - .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data") - .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs") - .put("path.home", "./target") - .put("node.name", "testclient") - .put("discovery.initial_state_timeout", "8s") - .put("plugins.security.allow_default_init_securityindex", "true") - .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) - .build(); - - //1. Without roles injection. 
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { + .put(minimumSecuritySettings(Settings.EMPTY).get(0)) + .put("cluster.name", clusterInfo.clustername) + .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data") + .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs") + .put("path.home", "./target") + .put("node.name", "testclient") + .put("discovery.initial_state_timeout", "8s") + .put("plugins.security.allow_default_init_securityindex", "true") + .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) + .build(); + + // 1. Without roles injection. + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesInjectorPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); @@ -107,10 +130,18 @@ public void testRolesInject() throws Exception { Assert.assertTrue(ier.isExists()); } - //2. With invalid roles, must throw security exception. + // 2. With invalid roles, must throw security exception. RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role"; Exception exception = null; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesInjectorPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); 
@@ -122,9 +153,17 @@ public void testRolesInject() throws Exception { Assert.assertNotNull(exception); Assert.assertTrue(exception.getMessage().contains("indices:admin/create")); - //3. With valid roles - which has permission to create index. + // 3. With valid roles - which has permission to create index. RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesInjectorPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet(); diff --git a/src/test/java/org/opensearch/security/RolesValidationIntegTest.java b/src/test/java/org/opensearch/security/RolesValidationIntegTest.java index 9a8278804a..89e0cd2e45 100644 --- a/src/test/java/org/opensearch/security/RolesValidationIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesValidationIntegTest.java 
@@ -57,14 +57,22 @@ public RolesValidationPlugin(final Settings settings, final Path configPath) { } @Override - public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, - ResourceWatcherService resourceWatcherService, ScriptService scriptService, - NamedXContentRegistry xContentRegistry, Environment environment, - NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry, - IndexNameExpressionResolver indexNameExpressionResolver, - Supplier repositoriesServiceSupplier) { - if(rolesValidation != null) { - threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, "test|opendistro_security_all_access"); + public Collection createComponents( + Client client, + ClusterService clusterService, + ThreadPool threadPool, + ResourceWatcherService resourceWatcherService, + ScriptService scriptService, + NamedXContentRegistry xContentRegistry, + Environment environment, + NodeEnvironment nodeEnvironment, + NamedWriteableRegistry namedWriteableRegistry, + IndexNameExpressionResolver indexNameExpressionResolver, + Supplier repositoriesServiceSupplier + ) { + if (rolesValidation != null) { + threadPool.getThreadContext() + .putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, "test|opendistro_security_all_access"); threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_VALIDATION, rolesValidation); } return new ArrayList<>(); 
@@ -76,20 +84,27 @@ public void testRolesValidation() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY); final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false) - .put(minimumSecuritySettings(Settings.EMPTY).get(0)) - .put("cluster.name", clusterInfo.clustername) - .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data") - .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs") - .put("path.home", "./target") - .put("node.name", "testclient") - .put("discovery.initial_state_timeout", "8s") - .put("plugins.security.allow_default_init_securityindex", "true") - .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) - .build(); + .put(minimumSecuritySettings(Settings.EMPTY).get(0)) + .put("cluster.name", clusterInfo.clustername) + .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data") + .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs") + .put("path.home", "./target") + .put("node.name", "testclient") + .put("discovery.initial_state_timeout", "8s") + .put("plugins.security.allow_default_init_securityindex", "true") + .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) + .build(); // 1. Without roles validation - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesValidationPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); Assert.assertTrue(cir.isAcknowledged()); 
@@ -100,8 +115,15 @@ public void testRolesValidation() throws Exception { OpenSearchSecurityException exception = null; // 2. with roles invalid to the user RolesValidationPlugin.rolesValidation = "invalid_role"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesValidationPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); } catch (OpenSearchSecurityException ex) { @@ -112,8 +134,15 @@ public void testRolesValidation() throws Exception { // 3. with roles valid to the user RolesValidationPlugin.rolesValidation = "opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesValidationPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet(); Assert.assertTrue(cir.isAcknowledged()); diff --git a/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java b/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java index bc5d174739..b8da89e2dc 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java 
@@ -28,35 +28,45 @@ public void testNoSSL() throws Exception { setup(settings); final RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executePutRequest("_plugins/_security/configupdate", "").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest("_plugins/_security/whoami").getStatusCode()); } @Test public void testEndpoints() throws Exception { - final Settings settings = Settings.builder().put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .putList("plugins.security.nodes_dn", "CN=node-*.example.com,OU=SSL,O=Test,L=Test,C=DE").build(); + final Settings settings = Settings.builder() + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + 
.putList("plugins.security.nodes_dn", "CN=node-*.example.com,OU=SSL,O=Test,L=Test,C=DE") + .build(); setup(settings); final RestHelper rh = restHelper(); rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = false; - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executePutRequest("_plugins/_security/configupdate", "").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); RestHelper.HttpResponse res; Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_plugins/_security/whoami")).getStatusCode()); 
@@ -71,13 +81,17 @@ public void testEndpoints() throws Exception { assertContains(res, "*\"is_admin\":false*"); assertContains(res, "*\"is_node_certificate_request\":true*"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executePutRequest("_plugins/_security/configupdate", "").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); rh.keystore = "spock-keystore.jks"; 
@@ -87,13 +101,17 @@ public void testEndpoints() throws Exception { assertContains(res, "*\"is_admin\":false*"); assertContains(res, "*\"is_node_certificate_request\":false*"); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executePutRequest("_plugins/_security/configupdate", "").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePutRequest("_plugins/_security/configupdate?config_types=xxx", "", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); rh.keystore = "kirk-keystore.jks"; 
@@ -103,14 +121,25 @@ public void testEndpoints() throws Exception { assertContains(res, "*\"is_admin\":true*"); assertContains(res, "*\"is_node_certificate_request\":false*"); - Assert.assertEquals(HttpStatus.SC_OK, - rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) - .getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "{}", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, rh.executePutRequest("_plugins/_security/configupdate", "").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "").getStatusCode()); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePutRequest("_plugins/_security/configupdate?config_types=unknown_xxx", "", - encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest("_plugins/_security/configupdate?config_types=roles", "").getStatusCode() + ); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePutRequest( + "_plugins/_security/configupdate?config_types=unknown_xxx", + "", + encodeBasicHeader("nagilum", "nagilum") + )).getStatusCode() + ); assertContains(res, "*\"successful\":0*failed_node_exception*"); } diff --git a/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java b/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java index 18f5c06529..6cb89dc18f 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java 
@@ -42,133 +42,153 @@ public class SecurityAdminInvalidConfigsTests extends SingleClusterTest { - @Test - public void testSecurityAdminDuplicateKey() throws Exception { - final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); - setup(settings); - - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; - - List argsAsList = new ArrayList<>(); - argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); - argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); - argsAsList.add("-p"); - argsAsList.add(String.valueOf(clusterInfo.httpPort)); - argsAsList.add("-cn"); - argsAsList.add(clusterInfo.clustername); - argsAsList.add("-cd"); - argsAsList.add(new File("./src/test/resources/invalid_dupkey").getAbsolutePath()); - argsAsList.add("-nhnv"); - - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); - Assert.assertNotEquals(0, returnCode); - - RestHelper rh = restHelper(); - - Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - } - - @Test - public void testSecurityAdminDuplicateKeyReload() throws Exception { - testSecurityAdminDuplicateKey(); - - final String prefix = 
getResourceFolder()==null?"":getResourceFolder()+"/"; - - List argsAsList = new ArrayList<>(); - argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); - argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); - argsAsList.add("-p"); - argsAsList.add(String.valueOf(clusterInfo.httpPort)); - argsAsList.add("-cn"); - argsAsList.add(clusterInfo.clustername); - argsAsList.add("-rl"); - argsAsList.add("-nhnv"); - - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); - Assert.assertEquals(0, returnCode); - - RestHelper rh = restHelper(); - - Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - } - - @Test - public void testSecurityAdminDuplicateKeySingleFile() throws Exception { - final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); - setup(settings); - - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; - - List argsAsList = new ArrayList<>(); - argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); - argsAsList.add("-ks"); - 
argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); - argsAsList.add("-p"); - argsAsList.add(String.valueOf(clusterInfo.httpPort)); - argsAsList.add("-cn"); - argsAsList.add(clusterInfo.clustername); - argsAsList.add("-f"); - argsAsList.add(new File("./src/test/resources/invalid_dupkey/roles_mapping.yml").getAbsolutePath()); - argsAsList.add("-t"); - argsAsList.add("rolesmapping"); - argsAsList.add("-nhnv"); - - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); - Assert.assertNotEquals(0, returnCode); - - RestHelper rh = restHelper(); - - Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - } - - @Test - public void testSecurityAdminDuplicateKeyReloadSingleFile() throws Exception { - testSecurityAdminDuplicateKeySingleFile(); - - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; - - List argsAsList = new ArrayList<>(); - argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); - argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); - argsAsList.add("-p"); - argsAsList.add(String.valueOf(clusterInfo.httpPort)); - argsAsList.add("-cn"); - argsAsList.add(clusterInfo.clustername); - argsAsList.add("-rl"); - argsAsList.add("-nhnv"); - - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); - Assert.assertEquals(0, returnCode); - - RestHelper rh = restHelper(); - - Assert.assertEquals(HttpStatus.SC_OK, 
(rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - } + @Test + public void testSecurityAdminDuplicateKey() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); + setup(settings); + + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; + + List argsAsList = new ArrayList<>(); + argsAsList.add("-ts"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); + argsAsList.add("-ks"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add("-p"); + argsAsList.add(String.valueOf(clusterInfo.httpPort)); + argsAsList.add("-cn"); + argsAsList.add(clusterInfo.clustername); + argsAsList.add("-cd"); + argsAsList.add(new File("./src/test/resources/invalid_dupkey").getAbsolutePath()); + argsAsList.add("-nhnv"); + + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + Assert.assertNotEquals(0, returnCode); + + RestHelper rh = restHelper(); + + Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + 
HttpStatus.SC_OK, + rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + } + + @Test + public void testSecurityAdminDuplicateKeyReload() throws Exception { + testSecurityAdminDuplicateKey(); + + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; + + List argsAsList = new ArrayList<>(); + argsAsList.add("-ts"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); + argsAsList.add("-ks"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add("-p"); + argsAsList.add(String.valueOf(clusterInfo.httpPort)); + argsAsList.add("-cn"); + argsAsList.add(clusterInfo.clustername); + argsAsList.add("-rl"); + argsAsList.add("-nhnv"); + + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + Assert.assertEquals(0, returnCode); + + RestHelper rh = restHelper(); + + Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + } + + @Test + public void testSecurityAdminDuplicateKeySingleFile() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); + setup(settings); + + final String prefix = getResourceFolder() == null ? 
"" : getResourceFolder() + "/"; + + List argsAsList = new ArrayList<>(); + argsAsList.add("-ts"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); + argsAsList.add("-ks"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add("-p"); + argsAsList.add(String.valueOf(clusterInfo.httpPort)); + argsAsList.add("-cn"); + argsAsList.add(clusterInfo.clustername); + argsAsList.add("-f"); + argsAsList.add(new File("./src/test/resources/invalid_dupkey/roles_mapping.yml").getAbsolutePath()); + argsAsList.add("-t"); + argsAsList.add("rolesmapping"); + argsAsList.add("-nhnv"); + + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + Assert.assertNotEquals(0, returnCode); + + RestHelper rh = restHelper(); + + Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + } + + @Test + public void testSecurityAdminDuplicateKeyReloadSingleFile() throws Exception { + testSecurityAdminDuplicateKeySingleFile(); + + final String prefix = getResourceFolder() == null ? 
"" : getResourceFolder() + "/"; + + List argsAsList = new ArrayList<>(); + argsAsList.add("-ts"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); + argsAsList.add("-ks"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add("-p"); + argsAsList.add(String.valueOf(clusterInfo.httpPort)); + argsAsList.add("-cn"); + argsAsList.add(clusterInfo.clustername); + argsAsList.add("-rl"); + argsAsList.add("-nhnv"); + + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + Assert.assertEquals(0, returnCode); + + RestHelper rh = restHelper(); + + Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + } } diff --git a/src/test/java/org/opensearch/security/SecurityAdminTests.java b/src/test/java/org/opensearch/security/SecurityAdminTests.java index 553ab0a5f2..681d04fc3e 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminTests.java 
@@ -47,19 +47,19 @@ public class SecurityAdminTests extends SingleClusterTest { @Test public void testSecurityAdmin() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, null, settings, false); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); 
@@ -67,8 +67,7 @@ public void testSecurityAdmin() throws Exception { addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); argsAsList.add("-nhnv"); - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); RestHelper rh = restHelper(); 
@@ -79,79 +78,89 @@ public void testSecurityAdmin() throws Exception { @Test public void testSecurityAdminHostnameVerificationEnforced() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem")) - .put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem")) - .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem")) - .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put( + "plugins.security.ssl.http.pemtrustedcas_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem") + ) + .put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem")) + .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem")) + .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de")) + .build(); setup(Settings.EMPTY, null, settings, false); - final String prefix = getResourceFolder()==null?"securityadmin/":getResourceFolder()+"/securityadmin/"; + final String prefix = getResourceFolder() == null ? 
"securityadmin/" : getResourceFolder() + "/securityadmin/"; List argsAsList = new ArrayList<>(); argsAsList.add("-cacert"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"root-ca.pem").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "root-ca.pem").toFile().getAbsolutePath()); argsAsList.add("-cert"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.crt.pem").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.crt.pem").toFile().getAbsolutePath()); argsAsList.add("-key"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.key.pem").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.key.pem").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-icl"); addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); - final IOException expectedException = assertThrows(IOException.class, () -> SecurityAdmin.execute(argsAsList.toArray(new String[0]))); - final String expectedMessagePattern = "Certificate for <.+> doesn't match any of the subject alternative names: \\[node-.\\.example\\.com\\]"; + final IOException expectedException = assertThrows( + IOException.class, + () -> SecurityAdmin.execute(argsAsList.toArray(new String[0])) + ); + final String expectedMessagePattern = + "Certificate for <.+> doesn't match any of the subject alternative names: \\[node-.\\.example\\.com\\]"; assertThat(expectedException.getMessage(), matchesPattern(expectedMessagePattern)); } @Test public void testSecurityAdminHostnameVerificationNotEnforced() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem")) - 
.put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem")) - .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem")) - .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put( + "plugins.security.ssl.http.pemtrustedcas_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem") + ) + .put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem")) + .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem")) + .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de")) + .build(); setup(Settings.EMPTY, null, settings, false); - final String prefix = getResourceFolder()==null?"securityadmin/":getResourceFolder()+"/securityadmin/"; + final String prefix = getResourceFolder() == null ? 
"securityadmin/" : getResourceFolder() + "/securityadmin/"; List argsAsList = new ArrayList<>(); argsAsList.add("-cacert"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"root-ca.pem").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "root-ca.pem").toFile().getAbsolutePath()); argsAsList.add("-cert"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.crt.pem").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.crt.pem").toFile().getAbsolutePath()); argsAsList.add("-key"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.key.pem").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.key.pem").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-icl"); addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); argsAsList.add("-nhnv"); - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); } @Test public void testSecurityAdminInvalidCert() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, null, settings, false); - 
final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); @@ -159,7 +168,7 @@ public void testSecurityAdminInvalidCert() throws Exception { addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); argsAsList.add("-nhnv"); - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); RestHelper rh = restHelper(); @@ -168,9 +177,9 @@ public void testSecurityAdminInvalidCert() throws Exception { argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"spock-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "spock-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); 
@@ -179,17 +188,16 @@ public void testSecurityAdminInvalidCert() throws Exception { argsAsList.add("--diagnose"); argsAsList.add("-nhnv"); - - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(-1, returnCode); Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_plugins/_security/health?pretty")).getStatusCode()); argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"node-0-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "node-0-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); @@ -197,7 +205,7 @@ public void testSecurityAdminInvalidCert() throws Exception { addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); argsAsList.add("-nhnv"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(-1, returnCode); Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_plugins/_security/health?pretty")).getStatusCode()); 
@@ -206,19 +214,19 @@ public void testSecurityAdminInvalidCert() throws Exception { @Test public void testSecurityAdminV6Update() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, null, settings, false); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); 
@@ -226,35 +234,34 @@ public void testSecurityAdminV6Update() throws Exception { addDirectoryPath(argsAsList, new File("./legacy/securityconfig_v6").getAbsolutePath()); argsAsList.add("-nhnv"); - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); RestHelper rh = restHelper(); Assert.assertEquals(HttpStatus.SC_SERVICE_UNAVAILABLE, rh.executeGetRequest("_opendistro/_security/health?pretty").getStatusCode()); - //System.out.println(res.getBody()); - //assertContains(res, "*UP*"); - //assertContains(res, "*strict*"); - //assertNotContains(res, "*DOWN*"); + // System.out.println(res.getBody()); + // assertContains(res, "*UP*"); + // assertContains(res, "*strict*"); + // assertNotContains(res, "*DOWN*"); } @Test public void testSecurityAdminRegularUpdate() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, null, settings, true); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? 
"" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); @@ -262,8 +269,7 @@ public void testSecurityAdminRegularUpdate() throws Exception { addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); argsAsList.add("-nhnv"); - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); RestHelper rh = restHelper(); 
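Review bot: The four commented-out lines after the health assertion in testSecurityAdminV6Update (`// System.out.println(res.getBody());` through `// assertNotContains(res, "*DOWN*");`) are dead code that this reformat only re-spaces; they reference a `res` variable that does not exist in the method as shown, so they cannot be uncommented as-is. Deleting them would be clearer than keeping them aligned; if the intent is to record that only the status code is checked, a single comment such as `// only the 503 status is asserted; the legacy v6 layout must not be applied` says that without leaving unusable code behind. The method body continues in the next hunk below.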
@@ -279,19 +285,19 @@ public void testSecurityAdminRegularUpdate() throws Exception { @Test public void testSecurityAdminSingularV7Updates() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); 
@@ -302,15 +308,14 @@ public void testSecurityAdminSingularV7Updates() throws Exception { argsAsList.add("config"); argsAsList.add("-nhnv"); - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); @@ -321,15 +326,14 @@ public void testSecurityAdminSingularV7Updates() throws Exception { argsAsList.add("rolesmapping"); argsAsList.add("-nhnv"); - - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); 
@@ -340,8 +344,7 @@ public void testSecurityAdminSingularV7Updates() throws Exception { argsAsList.add("tenants"); argsAsList.add("-nhnv"); - - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); RestHelper rh = restHelper(); 
@@ -357,19 +360,19 @@ public void testSecurityAdminSingularV7Updates() throws Exception { @Test public void testSecurityAdminSingularV6Updates() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); 
@@ -380,10 +383,9 @@ public void testSecurityAdminSingularV6Updates() throws Exception { argsAsList.add("config"); argsAsList.add("-nhnv"); - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); - RestHelper rh = restHelper(); HttpResponse res; 
@@ -397,31 +399,30 @@ public void testSecurityAdminSingularV6Updates() throws Exception { @Test public void testSecurityAdminInvalidYml() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? 
"" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); argsAsList.add(clusterInfo.clustername); argsAsList.add("-f"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"roles_invalidxcontent.yml").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "roles_invalidxcontent.yml").toFile().getAbsolutePath()); argsAsList.add("-t"); argsAsList.add("roles"); argsAsList.add("-nhnv"); - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); RestHelper rh = restHelper(); 
@@ -437,29 +438,34 @@ public void testSecurityAdminInvalidYml() throws Exception { @Test public void testSecurityAdminReloadInvalidConfig() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true); - final RestHelper rh = restHelper(); //ssl resthelper + final RestHelper rh = restHelper(); // ssl resthelper rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; rh.keystore = "kirk-keystore.jks"; - System.out.println(rh.executePutRequest(".opendistro_security/_doc/roles", FileHelper.loadFile("roles_invalidxcontent.yml")).getBody());; - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest(".opendistro_security/_doc/roles", "{\"roles\":\"dummy\"}").getStatusCode()); - + System.out.println( + rh.executePutRequest(".opendistro_security/_doc/roles", FileHelper.loadFile("roles_invalidxcontent.yml")).getBody() + ); + ; + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest(".opendistro_security/_doc/roles", "{\"roles\":\"dummy\"}").getStatusCode() + ); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? 
"" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); @@ -467,8 +473,7 @@ public void testSecurityAdminReloadInvalidConfig() throws Exception { argsAsList.add("-rl"); argsAsList.add("-nhnv"); - - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); HttpResponse res; @@ -485,7 +490,7 @@ public void testSecurityAdminValidateConfig() throws Exception { addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); argsAsList.add("-vc"); - int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); @@ -493,7 +498,7 @@ public void testSecurityAdminValidateConfig() throws Exception { argsAsList.add(new File(PROJECT_ROOT_RELATIVE_PATH + "src/test/resources/roles.yml").getAbsolutePath()); argsAsList.add("-vc"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); 
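Review bot: The formatter has preserved an empty statement in testSecurityAdminReloadInvalidConfig: the `;` that trailed the `System.out.println(...)` call now sits on a line of its own, which reads as an accidental leftover rather than intent, and removing that line keeps behaviour identical. The PUT of `roles_invalidxcontent.yml` directly above it is only printed, never asserted, so its outcome is invisible to the test; if that request is meant to seed an unparsable document before the `-rl` reload is exercised, capturing the response and asserting on `getStatusCode()` would make the precondition explicit, though the expected status is not visible from this hunk. The method continues past the end of the hunk.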
@@ -501,15 +506,17 @@ public void testSecurityAdminValidateConfig() throws Exception { argsAsList.add(new File(PROJECT_ROOT_RELATIVE_PATH + "src/main/resources/static_config/static_roles.yml").getAbsolutePath()); argsAsList.add("-vc"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); argsAsList.add("-f"); - argsAsList.add(new File(PROJECT_ROOT_RELATIVE_PATH + "src/main/resources/static_config/static_action_groups.yml").getAbsolutePath()); + argsAsList.add( + new File(PROJECT_ROOT_RELATIVE_PATH + "src/main/resources/static_config/static_action_groups.yml").getAbsolutePath() + ); argsAsList.add("-vc"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); @@ -517,7 +524,7 @@ public void testSecurityAdminValidateConfig() throws Exception { argsAsList.add(new File(PROJECT_ROOT_RELATIVE_PATH + "src/main/resources/static_config/static_tenants.yml").getAbsolutePath()); argsAsList.add("-vc"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); @@ -527,7 +534,7 @@ public void testSecurityAdminValidateConfig() throws Exception { argsAsList.add("-t"); argsAsList.add("config"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); argsAsList = new ArrayList<>(); 
@@ -535,14 +542,14 @@ public void testSecurityAdminValidateConfig() throws Exception { argsAsList.add(TEST_RESOURCE_ABSOLUTE_PATH); argsAsList.add("-vc"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); argsAsList = new ArrayList<>(); addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH + "legacy/securityconfig_v6"); argsAsList.add("-vc"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); argsAsList = new ArrayList<>(); @@ -550,7 +557,7 @@ public void testSecurityAdminValidateConfig() throws Exception { argsAsList.add("-vc"); argsAsList.add("6"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertEquals(0, returnCode); argsAsList = new ArrayList<>(); 
@@ -558,26 +565,26 @@ public void testSecurityAdminValidateConfig() throws Exception { argsAsList.add("-vc"); argsAsList.add("8"); - returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); Assert.assertNotEquals(0, returnCode); } @Test public void testIsLegacySecurityIndexOnV7Index() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .build(); setup(Settings.EMPTY, null, settings, false); - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; List argsAsList = new ArrayList<>(); argsAsList.add("-ts"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath()); argsAsList.add("-ks"); - argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath()); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath()); argsAsList.add("-p"); argsAsList.add(String.valueOf(clusterInfo.httpPort)); argsAsList.add("-cn"); 
@@ -600,7 +607,9 @@ public void testIsLegacySecurityIndexOnV7Index() throws Exception { System.out.flush(); System.setOut(old); String standardOut = baos.toString(); - String legacyIndexOutput = "Legacy index '"+ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX+"' (ES 6) detected (or forced). You should migrate the configuration!"; + String legacyIndexOutput = "Legacy index '" + + ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX + + "' (ES 6) detected (or forced). You should migrate the configuration!"; Assert.assertFalse(standardOut.contains(legacyIndexOutput)); } diff --git a/src/test/java/org/opensearch/security/SecurityRolesTests.java b/src/test/java/org/opensearch/security/SecurityRolesTests.java index ee8e1ea150..24a6bafbb8 100644 --- a/src/test/java/org/opensearch/security/SecurityRolesTests.java +++ b/src/test/java/org/opensearch/security/SecurityRolesTests.java 
@@ -40,76 +40,89 @@ public class SecurityRolesTests extends SingleClusterTest { - @Test - public void testSecurityRolesAnon() throws Exception { - - setup(Settings.EMPTY, new DynamicSecurityConfig() - .setSecurityInternalUsers("internal_users_sr.yml") - .setConfig("config_anon.yml"), Settings.EMPTY, true); - - RestHelper rh = nonSslRestHelper(); - - HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty"); - Assert.assertTrue(resc.getBody().contains("anonymous")); - Assert.assertFalse(resc.getBody().contains("xyz_sr")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - - resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("sr_user", "nagilum")); - Assert.assertTrue(resc.getBody().contains("sr_user")); - Assert.assertTrue(resc.getBody().contains("xyz_sr")); - Assert.assertFalse(resc.getBody().contains("opendistro_security_kibana_server")); - Assert.assertTrue(resc.getBody().contains("backend_roles=[abc_ber]")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - } - - @Test - public void testSecurityRoles() throws Exception { - - setup(Settings.EMPTY, new DynamicSecurityConfig() - .setSecurityRolesMapping("roles_mapping.yml") - .setSecurityInternalUsers("internal_users_sr.yml"), Settings.EMPTY, true); - - RestHelper rh = nonSslRestHelper(); - rh.sendAdminCertificate = false; - - HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("sr_user", "nagilum")); - Assert.assertTrue(resc.getBody().contains("sr_user")); - Assert.assertTrue(resc.getBody().contains("xyz_sr")); - - // Opendistro_security_roles cannot contain roles that don't exist. - Assert.assertFalse(resc.getBody().contains("xyz_sr_non_existent")); - - // Opendistro_security_roles can contain reserved roles. - Assert.assertTrue(resc.getBody().contains("xyz_sr_reserved")); - - // Opendistro_security_roles cannot contain roles that are hidden in rolesmapping.yml. 
- Assert.assertFalse(resc.getBody().contains("xyz_sr_hidden")); - - Assert.assertTrue(resc.getBody().contains("backend_roles=[abc_ber]")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - } - - @Test - public void testSecurityRolesImpersonation() throws Exception { - - Settings settings = Settings.builder() - .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".sr_user", "sr_impuser") - .build(); - - setup(Settings.EMPTY, new DynamicSecurityConfig() - .setSecurityInternalUsers("internal_users_sr.yml"), settings, true); - - RestHelper rh = nonSslRestHelper(); - - HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("sr_user", "nagilum"), new BasicHeader("opendistro_security_impersonate_as", "sr_impuser")); - Assert.assertFalse(resc.getBody().contains("sr_user")); - Assert.assertTrue(resc.getBody().contains("sr_impuser")); - Assert.assertFalse(resc.getBody().contains("xyz_sr")); - Assert.assertTrue(resc.getBody().contains("xyz_impsr")); - Assert.assertTrue(resc.getBody().contains("backend_roles=[ert_ber]")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - - resc = rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("sr_user", "nagilum"), new BasicHeader("opendistro_security_impersonate_as", "sr_impuser")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - } + @Test + public void testSecurityRolesAnon() throws Exception { + + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setSecurityInternalUsers("internal_users_sr.yml").setConfig("config_anon.yml"), + Settings.EMPTY, + true + ); + + RestHelper rh = nonSslRestHelper(); + + HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty"); + Assert.assertTrue(resc.getBody().contains("anonymous")); + Assert.assertFalse(resc.getBody().contains("xyz_sr")); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + + resc = 
rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("sr_user", "nagilum")); + Assert.assertTrue(resc.getBody().contains("sr_user")); + Assert.assertTrue(resc.getBody().contains("xyz_sr")); + Assert.assertFalse(resc.getBody().contains("opendistro_security_kibana_server")); + Assert.assertTrue(resc.getBody().contains("backend_roles=[abc_ber]")); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + } + + @Test + public void testSecurityRoles() throws Exception { + + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setSecurityRolesMapping("roles_mapping.yml").setSecurityInternalUsers("internal_users_sr.yml"), + Settings.EMPTY, + true + ); + + RestHelper rh = nonSslRestHelper(); + rh.sendAdminCertificate = false; + + HttpResponse resc = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("sr_user", "nagilum")); + Assert.assertTrue(resc.getBody().contains("sr_user")); + Assert.assertTrue(resc.getBody().contains("xyz_sr")); + + // Opendistro_security_roles cannot contain roles that don't exist. + Assert.assertFalse(resc.getBody().contains("xyz_sr_non_existent")); + + // Opendistro_security_roles can contain reserved roles. + Assert.assertTrue(resc.getBody().contains("xyz_sr_reserved")); + + // Opendistro_security_roles cannot contain roles that are hidden in rolesmapping.yml. 
+ Assert.assertFalse(resc.getBody().contains("xyz_sr_hidden")); + + Assert.assertTrue(resc.getBody().contains("backend_roles=[abc_ber]")); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + } + + @Test + public void testSecurityRolesImpersonation() throws Exception { + + Settings settings = Settings.builder() + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".sr_user", "sr_impuser") + .build(); + + setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_users_sr.yml"), settings, true); + + RestHelper rh = nonSslRestHelper(); + + HttpResponse resc = rh.executeGetRequest( + "_opendistro/_security/authinfo?pretty", + encodeBasicHeader("sr_user", "nagilum"), + new BasicHeader("opendistro_security_impersonate_as", "sr_impuser") + ); + Assert.assertFalse(resc.getBody().contains("sr_user")); + Assert.assertTrue(resc.getBody().contains("sr_impuser")); + Assert.assertFalse(resc.getBody().contains("xyz_sr")); + Assert.assertTrue(resc.getBody().contains("xyz_impsr")); + Assert.assertTrue(resc.getBody().contains("backend_roles=[ert_ber]")); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + + resc = rh.executeGetRequest( + "*/_search?pretty", + encodeBasicHeader("sr_user", "nagilum"), + new BasicHeader("opendistro_security_impersonate_as", "sr_impuser") + ); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + } } diff --git a/src/test/java/org/opensearch/security/SlowIntegrationTests.java b/src/test/java/org/opensearch/security/SlowIntegrationTests.java index b2efada0d8..0e7585a08d 100644 --- a/src/test/java/org/opensearch/security/SlowIntegrationTests.java +++ b/src/test/java/org/opensearch/security/SlowIntegrationTests.java 
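Review bot: The `contains("xyz_sr")` assertions in testSecurityRoles are weaker than they look: `"xyz_sr"` is a prefix of `"xyz_sr_reserved"`, `"xyz_sr_hidden"` and `"xyz_sr_non_existent"`, so `Assert.assertTrue(resc.getBody().contains("xyz_sr"))` passes whenever the reserved role is listed, even if the plain `xyz_sr` role were missing. The negative checks on `xyz_sr_non_existent` and `xyz_sr_hidden` are sound, but the positive one would be pinned down by matching the delimited form the pretty-printed authinfo body uses (the `backend_roles=[abc_ber]` assertion suggests a `name=[a, b]` rendering, e.g. `contains("xyz_sr,")` or `contains("xyz_sr]")`) or by parsing the body and checking the roles collection; the exact rendering is not visible in this hunk. The same substring caveat does not affect testSecurityRolesImpersonation, where `"sr_user"` is not a substring of `"sr_impuser"`.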
@@ -55,38 +55,72 @@ public class SlowIntegrationTests extends SingleClusterTest {
 public void testCustomInterclusterRequestEvaluator() throws Exception {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, "org.opensearch.security.AlwaysFalseInterClusterRequestEvaluator")
- .put("discovery.initial_state_timeout","8s")
- .build();
- setup(Settings.EMPTY, null, settings, false, ClusterConfiguration.DEFAULT ,5,1);
- Assert.assertEquals(1, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
- Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());
+ .put(
+ ConfigConstants.SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS,
+ "org.opensearch.security.AlwaysFalseInterClusterRequestEvaluator"
+ )
+ .put("discovery.initial_state_timeout", "8s")
+ .build();
+ setup(Settings.EMPTY, null, settings, false, ClusterConfiguration.DEFAULT, 5, 1);
+ Assert.assertEquals(
+ 1,
+ clusterHelper.nodeClient()
+ .admin()
+ .cluster()
+ .health(new ClusterHealthRequest().waitForGreenStatus())
+ .actionGet()
+ .getNumberOfNodes()
+ );
+ Assert.assertEquals(
+ ClusterHealthStatus.GREEN,
+ clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()
+ );
 }
 @SuppressWarnings("resource")
 @Test
 public void testNodeClientAllowedWithServerCertificate() throws Exception {
 setup();
- Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
- Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());
-
+ Assert.assertEquals(
+ clusterInfo.numNodes,
+ clusterHelper.nodeClient()
+ .admin()
+ .cluster()
+ .health(new ClusterHealthRequest().waitForGreenStatus())
+ .actionGet()
+ .getNumberOfNodes()
+ );
+ Assert.assertEquals(
+ ClusterHealthStatus.GREEN,
+ clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()
+ );
 final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false)
- .put(minimumSecuritySettings(Settings.EMPTY).get(0))
- .put("cluster.name", clusterInfo.clustername)
- .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
- .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
- .put("path.home", "./target")
- .put("node.name", "transportclient")
- .put("discovery.initial_state_timeout","8s")
- .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort)
- .build();
+ .put(minimumSecuritySettings(Settings.EMPTY).get(0))
+ .put("cluster.name", clusterInfo.clustername)
+ .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
+ .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
+ .put("path.home", "./target")
+ .put("node.name", "transportclient")
+ .put("discovery.initial_state_timeout", "8s")
+ .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
+ .build();
 log.debug("Start node client");
 try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) {
- Assert.assertFalse(node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes(String.valueOf(clusterInfo.numNodes+1))).actionGet().isTimedOut());
- Assert.assertEquals(clusterInfo.numNodes+1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
+ Assert.assertFalse(
+ node.client()
+ .admin()
+ .cluster()
+ .health(new ClusterHealthRequest().waitForNodes(String.valueOf(clusterInfo.numNodes + 1)))
+ .actionGet()
+ .isTimedOut()
+ );
+ Assert.assertEquals(
+ clusterInfo.numNodes + 1,
+ node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()
+ );
 }
 }
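Review bot: The two cluster-health assertions at the top of testNodeClientAllowedWithServerCertificate issue two separate `health(...)` round trips, so the node count and the GREEN status may be read from different cluster states; testCustomInterclusterRequestEvaluator in this hunk and the hunks for testNodeClientDisallowedWithNonServerCertificate and testNodeClientDisallowedWithNonServerCertificate2 repeat the same pattern. Capturing the response once, `final ClusterHealthResponse health = clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet();`, and then asserting on `health.getNumberOfNodes()` and `health.getStatus()` keeps both checks on one observation and halves the calls. ClusterHealthResponse would need an import if the file does not already have one.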
@@ -94,22 +128,32 @@ public void testNodeClientAllowedWithServerCertificate() throws Exception {
 @Test
 public void testNodeClientDisallowedWithNonServerCertificate() throws Exception {
 setup();
- Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
- Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());
-
+ Assert.assertEquals(
+ clusterInfo.numNodes,
+ clusterHelper.nodeClient()
+ .admin()
+ .cluster()
+ .health(new ClusterHealthRequest().waitForGreenStatus())
+ .actionGet()
+ .getNumberOfNodes()
+ );
+ Assert.assertEquals(
+ ClusterHealthStatus.GREEN,
+ clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()
+ );
 final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false)
- .put(minimumSecuritySettings(Settings.EMPTY).get(0))
- .put("cluster.name", clusterInfo.clustername)
- .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
- .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
- .put("path.home", "./target")
- .put("node.name", "transportclient")
- .put("discovery.initial_state_timeout","8s")
- .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort)
- .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("kirk-keystore.jks"))
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"kirk")
- .build();
+ .put(minimumSecuritySettings(Settings.EMPTY).get(0))
+ .put("cluster.name", clusterInfo.clustername)
+ .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
+ .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
+ .put("path.home", "./target")
+ .put("node.name", "transportclient")
+ .put("discovery.initial_state_timeout", "8s")
+ .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("kirk-keystore.jks"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "kirk")
+ .build();
 log.debug("Start node client");
@@ -126,21 +170,32 @@ public void testNodeClientDisallowedWithNonServerCertificate() throws Exception
 @Test
 public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception {
 setup();
- Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
- Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());
+ Assert.assertEquals(
+ clusterInfo.numNodes,
+ clusterHelper.nodeClient()
+ .admin()
+ .cluster()
+ .health(new ClusterHealthRequest().waitForGreenStatus())
+ .actionGet()
+ .getNumberOfNodes()
+ );
+ Assert.assertEquals(
+ ClusterHealthStatus.GREEN,
+ clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()
+ );
 final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false)
- .put(minimumSecuritySettings(Settings.EMPTY).get(0))
- .put("cluster.name", clusterInfo.clustername)
- .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
- .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
- .put("path.home", "./target")
- .put("node.name", "transportclient")
- .put("discovery.initial_state_timeout","8s")
- .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort)
- .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
- .build();
+ .put(minimumSecuritySettings(Settings.EMPTY).get(0))
+ .put("cluster.name", clusterInfo.clustername)
+ .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
+ .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
+ .put("path.home", "./target")
+ .put("node.name", "transportclient")
+ .put("discovery.initial_state_timeout", "8s")
+ .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
+ .build();
 log.debug("Start node client");
@@ -155,19 +210,26 @@ public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception
 @Test
 public void testDelayInSecurityIndexInitialization() throws Exception {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true)
- .put("cluster.routing.allocation.exclude._ip", "127.0.0.1")
- .build();
+ .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true)
+ .put("cluster.routing.allocation.exclude._ip", "127.0.0.1")
+ .build();
 try {
 setup(Settings.EMPTY, null, settings, false);
 Assert.fail("Expected IOException here due to red cluster state");
 } catch (IOException e) {
 // Index request has a default timeout of 1 minute, adding buffer between nodes initialization and cluster health check
- Thread.sleep(1000*80);
- // Ideally, we would want to remove this cluster setting, but default settings cannot be removed. So overriding with a reserved IP address
- clusterHelper.nodeClient().admin().cluster().updateSettings(
- new ClusterUpdateSettingsRequest().transientSettings(Settings.builder().put("cluster.routing.allocation.exclude._ip", "192.0.2.0").build()));
- this.clusterInfo = clusterHelper.waitForCluster(ClusterHealthStatus.GREEN, TimeValue.timeValueSeconds(10),3);
+ Thread.sleep(1000 * 80);
+ // Ideally, we would want to remove this cluster setting, but default settings cannot be removed. So overriding with a reserved
+ // IP address
+ clusterHelper.nodeClient()
+ .admin()
+ .cluster()
+ .updateSettings(
+ new ClusterUpdateSettingsRequest().transientSettings(
+ Settings.builder().put("cluster.routing.allocation.exclude._ip", "192.0.2.0").build()
+ )
+ )
+ );
+ this.clusterInfo = clusterHelper.waitForCluster(ClusterHealthStatus.GREEN, TimeValue.timeValueSeconds(10), 3);
 }
 RestHelper rh = nonSslRestHelper();
 Thread.sleep(10000);
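Review bot: In the catch block of testDelayInSecurityIndexInitialization the caught `e` is never inspected or logged, so any IOException thrown by `setup(...)` — not only the red-cluster timeout that the `Assert.fail` message describes — satisfies the test before the 80-second sleep and the allocation override run. At minimum record it, `log.debug("setup failed as expected", e);`, or assert on its message so an unrelated setup failure does not pass silently. The method continues past the end of the hunk after `Thread.sleep(10000);`.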
diff --git a/src/test/java/org/opensearch/security/SnapshotRestoreTests.java b/src/test/java/org/opensearch/security/SnapshotRestoreTests.java
index 8e869e250d..1c884a8e5d 100644
--- a/src/test/java/org/opensearch/security/SnapshotRestoreTests.java
+++ b/src/test/java/org/opensearch/security/SnapshotRestoreTests.java
@@ -54,7 +54,6 @@ import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.not;
-
 public class SnapshotRestoreTests extends SingleClusterTest {
 private ClusterConfiguration currentClusterConfig = ClusterConfiguration.DEFAULT;
@@ -62,233 +61,711 @@ public class SnapshotRestoreTests extends SingleClusterTest { public void testSnapshotEnableSecurityIndexRestore() throws Exception { final Settings settings = Settings.builder() - .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("plugins.security.check_snapshot_restore_write_privileges", false) - .put("plugins.security.unsupported.restore.securityindex.enabled", true) - .build(); + .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) + .put("plugins.security.check_snapshot_restore_write_privileges", false) + .put("plugins.security.unsupported.restore.securityindex.enabled", true) + .build(); setup(settings, currentClusterConfig); try (Client tc = getClient()) { - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("vulcangov").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/vulcangov"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest("vulcangov", "vulcangov_1").indices("vulcangov").includeGlobalState(true).waitForCompletion(true)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest(".opendistro_security").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/.opendistro_security"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest(".opendistro_security", "opendistro_security_1").indices(".opendistro_security").includeGlobalState(false).waitForCompletion(true)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("all").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest("all", 
"all_1").indices("*").includeGlobalState(false).waitForCompletion(true)).actionGet(); + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("vulcangov").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/vulcangov")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot( + new CreateSnapshotRequest("vulcangov", "vulcangov_1").indices("vulcangov") + .includeGlobalState(true) + .waitForCompletion(true) + ) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest(".opendistro_security").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/.opendistro_security")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot( + new CreateSnapshotRequest(".opendistro_security", "opendistro_security_1").indices(".opendistro_security") + .includeGlobalState(false) + .waitForCompletion(true) + ) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("all").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot(new CreateSnapshotRequest("all", "all_1").indices("*").includeGlobalState(false).waitForCompletion(true)) + .actionGet(); } RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/vulcangov", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/vulcangov/vulcangov_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": 
\"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/vulcangov", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/vulcangov/vulcangov_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // worf not allowed to restore vulcangov index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","", encodeBasicHeader("worf", "worf")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "", + encodeBasicHeader("worf", "worf") + ).getStatusCode() + ); // Try to restore vulcangov index as .opendistro_security index, not possible since Security index is open - 
Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index. - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/.opendistro_security", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/.opendistro_security/opendistro_security_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/.opendistro_security", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/.opendistro_security/opendistro_security_1", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); // 500 because Security index is open - Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, rh.executePostRequest("_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true","", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + rh.executePostRequest( + "_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true", + "", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index as .opendistro_security_copy index - 
Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true","{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true", + "{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore all indices. - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/all/all_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/all/all_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); // 500 because Security index is open - Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true", "", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); // Try to restore vulcangov index as .opendistro_security index -> 500 because Security index is open - Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{ 
\"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - // Try to restore .opendistro_security index as .opendistro_security_copy index. Delete opendistro_security_copy first, was created in test above - Assert.assertEquals(HttpStatus.SC_OK, rh.executeDeleteRequest("opendistro_security_copy", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + rh.executePostRequest( + "_snapshot/all/all_1/_restore?wait_for_completion=true", + "{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + // Try to restore .opendistro_security index as .opendistro_security_copy index. 
Delete opendistro_security_copy first, was created + // in test above + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeDeleteRequest("opendistro_security_copy", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/all/all_1/_restore?wait_for_completion=true", + "{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore an unknown snapshot - Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, rh.executePostRequest("_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + rh.executePostRequest( + "_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true", + "", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // close and restore Security index - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest(".opendistro_security/_close", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true","", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest(".opendistro_security/_open", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest(".opendistro_security/_close", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true", + "", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + 
Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest(".opendistro_security/_open", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); } @Test public void testSnapshot() throws Exception { final Settings settings = Settings.builder() - .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("plugins.security.check_snapshot_restore_write_privileges", false) - .build(); + .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) + .put("plugins.security.check_snapshot_restore_write_privileges", false) + .build(); setup(settings, currentClusterConfig); try (Client tc = getClient()) { - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("vulcangov").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/vulcangov"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest("vulcangov", "vulcangov_1").indices("vulcangov").includeGlobalState(true).waitForCompletion(true)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest(".opendistro_security").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/.opendistro_security"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest(".opendistro_security", "opendistro_security_1").indices(".opendistro_security").includeGlobalState(false).waitForCompletion(true)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("all").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest("all", "all_1").indices("*").includeGlobalState(false).waitForCompletion(true)).actionGet(); + tc.index(new 
IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("vulcangov").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/vulcangov")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot( + new CreateSnapshotRequest("vulcangov", "vulcangov_1").indices("vulcangov") + .includeGlobalState(true) + .waitForCompletion(true) + ) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest(".opendistro_security").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/.opendistro_security")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot( + new CreateSnapshotRequest(".opendistro_security", "opendistro_security_1").indices(".opendistro_security") + .includeGlobalState(false) + .waitForCompletion(true) + ) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("all").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot(new CreateSnapshotRequest("all", "all_1").indices("*").includeGlobalState(false).waitForCompletion(true)) + .actionGet(); } RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/vulcangov", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/vulcangov/vulcangov_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("nagilum", 
"nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","", encodeBasicHeader("worf", "worf")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/vulcangov", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/vulcangov/vulcangov_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "", + encodeBasicHeader("worf", "worf") + ).getStatusCode() + ); // Try to restore vulcangov index as .opendistro_security index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", 
\"rename_replacement\": \".opendistro_security\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index. - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/.opendistro_security", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/.opendistro_security/opendistro_security_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true","", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/.opendistro_security", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/.opendistro_security/opendistro_security_1", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true", + "", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index as .opendistro_security_copy index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true","{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", 
encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true", + "{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore all indices. - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/all/all_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/all/all_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true", "", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); // Try to restore .opendistro_security index as .opendistro_security_copy index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/all/all_1/_restore?wait_for_completion=true", + "{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", 
\"rename_replacement\": \".opendistro_security\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index as .opendistro_security_copy index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/all/all_1/_restore?wait_for_completion=true", + "{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore an unknown snapshot - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - // Assert.assertEquals(HttpStatus.SC_FORBIDDEN, executePostRequest("_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true","{ \"indices\": \"the-unknown-index\" }", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true", + "", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + // Assert.assertEquals(HttpStatus.SC_FORBIDDEN, + // executePostRequest("_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true","{ \"indices\": \"the-unknown-index\" }", + // encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()); } @Test public void testSnapshotCheckWritePrivileges() throws Exception { - final Settings settings = Settings.builder() - .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .build(); + final 
Settings settings = Settings.builder().putList("path.repo", repositoryPath.getRoot().getAbsolutePath()).build(); setup(settings, currentClusterConfig); try (Client tc = getClient()) { - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("vulcangov").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/vulcangov"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest("vulcangov", "vulcangov_1").indices("vulcangov").includeGlobalState(true).waitForCompletion(true)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest(".opendistro_security").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/.opendistro_security"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest(".opendistro_security", "opendistro_security_1").indices(".opendistro_security").includeGlobalState(false).waitForCompletion(true)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("all").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all"))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest("all", "all_1").indices("*").includeGlobalState(false).waitForCompletion(true)).actionGet(); - - ConfigUpdateResponse cur = tc.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config","roles","rolesmapping","internalusers","actiongroups"})).actionGet(); + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("vulcangov").type("fs") + .settings(Settings.builder().put("location", 
repositoryPath.getRoot().getAbsolutePath() + "/vulcangov")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot( + new CreateSnapshotRequest("vulcangov", "vulcangov_1").indices("vulcangov") + .includeGlobalState(true) + .waitForCompletion(true) + ) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest(".opendistro_security").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/.opendistro_security")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot( + new CreateSnapshotRequest(".opendistro_security", "opendistro_security_1").indices(".opendistro_security") + .includeGlobalState(false) + .waitForCompletion(true) + ) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("all").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all")) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot(new CreateSnapshotRequest("all", "all_1").indices("*").includeGlobalState(false).waitForCompletion(true)) + .actionGet(); + + ConfigUpdateResponse cur = tc.execute( + ConfigUpdateAction.INSTANCE, + new ConfigUpdateRequest(new String[] { "config", "roles", "rolesmapping", "internalusers", "actiongroups" }) + ).actionGet(); Assert.assertFalse(cur.hasFailures()); Assert.assertEquals(currentClusterConfig.getNodes(), cur.getNodes().size()); } RestHelper rh = nonSslRestHelper(); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/vulcangov", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/vulcangov/vulcangov_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", 
encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","", encodeBasicHeader("worf", "worf")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/vulcangov", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/vulcangov/vulcangov_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "", + encodeBasicHeader("worf", "worf") + ).getStatusCode() + ); // Try to restore vulcangov index as .opendistro_security index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"indices\": \"vulcangov\", \"rename_pattern\": 
\"(.+)\", \"rename_replacement\": \".opendistro_security\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index. - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/.opendistro_security", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/.opendistro_security/opendistro_security_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true","", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/.opendistro_security", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/.opendistro_security/opendistro_security_1", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true", + "", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index as .opendistro_security_copy index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true","{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" 
}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/.opendistro_security/opendistro_security_1/_restore?wait_for_completion=true", + "{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore all indices. - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/all/all_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/all/all_1", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true", "", encodeBasicHeader("nagilum", "nagilum")) + .getStatusCode() + ); // Try to restore .opendistro_security index as .opendistro_security_copy index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \".opendistro_security\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/all/all_1/_restore?wait_for_completion=true", + "{ \"indices\": \"vulcangov\", \"rename_pattern\": \"(.+)\", 
\"rename_replacement\": \".opendistro_security\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore .opendistro_security index as .opendistro_security_copy index - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/all/all_1/_restore?wait_for_completion=true", + "{ \"indices\": \".opendistro_security\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"opendistro_security_copy\" }", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Try to restore an unknown snapshot - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/all/unknown-snapshot/_restore?wait_for_completion=true", + "", + encodeBasicHeader("nagilum", "nagilum") + ).getStatusCode() + ); // Tests snapshot with write permissions (OK) - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_restore_1\" }", encodeBasicHeader("restoreuser", "restoreuser")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_restore_2a\" }", encodeBasicHeader("restoreuser", "restoreuser")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + 
"_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_restore_1\" }", + encodeBasicHeader("restoreuser", "restoreuser") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_restore_2a\" }", + encodeBasicHeader("restoreuser", "restoreuser") + ).getStatusCode() + ); // Test snapshot with write permissions (OK) - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_1\" }", encodeBasicHeader("restoreuser", "restoreuser")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_2\" }", encodeBasicHeader("restoreuser", "restoreuser")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_3\" }", encodeBasicHeader("restoreuser", "restoreuser")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_4\" }", encodeBasicHeader("restoreuser", "restoreuser")).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_1\" }", + encodeBasicHeader("restoreuser", "restoreuser") + ).getStatusCode() + ); + 
Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_2\" }", + encodeBasicHeader("restoreuser", "restoreuser") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_3\" }", + encodeBasicHeader("restoreuser", "restoreuser") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/vulcangov/vulcangov_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"$1_no_restore_4\" }", + encodeBasicHeader("restoreuser", "restoreuser") + ).getStatusCode() + ); } @Test public void testSnapshotRestore() throws Exception { - final Settings settings = Settings.builder() - .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .build(); + final Settings settings = Settings.builder().putList("path.repo", repositoryPath.getRoot().getAbsolutePath()).build(); - setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityActionGroups("action_groups_packaged.yml"), settings, true, currentClusterConfig); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setSecurityActionGroups("action_groups_packaged.yml"), + settings, + true, + currentClusterConfig + ); try (Client tc = getClient()) { - tc.index(new IndexRequest("testsnap1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new 
IndexRequest("testsnap4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("bckrepo").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/bckrepo"))).actionGet(); + tc.index(new IndexRequest("testsnap1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("bckrepo").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/bckrepo")) + ) + .actionGet(); } RestHelper rh = nonSslRestHelper(); - String putSnapshot = - "{"+ - "\"indices\": \"testsnap1\","+ - "\"ignore_unavailable\": false,"+ - "\"include_global_state\": false"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, 
rh.executePutRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"?wait_for_completion=true&pretty", putSnapshot, encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"/_restore?wait_for_completion=true&pretty","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - - putSnapshot = - "{"+ - "\"indices\": \".opendistro_security\","+ - "\"ignore_unavailable\": false,"+ - "\"include_global_state\": false"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"?wait_for_completion=true&pretty", putSnapshot, encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"/_restore?wait_for_completion=true&pretty","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - - - putSnapshot = - "{"+ - "\"indices\": \"testsnap2\","+ - "\"ignore_unavailable\": false,"+ - "\"include_global_state\": true"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"?wait_for_completion=true&pretty", putSnapshot, encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"/_restore?wait_for_completion=true&pretty","{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); + String putSnapshot = "{" + + "\"indices\": \"testsnap1\"," + + "\"ignore_unavailable\": false," + + "\"include_global_state\": false" + + "}"; + + 
Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "?wait_for_completion=true&pretty", + putSnapshot, + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "/_restore?wait_for_completion=true&pretty", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + + putSnapshot = "{" + + "\"indices\": \".opendistro_security\"," + + "\"ignore_unavailable\": false," + + "\"include_global_state\": false" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "?wait_for_completion=true&pretty", + putSnapshot, + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "/_restore?wait_for_completion=true&pretty", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + + putSnapshot = "{" + "\"indices\": \"testsnap2\"," + "\"ignore_unavailable\": false," + "\"include_global_state\": true" + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "?wait_for_completion=true&pretty", + putSnapshot, + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "/_restore?wait_for_completion=true&pretty", + "{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() 
+ ); } @Test 
@@ -297,33 +774,74 @@ public void testSnapshotRestoreSpecialIndicesPatterns() throws Exception {
 final List listOfIndexesToTest = Arrays.asList("foo", "bar", "baz");
- final Settings settings = Settings.builder()
- .putList("path.repo", repositoryPath.getRoot().getAbsolutePath())
- .build();
+ final Settings settings = Settings.builder().putList("path.repo", repositoryPath.getRoot().getAbsolutePath()).build();
- setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityActionGroups("action_groups_packaged.yml"), settings, true, currentClusterConfig);
+ setup(
+ Settings.EMPTY,
+ new DynamicSecurityConfig().setSecurityActionGroups("action_groups_packaged.yml"),
+ settings,
+ true,
+ currentClusterConfig
+ );
 try (Client tc = getClient()) {
 for (String index : listOfIndexesToTest) {
 tc.admin().indices().create(new CreateIndexRequest(index)).actionGet();
- tc.index(new IndexRequest(index).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).id("document1").source("{ \"foo\": \"bar\" }", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest(index).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)
+ .id("document1")
+ .source("{ \"foo\": \"bar\" }", XContentType.JSON)
+ ).actionGet();
 }
 }
- try (Client tc = getClient()) {
- tc.admin().cluster().putRepository(new PutRepositoryRequest("all").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all"))).actionGet();
- tc.admin().cluster().createSnapshot(new CreateSnapshotRequest("all", "all_1").indices(listOfIndexesToTest).includeGlobalState(false).waitForCompletion(true)).actionGet();
- }
+ try (Client tc = getClient()) {
+ tc.admin()
+ .cluster()
+ .putRepository(
+ new PutRepositoryRequest("all").type("fs")
+ .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/all"))
+ )
+ .actionGet();
+ tc.admin()
+ .cluster()
+ .createSnapshot(
+ new CreateSnapshotRequest("all", "all_1").indices(listOfIndexesToTest).includeGlobalState(false).waitForCompletion(true)
+ )
+ .actionGet();
+ }
 RestHelper rh = nonSslRestHelper();
- Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{\"indices\": \"b*,-bar\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"wild_first_restored_index_$1\"}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{\"indices\": \"-bar,b*\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"neg_first_restored_index_$1\"}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
- String wild_first_body = rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{\"indices\": \"b*,-bar\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"wild_first_restored_index_$1\"}", encodeBasicHeader("nagilum", "nagilum")).getBody();
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executePostRequest(
+ "_snapshot/all/all_1/_restore?wait_for_completion=true",
+ "{\"indices\": \"b*,-bar\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"wild_first_restored_index_$1\"}",
+ encodeBasicHeader("nagilum", "nagilum")
+ ).getStatusCode()
+ );
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ rh.executePostRequest(
+ "_snapshot/all/all_1/_restore?wait_for_completion=true",
+ "{\"indices\": \"-bar,b*\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"neg_first_restored_index_$1\"}",
+ encodeBasicHeader("nagilum", "nagilum")
+ ).getStatusCode()
+ );
+ String wild_first_body = rh.executePostRequest(
+ "_snapshot/all/all_1/_restore?wait_for_completion=true",
+ "{\"indices\": \"b*,-bar\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"wild_first_restored_index_$1\"}",
+ encodeBasicHeader("nagilum", "nagilum")
+ ).getBody();
 assertThat(wild_first_body, not(containsString("wild_first_restored_index_foo")));
 assertThat(wild_first_body, not(containsString("wild_first_restored_index_bar")));
 assertThat(wild_first_body, containsString("wild_first_restored_index_baz"));
- String neg_first_body = rh.executePostRequest("_snapshot/all/all_1/_restore?wait_for_completion=true","{\"indices\": \"-bar,b*\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"negate_first_restored_index_$1\"}", encodeBasicHeader("nagilum", "nagilum")).getBody();
+ String neg_first_body = rh.executePostRequest(
+ "_snapshot/all/all_1/_restore?wait_for_completion=true",
+ "{\"indices\": \"-bar,b*\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"negate_first_restored_index_$1\"}",
+ encodeBasicHeader("nagilum", "nagilum")
+ ).getBody();
 assertThat(neg_first_body, not(containsString("negate_first_restored_index_foo")));
 assertThat(neg_first_body, not(containsString("negate_first_restored_index_bar")));
 assertThat(neg_first_body, containsString("negate_first_restored_index_baz"));
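Review bot: The `b*,-bar` restore at the end of the hunk is sent twice with the same `wild_first_restored_index_$1` replacement — once for the `SC_OK` assertion and again to obtain `wild_first_body` — so the body assertions run against a second restore whose status is never checked; if that second call is rejected because the first already created `wild_first_restored_index_baz`, the error text would presumably still contain that name and `containsString` would pass anyway. The `-bar,b*` pair has the same shape, and its status-only call uses `neg_first_restored_index_$1` while the body call uses `negate_first_restored_index_$1`, so the two never exercise one and the same restore. Since this test exists to prove that the security layer honours the `-bar` exclusion, issue each restore once, keep the response, and assert both status and body on it; it would also be worth confirming afterwards that no `*_restored_index_bar` index exists in the cluster rather than relying on the response text alone. `testSnapshotRestoreSpecialIndicesPatterns` continues past the hunk.
```java
// … unchanged: settings, setup(), index creation, repository and snapshot creation …
RestHelper rh = nonSslRestHelper();
var wildFirst = rh.executePostRequest(
    "_snapshot/all/all_1/_restore?wait_for_completion=true",
    "{\"indices\": \"b*,-bar\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"wild_first_restored_index_$1\"}",
    encodeBasicHeader("nagilum", "nagilum")
);
Assert.assertEquals(HttpStatus.SC_OK, wildFirst.getStatusCode());
String wild_first_body = wildFirst.getBody();
assertThat(wild_first_body, not(containsString("wild_first_restored_index_foo")));
assertThat(wild_first_body, not(containsString("wild_first_restored_index_bar")));
assertThat(wild_first_body, containsString("wild_first_restored_index_baz"));
// … same pattern for the "-bar,b*" request with negate_first_restored_index_$1, then the existing neg_first_body assertions …
```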
@@ -333,52 +851,105 @@ public void testSnapshotRestoreSpecialIndicesPatterns() throws Exception { public void testNoSnapshotRestore() throws Exception { final Settings settings = Settings.builder() - .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("plugins.security.enable_snapshot_restore_privilege", false) - .build(); - - setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityActionGroups("action_groups_packaged.yml"), settings, true, currentClusterConfig); + .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) + .put("plugins.security.enable_snapshot_restore_privilege", false) + .build(); + + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setSecurityActionGroups("action_groups_packaged.yml"), + settings, + true, + currentClusterConfig + ); try (Client tc = getClient()) { - tc.index(new IndexRequest("testsnap1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("testsnap6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().cluster().putRepository(new PutRepositoryRequest("bckrepo").type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/bckrepo"))).actionGet(); + tc.index(new IndexRequest("testsnap1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", 
XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap3").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap5").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("testsnap6").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest("bckrepo").type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/bckrepo")) + ) + .actionGet(); } RestHelper rh = nonSslRestHelper(); - String putSnapshot = - "{"+ - "\"indices\": \"testsnap1\","+ - "\"ignore_unavailable\": false,"+ - "\"include_global_state\": false"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"?wait_for_completion=true&pretty", putSnapshot, encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"/_restore?wait_for_completion=true&pretty","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - - putSnapshot = - "{"+ - "\"indices\": \".opendistro_security\","+ - "\"ignore_unavailable\": false,"+ - "\"include_global_state\": false"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"?wait_for_completion=true&pretty", putSnapshot, 
encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"/_restore?wait_for_completion=true&pretty","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - - putSnapshot = - "{"+ - "\"indices\": \"testsnap2\","+ - "\"ignore_unavailable\": false,"+ - "\"include_global_state\": true"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, rh.executePutRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"?wait_for_completion=true&pretty", putSnapshot, encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executePostRequest("_snapshot/bckrepo/"+putSnapshot.hashCode()+"/_restore?wait_for_completion=true&pretty","{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", encodeBasicHeader("snapresuser", "nagilum")).getStatusCode()); + String putSnapshot = "{" + + "\"indices\": \"testsnap1\"," + + "\"ignore_unavailable\": false," + + "\"include_global_state\": false" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "?wait_for_completion=true&pretty", + putSnapshot, + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "/_restore?wait_for_completion=true&pretty", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + + putSnapshot = "{" + + "\"indices\": \".opendistro_security\"," + + "\"ignore_unavailable\": false," + + "\"include_global_state\": false" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest( + 
"_snapshot/bckrepo/" + putSnapshot.hashCode() + "?wait_for_completion=true&pretty", + putSnapshot, + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "/_restore?wait_for_completion=true&pretty", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + + putSnapshot = "{" + "\"indices\": \"testsnap2\"," + "\"ignore_unavailable\": false," + "\"include_global_state\": true" + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "?wait_for_completion=true&pretty", + putSnapshot, + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + rh.executePostRequest( + "_snapshot/bckrepo/" + putSnapshot.hashCode() + "/_restore?wait_for_completion=true&pretty", + "{ \"include_global_state\": true, \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }", + encodeBasicHeader("snapresuser", "nagilum") + ).getStatusCode() + ); } } diff --git a/src/test/java/org/opensearch/security/SystemIntegratorsTests.java b/src/test/java/org/opensearch/security/SystemIntegratorsTests.java index 6ccc11104a..8d287dd8a3 100644 --- a/src/test/java/org/opensearch/security/SystemIntegratorsTests.java +++ b/src/test/java/org/opensearch/security/SystemIntegratorsTests.java 
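Review bot: The PUT-snapshot / POST-restore pair is written out three times in testNoSnapshotRestore with only the snapshot body and the restore body varying, so a helper would make the three privilege cases read as a list; the method starts inside this hunk and ends at the closing brace here. The snapshot name `"_snapshot/bckrepo/" + putSnapshot.hashCode()` also depends on `String.hashCode()`, which can be negative and says nothing about the case being exercised; a descriptive name per case such as `"nosnaprestore_security_index"` would be clearer. Only the 403 status is asserted on the restore calls, so the test cannot tell a refusal caused by `plugins.security.enable_snapshot_restore_privilege` being false from any other authorization failure; if the response body carries a message for this case it would be worth asserting on it too.
```java
    // Creating a snapshot is allowed for snapresuser, restoring it is not while
    // plugins.security.enable_snapshot_restore_privilege is false.
    private void assertSnapshotAllowedButRestoreForbidden(RestHelper rh, String snapshotName, String putSnapshot, String restoreBody) {
        Assert.assertEquals(
            HttpStatus.SC_OK,
            rh.executePutRequest(
                "_snapshot/bckrepo/" + snapshotName + "?wait_for_completion=true&pretty",
                putSnapshot,
                encodeBasicHeader("snapresuser", "nagilum")
            ).getStatusCode()
        );
        Assert.assertEquals(
            HttpStatus.SC_FORBIDDEN,
            rh.executePostRequest(
                "_snapshot/bckrepo/" + snapshotName + "/_restore?wait_for_completion=true&pretty",
                restoreBody,
                encodeBasicHeader("snapresuser", "nagilum")
            ).getStatusCode()
        );
    }
    // … unchanged: setup, index creation and repository registration …
    // in testNoSnapshotRestore, one call per case, e.g.
    assertSnapshotAllowedButRestoreForbidden(
        rh,
        "nosnaprestore_testsnap1",
        putSnapshot,
        "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_$1\" }"
    );
```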
@@ -45,9 +45,9 @@ public class SystemIntegratorsTests extends SingleClusterTest {
     public void testInjectedUserMalformed() throws Exception {
 
         final Settings settings = Settings.builder()
-            .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
-            .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport")
-            .build();
+            .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
+            .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport")
+            .build();
 
         setup(settings, ClusterConfiguration.USERINJECTOR);
 
@@ -56,31 +56,58 @@ public void testInjectedUserMalformed() throws Exception { HttpResponse resc; - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, null)); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, null) + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "|||")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "|||") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "||127.0.0:80|")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "||127.0.0:80|") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip|")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip|") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip:port|")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip:port|") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = 
rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip:80|")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip:80|") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||127.0.x:80|")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||127.0.x:80|") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||127.0.0:80|key1,value1,key2")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||127.0.0:80|key1,value1,key2") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "||127.0.0:80|key1,value1,key2,value2")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "||127.0.0:80|key1,value1,key2,value2") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); } 
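Review bot: The nine malformed-header cases in testInjectedUserMalformed each repeat the same request/assert pair and the assertions carry no message, so a failure would not say which header value was accepted; a loop over the values with the value in the assertion message would fix both (the `null` case stays as its own pair since it cannot sit in an array literal with the others). The header format is not documented in the test either; from the positive cases later in this file it is `name|backend_roles|remote_address|custom_attributes|tenant`, so a comment naming which field each malformed value breaks would help the next reader — e.g. `// "username||ip:port|": remote address must be a literal host:port`. A precise failure message matters here because every one of these values is an identity assertion the cluster must refuse, and a regression in any single field is what this test exists to catch. The method starts before this hunk.
```java
        // name|backend_roles|remote_address|custom_attributes|tenant — every value below is
        // missing or malformed in at least one field and must be rejected
        for (String injected : new String[] {
            "|||",
            "||127.0.0:80|",
            "username||ip|",
            "username||ip:port|",
            "username||ip:80|",
            "username||127.0.x:80|",
            "username||127.0.0:80|key1,value1,key2",
            "||127.0.0:80|key1,value1,key2,value2" }) {
            resc = rh.executeGetRequest(
                "_opendistro/_security/authinfo",
                new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, injected)
            );
            Assert.assertEquals("header value: " + injected, HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode());
        }
```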
@@ -89,9 +116,9 @@ public void testInjectedUserMalformed() throws Exception {
     public void testInjectedUser() throws Exception {
 
         final Settings settings = Settings.builder()
-            .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
-            .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport")
-            .build();
+            .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
+            .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport")
+            .build();
 
         setup(settings, ClusterConfiguration.USERINJECTOR);
 
@@ -100,21 +127,30 @@ public void testInjectedUser() throws Exception { HttpResponse resc; - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin||127.0.0:80|")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin||127.0.0:80|") + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[], requestedTenant=null]")); Assert.assertTrue(resc.getBody().contains("\"remote_address\":\"127.0.0.0:80\"")); Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1") + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[role1], requestedTenant=null]")); Assert.assertTrue(resc.getBody().contains("\"remote_address\":\"127.0.0.0:80\"")); Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[\"role1\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1,role2||key1,value1")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1,role2||key1,value1") + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); 
Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[role1, role2], requestedTenant=null]")); // remote IP is assigned by XFFResolver @@ -122,7 +158,10 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[\"role1\",\"role2\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1,role2|8.8.8.8:8|key1,value1,key2,value2")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1,role2|8.8.8.8:8|key1,value1,key2,value2") + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[role1, role2], requestedTenant=null]")); // remote IP is assigned by XFFResolver @@ -130,7 +169,10 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[\"role1\",\"role2\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "nagilum|role1,role2|8.8.8.8:8|key1,value1,key2,value2")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "nagilum|role1,role2|8.8.8.8:8|key1,value1,key2,value2") + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=nagilum, backend_roles=[role1, role2], requestedTenant=null]")); // remote IP is assigned by XFFResolver 
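Review bot: The `Assert.assertTrue(resc.getBody().contains(...))` checks in this hunk, and in the `@@ -122`, `@@ -130`, `@@ -140` and `@@ -151` hunks that follow, pass no message, so a failure reports a bare `AssertionError` with no hint of which substring was missing or what the body contained. The `Assert.assertTrue(resc.getBody(), resc.getBody().contains(...))` form already used once in the `@@ -161` hunk is the one to use throughout, e.g. `Assert.assertTrue(resc.getBody(), resc.getBody().contains("\"backend_roles\":[]"));`. testInjectedUser starts before this hunk and continues after it.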
@@ -140,7 +182,10 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"roles\":[\"opendistro_security_all_access\"")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2") + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=null]")); // remote IP is assigned by XFFResolver @@ -151,7 +196,13 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); // add requested tenant - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader( + ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, + "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|" + ) + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=null]")); // remote IP is assigned by XFFResolver 
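Review bot: The comment `// add requested tenant` in the `@@ -151` hunk sits on a header whose fifth field is empty (`...key1,value1,key2,value2|`), and the assertion two lines below still expects `requestedTenant=null`, so the comment describes the next case rather than this one; `// trailing tenant separator with an empty tenant still yields requestedTenant=null` would match what is asserted. The case that actually supplies a tenant is the `...|mytenant` header in the following hunk. testInjectedUser continues outside this hunk.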
@@ -161,7 +212,13 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody(), resc.getBody().contains("\"roles\":[\"public\",\"role_vulcans_admin\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|mytenant")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader( + ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, + "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|mytenant" + ) + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=mytenant]")); // remote IP is assigned by XFFResolver 
@@ -171,24 +228,29 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"roles\":[\"public\",\"role_vulcans_admin\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8||mytenant with whitespace")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader( + ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, + "myuser|role1,vulcanadmin|8.8.8.8:8||mytenant with whitespace" + ) + ); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=mytenant with whitespace]")); + Assert.assertTrue( + resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=mytenant with whitespace]") + ); // remote IP is assigned by XFFResolver Assert.assertTrue(resc.getBody().contains("\"remote_address\":\"8.8.8.8:8\"")); Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[\"role1\",\"vulcanadmin\"]")); // mapped by backend role "twitter" Assert.assertTrue(resc.getBody().contains("\"roles\":[\"public\",\"role_vulcans_admin\"]")); - } @Test public void testInjectedUserDisabled() throws Exception { - final Settings settings = Settings.builder() - .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport") - .build(); + final Settings settings = Settings.builder().put("http.type", "org.opensearch.security.http.UserInjectingServerTransport").build(); setup(settings, ClusterConfiguration.USERINJECTOR); 
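Review bot: The comment `// mapped by backend role "twitter"` above the `"roles":["public","role_vulcans_admin"]` assertion names a backend role that does not appear in the injected header (`role1,vulcanadmin`), so it looks stale or copied from another test; if the mapping comes from `vulcanadmin`, `// role_vulcans_admin is mapped from backend role "vulcanadmin"` would match the assertion — worth confirming against the test roles mapping before changing it. testInjectedUser starts before this hunk; testInjectedUserDisabled starts here and continues into the next hunk.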
@@ -197,46 +259,61 @@ public void testInjectedUserDisabled() throws Exception { HttpResponse resc; - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1")); + resc = rh.executeGetRequest( + "_opendistro/_security/authinfo", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1") + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); } - @Test - public void testInjectedAdminUser() throws Exception { - - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) - .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, true) - .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE","injectedadmin")) - .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport") - .build(); + @Test + public void testInjectedAdminUser() throws Exception { - setup(settings, ClusterConfiguration.USERINJECTOR); + final Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, true) + .putList( + ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, + Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE", "injectedadmin") + ) + .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport") + .build(); - final RestHelper rh = nonSslRestHelper(); - HttpResponse resc; + setup(settings, ClusterConfiguration.USERINJECTOR); - // injected user is admin, access to Security index must be allowed - resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1")); - Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); - 
Assert.assertTrue(resc.getBody().contains("\"_id\" : \"config\"")); - Assert.assertTrue(resc.getBody().contains("\"_id\" : \"roles\"")); - Assert.assertTrue(resc.getBody().contains("\"_id\" : \"internalusers\"")); - Assert.assertTrue(resc.getBody().contains("\"total\" : 5")); + final RestHelper rh = nonSslRestHelper(); + HttpResponse resc; - resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "wrongadmin|role1|127.0.0:80|key1,value1")); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); + // injected user is admin, access to Security index must be allowed + resc = rh.executeGetRequest( + ".opendistro_security/_search?pretty", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1") + ); + Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); + Assert.assertTrue(resc.getBody().contains("\"_id\" : \"config\"")); + Assert.assertTrue(resc.getBody().contains("\"_id\" : \"roles\"")); + Assert.assertTrue(resc.getBody().contains("\"_id\" : \"internalusers\"")); + Assert.assertTrue(resc.getBody().contains("\"total\" : 5")); + + resc = rh.executeGetRequest( + ".opendistro_security/_search?pretty", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "wrongadmin|role1|127.0.0:80|key1,value1") + ); + Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); - } + } @Test public void testInjectedAdminUserAdminInjectionDisabled() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) - .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE","injectedadmin")) - .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport") - .build(); + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) + .putList( + 
ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, + Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE", "injectedadmin") + ) + .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport") + .build(); setup(settings, ClusterConfiguration.USERINJECTOR); @@ -244,7 +321,10 @@ public void testInjectedAdminUserAdminInjectionDisabled() throws Exception { HttpResponse resc; // injected user is admin, access to Security index must be allowed - resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1")); + resc = rh.executeGetRequest( + ".opendistro_security/_search?pretty", + new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode()); Assert.assertFalse(resc.getBody().contains("\"_id\" : \"config\"")); Assert.assertFalse(resc.getBody().contains("\"_id\" : \"roles\"")); diff --git a/src/test/java/org/opensearch/security/TaskTests.java b/src/test/java/org/opensearch/security/TaskTests.java index 3a86b7e2bf..784f5c7418 100644 --- a/src/test/java/org/opensearch/security/TaskTests.java +++ b/src/test/java/org/opensearch/security/TaskTests.java 
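Review bot: testInjectedAdminUser relies on `"injectedadmin"` being one of the `SECURITY_AUTHCZ_ADMIN_DN` entries, which is what makes the positive case succeed and the `wrongadmin` case return 403, but nothing in the test says so; a comment on the `.putList(...)` call such as `// a bare user name in admin_dn lets an injected user of that name act as admin; the next test shows this also needs INJECT_ADMIN_USER_ENABLED` would make the contract under test explicit. The `"total" : 5` assertion on the pretty-printed `.opendistro_security` search also pins the number of configuration documents, which moves whenever a config type is added; the `_id` checks already present are enough for the admin-access claim. testInjectedAdminUserAdminInjectionDisabled starts at the end of this hunk and continues past it.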
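Review bot: The comment `// injected user is admin, access to Security index must be allowed` in the `@@ -244` hunk was carried over from testInjectedAdminUser, but this test leaves `SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED` unset and asserts `HttpStatus.SC_FORBIDDEN`, so the comment states the opposite of what is checked; `// admin injection is disabled, so even a name listed in admin_dn must not reach the Security index` matches the assertion. testInjectedAdminUserAdminInjectionDisabled starts before this hunk and continues past it.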
@@ -37,9 +37,14 @@ public void testXOpaqueIdHeader() throws Exception { RestHelper rh = nonSslRestHelper(); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("_tasks?group_by=parents&pretty" - , encodeBasicHeader("nagilum", "nagilum") - , new BasicHeader(Task.X_OPAQUE_ID, "myOpaqueId12"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest( + "_tasks?group_by=parents&pretty", + encodeBasicHeader("nagilum", "nagilum"), + new BasicHeader(Task.X_OPAQUE_ID, "myOpaqueId12") + )).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().split("X-Opaque-Id").length > 2); Assert.assertTrue(!res.getBody().contains("failures")); diff --git a/src/test/java/org/opensearch/security/TracingTests.java b/src/test/java/org/opensearch/security/TracingTests.java index 10372cf73b..2fefd33155 100644 --- a/src/test/java/org/opensearch/security/TracingTests.java +++ b/src/test/java/org/opensearch/security/TracingTests.java 
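Review bot: `Assert.assertTrue(!res.getBody().contains("failures"))` at the end of the hunk is the negated form of `Assert.assertFalse(res.getBody(), res.getBody().contains("failures"))`, which reads directly and also reports the body on failure. `System.out.println(res.getBody())` two lines above dumps the whole task listing into the test output on every run, which is noise once the test is green and belongs behind a logger or removed. testXOpaqueIdHeader starts before this hunk.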
@@ -56,10 +56,22 @@ public void testAdvancedMapping() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig(), Settings.EMPTY, true, ClusterConfiguration.DEFAULT); try (Client tc = getClient()) { - tc.admin().indices().create(new CreateIndexRequest("myindex1").mapping(FileHelper.loadFile("mapping1.json"), XContentType.JSON)).actionGet(); - tc.admin().indices().create(new CreateIndexRequest("myindex2").mapping(FileHelper.loadFile("mapping2.json"), XContentType.JSON)).actionGet(); - tc.admin().indices().create(new CreateIndexRequest("myindex3").mapping(FileHelper.loadFile("mapping3.json"), XContentType.JSON)).actionGet(); - tc.admin().indices().create(new CreateIndexRequest("myindex4").mapping(FileHelper.loadFile("mapping4.json"), XContentType.JSON)).actionGet(); + tc.admin() + .indices() + .create(new CreateIndexRequest("myindex1").mapping(FileHelper.loadFile("mapping1.json"), XContentType.JSON)) + .actionGet(); + tc.admin() + .indices() + .create(new CreateIndexRequest("myindex2").mapping(FileHelper.loadFile("mapping2.json"), XContentType.JSON)) + .actionGet(); + tc.admin() + .indices() + .create(new CreateIndexRequest("myindex3").mapping(FileHelper.loadFile("mapping3.json"), XContentType.JSON)) + .actionGet(); + tc.admin() + .indices() + .create(new CreateIndexRequest("myindex4").mapping(FileHelper.loadFile("mapping4.json"), XContentType.JSON)) + .actionGet(); } RestHelper rh = nonSslRestHelper(); 
@@ -94,69 +106,154 @@ public void testHTTPTraceNoSource() throws Exception {
 tc.admin().indices().create(new CreateIndexRequest("test")).actionGet();
 tc.admin().indices().create(new CreateIndexRequest("u")).actionGet();
- tc.admin().indices().putMapping(new PutMappingRequest("a")
- .source("_source","enabled=false","content","store=true,type=text","field1","store=true,type=text", "field2","store=true,type=text", "a","store=true,type=text", "b","store=true,type=text", "my.nested.field","store=true,type=text")
- ).actionGet();
-
- tc.admin().indices().putMapping(new PutMappingRequest("c")
- .source("_source","enabled=false","content","store=true,type=text","field1","store=true,type=text", "field2","store=true,type=text", "a","store=true,type=text", "b","store=true,type=text", "my.nested.field","store=true,type=text")
- ).actionGet();
-
- tc.admin().indices().putMapping(new PutMappingRequest("test")
- .source("_source","enabled=false","content","store=true,type=text","field1","store=true,type=text", "field2","store=true,type=text", "a","store=true,type=text", "b","store=true,type=text", "my.nested.field","store=true,type=text")
- ).actionGet();
-
- tc.admin().indices().putMapping(new PutMappingRequest("u")
- .source("_source","enabled=false","content","store=true,type=text","field1","store=true,type=text", "field2","store=true,type=text", "a","store=true,type=text", "b","store=true,type=text", "my.nested.field","store=true,type=text")
- ).actionGet();
-
- for(int i=0; i<50;i++) {
- tc.index(new IndexRequest("a").id(i+"").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":"+i+"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("c").id(i+"").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":"+i+"}", XContentType.JSON)).actionGet();
+ tc.admin()
+ .indices()
+ .putMapping(
+ new PutMappingRequest("a").source(
+ "_source",
+ "enabled=false",
+ "content",
+ "store=true,type=text",
+ "field1",
+ "store=true,type=text",
+ "field2",
+ "store=true,type=text",
+ "a",
+ "store=true,type=text",
+ "b",
+ "store=true,type=text",
+ "my.nested.field",
+ "store=true,type=text"
+ )
+ )
+ .actionGet();
+
+ tc.admin()
+ .indices()
+ .putMapping(
+ new PutMappingRequest("c").source(
+ "_source",
+ "enabled=false",
+ "content",
+ "store=true,type=text",
+ "field1",
+ "store=true,type=text",
+ "field2",
+ "store=true,type=text",
+ "a",
+ "store=true,type=text",
+ "b",
+ "store=true,type=text",
+ "my.nested.field",
+ "store=true,type=text"
+ )
+ )
+ .actionGet();
+
+ tc.admin()
+ .indices()
+ .putMapping(
+ new PutMappingRequest("test").source(
+ "_source",
+ "enabled=false",
+ "content",
+ "store=true,type=text",
+ "field1",
+ "store=true,type=text",
+ "field2",
+ "store=true,type=text",
+ "a",
+ "store=true,type=text",
+ "b",
+ "store=true,type=text",
+ "my.nested.field",
+ "store=true,type=text"
+ )
+ )
+ .actionGet();
+
+ tc.admin()
+ .indices()
+ .putMapping(
+ new PutMappingRequest("u").source(
+ "_source",
+ "enabled=false",
+ "content",
+ "store=true,type=text",
+ "field1",
+ "store=true,type=text",
+ "field2",
+ "store=true,type=text",
+ "a",
+ "store=true,type=text",
+ "b",
+ "store=true,type=text",
+ "my.nested.field",
+ "store=true,type=text"
+ )
+ )
+ .actionGet();
+
+ for (int i = 0; i < 50; i++) {
+ tc.index(
+ new IndexRequest("a").id(i + "")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"content\":" + i + "}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("c").id(i + "")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"content\":" + i + "}", XContentType.JSON)
+ ).actionGet();
 }
 }
- //setup complex mapping with parent child and nested fields
-
+ // setup complex mapping with parent child and nested fields
 RestHelper rh = nonSslRestHelper();
 System.out.println("############ check shards");
 System.out.println(rh.executeGetRequest("_cat/shards?v", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ _bulk");
- String bulkBody =
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+
- "{ \"field1\" : \"value1\" }" +System.lineSeparator()+
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+
- "{ \"field2\" : \"value2\" }"+System.lineSeparator()+
- "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator();
+ String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"
+ + System.lineSeparator()
+ + "{ \"field1\" : \"value1\" }"
+ + System.lineSeparator()
+ + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator()
+ + "{ \"field2\" : \"value2\" }"
+ + System.lineSeparator()
+ + "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator();
 System.out.println(rh.executePostRequest("_bulk?refresh=true", bulkBody, encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ _bulk");
- bulkBody =
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+
- "{ \"field1\" : \"value1\" }" +System.lineSeparator()+
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+
- "{ \"field2\" : \"value2\" }"+System.lineSeparator()+
- "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator();
+ bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"
+ + System.lineSeparator()
+ + "{ \"field1\" : \"value1\" }"
+ + System.lineSeparator()
+ + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator()
+ + "{ \"field2\" : \"value2\" }"
+ + System.lineSeparator()
+ + "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator();
 System.out.println(rh.executePostRequest("_bulk?refresh=true", bulkBody, encodeBasicHeader("nagilum", "nagilum")));
-
 System.out.println("############ cat indices");
- //cluster:monitor/state
- //cluster:monitor/health
- //indices:monitor/stats
+ // cluster:monitor/state
+ // cluster:monitor/health
+ // indices:monitor/stats
 System.out.println(rh.executeGetRequest("_cat/indices", encodeBasicHeader("nagilum", "nagilum")));
-
 System.out.println("############ _search");
- //indices:data/read/search
+ // indices:data/read/search
 System.out.println(rh.executeGetRequest("_search", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ get 1");
- //indices:data/read/get
+ // indices:data/read/get
 System.out.println(rh.executeGetRequest("a/b/1", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ get 5");
 System.out.println(rh.executeGetRequest("a/b/5", encodeBasicHeader("nagilum", "nagilum")));
@@ -164,71 +261,68 @@ public void testHTTPTraceNoSource() throws Exception {
 System.out.println(rh.executeGetRequest("a/b/17", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ index (+create index)");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executePostRequest("u/b/1?refresh=true", "{}",encodeBasicHeader("nagilum", "nagilum")));
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(rh.executePostRequest("u/b/1?refresh=true", "{}", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ index only");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executePostRequest("u/b/2?refresh=true", "{}",encodeBasicHeader("nagilum", "nagilum")));
-
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(rh.executePostRequest("u/b/2?refresh=true", "{}", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ delete");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executeDeleteRequest("u/b/2?refresh=true",encodeBasicHeader("nagilum", "nagilum")));
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(rh.executeDeleteRequest("u/b/2?refresh=true", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ msearch");
- String msearchBody =
- "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"+System.lineSeparator()+
- "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+
- "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"+System.lineSeparator()+
- "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+
- "{\"index\":\"public\", \"ignore_unavailable\": true}"+System.lineSeparator()+
- "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator();
-
+ String msearchBody = "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"
+ + System.lineSeparator()
+ + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"
+ + System.lineSeparator()
+ + "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"
+ + System.lineSeparator()
+ + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"
+ + System.lineSeparator()
+ + "{\"index\":\"public\", \"ignore_unavailable\": true}"
+ + System.lineSeparator()
+ + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"
+ + System.lineSeparator();
 System.out.println(rh.executePostRequest("_msearch", msearchBody, encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ mget");
- String mgetBody = "{"+
- "\"docs\" : ["+
- "{"+
- "\"_index\" : \"a\","+
- "\"_id\" : \"1\""+
- " },"+
- " {"+
- "\"_index\" : \"a\","+
- " \"_id\" : \"12\""+
- "},"+
- " {"+
- "\"_index\" : \"a\","+
- " \"_id\" : \"13\""+
- "},"+" {"+
- "\"_index\" : \"a\","+
- " \"_id\" : \"14\""+
- "}"+
- "]"+
- "}";
+ String mgetBody = "{"
+ + "\"docs\" : ["
+ + "{"
+ + "\"_index\" : \"a\","
+ + "\"_id\" : \"1\""
+ + " },"
+ + " {"
+ + "\"_index\" : \"a\","
+ + " \"_id\" : \"12\""
+ + "},"
+ + " {"
+ + "\"_index\" : \"a\","
+ + " \"_id\" : \"13\""
+ + "},"
+ + " {"
+ + "\"_index\" : \"a\","
+ + " \"_id\" : \"14\""
+ + "}"
+ + "]"
+ + "}";
 System.out.println(rh.executePostRequest("_mget?refresh=true", mgetBody, encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ delete by query");
- String dbqBody = "{"+
- ""+
- " \"query\": { "+
- " \"match\": {"+
- " \"content\": 12"+
- " }"+
- " }"+
- "}";
+ String dbqBody = "{" + "" + " \"query\": { " + " \"match\": {" + " \"content\": 12" + " }" + " }" + "}";
 System.out.println(rh.executePostRequest("a/b/_delete_by_query", dbqBody, encodeBasicHeader("nagilum", "nagilum")));
@@ -237,28 +331,56 @@ public void testHTTPTraceNoSource() throws Exception {
 @Test
 public void testHTTPSingle() throws Exception {
- final Settings settings = Settings.builder()
- .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
+ final Settings settings = Settings.builder()
+ .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".worf", "knuddel", "nonexists")
 .build();
- setup(settings);
- final RestHelper rh = nonSslRestHelper();
+ setup(settings);
+ final RestHelper rh = nonSslRestHelper();
 try (Client tc = getClient()) {
 tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet();
- tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
+ tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON))
+ .actionGet();
+ tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON))
+ .actionGet();
+ tc.index(
+ new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)
+ ).actionGet();
+ tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON))
+ .actionGet();
+
+ tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON))
+ .actionGet();
+ tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON))
+ .actionGet();
+ tc.index(
+ new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)
+ ).actionGet();
- tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet();
- tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet();
- tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))).actionGet();
+ tc.admin()
+ .indices()
+ .aliases(
+ new IndicesAliasesRequest().addAliasAction(
+ AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf")
+ )
+ )
+ .actionGet();
+ tc.admin()
+ .indices()
+ .aliases(
+ new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf"))
+ )
+ .actionGet();
+ tc.admin()
+ .indices()
+ .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted")))
+ .actionGet();
 }
@@ -275,16 +397,24 @@ public void testHTTPSingle() throws Exception {
 System.out.println("########end pause2");
 System.out.println("############ _bulk");
- String bulkBody =
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+
- "{ \"field1\" : \"value1\" }" +System.lineSeparator()+
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+
- "{ \"field2\" : \"value2\" }"+System.lineSeparator()+
- "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+
- "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"1\" } }"+System.lineSeparator()+
- "{ \"field1\" : \"value1\" }" +System.lineSeparator()+
- "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"1\" } }"+System.lineSeparator()+
- "{ \"field1\" : \"value1\" }" +System.lineSeparator();
+ String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"
+ + System.lineSeparator()
+ + "{ \"field1\" : \"value1\" }"
+ + System.lineSeparator()
+ + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator()
+ + "{ \"field2\" : \"value2\" }"
+ + System.lineSeparator()
+ + "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator()
+ + "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"1\" } }"
+ + System.lineSeparator()
+ + "{ \"field1\" : \"value1\" }"
+ + System.lineSeparator()
+ + "{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"1\" } }"
+ + System.lineSeparator()
+ + "{ \"field1\" : \"value1\" }"
+ + System.lineSeparator();
 System.out.println(rh.executePostRequest("_bulk?refresh=true", bulkBody, encodeBasicHeader("nagilum", "nagilum")).getBody());
 System.out.println("############ _end");
@@ -293,33 +423,42 @@ public void testHTTPSingle() throws Exception {
 @Test
 public void testSearchScroll() throws Exception {
- final Settings settings = Settings.builder()
- .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
+ final Settings settings = Settings.builder()
+ .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".worf", "knuddel", "nonexists")
 .build();
- setup(settings);
- final RestHelper rh = nonSslRestHelper();
+ setup(settings);
+ final RestHelper rh = nonSslRestHelper();
 try (Client tc = getClient()) {
- for(int i=0; i<3; i++)
- tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
+ for (int i = 0; i < 3; i++)
+ tc.index(
+ new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)
+ ).actionGet();
 }
-
 System.out.println("########search");
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 int start = res.getBody().indexOf("_scroll_id") + 15;
- String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start+1));
+ String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start + 1));
 System.out.println(scrollid);
 System.out.println("########search scroll");
- Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executePostRequest("/_search/scroll?pretty=true", "{\"scroll_id\" : \""+scrollid+"\"}", encodeBasicHeader("nagilum", "nagilum"))).getStatusCode());
-
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest(
+ "/_search/scroll?pretty=true",
+ "{\"scroll_id\" : \"" + scrollid + "\"}",
+ encodeBasicHeader("nagilum", "nagilum")
+ )).getStatusCode()
+ );
 System.out.println("########search done");
-
 }
 @Test
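Review bot: The brace-less `for` in testSearchScroll now carries a three-line body (`tc.index(` … `).actionGet();`), so the loop's extent is conveyed only by indentation; I'd wrap it as `for (int i = 0; i < 3; i++) {` … `}`. The same layout appears in the TransportUserInjectorIntegTest hunk of this patch, where `if (injectedUser != null) threadPool.getThreadContext()` continues with `.putTransient(...)` on the following line; since that guard decides whether a user is injected into the thread context at all, explicit braces around the body are worth the extra lines there too. Both are formatter output rather than logic changes, so behavior is unaffected; testSearchScroll's enclosing class starts outside the hunk.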
@@ -329,53 +468,64 @@ public void testHTTPTrace() throws Exception {
 try (Client tc = getClient()) {
- for(int i=0; i<50;i++) {
- tc.index(new IndexRequest("a").id(i+"").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":"+i+"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("c").id(i+"").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":"+i+"}", XContentType.JSON)).actionGet();
+ for (int i = 0; i < 50; i++) {
+ tc.index(
+ new IndexRequest("a").id(i + "")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"content\":" + i + "}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("c").id(i + "")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"content\":" + i + "}", XContentType.JSON)
+ ).actionGet();
 }
 }
-
-
-
 RestHelper rh = nonSslRestHelper();
 System.out.println("############ check shards");
 System.out.println(rh.executeGetRequest("_cat/shards?v", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ _bulk");
- String bulkBody =
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+
- "{ \"field1\" : \"value1\" }" +System.lineSeparator()+
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+
- "{ \"field2\" : \"value2\" }"+System.lineSeparator()+
- "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator();
+ String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"
+ + System.lineSeparator()
+ + "{ \"field1\" : \"value1\" }"
+ + System.lineSeparator()
+ + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator()
+ + "{ \"field2\" : \"value2\" }"
+ + System.lineSeparator()
+ + "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator();
 System.out.println(rh.executePostRequest("_bulk?refresh=true", bulkBody, encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ _bulk");
- bulkBody =
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+
- "{ \"field1\" : \"value1\" }" +System.lineSeparator()+
- "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator()+
- "{ \"field2\" : \"value2\" }"+System.lineSeparator()+
- "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"+System.lineSeparator();
+ bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"
+ + System.lineSeparator()
+ + "{ \"field1\" : \"value1\" }"
+ + System.lineSeparator()
+ + "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator()
+ + "{ \"field2\" : \"value2\" }"
+ + System.lineSeparator()
+ + "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }"
+ + System.lineSeparator();
 System.out.println(rh.executePostRequest("_bulk?refresh=true", bulkBody, encodeBasicHeader("nagilum", "nagilum")));
-
 System.out.println("############ cat indices");
- //cluster:monitor/state
- //cluster:monitor/health
- //indices:monitor/stats
+ // cluster:monitor/state
+ // cluster:monitor/health
+ // indices:monitor/stats
 System.out.println(rh.executeGetRequest("_cat/indices", encodeBasicHeader("nagilum", "nagilum")));
-
 System.out.println("############ _search");
- //indices:data/read/search
+ // indices:data/read/search
 System.out.println(rh.executeGetRequest("_search", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ get 1");
- //indices:data/read/get
+ // indices:data/read/get
 System.out.println(rh.executeGetRequest("a/b/1", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ get 5");
 System.out.println(rh.executeGetRequest("a/b/5", encodeBasicHeader("nagilum", "nagilum")));
@@ -383,106 +533,107 @@ public void testHTTPTrace() throws Exception {
 System.out.println(rh.executeGetRequest("a/b/17", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ index (+create index)");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executePostRequest("u/b/1?refresh=true", "{}",encodeBasicHeader("nagilum", "nagilum")));
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(rh.executePostRequest("u/b/1?refresh=true", "{}", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ index only");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executePostRequest("u/b/2?refresh=true", "{}",encodeBasicHeader("nagilum", "nagilum")));
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(rh.executePostRequest("u/b/2?refresh=true", "{}", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ update");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executePostRequest("u/b/2/_update?refresh=true", "{\"doc\" : {\"a\":1}}",encodeBasicHeader("nagilum", "nagilum")));
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(
+ rh.executePostRequest("u/b/2/_update?refresh=true", "{\"doc\" : {\"a\":1}}", encodeBasicHeader("nagilum", "nagilum"))
+ );
 System.out.println("############ update2");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executePostRequest("u/b/2/_update?refresh=true", "{\"doc\" : {\"a\":44, \"b\":55}}",encodeBasicHeader("nagilum", "nagilum")));
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(
+ rh.executePostRequest("u/b/2/_update?refresh=true", "{\"doc\" : {\"a\":44, \"b\":55}}", encodeBasicHeader("nagilum", "nagilum"))
+ );
 System.out.println("############ update3");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executePostRequest("u/b/2/_update?refresh=true", "{\"doc\" : {\"b\":66}}",encodeBasicHeader("nagilum", "nagilum")));
-
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(
+ rh.executePostRequest("u/b/2/_update?refresh=true", "{\"doc\" : {\"b\":66}}", encodeBasicHeader("nagilum", "nagilum"))
+ );
 System.out.println("############ delete");
- //indices:data/write/index
- //indices:data/write/bulk
- //indices:admin/create
- //indices:data/write/bulk[s]
- System.out.println(rh.executeDeleteRequest("u/b/2?refresh=true",encodeBasicHeader("nagilum", "nagilum")));
+ // indices:data/write/index
+ // indices:data/write/bulk
+ // indices:admin/create
+ // indices:data/write/bulk[s]
+ System.out.println(rh.executeDeleteRequest("u/b/2?refresh=true", encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ reindex");
- String reindex =
- "{"+
- " \"source\": {"+
- " \"index\": \"a\""+
- " },"+
- " \"dest\": {"+
- " \"index\": \"new_a\""+
- " }"+
- "}";
+ String reindex = "{"
+ + " \"source\": {"
+ + " \"index\": \"a\""
+ + " },"
+ + " \"dest\": {"
+ + " \"index\": \"new_a\""
+ + " }"
+ + "}";
 System.out.println(rh.executePostRequest("_reindex", reindex, encodeBasicHeader("nagilum", "nagilum")));
-
 System.out.println("############ msearch");
- String msearchBody =
- "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"+System.lineSeparator()+
- "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+
- "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"+System.lineSeparator()+
- "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+
- "{\"index\":\"public\", \"ignore_unavailable\": true}"+System.lineSeparator()+
- "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator();
-
+ String msearchBody = "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"
+ + System.lineSeparator()
+ + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"
+ + System.lineSeparator()
+ + "{\"index\":\"a\", \"type\":\"b\", \"ignore_unavailable\": true}"
+ + System.lineSeparator()
+ + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"
+ + System.lineSeparator()
+ + "{\"index\":\"public\", \"ignore_unavailable\": true}"
+ + System.lineSeparator()
+ + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"
+ + System.lineSeparator();
 System.out.println(rh.executePostRequest("_msearch", msearchBody, encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ mget");
- String mgetBody = "{"+
- "\"docs\" : ["+
- "{"+
- "\"_index\" : \"a\","+
- "\"_id\" : \"1\""+
- " },"+
- " {"+
- "\"_index\" : \"a\","+
- " \"_id\" : \"12\""+
- "},"+
- " {"+
- "\"_index\" : \"a\","+
- " \"_id\" : \"13\""+
- "},"+" {"+
- "\"_index\" : \"a\","+
- " \"_id\" : \"14\""+
- "}"+
- "]"+
- "}";
+ String mgetBody = "{"
+ + "\"docs\" : ["
+ + "{"
+ + "\"_index\" : \"a\","
+ + "\"_id\" : \"1\""
+ + " },"
+ + " {"
+ + "\"_index\" : \"a\","
+ + " \"_id\" : \"12\""
+ + "},"
+ + " {"
+ + "\"_index\" : \"a\","
+ + " \"_id\" : \"13\""
+ + "},"
+ + " {"
+ + "\"_index\" : \"a\","
+ + " \"_id\" : \"14\""
+ + "}"
+ + "]"
+ + "}";
 System.out.println(rh.executePostRequest("_mget?refresh=true", mgetBody, encodeBasicHeader("nagilum", "nagilum")));
 System.out.println("############ delete by query");
- String dbqBody = "{"+
- ""+
- " \"query\": { "+
- " \"match\": {"+
- " \"content\": 12"+
- " }"+
- " }"+
- "}";
+ String dbqBody = "{" + "" + " \"query\": { " + " \"match\": {" + " \"content\": 12" + " }" + " }" + "}";
 System.out.println(rh.executePostRequest("a/b/_delete_by_query", dbqBody, encodeBasicHeader("nagilum", "nagilum")));
diff --git a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java
index fc61a3f127..8b5259eb81 100644
--- a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java
+++ b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java
@@ -55,52 +55,69 @@ public UserInjectorPlugin(final Settings settings, final Path configPath) {
 }
 @Override
- public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool,
- ResourceWatcherService resourceWatcherService, ScriptService scriptService,
- NamedXContentRegistry xContentRegistry, Environment environment,
- NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry,
- IndexNameExpressionResolver indexNameExpressionResolver,
- Supplier repositoriesServiceSupplier) {
- if(injectedUser != null)
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, injectedUser);
+ public Collection createComponents(
+ Client client,
+ ClusterService clusterService,
+ ThreadPool threadPool,
+ ResourceWatcherService resourceWatcherService,
+ ScriptService scriptService,
+ NamedXContentRegistry xContentRegistry,
+ Environment environment,
+ NodeEnvironment nodeEnvironment,
+ NamedWriteableRegistry namedWriteableRegistry,
+ IndexNameExpressionResolver indexNameExpressionResolver,
+ Supplier repositoriesServiceSupplier
+ ) {
+ if (injectedUser != null) threadPool.getThreadContext()
+ .putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, injectedUser);
 return new ArrayList<>();
 }
 }
 @Test
 public void testSecurityUserInjection() throws Exception {
- final Settings clusterNodeSettings = Settings.builder()
- .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
- .build();
+ final Settings clusterNodeSettings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true).build();
 setup(clusterNodeSettings, new DynamicSecurityConfig().setSecurityRolesMapping("roles_transport_inject_user.yml"), Settings.EMPTY);
 final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false)
- .put(minimumSecuritySettings(Settings.EMPTY).get(0))
- .put("cluster.name", clusterInfo.clustername)
- .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
- .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
- .put("path.home", "./target")
- .put("node.name", "testclient")
- .put("discovery.initial_state_timeout", "8s")
- .put("plugins.security.allow_default_init_securityindex", "true")
- .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
- .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
- .build();
-
+ .put(minimumSecuritySettings(Settings.EMPTY).get(0))
+ .put("cluster.name", clusterInfo.clustername)
+ .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
+ .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
+ .put("path.home", "./target")
+ .put("node.name", "testclient")
+ .put("discovery.initial_state_timeout", "8s")
+ .put("plugins.security.allow_default_init_securityindex", "true")
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
+ .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
+ .build();
 // 1. without user injection
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class,
- OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
+ try (
+ Node node = new PluginAwareNode(
+ false,
+ tcSettings,
+ Netty4ModulePlugin.class,
+ OpenSearchSecurityPlugin.class,
+ UserInjectorPlugin.class
+ ).start()
+ ) {
 waitForInit(node.client());
 CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet();
 Assert.assertTrue(cir.isAcknowledged());
 }
-
 // 2. with invalid backend roles
 UserInjectorPlugin.injectedUser = "ttt|kkk";
 Exception exception = null;
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class,
- OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
+ try (
+ Node node = new PluginAwareNode(
+ false,
+ tcSettings,
+ Netty4ModulePlugin.class,
+ OpenSearchSecurityPlugin.class,
+ UserInjectorPlugin.class
+ ).start()
+ ) {
 waitForInit(node.client());
 CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet();
 Assert.fail("Expecting exception");
@@ -111,11 +128,17 @@ public void testSecurityUserInjection() throws Exception {
 Assert.assertTrue(exception.getMessage().toString().contains("no permissions for [indices:admin/create]"));
 }
-
 // 3. with valid backend roles for injected user
 UserInjectorPlugin.injectedUser = "injectedadmin|injecttest";
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class,
- OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
+ try (
+ Node node = new PluginAwareNode(
+ false,
+ tcSettings,
+ Netty4ModulePlugin.class,
+ OpenSearchSecurityPlugin.class,
+ UserInjectorPlugin.class
+ ).start()
+ ) {
 waitForInit(node.client());
 CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet();
 Assert.assertTrue(cir.isAcknowledged());
@@ -125,25 +148,32 @@ public void testSecurityUserInjection() throws Exception { @Test public void testSecurityUserInjectionWithConfigDisabled() throws Exception { final Settings clusterNodeSettings = Settings.builder() - .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false) - .build(); + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false) + .build(); setup(clusterNodeSettings, new DynamicSecurityConfig().setSecurityRolesMapping("roles_transport_inject_user.yml"), Settings.EMPTY); final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false) - .put(minimumSecuritySettings(Settings.EMPTY).get(0)) - .put("cluster.name", clusterInfo.clustername) - .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data") - .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs") - .put("path.home", "./target") - .put("node.name", "testclient") - .put("discovery.initial_state_timeout", "8s") - .put("plugins.security.allow_default_init_securityindex", "true") - .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false) - .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) - .build(); + .put(minimumSecuritySettings(Settings.EMPTY).get(0)) + .put("cluster.name", clusterInfo.clustername) + .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data") + .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs") + .put("path.home", "./target") + .put("node.name", "testclient") + .put("discovery.initial_state_timeout", "8s") + .put("plugins.security.allow_default_init_securityindex", "true") + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false) + .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) + .build(); // 1. 
without user injection - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + UserInjectorPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); Assert.assertTrue(cir.isAcknowledged()); @@ -151,8 +181,15 @@ public void testSecurityUserInjectionWithConfigDisabled() throws Exception { // with invalid backend roles UserInjectorPlugin.injectedUser = "ttt|kkk"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + UserInjectorPlugin.class + ).start() + ) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); // Should pass as the user injection is disabled diff --git a/src/test/java/org/opensearch/security/UtilTests.java b/src/test/java/org/opensearch/security/UtilTests.java index 83728e165d..2127ada55f 100644 --- a/src/test/java/org/opensearch/security/UtilTests.java +++ b/src/test/java/org/opensearch/security/UtilTests.java 
@@ -86,29 +86,29 @@ public void testWildcardMatcherClassesCaseInsensitive() { @Test public void testWildcardMatchers() { - assertTrue(!WildcardMatcher.from("a*?").test( "a")); - assertTrue(WildcardMatcher.from("a*?").test( "aa")); - assertTrue(WildcardMatcher.from("a*?").test( "ab")); - //assertTrue(WildcardMatcher.pattern("a*?").test( "abb")); - assertTrue(WildcardMatcher.from("*my*index").test( "myindex")); - assertTrue(!WildcardMatcher.from("*my*index").test( "myindex1")); - assertTrue(WildcardMatcher.from("*my*index?").test( "myindex1")); - assertTrue(WildcardMatcher.from("*my*index").test( "this_is_my_great_index")); - assertTrue(!WildcardMatcher.from("*my*index").test( "MYindex")); - assertTrue(!WildcardMatcher.from("?kibana").test( "kibana")); - assertTrue(WildcardMatcher.from("?kibana").test( ".kibana")); - assertTrue(!WildcardMatcher.from("?kibana").test( "kibana.")); - assertTrue(WildcardMatcher.from("?kibana?").test( "?kibana.")); - assertTrue(WildcardMatcher.from("/(\\d{3}-?\\d{2}-?\\d{4})/").test( "123-45-6789")); - assertTrue(!WildcardMatcher.from("(\\d{3}-?\\d{2}-?\\d{4})").test( "123-45-6789")); - assertTrue(WildcardMatcher.from("/\\S*/").test( "abc")); - assertTrue(WildcardMatcher.from("abc").test( "abc")); - assertTrue(!WildcardMatcher.from("ABC").test( "abc")); + assertTrue(!WildcardMatcher.from("a*?").test("a")); + assertTrue(WildcardMatcher.from("a*?").test("aa")); + assertTrue(WildcardMatcher.from("a*?").test("ab")); + // assertTrue(WildcardMatcher.pattern("a*?").test( "abb")); + assertTrue(WildcardMatcher.from("*my*index").test("myindex")); + assertTrue(!WildcardMatcher.from("*my*index").test("myindex1")); + assertTrue(WildcardMatcher.from("*my*index?").test("myindex1")); + assertTrue(WildcardMatcher.from("*my*index").test("this_is_my_great_index")); + assertTrue(!WildcardMatcher.from("*my*index").test("MYindex")); + assertTrue(!WildcardMatcher.from("?kibana").test("kibana")); + assertTrue(WildcardMatcher.from("?kibana").test(".kibana")); + 
assertTrue(!WildcardMatcher.from("?kibana").test("kibana.")); + assertTrue(WildcardMatcher.from("?kibana?").test("?kibana.")); + assertTrue(WildcardMatcher.from("/(\\d{3}-?\\d{2}-?\\d{4})/").test("123-45-6789")); + assertTrue(!WildcardMatcher.from("(\\d{3}-?\\d{2}-?\\d{4})").test("123-45-6789")); + assertTrue(WildcardMatcher.from("/\\S*/").test("abc")); + assertTrue(WildcardMatcher.from("abc").test("abc")); + assertTrue(!WildcardMatcher.from("ABC").test("abc")); } @Test public void testMapFromArray() { - Map map = SecurityUtils.mapFromArray((Object)null); + Map map = SecurityUtils.mapFromArray((Object) null); assertTrue(map == null); map = SecurityUtils.mapFromArray("key"); 
@@ -138,32 +138,35 @@ public void testMapFromArray() { @Test public void testEnvReplace() { Settings settings = Settings.EMPTY; - assertEquals("abv${env.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV}xyz",settings)); - assertEquals("abv${envbc.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${envbc.MYENV}xyz",settings)); - assertEquals("abvtTtxyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz",settings)); - assertTrue(OpenBSDBCrypt.checkPassword(SecurityUtils.replaceEnvVars("${envbc.MYENV:-tTt}",settings), "tTt".toCharArray())); - assertEquals("abvtTtxyzxxx", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${env.MYENV:-xxx}",settings)); - assertTrue(SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${envbc.MYENV:-xxx}",settings).startsWith("abvtTtxyz$2y$")); - assertEquals("abv${env.MYENV:tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:tTt}xyz",settings)); - assertEquals("abv${env.MYENV-tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV-tTt}xyz",settings)); - //assertEquals("abvabcdefgxyz", SecurityUtils.replaceEnvVars("abv${envbase64.B64TEST}xyz",settings)); + assertEquals("abv${env.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV}xyz", settings)); + assertEquals("abv${envbc.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${envbc.MYENV}xyz", settings)); + assertEquals("abvtTtxyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz", settings)); + assertTrue(OpenBSDBCrypt.checkPassword(SecurityUtils.replaceEnvVars("${envbc.MYENV:-tTt}", settings), "tTt".toCharArray())); + assertEquals("abvtTtxyzxxx", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${env.MYENV:-xxx}", settings)); + assertTrue(SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${envbc.MYENV:-xxx}", settings).startsWith("abvtTtxyz$2y$")); + assertEquals("abv${env.MYENV:tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:tTt}xyz", settings)); + assertEquals("abv${env.MYENV-tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV-tTt}xyz", settings)); + 
// assertEquals("abvabcdefgxyz", SecurityUtils.replaceEnvVars("abv${envbase64.B64TEST}xyz",settings)); Map env = System.getenv(); assertTrue(env.size() > 0); boolean checked = false; - for(String k: env.keySet()) { - String val=System.getenv().get(k); - if(val == null || val.isEmpty()) { + for (String k : env.keySet()) { + String val = System.getenv().get(k); + if (val == null || val.isEmpty()) { continue; } - assertEquals("abv"+val+"xyz", SecurityUtils.replaceEnvVars("abv${env."+k+"}xyz",settings)); - assertEquals("abv${"+k+"}xyz", SecurityUtils.replaceEnvVars("abv${"+k+"}xyz",settings)); - assertEquals("abv"+val+"xyz", SecurityUtils.replaceEnvVars("abv${env."+k+":-k182765ggh}xyz",settings)); - assertEquals("abv"+val+"xyzabv"+val+"xyz", SecurityUtils.replaceEnvVars("abv${env."+k+"}xyzabv${env."+k+"}xyz",settings)); - assertEquals("abv"+val+"xyz", SecurityUtils.replaceEnvVars("abv${env."+k+":-k182765ggh}xyz",settings)); - assertTrue(OpenBSDBCrypt.checkPassword(SecurityUtils.replaceEnvVars("${envbc."+k+"}",settings), val.toCharArray())); + assertEquals("abv" + val + "xyz", SecurityUtils.replaceEnvVars("abv${env." + k + "}xyz", settings)); + assertEquals("abv${" + k + "}xyz", SecurityUtils.replaceEnvVars("abv${" + k + "}xyz", settings)); + assertEquals("abv" + val + "xyz", SecurityUtils.replaceEnvVars("abv${env." + k + ":-k182765ggh}xyz", settings)); + assertEquals( + "abv" + val + "xyzabv" + val + "xyz", + SecurityUtils.replaceEnvVars("abv${env." + k + "}xyzabv${env." + k + "}xyz", settings) + ); + assertEquals("abv" + val + "xyz", SecurityUtils.replaceEnvVars("abv${env." + k + ":-k182765ggh}xyz", settings)); + assertTrue(OpenBSDBCrypt.checkPassword(SecurityUtils.replaceEnvVars("${envbc." + k + "}", settings), val.toCharArray())); checked = true; } 
@@ -173,22 +176,34 @@ public void testEnvReplace() { @Test public void testNoEnvReplace() { Settings settings = Settings.builder().put(ConfigConstants.SECURITY_DISABLE_ENVVAR_REPLACEMENT, true).build(); - assertEquals("abv${env.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV}xyz",settings)); - assertEquals("abv${envbc.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${envbc.MYENV}xyz",settings)); - assertEquals("abv${env.MYENV:-tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz",settings)); - assertEquals("abv${env.MYENV:-tTt}xyz${env.MYENV:-xxx}", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${env.MYENV:-xxx}",settings)); - assertFalse(SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${envbc.MYENV:-xxx}",settings).startsWith("abvtTtxyz$2y$")); - assertEquals("abv${env.MYENV:tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:tTt}xyz",settings)); - assertEquals("abv${env.MYENV-tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV-tTt}xyz",settings)); + assertEquals("abv${env.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV}xyz", settings)); + assertEquals("abv${envbc.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${envbc.MYENV}xyz", settings)); + assertEquals("abv${env.MYENV:-tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz", settings)); + assertEquals( + "abv${env.MYENV:-tTt}xyz${env.MYENV:-xxx}", + SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${env.MYENV:-xxx}", settings) + ); + assertFalse(SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz${envbc.MYENV:-xxx}", settings).startsWith("abvtTtxyz$2y$")); + assertEquals("abv${env.MYENV:tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:tTt}xyz", settings)); + assertEquals("abv${env.MYENV-tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV-tTt}xyz", settings)); Map env = System.getenv(); assertTrue(env.size() > 0); - for(String k: env.keySet()) { - assertEquals("abv${env."+k+"}xyz", SecurityUtils.replaceEnvVars("abv${env."+k+"}xyz",settings)); - 
assertEquals("abv${"+k+"}xyz", SecurityUtils.replaceEnvVars("abv${"+k+"}xyz",settings)); - assertEquals("abv${env."+k+":-k182765ggh}xyz", SecurityUtils.replaceEnvVars("abv${env."+k+":-k182765ggh}xyz",settings)); - assertEquals("abv${env."+k+"}xyzabv${env."+k+"}xyz", SecurityUtils.replaceEnvVars("abv${env."+k+"}xyzabv${env."+k+"}xyz",settings)); - assertEquals("abv${env."+k+":-k182765ggh}xyz", SecurityUtils.replaceEnvVars("abv${env."+k+":-k182765ggh}xyz",settings)); + for (String k : env.keySet()) { + assertEquals("abv${env." + k + "}xyz", SecurityUtils.replaceEnvVars("abv${env." + k + "}xyz", settings)); + assertEquals("abv${" + k + "}xyz", SecurityUtils.replaceEnvVars("abv${" + k + "}xyz", settings)); + assertEquals( + "abv${env." + k + ":-k182765ggh}xyz", + SecurityUtils.replaceEnvVars("abv${env." + k + ":-k182765ggh}xyz", settings) + ); + assertEquals( + "abv${env." + k + "}xyzabv${env." + k + "}xyz", + SecurityUtils.replaceEnvVars("abv${env." + k + "}xyzabv${env." + k + "}xyz", settings) + ); + assertEquals( + "abv${env." + k + ":-k182765ggh}xyz", + SecurityUtils.replaceEnvVars("abv${env." + k + ":-k182765ggh}xyz", settings) + ); } } } diff --git a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java index 14ae6aa81e..f567a90ec8 100644 --- a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java +++ b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java 
@@ -45,8 +45,10 @@ protected final void setup(Settings settings) throws Exception { // Separate the cluster defaults from audit settings that will be applied after the cluster is up settings.keySet().forEach(key -> { final boolean moveToAuditConfig = Arrays.stream(AuditConfig.Filter.FilterEntries.values()) - .anyMatch(entry -> entry.getKeyWithNamespace().equalsIgnoreCase(key) || entry.getLegacyKeyWithNamespace().equalsIgnoreCase(key)) - || DEPRECATED_KEYS.stream().anyMatch(key::equalsIgnoreCase); + .anyMatch( + entry -> entry.getKeyWithNamespace().equalsIgnoreCase(key) || entry.getLegacyKeyWithNamespace().equalsIgnoreCase(key) + ) + || DEPRECATED_KEYS.stream().anyMatch(key::equalsIgnoreCase); if (moveToAuditConfig) { auditConfigSettings.put(key, settings.get(key)); } else { @@ -64,10 +66,8 @@ protected Settings defaultNodeSettings(Settings additionalSettings) { Settings.Builder builder = Settings.builder(); builder.put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")); + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")); return builder.put(additionalSettings).build(); } @@ -87,7 +87,7 @@ protected void setupStarfleetIndex() throws Exception { protected boolean validateMsgs(final Collection msgs) { boolean valid = true; - for(AuditMessage msg: msgs) { + for (AuditMessage msg : msgs) { valid = validateMsg(msg) && valid; } return valid; 
@@ -99,15 +99,15 @@ protected boolean validateMsg(final AuditMessage msg) { protected boolean validateJson(final String json) { - if(json == null || json.isEmpty()) { + if (json == null || json.isEmpty()) { return false; } try { JsonNode node = DefaultObjectMapper.objectMapper.readTree(json); - if(node.get("audit_request_body") != null) { - System.out.println(" Check audit_request_body for validity: "+node.get("audit_request_body").asText()); + if (node.get("audit_request_body") != null) { + System.out.println(" Check audit_request_body for validity: " + node.get("audit_request_body").asText()); DefaultObjectMapper.objectMapper.readTree(node.get("audit_request_body").asText()); } diff --git a/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java b/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java index 507ebc1409..98f5fab88e 100644 --- a/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java +++ b/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java @@ -62,7 +62,8 @@ public static AbstractAuditLog createAuditLog( final Client clientProvider, final ThreadPool threadPool, final IndexNameExpressionResolver resolver, - final ClusterService clusterService) { + final ClusterService clusterService + ) { AuditLogImpl auditLog = new AuditLogImpl(settings, configPath, clientProvider, threadPool, resolver, clusterService); AuditConfig auditConfig = AuditConfig.from(settings); auditLog.setConfig(auditConfig); diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java index 96773dfee4..361c3cc313 100644 --- a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java 
@@ -54,14 +54,14 @@ public class ComplianceAuditlogTest extends AbstractAuditlogiUnitTest { @Test public void testSourceFilter() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); final boolean sendAdminCertificate = rh.sendAdminCertificate; 
@@ -74,18 +74,18 @@ public void testSourceFilter() throws Exception { rh.sendAdminCertificate = sendAdminCertificate; rh.keystore = keystore; - String search = "{" + - " \"_source\":[" + - " \"Gender\""+ - " ]," + - " \"from\":0," + - " \"size\":3," + - " \"query\":{" + - " \"term\":{" + - " \"Salary\": 300" + - " }" + - " }" + - "}"; + String search = "{" + + " \"_source\":[" + + " \"Gender\"" + + " ]," + + " \"from\":0," + + " \"size\":3," + + " \"query\":{" + + " \"term\":{" + + " \"Salary\": 300" + + " }" + + " }" + + "}"; final AuditMessage message = TestAuditlogImpl.doThenWaitForMessage(() -> { final HttpResponse response = rh.executePostRequest("_search?pretty", search, encodeBasicHeader("admin", "admin")); @@ -102,9 +102,7 @@ public void testSourceFilter() throws Exception { @Test public void testComplianceEnable() throws Exception { - Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .build(); + Settings additionalSettings = Settings.builder().put("plugins.security.audit.type", TestAuditlogImpl.class.getName()).build(); setup(additionalSettings); @@ -112,7 +110,14 @@ public void testComplianceEnable() throws Exception { rh.keystore = "auditlog/kirk-keystore.jks"; // watch emp for write - AuditConfig auditConfig = new AuditConfig(true, AuditConfig.Filter.DEFAULT , ComplianceConfig.from(ImmutableMap.of("enabled", true, "write_watched_indices", Collections.singletonList("emp")), additionalSettings)); + AuditConfig auditConfig = new AuditConfig( + true, + AuditConfig.Filter.DEFAULT, + ComplianceConfig.from( + ImmutableMap.of("enabled", true, "write_watched_indices", Collections.singletonList("emp")), + additionalSettings + ) + ); updateAuditConfig(AuditTestUtils.createAuditPayload(auditConfig)); // make an event happen 
@@ -122,23 +127,36 @@ public void testComplianceEnable() throws Exception { rh.executePutRequest("emp/_doc/0?refresh", "{\"Designation\" : \"CEO\", \"Gender\" : \"female\", \"Salary\" : 100}"); System.out.println(rh.executeGetRequest("_cat/shards?v")); }, 7); - } catch (final MessagesNotFoundException ex) { + } catch (final MessagesNotFoundException ex) { // indices:admin/mapping/auto_put can be logged twice, this handles if they were not found assertThat("Too many missing audit log messages", ex.getMissingCount(), equalTo(2)); messages = ex.getFoundMessages(); } - messages.stream().filter(msg -> msg.getCategory().equals(AuditCategory.COMPLIANCE_DOC_WRITE)) - .findFirst().orElseThrow(() -> new RuntimeException("Missing COMPLIANCE message")); + messages.stream() + .filter(msg -> msg.getCategory().equals(AuditCategory.COMPLIANCE_DOC_WRITE)) + .findFirst() + .orElseThrow(() -> new RuntimeException("Missing COMPLIANCE message")); - final List indexCreation = messages.stream().filter(msg -> "indices:admin/auto_create".equals(msg.getPrivilege())).collect(Collectors.toList()); + final List indexCreation = messages.stream() + .filter(msg -> "indices:admin/auto_create".equals(msg.getPrivilege())) + .collect(Collectors.toList()); assertThat(indexCreation.size(), equalTo(2)); - final List mappingCreation = messages.stream().filter(msg -> "indices:admin/mapping/auto_put".equals(msg.getPrivilege())).collect(Collectors.toList()); + final List mappingCreation = messages.stream() + .filter(msg -> "indices:admin/mapping/auto_put".equals(msg.getPrivilege())) + .collect(Collectors.toList()); assertThat(mappingCreation.size(), anyOf(equalTo(4), equalTo(2))); // disable compliance - auditConfig = new AuditConfig(true, AuditConfig.Filter.DEFAULT , ComplianceConfig.from(ImmutableMap.of("enabled", false, "write_watched_indices", Collections.singletonList("emp")), additionalSettings)); + auditConfig = new AuditConfig( + true, + AuditConfig.Filter.DEFAULT, + ComplianceConfig.from( + 
ImmutableMap.of("enabled", false, "write_watched_indices", Collections.singletonList("emp")), + additionalSettings + ) + ); updateAuditConfig(AuditTestUtils.createAuditPayload(auditConfig)); // trigger an event that it not captured by the audit log 
@@ -154,15 +172,15 @@ public void testComplianceEnable() throws Exception { public void testSourceFilterMsearch() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - //.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "emp") - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + // .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "emp") + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); final boolean sendAdminCertificate = rh.sendAdminCertificate; 
@@ -175,33 +193,38 @@ public void testSourceFilterMsearch() throws Exception { rh.sendAdminCertificate = sendAdminCertificate; rh.keystore = keystore; - String search = "{}"+System.lineSeparator() - + "{" + - " \"_source\":[" + - " \"Gender\""+ - " ]," + - " \"from\":0," + - " \"size\":3," + - " \"query\":{" + - " \"term\":{" + - " \"Salary\": 300" + - " }" + - " }" + - "}"+System.lineSeparator()+ - - "{}"+System.lineSeparator() - + "{" + - " \"_source\":[" + - " \"Designation\""+ - " ]," + - " \"from\":0," + - " \"size\":3," + - " \"query\":{" + - " \"term\":{" + - " \"Salary\": 200" + - " }" + - " }" + - "}"+System.lineSeparator(); + String search = "{}" + + System.lineSeparator() + + "{" + + " \"_source\":[" + + " \"Gender\"" + + " ]," + + " \"from\":0," + + " \"size\":3," + + " \"query\":{" + + " \"term\":{" + + " \"Salary\": 300" + + " }" + + " }" + + "}" + + System.lineSeparator() + + + + "{}" + + System.lineSeparator() + + "{" + + " \"_source\":[" + + " \"Designation\"" + + " ]," + + " \"from\":0," + + " \"size\":3," + + " \"query\":{" + + " \"term\":{" + + " \"Salary\": 200" + + " }" + + " }" + + "}" + + System.lineSeparator(); final List messages = TestAuditlogImpl.doThenWaitForMessages(() -> { HttpResponse response = rh.executePostRequest("_msearch?pretty", search, encodeBasicHeader("admin", "admin")); 
@@ -209,8 +232,10 @@ public void testSourceFilterMsearch() throws Exception { Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); }, 2); - - final AuditMessage desginationMsg = messages.stream().filter(msg -> msg.getRequestBody().contains("Designation")).findFirst().orElseThrow(); + final AuditMessage desginationMsg = messages.stream() + .filter(msg -> msg.getRequestBody().contains("Designation")) + .findFirst() + .orElseThrow(); assertThat(desginationMsg.getCategory(), equalTo(AuditCategory.COMPLIANCE_DOC_READ)); assertThat(desginationMsg.getRequestBody(), containsString("Designation")); assertThat(desginationMsg.getRequestBody(), not(containsString("Salary"))); 
@@ -227,23 +252,31 @@ public void testSourceFilterMsearch() throws Exception { public void testInternalConfig() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); - final List expectedDocumentsTypes = List.of("config", "actiongroups", "internalusers", "roles", "rolesmapping", "tenants", "audit"); + final List expectedDocumentsTypes = 
List.of( + "config", + "actiongroups", + "internalusers", + "roles", + "rolesmapping", + "tenants", + "audit" + ); final List messages = TestAuditlogImpl.doThenWaitForMessages(() -> { try (RestHighLevelClient restHighLevelClient = getRestClient(clusterInfo, "kirk-keystore.jks", "truststore.jks")) { - for (IndexRequest ir: new DynamicSecurityConfig().setSecurityRoles("roles_2.yml").getDynamicConfig(getResourceFolder())) { + for (IndexRequest ir : new DynamicSecurityConfig().setSecurityRoles("roles_2.yml").getDynamicConfig(getResourceFolder())) { restHighLevelClient.index(ir, RequestOptions.DEFAULT); GetResponse getDocumentResponse = restHighLevelClient.get(new GetRequest(ir.index(), ir.id()), RequestOptions.DEFAULT); assertThat(getDocumentResponse.isExists(), equalTo(true)); @@ -262,7 +295,8 @@ public void testInternalConfig() throws Exception { messages.stream().collect(Collectors.groupingBy(AuditMessage::getDocId)).entrySet().forEach((e) -> { final String docId = e.getKey(); final List messagesByDocId = e.getValue(); - assertThat("Doc " + docId + " should have a read/write config message", + assertThat( + "Doc " + docId + " should have a read/write config message", messagesByDocId.stream().map(AuditMessage::getCategory).collect(Collectors.toList()), equalTo(List.of(AuditCategory.COMPLIANCE_INTERNAL_CONFIG_WRITE, AuditCategory.COMPLIANCE_INTERNAL_CONFIG_READ)) ); 
@@ -275,15 +309,15 @@ public void testInternalConfig() throws Exception { public void testExternalConfig() throws Exception { final Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); final List messages = TestAuditlogImpl.doThenWaitForMessages(() -> { try { 
@@ -293,7 +327,7 @@ public void testExternalConfig() throws Exception { } try (Client tc = getClient()) { - for(IndexRequest ir: new DynamicSecurityConfig().setSecurityRoles("roles_2.yml").getDynamicConfig(getResourceFolder())) { + for (IndexRequest ir : new DynamicSecurityConfig().setSecurityRoles("roles_2.yml").getDynamicConfig(getResourceFolder())) { tc.index(ir).actionGet(); } } 
@@ -319,41 +353,46 @@ public void testExternalConfig() throws Exception { public void testUpdate() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "finance") - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "humanresources,Designation,FirstName,LastName") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "finance") + .put( + ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, + "humanresources,Designation,FirstName,LastName" + ) + .build(); setup(additionalSettings); - try (Client tc = getClient()) { - tc.prepareIndex("humanresources") - .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .setSource("Age", 456) - .execute() - .actionGet(); + tc.prepareIndex("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).setSource("Age", 456).execute().actionGet(); } final MessagesNotFoundException ex1 = assertThrows(MessagesNotFoundException.class, 
() -> { TestAuditlogImpl.doThenWaitForMessage(() -> { final String body = "{\"doc\": {\"Age\":123}}"; - final HttpResponse response = rh.executePostRequest("humanresources/_doc/100?pretty", body, encodeBasicHeader("admin", "admin")); + final HttpResponse response = rh.executePostRequest( + "humanresources/_doc/100?pretty", + body, + encodeBasicHeader("admin", "admin") + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); }); }); assertThat(ex1.getMissingCount(), equalTo(1)); - final MessagesNotFoundException ex2 = assertThrows(MessagesNotFoundException.class, () -> { TestAuditlogImpl.doThenWaitForMessage(() -> { final String body = "{\"doc\": {\"Age\":456}}"; - final HttpResponse response = rh.executePostRequest("humanresources/_update/100?pretty", body, encodeBasicHeader("admin", "admin")); + final HttpResponse response = rh.executePostRequest( + "humanresources/_update/100?pretty", + body, + encodeBasicHeader("admin", "admin") + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); }); }); 
@@ -367,34 +406,38 @@ public void testUpdate() throws Exception { public void testWriteHistory() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "humanresources") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "humanresources") + .build(); setup(additionalSettings); try (Client tc = getClient()) { - tc.prepareIndex("humanresources") - .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .setSource("Age", 456) - .execute() - .actionGet(); + tc.prepareIndex("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).setSource("Age", 456).execute().actionGet(); } TestAuditlogImpl.doThenWaitForMessage(() -> { final String body = "{\"doc\": {\"Age\":123}}"; - final HttpResponse response = rh.executePostRequest("humanresources/_doc/100?pretty", body, encodeBasicHeader("admin", "admin")); + final HttpResponse response = rh.executePostRequest( + "humanresources/_doc/100?pretty", + body, + encodeBasicHeader("admin", "admin") + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); }); 
Assert.assertTrue(TestAuditlogImpl.sb.toString().split(".*audit_compliance_diff_content.*replace.*").length == 1); TestAuditlogImpl.doThenWaitForMessage(() -> { final String body = "{\"doc\": {\"Age\":555}}"; - final HttpResponse response = rh.executePostRequest("humanresources/_update/100?pretty", body, encodeBasicHeader("admin", "admin")); + final HttpResponse response = rh.executePostRequest( + "humanresources/_update/100?pretty", + body, + encodeBasicHeader("admin", "admin") + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); }); Assert.assertTrue(TestAuditlogImpl.sb.toString().split(".*audit_compliance_diff_content.*replace.*").length == 1); diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java index a40e94ad28..467475212b 100644 --- a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java 
@@ -50,19 +50,21 @@ public void testConfig() { // arrange final String testSalt = "abcdefghijklmnop"; final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) - .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "write_index1", "write_index_pattern*") - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "read_index1,field1,field2", "read_index_pattern*,field1,field_pattern*") - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, - "test-user-1", "test-user-2") - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, - "test-user-3", "test-user-4") - .build(); + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) + .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) + .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "write_index1", "write_index_pattern*") + .putList( + ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, + "read_index1,field1,field2", + "read_index_pattern*,field1,field_pattern*" + ) + 
.putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, "test-user-1", "test-user-2") + .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, "test-user-3", "test-user-4") + .build(); // act final ComplianceConfig complianceConfig = ComplianceConfig.from(settings); @@ -74,8 +76,14 @@ public void testConfig() { assertTrue(complianceConfig.shouldLogReadMetadataOnly()); assertTrue(complianceConfig.shouldLogWriteMetadataOnly()); assertFalse(complianceConfig.shouldLogDiffsForWrite()); - assertEquals(WildcardMatcher.from(ImmutableSet.of("test-user-1", "test-user-2")), complianceConfig.getIgnoredComplianceUsersForReadMatcher()); - assertEquals(WildcardMatcher.from(ImmutableSet.of("test-user-3", "test-user-4")), complianceConfig.getIgnoredComplianceUsersForWriteMatcher()); + assertEquals( + WildcardMatcher.from(ImmutableSet.of("test-user-1", "test-user-2")), + complianceConfig.getIgnoredComplianceUsersForReadMatcher() + ); + assertEquals( + WildcardMatcher.from(ImmutableSet.of("test-user-3", "test-user-4")), + complianceConfig.getIgnoredComplianceUsersForWriteMatcher() + ); // test write history assertTrue(complianceConfig.writeHistoryEnabledForIndex(".opendistro_security")); @@ -105,11 +113,9 @@ public void testConfig() { public void testNone() { // arrange final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, - "NONE") - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, - "NONE") - .build(); + .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, "NONE") + .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, "NONE") + .build(); // act final ComplianceConfig complianceConfig = ComplianceConfig.from(settings); // assert 
@@ -121,11 +127,9 @@ public void testNone() { public void testEmpty() { // arrange final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, - Collections.emptyList()) - .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, - Collections.emptyList()) - .build(); + .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, Collections.emptyList()) + .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, Collections.emptyList()) + .build(); // act final ComplianceConfig complianceConfig = ComplianceConfig.from(settings); // assert diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java index 37ef283ccb..519237bd8e 100644 --- a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java 
@@ -29,25 +29,29 @@ public class RestApiComplianceAuditlogTest extends AbstractAuditlogiUnitTest { public void testRestApiRolesEnabled() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); TestAuditlogImpl.clear(); String body = "{ \"password\":\"some new password\",\"backend_roles\":[\"role1\",\"role2\"] }"; - HttpResponse response = 
rh.executePutRequest("_opendistro/_security/api/internalusers/compuser?pretty", body, encodeBasicHeader("admin", "admin")); + HttpResponse response = rh.executePutRequest( + "_opendistro/_security/api/internalusers/compuser?pretty", + body, + encodeBasicHeader("admin", "admin") + ); Thread.sleep(1500); System.out.println(TestAuditlogImpl.sb.toString()); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); - Assert.assertTrue(TestAuditlogImpl.messages.size()+"",TestAuditlogImpl.messages.size() == 1); + Assert.assertTrue(TestAuditlogImpl.messages.size() + "", TestAuditlogImpl.messages.size() == 1); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("audit_request_effective_user")); Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("COMPLIANCE_INTERNAL_CONFIG_READ")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("COMPLIANCE_INTERNAL_CONFIG_WRITE")); 
@@ -59,15 +63,15 @@ public void testRestApiRolesEnabled() throws Exception { public void testRestApiRolesDisabled() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); TestAuditlogImpl.clear(); 
@@ -82,7 +86,7 @@ public void testRestApiRolesDisabled() throws Exception {
 Thread.sleep(1500);
 System.out.println(TestAuditlogImpl.sb.toString());
 Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
- Assert.assertTrue(TestAuditlogImpl.messages.size()+"",TestAuditlogImpl.messages.size() == 1);
+ Assert.assertTrue(TestAuditlogImpl.messages.size() + "", TestAuditlogImpl.messages.size() == 1);
 Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("audit_request_effective_user"));
 Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("COMPLIANCE_INTERNAL_CONFIG_READ"));
 Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("COMPLIANCE_INTERNAL_CONFIG_WRITE"));
@@ -95,15 +99,15 @@ public void testRestApiRolesDisabled() throws Exception { public void testRestApiRolesDisabledGet() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); TestAuditlogImpl.clear(); 
@@ -125,21 +129,19 @@ public void testRestApiRolesDisabledGet() throws Exception { Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } - - @Test public void testAutoInit() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); 
@@ -157,42 +159,45 @@ public void testAutoInit() throws Exception { public void testRestApiNewUser() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, "admin") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, "admin") + .build(); setup(additionalSettings); TestAuditlogImpl.clear(); String body = "{ \"password\":\"some new password\",\"backend_roles\":[\"role1\",\"role2\"] }"; System.out.println("exec"); - HttpResponse response = rh.executePutRequest("_opendistro/_security/api/internalusers/compuser?pretty", - body, encodeBasicHeader("admin", "admin")); + HttpResponse response = rh.executePutRequest( + "_opendistro/_security/api/internalusers/compuser?pretty", + body, + encodeBasicHeader("admin", "admin") + ); 
Thread.sleep(1500); System.out.println(TestAuditlogImpl.sb.toString()); Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode()); - Assert.assertTrue(TestAuditlogImpl.messages.size()+"", TestAuditlogImpl.messages.isEmpty()); + Assert.assertTrue(TestAuditlogImpl.messages.size() + "", TestAuditlogImpl.messages.isEmpty()); } @Test public void testRestInternalConfigRead() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + 
.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setup(additionalSettings); TestAuditlogImpl.clear(); @@ -206,7 +211,7 @@ public void testRestInternalConfigRead() throws Exception { Thread.sleep(1500); System.out.println(TestAuditlogImpl.sb.toString()); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - Assert.assertTrue(TestAuditlogImpl.messages.size()+"",TestAuditlogImpl.messages.size() == 1); + Assert.assertTrue(TestAuditlogImpl.messages.size() + "", TestAuditlogImpl.messages.size() == 1); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("audit_request_effective_user")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("COMPLIANCE_INTERNAL_CONFIG_READ")); Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("COMPLIANCE_INTERNAL_CONFIG_WRITE")); 
@@ -217,13 +222,13 @@ public void testRestInternalConfigRead() throws Exception { @Test public void testBCryptHashRedaction() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) + .build(); setup(settings); rh.sendAdminCertificate = true; rh.keystore = "kirk-keystore.jks"; @@ -242,7 +247,7 @@ public void testBCryptHashRedaction() throws Exception { // create internal user and verify no BCrypt hash is present in audit logs TestAuditlogImpl.clear(); - rh.executePutRequest("/_opendistro/_security/api/internalusers/test", "{ \"password\":\"some new user password\"}"); + rh.executePutRequest("/_opendistro/_security/api/internalusers/test", "{ \"password\":\"some new user password\"}"); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); Assert.assertFalse(AuditMessage.BCRYPT_HASH.matcher(TestAuditlogImpl.sb.toString()).matches()); } 
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
index 4b4676d852..fad4cabbc5 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
@@ -65,19 +65,25 @@ public void testDefault() { public void testConfig() { // arrange final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request") - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user") - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, - BAD_HEADERS.toString(), SSL_EXCEPTION.toString()) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, - FAILED_LOGIN.toString(), MISSING_PRIVILEGES.toString()) - .build(); + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false) + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request") + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user") + .putList( + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, + BAD_HEADERS.toString(), + SSL_EXCEPTION.toString() + ) + .putList( + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, + FAILED_LOGIN.toString(), + MISSING_PRIVILEGES.toString() + ) + .build(); // act final 
AuditConfig.Filter auditConfigFilter = AuditConfig.Filter.from(settings); // assert @@ -97,12 +103,10 @@ public void testConfig() { public void testNone() { // arrange final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "NONE") - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, - "None") - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, - "none") - .build(); + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "NONE") + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "None") + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "none") + .build(); // act final AuditConfig.Filter auditConfigFilter = AuditConfig.Filter.from(settings); // assert @@ -115,13 +119,11 @@ public void testNone() { public void testEmpty() { // arrange final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList()) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList()) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, - Collections.emptyList()) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, - Collections.emptyList()) - .build(); + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList()) + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList()) + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Collections.emptyList()) + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Collections.emptyList()) + .build(); // act final AuditConfig.Filter auditConfigFilter = AuditConfig.Filter.from(settings); // assert 
@@ -130,7 +132,6 @@ public void testEmpty() { assertTrue(auditConfigFilter.getDisabledTransportCategories().isEmpty()); } - @Test public void testFilterEntries() { assertThat(FilterEntries.ENABLE_REST.getKey(), equalTo("enable_rest")); @@ -147,16 +148,14 @@ public void fromSettingBoolean() { .put(entry.getKeyWithNamespace(), false) .put(entry.getLegacyKeyWithNamespace(), true) .build(); - assertThat(AuditConfig.Filter.fromSettingBoolean(settings1, entry, true), equalTo(false)); + assertThat(AuditConfig.Filter.fromSettingBoolean(settings1, entry, true), equalTo(false)); // Use fallback key - final Settings settings2 = Settings.builder() - .put(entry.getLegacyKeyWithNamespace(), false) - .build(); - assertThat(AuditConfig.Filter.fromSettingBoolean(settings2, entry, true), equalTo(false)); + final Settings settings2 = Settings.builder().put(entry.getLegacyKeyWithNamespace(), false).build(); + assertThat(AuditConfig.Filter.fromSettingBoolean(settings2, entry, true), equalTo(false)); // Use default - assertThat(AuditConfig.Filter.fromSettingBoolean(Settings.builder().build(), entry, true), equalTo(true)); + assertThat(AuditConfig.Filter.fromSettingBoolean(Settings.builder().build(), entry, true), equalTo(true)); } @Test 
@@ -165,67 +164,65 @@ public void fromSettingStringSet() {
 // Use primary key
 final Settings settings1 = Settings.builder()
- .putList(entry.getKeyWithNamespace(), "abc")
- .putList(entry.getLegacyKeyWithNamespace(), "def")
- .build();
+ .putList(entry.getKeyWithNamespace(), "abc")
+ .putList(entry.getLegacyKeyWithNamespace(), "def")
+ .build();
 assertThat(AuditConfig.Filter.fromSettingStringSet(settings1, entry, List.of("xyz")), equalTo(ImmutableSet.of("abc")));
 // Use fallback key
- final Settings settings2 = Settings.builder()
- .putList(entry.getLegacyKeyWithNamespace(), "def")
- .build();
+ final Settings settings2 = Settings.builder().putList(entry.getLegacyKeyWithNamespace(), "def").build();
 assertThat(AuditConfig.Filter.fromSettingStringSet(settings2, entry, List.of("xyz")), equalTo(ImmutableSet.of("def")));
 // Use default
- assertThat(AuditConfig.Filter.fromSettingStringSet(Settings.builder().build(), entry, List.of("xyz")), equalTo(ImmutableSet.of("xyz")));
+ assertThat(
+ AuditConfig.Filter.fromSettingStringSet(Settings.builder().build(), entry, List.of("xyz")),
+ equalTo(ImmutableSet.of("xyz"))
+ );
 }
 @Test
 public void fromSettingParseAuditCategory() {
 final FilterEntries entry = FilterEntries.DISABLE_REST_CATEGORIES;
- final Function> parse = (settings) ->
- AuditCategory.parse(AuditConfig.Filter.fromSettingStringSet(settings, entry, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
+ final Function> parse = (settings) -> AuditCategory.parse(
+ AuditConfig.Filter.fromSettingStringSet(settings, entry, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)
+ );
 final Settings noValues = Settings.builder().build();
 assertThat(parse.apply(noValues), equalTo(ImmutableSet.of(AUTHENTICATED, GRANTED_PRIVILEGES)));
- final Settings legacySettingNone = Settings.builder()
- .put(entry.getLegacyKeyWithNamespace(), "NONE")
- .build();
+ final Settings legacySettingNone = Settings.builder().put(entry.getLegacyKeyWithNamespace(), "NONE").build();
 assertThat(parse.apply(legacySettingNone), equalTo(ImmutableSet.of()));
- final Settings legacySettingValue = Settings.builder()
- .put(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name())
- .build();
+ final Settings legacySettingValue = Settings.builder().put(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name()).build();
 assertThat(parse.apply(legacySettingValue), equalTo(ImmutableSet.of(AUTHENTICATED)));
 final Settings legacySettingMultipleValues = Settings.builder()
- .putList(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name())
- .build();
+ .putList(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name())
+ .build();
 assertThat(parse.apply(legacySettingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS)));
 final Settings settingNone = Settings.builder()
- .put(entry.getKeyWithNamespace(), "NONE")
- .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
- .build();
+ .put(entry.getKeyWithNamespace(), "NONE")
+ .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
+ .build();
 assertThat(parse.apply(settingNone), equalTo(ImmutableSet.of()));
 final Settings settingValue = Settings.builder()
- .put(entry.getKeyWithNamespace(), AUTHENTICATED.name())
- .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
- .build();
+ .put(entry.getKeyWithNamespace(), AUTHENTICATED.name())
+ .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
+ .build();
 assertThat(parse.apply(settingValue), equalTo(ImmutableSet.of(AUTHENTICATED)));
 final Settings settingMultipleValues = Settings.builder()
- .putList(entry.getKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name())
- .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
- .build();
+ .putList(entry.getKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name())
+ .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
+ .build();
 assertThat(parse.apply(settingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS)));
 final Settings settingMultipleValuesString = Settings.builder()
- .put(entry.getKeyWithNamespace(), AUTHENTICATED.name() + "," + BAD_HEADERS.name())
- .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
- .build();
+ .put(entry.getKeyWithNamespace(), AUTHENTICATED.name() + "," + BAD_HEADERS.name())
+ .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name())
+ .build();
 assertThat(parse.apply(settingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS)));
 }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index d7ba321ea9..8cc19fa0f5 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
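Review bot: The final assertion in fromSettingParseAuditCategory passes `settingMultipleValues` to `parse.apply` instead of the `settingMultipleValuesString` built on the lines directly above it, so the comma-separated single-string form of the disabled-categories setting is never parsed by this test and the assertion merely repeats the previous one. Change the last line to `assertThat(parse.apply(settingMultipleValuesString), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS)));`. This is a pre-existing context line that the formatting commit does not touch, but it appears to be the only coverage of the string form in this method, and the disabled-category list controls which audit events are dropped, so it is worth fixing. The method starts and ends inside the hunk.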
@@ -60,33 +60,33 @@ public void testDefaultSerialize() throws IOException { final String json = objectMapper.writeValueAsString(audit); final XContentBuilder jsonBuilder = XContentFactory.jsonBuilder() - .startObject() - .field("enabled", true) - .startObject("audit") - .field("enable_rest", true) - .field("disabled_rest_categories", ImmutableList.of( "AUTHENTICATED", "GRANTED_PRIVILEGES")) - .field("enable_transport", true) - .field("disabled_transport_categories", ImmutableList.of( "AUTHENTICATED", "GRANTED_PRIVILEGES")) - .field("resolve_bulk_requests", false) - .field("log_request_body", true) - .field("resolve_indices", true) - .field("exclude_sensitive_headers", true) - .field("ignore_users", Collections.singletonList("kibanaserver")) - .field("ignore_requests", Collections.emptyList()) - .endObject() - .startObject("compliance") - .field("enabled", true) - .field("external_config", false) - .field("internal_config", false) - .field("read_metadata_only", false) - .field("read_watched_fields", Collections.emptyMap()) - .field("read_ignore_users", Collections.singletonList("kibanaserver")) - .field("write_metadata_only", false) - .field("write_log_diffs", false) - .field("write_watched_indices", Collections.emptyList()) - .field("write_ignore_users", Collections.singletonList("kibanaserver")) - .endObject() - .endObject(); + .startObject() + .field("enabled", true) + .startObject("audit") + .field("enable_rest", true) + .field("disabled_rest_categories", ImmutableList.of("AUTHENTICATED", "GRANTED_PRIVILEGES")) + .field("enable_transport", true) + .field("disabled_transport_categories", ImmutableList.of("AUTHENTICATED", "GRANTED_PRIVILEGES")) + .field("resolve_bulk_requests", false) + .field("log_request_body", true) + .field("resolve_indices", true) + .field("exclude_sensitive_headers", true) + .field("ignore_users", Collections.singletonList("kibanaserver")) + .field("ignore_requests", Collections.emptyList()) + .endObject() + .startObject("compliance") + 
.field("enabled", true) + .field("external_config", false) + .field("internal_config", false) + .field("read_metadata_only", false) + .field("read_watched_fields", Collections.emptyMap()) + .field("read_ignore_users", Collections.singletonList("kibanaserver")) + .field("write_metadata_only", false) + .field("write_log_diffs", false) + .field("write_watched_indices", Collections.emptyList()) + .field("write_ignore_users", Collections.singletonList("kibanaserver")) + .endObject() + .endObject(); assertTrue(compareJson(Strings.toString(jsonBuilder), json)); } 
@@ -121,33 +121,33 @@ public void testDefaultDeserialize() throws IOException { public void testDeserialize() throws IOException { // arrange final XContentBuilder jsonBuilder = XContentFactory.jsonBuilder() - .startObject() - .field("enabled", true) - .startObject("audit") - .field("enable_rest", true) - .field("disabled_rest_categories", Collections.singletonList("AUTHENTICATED")) - .field("enable_transport", true) - .field("disabled_transport_categories", Collections.singletonList("SSL_EXCEPTION")) - .field("resolve_bulk_requests", true) - .field("log_request_body", true) - .field("resolve_indices", true) - .field("exclude_sensitive_headers", true) - .field("ignore_users", Collections.singletonList("test-user-1")) - .field("ignore_requests", Collections.singletonList("test-request")) - .endObject() - .startObject("compliance") - .field("enabled", true) - .field("external_config", true) - .field("internal_config", true) - .field("read_metadata_only", true) - .field("read_watched_fields", Collections.singletonMap("test-read-watch-field", Collections.singleton("test-field-1"))) - .field("read_ignore_users", Collections.singletonList("test-user-2")) - .field("write_metadata_only", true) - .field("write_log_diffs", false) - .field("write_watched_indices", Collections.singletonList("test-write-watch-index")) - .field("write_ignore_users", Collections.singletonList("test-user-3")) - .endObject() - .endObject(); + .startObject() + .field("enabled", true) + .startObject("audit") + .field("enable_rest", true) + .field("disabled_rest_categories", Collections.singletonList("AUTHENTICATED")) + .field("enable_transport", true) + .field("disabled_transport_categories", Collections.singletonList("SSL_EXCEPTION")) + .field("resolve_bulk_requests", true) + .field("log_request_body", true) + .field("resolve_indices", true) + .field("exclude_sensitive_headers", true) + .field("ignore_users", Collections.singletonList("test-user-1")) + .field("ignore_requests", 
Collections.singletonList("test-request")) + .endObject() + .startObject("compliance") + .field("enabled", true) + .field("external_config", true) + .field("internal_config", true) + .field("read_metadata_only", true) + .field("read_watched_fields", Collections.singletonMap("test-read-watch-field", Collections.singleton("test-field-1"))) + .field("read_ignore_users", Collections.singletonList("test-user-2")) + .field("write_metadata_only", true) + .field("write_log_diffs", false) + .field("write_watched_indices", Collections.singletonList("test-write-watch-index")) + .field("write_ignore_users", Collections.singletonList("test-user-3")) + .endObject() + .endObject(); final String json = Strings.toString(jsonBuilder); // act 
@@ -168,48 +168,80 @@ public void testDeserialize() throws IOException { assertEquals(WildcardMatcher.from(Collections.singleton("test-user-1")), audit.getIgnoredAuditUsersMatcher()); assertEquals(WildcardMatcher.from(Collections.singleton("test-request")), audit.getIgnoredAuditRequestsMatcher()); assertTrue(configCompliance.shouldLogReadMetadataOnly()); - assertEquals(WildcardMatcher.from(Collections.singleton("test-user-2")), configCompliance.getIgnoredComplianceUsersForReadMatcher()); - assertEquals(Collections.singletonMap(WildcardMatcher.from("test-read-watch-field"), Collections.singleton("test-field-1")), configCompliance.getReadEnabledFields()); + assertEquals( + WildcardMatcher.from(Collections.singleton("test-user-2")), + configCompliance.getIgnoredComplianceUsersForReadMatcher() + ); + assertEquals( + Collections.singletonMap(WildcardMatcher.from("test-read-watch-field"), Collections.singleton("test-field-1")), + configCompliance.getReadEnabledFields() + ); assertTrue(configCompliance.shouldLogWriteMetadataOnly()); assertFalse(configCompliance.shouldLogDiffsForWrite()); - assertEquals(WildcardMatcher.from(Collections.singleton("test-user-3")), configCompliance.getIgnoredComplianceUsersForWriteMatcher()); + assertEquals( + WildcardMatcher.from(Collections.singleton("test-user-3")), + configCompliance.getIgnoredComplianceUsersForWriteMatcher() + ); assertEquals(WildcardMatcher.from("test-write-watch-index"), configCompliance.getWatchedWriteIndicesMatcher()); } @Test public void testSerialize() throws IOException { // arrange - final AuditConfig.Filter audit = new AuditConfig.Filter(true, true, true, true, true, true, ImmutableSet.of("ignore-user-1", "ignore-user-2"), ImmutableSet.of("ignore-request-1"), EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES), EnumSet.of(AUTHENTICATED)); - final ComplianceConfig compliance = new ComplianceConfig(true, true, true, true, Collections.singletonMap("test-read-watch-field-1", 
Collections.emptyList()), Collections.singleton("test-user-1"), true, false,Collections.singletonList("test-write-watch-index"), Collections.singleton("test-user-2"), Settings.EMPTY); + final AuditConfig.Filter audit = new AuditConfig.Filter( + true, + true, + true, + true, + true, + true, + ImmutableSet.of("ignore-user-1", "ignore-user-2"), + ImmutableSet.of("ignore-request-1"), + EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES), + EnumSet.of(AUTHENTICATED) + ); + final ComplianceConfig compliance = new ComplianceConfig( + true, + true, + true, + true, + Collections.singletonMap("test-read-watch-field-1", Collections.emptyList()), + Collections.singleton("test-user-1"), + true, + false, + Collections.singletonList("test-write-watch-index"), + Collections.singleton("test-user-2"), + Settings.EMPTY + ); final AuditConfig auditConfig = new AuditConfig(true, audit, compliance); final XContentBuilder jsonBuilder = XContentFactory.jsonBuilder() - .startObject() - .field("enabled", true) - .startObject("audit") - .field("enable_rest", true) - .field("disabled_rest_categories", ImmutableList.of("FAILED_LOGIN", "GRANTED_PRIVILEGES")) - .field("enable_transport", true) - .field("disabled_transport_categories", Collections.singletonList("AUTHENTICATED")) - .field("resolve_bulk_requests", true) - .field("log_request_body", true) - .field("resolve_indices", true) - .field("exclude_sensitive_headers", true) - .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2")) - .field("ignore_requests", Collections.singletonList("ignore-request-1")) - .endObject() - .startObject("compliance") - .field("enabled", true) - .field("external_config", true) - .field("internal_config", true) - .field("read_metadata_only", true) - .field("read_watched_fields", Collections.singletonMap("test-read-watch-field-1", Collections.emptyList())) - .field("read_ignore_users", Collections.singletonList("test-user-1")) - .field("write_metadata_only", true) - 
.field("write_log_diffs", false) - .field("write_watched_indices", Collections.singletonList("test-write-watch-index")) - .field("write_ignore_users", Collections.singletonList("test-user-2")) - .endObject() - .endObject(); + .startObject() + .field("enabled", true) + .startObject("audit") + .field("enable_rest", true) + .field("disabled_rest_categories", ImmutableList.of("FAILED_LOGIN", "GRANTED_PRIVILEGES")) + .field("enable_transport", true) + .field("disabled_transport_categories", Collections.singletonList("AUTHENTICATED")) + .field("resolve_bulk_requests", true) + .field("log_request_body", true) + .field("resolve_indices", true) + .field("exclude_sensitive_headers", true) + .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2")) + .field("ignore_requests", Collections.singletonList("ignore-request-1")) + .endObject() + .startObject("compliance") + .field("enabled", true) + .field("external_config", true) + .field("internal_config", true) + .field("read_metadata_only", true) + .field("read_watched_fields", Collections.singletonMap("test-read-watch-field-1", Collections.emptyList())) + .field("read_ignore_users", Collections.singletonList("test-user-1")) + .field("write_metadata_only", true) + .field("write_log_diffs", false) + .field("write_watched_indices", Collections.singletonList("test-write-watch-index")) + .field("write_ignore_users", Collections.singletonList("test-user-2")) + .endObject() + .endObject(); // act final String json = objectMapper.writeValueAsString(auditConfig); 
@@ -225,33 +257,33 @@ public void testNullSerialize() throws IOException { final ComplianceConfig compliance = ComplianceConfig.from(Collections.emptyMap(), Settings.EMPTY); final AuditConfig auditConfig = new AuditConfig(true, audit, compliance); final XContentBuilder jsonBuilder = XContentFactory.jsonBuilder() - .startObject() - .field("enabled", true) - .startObject("audit") - .field("enable_rest", true) - .field("disabled_rest_categories", ImmutableList.of("AUTHENTICATED", "GRANTED_PRIVILEGES")) - .field("enable_transport", true) - .field("disabled_transport_categories", ImmutableList.of("AUTHENTICATED", "GRANTED_PRIVILEGES")) - .field("resolve_bulk_requests", false) - .field("log_request_body", true) - .field("resolve_indices", true) - .field("exclude_sensitive_headers", true) - .field("ignore_users", ImmutableList.of("kibanaserver")) - .field("ignore_requests", Collections.emptyList()) - .endObject() - .startObject("compliance") - .field("enabled", true) - .field("external_config", false) - .field("internal_config", false) - .field("read_metadata_only", false) - .field("read_watched_fields", Collections.emptyMap()) - .field("read_ignore_users", Collections.singletonList("kibanaserver")) - .field("write_metadata_only", false) - .field("write_log_diffs", false) - .field("write_watched_indices", Collections.emptyList()) - .field("write_ignore_users", Collections.singletonList("kibanaserver")) - .endObject() - .endObject(); + .startObject() + .field("enabled", true) + .startObject("audit") + .field("enable_rest", true) + .field("disabled_rest_categories", ImmutableList.of("AUTHENTICATED", "GRANTED_PRIVILEGES")) + .field("enable_transport", true) + .field("disabled_transport_categories", ImmutableList.of("AUTHENTICATED", "GRANTED_PRIVILEGES")) + .field("resolve_bulk_requests", false) + .field("log_request_body", true) + .field("resolve_indices", true) + .field("exclude_sensitive_headers", true) + .field("ignore_users", ImmutableList.of("kibanaserver")) + 
.field("ignore_requests", Collections.emptyList()) + .endObject() + .startObject("compliance") + .field("enabled", true) + .field("external_config", false) + .field("internal_config", false) + .field("read_metadata_only", false) + .field("read_watched_fields", Collections.emptyMap()) + .field("read_ignore_users", Collections.singletonList("kibanaserver")) + .field("write_metadata_only", false) + .field("write_log_diffs", false) + .field("write_watched_indices", Collections.emptyList()) + .field("write_ignore_users", Collections.singletonList("kibanaserver")) + .endObject() + .endObject(); // act final String json = objectMapper.writeValueAsString(auditConfig); @@ -262,10 +294,7 @@ public void testNullSerialize() throws IOException { @Test public void testNullDeSerialize() throws IOException { // arrange - final String json = "{" + - "\"audit\":{}," + - "\"compliance\":{}" + - "}"; + final String json = "{" + "\"audit\":{}," + "\"compliance\":{}" + "}"; // act final AuditConfig auditConfig = objectMapper.readValue(json, AuditConfig.class); 
@@ -287,36 +316,38 @@ public void testNullDeSerialize() throws IOException { public void testCustomSettings() throws IOException { // arrange final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, "test-security-index") - .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "internal_opensearch") - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, - "test-auditlog-index") - .build(); + .put(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, "test-security-index") + .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "internal_opensearch") + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, + "test-auditlog-index" + ) + .build(); final ObjectMapper customObjectMapper = new ObjectMapper(); InjectableValues.Std iv = new InjectableValues.Std(); iv.addValue(Settings.class, settings); customObjectMapper.setInjectableValues(iv); final XContentBuilder jsonBuilder = XContentFactory.jsonBuilder() - .startObject() - .field("enabled", true) - .startObject("audit") - .field("enable_rest", true) - .field("enable_transport", true) - .field("resolve_bulk_requests", true) - .field("log_request_body", true) - .field("resolve_indices", true) - .field("exclude_sensitive_headers", true) - .endObject() - .startObject("compliance") - .field("enabled", true) - .field("external_config", true) - .field("internal_config", true) - .field("read_metadata_only", true) - .field("write_metadata_only", true) - .field("write_log_diffs", false) - .endObject() - .endObject(); + .startObject() + .field("enabled", true) + .startObject("audit") + .field("enable_rest", true) + .field("enable_transport", true) + .field("resolve_bulk_requests", true) + .field("log_request_body", true) + .field("resolve_indices", true) + .field("exclude_sensitive_headers", true) + .endObject() + .startObject("compliance") + .field("enabled", true) + .field("external_config", 
true)
+ .field("internal_config", true)
+ .field("read_metadata_only", true)
+ .field("write_metadata_only", true)
+ .field("write_log_diffs", false)
+ .endObject()
+ .endObject();
 final String json = Strings.toString(jsonBuilder);
 // act
diff --git a/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java b/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java
index 914163a7f3..83c5e9ae2a 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java
@@ -74,9 +74,9 @@ public void testConfig() {
 public void testGenerationFromSettings() {
 // arrange
 Settings settings = Settings.builder()
- .put("plugins.security.audit.threadpool.size", "8")
- .put("plugins.security.audit.threadpool.max_queue_len", "50")
- .build();
+ .put("plugins.security.audit.threadpool.size", "8")
+ .put("plugins.security.audit.threadpool.max_queue_len", "50")
+ .build();
 // assert
 ThreadPoolConfig config = ThreadPoolConfig.getConfig(settings);
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/ErroneousHttpHandler.java b/src/test/java/org/opensearch/security/auditlog/helper/ErroneousHttpHandler.java
index 120232825b..4ba106ddd9 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/ErroneousHttpHandler.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/ErroneousHttpHandler.java
@@ -17,8 +17,8 @@ import org.apache.hc.core5.http.protocol.HttpContext;
 public class ErroneousHttpHandler implements HttpRequestHandler {
- @Override
- public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) {
- response.setCode(404);
- }
+ @Override
+ public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) {
+ response.setCode(404);
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/FailingSink.java b/src/test/java/org/opensearch/security/auditlog/helper/FailingSink.java
index 8557314ab1..0c915810e1 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/FailingSink.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/FailingSink.java
@@ -21,10 +21,10 @@ public FailingSink(String name, Settings settings, String sinkPrefix, AuditLogSi
 super(name, settings, null, fallbackSink);
 }
- @Override
- protected boolean doStore(AuditMessage msg) {
- return false;
- }
+ @Override
+ protected boolean doStore(AuditMessage msg) {
+ return false;
+ }
 @Override
 public boolean isHandlingBackpressure() {
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/LoggingSink.java b/src/test/java/org/opensearch/security/auditlog/helper/LoggingSink.java
index 63b4e71958..8125acd8c4 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/LoggingSink.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/LoggingSink.java
@@ -20,16 +20,15 @@ public class LoggingSink extends AuditLogSink {
- public List messages = new ArrayList(100);
+ public List messages = new ArrayList(100);
 public StringBuffer sb = new StringBuffer();
 public LoggingSink(String name, Settings settings, String settingsPrefix, AuditLogSink fallbackSink) {
 super(name, settings, null, fallbackSink);
 }
-
 public boolean doStore(AuditMessage msg) {
- sb.append(msg.toPrettyString()+System.lineSeparator());
+ sb.append(msg.toPrettyString() + System.lineSeparator());
 messages.add(msg);
 return true;
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java b/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java
index c0c24107ef..7e67fc374c 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java
@@ -26,14 +26,14 @@ public class MockAuditMessageFactory {
- public static AuditMessage validAuditMessage() {
- return validAuditMessage(AuditCategory.FAILED_LOGIN);
- }
+ public static AuditMessage validAuditMessage() {
+ return validAuditMessage(AuditCategory.FAILED_LOGIN);
+ }
- public static AuditMessage validAuditMessage(AuditCategory category) {
+ public static AuditMessage validAuditMessage(AuditCategory category) {
- ClusterService cs = mock(ClusterService.class);
- DiscoveryNode dn = mock(DiscoveryNode.class);
+ ClusterService cs = mock(ClusterService.class);
+ DiscoveryNode dn = mock(DiscoveryNode.class);
 when(dn.getHostAddress()).thenReturn("hostaddress");
 when(dn.getId()).thenReturn("hostaddress");
@@ -41,13 +41,13 @@ public static AuditMessage validAuditMessage(AuditCategory category) {
 when(cs.localNode()).thenReturn(dn);
 when(cs.getClusterName()).thenReturn(new ClusterName("testcluster"));
- TransportAddress ta = new TransportAddress(new InetSocketAddress("8.8.8.8",80));
+ TransportAddress ta = new TransportAddress(new InetSocketAddress("8.8.8.8", 80));
- AuditMessage msg = new AuditMessage(category, cs, Origin.TRANSPORT, Origin.TRANSPORT);
- msg.addEffectiveUser("John Doe");
- msg.addRemoteAddress(ta);
- msg.addRequestType("IndexRequest");
- return msg;
- }
+ AuditMessage msg = new AuditMessage(category, cs, Origin.TRANSPORT, Origin.TRANSPORT);
+ msg.addEffectiveUser("John Doe");
+ msg.addRemoteAddress(ta);
+ msg.addRequestType("IndexRequest");
+ return msg;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java b/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java
index 6328c94352..d2b15750ff 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java
@@ -20,8 +20,8 @@ public class MockRestRequest extends RestRequest {
 public MockRestRequest() {
- //NamedXContentRegistry xContentRegistry, Map params, String path,
- //Map> headers, HttpRequest httpRequest, HttpChannel httpChannel
+ // NamedXContentRegistry xContentRegistry, Map params, String path,
+ // Map> headers, HttpRequest httpRequest, HttpChannel httpChannel
 super(NamedXContentRegistry.EMPTY, Collections.emptyMap(), "", Collections.emptyMap(), null, null);
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/MyOwnAuditLog.java b/src/test/java/org/opensearch/security/auditlog/helper/MyOwnAuditLog.java
index d1138c7c9b..8df27f0d1d 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/MyOwnAuditLog.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/MyOwnAuditLog.java
@@ -23,19 +23,26 @@ public class MyOwnAuditLog extends AuditLogSink {
- public MyOwnAuditLog(final String name, final Settings settings, final String settingsPrefix, final Path configPath, final ThreadPool threadPool,
- final IndexNameExpressionResolver resolver, final ClusterService clusterService, AuditLogSink fallbackSink) {
+ public MyOwnAuditLog(
+ final String name,
+ final Settings settings,
+ final String settingsPrefix,
+ final Path configPath,
+ final ThreadPool threadPool,
+ final IndexNameExpressionResolver resolver,
+ final ClusterService clusterService,
+ AuditLogSink fallbackSink
+ ) {
 super(name, settings, settingsPrefix, fallbackSink);
 }
 @Override
- public void close() throws IOException {
-
- }
+ public void close() throws IOException {
+ }
- public boolean doStore(AuditMessage msg) {
- return true;
- }
+ public boolean doStore(AuditMessage msg) {
+ return true;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/RetrySink.java b/src/test/java/org/opensearch/security/auditlog/helper/RetrySink.java
index f26188bed7..0d41111f25 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/RetrySink.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/RetrySink.java
@@ -28,8 +28,8 @@ public RetrySink(String name, Settings settings, String sinkPrefix, AuditLogSink
 @Override
 protected synchronized boolean doStore(AuditMessage msg) {
- if(failCount++ < 5) {
- log.debug("Fail "+failCount);
+ if (failCount++ < 5) {
+ log.debug("Fail " + failCount);
 return false;
 }
 log.debug("doStore ok");
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/SlowSink.java b/src/test/java/org/opensearch/security/auditlog/helper/SlowSink.java
index f291b76cda..376c29cf80 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/SlowSink.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/SlowSink.java
@@ -21,13 +21,12 @@ public SlowSink(String name, Settings settings, Settings sinkSetting, AuditLogSi
 super(name, settings, null, fallbackSink);
 }
-
 public boolean doStore(AuditMessage msg) {
- try {
- Thread.sleep(3000);
- } catch (InterruptedException e) {
- e.printStackTrace();
- }
+ try {
+ Thread.sleep(3000);
+ } catch (InterruptedException e) {
+ e.printStackTrace();
+ }
 return true;
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/TestHttpHandler.java b/src/test/java/org/opensearch/security/auditlog/helper/TestHttpHandler.java
index d888949e46..d4f68e8291 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/TestHttpHandler.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/TestHttpHandler.java
@@ -23,22 +23,22 @@ import org.apache.hc.core5.http.protocol.HttpContext;
 public class TestHttpHandler implements HttpRequestHandler {
- public String method;
- public String uri;
- public String body;
+ public String method;
+ public String uri;
+ public String body;
- @Override
- public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException, IOException {
- this.method = request.getMethod();
- this.uri = request.getRequestUri();
+ @Override
+ public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException, IOException {
+ this.method = request.getMethod();
+ this.uri = request.getRequestUri();
- HttpEntity entity = request.getEntity();
- body = EntityUtils.toString(entity, StandardCharsets.UTF_8);
- }
+ HttpEntity entity = request.getEntity();
+ body = EntityUtils.toString(entity, StandardCharsets.UTF_8);
+ }
- public void reset() {
- this.body = null;
- this.uri = null;
- this.method = null;
- }
+ public void reset() {
+ this.body = null;
+ this.uri = null;
+ this.method = null;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java
index abd8260fa7..18670f42cf 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java
@@ -42,19 +42,32 @@ public AuditCategoryParseTest(List input, EnumSet expecte
 @Parameterized.Parameters
 public static Collection data() {
- return Arrays.asList(new Object[][]{
- {Arrays.asList(), EnumSet.noneOf(AuditCategory.class)},
- {Arrays.asList("BAD_HEADERS"), EnumSet.of(BAD_HEADERS)},
- {Arrays.asList("bad_headers"), EnumSet.of(BAD_HEADERS)},
- {Arrays.asList("bAd_HeAdErS"), EnumSet.of(BAD_HEADERS)},
- {Arrays.asList("bAd_HeAdErS"), EnumSet.of(BAD_HEADERS)},
- {Arrays.asList("BAD_HEADERS", "AUTHENTICATED"), EnumSet.of(BAD_HEADERS, AUTHENTICATED)},
- {Arrays.asList("BAD_HEADERS", "FAILED_LOGIN", "MISSING_PRIVILEGES", "GRANTED_PRIVILEGES",
- "OPENDISTRO_SECURITY_INDEX_ATTEMPT", "SSL_EXCEPTION", "AUTHENTICATED", "INDEX_EVENT",
- "COMPLIANCE_DOC_READ", "COMPLIANCE_DOC_WRITE", "COMPLIANCE_EXTERNAL_CONFIG",
- "COMPLIANCE_INTERNAL_CONFIG_READ", "COMPLIANCE_INTERNAL_CONFIG_WRITE"
- ), EnumSet.allOf(AuditCategory.class)},
- });
+ return Arrays.asList(
+ new Object[][] {
+ { Arrays.asList(), EnumSet.noneOf(AuditCategory.class) },
+ { Arrays.asList("BAD_HEADERS"), EnumSet.of(BAD_HEADERS) },
+ { Arrays.asList("bad_headers"), EnumSet.of(BAD_HEADERS) },
+ { Arrays.asList("bAd_HeAdErS"), EnumSet.of(BAD_HEADERS) },
+ { Arrays.asList("bAd_HeAdErS"), EnumSet.of(BAD_HEADERS) },
+ { Arrays.asList("BAD_HEADERS", "AUTHENTICATED"), EnumSet.of(BAD_HEADERS, AUTHENTICATED) },
+ {
+ Arrays.asList(
+ "BAD_HEADERS",
+ "FAILED_LOGIN",
+ "MISSING_PRIVILEGES",
+ "GRANTED_PRIVILEGES",
+ "OPENDISTRO_SECURITY_INDEX_ATTEMPT",
+ "SSL_EXCEPTION",
+ "AUTHENTICATED",
+ "INDEX_EVENT",
+ "COMPLIANCE_DOC_READ",
+ "COMPLIANCE_DOC_WRITE",
+ "COMPLIANCE_EXTERNAL_CONFIG",
+ "COMPLIANCE_INTERNAL_CONFIG_READ",
+ "COMPLIANCE_INTERNAL_CONFIG_WRITE"
+ ),
+ EnumSet.allOf(AuditCategory.class) }, }
+ );
 }
 @Test
@@ -75,10 +88,9 @@ public AuditCategoryExceptionTest(List input) {
 @Parameterized.Parameters
 public static Collection data() {
- return Arrays.asList(new Object[][]{
- {Arrays.asList("BAD_INPUT")},
- {Arrays.asList("BAD_HEADERS", "bad_category", "AUTHENTICATED")},
- });
+ return Arrays.asList(
+ new Object[][] { { Arrays.asList("BAD_INPUT") }, { Arrays.asList("BAD_HEADERS", "bad_category", "AUTHENTICATED") }, }
+ );
 }
 @Test(expected = IllegalArgumentException.class)
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index da408f1000..6bfaf32816 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -38,17 +38,25 @@ public class AuditMessageTest {
 private static final Map> TEST_REST_HEADERS = ImmutableMap.of(
- "authorization", ImmutableList.of("test-1"),
- "Authorization", ImmutableList.of("test-2"),
- "AuThOrIzAtIoN", ImmutableList.of("test-3"),
- "test-header", ImmutableList.of("test-4")
+ "authorization",
+ ImmutableList.of("test-1"),
+ "Authorization",
+ ImmutableList.of("test-2"),
+ "AuThOrIzAtIoN",
+ ImmutableList.of("test-3"),
+ "test-header",
+ ImmutableList.of("test-4")
 );
 private static final Map TEST_TRANSPORT_HEADERS = ImmutableMap.of(
- "authorization", "test-1",
- "Authorization", "test-2",
- "AuThOrIzAtIoN","test-3",
- "test-header", "test-4"
+ "authorization",
+ "test-1",
+ "Authorization",
+ "test-2",
+ "AuThOrIzAtIoN",
+ "test-3",
+ "test-header",
+ "test-4"
 );
 private AuditMessage message;
@@ -58,10 +66,7 @@ public void setUp() {
 final ClusterService clusterServiceMock = mock(ClusterService.class);
 when(clusterServiceMock.localNode()).thenReturn(mock(DiscoveryNode.class));
 when(clusterServiceMock.getClusterName()).thenReturn(mock(ClusterName.class));
- message = new AuditMessage(AuditCategory.AUTHENTICATED,
- clusterServiceMock,
- AuditLog.Origin.REST,
- AuditLog.Origin.REST);
+ message = new AuditMessage(AuditCategory.AUTHENTICATED, clusterServiceMock, AuditLog.Origin.REST, AuditLog.Origin.REST);
 }
 @Test
@@ -131,7 +136,7 @@ public void testBCryptHashIsRedacted() {
 assertEquals("Diff is __HASH__", message.getAsMap().get(AuditMessage.COMPLIANCE_DIFF_CONTENT));
 // test tuple redaction
- final ByteBuffer[] byteBuffers = new ByteBuffer[]{ ByteBuffer.wrap(("Hash in tuple is " + hash1).getBytes()) };
+ final ByteBuffer[] byteBuffers = new ByteBuffer[] { ByteBuffer.wrap(("Hash in tuple is " + hash1).getBytes()) };
 BytesReference ref = BytesReference.fromByteBuffers(byteBuffers);
 message.addSecurityConfigTupleToRequestBody(new Tuple<>(XContentType.JSON, ref), internalUsersDocId);
 assertEquals("Hash in tuple is __HASH__", message.getAsMap().get(AuditMessage.REQUEST_BODY));
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java
index e72b85694f..cd4ced3523 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java
@@ -49,9 +49,9 @@ public void setup() {
 @Test
 public void testClusterHealthRequest() {
 Settings settings = Settings.builder()
- .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .build();
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .build();
 AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", new ClusterHealthRequest(), null);
@@ -62,13 +62,13 @@ public void testClusterHealthRequest() {
 public void testSearchRequest() {
 SearchRequest sr = new SearchRequest();
- sr.indices("index1","logstash*");
+ sr.indices("index1", "logstash*");
 Settings settings = Settings.builder()
- .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .build();
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
 Assert.assertEquals(1, TestAuditlogImpl.messages.size());
@@ -78,12 +78,12 @@ public void testSearchRequest() {
 public void testSslException() {
 Settings settings = Settings.builder()
- .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .build();
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 TestAuditlogImpl.clear();
 al.logSSLException(null, new Exception("test rest"));
 al.logSSLException(null, new Exception("test rest"), null, null);
@@ -97,14 +97,14 @@ public void testRetry() {
 RetrySink.init();
 Settings settings = Settings.builder()
- .put("plugins.security.audit.type", RetrySink.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.SECURITY_AUDIT_RETRY_COUNT, 10)
- .put(ConfigConstants.SECURITY_AUDIT_RETRY_DELAY_MS, 500)
- .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ .put("plugins.security.audit.type", RetrySink.class.getName())
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_COUNT, 10)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_DELAY_MS, 500)
+ .build();
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 al.logSSLException(null, new Exception("test retry"));
 Assert.assertNotNull(RetrySink.getMsg());
 Assert.assertTrue(RetrySink.getMsg().toJson().contains("test retry"));
@@ -116,36 +116,32 @@ public void testNoRetry() {
 RetrySink.init();
 Settings settings = Settings.builder()
- .put("plugins.security.audit.type", RetrySink.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.SECURITY_AUDIT_RETRY_COUNT, 0)
- .put(ConfigConstants.SECURITY_AUDIT_RETRY_DELAY_MS, 500)
- .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ .put("plugins.security.audit.type", RetrySink.class.getName())
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_COUNT, 0)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_DELAY_MS, 500)
+ .build();
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 al.logSSLException(null, new Exception("test retry"));
 Assert.assertNull(RetrySink.getMsg());
 }
 @Test
 public void testRestFilterEnabledCheck() {
- final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .build();
- final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- for (AuditCategory category: AuditCategory.values()) {
+ final Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false).build();
+ final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ for (AuditCategory category : AuditCategory.values()) {
 Assert.assertFalse(al.checkRestFilter(category, "user", mock(RestRequest.class)));
 }
 }
 @Test
 public void testTransportFilterEnabledCheck() {
- final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .build();
- final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- for (AuditCategory category: AuditCategory.values()) {
+ final Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false).build();
+ final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ for (AuditCategory category : AuditCategory.values()) {
 Assert.assertFalse(al.checkTransportFilter(category, "action", "user", mock(TransportRequest.class)));
 }
 }
@@ -153,11 +149,11 @@ public void testTransportFilterEnabledCheck() {
 @Test
 public void testTransportFilterMonitorActionsCheck() {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .build();
- final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- for (AuditCategory category: AuditCategory.values()) {
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .build();
+ final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ for (AuditCategory category : AuditCategory.values()) {
 Assert.assertTrue(al.checkTransportFilter(category, "cluster:monitor/any", "user", mock(TransportRequest.class)));
 Assert.assertTrue(al.checkTransportFilter(category, "indices:data/any", "user", mock(TransportRequest.class)));
 Assert.assertFalse(al.checkTransportFilter(category, "internal:any", "user", mock(TransportRequest.class)));
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java b/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java
index a88c73e3bf..fa176a2011 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java
@@ -22,28 +22,28 @@ import org.opensearch.security.auditlog.sink.InternalOpenSearchSink;
 public class DelegateTest {
- @Test
- public void auditLogTypeTest() throws Exception{
- testAuditType("DeBUg", DebugSink.class);
- testAuditType("intERnal_OpenSearch", InternalOpenSearchSink.class);
- testAuditType("EXTERnal_OpenSearch", ExternalOpenSearchSink.class);
- testAuditType("org.opensearch.security.auditlog.sink.MyOwnAuditLog", MyOwnAuditLog.class);
- testAuditType("org.opensearch.security.auditlog.sink.MyOwnAuditLog", null);
- testAuditType("idonotexist", null);
- }
+ @Test
+ public void auditLogTypeTest() throws Exception {
+ testAuditType("DeBUg", DebugSink.class);
+ testAuditType("intERnal_OpenSearch", InternalOpenSearchSink.class);
+ testAuditType("EXTERnal_OpenSearch", ExternalOpenSearchSink.class);
+ testAuditType("org.opensearch.security.auditlog.sink.MyOwnAuditLog", MyOwnAuditLog.class);
+ testAuditType("org.opensearch.security.auditlog.sink.MyOwnAuditLog", null);
+ testAuditType("idonotexist", null);
+ }
- private void testAuditType(String type, Class expectedClass) throws Exception {
- Builder settingsBuilder = Settings.builder();
- settingsBuilder.put("plugins.security.audit.type", type);
- settingsBuilder.put("path.home", ".");
- AuditLogImpl auditLog = new AuditLogImpl(settingsBuilder.build(), null, null, null, null, null);
- auditLog.close();
-// if (expectedClass != null) {
-// Assert.assertNotNull("delegate is null for type: "+type,auditLog.delegate);
-// Assert.assertEquals(expectedClass, auditLog.delegate.getClass());
-// } else {
-// Assert.assertNull(auditLog.delegate);
-// }
+ private void testAuditType(String type, Class expectedClass) throws Exception {
+ Builder settingsBuilder = Settings.builder();
+ settingsBuilder.put("plugins.security.audit.type", type);
+ settingsBuilder.put("path.home", ".");
+ AuditLogImpl auditLog = new AuditLogImpl(settingsBuilder.build(), null, null, null, null, null);
+ auditLog.close();
+ // if (expectedClass != null) {
+ // Assert.assertNotNull("delegate is null for type: "+type,auditLog.delegate);
+ // Assert.assertEquals(expectedClass, auditLog.delegate.getClass());
+ // } else {
+ // Assert.assertNull(auditLog.delegate);
+ // }
- }
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java
index db7d3da0fb..2a37749fbe 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java
@@ -45,8 +45,8 @@ public class DisabledCategoriesTest {
 ClusterService cs = mock(ClusterService.class);
 DiscoveryNode dn = mock(DiscoveryNode.class);
- @Rule
- public ExpectedException thrown = ExpectedException.none();
+ @Rule
+ public ExpectedException thrown = ExpectedException.none();
 @Before
 public void setup() {
@@ -58,195 +58,220 @@ public void setup() {
 TestAuditlogImpl.clear();
 }
- @Test
- public void invalidRestCategoryConfigurationTest() {
- thrown.expect(IllegalArgumentException.class);
+ @Test
+ public void invalidRestCategoryConfigurationTest() {
+ thrown.expect(IllegalArgumentException.class);
- Builder settingsBuilder = Settings.builder();
- settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
+ Builder settingsBuilder = Settings.builder();
+ settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
 settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "nonexistent");
- AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- }
-
- @Test
- public void invalidTransportCategoryConfigurationTest() {
- thrown.expect(IllegalArgumentException.class);
-
- Builder settingsBuilder = Settings.builder();
- settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "nonexistent");
- AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- }
-
- @Test
- public void invalidConfigurationTest() {
- Builder settingsBuilder = Settings.builder();
- settingsBuilder.put("plugins.security.audit.type", "debug");
- settingsBuilder.put("plugins.security.audit.config.disabled_categories", "nonexistant, bad_headers");
- AbstractAuditLog auditLog = AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- logAll(auditLog);
- String result = TestAuditlogImpl.sb.toString();
- Assert.assertFalse(categoriesPresentInLog(result, AuditCategory.BAD_HEADERS));
- }
-
- @Test
- public void enableAllCategoryTest() throws Exception {
- final Builder settingsBuilder = Settings.builder();
-
- settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE");
+ AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ }
+
+ @Test
+ public void invalidTransportCategoryConfigurationTest() {
+ thrown.expect(IllegalArgumentException.class);
+
+ Builder settingsBuilder = Settings.builder();
+ settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
+ settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "nonexistent");
+ AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
+ }
+
+ @Test
+ public void invalidConfigurationTest() {
+ Builder settingsBuilder = Settings.builder();
+ settingsBuilder.put("plugins.security.audit.type", "debug");
+ settingsBuilder.put("plugins.security.audit.config.disabled_categories", "nonexistant, bad_headers");
+ AbstractAuditLog auditLog = AuditTestUtils.createAuditLog(
+ settingsBuilder.build(),
+ null,
+ null,
+ AbstractSecurityUnitTest.MOCK_POOL,
+ null,
+ cs
+ );
+ logAll(auditLog);
+ String result = TestAuditlogImpl.sb.toString();
+ Assert.assertFalse(categoriesPresentInLog(result, AuditCategory.BAD_HEADERS));
+ }
+
+ @Test
+ public void enableAllCategoryTest() throws Exception {
+ final Builder settingsBuilder = Settings.builder();
+
+ settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
+ settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE");
 settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE");
- // we use the debug output, no OpenSearch client is needed. Also, we
- // do not need to close.
- AbstractAuditLog auditLog = AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- logAll(auditLog);
-
- // we're using the ExecutorService in AuditLogImpl, so we need to wait
- // until all tasks are finished before we can check the result
- auditLog.close();
-
- String result = TestAuditlogImpl.sb.toString();
-
- Assert.assertTrue(AuditCategory.values()+"#"+result, categoriesPresentInLog(result, filterComplianceCategories(AuditCategory.values())));
-
- Assert.assertThat(result, containsString("testuser.rest.succeededlogin"));
- Assert.assertThat(result, containsString("testuser.rest.failedlogin"));
- Assert.assertThat(result, containsString("privilege.missing"));
- Assert.assertThat(result, containsString("action.indexattempt"));
- Assert.assertThat(result, containsString("action.transport.ssl"));
- Assert.assertThat(result, containsString("action.success"));
- Assert.assertThat(result, containsString("Empty"));
- }
-
- @Test
- public void disableSingleCategoryTest() throws Exception {
- for (AuditCategory category : AuditCategory.values()) {
- TestAuditlogImpl.clear();
- checkCategoriesDisabled(category);
- }
- }
-
- @Test
- public void disableAllCategoryTest() throws Exception{
- checkCategoriesDisabled(AuditCategory.values());
- }
-
- @Test
- public void disableSomeCategoryTest() throws Exception{
- checkCategoriesDisabled(AuditCategory.AUTHENTICATED, AuditCategory.BAD_HEADERS, AuditCategory.FAILED_LOGIN);
- }
-
- /*@After
- public void restoreOut() {
- System.setOut(new PrintStream(new FileOutputStream(FileDescriptor.out)));
- }*/
-
- protected void checkCategoriesDisabled(AuditCategory... disabledCategories) throws Exception {
-
- List categoryNames = new LinkedList<>();
- for (AuditCategory category : disabledCategories) {
- categoryNames.add(category.name().toLowerCase());
- }
- String disabledCategoriesString = Joiner.on(",").join(categoryNames);
-
- Builder settingsBuilder = Settings.builder();
- settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategoriesString);
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategoriesString);
+ // we use the debug output, no OpenSearch client is needed. Also, we
+ // do not need to close.
+ AbstractAuditLog auditLog = AuditTestUtils.createAuditLog(
+ settingsBuilder.build(),
+ null,
+ null,
+ AbstractSecurityUnitTest.MOCK_POOL,
+ null,
+ cs
+ );
+ logAll(auditLog);
+
+ // we're using the ExecutorService in AuditLogImpl, so we need to wait
+ // until all tasks are finished before we can check the result
+ auditLog.close();
+
+ String result = TestAuditlogImpl.sb.toString();
+
+ Assert.assertTrue(
+ AuditCategory.values() + "#" + result,
+ categoriesPresentInLog(result, filterComplianceCategories(AuditCategory.values()))
+ );
+
+ Assert.assertThat(result, containsString("testuser.rest.succeededlogin"));
+ Assert.assertThat(result, containsString("testuser.rest.failedlogin"));
+ Assert.assertThat(result, containsString("privilege.missing"));
+ Assert.assertThat(result, containsString("action.indexattempt"));
+ Assert.assertThat(result, containsString("action.transport.ssl"));
+ Assert.assertThat(result, containsString("action.success"));
+ Assert.assertThat(result, containsString("Empty"));
+ }
+
+ @Test
+ public void disableSingleCategoryTest() throws Exception {
+ for (AuditCategory category : AuditCategory.values()) {
+ TestAuditlogImpl.clear();
+ checkCategoriesDisabled(category);
+ }
+ }
+
+ @Test
+ public void disableAllCategoryTest() throws Exception {
+ checkCategoriesDisabled(AuditCategory.values());
+ }
+ @Test
+ public void disableSomeCategoryTest() throws Exception {
+ checkCategoriesDisabled(AuditCategory.AUTHENTICATED, AuditCategory.BAD_HEADERS, AuditCategory.FAILED_LOGIN);
+ }
- // we use the debug output, no OpenSearch client is needed. Also, we
- // do not need to close.
- AbstractAuditLog auditLog = AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
- logAll(auditLog);
+ /*@After
+ public void restoreOut() {
+ System.setOut(new PrintStream(new FileOutputStream(FileDescriptor.out)));
+ }*/
- auditLog.close();
+ protected void checkCategoriesDisabled(AuditCategory... disabledCategories) throws Exception {
- String result = TestAuditlogImpl.sb.toString();
+ List categoryNames = new LinkedList<>();
+ for (AuditCategory category : disabledCategories) {
+ categoryNames.add(category.name().toLowerCase());
+ }
+ String disabledCategoriesString = Joiner.on(",").join(categoryNames);
- List allButDisablesCategories = new LinkedList<>(Arrays.asList(AuditCategory.values()));
- allButDisablesCategories.removeAll(Arrays.asList(disabledCategories));
+ Builder settingsBuilder = Settings.builder();
+ settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());
+ settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategoriesString);
+ settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategoriesString);
- System.out.println(result+"###"+disabledCategoriesString);
- Assert.assertFalse(categoriesPresentInLog(result, disabledCategories));
- Assert.assertTrue(categoriesPresentInLog(result, filterComplianceCategories(allButDisablesCategories.toArray(new AuditCategory[] {}))));
- }
+ // we use the debug output, no OpenSearch client is needed. Also, we
+ // do not need to close.
+ AbstractAuditLog auditLog = AuditTestUtils.createAuditLog(
+ settingsBuilder.build(),
+ null,
+ null,
+ AbstractSecurityUnitTest.MOCK_POOL,
+ null,
+ cs
+ );
+ logAll(auditLog);
+
+ auditLog.close();
+
+ String result = TestAuditlogImpl.sb.toString();
+
+ List allButDisablesCategories = new LinkedList<>(Arrays.asList(AuditCategory.values()));
+ allButDisablesCategories.removeAll(Arrays.asList(disabledCategories));
+
+ System.out.println(result + "###" + disabledCategoriesString);
+ Assert.assertFalse(categoriesPresentInLog(result, disabledCategories));
+ Assert.assertTrue(
+ categoriesPresentInLog(result, filterComplianceCategories(allButDisablesCategories.toArray(new AuditCategory[] {})))
+ );
+ }
- protected boolean categoriesPresentInLog(String result, AuditCategory... categories) {
- // since we're logging a JSON structure, whitespaces between keys and
- // values must not matter
- result = result.replaceAll(" ", "");
- for (AuditCategory category : categories) {
- if(!result.contains("\""+AuditMessage.CATEGORY+"\":\""+category.name()+"\"")) {
- System.out.println("MISSING: "+category.name());
- return false;
- }
- }
- return true;
- }
+ protected boolean categoriesPresentInLog(String result, AuditCategory... categories) {
+ // since we're logging a JSON structure, whitespaces between keys and
+ // values must not matter
+ result = result.replaceAll(" ", "");
+ for (AuditCategory category : categories) {
+ if (!result.contains("\"" + AuditMessage.CATEGORY + "\":\"" + category.name() + "\"")) {
+ System.out.println("MISSING: " + category.name());
+ return false;
+ }
+ }
+ return true;
+ }
- protected void logAll(AuditLog auditLog) {
- logRestFailedLogin(auditLog);
- logRestBadHeaders(auditLog);
- logRestSSLException(auditLog);
- logRestSucceededLogin(auditLog);
+ protected void logAll(AuditLog auditLog) {
+ logRestFailedLogin(auditLog);
+ logRestBadHeaders(auditLog);
+ logRestSSLException(auditLog);
+ logRestSucceededLogin(auditLog);
- logMissingPrivileges(auditLog);
- logSecurityIndexAttempt(auditLog);
- logAuthenticatedRequest(auditLog);
+ logMissingPrivileges(auditLog);
+ logSecurityIndexAttempt(auditLog);
+ logAuthenticatedRequest(auditLog);
- logTransportSSLException(auditLog);
- logTransportBadHeaders(auditLog);
+ logTransportSSLException(auditLog);
+ logTransportBadHeaders(auditLog);
- logIndexEvent(auditLog);
+ logIndexEvent(auditLog);
 }
- protected void logRestSucceededLogin(AuditLog auditLog) {
- auditLog.logSucceededLogin("testuser.rest.succeededlogin", false, "testuser.rest.succeededlogin", new MockRestRequest());
- }
+ protected void logRestSucceededLogin(AuditLog auditLog) {
+ auditLog.logSucceededLogin("testuser.rest.succeededlogin", false, "testuser.rest.succeededlogin", new MockRestRequest());
+ }
 protected void logRestFailedLogin(AuditLog auditLog) {
- auditLog.logFailedLogin("testuser.rest.failedlogin", false, "testuser.rest.failedlogin", new MockRestRequest());
+ auditLog.logFailedLogin("testuser.rest.failedlogin", false, "testuser.rest.failedlogin", new MockRestRequest());
 }
 protected void logMissingPrivileges(AuditLog auditLog) {
- auditLog.logMissingPrivileges("privilege.missing", new TransportRequest.Empty(), null);
+ auditLog.logMissingPrivileges("privilege.missing", new TransportRequest.Empty(), null);
 }
 protected void logTransportBadHeaders(AuditLog auditLog) {
- auditLog.logBadHeaders(new TransportRequest.Empty(),"action", null);
+ auditLog.logBadHeaders(new TransportRequest.Empty(), "action", null);
 }
 protected void logRestBadHeaders(AuditLog auditLog) {
- auditLog.logBadHeaders(new MockRestRequest());
+ auditLog.logBadHeaders(new MockRestRequest());
 }
 protected void logSecurityIndexAttempt(AuditLog auditLog) {
- auditLog.logSecurityIndexAttempt(new TransportRequest.Empty(), "action.indexattempt", null);
+ auditLog.logSecurityIndexAttempt(new TransportRequest.Empty(), "action.indexattempt", null);
 }
 protected void logRestSSLException(AuditLog auditLog) {
- auditLog.logSSLException(new MockRestRequest(), new Exception());
+ auditLog.logSSLException(new MockRestRequest(), new Exception());
 }
 protected void logTransportSSLException(AuditLog auditLog) {
- auditLog.logSSLException(new TransportRequest.Empty(), new Exception(), "action.transport.ssl", null);
+ auditLog.logSSLException(new TransportRequest.Empty(), new Exception(), "action.transport.ssl", null);
 }
 protected void logAuthenticatedRequest(AuditLog auditLog) {
- auditLog.logGrantedPrivileges("action.success", new TransportRequest.Empty(), null);
+ auditLog.logGrantedPrivileges("action.success", new TransportRequest.Empty(), null);
 }
- protected void logIndexEvent(AuditLog auditLog) {
- auditLog.logIndexEvent("indices:admin/test/action", new TransportRequest.Empty(), null);
- }
+ protected void logIndexEvent(AuditLog auditLog) {
+ auditLog.logIndexEvent("indices:admin/test/action", new TransportRequest.Empty(), null);
+ }
 private static final AuditCategory[] filterComplianceCategories(AuditCategory[] cats) {
 List retval = new ArrayList();
- for(AuditCategory c: cats) {
- if(!c.toString().startsWith("COMPLIANCE")) {
+ for (AuditCategory c : cats) {
+ if (!c.toString().startsWith("COMPLIANCE")) {
 retval.add(c);
 }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
index 9939db53d8..036482e8f3 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
@@ -61,16 +61,21 @@ public static void initSearchRequest() {
 sr.indices("index1", "logstash*");
 }
-
-
 @Test
 public void testConfiguredIgnoreUser() {
 Settings settings = Settings.builder()
- .put("opendistro_security.audit.ignore_users", ignoreUser)
- .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
- .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj), null, cs);
+ .put("opendistro_security.audit.ignore_users", ignoreUser)
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
+ .build();
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(
+ settings,
+ null,
+ null,
+ newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj),
+ null,
+ cs
+ );
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
 Assert.assertEquals(0, TestAuditlogImpl.messages.size());
@@ -79,12 +84,19 @@ public void testConfiguredIgnoreUser() {
 @Test
 public void testNonConfiguredIgnoreUser() {
 Settings settings = Settings.builder()
- .put("opendistro_security.audit.ignore_users", nonIgnoreUser)
- .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
- .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj), null, cs);
+ .put("opendistro_security.audit.ignore_users", nonIgnoreUser)
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .build();
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(
+ settings,
+ null,
+ null,
+ newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj),
+ null,
+ cs
+ );
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
 Assert.assertEquals(1, TestAuditlogImpl.messages.size());
@@ -93,11 +105,18 @@ public void testNonConfiguredIgnoreUser() {
     @Test
     public void testNonExistingIgnoreUser() {
         Settings settings = Settings.builder()
-            .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
-            .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
-            .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
-            .build();
-        AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj), null, cs);
+            .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
+            .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+            .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+            .build();
+        AbstractAuditLog al = AuditTestUtils.createAuditLog(
+            settings,
+            null,
+            null,
+            newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj),
+            null,
+            cs
+        );
         TestAuditlogImpl.clear();
         al.logGrantedPrivileges("indices:data/read/search", sr, null);
         Assert.assertEquals(1, TestAuditlogImpl.messages.size());
@@ -108,78 +127,122 @@ public void testWildcards() { SearchRequest sr = new SearchRequest(); User user = new User("John Doe"); - //sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_USER, user); - //sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, "8.8.8.8"); - //sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"); - //sr.putHeader("myheader", "hval"); - sr.indices("index1","logstash*"); - //sr.source("{\"query\": false}"); + // sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_USER, user); + // sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, "8.8.8.8"); + // sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"); + // sr.putHeader("myheader", "hval"); + sr.indices("index1", "logstash*"); + // sr.source("{\"query\": false}"); Settings settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .putList("opendistro_security.audit.ignore_users", "*") - .build(); - - TransportAddress ta = new TransportAddress(new InetSocketAddress("8.8.8.8",80)); - - AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta, - ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"), - ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE" - ), null, cs); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .putList("opendistro_security.audit.ignore_users", "*") + .build(); + + TransportAddress ta = new TransportAddress(new InetSocketAddress("8.8.8.8", 80)); + + AbstractAuditLog al = AuditTestUtils.createAuditLog( + settings, + null, + null, + newThreadPool( + 
ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, + ta, + ConfigConstants.OPENDISTRO_SECURITY_USER, + new User("John Doe"), + ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, + "CN=kirk,OU=client,O=client,L=test,C=DE" + ), + null, + cs + ); TestAuditlogImpl.clear(); al.logGrantedPrivileges("indices:data/read/search", sr, null); Assert.assertEquals(0, TestAuditlogImpl.messages.size()); settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .putList("opendistro_security.audit.ignore_users", "xxx") - .build(); - al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta, - ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"), - ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE" - ), null, cs); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .putList("opendistro_security.audit.ignore_users", "xxx") + .build(); + al = AuditTestUtils.createAuditLog( + settings, + null, + null, + newThreadPool( + ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, + ta, + ConfigConstants.OPENDISTRO_SECURITY_USER, + new User("John Doe"), + ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, + "CN=kirk,OU=client,O=client,L=test,C=DE" + ), + null, + cs + ); TestAuditlogImpl.clear(); al.logGrantedPrivileges("indices:data/read/search", sr, null); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - 
.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .putList("opendistro_security.audit.ignore_users", "John Doe","Capatin Kirk") - .build(); - al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta, - ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"), - ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE" - ), null, cs); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .putList("opendistro_security.audit.ignore_users", "John Doe", "Capatin Kirk") + .build(); + al = AuditTestUtils.createAuditLog( + settings, + null, + null, + newThreadPool( + ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, + ta, + ConfigConstants.OPENDISTRO_SECURITY_USER, + new User("John Doe"), + ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, + "CN=kirk,OU=client,O=client,L=test,C=DE" + ), + null, + cs + ); TestAuditlogImpl.clear(); al.logGrantedPrivileges("indices:data/read/search", sr, null); al.logSecurityIndexAttempt(sr, "indices:data/read/search", null); - al.logMissingPrivileges("indices:data/read/search",sr, null); + al.logMissingPrivileges("indices:data/read/search", sr, null); Assert.assertEquals(TestAuditlogImpl.messages.toString(), 0, TestAuditlogImpl.messages.size()); settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .putList("opendistro_security.audit.ignore_users", 
"Wil Riker","Capatin Kirk") - .build(); - al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta, - ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"), - ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE" - ), null, cs); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .putList("opendistro_security.audit.ignore_users", "Wil Riker", "Capatin Kirk") + .build(); + al = AuditTestUtils.createAuditLog( + settings, + null, + null, + newThreadPool( + ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, + ta, + ConfigConstants.OPENDISTRO_SECURITY_USER, + new User("John Doe"), + ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, + "CN=kirk,OU=client,O=client,L=test,C=DE" + ), + null, + cs + ); TestAuditlogImpl.clear(); al.logGrantedPrivileges("indices:data/read/search", sr, null); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); } private static ThreadPool newThreadPool(Object... transients) { - ThreadPool tp = new ThreadPool(Settings.builder().put("node.name", "mock").build()); - for(int i=0;i 0); // disable - auditConfig = new AuditConfig(false, AuditConfig.Filter.from(ImmutableMap.of("disabled_rest_categories", Collections.emptySet(), "disabled_transport_categories", Collections.emptySet())) , ComplianceConfig.DEFAULT); + auditConfig = new AuditConfig( + false, + AuditConfig.Filter.from( + ImmutableMap.of("disabled_rest_categories", Collections.emptySet(), "disabled_transport_categories", Collections.emptySet()) + ), + ComplianceConfig.DEFAULT + ); updateAuditConfig(AuditTestUtils.createAuditPayload(auditConfig)); // assert no auditing 
@@ -99,13 +109,10 @@ public void testSimpleAuthenticatedLegacySetting() throws Exception { private void verifyAuthenticated(final Settings settings) throws Exception { setup(settings); - - final List messages = TestAuditlogImpl.doThenWaitForMessages( - () -> { - final HttpResponse response = rh.executeGetRequest("_search", encodeBasicHeader("admin", "admin")); - assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - }, - /* expectedCount*/ 1); + final List messages = TestAuditlogImpl.doThenWaitForMessages(() -> { + final HttpResponse response = rh.executeGetRequest("_search", encodeBasicHeader("admin", "admin")); + assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK)); + }, /* expectedCount*/ 1); assertThat(messages.size(), equalTo(1)); 
@@ -116,22 +123,24 @@ private void verifyAuthenticated(final Settings settings) throws Exception { @Test public void testSSLPlainText() throws Exception { - //if this fails permanently look in the logs for an abstract method error or method not found error. - //needs proper ssl plugin version + // if this fails permanently look in the logs for an abstract method error or method not found error. + // needs proper ssl plugin version Settings additionalSettings = Settings.builder() - .put("plugins.security.ssl.http.enabled",true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); final List messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - final RuntimeException ex = Assert.assertThrows(RuntimeException.class, - () -> nonSslRestHelper().executeGetRequest("_search", encodeBasicHeader("admin", "admin"))); + final RuntimeException ex = Assert.assertThrows( + RuntimeException.class, + () -> 
nonSslRestHelper().executeGetRequest("_search", encodeBasicHeader("admin", "admin")) + ); Assert.assertEquals("org.apache.hc.core5.http.NoHttpResponseException", ex.getCause().getClass().getName()); }, 1); /* no retry on NotSslRecordException exceptions */ @@ -139,7 +148,7 @@ public void testSSLPlainText() throws Exception { messages.stream().forEach((message) -> { Assert.assertEquals(AuditCategory.SSL_EXCEPTION, message.getCategory()); Assert.assertTrue(message.getExceptionStackTrace().contains("not an SSL/TLS record")); - }); + }); Assert.assertTrue(validateMsgs(messages)); } @@ -147,10 +156,10 @@ public void testSSLPlainText() throws Exception { public void testTaskId() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); setupStarfleetIndex(); 
@@ -169,8 +178,10 @@ public void testTaskId() throws Exception { Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("\"audit_request_effective_user\" : \"admin\"")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("REST")); Assert.assertFalse(TestAuditlogImpl.sb.toString().toLowerCase().contains("authorization")); - Assert.assertEquals(TestAuditlogImpl.messages.get(1).getAsMap().get(AuditMessage.TASK_ID), - TestAuditlogImpl.messages.get(1).getAsMap().get(AuditMessage.TASK_ID)); + Assert.assertEquals( + TestAuditlogImpl.messages.get(1).getAsMap().get(AuditMessage.TASK_ID), + TestAuditlogImpl.messages.get(1).getAsMap().get(AuditMessage.TASK_ID) + ); Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } @@ -178,10 +189,10 @@ public void testTaskId() throws Exception { public void testDefaultsRest() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); setupStarfleetIndex(); 
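Review bot: The re-wrapped `Assert.assertEquals` in testTaskId compares `TestAuditlogImpl.messages.get(1).getAsMap().get(AuditMessage.TASK_ID)` with the identical expression, so it can never fail and does not verify that the task id is carried across audit messages. Presumably the intent is to compare two different messages of the same request, e.g. `TestAuditlogImpl.messages.get(0).getAsMap().get(AuditMessage.TASK_ID)` against the `messages.get(1)` value; a one-line comment such as `// REST and transport message of the same request must share a task id` would make the expectation explicit. The commit only reformats the call, so the tautology is carried over unchanged; the body of testTaskId starts outside the hunk.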
@@ -206,11 +217,11 @@ public void testDefaultsRest() throws Exception { @Test public void testGrantedPrivilegesRest() throws Exception { final Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .build(); setup(additionalSettings); setupStarfleetIndex(); @@ -221,10 +232,10 @@ public void testGrantedPrivilegesRest() throws Exception { @Test public void testMissingPrivilegesRest() throws Exception { final Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .build(); setup(additionalSettings); setupStarfleetIndex(); 
@@ -237,7 +248,7 @@ private void testPrivilegeRest(final int expectedStatus, final String endpoint, Assert.assertEquals(expectedStatus, response.getStatusCode()); final String auditlog = TestAuditlogImpl.sb.toString(); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); - Assert.assertTrue(auditlog.contains("\"audit_category\" : \"" + category +"\"")); + Assert.assertTrue(auditlog.contains("\"audit_category\" : \"" + category + "\"")); Assert.assertTrue(auditlog.contains("\"audit_rest_request_path\" : \"" + endpoint + "\"")); Assert.assertTrue(auditlog.contains("\"audit_request_effective_user\" : \"admin\"")); } @@ -246,12 +257,12 @@ private void testPrivilegeRest(final int expectedStatus, final String endpoint, public void testAuthenticated() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); setupStarfleetIndex(); 
@@ -273,9 +284,7 @@ public void testAuthenticated() throws Exception { @Test public void testNonAuthenticated() throws Exception { - Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .build(); + Settings additionalSettings = Settings.builder().put("plugins.security.audit.type", TestAuditlogImpl.class.getName()).build(); setup(additionalSettings); setupStarfleetIndex(); 
@@ -303,28 +312,26 @@ public void testWrongUser() throws Exception { HttpResponse response = rh.executeGetRequest("", encodeBasicHeader("wronguser", "admin")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode()); Thread.sleep(500); - Assert.assertTrue(TestAuditlogImpl.sb.toString(),TestAuditlogImpl.sb.toString().contains("FAILED_LOGIN")); - Assert.assertTrue(TestAuditlogImpl.sb.toString(),TestAuditlogImpl.sb.toString().contains("wronguser")); - Assert.assertTrue(TestAuditlogImpl.sb.toString(),TestAuditlogImpl.sb.toString().contains(AuditMessage.UTC_TIMESTAMP)); - Assert.assertFalse(TestAuditlogImpl.sb.toString(),TestAuditlogImpl.sb.toString().contains("AUTHENTICATED")); + Assert.assertTrue(TestAuditlogImpl.sb.toString(), TestAuditlogImpl.sb.toString().contains("FAILED_LOGIN")); + Assert.assertTrue(TestAuditlogImpl.sb.toString(), TestAuditlogImpl.sb.toString().contains("wronguser")); + Assert.assertTrue(TestAuditlogImpl.sb.toString(), TestAuditlogImpl.sb.toString().contains(AuditMessage.UTC_TIMESTAMP)); + Assert.assertFalse(TestAuditlogImpl.sb.toString(), TestAuditlogImpl.sb.toString().contains("AUTHENTICATED")); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } - public void testUnknownAuthorization() throws Exception { HttpResponse response = rh.executeGetRequest("", encodeBasicHeader("unknown", "unknown")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode()); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("FAILED_LOGIN")); - Assert.assertFalse(TestAuditlogImpl.sb.toString(),TestAuditlogImpl.sb.toString().contains("Basic dW5rbm93bjp1bmtub3du")); + Assert.assertFalse(TestAuditlogImpl.sb.toString(), TestAuditlogImpl.sb.toString().contains("Basic dW5rbm93bjp1bmtub3du")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(AuditMessage.UTC_TIMESTAMP)); Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("AUTHENTICATED")); 
Assert.assertEquals(1, TestAuditlogImpl.messages.size()); Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } - public void testUnauthenticated() throws Exception { System.out.println("#### testUnauthenticated"); @@ -349,7 +356,6 @@ public void testJustAuthenticated() throws Exception { Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } - public void testSecurityIndexAttempt() throws Exception { HttpResponse response = rh.executePutRequest(".opendistro_security/_doc/0", "{}", encodeBasicHeader("admin", "admin")); @@ -363,10 +369,13 @@ public void testSecurityIndexAttempt() throws Exception { Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } - public void testBadHeader() throws Exception { - HttpResponse response = rh.executeGetRequest("", new BasicHeader("_opendistro_security_bad", "bad"), encodeBasicHeader("admin", "admin")); + HttpResponse response = rh.executeGetRequest( + "", + new BasicHeader("_opendistro_security_bad", "bad"), + encodeBasicHeader("admin", "admin") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); Assert.assertFalse(TestAuditlogImpl.sb.toString(), TestAuditlogImpl.sb.toString().contains("AUTHENTICATED")); Assert.assertTrue(TestAuditlogImpl.sb.toString(), TestAuditlogImpl.sb.toString().contains("BAD_HEADERS")); @@ -375,7 +384,6 @@ public void testBadHeader() throws Exception { Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } - public void testMissingPriv() throws Exception { HttpResponse response = rh.executeGetRequest("sf/_search", encodeBasicHeader("worf", "worf")); 
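Review bot: testWrongUser (hunk at -303/+312) still gates its assertions on `TestAuditlogImpl.sb` behind `Thread.sleep(500);`, which is timing-dependent and the usual cause of intermittent failures in these audit-log tests. The file already has `TestAuditlogImpl.doThenWaitForMessages(() -> { ... }, /* expectedCount */ 1)` (used in verifyAuthenticated earlier in this diff), so the `executeGetRequest("", encodeBasicHeader("wronguser", "admin"))` call and the status check could be wrapped in it and the sleep dropped, with the four `contains` checks and the `messages.size()` assertion run on the returned list. The FAILED_LOGIN / `wronguser` / `AUTHENTICATED`-absent checks themselves are the right security assertions and need no change.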
@@ -390,13 +398,16 @@ public void testMissingPriv() throws Exception { Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } - public void testMsearch() throws Exception { + public void testMsearch() throws Exception { - String msearch = - "{\"index\":\"sf\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":0,\"query\":{\"match_all\":{}}}"+System.lineSeparator()+ - "{\"index\":\"sf\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":0,\"query\":{\"match_all\":{}}}"+System.lineSeparator(); + String msearch = "{\"index\":\"sf\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":0,\"query\":{\"match_all\":{}}}" + + System.lineSeparator() + + "{\"index\":\"sf\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":0,\"query\":{\"match_all\":{}}}" + + System.lineSeparator(); System.out.println("##### msaerch"); HttpResponse response = rh.executePostRequest("_msearch?pretty", msearch, encodeBasicHeader("admin", "admin")); 
@@ -409,24 +420,31 @@ public void testMsearch() throws Exception { Assert.assertEquals(TestAuditlogImpl.sb.toString(), 4, TestAuditlogImpl.messages.size()); Assert.assertFalse(TestAuditlogImpl.sb.toString().toLowerCase().contains("authorization")); Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); - } - + } public void testBulkAuth() throws Exception { System.out.println("#### testBulkAuth"); - String bulkBody = - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field1\" : \"value1\" }" +System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"worf\", \"_id\" : \"2\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - - "{ \"update\" : {\"_id\" : \"1\", \"_index\" : \"test\"} }"+System.lineSeparator()+ - "{ \"doc\" : {\"field\" : \"valuex\"} }"+System.lineSeparator()+ - "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"create\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field1\" : \"value3x\" }"+System.lineSeparator(); - + String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"field1\" : \"value1\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"worf\", \"_id\" : \"2\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + + + "{ \"update\" : {\"_id\" : \"1\", \"_index\" : \"test\"} }" + + System.lineSeparator() + + "{ \"doc\" : {\"field\" : \"valuex\"} }" + + System.lineSeparator() + + "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"create\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"field1\" : \"value3x\" }" + + System.lineSeparator(); HttpResponse response = rh.executePostRequest("_bulk", bulkBody, encodeBasicHeader("admin", "admin")); System.out.println(TestAuditlogImpl.sb.toString()); 
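Review bot: `bulkBody` in testBulkAuth is the same NDJSON literal that testBulkNonAuth rebuilds in the next hunk (-438/+456); now that the formatter spreads each copy over roughly eighteen lines, a single `private static final String BULK_BODY` (or a small `bulkBody()` helper) would remove the duplication and guarantee both tests send identical input. The reformat also appears to have kept an empty added line in the middle of the concatenation in both places, between the `value2` document and the `update` action, which reads like a leftover of the removed blank line and should be dropped if it is really there. Separately, `System.out.println("#### testBulkAuth");` and the `System.out.println(TestAuditlogImpl.sb.toString());` after the request are debug output in a test and would be better removed or routed through the test logger.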
@@ -438,24 +456,33 @@ public void testBulkAuth() throws Exception { Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("IndexRequest")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("audit_trace_task_parent_id")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("audit_trace_task_id")); - //may vary because we log shardrequests which are not predictable here + // may vary because we log shardrequests which are not predictable here Assert.assertTrue(TestAuditlogImpl.messages.size() >= 17); Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } public void testBulkNonAuth() throws Exception { - String bulkBody = - "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field1\" : \"value1\" }" +System.lineSeparator()+ - "{ \"index\" : { \"_index\" : \"worf\", \"_id\" : \"2\" } }"+System.lineSeparator()+ - "{ \"field2\" : \"value2\" }"+System.lineSeparator()+ - - "{ \"update\" : {\"_id\" : \"1\", \"_index\" : \"test\"} }"+System.lineSeparator()+ - "{ \"doc\" : {\"field\" : \"valuex\"} }"+System.lineSeparator()+ - "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"create\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }"+System.lineSeparator()+ - "{ \"field1\" : \"value3x\" }"+System.lineSeparator(); + String bulkBody = "{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"field1\" : \"value1\" }" + + System.lineSeparator() + + "{ \"index\" : { \"_index\" : \"worf\", \"_id\" : \"2\" } }" + + System.lineSeparator() + + "{ \"field2\" : \"value2\" }" + + System.lineSeparator() + + + + "{ \"update\" : {\"_id\" : \"1\", \"_index\" : \"test\"} }" + + System.lineSeparator() + + "{ \"doc\" : {\"field\" : \"valuex\"} }" + + System.lineSeparator() + + "{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + System.lineSeparator() + + "{ \"create\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }" + + 
System.lineSeparator() + + "{ \"field1\" : \"value3x\" }" + + System.lineSeparator(); HttpResponse response = rh.executePostRequest("_bulk", bulkBody, encodeBasicHeader("worf", "worf")); System.out.println(response.getBody()); @@ -468,22 +495,21 @@ public void testBulkNonAuth() throws Exception { Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("MISSING_PRIVILEGES")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("indices:data/write/bulk[s]")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("IndexRequest")); - //may vary because we log shardrequests which are not predictable here + // may vary because we log shardrequests which are not predictable here Assert.assertTrue(TestAuditlogImpl.messages.size() >= 7); Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } public void testUpdateSettings() throws Exception { - String json = - "{"+ - "\"persistent\" : {"+ - "\"indices.recovery.*\" : null"+ - "},"+ - "\"transient\" : {"+ - "\"indices.recovery.*\" : null"+ - "}"+ - "}"; + String json = "{" + + "\"persistent\" : {" + + "\"indices.recovery.*\" : null" + + "}," + + "\"transient\" : {" + + "\"indices.recovery.*\" : null" + + "}" + + "}"; HttpResponse response = rh.executePutRequest("_cluster/settings", json, encodeBasicHeader("admin", "admin")); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); @@ -491,7 +517,7 @@ public void testUpdateSettings() throws Exception { Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("AUTHENTICATED")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("cluster:admin/settings/update")); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("indices.recovery.*")); - //may vary because we log may hit cluster manager directly or not + // may vary because we log may hit cluster manager directly or not Assert.assertTrue(TestAuditlogImpl.messages.size() > 1); Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); } 
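Review bot: The comment touched in testUpdateSettings (hunk -491/+517), `// may vary because we log may hit cluster manager directly or not`, is garbled and does not say what varies; suggest `// count may vary because the request may or may not reach the cluster manager directly`. The `TestAuditlogImpl.messages.size() > 1` assertion it explains is otherwise fine.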
@@ -500,14 +526,14 @@ public void testUpdateSettings() throws Exception { public void testIndexPattern() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", "internal_opensearch") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .put("plugins.security.audit.threadpool.size", 10) //must be greater 0 - .put("plugins.security.audit.config.index", "'auditlog-'YYYY.MM.dd.ss") - .build(); + .put("plugins.security.audit.type", "internal_opensearch") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .put("plugins.security.audit.threadpool.size", 10) // must be greater 0 + .put("plugins.security.audit.config.index", "'auditlog-'YYYY.MM.dd.ss") + .build(); setup(additionalSettings); setupStarfleetIndex(); 
@@ -527,31 +553,59 @@ public void testIndexPattern() throws Exception { public void testAliases() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); try (Client tc = getClient()) { tc.admin().indices().create(new CreateIndexRequest("copysf")).actionGet(); - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", 
XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("starfleet","starfleet_academy","starfleet_library").alias("sf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire","vulcangov").alias("nonsf"))).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))).actionGet(); + tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index(new IndexRequest("starfleet").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("starfleet_academy").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("starfleet_library").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.index(new IndexRequest("public").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + + tc.index(new IndexRequest("spock").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + 
tc.index(new IndexRequest("kirk").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("role01_role02").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction( + AliasActions.add().indices("starfleet", "starfleet_academy", "starfleet_library").alias("sf") + ) + ) + .actionGet(); + tc.admin() + .indices() + .aliases( + new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("klingonempire", "vulcangov").alias("nonsf")) + ) + .actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("public").alias("unrestricted"))) + .actionGet(); } TestAuditlogImpl.clear(); 
@@ -571,34 +625,56 @@ public void testAliases() throws Exception { public void testScroll() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); try (Client tc = getClient()) { - for(int i=0; i<3; i++) - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + for (int i = 0; i < 3; i++) + tc.index( + new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); } TestAuditlogImpl.clear(); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); int start = res.getBody().indexOf("_scroll_id") + 15; - String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start+1)); - Assert.assertEquals(HttpStatus.SC_OK, 
(res=rh.executePostRequest("/_search/scroll?pretty=true", "{\"scroll_id\" : \""+scrollid+"\"}", encodeBasicHeader("admin", "admin"))).getStatusCode()); + String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start + 1)); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + "/_search/scroll?pretty=true", + "{\"scroll_id\" : \"" + scrollid + "\"}", + encodeBasicHeader("admin", "admin") + )).getStatusCode() + ); Assert.assertEquals(4, TestAuditlogImpl.messages.size()); - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); start = res.getBody().indexOf("_scroll_id") + 15; - scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start+1)); - TestAuditlogImpl.clear(); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res=rh.executePostRequest("/_search/scroll?pretty=true", "{\"scroll_id\" : \""+scrollid+"\"}", encodeBasicHeader("admin2", "admin"))).getStatusCode()); + scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start + 1)); + TestAuditlogImpl.clear(); + Assert.assertEquals( + HttpStatus.SC_FORBIDDEN, + (res = rh.executePostRequest( + "/_search/scroll?pretty=true", + "{\"scroll_id\" : \"" + scrollid + "\"}", + encodeBasicHeader("admin2", "admin") + )).getStatusCode() + ); Thread.sleep(1000); System.out.println(TestAuditlogImpl.sb.toString()); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("InternalScrollSearchRequest")); 
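Review bot: The last assertion in testScroll reads `TestAuditlogImpl.sb` after a bare `Thread.sleep(1000)`, so the check for `InternalScrollSearchRequest` races the asynchronous audit thread pool and can pass or fail on timing alone. The same test class already uses `TestAuditlogImpl.doThenWaitForMessages(() -> { ... }, n)` in testRestMethod to wait for a known number of messages; wrapping the admin2 scroll request in that helper and asserting on the returned list would remove the sleep and make the FORBIDDEN path deterministic. The scroll-id extraction `res.getBody().indexOf("_scroll_id") + 15` also depends on the exact `pretty=true` layout; parsing the body as JSON would be more robust. The remainder of the method, if any, lies outside this hunk.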
@@ -611,21 +687,25 @@ public void testScroll() throws Exception { public void testAliasResolution() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); - try (Client tc = getClient()) { - for(int i=0; i<3; i++) - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().alias("thealias").index("vulcangov"))).actionGet(); + for (int i = 0; i < 3; i++) + tc.index( + new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().alias("thealias").index("vulcangov"))) + .actionGet(); } TestAuditlogImpl.clear(); 
@@ -644,17 +724,21 @@ public void testAliasResolution() throws Exception { public void testAliasBadHeaders() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); TestAuditlogImpl.clear(); - HttpResponse response = rh.executeGetRequest("_search?pretty", new BasicHeader("_opendistro_security_user", "xxx"), encodeBasicHeader("admin", "admin")); + HttpResponse response = rh.executeGetRequest( + "_search?pretty", + new BasicHeader("_opendistro_security_user", "xxx"), + encodeBasicHeader("admin", "admin") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); System.out.println(TestAuditlogImpl.sb.toString()); Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("YWRtaW46YWRtaW4")); 
@@ -669,13 +753,13 @@ public void testAliasBadHeaders() throws Exception { public void testIndexCloseDelete() throws Exception { Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .build(); setup(additionalSettings); 
@@ -701,24 +785,33 @@ public void testIndexCloseDelete() throws Exception { public void testDeleteByQuery() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .build(); setup(settings); try (Client tc = getClient()) { - for(int i=0; i<3; i++) - tc.index(new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet(); + for (int i = 0; i < 3; i++) + tc.index( + new IndexRequest("vulcangov").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON) + ).actionGet(); } TestAuditlogImpl.clear(); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executePostRequest("/vulcango*/_delete_by_query?refresh=true&wait_for_completion=true&pretty=true", "{\"query\" : {\"match_all\" : {}}}", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + "/vulcango*/_delete_by_query?refresh=true&wait_for_completion=true&pretty=true", + 
"{\"query\" : {\"match_all\" : {}}}", + encodeBasicHeader("admin", "admin") + )).getStatusCode() + ); assertContains(res, "*\"deleted\" : 3,*"); String auditlogContents = TestAuditlogImpl.sb.toString(); Assert.assertTrue(auditlogContents.contains("indices:data/write/delete/byquery")); 
@@ -729,21 +822,29 @@ public void testDeleteByQuery() throws Exception { @Test public void testIndexRequests() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "AUTHENTICATED,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true) - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "AUTHENTICATED,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true) + .build(); setup(settings); // test create index TestAuditlogImpl.clear(); - rh.executePutRequest("/twitter", "{\"settings\":{\"index\":{\"number_of_shards\":3,\"number_of_replicas\":2}}}", encodeBasicHeader("admin", "admin")); + rh.executePutRequest( + "/twitter", + "{\"settings\":{\"index\":{\"number_of_shards\":3,\"number_of_replicas\":2}}}", + encodeBasicHeader("admin", "admin") + ); String auditlogs = TestAuditlogImpl.sb.toString(); Assert.assertTrue(auditlogs.contains("\"audit_category\" : \"INDEX_EVENT\"")); Assert.assertTrue(auditlogs.contains("\"audit_transport_request_type\" : \"CreateIndexRequest\",")); - Assert.assertTrue(auditlogs.contains("\"audit_request_body\" : \"{\\\"index\\\":{\\\"number_of_shards\\\":\\\"3\\\",\\\"number_of_replicas\\\":\\\"2\\\"}}\"")); + Assert.assertTrue( + auditlogs.contains( + "\"audit_request_body\" : \"{\\\"index\\\":{\\\"number_of_shards\\\":\\\"3\\\",\\\"number_of_replicas\\\":\\\"2\\\"}}\"" + ) + ); // test update index 
TestAuditlogImpl.clear(); @@ -755,7 +856,11 @@ public void testIndexRequests() throws Exception { // test put mapping TestAuditlogImpl.clear(); - rh.executePutRequest("/twitter/_mapping", "{\"properties\":{\"message\":{\"type\":\"keyword\"}}}", encodeBasicHeader("admin", "admin")); + rh.executePutRequest( + "/twitter/_mapping", + "{\"properties\":{\"message\":{\"type\":\"keyword\"}}}", + encodeBasicHeader("admin", "admin") + ); auditlogs = TestAuditlogImpl.sb.toString(); Assert.assertTrue(auditlogs.contains("\"audit_category\" : \"INDEX_EVENT\"")); Assert.assertTrue(auditlogs.contains("\"audit_transport_request_type\" : \"PutMappingRequest\",")); 
@@ -776,50 +881,41 @@ private String messageRestRequestMethod(AuditMessage msg) { @Test public void testRestMethod() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .build(); setup(settings); final Header adminHeader = encodeBasicHeader("admin", "admin"); List messages; // test GET - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executeGetRequest("test", adminHeader); - }, 1); + messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executeGetRequest("test", adminHeader); }, 1); Assert.assertEquals(GET, messages.get(0).getRequestMethod()); // test PUT - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executePutRequest("test/_doc/0", "{}", adminHeader); - }, 1); + messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executePutRequest("test/_doc/0", "{}", adminHeader); }, 1); Assert.assertEquals(PUT, messages.get(0).getRequestMethod()); // test DELETE - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executeDeleteRequest("test", adminHeader); - }, 1); + messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executeDeleteRequest("test", adminHeader); }, 1); Assert.assertEquals(DELETE, messages.get(0).getRequestMethod()); // test POST - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executePostRequest("test/_doc", "{}", adminHeader); - }, 1); + messages = 
TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executePostRequest("test/_doc", "{}", adminHeader); }, 1); Assert.assertEquals(POST, messages.get(0).getRequestMethod()); // test PATCH - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executePatchRequest("/_opendistro/_security/api/audit", "[]"); - }, 1); + messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executePatchRequest("/_opendistro/_security/api/audit", "[]"); }, 1); Assert.assertEquals(PATCH, messages.get(0).getRequestMethod()); // test MISSING_PRIVILEGES // admin does not have REST role here - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executePatchRequest("/_opendistro/_security/api/audit", "[]", adminHeader); - }, 2); + messages = TestAuditlogImpl.doThenWaitForMessages( + () -> { rh.executePatchRequest("/_opendistro/_security/api/audit", "[]", adminHeader); }, + 2 + ); // The intital request is authenicated Assert.assertEquals(PATCH, messages.get(0).getRequestMethod()); Assert.assertEquals(AuditCategory.AUTHENTICATED, messages.get(0).getCategory()); 
@@ -828,16 +924,15 @@ public void testRestMethod() throws Exception { Assert.assertEquals(AuditCategory.MISSING_PRIVILEGES, messages.get(1).getCategory()); // test AUTHENTICATED - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executeGetRequest("test", adminHeader); - }, 1); + messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executeGetRequest("test", adminHeader); }, 1); Assert.assertEquals(AuditCategory.AUTHENTICATED, messages.get(0).getCategory()); Assert.assertEquals(GET, messages.get(0).getRequestMethod()); // test FAILED_LOGIN - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - rh.executeGetRequest("test", encodeBasicHeader("random", "random")); - }, 1); + messages = TestAuditlogImpl.doThenWaitForMessages( + () -> { rh.executeGetRequest("test", encodeBasicHeader("random", "random")); }, + 1 + ); Assert.assertEquals(AuditCategory.FAILED_LOGIN, messages.get(0).getCategory()); Assert.assertEquals(GET, messages.get(0).getRequestMethod()); @@ -852,11 +947,11 @@ public void testRestMethod() throws Exception { @Test public void testSensitiveMethodRedaction() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .build(); setup(settings); rh.sendAdminCertificate = true; final String expectedRequestBody = "\"audit_request_body\" : \"__SENSITIVE__\""; 
@@ -869,19 +964,28 @@ public void testSensitiveMethodRedaction() throws Exception { // test PUT internal users API TestAuditlogImpl.clear(); - rh.executePutRequest("/_opendistro/_security/api/internalusers/test1", "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}"); + rh.executePutRequest( + "/_opendistro/_security/api/internalusers/test1", + "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}" + ); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(expectedRequestBody)); // test PATCH internal users API TestAuditlogImpl.clear(); - rh.executePatchRequest("/_opendistro/_security/api/internalusers/test1", "[{\"op\":\"add\", \"path\":\"/password\", \"value\": \"test-pass\"}]"); + rh.executePatchRequest( + "/_opendistro/_security/api/internalusers/test1", + "[{\"op\":\"add\", \"path\":\"/password\", \"value\": \"test-pass\"}]" + ); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(expectedRequestBody)); // test PUT users API TestAuditlogImpl.clear(); - rh.executePutRequest("/_opendistro/_security/api/user/test2", "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}"); + rh.executePutRequest( + "/_opendistro/_security/api/user/test2", + "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}" + ); Assert.assertEquals(1, TestAuditlogImpl.messages.size()); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(expectedRequestBody)); } diff --git a/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java index 56fd17ddff..3eb49dc794 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java 
@@ -31,7 +31,9 @@ public class SSLAuditlogTest extends AbstractAuditlogiUnitTest { private ClusterInfo monitoringClusterInfo; private RestHelper rhMon; - private final ClusterHelper monitoringCluster = new ClusterHelper("mon_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime()); + private final ClusterHelper monitoringCluster = new ClusterHelper( + "mon_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime() + ); @After @Override 
@@ -48,36 +50,53 @@ public void tearDown() { private void setupMonitoring() throws Exception { Assert.assertNull("No monitoring cluster", monitoringClusterInfo); - monitoringClusterInfo = monitoringCluster.startCluster(minimumSecuritySettings(defaultNodeSettings(Settings.EMPTY)), ClusterConfiguration.DEFAULT); + monitoringClusterInfo = monitoringCluster.startCluster( + minimumSecuritySettings(defaultNodeSettings(Settings.EMPTY)), + ClusterConfiguration.DEFAULT + ); initialize(monitoringCluster, monitoringClusterInfo, new DynamicSecurityConfig()); rhMon = new RestHelper(monitoringClusterInfo, getResourceFolder()); } - @Test public void testExternalPemUserPass() throws Exception { setupMonitoring(); Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", "external_opensearch") - .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, false) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem")) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crtfull.pem")) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.key.pem")) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, - "admin") - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, - "admin") - .build(); + .put("plugins.security.audit.type", "external_opensearch") + .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost + ":" + monitoringClusterInfo.httpPort) + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*", "admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, + false + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem") + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crtfull.pem") + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.key.pem") + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, + "admin" + ) + .put( + 
ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, + "admin" + ) + .build(); setup(additionalSettings); HttpResponse response = rh.executeGetRequest("_search"); 
@@ -99,20 +118,31 @@ public void testExternalPemClientAuth() throws Exception { setupMonitoring(); Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", "external_opensearch") - .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, true) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem")) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/kirk.crtfull.pem")) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/kirk.key.pem")) - .build(); + .put("plugins.security.audit.type", "external_opensearch") + .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost + ":" + monitoringClusterInfo.httpPort) + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*", "admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + 
.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, + true + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem") + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/kirk.crtfull.pem") + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/kirk.key.pem") + ) + .build(); setup(additionalSettings); HttpResponse response = rh.executeGetRequest("_search"); 
@@ -133,19 +163,26 @@ public void testExternalPemUserPassTp() throws Exception { setupMonitoring(); Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", "external_opensearch") - .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem")) - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, - "admin") - .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, - "admin") - .build(); + .put("plugins.security.audit.type", "external_opensearch") + .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost + ":" + monitoringClusterInfo.httpPort) + .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*", "admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, + 
FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem") + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, + "admin" + ) + .put( + ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, + "admin" + ) + .build(); setup(additionalSettings); HttpResponse response = rh.executeGetRequest("_search"); diff --git a/src/test/java/org/opensearch/security/auditlog/integration/TestAuditlogImpl.java b/src/test/java/org/opensearch/security/auditlog/integration/TestAuditlogImpl.java index ba094e23a1..7a3cd45f5b 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/TestAuditlogImpl.java +++ b/src/test/java/org/opensearch/security/auditlog/integration/TestAuditlogImpl.java @@ -42,7 +42,7 @@ public synchronized boolean doStore(AuditMessage msg) { // Ignore any messages that are sent before TestAuditlogImpl is waiting. return true; } - sb.append(msg.toPrettyString()+System.lineSeparator()); + sb.append(msg.toPrettyString() + System.lineSeparator()); messagesRef.get().add(msg); countDownRef.get().countDown(); return true; 
@@ -81,14 +81,11 @@ public static List doThenWaitForMessages(final Runnable action, fi try { Thread.sleep(100); if (missedMessages.size() != 0) { - final String missedMessagesErrorMessage = new StringBuilder() - .append("Audit messages were missed! ") - .append("Found " + (missedMessages.size()) + " messages.") - .append("Messages found during this time: \n\n") - .append(missedMessages.stream() - .map(AuditMessage::toString) - .collect(Collectors.joining("\n"))) - .toString(); + final String missedMessagesErrorMessage = new StringBuilder().append("Audit messages were missed! ") + .append("Found " + (missedMessages.size()) + " messages.") + .append("Messages found during this time: \n\n") + .append(missedMessages.stream().map(AuditMessage::toString).collect(Collectors.joining("\n"))) + .toString(); throw new RuntimeException(missedMessagesErrorMessage); } @@ -134,6 +131,7 @@ public static class MessagesNotFoundException extends RuntimeException { private final int expectedCount; private final int missingCount; private final List foundMessages; + public MessagesNotFoundException(final int expectedCount, List foundMessages) { super(MessagesNotFoundException.createDetailMessage(expectedCount, foundMessages)); this.expectedCount = expectedCount; 
@@ -154,14 +152,11 @@ public List getFoundMessages() { } private static String createDetailMessage(final int expectedCount, final List foundMessages) { - return new StringBuilder() - .append("Did not receive all " + expectedCount + " audit messages after a short wait. ") - .append("Missing " + (expectedCount - foundMessages.size()) + " messages.") - .append("Messages found during this time: \n\n") - .append(foundMessages.stream() - .map(AuditMessage::toString) - .collect(Collectors.joining("\n"))) - .toString(); + return new StringBuilder().append("Did not receive all " + expectedCount + " audit messages after a short wait. ") + .append("Missing " + (expectedCount - foundMessages.size()) + " messages.") + .append("Messages found during this time: \n\n") + .append(foundMessages.stream().map(AuditMessage::toString).collect(Collectors.joining("\n"))) + .toString(); } } } diff --git a/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java b/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java index 0cd48f6009..cf76dbc343 100644 --- a/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java +++ b/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java 
@@ -32,96 +32,99 @@ public class FallbackTest extends AbstractAuditlogiUnitTest { - @Test - public void testFallback() throws Exception { - Settings.Builder settingsBuilder = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/fallback.yml")); - - Settings settings = settingsBuilder.put("path.home", ".").put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE").build(); - - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - - AuditMessage msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.MISSING_PRIVILEGES); - router.route(msg); - - // endpoint 1 is failing, endoint2 and default work - List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); - Assert.assertEquals(3, sinks.size()); - // this sink has failed, message must be logged to fallback sink - AuditLogSink sink = sinks.get(0); - Assert.assertEquals("endpoint1", sink.getName()); - Assert.assertEquals(FailingSink.class, sink.getClass()); - sink = sink.getFallbackSink(); - Assert.assertEquals("fallback", sink.getName()); - Assert.assertEquals(LoggingSink.class, sink.getClass()); - LoggingSink loggingSkin = (LoggingSink) sink; - Assert.assertEquals(msg, loggingSkin.messages.get(0)); - // this sink succeeds - sink = sinks.get(1); - Assert.assertEquals("endpoint2", sink.getName()); - Assert.assertEquals(LoggingSink.class, sink.getClass()); - loggingSkin = (LoggingSink) sink; - Assert.assertEquals(msg, loggingSkin.messages.get(0)); - // default sink also succeeds - sink = sinks.get(2); - Assert.assertEquals("default", sink.getName()); - Assert.assertEquals(LoggingSink.class, sink.getClass()); - loggingSkin = (LoggingSink) sink; - Assert.assertEquals(msg, loggingSkin.messages.get(0)); - - // has only one end point which fails - router = createMessageRouterComplianceEnabled(settings); - msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.COMPLIANCE_DOC_READ); - 
router.route(msg); - sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ); - sink = sinks.get(0); - Assert.assertEquals("endpoint3", sink.getName()); - Assert.assertEquals(FailingSink.class, sink.getClass()); - sink = sink.getFallbackSink(); - Assert.assertEquals("fallback", sink.getName()); - Assert.assertEquals(LoggingSink.class, sink.getClass()); - loggingSkin = (LoggingSink) sink; - Assert.assertEquals(msg, loggingSkin.messages.get(0)); - - // has only default which succeeds - router = createMessageRouterComplianceEnabled(settings); - msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.COMPLIANCE_DOC_WRITE); - router.route(msg); - sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_WRITE); - sink = sinks.get(0); - Assert.assertEquals("default", sink.getName()); - Assert.assertEquals(LoggingSink.class, sink.getClass()); - loggingSkin = (LoggingSink) sink; - Assert.assertEquals(1, loggingSkin.messages.size()); - Assert.assertEquals(msg, loggingSkin.messages.get(0)); - // fallback must be empty - sink = sink.getFallbackSink(); - Assert.assertEquals("fallback", sink.getName()); - Assert.assertEquals(LoggingSink.class, sink.getClass()); - loggingSkin = (LoggingSink) sink; - Assert.assertEquals(0, loggingSkin.messages.size()); - - // test non configured categories, must be logged to default only - router = createMessageRouterComplianceEnabled(settings); - msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.FAILED_LOGIN); - router.route(msg); - Assert.assertNull(router.categorySinks.get(AuditCategory.FAILED_LOGIN)); - loggingSkin = (LoggingSink) router.defaultSink; - Assert.assertEquals(1, loggingSkin.messages.size()); - Assert.assertEquals(msg, loggingSkin.messages.get(0)); - // all others must be empty - assertLoggingSinksEmpty(router); - - } - - private void assertLoggingSinksEmpty(AuditMessageRouter router) { - // get all sinks - List allSinks = 
router.categorySinks.values().stream().flatMap(Collection::stream).collect(Collectors.toList()); - allSinks = allSinks.stream().filter(sink -> (sink instanceof LoggingSink)).collect(Collectors.toList()); - allSinks.removeAll(Collections.singleton(router.defaultSink)); - for(AuditLogSink sink : allSinks) { - LoggingSink loggingSink = (LoggingSink)sink; - Assert.assertEquals(0, loggingSink.messages.size()); - } - } + @Test + public void testFallback() throws Exception { + Settings.Builder settingsBuilder = Settings.builder() + .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/fallback.yml")); + + Settings settings = settingsBuilder.put("path.home", ".") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .build(); + + AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); + + AuditMessage msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.MISSING_PRIVILEGES); + router.route(msg); + + // endpoint 1 is failing, endoint2 and default work + List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); + Assert.assertEquals(3, sinks.size()); + // this sink has failed, message must be logged to fallback sink + AuditLogSink sink = sinks.get(0); + Assert.assertEquals("endpoint1", sink.getName()); + Assert.assertEquals(FailingSink.class, sink.getClass()); + sink = sink.getFallbackSink(); + Assert.assertEquals("fallback", sink.getName()); + Assert.assertEquals(LoggingSink.class, sink.getClass()); + LoggingSink loggingSkin = (LoggingSink) sink; + Assert.assertEquals(msg, loggingSkin.messages.get(0)); + // this sink succeeds + sink = sinks.get(1); + Assert.assertEquals("endpoint2", sink.getName()); + Assert.assertEquals(LoggingSink.class, sink.getClass()); + loggingSkin = (LoggingSink) sink; + Assert.assertEquals(msg, loggingSkin.messages.get(0)); + // default sink also succeeds + sink = sinks.get(2); + Assert.assertEquals("default", sink.getName()); + 
Assert.assertEquals(LoggingSink.class, sink.getClass()); + loggingSkin = (LoggingSink) sink; + Assert.assertEquals(msg, loggingSkin.messages.get(0)); + + // has only one end point which fails + router = createMessageRouterComplianceEnabled(settings); + msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.COMPLIANCE_DOC_READ); + router.route(msg); + sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ); + sink = sinks.get(0); + Assert.assertEquals("endpoint3", sink.getName()); + Assert.assertEquals(FailingSink.class, sink.getClass()); + sink = sink.getFallbackSink(); + Assert.assertEquals("fallback", sink.getName()); + Assert.assertEquals(LoggingSink.class, sink.getClass()); + loggingSkin = (LoggingSink) sink; + Assert.assertEquals(msg, loggingSkin.messages.get(0)); + + // has only default which succeeds + router = createMessageRouterComplianceEnabled(settings); + msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.COMPLIANCE_DOC_WRITE); + router.route(msg); + sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_WRITE); + sink = sinks.get(0); + Assert.assertEquals("default", sink.getName()); + Assert.assertEquals(LoggingSink.class, sink.getClass()); + loggingSkin = (LoggingSink) sink; + Assert.assertEquals(1, loggingSkin.messages.size()); + Assert.assertEquals(msg, loggingSkin.messages.get(0)); + // fallback must be empty + sink = sink.getFallbackSink(); + Assert.assertEquals("fallback", sink.getName()); + Assert.assertEquals(LoggingSink.class, sink.getClass()); + loggingSkin = (LoggingSink) sink; + Assert.assertEquals(0, loggingSkin.messages.size()); + + // test non configured categories, must be logged to default only + router = createMessageRouterComplianceEnabled(settings); + msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.FAILED_LOGIN); + router.route(msg); + Assert.assertNull(router.categorySinks.get(AuditCategory.FAILED_LOGIN)); + loggingSkin = (LoggingSink) router.defaultSink; + Assert.assertEquals(1, 
loggingSkin.messages.size()); + Assert.assertEquals(msg, loggingSkin.messages.get(0)); + // all others must be empty + assertLoggingSinksEmpty(router); + + } + + private void assertLoggingSinksEmpty(AuditMessageRouter router) { + // get all sinks + List allSinks = router.categorySinks.values().stream().flatMap(Collection::stream).collect(Collectors.toList()); + allSinks = allSinks.stream().filter(sink -> (sink instanceof LoggingSink)).collect(Collectors.toList()); + allSinks.removeAll(Collections.singleton(router.defaultSink)); + for (AuditLogSink sink : allSinks) { + LoggingSink loggingSink = (LoggingSink) sink; + Assert.assertEquals(0, loggingSink.messages.size()); + } + } } diff --git a/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java b/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java index c71a4dc951..f308db21fc 100644 --- a/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java +++ b/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java 
@@ -24,28 +24,28 @@ import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.test.helper.file.FileHelper; - public class PerfTest extends AbstractAuditlogiUnitTest { - @Test - @Ignore(value="jvm crash on cci") - public void testPerf() throws Exception { - Settings.Builder settingsBuilder = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/perftest.yml")); - - Settings settings = settingsBuilder.put("path.home", ".") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .build(); - - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - int limit = 150000; - while(limit > 0) { - AuditMessage msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.MISSING_PRIVILEGES); - router.route(msg); - limit--; - } - LoggingSink loggingSink = (LoggingSink)router.defaultSink.getFallbackSink(); - int currentSize = loggingSink.messages.size(); - Assert.assertTrue(currentSize > 0); - } + @Test + @Ignore(value = "jvm crash on cci") + public void testPerf() throws Exception { + Settings.Builder settingsBuilder = Settings.builder() + .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/perftest.yml")); + + Settings settings = settingsBuilder.put("path.home", ".") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .build(); + + AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); + int limit = 150000; + while (limit > 0) { + AuditMessage msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.MISSING_PRIVILEGES); + router.route(msg); + limit--; + } + LoggingSink loggingSink = (LoggingSink) router.defaultSink.getFallbackSink(); + int currentSize = loggingSink.messages.size(); + Assert.assertTrue(currentSize > 0); + } } 
diff --git a/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java b/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java index 49d603884f..9ab7c0f93c 100644 --- a/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java +++ b/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java 
@@ -31,45 +31,46 @@ import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.test.helper.file.FileHelper; -public class RouterTest extends AbstractAuditlogiUnitTest{ - - - @Test - public void testValidConfiguration() throws Exception { - Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_valid.yml")).build(); - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - // default - Assert.assertEquals("default", router.defaultSink.getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, router.defaultSink.getClass()); - // test category sinks - List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); - Assert.assertNotNull(sinks); - // 3, since we include default as well - Assert.assertEquals(3, sinks.size()); - Assert.assertEquals("endpoint1", sinks.get(0).getName()); - Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass()); - Assert.assertEquals("endpoint2", sinks.get(1).getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(1).getClass()); - Assert.assertEquals("default", sinks.get(2).getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(2).getClass()); - sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ); - // 1, since we do not include default - Assert.assertEquals(1, sinks.size()); - Assert.assertEquals("endpoint3", sinks.get(0).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(0).getClass()); - } +public class RouterTest extends AbstractAuditlogiUnitTest { + + @Test + public void testValidConfiguration() throws Exception { + Settings settings = Settings.builder() + .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_valid.yml")) + .build(); + AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); + // default + Assert.assertEquals("default", 
router.defaultSink.getName()); + Assert.assertEquals(ExternalOpenSearchSink.class, router.defaultSink.getClass()); + // test category sinks + List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); + Assert.assertNotNull(sinks); + // 3, since we include default as well + Assert.assertEquals(3, sinks.size()); + Assert.assertEquals("endpoint1", sinks.get(0).getName()); + Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass()); + Assert.assertEquals("endpoint2", sinks.get(1).getName()); + Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(1).getClass()); + Assert.assertEquals("default", sinks.get(2).getName()); + Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(2).getClass()); + sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ); + // 1, since we do not include default + Assert.assertEquals(1, sinks.size()); + Assert.assertEquals("endpoint3", sinks.get(0).getName()); + Assert.assertEquals(DebugSink.class, sinks.get(0).getClass()); + } @Test public void testMessageRouting() throws Exception { - Settings.Builder settingsBuilder = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/routing.yml")); + Settings.Builder settingsBuilder = Settings.builder() + .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/routing.yml")); - Settings settings = settingsBuilder - .put("path.home", ".") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") - .build(); + Settings settings = settingsBuilder.put("path.home", ".") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .build(); - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); + AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(AuditCategory.MISSING_PRIVILEGES); 
router.route(msg); testMessageDeliveredForCategory(router, msg, AuditCategory.MISSING_PRIVILEGES, "endpoint1", "endpoint2", "default"); 
@@ -96,35 +97,40 @@ public void testMessageRouting() throws Exception { } - private void testMessageDeliveredForCategory(AuditMessageRouter router, AuditMessage msg, AuditCategory categoryToCheck, String ... sinkNames) { - Map> sinksForCategory = router.categorySinks; - for(AuditCategory category : AuditCategory.values()) { - List sinks = sinksForCategory.get(category); - if (sinks == null) { - continue; - } - if (category.equals(categoryToCheck)) { - // each sink must contain our message - for(AuditLogSink sink : sinks) { - LoggingSink logSink = (LoggingSink)sink; - Assert.assertEquals(1, logSink.messages.size()); - Assert.assertEquals(msg, logSink.messages.get(0)); - Assert.assertTrue(logSink.sb.length() > 0); - Assert.assertTrue(Arrays.stream(sinkNames).anyMatch(sink.getName()::equals)); - } - } else { - // make sure sinks are empty for all other categories, exclude default - for(AuditLogSink sink : sinks) { - // default is configured for multiple categories, skip - if (sink.getName().equals("default")) { - continue; - } - LoggingSink logSink = (LoggingSink)sink; - Assert.assertEquals(0, logSink.messages.size()); - Assert.assertTrue(logSink.sb.length() == 0); - } - } - } + private void testMessageDeliveredForCategory( + AuditMessageRouter router, + AuditMessage msg, + AuditCategory categoryToCheck, + String... 
sinkNames + ) { + Map> sinksForCategory = router.categorySinks; + for (AuditCategory category : AuditCategory.values()) { + List sinks = sinksForCategory.get(category); + if (sinks == null) { + continue; + } + if (category.equals(categoryToCheck)) { + // each sink must contain our message + for (AuditLogSink sink : sinks) { + LoggingSink logSink = (LoggingSink) sink; + Assert.assertEquals(1, logSink.messages.size()); + Assert.assertEquals(msg, logSink.messages.get(0)); + Assert.assertTrue(logSink.sb.length() > 0); + Assert.assertTrue(Arrays.stream(sinkNames).anyMatch(sink.getName()::equals)); + } + } else { + // make sure sinks are empty for all other categories, exclude default + for (AuditLogSink sink : sinks) { + // default is configured for multiple categories, skip + if (sink.getName().equals("default")) { + continue; + } + LoggingSink logSink = (LoggingSink) sink; + Assert.assertEquals(0, logSink.messages.size()); + Assert.assertTrue(logSink.sb.length() == 0); + } + } + } } } diff --git a/src/test/java/org/opensearch/security/auditlog/routing/RoutingConfigurationTest.java b/src/test/java/org/opensearch/security/auditlog/routing/RoutingConfigurationTest.java index f33d52c663..8ddb79bcba 100644 --- a/src/test/java/org/opensearch/security/auditlog/routing/RoutingConfigurationTest.java +++ b/src/test/java/org/opensearch/security/auditlog/routing/RoutingConfigurationTest.java 
@@ -28,139 +28,155 @@ import org.opensearch.security.auditlog.sink.InternalOpenSearchSink; import org.opensearch.security.test.helper.file.FileHelper; -public class RoutingConfigurationTest extends AbstractAuditlogiUnitTest{ - - @Test - public void testValidConfiguration() throws Exception { - Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_valid.yml")).build(); - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - // default - Assert.assertEquals("default", router.defaultSink.getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, router.defaultSink.getClass()); - // test category sinks - List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); - Assert.assertNotNull(sinks); - // 3, since we include default as well - Assert.assertEquals(3, sinks.size()); - Assert.assertEquals("endpoint1", sinks.get(0).getName()); - Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass()); - Assert.assertEquals("endpoint2", sinks.get(1).getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(1).getClass()); - Assert.assertEquals("default", sinks.get(2).getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(2).getClass()); - sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ); - // 1, since we do not include default - Assert.assertEquals(1, sinks.size()); - Assert.assertEquals("endpoint3", sinks.get(0).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(0).getClass()); - } - - @Test - public void testNoDefaultSink() throws Exception { - Settings settings = Settings.builder().loadFromPath(Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_no_default.yml"))).build(); - AuditMessageRouter router = new AuditMessageRouter(settings, null, null, null); - // no default sink, audit log not enabled - 
Assert.assertEquals(false, router.isEnabled()); - Assert.assertEquals(null, router.defaultSink); - Assert.assertEquals(null, router.categorySinks); - // make sure no exception is thrown - router.route(MockAuditMessageFactory.validAuditMessage()); - } - - @Test - public void testMissingEndpoints() throws Exception { - Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_wrong_endpoint_names.yml")).build(); - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - // fallback to debug sink if no default is given - Assert.assertEquals(InternalOpenSearchSink.class, router.defaultSink.getClass()); - // missing configuration for endpoint2 / External ES. Fallback to - // localhost - List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); - // 2 valid endpoints - Assert.assertEquals(2, sinks.size()); - Assert.assertEquals("endpoint1", sinks.get(0).getName()); - Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass()); - Assert.assertEquals("endpoint3", sinks.get(1).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(1).getClass()); - sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_WRITE); - Assert.assertEquals(1, sinks.size()); - Assert.assertEquals("default", sinks.get(0).getName()); - Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass()); - // no valid end points for category, must use default - Assert.assertNull(router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ)); - } - - @Test - public void testWrongCategories() throws Exception { - Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_wrong_categories.yml")).build(); - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - // no default sink, we fall back to debug sink - Assert.assertEquals(DebugSink.class, 
router.defaultSink.getClass()); - - List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); - // 3, since default is not valid but replaced with Debug - Assert.assertEquals(3, sinks.size()); - Assert.assertEquals("default", sinks.get(0).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(0).getClass()); - Assert.assertEquals("endpoint1", sinks.get(1).getName()); - Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(1).getClass()); - Assert.assertEquals("endpoint2", sinks.get(2).getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(2).getClass()); - - sinks = router.categorySinks.get(AuditCategory.GRANTED_PRIVILEGES); - Assert.assertEquals(3, sinks.size()); - Assert.assertEquals("endpoint1", sinks.get(0).getName()); - Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass()); - Assert.assertEquals("endpoint3", sinks.get(1).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(1).getClass()); - Assert.assertEquals("default", sinks.get(2).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(2).getClass()); - - sinks = router.categorySinks.get(AuditCategory.AUTHENTICATED); - Assert.assertEquals(1, sinks.size()); - Assert.assertEquals("endpoint1", sinks.get(0).getName()); - Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass()); - - // bad headers has no valid endpoint, so we use default - Assert.assertNull(router.categorySinks.get(AuditCategory.BAD_HEADERS)); - - // failed login has no endpoint configuration, so we use default - Assert.assertNull(router.categorySinks.get(AuditCategory.FAILED_LOGIN)); - - } - - @Test - public void testWrongEndpointTypes() throws Exception { - Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_wrong_endpoint_types.yml")).build(); - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - // debug sink not valid, fallback to 
debug - Assert.assertEquals(DebugSink.class, router.defaultSink.getClass()); - - List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES); - // 2 valid endpoints in config, default falls back to debug - Assert.assertEquals(3, sinks.size()); - Assert.assertEquals("endpoint2", sinks.get(0).getName()); - Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(0).getClass()); - Assert.assertEquals("endpoint3", sinks.get(1).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(1).getClass()); - Assert.assertEquals("default", sinks.get(2).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(2).getClass()); - - sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_WRITE); - Assert.assertEquals(1, sinks.size()); - Assert.assertEquals("default", sinks.get(0).getName()); - Assert.assertEquals(DebugSink.class, sinks.get(0).getClass()); - - // no valid endpoints for category, must fallback to default - Assert.assertNull(router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ)); - } - - @Test - public void testNoMultipleEndpointsConfiguration() throws Exception { - Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml")).build(); - AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); - ThreadPoolConfig config = router.storagePool.getConfig(); - Assert.assertEquals(5, config.getThreadPoolSize()); - Assert.assertEquals(200000, config.getThreadPoolMaxQueueLen()); - } +public class RoutingConfigurationTest extends AbstractAuditlogiUnitTest { + + @Test + public void testValidConfiguration() throws Exception { + Settings settings = Settings.builder() + .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_valid.yml")) + .build(); + AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); + // default + Assert.assertEquals("default", 
router.defaultSink.getName());
+ Assert.assertEquals(ExternalOpenSearchSink.class, router.defaultSink.getClass());
+ // test category sinks
+ List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES);
+ Assert.assertNotNull(sinks);
+ // 3, since we include default as well
+ Assert.assertEquals(3, sinks.size());
+ Assert.assertEquals("endpoint1", sinks.get(0).getName());
+ Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass());
+ Assert.assertEquals("endpoint2", sinks.get(1).getName());
+ Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(1).getClass());
+ Assert.assertEquals("default", sinks.get(2).getName());
+ Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(2).getClass());
+ sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ);
+ // 1, since we do not include default
+ Assert.assertEquals(1, sinks.size());
+ Assert.assertEquals("endpoint3", sinks.get(0).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(0).getClass());
+ }
+
+ @Test
+ public void testNoDefaultSink() throws Exception {
+ Settings settings = Settings.builder()
+ .loadFromPath(
+ Objects.requireNonNull(
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_no_default.yml")
+ )
+ )
+ .build();
+ AuditMessageRouter router = new AuditMessageRouter(settings, null, null, null);
+ // no default sink, audit log not enabled
+ Assert.assertEquals(false, router.isEnabled());
+ Assert.assertEquals(null, router.defaultSink);
+ Assert.assertEquals(null, router.categorySinks);
+ // make sure no exception is thrown
+ router.route(MockAuditMessageFactory.validAuditMessage());
+ }
+
+ @Test
+ public void testMissingEndpoints() throws Exception {
+ Settings settings = Settings.builder()
+ .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_wrong_endpoint_names.yml"))
+ .build();
+ AuditMessageRouter router = createMessageRouterComplianceEnabled(settings);
+ // fallback to debug sink if no default is given
+ Assert.assertEquals(InternalOpenSearchSink.class, router.defaultSink.getClass());
+ // missing configuration for endpoint2 / External ES. Fallback to
+ // localhost
+ List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES);
+ // 2 valid endpoints
+ Assert.assertEquals(2, sinks.size());
+ Assert.assertEquals("endpoint1", sinks.get(0).getName());
+ Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass());
+ Assert.assertEquals("endpoint3", sinks.get(1).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(1).getClass());
+ sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_WRITE);
+ Assert.assertEquals(1, sinks.size());
+ Assert.assertEquals("default", sinks.get(0).getName());
+ Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass());
+ // no valid end points for category, must use default
+ Assert.assertNull(router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ));
+ }
+
+ @Test
+ public void testWrongCategories() throws Exception {
+ Settings settings = Settings.builder()
+ .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_wrong_categories.yml"))
+ .build();
+ AuditMessageRouter router = createMessageRouterComplianceEnabled(settings);
+ // no default sink, we fall back to debug sink
+ Assert.assertEquals(DebugSink.class, router.defaultSink.getClass());
+
+ List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES);
+ // 3, since default is not valid but replaced with Debug
+ Assert.assertEquals(3, sinks.size());
+ Assert.assertEquals("default", sinks.get(0).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(0).getClass());
+ Assert.assertEquals("endpoint1", sinks.get(1).getName());
+ Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(1).getClass());
+ Assert.assertEquals("endpoint2", sinks.get(2).getName());
+ Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(2).getClass());
+
+ sinks = router.categorySinks.get(AuditCategory.GRANTED_PRIVILEGES);
+ Assert.assertEquals(3, sinks.size());
+ Assert.assertEquals("endpoint1", sinks.get(0).getName());
+ Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass());
+ Assert.assertEquals("endpoint3", sinks.get(1).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(1).getClass());
+ Assert.assertEquals("default", sinks.get(2).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(2).getClass());
+
+ sinks = router.categorySinks.get(AuditCategory.AUTHENTICATED);
+ Assert.assertEquals(1, sinks.size());
+ Assert.assertEquals("endpoint1", sinks.get(0).getName());
+ Assert.assertEquals(InternalOpenSearchSink.class, sinks.get(0).getClass());
+
+ // bad headers has no valid endpoint, so we use default
+ Assert.assertNull(router.categorySinks.get(AuditCategory.BAD_HEADERS));
+
+ // failed login has no endpoint configuration, so we use default
+ Assert.assertNull(router.categorySinks.get(AuditCategory.FAILED_LOGIN));
+
+ }
+
+ @Test
+ public void testWrongEndpointTypes() throws Exception {
+ Settings settings = Settings.builder()
+ .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_wrong_endpoint_types.yml"))
+ .build();
+ AuditMessageRouter router = createMessageRouterComplianceEnabled(settings);
+ // debug sink not valid, fallback to debug
+ Assert.assertEquals(DebugSink.class, router.defaultSink.getClass());
+
+ List sinks = router.categorySinks.get(AuditCategory.MISSING_PRIVILEGES);
+ // 2 valid endpoints in config, default falls back to debug
+ Assert.assertEquals(3, sinks.size());
+ Assert.assertEquals("endpoint2", sinks.get(0).getName());
+ Assert.assertEquals(ExternalOpenSearchSink.class, sinks.get(0).getClass());
+ Assert.assertEquals("endpoint3", sinks.get(1).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(1).getClass());
+ Assert.assertEquals("default", sinks.get(2).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(2).getClass());
+
+ sinks = router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_WRITE);
+ Assert.assertEquals(1, sinks.size());
+ Assert.assertEquals("default", sinks.get(0).getName());
+ Assert.assertEquals(DebugSink.class, sinks.get(0).getClass());
+
+ // no valid endpoints for category, must fallback to default
+ Assert.assertNull(router.categorySinks.get(AuditCategory.COMPLIANCE_DOC_READ));
+ }
+
+ @Test
+ public void testNoMultipleEndpointsConfiguration() throws Exception {
+ Settings settings = Settings.builder()
+ .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml"))
+ .build();
+ AuditMessageRouter router = createMessageRouterComplianceEnabled(settings);
+ ThreadPoolConfig config = router.storagePool.getConfig();
+ Assert.assertEquals(5, config.getThreadPoolSize());
+ Assert.assertEquals(200000, config.getThreadPoolMaxQueueLen());
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/KafkaSinkTest.java b/src/test/java/org/opensearch/security/auditlog/sink/KafkaSinkTest.java
index b074dd2b62..bf567c6ebe 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/KafkaSinkTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/KafkaSinkTest.java
@@ -37,6 +37,7 @@ public class KafkaSinkTest extends AbstractAuditlogiUnitTest {
 public static EmbeddedKafkaRule embeddedKafka = new EmbeddedKafkaRule(1, true, 1, "compliance") {
 // Prevents test exceptions from randomized runner, see https://bit.ly/3y17IkI
 private UncaughtExceptionHandler currentHandler;
+ @Override
 public void before() {
 currentHandler = Thread.getDefaultUncaughtExceptionHandler();
@@ -53,9 +54,9 @@ public void after() {
 @Test
 public void testKafka() throws Exception {
 String configYml = FileHelper.loadFile("auditlog/endpoints/sink/configuration_kafka.yml");
- configYml = configYml.replace("_RPLC_BOOTSTRAP_SERVERS_",embeddedKafka.getEmbeddedKafka().getBrokersAsString());
+ configYml = configYml.replace("_RPLC_BOOTSTRAP_SERVERS_", embeddedKafka.getEmbeddedKafka().getBrokersAsString());
 Settings.Builder settingsBuilder = Settings.builder().loadFromSource(configYml, YamlXContent.yamlXContent.mediaType());
- try(KafkaConsumer consumer = createConsumer()) {
+ try (KafkaConsumer consumer = createConsumer()) {
 consumer.subscribe(Arrays.asList("compliance"));
 Settings settings = settingsBuilder.put("path.home", ".").build();
@@ -78,7 +79,7 @@ private KafkaConsumer createConsumer() {
 Properties props = new Properties();
 props.put("bootstrap.servers", embeddedKafka.getEmbeddedKafka().getBrokersAsString());
 props.put("auto.offset.reset", "earliest");
- props.put("group.id", "mygroup"+System.currentTimeMillis()+"_"+new Random().nextDouble());
+ props.put("group.id", "mygroup" + System.currentTimeMillis() + "_" + new Random().nextDouble());
 props.put("key.deserializer", "org.apache.kafka.common.serialization.LongDeserializer");
 props.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
 return new KafkaConsumer<>(props);
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/MockWebhookAuditLog.java b/src/test/java/org/opensearch/security/auditlog/sink/MockWebhookAuditLog.java
index b93904574e..6dd019e733 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/MockWebhookAuditLog.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/MockWebhookAuditLog.java
@@ -15,23 +15,22 @@ public class MockWebhookAuditLog extends WebhookSink {
- public String payload = null;
- public String url = null;
-
- public MockWebhookAuditLog(Settings settings, String settingsPrefix, AuditLogSink fallback) throws Exception {
- super("test", settings, settingsPrefix, null, fallback);
- }
-
- @Override
- protected boolean doPost(String url, String payload) {
- this.payload = payload;
- return true;
- }
-
-
- @Override
- protected boolean doGet(String url) {
- this.url = url;
- return true;
- }
+ public String payload = null;
+ public String url = null;
+
+ public MockWebhookAuditLog(Settings settings, String settingsPrefix, AuditLogSink fallback) throws Exception {
+ super("test", settings, settingsPrefix, null, fallback);
+ }
+
+ @Override
+ protected boolean doPost(String url, String payload) {
+ this.payload = payload;
+ return true;
+ }
+
+ @Override
+ protected boolean doGet(String url) {
+ this.url = url;
+ return true;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java
index fb0f665b16..467cce5fe9 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java
@@ -39,119 +39,132 @@ public class SinkProviderTLSTest {
- protected HttpServer server = null;
-
- @Before
- @After
- public void tearDown() {
- if (server != null) {
- try {
- server.stop();
- } catch (Exception e) {
- // ignore
- }
- }
- }
-
- @Test
- public void testTlsConfigurationNoFallback() throws Exception {
-
- TestHttpHandler handler = new TestHttpHandler();
-
- int port = findFreePort();
- server = ServerBootstrap.bootstrap().setListenerPort(port).setHttpProcessor(HttpProcessors.server("Test/1.1")).setSslContext(createSSLContext()).register("*", handler).create();
-
- server.start();
-
- Builder builder = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_tls.yml"));
- builder.put("path.home", "/");
-
- // replace some values with absolute paths for unit tests
- builder.put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem"));
- builder.put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem"));
- builder.put("plugins.security.audit.endpoints.endpoint2.config.webhook.ssl.pemtrustedcas_content", FileHelper.loadFile("auditlog/root-ca.pem"));
-
- builder.put("plugins.security.audit.config.webhook.url", "https://localhost:" + port);
- builder.put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", "https://localhost:" + port);
- builder.put("plugins.security.audit.endpoints.endpoint2.config.webhook.url", "https://localhost:" + port);
-
-
- SinkProvider provider = new SinkProvider(builder.build(), null, null, null);
- WebhookSink defaultSink = (WebhookSink) provider.defaultSink;
- Assert.assertEquals(true, defaultSink.verifySSL);
-
- AuditMessage msg = MockAuditMessageFactory.validAuditMessage();
- provider.allSinks.get("endpoint1").store(msg);
-
- Assert.assertTrue(handler.method.equals("POST"));
+ protected HttpServer server = null;
+
+ @Before
+ @After
+ public void tearDown() {
+ if (server != null) {
+ try {
+ server.stop();
+ } catch (Exception e) {
+ // ignore
+ }
+ }
+ }
+
+ @Test
+ public void testTlsConfigurationNoFallback() throws Exception {
+
+ TestHttpHandler handler = new TestHttpHandler();
+
+ int port = findFreePort();
+ server = ServerBootstrap.bootstrap()
+ .setListenerPort(port)
+ .setHttpProcessor(HttpProcessors.server("Test/1.1"))
+ .setSslContext(createSSLContext())
+ .register("*", handler)
+ .create();
+
+ server.start();
+
+ Builder builder = Settings.builder()
+ .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_tls.yml"));
+ builder.put("path.home", "/");
+
+ // replace some values with absolute paths for unit tests
+ builder.put(
+ "plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath",
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")
+ );
+ builder.put(
+ "plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath",
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")
+ );
+ builder.put(
+ "plugins.security.audit.endpoints.endpoint2.config.webhook.ssl.pemtrustedcas_content",
+ FileHelper.loadFile("auditlog/root-ca.pem")
+ );
+
+ builder.put("plugins.security.audit.config.webhook.url", "https://localhost:" + port);
+ builder.put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", "https://localhost:" + port);
+ builder.put("plugins.security.audit.endpoints.endpoint2.config.webhook.url", "https://localhost:" + port);
+
+ SinkProvider provider = new SinkProvider(builder.build(), null, null, null);
+ WebhookSink defaultSink = (WebhookSink) provider.defaultSink;
+ Assert.assertEquals(true, defaultSink.verifySSL);
+
+ AuditMessage msg = MockAuditMessageFactory.validAuditMessage();
+ provider.allSinks.get("endpoint1").store(msg);
+
+ Assert.assertTrue(handler.method.equals("POST"));
 Assert.assertTrue(handler.body != null);
 Assert.assertTrue(handler.body.contains("{"));
 assertStringContainsAllKeysAndValues(handler.body);
- handler.reset();
+ handler.reset();
- provider.allSinks.get("endpoint2").store(msg);
+ provider.allSinks.get("endpoint2").store(msg);
- Assert.assertTrue(handler.method.equals("POST"));
+ Assert.assertTrue(handler.method.equals("POST"));
 Assert.assertTrue(handler.body != null);
 Assert.assertTrue(handler.body.contains("{"));
 assertStringContainsAllKeysAndValues(handler.body);
- handler.reset();
+ handler.reset();
- provider.defaultSink.store(msg);
+ provider.defaultSink.store(msg);
- Assert.assertTrue(handler.method.equals("POST"));
+ Assert.assertTrue(handler.method.equals("POST"));
 Assert.assertTrue(handler.body != null);
 Assert.assertTrue(handler.body.contains("{"));
 assertStringContainsAllKeysAndValues(handler.body);
 server.stop();
- }
-
- // for TLS support on our in-memory server
- private SSLContext createSSLContext() throws Exception {
- final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory
- .getDefaultAlgorithm());
- final KeyStore trustStore = KeyStore.getInstance("JKS");
- InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks").toFile());
- trustStore.load(trustStream, "changeit".toCharArray());
- tmf.init(trustStore);
-
- final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- final KeyStore keyStore = KeyStore.getInstance("JKS");
- InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks").toFile());
-
- keyStore.load(keyStream, "changeit".toCharArray());
- kmf.init(keyStore, "changeit".toCharArray());
-
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
- sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
- return sslContext;
- }
-
- private void assertStringContainsAllKeysAndValues(String in) {
- System.out.println(in);
- Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION));
- Assert.assertTrue(in, in.contains(AuditMessage.CATEGORY));
- Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION));
- Assert.assertTrue(in, in.contains(AuditMessage.REMOTE_ADDRESS));
- Assert.assertTrue(in, in.contains(AuditMessage.ORIGIN));
- Assert.assertTrue(in, in.contains(AuditMessage.REQUEST_LAYER));
- Assert.assertTrue(in, in.contains(AuditMessage.TRANSPORT_REQUEST_TYPE));
- Assert.assertTrue(in, in.contains(AuditMessage.UTC_TIMESTAMP));
- Assert.assertTrue(in, in.contains(AuditCategory.FAILED_LOGIN.name()));
- Assert.assertTrue(in, in.contains("FAILED_LOGIN"));
- Assert.assertTrue(in, in.contains("John Doe"));
- Assert.assertTrue(in, in.contains("8.8.8.8"));
- //Assert.assertTrue(in, in.contains("CN=kirk,OU=client,O=client,L=test,C=DE"));
- }
-
- private int findFreePort() {
- try (ServerSocket serverSocket = new ServerSocket(0)) {
- return serverSocket.getLocalPort();
- } catch (IOException e) {
- throw new RuntimeException("Failed to find free port", e);
- }
- }
+ }
+
+ // for TLS support on our in-memory server
+ private SSLContext createSSLContext() throws Exception {
+ final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ final KeyStore trustStore = KeyStore.getInstance("JKS");
+ InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks").toFile());
+ trustStore.load(trustStream, "changeit".toCharArray());
+ tmf.init(trustStore);
+
+ final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ final KeyStore keyStore = KeyStore.getInstance("JKS");
+ InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks").toFile());
+
+ keyStore.load(keyStream, "changeit".toCharArray());
+ kmf.init(keyStore, "changeit".toCharArray());
+
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+ return sslContext;
+ }
+
+ private void assertStringContainsAllKeysAndValues(String in) {
+ System.out.println(in);
+ Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION));
+ Assert.assertTrue(in, in.contains(AuditMessage.CATEGORY));
+ Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION));
+ Assert.assertTrue(in, in.contains(AuditMessage.REMOTE_ADDRESS));
+ Assert.assertTrue(in, in.contains(AuditMessage.ORIGIN));
+ Assert.assertTrue(in, in.contains(AuditMessage.REQUEST_LAYER));
+ Assert.assertTrue(in, in.contains(AuditMessage.TRANSPORT_REQUEST_TYPE));
+ Assert.assertTrue(in, in.contains(AuditMessage.UTC_TIMESTAMP));
+ Assert.assertTrue(in, in.contains(AuditCategory.FAILED_LOGIN.name()));
+ Assert.assertTrue(in, in.contains("FAILED_LOGIN"));
+ Assert.assertTrue(in, in.contains("John Doe"));
+ Assert.assertTrue(in, in.contains("8.8.8.8"));
+ // Assert.assertTrue(in, in.contains("CN=kirk,OU=client,O=client,L=test,C=DE"));
+ }
+
+ private int findFreePort() {
+ try (ServerSocket serverSocket = new ServerSocket(0)) {
+ return serverSocket.getLocalPort();
+ } catch (IOException e) {
+ throw new RuntimeException("Failed to find free port", e);
+ }
+ }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java
index 029192e097..5e3203261f 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java
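Review bot: `createSSLContext()` on the new side opens `trustStream` and `keyStream` with `new FileInputStream(...)` and never closes them, so every run of `testTlsConfigurationNoFallback` leaks two file handles; this predates the commit, but `findFreePort()` in the same hunk already uses try-with-resources for its `ServerSocket`, so the reformat was the natural moment to bring the two `KeyStore.load` calls in line with it. The rewrite below closes each stream right after its `load` and leaves the rest of the method unchanged. In the same hunk, `Assert.assertTrue(handler.method.equals("POST"))` throws a `NullPointerException` instead of a clean assertion failure when no request reached the handler; `Assert.assertEquals("POST", handler.method)` reports the mismatch instead. The hard-coded `"changeit"` password is acceptable here because the keystores are test fixtures shipped on the classpath.
```java
private SSLContext createSSLContext() throws Exception {
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    final KeyStore trustStore = KeyStore.getInstance("JKS");
    // close the fixture stream as soon as the keystore has been read
    try (InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks").toFile())) {
        trustStore.load(trustStream, "changeit".toCharArray());
    }
    tmf.init(trustStore);

    final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    final KeyStore keyStore = KeyStore.getInstance("JKS");
    try (InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks").toFile())) {
        keyStore.load(keyStream, "changeit".toCharArray());
    }
    kmf.init(keyStore, "changeit".toCharArray());
    // … unchanged: SSLContext.getInstance("TLSv1.2"), init and return …
}
```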
@@ -20,82 +20,85 @@ public class SinkProviderTest {
- @Test
- public void testConfiguration() throws Exception {
-
- Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_all_variants.yml")).build();
- SinkProvider provider = new SinkProvider(settings, null, null, null);
-
- // make sure we have a debug sink as fallback
- Assert.assertEquals(DebugSink.class, provider.fallbackSink.getClass() );
-
- AuditLogSink sink = provider.getSink("DefaULT");
- Assert.assertEquals(sink.getClass(), DebugSink.class);
-
- sink = provider.getSink("endpoint1");
- Assert.assertEquals(InternalOpenSearchSink.class, sink.getClass());
-
- sink = provider.getSink("endpoint2");
- Assert.assertEquals(ExternalOpenSearchSink.class, sink.getClass());
- // todo: sink does not work
-
- sink = provider.getSink("endpoinT3");
- Assert.assertEquals(DebugSink.class, sink.getClass());
-
- // no valid type
- sink = provider.getSink("endpoint4");
- Assert.assertEquals(null, sink);
-
- sink = provider.getSink("endpoint2");
- Assert.assertEquals(ExternalOpenSearchSink.class, sink.getClass());
- // todo: sink does not work, no valid config
-
- // no valid type
- sink = provider.getSink("endpoint6");
- Assert.assertEquals(null, sink);
-
- // no valid type
- sink = provider.getSink("endpoint7");
- Assert.assertEquals(null, sink);
-
- sink = provider.getSink("endpoint8");
- Assert.assertEquals(DebugSink.class, sink.getClass());
-
- // wrong type in config
- sink = provider.getSink("endpoint9");
- Assert.assertEquals(ExternalOpenSearchSink.class, sink.getClass());
-
- // log4j, valid configuration
- sink = provider.getSink("endpoint10");
- Assert.assertEquals(Log4JSink.class, sink.getClass());
- Log4JSink lsink = (Log4JSink)sink;
- Assert.assertEquals("loggername", lsink.loggerName);
- Assert.assertEquals(Level.WARN, lsink.logLevel);
-
- // log4j, no level, fallback to default
- sink = provider.getSink("endpoint11");
- Assert.assertEquals(Log4JSink.class, sink.getClass());
- lsink = (Log4JSink)sink;
- Assert.assertEquals("loggername", lsink.loggerName);
- Assert.assertEquals(Level.INFO, lsink.logLevel);
-
- // log4j, wrong level, fallback to log4j default
- sink = provider.getSink("endpoint12");
- Assert.assertEquals(Log4JSink.class, sink.getClass());
- lsink = (Log4JSink)sink;
- Assert.assertEquals("loggername", lsink.loggerName);
- Assert.assertEquals(Level.DEBUG, lsink.logLevel);
-
- }
-
- @Test
- public void testNoMultipleEndpointsConfiguration() throws Exception {
- Settings settings = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml")).build();
- SinkProvider provider = new SinkProvider(settings, null, null, null);
- InternalOpenSearchSink sink = (InternalOpenSearchSink)provider.defaultSink;
- Assert.assertEquals("myownindex", sink.index);
- Assert.assertEquals("auditevents", sink.type);
- }
-
+ @Test
+ public void testConfiguration() throws Exception {
+
+ Settings settings = Settings.builder()
+ .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_all_variants.yml"))
+ .build();
+ SinkProvider provider = new SinkProvider(settings, null, null, null);
+
+ // make sure we have a debug sink as fallback
+ Assert.assertEquals(DebugSink.class, provider.fallbackSink.getClass());
+
+ AuditLogSink sink = provider.getSink("DefaULT");
+ Assert.assertEquals(sink.getClass(), DebugSink.class);
+
+ sink = provider.getSink("endpoint1");
+ Assert.assertEquals(InternalOpenSearchSink.class, sink.getClass());
+
+ sink = provider.getSink("endpoint2");
+ Assert.assertEquals(ExternalOpenSearchSink.class, sink.getClass());
+ // todo: sink does not work
+
+ sink = provider.getSink("endpoinT3");
+ Assert.assertEquals(DebugSink.class, sink.getClass());
+
+ // no valid type
+ sink = provider.getSink("endpoint4");
+ Assert.assertEquals(null, sink);
+
+ sink = provider.getSink("endpoint2");
+ Assert.assertEquals(ExternalOpenSearchSink.class, sink.getClass());
+ // todo: sink does not work, no valid config
+
+ // no valid type
+ sink = provider.getSink("endpoint6");
+ Assert.assertEquals(null, sink);
+
+ // no valid type
+ sink = provider.getSink("endpoint7");
+ Assert.assertEquals(null, sink);
+
+ sink = provider.getSink("endpoint8");
+ Assert.assertEquals(DebugSink.class, sink.getClass());
+
+ // wrong type in config
+ sink = provider.getSink("endpoint9");
+ Assert.assertEquals(ExternalOpenSearchSink.class, sink.getClass());
+
+ // log4j, valid configuration
+ sink = provider.getSink("endpoint10");
+ Assert.assertEquals(Log4JSink.class, sink.getClass());
+ Log4JSink lsink = (Log4JSink) sink;
+ Assert.assertEquals("loggername", lsink.loggerName);
+ Assert.assertEquals(Level.WARN, lsink.logLevel);
+
+ // log4j, no level, fallback to default
+ sink = provider.getSink("endpoint11");
+ Assert.assertEquals(Log4JSink.class, sink.getClass());
+ lsink = (Log4JSink) sink;
+ Assert.assertEquals("loggername", lsink.loggerName);
+ Assert.assertEquals(Level.INFO, lsink.logLevel);
+
+ // log4j, wrong level, fallback to log4j default
+ sink = provider.getSink("endpoint12");
+ Assert.assertEquals(Log4JSink.class, sink.getClass());
+ lsink = (Log4JSink) sink;
+ Assert.assertEquals("loggername", lsink.loggerName);
+ Assert.assertEquals(Level.DEBUG, lsink.logLevel);
+
+ }
+
+ @Test
+ public void testNoMultipleEndpointsConfiguration() throws Exception {
+ Settings settings = Settings.builder()
+ .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml"))
+ .build();
+ SinkProvider provider = new SinkProvider(settings, null, null, null);
+ InternalOpenSearchSink sink = (InternalOpenSearchSink) provider.defaultSink;
+ Assert.assertEquals("myownindex", sink.index);
+ Assert.assertEquals("auditevents", sink.type);
+ }
 }
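Review bot: In `testConfiguration()` the lookup that sits between the `endpoint4` and `endpoint6` checks calls `provider.getSink("endpoint2")` a second time, under the comment `// todo: sink does not work, no valid config`, so the endpoint that comment refers to — presumably `endpoint5` in `configuration_all_variants.yml`, which is not visible here — is never exercised and the assertion only repeats the earlier endpoint2 check. If the fixture defines an endpoint5, change the line to `sink = provider.getSink("endpoint5");` and assert the sink type the fixture actually produces; if it does not, drop the duplicate block rather than carry a misleading copy. Separately, the `"DefaULT"` check is written `Assert.assertEquals(sink.getClass(), DebugSink.class)`, with expected and actual swapped relative to every other assertion in the method; `Assert.assertEquals(DebugSink.class, sink.getClass())` keeps the failure message readable.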
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java
index 1e327750b6..2c2af154a0 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java
@@ -51,326 +51,354 @@ public class WebhookAuditLogTest {
 @Before
 @After
 public void tearDown() {
- if(server != null) {
+ if (server != null) {
 try {
 server.stop();
 } catch (Exception e) {
- //ignore
+ // ignore
 }
 }
 }
- @Test
- public void invalidConfFallbackTest() throws Exception {
- AuditMessage msg = MockAuditMessageFactory.validAuditMessage();
-
- // provide no settings, fallback must be used
- Settings settings = Settings.builder()
- .put("path.home", ".")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .build();
- LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);
- MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, fallback);
- auditlog.store(msg);
- // Webhook sink has failed ...
- Assert.assertEquals(null, auditlog.webhookFormat);
- // ... so message must be stored in fallback
- Assert.assertEquals(1, fallback.messages.size());
- Assert.assertEquals(msg, fallback.messages.get(0));
-
- }
-
- @Test
- public void formatsTest() throws Exception {
-
- String url = "http://localhost";
- AuditMessage msg = MockAuditMessageFactory.validAuditMessage();
-
- // provide no format, defaults to TEXT
- Settings settings = Settings.builder()
- .put("plugins.security.audit.config.webhook.url", url)
- .put("path.home", ".")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
- .build();
-
- MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
- auditlog.store(msg);
- Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat);
- Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType());
- Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
-
- // provide faulty format, defaults to TEXT
- settings = Settings.builder()
- .put("plugins.security.audit.config.webhook.url", url)
- .put("plugins.security.audit.config.webhook.format", "idonotexist")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("path.home", ".")
- .build();
- auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
- auditlog.store(msg);
- Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat);
- Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType());
- Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
- auditlog.close();
-
- // TEXT
- settings = Settings.builder()
- .put("plugins.security.audit.config.webhook.url", url)
- .put("plugins.security.audit.config.webhook.format", "text")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("path.home", ".")
- .build();
- auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
- auditlog.store(msg);
- Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat);
- Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType());
- Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
- Assert.assertTrue(auditlog.payload, auditlog.payload.contains(AuditMessage.UTC_TIMESTAMP));
- Assert.assertTrue(auditlog.payload, auditlog.payload.contains("audit_request_remote_address"));
-
- // JSON
- settings = Settings.builder()
- .put("plugins.security.audit.config.webhook.url", url)
- .put("plugins.security.audit.config.webhook.format", "json")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("path.home", ".")
- .build();
- auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
- auditlog.store(msg);
- System.out.println(auditlog.payload);
- Assert.assertEquals(WebhookFormat.JSON, auditlog.webhookFormat);
- Assert.assertEquals(ContentType.APPLICATION_JSON, auditlog.webhookFormat.getContentType());
- Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
- Assert.assertTrue(auditlog.payload, auditlog.payload.contains(AuditMessage.UTC_TIMESTAMP));
+ @Test
+ public void invalidConfFallbackTest() throws Exception {
+ AuditMessage msg = MockAuditMessageFactory.validAuditMessage();
+
+ // provide no settings, fallback must be used
+ Settings settings = Settings.builder()
+ .put("path.home", ".")
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
+ )
+ .build();
+ LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);
+ MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, fallback);
+ auditlog.store(msg);
+ // Webhook sink has failed ...
+ Assert.assertEquals(null, auditlog.webhookFormat);
+ // ... so message must be stored in fallback
+ Assert.assertEquals(1, fallback.messages.size());
+ Assert.assertEquals(msg, fallback.messages.get(0));
+
+ }
+
+ @Test
+ public void formatsTest() throws Exception {
+
+ String url = "http://localhost";
+ AuditMessage msg = MockAuditMessageFactory.validAuditMessage();
+
+ // provide no format, defaults to TEXT
+ Settings settings = Settings.builder()
+ .put("plugins.security.audit.config.webhook.url", url)
+ .put("path.home", ".")
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
+ )
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .build();
+
+ MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
+ auditlog.store(msg);
+ Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat);
+ Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType());
+ Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
+
+ // provide faulty format, defaults to TEXT
+ settings = Settings.builder()
+ .put("plugins.security.audit.config.webhook.url", url)
+ .put("plugins.security.audit.config.webhook.format", "idonotexist")
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
+ )
+ .put("path.home", ".")
+ .build();
+ auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
+ auditlog.store(msg);
+ Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat);
+ Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType());
+ Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
+ auditlog.close();
+
+ // TEXT
+ settings = Settings.builder()
+ .put("plugins.security.audit.config.webhook.url", url)
+ .put("plugins.security.audit.config.webhook.format", "text")
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
+ )
+ .put("path.home", ".")
+ .build();
+ auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
+ auditlog.store(msg);
+ Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat);
+ Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType());
+ Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
+ Assert.assertTrue(auditlog.payload, auditlog.payload.contains(AuditMessage.UTC_TIMESTAMP));
+ Assert.assertTrue(auditlog.payload, auditlog.payload.contains("audit_request_remote_address"));
+
+ // JSON
+ settings = Settings.builder()
+ .put("plugins.security.audit.config.webhook.url", url)
+ .put("plugins.security.audit.config.webhook.format", "json")
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
+ )
+ .put("path.home", ".")
+ .build();
+ auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
+ auditlog.store(msg);
+ System.out.println(auditlog.payload);
+ Assert.assertEquals(WebhookFormat.JSON, auditlog.webhookFormat);
+ Assert.assertEquals(ContentType.APPLICATION_JSON, auditlog.webhookFormat.getContentType());
+ Assert.assertTrue(auditlog.payload, !auditlog.payload.startsWith("{\"text\":"));
+ Assert.assertTrue(auditlog.payload, auditlog.payload.contains(AuditMessage.UTC_TIMESTAMP));
 Assert.assertTrue(auditlog.payload, auditlog.payload.contains("audit_request_remote_address"));
- // SLACK
- settings = Settings.builder()
- .put("plugins.security.audit.config.webhook.url", url)
- .put("plugins.security.audit.config.webhook.format", "slack")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("path.home", ".")
- .build();
- auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
- auditlog.store(msg);
- Assert.assertEquals(WebhookFormat.SLACK, auditlog.webhookFormat);
- Assert.assertEquals(ContentType.APPLICATION_JSON, auditlog.webhookFormat.getContentType());
- Assert.assertTrue(auditlog.payload, auditlog.payload.startsWith("{\"text\":"));
- Assert.assertTrue(auditlog.payload, auditlog.payload.contains(AuditMessage.UTC_TIMESTAMP));
+ // SLACK
+ settings = Settings.builder()
+ .put("plugins.security.audit.config.webhook.url", url)
+ .put("plugins.security.audit.config.webhook.format", "slack")
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
+ )
+ .put("path.home", ".")
+ .build();
+ auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
+ auditlog.store(msg);
+ Assert.assertEquals(WebhookFormat.SLACK, auditlog.webhookFormat);
+ Assert.assertEquals(ContentType.APPLICATION_JSON, auditlog.webhookFormat.getContentType());
+ Assert.assertTrue(auditlog.payload, auditlog.payload.startsWith("{\"text\":"));
+ Assert.assertTrue(auditlog.payload, auditlog.payload.contains(AuditMessage.UTC_TIMESTAMP));
 Assert.assertTrue(auditlog.payload, auditlog.payload.contains("audit_request_remote_address"));
- }
-
-
-
- @Test
- public void invalidUrlTest() throws Exception {
-
- String url = "faultyurl";
-
- final Settings settings = Settings.builder()
- .put("plugins.security.audit.config.webhook.url", url)
- .put("plugins.security.audit.config.webhook.format", "slack")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("path.home", ".")
- .build();
- LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null,
null);; - MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, fallback); - AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); - auditlog.store(msg); - Assert.assertEquals(null, auditlog.url); - Assert.assertEquals(null, auditlog.payload); - Assert.assertEquals(null, auditlog.webhookUrl); - // message must be stored in fallback - Assert.assertEquals(1, fallback.messages.size()); - Assert.assertEquals(msg, fallback.messages.get(0)); - } - - @Test - public void noServerRunningHttpTest() throws Exception { - String url = "http://localhost:8080/endpoint"; - - Settings settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "slack") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("path.home", ".") - .build(); - - LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);; - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); - AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); - auditlog.store(msg); - // can't connect, no server running ... - Assert.assertEquals("http://localhost:8080/endpoint", auditlog.webhookUrl); - // ... 
message must be stored in fallback - Assert.assertEquals(1, fallback.messages.size()); - Assert.assertEquals(msg, fallback.messages.get(0)); - } - - - @Test - public void postGetHttpTest() throws Exception { - TestHttpHandler handler = new TestHttpHandler(); - - int port = findFreePort(); - server = ServerBootstrap.bootstrap() - .setListenerPort(port) - .setHttpProcessor(HttpProcessors.server("Test/1.1")) - .register("*", handler) - .create(); - - server.start(); - - String url = "http://localhost:" + port + "/endpoint"; - - // SLACK - Settings settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "slack") - .put("path.home", ".") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .build(); - - LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);; - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); - AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); - auditlog.store(msg); - Assert.assertTrue(handler.method.equals("POST")); - Assert.assertTrue(handler.body != null); - Assert.assertTrue(handler.body.startsWith("{\"text\":")); - assertStringContainsAllKeysAndValues(handler.body); - // no message stored on fallback - Assert.assertEquals(0, fallback.messages.size()); - handler.reset(); - - // TEXT - settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "texT") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("path.home", ".") - .build(); - - auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); - auditlog.store(msg); - 
Assert.assertTrue(handler.method.equals("POST")); - Assert.assertTrue(handler.body != null); - System.out.println(handler.body); - Assert.assertFalse(handler.body.contains("{")); - assertStringContainsAllKeysAndValues(handler.body); - handler.reset(); - - // JSON - settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "JSon") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("path.home", ".") - .build(); - - auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); - auditlog.store(msg); - Assert.assertTrue(handler.method.equals("POST")); - Assert.assertTrue(handler.body != null); - Assert.assertTrue(handler.body.contains("{")); - assertStringContainsAllKeysAndValues(handler.body); - handler.reset(); - - // URL POST - settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_POST") - .put("path.home", ".") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .build(); - - auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); - auditlog.store(msg); - Assert.assertTrue(handler.method.equals("POST")); - Assert.assertTrue(handler.body.equals("")); - Assert.assertTrue(!handler.body.contains("{")); - assertStringContainsAllKeysAndValues(URLDecoder.decode(handler.uri, StandardCharsets.UTF_8.displayName())); - handler.reset(); - - // URL GET - settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_GET") - .put("path.home", ".") - 
.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .build(); - - auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); - auditlog.store(msg); - Assert.assertTrue(handler.method.equals("GET")); - Assert.assertEquals(null, handler.body); - assertStringContainsAllKeysAndValues(URLDecoder.decode(handler.uri, StandardCharsets.UTF_8.displayName())); - server.awaitTermination(TimeValue.ofSeconds(3)); - } - - @Test - public void httpsTestWithoutTLSServer() throws Exception { - - TestHttpHandler handler = new TestHttpHandler(); - - int port = findFreePort(); - server = ServerBootstrap.bootstrap() - .setListenerPort(port) - .setHttpProcessor(HttpProcessors.server("Test/1.1")) - .register("*", handler) - .create(); - - server.start(); - - String url = "https://localhost:" + port + "/endpoint"; - - Settings settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "slack") - .put("path.home", ".") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .build(); - - LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);; - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); - AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); - auditlog.store(msg); - Assert.assertTrue(handler.method == null); - Assert.assertTrue(handler.body == null); - Assert.assertTrue(handler.uri == null); - // ... 
so message must be stored in fallback - Assert.assertEquals(1, fallback.messages.size()); - Assert.assertEquals(msg, fallback.messages.get(0)); - server.awaitTermination(TimeValue.ofSeconds(3)); - } - - - @Test + } + + @Test + public void invalidUrlTest() throws Exception { + + String url = "faultyurl"; + + final Settings settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .put("path.home", ".") + .build(); + LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + ; + MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, fallback); + AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); + auditlog.store(msg); + Assert.assertEquals(null, auditlog.url); + Assert.assertEquals(null, auditlog.payload); + Assert.assertEquals(null, auditlog.webhookUrl); + // message must be stored in fallback + Assert.assertEquals(1, fallback.messages.size()); + Assert.assertEquals(msg, fallback.messages.get(0)); + } + + @Test + public void noServerRunningHttpTest() throws Exception { + String url = "http://localhost:8080/endpoint"; + + Settings settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .put("path.home", ".") + .build(); + + LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + ; + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); + 
auditlog.store(msg); + // can't connect, no server running ... + Assert.assertEquals("http://localhost:8080/endpoint", auditlog.webhookUrl); + // ... message must be stored in fallback + Assert.assertEquals(1, fallback.messages.size()); + Assert.assertEquals(msg, fallback.messages.get(0)); + } + + @Test + public void postGetHttpTest() throws Exception { + TestHttpHandler handler = new TestHttpHandler(); + + int port = findFreePort(); + server = ServerBootstrap.bootstrap() + .setListenerPort(port) + .setHttpProcessor(HttpProcessors.server("Test/1.1")) + .register("*", handler) + .create(); + + server.start(); + + String url = "http://localhost:" + port + "/endpoint"; + + // SLACK + Settings settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put("path.home", ".") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .build(); + + LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + ; + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); + auditlog.store(msg); + Assert.assertTrue(handler.method.equals("POST")); + Assert.assertTrue(handler.body != null); + Assert.assertTrue(handler.body.startsWith("{\"text\":")); + assertStringContainsAllKeysAndValues(handler.body); + // no message stored on fallback + Assert.assertEquals(0, fallback.messages.size()); + handler.reset(); + + // TEXT + settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "texT") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .put("path.home", ".") + .build(); 
+ + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog.store(msg); + Assert.assertTrue(handler.method.equals("POST")); + Assert.assertTrue(handler.body != null); + System.out.println(handler.body); + Assert.assertFalse(handler.body.contains("{")); + assertStringContainsAllKeysAndValues(handler.body); + handler.reset(); + + // JSON + settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "JSon") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .put("path.home", ".") + .build(); + + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog.store(msg); + Assert.assertTrue(handler.method.equals("POST")); + Assert.assertTrue(handler.body != null); + Assert.assertTrue(handler.body.contains("{")); + assertStringContainsAllKeysAndValues(handler.body); + handler.reset(); + + // URL POST + settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_POST") + .put("path.home", ".") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .build(); + + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog.store(msg); + Assert.assertTrue(handler.method.equals("POST")); + Assert.assertTrue(handler.body.equals("")); + Assert.assertTrue(!handler.body.contains("{")); + assertStringContainsAllKeysAndValues(URLDecoder.decode(handler.uri, StandardCharsets.UTF_8.displayName())); + handler.reset(); + + // URL GET + settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + 
.put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_GET") + .put("path.home", ".") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .build(); + + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog.store(msg); + Assert.assertTrue(handler.method.equals("GET")); + Assert.assertEquals(null, handler.body); + assertStringContainsAllKeysAndValues(URLDecoder.decode(handler.uri, StandardCharsets.UTF_8.displayName())); + server.awaitTermination(TimeValue.ofSeconds(3)); + } + + @Test + public void httpsTestWithoutTLSServer() throws Exception { + + TestHttpHandler handler = new TestHttpHandler(); + + int port = findFreePort(); + server = ServerBootstrap.bootstrap() + .setListenerPort(port) + .setHttpProcessor(HttpProcessors.server("Test/1.1")) + .register("*", handler) + .create(); + + server.start(); + + String url = "https://localhost:" + port + "/endpoint"; + + Settings settings = Settings.builder() + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put("path.home", ".") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .build(); + + LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + ; + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); + auditlog.store(msg); + Assert.assertTrue(handler.method == null); + Assert.assertTrue(handler.body == null); + Assert.assertTrue(handler.uri == null); + // ... 
so message must be stored in fallback + Assert.assertEquals(1, fallback.messages.size()); + Assert.assertEquals(msg, fallback.messages.get(0)); + server.awaitTermination(TimeValue.ofSeconds(3)); + } + + @Test public void httpsTest() throws Exception { TestHttpHandler handler = new TestHttpHandler(); - int port = findFreePort(); + int port = findFreePort(); server = ServerBootstrap.bootstrap() - .setListenerPort(port) - .setHttpProcessor(HttpProcessors.server("Test/1.1")) - .setSslContext(createSSLContext()) - .register("*", handler) - .create(); + .setListenerPort(port) + .setHttpProcessor(HttpProcessors.server("Test/1.1")) + .setSslContext(createSSLContext()) + .register("*", handler) + .create(); server.start(); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); 
@@ -379,30 +407,30 @@ public void httpsTest() throws Exception { // try with ssl verification on, no trust ca, must fail Settings settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "slack") - .put("path.home", ".") - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .build(); - - LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put("path.home", ".") + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .build(); + + LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); Assert.assertNull(handler.body); - // message must be stored in fallback - Assert.assertEquals(1, fallback.messages.size()); - Assert.assertEquals(msg, fallback.messages.get(0)); + // message must be stored in fallback + Assert.assertEquals(1, fallback.messages.size()); + Assert.assertEquals(msg, fallback.messages.get(0)); // disable ssl verification, no ca, call must succeed handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put("plugins.security.audit.config.webhook.ssl.verify", false) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.verify", false) + .put("path.home", ".") + .build(); auditlog = new 
WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); @@ -413,12 +441,15 @@ public void httpsTest() throws Exception { // enable ssl verification, provide correct trust ca, call must succeed handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); 
@@ -429,48 +460,54 @@ public void httpsTest() throws Exception { // enable ssl verification, provide wrong trust ca, call must succeed handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks") + ) + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); Assert.assertNull(handler.body); - server.awaitTermination(TimeValue.ofSeconds(3)); + server.awaitTermination(TimeValue.ofSeconds(3)); } - @Test + @Test public void httpsTestPemDefault() throws Exception { final int port = findFreePort(); - TestHttpHandler handler = new TestHttpHandler(); + TestHttpHandler handler = new TestHttpHandler(); server = ServerBootstrap.bootstrap() - .setListenerPort(port) - .setHttpProcessor(HttpProcessors.server("Test/1.1")) - .setSslContext(createSSLContext()) - .register("*", handler) - .create(); + .setListenerPort(port) + .setHttpProcessor(HttpProcessors.server("Test/1.1")) + .setSslContext(createSSLContext()) + .register("*", handler) + .create(); server.start(); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); - LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + LoggingSink fallback = 
new LoggingSink("test", Settings.EMPTY, null, null); String url = "https://localhost:" + port + "/endpoint"; // test default with filepath handler.reset(); Settings settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")) - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put( + "plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem") + ) + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); AuditLogSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); 
@@ -481,12 +518,15 @@ public void httpsTestPemDefault() throws Exception { // test default with missing filepath and fallback to correct Security settings handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); 
@@ -497,13 +537,16 @@ public void httpsTestPemDefault() throws Exception { // test default with wrong filepath and fallback to wrong Security settings handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks") + ) + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); 
@@ -513,12 +556,12 @@ public void httpsTestPemDefault() throws Exception { // test default with wrong/no filepath and no fallback to Security settings, must fail handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); 
@@ -528,12 +571,15 @@ public void httpsTestPemDefault() throws Exception { // test default with existing but wrong PEM, no fallback handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put( + "plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem") + ) + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); 
@@ -543,49 +589,58 @@ public void httpsTestPemDefault() throws Exception { // test default with existing but wrong PEM, fallback present but pemtrustedcas_filepath takes precedence and must fail handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.config.webhook.url", url) - .put("plugins.security.audit.config.webhook.format", "jSoN") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) - .put("plugins.security.audit.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") + ) + .put( + "plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem") + ) + .put("plugins.security.audit.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); Assert.assertNull(handler.body); - server.awaitTermination(TimeValue.ofSeconds(3)); - } + server.awaitTermination(TimeValue.ofSeconds(3)); + } - @Test + @Test public void httpsTestPemEndpoint() throws Exception { TestHttpHandler handler = new TestHttpHandler(); - int port = findFreePort(); + int port = findFreePort(); server = ServerBootstrap.bootstrap() - .setListenerPort(port) - .setHttpProcessor(HttpProcessors.server("Test/1.1")) - .setSslContext(createSSLContext()) - .register("*", handler) - .create(); + 
.setListenerPort(port) + .setHttpProcessor(HttpProcessors.server("Test/1.1")) + .setSslContext(createSSLContext()) + .register("*", handler) + .create(); server.start(); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); - LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); String url = "https://localhost:" + port + "/endpoint"; // test default with filepath handler.reset(); Settings settings = Settings.builder() - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")) - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put( + "plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem") + ) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); AuditLogSink auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); 
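Review bot: `Assert.assertNull(handler.body);` is asserted twice in a row at the end of the "existing but wrong PEM, fallback present" case of httpsTestPemDefault, and the same doubled line appears in the `@@ -641,49 +702,55 @@` hunk of httpsTestPemEndpoint; the second copy checks nothing new and was presumably meant for a different handler field, so either drop it or point it at the intended field. The POST checks in httpsTestPemEndpoint are written as `Assert.assertTrue(handler.method.equals("POST"));`, which fails with a NullPointerException rather than a readable assertion message when no request reached the handler; `Assert.assertEquals("POST", handler.method);` reports the actual value instead. httpsTestPemDefault begins before this hunk and httpsTestPemEndpoint continues past it.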
@@ -596,12 +651,15 @@ public void httpsTestPemEndpoint() throws Exception {
 // test default with missing filepath and fallback to correct Security settings
 handler.reset();
 settings = Settings.builder()
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url)
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN")
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("path.home", ".")
- .build();
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url)
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN")
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true)
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
+ )
+ .put("path.home", ".")
+ .build();
 auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback);
 auditlog.store(msg);
 Assert.assertTrue(handler.method.equals("POST"));
@@ -612,12 +670,15 @@ public void httpsTestPemEndpoint() throws Exception {
 // test default with wrong filepath and fallback to wrong Security settings
 handler.reset();
 settings = Settings.builder()
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url)
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN")
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks"))
- .put("path.home", ".")
- .build();
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url)
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN")
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true)
+ .put(
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")
+ )
+ .put("path.home", ".")
+ .build();
 auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback);
 auditlog.store(msg);
 Assert.assertNull(handler.method);
@@ -627,11 +688,11 @@ public void httpsTestPemEndpoint() throws Exception {
 // test default with wrong/no filepath and no fallback to Security settings, must fail
 handler.reset();
 settings = Settings.builder()
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url)
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN")
- .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true)
- .put("path.home", ".")
- .build();
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url)
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN")
+ .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true)
+ .put("path.home", ".")
+ .build();
 auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback);
 auditlog.store(msg);
 Assert.assertNull(handler.method);
@@ -641,49 +702,55 @@ public void httpsTestPemEndpoint() throws Exception { // test default with existing but wrong PEM, no fallback handler.reset(); settings = Settings.builder() - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put( + "plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem") + ) + .put("path.home", ".") + .build(); auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); Assert.assertNull(handler.body); - server.awaitTermination(TimeValue.ofSeconds(3)); - } + server.awaitTermination(TimeValue.ofSeconds(3)); + } - @Test + @Test public void httpsTestPemContentEndpoint() throws Exception { TestHttpHandler handler = new TestHttpHandler(); - int port = findFreePort(); + int port = findFreePort(); server = ServerBootstrap.bootstrap() - .setListenerPort(port) - .setHttpProcessor(HttpProcessors.server("Test/1.1")) - .setSslContext(createSSLContext()) - .register("*", handler) - .create(); + .setListenerPort(port) + .setHttpProcessor(HttpProcessors.server("Test/1.1")) + .setSslContext(createSSLContext()) + .register("*", handler) + .create(); server.start(); AuditMessage msg = 
MockAuditMessageFactory.validAuditMessage(); - LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); + LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); String url = "https://localhost:" + port + "/endpoint"; - // test with filecontent + // test with filecontent handler.reset(); Settings settings = Settings.builder() - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_content", FileHelper.loadFile("auditlog/root-ca.pem")) - .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put("path.home", ".") - .build(); + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put( + "plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_content", + FileHelper.loadFile("auditlog/root-ca.pem") + ) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("path.home", ".") + .build(); AuditLogSink auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); 
@@ -692,52 +759,51 @@ public void httpsTestPemContentEndpoint() throws Exception { Assert.assertTrue(handler.body.contains("{")); assertStringContainsAllKeysAndValues(handler.body); - server.awaitTermination(TimeValue.ofSeconds(3)); - } - - // for TLS support on our in-memory server - private SSLContext createSSLContext() throws Exception { - final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory - .getDefaultAlgorithm()); - final KeyStore trustStore = KeyStore.getInstance("JKS"); - InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks").toFile()); - trustStore.load(trustStream, "changeit".toCharArray()); - tmf.init(trustStore); - - final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); - final KeyStore keyStore = KeyStore.getInstance("JKS"); - InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks").toFile()); - - keyStore.load(keyStream, "changeit".toCharArray()); - kmf.init(keyStore, "changeit".toCharArray()); - - SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); - sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); - return sslContext; - } - - private void assertStringContainsAllKeysAndValues(String in) { - System.out.println(in); - Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION)); - Assert.assertTrue(in, in.contains(AuditMessage.CATEGORY)); - Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION)); - Assert.assertTrue(in, in.contains(AuditMessage.REMOTE_ADDRESS)); - Assert.assertTrue(in, in.contains(AuditMessage.ORIGIN)); - Assert.assertTrue(in, in.contains(AuditMessage.REQUEST_LAYER)); - Assert.assertTrue(in, in.contains(AuditMessage.TRANSPORT_REQUEST_TYPE)); - Assert.assertTrue(in, in.contains(AuditMessage.UTC_TIMESTAMP)); - Assert.assertTrue(in, in.contains(AuditCategory.FAILED_LOGIN.name())); - 
Assert.assertTrue(in, in.contains("FAILED_LOGIN")); - Assert.assertTrue(in, in.contains("John Doe")); - Assert.assertTrue(in, in.contains("8.8.8.8")); - //Assert.assertTrue(in, in.contains("CN=kirk,OU=client,O=client,L=test,C=DE")); - } - - private int findFreePort() { - try (ServerSocket serverSocket = new ServerSocket(0)) { - return serverSocket.getLocalPort(); - } catch (IOException e) { - throw new RuntimeException("Failed to find free port", e); - } - } + server.awaitTermination(TimeValue.ofSeconds(3)); + } + + // for TLS support on our in-memory server + private SSLContext createSSLContext() throws Exception { + final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + final KeyStore trustStore = KeyStore.getInstance("JKS"); + InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks").toFile()); + trustStore.load(trustStream, "changeit".toCharArray()); + tmf.init(trustStore); + + final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); + final KeyStore keyStore = KeyStore.getInstance("JKS"); + InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks").toFile()); + + keyStore.load(keyStream, "changeit".toCharArray()); + kmf.init(keyStore, "changeit".toCharArray()); + + SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); + sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + return sslContext; + } + + private void assertStringContainsAllKeysAndValues(String in) { + System.out.println(in); + Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION)); + Assert.assertTrue(in, in.contains(AuditMessage.CATEGORY)); + Assert.assertTrue(in, in.contains(AuditMessage.FORMAT_VERSION)); + Assert.assertTrue(in, in.contains(AuditMessage.REMOTE_ADDRESS)); + Assert.assertTrue(in, in.contains(AuditMessage.ORIGIN)); + 
Assert.assertTrue(in, in.contains(AuditMessage.REQUEST_LAYER)); + Assert.assertTrue(in, in.contains(AuditMessage.TRANSPORT_REQUEST_TYPE)); + Assert.assertTrue(in, in.contains(AuditMessage.UTC_TIMESTAMP)); + Assert.assertTrue(in, in.contains(AuditCategory.FAILED_LOGIN.name())); + Assert.assertTrue(in, in.contains("FAILED_LOGIN")); + Assert.assertTrue(in, in.contains("John Doe")); + Assert.assertTrue(in, in.contains("8.8.8.8")); + // Assert.assertTrue(in, in.contains("CN=kirk,OU=client,O=client,L=test,C=DE")); + } + + private int findFreePort() { + try (ServerSocket serverSocket = new ServerSocket(0)) { + return serverSocket.getLocalPort(); + } catch (IOException e) { + throw new RuntimeException("Failed to find free port", e); + } + } } diff --git a/src/test/java/org/opensearch/security/auth/InternalAuthBackendTests.java b/src/test/java/org/opensearch/security/auth/InternalAuthBackendTests.java index 3821be7038..c059c890ab 100644 --- a/src/test/java/org/opensearch/security/auth/InternalAuthBackendTests.java +++ b/src/test/java/org/opensearch/security/auth/InternalAuthBackendTests.java @@ -51,7 +51,7 @@ private char[] createArrayFromPasswordBytes(byte[] password) { CharBuffer buf = StandardCharsets.UTF_8.decode(wrap); char[] array = new char[buf.limit()]; buf.get(array); - Arrays.fill(password, (byte)0); + Arrays.fill(password, (byte) 0); return array; } @@ -68,12 +68,11 @@ public void testHashActionWithValidUserValidPassword() { char[] array = createArrayFromPasswordBytes(validPasswordBytes); - when(internalUsersModel.getHash(validUsernameAuth.getUsername())).thenReturn(hash); when(internalUsersModel.exists(validUsernameAuth.getUsername())).thenReturn(true); doReturn(true).when(internalAuthenticationBackend).passwordMatchesHash(Mockito.any(String.class), Mockito.any(char[].class)); - //Act + // Act internalAuthenticationBackend.authenticate(validUsernameAuth); verify(internalAuthenticationBackend, times(1)).passwordMatchesHash(hash, array); 
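Review bot: createSSLContext opens `trustStream` and `keyStream` with `new FileInputStream(...)` and never closes either, so every test that builds the in-memory TLS server leaks two file handles for the life of the JVM; both `load` calls should sit in try-with-resources as below. In assertStringContainsAllKeysAndValues the `AuditMessage.FORMAT_VERSION` check is repeated (second and fourth assertion), and `System.out.println(in)` dumps the full audit body to stdout on every call even when all assertions pass — the duplicate can be dropped and the print removed, since each `Assert.assertTrue(in, ...)` already attaches `in` to the failure message. The InternalAuthBackendTests hunks on this line are whitespace only.
```java
// for TLS support on our in-memory server
private SSLContext createSSLContext() throws Exception {
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    final KeyStore trustStore = KeyStore.getInstance("JKS");
    // close the stream once the store is loaded; KeyStore keeps no reference to it
    try (InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks").toFile())) {
        trustStore.load(trustStream, "changeit".toCharArray());
    }
    tmf.init(trustStore);

    final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    final KeyStore keyStore = KeyStore.getInstance("JKS");
    try (InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks").toFile())) {
        keyStore.load(keyStream, "changeit".toCharArray());
    }
    kmf.init(keyStore, "changeit".toCharArray());
    // … unchanged: SSLContext init and return …
}
```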
@@ -95,9 +94,11 @@ public void testHashActionWithValidUserInvalidPassword() {
 when(internalUsersModel.getHash("admin")).thenReturn(hash);
 when(internalUsersModel.exists("admin")).thenReturn(true);
- OpenSearchSecurityException ex = Assert.assertThrows(OpenSearchSecurityException.class,
- () -> internalAuthenticationBackend.authenticate(validUsernameAuth));
- assert(ex.getMessage().contains("password does not match"));
+ OpenSearchSecurityException ex = Assert.assertThrows(
+ OpenSearchSecurityException.class,
+ () -> internalAuthenticationBackend.authenticate(validUsernameAuth)
+ );
+ assert (ex.getMessage().contains("password does not match"));
 verify(internalAuthenticationBackend, times(1)).passwordMatchesHash(hash, array);
 }
@@ -114,11 +115,13 @@ public void testHashActionWithInvalidUserValidPassword() {
 char[] array = createArrayFromPasswordBytes(validPasswordBytes);
 when(internalUsersModel.exists("ertyuiykgjjfguyifdghc")).thenReturn(false);
- when(internalAuthenticationBackend.passwordMatchesHash(hash, array)).thenReturn(true); //Say that the password is correct
+ when(internalAuthenticationBackend.passwordMatchesHash(hash, array)).thenReturn(true); // Say that the password is correct
- OpenSearchSecurityException ex = Assert.assertThrows(OpenSearchSecurityException.class,
- () -> internalAuthenticationBackend.authenticate(invalidUsernameAuth));
- assert(ex.getMessage().contains("not found"));
+ OpenSearchSecurityException ex = Assert.assertThrows(
+ OpenSearchSecurityException.class,
+ () -> internalAuthenticationBackend.authenticate(invalidUsernameAuth)
+ );
+ assert (ex.getMessage().contains("not found"));
 verify(internalAuthenticationBackend, times(1)).passwordMatchesHash(hash, array);
 }
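Review bot: `assert (ex.getMessage().contains("password does not match"));` uses the Java `assert` statement, which is a no-op unless the JVM runs with `-ea`, so this check — and the `not found` checks in the next hunk and in the `@@ -136,10 +139,11 @@` hunk — can silently pass; use the JUnit assertion instead, e.g. `Assert.assertTrue(ex.getMessage(), ex.getMessage().contains("password does not match"));`. In testHashActionWithInvalidUserValidPassword the stub is written as `when(internalAuthenticationBackend.passwordMatchesHash(hash, array)).thenReturn(true);`, whereas the preceding test uses `doReturn(true).when(internalAuthenticationBackend).passwordMatchesHash(...)`; if `internalAuthenticationBackend` is a Mockito spy (its setup is outside this hunk), the `when(...)` form invokes the real `passwordMatchesHash` during stubbing, so the `doReturn` form is the one to use consistently.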
@@ -136,10 +139,11 @@ public void testHashActionWithInvalidUserInvalidPassword() {
 when(internalUsersModel.exists("ertyuiykgjjfguyifdghc")).thenReturn(false);
-
- OpenSearchSecurityException ex = Assert.assertThrows(OpenSearchSecurityException.class,
- () -> internalAuthenticationBackend.authenticate(invalidUsernameAuth));
+ OpenSearchSecurityException ex = Assert.assertThrows(
+ OpenSearchSecurityException.class,
+ () -> internalAuthenticationBackend.authenticate(invalidUsernameAuth)
+ );
 verify(internalAuthenticationBackend, times(1)).passwordMatchesHash(hash, array);
- assert(ex.getMessage().contains("not found"));
+ assert (ex.getMessage().contains("not found"));
 }
 }
diff --git a/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java b/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java
index 0656f9ccd1..63eb32f862 100644
--- a/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java
+++ b/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java
@@ -34,7 +34,6 @@ import static org.mockito.Mockito.mock;
 import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES;
-
 public class RolesInjectorTest {
 private TransportRequest transportRequest;
@@ -76,13 +75,7 @@ public void testInjected() {
 @Test
 public void testCorruptedInjection() {
- List corruptedStrs = Arrays.asList(
- "invalid",
- "role_1,role_2",
- " | ",
- " ",
- "|"
- );
+ List corruptedStrs = Arrays.asList("invalid", "role_1,role_2", " | ", " ", "|");
 corruptedStrs.forEach(name -> {
 ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
diff --git a/src/test/java/org/opensearch/security/auth/UserInjectorTest.java b/src/test/java/org/opensearch/security/auth/UserInjectorTest.java
index 09bc1653a4..e9570b1455 100644
--- a/src/test/java/org/opensearch/security/auth/UserInjectorTest.java
+++ b/src/test/java/org/opensearch/security/auth/UserInjectorTest.java
@@ -43,9 +43,7 @@ public class UserInjectorTest {
 @Before
 public void setup() {
 threadPool = mock(ThreadPool.class);
- Settings settings = Settings.builder()
- .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
- .build();
+ Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true).build();
 threadContext = new ThreadContext(settings);
 Mockito.when(threadPool.getThreadContext()).thenReturn(threadContext);
 transportRequest = mock(TransportRequest.class);
diff --git a/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java b/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java
index 2e8ddec15b..c92c328564 100644
--- a/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java
+++ b/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java
@@ -76,7 +76,6 @@ public void expiryTest() throws Exception {
 assertFalse(tracker.track("c"));
 assertTrue(tracker.track("c"));
-
 }
 @Test
diff --git a/src/test/java/org/opensearch/security/cache/CachingTest.java b/src/test/java/org/opensearch/security/cache/CachingTest.java
index 5276196856..4bff91a1f3 100644
--- a/src/test/java/org/opensearch/security/cache/CachingTest.java
+++ b/src/test/java/org/opensearch/security/cache/CachingTest.java
@@ -23,7 +23,7 @@ import org.opensearch.security.test.helper.rest.RestHelper;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
-public class CachingTest extends SingleClusterTest{
+public class CachingTest extends SingleClusterTest {
 @Override
 protected String getResourceFolder() {
@@ -84,16 +84,28 @@ public void testRestCachingWithImpersonation() throws Exception {
 final Settings settings = Settings.builder().putList("plugins.security.authcz.rest_impersonation_user.dummy", "*").build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings);
 final RestHelper rh = nonSslRestHelper();
- HttpResponse res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", new BasicHeader("opendistro_security_impersonate_as", "impuser"));
+ HttpResponse res = rh.executeGetRequest(
+ "_opendistro/_security/authinfo?pretty",
+ new BasicHeader("opendistro_security_impersonate_as", "impuser")
+ );
 System.out.println(res.getBody());
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", new BasicHeader("opendistro_security_impersonate_as", "impuser"));
+ res = rh.executeGetRequest(
+ "_opendistro/_security/authinfo?pretty",
+ new BasicHeader("opendistro_security_impersonate_as", "impuser")
+ );
 System.out.println(res.getBody());
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", new BasicHeader("opendistro_security_impersonate_as", "impuser"));
+ res = rh.executeGetRequest(
+ "_opendistro/_security/authinfo?pretty",
+ new BasicHeader("opendistro_security_impersonate_as", "impuser")
+ );
 System.out.println(res.getBody());
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", new BasicHeader("opendistro_security_impersonate_as", "impuser2"));
+ res = rh.executeGetRequest(
+ "_opendistro/_security/authinfo?pretty",
+ new BasicHeader("opendistro_security_impersonate_as", "impuser2")
+ );
 System.out.println(res.getBody());
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
diff --git a/src/test/java/org/opensearch/security/cache/DummyAuthenticationBackend.java b/src/test/java/org/opensearch/security/cache/DummyAuthenticationBackend.java
index f41ddade65..5e7980f431 100644
--- a/src/test/java/org/opensearch/security/cache/DummyAuthenticationBackend.java
+++ b/src/test/java/org/opensearch/security/cache/DummyAuthenticationBackend.java
@@ -19,14 +19,12 @@ import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
-
 public class DummyAuthenticationBackend implements AuthenticationBackend {
 private static volatile long authCount;
 private static volatile long existsCount;
- public DummyAuthenticationBackend(final Settings settings, final Path configPath) {
- }
+ public DummyAuthenticationBackend(final Settings settings, final Path configPath) {}
 @Override
 public String getType() {
@@ -54,7 +52,7 @@ public static long getExistsCount() {
 }
 public static void reset() {
- authCount=0;
- existsCount=0;
+ authCount = 0;
+ existsCount = 0;
 }
 }
diff --git a/src/test/java/org/opensearch/security/cache/DummyAuthorizer.java b/src/test/java/org/opensearch/security/cache/DummyAuthorizer.java
index 4c489f0c00..8f8a507cb8 100644
--- a/src/test/java/org/opensearch/security/cache/DummyAuthorizer.java
+++ b/src/test/java/org/opensearch/security/cache/DummyAuthorizer.java
@@ -19,13 +19,11 @@ import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
-
 public class DummyAuthorizer implements AuthorizationBackend {
 private static volatile long count;
- public DummyAuthorizer(final Settings settings, final Path configPath) {
- }
+ public DummyAuthorizer(final Settings settings, final Path configPath) {}
 @Override
 public String getType() {
@@ -44,7 +42,7 @@ public static long getCount() {
 }
 public static void reset() {
- count=0;
+ count = 0;
 }
 }
diff --git a/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java b/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java
index 48bead257b..55c2e789c6 100644
--- a/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java
+++ b/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java
@@ -25,8 +25,7 @@ public class DummyHTTPAuthenticator implements HTTPAuthenticator {
 private static volatile long count;
- public DummyHTTPAuthenticator(final Settings settings, final Path configPath) {
- }
+ public DummyHTTPAuthenticator(final Settings settings, final Path configPath) {}
 @Override
 public String getType() {
@@ -49,6 +48,6 @@ public static long getCount() {
 }
 public static void reset() {
- count=0;
+ count = 0;
 }
 }
diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterMinimalRoundtripSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterMinimalRoundtripSearchTests.java
index 292a0d38d8..db948b77df 100644
--- a/src/test/java/org/opensearch/security/ccstest/CrossClusterMinimalRoundtripSearchTests.java
+++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterMinimalRoundtripSearchTests.java
@@ -13,5 +13,7 @@ public class CrossClusterMinimalRoundtripSearchTests extends CrossClusterSearchTests {
 @Override
- protected boolean ccsMinimizeRoundtrips() { return true; }
+ protected boolean ccsMinimizeRoundtrips() {
+ return true;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java
index b9b4d22d49..fad6c77a1a 100644
--- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java
+++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java
@@ -68,14 +68,20 @@ public class CrossClusterSearchTests extends AbstractSecurityUnitTest {
- private final ClusterHelper cl1 = new ClusterHelper("crl1_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime());
- private final ClusterHelper cl2 = new ClusterHelper("crl2_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime());
+ private final ClusterHelper cl1 = new ClusterHelper(
+ "crl1_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime()
+ );
+ private final ClusterHelper cl2 = new ClusterHelper(
+ "crl2_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime()
+ );
 private ClusterInfo cl1Info;
 private ClusterInfo cl2Info;
 private RestHelper rh1;
 private RestHelper rh2;
- protected boolean ccsMinimizeRoundtrips() { return false; };
+ protected boolean ccsMinimizeRoundtrips() {
+ return false;
+ };
 private static class ClusterTransportClientSettings extends Tuple {
@@ -84,9 +90,7 @@ public ClusterTransportClientSettings() {
 }
 public ClusterTransportClientSettings(Settings clusterSettings, Settings transportSettings) {
- super(Settings.builder()
- .put(clusterSettings)
- .putList("node.roles", "remote_cluster_client").build(), transportSettings);
+ super(Settings.builder().put(clusterSettings).putList("node.roles", "remote_cluster_client").build(), transportSettings);
 }
 public Settings clusterSettings() {
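Review bot: `protected boolean ccsMinimizeRoundtrips() { return false; };` carried a stray `;` after the method body, and the reformat has now promoted it to its own line as `};` — an empty declaration the formatter cannot remove; change that closing line to `}` (the subclass override in CrossClusterMinimalRoundtripSearchTests already has the clean form). The `cl1`/`cl2` initializers mix `num.incrementAndGet()`, the `forkno` system property and `System.nanoTime()` into the cluster name, which is not self-explanatory; a one-line comment such as `// unique cluster name per test instance and per forked test JVM` above the two fields would save the next reader from working it out. The class body continues beyond this hunk.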
@@ -106,10 +110,13 @@ private void setupCcs(DynamicSecurityConfig dynamicSecurityConfig) throws Except
 setupCcs(dynamicSecurityConfig, new ClusterTransportClientSettings(), new ClusterTransportClientSettings());
 }
- private void setupCcs(DynamicSecurityConfig dynamicSecurityConfig,
- ClusterTransportClientSettings cluster1Settings, ClusterTransportClientSettings cluster2Settings) throws Exception {
+ private void setupCcs(
+ DynamicSecurityConfig dynamicSecurityConfig,
+ ClusterTransportClientSettings cluster1Settings,
+ ClusterTransportClientSettings cluster2Settings
+ ) throws Exception {
- System.setProperty("security.display_lic_none","true");
+ System.setProperty("security.display_lic_none", "true");
 Tuple cluster2 = setupCluster(cl2, cluster2Settings, dynamicSecurityConfig);
 cl2Info = cluster2.v1();
@@ -120,19 +127,17 @@ private void setupCcs(DynamicSecurityConfig dynamicSecurityConfig,
 rh1 = cluster1.v2();
 final String seed = cl2Info.nodeHost + ":" + cl2Info.nodePort;
- String json =
- "{" +
- "\"persistent\" : {" +
- "\"cluster.remote.cross_cluster_two.seeds\" : [\"" + seed + "\"]" +
- "}" +
- "}";
-
+ String json = "{" + "\"persistent\" : {" + "\"cluster.remote.cross_cluster_two.seeds\" : [\"" + seed + "\"]" + "}" + "}";
 HttpResponse response = rh1.executePutRequest("_cluster/settings", json, encodeBasicHeader("sarek", "sarek"));
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 }
- private Tuple setupCluster(ClusterHelper ch, ClusterTransportClientSettings cluster, DynamicSecurityConfig dynamicSecurityConfig) throws Exception {
+ private Tuple setupCluster(
+ ClusterHelper ch,
+ ClusterTransportClientSettings cluster,
+ DynamicSecurityConfig dynamicSecurityConfig
+ ) throws Exception {
 NodeSettingsSupplier settings = minimumSecuritySettings(cluster.clusterSettings());
 ClusterInfo clusterInfo = ch.startCluster(settings, ClusterConfiguration.DEFAULT);
 initialize(ch, clusterInfo, dynamicSecurityConfig);
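Review bot: `String json = "{" + "\"persistent\" : {" + "\"cluster.remote.cross_cluster_two.seeds\" : [\"" + seed + "\"]" + "}" + "}";` in the `@@ -120,19 +127,17 @@` hunk now joins adjacent string literals with `+` on one line, which keeps the old line-by-line structure's noise without its readability; collapse it to one literal, `String json = "{\"persistent\" : {\"cluster.remote.cross_cluster_two.seeds\" : [\"" + seed + "\"]}}";`, or, if the build targets Java 15+, a text block with `.formatted(seed)`. `System.setProperty("security.display_lic_none", "true");` in setupCcs mutates JVM-global state and nothing in this hunk restores it; unless tearDown (outside the hunk) clears the property, it bleeds into every later test in the same forked JVM, so either clear it there or note in a comment why that is acceptable. Both setupCcs overloads and setupCluster continue past the hunk.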
@@ -154,52 +159,82 @@ public void tearDown() throws Exception { public void testCcs() throws Exception { setupCcs(); - final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("nagilum","nagilum")).getBody(); + final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("nagilum", "nagilum") + ).getBody(); Assert.assertTrue(cl1BodyMain.contains("crl1")); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } - final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("nagilum","nagilum")).getBody(); + final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("nagilum", "nagilum") + ).getBody(); Assert.assertTrue(cl2BodyMain.contains("crl2")); try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": 
\""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } HttpResponse ccs = null; System.out.println("###################### query 1"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("nagilum", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("crl1")); Assert.assertTrue(ccs.getBody().contains("crl2")); Assert.assertTrue(ccs.getBody().contains("twitter")); - System.out.println("###################### query 4"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:xx,xx/xx/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:xx,xx/xx/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("nagilum", "nagilum") + ); System.out.println(ccs.getBody()); - //TODO fix exception nesting - //Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, ccs.getStatusCode()); - //Assert.assertTrue(ccs.getBody().contains("Can not filter indices; index cross_cluster_two:xx exists but there is also a remote 
cluster named: cross_cluster_two")); + // TODO fix exception nesting + // Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, ccs.getStatusCode()); + // Assert.assertTrue(ccs.getBody().contains("Can not filter indices; index cross_cluster_two:xx exists but there is also a remote + // cluster named: cross_cluster_two")); System.out.println("###################### query 5"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:abcnonext/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:abcnonext/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("nagilum", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, ccs.getStatusCode()); Assert.assertTrue(ccs.getBody().contains("index_not_found_exception")); System.out.println("###################### query 6"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,twutter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twitter,twutter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("nagilum", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("security_exception")); 
@@ -213,168 +248,279 @@ public void testCcs() throws Exception { public void testCcsNonadmin() throws Exception { setupCcs(); - final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); Assert.assertTrue(cl1BodyMain.contains("crl1")); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("coordalias"))).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("coordalias"))) + .actionGet(); } - final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); Assert.assertTrue(cl2BodyMain.contains("crl2")); try (Client tc = 
cl2.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("remotealias"))).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("remotealias"))) + .actionGet(); } HttpResponse ccs = null; System.out.println("###################### query 1"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); System.out.println("###################### query 2"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twit*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executeGetRequest( + "cross_cluster_two:twit*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - System.out.println("###################### query 3"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,twitter,twutter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twitter,twitter,twutter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); System.out.println("###################### query 4"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); 
System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertTrue(ccs.getBody().contains("crl1_")); Assert.assertTrue(ccs.getBody().contains("crl2_")); System.out.println("###################### query 5"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twutter,twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twutter,twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); System.out.println("###################### query 6"); - String msearchBody = - "{}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + String msearchBody = "{}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:twitter,twitter/_msearch?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), msearchBody, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:twitter,twitter/_msearch?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + msearchBody, + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); System.out.println("###################### query 7"); - msearchBody = - "{}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + msearchBody = "{}" + + 
System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:twitter/_msearch?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), msearchBody, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:twitter/_msearch?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + msearchBody, + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("_all/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "_all/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + 
"cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("*:*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "*:*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("hfghgtdhfhuth/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, 
false, getResourceFolder()).executeGetRequest( + "hfghgtdhfhuth/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("hfghgtdhfhuth*/_search", encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "hfghgtdhfhuth*/_search", + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); //TODO: Change for 25.0 to be forbidden (Indices options) + Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); // TODO: Change for 25.0 to be forbidden (Indices options) - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(":*/_search", encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(":*/_search", encodeBasicHeader("worf", "worf")); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); //TODO: Change for 25.0 to be forbidden (Indices options) + Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); // TODO: Change for 25.0 to be forbidden (Indices options) - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("*:/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "*:/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, 
ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E,%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E,%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips=" + + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), 
encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("worf", "worf") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - 
ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); System.out.println("#### Alias both"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("notexist,coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "notexist,coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - //TODO Fix for 25.0 to resolve coordalias (Indices options) + // TODO Fix for 25.0 to resolve coordalias (Indices options) - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), 
encodeBasicHeader("crusherw","crusherw")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("crusherw", "crusherw") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); 
@@ -384,176 +530,291 @@ public void testCcsNonadmin() throws Exception { public void testCcsNonadminDnfof() throws Exception { setupCcs(new DynamicSecurityConfig().setConfig("config_dnfof.yml")); - final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); Assert.assertTrue(cl1BodyMain.contains("crl1")); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("coordalias"))).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("coordalias"))) + .actionGet(); } - final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); 
Assert.assertTrue(cl2BodyMain.contains("crl2")); try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("remotealias"))).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("twitter").alias("remotealias"))) + .actionGet(); } HttpResponse ccs = null; System.out.println("###################### query 1"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("crl1_")); Assert.assertTrue(ccs.getBody().contains("crl2_")); System.out.println("###################### query 2"); - ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executeGetRequest("cross_cluster_two:twit*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twit*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - System.out.println("###################### query 3"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,twitter,twutter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twitter,twitter,twutter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("twutter")); System.out.println("###################### query 4"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertTrue(ccs.getBody().contains("crl1_")); Assert.assertTrue(ccs.getBody().contains("crl2_")); System.out.println("###################### query 5"); - ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executeGetRequest("cross_cluster_two:twutter,twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:twutter,twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); System.out.println("###################### query 6"); - String msearchBody = - "{}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + String msearchBody = "{}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:twitter,twitter/_msearch?pretty", msearchBody, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:twitter,twitter/_msearch?pretty", + msearchBody, + encodeBasicHeader("twitter", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); System.out.println("###################### query 7"); - msearchBody = - "{}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + msearchBody = "{}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:twitter/_msearch?pretty", msearchBody, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + 
"cross_cluster_two:twitter/_msearch?pretty",
+ msearchBody,
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("_all/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "_all/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:twitter,twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executeGetRequest(
+ "_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
System.out.println("#####*");
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:*,*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:*,*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertTrue(ccs.getBody().contains("crl1_"));
Assert.assertTrue(ccs.getBody().contains("crl2_"));
- //wildcard in remote cluster names
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("*cross*:*twit*,*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum"));
+ // wildcard in remote cluster names
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "*cross*:*twit*,*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter,t*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:twitter,t*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("*:*/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "*:*/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("hfghgtdhfhuth/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "hfghgtdhfhuth/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("hfghgtdhfhuth*/_search", encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "hfghgtdhfhuth*/_search",
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, 
ccs.getStatusCode());
- Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); //TODO: Change for 25.0 to be forbidden (Indices options)
+ Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); // TODO: Change for 25.0 to be forbidden (Indices options)
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(":*/_search", encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(":*/_search", encodeBasicHeader("worf", "worf"));
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
- Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); //TODO: Change for 25.0 to be forbidden (Indices options)
+ Assert.assertTrue(ccs.getBody().contains("\"hits\":[]")); // TODO: Change for 25.0 to be forbidden (Indices options)
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("*:/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "*:/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executeGetRequest("cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E,%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:%3Clogstash-%7Bnow%2Fd%7D%3E,%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty&ccs_minimize_roundtrips="
+ + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executeGetRequest(
+ "coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("worf","worf"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("worf", "worf")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:remotealias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executeGetRequest("cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:remotealias,coordalias/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("crusherw","crusherw"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("crusherw", "crusherw")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
}
@@ -562,21 +823,33 @@ public void testCcsNonadminDnfof() throws Exception {
public void testCcsEmptyCoord() throws Exception {
setupCcs();
- final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody();
+ final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "",
+ encodeBasicHeader("twitter", "nagilum")
+ ).getBody();
Assert.assertTrue(cl1BodyMain.contains("crl1"));
- final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody();
+ final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest(
+ "",
+ encodeBasicHeader("twitter", "nagilum")
+ ).getBody();
Assert.assertTrue(cl2BodyMain.contains("crl2"));
try (Client tc = cl2.nodeClient()) {
- tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
}
HttpResponse ccs = null;
System.out.println("###################### query 1");
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "cross_cluster_two:twitter/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(),
+ encodeBasicHeader("twitter", "nagilum")
+ );
System.out.println(ccs.getBody());
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
@@ -590,74 +863,120 @@ public void testCcsEmptyCoord() throws Exception {
public void testCcsDashboardsAggregations() throws Exception {
setupCcs();
- final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody();
+ final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "",
+ encodeBasicHeader("twitter", "nagilum")
+ ).getBody();
Assert.assertTrue(cl1BodyMain.contains("crl1"));
- final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody();
+ final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest(
+ "",
+ encodeBasicHeader("twitter", "nagilum")
+ ).getBody();
Assert.assertTrue(cl2BodyMain.contains("crl2"));
try (Client tc = cl1.nodeClient()) {
- tc.index(new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
}
-
try (Client tc = cl2.nodeClient()) {
- tc.index(new IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ 
.source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
}
HttpResponse ccs = null;
System.out.println("###################### kibana indices agg");
String dashboardsIndicesAgg = "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":100}}}}";
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertFalse(ccs.getBody().contains("cross_cluster_two"));
Assert.assertTrue(ccs.getBody().contains("coordinating"));
Assert.assertTrue(ccs.getBody().contains("abc"));
Assert.assertFalse(ccs.getBody().contains("remote"));
- ccs = new RestHelper(cl2Info, false, false, getResourceFolder()).executePostRequest("*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl2Info, false, false, getResourceFolder()).executePostRequest(
+ "*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertFalse(ccs.getBody().contains("cross_cluster_two"));
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
Assert.assertTrue(ccs.getBody().contains("remote"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ 
"cross_cluster_two:/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_NOT_FOUND, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:remo*,coo*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:remo*,coo*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two"));
Assert.assertTrue(ccs.getBody().contains("remote"));
Assert.assertTrue(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:remote/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:remote/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two"));
Assert.assertTrue(ccs.getBody().contains("remote"));
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:*/_search?pretty",
+ 
dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two"));
Assert.assertTrue(ccs.getBody().contains("remote"));
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:*,*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:*,*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two"));
Assert.assertTrue(ccs.getBody().contains("remote"));
Assert.assertTrue(ccs.getBody().contains("coordinating"));
Assert.assertTrue(ccs.getBody().contains("abc"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:remo*,ab*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("nagilum","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:remo*,ab*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("nagilum", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two"));
@@ -670,35 +989,59 @@ public void testCcsDashboardsAggregations() throws Exception {
public void testCcsDashboardsAggregationsNonAdminDnfof() throws Exception {
setupCcs(new DynamicSecurityConfig().setConfig("config_dnfof.yml"));
- final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody();
+ final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest(
+ "",
+ encodeBasicHeader("twitter", "nagilum")
+ ).getBody();
Assert.assertTrue(cl1BodyMain.contains("crl1"));
- final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody();
+ final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest(
+ "",
+ encodeBasicHeader("twitter", "nagilum")
+ ).getBody();
Assert.assertTrue(cl2BodyMain.contains("crl2"));
try (Client tc = cl1.nodeClient()) {
- tc.index(new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new 
IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
}
-
try (Client tc = cl2.nodeClient()) {
- tc.index(new IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("analytics").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0")
- .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
+
+ tc.index(
+ new IndexRequest("analytics").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .id("0")
+ .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON)
+ ).actionGet();
}
HttpResponse ccs = null;
System.out.println("###################### kibana indices agg");
String dashboardsIndicesAgg = "{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":100}}}}";
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertFalse(ccs.getBody().contains("cross_cluster_two"));
@@ -708,7 +1051,11 @@ public void testCcsDashboardsAggregationsNonAdminDnfof() throws Exception {
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
Assert.assertFalse(ccs.getBody().contains("remote"));
- ccs = new RestHelper(cl2Info, false, false, getResourceFolder()).executePostRequest("*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl2Info, false, false, getResourceFolder()).executePostRequest(
+ "*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertFalse(ccs.getBody().contains("cross_cluster_two"));
@@ -718,7 +1065,11 @@ public void testCcsDashboardsAggregationsNonAdminDnfof() throws Exception {
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
Assert.assertFalse(ccs.getBody().contains("remote"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:*,*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:*,*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two:analytics"));
@@ -726,9 +1077,17 @@ public void testCcsDashboardsAggregationsNonAdminDnfof() throws Exception {
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
Assert.assertFalse(ccs.getBody().contains("remote"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:remo*,coo*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:remo*,coo*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:ana*,twi*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:ana*,twi*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two:analytics"));
@@ -736,7 +1095,11 @@ public void testCcsDashboardsAggregationsNonAdminDnfof() throws Exception {
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
Assert.assertFalse(ccs.getBody().contains("remote"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:ana*,xyz*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:ana*,xyz*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two:analytics"));
@@ -744,9 +1107,17 @@ public void testCcsDashboardsAggregationsNonAdminDnfof() throws Exception {
Assert.assertFalse(ccs.getBody().contains("coordinating"));
Assert.assertFalse(ccs.getBody().contains("abc"));
Assert.assertFalse(ccs.getBody().contains("remote"));
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:ana*,xyz/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:ana*,xyz/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_NOT_FOUND, ccs.getStatusCode());
- ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:*/_search?pretty", dashboardsIndicesAgg, encodeBasicHeader("twitter","nagilum"));
+ ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest(
+ "cross_cluster_two:*/_search?pretty",
+ dashboardsIndicesAgg,
+ encodeBasicHeader("twitter", "nagilum")
+ );
Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());
Assert.assertFalse(ccs.getBody().contains("security_exception"));
Assert.assertTrue(ccs.getBody().contains("cross_cluster_two:analytics"));
@@ -760,30 +1131,48 @@ public void testCcsDashboardsAggregationsNonAdminDnfof() throws Exception { public void testCcsAggregations() throws Exception { setupCcs(); - final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); Assert.assertTrue(cl1BodyMain.contains("crl1")); - final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); Assert.assertTrue(cl2BodyMain.contains("crl2")); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } - try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new 
IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } HttpResponse ccs = null; System.out.println("###################### aggs"); final String agg = "{\"size\":0,\"aggs\":{\"clusteragg\":{\"terms\":{\"field\":\"cluster.keyword\",\"size\":100}}}}"; - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("*:*,*/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "*:*,*/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("security_exception")); Assert.assertTrue(ccs.getBody().contains("\"timed_out\" : false")); @@ -791,7 +1180,11 @@ public void testCcsAggregations() throws Exception { Assert.assertTrue(ccs.getBody().contains("crl2")); Assert.assertTrue(ccs.getBody().contains("\"doc_count\" : 2")); Assert.assertTrue(ccs.getBody().contains("\"doc_count\" : 1")); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("coordin*/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "coordin*/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("security_exception")); Assert.assertTrue(ccs.getBody().contains("\"timed_out\" : false")); 
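Review bot: The assertions that follow the reformatted `executePostRequest("*:*,*/_search?pretty", agg, ...)` call match pretty-printed spacing such as `"doc_count" : 2` and `"timed_out" : false`, so the `?pretty` suffix in the new line is load-bearing rather than cosmetic, and nothing says so. A one-line comment above the first request, `// ?pretty is required: the assertions below match the pretty-printed "key" : value spacing`, would stop a later cleanup from dropping it; the same applies to the `@@ -791`, `@@ -799`, `@@ -807` and `@@ -863` hunks of this file. Separately, `HttpResponse ccs = null;` is only assigned a few statements later on the new side, so the declaration could be folded into that first assignment. `testCcsAggregations` starts inside this hunk but its later requests continue in the following hunks.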
@@ -799,7 +1192,11 @@ public void testCcsAggregations() throws Exception { Assert.assertFalse(ccs.getBody().contains("crl2")); Assert.assertFalse(ccs.getBody().contains("\"doc_count\" : 2")); Assert.assertTrue(ccs.getBody().contains("\"doc_count\" : 1")); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:remo*/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:remo*/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("security_exception")); Assert.assertTrue(ccs.getBody().contains("\"timed_out\" : false")); 
@@ -807,55 +1204,107 @@ public void testCcsAggregations() throws Exception { Assert.assertTrue(ccs.getBody().contains("crl2")); Assert.assertFalse(ccs.getBody().contains("\"doc_count\" : 2")); Assert.assertTrue(ccs.getBody().contains("\"doc_count\" : 1")); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:notfound,*/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:notfound,*/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:*,notfound/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:*,notfound/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:notfound,notfound/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:notfound,notfound/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:notfou*,*/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());//TODO: Change for 25.0 to be forbidden (Indices options) - ccs = new RestHelper(cl1Info, false, false, 
getResourceFolder()).executePostRequest("cross_cluster_two:*,notfou*/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());//TODO: Change for 25.0 to be forbidden (Indices options) - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:not*,notf*/_search?pretty", agg, encodeBasicHeader("nagilum","nagilum")); - Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());//TODO: Change for 25.0 to be forbidden (Indices options) + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:notfou*,*/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); + Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());// TODO: Change for 25.0 to be forbidden (Indices options) + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:*,notfou*/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); + Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());// TODO: Change for 25.0 to be forbidden (Indices options) + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:not*,notf*/_search?pretty", + agg, + encodeBasicHeader("nagilum", "nagilum") + ); + Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());// TODO: Change for 25.0 to be forbidden (Indices options) } @Test public void testCcsAggregationsDnfof() throws Exception { setupCcs(new DynamicSecurityConfig().setConfig("config_dnfof.yml")); - final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); Assert.assertTrue(cl1BodyMain.contains("crl1")); - final 
String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("twitter", "nagilum") + ).getBody(); Assert.assertTrue(cl2BodyMain.contains("crl2")); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("coordinating").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("abc").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } - try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("analytics").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new 
IndexRequest("remote").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + + tc.index( + new IndexRequest("analytics").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } HttpResponse ccs = null; System.out.println("###################### aggs"); final String agg = "{\"size\":0,\"aggs\":{\"clusteragg\":{\"terms\":{\"field\":\"cluster.keyword\",\"size\":100}}}}"; - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:notfound,*/_search?pretty", agg, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:notfound,*/_search?pretty", + agg, + encodeBasicHeader("twitter", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:notfound*,*/_search?pretty", agg, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:notfound*,*/_search?pretty", + agg, + encodeBasicHeader("twitter", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("security_exception")); Assert.assertTrue(ccs.getBody().contains("\"timed_out\" : false")); 
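Review bot: The three `Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode());// TODO: Change for 25.0 to be forbidden (Indices options)` lines at the end of `testCcsAggregations` now carry the formatter's `;//` with the identical TODO glued to each statement. These three requests (`notfou*,*`, `*,notfou*`, `not*,notf*`) are the only ones in the method where a pattern matching nothing is expected to return 200 while the literal `notfound` forms above them return 404, so one comment above the group stating why an unmatched wildcard is allowed but an unknown literal index is not would document the behavior the test pins, and the `25.0` target looks like it predates this project's versioning, so a tracking-issue reference would be easier to act on. The same three-request group appears again under DNFOF in the `@@ -863` hunk. The `testCcsAggregationsDnfof` part of this hunk continues past its end.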
@@ -863,58 +1312,97 @@ public void testCcsAggregationsDnfof() throws Exception { Assert.assertFalse(ccs.getBody().contains("crl2")); Assert.assertFalse(ccs.getBody().contains("\"doc_count\" : 2")); Assert.assertTrue(ccs.getBody().contains("\"doc_count\" : 1")); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:*,notfound/_search?pretty", agg, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:*,notfound/_search?pretty", + agg, + encodeBasicHeader("twitter", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:notfound,notfound/_search?pretty", agg, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:notfound,notfound/_search?pretty", + agg, + encodeBasicHeader("twitter", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:notfou*,*/_search?pretty", agg, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:notfou*,*/_search?pretty", + agg, + encodeBasicHeader("twitter", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:*,notfou*/_search?pretty", agg, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:*,notfou*/_search?pretty", + agg, + encodeBasicHeader("twitter", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_OK, 
ccs.getStatusCode()); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("cross_cluster_two:not*,notf*/_search?pretty", agg, encodeBasicHeader("twitter","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "cross_cluster_two:not*,notf*/_search?pretty", + agg, + encodeBasicHeader("twitter", "nagilum") + ); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); } - private ClusterTransportClientSettings getBaseSettingsWithDifferentCert() { Settings cluster = Settings.builder() .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) + .put( + SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks") + ) + .put( + SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks") + ) + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12") + ) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .putList(ConfigConstants.SECURITY_NODES_DN, - "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE")//, "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE") - .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, + .putList( + ConfigConstants.SECURITY_NODES_DN, + 
"EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE" + )// , "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE") + .putList( + ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, "EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE", - "CN=kirk,OU=client,O=client,l=tEst, C=De") - .put(ConfigConstants.SECURITY_CERT_OID,"1.2.3.4.5.6") + "CN=kirk,OU=client,O=client,l=tEst, C=De" + ) + .put(ConfigConstants.SECURITY_CERT_OID, "1.2.3.4.5.6") .build(); Settings transport = Settings.builder() - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12") + ) .build(); return new ClusterTransportClientSettings(cluster, transport); } private void populateBaseData(ClusterTransportClientSettings cluster1, ClusterTransportClientSettings cluster2) throws Exception { - final String cl1BodyMain = rh1.executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl1BodyMain = rh1.executeGetRequest("", encodeBasicHeader("twitter", "nagilum")).getBody(); Assert.assertTrue(cl1BodyMain, cl1BodyMain.contains("crl1")); - final String cl2BodyMain = rh2.executeGetRequest("", encodeBasicHeader("twitter","nagilum")).getBody(); + final String cl2BodyMain = rh2.executeGetRequest("", encodeBasicHeader("twitter", "nagilum")).getBody(); Assert.assertTrue(cl2BodyMain.contains("crl2")); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } try 
(Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } } @@ -939,9 +1427,11 @@ public void testCcsWithDiffCertsWithNodesDnStaticallyAdded() throws Exception { ClusterTransportClientSettings cluster2 = getBaseSettingsWithDifferentCert(); Settings updatedCluster2 = Settings.builder() .put(cluster2.clusterSettings()) - .putList(ConfigConstants.SECURITY_NODES_DN, + .putList( + ConfigConstants.SECURITY_NODES_DN, "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE", - "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE") + "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE" + ) .build(); cluster2 = new ClusterTransportClientSettings(updatedCluster2, cluster2.transportClientSettings()); @@ -966,9 +1456,11 @@ public void testCcsWithDiffCertsWithNodesDnDynamicallyAdded() throws Exception { setupCcs(new DynamicSecurityConfig().setSecurityNodesDn("nodes_dn_empty.yml"), cluster1, cluster2); - HttpResponse response = rh2.executePutRequest("_opendistro/_security/api/nodesdn/connection1", + HttpResponse response = rh2.executePutRequest( + "_opendistro/_security/api/nodesdn/connection1", "{\"nodes_dn\": [\"CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE\"]}", - encodeBasicHeader("sarek", "sarek")); + encodeBasicHeader("sarek", "sarek") + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_CREATED)); populateBaseData(cluster1, cluster2); 
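Review bot: In `getBaseSettingsWithDifferentCert` the reformatted `putList(ConfigConstants.SECURITY_NODES_DN, ...)` still ends with the commented-out remnant `)// , "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE")`; the `@@ -939` hunk below adds exactly that DN explicitly in `testCcsWithDiffCertsWithNodesDnStaticallyAdded`, so the remnant is dead text and should be deleted rather than re-spaced. In the same hunk `populateBaseData(ClusterTransportClientSettings cluster1, ClusterTransportClientSettings cluster2)` never reads either parameter — its body only touches `rh1`, `rh2`, `cl1`, `cl2`, `cl1Info` and `cl2Info` — so the signature could shrink to `private void populateBaseData() throws Exception` with the call in the `@@ -966` hunk adjusted to match. The two main-endpoint checks are also inconsistent: `Assert.assertTrue(cl1BodyMain, cl1BodyMain.contains("crl1"))` passes the body as failure message while the `crl2` check passes none.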
@@ -988,41 +1480,59 @@ public void testCcsWithDiffCertsWithNodesDnDynamicallyAdded() throws Exception { public void testCcsWithRoleInjection() throws Exception { setupCcs(new DynamicSecurityConfig().setSecurityRoles("roles.yml")); - Assert.assertEquals(cl1Info.numNodes, cl1.nodeClient().admin().cluster().health( - new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes()); - Assert.assertEquals(ClusterHealthStatus.GREEN, cl1.nodeClient().admin().cluster(). - health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()); - - Assert.assertEquals(cl2Info.numNodes, cl2.nodeClient().admin().cluster().health( - new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes()); - Assert.assertEquals(ClusterHealthStatus.GREEN, cl2.nodeClient().admin().cluster(). - health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()); + Assert.assertEquals( + cl1Info.numNodes, + cl1.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes() + ); + Assert.assertEquals( + ClusterHealthStatus.GREEN, + cl1.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus() + ); + + Assert.assertEquals( + cl2Info.numNodes, + cl2.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes() + ); + Assert.assertEquals( + ClusterHealthStatus.GREEN, + cl2.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus() + ); try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + 
).actionGet(); } final Settings.Builder clusterClientSettings = Settings.builder().putList("node.roles", "remote_cluster_client"); final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(clusterClientSettings, false, false) - .put(minimumSecuritySettings(Settings.EMPTY).get(0)) - .put("cluster.name", cl1Info.clustername) - .put("path.data", "./target/data/" + cl1Info.clustername + "/cert/data") - .put("path.logs", "./target/data/" + cl1Info.clustername + "/cert/logs") - .put("path.home", "./target") - .put("node.name", "testclient") - .put("discovery.initial_state_timeout", "8s") - .put("plugins.security.allow_default_init_securityindex", "true") - .putList("discovery.zen.ping.unicast.hosts", cl1Info.nodeHost + ":" + cl1Info.nodePort) - .build(); + .put(minimumSecuritySettings(Settings.EMPTY).get(0)) + .put("cluster.name", cl1Info.clustername) + .put("path.data", "./target/data/" + cl1Info.clustername + "/cert/data") + .put("path.logs", "./target/data/" + cl1Info.clustername + "/cert/logs") + .put("path.home", "./target") + .put("node.name", "testclient") + .put("discovery.initial_state_timeout", "8s") + .put("plugins.security.allow_default_init_securityindex", "true") + .putList("discovery.zen.ping.unicast.hosts", cl1Info.nodeHost + ":" + cl1Info.nodePort) + .build(); OpenSearchSecurityException exception = null; System.out.println("###################### with invalid role injection"); - //1. With invalid roles injection + // 1. 
With invalid roles injection RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, RolesInjectorIntegTest.RolesInjectorPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesInjectorIntegTest.RolesInjectorPlugin.class + ).start() + ) { waitForInit(node.client()); Client remoteClient = node.client().getRemoteClusterClient("cross_cluster_two"); GetRequest getReq = new GetRequest("twitter", "0"); @@ -1039,10 +1549,17 @@ public void testCcsWithRoleInjection() throws Exception { Assert.assertTrue(exception.getMessage().contains("no permissions for")); System.out.println("###################### with valid role injection"); - //2. With valid roles injection + // 2. With valid roles injection RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, - OpenSearchSecurityPlugin.class, RolesInjectorIntegTest.RolesInjectorPlugin.class).start()) { + try ( + Node node = new PluginAwareNode( + false, + tcSettings, + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + RolesInjectorIntegTest.RolesInjectorPlugin.class + ).start() + ) { waitForInit(node.client()); Client remoteClient = node.client().getRemoteClusterClient("cross_cluster_two"); GetRequest getReq = new GetRequest("twitter", "0"); diff --git a/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java b/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java index ad449aa20b..3c49548cf3 100644 --- a/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java +++ b/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java 
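Review bot: The new side of `testCcsWithRoleInjection` still writes `RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role"` and, in the `@@ -1039` hunk, `"valid_user|opendistro_security_all_access"` into a static field of another test class's plugin, and nothing in either hunk restores it; unless a tearDown outside this diff clears it, the last value leaks into whichever test runs next in the same JVM. Capturing the field before the first assignment (`final String savedRoles = RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles;`) and restoring it in a `finally` around the two `PluginAwareNode` blocks would scope the injected identity to this test. The four cluster-health assertions also each issue their own `health(new ClusterHealthRequest().waitForGreenStatus()).actionGet()` call; storing the response once per cluster in a local would halve the round trips. The method continues past the end of both hunks.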
@@ -46,14 +46,18 @@ public class RemoteReindexTests extends AbstractSecurityUnitTest {
- private final ClusterHelper cl1 = new ClusterHelper("crl1_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime());
- private final ClusterHelper cl2 = new ClusterHelper("crl2_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime());
+ private final ClusterHelper cl1 = new ClusterHelper(
+ "crl1_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime()
+ );
+ private final ClusterHelper cl2 = new ClusterHelper(
+ "crl2_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime()
+ );
 private ClusterInfo cl1Info;
 private ClusterInfo cl2Info;
 private void setupReindex() throws Exception {
- System.setProperty("security.display_lic_none","true");
+ System.setProperty("security.display_lic_none", "true");
 cl2Info = cl2.startCluster(minimumSecuritySettings(Settings.EMPTY), ClusterConfiguration.DEFAULT);
 initialize(cl2, cl2Info);
@@ -69,54 +73,70 @@ public void tearDown() throws Exception { } private Settings crossClusterNodeSettings(ClusterInfo remote) { - Settings.Builder builder = Settings.builder() - .putList("reindex.remote.whitelist", remote.httpHost+":"+remote.httpPort); + Settings.Builder builder = Settings.builder().putList("reindex.remote.whitelist", remote.httpHost + ":" + remote.httpPort); return builder.build(); } - //TODO add ssl tests - //https://github.com/elastic/elasticsearch/issues/27267 + // TODO add ssl tests + // https://github.com/elastic/elasticsearch/issues/27267 @Test public void testNonSSLReindex() throws Exception { setupReindex(); - final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("nagilum","nagilum")).getBody(); + final String cl1BodyMain = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("nagilum", "nagilum") + ).getBody(); Assert.assertTrue(cl1BodyMain.contains("crl1")); try (Client tc = cl1.nodeClient()) { tc.admin().indices().create(new CreateIndexRequest("twutter")).actionGet(); } - final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest("", encodeBasicHeader("nagilum","nagilum")).getBody(); + final String cl2BodyMain = new RestHelper(cl2Info, false, false, getResourceFolder()).executeGetRequest( + "", + encodeBasicHeader("nagilum", "nagilum") + ).getBody(); Assert.assertTrue(cl2BodyMain.contains("crl2")); try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } - String reindex = "{"+ - "\"source\": {"+ - "\"remote\": {"+ - "\"host\": 
\"http://"+cl2Info.httpHost+":"+cl2Info.httpPort+"\","+ - "\"username\": \"nagilum\","+ - "\"password\": \"nagilum\""+ - "},"+ - "\"index\": \"twitter\","+ - "\"size\": 10"+ - "},"+ - "\"dest\": {"+ - "\"index\": \"twutter\""+ - "}"+ - "}"; + String reindex = "{" + + "\"source\": {" + + "\"remote\": {" + + "\"host\": \"http://" + + cl2Info.httpHost + + ":" + + cl2Info.httpPort + + "\"," + + "\"username\": \"nagilum\"," + + "\"password\": \"nagilum\"" + + "}," + + "\"index\": \"twitter\"," + + "\"size\": 10" + + "}," + + "\"dest\": {" + + "\"index\": \"twutter\"" + + "}" + + "}"; System.out.println(reindex); HttpResponse ccs = null; System.out.println("###################### reindex"); - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest("_reindex?pretty", reindex, encodeBasicHeader("nagilum","nagilum")); + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executePostRequest( + "_reindex?pretty", + reindex, + encodeBasicHeader("nagilum", "nagilum") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertTrue(ccs.getBody().contains("created\" : 1")); diff --git a/src/test/java/org/opensearch/security/configuration/SaltTest.java b/src/test/java/org/opensearch/security/configuration/SaltTest.java index 01ddf3de56..8af7501810 100644 --- a/src/test/java/org/opensearch/security/configuration/SaltTest.java +++ b/src/test/java/org/opensearch/security/configuration/SaltTest.java @@ -44,9 +44,7 @@ public void testDefault() { public void testConfig() { // arrange final String testSalt = "abcdefghijklmnop"; - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt).build(); // act final Salt salt = Salt.from(settings); 
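Review bot: `System.out.println(reindex);` right after the reformatted request body prints the whole remote-reindex document, including its `"username"`/`"password"` fields, to the test output. The values are the fixture's `nagilum` credentials, but a request body that carries credentials should not go to stdout at all; dropping that println (the response body is already printed below it) or printing only the `host` part keeps the habit out of the suite. The reformatted `// TODO add ssl tests` comment still points at an upstream Elasticsearch issue, and since `crossClusterNodeSettings` whitelists the remote as `remote.httpHost + ":" + remote.httpPort` and the body uses `http://`, this method appears to be the only remote-reindex coverage and it runs in cleartext, so a tracking issue in this repository would make the gap visible. `testNonSSLReindex` ends outside this hunk.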
@@ -60,9 +58,7 @@ public void testConfig() { public void testSaltUsesOnlyFirst16Bytes() { // arrange final String testSalt = "abcdefghijklmnopqrstuvwxyz"; - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt).build(); // act final Salt salt = Salt.from(settings); @@ -79,9 +75,7 @@ public void testSaltThrowsExceptionWhenInsufficientBytesProvided() { // arrange final String testSalt = "abcd"; - final Settings settings = Settings.builder() - .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) - .build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt).build(); // act final Salt salt = Salt.from(settings); } @@ -93,7 +87,7 @@ public void testSaltThrowsExceptionWhenInsufficientBytesArrayProvided() { thrown.expectMessage("Provided compliance salt must contain 16 bytes"); // act - new Salt(new byte[]{1, 2, 3, 4, 5}); + new Salt(new byte[] { 1, 2, 3, 4, 5 }); } @Test @@ -103,12 +97,12 @@ public void testSaltThrowsExceptionWhenExcessBytesArrayProvided() { thrown.expectMessage("Provided compliance salt must contain 16 bytes"); // act - new Salt(new byte[]{1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5}); + new Salt(new byte[] { 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5 }); } @Test public void testSaltThrowsNoExceptionWhenCorrectBytesArrayProvided() { // act - new Salt(new byte[]{1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1}); + new Salt(new byte[] { 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1 }); } } diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java index 2e1eedcf57..dfe96bb55d 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java 
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java
@@ -58,7 +58,7 @@ protected final void setup(Settings override, DynamicSecurityConfig dynamicSecur
 Settings settings = Settings.builder().put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "debug").put(override).build();
 setup(Settings.EMPTY, dynamicSecurityConfig, settings, true);
- try(Client tc = getClient()) {
+ try (Client tc = getClient()) {
 populateData(tc);
 }
@@ -66,50 +66,48 @@ protected final void setup(Settings override, DynamicSecurityConfig dynamicSecur
 }
 protected SearchResponse executeSearch(String indexName, String user, String password) throws Exception {
- HttpResponse response = rh.executeGetRequest("/"+indexName+"/_search?from=0&size=50&pretty",
- encodeBasicHeader(user, password));
- Assert.assertEquals(200, response.getStatusCode());
- XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY,
- LoggingDeprecationHandler.INSTANCE, response.getBody());
- return SearchResponse.fromXContent(xcp);
+ HttpResponse response = rh.executeGetRequest("/" + indexName + "/_search?from=0&size=50&pretty", encodeBasicHeader(user, password));
+ Assert.assertEquals(200, response.getStatusCode());
+ XContentParser xcp = XContentType.JSON.xContent()
+ .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody());
+ return SearchResponse.fromXContent(xcp);
 }
 protected GetResponse executeGet(String indexName, String id, String user, String password) throws Exception {
- HttpResponse response = rh.executeGetRequest("/"+indexName+"/_doc/"+id, encodeBasicHeader(user, password));
- XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY,
- LoggingDeprecationHandler.INSTANCE, response.getBody());
- return GetResponse.fromXContent(xcp);
+ HttpResponse response = rh.executeGetRequest("/" + indexName + "/_doc/" + id, encodeBasicHeader(user, password));
+ XContentParser xcp = XContentType.JSON.xContent()
+ .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody());
+ return GetResponse.fromXContent(xcp);
 }
- protected MultiSearchResponse executeMSearchMatchAll(String user, String password, String ... indexName) throws Exception {
- StringBuilder body = new StringBuilder();
+ protected MultiSearchResponse executeMSearchMatchAll(String user, String password, String... indexName) throws Exception {
+ StringBuilder body = new StringBuilder();
- for (String index : indexName) {
- body.append("{\"index\": \"").append(index).append("\"}\n");
- body.append("{\"query\" : {\"match_all\" : {}}}\n");
- }
+ for (String index : indexName) {
+ body.append("{\"index\": \"").append(index).append("\"}\n");
+ body.append("{\"query\" : {\"match_all\" : {}}}\n");
+ }
- HttpResponse response = rh.executePostRequest("/_msearch?pretty", body.toString(),
- encodeBasicHeader(user, password));
- Assert.assertEquals(200, response.getStatusCode());
- XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY,
- LoggingDeprecationHandler.INSTANCE, response.getBody());
- return MultiSearchResponse.fromXContext(xcp);
+ HttpResponse response = rh.executePostRequest("/_msearch?pretty", body.toString(), encodeBasicHeader(user, password));
+ Assert.assertEquals(200, response.getStatusCode());
+ XContentParser xcp = XContentType.JSON.xContent()
+ .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody());
+ return MultiSearchResponse.fromXContext(xcp);
 }
 protected MultiGetResponse executeMGet(String user, String password, Map indicesAndIds) throws Exception {
- Set indexAndIdJson = new HashSet<>();
- for (Map.Entry indexAndId : indicesAndIds.entrySet()) {
- indexAndIdJson.add("{ \"_index\": \""+indexAndId.getKey()+"\", \"_id\": \""+indexAndId.getValue()+"\" }");
- }
- String body = "{ \"docs\": ["+ String.join(",", indexAndIdJson) +"] }";
-
- HttpResponse response = rh.executePostRequest("/_mget?pretty", body,encodeBasicHeader(user, password));
- Assert.assertEquals(200, response.getStatusCode());
- XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY,
- LoggingDeprecationHandler.INSTANCE, response.getBody());
- return MultiGetResponse.fromXContent(xcp);
+ Set indexAndIdJson = new HashSet<>();
+ for (Map.Entry indexAndId : indicesAndIds.entrySet()) {
+ indexAndIdJson.add("{ \"_index\": \"" + indexAndId.getKey() + "\", \"_id\": \"" + indexAndId.getValue() + "\" }");
+ }
+ String body = "{ \"docs\": [" + String.join(",", indexAndIdJson) + "] }";
+
+ HttpResponse response = rh.executePostRequest("/_mget?pretty", body, encodeBasicHeader(user, password));
+ Assert.assertEquals(200, response.getStatusCode());
+ XContentParser xcp = XContentType.JSON.xContent()
+ .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody());
+ return MultiGetResponse.fromXContent(xcp);
 }
 abstract void populateData(Client tc);
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java
index 4ac8077c34..079afa65bd 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java
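Review bot: `executeGet` on the new side still hands the body to `createParser` without first checking the status, while `executeSearch`, `executeMSearchMatchAll` and `executeMGet` in the same hunk each do `Assert.assertEquals(200, response.getStatusCode());` before parsing. If callers rely on this helper to fail on a 403 rather than on a parse error, add the same assertion after the `rh.executeGetRequest(...)` line; if some test deliberately fetches a forbidden document through it, a one-line comment saying so would save the next reader the question.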
@@ -73,18 +73,24 @@ public class CCReplicationTest extends AbstractDlsFlsTest {
 public static class MockReplicationPlugin extends Plugin implements ActionPlugin {
 public static String injectedRoles = null;
- public MockReplicationPlugin() {
- }
+ public MockReplicationPlugin() {}
 @Override
- public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool,
- ResourceWatcherService resourceWatcherService, ScriptService scriptService,
- NamedXContentRegistry xContentRegistry, Environment environment,
- NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry,
+ public Collection createComponents(
+ Client client,
+ ClusterService clusterService,
+ ThreadPool threadPool,
+ ResourceWatcherService resourceWatcherService,
+ ScriptService scriptService,
+ NamedXContentRegistry xContentRegistry,
+ Environment environment,
+ NodeEnvironment nodeEnvironment,
+ NamedWriteableRegistry namedWriteableRegistry,
 IndexNameExpressionResolver indexNameExpressionResolver,
- Supplier repositoriesServiceSupplier) {
- if(injectedRoles != null)
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, injectedRoles);
+ Supplier repositoriesServiceSupplier
+ ) {
+ if (injectedRoles != null) threadPool.getThreadContext()
+ .putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, injectedRoles);
 return new ArrayList<>();
 }
@@ -97,6 +103,7 @@ public Collection createComponents(Client client, ClusterService cluster
 public static class MockReplicationAction extends ActionType {
 public static final MockReplicationAction INSTANCE = new MockReplicationAction();
 public static final String NAME = "indices:admin/plugins/replication/file_chunk";
+
 private MockReplicationAction() {
 super(NAME, AcknowledgedResponse::new);
 }
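Review bot: The reformatted `if (injectedRoles != null) threadPool.getThreadContext()` in `createComponents` now carries its single statement onto a continuation line with no braces, which reads at a glance like two statements and is the shape the formatter will keep producing. Bracing it as `if (injectedRoles != null) {` / `threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, injectedRoles);` / `}` avoids that without changing behaviour. The role string injected here drives the security test's authorization path, so keeping this branch unambiguous is worth the three lines.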
@@ -104,6 +111,7 @@ private MockReplicationAction() {
 public static class MockReplicationRequest extends AcknowledgedRequest implements Replaceable {
 private String index;
+
 public MockReplicationRequest(String index) {
 this.index = index;
 }
@@ -131,7 +139,7 @@ public IndicesRequest indices(String... strings) {
 @Override
 public String[] indices() {
- return new String[]{index};
+ return new String[] { index };
 }
 @Override
@@ -148,8 +156,7 @@ public boolean includeDataStreams() {
 public static class TransportMockReplicationAction extends HandledTransportAction {
 @Inject
- public TransportMockReplicationAction(TransportService transportService,
- ActionFilters actionFilters) {
+ public TransportMockReplicationAction(TransportService transportService, ActionFilters actionFilters) {
 super(MockReplicationAction.NAME, transportService, actionFilters, MockReplicationRequest::new);
 }
@@ -159,31 +166,52 @@ protected void doExecute(Task task, MockReplicationRequest request, ActionListen
 }
 }
- //Wait for the security plugin to load roles.
+ // Wait for the security plugin to load roles.
 private void waitOrThrow(Client client, String index) throws Exception {
 waitForInit(client);
 client.execute(MockReplicationAction.INSTANCE, new MockReplicationRequest(index)).actionGet();
 }
 void populateData(Client tc) {
- tc.index(new IndexRequest("hr-dls").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"User\": \"testuser\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"HR\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("hr-fls").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"User\": \"adminuser\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"CEO\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("hr-masking").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"User\": \"maskeduser\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"CEO\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("hr-normal").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"User\": \"employee1\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"EMPLOYEE\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("hr-dls").id("0")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"User\": \"testuser\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"HR\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("hr-fls").id("1")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"User\": \"adminuser\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"CEO\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("hr-masking").id("1")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"User\": \"maskeduser\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"CEO\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("hr-normal").id("1")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"User\": \"employee1\",\"Date\":\"2021-01-18T17:27:20Z\",\"Designation\":\"EMPLOYEE\"}", XContentType.JSON)
+ ).actionGet();
 }
 @Test
 public void testReplication() throws Exception {
 setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles_ccreplication.yml"), Settings.EMPTY);
- Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(
- new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
- Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().
- health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());
+ Assert.assertEquals(
+ clusterInfo.numNodes,
+ clusterHelper.nodeClient()
+ .admin()
+ .cluster()
+ .health(new ClusterHealthRequest().waitForGreenStatus())
+ .actionGet()
+ .getNumberOfNodes()
+ );
+ Assert.assertEquals(
+ ClusterHealthStatus.GREEN,
+ clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus()
+ );
 final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false)
 .put(minimumSecuritySettings(Settings.EMPTY).get(0))
@@ -199,39 +227,79 @@ public void testReplication() throws Exception {
 // Set roles for the user
 MockReplicationPlugin.injectedRoles = "ccr_user|opendistro_security_human_resources_trainee";
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) {
+ try (
+ Node node = new PluginAwareNode(
+ false,
+ tcSettings,
+ Netty4ModulePlugin.class,
+ OpenSearchSecurityPlugin.class,
+ MockReplicationPlugin.class
+ ).start()
+ ) {
 waitOrThrow(node.client(), "hr-dls");
 Assert.fail("Expecting exception");
 } catch (OpenSearchSecurityException ex) {
 log.warn(ex.getMessage());
 Assert.assertNotNull(ex);
- Assert.assertTrue(ex.getMessage().contains("Cross Cluster Replication is not supported when FLS or DLS or Fieldmasking is activated"));
+ Assert.assertTrue(
+ ex.getMessage().contains("Cross Cluster Replication is not supported when FLS or DLS or Fieldmasking is activated")
+ );
 Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN);
 }
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) {
+ try (
+ Node node = new PluginAwareNode(
+ false,
+ tcSettings,
+ Netty4ModulePlugin.class,
+ OpenSearchSecurityPlugin.class,
+ MockReplicationPlugin.class
+ ).start()
+ ) {
 waitOrThrow(node.client(), "hr-fls");
 Assert.fail("Expecting exception");
 } catch (OpenSearchSecurityException ex) {
 log.warn(ex.getMessage());
 Assert.assertNotNull(ex);
- Assert.assertTrue(ex.getMessage().contains("Cross Cluster Replication is not supported when FLS or DLS or Fieldmasking is activated"));
+ Assert.assertTrue(
+ ex.getMessage().contains("Cross Cluster Replication is not supported when FLS or DLS or Fieldmasking is activated")
+ );
 Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN);
 }
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) {
+ try (
+ Node node = new PluginAwareNode(
+ false,
+ tcSettings,
+ Netty4ModulePlugin.class,
+ OpenSearchSecurityPlugin.class,
+ MockReplicationPlugin.class
+ ).start()
+ ) {
 waitOrThrow(node.client(), "hr-masking");
 Assert.fail("Expecting exception");
 } catch (OpenSearchSecurityException ex) {
 log.warn(ex.getMessage());
 Assert.assertNotNull(ex);
- Assert.assertTrue(ex.getMessage().contains("Cross Cluster Replication is not supported when FLS or DLS or Fieldmasking is activated"));
+ Assert.assertTrue(
+ ex.getMessage().contains("Cross Cluster Replication is not supported when FLS or DLS or Fieldmasking is activated")
+ );
 Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN);
 }
- try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) {
+ try (
+ Node node = new PluginAwareNode(
+ false,
+ tcSettings,
+ Netty4ModulePlugin.class,
+ OpenSearchSecurityPlugin.class,
+ MockReplicationPlugin.class
+ ).start()
+ ) {
 waitOrThrow(node.client(), "hr-normal");
- AcknowledgedResponse res = node.client().execute(MockReplicationAction.INSTANCE, new MockReplicationRequest("hr-normal")).actionGet();
+ AcknowledgedResponse res = node.client()
+ .execute(MockReplicationAction.INSTANCE, new MockReplicationRequest("hr-normal"))
+ .actionGet();
 Assert.assertTrue(res.isAcknowledged());
 }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedComplexMappingTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedComplexMappingTest.java
index bbc7bd5479..9be61b30b7 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedComplexMappingTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedComplexMappingTest.java
@@ -25,19 +25,20 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class CustomFieldMaskedComplexMappingTest extends AbstractDlsFlsTest{ - +public class CustomFieldMaskedComplexMappingTest extends AbstractDlsFlsTest { @Override protected void populateData(Client tc) { try { - tc.admin().indices().create(new CreateIndexRequest("logs").mapping(FileHelper.loadFile("dlsfls/masked_field_mapping.json"), XContentType.JSON)).actionGet(); - + tc.admin() + .indices() + .create(new CreateIndexRequest("logs").mapping(FileHelper.loadFile("dlsfls/masked_field_mapping.json"), XContentType.JSON)) + .actionGet(); byte[] data = FileHelper.loadFile("dlsfls/logs_bulk_data.json").getBytes(StandardCharsets.UTF_8); BulkRequest br = new BulkRequest().add(data, 0, data.length, XContentType.JSON).setRefreshPolicy(RefreshPolicy.IMMEDIATE); - if(tc.bulk(br).actionGet().hasFailures()) { + if (tc.bulk(br).actionGet().hasFailures()) { Assert.fail("bulk import failed"); } Thread.sleep(1000); @@ -54,17 +55,17 @@ public void testComplexMappingAggregationsRace() throws Exception { setup(); - - String query = "{"+ - "\"aggs\" : {"+ - "\"ips\" : { \"terms\" : { \"field\" : \"machine.os.keyword\", \"size\": 1002, \"show_term_doc_count_error\": true } }"+ - "}"+ - "}"; - - + String query = "{" + + "\"aggs\" : {" + + "\"ips\" : { \"terms\" : { \"field\" : \"machine.os.keyword\", \"size\": 1002, \"show_term_doc_count_error\": true } }" + + "}" + + "}"; HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("win 8")); 
@@ -84,16 +85,22 @@ public void testComplexMappingAggregationsRace() throws Exception {
 Assert.assertFalse(res.getBody().contains("88783587fef7"));
 Assert.assertFalse(res.getBody().contains("c1f04335d9f41"));
- for(int i=0;i<10;i++) {
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("user_masked_nowc1", "password"))).getStatusCode());
+ for (int i = 0; i < 10; i++) {
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("user_masked_nowc1", "password")))
+ .getStatusCode()
+ );
 System.out.println(res.getBody());
 }
+ for (int i = 0; i < 10; i++) {
-
- for(int i=0;i<10;i++) {
-
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("user_masked_nowc", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("user_masked_nowc", "password")))
+ .getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertFalse(res.getBody().contains("\"aaa"));
@@ -115,21 +122,18 @@ public void testComplexMappingAggregationsRace() throws Exception {
 Assert.assertFalse(res.getBody().contains("osx"));
 Assert.assertFalse(res.getBody().contains("win 7"));
-
-
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode());
-
-
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 }
-
-
-
-
-
- for(int i=0;i<10;i++) {
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode());
+ for (int i = 0; i < 10; i++) {
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/logs/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 Assert.assertTrue(res.getBody().contains("win 8"));
 Assert.assertTrue(res.getBody().contains("win xp"));
 Assert.assertTrue(res.getBody().contains("ios"));
@@ -157,14 +161,27 @@ public void testComplexMappingSearch() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logs/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode());
- Assert.assertFalse(res.getBody().contains("88783587fef740690c4fa39476fb86314d034fa3370e1a1fa186f6d9d4644a18ad85063c1e3161f8929f7ca019bb8740611eaf337709113901e7c3a6b59f4166"));
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/logs/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
+ Assert.assertFalse(
+ res.getBody()
+ .contains(
+ "88783587fef740690c4fa39476fb86314d034fa3370e1a1fa186f6d9d4644a18ad85063c1e3161f8929f7ca019bb8740611eaf337709113901e7c3a6b59f4166"
+ )
+ );
 Assert.assertFalse(res.getBody().contains("e90a2fdf7b1939ec06e294321fd7d23e1a70d8fc080a3f85d0f3bf08c205b53"));
 Assert.assertFalse(res.getBody().contains("*.*.*.*"));
 Assert.assertFalse(res.getBody().contains("430a65d4b9c51de7192e048b2639db0de5c56f1901afccc2a01ef97f6a769a38"));
 Assert.assertFalse(res.getBody().contains("7f48bb3636edf546a75968ca7cd0bdfe63e9ce7af04ef7cb642931fa15d2d7a3"));
 Assert.assertFalse(res.getBody().contains("https://www.static.co/downloads/beats/metricbeat"));
- Assert.assertFalse(res.getBody().contains("eb551beb79792f3366b3623495bb0d9acf85055e63d4f48ade024289f9aa782fc7bd215b6ed3452d3d3ff3eccd8a7f5e8f55b8d0ef245c7ccbf8b747e0be9807"));
+ Assert.assertFalse(
+ res.getBody()
+ .contains(
+ "eb551beb79792f3366b3623495bb0d9acf85055e63d4f48ade024289f9aa782fc7bd215b6ed3452d3d3ff3eccd8a7f5e8f55b8d0ef245c7ccbf8b747e0be9807"
+ )
+ );
 Assert.assertFalse(res.getBody().contains("XXX.XXX.XXX.XXX"));
 Assert.assertFalse(res.getBody().contains("ANONYMIZED_BROWSER"));
 Assert.assertFalse(res.getBody().contains("69ce5643cf2abe2dec163330161e669"));
@@ -172,32 +189,59 @@ public void testComplexMappingSearch() throws Exception { Assert.assertTrue(res.getBody().contains("win xp")); Assert.assertTrue(res.getBody().contains("\"timestamp\" : \"2018-07-22T20:45:16.163Z")); - for(int i=0;i<10;i++) { - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logs/_search?pretty&size=100", encodeBasicHeader("user_masked_nowc", "password"))).getStatusCode()); - Assert.assertTrue(res.getBody().contains("88783587fef740690c4fa39476fb86314d034fa3370e1a1fa186f6d9d4644a18ad85063c1e3161f8929f7ca019bb8740611eaf337709113901e7c3a6b59f4166")); - Assert.assertTrue(res.getBody().contains("e90a2fdf7b1939ec06e294321fd7d23e1a70d8fc080a3f85d0f3bf08c205b53")); - Assert.assertTrue(res.getBody().contains("*.*.*.*")); - Assert.assertTrue(res.getBody().contains("430a65d4b9c51de7192e048b2639db0de5c56f1901afccc2a01ef97f6a769a38")); - Assert.assertTrue(res.getBody().contains("7f48bb3636edf546a75968ca7cd0bdfe63e9ce7af04ef7cb642931fa15d2d7a3")); - Assert.assertTrue(res.getBody().contains("https://www.static.co/downloads/beats/metricbeat")); - Assert.assertTrue(res.getBody().contains("eb551beb79792f3366b3623495bb0d9acf85055e63d4f48ade024289f9aa782fc7bd215b6ed3452d3d3ff3eccd8a7f5e8f55b8d0ef245c7ccbf8b747e0be9807")); - Assert.assertTrue(res.getBody().contains("XXX.XXX.XXX.XXX")); - Assert.assertTrue(res.getBody().contains("ANONYMIZED_BROWSER")); - Assert.assertTrue(res.getBody().contains("69ce5643cf2abe2dec163330161e669")); - Assert.assertTrue(res.getBody().contains("0b50856e97a54df444ff8f7c73c67fc3109aa234")); - Assert.assertFalse(res.getBody().contains("win xp")); - Assert.assertFalse(res.getBody().contains("\"timestamp\" : \"2018-07-22T20:45:16.163Z")); + for (int i = 0; i < 10; i++) { + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logs/_search?pretty&size=100", encodeBasicHeader("user_masked_nowc", "password"))) + .getStatusCode() + ); + Assert.assertTrue( + res.getBody() + .contains( + 
"88783587fef740690c4fa39476fb86314d034fa3370e1a1fa186f6d9d4644a18ad85063c1e3161f8929f7ca019bb8740611eaf337709113901e7c3a6b59f4166" + ) + ); + Assert.assertTrue(res.getBody().contains("e90a2fdf7b1939ec06e294321fd7d23e1a70d8fc080a3f85d0f3bf08c205b53")); + Assert.assertTrue(res.getBody().contains("*.*.*.*")); + Assert.assertTrue(res.getBody().contains("430a65d4b9c51de7192e048b2639db0de5c56f1901afccc2a01ef97f6a769a38")); + Assert.assertTrue(res.getBody().contains("7f48bb3636edf546a75968ca7cd0bdfe63e9ce7af04ef7cb642931fa15d2d7a3")); + Assert.assertTrue(res.getBody().contains("https://www.static.co/downloads/beats/metricbeat")); + Assert.assertTrue( + res.getBody() + .contains( + "eb551beb79792f3366b3623495bb0d9acf85055e63d4f48ade024289f9aa782fc7bd215b6ed3452d3d3ff3eccd8a7f5e8f55b8d0ef245c7ccbf8b747e0be9807" + ) + ); + Assert.assertTrue(res.getBody().contains("XXX.XXX.XXX.XXX")); + Assert.assertTrue(res.getBody().contains("ANONYMIZED_BROWSER")); + Assert.assertTrue(res.getBody().contains("69ce5643cf2abe2dec163330161e669")); + Assert.assertTrue(res.getBody().contains("0b50856e97a54df444ff8f7c73c67fc3109aa234")); + Assert.assertFalse(res.getBody().contains("win xp")); + Assert.assertFalse(res.getBody().contains("\"timestamp\" : \"2018-07-22T20:45:16.163Z")); } - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logs/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode()); - Assert.assertFalse(res.getBody().contains("88783587fef740690c4fa39476fb86314d034fa3370e1a1fa186f6d9d4644a18ad85063c1e3161f8929f7ca019bb8740611eaf337709113901e7c3a6b59f4166")); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logs/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); + Assert.assertFalse( + res.getBody() + .contains( + "88783587fef740690c4fa39476fb86314d034fa3370e1a1fa186f6d9d4644a18ad85063c1e3161f8929f7ca019bb8740611eaf337709113901e7c3a6b59f4166" + ) + ); 
Assert.assertFalse(res.getBody().contains("e90a2fdf7b1939ec06e294321fd7d23e1a70d8fc080a3f85d0f3bf08c205b53")); Assert.assertFalse(res.getBody().contains("*.*.*.*")); Assert.assertFalse(res.getBody().contains("430a65d4b9c51de7192e048b2639db0de5c56f1901afccc2a01ef97f6a769a38")); Assert.assertFalse(res.getBody().contains("7f48bb3636edf546a75968ca7cd0bdfe63e9ce7af04ef7cb642931fa15d2d7a3")); Assert.assertFalse(res.getBody().contains("https://www.static.co/downloads/beats/metricbeat")); - Assert.assertFalse(res.getBody().contains("eb551beb79792f3366b3623495bb0d9acf85055e63d4f48ade024289f9aa782fc7bd215b6ed3452d3d3ff3eccd8a7f5e8f55b8d0ef245c7ccbf8b747e0be9807")); + Assert.assertFalse( + res.getBody() + .contains( + "eb551beb79792f3366b3623495bb0d9acf85055e63d4f48ade024289f9aa782fc7bd215b6ed3452d3d3ff3eccd8a7f5e8f55b8d0ef245c7ccbf8b747e0be9807" + ) + ); Assert.assertFalse(res.getBody().contains("XXX.XXX.XXX.XXX")); Assert.assertFalse(res.getBody().contains("ANONYMIZED_BROWSER")); Assert.assertFalse(res.getBody().contains("69ce5643cf2abe2dec163330161e669")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedTest.java index 9d48e0309f..91c6115695 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/CustomFieldMaskedTest.java 
@@ -25,18 +25,35 @@ public class CustomFieldMaskedTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\", \"street\":\"testroad\"}, \"ip_source\": \"100.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10, \"mynum\": 1000000000000000000}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust2\", \"street\":\"testroad\"}, \"ip_source\": \"100.100.2.2\",\"ip_dest\": \"123.123.2.2\",\"amount\": 20, \"mynum\": 1000000000000000000}", XContentType.JSON)).actionGet(); - - - for (int i=0; i<30;i++) { - tc.index(new IndexRequest("deals").id("a"+i).setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\", \"street\":\"testroad\"}, \"ip_source\": \"200.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10, \"mynum\": 1000000000000000000}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("deals").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\", \"street\":\"testroad\"}, \"ip_source\": \"100.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10, \"mynum\": 1000000000000000000}", + XContentType.JSON + ) + ).actionGet(); + tc.index( + new IndexRequest("deals").id("2") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust2\", \"street\":\"testroad\"}, \"ip_source\": \"100.100.2.2\",\"ip_dest\": \"123.123.2.2\",\"amount\": 20, \"mynum\": 1000000000000000000}", + XContentType.JSON + ) + ).actionGet(); + + for (int i = 0; i < 30; i++) { + tc.index( + new IndexRequest("deals").id("a" + i) + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\", \"street\":\"testroad\"}, \"ip_source\": \"200.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10, 
\"mynum\": 1000000000000000000}", + XContentType.JSON + ) + ).actionGet(); } - } + } @Test public void testMaskedAggregations() throws Exception { @@ -45,23 +62,23 @@ public void testMaskedAggregations() throws Exception { String query; HttpResponse res; - //Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); - //Assert.assertTrue(res.getBody().contains("100.100")); - - query = - "{" + - "\"query\" : {" + - "\"match_all\": {" + - "}" + - "}," + - "\"aggs\" : {" + - "\"ips\" : {" + - "\"terms\" : {" + - "\"field\" : \"ip_source.keyword\"" + - "}" + - "}" + - "}"+ - "}"; + // Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, + // encodeBasicHeader("admin", "admin"))).getStatusCode()); + // Assert.assertTrue(res.getBody().contains("100.100")); + + query = "{" + + "\"query\" : {" + + "\"match_all\": {" + + "}" + + "}," + + "\"aggs\" : {" + + "\"ips\" : {" + + "\"terms\" : {" + + "\"field\" : \"ip_source.keyword\"" + + "}" + + "}" + + "}" + + "}"; res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked_custom", "password")); System.out.println(res.getBody()); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); 
@@ -69,23 +86,22 @@ public void testMaskedAggregations() throws Exception { Assert.assertTrue(res.getBody().contains("***")); Assert.assertTrue(res.getBody().contains("XXX")); - query = - "{" + - "\"query\" : {" + - "\"match_all\": {" + - "}" + - "}," + - "\"aggs\": {" + - "\"ips\" : {" + - "\"terms\" : {" + - "\"field\" : \"ip_source.keyword\"," + - "\"order\": {" + - "\"_term\" : \"asc\"" + - "}" + - "}" + - "}" + - "}" + - "}"; + query = "{" + + "\"query\" : {" + + "\"match_all\": {" + + "}" + + "}," + + "\"aggs\": {" + + "\"ips\" : {" + + "\"terms\" : {" + + "\"field\" : \"ip_source.keyword\"," + + "\"order\": {" + + "\"_term\" : \"asc\"" + + "}" + + "}" + + "}" + + "}" + + "}"; res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked_custom", "password")); System.out.println(res.getBody()); @@ -94,23 +110,22 @@ public void testMaskedAggregations() throws Exception { Assert.assertTrue(res.getBody().contains("***")); Assert.assertTrue(res.getBody().contains("XXX")); - query = - "{" + - "\"query\" : {" + - "\"match_all\": {" + - "}" + - "}," + - "\"aggs\": {" + - "\"ips\" : {" + - "\"terms\" : {" + - "\"field\" : \"ip_source.keyword\"," + - "\"order\": {" + - "\"_term\" : \"desc\"" + - "}" + - "}" + - "}" + - "}" + - "}"; + query = "{" + + "\"query\" : {" + + "\"match_all\": {" + + "}" + + "}," + + "\"aggs\": {" + + "\"ips\" : {" + + "\"terms\" : {" + + "\"field\" : \"ip_source.keyword\"," + + "\"order\": {" + + "\"_term\" : \"desc\"" + + "}" + + "}" + + "}" + + "}" + + "}"; res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked_custom", "password")); System.out.println(res.getBody()); 
@@ -126,36 +141,41 @@ public void testCustomMaskedAggregationsRace() throws Exception {
 setup();
+ String query = "{"
+ + "\"aggs\" : {"
+ + "\"ips\" : { \"terms\" : { \"field\" : \"ip_source.keyword\", \"size\": 1002, \"show_term_doc_count_error\": true } }"
+ + "}"
+ + "}";
- String query = "{"+
- "\"aggs\" : {"+
- "\"ips\" : { \"terms\" : { \"field\" : \"ip_source.keyword\", \"size\": 1002, \"show_term_doc_count_error\": true } }"+
- "}"+
- "}";
-
-
-
- HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode());
- Assert.assertTrue(res.getBody().contains("100.100"));
- Assert.assertTrue(res.getBody().contains("200.100"));
- Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30"));
- Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1"));
- Assert.assertFalse(res.getBody().contains("***"));
- Assert.assertFalse(res.getBody().contains("XXX"));
-
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked_custom", "password"))).getStatusCode());
- Assert.assertTrue(res.getBody().contains("\"doc_count\" : 31"));
- Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1"));
- Assert.assertFalse(res.getBody().contains("100.100"));
- Assert.assertFalse(res.getBody().contains("200.100"));
- Assert.assertTrue(res.getBody().contains("***.100.1.XXX"));
- Assert.assertTrue(res.getBody().contains("***.100.2.XXX"));
-
+ HttpResponse res;
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
+ Assert.assertTrue(res.getBody().contains("100.100"));
+ Assert.assertTrue(res.getBody().contains("200.100"));
+ Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30"));
+ Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1"));
+ Assert.assertFalse(res.getBody().contains("***"));
+ Assert.assertFalse(res.getBody().contains("XXX"));
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked_custom", "password")))
+ .getStatusCode()
+ );
+ Assert.assertTrue(res.getBody().contains("\"doc_count\" : 31"));
+ Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1"));
+ Assert.assertFalse(res.getBody().contains("100.100"));
+ Assert.assertFalse(res.getBody().contains("200.100"));
+ Assert.assertTrue(res.getBody().contains("***.100.1.XXX"));
+ Assert.assertTrue(res.getBody().contains("***.100.2.XXX"));
- for(int i=0;i<10;i++) {
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode());
+ for (int i = 0; i < 10; i++) {
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 Assert.assertTrue(res.getBody().contains("100.100"));
 Assert.assertTrue(res.getBody().contains("200.100"));
 Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30"));
@@ -173,18 +193,30 @@ public void testCustomMaskedSearch() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 Assert.assertTrue(res.getBody().contains("\"value\" : 32,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
 Assert.assertTrue(res.getBody().contains("cust1"));
 Assert.assertTrue(res.getBody().contains("cust2"));
 Assert.assertTrue(res.getBody().contains("100.100.1.1"));
 Assert.assertTrue(res.getBody().contains("100.100.2.2"));
- Assert.assertFalse(res.getBody().contains("8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"));
+ Assert.assertFalse(
+ res.getBody()
+ .contains(
+ "8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"
+ )
+ );
 Assert.assertFalse(res.getBody().contains("***"));
 Assert.assertFalse(res.getBody().contains("XXX"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("user_masked_custom", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("user_masked_custom", "password")))
+ .getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 32,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
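Review bot: The 128-character hex literal inside `contains(...)` in testCustomMaskedSearch is repeated verbatim in this hunk and again in the hunks at `@@ -192,7` and `@@ -205,27` (four occurrences in total), and the reformat has now spread each one over three lines. A single class-level `private static final String` holding that value (name to be chosen by the author) would keep the four assertions in step and make the wrapped `contains(` calls fit on one line again. Only line wrapping changed here, so the assertions themselves are unaffected; the enclosing method continues past the end of the hunk.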
@@ -192,7 +224,12 @@ public void testCustomMaskedSearch() throws Exception {
 Assert.assertFalse(res.getBody().contains("cust2"));
 Assert.assertFalse(res.getBody().contains("100.100.1.1"));
 Assert.assertFalse(res.getBody().contains("100.100.2.2"));
- Assert.assertTrue(res.getBody().contains("8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"));
+ Assert.assertTrue(
+ res.getBody()
+ .contains(
+ "8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"
+ )
+ );
 Assert.assertTrue(res.getBody().contains("***.100.1.XXX"));
 Assert.assertTrue(res.getBody().contains("123.123.1.XXX"));
@@ -205,27 +242,41 @@ public void testCustomMaskedGet() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 Assert.assertTrue(res.getBody().contains("\"found\" : true"));
 Assert.assertTrue(res.getBody().contains("cust1"));
 Assert.assertFalse(res.getBody().contains("cust2"));
 Assert.assertTrue(res.getBody().contains("100.100.1.1"));
 Assert.assertFalse(res.getBody().contains("100.100.2.2"));
- Assert.assertFalse(res.getBody().contains("8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"));
+ Assert.assertFalse(
+ res.getBody()
+ .contains(
+ "8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"
+ )
+ );
 Assert.assertFalse(res.getBody().contains("***"));
 Assert.assertFalse(res.getBody().contains("XXX"));
-
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("user_masked_custom", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("user_masked_custom", "password"))).getStatusCode()
+ );
 Assert.assertTrue(res.getBody().contains("\"found\" : true"));
 Assert.assertFalse(res.getBody().contains("cust1"));
 Assert.assertFalse(res.getBody().contains("cust2"));
 Assert.assertFalse(res.getBody().contains("100.100.1.1"));
 Assert.assertFalse(res.getBody().contains("100.100.2.2"));
- Assert.assertTrue(res.getBody().contains("8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"));
+ Assert.assertTrue(
+ res.getBody()
+ .contains(
+ "8976994d0491e35f74fcac67ede9c83334a6ad34dae07c176df32f10225f93c5077ddd302c02ddd618b2406b1e4dfe50a727cbc880cfe264c552decf2d224ffc"
+ )
+ );
 Assert.assertTrue(res.getBody().contains("***.100.1.XXX"));
 Assert.assertTrue(res.getBody().contains("123.123.1.XXX"));
 }
-
 }
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DateMathTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DateMathTest.java
index 54110e911f..da4d9db867 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/DateMathTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DateMathTest.java
@@ -26,8 +26,7 @@ import org.opensearch.security.support.SecurityUtils;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
-public class DateMathTest extends AbstractDlsFlsTest{
-
+public class DateMathTest extends AbstractDlsFlsTest {
 protected void populateData(Client tc) {
@@ -35,17 +34,25 @@ protected void populateData(Client tc) {
 sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
 String date = sdf.format(new Date());
- tc.index(new IndexRequest("logstash-"+date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"message\":\"mymsg1a\", \"ipaddr\": \"10.0.0.0\",\"msgid\": \"12\"}", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("logstash-"+date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"message\":\"mymsg1b\", \"ipaddr\": \"10.0.0.1\",\"msgid\": \"14\"}", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("logstash-1-"+date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"message\":\"mymsg1c\", \"ipaddr\": \"10.0.0.2\",\"msgid\": \"12\"}", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("logstash-1-"+date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"message\":\"mymsg1d\", \"ipaddr\": \"10.0.0.3\",\"msgid\": \"14\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("logstash-" + date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"message\":\"mymsg1a\", \"ipaddr\": \"10.0.0.0\",\"msgid\": \"12\"}", XContentType.JSON)
+ ).actionGet();
+
+ tc.index(
+ new IndexRequest("logstash-" + date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"message\":\"mymsg1b\", \"ipaddr\": \"10.0.0.1\",\"msgid\": \"14\"}", XContentType.JSON)
+ ).actionGet();
+
+ tc.index(
+ new IndexRequest("logstash-1-" + date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"message\":\"mymsg1c\", \"ipaddr\": \"10.0.0.2\",\"msgid\": \"12\"}", XContentType.JSON)
+ ).actionGet();
+
+ tc.index(
+ new IndexRequest("logstash-1-" + date).setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"message\":\"mymsg1d\", \"ipaddr\": \"10.0.0.3\",\"msgid\": \"14\"}", XContentType.JSON)
+ ).actionGet();
 }
 @Test
@@ -55,7 +62,10 @@ public void testSearch() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
@@ -64,7 +74,13 @@ public void testSearch() throws Exception {
 Assert.assertTrue(res.getBody().contains("mymsg"));
 Assert.assertTrue(res.getBody().contains("msgid"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty", encodeBasicHeader("opendistro_security_logstash", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest(
+ "%3Clogstash-%7Bnow%2Fd%7D%3E/_search?pretty",
+ encodeBasicHeader("opendistro_security_logstash", "password")
+ )).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
@@ -81,13 +97,23 @@ public void testFieldCaps() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_field_caps?fields=*&pretty", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_field_caps?fields=*&pretty", encodeBasicHeader("admin", "admin")))
+ .getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("ipaddr"));
 Assert.assertTrue(res.getBody().contains("message"));
 Assert.assertTrue(res.getBody().contains("msgid"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("%3Clogstash-%7Bnow%2Fd%7D%3E/_field_caps?fields=*&pretty", encodeBasicHeader("opendistro_security_logstash", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest(
+ "%3Clogstash-%7Bnow%2Fd%7D%3E/_field_caps?fields=*&pretty",
+ encodeBasicHeader("opendistro_security_logstash", "password")
+ )).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertFalse(res.getBody().contains("ipaddr"));
 Assert.assertFalse(res.getBody().contains("message"));
@@ -101,7 +127,10 @@ public void testSearchWc() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("logstash-*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("logstash-*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
@@ -110,7 +139,11 @@ public void testSearchWc() throws Exception {
 Assert.assertTrue(res.getBody().contains("mymsg"));
 Assert.assertTrue(res.getBody().contains("msgid"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("logstash-*/_search?pretty", encodeBasicHeader("opendistro_security_logstash", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("logstash-*/_search?pretty", encodeBasicHeader("opendistro_security_logstash", "password")))
+ .getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
@@ -127,7 +160,10 @@ public void testSearchWc2() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("logstash-1-*,logstash-20*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("logstash-1-*,logstash-20*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
@@ -136,7 +172,10 @@ public void testSearchWc2() throws Exception {
 Assert.assertTrue(res.getBody().contains("mymsg"));
 Assert.assertTrue(res.getBody().contains("msgid"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("logstash-1-*,logstash-20*/_search?pretty", encodeBasicHeader("regex", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("logstash-1-*,logstash-20*/_search?pretty", encodeBasicHeader("regex", "password"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java
index aafffb141f..580cabc66b 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java
@@ -37,17 +37,41 @@ public class DfmOverwritesAllTest extends AbstractDlsFlsTest {
 protected void populateData(Client tc) {
- tc.index(new IndexRequest("index1-1").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"field1\": 1, \"field2\": \"value-2-1\", \"field3\": \"value-3-1\", \"field4\": \"value-4-1\" }", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("index1-2").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"field1\": 2, \"field2\": \"value-2-2\", \"field3\": \"value-3-2\", \"field4\": \"value-4-2\" }", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("index1-3").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"field1\": 3, \"field2\": \"value-2-3\", \"field3\": \"value-3-3\", \"field4\": \"value-4-3\" }", XContentType.JSON)).actionGet();
-
- tc.index(new IndexRequest("index1-4").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"field1\": 4, \"field2\": \"value-2-4\", \"field3\": \"value-3-4\", \"field4\": \"value-4-4\" }", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("index1-1").id("0")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source(
+ "{\"field1\": 1, \"field2\": \"value-2-1\", \"field3\": \"value-3-1\", \"field4\": \"value-4-1\" }",
+ XContentType.JSON
+ )
+ ).actionGet();
+
+ tc.index(
+ new IndexRequest("index1-2").id("0")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source(
+ "{\"field1\": 2, \"field2\": \"value-2-2\", \"field3\": \"value-3-2\", \"field4\": \"value-4-2\" }",
+ XContentType.JSON
+ )
+ ).actionGet();
+
+ tc.index(
+ new IndexRequest("index1-3").id("0")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source(
+ "{\"field1\": 3, \"field2\": \"value-2-3\", \"field3\": \"value-3-3\", \"field4\": \"value-4-3\" }",
+ XContentType.JSON
+ )
+ ).actionGet();
+
+ tc.index(
+ new IndexRequest("index1-4").id("0")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source(
+ "{\"field1\": 4, \"field2\": \"value-2-4\", \"field3\": \"value-3-4\", \"field4\": \"value-4-4\" }",
+ XContentType.JSON
+ )
+ ).actionGet();
 }
@@ -59,15 +83,17 @@ protected void populateData(Client tc) {
 public void testDFMUnrestrictedUser() throws Exception {
 final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, true).build();
- setup(settings, new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
+ setup(
+ settings,
+ new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
 .setSecurityInternalUsers("internal_users_dfm_empty_overwrites_all.yml")
 .setSecurityRoles("roles_dfm_empty_overwrites_all.yml")
- .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml"));
+ .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml")
+ );
 HttpResponse response;
- response = rh.executeGetRequest("/index1-*/_search?pretty",
- encodeBasicHeader("admin", "password"));
+ response = rh.executeGetRequest("/index1-*/_search?pretty", encodeBasicHeader("admin", "password"));
 Assert.assertEquals(200, response.getStatusCode());
 // the only document in index1-1 is filtered by DLS query, so normally no hit in index-1-1
@@ -99,21 +125,23 @@ public void testDFMUnrestrictedUser() throws Exception {
 public void testDFMRestrictedUser() throws Exception {
 final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, true).build();
- setup(settings, new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
+ setup(
+ settings,
+ new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
 .setSecurityInternalUsers("internal_users_dfm_empty_overwrites_all.yml")
 .setSecurityRoles("roles_dfm_empty_overwrites_all.yml")
- .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml"));
+ .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml")
+ );
 HttpResponse response;
- response = rh.executeGetRequest("/index1-*/_search?pretty",
- encodeBasicHeader("dfm_restricted_role", "password"));
+ response = rh.executeGetRequest("/index1-*/_search?pretty", encodeBasicHeader("dfm_restricted_role", "password"));
 Assert.assertEquals(200, response.getStatusCode());
- // the only document in index1-1 is filtered by DLS query, so no hit in index-1-1
+ // the only document in index1-1 is filtered by DLS query, so no hit in index-1-1
 Assert.assertFalse(response.getBody().contains("index1-1"));
- // field3 and field4 - filtered out by FLS
+ // field3 and field4 - filtered out by FLS
 Assert.assertFalse(response.getBody().contains("value-3-1"));
 Assert.assertFalse(response.getBody().contains("value-4-1"));
 Assert.assertFalse(response.getBody().contains("value-3-2"));
@@ -146,15 +174,20 @@ public void testDFMRestrictedAndUnrestrictedAllIndices() throws Exception {
 final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, true).build();
- setup(settings, new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
+ setup(
+ settings,
+ new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
 .setSecurityInternalUsers("internal_users_dfm_empty_overwrites_all.yml")
 .setSecurityRoles("roles_dfm_empty_overwrites_all.yml")
- .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml"));
+ .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml")
+ );
 HttpResponse response;
- response = rh.executeGetRequest("/index1-*/_search?pretty",
- encodeBasicHeader("dfm_restricted_and_unrestricted_all_indices_role", "password"));
+ response = rh.executeGetRequest(
+ "/index1-*/_search?pretty",
+ encodeBasicHeader("dfm_restricted_and_unrestricted_all_indices_role", "password")
+ );
 Assert.assertEquals(200, response.getStatusCode());
 // the only document in index1-1 is filtered by DLS query, so normally no hit in index-1-1
@@ -187,18 +220,25 @@ public void testDFMRestrictedAndUnrestrictedAllIndices() throws Exception {
 @Test
 public void testDFMRestrictedAndUnrestrictedOneIndex() throws Exception {
 final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, true).build();
- setup(settings, new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
+ setup(
+ settings,
+ new DynamicSecurityConfig().setConfig("securityconfig_dfm_empty_overwrites_all.yml")
 .setSecurityInternalUsers("internal_users_dfm_empty_overwrites_all.yml")
 .setSecurityRoles("roles_dfm_empty_overwrites_all.yml")
- .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml"));
+ .setSecurityRolesMapping("rolesmapping_dfm_empty_overwrites_all.yml")
+ );
 HttpResponse response;
- response = rh.executeGetRequest("/_plugins/_security/authinfo?pretty",
- encodeBasicHeader("dfm_restricted_and_unrestricted_one_index_role", "password"));
+ response = rh.executeGetRequest(
+ "/_plugins/_security/authinfo?pretty",
+ encodeBasicHeader("dfm_restricted_and_unrestricted_one_index_role", "password")
+ );
- response = rh.executeGetRequest("/index1-*/_search?pretty",
- encodeBasicHeader("dfm_restricted_and_unrestricted_one_index_role", "password"));
+ response = rh.executeGetRequest(
+ "/index1-*/_search?pretty",
+ encodeBasicHeader("dfm_restricted_and_unrestricted_one_index_role", "password")
+ );
 Assert.assertEquals(200, response.getStatusCode());
 // we have a role that places no restrictions on index-1-1, lifting the DLS from the restricted role
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java
index bfd0773f44..cbd1e09e56 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java
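Review bot: In testDFMRestrictedAndUnrestrictedOneIndex the `/_plugins/_security/authinfo?pretty` response assigned to `response` is overwritten by the following `executeGetRequest` call before anything reads it, so that first request contributes nothing to the test; the reformat carries it over unchanged. Either check it before it is discarded, `Assert.assertEquals(200, response.getStatusCode());`, or remove the call so the test body only contains requests whose results are asserted. The method continues past the end of the hunk.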
@@ -27,41 +27,52 @@ import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
-public class DlsDateMathTest extends AbstractDlsFlsTest{
-
+public class DlsDateMathTest extends AbstractDlsFlsTest {
 @Override
 protected void populateData(Client tc) {
-
-
 LocalDateTime yesterday = LocalDateTime.now(ZoneId.of("UTC")).minusDays(1);
 LocalDateTime today = LocalDateTime.now(ZoneId.of("UTC"));
 LocalDateTime tomorrow = LocalDateTime.now(ZoneId.of("UTC")).plusDays(1);
 DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy/MM/dd");
- tc.index(new IndexRequest("logstash").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"@timestamp\": \""+formatter.format(yesterday)+"\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("logstash").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"@timestamp\": \""+formatter.format(today)+"\"}", XContentType.JSON)).actionGet();
- tc.index(new IndexRequest("logstash").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE)
- .source("{\"@timestamp\": \""+formatter.format(tomorrow)+"\"}", XContentType.JSON)).actionGet();
+ tc.index(
+ new IndexRequest("logstash").id("1")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"@timestamp\": \"" + formatter.format(yesterday) + "\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("logstash").id("2")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"@timestamp\": \"" + formatter.format(today) + "\"}", XContentType.JSON)
+ ).actionGet();
+ tc.index(
+ new IndexRequest("logstash").id("3")
+ .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+ .source("{\"@timestamp\": \"" + formatter.format(tomorrow) + "\"}", XContentType.JSON)
+ ).actionGet();
 }
-
 @Test
 public void testDlsDateMathQuery() throws Exception {
- final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS,true).build();
+ final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, true).build();
 setup(settings);
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("date_math", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("date_math", "password"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 3,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
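Review bot: populateData in DlsDateMathTest derives `yesterday`, `today` and `tomorrow` from three separate `LocalDateTime.now(ZoneId.of("UTC"))` calls (context lines in this hunk); if those calls straddle a UTC midnight the three documents no longer sit on consecutive days and the `"value" : 1` expectation in testDlsDateMathQuery becomes time-dependent. Reading the clock once and deriving the neighbours from it closes that window: `LocalDateTime today = LocalDateTime.now(ZoneId.of("UTC"));` followed by `LocalDateTime yesterday = today.minusDays(1);` and `LocalDateTime tomorrow = today.plusDays(1);`. The commit only rewraps the `tc.index(...)` calls, so this is a pre-existing point rather than something the reformat introduced.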
@@ -73,12 +84,18 @@ public void testDlsDateMathQueryNotAllowed() throws Exception {
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("date_math", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_BAD_REQUEST,
+ (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("date_math", "password"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("'now' is not allowed in DLS queries"));
 Assert.assertTrue(res.getBody().contains("error"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executeGetRequest("/logstash/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 System.out.println(res.getBody());
 Assert.assertTrue(res.getBody().contains("\"value\" : 3,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterMinimalRoundtripSearchTests.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterMinimalRoundtripSearchTests.java
index 86b97c1afe..81610b0ee4 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterMinimalRoundtripSearchTests.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterMinimalRoundtripSearchTests.java
@@ -13,5 +13,7 @@ public class DlsFlsCrossClusterMinimalRoundtripSearchTests extends DlsFlsCrossClusterSearchTest {
 @Override
- protected boolean ccsMinimizeRoundtrips() { return true; }
+ protected boolean ccsMinimizeRoundtrips() {
+ return true;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterSearchTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterSearchTest.java
index 8fcd85f873..a86c49d21d 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterSearchTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsFlsCrossClusterSearchTest.java
@@ -31,12 +31,18 @@ public class DlsFlsCrossClusterSearchTest extends AbstractSecurityUnitTest {
- private final ClusterHelper cl1 = new ClusterHelper("crl1_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime());
- private final ClusterHelper cl2 = new ClusterHelper("crl2_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime());
+ private final ClusterHelper cl1 = new ClusterHelper(
+ "crl1_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime()
+ );
+ private final ClusterHelper cl2 = new ClusterHelper(
+ "crl2_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime()
+ );
 private ClusterInfo cl1Info;
 private ClusterInfo cl2Info;
- protected boolean ccsMinimizeRoundtrips() { return false; };
+ protected boolean ccsMinimizeRoundtrips() {
+ return false;
+ };
 @Override
 protected String getResourceFolder() {
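Review bot: The stray `;` after the closing brace of `ccsMinimizeRoundtrips()` in DlsFlsCrossClusterSearchTest survives the reformat as `+ };`; it is an empty declaration in the class body that the formatter leaves in place, and the override in DlsFlsCrossClusterMinimalRoundtripSearchTests was reformatted without one, so the two definitions now differ only by that token. Drop it so the base method reads `protected boolean ccsMinimizeRoundtrips() {` / `return false;` / `}` like the subclass. Since this commit is a formatting pass, fixing it here keeps the next formatter run from re-flagging the line.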
@@ -45,13 +51,16 @@ protected String getResourceFolder() {
 private void setupCcs(String remoteRoles) throws Exception {
- System.setProperty("security.display_lic_none","true");
+ System.setProperty("security.display_lic_none", "true");
- cl2Info = cl2.startCluster(minimumSecuritySettings(Settings.builder().putList("node.roles", "remote_cluster_client").build()), ClusterConfiguration.DEFAULT);
+ cl2Info = cl2.startCluster(
+ minimumSecuritySettings(Settings.builder().putList("node.roles", "remote_cluster_client").build()),
+ ClusterConfiguration.DEFAULT
+ );
 initialize(cl2, cl2Info, new DynamicSecurityConfig().setSecurityRoles(remoteRoles));
 System.out.println("### cl2 complete ###");
- //cl1 is coordinating
+ // cl1 is coordinating
 cl1Info = cl1.startCluster(minimumSecuritySettings(crossClusterNodeSettings(cl2Info)), ClusterConfiguration.DEFAULT);
 System.out.println("### cl1 start ###");
 initialize(cl1, cl1Info, new DynamicSecurityConfig().setSecurityRoles("roles_983.yml"));
@@ -66,8 +75,8 @@ public void tearDown() throws Exception {
 private Settings crossClusterNodeSettings(ClusterInfo remote) {
 Settings.Builder builder = Settings.builder()
- .putList("cluster.remote.cross_cluster_two.seeds", remote.nodeHost+":"+remote.nodePort)
- .putList("node.roles", "remote_cluster_client");
+ .putList("cluster.remote.cross_cluster_two.seeds", remote.nodeHost + ":" + remote.nodePort)
+ .putList("node.roles", "remote_cluster_client");
 return builder.build();
 }
@@ -76,42 +85,71 @@ public void testCcs() throws Exception { setupCcs("roles_983.yml"); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\","+ - "\"Designation\": \"CEO\","+ - "\"FirstName\": \"__fn__"+cl2Info.clustername+"\","+ - "\"LastName\": \"lastname0\","+ - "\"Salary\": \"salary0\","+ - "\"SecretFiled\": \"secret0\","+ - "\"AnotherSecredField\": \"anothersecret0\","+ - "\"XXX\": \"xxx0\"" - + "}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("1") - .source("{\"cluster\": \""+cl2Info.clustername+"\","+ - "\"Designation\": \"someoneelse\","+ - "\"FirstName\": \"__fn__"+cl2Info.clustername+"\","+ - "\"LastName\": \"lastname1\","+ - "\"Salary\": \"salary1\","+ - "\"SecretFiled\": \"secret1\","+ - "\"AnotherSecredField\": \"anothersecret1\","+ - "\"XXX\": \"xxx1\"" - + "}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source( + "{\"cluster\": \"" + + cl2Info.clustername + + "\"," + + 
"\"Designation\": \"CEO\"," + + "\"FirstName\": \"__fn__" + + cl2Info.clustername + + "\"," + + "\"LastName\": \"lastname0\"," + + "\"Salary\": \"salary0\"," + + "\"SecretFiled\": \"secret0\"," + + "\"AnotherSecredField\": \"anothersecret0\"," + + "\"XXX\": \"xxx0\"" + + "}", + XContentType.JSON + ) + ).actionGet(); + + tc.index( + new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("1") + .source( + "{\"cluster\": \"" + + cl2Info.clustername + + "\"," + + "\"Designation\": \"someoneelse\"," + + "\"FirstName\": \"__fn__" + + cl2Info.clustername + + "\"," + + "\"LastName\": \"lastname1\"," + + "\"Salary\": \"salary1\"," + + "\"SecretFiled\": \"secret1\"," + + "\"AnotherSecredField\": \"anothersecret1\"," + + "\"XXX\": \"xxx1\"" + + "}", + XContentType.JSON + ) + ).actionGet(); } HttpResponse ccs = null; System.out.println("###################### query 1"); - //on coordinating cluster - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:humanresources/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("human_resources_trainee", "password")); + // on coordinating cluster + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:humanresources/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("human_resources_trainee", "password") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("crl1")); 
@@ -134,42 +172,71 @@ public void testCcsDifferentConfig() throws Exception { setupCcs("roles_ccs2.yml"); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); } try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\","+ - "\"Designation\": \"CEO\","+ - "\"FirstName\": \"__fn__"+cl2Info.clustername+"\","+ - "\"LastName\": \"lastname0\","+ - "\"Salary\": \"salary0\","+ - "\"SecretFiled\": \"secret0\","+ - "\"AnotherSecredField\": \"anothersecret0\","+ - "\"XXX\": \"xxx0\"" - + "}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("1") - .source("{\"cluster\": \""+cl2Info.clustername+"\","+ - "\"Designation\": \"someoneelse\","+ - "\"FirstName\": \"__fn__"+cl2Info.clustername+"\","+ - "\"LastName\": \"lastname1\","+ - "\"Salary\": \"salary1\","+ - "\"SecretFiled\": \"secret1\","+ - "\"AnotherSecredField\": \"anothersecret1\","+ - "\"XXX\": \"xxx1\"" - + "}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source( + "{\"cluster\": \"" + + cl2Info.clustername + + "\"," + 
+ "\"Designation\": \"CEO\"," + + "\"FirstName\": \"__fn__" + + cl2Info.clustername + + "\"," + + "\"LastName\": \"lastname0\"," + + "\"Salary\": \"salary0\"," + + "\"SecretFiled\": \"secret0\"," + + "\"AnotherSecredField\": \"anothersecret0\"," + + "\"XXX\": \"xxx0\"" + + "}", + XContentType.JSON + ) + ).actionGet(); + + tc.index( + new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("1") + .source( + "{\"cluster\": \"" + + cl2Info.clustername + + "\"," + + "\"Designation\": \"someoneelse\"," + + "\"FirstName\": \"__fn__" + + cl2Info.clustername + + "\"," + + "\"LastName\": \"lastname1\"," + + "\"Salary\": \"salary1\"," + + "\"SecretFiled\": \"secret1\"," + + "\"AnotherSecredField\": \"anothersecret1\"," + + "\"XXX\": \"xxx1\"" + + "}", + XContentType.JSON + ) + ).actionGet(); } HttpResponse ccs = null; System.out.println("###################### query 1"); - //on coordinating cluster - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:humanresources/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("human_resources_trainee", "password")); + // on coordinating cluster + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:humanresources/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("human_resources_trainee", "password") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertFalse(ccs.getBody().contains("crl1")); 
@@ -192,64 +259,113 @@ public void testCcsDifferentConfigBoth() throws Exception { setupCcs("roles_ccs2.yml"); try (Client tc = cl1.nodeClient()) { - tc.index(new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\"}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl1Info.clustername+"\","+ - "\"Designation\": \"CEO\","+ - "\"FirstName\": \"__fn__"+cl1Info.clustername+"\","+ - "\"LastName\": \"lastname0\","+ - "\"Salary\": \"salary0\","+ - "\"SecretFiled\": \"secret3\","+ - "\"AnotherSecredField\": \"anothersecret3\","+ - "\"XXX\": \"xxx0\"" - + "}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("1") - .source("{\"cluster\": \""+cl1Info.clustername+"\","+ - "\"Designation\": \"someoneelse\","+ - "\"FirstName\": \"__fn__"+cl1Info.clustername+"\","+ - "\"LastName\": \"lastname1\","+ - "\"Salary\": \"salary1\","+ - "\"SecretFiled\": \"secret4\","+ - "\"AnotherSecredField\": \"anothersecret4\","+ - "\"XXX\": \"xxx1\"" - + "}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twitter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl1Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + + tc.index( + new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source( + "{\"cluster\": \"" + + cl1Info.clustername + + "\"," + + "\"Designation\": \"CEO\"," + + "\"FirstName\": \"__fn__" + + cl1Info.clustername + + "\"," + + "\"LastName\": \"lastname0\"," + + "\"Salary\": \"salary0\"," + + "\"SecretFiled\": \"secret3\"," + + "\"AnotherSecredField\": \"anothersecret3\"," + + "\"XXX\": \"xxx0\"" + + "}", + XContentType.JSON + ) + ).actionGet(); + + tc.index( + new 
IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("1") + .source( + "{\"cluster\": \"" + + cl1Info.clustername + + "\"," + + "\"Designation\": \"someoneelse\"," + + "\"FirstName\": \"__fn__" + + cl1Info.clustername + + "\"," + + "\"LastName\": \"lastname1\"," + + "\"Salary\": \"salary1\"," + + "\"SecretFiled\": \"secret4\"," + + "\"AnotherSecredField\": \"anothersecret4\"," + + "\"XXX\": \"xxx1\"" + + "}", + XContentType.JSON + ) + ).actionGet(); } try (Client tc = cl2.nodeClient()) { - tc.index(new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("0") - .source("{\"cluster\": \""+cl2Info.clustername+"\","+ - "\"Designation\": \"CEO\","+ - "\"FirstName\": \"__fn__"+cl2Info.clustername+"\","+ - "\"LastName\": \"lastname0\","+ - "\"Salary\": \"salary0\","+ - "\"SecretFiled\": \"secret0\","+ - "\"AnotherSecredField\": \"anothersecret0\","+ - "\"XXX\": \"xxx0\"" - + "}", XContentType.JSON)).actionGet(); - - tc.index(new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE).id("1") - .source("{\"cluster\": \""+cl2Info.clustername+"\","+ - "\"Designation\": \"someoneelse\","+ - "\"FirstName\": \"__fn__"+cl2Info.clustername+"\","+ - "\"LastName\": \"lastname1\","+ - "\"Salary\": \"salary1\","+ - "\"SecretFiled\": \"secret1\","+ - "\"AnotherSecredField\": \"anothersecret1\","+ - "\"XXX\": \"xxx1\"" - + "}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("twutter").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source("{\"cluster\": \"" + cl2Info.clustername + "\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("0") + .source( + "{\"cluster\": \"" + + cl2Info.clustername + + "\"," + + "\"Designation\": \"CEO\"," + 
+ "\"FirstName\": \"__fn__" + + cl2Info.clustername + + "\"," + + "\"LastName\": \"lastname0\"," + + "\"Salary\": \"salary0\"," + + "\"SecretFiled\": \"secret0\"," + + "\"AnotherSecredField\": \"anothersecret0\"," + + "\"XXX\": \"xxx0\"" + + "}", + XContentType.JSON + ) + ).actionGet(); + + tc.index( + new IndexRequest("humanresources").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .id("1") + .source( + "{\"cluster\": \"" + + cl2Info.clustername + + "\"," + + "\"Designation\": \"someoneelse\"," + + "\"FirstName\": \"__fn__" + + cl2Info.clustername + + "\"," + + "\"LastName\": \"lastname1\"," + + "\"Salary\": \"salary1\"," + + "\"SecretFiled\": \"secret1\"," + + "\"AnotherSecredField\": \"anothersecret1\"," + + "\"XXX\": \"xxx1\"" + + "}", + XContentType.JSON + ) + ).actionGet(); } HttpResponse ccs = null; System.out.println("###################### query 1"); - //on coordinating cluster - ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest("cross_cluster_two:humanresources,humanresources/_search?pretty&ccs_minimize_roundtrips="+ccsMinimizeRoundtrips(), encodeBasicHeader("human_resources_trainee", "password")); + // on coordinating cluster + ccs = new RestHelper(cl1Info, false, false, getResourceFolder()).executeGetRequest( + "cross_cluster_two:humanresources,humanresources/_search?pretty&ccs_minimize_roundtrips=" + ccsMinimizeRoundtrips(), + encodeBasicHeader("human_resources_trainee", "password") + ); System.out.println(ccs.getBody()); Assert.assertEquals(HttpStatus.SC_OK, ccs.getStatusCode()); Assert.assertTrue(ccs.getBody().contains("crl1")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsNestedTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsNestedTest.java index a89d12770d..afb42d9a4a 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsNestedTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsNestedTest.java 
@@ -23,35 +23,47 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class DlsNestedTest extends AbstractDlsFlsTest{ +public class DlsNestedTest extends AbstractDlsFlsTest { @Override protected void populateData(Client tc) { - String mapping = "{" + - " \"mytype\" : {" + - " \"properties\" : {" + - " \"amount\" : {\"type\": \"integer\"}," + - " \"owner\" : {\"type\": \"text\"}," + - " \"my_nested_object\" : {\"type\" : \"nested\"}" + - " }" + - " }" + - " }" + - ""; - - tc.admin().indices().create(new CreateIndexRequest("deals") - .simpleMapping("amount", "type=integer", "owner", "type=text", "my_nested_object", "type=nested") - .settings(Settings.builder().put("number_of_shards", 1).put("number_of_replicas", 0).build())) - .actionGet(); - - //tc.index(new IndexRequest("deals").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - // .source("{\"amount\": 7,\"owner\": \"a\", \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON)).actionGet(); - //tc.index(new IndexRequest("deals").id("4").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - // .source("{\"amount\": 8, \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON)).actionGet(); - //tc.index(new IndexRequest("deals").id("5").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - // .source("{\"amount\": 1400,\"owner\": \"a\", \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 1500,\"owner\": \"b\", \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON)).actionGet(); + String mapping = "{" + + " \"mytype\" : {" + + " \"properties\" : {" + + " \"amount\" : {\"type\": \"integer\"}," + + " \"owner\" : {\"type\": \"text\"}," + + " \"my_nested_object\" : {\"type\" : \"nested\"}" + + " }" + + " }" + + " }" + + ""; + + tc.admin() + .indices() + .create( + new 
CreateIndexRequest("deals").simpleMapping( + "amount", + "type=integer", + "owner", + "type=text", + "my_nested_object", + "type=nested" + ).settings(Settings.builder().put("number_of_shards", 1).put("number_of_replicas", 0).build()) + ) + .actionGet(); + + // tc.index(new IndexRequest("deals").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + // .source("{\"amount\": 7,\"owner\": \"a\", \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON)).actionGet(); + // tc.index(new IndexRequest("deals").id("4").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + // .source("{\"amount\": 8, \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON)).actionGet(); + // tc.index(new IndexRequest("deals").id("5").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + // .source("{\"amount\": 1400,\"owner\": \"a\", \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("deals").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"amount\": 1500,\"owner\": \"b\", \"my_nested_object\" : {\"name\": \"spock\"}}", XContentType.JSON) + ).actionGet(); } @Test 
@@ -59,34 +71,35 @@ public void testNestedQuery() throws Exception { setup(); - - String query = "{" + - " \"query\": {" + - " \"nested\": {" + - " \"path\": \"my_nested_object\"," + - " \"query\": {" + - " \"match\": {\"my_nested_object.name\" : \"spock\"}" + - " }," + - " \"inner_hits\": {} " + - " }" + - " }" + - "}"; - + String query = "{" + + " \"query\": {" + + " \"nested\": {" + + " \"path\": \"my_nested_object\"," + + " \"query\": {" + + " \"match\": {\"my_nested_object.name\" : \"spock\"}" + + " }," + + " \"inner_hits\": {} " + + " }" + + " }" + + "}"; HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"my_nested_object\" : {")); Assert.assertTrue(res.getBody().contains("\"field\" : \"my_nested_object\",")); Assert.assertTrue(res.getBody().contains("\"offset\" : 0")); - //Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); - //System.out.println(res.getBody()); - //Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); - //Assert.assertTrue(res.getBody().contains("\"value\" : 1510.0")); - //Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); + // Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", + // "admin"))).getStatusCode()); + // System.out.println(res.getBody()); + // Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); + // Assert.assertTrue(res.getBody().contains("\"value\" 
: 1510.0")); + // Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); } - } diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsPropsReplaceTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsPropsReplaceTest.java index 43d5ecfc5f..2e23a11d2d 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsPropsReplaceTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsPropsReplaceTest.java 
@@ -21,28 +21,40 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class DlsPropsReplaceTest extends AbstractDlsFlsTest{ - +public class DlsPropsReplaceTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("prop1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"prop_replace\": \"yes\", \"amount\": 1010}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("prop1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"prop_replace\": \"no\", \"amount\": 2020}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("prop2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"role\": \"prole1\", \"amount\": 3030}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("prop2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"role\": \"prole2\", \"amount\": 4040}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("prop2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"role\": \"prole3\", \"amount\": 5050}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("prop-mapped").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"securityRole\": \"opendistro_security_mapped\", \"amount\": 6060}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("prop-mapped").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"securityRole\": \"not_assigned\", \"amount\": 7070}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("prop1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"prop_replace\": \"yes\", \"amount\": 1010}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("prop1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"prop_replace\": \"no\", \"amount\": 2020}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("prop2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"role\": 
\"prole1\", \"amount\": 3030}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("prop2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"role\": \"prole2\", \"amount\": 4040}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("prop2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"role\": \"prole3\", \"amount\": 5050}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("prop-mapped").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"securityRole\": \"opendistro_security_mapped\", \"amount\": 6060}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("prop-mapped").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"securityRole\": \"not_assigned\", \"amount\": 7070}", XContentType.JSON) + ).actionGet(); } - @Test public void testDlsProps() throws Exception { 
@@ -50,15 +62,26 @@ public void testDlsProps() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/prop1,prop2/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/prop1,prop2/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 5,\n \"relation")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/prop1,prop2/_search?pretty&size=100", encodeBasicHeader("prop_replace", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/prop1,prop2/_search?pretty&size=100", encodeBasicHeader("prop_replace", "password"))) + .getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 3,\n \"relation")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/prop-mapped/_search?pretty&size=100", encodeBasicHeader("prop_replace", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/prop-mapped/_search?pretty&size=100", encodeBasicHeader("prop_replace", "password"))) + .getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"amount\" : 6060")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsScrollTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsScrollTest.java index b1d87734e5..cc7b9e305d 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsScrollTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsScrollTest.java 
@@ -21,53 +21,67 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class DlsScrollTest extends AbstractDlsFlsTest{ - +public class DlsScrollTest extends AbstractDlsFlsTest { @Override protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 3}", XContentType.JSON)).actionGet(); //not in + tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 3}", XContentType.JSON)) + .actionGet(); // not in - tc.index(new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 10}", XContentType.JSON)).actionGet(); //not in + tc.index(new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 10}", XContentType.JSON)) + .actionGet(); // not in - tc.index(new IndexRequest("deals").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 1500}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("deals").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 1500}", XContentType.JSON) + ).actionGet(); - tc.index(new IndexRequest("deals").id("4").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 21500}", XContentType.JSON)).actionGet(); //not in + tc.index( + new IndexRequest("deals").id("4").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 21500}", XContentType.JSON) + ).actionGet(); // not in - for(int i=0; i<100; i++) { - tc.index(new IndexRequest("deals").id("gen"+i).setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 1500}", XContentType.JSON)).actionGet(); + for (int i = 0; i < 100; i++) { + tc.index( + new IndexRequest("deals").id("gen" + i) + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"amount\": 1500}", XContentType.JSON) + ).actionGet(); } } - @Test public void 
testDlsScroll() throws Exception { setup(); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executeGetRequest("/deals/_search?scroll=1m&pretty=true&size=5", encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?scroll=1m&pretty=true&size=5", encodeBasicHeader("dept_manager", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 101,")); - int c=0; + int c = 0; - while(true) { + while (true) { int start = res.getBody().indexOf("_scroll_id") + 15; - String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start+1)); - Assert.assertEquals(HttpStatus.SC_OK, (res=rh.executePostRequest("/_search/scroll?pretty=true", "{\"scroll\" : \"1m\", \"scroll_id\" : \""+scrollid+"\"}", encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + String scrollid = res.getBody().substring(start, res.getBody().indexOf("\"", start + 1)); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest( + "/_search/scroll?pretty=true", + "{\"scroll\" : \"1m\", \"scroll_id\" : \"" + scrollid + "\"}", + encodeBasicHeader("dept_manager", "password") + )).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 101,")); Assert.assertFalse(res.getBody().contains("\"amount\" : 3")); Assert.assertFalse(res.getBody().contains("\"amount\" : 10")); Assert.assertFalse(res.getBody().contains("\"amount\" : 21500")); c++; - if(res.getBody().contains("\"hits\" : [ ]")) { + if (res.getBody().contains("\"hits\" : [ ]")) { break; } } diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTermLookupQueryTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTermLookupQueryTest.java index 098d659d88..76112f533c 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTermLookupQueryTest.java 
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTermLookupQueryTest.java 
@@ -54,543 +54,701 @@ public class DlsTermLookupQueryTest extends AbstractDlsFlsTest { - protected void populateData(Client client) { - // user access codes, basis for TLQ query - client.index(new IndexRequest("user_access_codes").id("tlq_1337").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"access_codes\": [1337] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("user_access_codes").id("tlq_42").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"access_codes\": [42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("user_access_codes").id("tlq_1337_42").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"access_codes\": [1337, 42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("user_access_codes").id("tlq_999").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"access_codes\": [999] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("user_access_codes").id("tlq_empty_access_codes") - .setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{ \"access_codes\": [] }", XContentType.JSON)) - .actionGet(); - client.index(new IndexRequest("user_access_codes").id("tlq_no_codes").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bla\": \"blub\" }", XContentType.JSON)).actionGet(); - - // need to have keyword for bu field since we're testing aggregations - client.admin().indices().create(new CreateIndexRequest("tlqdocuments")).actionGet(); - client.admin().indices() - .putMapping(new PutMappingRequest("tlqdocuments").source("bu", "type=keyword")) - .actionGet(); - - // tlqdocuments, protected by TLQ - client.index(new IndexRequest("tlqdocuments").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"AAA\", \"access_codes\": [1337] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"AAA\", \"access_codes\": [42] }", 
XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"AAA\", \"access_codes\": [1337, 42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("4").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"BBB\", \"access_codes\": [1337] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("5").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"BBB\", \"access_codes\": [42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("6").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"BBB\", \"access_codes\": [1337, 42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("7").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"CCC\", \"access_codes\": [1337] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("8").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"CCC\", \"access_codes\": [42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("9").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"CCC\", \"access_codes\": [1337, 42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("10").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"DDD\", \"access_codes\": [1337] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("11").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"DDD\", \"access_codes\": [42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("12").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"DDD\", \"access_codes\": [1337, 42] }", XContentType.JSON)).actionGet(); - client.index(new 
IndexRequest("tlqdocuments").id("13").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"EEE\", \"access_codes\": [1337] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("14").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"EEE\", \"access_codes\": [42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("15").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"EEE\", \"access_codes\": [1337, 42] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("16").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"FFF\" }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("17").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"FFF\", \"access_codes\": [12345] }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdocuments").id("18").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"bu\": \"FFF\", \"access_codes\": [12345, 6789] }", XContentType.JSON)).actionGet(); - - // we use a "bu" field here as well to test aggregations over multiple indices - client.admin().indices().create(new CreateIndexRequest("tlqdummy")).actionGet(); - client.admin().indices().putMapping(new PutMappingRequest("tlqdummy").source("bu", "type=keyword")) - .actionGet(); - - // tlqdummy, not protected by TLQ - client.index(new IndexRequest("tlqdummy").id("101").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"mykey\": \"101\", \"bu\": \"GGG\" }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdummy").id("102").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"mykey\": \"102\", \"bu\": \"GGG\" }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdummy").id("103").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"mykey\": \"103\", \"bu\": \"GGG\" }", XContentType.JSON)).actionGet(); - client.index(new 
IndexRequest("tlqdummy").id("104").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"mykey\": \"104\", \"bu\": \"GGG\" }", XContentType.JSON)).actionGet(); - client.index(new IndexRequest("tlqdummy").id("105").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{ \"mykey\": \"105\", \"bu\": \"GGG\" }", XContentType.JSON)).actionGet(); - - } - - // ------------------------ - // Test search and msearch - // ------------------------ - - @Test - public void testSimpleSearch_AccessCode_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", - encodeBasicHeader("tlq_1337", "password")); - Assert.assertEquals(200, response.getStatusCode()); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, - LoggingDeprecationHandler.INSTANCE, response.getBody()); - SearchResponse searchResponse = SearchResponse.fromXContent(xcp); - // 10 docs, all need to have access code 1337 - Assert.assertEquals(searchResponse.toString(), 10, searchResponse.getHits().getTotalHits().value); - // fields need to have 1337 access code - assertAccessCodesMatch(searchResponse.getHits().getHits(), new Integer[] { 1337 }); - } - - @Test - public void testSimpleSearch_AccessCode_42() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", - encodeBasicHeader("tlq_42", "password")); - Assert.assertEquals(200, response.getStatusCode()); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, - 
LoggingDeprecationHandler.INSTANCE, response.getBody()); - SearchResponse searchResponse = SearchResponse.fromXContent(xcp); - - // 10 docs, all need to have access code 42 - Assert.assertEquals(searchResponse.toString(), 10, searchResponse.getHits().getTotalHits().value); - // fields need to have 42 access code - assertAccessCodesMatch(searchResponse.getHits().getHits(), new Integer[] { 42 }); - - } - - @Test - public void testSimpleSearch_AccessCodes_1337_42() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", - encodeBasicHeader("tlq_1337_42", "password")); - Assert.assertEquals(200, response.getStatusCode()); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, - LoggingDeprecationHandler.INSTANCE, response.getBody()); - SearchResponse searchResponse = SearchResponse.fromXContent(xcp); - - // 15 docs, all need to have either access code 1337 or 42 - Assert.assertEquals(searchResponse.toString(), 15, searchResponse.getHits().getTotalHits().value); - // fields need to have 42 or 1337 access code - assertAccessCodesMatch(searchResponse.getHits().getHits(), new Integer[] { 42, 1337 }); - - } - - @Test - public void testSimpleSearch_AccessCodes_999() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", - encodeBasicHeader("tlq_999", "password")); - Assert.assertEquals(200, response.getStatusCode()); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, - 
LoggingDeprecationHandler.INSTANCE, response.getBody()); - SearchResponse searchResponse = SearchResponse.fromXContent(xcp); - - Assert.assertEquals(searchResponse.toString(), 0, searchResponse.getHits().getTotalHits().value); - } - - @Test - public void testSimpleSearch_AccessCodes_emptyAccessCodes() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - SearchResponse searchResponse = executeSearch("tlqdocuments", "tlq_empty_access_codes", "password"); - Assert.assertEquals(searchResponse.toString(), 0, searchResponse.getHits().getTotalHits().value); - } - - @Test - public void testSimpleSearch_AccessCodes_noAccessCodes() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - SearchResponse searchResponse = executeSearch("tlqdocuments", "tlq_no_codes", "password"); - - Assert.assertEquals(searchResponse.toString(), 0, searchResponse.getHits().getTotalHits().value); - } - - @Test - public void testSimpleSearch_AllIndices_All_AccessCodes_1337() throws Exception { - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - SearchResponse searchResponse = executeSearch("_all", "tlq_1337", "password"); - - // assume hits from 2 indices: - // - tlqdocuments, must contain only docs with access code 1337 - // - tlqdummy, contains all documents - // no access to user_access_codes must be granted - - // check all 5 tlqdummy entries present, index is not protected by DLS - Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - 
.filter((h) -> h.getIndex().equals("tlqdummy")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); - - // check 10 hits with code 1337 from tlqdocuments index. All other documents - // must be filtered - Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("tlqdocuments")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); - assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); - - // check no access to user_access_codes index - Set userAccessCodesHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("user_access_codes")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 0, userAccessCodesHits.size()); - } - - @Test - public void testSimpleSearch_AllIndicesWildcard_AccessCodes_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - SearchResponse searchResponse = executeSearch("*", "tlq_1337", "password"); - - // assume hits from 2 indices: - // - tlqdocuments, must contain only docs with access code 1337 - // - tlqdummy, contains all documents - // no access to user_access_codes must be granted - - // check all 5 tlqdummy entries present, index is not protected by DLS - Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("tlqdummy")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); - - // check 10 hits with code 1337 from tlqdocuments index. 
All other documents - // must be filtered - Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("tlqdocuments")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); - assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); - - // check no access to user_access_codes index - Set userAccessCodesHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("user_access_codes")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 0, userAccessCodesHits.size()); - } - - @Test - public void testSimpleSearch_ThreeIndicesWildcard_AccessCodes_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - SearchResponse searchResponse = executeSearch("tlq*,user*", "tlq_1337", "password"); - - // assume hits from 2 indices: - // - tlqdocuments, must contain only docs with access code 1337 - // - tlqdummy, contains all documents - // no access to user_access_codes must be granted - - // check all 5 tlqdummy entries present, index is not protected by DLS - Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("tlqdummy")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); - - // check 10 hits with code 1337 from tlqdocuments index. 
All other documents - // must be filtered - Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("tlqdocuments")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); - assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); - - // check no access to user_access_codes index - Set userAccessCodesHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("user_access_codes")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 0, userAccessCodesHits.size()); - - } - - @Test - public void testSimpleSearch_TwoIndicesConcreteNames_AccessCodes_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - SearchResponse searchResponse = executeSearch("tlqdocuments,tlqdummy", "tlq_1337", "password"); - - // assume hits from 2 indices: - // - tlqdocuments, must contains only 10 docs with access code 1337 - // - tlqdummy, must contains all 5 documents - - // check all 5 tlqdummy entries present, index is not protected by DLS - Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("tlqdummy")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); - - // ccheck 10 hits with code 1337 from tlqdocuments index. 
All other documents - // must be filtered - Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()).stream() - .filter((h) -> h.getIndex().equals("tlqdocuments")).collect(Collectors.toSet()); - Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); - assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); - } - - @Test - public void testMSearch_ThreeIndices_AccessCodes_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - MultiSearchResponse searchResponse = executeMSearchMatchAll("tlq_1337", "password", "tlqdummy", "tlqdocuments", - "user_access_codes"); - - Item[] responseItems = searchResponse.getResponses(); - - // as per API order in response is the same as in the msearch request - - // check all 5 tlqdummy entries present - List tlqdummyHits = Arrays.asList(responseItems[0].getResponse().getHits().getHits()); - Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); - - // check 10 hits with code 1337 from tlqdocuments index. 
All other documents - // must be filtered - List tlqdocumentHits = Arrays.asList(responseItems[1].getResponse().getHits().getHits()); - Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); - assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); - - // check no access to user_access_codes index, just two indices in the response - Assert.assertTrue(responseItems[2].getResponse() == null); - Assert.assertTrue(responseItems[2].getFailure() != null); - - } - - // ------------------------ - // Test get and mget - // ------------------------ - - @Test - public void testGet_TlqDocumentsIndex_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - // user has 1337, document has 1337 - GetResponse searchResponse = executeGet("tlqdocuments", "1", "tlq_1337", "password"); - Assert.assertTrue(searchResponse != null); - Assert.assertTrue(searchResponse.isExists()); - assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337 }); - - // user has 1337, document has 42, not visible - searchResponse = executeGet("tlqdocuments", "2", "tlq_1337", "password"); - Assert.assertFalse(searchResponse.isExists()); - - // user has 1337, document has 42 and 1337 - searchResponse = executeGet("tlqdocuments", "3", "tlq_1337", "password"); - Assert.assertTrue(searchResponse != null); - Assert.assertTrue(searchResponse.isExists()); - assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337 }); - - // user has 1337, document has no access codes, not visible - searchResponse = executeGet("tlqdocuments", "16", "tlq_1337", "password"); - Assert.assertFalse(searchResponse.isExists()); - - // user has 1337, document has 12345, not visible - searchResponse = executeGet("tlqdocuments", "17", "tlq_1337", "password"); 
- Assert.assertFalse(searchResponse.isExists()); - - // user has 1337, document has 12345 and 6789, not visible - searchResponse = executeGet("tlqdocuments", "18", "tlq_1337", "password"); - Assert.assertFalse(searchResponse.isExists()); - - } - - @Test - public void testGet_TlqDocumentsIndex_1337_42() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - // user has 1337 and 42, document has 1337 - GetResponse searchResponse = executeGet("tlqdocuments", "1", "tlq_1337_42", "password"); - Assert.assertTrue(searchResponse != null); - Assert.assertTrue(searchResponse.isExists()); - assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337, 42 }); - - // user has 1337 and 42, document has 42 - searchResponse = executeGet("tlqdocuments", "2", "tlq_1337_42", "password"); - Assert.assertTrue(searchResponse != null); - Assert.assertTrue(searchResponse.isExists()); - assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337, 42 }); - - // user has 1337 and 42, document has 42 and 1337 - searchResponse = executeGet("tlqdocuments", "3", "tlq_1337_42", "password"); - Assert.assertTrue(searchResponse != null); - Assert.assertTrue(searchResponse.isExists()); - assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337, 42 }); - - // user has 1337 and 42, document has no access codes, not visible - searchResponse = executeGet("tlqdocuments", "16", "tlq_1337_42", "password"); - Assert.assertFalse(searchResponse.isExists()); - - // user has 1337 and 42, document has 12345, not visible - searchResponse = executeGet("tlqdocuments", "17", "tlq_1337_42", "password"); - Assert.assertFalse(searchResponse.isExists()); - - // user has 1337 and 42, document has 12345 and 6789, not visible - searchResponse 
= executeGet("tlqdocuments", "18", "tlq_1337_42", "password"); - Assert.assertFalse(searchResponse.isExists()); - - } - - @Test - public void testGet_TlqDummyIndex_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - // no restrictions on this index - GetResponse searchResponse = executeGet("tlqdummy", "101", "tlq_1337", "password"); - Assert.assertTrue(searchResponse != null); - Assert.assertTrue(searchResponse.isExists()); - - searchResponse = executeGet("tlqdummy", "102", "tlq_1337", "password"); - Assert.assertTrue(searchResponse != null); - Assert.assertTrue(searchResponse.isExists()); - - } - - @Test - public void testGet_UserAccessCodesIndex_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - // we expect a security exception here, user has no direct access to - // user_access_codes index - HttpResponse response = rh.executeGetRequest("/user_access_codes/_doc/tlq_1337", - encodeBasicHeader("tlq_1337", "password")); - Assert.assertEquals(403, response.getStatusCode()); - } - - @Test - public void testMGet_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - Map indicesAndIds = new HashMap<>(); - indicesAndIds.put("tlqdocuments", "1"); - indicesAndIds.put("tlqdocuments", "2"); - indicesAndIds.put("tlqdocuments", "3"); - indicesAndIds.put("tlqdocuments", "16"); - indicesAndIds.put("tlqdocuments", "17"); - indicesAndIds.put("tlqdocuments", "18"); - indicesAndIds.put("tlqdummy", "101"); - 
indicesAndIds.put("user_access_codes", "tlq_1337"); - - MultiGetResponse searchResponse = executeMGet("tlq_1337", "password", indicesAndIds); - - for (MultiGetItemResponse response : searchResponse.getResponses()) { - // no response from index "user_access_codes" - Assert.assertFalse(response.getIndex().equals("user_access_codes")); - switch (response.getIndex()) { - case "tlqdocuments": - Assert.assertTrue(response.getId(), response.getId().equals("1") | response.getId().equals("3")); - break; - case "tlqdummy": - Assert.assertTrue(response.getId(), response.getId().equals("101")); - break; - default: - Assert.fail("Index " + response.getIndex() + " present in mget response, but should not"); - } - } - } - -// ------------------------ -// Test aggregations -// ------------------------ - - @Test - public void testSimpleAggregation_tlqdocuments_AccessCode_1337() throws Exception { - - setup(new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") - .setSecurityInternalUsers("internal_users_tlq.yml").setSecurityRoles("roles_tlq.yml") - .setSecurityRolesMapping("roles_mapping_tlq.yml")); - - String body = "" - + " {\n" - + " \"aggs\": {\n" - + " \"buaggregation\": {\n" - + " \"terms\": {\n" - + " \"field\": \"bu\"\n" - + " }\n" - + " }\n" - + " }\n" - + " }\n" - + ""; - - // need to add typed_keys so aggregations can be parsed - // see for example: - // https://stackoverflow.com/questions/49798654/how-do-you-convert-an-elasticsearch-json-string-response-with-an-aggregation-t - HttpResponse response = rh.executePostRequest("/tlqdocuments/_search?pretty&typed_keys", body, - encodeBasicHeader("tlq_1337", "password")); - Assert.assertTrue(response.getStatusCode() == 200); - NamedXContentRegistry registry = new NamedXContentRegistry(getDefaultNamedXContents()); - XContentParser xcp = XContentType.JSON.xContent().createParser(registry, LoggingDeprecationHandler.INSTANCE, - response.getBody()); - SearchResponse searchResponse = SearchResponse.fromXContent(xcp); - - 
Aggregations aggs = searchResponse.getAggregations(); - Assert.assertNotNull(searchResponse.toString(), aggs); - Terms agg = aggs.get("buaggregation"); - Assert.assertTrue("Expected aggregation with name 'buaggregation'", agg != null); - // expect AAA - EEE (FFF does not match) with 2 docs each - for (String bucketName : new String[] { "AAA", "BBB", "CCC", "DDD", "EEE" }) { - Bucket bucket = agg.getBucketByKey(bucketName); - Assert.assertNotNull("Expected bucket " + bucketName + " to be present in agregations", bucket); - Assert.assertTrue("Expected doc count in bucket " + bucketName + " to be 2", bucket.getDocCount() == 2); - } - // expect FFF to be absent - Assert.assertNull("Expected bucket FFF to be absent", agg.getBucketByKey("FFF")); - } - - - public static List getDefaultNamedXContents() { - Map> map = new HashMap<>(); - map.put(TopHitsAggregationBuilder.NAME, (p, c) -> ParsedTopHits.fromXContent(p, (String) c)); - map.put(StringTerms.NAME, (p, c) -> ParsedStringTerms.fromXContent(p, (String) c)); - List entries = map.entrySet().stream() - .map(entry -> new NamedXContentRegistry.Entry(Aggregation.class, new ParseField(entry.getKey()), entry.getValue())) - .collect(Collectors.toList()); - return entries; - } + protected void populateData(Client client) { + // user access codes, basis for TLQ query + client.index( + new IndexRequest("user_access_codes").id("tlq_1337") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"access_codes\": [1337] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("user_access_codes").id("tlq_42") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"access_codes\": [42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("user_access_codes").id("tlq_1337_42") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"access_codes\": [1337, 42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("user_access_codes").id("tlq_999") + 
.setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"access_codes\": [999] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("user_access_codes").id("tlq_empty_access_codes") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"access_codes\": [] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("user_access_codes").id("tlq_no_codes") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bla\": \"blub\" }", XContentType.JSON) + ).actionGet(); + + // need to have keyword for bu field since we're testing aggregations + client.admin().indices().create(new CreateIndexRequest("tlqdocuments")).actionGet(); + client.admin().indices().putMapping(new PutMappingRequest("tlqdocuments").source("bu", "type=keyword")).actionGet(); + + // tlqdocuments, protected by TLQ + client.index( + new IndexRequest("tlqdocuments").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"AAA\", \"access_codes\": [1337] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("2") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"AAA\", \"access_codes\": [42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("3") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"AAA\", \"access_codes\": [1337, 42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("4") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"BBB\", \"access_codes\": [1337] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("5") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"BBB\", \"access_codes\": [42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("6") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"BBB\", \"access_codes\": [1337, 42] }", 
XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("7") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"CCC\", \"access_codes\": [1337] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("8") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"CCC\", \"access_codes\": [42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("9") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"CCC\", \"access_codes\": [1337, 42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("10") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"DDD\", \"access_codes\": [1337] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("11") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"DDD\", \"access_codes\": [42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("12") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"DDD\", \"access_codes\": [1337, 42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("13") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"EEE\", \"access_codes\": [1337] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("14") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"EEE\", \"access_codes\": [42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("15") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"EEE\", \"access_codes\": [1337, 42] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("16") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"FFF\" }", XContentType.JSON) + 
).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("17") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"FFF\", \"access_codes\": [12345] }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdocuments").id("18") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"bu\": \"FFF\", \"access_codes\": [12345, 6789] }", XContentType.JSON) + ).actionGet(); + + // we use a "bu" field here as well to test aggregations over multiple indices + client.admin().indices().create(new CreateIndexRequest("tlqdummy")).actionGet(); + client.admin().indices().putMapping(new PutMappingRequest("tlqdummy").source("bu", "type=keyword")).actionGet(); + + // tlqdummy, not protected by TLQ + client.index( + new IndexRequest("tlqdummy").id("101") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"mykey\": \"101\", \"bu\": \"GGG\" }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdummy").id("102") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"mykey\": \"102\", \"bu\": \"GGG\" }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdummy").id("103") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"mykey\": \"103\", \"bu\": \"GGG\" }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdummy").id("104") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"mykey\": \"104\", \"bu\": \"GGG\" }", XContentType.JSON) + ).actionGet(); + client.index( + new IndexRequest("tlqdummy").id("105") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{ \"mykey\": \"105\", \"bu\": \"GGG\" }", XContentType.JSON) + ).actionGet(); + + } + + // ------------------------ + // Test search and msearch + // ------------------------ + + @Test + public void testSimpleSearch_AccessCode_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + 
.setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_1337", "password")); + Assert.assertEquals(200, response.getStatusCode()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + SearchResponse searchResponse = SearchResponse.fromXContent(xcp); + // 10 docs, all need to have access code 1337 + Assert.assertEquals(searchResponse.toString(), 10, searchResponse.getHits().getTotalHits().value); + // fields need to have 1337 access code + assertAccessCodesMatch(searchResponse.getHits().getHits(), new Integer[] { 1337 }); + } + + @Test + public void testSimpleSearch_AccessCode_42() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_42", "password")); + Assert.assertEquals(200, response.getStatusCode()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + SearchResponse searchResponse = SearchResponse.fromXContent(xcp); + + // 10 docs, all need to have access code 42 + Assert.assertEquals(searchResponse.toString(), 10, searchResponse.getHits().getTotalHits().value); + // fields need to have 42 access code + assertAccessCodesMatch(searchResponse.getHits().getHits(), new Integer[] { 42 }); + + } + + @Test + public void testSimpleSearch_AccessCodes_1337_42() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + 
.setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_1337_42", "password")); + Assert.assertEquals(200, response.getStatusCode()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + SearchResponse searchResponse = SearchResponse.fromXContent(xcp); + + // 15 docs, all need to have either access code 1337 or 42 + Assert.assertEquals(searchResponse.toString(), 15, searchResponse.getHits().getTotalHits().value); + // fields need to have 42 or 1337 access code + assertAccessCodesMatch(searchResponse.getHits().getHits(), new Integer[] { 42, 1337 }); + + } + + @Test + public void testSimpleSearch_AccessCodes_999() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_999", "password")); + Assert.assertEquals(200, response.getStatusCode()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + SearchResponse searchResponse = SearchResponse.fromXContent(xcp); + + Assert.assertEquals(searchResponse.toString(), 0, searchResponse.getHits().getTotalHits().value); + } + + @Test + public void testSimpleSearch_AccessCodes_emptyAccessCodes() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + SearchResponse 
searchResponse = executeSearch("tlqdocuments", "tlq_empty_access_codes", "password"); + Assert.assertEquals(searchResponse.toString(), 0, searchResponse.getHits().getTotalHits().value); + } + + @Test + public void testSimpleSearch_AccessCodes_noAccessCodes() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + SearchResponse searchResponse = executeSearch("tlqdocuments", "tlq_no_codes", "password"); + + Assert.assertEquals(searchResponse.toString(), 0, searchResponse.getHits().getTotalHits().value); + } + + @Test + public void testSimpleSearch_AllIndices_All_AccessCodes_1337() throws Exception { + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + SearchResponse searchResponse = executeSearch("_all", "tlq_1337", "password"); + + // assume hits from 2 indices: + // - tlqdocuments, must contain only docs with access code 1337 + // - tlqdummy, contains all documents + // no access to user_access_codes must be granted + + // check all 5 tlqdummy entries present, index is not protected by DLS + Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdummy")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); + + // check 10 hits with code 1337 from tlqdocuments index. 
All other documents + // must be filtered + Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdocuments")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); + assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); + + // check no access to user_access_codes index + Set userAccessCodesHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("user_access_codes")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 0, userAccessCodesHits.size()); + } + + @Test + public void testSimpleSearch_AllIndicesWildcard_AccessCodes_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + SearchResponse searchResponse = executeSearch("*", "tlq_1337", "password"); + + // assume hits from 2 indices: + // - tlqdocuments, must contain only docs with access code 1337 + // - tlqdummy, contains all documents + // no access to user_access_codes must be granted + + // check all 5 tlqdummy entries present, index is not protected by DLS + Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdummy")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); + + // check 10 hits with code 1337 from tlqdocuments index. 
All other documents + // must be filtered + Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdocuments")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); + assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); + + // check no access to user_access_codes index + Set userAccessCodesHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("user_access_codes")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 0, userAccessCodesHits.size()); + } + + @Test + public void testSimpleSearch_ThreeIndicesWildcard_AccessCodes_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + SearchResponse searchResponse = executeSearch("tlq*,user*", "tlq_1337", "password"); + + // assume hits from 2 indices: + // - tlqdocuments, must contain only docs with access code 1337 + // - tlqdummy, contains all documents + // no access to user_access_codes must be granted + + // check all 5 tlqdummy entries present, index is not protected by DLS + Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdummy")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); + + // check 10 hits with code 1337 from tlqdocuments index. 
All other documents + // must be filtered + Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdocuments")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); + assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); + + // check no access to user_access_codes index + Set userAccessCodesHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("user_access_codes")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 0, userAccessCodesHits.size()); + + } + + @Test + public void testSimpleSearch_TwoIndicesConcreteNames_AccessCodes_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + SearchResponse searchResponse = executeSearch("tlqdocuments,tlqdummy", "tlq_1337", "password"); + + // assume hits from 2 indices: + // - tlqdocuments, must contains only 10 docs with access code 1337 + // - tlqdummy, must contains all 5 documents + + // check all 5 tlqdummy entries present, index is not protected by DLS + Set tlqdummyHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdummy")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); + + // ccheck 10 hits with code 1337 from tlqdocuments index. 
All other documents + // must be filtered + Set tlqdocumentHits = Arrays.asList(searchResponse.getHits().getHits()) + .stream() + .filter((h) -> h.getIndex().equals("tlqdocuments")) + .collect(Collectors.toSet()); + Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); + assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); + } + + @Test + public void testMSearch_ThreeIndices_AccessCodes_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + MultiSearchResponse searchResponse = executeMSearchMatchAll( + "tlq_1337", + "password", + "tlqdummy", + "tlqdocuments", + "user_access_codes" + ); + + Item[] responseItems = searchResponse.getResponses(); + + // as per API order in response is the same as in the msearch request + + // check all 5 tlqdummy entries present + List tlqdummyHits = Arrays.asList(responseItems[0].getResponse().getHits().getHits()); + Assert.assertEquals(searchResponse.toString(), 5, tlqdummyHits.size()); + + // check 10 hits with code 1337 from tlqdocuments index. 
All other documents + // must be filtered + List tlqdocumentHits = Arrays.asList(responseItems[1].getResponse().getHits().getHits()); + Assert.assertEquals(searchResponse.toString(), 10, tlqdocumentHits.size()); + assertAccessCodesMatch(tlqdocumentHits, new Integer[] { 1337 }); + + // check no access to user_access_codes index, just two indices in the response + Assert.assertTrue(responseItems[2].getResponse() == null); + Assert.assertTrue(responseItems[2].getFailure() != null); + + } + + // ------------------------ + // Test get and mget + // ------------------------ + + @Test + public void testGet_TlqDocumentsIndex_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + // user has 1337, document has 1337 + GetResponse searchResponse = executeGet("tlqdocuments", "1", "tlq_1337", "password"); + Assert.assertTrue(searchResponse != null); + Assert.assertTrue(searchResponse.isExists()); + assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337 }); + + // user has 1337, document has 42, not visible + searchResponse = executeGet("tlqdocuments", "2", "tlq_1337", "password"); + Assert.assertFalse(searchResponse.isExists()); + + // user has 1337, document has 42 and 1337 + searchResponse = executeGet("tlqdocuments", "3", "tlq_1337", "password"); + Assert.assertTrue(searchResponse != null); + Assert.assertTrue(searchResponse.isExists()); + assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337 }); + + // user has 1337, document has no access codes, not visible + searchResponse = executeGet("tlqdocuments", "16", "tlq_1337", "password"); + Assert.assertFalse(searchResponse.isExists()); + + // user has 1337, document has 12345, not visible + searchResponse = executeGet("tlqdocuments", "17", "tlq_1337", 
"password"); + Assert.assertFalse(searchResponse.isExists()); + + // user has 1337, document has 12345 and 6789, not visible + searchResponse = executeGet("tlqdocuments", "18", "tlq_1337", "password"); + Assert.assertFalse(searchResponse.isExists()); + + } + + @Test + public void testGet_TlqDocumentsIndex_1337_42() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + // user has 1337 and 42, document has 1337 + GetResponse searchResponse = executeGet("tlqdocuments", "1", "tlq_1337_42", "password"); + Assert.assertTrue(searchResponse != null); + Assert.assertTrue(searchResponse.isExists()); + assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337, 42 }); + + // user has 1337 and 42, document has 42 + searchResponse = executeGet("tlqdocuments", "2", "tlq_1337_42", "password"); + Assert.assertTrue(searchResponse != null); + Assert.assertTrue(searchResponse.isExists()); + assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337, 42 }); + + // user has 1337 and 42, document has 42 and 1337 + searchResponse = executeGet("tlqdocuments", "3", "tlq_1337_42", "password"); + Assert.assertTrue(searchResponse != null); + Assert.assertTrue(searchResponse.isExists()); + assertAccessCodesMatch(searchResponse.getSourceAsMap(), "access_codes", new Integer[] { 1337, 42 }); + + // user has 1337 and 42, document has no access codes, not visible + searchResponse = executeGet("tlqdocuments", "16", "tlq_1337_42", "password"); + Assert.assertFalse(searchResponse.isExists()); + + // user has 1337 and 42, document has 12345, not visible + searchResponse = executeGet("tlqdocuments", "17", "tlq_1337_42", "password"); + Assert.assertFalse(searchResponse.isExists()); + + // user has 1337 and 42, document has 12345 and 6789, not 
visible + searchResponse = executeGet("tlqdocuments", "18", "tlq_1337_42", "password"); + Assert.assertFalse(searchResponse.isExists()); + + } + + @Test + public void testGet_TlqDummyIndex_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + // no restrictions on this index + GetResponse searchResponse = executeGet("tlqdummy", "101", "tlq_1337", "password"); + Assert.assertTrue(searchResponse != null); + Assert.assertTrue(searchResponse.isExists()); + + searchResponse = executeGet("tlqdummy", "102", "tlq_1337", "password"); + Assert.assertTrue(searchResponse != null); + Assert.assertTrue(searchResponse.isExists()); + + } + + @Test + public void testGet_UserAccessCodesIndex_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + // we expect a security exception here, user has no direct access to + // user_access_codes index + HttpResponse response = rh.executeGetRequest("/user_access_codes/_doc/tlq_1337", encodeBasicHeader("tlq_1337", "password")); + Assert.assertEquals(403, response.getStatusCode()); + } + + @Test + public void testMGet_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + Map indicesAndIds = new HashMap<>(); + indicesAndIds.put("tlqdocuments", "1"); + indicesAndIds.put("tlqdocuments", "2"); + indicesAndIds.put("tlqdocuments", "3"); + indicesAndIds.put("tlqdocuments", "16"); + indicesAndIds.put("tlqdocuments", "17"); + indicesAndIds.put("tlqdocuments", 
"18"); + indicesAndIds.put("tlqdummy", "101"); + indicesAndIds.put("user_access_codes", "tlq_1337"); + + MultiGetResponse searchResponse = executeMGet("tlq_1337", "password", indicesAndIds); + + for (MultiGetItemResponse response : searchResponse.getResponses()) { + // no response from index "user_access_codes" + Assert.assertFalse(response.getIndex().equals("user_access_codes")); + switch (response.getIndex()) { + case "tlqdocuments": + Assert.assertTrue(response.getId(), response.getId().equals("1") | response.getId().equals("3")); + break; + case "tlqdummy": + Assert.assertTrue(response.getId(), response.getId().equals("101")); + break; + default: + Assert.fail("Index " + response.getIndex() + " present in mget response, but should not"); + } + } + } + + // ------------------------ + // Test aggregations + // ------------------------ + + @Test + public void testSimpleAggregation_tlqdocuments_AccessCode_1337() throws Exception { + + setup( + new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml") + .setSecurityInternalUsers("internal_users_tlq.yml") + .setSecurityRoles("roles_tlq.yml") + .setSecurityRolesMapping("roles_mapping_tlq.yml") + ); + + String body = "" + + " {\n" + + " \"aggs\": {\n" + + " \"buaggregation\": {\n" + + " \"terms\": {\n" + + " \"field\": \"bu\"\n" + + " }\n" + + " }\n" + + " }\n" + + " }\n" + + ""; + + // need to add typed_keys so aggregations can be parsed + // see for example: + // https://stackoverflow.com/questions/49798654/how-do-you-convert-an-elasticsearch-json-string-response-with-an-aggregation-t + HttpResponse response = rh.executePostRequest( + "/tlqdocuments/_search?pretty&typed_keys", + body, + encodeBasicHeader("tlq_1337", "password") + ); + Assert.assertTrue(response.getStatusCode() == 200); + NamedXContentRegistry registry = new NamedXContentRegistry(getDefaultNamedXContents()); + XContentParser xcp = XContentType.JSON.xContent().createParser(registry, LoggingDeprecationHandler.INSTANCE, response.getBody()); + 
SearchResponse searchResponse = SearchResponse.fromXContent(xcp);
+ Aggregations aggs = searchResponse.getAggregations();
+ Assert.assertNotNull(searchResponse.toString(), aggs);
+ Terms agg = aggs.get("buaggregation");
+ Assert.assertTrue("Expected aggregation with name 'buaggregation'", agg != null);
+ // expect AAA - EEE (FFF does not match) with 2 docs each
+ for (String bucketName : new String[] { "AAA", "BBB", "CCC", "DDD", "EEE" }) {
+ Bucket bucket = agg.getBucketByKey(bucketName);
+ Assert.assertNotNull("Expected bucket " + bucketName + " to be present in agregations", bucket);
+ Assert.assertTrue("Expected doc count in bucket " + bucketName + " to be 2", bucket.getDocCount() == 2);
+ }
+ // expect FFF to be absent
+ Assert.assertNull("Expected bucket FFF to be absent", agg.getBucketByKey("FFF"));
+ }
+
+ public static List getDefaultNamedXContents() {
+ Map> map = new HashMap<>();
+ map.put(TopHitsAggregationBuilder.NAME, (p, c) -> ParsedTopHits.fromXContent(p, (String) c));
+ map.put(StringTerms.NAME, (p, c) -> ParsedStringTerms.fromXContent(p, (String) c));
+ List entries = map.entrySet()
+ .stream()
+ .map(entry -> new NamedXContentRegistry.Entry(Aggregation.class, new ParseField(entry.getKey()), entry.getValue()))
+ .collect(Collectors.toList());
+ return entries;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java
index 5405146263..a9361d275a 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java
@@ -24,16 +24,16 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class DlsTest extends AbstractDlsFlsTest{ - +public class DlsTest extends AbstractDlsFlsTest { @Override protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 10}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"amount\": 1500}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 10}", XContentType.JSON)) + .actionGet(); + tc.index( + new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 1500}", XContentType.JSON) + ).actionGet(); try { Thread.sleep(3000); 
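Review bot: The two reformatted `tc.index(...)` calls in populateData now use different wrapping — the first keeps the whole chain on one line and breaks only before `.actionGet()`, while the second wraps the `new IndexRequest(...)` chain inside `tc.index(` — which looks like a column-limit artefact of the formatter rather than a deliberate choice. Since both lines are the DLS fixture (the `amount: 10` document that `dept_manager` must not see and the `amount: 1500` one it may), they read better in the same shape; the first call would become `tc.index(` / `new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 10}", XContentType.JSON)` / `).actionGet();`. The `Thread.sleep(3000)` that follows in the unchanged lines appears redundant given `RefreshPolicy.IMMEDIATE` on both requests and adds three seconds to every test in this class, though that predates this commit. populateData's body continues outside the hunk.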
@@ -51,23 +51,28 @@ public void testDlsAggregations() throws Exception { setup(); - - String query = "{"+ - "\"query\" : {"+ - "\"match_all\": {}"+ - "},"+ - "\"aggs\" : {"+ - "\"thesum\" : { \"sum\" : { \"field\" : \"amount\" } }"+ - "}"+ - "}"; + String query = "{" + + "\"query\" : {" + + "\"match_all\": {}" + + "}," + + "\"aggs\" : {" + + "\"thesum\" : { \"sum\" : { \"field\" : \"amount\" } }" + + "}" + + "}"; HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"value\" : 1500.0")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"value\" : 1510.0")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
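Review bot: The assignment-inside-argument idiom `(res = rh.executePostRequest(...)).getStatusCode()` survives the reformat and is now spread over three lines, which makes the side effect on `res` easy to miss when reading the assertion; splitting it into `res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"));` followed by `Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());` keeps the status check and the body checks in the same visual shape. The same pattern recurs in every `Assert.assertEquals(HttpStatus.SC_OK, (res = ...` of the testDls hunks at old lines 93 and 166, so one pass over the file would cover them all. As a secondary point, the unchanged body assertions such as `"\"value\" : 1,\n \"relation"` pin the pretty-printer's exact spacing and line separator, so they are fragile against output-format changes even though the DLS sum check (1500.0 vs 1510.0) is the assertion that matters. testDlsAggregations continues past the end of the hunk.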
@@ -93,67 +98,88 @@ public void testDls() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertEquals(res.getHeaders().toString(), 2, res.getHeaders().size()); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - String 
query = - "{"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 8,"+ - "\"lte\" : 20,"+ - "\"boost\" : 3.0"+ - "}"+ - "}"+ - "}"+ - "}"; - + "{" + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 8," + + "\"lte\" : 20," + + "\"boost\" : 3.0" + + "}" + + "}" + + "}" + + "}"; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 0,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); query = - "{"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 100,"+ - "\"lte\" : 2000,"+ - "\"boost\" : 2.0"+ - "}"+ - "}"+ - "}"+ - "}"; - + "{" + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 100," + + "\"lte\" : 2000," + + "\"boost\" : 2.0" + + "}" + + "}" + + "}" + + "}"; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); 
Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?q=amount:10&pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?q=amount:10&pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 0,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
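Review bot: The two range-query bodies assigned to `query` in testDls are now twelve-line concatenations each that differ only in `gte`/`lte`/`boost` (8/20/3.0 and 100/2000/2.0), and the reformat makes that duplication more visible rather than less; a small private helper would state the intent of each request (a range that should be fully filtered by DLS for `dept_manager`, and one that should still match one deal). The whitespace inside the literal is irrelevant to the server, so the helper can emit a compact form. This is a style suggestion only; the assertions and expected counts stay as they are, and the enclosing testDls method starts before the hunk and continues after it.

```java
// … unchanged: status-code and hit-count assertions for dept_manager / admin …
String query = rangeQuery(8, 20, 3.0);
// … unchanged: POST of query as dept_manager and its assertions …
query = rangeQuery(100, 2000, 2.0);
// … unchanged: remaining POSTs and assertions …

/** Builds the range query on "amount" used by testDls; whitespace differs from the inline literals, which the server ignores. */
private static String rangeQuery(int gte, int lte, double boost) {
    return "{\"query\": {\"range\" : {\"amount\" : {\"gte\" : " + gte + ",\"lte\" : " + lte + ",\"boost\" : " + boost + "}}}}";
}
```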
@@ -166,45 +192,57 @@ public void testDls() throws Exception { res = rh.executeGetRequest("/deals/_doc/1?pretty", encodeBasicHeader("dept_manager", "password")); Assert.assertTrue(res.getBody().contains("\"found\" : true")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"count\" : 2,")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"count\" : 1,")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - - //mget - //msearch - String msearchBody = - "{\"index\":\"deals\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"deals\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); - - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + // mget + // msearch + String msearchBody = "{\"index\":\"deals\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"deals\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, 
\"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("_opendistro_security_dls_query")); Assert.assertFalse(res.getBody().contains("_opendistro_security_fls_fields")); Assert.assertTrue(res.getBody().contains("\"amount\" : 1500")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - - String mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"deals\","+ - "\"_id\" : \"1\""+ - " },"+ - " {"+ - "\"_index\" : \"deals\","+ - " \"_id\" : \"2\""+ - "}"+ - "]"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + String mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"deals\"," + + "\"_id\" : \"1\"" + + " }," + + " {" + + "\"_index\" : \"deals\"," + + " \"_id\" : \"2\"" + + "}" + + "]" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("_opendistro_security_dls_query")); Assert.assertFalse(res.getBody().contains("_opendistro_security_fls_fields")); Assert.assertTrue(res.getBody().contains("amount")); 
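Review bot: The reflowed `// mget` comment still sits directly above `String msearchBody`, two statements before the request it describes, so the msearch block now carries both labels and the mget block carries none. Move `// mget` down to the line above `String mgetBody = "{"` and leave `// msearch` where it is. The enclosing testDls method starts before this hunk.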
@@ -220,26 +258,26 @@ public void testNonDls() throws Exception { HttpResponse res; String query = - "{"+ - "\"_source\": false,"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 100,"+ - "\"lte\" : 2000,"+ - "\"boost\" : 2.0"+ - "}"+ - "}"+ - "}"+ - "}"; - - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + "{" + + "\"_source\": false," + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 100," + + "\"lte\" : 2000," + + "\"boost\" : 2.0" + + "}" + + "}" + + "}" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - - } @Test @@ -248,11 +286,17 @@ public void testDlsCache() throws Exception { setup(); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
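Review bot: In the testDlsCache hunk (`@@ -248,11 +286,17 @@`) nothing says what cache behaviour the two back-to-back searches are guarding; presumably the point is that admin's unfiltered result (2 hits) must not be served from any request cache to the DLS-restricted dept_manager (1 hit), but the method name is the only hint. A one-line comment above the first `Assert.assertEquals(` such as `// same request as admin, then as dept_manager: the second response must still be DLS-filtered, i.e. no cached result may cross users` would make the expectation explicit. The enclosing method starts and ends outside the hunk.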
@@ -271,69 +315,86 @@ public void testDlsWithMinDocCountZeroAggregations() throws Exception { client.admin().indices().create(new CreateIndexRequest("logs").simpleMapping("termX", "type=keyword")).actionGet(); for (int i = 0; i < 3; i++) { - client.index(new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("amount", i, "termX", "A", "timestamp", "2022-01-06T09:05:00Z")).actionGet(); - client.index(new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("amount", i, "termX", "B", "timestamp", "2022-01-06T09:08:00Z")).actionGet(); - client.index(new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("amount", i, "termX", "C", "timestamp", "2022-01-06T09:09:00Z")).actionGet(); - client.index(new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("amount", i, "termX", "D", "timestamp", "2022-01-06T09:10:00Z")).actionGet(); + client.index( + new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("amount", i, "termX", "A", "timestamp", "2022-01-06T09:05:00Z") + ).actionGet(); + client.index( + new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("amount", i, "termX", "B", "timestamp", "2022-01-06T09:08:00Z") + ).actionGet(); + client.index( + new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("amount", i, "termX", "C", "timestamp", "2022-01-06T09:09:00Z") + ).actionGet(); + client.index( + new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("amount", i, "termX", "D", "timestamp", "2022-01-06T09:10:00Z") + ).actionGet(); } - client.index(new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("amount", 0, "termX", "E", "timestamp", "2022-01-06T09:11:00Z")).actionGet(); + client.index( + new IndexRequest("logs").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("amount", 0, "termX", "E", "timestamp", "2022-01-06T09:11:00Z") + ).actionGet(); } // Terms Aggregation - // Non-admin user 
with setting "min_doc_count":0. Expected to get error message "min_doc_count 0 is not supported when DLS is activated". + // Non-admin user with setting "min_doc_count":0. Expected to get error message "min_doc_count 0 is not supported when DLS is + // activated". String query1 = "{\n" - + " \"size\":0,\n" - + " \"query\":{\n" - + " \"bool\":{\n" - + " \"must\":[\n" - + " {\n" - + " \"range\":{\n" - + " \"amount\":{\"gte\":1,\"lte\":100}\n" - + " }\n" - + " }\n" - + " ]\n" - + " }\n" - + " },\n" - + " \"aggs\":{\n" - + " \"a\": {\n" - + " \"terms\": {\n" - + " \"field\": \"termX\",\n" - + " \"min_doc_count\":0,\n" - + "\"size\": 10,\n" - + "\"order\": { \"_count\": \"desc\" }\n" - + " }\n" - + " }\n" - + " }\n" - + "}"; + + " \"size\":0,\n" + + " \"query\":{\n" + + " \"bool\":{\n" + + " \"must\":[\n" + + " {\n" + + " \"range\":{\n" + + " \"amount\":{\"gte\":1,\"lte\":100}\n" + + " }\n" + + " }\n" + + " ]\n" + + " }\n" + + " },\n" + + " \"aggs\":{\n" + + " \"a\": {\n" + + " \"terms\": {\n" + + " \"field\": \"termX\",\n" + + " \"min_doc_count\":0,\n" + + "\"size\": 10,\n" + + "\"order\": { \"_count\": \"desc\" }\n" + + " }\n" + + " }\n" + + " }\n" + + "}"; HttpResponse response1 = rh.executePostRequest("logs*/_search", query1, encodeBasicHeader("dept_manager", "password")); Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, response1.getStatusCode()); Assert.assertTrue(response1.getBody(), response1.getBody().contains("min_doc_count 0 is not supported when DLS is activated")); - // Non-admin user without setting "min_doc_count". Expected to only have access to buckets for dept_manager excluding E with 0 doc_count". + // Non-admin user without setting "min_doc_count". Expected to only have access to buckets for dept_manager excluding E with 0 + // doc_count". 
String query2 = "{\n" - + " \"size\":0,\n" - + " \"query\":{\n" - + " \"bool\":{\n" - + " \"must\":[\n" - + " {\n" - + " \"range\":{\n" - + " \"amount\":{\"gte\":1,\"lte\":100}\n" - + " }\n" - + " }\n" - + " ]\n" - + " }\n" - + " },\n" - + " \"aggs\":{\n" - + " \"a\": {\n" - + " \"terms\": {\n" - + " \"field\": \"termX\",\n" - + "\"size\": 10,\n" - + "\"order\": { \"_count\": \"desc\" }\n" - + " }\n" - + " }\n" - + " }\n" - + "}"; + + " \"size\":0,\n" + + " \"query\":{\n" + + " \"bool\":{\n" + + " \"must\":[\n" + + " {\n" + + " \"range\":{\n" + + " \"amount\":{\"gte\":1,\"lte\":100}\n" + + " }\n" + + " }\n" + + " ]\n" + + " }\n" + + " },\n" + + " \"aggs\":{\n" + + " \"a\": {\n" + + " \"terms\": {\n" + + " \"field\": \"termX\",\n" + + "\"size\": 10,\n" + + "\"order\": { \"_count\": \"desc\" }\n" + + " }\n" + + " }\n" + + " }\n" + + "}"; HttpResponse response2 = rh.executePostRequest("logs*/_search", query2, encodeBasicHeader("dept_manager", "password")); @@ -366,7 +427,8 @@ public void testDlsWithMinDocCountZeroAggregations() throws Exception { // Significant Text Aggregation is not impacted. // Non-admin user with setting "min_doc_count=0". Expected to only have access to buckets for dept_manager". - String query3 = "{\"size\":100,\"aggregations\":{\"significant_termX\":{\"significant_terms\":{\"field\":\"termX.keyword\",\"min_doc_count\":0}}}}"; + String query3 = + "{\"size\":100,\"aggregations\":{\"significant_termX\":{\"significant_terms\":{\"field\":\"termX.keyword\",\"min_doc_count\":0}}}}"; HttpResponse response5 = rh.executePostRequest("logs*/_search", query3, encodeBasicHeader("dept_manager", "password")); Assert.assertEquals(HttpStatus.SC_OK, response5.getStatusCode()); 
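Review bot: In the `@@ -271,69 +315,86 @@` hunk the non-admin `min_doc_count:0` case pins `HttpStatus.SC_INTERNAL_SERVER_ERROR` for a query the plugin rejects on purpose, and nothing records whether a 5xx (rather than a 4xx for an unsupported option) is the intended contract or merely the current behaviour. If it is intended, a comment on the `Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, ...)` line saying so would stop a later reader from "fixing" the assertion; if it is not, the status belongs in a plugin-side follow-up, not here. The reflowed comments also keep the pre-existing unbalanced trailing quote in `doc_count".`, which could be dropped while the lines are being touched.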
@@ -443,7 +505,6 @@ public void testDlsWithMinDocCountZeroAggregations() throws Exception { Assert.assertTrue(response11.getBody(), response11.getBody().contains("\"termX\":\"D\"")); Assert.assertTrue(response11.getBody(), response11.getBody().contains("\"termX\":\"E\"")); - // Admin without setting "min_doc_count". Expected to have access to all buckets". HttpResponse response12 = rh.executePostRequest("logs*/_search", query6, encodeBasicHeader("admin", "admin")); @@ -456,7 +517,8 @@ public void testDlsWithMinDocCountZeroAggregations() throws Exception { // Date Histogram Aggregation is not impacted. // Non-admin user with setting "min_doc_count=0". Expected to only have access to buckets for dept_manager". - String query7 = "{\"size\":100,\"aggs\":{\"timestamp\":{\"date_histogram\":{\"field\":\"timestamp\",\"calendar_interval\":\"month\",\"min_doc_count\":0}}}}"; + String query7 = + "{\"size\":100,\"aggs\":{\"timestamp\":{\"date_histogram\":{\"field\":\"timestamp\",\"calendar_interval\":\"month\",\"min_doc_count\":0}}}}"; HttpResponse response13 = rh.executePostRequest("logs*/_search", query7, encodeBasicHeader("dept_manager", "password")); @@ -468,7 +530,8 @@ public void testDlsWithMinDocCountZeroAggregations() throws Exception { Assert.assertFalse(response13.getBody(), response13.getBody().contains("\"termX\":\"E\"")); // Non-admin user without setting "min_doc_count". Expected to only have access to buckets for dept_manager". - String query8 = "{\"size\":100,\"aggs\":{\"timestamp\":{\"date_histogram\":{\"field\":\"timestamp\",\"calendar_interval\":\"month\"}}}}"; + String query8 = + "{\"size\":100,\"aggs\":{\"timestamp\":{\"date_histogram\":{\"field\":\"timestamp\",\"calendar_interval\":\"month\"}}}}"; HttpResponse response14 = rh.executePostRequest("logs*/_search", query8, encodeBasicHeader("dept_manager", "password")); 
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FieldMaskedTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FieldMaskedTest.java
index 40542e76b7..2628bebbc0 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/FieldMaskedTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FieldMaskedTest.java
@@ -23,21 +23,37 @@ public class FieldMaskedTest extends AbstractDlsFlsTest { - protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\"}, \"ip_source\": \"100.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust2\"}, \"ip_source\": \"100.100.2.2\",\"ip_dest\": \"123.123.2.2\",\"amount\": 20}", XContentType.JSON)).actionGet(); - - - for (int i=0; i<30;i++) { - tc.index(new IndexRequest("deals").id("a"+i).setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\"}, \"ip_source\": \"200.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("deals").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\"}, \"ip_source\": \"100.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10}", + XContentType.JSON + ) + ).actionGet(); + tc.index( + new IndexRequest("deals").id("2") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust2\"}, \"ip_source\": \"100.100.2.2\",\"ip_dest\": \"123.123.2.2\",\"amount\": 20}", + XContentType.JSON + ) + ).actionGet(); + + for (int i = 0; i < 30; i++) { + tc.index( + new IndexRequest("deals").id("a" + i) + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\"}, \"ip_source\": \"200.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10}", + XContentType.JSON + ) + ).actionGet(); } - } + } @Test public void testMaskedAggregations() throws Exception { 
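Review bot: The reformatted fixture loop still issues 30 separate index calls, each with `RefreshPolicy.IMMEDIATE`, so every document forces its own refresh; a single bulk request with one immediate refresh builds the same 32-document index with far less overhead, which matters because testMaskedAggregationsRace re-runs the search in a loop on top of it. `BulkRequest` (org.opensearch.action.bulk) would need importing. The two single documents with ids "0" and "2" can stay as they are.
```java
// … unchanged: the two single-document tc.index(...) calls for ids "0" and "2" …
BulkRequest bulk = new BulkRequest().setRefreshPolicy(RefreshPolicy.IMMEDIATE);
for (int i = 0; i < 30; i++) {
    bulk.add(
        new IndexRequest("deals").id("a" + i)
            .source(
                "{\"customer\": {\"name\":\"cust1\"}, \"ip_source\": \"200.100.1.1\",\"ip_dest\": \"123.123.1.1\",\"amount\": 10}",
                XContentType.JSON
            )
    );
}
tc.bulk(bulk).actionGet();
```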
@@ -46,61 +62,72 @@ public void testMaskedAggregations() throws Exception { String query; HttpResponse res; - query = "{"+ - "\"query\" : {"+ - "\"match_all\": {}"+ - "},"+ - "\"aggs\" : {"+ - "\"ips\" : { \"terms\" : { \"field\" : \"ip_source.keyword\" } }"+ - "}"+ - "}"; - - //Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); - //Assert.assertTrue(res.getBody().contains("100.100")); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))).getStatusCode()); + query = "{" + + "\"query\" : {" + + "\"match_all\": {}" + + "}," + + "\"aggs\" : {" + + "\"ips\" : { \"terms\" : { \"field\" : \"ip_source.keyword\" } }" + + "}" + + "}"; + + // Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, + // encodeBasicHeader("admin", "admin"))).getStatusCode()); + // Assert.assertTrue(res.getBody().contains("100.100")); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))) + .getStatusCode() + ); Assert.assertFalse(res.getBody().contains("100.100")); - query = - "{" + - "\"query\" : {" + - "\"match_all\": {" + - "}" + - "}," + - "\"aggs\": {" + - "\"ips\" : {" + - "\"terms\" : {" + - "\"field\" : \"ip_source.keyword\"," + - "\"order\": {" + - "\"_term\" : \"asc\"" + - "}" + - "}" + - "}" + - "}" + - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))).getStatusCode()); + query = "{" + + "\"query\" : {" + + "\"match_all\": {" + + "}" + + "}," + + "\"aggs\": {" + + "\"ips\" : {" + + "\"terms\" : {" + + "\"field\" : \"ip_source.keyword\"," + + "\"order\": {" + + "\"_term\" : \"asc\"" + + "}" + + "}" + + "}" + + 
"}" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))) + .getStatusCode() + ); Assert.assertFalse(res.getBody().contains("100.100")); - query = - "{" + - "\"query\" : {" + - "\"match_all\": {" + - "}" + - "}," + - "\"aggs\": {" + - "\"ips\" : {" + - "\"terms\" : {" + - "\"field\" : \"ip_source.keyword\"," + - "\"order\": {" + - "\"_term\" : \"desc\"" + - "}" + - "}" + - "}" + - "}" + - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))).getStatusCode()); + query = "{" + + "\"query\" : {" + + "\"match_all\": {" + + "}" + + "}," + + "\"aggs\": {" + + "\"ips\" : {" + + "\"terms\" : {" + + "\"field\" : \"ip_source.keyword\"," + + "\"order\": {" + + "\"_term\" : \"desc\"" + + "}" + + "}" + + "}" + + "}" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))) + .getStatusCode() + ); Assert.assertFalse(res.getBody().contains("100.100")); } 
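Review bot: The formatter has carefully reflowed two lines of commented-out code (`// Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest(... encodeBasicHeader("admin", "admin") ...` and `// Assert.assertTrue(res.getBody().contains("100.100"));`) at the top of testMaskedAggregations instead of removing them. Either delete them or reinstate them as the positive control the test currently lacks: without an admin request that does contain `100.100`, the three `assertFalse(res.getBody().contains("100.100"))` checks would also pass if the aggregation simply returned no buckets. testMaskedAggregationsRace in the next hunk already performs exactly that admin check and can be mirrored here.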
@@ -109,15 +136,17 @@ public void testMaskedAggregationsRace() throws Exception { setup(); - - String query = "{"+ - "\"aggs\" : {"+ - "\"ips\" : { \"terms\" : { \"field\" : \"ip_source.keyword\", \"size\": 1002, \"show_term_doc_count_error\": true } }"+ - "}"+ - "}"; + String query = "{" + + "\"aggs\" : {" + + "\"ips\" : { \"terms\" : { \"field\" : \"ip_source.keyword\", \"size\": 1002, \"show_term_doc_count_error\": true } }" + + "}" + + "}"; HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("100.100")); Assert.assertTrue(res.getBody().contains("200.100")); Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30")); @@ -126,7 +155,11 @@ public void testMaskedAggregationsRace() throws Exception { Assert.assertFalse(res.getBody().contains("26a8671e57fefc13504f8c61ced67ac98338261ace1e5bf462038b2f2caae16e")); Assert.assertFalse(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("user_masked", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30")); Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1")); Assert.assertFalse(res.getBody().contains("100.100")); 
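Review bot: In the `@@ -126,7 +155,11 @@` hunk the expected masked values are two bare 64-hex-character string literals, repeated again in the `@@ -135`, `@@ -164`, `@@ -191` and `@@ -201` hunks of this file, with nothing stating which plaintext `ip_source` value each is the masked form of. Hoist them into `private static final String` constants named after their purpose (the fixture only contains 100.100.1.1, 100.100.2.2 and 200.100.1.1, so one comment per constant can record the mapping), and use the constants in every assertion. That also makes a future change to the masking algorithm a one-place edit instead of a search for hex strings.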
@@ -135,8 +168,11 @@ public void testMaskedAggregationsRace() throws Exception { Assert.assertTrue(res.getBody().contains("26a8671e57fefc13504f8c61ced67ac98338261ace1e5bf462038b2f2caae16e")); Assert.assertTrue(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140")); - for(int i=0;i<10;i++) { - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + for (int i = 0; i < 10; i++) { + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty&size=0", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("100.100")); Assert.assertTrue(res.getBody().contains("200.100")); Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30")); @@ -155,7 +191,10 @@ public void testMaskedSearch() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 32,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertTrue(res.getBody().contains("cust1")); 
@@ -164,8 +203,10 @@ public void testMaskedSearch() throws Exception { Assert.assertTrue(res.getBody().contains("100.100.2.2")); Assert.assertFalse(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140")); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("user_masked", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=100", encodeBasicHeader("user_masked", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 32,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertTrue(res.getBody().contains("cust1")); @@ -183,7 +224,10 @@ public void testMaskedGet() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"found\" : true")); Assert.assertTrue(res.getBody().contains("cust1")); Assert.assertFalse(res.getBody().contains("cust2")); 
@@ -191,8 +235,10 @@ public void testMaskedGet() throws Exception { Assert.assertFalse(res.getBody().contains("100.100.2.2")); Assert.assertFalse(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140")); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("user_masked", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("user_masked", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"found\" : true")); Assert.assertTrue(res.getBody().contains("cust1")); Assert.assertFalse(res.getBody().contains("cust2")); @@ -201,5 +247,4 @@ public void testMaskedGet() throws Exception { Assert.assertTrue(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140")); } - } diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/Fls983Test.java b/src/test/java/org/opensearch/security/dlic/dlsfls/Fls983Test.java index 6f00dfd348..61bc9b53b3 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/Fls983Test.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/Fls983Test.java @@ -22,13 +22,11 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class Fls983Test extends AbstractDlsFlsTest{ - +public class Fls983Test extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest(".kibana").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{}", XContentType.JSON)).actionGet(); + tc.index(new IndexRequest(".kibana").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{}", XContentType.JSON)).actionGet(); } @Test 
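Review bot: In the Fls983Test hunk (`@@ -22,13 +22,11 @@`) `protected void populateData(Client tc) {` carries no `@Override`, although the identical signature in FieldMaskedTest, FlsDlsTestAB and FlsDlsTestForbiddenField (and the shared base class) strongly suggests it overrides an AbstractDlsFlsTest hook; the base class is not visible here, so confirm. Adding `@Override` to all four makes a signature drift in the base class a compile error instead of a silently unpopulated index. The blank line the hunk drops after the class header is fine either way.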
@@ -38,11 +36,13 @@ public void test() throws Exception { HttpResponse res; - String doc = "{\"doc\" : {"+ - "\"x\" : \"y\""+ - "}}"; + String doc = "{\"doc\" : {" + "\"x\" : \"y\"" + "}}"; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/.kibana/_update/0?pretty", doc, encodeBasicHeader("human_resources_trainee", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/.kibana/_update/0?pretty", doc, encodeBasicHeader("human_resources_trainee", "password"))) + .getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("updated")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestAB.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestAB.java index 9cc5cc8b3b..aabe2e4add 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestAB.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestAB.java 
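Review bot: `System.out.println(res.getBody());` after the update request dumps the full response body into the build log on every run, pass or fail, and the same pattern appears four times in the FlsDlsTestAB hunks at `@@ -55`, `@@ -69`, `@@ -84` and `@@ -98`. Pass the body as the assertion message instead, as testDlsWithMinDocCountZeroAggregations already does, so it is shown only when the check fails: `Assert.assertTrue(res.getBody(), res.getBody().contains("updated"));` and `Assert.assertTrue(res.getBody(), res.getBody().contains("\"failed\" : 0"));`. The enclosing test method starts outside this hunk.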
@@ -23,28 +23,48 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class FlsDlsTestAB extends AbstractDlsFlsTest{ - +public class FlsDlsTestAB extends AbstractDlsFlsTest { protected void populateData(Client tc) { - //aaa - tc.index(new IndexRequest("aaa").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"f1\": \"f1_a0\", \"f2\": \"f2_a0\", \"f3\": \"f3_a0\", \"f4\": \"f4_a0\",\"type\": \"a\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("aaa").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"f1\": \"f1_a1\", \"f2\": \"f2_a1\", \"f3\": \"f3_a1\", \"f4\": \"f4_a1\",\"type\": \"a\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("aaa").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"f1\": \"f1_a2\", \"f2\": \"f2_a2\", \"f3\": \"f3_a2\", \"f4\": \"f4_a2\",\"type\": \"x\"}", XContentType.JSON)).actionGet(); - - //bbb - tc.index(new IndexRequest("bbb").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"f1\": \"f1_b0\", \"f2\": \"f2_b0\", \"f3\": \"f3_b0\", \"f4\": \"f4_b0\",\"type\": \"b\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("bbb").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"f1\": \"f1_b1\", \"f2\": \"f2_b1\", \"f3\": \"f3_b1\", \"f4\": \"f4_b1\",\"type\": \"b\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("bbb").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"f1\": \"f1_b2\", \"f2\": \"f2_b2\", \"f3\": \"f3_b2\", \"f4\": \"f4_b2\",\"type\": \"x\"}", XContentType.JSON)).actionGet(); - - tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("aaa","bbb").alias("abalias"))).actionGet(); + // aaa + tc.index( + new IndexRequest("aaa").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"f1\": \"f1_a0\", \"f2\": \"f2_a0\", \"f3\": \"f3_a0\", \"f4\": 
\"f4_a0\",\"type\": \"a\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("aaa").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"f1\": \"f1_a1\", \"f2\": \"f2_a1\", \"f3\": \"f3_a1\", \"f4\": \"f4_a1\",\"type\": \"a\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("aaa").id("2") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"f1\": \"f1_a2\", \"f2\": \"f2_a2\", \"f3\": \"f3_a2\", \"f4\": \"f4_a2\",\"type\": \"x\"}", XContentType.JSON) + ).actionGet(); + + // bbb + tc.index( + new IndexRequest("bbb").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"f1\": \"f1_b0\", \"f2\": \"f2_b0\", \"f3\": \"f3_b0\", \"f4\": \"f4_b0\",\"type\": \"b\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("bbb").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"f1\": \"f1_b1\", \"f2\": \"f2_b1\", \"f3\": \"f3_b1\", \"f4\": \"f4_b1\",\"type\": \"b\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("bbb").id("2") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"f1\": \"f1_b2\", \"f2\": \"f2_b2\", \"f3\": \"f3_b2\", \"f4\": \"f4_b2\",\"type\": \"x\"}", XContentType.JSON) + ).actionGet(); + + tc.admin() + .indices() + .aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("aaa", "bbb").alias("abalias"))) + .actionGet(); } @@ -55,7 +75,10 @@ public void testDlsFlsAB() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/aaa,bbb/_search?pretty", encodeBasicHeader("user_aaa", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/aaa,bbb/_search?pretty", encodeBasicHeader("user_aaa", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
@@ -69,8 +92,10 @@ public void testDlsFlsAB() throws Exception { Assert.assertTrue(res.getBody().contains("f3_b")); Assert.assertFalse(res.getBody().contains("f1_b")); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/abalias/_search?pretty", encodeBasicHeader("user_aaa", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/abalias/_search?pretty", encodeBasicHeader("user_aaa", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); @@ -84,7 +109,10 @@ public void testDlsFlsAB() throws Exception { Assert.assertTrue(res.getBody().contains("f3_b")); Assert.assertFalse(res.getBody().contains("f1_b")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/aaa,bbb/_search?pretty", encodeBasicHeader("user_bbb", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/aaa,bbb/_search?pretty", encodeBasicHeader("user_bbb", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); @@ -98,8 +126,10 @@ public void testDlsFlsAB() throws Exception { Assert.assertFalse(res.getBody().contains("f3_b")); Assert.assertTrue(res.getBody().contains("f1_b")); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/abalias/_search?pretty", encodeBasicHeader("user_bbb", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/abalias/_search?pretty", encodeBasicHeader("user_bbb", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestForbiddenField.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestForbiddenField.java index 6df02c2e22..840f574a9f 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestForbiddenField.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestForbiddenField.java @@ -21,15 +21,23 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class FlsDlsTestForbiddenField extends AbstractDlsFlsTest{ - +public class FlsDlsTestForbiddenField extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"amount\": 1500}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("deals").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", + XContentType.JSON + ) + ).actionGet(); + tc.index( + new IndexRequest("deals").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"customer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"amount\": 1500}", XContentType.JSON) + ).actionGet(); } 
@@ -38,23 +46,29 @@ public void testDlsAggregations() throws Exception { setup(); - - String query = "{"+ - "\"query\" : {"+ - "\"match_all\": {}"+ - "},"+ - "\"aggs\" : {"+ - "\"thesum\" : { \"sum\" : { \"field\" : \"amount\" } }"+ - "}"+ - "}"; + String query = "{" + + "\"query\" : {" + + "\"match_all\": {}" + + "}," + + "\"aggs\" : {" + + "\"thesum\" : { \"sum\" : { \"field\" : \"amount\" } }" + + "}" + + "}"; HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_fls_dls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_fls_dls", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 0,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"value\" : 0")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"value\" : 1510.0")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
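Review bot: The second assertion for `dept_manager_fls_dls`, `Assert.assertTrue(res.getBody().contains("\"value\" : 0"))`, is already implied by the preceding `"\"value\" : 0,\n \"relation"` check and so never inspects the `thesum` aggregation, whereas the admin branch pins the aggregated sum with `"\"value\" : 1510.0"`. A sum aggregation reports a double, so tighten it to `Assert.assertTrue(res.getBody().contains("\"value\" : 0.0"));` so the test fails if DLS stops filtering the aggregation while the hits total stays at zero. Parsing the body and checking `aggregations.thesum.value` would be more robust than substring matching on pretty-printed output, but the tightened literal is the minimum fix.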
@@ -66,58 +80,77 @@ public void testDls() throws Exception { setup(); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("dept_manager_fls_dls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("dept_manager_fls_dls", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 0,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - String query = - "{"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 8,"+ - "\"lte\" : 20,"+ - "\"boost\" : 3.0"+ - "}"+ - "}"+ - "}"+ - "}"; - - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("dept_manager_fls_dls", "password"))).getStatusCode()); + "{" + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 8," + + "\"lte\" : 20," + + "\"boost\" : 3.0" + + "}" + + "}" + + "}" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_fls_dls", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 0,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); query = - "{"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 100,"+ - "\"lte\" : 2000,"+ - "\"boost\" : 2.0"+ 
- "}"+ - "}"+ - "}"+ - "}"; - - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("dept_manager_fls_dls", "password"))).getStatusCode()); + "{" + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 100," + + "\"lte\" : 2000," + + "\"boost\" : 2.0" + + "}" + + "}" + + "}" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_fls_dls", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 0,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?q=amount:10&pretty", encodeBasicHeader("dept_manager_fls_dls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?q=amount:10&pretty", encodeBasicHeader("dept_manager_fls_dls", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 0,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
@@ -133,11 +166,17 @@ public void testDls() throws Exception { res = rh.executeGetRequest("/deals/_doc/1?pretty", encodeBasicHeader("dept_manager_fls_dls", "password")); Assert.assertTrue(res.getBody().contains("\"found\" : false")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"count\" : 2,")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("dept_manager_fls_dls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("dept_manager_fls_dls", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"count\" : 0,")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); } @@ -149,7 +188,10 @@ public void testCombined() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("user_combined", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("user_combined", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestMulti.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestMulti.java index b177f1d346..e9d32f18ea 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestMulti.java 
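Review bot: The `GET /deals/_doc/1?pretty` request for `dept_manager_fls_dls` at the top of the hunk is the only request here whose status code is not asserted; only `"found" : false` is checked. A DLS-hidden document should be indistinguishable from a missing one, so pin the status as well: `Assert.assertEquals(HttpStatus.SC_NOT_FOUND, res.getStatusCode());` (assuming the plugin reports filtered documents as 404 rather than 403 — confirm against the admin `found : true` path). testDls starts before this hunk; in testCombined the `System.out.println(res.getBody())` dumps document contents into the test log and can go.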
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsDlsTestMulti.java 
@@ -21,21 +21,33 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class FlsDlsTestMulti extends AbstractDlsFlsTest{ - +public class FlsDlsTestMulti extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"amount\": 1500}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust3\", \"ctype\":\"industry\"}, \"amount\": 200}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust4\", \"ctype\":\"industry\"}, \"amount\": 20001}", XContentType.JSON)).actionGet(); - - + tc.index( + new IndexRequest("deals").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", + XContentType.JSON + ) + ).actionGet(); + tc.index( + new IndexRequest("deals").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"customer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"amount\": 1500}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("deals").id("2") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"customer\": {\"name\":\"cust3\", \"ctype\":\"industry\"}, \"amount\": 200}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("deals").id("3") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"customer\": 
{\"name\":\"cust4\", \"ctype\":\"industry\"}, \"amount\": 20001}", XContentType.JSON) + ).actionGet(); } @@ -44,29 +56,34 @@ public void testDlsAggregations() throws Exception { setup(); - - String query = "{"+ - "\"query\" : {"+ - "\"match_all\": {}"+ - "},"+ - "\"aggs\" : {"+ - "\"thesum\" : { \"sum\" : { \"field\" : \"amount\" } }"+ - "}"+ - "}"; + String query = "{" + + "\"query\" : {" + + "\"match_all\": {}" + + "}," + + "\"aggs\" : {" + + "\"thesum\" : { \"sum\" : { \"field\" : \"amount\" } }" + + "}" + + "}"; HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 3,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"value\" : 1710.0")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"value\" : 21711.0")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); } - @Test public void testDlsFls() throws Exception { 
@@ -74,63 +91,85 @@ public void testDlsFls() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("ctype")); Assert.assertFalse(res.getBody().contains("secret")); Assert.assertTrue(res.getBody().contains("zip")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 3,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=0", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - String query = - "{"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 8,"+ - "\"lte\" : 20,"+ - "\"boost\" : 3.0"+ - "}"+ - "}"+ - "}"+ - "}"; - - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + "{" + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 8," + + "\"lte\" : 20," + + "\"boost\" : 3.0" + + "}" 
+ + "}" + + "}" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); query = - "{"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 100,"+ - "\"lte\" : 2000,"+ - "\"boost\" : 2.0"+ - "}"+ - "}"+ - "}"+ - "}"; - - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + "{" + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 100," + + "\"lte\" : 2000," + + "\"boost\" : 2.0" + + "}" + + "}" + + "}" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query,encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?q=amount:10&pretty", encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?q=amount:10&pretty", encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); 
 Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation"));
 Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));
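Review bot: The `?q=amount:10` request for `dept_manager_multi` returns exactly one hit, and by the fixture in `populateData` that is document 0, the only document carrying the `secret` field, yet the assertions after it check only the hit count and `"failed" : 0`. The first request in the hunk asserts `secret` is absent for the body-based search; add the same guard on the URI-query path, `Assert.assertFalse(res.getBody().contains("tellnoone"));`, so a regression that applies FLS only to request-body searches is caught. testDlsFls starts before this hunk and continues after it.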
@@ -143,23 +182,34 @@ public void testDlsFls() throws Exception { res = rh.executeGetRequest("/deals/_doc/1?pretty", encodeBasicHeader("dept_manager_multi", "password")); Assert.assertTrue(res.getBody().contains("\"found\" : true")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"count\" : 4,")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_count?pretty", encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"count\" : 3,")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - //mget - //msearch - String msearchBody = - "{\"index\":\"deals\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); - //"{\"index\":\".opendistro_security\", \"type\":\"_doc\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - //"{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + // mget + // msearch + String msearchBody = "{\"index\":\"deals\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); + // "{\"index\":\".opendistro_security\", 
\"type\":\"_doc\", \"ignore_unavailable\": true}"+System.lineSeparator()+ + // "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody(), res.getBody().contains("\"value\" : 3,\n \"relation")); Assert.assertFalse(res.getBody().contains("_opendistro_security_dls_query")); Assert.assertFalse(res.getBody().contains("_opendistro_security_fls_fields")); 
@@ -169,29 +219,31 @@ public void testDlsFls() throws Exception { Assert.assertTrue(res.getBody().contains("\"amount\" : 20")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); - - String mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"deals\","+ - "\"_id\" : \"0\""+ - " },"+ - " {"+ - "\"_index\" : \"deals\","+ - " \"_id\" : \"1\""+ - "},"+ - " {"+ - "\"_index\" : \"deals\","+ - " \"_id\" : \"2\""+ - "},"+ - " {"+ - "\"_index\" : \"deals\","+ - " \"_id\" : \"3\""+ - "}"+ - "]"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + String mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"deals\"," + + "\"_id\" : \"0\"" + + " }," + + " {" + + "\"_index\" : \"deals\"," + + " \"_id\" : \"1\"" + + "}," + + " {" + + "\"_index\" : \"deals\"," + + " \"_id\" : \"2\"" + + "}," + + " {" + + "\"_index\" : \"deals\"," + + " \"_id\" : \"3\"" + + "}" + + "]" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("_opendistro_security_dls_query")); Assert.assertFalse(res.getBody().contains("_opendistro_security_fls_fields")); Assert.assertTrue(res.getBody().contains("\"amount\" : 1500")); 
@@ -209,30 +261,37 @@ public void testDlsSuggest() throws Exception { HttpResponse res; String query = - "{"+ - "\"query\": {"+ - "\"range\" : {"+ - "\"amount\" : {"+ - "\"gte\" : 11,"+ - "\"lte\" : 50000,"+ - "\"boost\" : 1.0"+ - "}"+ - "}"+ - "},"+ - "\"suggest\" : {\n" + - " \"thesuggestion\" : {\n" + - " \"text\" : \"cust\",\n" + - " \"term\" : {\n" + - " \"field\" : \"customer.name\"\n" + - " }\n" + - " }\n" + - " }"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + "{" + + "\"query\": {" + + "\"range\" : {" + + "\"amount\" : {" + + "\"gte\" : 11," + + "\"lte\" : 50000," + + "\"boost\" : 1.0" + + "}" + + "}" + + "}," + + "\"suggest\" : {\n" + + " \"thesuggestion\" : {\n" + + " \"text\" : \"cust\",\n" + + " \"term\" : {\n" + + " \"field\" : \"customer.name\"\n" + + " }\n" + + " }\n" + + " }" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("thesuggestion")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("thesuggestion")); } 
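Review bot: Both the admin and the `dept_manager_multi` branches assert only `res.getBody().contains("thesuggestion")`, which passes as long as the suggester section is echoed back, even if every suggested term comes from a document DLS hides. The fixture's `customer.name` values are `cust1`…`cust4`, and `cust4` belongs to the document with `amount` 20001 that the earlier range and count assertions show is hidden from `dept_manager_multi`; if DLS is expected to cover term suggestions, add `Assert.assertFalse(res.getBody().contains("cust4"));` to that branch. If suggesters are known not to honour DLS, say so in a comment above the test rather than leaving an assertion that cannot fail.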
@@ -244,21 +303,28 @@ public void testDlsSuggestOnly() throws Exception { HttpResponse res; String query = - "{"+ - "\"suggest\" : {\n" + - " \"thesuggestion\" : {\n" + - " \"text\" : \"cust\",\n" + - " \"term\" : {\n" + - " \"field\" : \"customer.name\"\n" + - " }\n" + - " }\n" + - " }"+ - "}"; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + "{" + + "\"suggest\" : {\n" + + " \"thesuggestion\" : {\n" + + " \"text\" : \"cust\",\n" + + " \"term\" : {\n" + + " \"field\" : \"customer.name\"\n" + + " }\n" + + " }\n" + + " }" + + "}"; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("thesuggestion")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("dept_manager_multi", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("thesuggestion")); } diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsExistsFieldsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsExistsFieldsTest.java index 8f056c8244..32cc44efc0 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsExistsFieldsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsExistsFieldsTest.java 
@@ -26,33 +26,49 @@ public class FlsExistsFieldsTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.admin().indices().create(new CreateIndexRequest("data") - .simpleMapping("@timestamp", "type=date", "host", "type=text,norms=false", "response", "type=text,norms=false", "non-existing", "type=text,norms=false")) - .actionGet(); + tc.admin() + .indices() + .create( + new CreateIndexRequest("data").simpleMapping( + "@timestamp", + "type=date", + "host", + "type=text,norms=false", + "response", + "type=text,norms=false", + "non-existing", + "type=text,norms=false" + ) + ) + .actionGet(); for (int i = 0; i < 1; i++) { - String doc = "{\"host\" : \"myhost"+i+"\",\n" + - " \"@timestamp\" : \"2018-01-18T09:03:25.877Z\",\n" + - " \"response\": \"404\"}"; - tc.index(new IndexRequest("data").id("a-normal-" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(doc, - XContentType.JSON)).actionGet(); + String doc = "{\"host\" : \"myhost" + + i + + "\",\n" + + " \"@timestamp\" : \"2018-01-18T09:03:25.877Z\",\n" + + " \"response\": \"404\"}"; + tc.index(new IndexRequest("data").id("a-normal-" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(doc, XContentType.JSON)) + .actionGet(); } for (int i = 0; i < 1; i++) { - String doc = "{" + - " \"@timestamp\" : \"2017-01-18T09:03:25.877Z\",\n" + - " \"response\": \"200\"}"; - tc.index(new IndexRequest("data").id("b-missing1-" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(doc, - XContentType.JSON)).actionGet(); + String doc = "{" + " \"@timestamp\" : \"2017-01-18T09:03:25.877Z\",\n" + " \"response\": \"200\"}"; + tc.index( + new IndexRequest("data").id("b-missing1-" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(doc, XContentType.JSON) + ).actionGet(); } for (int i = 0; i < 1; i++) { - String doc = "{\"host\" : \"myhost"+i+"\",\n" + - " \"@timestamp\" : \"2018-01-18T09:03:25.877Z\",\n" + - " \"non-existing\": \"xxx\","+ - " \"response\": \"403\"}"; - tc.index(new 
IndexRequest("data").id("c-missing2-" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(doc, - XContentType.JSON)).actionGet(); + String doc = "{\"host\" : \"myhost" + + i + + "\",\n" + + " \"@timestamp\" : \"2018-01-18T09:03:25.877Z\",\n" + + " \"non-existing\": \"xxx\"," + + " \"response\": \"403\"}"; + tc.index( + new IndexRequest("data").id("c-missing2-" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(doc, XContentType.JSON) + ).actionGet(); } } 
@@ -61,47 +77,50 @@ protected void populateData(Client tc) { public void testExistsField() throws Exception { setup(); - String query = "{\n" + - " \"query\": {\n" + - " \"bool\": {\n" + - - " \"must_not\": \n" + - " {\n" + - " \"exists\": {\n" + - " \"field\": \"non-existing\"\n" + - " \n" + - " }\n" + - " },\n" + - - " \"must\": [\n" + - " {\n" + - " \"exists\": {\n" + - " \"field\": \"@timestamp\"\n" + - " }\n" + - " },\n" + - " {\n" + - " \"exists\": {\n" + - " \"field\": \"host\"\n" + - " }\n" + - " }\n" + - " ]\n" + - " }\n" + - " }\n" + - "}"; + String query = "{\n" + " \"query\": {\n" + " \"bool\": {\n" + + + " \"must_not\": \n" + + " {\n" + + " \"exists\": {\n" + + " \"field\": \"non-existing\"\n" + + " \n" + + " }\n" + + " },\n" + + + + " \"must\": [\n" + + " {\n" + + " \"exists\": {\n" + + " \"field\": \"@timestamp\"\n" + + " }\n" + + " },\n" + + " {\n" + + " \"exists\": {\n" + + " \"field\": \"host\"\n" + + " }\n" + + " }\n" + + " ]\n" + + " }\n" + + " }\n" + + "}"; HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, - (res = rh.executePostRequest("/data/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/data/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("a-normal-0")); Assert.assertTrue(res.getBody().contains("response")); Assert.assertTrue(res.getBody().contains("404")); - //only see's - timestamp and host field - //therefore non-existing does not exist so we expect c-missing2-0 to be returned - Assert.assertEquals(HttpStatus.SC_OK, - (res = rh.executePostRequest("/data/_search?pretty", query, encodeBasicHeader("fls_exists", "password"))).getStatusCode()); + // only see's - timestamp and host field + // therefore non-existing does not exist so we expect 
c-missing2-0 to be returned + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/data/_search?pretty", query, encodeBasicHeader("fls_exists", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("a-normal-0")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsTest.java index d4826222fa..a910cf5663 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsTest.java @@ -25,19 +25,22 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class FlsFieldsTest extends AbstractDlsFlsTest{ - +public class FlsFieldsTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.admin().indices().create(new CreateIndexRequest("deals").simpleMapping("timestamp", "type=date", "@timestamp", "type=date")).actionGet(); + tc.admin() + .indices() + .create(new CreateIndexRequest("deals").simpleMapping("timestamp", "type=date", "@timestamp", "type=date")) + .actionGet(); try { String doc = FileHelper.loadFile("dlsfls/doc1.json"); for (int i = 0; i < 10; i++) { final String moddoc = doc.replace("", "cust" + i).replace("", "" + i).replace("", "1970-01-02"); - tc.index(new IndexRequest("deals").id("0" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(moddoc, XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("deals").id("0" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(moddoc, XContentType.JSON)) + .actionGet(); } } catch (IOException e) { @@ -46,7 +49,6 @@ protected void populateData(Client tc) { } - @Test public void testFields() throws Exception { setup(); 
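Review bot: The `fls_exists` branch expects (per the comment and the hit count of 2) that `c-missing2-0` is returned because FLS hides `non-existing` from the `must_not exists` clause, but nothing asserts that the hidden field stays hidden in the returned `_source`; add `Assert.assertFalse(res.getBody().contains("xxx"));` and `Assert.assertFalse(res.getBody().contains("non-existing"));` after the `a-normal-0` check so the test fails if the document comes back with the field. The explanatory comment has a typo and reads awkwardly; suggest `// fls_exists can only see @timestamp and host, so "non-existing" never exists for it and c-missing2-0 is also returned`. Dropping the two `System.out.println(res.getBody())` calls keeps document contents out of the test log.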
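Review bot: As rendered, the three placeholder substitutions in FlsFieldsTest.populateData read `doc.replace("", "cust" + i).replace("", "" + i).replace("", "1970-01-02")` with an empty search string; `String.replace("", x)` inserts `x` between every character, so if the targets really are empty the indexed documents are garbage and every FLS assertion in this class runs against the wrong data. Most likely the placeholder tokens in `dlsfls/doc1.json` (angle-bracket markers) were stripped by the page renderer — please confirm the source still carries them, and consider a one-line comment naming the placeholders so the next reader does not have to open the JSON file. `populateData` should also carry `@Override` if it implements the base-class hook.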
@@ -54,13 +56,19 @@ public void testFields() throws Exception { String query = FileHelper.loadFile("dlsfls/flsquery.json"); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("secret")); Assert.assertTrue(res.getBody().contains("@timestamp")); Assert.assertTrue(res.getBody().contains("\"timestamp")); Assert.assertTrue(res.getBody().contains("numfield5")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("fls_fields", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("fls_fields", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("customer")); Assert.assertFalse(res.getBody().contains("secret")); Assert.assertFalse(res.getBody().contains("timestamp")); 
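Review bot: For `fls_fields` the hunk contains only negative checks (`customer`, `secret`, `timestamp` absent), so a 200 response with zero hits or a partially failed shard set would pass; the admin branch at least pins `numfield5` as present. Add a positive assertion for a field the role is allowed to see plus the expected hit count, e.g. `Assert.assertTrue(res.getBody().contains("\"value\" : 10,\n \"relation"));` (ten documents are indexed by `populateData`, assuming `fls_fields` carries no DLS restriction) and `Assert.assertTrue(res.getBody().contains("\"failed\" : 0"));`. testFields continues after this hunk, so if those checks already follow, disregard.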
@@ -74,12 +82,18 @@ public void testFields2() throws Exception { String query = FileHelper.loadFile("dlsfls/flsquery2.json"); HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty=true", query, encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty=true", query, encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("secret")); Assert.assertTrue(res.getBody().contains("@timestamp")); Assert.assertTrue(res.getBody().contains("\"timestamp")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty=true", query, encodeBasicHeader("fls_fields", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_search?pretty=true", query, encodeBasicHeader("fls_fields", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("customer")); Assert.assertFalse(res.getBody().contains("secret")); Assert.assertFalse(res.getBody().contains("timestamp")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsWcTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsWcTest.java index 951e786891..f6cfd036fd 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsWcTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsFieldsWcTest.java 
@@ -25,19 +25,22 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class FlsFieldsWcTest extends AbstractDlsFlsTest{ - +public class FlsFieldsWcTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.admin().indices().create(new CreateIndexRequest("deals").simpleMapping("timestamp", "type=date", "@timestamp", "type=date")).actionGet(); + tc.admin() + .indices() + .create(new CreateIndexRequest("deals").simpleMapping("timestamp", "type=date", "@timestamp", "type=date")) + .actionGet(); try { String doc = FileHelper.loadFile("dlsfls/doc1.json"); for (int i = 0; i < 10; i++) { final String moddoc = doc.replace("", "cust" + i).replace("", "" + i).replace("", "1970-01-02"); - tc.index(new IndexRequest("deals").id("0" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(moddoc, XContentType.JSON)).actionGet(); + tc.index(new IndexRequest("deals").id("0" + i).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(moddoc, XContentType.JSON)) + .actionGet(); } } catch (IOException e) { @@ -46,7 +49,6 @@ protected void populateData(Client tc) { } - @Test public void testFields() throws Exception { setup(); 
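Review bot: FlsFieldsWcTest.populateData shows the same `doc.replace("", "cust" + i).replace("", "" + i).replace("", "1970-01-02")` with empty search strings as FlsFieldsTest; if the targets are genuinely empty, `String.replace("", x)` interleaves `x` between every character of the template and the `fls_fields_wc` assertions run against corrupted documents. This looks like placeholder tokens lost in rendering — confirm the source carries them, and add a comment naming them. The method should also be annotated `@Override` if it implements the `AbstractDlsFlsTest` hook.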
@@ -54,12 +56,18 @@ public void testFields() throws Exception {
 String query = FileHelper.loadFile("dlsfls/flsquery.json");
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 Assert.assertTrue(res.getBody().contains("secret"));
 Assert.assertTrue(res.getBody().contains("@timestamp"));
 Assert.assertTrue(res.getBody().contains("\"timestamp"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("fls_fields_wc", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("fls_fields_wc", "password"))).getStatusCode()
+ );
 Assert.assertFalse(res.getBody().contains("customer"));
 Assert.assertFalse(res.getBody().contains("secret"));
 Assert.assertFalse(res.getBody().contains("timestamp"));
@@ -73,12 +81,18 @@ public void testFields2() throws Exception {
 String query = FileHelper.loadFile("dlsfls/flsquery2.json");
 HttpResponse res;
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("admin", "admin"))).getStatusCode()
+ );
 Assert.assertTrue(res.getBody().contains("secret"));
 Assert.assertTrue(res.getBody().contains("@timestamp"));
 Assert.assertTrue(res.getBody().contains("\"timestamp"));
- Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("fls_fields_wc", "password"))).getStatusCode());
+ Assert.assertEquals(
+ HttpStatus.SC_OK,
+ (res = rh.executePostRequest("/deals/_search?pretty", query, encodeBasicHeader("fls_fields_wc", "password"))).getStatusCode()
+ );
 Assert.assertFalse(res.getBody().contains("customer"));
 Assert.assertFalse(res.getBody().contains("secret"));
 Assert.assertFalse(res.getBody().contains("timestamp"));
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsIndexingTests.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsIndexingTests.java
index a3b5d2809e..2d7ed0efcf 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsIndexingTests.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsIndexingTests.java
@@ -32,16 +32,24 @@ public class FlsIndexingTests extends AbstractDlsFlsTest { protected void populateData(final Client tc) { // Create several documents in different indices with shared field names, // different roles will have different levels of FLS restrictions - tc.index(new IndexRequest("yellow-pages").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"phone-all\":1001,\"phone-some\":1002,\"phone-one\":1003}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("green-pages").id("2").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"phone-all\":2001,\"phone-some\":2002,\"phone-one\":2003}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("blue-book").id("3").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"phone-all\":3001,\"phone-some\":3002,\"phone-one\":3003}", XContentType.JSON)).actionGet(); - - // Seperate index used to test aliasing - tc.index(new IndexRequest(".hidden").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("yellow-pages").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"phone-all\":1001,\"phone-some\":1002,\"phone-one\":1003}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("green-pages").id("2") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"phone-all\":2001,\"phone-some\":2002,\"phone-one\":2003}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("blue-book").id("3") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"phone-all\":3001,\"phone-some\":3002,\"phone-one\":3003}", XContentType.JSON) + ).actionGet(); + + // Seperate index used to test aliasing + tc.index(new IndexRequest(".hidden").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{}", XContentType.JSON)).actionGet(); } private Header asPhoneOneUser = encodeBasicHeader("user_aaa", "password"); 
@@ -52,9 +60,9 @@ protected void populateData(final Client tc) {
 @Test
 public void testSingleIndexFlsApplied() throws Exception {
- setup(new DynamicSecurityConfig()
- .setSecurityRoles("roles_fls_indexing.yml")
- .setSecurityRolesMapping("roles_mapping_fls_indexing.yml"));
+ setup(
+ new DynamicSecurityConfig().setSecurityRoles("roles_fls_indexing.yml").setSecurityRolesMapping("roles_mapping_fls_indexing.yml")
+ );
 final HttpResponse phoneOneFilteredResponse = rh.executeGetRequest(searchQuery, asPhoneOneUser);
 assertThat(phoneOneFilteredResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
@@ -73,11 +81,14 @@ public void testSingleIndexFlsApplied() throws Exception {
 @Test
 public void testSingleIndexFlsAppliedForLimitedResults() throws Exception {
- setup(new DynamicSecurityConfig()
- .setSecurityRoles("roles_fls_indexing.yml")
- .setSecurityRolesMapping("roles_mapping_fls_indexing.yml"));
-
- final HttpResponse phoneOneFilteredResponse = rh.executeGetRequest("/yellow-pages/_search?filter_path=hits.hits&pretty", asPhoneOneUser);
+ setup(
+ new DynamicSecurityConfig().setSecurityRoles("roles_fls_indexing.yml").setSecurityRolesMapping("roles_mapping_fls_indexing.yml")
+ );
+
+ final HttpResponse phoneOneFilteredResponse = rh.executeGetRequest(
+ "/yellow-pages/_search?filter_path=hits.hits&pretty",
+ asPhoneOneUser
+ );
 assertThat(phoneOneFilteredResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
 assertThat(phoneOneFilteredResponse.getBody(), not(containsString("1003")));
 assertThat(phoneOneFilteredResponse.getBody(), containsString("1002"));
@@ -94,9 +105,9 @@ public void testSingleIndexFlsAppliedForLimitedResults() throws Exception {
 @Test
 public void testSeveralIndexFlsApplied() throws Exception {
- setup(new DynamicSecurityConfig()
- .setSecurityRoles("roles_fls_indexing.yml")
- .setSecurityRolesMapping("roles_mapping_fls_indexing.yml"));
+ setup(
+ new DynamicSecurityConfig().setSecurityRoles("roles_fls_indexing.yml").setSecurityRolesMapping("roles_mapping_fls_indexing.yml")
+ );
 final HttpResponse phoneSomeFilteredResponse = rh.executeGetRequest(searchQuery, asPhoneSomeUser);
 assertThat(phoneSomeFilteredResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
@@ -115,9 +126,9 @@ public void testSeveralIndexFlsApplied() throws Exception {
 @Test
 public void testAllIndexFlsApplied() throws Exception {
- setup(new DynamicSecurityConfig()
- .setSecurityRoles("roles_fls_indexing.yml")
- .setSecurityRolesMapping("roles_mapping_fls_indexing.yml"));
+ setup(
+ new DynamicSecurityConfig().setSecurityRoles("roles_fls_indexing.yml").setSecurityRolesMapping("roles_mapping_fls_indexing.yml")
+ );
 final HttpResponse phoneAllFilteredResponse = rh.executeGetRequest(searchQuery, asPhoneAllUser);
 assertThat(phoneAllFilteredResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
@@ -136,11 +147,15 @@ public void testAllIndexFlsApplied() throws Exception {
 @Test
 public void testAllIndexFlsAppliedWithAlias() throws Exception {
- setup(new DynamicSecurityConfig()
- .setSecurityRoles("roles_fls_indexing.yml")
- .setSecurityRolesMapping("roles_mapping_fls_indexing.yml"));
-
- final HttpResponse createAlias = rh.executePostRequest("_aliases", "{\"actions\":[{\"add\":{\"index\":\".hidden\",\"alias\":\"ducky\"}}]}", asPhoneAllUser);
+ setup(
+ new DynamicSecurityConfig().setSecurityRoles("roles_fls_indexing.yml").setSecurityRolesMapping("roles_mapping_fls_indexing.yml")
+ );
+
+ final HttpResponse createAlias = rh.executePostRequest(
+ "_aliases",
+ "{\"actions\":[{\"add\":{\"index\":\".hidden\",\"alias\":\"ducky\"}}]}",
+ asPhoneAllUser
+ );
 assertThat(createAlias.getStatusCode(), equalTo(HttpStatus.SC_OK));
 final HttpResponse phoneAllFilteredResponse = rh.executeGetRequest(searchQuery, asPhoneAllUser);
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsKeywordTests.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsKeywordTests.java
index 25069e48ef..1c51ec99b7 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsKeywordTests.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsKeywordTests.java
@@ -32,20 +32,24 @@ public class FlsKeywordTests extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("movies").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"year\": 2013, \"title\": \"Rush\", \"actors\": [\"Daniel Br\u00FChl\", \"Chris Hemsworth\", \"Olivia Wilde\"]}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("movies").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"year\": 2013, \"title\": \"Rush\", \"actors\": [\"Daniel Br\u00FChl\", \"Chris Hemsworth\", \"Olivia Wilde\"]}", + XContentType.JSON + ) + ).actionGet(); } private Header movieUser = encodeBasicHeader("user_aaa", "password"); private Header movieNoActorUser = encodeBasicHeader("user_bbb", "password"); - private String[] actors = new String[] {"Daniel Br\u00FChl", "Chris Hemsworth", "Olivia Wilde"}; + private String[] actors = new String[] { "Daniel Br\u00FChl", "Chris Hemsworth", "Olivia Wilde" }; @Test public void testKeywordsAreAutomaticallyFiltered() throws Exception { - setup(new DynamicSecurityConfig() - .setSecurityRoles("roles_keyword.yml") - .setSecurityRolesMapping("roles_mappings_keyword.yml")); + setup(new DynamicSecurityConfig().setSecurityRoles("roles_keyword.yml").setSecurityRolesMapping("roles_mappings_keyword.yml")); final String searchQuery = "/movies/_search?filter_path=hits.hits._source"; final String aggQuery = "/movies/_search?filter_path=aggregations.actors.buckets.key"; 
@@ -73,14 +77,10 @@ public void testKeywordsAreAutomaticallyFiltered() throws Exception {
 }
 private void assertActorsPresent(final HttpResponse response) {
- Arrays.stream(actors).forEach(actor -> {
- assertThat(response.getBody(), containsString(actor));
- });
+ Arrays.stream(actors).forEach(actor -> { assertThat(response.getBody(), containsString(actor)); });
 }
 private void assertActorsNotPresent(final HttpResponse response) {
- Arrays.stream(actors).forEach(actor -> {
- assertThat(response.getBody(), not(containsString(actor)));
- });
+ Arrays.stream(actors).forEach(actor -> { assertThat(response.getBody(), not(containsString(actor))); });
 }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsPerfTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsPerfTest.java
index 565dbdde9c..4fde195860 100644
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsPerfTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsPerfTest.java
@@ -30,30 +30,27 @@ import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; @Ignore -public class FlsPerfTest extends AbstractDlsFlsTest{ - +public class FlsPerfTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { Map indexSettings = new HashMap<>(3); - indexSettings.put("index.mapping.total_fields.limit",50000); + indexSettings.put("index.mapping.total_fields.limit", 50000); indexSettings.put("number_of_shards", 10); indexSettings.put("number_of_replicas", 0); - tc.admin().indices().create(new CreateIndexRequest("deals") - .settings(indexSettings)) - .actionGet(); + tc.admin().indices().create(new CreateIndexRequest("deals").settings(indexSettings)).actionGet(); try { - IndexRequest ir = new IndexRequest("deals").id("idx1"); + IndexRequest ir = new IndexRequest("deals").id("idx1"); XContentBuilder b = XContentBuilder.builder(JsonXContent.jsonXContent); b.startObject(); - b.field("amount",1000); + b.field("amount", 1000); b.startObject("xyz"); - b.field("abc","val"); + b.field("abc", "val"); b.endObject(); b.endObject(); @@ -61,13 +58,13 @@ protected void populateData(Client tc) { tc.index(ir).actionGet(); - for(int i=0; i<1500; i++) { + for (int i = 0; i < 1500; i++) { - ir = new IndexRequest("deals").id("id"+i); + ir = new IndexRequest("deals").id("id" + i); b = XContentBuilder.builder(JsonXContent.jsonXContent); b.startObject(); - for(int j=0; j<2000;j++) { - b.field("field"+j,"val"+j); + for (int j = 0; j < 2000; j++) { + b.field("field" + j, "val" + j); } b.endObject(); 
@@ -94,7 +91,10 @@ public void testFlsPerfNamed() throws Exception { StopWatch sw = new StopWatch("testFlsPerfNamed"); sw.start("non fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); Assert.assertTrue(res.getBody().contains("field2\"")); @@ -102,7 +102,11 @@ public void testFlsPerfNamed() throws Exception { Assert.assertTrue(res.getBody().contains("field997\"")); sw.start("with fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_only", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_only", "password"))) + .getStatusCode() + ); sw.stop(); Assert.assertFalse(res.getBody().contains("field1\"")); Assert.assertFalse(res.getBody().contains("field2\"")); @@ -111,7 +115,11 @@ public void testFlsPerfNamed() throws Exception { sw.start("with fls 2 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_only", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_only", "password"))) + .getStatusCode() + ); sw.stop(); Assert.assertFalse(res.getBody().contains("field1\"")); 
@@ -121,7 +129,11 @@ public void testFlsPerfNamed() throws Exception { sw.start("with fls 3 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_only", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_only", "password"))) + .getStatusCode() + ); sw.stop(); Assert.assertFalse(res.getBody().contains("field1\"")); @@ -141,7 +153,10 @@ public void testFlsPerfWcEx() throws Exception { StopWatch sw = new StopWatch("testFlsPerfWcEx"); sw.start("non fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); Assert.assertTrue(res.getBody().contains("field2\"")); @@ -149,7 +164,10 @@ public void testFlsPerfWcEx() throws Exception { Assert.assertTrue(res.getBody().contains("field997\"")); sw.start("with fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_ex", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_ex", "password"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); Assert.assertTrue(res.getBody().contains("field2\"")); 
@@ -158,7 +176,10 @@ public void testFlsPerfWcEx() throws Exception { sw.start("with fls 2 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_ex", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_ex", "password"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); @@ -168,7 +189,10 @@ public void testFlsPerfWcEx() throws Exception { sw.start("with fls 3 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_ex", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_ex", "password"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); @@ -188,7 +212,10 @@ public void testFlsPerfNamedEx() throws Exception { StopWatch sw = new StopWatch("testFlsPerfNamedEx"); sw.start("non fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); Assert.assertTrue(res.getBody().contains("field2\"")); 
@@ -196,7 +223,10 @@ public void testFlsPerfNamedEx() throws Exception { Assert.assertTrue(res.getBody().contains("field997\"")); sw.start("with fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_ex", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_ex", "password"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); Assert.assertTrue(res.getBody().contains("field2\"")); @@ -205,7 +235,10 @@ public void testFlsPerfNamedEx() throws Exception { sw.start("with fls 2 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_ex", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_ex", "password"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); @@ -215,7 +248,10 @@ public void testFlsPerfNamedEx() throws Exception { sw.start("with fls 3 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_ex", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_named_ex", "password"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); 
@@ -235,7 +271,10 @@ public void testFlsWcIn() throws Exception { StopWatch sw = new StopWatch("testFlsWcIn"); sw.start("non fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); sw.stop(); Assert.assertTrue(res.getBody().contains("field1\"")); Assert.assertTrue(res.getBody().contains("field2\"")); @@ -243,7 +282,10 @@ public void testFlsWcIn() throws Exception { Assert.assertTrue(res.getBody().contains("field997\"")); sw.start("with fls"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_in", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_in", "password"))).getStatusCode() + ); sw.stop(); Assert.assertFalse(res.getBody().contains("field0\"")); Assert.assertTrue(res.getBody().contains("field50\"")); @@ -251,7 +293,10 @@ public void testFlsWcIn() throws Exception { sw.start("with fls 2 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_in", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_in", "password"))).getStatusCode() + ); sw.stop(); Assert.assertFalse(res.getBody().contains("field0\"")); 
@@ -260,7 +305,10 @@ public void testFlsWcIn() throws Exception { sw.start("with fls 3 after warmup"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_in", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty&size=1000", encodeBasicHeader("perf_wc_in", "password"))).getStatusCode() + ); sw.stop(); Assert.assertFalse(res.getBody().contains("field0\"")); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsTest.java index c31650e734..180256efd9 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/FlsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/FlsTest.java 
@@ -21,15 +21,23 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class FlsTest extends AbstractDlsFlsTest{ - +public class FlsTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"amount\": 1500}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("deals").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", + XContentType.JSON + ) + ).actionGet(); + tc.index( + new IndexRequest("deals").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"customer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"amount\": 1500}", XContentType.JSON) + ).actionGet(); } @Test @@ -39,8 +47,10 @@ public void testFieldCapabilities() throws Exception { HttpResponse res; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_field_caps?fields=*&pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_field_caps?fields=*&pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("customer")); Assert.assertTrue(res.getBody().contains("customer.name")); Assert.assertTrue(res.getBody().contains("zip")); 
@@ -48,7 +58,11 @@ public void testFieldCapabilities() throws Exception { Assert.assertTrue(res.getBody().contains("amount")); Assert.assertTrue(res.getBody().contains("secret")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_field_caps?fields=*&pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_field_caps?fields=*&pretty", encodeBasicHeader("dept_manager_fls", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("customer")); Assert.assertTrue(res.getBody().contains("customer.name")); Assert.assertTrue(res.getBody().contains("zip")); @@ -56,7 +70,13 @@ public void testFieldCapabilities() throws Exception { Assert.assertFalse(res.getBody().contains("amount")); Assert.assertFalse(res.getBody().contains("secret")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_field_caps?fields=*&pretty", encodeBasicHeader("dept_manager_fls_reversed_fields", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest( + "/deals/_field_caps?fields=*&pretty", + encodeBasicHeader("dept_manager_fls_reversed_fields", "password") + )).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertFalse(res.getBody().contains("customer")); Assert.assertFalse(res.getBody().contains("customer.name")); @@ -73,8 +93,10 @@ public void testMapping() throws Exception { HttpResponse res; - - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_mapping?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_mapping?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("customer")); Assert.assertTrue(res.getBody().contains("name")); Assert.assertTrue(res.getBody().contains("zip")); 
@@ -82,7 +104,10 @@ public void testMapping() throws Exception { Assert.assertTrue(res.getBody().contains("amount")); Assert.assertTrue(res.getBody().contains("secret")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_mapping?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_mapping?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("customer")); Assert.assertTrue(res.getBody().contains("name")); Assert.assertTrue(res.getBody().contains("zip")); @@ -90,7 +115,11 @@ public void testMapping() throws Exception { Assert.assertFalse(res.getBody().contains("amount")); Assert.assertFalse(res.getBody().contains("secret")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_mapping?pretty", encodeBasicHeader("dept_manager_fls_reversed_fields", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_mapping?pretty", encodeBasicHeader("dept_manager_fls_reversed_fields", "password"))) + .getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("customer")); Assert.assertFalse(res.getBody().contains("name")); @@ -100,7 +129,6 @@ public void testMapping() throws Exception { Assert.assertTrue(res.getBody().contains("secret")); } - @Test public void testFlsSearch() throws Exception { 
@@ -108,7 +136,10 @@ public void testFlsSearch() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertTrue(res.getBody().contains("cust1")); @@ -118,7 +149,10 @@ public void testFlsSearch() throws Exception { Assert.assertTrue(res.getBody().contains("amount")); Assert.assertTrue(res.getBody().contains("secret")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertTrue(res.getBody().contains("cust1")); 
@@ -128,7 +162,11 @@ public void testFlsSearch() throws Exception { Assert.assertFalse(res.getBody().contains("amount")); Assert.assertFalse(res.getBody().contains("secret")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager_fls_reversed_fields", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_search?pretty", encodeBasicHeader("dept_manager_fls_reversed_fields", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertFalse(res.getBody().contains("cust1")); @@ -146,7 +184,10 @@ public void testFlsGet() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"found\" : true")); Assert.assertTrue(res.getBody().contains("cust1")); Assert.assertFalse(res.getBody().contains("cust2")); @@ -154,7 +195,10 @@ public void testFlsGet() throws Exception { Assert.assertFalse(res.getBody().contains("ctype")); Assert.assertTrue(res.getBody().contains("amount")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"found\" : true")); Assert.assertTrue(res.getBody().contains("cust1")); Assert.assertFalse(res.getBody().contains("cust2")); 
@@ -162,7 +206,11 @@ public void testFlsGet() throws Exception { Assert.assertFalse(res.getBody().contains("ctype")); Assert.assertFalse(res.getBody().contains("amount")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?realtime=true&pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/deals/_doc/0?realtime=true&pretty", encodeBasicHeader("dept_manager_fls", "password"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"found\" : true")); Assert.assertTrue(res.getBody().contains("cust1")); Assert.assertFalse(res.getBody().contains("cust2")); @@ -170,7 +218,13 @@ public void testFlsGet() throws Exception { Assert.assertFalse(res.getBody().contains("ctype")); Assert.assertFalse(res.getBody().contains("amount")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/deals/_doc/0?realtime=true&pretty", encodeBasicHeader("dept_manager_fls_reversed_fields", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest( + "/deals/_doc/0?realtime=true&pretty", + encodeBasicHeader("dept_manager_fls_reversed_fields", "password") + )).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"found\" : true")); Assert.assertFalse(res.getBody().contains("cust1")); Assert.assertFalse(res.getBody().contains("cust2")); 
@@ -187,11 +241,22 @@ public void testFlsUpdate() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("/deals/_update/0?pretty", "{\"doc\": {\"zip\": \"98765\"}}", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("/deals/_update/0?pretty", "{\"doc\": {\"zip\": \"98765\"}}", encodeBasicHeader("admin", "admin"))) + .getStatusCode() + ); Assert.assertTrue(res.getBody().contains("\"_version\" : 2")); Assert.assertFalse(res.getBody(), res.getBody().contains("\"successful\" : 0")); - Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, (res = rh.executePostRequest("/deals/_update/0?pretty", "{\"doc\": {\"zip\": \"98765000\"}}", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + (res = rh.executePostRequest( + "/deals/_update/0?pretty", + "{\"doc\": {\"zip\": \"98765000\"}}", + encodeBasicHeader("dept_manager_fls", "password") + )).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("Update is not supported")); } @@ -202,7 +267,14 @@ public void testFlsUpdateIndex() throws Exception { HttpResponse res = null; - Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, (res = rh.executePostRequest("/deals/_update/0?pretty", "{\"doc\": {\"zip\": \"98765000\"}}", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + (res = rh.executePostRequest( + "/deals/_update/0?pretty", + "{\"doc\": {\"zip\": \"98765000\"}}", + encodeBasicHeader("dept_manager_fls", "password") + )).getStatusCode() + ); Assert.assertTrue(res.getBody().contains("Update is not supported")); } } diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/IndexPatternTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/IndexPatternTest.java index 7348b11341..9b075e0600 100644 
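Review bot: The denied-update case in testFlsUpdate only asserts the 500 status and the "Update is not supported" message; it never confirms that dept_manager_fls's request actually left the document untouched, which is the property an FLS test should pin. After the last assertion, re-read the document as admin and check the value written by the first (admin) update survived: `res = rh.executeGetRequest("/deals/_doc/0?pretty", encodeBasicHeader("admin", "admin"));` then `Assert.assertTrue(res.getBody(), res.getBody().contains("\"zip\" : \"98765\""));` and `Assert.assertFalse(res.getBody().contains("98765000"));`. This relies on the same pretty-printed layout the surrounding assertions already depend on. The method's signature appears only in the hunk context, so the start of testFlsUpdate is outside the hunk.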
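Review bot: testFlsUpdateIndex issues exactly the same request as the second half of testFlsUpdate (POST `/deals/_update/0?pretty`, same body, same dept_manager_fls credentials) and makes the same two assertions, so it adds no coverage despite a name suggesting the index/re-index path is exercised. Either drop it or make it perform the operation the name implies, e.g. `rh.executePutRequest("/deals/_doc/0?pretty", "{\"zip\": \"98765000\"}", encodeBasicHeader("dept_manager_fls", "password"))`, and assert whatever outcome the FLS policy is meant to produce for that path (I cannot tell from the hunk what that is). The `HttpResponse res = null;` initialiser is also unnecessary since `res` is assigned before use, as the sibling tests show.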
--- a/src/test/java/org/opensearch/security/dlic/dlsfls/IndexPatternTest.java
+++ b/src/test/java/org/opensearch/security/dlic/dlsfls/IndexPatternTest.java
@@ -21,20 +21,27 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class IndexPatternTest extends AbstractDlsFlsTest{ - +public class IndexPatternTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("logstash-2016").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"message\":\"mymsg1a\", \"ipaddr\": \"10.0.0.0\",\"msgid\": \"12\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-2016").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"message\":\"mymsg1b\", \"ipaddr\": \"10.0.0.1\",\"msgid\": \"14\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-2018").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"message\":\"mymsg1c\", \"ipaddr\": \"10.0.0.2\",\"msgid\": \"12\"}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("logstash-2018").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"message\":\"mymsg1d\", \"ipaddr\": \"10.0.0.3\",\"msgid\": \"14\"}", XContentType.JSON)).actionGet(); - } + tc.index( + new IndexRequest("logstash-2016").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"message\":\"mymsg1a\", \"ipaddr\": \"10.0.0.0\",\"msgid\": \"12\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("logstash-2016").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"message\":\"mymsg1b\", \"ipaddr\": \"10.0.0.1\",\"msgid\": \"14\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("logstash-2018").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"message\":\"mymsg1c\", \"ipaddr\": \"10.0.0.2\",\"msgid\": \"12\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("logstash-2018").setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source("{\"message\":\"mymsg1d\", \"ipaddr\": \"10.0.0.3\",\"msgid\": \"14\"}", XContentType.JSON) + ).actionGet(); + } @Test public void testSearch() 
throws Exception { @@ -43,7 +50,10 @@ public void testSearch() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-2016/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-2016/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); @@ -52,7 +62,11 @@ public void testSearch() throws Exception { Assert.assertTrue(res.getBody().contains("mymsg")); Assert.assertTrue(res.getBody().contains("msgid")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-2016/_search?pretty", encodeBasicHeader("opendistro_security_logstash", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-2016/_search?pretty", encodeBasicHeader("opendistro_security_logstash", "password"))) + .getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
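Review bot: `System.out.println(res.getBody());` after the admin search in testSearch prints the complete, unfiltered response — every document and every field, including the ones FLS/DLS is supposed to hide from other users — to stdout on every run, and the opendistro_security_logstash branch in the next hunk does the same. In a security test suite this is log noise at best and dumps fixture data into CI output at worst. Drop both calls, or surface the body only on failure by passing it as the assertion message, e.g. `Assert.assertTrue(res.getBody(), res.getBody().contains("\"failed\" : 0"));`.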
@@ -69,13 +83,22 @@ public void testFieldCaps() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-2016/_field_caps?fields=*&pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-2016/_field_caps?fields=*&pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("ipaddr")); Assert.assertTrue(res.getBody().contains("message")); Assert.assertTrue(res.getBody().contains("msgid")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-2016/_field_caps?fields=*&pretty", encodeBasicHeader("opendistro_security_logstash", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest( + "/logstash-2016/_field_caps?fields=*&pretty", + encodeBasicHeader("opendistro_security_logstash", "password") + )).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertFalse(res.getBody().contains("ipaddr")); Assert.assertFalse(res.getBody().contains("message")); @@ -89,7 +112,10 @@ public void testSearchWc() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
@@ -98,7 +124,11 @@ public void testSearchWc() throws Exception { Assert.assertTrue(res.getBody().contains("mymsg")); Assert.assertTrue(res.getBody().contains("msgid")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("opendistro_security_logstash", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("opendistro_security_logstash", "password"))) + .getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); @@ -115,7 +145,10 @@ public void testSearchWcRegex() throws Exception { HttpResponse res; - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("admin", "admin"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 4,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); @@ -124,7 +157,10 @@ public void testSearchWcRegex() throws Exception { Assert.assertTrue(res.getBody().contains("mymsg")); Assert.assertTrue(res.getBody().contains("msgid")); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("regex", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/logstash-20*/_search?pretty", encodeBasicHeader("regex", "password"))).getStatusCode() + ); System.out.println(res.getBody()); Assert.assertTrue(res.getBody().contains("\"value\" : 2,\n \"relation")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); 
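Review bot: In testSearchWcRegex the `regex` user's wildcard search is checked only for `"value" : 2` out of four documents and `"failed" : 0`; a hit count alone does not show that the right two documents were returned, so a DLS/index-pattern rule matching the wrong index would still pass. If the rest of the method (outside the hunk) does not already pin the expected documents, add assertions on the specific messages, e.g. `Assert.assertTrue(res.getBody().contains("mymsg1a"));` plus the matching `assertFalse` for the ones that must be excluded; the same applies to the opendistro_security_logstash wildcard hunk above. Which two documents the regex role is meant to see is not visible here, so the expected ids need to be taken from the roles fixture.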
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/MFlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/MFlsTest.java index b7305ee48c..81a2c50fc6 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/MFlsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/MFlsTest.java @@ -21,15 +21,26 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -public class MFlsTest extends AbstractDlsFlsTest{ - +public class MFlsTest extends AbstractDlsFlsTest { protected void populateData(Client tc) { - tc.index(new IndexRequest("deals").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", XContentType.JSON)).actionGet(); - tc.index(new IndexRequest("finance").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source("{\"finfield2\":\"fff\",\"xcustomer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"famount\": 1500}", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest("deals").id("0") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"customer\": {\"name\":\"cust1\"}, \"zip\": \"12345\",\"secret\": \"tellnoone\",\"amount\": 10}", + XContentType.JSON + ) + ).actionGet(); + tc.index( + new IndexRequest("finance").id("1") + .setRefreshPolicy(RefreshPolicy.IMMEDIATE) + .source( + "{\"finfield2\":\"fff\",\"xcustomer\": {\"name\":\"cust2\", \"ctype\":\"industry\"}, \"famount\": 1500}", + XContentType.JSON + ) + ).actionGet(); } @Test 
@@ -40,7 +51,10 @@ public void testFlsMGetSearch() throws Exception { HttpResponse res; System.out.println("### normal search"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executeGetRequest("deals,finance/_search?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("deals,finance/_search?pretty", encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("_opendistro_security_")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertFalse(res.getBody().contains("xception")); 
@@ -50,16 +64,22 @@ public void testFlsMGetSearch() throws Exception { Assert.assertFalse(res.getBody().contains("amount")); Assert.assertFalse(res.getBody().contains("secret")); - //mget - //msearch - String msearchBody = - "{\"index\":\"deals\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator()+ - "{\"index\":\"finance\", \"ignore_unavailable\": true}"+System.lineSeparator()+ - "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}"+System.lineSeparator(); + // mget + // msearch + String msearchBody = "{\"index\":\"deals\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator() + + "{\"index\":\"finance\", \"ignore_unavailable\": true}" + + System.lineSeparator() + + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + + System.lineSeparator(); System.out.println("### msearch"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("_msearch?pretty", msearchBody, encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("_opendistro_security_")); Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); Assert.assertFalse(res.getBody().contains("xception")); 
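Review bot: The `_msearch` body in testFlsMGetSearch is assembled with `System.lineSeparator()`, which is `\r\n` on Windows, while the NDJSON the endpoint parses is `\n`-delimited; the request format should not depend on the host platform, so replace each separator with a literal `"\n"`. The `// mget` comment placed above `// msearch` is also misleading — the mget body is built further down, after the msearch assertions — so it should be moved there or removed.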
@@ -69,22 +89,24 @@ public void testFlsMGetSearch() throws Exception { Assert.assertFalse(res.getBody().contains("amount")); Assert.assertFalse(res.getBody().contains("secret")); - - String mgetBody = "{"+ - "\"docs\" : ["+ - "{"+ - "\"_index\" : \"deals\","+ - "\"_id\" : \"0\""+ - " },"+ - " {"+ - "\"_index\" : \"finance\","+ - " \"_id\" : \"1\""+ - "}"+ - "]"+ - "}"; + String mgetBody = "{" + + "\"docs\" : [" + + "{" + + "\"_index\" : \"deals\"," + + "\"_id\" : \"0\"" + + " }," + + " {" + + "\"_index\" : \"finance\"," + + " \"_id\" : \"1\"" + + "}" + + "]" + + "}"; System.out.println("### mget"); - Assert.assertEquals(HttpStatus.SC_OK, (res = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executePostRequest("_mget?pretty", mgetBody, encodeBasicHeader("dept_manager_fls", "password"))).getStatusCode() + ); Assert.assertFalse(res.getBody().contains("_opendistro_security_")); Assert.assertTrue(res.getBody().contains("\"found\" : true")); Assert.assertFalse(res.getBody().contains("\"found\" : false")); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java index 7b590f1d46..e7752c21d1 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java @@ -44,8 +44,8 @@ public abstract class AbstractRestApiUnitTest extends SingleClusterTest { - protected RestHelper rh = null; - protected boolean init = true; + protected RestHelper rh = null; + protected boolean init = true; @Override protected String getResourceFolder() { 
@@ -53,247 +53,259 @@ protected String getResourceFolder() { } @Override - protected final void setup() throws Exception { - Settings.Builder builder = Settings.builder(); + protected final void setup() throws Exception { + Settings.Builder builder = Settings.builder(); - builder.put("plugins.security.ssl.http.enabled", true) - .put(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name()) - .put("plugins.security.ssl.http.keystore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")); + builder.put("plugins.security.ssl.http.enabled", true) + .put(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name()) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")); - setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init); - rh = restHelper(); - rh.keystore = "restapi/kirk-keystore.jks"; - } + setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init); + rh = restHelper(); + rh.keystore = "restapi/kirk-keystore.jks"; + } @Override - protected final void setup(Settings nodeOverride) throws Exception { - Settings.Builder builder = Settings.builder(); + protected final void setup(Settings nodeOverride) throws Exception { + Settings.Builder builder = Settings.builder(); - builder.put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")) - 
.put(nodeOverride); + builder.put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")) + .put(nodeOverride); - System.out.println(builder.toString()); + System.out.println(builder.toString()); - setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init); - rh = restHelper(); - rh.keystore = "restapi/kirk-keystore.jks"; - } + setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init); + rh = restHelper(); + rh.keystore = "restapi/kirk-keystore.jks"; + } - protected final void setupWithRestRoles() throws Exception { + protected final void setupWithRestRoles() throws Exception { setupWithRestRoles(null); } - protected final void setupWithRestRoles(Settings nodeOverride) throws Exception { - Settings.Builder builder = Settings.builder(); - - builder.put("plugins.security.ssl.http.enabled", true) - .put(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name()) - .put("plugins.security.ssl.http.keystore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")); - - builder.put(rolesSettings()); - - if (null != nodeOverride) { - builder.put(nodeOverride); - } - - setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init); - rh = restHelper(); - rh.keystore = "restapi/kirk-keystore.jks"; - - AuditTestUtils.updateAuditConfig(rh, nodeOverride != null ? 
nodeOverride : Settings.EMPTY); - } - - protected Settings rolesSettings() { - return Settings.builder() - .put("plugins.security.restapi.roles_enabled.0", "opendistro_security_role_klingons") - .put("plugins.security.restapi.roles_enabled.1", "opendistro_security_role_vulcans") - .put("plugins.security.restapi.roles_enabled.2", "opendistro_security_test") - .put("plugins.security.restapi.endpoints_disabled.global.CACHE.0", "*") - .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.conFiGuration.0", "*") - .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.wRongType.0", "WRONGType") - .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.0", "PUT") - .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.1", "DELETE") - .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_vulcans.CONFIG.0", "*") - .build(); - } - - protected void deleteUser(String username) throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = true; - HttpResponse response = rh.executeDeleteRequest("/_opendistro/_security/api/internalusers/" + username, new Header[0]); - Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - rh.sendAdminCertificate = sendAdminCertificate; - } - - protected void addUserWithPassword(String username, String password, int status) throws Exception { - addUserWithPassword(username, password, status, null); - } - - protected void addUserWithPassword(String username, String password, int status, String message) throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = true; - HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, - "{\"password\": \"" + password + "\"}", new Header[0]); - Assert.assertEquals(status, response.getStatusCode()); - 
rh.sendAdminCertificate = sendAdminCertificate; - if (Objects.nonNull(message)) { - Assert.assertTrue(response.getBody().contains(message)); - } - } - - protected void addUserWithPassword(String username, String password, String[] roles, int status) throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = true; - String payload = "{" + "\"password\": \"" + password + "\"," + "\"backend_roles\": ["; - for (int i = 0; i < roles.length; i++) { - payload += "\"" + roles[i] + "\""; - if (i + 1 < roles.length) { - payload += ","; - } - } - payload += "]}"; - HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, payload, new Header[0]); - Assert.assertEquals(status, response.getStatusCode()); - rh.sendAdminCertificate = sendAdminCertificate; - } - - protected void addUserWithoutPasswordOrHash(String username, String[] roles, int status) throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = true; - String payload = "{ \"backend_roles\": ["; - for (int i = 0; i < roles.length; i++) { - payload += "\" " + roles[i] + " \""; - if (i + 1 < roles.length) { - payload += ","; - } - } - payload += "]}"; - HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, payload, new Header[0]); - Assert.assertEquals(status, response.getStatusCode()); - rh.sendAdminCertificate = sendAdminCertificate; - } - - protected void addUserWithHash(String username, String hash) throws Exception { - addUserWithHash(username, hash, HttpStatus.SC_OK); - } - - protected void addUserWithHash(String username, String hash, int status) throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = true; - HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, "{\"hash\": \"" + hash + "\"}", - new Header[0]); - 
Assert.assertEquals(status, response.getStatusCode()); - rh.sendAdminCertificate = sendAdminCertificate; - } - - protected void addUserWithPasswordAndHash(String username, String password, String hash, int status) throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = true; - HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, "{\"hash\": \"" + hash + "\", \"password\": \"" + password + "\"}", - new Header[0]); - Assert.assertEquals(status, response.getStatusCode()); - rh.sendAdminCertificate = sendAdminCertificate; - } - - protected void checkGeneralAccess(int status, String username, String password) throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = false; - Assert.assertEquals(status, - rh.executeGetRequest("", - encodeBasicHeader(username, password)) - .getStatusCode()); - rh.sendAdminCertificate = sendAdminCertificate; - } - - protected String checkReadAccess(int status, String username, String password, String indexName, String actionType, - int id) throws Exception { - rh.sendAdminCertificate = false; - String action = indexName + "/" + actionType + "/" + id; - HttpResponse response = rh.executeGetRequest(action, encodeBasicHeader(username, password)); - int returnedStatus = response.getStatusCode(); - Assert.assertEquals(status, returnedStatus); - return response.getBody(); - - } - - protected String checkWriteAccess(int status, String username, String password, String indexName, String actionType, - int id) throws Exception { - rh.sendAdminCertificate = false; - String action = indexName + "/" + actionType + "/" + id; - String payload = "{\"value\" : \"true\"}"; - HttpResponse response = rh.executePutRequest(action, payload, encodeBasicHeader(username, password)); - int returnedStatus = response.getStatusCode(); - Assert.assertEquals(response.getBody(), status, returnedStatus); - return 
response.getBody(); - } - - protected void setupStarfleetIndex() throws Exception { - boolean sendAdminCertificate = rh.sendAdminCertificate; - rh.sendAdminCertificate = true; - rh.executePutRequest("sf", null, new Header[0]); - rh.executePutRequest("sf/_doc/0", "{\"number\" : \"NCC-1701-D\"}", new Header[0]); - rh.executePutRequest("sf/_doc/0", "{\"some\" : \"value\"}", new Header[0]); - rh.sendAdminCertificate = sendAdminCertificate; - } - - protected void assertHealthy() throws Exception { - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_opendistro/_security/health?pretty").getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("admin", "admin")).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("admin", "admin")).getStatusCode()); - } - - protected Settings defaultNodeSettings(boolean enableRestSSL) { - Settings.Builder builder = Settings.builder(); - - if (enableRestSSL) { - builder.put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", - FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")); - } - return builder.build(); - } - - protected Map jsonStringToMap(String json) throws JsonParseException, JsonMappingException, IOException { - TypeReference> typeRef = new TypeReference>() {}; - return DefaultObjectMapper.objectMapper.readValue(json, typeRef); - } - - protected static Collection> asCollection(Class... plugins) { - return Arrays.asList(plugins); - } - - String createRestAdminPermissionsPayload(String... 
additionPerms) throws JsonProcessingException { - final ObjectNode rootNode = (ObjectNode) DefaultObjectMapper.objectMapper.createObjectNode(); - rootNode.set("cluster_permissions", clusterPermissionsForRestAdmin(additionPerms)); - return DefaultObjectMapper.objectMapper.writeValueAsString(rootNode); - } - - ArrayNode clusterPermissionsForRestAdmin(String... additionPerms) { - final ArrayNode permissionsArray = (ArrayNode) DefaultObjectMapper.objectMapper.createArrayNode(); - for (final Map.Entry entry : RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS.entrySet()) { - if (entry.getKey() == Endpoint.SSL) { - permissionsArray - .add(entry.getValue().build("certs")) - .add(entry.getValue().build("reloadcerts")); - } else { - permissionsArray.add(entry.getValue().build()); - } - } - if (additionPerms.length != 0) { - Stream.of(additionPerms).forEach(permissionsArray::add); - } - return permissionsArray; - } + protected final void setupWithRestRoles(Settings nodeOverride) throws Exception { + Settings.Builder builder = Settings.builder(); + + builder.put("plugins.security.ssl.http.enabled", true) + .put(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name()) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")); + + builder.put(rolesSettings()); + + if (null != nodeOverride) { + builder.put(nodeOverride); + } + + setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init); + rh = restHelper(); + rh.keystore = "restapi/kirk-keystore.jks"; + + AuditTestUtils.updateAuditConfig(rh, nodeOverride != null ? 
nodeOverride : Settings.EMPTY); + } + + protected Settings rolesSettings() { + return Settings.builder() + .put("plugins.security.restapi.roles_enabled.0", "opendistro_security_role_klingons") + .put("plugins.security.restapi.roles_enabled.1", "opendistro_security_role_vulcans") + .put("plugins.security.restapi.roles_enabled.2", "opendistro_security_test") + .put("plugins.security.restapi.endpoints_disabled.global.CACHE.0", "*") + .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.conFiGuration.0", "*") + .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.wRongType.0", "WRONGType") + .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.0", "PUT") + .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.1", "DELETE") + .put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_vulcans.CONFIG.0", "*") + .build(); + } + + protected void deleteUser(String username) throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = true; + HttpResponse response = rh.executeDeleteRequest("/_opendistro/_security/api/internalusers/" + username, new Header[0]); + Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); + rh.sendAdminCertificate = sendAdminCertificate; + } + + protected void addUserWithPassword(String username, String password, int status) throws Exception { + addUserWithPassword(username, password, status, null); + } + + protected void addUserWithPassword(String username, String password, int status, String message) throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = true; + HttpResponse response = rh.executePutRequest( + "/_opendistro/_security/api/internalusers/" + username, + "{\"password\": \"" + password + "\"}", + new Header[0] + ); + Assert.assertEquals(status, response.getStatusCode()); 
+ rh.sendAdminCertificate = sendAdminCertificate; + if (Objects.nonNull(message)) { + Assert.assertTrue(response.getBody().contains(message)); + } + } + + protected void addUserWithPassword(String username, String password, String[] roles, int status) throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = true; + String payload = "{" + "\"password\": \"" + password + "\"," + "\"backend_roles\": ["; + for (int i = 0; i < roles.length; i++) { + payload += "\"" + roles[i] + "\""; + if (i + 1 < roles.length) { + payload += ","; + } + } + payload += "]}"; + HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, payload, new Header[0]); + Assert.assertEquals(status, response.getStatusCode()); + rh.sendAdminCertificate = sendAdminCertificate; + } + + protected void addUserWithoutPasswordOrHash(String username, String[] roles, int status) throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = true; + String payload = "{ \"backend_roles\": ["; + for (int i = 0; i < roles.length; i++) { + payload += "\" " + roles[i] + " \""; + if (i + 1 < roles.length) { + payload += ","; + } + } + payload += "]}"; + HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, payload, new Header[0]); + Assert.assertEquals(status, response.getStatusCode()); + rh.sendAdminCertificate = sendAdminCertificate; + } + + protected void addUserWithHash(String username, String hash) throws Exception { + addUserWithHash(username, hash, HttpStatus.SC_OK); + } + + protected void addUserWithHash(String username, String hash, int status) throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = true; + HttpResponse response = rh.executePutRequest( + "/_opendistro/_security/api/internalusers/" + username, + "{\"hash\": \"" + hash + "\"}", + new Header[0] + ); + 
Assert.assertEquals(status, response.getStatusCode()); + rh.sendAdminCertificate = sendAdminCertificate; + } + + protected void addUserWithPasswordAndHash(String username, String password, String hash, int status) throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = true; + HttpResponse response = rh.executePutRequest( + "/_opendistro/_security/api/internalusers/" + username, + "{\"hash\": \"" + hash + "\", \"password\": \"" + password + "\"}", + new Header[0] + ); + Assert.assertEquals(status, response.getStatusCode()); + rh.sendAdminCertificate = sendAdminCertificate; + } + + protected void checkGeneralAccess(int status, String username, String password) throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = false; + Assert.assertEquals(status, rh.executeGetRequest("", encodeBasicHeader(username, password)).getStatusCode()); + rh.sendAdminCertificate = sendAdminCertificate; + } + + protected String checkReadAccess(int status, String username, String password, String indexName, String actionType, int id) + throws Exception { + rh.sendAdminCertificate = false; + String action = indexName + "/" + actionType + "/" + id; + HttpResponse response = rh.executeGetRequest(action, encodeBasicHeader(username, password)); + int returnedStatus = response.getStatusCode(); + Assert.assertEquals(status, returnedStatus); + return response.getBody(); + + } + + protected String checkWriteAccess(int status, String username, String password, String indexName, String actionType, int id) + throws Exception { + rh.sendAdminCertificate = false; + String action = indexName + "/" + actionType + "/" + id; + String payload = "{\"value\" : \"true\"}"; + HttpResponse response = rh.executePutRequest(action, payload, encodeBasicHeader(username, password)); + int returnedStatus = response.getStatusCode(); + Assert.assertEquals(response.getBody(), status, returnedStatus); + return 
response.getBody(); + } + + protected void setupStarfleetIndex() throws Exception { + boolean sendAdminCertificate = rh.sendAdminCertificate; + rh.sendAdminCertificate = true; + rh.executePutRequest("sf", null, new Header[0]); + rh.executePutRequest("sf/_doc/0", "{\"number\" : \"NCC-1701-D\"}", new Header[0]); + rh.executePutRequest("sf/_doc/0", "{\"some\" : \"value\"}", new Header[0]); + rh.sendAdminCertificate = sendAdminCertificate; + } + + protected void assertHealthy() throws Exception { + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_opendistro/_security/health?pretty").getStatusCode()); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("admin", "admin")).getStatusCode() + ); + Assert.assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("admin", "admin")).getStatusCode() + ); + } + + protected Settings defaultNodeSettings(boolean enableRestSSL) { + Settings.Builder builder = Settings.builder(); + + if (enableRestSSL) { + builder.put("plugins.security.ssl.http.enabled", true) + .put( + "plugins.security.ssl.http.keystore_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks") + ) + .put( + "plugins.security.ssl.http.truststore_filepath", + FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks") + ); + } + return builder.build(); + } + + protected Map jsonStringToMap(String json) throws JsonParseException, JsonMappingException, IOException { + TypeReference> typeRef = new TypeReference>() { + }; + return DefaultObjectMapper.objectMapper.readValue(json, typeRef); + } + + protected static Collection> asCollection(Class... plugins) { + return Arrays.asList(plugins); + } + + String createRestAdminPermissionsPayload(String... 
additionPerms) throws JsonProcessingException { + final ObjectNode rootNode = (ObjectNode) DefaultObjectMapper.objectMapper.createObjectNode(); + rootNode.set("cluster_permissions", clusterPermissionsForRestAdmin(additionPerms)); + return DefaultObjectMapper.objectMapper.writeValueAsString(rootNode); + } + + ArrayNode clusterPermissionsForRestAdmin(String... additionPerms) { + final ArrayNode permissionsArray = (ArrayNode) DefaultObjectMapper.objectMapper.createArrayNode(); + for (final Map.Entry< + Endpoint, + RestApiAdminPrivilegesEvaluator.PermissionBuilder> entry : RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS + .entrySet()) { + if (entry.getKey() == Endpoint.SSL) { + permissionsArray.add(entry.getValue().build("certs")).add(entry.getValue().build("reloadcerts")); + } else { + permissionsArray.add(entry.getValue().build()); + } + } + if (additionPerms.length != 0) { + Stream.of(additionPerms).forEach(permissionsArray::add); + } + return permissionsArray; + } } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java index 25974e322f..c07b0f1333 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java @@ -31,11 +31,12 @@ public class AccountApiTest extends AbstractRestApiUnitTest { private final String BASE_ENDPOINT; private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public AccountApiTest(){ + public AccountApiTest() { BASE_ENDPOINT = getEndpointPrefix() + "/api/"; ENDPOINT = getEndpointPrefix() + "/api/account"; } 
@@ -189,14 +190,16 @@ public void testPutAccountRetainsAccountInformation() throws Exception { final String testUsername = "test"; final String testPassword = "test-password"; final String newPassword = "new-password"; - final String createInternalUserPayload = "{\n" + - " \"password\": \"" + testPassword + "\",\n" + - " \"backend_roles\": [\"test-backend-role-1\"],\n" + - " \"opendistro_security_roles\": [\"opendistro_security_all_access\"],\n" + - " \"attributes\": {\n" + - " \"attribute1\": \"value1\"\n" + - " }\n" + - "}"; + final String createInternalUserPayload = "{\n" + + " \"password\": \"" + + testPassword + + "\",\n" + + " \"backend_roles\": [\"test-backend-role-1\"],\n" + + " \"opendistro_security_roles\": [\"opendistro_security_all_access\"],\n" + + " \"attributes\": {\n" + + " \"attribute1\": \"value1\"\n" + + " }\n" + + "}"; final String changePasswordPayload = "{\"password\":\"" + newPassword + "\", \"current_password\":\"" + testPassword + "\"}"; final String internalUserEndpoint = BASE_ENDPOINT + "internalusers/" + testUsername; @@ -215,9 +218,9 @@ public void testPutAccountRetainsAccountInformation() throws Exception { response = rh.executeGetRequest(internalUserEndpoint); assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Settings responseBody = Settings.builder() - .loadFromSource(response.getBody(), XContentType.JSON) - .build() - .getAsSettings(testUsername); + .loadFromSource(response.getBody(), XContentType.JSON) + .build() + .getAsSettings(testUsername); assertTrue(responseBody.getAsList("backend_roles").contains("test-backend-role-1")); assertTrue(responseBody.getAsList("opendistro_security_roles").contains("opendistro_security_all_access")); assertEquals(responseBody.getAsSettings("attributes").get("attribute1"), "value1"); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java index 8030703197..c87698155f 100644 
--- a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java @@ -33,11 +33,12 @@ public class ActionGroupsApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public ActionGroupsApiTest(){ + public ActionGroupsApiTest() { ENDPOINT = getEndpointPrefix() + "/api/actiongroups"; } @@ -69,7 +70,7 @@ public void testActionGroupsApi() throws Exception { void verifyGetForSuperAdmin(final Header[] header) throws Exception { // --- GET_UT // GET_UT, actiongroup exists - HttpResponse response = rh.executeGetRequest(ENDPOINT+"/CRUD_UT", header); + HttpResponse response = rh.executeGetRequest(ENDPOINT + "/CRUD_UT", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); List permissions = settings.getAsList("CRUD_UT.allowed_actions"); @@ -79,7 +80,7 @@ void verifyGetForSuperAdmin(final Header[] header) throws Exception { Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_WRITE")); // GET_UT, actiongroup does not exist - response = rh.executeGetRequest(ENDPOINT+"/nothinghthere", header); + response = rh.executeGetRequest(ENDPOINT + "/nothinghthere", header); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // GET_UT, old endpoint 
@@ -112,13 +113,13 @@ void verifyDeleteForSuperAdmin(final Header[] header, final boolean userAdminCer // Non-existing role rh.sendAdminCertificate = userAdminCert; - HttpResponse response = rh.executeDeleteRequest(ENDPOINT+"/idonotexist", header); + HttpResponse response = rh.executeDeleteRequest(ENDPOINT + "/idonotexist", header); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // remove action group READ_UT, read access not possible since // opendistro_security_role_starfleet // uses this action group. - response = rh.executeDeleteRequest(ENDPOINT+"/READ_UT", header); + response = rh.executeDeleteRequest(ENDPOINT + "/READ_UT", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); rh.sendAdminCertificate = false; @@ -133,7 +134,7 @@ void verifyDeleteForSuperAdmin(final Header[] header, final boolean userAdminCer // now remove also CRUD_UT groups, write also not possible anymore rh.sendAdminCertificate = true; - response = rh.executeDeleteRequest(ENDPOINT+"/CRUD_UT", new Header[0]); + response = rh.executeDeleteRequest(ENDPOINT + "/CRUD_UT", new Header[0]); rh.sendAdminCertificate = false; checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picardpicardpicard", "sf", "_doc", 0); checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picardpicardpicard", "sf", "_doc", 0); 
@@ -143,19 +144,18 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean userAdminCert) // -- PUT // put with empty payload, must fail rh.sendAdminCertificate = userAdminCert; - HttpResponse response = rh.executePutRequest(ENDPOINT+"/SOMEGROUP", "", header); + HttpResponse response = rh.executePutRequest(ENDPOINT + "/SOMEGROUP", "", header); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.PAYLOAD_MANDATORY.getMessage(), settings.get("reason")); // put new configuration with invalid payload, must fail - response = rh.executePutRequest(ENDPOINT+"/SOMEGROUP", FileHelper.loadFile("restapi/actiongroup_not_parseable.json"), - header); + response = rh.executePutRequest(ENDPOINT + "/SOMEGROUP", FileHelper.loadFile("restapi/actiongroup_not_parseable.json"), header); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.BODY_NOT_PARSEABLE.getMessage(), settings.get("reason")); - response = rh.executePutRequest(ENDPOINT+"/CRUD_UT", FileHelper.loadFile("restapi/actiongroup_crud.json"), header); + response = rh.executePutRequest(ENDPOINT + "/CRUD_UT", FileHelper.loadFile("restapi/actiongroup_crud.json"), header); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); rh.sendAdminCertificate = false; 
@@ -166,7 +166,7 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean userAdminCert)
 // restore READ_UT action groups
 rh.sendAdminCertificate = userAdminCert;
- response = rh.executePutRequest(ENDPOINT+"/READ_UT", FileHelper.loadFile("restapi/actiongroup_read.json"), header);
+ response = rh.executePutRequest(ENDPOINT + "/READ_UT", FileHelper.loadFile("restapi/actiongroup_read.json"), header);
 Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
 rh.sendAdminCertificate = false;
@@ -176,49 +176,51 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean userAdminCert) // -- PUT, new JSON format including readonly flag, disallowed in REST API rh.sendAdminCertificate = userAdminCert; - response = rh.executePutRequest(ENDPOINT+"/CRUD_UT", FileHelper.loadFile("restapi/actiongroup_readonly.json"), header); + response = rh.executePutRequest(ENDPOINT + "/CRUD_UT", FileHelper.loadFile("restapi/actiongroup_readonly.json"), header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // -- DELETE read only resource, must be forbidden // superAdmin can delete read only resource rh.sendAdminCertificate = userAdminCert; - response = rh.executeDeleteRequest(ENDPOINT+"/GET_UT", header); + response = rh.executeDeleteRequest(ENDPOINT + "/GET_UT", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // -- PUT read only resource, must be forbidden // superAdmin can add/update read only resource rh.sendAdminCertificate = userAdminCert; - response = rh.executePutRequest(ENDPOINT+"/GET_UT", FileHelper.loadFile("restapi/actiongroup_read.json"), header); + response = rh.executePutRequest(ENDPOINT + "/GET_UT", FileHelper.loadFile("restapi/actiongroup_read.json"), header); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); Assert.assertFalse(response.getBody().contains("Resource 'GET_UT' is read-only.")); // PUT with role name rh.sendAdminCertificate = userAdminCert; - response = rh.executePutRequest(ENDPOINT+"/kibana_user", FileHelper.loadFile("restapi/actiongroup_read.json"), header); + response = rh.executePutRequest(ENDPOINT + "/kibana_user", FileHelper.loadFile("restapi/actiongroup_read.json"), header); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - Assert.assertTrue(response.getBody().contains("kibana_user is an existing role. 
A action group cannot be named with an existing role name.")); + Assert.assertTrue( + response.getBody().contains("kibana_user is an existing role. A action group cannot be named with an existing role name.") + ); // PUT with self-referencing action groups rh.sendAdminCertificate = userAdminCert; - response = rh.executePutRequest(ENDPOINT+"/reference_itself", "{\"allowed_actions\": [\"reference_itself\"]}", header); + response = rh.executePutRequest(ENDPOINT + "/reference_itself", "{\"allowed_actions\": [\"reference_itself\"]}", header); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("reference_itself cannot be an allowed_action of itself")); // -- GET_UT hidden resource, must be 404 but super admin can find it rh.sendAdminCertificate = userAdminCert; - response = rh.executeGetRequest(ENDPOINT+"/INTERNAL", header); + response = rh.executeGetRequest(ENDPOINT + "/INTERNAL", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("\"hidden\":true")); // -- DELETE hidden resource, must be 404 rh.sendAdminCertificate = userAdminCert; - response = rh.executeDeleteRequest(ENDPOINT+"/INTERNAL", header); + response = rh.executeDeleteRequest(ENDPOINT + "/INTERNAL", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("'INTERNAL' deleted.")); // -- PUT hidden resource, must be forbidden rh.sendAdminCertificate = userAdminCert; - response = rh.executePutRequest(ENDPOINT+"/INTERNAL", FileHelper.loadFile("restapi/actiongroup_read.json"), header); + response = rh.executePutRequest(ENDPOINT + "/INTERNAL", FileHelper.loadFile("restapi/actiongroup_read.json"), header); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); } 
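Review bot: The section comments in verifyPutForSuperAdmin contradict the assertions on the reformatted lines: `// -- DELETE read only resource, must be forbidden` precedes an `SC_OK` check, `// -- PUT read only resource, must be forbidden` precedes `SC_CREATED`, and `// -- PUT hidden resource, must be forbidden` precedes the `SC_CREATED` check after the last `executePutRequest(ENDPOINT + "/INTERNAL", ...)`. These helpers are called with the super-admin header, for whom the calls are allowed (the sub-comments say as much), so the headings should state the expectation that is actually asserted, e.g. `// -- PUT hidden resource: forbidden for regular users, allowed for super admin`. The `// -- GET_UT hidden resource, must be 404 but super admin can find it` heading already reads correctly and can serve as the model.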
@@ -226,52 +228,79 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert // -- PATCH // PATCH on non-existing resource rh.sendAdminCertificate = userAdminCert; - HttpResponse response = rh.executePatchRequest(ENDPOINT+"/imnothere", - "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", header); + HttpResponse response = rh.executePatchRequest( + ENDPOINT + "/imnothere", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // PATCH read only resource, must be forbidden // SuperAdmin can patch read only resource rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT+"/GET_UT", "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/GET_UT", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // PATCH with self-referencing action groups rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT+"/GET_UT", "[{ \"op\": \"add\", \"path\": \"/allowed_actions/-\", \"value\": \"GET_UT\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/GET_UT", + "[{ \"op\": \"add\", \"path\": \"/allowed_actions/-\", \"value\": \"GET_UT\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("GET_UT cannot be an allowed_action of itself")); // bulk PATCH with self-referencing action groups - response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"add\", \"path\": \"/BULKNEW1\", \"value\": {\"allowed_actions\": [\"BULKNEW1\"] } }," + - "{ \"op\": \"add\", \"path\": \"/BULKNEW2\", \"value\": {\"allowed_actions\": [\"READ_UT\"] } }]", header); + response = rh.executePatchRequest( + 
ENDPOINT, + "[{ \"op\": \"add\", \"path\": \"/BULKNEW1\", \"value\": {\"allowed_actions\": [\"BULKNEW1\"] } }," + + "{ \"op\": \"add\", \"path\": \"/BULKNEW2\", \"value\": {\"allowed_actions\": [\"READ_UT\"] } }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("BULKNEW1 cannot be an allowed_action of itself")); // PATCH hidden resource, must be not found, can be found by superadmin, but fails with no path exist error rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT+"/INTERNAL", - "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/INTERNAL", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH value of hidden flag, must fail with validation error rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT+"/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"/hidden\", \"value\": true }]", header); + response = rh.executePatchRequest(ENDPOINT + "/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"/hidden\", \"value\": true }]", header); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - Assert.assertTrue(response.getBody(), response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); + Assert.assertTrue( + response.getBody(), + response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*") + ); // PATCH with relative JSON pointer, must fail rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT+"/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"1/INTERNAL/allowed_actions/-\", " + - "\"value\": \"OPENDISTRO_SECURITY_DELETE\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + 
"/CRUD_UT", + "[{ \"op\": \"add\", \"path\": \"1/INTERNAL/allowed_actions/-\", " + "\"value\": \"OPENDISTRO_SECURITY_DELETE\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH new format rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT+"/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"/allowed_actions/-\", " + - "\"value\": \"OPENDISTRO_SECURITY_DELETE\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/CRUD_UT", + "[{ \"op\": \"add\", \"path\": \"/allowed_actions/-\", " + "\"value\": \"OPENDISTRO_SECURITY_DELETE\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT+"/CRUD_UT", header); + response = rh.executeGetRequest(ENDPOINT + "/CRUD_UT", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); List permissions = settings.getAsList("CRUD_UT.allowed_actions"); @@ -281,12 +310,15 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_WRITE")); Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_DELETE")); - // -- PATCH on whole config resource // PATCH read only resource, must be forbidden // SuperAdmin can patch read only resource rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"add\", \"path\": \"/GET_UT/a\", \"value\": [ \"foo\", \"bar\" ] }]", header); + response = rh.executePatchRequest( + ENDPOINT, + "[{ \"op\": \"add\", \"path\": \"/GET_UT/a\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); rh.sendAdminCertificate = userAdminCert; 
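Review bot: The hidden-flag check `response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")` only passes while the body is a single line, because `.` in `String.matches` does not cross a line terminator; prefixing the pattern with `(?s)` (or compiling it once as a `static final Pattern` with `DOTALL`) keeps the assertion valid if the API ever pretty-prints the error. The same pattern appears in the `@@ -319,16 +354,24 @@` hunk. As a point of style, several reformatted payloads still carry a concatenation of two adjacent literals left over from the old line wrapping, e.g. `"[{ \"op\": \"add\", \"path\": \"1/INTERNAL/allowed_actions/-\", " + "\"value\": \"OPENDISTRO_SECURITY_DELETE\" }]"`; now that each payload sits on its own line it can be a single literal (likewise for the BULKNEW payloads here and in the `@@ -319,16 +354,24 @@` hunk).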
@@ -295,7 +327,11 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert // PATCH hidden resource, must be bad request rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"add\", \"path\": \"/INTERNAL/a\", \"value\": [ \"foo\", \"bar\" ] }]", header); + response = rh.executePatchRequest( + ENDPOINT, + "[{ \"op\": \"add\", \"path\": \"/INTERNAL/a\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH delete read only resource, must be forbidden @@ -310,7 +346,6 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("\"message\":\"Resource updated.")); - // PATCH value of hidden flag, must fail with validation error rh.sendAdminCertificate = userAdminCert; response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"add\", \"path\": \"/CRUD_UT/hidden\", \"value\": true }]", header); 
@@ -319,16 +354,24 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert // add new resource with hidden flag, must fail with validation error rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT, - "[{ \"op\": \"add\", \"path\": \"/NEWNEWNEW\", \"value\": {\"allowed_actions\": [\"indices:data/write*\"], \"hidden\":true }}]", header); + response = rh.executePatchRequest( + ENDPOINT, + "[{ \"op\": \"add\", \"path\": \"/NEWNEWNEW\", \"value\": {\"allowed_actions\": [\"indices:data/write*\"], \"hidden\":true }}]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); // add new valid resources rh.sendAdminCertificate = userAdminCert; - response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"add\", \"path\": \"/BULKNEW1\", \"value\": {\"allowed_actions\": [\"indices:data/*\", \"cluster:monitor/*\"] } }," + "{ \"op\": \"add\", \"path\": \"/BULKNEW2\", \"value\": {\"allowed_actions\": [\"READ_UT\"] } }]", header); + response = rh.executePatchRequest( + ENDPOINT, + "[{ \"op\": \"add\", \"path\": \"/BULKNEW1\", \"value\": {\"allowed_actions\": [\"indices:data/*\", \"cluster:monitor/*\"] } }," + + "{ \"op\": \"add\", \"path\": \"/BULKNEW2\", \"value\": {\"allowed_actions\": [\"READ_UT\"] } }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT+"/BULKNEW1", header); + response = rh.executeGetRequest(ENDPOINT + "/BULKNEW1", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); permissions = settings.getAsList("BULKNEW1.allowed_actions"); 
@@ -337,7 +380,7 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert Assert.assertTrue(permissions.contains("indices:data/*")); Assert.assertTrue(permissions.contains("cluster:monitor/*")); - response = rh.executeGetRequest(ENDPOINT+"/BULKNEW2", header); + response = rh.executeGetRequest(ENDPOINT + "/BULKNEW2", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); permissions = settings.getAsList("BULKNEW2.allowed_actions"); @@ -348,11 +391,11 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert // delete resource response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"remove\", \"path\": \"/BULKNEW1\" }]", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT+"/BULKNEW1", header); + response = rh.executeGetRequest(ENDPOINT + "/BULKNEW1", header); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // assert other resource is still there - response = rh.executeGetRequest(ENDPOINT+"/BULKNEW2", header); + response = rh.executeGetRequest(ENDPOINT + "/BULKNEW2", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); permissions = settings.getAsList("BULKNEW2.allowed_actions"); 
@@ -373,10 +416,10 @@ public void testActionGroupsApiForRestAdmin() throws Exception {
 addUserWithPassword("picard", "picardpicardpicard", new String[] { "starfleet" }, HttpStatus.SC_CREATED);
 checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicard", "sf", "_doc", 0);
 checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picardpicardpicard", "sf", "_doc", 0);
- verifyGetForSuperAdmin(new Header[] {restApiAdminHeader});
- verifyDeleteForSuperAdmin(new Header[]{restApiAdminHeader}, false);
- verifyPutForSuperAdmin(new Header[]{restApiAdminHeader}, false);
- verifyPatchForSuperAdmin(new Header[]{restApiAdminHeader}, false);
+ verifyGetForSuperAdmin(new Header[] { restApiAdminHeader });
+ verifyDeleteForSuperAdmin(new Header[] { restApiAdminHeader }, false);
+ verifyPutForSuperAdmin(new Header[] { restApiAdminHeader }, false);
+ verifyPatchForSuperAdmin(new Header[] { restApiAdminHeader }, false);
 }
 @Test
@@ -391,10 +434,10 @@ public void testActionGroupsApiForActionGroupsRestApiAdmin() throws Exception {
 addUserWithPassword("picard", "picardpicardpicard", new String[] { "starfleet" }, HttpStatus.SC_CREATED);
 checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicard", "sf", "_doc", 0);
 checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picardpicardpicard", "sf", "_doc", 0);
- verifyGetForSuperAdmin(new Header[] {restApiAdminActionGroupsHeader});
- verifyDeleteForSuperAdmin(new Header[]{restApiAdminActionGroupsHeader}, false);
- verifyPutForSuperAdmin(new Header[]{restApiAdminActionGroupsHeader}, false);
- verifyPatchForSuperAdmin(new Header[]{restApiAdminActionGroupsHeader}, false);
+ verifyGetForSuperAdmin(new Header[] { restApiAdminActionGroupsHeader });
+ verifyDeleteForSuperAdmin(new Header[] { restApiAdminActionGroupsHeader }, false);
+ verifyPutForSuperAdmin(new Header[] { restApiAdminActionGroupsHeader }, false);
+ verifyPatchForSuperAdmin(new Header[] { restApiAdminActionGroupsHeader }, false);
 }
 @Test
@@ -405,8 +448,7 @@ public void testCreateActionGroupWithRestAdminPermissionsForbidden() throws Exce final Header restApiAdminActionGroupsHeader = encodeBasicHeader("rest_api_admin_actiongroups", "rest_api_admin_actiongroups"); final Header restApiHeader = encodeBasicHeader("test", "test"); - HttpResponse response = rh.executePutRequest(ENDPOINT + "/rest_api_admin_group", restAdminAllowedActions(), - restApiAdminHeader); + HttpResponse response = rh.executePutRequest(ENDPOINT + "/rest_api_admin_group", restAdminAllowedActions(), restApiAdminHeader); Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode()); response = rh.executePutRequest(ENDPOINT + "/rest_api_admin_group", restAdminAllowedActions(), restApiAdminActionGroupsHeader); Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode()); @@ -432,10 +474,7 @@ String restAdminPatchBody() throws JsonProcessingException { final ObjectNode opAddRootNode = DefaultObjectMapper.objectMapper.createObjectNode(); final ObjectNode allowedActionsNode = DefaultObjectMapper.objectMapper.createObjectNode(); allowedActionsNode.set("allowed_actions", clusterPermissionsForRestAdmin("cluster/*")); - opAddRootNode - .put("op", "add") - .put("path", "/rest_api_admin_group") - .set("value", allowedActionsNode); + opAddRootNode.put("op", "add").put("path", "/rest_api_admin_group").set("value", allowedActionsNode); rootNode.add(opAddRootNode); return DefaultObjectMapper.objectMapper.writeValueAsString(rootNode); } 
@@ -452,44 +491,60 @@ public void testActionGroupsApiForNonSuperAdmin() throws Exception { HttpResponse response; // Delete read only actiongroups - response = rh.executeDeleteRequest(ENDPOINT+"/create_index" , new Header[0]); + response = rh.executeDeleteRequest(ENDPOINT + "/create_index", new Header[0]); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Put read only actiongroups - response = rh.executePutRequest(ENDPOINT+"/create_index", FileHelper.loadFile("restapi/actiongroup_crud.json"), new Header[0]); + response = rh.executePutRequest(ENDPOINT + "/create_index", FileHelper.loadFile("restapi/actiongroup_crud.json"), new Header[0]); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch single read only actiongroups - response = rh.executePatchRequest(ENDPOINT+"/create_index", "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/create_index", + "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch multiple read only actiongroups - response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"replace\", \"path\": \"/create_index/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT, + "[{ \"op\": \"replace\", \"path\": \"/create_index/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT+"/INTERNAL" , new Header[0]); + response = rh.executeGetRequest(ENDPOINT + "/INTERNAL", new Header[0]); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Delete hidden actiongroups - response = rh.executeDeleteRequest(ENDPOINT+"/INTERNAL" , new Header[0]); + response = rh.executeDeleteRequest(ENDPOINT + "/INTERNAL", new 
Header[0]); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Put hidden actiongroups - response = rh.executePutRequest(ENDPOINT+"/INTERNAL", FileHelper.loadFile("restapi/actiongroup_crud.json"), new Header[0]); + response = rh.executePutRequest(ENDPOINT + "/INTERNAL", FileHelper.loadFile("restapi/actiongroup_crud.json"), new Header[0]); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch hidden actiongroups - response = rh.executePatchRequest(ENDPOINT+"/INTERNAL", "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/INTERNAL", + "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch multiple hidden actiongroups - response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"replace\", \"path\": \"/INTERNAL/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT, + "[{ \"op\": \"replace\", \"path\": \"/INTERNAL/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); } @Test - public void checkNullElementsInArray() throws Exception{ + public void checkNullElementsInArray() throws Exception { setup(); rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java index 50090fcfcc..79ce591723 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java @@ -11,7 +11,6 @@ package org.opensearch.security.dlic.rest.api; - import java.util.Map; import java.util.stream.Collectors; 
@@ -60,24 +59,32 @@ public class AllowlistApiTest extends AbstractRestApiUnitTest {
 *
 * @throws Exception
 */
- private void checkGetAndPutAllowlistPermissions(final int expectedStatus, final boolean sendAdminCertificate, final Header... headers) throws Exception {
+ private void checkGetAndPutAllowlistPermissions(final int expectedStatus, final boolean sendAdminCertificate, final Header... headers)
+ throws Exception {
 final boolean prevSendAdminCertificate = rh.sendAdminCertificate;
 rh.sendAdminCertificate = sendAdminCertificate;
- //CHECK GET REQUEST
+ // CHECK GET REQUEST
 response = rh.executeGetRequest(ENDPOINT, headers);
 assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus));
 if (expectedStatus == HttpStatus.SC_OK) {
- //Note: the response has no whitespaces, so the .json file does not have whitespaces
- Assert.assertEquals(FileHelper.loadFile("restapi/whitelist_response_success.json"), FileHelper.loadFile("restapi/whitelist_response_success.json"));
+ // Note: the response has no whitespaces, so the .json file does not have whitespaces
+ Assert.assertEquals(
+ FileHelper.loadFile("restapi/whitelist_response_success.json"),
+ FileHelper.loadFile("restapi/whitelist_response_success.json")
+ );
 }
- //FORBIDDEN FOR NON SUPER ADMIN
+ // FORBIDDEN FOR NON SUPER ADMIN
 if (expectedStatus == HttpStatus.SC_FORBIDDEN) {
 assertTrue(response.getBody().contains("API allowed only for super admin."));
 }
- //CHECK PUT REQUEST
- response = rh.executePutRequest(ENDPOINT, "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", headers);
+ // CHECK PUT REQUEST
+ response = rh.executePutRequest(
+ ENDPOINT,
+ "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}",
+ headers
+ );
 assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus));
 rh.sendAdminCertificate = prevSendAdminCertificate;
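Review bot: The assertion inside the `expectedStatus == HttpStatus.SC_OK` branch compares `FileHelper.loadFile("restapi/whitelist_response_success.json")` with itself, so it can never fail and the body of a successful GET is never checked against the fixture; the formatter reflowed the line without addressing this. It should compare the actual response, e.g. `Assert.assertEquals(FileHelper.loadFile("restapi/whitelist_response_success.json"), response.getBody());`, assuming the fixture still matches what the endpoint returns today. The preceding comment about whitespace only has meaning once the response body is actually part of the comparison. checkGetAndPutAllowlistPermissions continues past the end of the hunk.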
@@ -100,7 +107,10 @@ public void testPutUnknownKey() throws Exception {
 setup();
 rh.sendAdminCertificate = true;
- RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT, "{ \"unknownkey\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}");
+ RestHelper.HttpResponse response = rh.executePutRequest(
+ ENDPOINT,
+ "{ \"unknownkey\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"
+ );
 Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 assertTrue(response.getBody().contains("invalid_keys"));
 assertHealthy();
@@ -111,7 +121,10 @@ public void testPutInvalidJson() throws Exception {
 setup();
 rh.sendAdminCertificate = true;
- RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT, "{ \"invalid\"::{{ [\"*\"], \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}");
+ RestHelper.HttpResponse response = rh.executePutRequest(
+ ENDPOINT,
+ "{ \"invalid\"::{{ [\"*\"], \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"
+ );
 Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 assertHealthy();
 }
@@ -147,7 +160,7 @@ public void testAllowlistApi() throws Exception {
 // No creds, no admin certificate - UNAUTHORIZED
 checkGetAndPutAllowlistPermissions(HttpStatus.SC_UNAUTHORIZED, false);
- //non admin creds, no admin certificate - FORBIDDEN
+ // non admin creds, no admin certificate - FORBIDDEN
 checkGetAndPutAllowlistPermissions(HttpStatus.SC_FORBIDDEN, false, nonAdminCredsHeader);
 // admin creds, no admin certificate - FORBIDDEN
@@ -183,37 +196,45 @@ public void testAllowlistApiWithAllowListPermissions() throws Exception {
 @Test
 public void testAllowlistAuditComplianceLogging() throws Exception {
 Settings settings = Settings.builder()
- .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .build();
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .build();
 setupWithRestRoles(settings);
 TestAuditlogImpl.clear();
 // any creds, admin certificate - OK
 checkGetAndPutAllowlistPermissions(HttpStatus.SC_OK, true, nonAdminCredsHeader);
- //TESTS THAT 1 READ AND 1 WRITE HAPPENS IN testGetAndPut()
+ // TESTS THAT 1 READ AND 1 WRITE HAPPENS IN testGetAndPut()
 final Map expectedCategoryCounts = ImmutableMap.of(
- AuditCategory.COMPLIANCE_INTERNAL_CONFIG_READ, 1L,
- AuditCategory.COMPLIANCE_INTERNAL_CONFIG_WRITE, 1L);
- Map actualCategoryCounts = TestAuditlogImpl.messages.stream().collect(Collectors.groupingBy(AuditMessage::getCategory, Collectors.counting()));
+ AuditCategory.COMPLIANCE_INTERNAL_CONFIG_READ,
+ 1L,
+ AuditCategory.COMPLIANCE_INTERNAL_CONFIG_WRITE,
+ 1L
+ );
+ Map actualCategoryCounts = TestAuditlogImpl.messages.stream()
+ .collect(Collectors.groupingBy(AuditMessage::getCategory, Collectors.counting()));
 assertThat(actualCategoryCounts, equalTo(expectedCategoryCounts));
 }
 @Test
- public void testAllowlistInvalidHttpRequestMethod() throws Exception{
+ public void testAllowlistInvalidHttpRequestMethod() throws Exception {
 setup();
 rh.sendAdminCertificate = true;
- response = rh.executePutRequest(ENDPOINT, "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GE\"],\"/_cat/indices\": [\"PUT\"] }}", adminCredsHeader);
+ response = rh.executePutRequest(
+ ENDPOINT,
+ "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GE\"],\"/_cat/indices\": [\"PUT\"] }}",
+ adminCredsHeader
+ );
 assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR));
 assertTrue(response.getBody().contains("\\\"GE\\\": not one of the values accepted for Enum class"));
 }
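Review bot: testAllowlistInvalidHttpRequestMethod pins `HttpStatus.SC_INTERNAL_SERVER_ERROR` and the raw Jackson text `not one of the values accepted for Enum class` for a client-supplied invalid HTTP method, which locks in behaviour one would normally want to change: malformed input should produce a 400 with a message that does not echo internal deserialization details. As written, hardening the endpoint would break this test, so a comment such as `// TODO: an invalid enum value should yield 400 with a sanitized message rather than 500` (or a linked issue) would make clear the expectation documents a known gap rather than desired behaviour. Separately, the comment `// TESTS THAT 1 READ AND 1 WRITE HAPPENS IN testGetAndPut()` earlier in the hunk names a method that does not appear in this file; the helper exercised is checkGetAndPutAllowlistPermissions, so the comment should name it.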
@@ -226,37 +247,53 @@ public void testAllowlistInvalidHttpRequestMethod() throws Exception{
 * @throws Exception
 */
 @Test
- public void testPatchApi() throws Exception{
+ public void testPatchApi() throws Exception {
 setup();
 rh.sendAdminCertificate = true;
- //PATCH entire config entry
- response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"replace\", \"path\": \"/config\", \"value\": {\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"PUT\"] }}}]", new Header[0]);
+ // PATCH entire config entry
+ response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{ \"op\": \"replace\", \"path\": \"/config\", \"value\": {\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"PUT\"] }}}]",
+ new Header[0]
+ );
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
- assertEquals(response.getBody(),"{\"config\":{\"enabled\":true,\"requests\":{\"/_cat/nodes\":[\"GET\"],\"/_cat/indices\":[\"PUT\"]}}}");
-
- //PATCH just requests
- response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"replace\", \"path\": \"/config/requests\", \"value\": {\"/_cat/nodes\": [\"GET\"]}}]", new Header[0]);
+ assertEquals(
+ response.getBody(),
+ "{\"config\":{\"enabled\":true,\"requests\":{\"/_cat/nodes\":[\"GET\"],\"/_cat/indices\":[\"PUT\"]}}}"
+ );
+
+ // PATCH just requests
+ response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{ \"op\": \"replace\", \"path\": \"/config/requests\", \"value\": {\"/_cat/nodes\": [\"GET\"]}}]",
+ new Header[0]
+ );
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
 assertTrue(response.getBody().contains("\"requests\":{\"/_cat/nodes\":[\"GET\"]}"));
- //PATCH just allowlisted_enabled using "replace" operation - works when enabled is already true
- response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"replace\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]);
+ // PATCH just allowlisted_enabled using "replace" operation - works when enabled is already true
+ response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{ \"op\": \"replace\", \"path\": \"/config/enabled\", \"value\": false}]",
+ new Header[0]
+ );
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
 assertTrue(response.getBody().contains("\"enabled\":false"));
- //PATCH just enabled using "add" operation when it is currently false - works correctly
+ // PATCH just enabled using "add" operation when it is currently false - works correctly
 response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": true}]", new Header[0]);
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
 assertTrue(response.getBody().contains("\"enabled\":true"));
- //PATCH just enabled using "add" operation when it is currently true - works correctly
+ // PATCH just enabled using "add" operation when it is currently true - works correctly
 response = rh.executePatchRequest(ENDPOINT, "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]);
- Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
+ Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
+ response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
 response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
 assertTrue(response.getBody().contains("\"enabled\":false"));
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
index 018af18293..3f97bae693 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
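Review bot: The new side of testPatchApi still ends with `response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);` twice in a row: the formatter split the original one-line `assertEquals(...);response = ...` into two statements, but the pre-existing duplicate GET on the following context line remained, so the first request's result is simply discarded. One of the two calls should be removed. In the same method, `assertEquals(response.getBody(), "{\"config\":...}")` has the arguments in actual/expected order, which inverts JUnit's failure message; swapping them to `assertEquals("{\"config\":...}", response.getBody())` keeps diagnostics readable.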
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
@@ -53,11 +53,12 @@ public class AuditApiActionTest extends AbstractRestApiUnitTest {
 private final String ENDPOINT;
 private final String CONFIG_ENDPOINT;
+
 protected String getEndpointPrefix() {
 return PLUGINS_PREFIX;
 }
- public AuditApiActionTest(){
+ public AuditApiActionTest() {
 ENDPOINT = getEndpointPrefix() + "/api/audit";
 CONFIG_ENDPOINT = ENDPOINT + "/config";
 }
@@ -106,16 +107,18 @@ public void testDisabledCategoryOrder() throws Exception {
 setup();
 final List testCategories = ImmutableList.of("SSL_EXCEPTION", "AUTHENTICATED", "BAD_HEADERS");
- final AuditConfig auditConfig = new AuditConfig(true, AuditConfig.Filter.from(
- ImmutableMap.of("disabled_rest_categories", testCategories)
- ), ComplianceConfig.DEFAULT);
+ final AuditConfig auditConfig = new AuditConfig(
+ true,
+ AuditConfig.Filter.from(ImmutableMap.of("disabled_rest_categories", testCategories)),
+ ComplianceConfig.DEFAULT
+ );
 final ObjectNode json = DefaultObjectMapper.objectMapper.valueToTree(auditConfig);
 testPutRequest(json, HttpStatus.SC_OK, true);
 RestHelper.HttpResponse response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
 List actual = Streams.stream(readTree(response.getBody()).at("/config/audit/disabled_rest_categories").iterator())
- .map(JsonNode::textValue)
- .collect(Collectors.toList());
+ .map(JsonNode::textValue)
+ .collect(Collectors.toList());
 assertEquals(testCategories, actual);
 }
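Review bot: The constructor `AuditApiActionTest()` calls the overridable `getEndpointPrefix()` to initialize the final `ENDPOINT` field; if a subclass overrides that method and reads any of its own fields, they are still unset when the superclass constructor runs, so the endpoint would be built from a default. Since the method appears to be an intended extension point, either make it `final` and take the prefix as a constructor parameter, or document the constraint next to it with `// Called from the constructor: overrides must not depend on subclass instance state.`.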
@@ -125,36 +128,69 @@ public void testInvalidDisabledCategories() throws Exception {
 rh.sendAdminCertificate = true;
 // test bad request for REST disabled categories
- AuditConfig auditConfig = new AuditConfig(true, AuditConfig.Filter.from(
- ImmutableMap.of("disabled_rest_categories", ImmutableList.of("INDEX_EVENT", "COMPLIANCE_DOC_READ"))
- ), ComplianceConfig.DEFAULT);
+ AuditConfig auditConfig = new AuditConfig(
+ true,
+ AuditConfig.Filter.from(ImmutableMap.of("disabled_rest_categories", ImmutableList.of("INDEX_EVENT", "COMPLIANCE_DOC_READ"))),
+ ComplianceConfig.DEFAULT
+ );
 ObjectNode json = DefaultObjectMapper.objectMapper.valueToTree(auditConfig);
 RestHelper.HttpResponse response = rh.executePutRequest(CONFIG_ENDPOINT, writeValueAsString(json, false));
 assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 // test success for REST disabled categories
- auditConfig = new AuditConfig(true, AuditConfig.Filter.from(
- ImmutableMap.of("disabled_rest_categories",
- ImmutableList.of("BAD_HEADERS", "SSL_EXCEPTION", "AUTHENTICATED", "FAILED_LOGIN", "GRANTED_PRIVILEGES", "MISSING_PRIVILEGES"))
- ), ComplianceConfig.DEFAULT);
+ auditConfig = new AuditConfig(
+ true,
+ AuditConfig.Filter.from(
+ ImmutableMap.of(
+ "disabled_rest_categories",
+ ImmutableList.of(
+ "BAD_HEADERS",
+ "SSL_EXCEPTION",
+ "AUTHENTICATED",
+ "FAILED_LOGIN",
+ "GRANTED_PRIVILEGES",
+ "MISSING_PRIVILEGES"
+ )
+ )
+ ),
+ ComplianceConfig.DEFAULT
+ );
 json = DefaultObjectMapper.objectMapper.valueToTree(auditConfig);
 response = rh.executePutRequest(CONFIG_ENDPOINT, writeValueAsString(json, false));
 assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 // test bad request for transport disabled categories
- auditConfig = new AuditConfig(true, AuditConfig.Filter.from(
- ImmutableMap.of("disabled_transport_categories",
- ImmutableList.of("COMPLIANCE_DOC_READ", "COMPLIANCE_DOC_WRITE"))
- ), ComplianceConfig.DEFAULT);
+ auditConfig = new AuditConfig(
+ true,
+ AuditConfig.Filter.from(
+ ImmutableMap.of("disabled_transport_categories", ImmutableList.of("COMPLIANCE_DOC_READ", "COMPLIANCE_DOC_WRITE"))
+ ),
+ ComplianceConfig.DEFAULT
+ );
 json = DefaultObjectMapper.objectMapper.valueToTree(auditConfig);
 response = rh.executePutRequest(CONFIG_ENDPOINT, writeValueAsString(json, false));
 assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 // test success for transport disabled categories
- auditConfig = new AuditConfig(true, AuditConfig.Filter.from(
- ImmutableMap.of("disabled_transport_categories",
- ImmutableList.of("BAD_HEADERS", "SSL_EXCEPTION", "AUTHENTICATED", "FAILED_LOGIN", "GRANTED_PRIVILEGES", "MISSING_PRIVILEGES", "INDEX_EVENT", "OPENDISTRO_SECURITY_INDEX_ATTEMPT"))
- ), ComplianceConfig.DEFAULT);
+ auditConfig = new AuditConfig(
+ true,
+ AuditConfig.Filter.from(
+ ImmutableMap.of(
+ "disabled_transport_categories",
+ ImmutableList.of(
+ "BAD_HEADERS",
+ "SSL_EXCEPTION",
+ "AUTHENTICATED",
+ "FAILED_LOGIN",
+ "GRANTED_PRIVILEGES",
+ "MISSING_PRIVILEGES",
+ "INDEX_EVENT",
+ "OPENDISTRO_SECURITY_INDEX_ATTEMPT"
+ )
+ )
+ ),
+ ComplianceConfig.DEFAULT
+ );
 json = DefaultObjectMapper.objectMapper.valueToTree(auditConfig);
 response = rh.executePutRequest(CONFIG_ENDPOINT, writeValueAsString(json, false));
 assertEquals(HttpStatus.SC_OK, response.getStatusCode());
@@ -162,7 +198,12 @@ public void testInvalidDisabledCategories() throws Exception {
 @Test
 public void testReadonlyApi() throws Exception {
- final List readonlyFields = ImmutableList.of("/audit/enable_rest", "/audit/disabled_rest_categories", "/audit/ignore_requests", "/compliance/read_watched_fields");
+ final List readonlyFields = ImmutableList.of(
+ "/audit/enable_rest",
+ "/audit/disabled_rest_categories",
+ "/audit/ignore_requests",
+ "/compliance/read_watched_fields"
+ );
 updateStaticResourceReadonly(readonlyFields);
 setupWithRestRoles(null);
@@ -172,8 +213,8 @@ public void testReadonlyApi() throws Exception {
 RestHelper.HttpResponse response = rh.executeGetRequest(ENDPOINT, adminCredsHeader);
 assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 List actual = Streams.stream(readTree(response.getBody()).get("_readonly").iterator())
- .map(JsonNode::textValue)
- .collect(Collectors.toList());
+ .map(JsonNode::textValue)
+ .collect(Collectors.toList());
 assertEquals(readonlyFields, actual);
 // test config
@@ -209,13 +250,15 @@ public void testReadonlyApi() throws Exception {
 private void updateStaticResourceReadonly(List readonly) throws IOException {
 // create audit config
- final Map result = ImmutableMap.of(
- AuditApiAction.READONLY_FIELD, readonly
+ final Map result = ImmutableMap.of(AuditApiAction.READONLY_FIELD, readonly);
+ DefaultObjectMapper.YAML_MAPPER.writeValue(
+ FileHelper.getAbsoluteFilePathFromClassPath(AuditApiAction.STATIC_RESOURCE.substring(1)).toFile(),
+ result
 );
- DefaultObjectMapper.YAML_MAPPER.writeValue(FileHelper.getAbsoluteFilePathFromClassPath(AuditApiAction.STATIC_RESOURCE.substring(1)).toFile(), result);
 }
- private void testPutRequest(final JsonNode json, final int expectedStatus, final boolean sendAdminCertificate, final Header... header) throws Exception {
+ private void testPutRequest(final JsonNode json, final int expectedStatus, final boolean sendAdminCertificate, final Header... header)
+ throws Exception {
 rh.sendAdminCertificate = sendAdminCertificate;
 RestHelper.HttpResponse response = rh.executePutRequest(CONFIG_ENDPOINT, writeValueAsString(json, false), header);
 assertEquals(expectedStatus, response.getStatusCode());
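Review bot: updateStaticResourceReadonly overwrites the on-disk classpath resource resolved from `AuditApiAction.STATIC_RESOURCE`, and nothing in this hunk restores it, so the read-only field list written by testReadonlyApi appears to persist in the build output for every later test in the same run; if other tests in this class or elsewhere read that resource, their outcome depends on execution order. Capturing the original bytes before the write and restoring them in an `@After` method (or pointing the code under test at a temporary copy) would remove the coupling, and a comment such as `// Mutates a shared classpath resource; restored in tearDown.` should sit on the method once that is in place. The method's javadoc could also state that it must only be called before setupWithRestRoles, which the visible call site does.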
@@ -223,12 +266,12 @@ private void testPutRequest(final JsonNode json, final int expectedStatus, final
 private void testReadonlyBoolean(final ObjectNode json, final String config, final String resource) throws Exception {
 final String resourcePath = "/config" + config + "/" + resource;
- ((ObjectNode)json.at(config)).put(resource, true);
+ ((ObjectNode) json.at(config)).put(resource, true);
 testPutRequest(json, HttpStatus.SC_OK, true);
- ((ObjectNode)json.at(config)).put(resource, false);
+ ((ObjectNode) json.at(config)).put(resource, false);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testBooleanPatch(resourcePath, false, HttpStatus.SC_CONFLICT, adminCredsHeader);
- ((ObjectNode)json.at(config)).put(resource, true);
+ ((ObjectNode) json.at(config)).put(resource, true);
 testPutRequest(json, HttpStatus.SC_OK, true);
 testBooleanPatch(resourcePath, true, HttpStatus.SC_OK, adminCredsHeader);
 testBooleanPatch(resourcePath, true, HttpStatus.SC_OK, adminCredsHeader);
@@ -236,79 +279,96 @@ private void testReadonlyBoolean(final ObjectNode json, final String config, fin
 private void testReadonlyList(final ObjectNode json, final String config, final String resource) throws Exception {
 final String resourcePath = "/config" + config + "/" + resource;
- ((ObjectNode)json.at(config)).putPOJO(resource, ImmutableList.of("test-resource-1", "test-resource-2"));
+ ((ObjectNode) json.at(config)).putPOJO(resource, ImmutableList.of("test-resource-1", "test-resource-2"));
 testPutRequest(json, HttpStatus.SC_OK, true);
 // change order
 List testList = ImmutableList.of("test-resource-2", "test-resource-1");
- ((ObjectNode)json.at(config)).putPOJO(resource, testList);
+ ((ObjectNode) json.at(config)).putPOJO(resource, testList);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testList(resourcePath, testList, HttpStatus.SC_CONFLICT, adminCredsHeader);
 // change values
 testList = ImmutableList.of("test-resource-3", "test-resource-4");
- ((ObjectNode)json.at(config)).putPOJO(resource, testList);
+ ((ObjectNode) json.at(config)).putPOJO(resource, testList);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testList(resourcePath, testList, HttpStatus.SC_CONFLICT, adminCredsHeader);
 // change values
 testList = Collections.emptyList();
- ((ObjectNode)json.at(config)).putPOJO(resource, testList);
+ ((ObjectNode) json.at(config)).putPOJO(resource, testList);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testList(resourcePath, testList, HttpStatus.SC_CONFLICT, adminCredsHeader);
 }
 private void testReadonlyMap(final ObjectNode json, final String config, final String resource) throws Exception {
 final String resourcePath = "/config" + config + "/" + resource;
- ((ObjectNode)json.at(config)).putPOJO(resource, ImmutableMap.of("test-read-index-1", Collections.singletonList("test-field-1"), "test-read-index-2", Collections.singletonList("test-field-2")));
+ ((ObjectNode) json.at(config)).putPOJO(
+ resource,
+ ImmutableMap.of(
+ "test-read-index-1",
+ Collections.singletonList("test-field-1"),
+ "test-read-index-2",
+ Collections.singletonList("test-field-2")
+ )
+ );
 testPutRequest(json, HttpStatus.SC_OK, true);
 // change values
- Map> testMap = ImmutableMap.of("test-read-index-1", Collections.singletonList("test-field-1"));
- ((ObjectNode)json.at(config)).putPOJO(resource, testMap);
+ Map> testMap = ImmutableMap.of("test-read-index-1", Collections.singletonList("test-field-1"));
+ ((ObjectNode) json.at(config)).putPOJO(resource, testMap);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testMap(resourcePath, testMap, HttpStatus.SC_CONFLICT, adminCredsHeader);
 // change values
- testMap = ImmutableMap.of("test-read-index-1", ImmutableList.of("test-field-1", "test-field-2"));
- ((ObjectNode)json.at(config)).putPOJO(resource, testMap);
+ testMap = ImmutableMap.of("test-read-index-1", ImmutableList.of("test-field-1", "test-field-2"));
+ ((ObjectNode) json.at(config)).putPOJO(resource, testMap);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testMap(resourcePath, testMap, HttpStatus.SC_CONFLICT, adminCredsHeader);
 // change values
 testMap = ImmutableMap.of("test-read-index", ImmutableList.of("test-field"));
- ((ObjectNode)json.at(config)).putPOJO(resource, testMap);
+ ((ObjectNode) json.at(config)).putPOJO(resource, testMap);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testMap(resourcePath, testMap, HttpStatus.SC_CONFLICT, adminCredsHeader);
 // same object different order is valid
- testMap = ImmutableMap.of("test-read-index-2", Collections.singletonList("test-field-2"), "test-read-index-1", Collections.singletonList("test-field-1"));
- ((ObjectNode)json.at(config)).putPOJO(resource, testMap);
+ testMap = ImmutableMap.of(
+ "test-read-index-2",
+ Collections.singletonList("test-field-2"),
+ "test-read-index-1",
+ Collections.singletonList("test-field-1")
+ );
+ ((ObjectNode) json.at(config)).putPOJO(resource, testMap);
 testPutRequest(json, HttpStatus.SC_OK, false, adminCredsHeader);
- RestHelper.HttpResponse response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + resourcePath + "\",\"value\": " + writeValueAsString(testMap, false) + "}]", adminCredsHeader);
+ RestHelper.HttpResponse response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + resourcePath + "\",\"value\": " + writeValueAsString(testMap, false) + "}]",
+ adminCredsHeader
+ );
 assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 }
 private void testReadonlyCategories(final ObjectNode json, final String config, final String resource) throws Exception {
 final String resourcePath = "/config" + config + "/" + resource;
 // change disabled_rest_categories readonly property
- ((ObjectNode)json.at(config)).putPOJO(resource, ImmutableList.of("SSL_EXCEPTION", "AUTHENTICATED"));
+ ((ObjectNode) json.at(config)).putPOJO(resource, ImmutableList.of("SSL_EXCEPTION", "AUTHENTICATED"));
 testPutRequest(json, HttpStatus.SC_OK, true);
 // change order
 List testList = ImmutableList.of("AUTHENTICATED", "SSL_EXCEPTION");
- ((ObjectNode)json.at(config)).putPOJO(resource, testList);
+ ((ObjectNode) json.at(config)).putPOJO(resource, testList);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testList(resourcePath, testList, HttpStatus.SC_CONFLICT, adminCredsHeader);
 // change values
 testList = ImmutableList.of("AUTHENTICATED", "SSL_EXCEPTION", "FAILED_LOGIN");
- ((ObjectNode)json.at(config)).putPOJO(resource, testList);
+ ((ObjectNode) json.at(config)).putPOJO(resource, testList);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testList(resourcePath, testList, HttpStatus.SC_CONFLICT, adminCredsHeader);
 // change values
 testList = null;
- ((ObjectNode)json.at(config)).putPOJO(resource, testList);
+ ((ObjectNode) json.at(config)).putPOJO(resource, testList);
 testPutRequest(json, HttpStatus.SC_CONFLICT, false, adminCredsHeader);
 testList(resourcePath, testList, HttpStatus.SC_CONFLICT, adminCredsHeader);
 }
@@ -332,9 +392,15 @@ public void testBadRequest() throws Exception {
 // incorrect category
 final String jsonValue = DefaultObjectMapper.writeValueAsString(ImmutableList.of("RANDOM", "Test"), true);
 RestHelper.HttpResponse response;
- response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + "/config/audit/disabled_rest_categories" + "\",\"value\": " + jsonValue + "}]");
+ response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + "/config/audit/disabled_rest_categories" + "\",\"value\": " + jsonValue + "}]"
+ );
 assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
- response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + "/config/audit/disabled_transport_categories" + "\",\"value\": " + jsonValue + "}]");
+ response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + "/config/audit/disabled_transport_categories" + "\",\"value\": " + jsonValue + "}]"
+ );
 assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 }
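Review bot: The JSON-Patch body at the end of testReadonlyMap is still assembled by string concatenation, `"[{\"op\": \"add\",\"path\": \"" + resourcePath + "\",\"value\": " + writeValueAsString(testMap, false) + "}]"`, and the reflow only spread the expression over more lines; the same pattern recurs in the testBadRequest hunk that follows and in the testBooleanPatch, testList and testMap hunks later in this file. Building the patch as an `ArrayNode` containing one `ObjectNode` through `DefaultObjectMapper.objectMapper` and serializing it would keep quoting correct if a path or value ever carries special characters, and a small `jsonPatchAdd(String path, Object value)` helper would replace every hand-built body at once. With `testList = null` in testReadonlyCategories, note that `writeValueAsString(expectedList, true)` serializes to the literal `null`; a helper could make that case explicit rather than incidental.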
@@ -432,15 +498,25 @@ private void testPatchAction(final int expectedStatus, final Header... headers)
 testBoolean("/config/compliance/external_config", expectedStatus, headers);
 testBoolean("/config/compliance/read_metadata_only", expectedStatus, headers);
 testList("/config/compliance/read_ignore_users", ImmutableList.of("test-user-1"), expectedStatus, headers);
- testMap("/config/compliance/read_watched_fields", ImmutableMap.of("test-index-1", Collections.singletonList("test-field")), expectedStatus, headers);
+ testMap(
+ "/config/compliance/read_watched_fields",
+ ImmutableMap.of("test-index-1", Collections.singletonList("test-field")),
+ expectedStatus,
+ headers
+ );
 testBoolean("/config/compliance/write_metadata_only", expectedStatus, headers);
 testBoolean("/config/compliance/write_log_diffs", expectedStatus, headers);
 testList("/config/compliance/write_ignore_users", ImmutableList.of("test-user-1"), expectedStatus, headers);
 testList("/config/compliance/write_watched_indices", ImmutableList.of("test-index-1"), expectedStatus, headers);
 }
- private void testBooleanPatch(final String patchResource, final boolean value, final int expected, final Header... headers) throws Exception {
- RestHelper.HttpResponse response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": " + value + "}]", headers);
+ private void testBooleanPatch(final String patchResource, final boolean value, final int expected, final Header... headers)
+ throws Exception {
+ RestHelper.HttpResponse response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": " + value + "}]",
+ headers
+ );
 assertEquals(expected, response.getStatusCode());
 if (expected == HttpStatus.SC_OK) {
 assertEquals(value, readTree(rh.executeGetRequest(ENDPOINT, headers).getBody()).at(patchResource).asBoolean());
@@ -458,22 +534,35 @@ private void testBoolean(final String patchResource, final int expected, final H
 testBooleanPatch(patchResource, true, expected, headers);
 }
- private void testList(final String patchResource, final List expectedList, final int expectedStatus, final Header... headers) throws Exception {
+ private void testList(final String patchResource, final List expectedList, final int expectedStatus, final Header... headers)
+ throws Exception {
 final String jsonValue = DefaultObjectMapper.writeValueAsString(expectedList, true);
 // make empty
- RestHelper.HttpResponse response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": []}]", headers);
+ RestHelper.HttpResponse response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": []}]",
+ headers
+ );
 assertEquals(expectedStatus, response.getStatusCode());
 if (expectedStatus == HttpStatus.SC_OK) {
 assertEquals(0, readTree(rh.executeGetRequest(ENDPOINT, headers).getBody()).at(patchResource).size());
 }
 // add value
- response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": " + jsonValue + "}]", headers);
+ response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": " + jsonValue + "}]",
+ headers
+ );
 assertEquals(expectedStatus, response.getStatusCode());
 if (expectedStatus == HttpStatus.SC_OK) {
 final JsonNode responseJson = readTree(rh.executeGetRequest(ENDPOINT, headers).getBody());
- final List actualList = DefaultObjectMapper.readValue(responseJson.at(patchResource).toString(), new TypeReference>(){});
+ final List actualList = DefaultObjectMapper.readValue(
+ responseJson.at(patchResource).toString(),
+ new TypeReference>() {
+ }
+ );
 assertEquals(expectedList.size(), actualList.size());
 assertTrue(actualList.containsAll(expectedList));
 }
@@ -486,22 +575,39 @@ private void testList(final String patchResource, final List expectedLis
 }
 }
- private void testMap(final String patchResource, final Map> expectedMap, final int expectedStatus, final Header... headers) throws Exception {
+ private void testMap(
+ final String patchResource,
+ final Map> expectedMap,
+ final int expectedStatus,
+ final Header... headers
+ ) throws Exception {
 final String jsonValue = DefaultObjectMapper.writeValueAsString(expectedMap, true);
 // make empty
- RestHelper.HttpResponse response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": {}}]", headers);
+ RestHelper.HttpResponse response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": {}}]",
+ headers
+ );
 assertEquals(expectedStatus, response.getStatusCode());
 if (expectedStatus == HttpStatus.SC_OK) {
 assertEquals(0, readTree(rh.executeGetRequest(ENDPOINT, headers).getBody()).at(patchResource).size());
 }
 // add value
- response = rh.executePatchRequest(ENDPOINT, "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": " + jsonValue + "}]", headers);
+ response = rh.executePatchRequest(
+ ENDPOINT,
+ "[{\"op\": \"add\",\"path\": \"" + patchResource + "\",\"value\": " + jsonValue + "}]",
+ headers
+ );
 assertEquals(expectedStatus, response.getStatusCode());
 if (expectedStatus == HttpStatus.SC_OK) {
 final JsonNode responseJson = readTree(rh.executeGetRequest(ENDPOINT, headers).getBody());
- final Map> actualMap = DefaultObjectMapper.readValue(responseJson.at(patchResource).toString(), new TypeReference>>(){});
+ final Map> actualMap = DefaultObjectMapper.readValue(
+ responseJson.at(patchResource).toString(),
+ new TypeReference>>() {
+ }
+ );
 assertEquals(actualMap, expectedMap);
 }
@@ -520,32 +626,38 @@ public void testPatchRequest() throws Exception { rh.sendAdminCertificate = true; // update with non-default configuration - AuditConfig auditConfig = new AuditConfig(true, AuditConfig.Filter.from( + AuditConfig auditConfig = new AuditConfig( + true, + AuditConfig.Filter.from( ImmutableMap.builder() - .put("enable_rest", false) - .put("disabled_rest_categories", Collections.emptyList()) - .put("enable_transport", false) - .put("disabled_transport_categories", Collections.emptyList()) - .put("resolve_bulk_requests", false) - .put("resolve_indices", false) - .put("log_request_body", false) - .put("exclude_sensitive_headers", false) - .put("ignore_users", Collections.emptyList()) - .put("ignore_requests", Collections.emptyList()) - .build()) - , ComplianceConfig.from( + .put("enable_rest", false) + .put("disabled_rest_categories", Collections.emptyList()) + .put("enable_transport", false) + .put("disabled_transport_categories", Collections.emptyList()) + .put("resolve_bulk_requests", false) + .put("resolve_indices", false) + .put("log_request_body", false) + .put("exclude_sensitive_headers", false) + .put("ignore_users", Collections.emptyList()) + .put("ignore_requests", Collections.emptyList()) + .build() + ), + ComplianceConfig.from( ImmutableMap.builder() - .put("enabled", true) - .put("external_config", false) - .put("internal_config", false) - .put("read_metadata_only", false) - .put("read_watched_fields", Collections.emptyMap()) - .put("read_ignore_users", Collections.emptyList()) - .put("write_metadata_only", true) - .put("write_log_diffs", true) - .put("write_watched_indices", Collections.emptyList()) - .put("write_ignore_users", Collections.emptyList()) - .build(), Settings.EMPTY)); + .put("enabled", true) + .put("external_config", false) + .put("internal_config", false) + .put("read_metadata_only", false) + .put("read_watched_fields", Collections.emptyMap()) + .put("read_ignore_users", Collections.emptyList()) + 
.put("write_metadata_only", true) + .put("write_log_diffs", true) + .put("write_watched_indices", Collections.emptyList()) + .put("write_ignore_users", Collections.emptyList()) + .build(), + Settings.EMPTY + ) + ); final String payload = DefaultObjectMapper.writeValueAsString(auditConfig, false); // update config 
@@ -566,18 +678,18 @@ public void testPatchRequest() throws Exception { } private String getTestPayload() { - return "{" + - "\"enabled\":true," + - "\"audit\":{" + - "\"enable_rest\":true,\"disabled_rest_categories\":[\"AUTHENTICATED\"]," + - "\"enable_transport\":true,\"disabled_transport_categories\":[\"SSL_EXCEPTION\"]," + - "\"resolve_bulk_requests\":true,\"log_request_body\":true,\"resolve_indices\":true,\"exclude_sensitive_headers\":true," + - "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"]}," + - "\"compliance\":{" + - "\"enabled\":true," + - "\"internal_config\":true,\"external_config\":true," + - "\"read_metadata_only\":true,\"read_watched_fields\":{\"test-read-watch-field\":[]},\"read_ignore_users\":[\"test-user-2\"]," + - "\"write_metadata_only\":true,\"write_log_diffs\":true,\"write_watched_indices\":[\"test-write-watch-index\"],\"write_ignore_users\":[\"test-user-3\"]}" + - "}"; + return "{" + + "\"enabled\":true," + + "\"audit\":{" + + "\"enable_rest\":true,\"disabled_rest_categories\":[\"AUTHENTICATED\"]," + + "\"enable_transport\":true,\"disabled_transport_categories\":[\"SSL_EXCEPTION\"]," + + "\"resolve_bulk_requests\":true,\"log_request_body\":true,\"resolve_indices\":true,\"exclude_sensitive_headers\":true," + + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"]}," + + "\"compliance\":{" + + "\"enabled\":true," + + "\"internal_config\":true,\"external_config\":true," + + "\"read_metadata_only\":true,\"read_watched_fields\":{\"test-read-watch-field\":[]},\"read_ignore_users\":[\"test-user-2\"]," + + "\"write_metadata_only\":true,\"write_log_diffs\":true,\"write_watched_indices\":[\"test-write-watch-index\"],\"write_ignore_users\":[\"test-user-3\"]}" + + "}"; } } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java index 7d2396ecb0..46128f5a71 100644 
--- a/src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java @@ -23,17 +23,20 @@ public class DashboardsInfoActionTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpoint() { return PLUGINS_PREFIX + "/dashboardsinfo"; } - public DashboardsInfoActionTest(){ + public DashboardsInfoActionTest() { ENDPOINT = getEndpoint(); } @Test public void testDashboardsInfo() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .build(); setup(settings); rh.keystore = "restapi/kirk-keystore.jks"; diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java index 1d25b7dee2..120596f046 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java @@ -24,10 +24,12 @@ public class FlushCacheApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public FlushCacheApiTest(){ + + public FlushCacheApiTest() { ENDPOINT = getEndpointPrefix() + "/api/cache"; } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java index 9f767fd7a6..09c4a762b5 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java 
@@ -25,11 +25,12 @@ public class GetConfigurationApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public GetConfigurationApiTest(){ + public GetConfigurationApiTest() { ENDPOINT = getEndpointPrefix() + "/api"; } @@ -48,9 +49,7 @@ public void testGetConfiguration() throws Exception { response = rh.executeGetRequest(ENDPOINT + "/securityconfig"); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals( - settings.getAsBoolean("config.dynamic.authc.authentication_domain_basic_internal.http_enabled", false), - true); + Assert.assertEquals(settings.getAsBoolean("config.dynamic.authc.authentication_domain_basic_internal.http_enabled", false), true); Assert.assertNull(settings.get("_opendistro_security_meta.type")); // internalusers diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java index 1b403760f8..22035bba28 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java @@ -25,11 +25,12 @@ public class IndexMissingTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public IndexMissingTest(){ + public IndexMissingTest() { ENDPOINT = getEndpointPrefix() + "/api"; } 
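Review bot: The reflowed assertion in testGetConfiguration passes the actual value first and the literal `true` second, so a failure would report "expected:<false> but was:<true>" with the sides inverted; JUnit's `assertEquals` contract is (expected, actual). A boolean check reads better as `Assert.assertTrue(settings.getAsBoolean("config.dynamic.authc.authentication_domain_basic_internal.http_enabled", false));`, which also removes the argument-order question. The rest of testGetConfiguration lies outside this hunk.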
@@ -81,7 +82,11 @@ protected void testHttpOperations() throws Exception { Assert.assertEquals("{\"status\":\"INTERNAL_SERVER_ERROR\",\"message\":\"Security index not initialized\"}", errorString); // PUT request - response = rh.executePutRequest(ENDPOINT + "/actiongroups/READ", FileHelper.loadFile("restapi/actiongroup_read.json"), new Header[0]); + response = rh.executePutRequest( + ENDPOINT + "/actiongroups/READ", + FileHelper.loadFile("restapi/actiongroup_read.json"), + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, response.getStatusCode()); // DELETE request @@ -95,7 +100,10 @@ protected void testHttpOperations() throws Exception { response = rh.executeGetRequest(ENDPOINT + "/roles"); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); SecurityJsonNode securityJsonNode = new SecurityJsonNode(DefaultObjectMapper.readTree(response.getBody())); - Assert.assertEquals("OPENDISTRO_SECURITY_CLUSTER_ALL", securityJsonNode.get("opendistro_security_admin").get("cluster_permissions").get(0).asString()); + Assert.assertEquals( + "OPENDISTRO_SECURITY_CLUSTER_ALL", + securityJsonNode.get("opendistro_security_admin").get("cluster_permissions").get(0).asString() + ); } } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java index 24aa8737c6..7132dcc491 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java 
@@ -31,27 +31,28 @@ private void verifyTenantUpdate(final Header... header) throws Exception { final HttpResponse getSettingResponse = rh.executeGetRequest("/_plugins/_security/api/tenancy/config", header); assertThat(getSettingResponse.getBody(), getSettingResponse.getStatusCode(), equalTo(HttpStatus.SC_OK)); assertThat( - getSettingResponse.getBody(), - getSettingResponse.findValueInJson("default_tenant"), - equalTo(ConfigConstants.TENANCY_GLOBAL_TENANT_DEFAULT_NAME) + getSettingResponse.getBody(), + getSettingResponse.findValueInJson("default_tenant"), + equalTo(ConfigConstants.TENANCY_GLOBAL_TENANT_DEFAULT_NAME) ); HttpResponse getDashboardsinfoResponse = rh.executeGetRequest("/_plugins/_security/dashboardsinfo", header); assertThat(getDashboardsinfoResponse.getStatusCode(), equalTo(HttpStatus.SC_OK)); assertThat( - getDashboardsinfoResponse.getBody(), - getDashboardsinfoResponse.findValueInJson("default_tenant"), - equalTo(ConfigConstants.TENANCY_GLOBAL_TENANT_DEFAULT_NAME) + getDashboardsinfoResponse.getBody(), + getDashboardsinfoResponse.findValueInJson("default_tenant"), + equalTo(ConfigConstants.TENANCY_GLOBAL_TENANT_DEFAULT_NAME) ); final HttpResponse setPrivateTenantAsDefaultResponse = rh.executePutRequest( - "/_plugins/_security/api/tenancy/config", - "{\"default_tenant\": \"Private\"}", header + "/_plugins/_security/api/tenancy/config", + "{\"default_tenant\": \"Private\"}", + header ); assertThat( - setPrivateTenantAsDefaultResponse.getBody(), - setPrivateTenantAsDefaultResponse.getStatusCode(), - equalTo(HttpStatus.SC_OK) + setPrivateTenantAsDefaultResponse.getBody(), + setPrivateTenantAsDefaultResponse.getStatusCode(), + equalTo(HttpStatus.SC_OK) ); getDashboardsinfoResponse = rh.executeGetRequest("/_plugins/_security/dashboardsinfo", ADMIN_FULL_ACCESS_USER); assertThat(getDashboardsinfoResponse.getStatusCode(), equalTo(HttpStatus.SC_OK)); 
@@ -73,67 +74,79 @@ public void testUpdateRestAPIAdmin() throws Exception { verifyTenantUpdate(ADMIN_FULL_ACCESS_USER); } - private void verifyTenantUpdateFailed(final Header... header) throws Exception { final HttpResponse disablePrivateTenantResponse = rh.executePutRequest( - "/_plugins/_security/api/tenancy/config", - "{\"private_tenant_enabled\":false}", header + "/_plugins/_security/api/tenancy/config", + "{\"private_tenant_enabled\":false}", + header ); assertThat(disablePrivateTenantResponse.getBody(), disablePrivateTenantResponse.getStatusCode(), equalTo(HttpStatus.SC_OK)); final HttpResponse setPrivateTenantAsDefaultFailResponse = rh.executePutRequest( - "/_plugins/_security/api/tenancy/config", - "{\"default_tenant\": \"Private\"}", header + "/_plugins/_security/api/tenancy/config", + "{\"default_tenant\": \"Private\"}", + header + ); + assertThat( + setPrivateTenantAsDefaultFailResponse.getBody(), + setPrivateTenantAsDefaultFailResponse.getStatusCode(), + equalTo(HttpStatus.SC_BAD_REQUEST) ); - assertThat(setPrivateTenantAsDefaultFailResponse.getBody(), setPrivateTenantAsDefaultFailResponse.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST)); assertThat( - setPrivateTenantAsDefaultFailResponse.getBody(), - setPrivateTenantAsDefaultFailResponse.findValueInJson("error.reason"), - containsString("Private tenant can not be disabled if it is the default tenant.") + setPrivateTenantAsDefaultFailResponse.getBody(), + setPrivateTenantAsDefaultFailResponse.findValueInJson("error.reason"), + containsString("Private tenant can not be disabled if it is the default tenant.") ); final HttpResponse enablePrivateTenantResponse = rh.executePutRequest( - "/_plugins/_security/api/tenancy/config", - "{\"private_tenant_enabled\":true}", - header + "/_plugins/_security/api/tenancy/config", + "{\"private_tenant_enabled\":true}", + header ); assertThat(enablePrivateTenantResponse.getBody(), enablePrivateTenantResponse.getStatusCode(), equalTo(HttpStatus.SC_OK)); final 
HttpResponse setPrivateTenantAsDefaultResponse = rh.executePutRequest( - "/_plugins/_security/api/tenancy/config", - "{\"default_tenant\": \"Private\"}", - header + "/_plugins/_security/api/tenancy/config", + "{\"default_tenant\": \"Private\"}", + header + ); + assertThat( + setPrivateTenantAsDefaultResponse.getBody(), + setPrivateTenantAsDefaultResponse.getStatusCode(), + equalTo(HttpStatus.SC_OK) + ); + final HttpResponse updatePrivateSettingResponse = rh.executePutRequest( + "/_plugins/_security/api/tenancy/config", + "{\"private_tenant_enabled\":false}", + header ); - assertThat(setPrivateTenantAsDefaultResponse.getBody(), setPrivateTenantAsDefaultResponse.getStatusCode(), equalTo(HttpStatus.SC_OK)); - final HttpResponse updatePrivateSettingResponse = - rh.executePutRequest("/_plugins/_security/api/tenancy/config", "{\"private_tenant_enabled\":false}", header); assertThat(updatePrivateSettingResponse.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST)); - assertThat(updatePrivateSettingResponse.findValueInJson("error.reason"), containsString("Private tenant can not be disabled if it is the default tenant.")); + assertThat( + updatePrivateSettingResponse.findValueInJson("error.reason"), + containsString("Private tenant can not be disabled if it is the default tenant.") + ); final HttpResponse getSettingResponseAfterUpdate = rh.executeGetRequest("/_plugins/_security/api/tenancy/config", header); assertThat(getSettingResponseAfterUpdate.getBody(), getSettingResponseAfterUpdate.getStatusCode(), equalTo(HttpStatus.SC_OK)); assertThat( - getSettingResponseAfterUpdate.getBody(), - getSettingResponseAfterUpdate.findValueInJson("default_tenant"), - equalTo("Private") + getSettingResponseAfterUpdate.getBody(), + getSettingResponseAfterUpdate.findValueInJson("default_tenant"), + equalTo("Private") ); final HttpResponse getDashboardsinfoResponse = rh.executeGetRequest("/_plugins/_security/dashboardsinfo", header); - assertThat( - getDashboardsinfoResponse.getBody(), - 
getDashboardsinfoResponse.findValueInJson("default_tenant"), - equalTo("Private") - ); + assertThat(getDashboardsinfoResponse.getBody(), getDashboardsinfoResponse.findValueInJson("default_tenant"), equalTo("Private")); final HttpResponse setRandomStringAsDefaultTenant = rh.executePutRequest( - "/_plugins/_security/api/tenancy/config", - "{\"default_tenant\": \"NonExistentTenant\"}", - header + "/_plugins/_security/api/tenancy/config", + "{\"default_tenant\": \"NonExistentTenant\"}", + header ); assertThat(setRandomStringAsDefaultTenant.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST)); - assertThat(setPrivateTenantAsDefaultFailResponse.getBody(), - setRandomStringAsDefaultTenant.findValueInJson("error.reason"), - containsString("Default tenant should be selected from one of the available tenants.") + assertThat( + setPrivateTenantAsDefaultFailResponse.getBody(), + setRandomStringAsDefaultTenant.findValueInJson("error.reason"), + containsString("Default tenant should be selected from one of the available tenants.") ); } @@ -160,11 +173,11 @@ public void testForbiddenAccess() throws Exception { HttpResponse getSettingResponse = rh.executeGetRequest("/_plugins/_security/api/tenancy/config", USER_NO_REST_API_ACCESS); assertThat(getSettingResponse.getBody(), getSettingResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); HttpResponse updateSettingResponse = rh.executePutRequest( - "/_plugins/_security/api/tenancy/config", - "{\"default_tenant\": \"Private\"}", USER_NO_REST_API_ACCESS + "/_plugins/_security/api/tenancy/config", + "{\"default_tenant\": \"Private\"}", + USER_NO_REST_API_ACCESS ); assertThat(getSettingResponse.getBody(), updateSettingResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); } - } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java index 1f752bd0b2..a549ad4dd9 100644 
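Review bot: The last assertThat in verifyTenantUpdateFailed checks `setRandomStringAsDefaultTenant.findValueInJson("error.reason")` but passes `setPrivateTenantAsDefaultFailResponse.getBody()` as the reason string, so on a mismatch the failure output would show the body of a different, earlier response and hide the actual rejection message for the "NonExistentTenant" request. The first argument should be `setRandomStringAsDefaultTenant.getBody(),`. The same copy-paste pattern appears, unchanged, in the following testForbiddenAccess hunk, where `getSettingResponse.getBody()` is used as the reason for an assertion on `updateSettingResponse.getStatusCode()` and presumably should be `updateSettingResponse.getBody()`.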
--- a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java @@ -43,11 +43,12 @@ public class NodesDnApiTest extends AbstractRestApiUnitTest { private HttpResponse response; private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper(); private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public NodesDnApiTest(){ + public NodesDnApiTest() { ENDPOINT = getEndpointPrefix() + "/api"; } @@ -55,7 +56,7 @@ private JsonNode asJsonNode(T t) throws Exception { return OBJECT_MAPPER.readTree(OBJECT_MAPPER.writeValueAsString(t)); } - private Map> nodesDnEntry(String...nodesDn) { + private Map> nodesDnEntry(String... nodesDn) { return ImmutableMap.of("nodes_dn", Arrays.asList(nodesDn)); } @@ -63,9 +64,14 @@ private void testCrudScenarios(final int expectedStatus, final Header... headers response = rh.executeGetRequest(ENDPOINT + "/nodesdn?show_all=true", headers); assertThat(response.getStatusCode(), equalTo(expectedStatus)); if (expectedStatus == HttpStatus.SC_OK) { - JsonNode expected = asJsonNode(ImmutableMap.of( - "cluster1", nodesDnEntry("cn=popeye"), - NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, nodesDnEntry("CN=example.com"))); + JsonNode expected = asJsonNode( + ImmutableMap.of( + "cluster1", + nodesDnEntry("cn=popeye"), + NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, + nodesDnEntry("CN=example.com") + ) + ); JsonNode node = OBJECT_MAPPER.readTree(response.getBody()); assertThat(node, equalTo(asJsonNode(expected))); 
@@ -98,7 +104,11 @@ private void testCrudScenarios(final int expectedStatus, final Header... headers response = rh.executePutRequest(ENDPOINT + "/nodesdn/cluster1", "{\"nodes_dn\": [\"cn=popeye\"]}", headers); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); - response = rh.executePatchRequest(ENDPOINT + "/nodesdn/cluster1", "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", headers); + response = rh.executePatchRequest( + ENDPOINT + "/nodesdn/cluster1", + "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", + headers + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); response = rh.executePatchRequest(ENDPOINT + "/nodesdn", "[{ \"op\": \"remove\", \"path\": \"/cluster1/nodes_dn/0\"}]", headers); @@ -108,7 +118,7 @@ private void testCrudScenarios(final int expectedStatus, final Header... headers assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); } - private void checkNullElementsInArray(final Header headers) throws Exception{ + private void checkNullElementsInArray(final Header headers) throws Exception { String body = FileHelper.loadFile("restapi/nodesdn_null_array_element.json"); HttpResponse response = rh.executePutRequest(ENDPOINT + "/nodesdn/cluster1", body, headers); @@ -128,7 +138,8 @@ public void testNodesDnApiWithDynamicConfigDisabled() throws Exception { @Test public void testNodesDnApi() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) .putList(ConfigConstants.SECURITY_NODES_DN, "CN=example.com") .build(); setupWithRestRoles(settings); 
@@ -170,67 +181,70 @@ public void testNodesDnApi() throws Exception { final int expectedStatus = HttpStatus.SC_FORBIDDEN; - response = rh.executePutRequest(ENDPOINT + "/nodesdn/" + NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, "{\"nodes_dn\": [\"cn=popeye\"]}", nonAdminCredsHeader); + response = rh.executePutRequest( + ENDPOINT + "/nodesdn/" + NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, + "{\"nodes_dn\": [\"cn=popeye\"]}", + nonAdminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); - response = rh.executePatchRequest(ENDPOINT + "/nodesdn/" + NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, - "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]" , nonAdminCredsHeader); + response = rh.executePatchRequest( + ENDPOINT + "/nodesdn/" + NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, + "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", + nonAdminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); - response = rh.executeDeleteRequest(ENDPOINT + "/nodesdn/" + NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, nonAdminCredsHeader); + response = rh.executeDeleteRequest( + ENDPOINT + "/nodesdn/" + NodesDnApiAction.STATIC_OPENSEARCH_YML_NODES_DN, + nonAdminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); } } - @Test public void testNodesDnApiWithPermissions() throws Exception { - Settings settings = - Settings.builder() - .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) - .put(SECURITY_RESTAPI_ADMIN_ENABLED, true) - .build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) + .put(SECURITY_RESTAPI_ADMIN_ENABLED, true) + .build(); setupWithRestRoles(settings); final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); final Header restApiNodesDnHeader = 
encodeBasicHeader("rest_api_admin_nodesdn", "rest_api_admin_nodesdn"); final Header restApiUserHeader = encodeBasicHeader("test", "test"); - //full access admin + // full access admin { rh.sendAdminCertificate = false; - response = rh.executeGetRequest( - ENDPOINT + "/nodesdn", restApiAdminHeader); + response = rh.executeGetRequest(ENDPOINT + "/nodesdn", restApiAdminHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest( - ENDPOINT + "/nodesdn/c1", "{\"nodes_dn\": [\"cn=popeye\"]}", - restApiAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/nodesdn/c1", "{\"nodes_dn\": [\"cn=popeye\"]}", restApiAdminHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_CREATED)); response = rh.executePatchRequest( - ENDPOINT + "/nodesdn/c1", - "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", - restApiAdminHeader + ENDPOINT + "/nodesdn/c1", + "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", + restApiAdminHeader ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); response = rh.executeDeleteRequest(ENDPOINT + "/nodesdn/c1", restApiAdminHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); } - //NodesDN only + // NodesDN only { rh.sendAdminCertificate = false; response = rh.executeGetRequest(ENDPOINT + "/nodesdn", restApiNodesDnHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest( - ENDPOINT + "/nodesdn/c1", "{\"nodes_dn\": [\"cn=popeye\"]}", - restApiNodesDnHeader); + response = rh.executePutRequest(ENDPOINT + "/nodesdn/c1", "{\"nodes_dn\": [\"cn=popeye\"]}", restApiNodesDnHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_CREATED)); response = rh.executePatchRequest( - ENDPOINT + "/nodesdn/c1", - "[{ \"op\": \"add\", \"path\": 
\"/nodes_dn/-\", \"value\": \"bluto\" }]", - restApiNodesDnHeader + ENDPOINT + "/nodesdn/c1", + "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", + restApiNodesDnHeader ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); @@ -240,21 +254,19 @@ public void testNodesDnApiWithPermissions() throws Exception { response = rh.executeGetRequest(ENDPOINT + "/actiongroups", restApiNodesDnHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); } - //rest api user + // rest api user { rh.sendAdminCertificate = false; response = rh.executeGetRequest(ENDPOINT + "/nodesdn", restApiUserHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - response = rh.executePutRequest( - ENDPOINT + "/nodesdn/c1", "{\"nodes_dn\": [\"cn=popeye\"]}", - restApiUserHeader); + response = rh.executePutRequest(ENDPOINT + "/nodesdn/c1", "{\"nodes_dn\": [\"cn=popeye\"]}", restApiUserHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); response = rh.executePatchRequest( - ENDPOINT + "/nodesdn/c1", - "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", - restApiUserHeader + ENDPOINT + "/nodesdn/c1", + "[{ \"op\": \"add\", \"path\": \"/nodes_dn/-\", \"value\": \"bluto\" }]", + restApiUserHeader ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); 
@@ -266,7 +278,8 @@ public void testNodesDnApiWithPermissions() throws Exception { @Test public void testNodesDnApiAuditComplianceLogging() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) .putList(ConfigConstants.SECURITY_NODES_DN, "CN=example.com") .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) @@ -293,9 +306,13 @@ public void testNodesDnApiAuditComplianceLogging() throws Exception { System.out.println(TestAuditlogImpl.sb.toString()); final Map expectedCategoryCounts = ImmutableMap.of( - AuditCategory.COMPLIANCE_INTERNAL_CONFIG_READ, 4L, - AuditCategory.COMPLIANCE_INTERNAL_CONFIG_WRITE, 4L); - Map actualCategoryCounts = TestAuditlogImpl.messages.stream().collect(Collectors.groupingBy(AuditMessage::getCategory, Collectors.counting())); + AuditCategory.COMPLIANCE_INTERNAL_CONFIG_READ, + 4L, + AuditCategory.COMPLIANCE_INTERNAL_CONFIG_WRITE, + 4L + ); + Map actualCategoryCounts = TestAuditlogImpl.messages.stream() + .collect(Collectors.groupingBy(AuditMessage::getCategory, Collectors.counting())); assertThat(actualCategoryCounts, equalTo(expectedCategoryCounts)); } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluatorTest.java index 6573082e5b..bbe1bf90f8 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluatorTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluatorTest.java 
@@ -34,12 +34,14 @@ public class RestApiPrivilegesEvaluatorTest { @Before public void setUp() { - this.privilegesEvaluator = new RestApiPrivilegesEvaluator(Settings.EMPTY, - mock(AdminDNs.class), - mock(PrivilegesEvaluator.class), - mock(PrincipalExtractor.class), - mock(Path.class), - mock(ThreadPool.class)); + this.privilegesEvaluator = new RestApiPrivilegesEvaluator( + Settings.EMPTY, + mock(AdminDNs.class), + mock(PrivilegesEvaluator.class), + mock(PrincipalExtractor.class), + mock(Path.class), + mock(ThreadPool.class) + ); } @Test diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java index 9b5c7dc8c5..fc5c59d36f 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java @@ -26,11 +26,12 @@ public class RoleBasedAccessTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public RoleBasedAccessTest(){ + public RoleBasedAccessTest() { ENDPOINT = getEndpointPrefix() + "/api"; } @@ -100,7 +101,6 @@ public void testActionGroupsApi() throws Exception { Assert.assertEquals("", settings.getAsList("opendistro_security_role_starfleet_library.backend_roles").get(0), "starfleet*"); Assert.assertEquals("", settings.getAsList("opendistro_security_zdummy_all.users").get(0), "bug108"); - // Deprecated get configuration API, acessible for sarek // response = rh.executeGetRequest("_opendistro/_security/api/configuration/internalusers", encodeBasicHeader("sarek", "sarek")); // settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); 
@@ -119,9 +119,9 @@ public void testActionGroupsApi() throws Exception { // Assert.assertEquals("", settings.getAsList("CRUD.permissions").get(0), "READ_UT"); // configuration API, not accessible for worf -// response = rh.executeGetRequest("_opendistro/_security/api/configuration/actiongroups", encodeBasicHeader("worf", "worf")); -// Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); -// Assert.assertTrue(response.getBody().contains("does not have any access to endpoint CONFIGURATION")); + // response = rh.executeGetRequest("_opendistro/_security/api/configuration/actiongroups", encodeBasicHeader("worf", "worf")); + // Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); + // Assert.assertTrue(response.getBody().contains("does not have any access to endpoint CONFIGURATION")); // cache API, not accessible for worf since it's disabled globally response = rh.executeDeleteRequest("_opendistro/_security/api/cache", encodeBasicHeader("worf", "worf")); 
@@ -173,10 +173,18 @@ public void testActionGroupsApi() throws Exception { // Worf, has access to roles API, get captains role response = rh.executeGetRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", encodeBasicHeader("worf", "worf")); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - Assert.assertEquals(new SecurityJsonNode(DefaultObjectMapper.readTree(response.getBody())).getDotted("opendistro_security_role_starfleet_captains.cluster_permissions").get(0).asString(), "cluster:monitor*"); + Assert.assertEquals( + new SecurityJsonNode(DefaultObjectMapper.readTree(response.getBody())).getDotted( + "opendistro_security_role_starfleet_captains.cluster_permissions" + ).get(0).asString(), + "cluster:monitor*" + ); // Worf, has access to roles API, able to delete - response = rh.executeDeleteRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", encodeBasicHeader("worf", "worf")); + response = rh.executeDeleteRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + encodeBasicHeader("worf", "worf") + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("'opendistro_security_role_starfleet_captains' deleted")); 
@@ -196,20 +204,31 @@ public void testActionGroupsApi() throws Exception { // --- PUT --- // admin, no access - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains_tenants.json"), encodeBasicHeader("admin", "admin")); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains_tenants.json"), + encodeBasicHeader("admin", "admin") + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // worf, restore role starfleet captains - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains_different_content.json"), encodeBasicHeader("worf", "worf")); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains_different_content.json"), + encodeBasicHeader("worf", "worf") + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); // starfleet role present again response = rh.executeGetRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", encodeBasicHeader("worf", "worf")); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - Assert.assertEquals(new SecurityJsonNode(DefaultObjectMapper.readTree(response.getBody())).getDotted("opendistro_security_role_starfleet_captains.index_permissions").get(0).get("allowed_actions").get(0).asString(), "blafasel"); + Assert.assertEquals( + new SecurityJsonNode(DefaultObjectMapper.readTree(response.getBody())).getDotted( + "opendistro_security_role_starfleet_captains.index_permissions" + ).get(0).get("allowed_actions").get(0).asString(), + "blafasel" + ); // Try the same, but now with admin certificate rh.sendAdminCertificate = true; 
@@ -245,8 +264,11 @@ public void testActionGroupsApi() throws Exception { Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // PUT roles - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains_different_content.json"), encodeBasicHeader("test", "test")); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains_different_content.json"), + encodeBasicHeader("test", "test") + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // GET captions role @@ -254,7 +276,10 @@ public void testActionGroupsApi() throws Exception { Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // Delete captions role - response = rh.executeDeleteRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", encodeBasicHeader("test", "test")); + response = rh.executeDeleteRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + encodeBasicHeader("test", "test") + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("'opendistro_security_role_starfleet_captains' deleted")); @@ -262,6 +287,5 @@ public void testActionGroupsApi() throws Exception { response = rh.executeGetRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", encodeBasicHeader("test", "test")); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); - } } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java index a85566dc91..bf703fea35 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java 
@@ -81,7 +81,7 @@ public void testAllRolesForRestAdmin() throws Exception { setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); rh.sendAdminCertificate = false; - checkSuperAdminRoles(new Header[]{restApiAdminHeader}); + checkSuperAdminRoles(new Header[] { restApiAdminHeader }); } @Test @@ -89,7 +89,7 @@ public void testAllRolesForRolesRestAdmin() throws Exception { setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiAdminRolesHeader = encodeBasicHeader("rest_api_admin_roles", "rest_api_admin_roles"); rh.sendAdminCertificate = false; - checkSuperAdminRoles(new Header[]{restApiAdminRolesHeader}); + checkSuperAdminRoles(new Header[] { restApiAdminRolesHeader }); } void checkSuperAdminRoles(final Header[] header) { @@ -108,12 +108,14 @@ public void testPutDuplicateKeys() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - HttpResponse response = rh.executePutRequest(ENDPOINT + "/roles/dup", "{ \"cluster_permissions\": [\"*\"], \"cluster_permissions\": [\"*\"] }"); + HttpResponse response = rh.executePutRequest( + ENDPOINT + "/roles/dup", + "{ \"cluster_permissions\": [\"*\"], \"cluster_permissions\": [\"*\"] }" + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); assertHealthy(); } - @Test public void testPutUnknownKey() throws Exception { 
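Review bot: testPutDuplicateKeys (last hunk on this line) asserts only the 400 status for the duplicate `cluster_permissions` payload; unlike testPutUnknownKey in the following hunk it never inspects the response body, so a 400 produced for an unrelated reason (the body being rejected as unparseable rather than as a duplicate key, for instance) would still pass. Parse the body as the other tests in this file do and pin the reason, e.g. `Assert.assertEquals(<expected ErrorType>.getMessage(), DefaultObjectMapper.readTree(response.getBody()).get("reason").asText());`, using whichever `AbstractConfigurationValidator.ErrorType` the validator actually emits for duplicate keys. testPutInvalidJson in the next hunk has the same gap.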
@@ -121,7 +123,10 @@ public void testPutUnknownKey() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - HttpResponse response = rh.executePutRequest(ENDPOINT + "/roles/dup", "{ \"unknownkey\": [\"*\"], \"cluster_permissions\": [\"*\"] }"); + HttpResponse response = rh.executePutRequest( + ENDPOINT + "/roles/dup", + "{ \"unknownkey\": [\"*\"], \"cluster_permissions\": [\"*\"] }" + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("invalid_keys")); assertHealthy(); @@ -134,7 +139,10 @@ public void testPutInvalidJson() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - HttpResponse response = rh.executePutRequest(ENDPOINT + "/roles/dup", "{ \"invalid\"::{{ [\"*\"], \"cluster_permissions\": [\"*\"] }"); + HttpResponse response = rh.executePutRequest( + ENDPOINT + "/roles/dup", + "{ \"invalid\"::{{ [\"*\"], \"cluster_permissions\": [\"*\"] }" + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); assertHealthy(); } @@ -151,7 +159,7 @@ public void testRolesApi() throws Exception { setupStarfleetIndex(); // add user picard, role starfleet, maps to opendistro_security_role_starfleet - addUserWithPassword("picard", "picardpicardpicardpicard", new String[]{"starfleet", "captains"}, HttpStatus.SC_CREATED); + addUserWithPassword("picard", "picardpicardpicardpicard", new String[] { "starfleet", "captains" }, HttpStatus.SC_CREATED); checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); checkWriteAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); 
@@ -242,25 +250,37 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean sendAdminCert) Assert.assertEquals(AbstractConfigurationValidator.ErrorType.PAYLOAD_MANDATORY.getMessage(), settings.get("reason").asText()); // put new configuration with invalid payload, must fail - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet", - FileHelper.loadFile("restapi/roles_not_parseable.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet", + FileHelper.loadFile("restapi/roles_not_parseable.json"), + header + ); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.BODY_NOT_PARSEABLE.getMessage(), settings.get("reason").asText()); // put new configuration with invalid keys, must fail - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet", - FileHelper.loadFile("restapi/roles_invalid_keys.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet", + FileHelper.loadFile("restapi/roles_invalid_keys.json"), + header + ); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.INVALID_CONFIGURATION.getMessage(), settings.get("reason").asText()); - Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY).get("keys").asText().contains("indexx_permissions")); Assert.assertTrue( - settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY).get("keys").asText().contains("kluster_permissions")); + settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY).get("keys").asText().contains("indexx_permissions") + ); + Assert.assertTrue( + 
settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY).get("keys").asText().contains("kluster_permissions") + ); // put new configuration with wrong datatypes, must fail - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet", - FileHelper.loadFile("restapi/roles_wrong_datatype.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet", + FileHelper.loadFile("restapi/roles_wrong_datatype.json"), + header + ); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason").asText()); 
@@ -268,18 +288,27 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean sendAdminCert) // put read only role, must be forbidden // But SuperAdmin can still create it - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_transport_client", - FileHelper.loadFile("restapi/roles_captains.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_transport_client", + FileHelper.loadFile("restapi/roles_captains.json"), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); // put hidden role, must be forbidden, but allowed for super admin - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_internal", - FileHelper.loadFile("restapi/roles_captains.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_internal", + FileHelper.loadFile("restapi/roles_captains.json"), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); // restore starfleet role - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet", - FileHelper.loadFile("restapi/roles_starfleet.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet", + FileHelper.loadFile("restapi/roles_starfleet.json"), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); rh.sendAdminCertificate = false; checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); 
@@ -287,53 +316,94 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean sendAdminCert) // now picard is only in opendistro_security_role_starfleet, which has write access to // all indices. We collapse all document types in ODFE7 so this permission in the // starfleet role grants all permissions: - // _doc: - // - 'indices:*' + // _doc: + // - 'indices:*' checkWriteAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); rh.sendAdminCertificate = sendAdminCert; // restore captains role - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains.json"), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); rh.sendAdminCertificate = false; checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); checkWriteAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); rh.sendAdminCertificate = sendAdminCert; - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_complete_invalid.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_complete_invalid.json"), + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_multiple_2.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_multiple_2.json"), + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, 
response.getStatusCode()); // check tenants rh.sendAdminCertificate = sendAdminCert; - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains_tenants.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains_tenants.json"), + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(2, settings.size()); Assert.assertEquals(settings.get("status").asText(), "OK"); - response = rh.executeGetRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); System.out.println(response.getBody()); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(1, settings.size()); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(1).get("tenant_patterns").get(0).asString(), "tenant1"); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(1).get("allowed_actions").get(0).asString(), "kibana_all_read"); + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(1) + .get("tenant_patterns") + .get(0) + .asString(), + "tenant1" + ); + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(1) + .get("allowed_actions") + .get(0) + .asString(), + "kibana_all_read" + ); + + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(0) + .get("tenant_patterns") + .get(0) + .asString(), + "tenant2" + 
); + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(0) + .get("allowed_actions") + .get(0) + .asString(), + "kibana_all_write" + ); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(0).get("tenant_patterns").get(0).asString(), "tenant2"); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(0).get("allowed_actions").get(0).asString(), "kibana_all_write"); - - - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains_tenants2.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains_tenants2.json"), + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(2, settings.size()); 
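Review bot: `System.out.println(response.getBody());` after the GET of opendistro_security_role_starfleet_captains is a leftover debug print that the formatting pass kept; it dumps the full role definition to stdout on every run and adds nothing the assertions below it do not already verify. Remove it, or if the output is wanted on failure, pass it as the assertion message the way later assertions in this file do, e.g. `Assert.assertEquals(response.getBody(), 1, settings.size());`. The same applies to `System.out.println("RESPONSE: " + response.getBody());` at the end of testCreateOrUpdateRestApiAdminRoleForbiddenForNonSuperAdmin. verifyPutForSuperAdmin starts and ends outside this hunk.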
@@ -344,18 +414,63 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean sendAdminCert) settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(1, settings.size()); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(0).get("tenant_patterns").get(0).asString(), "tenant2"); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(0).get("tenant_patterns").get(1).asString(), "tenant4"); - - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(0).get("allowed_actions").get(0).asString(), "kibana_all_write"); - - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(1).get("tenant_patterns").get(0).asString(), "tenant1"); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(1).get("tenant_patterns").get(1).asString(), "tenant3"); - Assert.assertEquals(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(1).get("allowed_actions").get(0).asString(), "kibana_all_read"); + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(0) + .get("tenant_patterns") + .get(0) + .asString(), + "tenant2" + ); + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(0) + .get("tenant_patterns") + .get(1) + .asString(), + "tenant4" + ); + + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(0) + .get("allowed_actions") + .get(0) + .asString(), + 
"kibana_all_write" + ); + + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(1) + .get("tenant_patterns") + .get(0) + .asString(), + "tenant1" + ); + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(1) + .get("tenant_patterns") + .get(1) + .asString(), + "tenant3" + ); + Assert.assertEquals( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions") + .get(1) + .get("allowed_actions") + .get(0) + .asString(), + "kibana_all_read" + ); // remove tenants from role - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains_no_tenants.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains_no_tenants.json"), + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(2, settings.size()); 
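Review bot: The six tenant_permissions assertions each rebuild `new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions")`, which after reformatting turns every check into an eight-line statement and buries the value actually being compared. Hoisting the node into a local once, `final var tenantPermissions = new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions");`, lets each check read as `Assert.assertEquals("tenant2", tenantPermissions.get(0).get("tenant_patterns").get(0).asString());` with the expected value first. The same repetition is in the preceding hunk's tenant1/tenant2 checks. These checks also assume the server returns the two tenant_permissions entries in a fixed order; if that order is not guaranteed by the API, matching entries by tenant pattern would be more robust than positional `get(0)`/`get(1)`.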
@@ -365,11 +480,18 @@ void verifyPutForSuperAdmin(final Header[] header, final boolean sendAdminCert) Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(1, settings.size()); - Assert.assertFalse(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.cluster_permissions").get(0).isNull()); - Assert.assertTrue(new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(0).isNull()); + Assert.assertFalse( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.cluster_permissions").get(0).isNull() + ); + Assert.assertTrue( + new SecurityJsonNode(settings).getDotted("opendistro_security_role_starfleet_captains.tenant_permissions").get(0).isNull() + ); - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/roles_captains_tenants_malformed.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/roles_captains_tenants_malformed.json"), + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(settings.get("status").asText(), "error"); 
@@ -381,36 +503,43 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean sendAdminCert // PATCH on non-existing resource rh.sendAdminCertificate = sendAdminCert; HttpResponse response = rh.executePatchRequest( - ENDPOINT + "/roles/imnothere", - "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", - header); + ENDPOINT + "/roles/imnothere", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // PATCH read only resource, must be forbidden // SuperAdmin can patch it rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles/opendistro_security_transport_client", - "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", - header); + ENDPOINT + "/roles/opendistro_security_transport_client", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // PATCH hidden resource, must be not found, can be found for superadmin, but will fail with no path present exception rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles/opendistro_security_internal", - "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", - header); + ENDPOINT + "/roles/opendistro_security_internal", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH value of hidden flag, must fail with validation error rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles/opendistro_security_role_starfleet", - "[{ \"op\": \"add\", \"path\": \"/hidden\", \"value\": true }]", - header); + ENDPOINT + "/roles/opendistro_security_role_starfleet", + "[{ \"op\": \"add\", \"path\": 
\"/hidden\", \"value\": true }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - Assert.assertTrue(response.getBody(), response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); + Assert.assertTrue( + response.getBody(), + response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*") + ); List permissions = null; 
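Review bot: `List permissions = null;` at the end of the hunk declares a raw `List`; the formatting pass leaves it untouched and it will raise an unchecked warning wherever it is read. Declare it with the element type that is assigned to it further down in verifyPatchForSuperAdmin (outside this hunk), or at minimum `List<?> permissions = null;` if only size or emptiness is checked. The regex assertion just above it passes `response.getBody()` as the failure message, which is the right pattern for these body checks.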
@@ -433,61 +562,69 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean sendAdminCert // PATCH on non-existing resource rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles", - "[{ \"op\": \"add\", \"path\": \"/imnothere/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", - header); + ENDPOINT + "/roles", + "[{ \"op\": \"add\", \"path\": \"/imnothere/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH read only resource, must be forbidden rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles", - "[{ \"op\": \"add\", \"path\": \"/opendistro_security_transport_client/a\", \"value\": [ \"foo\", \"bar\" ] }]", - header); + ENDPOINT + "/roles", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_transport_client/a\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH hidden resource, must be bad request rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles", - "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/a\", \"value\": [ \"foo\", \"bar\" ] }]", - header); + ENDPOINT + "/roles", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/a\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH delete read only resource, must be forbidden // SuperAdmin can delete read only user rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles", "[{ \"op\": \"remove\", \"path\": \"/opendistro_security_transport_client\" }]", - header); + ENDPOINT + "/roles", + "[{ \"op\": \"remove\", \"path\": \"/opendistro_security_transport_client\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // PATCH 
hidden resource, must be bad request, but allowed for superadmin rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles", - "[{ \"op\": \"remove\", \"path\": \"/opendistro_security_internal\"}]", - header); + ENDPOINT + "/roles", + "[{ \"op\": \"remove\", \"path\": \"/opendistro_security_internal\"}]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("\"message\":\"Resource updated.")); // PATCH value of hidden flag, must fail with validation error rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles", - "[{ \"op\": \"add\", \"path\": \"/newnewnew\", \"value\": { \"hidden\": true, \"index_permissions\" : " + - "[ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"OPENDISTRO_SECURITY_READ\" ]}] }}]", - header); + ENDPOINT + "/roles", + "[{ \"op\": \"add\", \"path\": \"/newnewnew\", \"value\": { \"hidden\": true, \"index_permissions\" : " + + "[ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"OPENDISTRO_SECURITY_READ\" ]}] }}]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); // PATCH rh.sendAdminCertificate = sendAdminCert; response = rh.executePatchRequest( - ENDPOINT + "/roles", - "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": { \"index_permissions\" : " + - "[ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"OPENDISTRO_SECURITY_READ\" ]}] }}]", - header); + ENDPOINT + "/roles", + "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": { \"index_permissions\" : " + + "[ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"OPENDISTRO_SECURITY_READ\" ]}] }}]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/roles/bulknew1", 
header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); @@ -505,13 +642,19 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean sendAdminCert Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // put valid field masks - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_field_mask_valid", - FileHelper.loadFile("restapi/roles_field_masks_valid.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_field_mask_valid", + FileHelper.loadFile("restapi/roles_field_masks_valid.json"), + header + ); Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode()); // put invalid field masks - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_field_mask_invalid", - FileHelper.loadFile("restapi/roles_field_masks_invalid.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_field_mask_invalid", + FileHelper.loadFile("restapi/roles_field_masks_invalid.json"), + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); } 
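Review bot: In the bulk-PATCH hunk (@@ -433) the hidden-flag check `Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"..."))` on the `/newnewnew` request omits the response body as the failure message, whereas the identical regex assertion in the single-role hunk passes `response.getBody()` first; on failure this one reports a bare AssertionError with no hint of what the server returned. Make it `Assert.assertTrue(response.getBody(), response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*"));`. The field-mask hunk (@@ -505) has the same asymmetry: the valid PUT includes `response.getBody()` in its assertEquals, the invalid PUT does not. Both hunks sit inside verifyPatchForSuperAdmin, whose start is outside this view.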
@@ -525,14 +668,14 @@ public void testRolesApiWithAllRestApiPermissions() throws Exception { setupStarfleetIndex(); // add user picard, role starfleet, maps to opendistro_security_role_starfleet - addUserWithPassword("picard", "picardpicardpicardpicard", new String[]{"starfleet", "captains"}, HttpStatus.SC_CREATED); + addUserWithPassword("picard", "picardpicardpicardpicard", new String[] { "starfleet", "captains" }, HttpStatus.SC_CREATED); checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); checkWriteAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); - verifyGetForSuperAdmin(new Header[]{restApiAdminHeader}); - verifyDeleteForSuperAdmin(new Header[]{restApiAdminHeader}, false); - verifyPutForSuperAdmin(new Header[]{restApiAdminHeader}, false); - verifyPatchForSuperAdmin(new Header[]{restApiAdminHeader}, false); + verifyGetForSuperAdmin(new Header[] { restApiAdminHeader }); + verifyDeleteForSuperAdmin(new Header[] { restApiAdminHeader }, false); + verifyPutForSuperAdmin(new Header[] { restApiAdminHeader }, false); + verifyPatchForSuperAdmin(new Header[] { restApiAdminHeader }, false); } @Test 
@@ -545,15 +688,14 @@ public void testRolesApiWithRestApiRolePermission() throws Exception { setupStarfleetIndex(); // add user picard, role starfleet, maps to opendistro_security_role_starfleet - addUserWithPassword("picard", "picardpicardpicardpicard", new String[]{"starfleet", "captains"}, HttpStatus.SC_CREATED); + addUserWithPassword("picard", "picardpicardpicardpicard", new String[] { "starfleet", "captains" }, HttpStatus.SC_CREATED); checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); checkWriteAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicard", "sf", "_doc", 0); - - verifyGetForSuperAdmin(new Header[]{restApiRolesHeader}); - verifyDeleteForSuperAdmin(new Header[]{restApiRolesHeader}, false); - verifyPutForSuperAdmin(new Header[]{restApiRolesHeader}, false); - verifyPatchForSuperAdmin(new Header[]{restApiRolesHeader}, false); + verifyGetForSuperAdmin(new Header[] { restApiRolesHeader }); + verifyDeleteForSuperAdmin(new Header[] { restApiRolesHeader }, false); + verifyPutForSuperAdmin(new Header[] { restApiRolesHeader }, false); + verifyPatchForSuperAdmin(new Header[] { restApiRolesHeader }, false); } @Test 
@@ -567,63 +709,45 @@ public void testCreateOrUpdateRestApiAdminRoleForbiddenForNonSuperAdmin() throws final String restAdminPermissionsPayload = createRestAdminPermissionsPayload("cluster/*"); HttpResponse response = rh.executePutRequest( - ENDPOINT + "/roles/new_rest_admin_role", restAdminPermissionsPayload, restApiAdminHeader); + ENDPOINT + "/roles/new_rest_admin_role", + restAdminPermissionsPayload, + restApiAdminHeader + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); - response = rh.executePutRequest( - ENDPOINT + "/roles/rest_admin_role_to_delete", restAdminPermissionsPayload, restApiAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/roles/rest_admin_role_to_delete", restAdminPermissionsPayload, restApiAdminHeader); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); // attempt to create a new rest admin role by admin - response = rh.executePutRequest( - ENDPOINT + "/roles/some_rest_admin_role", - restAdminPermissionsPayload, - adminHeader); + response = rh.executePutRequest(ENDPOINT + "/roles/some_rest_admin_role", restAdminPermissionsPayload, adminHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // attempt to update exiting admin role - response = rh.executePutRequest( - ENDPOINT + "/roles/new_rest_admin_role", - restAdminPermissionsPayload, - adminHeader); + response = rh.executePutRequest(ENDPOINT + "/roles/new_rest_admin_role", restAdminPermissionsPayload, adminHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // attempt to patch exiting admin role response = rh.executePatchRequest( - ENDPOINT + "/roles/new_rest_admin_role", - createPatchRestAdminPermissionsPayload("replace"), - adminHeader); + ENDPOINT + "/roles/new_rest_admin_role", + createPatchRestAdminPermissionsPayload("replace"), + adminHeader + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // attempt to update exiting admin role - response = 
rh.executePutRequest( - ENDPOINT + "/roles/new_rest_admin_role", - restAdminPermissionsPayload, - restApiHeader); + response = rh.executePutRequest(ENDPOINT + "/roles/new_rest_admin_role", restAdminPermissionsPayload, restApiHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // attempt to create a new rest admin role by admin - response = rh.executePutRequest( - ENDPOINT + "/roles/some_rest_admin_role", - restAdminPermissionsPayload, - restApiHeader); + response = rh.executePutRequest(ENDPOINT + "/roles/some_rest_admin_role", restAdminPermissionsPayload, restApiHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // attempt to patch exiting admin role and crate a new one - response = rh.executePatchRequest( - ENDPOINT + "/roles", - createPatchRestAdminPermissionsPayload("replace"), - restApiHeader); + response = rh.executePatchRequest(ENDPOINT + "/roles", createPatchRestAdminPermissionsPayload("replace"), restApiHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - response = rh.executePatchRequest( - ENDPOINT + "/roles", - createPatchRestAdminPermissionsPayload("add"), - restApiHeader); + response = rh.executePatchRequest(ENDPOINT + "/roles", createPatchRestAdminPermissionsPayload("add"), restApiHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - response = rh.executePatchRequest( - ENDPOINT + "/roles", - createPatchRestAdminPermissionsPayload("remove"), - restApiHeader); + response = rh.executePatchRequest(ENDPOINT + "/roles", createPatchRestAdminPermissionsPayload("remove"), restApiHeader); System.out.println("RESPONSE: " + response.getBody()); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); } 
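Review bot: The comment `// attempt to create a new rest admin role by admin` is repeated above the `restApiHeader` request on the new side, where the caller is no longer the admin user, so the comment now misdescribes the request it labels; the neighbouring comments also read "exiting" for "existing" and "crate" for "create". Since the commit reflows these statements anyway, correcting them to `// attempt to create a new rest admin role by the rest api user` and `// attempt to update existing admin role` would be cheap. I read `restApiHeader` as a non-admin REST API user from the test name; confirm against its definition, which is above this hunk.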
@@ -640,51 +764,42 @@ public void testDeleteRestApiAdminRoleForbiddenForNonSuperAdmin() throws Excepti final String allRestAdminPermissionsPayload = createRestAdminPermissionsPayload("cluster/*"); HttpResponse response = rh.executePutRequest( - ENDPOINT + "/roles/new_rest_admin_role", allRestAdminPermissionsPayload, restApiAdminHeader); + ENDPOINT + "/roles/new_rest_admin_role", + allRestAdminPermissionsPayload, + restApiAdminHeader + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); // attempt to update exiting admin role - response = rh.executeDeleteRequest( - ENDPOINT + "/roles/new_rest_admin_role", - adminHeader); + response = rh.executeDeleteRequest(ENDPOINT + "/roles/new_rest_admin_role", adminHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - //true to change - response = rh.executeDeleteRequest( - ENDPOINT + "/roles/new_rest_admin_role", - allRestAdminPermissionsPayload, - restApiHeader); + // true to change + response = rh.executeDeleteRequest(ENDPOINT + "/roles/new_rest_admin_role", allRestAdminPermissionsPayload, restApiHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); } - private String createPatchRestAdminPermissionsPayload(final String op) throws JsonProcessingException { final ArrayNode rootNode = (ArrayNode) DefaultObjectMapper.objectMapper.createArrayNode(); final ObjectNode opAddObjectNode = DefaultObjectMapper.objectMapper.createObjectNode(); final ObjectNode clusterPermissionsNode = DefaultObjectMapper.objectMapper.createObjectNode(); clusterPermissionsNode.set("cluster_permissions", clusterPermissionsForRestAdmin("cluster/*")); if ("add".equals(op)) { - opAddObjectNode - .put("op", "add") - .put("path", "/some_rest_admin_role") - .set("value", clusterPermissionsNode); + opAddObjectNode.put("op", "add").put("path", "/some_rest_admin_role").set("value", clusterPermissionsNode); rootNode.add(opAddObjectNode); } if ("remove".equals(op)) { final ObjectNode 
opRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode(); - opRemoveObjectNode - .put("op", "remove") - .put("path", "/rest_admin_role_to_delete"); + opRemoveObjectNode.put("op", "remove").put("path", "/rest_admin_role_to_delete"); rootNode.add(opRemoveObjectNode); } if ("replace".equals(op)) { final ObjectNode replaceRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode(); - replaceRemoveObjectNode - .put("op", "replace") - .put("path", "/new_rest_admin_role/cluster_permissions") - .set("value", clusterPermissionsForRestAdmin("*")); + replaceRemoveObjectNode.put("op", "replace") + .put("path", "/new_rest_admin_role/cluster_permissions") + .set("value", clusterPermissionsForRestAdmin("*")); rootNode.add(replaceRemoveObjectNode); } 
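Review bot: createPatchRestAdminPermissionsPayload builds a patch only for `add`, `remove` and `replace` and silently falls through for any other `op`, so a misspelt argument from a caller produces an empty `[]` patch whose SC_FORBIDDEN response would satisfy the callers' assertions for the wrong reason; a guard at the top of the method, `if (!"add".equals(op) && !"remove".equals(op) && !"replace".equals(op)) { throw new IllegalArgumentException("unsupported patch op: " + op); }`, turns that into a test error. The method's return statement lies outside this hunk. In testDeleteRestApiAdminRoleForbiddenForNonSuperAdmin above, `// true to change` before the restApiHeader delete looks like a typo for "try to change", and `// attempt to update exiting admin role` sits on a DELETE call; I would reword them `// attempt to delete the rest admin role as admin` and `// attempt to delete the rest admin role as a non-admin REST API user`.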
@@ -709,21 +824,27 @@ void checkNonSuperAdminRoles(final Header[] header) throws Exception { Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Put read only roles - response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_transport_client", - FileHelper.loadFile("restapi/roles_captains.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/roles/opendistro_security_transport_client", + FileHelper.loadFile("restapi/roles_captains.json"), + header + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch single read only roles response = rh.executePatchRequest( - ENDPOINT + "/roles/opendistro_security_transport_client", - "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", - header); + ENDPOINT + "/roles/opendistro_security_transport_client", + "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch multiple read only roles - response = rh.executePatchRequest(ENDPOINT + "/roles/", - "[{ \"op\": \"add\", \"path\": \"/opendistro_security_transport_client/description\", \"value\": \"foo\" }]", - header); + response = rh.executePatchRequest( + ENDPOINT + "/roles/", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_transport_client/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // get hidden role 
@@ -740,14 +861,19 @@ void checkNonSuperAdminRoles(final Header[] header) throws Exception { Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch single hidden roles - response = rh.executePatchRequest(ENDPOINT + "/roles/opendistro_security_internal", - "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/roles/opendistro_security_internal", + "[{ \"op\": \"replace\", \"path\": \"/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch multiple hidden roles - response = rh.executePatchRequest(ENDPOINT + "/roles/", - "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/description\", \"value\": \"foo\" }]", - header); + response = rh.executePatchRequest( + ENDPOINT + "/roles/", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java index c15651fcc8..42fb111281 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java @@ -33,11 +33,12 @@ public class RolesMappingApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public RolesMappingApiTest(){ + public RolesMappingApiTest() { ENDPOINT = getEndpointPrefix() + "/api"; } 
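Review bot: In the RolesMappingApiTest hunk the constructor computes `ENDPOINT = getEndpointPrefix() + "/api";` by calling the protected, overridable `getEndpointPrefix()`, so any subclass override that reads its own field will run before that field is initialised and silently build the wrong endpoint; the SecurityApiAccessTest hunk at the end of this diff has the same shape with `"/api/internalusers"`. The `protected` modifier suggests overrides are expected, so rather than relying on every override being state-free I would pass the prefix in explicitly: `protected RolesMappingApiTest(final String endpointPrefix) { ENDPOINT = endpointPrefix + "/api"; }` with `public RolesMappingApiTest() { this(PLUGINS_PREFIX); }`. If no subclass actually overrides the hook, marking it `final` documents that and removes the hazard with a one-word change.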
@@ -56,7 +57,7 @@ public void testRolesMappingApi() throws Exception { addUserWithPassword("picard", "picardpicardpicard", new String[] { "captains" }, HttpStatus.SC_CREATED); checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picardpicardpicard", "sf", "_doc", 1); // TODO: only one doctype allowed for ES6 - //checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1); + // checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1); rh.sendAdminCertificate = true; verifyGetForSuperAdmin(new Header[0]); rh.sendAdminCertificate = true; 
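Review bot: The line `// checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1);` under `// TODO: only one doctype allowed for ES6` is commented-out code, and this commit reformats it instead of removing it; the identical pair recurs in the testRolesMappingApiWithFullPermissions hunk below. The ES6 remark does not describe this code base any more, and the live `checkWriteAccess` call immediately above already covers the write path, so both lines can simply be deleted in each place.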
@@ -65,35 +66,35 @@ public void testRolesMappingApi() throws Exception { verifyPutForSuperAdmin(new Header[0]); verifyPatchForSuperAdmin(new Header[0]); // mapping with several backend roles, one of the is captain - deleteAndPutNewMapping(new Header[0],"rolesmapping_backendroles_captains_list.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_backendroles_captains_list.json", true); checkAllSfAllowed(); // mapping with one backend role, captain - deleteAndPutNewMapping(new Header[0],"rolesmapping_backendroles_captains_single.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_backendroles_captains_single.json", true); checkAllSfAllowed(); // mapping with several users, one is picard - deleteAndPutNewMapping(new Header[0],"rolesmapping_users_picard_list.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_users_picard_list.json", true); checkAllSfAllowed(); // just user picard - deleteAndPutNewMapping(new Header[0],"rolesmapping_users_picard_single.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_users_picard_single.json", true); checkAllSfAllowed(); // hosts - deleteAndPutNewMapping(new Header[0],"rolesmapping_hosts_list.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_hosts_list.json", true); checkAllSfAllowed(); // hosts - deleteAndPutNewMapping(new Header[0],"rolesmapping_hosts_single.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_hosts_single.json", true); checkAllSfAllowed(); // full settings, access - deleteAndPutNewMapping(new Header[0],"rolesmapping_all_access.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_all_access.json", true); checkAllSfAllowed(); // full settings, no access - deleteAndPutNewMapping(new Header[0],"rolesmapping_all_noaccess.json", true); + deleteAndPutNewMapping(new Header[0], "rolesmapping_all_noaccess.json", true); checkAllSfForbidden(); } 
@@ -110,42 +111,42 @@ public void testRolesMappingApiWithFullPermissions() throws Exception { addUserWithPassword("picard", "picardpicardpicard", new String[] { "captains" }, HttpStatus.SC_CREATED); checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picardpicardpicard", "sf", "_doc", 1); // TODO: only one doctype allowed for ES6 - //checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1); + // checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1); - verifyGetForSuperAdmin(new Header[]{restApiAdminHeader}); - verifyDeleteForSuperAdmin(new Header[]{restApiAdminHeader}, false); - verifyPutForSuperAdmin(new Header[]{restApiAdminHeader}); - verifyPatchForSuperAdmin(new Header[]{restApiAdminHeader}); + verifyGetForSuperAdmin(new Header[] { restApiAdminHeader }); + verifyDeleteForSuperAdmin(new Header[] { restApiAdminHeader }, false); + verifyPutForSuperAdmin(new Header[] { restApiAdminHeader }); + verifyPatchForSuperAdmin(new Header[] { restApiAdminHeader }); // mapping with several backend roles, one of the is captain - deleteAndPutNewMapping(new Header[]{restApiAdminHeader}, "rolesmapping_backendroles_captains_list.json", false); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_backendroles_captains_list.json", false); checkAllSfAllowed(); // mapping with one backend role, captain - deleteAndPutNewMapping(new Header[]{restApiAdminHeader},"rolesmapping_backendroles_captains_single.json", true); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_backendroles_captains_single.json", true); checkAllSfAllowed(); // mapping with several users, one is picard - deleteAndPutNewMapping(new Header[]{restApiAdminHeader},"rolesmapping_users_picard_list.json", true); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_users_picard_list.json", true); checkAllSfAllowed(); // just user picard - deleteAndPutNewMapping(new 
Header[]{restApiAdminHeader},"rolesmapping_users_picard_single.json", true); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_users_picard_single.json", true); checkAllSfAllowed(); // hosts - deleteAndPutNewMapping(new Header[]{restApiAdminHeader},"rolesmapping_hosts_list.json", true); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_hosts_list.json", true); checkAllSfAllowed(); // hosts - deleteAndPutNewMapping(new Header[]{restApiAdminHeader},"rolesmapping_hosts_single.json", true); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_hosts_single.json", true); checkAllSfAllowed(); // full settings, access - deleteAndPutNewMapping(new Header[]{restApiAdminHeader},"rolesmapping_all_access.json", true); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_all_access.json", true); checkAllSfAllowed(); // full settings, no access - deleteAndPutNewMapping(new Header[]{restApiAdminHeader},"rolesmapping_all_noaccess.json", true); + deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_all_noaccess.json", true); checkAllSfForbidden(); } @@ -166,7 +167,6 @@ void verifyGetForSuperAdmin(final Header[] header) throws Exception { // Superadmin should be able to see reserved rolesmapping Assert.assertTrue(response.getBody().contains("opendistro_security_reserved")); - // -- GET // GET opendistro_security_role_starfleet, exists response = rh.executeGetRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet", header); 
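Review bot: In testRolesMappingApiWithFullPermissions only the first `deleteAndPutNewMapping(new Header[] { restApiAdminHeader }, "rolesmapping_backendroles_captains_list.json", false);` passes `useAdminCert = false`; the seven calls that follow pass `true`, which, going by the helper further down in this diff, sets `rh.sendAdminCertificate = true`, so those mappings are written under the admin certificate rather than under the REST-admin user's header the test is named for. If every mapping is meant to exercise the REST API admin permission, the trailing argument should be `false` on all of them; if the first call is deliberately the only one checking it, a comment saying so would stop the next reader from taking the inconsistency for a typo. The comment `// mapping with several backend roles, one of the is captain` should read "one of them is captain".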
@@ -242,26 +242,34 @@ void verifyPutForSuperAdmin(final Header[] header) throws Exception { Assert.assertEquals(AbstractConfigurationValidator.ErrorType.PAYLOAD_MANDATORY.getMessage(), settings.get("reason")); // put new configuration with invalid payload, must fail - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/rolesmapping_not_parseable.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/rolesmapping_not_parseable.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.BODY_NOT_PARSEABLE.getMessage(), settings.get("reason")); // put new configuration with invalid keys, must fail - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/rolesmapping_invalid_keys.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/rolesmapping_invalid_keys.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.INVALID_CONFIGURATION.getMessage(), settings.get("reason")); Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("theusers")); - Assert.assertTrue( - settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("thebackendroles")); + Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("thebackendroles")); 
Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("thehosts")); // wrong datatypes - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/rolesmapping_backendroles_captains_single_wrong_datatype.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/rolesmapping_backendroles_captains_single_wrong_datatype.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason")); @@ -269,8 +277,11 @@ void verifyPutForSuperAdmin(final Header[] header) throws Exception { Assert.assertTrue(settings.get("hosts") == null); Assert.assertTrue(settings.get("users") == null); - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/rolesmapping_hosts_single_wrong_datatype.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/rolesmapping_hosts_single_wrong_datatype.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason")); 
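Review bot: `Assert.assertTrue(settings.get("hosts") == null);` and `Assert.assertTrue(settings.get("users") == null);` in the @@ -269 hunk of verifyPutForSuperAdmin, and the matching pair in the @@ -278 hunk just below, should be `Assert.assertNull(settings.get("hosts"));` and `Assert.assertNull(settings.get("users"));`. The dedicated assertion reports the offending value on failure, whereas the boolean form only says "expected true". The enclosing method starts before this hunk and continues after it.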
@@ -278,8 +289,11 @@ void verifyPutForSuperAdmin(final Header[] header) throws Exception { Assert.assertTrue(settings.get("backend_roles") == null); Assert.assertTrue(settings.get("users") == null); - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/rolesmapping_users_picard_single_wrong_datatype.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/rolesmapping_users_picard_single_wrong_datatype.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason")); 
@@ -289,46 +303,70 @@ void verifyPutForSuperAdmin(final Header[] header) throws Exception { // Read only role mapping // SuperAdmin can add read only roles - mappings - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", - FileHelper.loadFile("restapi/rolesmapping_all_access.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", + FileHelper.loadFile("restapi/rolesmapping_all_access.json"), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); // hidden role, allowed for super admin - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_internal", - FileHelper.loadFile("restapi/rolesmapping_all_access.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_internal", + FileHelper.loadFile("restapi/rolesmapping_all_access.json"), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/rolesmapping_all_access.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/rolesmapping_all_access.json"), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); } void verifyPatchForSuperAdmin(final Header[] header) throws Exception { // PATCH on non-existing resource - HttpResponse response = rh.executePatchRequest(ENDPOINT + "/rolesmapping/imnothere", "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", header); + HttpResponse response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping/imnothere", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, 
response.getStatusCode()); // PATCH read only resource, must be forbidden // SuperAdmin can patch read-only resource - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", - "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\"] }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\"] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH hidden resource, must be not found, can be found by super admin - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping/opendistro_security_internal", - "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ " + - "\"foo\", \"bar\" ] }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping/opendistro_security_internal", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ " + "\"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH value of hidden flag, must fail with validation error - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_vulcans", - "[{ \"op\": \"add\", \"path\": \"/hidden\", \"value\": true }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_vulcans", + "[{ \"op\": \"add\", \"path\": \"/hidden\", \"value\": true }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); // PATCH - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_vulcans", - "[{ \"op\": \"add\", \"path\": \"/backend_roles/-\", \"value\": \"spring\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + 
"/rolesmapping/opendistro_security_role_vulcans", + "[{ \"op\": \"add\", \"path\": \"/backend_roles/-\", \"value\": \"spring\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_vulcans", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); 
@@ -339,32 +377,48 @@ void verifyPatchForSuperAdmin(final Header[] header) throws Exception { // -- PATCH on whole config resource // PATCH on non-existing resource - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", - "[{ \"op\": \"add\", \"path\": \"/imnothere/a\", \"value\": [ \"foo\", \"bar\" ] }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping", + "[{ \"op\": \"add\", \"path\": \"/imnothere/a\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH read only resource, must be forbidden // SuperAdmin can patch read only resource rh.sendAdminCertificate = true; - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", - "[{ \"op\": \"add\", \"path\": \"/opendistro_security_role_starfleet_library/description\", \"value\": \"foo\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_role_starfleet_library/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // PATCH hidden resource, must be bad request rh.sendAdminCertificate = true; - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/a\", \"value\": [ \"foo\", \"bar\" ] }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/a\", \"value\": [ \"foo\", \"bar\" ] }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH value of hidden flag, must fail with validation error rh.sendAdminCertificate = true; - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", - "[{ \"op\": \"add\", \"path\": \"/opendistro_security_role_vulcans/hidden\", \"value\": true }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping", 
+ "[{ \"op\": \"add\", \"path\": \"/opendistro_security_role_vulcans/hidden\", \"value\": true }]", + header + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); // PATCH - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", - "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": { \"backend_roles\":[\"vulcanadmin\"]} }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping", + "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": { \"backend_roles\":[\"vulcanadmin\"]} }]", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/rolesmapping/bulknew1", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); @@ -394,11 +448,13 @@ private void checkAllSfForbidden() throws Exception { private HttpResponse deleteAndPutNewMapping(final Header[] header, final String fileName, final boolean useAdminCert) throws Exception { rh.sendAdminCertificate = useAdminCert; - HttpResponse response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - header); + HttpResponse response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - FileHelper.loadFile("restapi/"+fileName), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + FileHelper.loadFile("restapi/" + fileName), + header + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); rh.sendAdminCertificate = false; return response; 
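Review bot: deleteAndPutNewMapping sets `rh.sendAdminCertificate = useAdminCert;` and resets it to `false` only after both assertions pass, so a failing assertion leaves the admin certificate enabled for the remainder of the test method and, presumably, for any later test that shares the same `rh`; wrapping the two requests in a `try` block whose `finally` performs `rh.sendAdminCertificate = false;` keeps the reset unconditional without changing the return value. In the verifyPatchForSuperAdmin hunk above, `// PATCH read only resource, must be forbidden` precedes an assertion of SC_OK and is contradicted by it; I would reduce it to `// PATCH read only resource: allowed for super admin` so the comment and the assertion agree.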
@@ -421,27 +477,38 @@ public void testRolesMappingApiForNonSuperAdminRestApiUser() throws Exception { setupWithRestRoles(); rh.sendAdminCertificate = false; final Header restApiHeader = encodeBasicHeader("test", "test"); - verifyNonSuperAdminUser(new Header[] {restApiHeader}); + verifyNonSuperAdminUser(new Header[] { restApiHeader }); } void verifyNonSuperAdminUser(final Header[] header) throws Exception { HttpResponse response; // Delete read only roles mapping - response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library" , header); + response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", header); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Put read only roles mapping - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", - FileHelper.loadFile("restapi/rolesmapping_all_access.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", + FileHelper.loadFile("restapi/rolesmapping_all_access.json"), + header + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch single read only roles mapping - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_library", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch multiple read only roles mapping - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", "[{ \"op\": \"add\", \"path\": \"/opendistro_security_role_starfleet_library/description\", \"value\": \"foo\" }]", header); + response = 
rh.executePatchRequest( + ENDPOINT + "/rolesmapping", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_role_starfleet_library/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // GET, rolesmapping is hidden, allowed for super admin 
@@ -449,21 +516,33 @@ void verifyNonSuperAdminUser(final Header[] header) throws Exception { Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Delete hidden roles mapping - response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/opendistro_security_internal" , header); + response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/opendistro_security_internal", header); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Put hidden roles mapping - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_internal", - FileHelper.loadFile("restapi/rolesmapping_all_access.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_internal", + FileHelper.loadFile("restapi/rolesmapping_all_access.json"), + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch hidden roles mapping - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping/opendistro_security_internal", "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", header); + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping/opendistro_security_internal", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch multiple hidden roles mapping - response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/description\", \"value\": \"foo\" }]", header); - Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); } + response = rh.executePatchRequest( + ENDPOINT + "/rolesmapping", + "[{ \"op\": \"add\", \"path\": \"/opendistro_security_internal/description\", \"value\": \"foo\" }]", + header + ); + Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); + } @Test public void 
testChangeRestApiAdminRoleMappingForbiddenForNonSuperAdmin() throws Exception { @@ -475,16 +554,22 @@ public void testChangeRestApiAdminRoleMappingForbiddenForNonSuperAdmin() throws final Header restApiHeader = encodeBasicHeader("test", "test"); HttpResponse response = rh.executePutRequest( - ENDPOINT + "/roles/new_rest_api_role", - createRestAdminPermissionsPayload(), restApiAdminHeader); + ENDPOINT + "/roles/new_rest_api_role", + createRestAdminPermissionsPayload(), + restApiAdminHeader + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); response = rh.executePutRequest( - ENDPOINT + "/roles/new_rest_api_role_without_mapping", - createRestAdminPermissionsPayload(), restApiAdminHeader); + ENDPOINT + "/roles/new_rest_api_role_without_mapping", + createRestAdminPermissionsPayload(), + restApiAdminHeader + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); response = rh.executePutRequest( - ENDPOINT + "/rolesmapping/new_rest_api_role", - createUsersPayload("a", "b", "c"), restApiAdminHeader); + ENDPOINT + "/rolesmapping/new_rest_api_role", + createUsersPayload("a", "b", "c"), + restApiAdminHeader + ); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); verifyRestApiPutAndDeleteForNonRestApiAdmin(adminHeader); 
@@ -497,11 +582,13 @@ public void testChangeRestApiAdminRoleMappingForbiddenForNonSuperAdmin() throws private void verifyRestApiPutAndDeleteForNonRestApiAdmin(final Header header) throws Exception { HttpResponse response = rh.executePutRequest( - ENDPOINT + "/rolesmapping/new_rest_api_role", createUsersPayload("a", "b", "c"), header); + ENDPOINT + "/rolesmapping/new_rest_api_role", + createUsersPayload("a", "b", "c"), + header + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - response = rh.executeDeleteRequest( - ENDPOINT + "/rolesmapping/new_rest_api_role", "", header); + response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/new_rest_api_role", "", header); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); } 
@@ -552,28 +639,29 @@ private String createPathPayload(final String op) throws JsonProcessingException } @Test - public void checkNullElementsInArray() throws Exception{ + public void checkNullElementsInArray() throws Exception { setup(); rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; String body = FileHelper.loadFile("restapi/rolesmapping_null_array_element_users.json"); - HttpResponse response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - body, new Header[0]); + HttpResponse response = rh.executePutRequest( + ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", + body, + new Header[0] + ); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.NULL_ARRAY_ELEMENT.getMessage(), settings.get("reason")); body = FileHelper.loadFile("restapi/rolesmapping_null_array_element_backend_roles.json"); - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - body, new Header[0]); + response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", body, new Header[0]); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.NULL_ARRAY_ELEMENT.getMessage(), settings.get("reason")); body = FileHelper.loadFile("restapi/rolesmapping_null_array_element_hosts.json"); - response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", - body, new Header[0]); + response = rh.executePutRequest(ENDPOINT + "/rolesmapping/opendistro_security_role_starfleet_captains", body, new Header[0]); settings = 
Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.NULL_ARRAY_ELEMENT.getMessage(), settings.get("reason")); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java index 53c6ff2e96..81fad7d4ff 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java @@ -19,11 +19,12 @@ public class SecurityApiAccessTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public SecurityApiAccessTest(){ + public SecurityApiAccessTest() { ENDPOINT = getEndpointPrefix() + "/api/internalusers"; } 
@@ -33,22 +34,14 @@ public void testRestApi() throws Exception { setup(); // test with no cert, must fail - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, - rh.executeGetRequest(ENDPOINT).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executeGetRequest(ENDPOINT, - encodeBasicHeader("admin", "admin")) - .getStatusCode()); + Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest(ENDPOINT).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest(ENDPOINT, encodeBasicHeader("admin", "admin")).getStatusCode()); // test with non-admin cert, must fail rh.keystore = "restapi/node-0-keystore.jks"; rh.sendAdminCertificate = true; - Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, - rh.executeGetRequest(ENDPOINT).getStatusCode()); - Assert.assertEquals(HttpStatus.SC_FORBIDDEN, - rh.executeGetRequest(ENDPOINT, - encodeBasicHeader("admin", "admin")) - .getStatusCode()); + Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, rh.executeGetRequest(ENDPOINT).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_FORBIDDEN, rh.executeGetRequest(ENDPOINT, encodeBasicHeader("admin", "admin")).getStatusCode()); } } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java index 50014993c1..8fc6ae1dd8 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java @@ -26,11 +26,12 @@ public class SecurityConfigApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public SecurityConfigApiTest(){ + public SecurityConfigApiTest() { ENDPOINT = getEndpointPrefix() + "/api"; } 
@@ -61,7 +62,9 @@ public void testSecurityConfigApiRead() throws Exception { @Test public void testSecurityConfigApiWrite() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .build(); setup(settings); rh.keystore = "restapi/kirk-keystore.jks"; @@ -70,13 +73,25 @@ public void testSecurityConfigApiWrite() throws Exception { HttpResponse response = rh.executeGetRequest(ENDPOINT + "/securityconfig", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + "/securityconfig/xxx", FileHelper.loadFile("restapi/securityconfig.json"), new Header[0]); + response = rh.executePutRequest( + ENDPOINT + "/securityconfig/xxx", + FileHelper.loadFile("restapi/securityconfig.json"), + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + "/securityconfig/config", FileHelper.loadFile("restapi/securityconfig.json"), new Header[0]); + response = rh.executePutRequest( + ENDPOINT + "/securityconfig/config", + FileHelper.loadFile("restapi/securityconfig.json"), + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + "/securityconfig/config", FileHelper.loadFile("restapi/invalid_config.json"), new Header[0]); + response = rh.executePutRequest( + ENDPOINT + "/securityconfig/config", + FileHelper.loadFile("restapi/invalid_config.json"), + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, response.getStatusCode()); Assert.assertTrue(response.getContentType(), response.isJsonContentType()); Assert.assertTrue(response.getBody().contains("Unrecognized field")); 
@@ -87,7 +102,11 @@ public void testSecurityConfigApiWrite() throws Exception { response = rh.executePostRequest(ENDPOINT + "/securityconfig", "{\"xxx\": 1}", new Header[0]); Assert.assertEquals(HttpStatus.SC_METHOD_NOT_ALLOWED, response.getStatusCode()); - response = rh.executePatchRequest(ENDPOINT + "/securityconfig", "[{\"op\": \"replace\",\"path\": \"/config/dynamic/hosts_resolver_mode\",\"value\": \"other\"}]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/securityconfig", + "[{\"op\": \"replace\",\"path\": \"/config/dynamic/hosts_resolver_mode\",\"value\": \"other\"}]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeDeleteRequest(ENDPOINT + "/securityconfig", new Header[0]); 
@@ -98,30 +117,35 @@ public void testSecurityConfigApiWrite() throws Exception { @Test public void testSecurityConfigForHTTPPatch() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .build(); setup(settings); rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - //non-default config + // non-default config String updatedConfig = FileHelper.loadFile("restapi/securityconfig_nondefault.json"); - //update config + // update config HttpResponse response = rh.executePutRequest(ENDPOINT + "/securityconfig/config", updatedConfig, new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - //make patch request - response = rh.executePatchRequest(ENDPOINT + "/securityconfig", "[{\"op\": \"add\",\"path\": \"/config/dynamic/do_not_fail_on_forbidden\",\"value\": \"false\"}]", new Header[0]); + // make patch request + response = rh.executePatchRequest( + ENDPOINT + "/securityconfig", + "[{\"op\": \"add\",\"path\": \"/config/dynamic/do_not_fail_on_forbidden\",\"value\": \"false\"}]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - //get config + // get config response = rh.executeGetRequest(ENDPOINT + "/securityconfig", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // verify configs are same Assert.assertEquals(DefaultObjectMapper.readTree(updatedConfig), DefaultObjectMapper.readTree(response.getBody()).get("config")); - } } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java index 93371b548a..d7a6edfea9 100644 
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java @@ -23,17 +23,20 @@ public class SecurityHealthActionTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public SecurityHealthActionTest(){ + public SecurityHealthActionTest() { ENDPOINT = getEndpointPrefix(); } @Test public void testSecurityHealthAPI() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .build(); setup(settings); rh.keystore = "restapi/kirk-keystore.jks"; diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityInfoActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityInfoActionTest.java index 654e0c6230..db27be85ee 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityInfoActionTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityInfoActionTest.java @@ -23,17 +23,20 @@ public class SecurityInfoActionTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public SecurityInfoActionTest(){ + public SecurityInfoActionTest() { ENDPOINT = getEndpointPrefix() + "/authinfo"; } @Test public void testSecurityInfoAPI() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .build(); setup(settings); rh.keystore = "restapi/kirk-keystore.jks"; 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java
index 425c2dca50..8797d196f5 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java
@@ -36,32 +36,38 @@ public class SslCertsApiTest extends AbstractRestApiUnitTest { static final String TRANSPORT_CERTS = "transport"; - private final static List> EXPECTED_CERTIFICATES = - ImmutableList.of( - ImmutableMap.of( - "issuer_dn", "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com", - "subject_dn", "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE", - "san", "[[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]", - "not_before", "2018-05-05T14:37:09Z", - "not_after", "2028-05-02T14:37:09Z" - ), - ImmutableMap.of( - "issuer_dn", "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com", - "subject_dn", "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com", - "san", "", - "not_before", "2018-05-05T14:37:08Z", - "not_after", "2028-05-04T14:37:08Z" - ) - ); + private final static List> EXPECTED_CERTIFICATES = ImmutableList.of( + ImmutableMap.of( + "issuer_dn", + "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com", + "subject_dn", + "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE", + "san", + "[[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]", + "not_before", + "2018-05-05T14:37:09Z", + "not_after", + "2028-05-02T14:37:09Z" + ), + ImmutableMap.of( + "issuer_dn", + "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com", + "subject_dn", + "CN=Example Com Inc. Signing CA,OU=Example Com Inc. 
Signing CA,O=Example Com Inc.,DC=example,DC=com", + "san", + "", + "not_before", + "2018-05-05T14:37:08Z", + "not_after", + "2028-05-04T14:37:08Z" + ) + ); private final static String EXPECTED_CERTIFICATES_BY_TYPE; static { try { EXPECTED_CERTIFICATES_BY_TYPE = DefaultObjectMapper.objectMapper.writeValueAsString( - ImmutableMap.of( - "http_certificates_list", EXPECTED_CERTIFICATES, - "transport_certificates_list", EXPECTED_CERTIFICATES - ) + ImmutableMap.of("http_certificates_list", EXPECTED_CERTIFICATES, "transport_certificates_list", EXPECTED_CERTIFICATES) ); } catch (JsonProcessingException e) { throw new RuntimeException(e); @@ -71,11 +77,13 @@ public class SslCertsApiTest extends AbstractRestApiUnitTest { private final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); private final Header restApiCertsInfoAdminHeader = encodeBasicHeader("rest_api_admin_ssl_info", "rest_api_admin_ssl_info"); - private final Header restApiReloadCertsAdminHeader = encodeBasicHeader("rest_api_admin_ssl_reloadcerts", "rest_api_admin_ssl_reloadcerts"); + private final Header restApiReloadCertsAdminHeader = encodeBasicHeader( + "rest_api_admin_ssl_reloadcerts", + "rest_api_admin_ssl_reloadcerts" + ); private final Header restApiHeader = encodeBasicHeader("test", "test"); - public String certsInfoEndpoint() { return PLUGINS_PREFIX + "/api/ssl/certs"; } @@ -165,9 +173,7 @@ private void sendAdminCert() { } Settings reloadEnabled() { - return Settings.builder() - .put(ConfigConstants.SECURITY_SSL_CERT_RELOAD_ENABLED, true) - .build(); + return Settings.builder().put(ConfigConstants.SECURITY_SSL_CERT_RELOAD_ENABLED, true).build(); } } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java index 00e983cc4f..2c6a45faf7 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java 
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java @@ -23,23 +23,26 @@ import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; public class TenantInfoActionTest extends AbstractRestApiUnitTest { - private String payload = "{\"hosts\":[],\"users\":[\"sarek\"]," + - "\"backend_roles\":[\"starfleet*\",\"ambassador\"],\"and_backend_roles\":[],\"description\":\"Migrated " + - "from v6\"}"; + private String payload = "{\"hosts\":[],\"users\":[\"sarek\"]," + + "\"backend_roles\":[\"starfleet*\",\"ambassador\"],\"and_backend_roles\":[],\"description\":\"Migrated " + + "from v6\"}"; private final String BASE_ENDPOINT; private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public TenantInfoActionTest(){ + public TenantInfoActionTest() { BASE_ENDPOINT = getEndpointPrefix(); ENDPOINT = getEndpointPrefix() + "/tenantinfo"; } @Test public void testTenantInfoAPIAccess() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .build(); setup(settings); rh.keystore = "restapi/kirk-keystore.jks"; 
@@ -58,16 +61,21 @@ public void testTenantInfoAPIAccess() throws Exception { @Test public void testTenantInfoAPIUpdate() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build(); + Settings settings = Settings.builder() + .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true) + .build(); setup(settings); rh.keystore = "restapi/kirk-keystore.jks"; rh.sendHTTPClientCredentials = true; rh.sendAdminCertificate = true; - //update security config - RestHelper.HttpResponse response = rh.executePatchRequest(BASE_ENDPOINT + "/api/securityconfig", "[{\"op\": \"add\",\"path\": \"/config/dynamic/kibana/opendistro_role\"," + - "\"value\": \"opendistro_security_internal\"}]", new Header[0]); + // update security config + RestHelper.HttpResponse response = rh.executePatchRequest( + BASE_ENDPOINT + "/api/securityconfig", + "[{\"op\": \"add\",\"path\": \"/config/dynamic/kibana/opendistro_role\"," + "\"value\": \"opendistro_security_internal\"}]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executePutRequest(BASE_ENDPOINT + "/api/rolesmapping/opendistro_security_internal", payload, new Header[0]); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java index abcda9a69c..895f65bc81 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java 
@@ -37,43 +37,42 @@ import static org.opensearch.security.dlic.rest.api.InternalUsersApiAction.RESTRICTED_FROM_USERNAME; import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; - public class UserApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - final int USER_SETTING_SIZE = 7 * 19; // Lines per account entry * number of accounts - private static final String ENABLED_SERVICE_ACCOUNT_BODY = "{" - + " \"attributes\": { \"service\": \"true\", " - + "\"enabled\": \"true\"}" - + " }\n"; + private static final String ENABLED_SERVICE_ACCOUNT_BODY = "{" + + " \"attributes\": { \"service\": \"true\", " + + "\"enabled\": \"true\"}" + + " }\n"; private static final String DISABLED_SERVICE_ACCOUNT_BODY = "{" - + " \"attributes\": { \"service\": \"true\", " - + "\"enabled\": \"false\"}" - + " }\n"; + + " \"attributes\": { \"service\": \"true\", " + + "\"enabled\": \"false\"}" + + " }\n"; private static final String ENABLED_NOT_SERVICE_ACCOUNT_BODY = "{" - + " \"attributes\": { \"service\": \"false\", " - + "\"enabled\": \"true\"}" - + " }\n"; + + " \"attributes\": { \"service\": \"false\", " + + "\"enabled\": \"true\"}" + + " }\n"; private static final String PASSWORD_SERVICE = "{ \"password\" : \"test\"," - + " \"attributes\": { \"service\": \"true\", " - + "\"enabled\": \"true\"}" - + " }\n"; + + " \"attributes\": { \"service\": \"true\", " + + "\"enabled\": \"true\"}" + + " }\n"; private static final String HASH_SERVICE = "{ \"owner\" : \"test_owner\"," - + " \"attributes\": { \"service\": \"true\", " - + "\"enabled\": \"true\"}" - + " }\n"; + + " \"attributes\": { \"service\": \"true\", " + + "\"enabled\": \"true\"}" + + " }\n"; private static final String PASSWORD_HASH_SERVICE = "{ \"password\" : \"test\", \"hash\" : \"123\"," - + " \"attributes\": { \"service\": \"true\", " - + "\"enabled\": \"true\"}" - + " }\n"; + + " \"attributes\": { 
\"service\": \"true\", " + + "\"enabled\": \"true\"}" + + " }\n"; - public UserApiTest(){ + public UserApiTest() { ENDPOINT = getEndpointPrefix() + "/api"; } @@ -86,17 +85,16 @@ public void testSecurityRoles() throws Exception { rh.sendAdminCertificate = true; // initial configuration, 6 users - HttpResponse response = rh - .executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString()); + HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(133, settings.size()); response = rh.executePatchRequest( - ENDPOINT + "/internalusers", - "[{ \"op\": \"add\", \"path\": \"/newuser\", " + - "\"value\": {\"password\": \"fair password for the user\", " + - "\"opendistro_security_roles\": [\"opendistro_security_all_access\"] } }]", - new Header[0] + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/newuser\", " + + "\"value\": {\"password\": \"fair password for the user\", " + + "\"opendistro_security_roles\": [\"opendistro_security_all_access\"] } }]", + new Header[0] ); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); @@ -116,8 +114,11 @@ public void testParallelPutRequests() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - HttpResponse[] responses = rh.executeMultipleAsyncPutRequest(10, - ENDPOINT + "/internalusers/test1", "{\"password\":\"test1test1test1test1test1test1\"}"); + HttpResponse[] responses = rh.executeMultipleAsyncPutRequest( + 10, + ENDPOINT + "/internalusers/test1", + "{\"password\":\"test1test1test1test1test1test1\"}" + ); boolean created = false; for (HttpResponse response : responses) { int sc = response.getStatusCode(); 
@@ -188,8 +189,7 @@ private void verifyPut(final Header... header) throws Exception { Assert.assertEquals(HttpStatus.SC_METHOD_NOT_ALLOWED, response.getStatusCode()); // Faulty JSON payload - response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{some: \"thing\" asd other: \"thing\"}", - header); + response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{some: \"thing\" asd other: \"thing\"}", header); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(settings.get("reason"), AbstractConfigurationValidator.ErrorType.BODY_NOT_PARSEABLE.getMessage()); 
@@ -198,37 +198,44 @@ private void verifyPut(final Header... header) throws Exception { response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{some: \"thing\", other: \"thing\"}", header); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - //JK: this should be "Could not parse content of request." because JSON is truly invalid - //Assert.assertEquals(settings.get("reason"), AbstractConfigurationValidator.ErrorType.INVALID_CONFIGURATION.getMessage()); - //Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("some")); - //Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("other")); + // JK: this should be "Could not parse content of request." because JSON is truly invalid + // Assert.assertEquals(settings.get("reason"), AbstractConfigurationValidator.ErrorType.INVALID_CONFIGURATION.getMessage()); + // Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("some")); + // Assert.assertTrue(settings.get(AbstractConfigurationValidator.INVALID_KEYS_KEY + ".keys").contains("other")); // Get hidden role - response = rh.executeGetRequest(ENDPOINT + "/internalusers/hide" , header); + response = rh.executeGetRequest(ENDPOINT + "/internalusers/hide", header); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("\"hidden\":true")); // Associating with hidden role is allowed (for superadmin) - response = rh.executePutRequest(ENDPOINT + "/internalusers/test", "{ \"opendistro_security_roles\": " + - "[\"opendistro_security_hidden\"]}", header); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/test", + "{ \"opendistro_security_roles\": " + "[\"opendistro_security_hidden\"]}", + header + ); Assert.assertEquals(HttpStatus.SC_OK, 
response.getStatusCode()); // Associating with reserved role is allowed (for superadmin) - response = rh.executePutRequest(ENDPOINT + "/internalusers/test", "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"], " + - "\"hash\": \"123\"}", - header); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/test", + "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"], " + "\"hash\": \"123\"}", + header + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // Associating with non-existent role is not allowed - response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{ \"opendistro_security_roles\": [\"non_existent\"]}", - header); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/nagilum", + "{ \"opendistro_security_roles\": [\"non_existent\"]}", + header + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(settings.get("message"), "Role 'non_existent' is not available for role-mapping."); // Wrong config keys - response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{\"some\": \"thing\", \"other\": \"thing\"}", - header); + response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{\"some\": \"thing\", \"other\": \"thing\"}", header); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(settings.get("reason"), AbstractConfigurationValidator.ErrorType.INVALID_CONFIGURATION.getMessage()); 
@@ -241,29 +248,49 @@ private void verifyPatch(final boolean sendAdminCert, Header... restAdminHeader) // -- PATCH // PATCH on non-existing resource rh.sendAdminCertificate = sendAdminCert; - HttpResponse response = rh.executePatchRequest(ENDPOINT + "/internalusers/imnothere", "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", restAdminHeader); + HttpResponse response = rh.executePatchRequest( + ENDPOINT + "/internalusers/imnothere", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // PATCH read only resource, must be forbidden, // but SuperAdmin can PATCH read-only resource rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers/sarek", "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers/sarek", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); // PATCH hidden resource, must be not found, can be found for super admin rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers/q", "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers/q", + "[{ \"op\": \"add\", \"path\": \"/a/b/c\", \"value\": [ \"foo\", \"bar\" ] }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH value of hidden flag, must fail with validation error rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers/test", "[{ \"op\": \"add\", \"path\": \"/hidden\", \"value\": true }]", restAdminHeader); + response = 
rh.executePatchRequest( + ENDPOINT + "/internalusers/test", + "[{ \"op\": \"add\", \"path\": \"/hidden\", \"value\": true }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); // PATCH password rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers/test", "[{ \"op\": \"add\", \"path\": \"/password\", \"value\": \"neu password 42\" }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers/test", + "[{ \"op\": \"add\", \"path\": \"/password\", \"value\": \"neu password 42\" }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/internalusers/test", restAdminHeader); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); 
@@ -274,34 +301,56 @@ private void verifyPatch(final boolean sendAdminCert, Header... restAdminHeader) // -- PATCH on whole config resource // PATCH on non-existing resource rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/imnothere/a\", \"value\": [ \"foo\", \"bar\" ] }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/imnothere/a\", \"value\": [ \"foo\", \"bar\" ] }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH read only resource, must be forbidden, // but SuperAdmin can PATCH read only resouce rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/sarek/description\", \"value\": \"foo\" }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/sarek/description\", \"value\": \"foo\" }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); rh.sendAdminCertificate = false; - response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/sarek/a\", \"value\": [ \"foo\", \"bar\" ] }]"); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/sarek/a\", \"value\": [ \"foo\", \"bar\" ] }]" + ); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode()); // PATCH hidden resource, must be bad request rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/q/a\", \"value\": [ \"foo\", \"bar\" ] }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/q/a\", \"value\": [ \"foo\", \"bar\" ] }]", + restAdminHeader + 
); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH value of hidden flag, must fail with validation error rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/test/hidden\", \"value\": true }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/test/hidden\", \"value\": true }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*")); // PATCH rh.sendAdminCertificate = sendAdminCert; - response = rh.executePatchRequest(ENDPOINT + "/internalusers", - "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": {\"password\": \"bla bla bla password 42\", \"backend_roles\": [\"vulcan\"] } }]", restAdminHeader); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": {\"password\": \"bla bla bla password 42\", \"backend_roles\": [\"vulcan\"] } }]", + restAdminHeader + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/internalusers/bulknew1", restAdminHeader); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); 
@@ -320,46 +369,36 @@ private void verifyPatch(final boolean sendAdminCert, Header... restAdminHeader) // add/update user, user is read only, forbidden // SuperAdmin can add read only users rh.sendAdminCertificate = sendAdminCert; - addUserWithHash("sarek", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_OK); + addUserWithHash("sarek", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_OK); // add/update user, user is hidden, forbidden, allowed for super admin rh.sendAdminCertificate = sendAdminCert; - addUserWithHash("q", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_OK); + addUserWithHash("q", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_OK); // add users rh.sendAdminCertificate = sendAdminCert; - addUserWithHash("nagilum", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_CREATED); + addUserWithHash("nagilum", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_CREATED); // Add enabled service account then get it - response = rh.executePutRequest(ENDPOINT + "/internalusers/happyServiceLive", - ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/internalusers/happyServiceLive", ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/internalusers/happyServiceLive", restAdminHeader); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - // Add disabled service account - response = rh.executePutRequest(ENDPOINT + "/internalusers/happyServiceDead", - DISABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/internalusers/happyServiceDead", DISABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, 
response.getStatusCode()); - // Add service account with password -- Should Fail - response = rh.executePutRequest(ENDPOINT + "/internalusers/passwordService", - PASSWORD_SERVICE, restAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/internalusers/passwordService", PASSWORD_SERVICE, restAdminHeader); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - //Add service with hash -- should fail - response = rh.executePutRequest(ENDPOINT + "/internalusers/hashService", - HASH_SERVICE, restAdminHeader); + // Add service with hash -- should fail + response = rh.executePutRequest(ENDPOINT + "/internalusers/hashService", HASH_SERVICE, restAdminHeader); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // Add Service account with password & Hash -- should fail - response = rh.executePutRequest(ENDPOINT + "/internalusers/passwordHashService", - PASSWORD_HASH_SERVICE, restAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/internalusers/passwordHashService", PASSWORD_HASH_SERVICE, restAdminHeader); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // access must be allowed now 
@@ -403,12 +442,11 @@ private void verifyPatch(final boolean sendAdminCert, Header... restAdminHeader) rh.sendAdminCertificate = sendAdminCert; // new user, password or hash is mandatory - addUserWithoutPasswordOrHash("nagilum", new String[]{"starfleet"}, HttpStatus.SC_BAD_REQUEST); + addUserWithoutPasswordOrHash("nagilum", new String[] { "starfleet" }, HttpStatus.SC_BAD_REQUEST); // new user, add hash - addUserWithHash("nagilum", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_CREATED); + addUserWithHash("nagilum", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_CREATED); // update user, do not specify hash or password, hash must remain the same - addUserWithoutPasswordOrHash("nagilum", new String[]{"starfleet"}, HttpStatus.SC_OK); + addUserWithoutPasswordOrHash("nagilum", new String[] { "starfleet" }, HttpStatus.SC_OK); // get user, check hash, must be untouched response = rh.executeGetRequest(ENDPOINT + "/internalusers/nagilum", restAdminHeader); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); 
@@ -421,42 +459,51 @@ private void verifyAuthToken(final boolean sendAdminCert, Header... restAdminHea // Add enabled service account then generate auth token rh.sendAdminCertificate = sendAdminCert; - HttpResponse response = rh.executePutRequest(ENDPOINT + "/internalusers/happyServiceLive", - ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); + HttpResponse response = rh.executePutRequest( + ENDPOINT + "/internalusers/happyServiceLive", + ENABLED_SERVICE_ACCOUNT_BODY, + restAdminHeader + ); Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode()); rh.sendAdminCertificate = sendAdminCert; response = rh.executeGetRequest(ENDPOINT + "/internalusers/happyServiceLive", restAdminHeader); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executePostRequest(ENDPOINT + "/internalusers/happyServiceLive/authtoken", - ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); + response = rh.executePostRequest( + ENDPOINT + "/internalusers/happyServiceLive/authtoken", + ENABLED_SERVICE_ACCOUNT_BODY, + restAdminHeader + ); Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode()); String tokenFromResponse = response.getBody(); byte[] decodedResponse = Base64.getUrlDecoder().decode(tokenFromResponse); String[] decodedResponseString = new String(decodedResponse).split(":", 2); String username = decodedResponseString[0]; String password = decodedResponseString[1]; - Assert.assertEquals("Username is: " + username,username, "happyServiceLive"); + Assert.assertEquals("Username is: " + username, username, "happyServiceLive"); // Add disabled service account then try to get its auth token rh.sendAdminCertificate = sendAdminCert; - response = rh.executePutRequest(ENDPOINT + "/internalusers/happyServiceDead", - DISABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/internalusers/happyServiceDead", DISABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); 
Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode()); - response = rh.executePostRequest(ENDPOINT + "/internalusers/happyServiceDead/authtoken", - ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); + response = rh.executePostRequest( + ENDPOINT + "/internalusers/happyServiceDead/authtoken", + ENABLED_SERVICE_ACCOUNT_BODY, + restAdminHeader + ); Assert.assertEquals(response.getBody(), HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - // Add enabled non-service account rh.sendAdminCertificate = sendAdminCert; - response = rh.executePutRequest(ENDPOINT + "/internalusers/user_is_owner_1", - ENABLED_NOT_SERVICE_ACCOUNT_BODY, restAdminHeader); + response = rh.executePutRequest(ENDPOINT + "/internalusers/user_is_owner_1", ENABLED_NOT_SERVICE_ACCOUNT_BODY, restAdminHeader); Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode()); - response = rh.executePostRequest(ENDPOINT + "/internalusers/user_is_owner_1/authtoken", - ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader); + response = rh.executePostRequest( + ENDPOINT + "/internalusers/user_is_owner_1/authtoken", + ENABLED_SERVICE_ACCOUNT_BODY, + restAdminHeader + ); Assert.assertEquals(response.getBody(), HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); } 
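Review bot: `new String(decodedResponse)` on the token-decoding line uses the platform default charset, so the `username:password` split can differ between JVMs; `new String(decodedResponse, StandardCharsets.UTF_8)` pins it (needs a `java.nio.charset.StandardCharsets` import if the file lacks one). The `password` local taken from `decodedResponseString[1]` is never read before the method ends, so either assert something about it or drop it. The assertion `Assert.assertEquals("Username is: " + username, username, "happyServiceLive")` passes expected and actual in reversed order; `Assert.assertEquals("Username is: " + username, "happyServiceLive", username)` yields a correct failure message. verifyAuthToken's signature is outside the hunk.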
@@ -464,7 +511,11 @@ private void verifyAuthToken(final boolean sendAdminCert, Header... restAdminHea private void verifyRoles(final boolean sendAdminCert, Header... header) throws Exception { // wrong datatypes in roles file rh.sendAdminCertificate = sendAdminCert; - HttpResponse response = rh.executePutRequest(ENDPOINT + "/internalusers/picard", FileHelper.loadFile("restapi/users_wrong_datatypes.json"), header); + HttpResponse response = rh.executePutRequest( + ENDPOINT + "/internalusers/picard", + FileHelper.loadFile("restapi/users_wrong_datatypes.json"), + header + ); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason")); @@ -472,7 +523,11 @@ private void verifyRoles(final boolean sendAdminCert, Header... header) throws E rh.sendAdminCertificate = false; rh.sendAdminCertificate = sendAdminCert; - response = rh.executePutRequest(ENDPOINT + "/internalusers/picard", FileHelper.loadFile("restapi/users_wrong_datatypes.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/picard", + FileHelper.loadFile("restapi/users_wrong_datatypes.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason")); 
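Review bot: In the second hunk (`@@ -472,7 +523,11 @@`) `rh.sendAdminCertificate = false;` is immediately overwritten by `rh.sendAdminCertificate = sendAdminCert;`, so the first assignment is dead; the same pair opens both hunks at `@@ -480` and `@@ -489` in verifyRoles. If the `false` was meant to reset the flag between the wrong-datatype PUTs it has no effect as placed, so either delete the `= false` line or move the reset after the preceding request's assertions. The enclosing method continues outside these hunks.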
@@ -480,7 +535,11 @@ private void verifyRoles(final boolean sendAdminCert, Header... header) throws E rh.sendAdminCertificate = false; rh.sendAdminCertificate = sendAdminCert; - response = rh.executePutRequest(ENDPOINT + "/internalusers/picard", FileHelper.loadFile("restapi/users_wrong_datatypes2.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/picard", + FileHelper.loadFile("restapi/users_wrong_datatypes2.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason")); @@ -489,7 +548,11 @@ private void verifyRoles(final boolean sendAdminCert, Header... header) throws E rh.sendAdminCertificate = false; rh.sendAdminCertificate = sendAdminCert; - response = rh.executePutRequest(ENDPOINT + "/internalusers/picard", FileHelper.loadFile("restapi/users_wrong_datatypes3.json"), header); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/picard", + FileHelper.loadFile("restapi/users_wrong_datatypes3.json"), + header + ); settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.WRONG_DATATYPE.getMessage(), settings.get("reason")); 
@@ -507,14 +570,14 @@ private void verifyRoles(final boolean sendAdminCert, Header... header) throws E checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picardpicardpicardpicardpicard", "sf", "_doc", 0); // overwrite user picard, and give him role "starfleet". - addUserWithPassword("picard", "picardpicardpicardpicardpicard", new String[]{"starfleet"}, HttpStatus.SC_OK); + addUserWithPassword("picard", "picardpicardpicardpicardpicard", new String[] { "starfleet" }, HttpStatus.SC_OK); checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicardpicard", "sf", "_doc", 0); checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picardpicardpicardpicardpicard", "sf", "_doc", 1); // overwrite user picard, and give him role "starfleet" plus "captains. Now // document can be created. - addUserWithPassword("picard", "picardpicardpicardpicardpicard", new String[]{"starfleet", "captains"}, HttpStatus.SC_OK); + addUserWithPassword("picard", "picardpicardpicardpicardpicard", new String[] { "starfleet", "captains" }, HttpStatus.SC_OK); checkReadAccess(HttpStatus.SC_OK, "picard", "picardpicardpicardpicardpicard", "sf", "_doc", 0); checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picardpicardpicardpicardpicard", "sf", "_doc", 1); 
@@ -576,14 +639,11 @@ public void testUserApiWithRestInternalUsersAdminPermissions() throws Exception @Test public void testRegExpPasswordRules() throws Exception { - Settings nodeSettings = - Settings.builder() - .put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, "xxx") - .put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, - "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}") - .put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, - PasswordValidator.ScoreStrength.FAIR.name()) - .build(); + Settings nodeSettings = Settings.builder() + .put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, "xxx") + .put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}") + .put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name()) + .build(); setup(nodeSettings); @@ -591,8 +651,7 @@ public void testRegExpPasswordRules() throws Exception { rh.sendAdminCertificate = true; // initial configuration, 6 users - HttpResponse response = rh - .executeGetRequest("_plugins/_security/api/" + CType.INTERNALUSERS.toLCString()); + HttpResponse response = rh.executeGetRequest("_plugins/_security/api/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(USER_SETTING_SIZE, settings.size()); 
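Review bot: The regex literal passed to `SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX` in the first hunk contains `\\\\d`, which the compiler reduces to the two characters `\\d`; inside the class `[^a-zA-Z\\d]` a regex engine reads that as an escaped backslash plus a literal `d`, not the digit class. If the intent is "at least one non-alphanumeric character", that lookahead is also satisfied by any digit, so the fixture may accept passwords the test name suggests it should reject; `"(?=.*[^a-zA-Z\\d])"` in Java source (regex `[^a-zA-Z\d]`) expresses the likely intent. This is pre-existing and untouched by the reformat, and I have not traced how the setting is consumed downstream, so it is worth confirming with a letters-plus-digits-only password before changing it.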
@@ -611,7 +670,7 @@ public void testRegExpPasswordRules() throws Exception { private void verifyCouldNotCreatePasswords(final int expectedStatus) throws Exception { addUserWithPassword("tooshoort", "", expectedStatus); - addUserWithPassword("tooshoort", "123",expectedStatus); + addUserWithPassword("tooshoort", "123", expectedStatus); addUserWithPassword("tooshoort", "1234567", expectedStatus); addUserWithPassword("tooshoort", "1Aa%", expectedStatus); addUserWithPassword("no-nonnumeric", "123456789", expectedStatus); 
@@ -619,39 +678,65 @@ private void verifyCouldNotCreatePasswords(final int expectedStatus) throws Exce addUserWithPassword("no-lowercase", "A123456789", expectedStatus); addUserWithPassword("empty_password_no_hash", "", expectedStatus); HttpResponse response = rh.executePatchRequest( - PLUGINS_PREFIX + "/api/internalusers", - "[{ \"op\": \"add\", \"path\": \"/ok4\", \"value\": {\"password\": \"bla\", \"backend_roles\": [\"vulcan\"] } }]", - new Header[0] + PLUGINS_PREFIX + "/api/internalusers", + "[{ \"op\": \"add\", \"path\": \"/ok4\", \"value\": {\"password\": \"bla\", \"backend_roles\": [\"vulcan\"] } }]", + new Header[0] ); Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode()); - response = rh.executePatchRequest(PLUGINS_PREFIX + "/api/internalusers", "[{ \"op\": \"replace\", \"path\": \"/ok4\", \"value\": {\"password\": \"bla\", \"backend_roles\": [\"vulcan\"] } }]", new Header[0]); + response = rh.executePatchRequest( + PLUGINS_PREFIX + "/api/internalusers", + "[{ \"op\": \"replace\", \"path\": \"/ok4\", \"value\": {\"password\": \"bla\", \"backend_roles\": [\"vulcan\"] } }]", + new Header[0] + ); Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode()); addUserWithPassword("ok4", "123", expectedStatus); - //its not allowed to use the username as password (case insensitive) - response = rh.executePatchRequest(PLUGINS_PREFIX + "/api/internalusers", "[{ \"op\": \"add\", \"path\": \"/$1aAAAAAAAAB\", \"value\": {\"password\": \"$1aAAAAAAAAB\", \"backend_roles\": [\"vulcan\"] } }]", new Header[0]); + // its not allowed to use the username as password (case insensitive) + response = rh.executePatchRequest( + PLUGINS_PREFIX + "/api/internalusers", + "[{ \"op\": \"add\", \"path\": \"/$1aAAAAAAAAB\", \"value\": {\"password\": \"$1aAAAAAAAAB\", \"backend_roles\": [\"vulcan\"] } }]", + new Header[0] + ); Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode()); 
addUserWithPassword("$1aAAAAAAAAC", "$1aAAAAAAAAC", expectedStatus); addUserWithPassword("$1aAAAAAAAac", "$1aAAAAAAAAC", expectedStatus); addUserWithPassword(URLEncoder.encode("$1aAAAAAAAac%", "UTF-8"), "$1aAAAAAAAAC%", expectedStatus); - addUserWithPassword(URLEncoder.encode("$1aAAAAAAAac%!=\"/\\;:test&~@^", "UTF-8").replace("+", "%2B"), "$1aAAAAAAAac%!=\\\"/\\\\;:test&~@^", expectedStatus); - addUserWithPassword(URLEncoder.encode("$1aAAAAAAAac%!=\"/\\;: test&", "UTF-8"), "$1aAAAAAAAac%!=\\\"/\\\\;: test&123", expectedStatus); - String patchPayload = "[ " + - "{ \"op\": \"add\", \"path\": \"/testuser1\", \"value\": { \"password\": \"$aA123456789\", \"backend_roles\": [\"testrole1\"] } }," + - "{ \"op\": \"add\", \"path\": \"/testuser2\", \"value\": { \"password\": \"testpassword2\", \"backend_roles\": [\"testrole2\"] } }" + - "]"; - - response = rh.executePatchRequest(PLUGINS_PREFIX + "/api/internalusers", patchPayload, new BasicHeader("Content-Type", "application/json")); + addUserWithPassword( + URLEncoder.encode("$1aAAAAAAAac%!=\"/\\;:test&~@^", "UTF-8").replace("+", "%2B"), + "$1aAAAAAAAac%!=\\\"/\\\\;:test&~@^", + expectedStatus + ); + addUserWithPassword( + URLEncoder.encode("$1aAAAAAAAac%!=\"/\\;: test&", "UTF-8"), + "$1aAAAAAAAac%!=\\\"/\\\\;: test&123", + expectedStatus + ); + String patchPayload = "[ " + + "{ \"op\": \"add\", \"path\": \"/testuser1\", \"value\": { \"password\": \"$aA123456789\", \"backend_roles\": [\"testrole1\"] } }," + + "{ \"op\": \"add\", \"path\": \"/testuser2\", \"value\": { \"password\": \"testpassword2\", \"backend_roles\": [\"testrole2\"] } }" + + "]"; + + response = rh.executePatchRequest( + PLUGINS_PREFIX + "/api/internalusers", + patchPayload, + new BasicHeader("Content-Type", "application/json") + ); Assert.assertEquals(expectedStatus, response.getStatusCode()); Assert.assertTrue(response.getBody().contains("error")); Assert.assertTrue(response.getBody().contains("xxx")); - response = rh.executePutRequest(PLUGINS_PREFIX + 
"/api/internalusers/ok1", "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{},\"password\":\"\"}", new Header[0]); + response = rh.executePutRequest( + PLUGINS_PREFIX + "/api/internalusers/ok1", + "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{},\"password\":\"\"}", + new Header[0] + ); Assert.assertEquals(expectedStatus, response.getStatusCode()); - response = rh.executePutRequest(PLUGINS_PREFIX + "/api/internalusers/ok1", - "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{},\"password\":\"bla\"}", - new Header[0]); + response = rh.executePutRequest( + PLUGINS_PREFIX + "/api/internalusers/ok1", + "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{},\"password\":\"bla\"}", + new Header[0] + ); Assert.assertEquals(expectedStatus, response.getStatusCode()); } 
@@ -662,35 +747,35 @@ private void verifyCanCreatePasswords() throws Exception { addUserWithPassword("ok4", "$1aAAAAAAAAA", HttpStatus.SC_CREATED); addUserWithPassword("ok4", "$1aAAAAAAAAC", HttpStatus.SC_OK); HttpResponse response = rh.executePatchRequest( - PLUGINS_PREFIX + "/api/internalusers", - "[{ \"op\": \"add\", \"path\": \"/ok4\", \"value\": {\"password\": \"$1aAAAAAAAAB\", \"backend_roles\": [\"vulcan\"] } }]", - new Header[0] + PLUGINS_PREFIX + "/api/internalusers", + "[{ \"op\": \"add\", \"path\": \"/ok4\", \"value\": {\"password\": \"$1aAAAAAAAAB\", \"backend_roles\": [\"vulcan\"] } }]", + new Header[0] ); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executePutRequest(PLUGINS_PREFIX + "/api/internalusers/ok1", "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{},\"password\":\"Admin_123\"}", new Header[0]); + response = rh.executePutRequest( + PLUGINS_PREFIX + "/api/internalusers/ok1", + "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{},\"password\":\"Admin_123\"}", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executePutRequest(PLUGINS_PREFIX + "/api/internalusers/ok1", "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{}}", new Header[0]); + response = rh.executePutRequest( + PLUGINS_PREFIX + "/api/internalusers/ok1", + "{\"backend_roles\":[\"my-backend-role\"],\"attributes\":{}}", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); } - private void verifySimilarity(final String expectedMessage) throws Exception { - addUserWithPassword( - "some_user_name", "H3235,cc,some_User_Name", - HttpStatus.SC_BAD_REQUEST, - expectedMessage - ); + addUserWithPassword("some_user_name", "H3235,cc,some_User_Name", HttpStatus.SC_BAD_REQUEST, expectedMessage); } @Test public void testScoreBasedPasswordRules() throws Exception { - Settings nodeSettings = - Settings.builder() - 
.put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 9) - .build(); + Settings nodeSettings = Settings.builder().put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 9).build(); setup(nodeSettings); @@ -698,28 +783,25 @@ public void testScoreBasedPasswordRules() throws Exception { rh.sendAdminCertificate = true; // initial configuration, 6 users - HttpResponse response = rh - .executeGetRequest("_plugins/_security/api/" + CType.INTERNALUSERS.toLCString()); + HttpResponse response = rh.executeGetRequest("_plugins/_security/api/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(133, settings.size()); addUserWithPassword( - "admin", "password89", - HttpStatus.SC_BAD_REQUEST, - AbstractConfigurationValidator.ErrorType.WEAK_PASSWORD.getMessage() + "admin", + "password89", + HttpStatus.SC_BAD_REQUEST, + AbstractConfigurationValidator.ErrorType.WEAK_PASSWORD.getMessage() ); addUserWithPassword( - "admin", "A123456789", - HttpStatus.SC_BAD_REQUEST, - AbstractConfigurationValidator.ErrorType.WEAK_PASSWORD.getMessage() + "admin", + "A123456789", + HttpStatus.SC_BAD_REQUEST, + AbstractConfigurationValidator.ErrorType.WEAK_PASSWORD.getMessage() ); - addUserWithPassword( - "admin", "pas", - HttpStatus.SC_BAD_REQUEST, - "Password does not match minimum criteria" - ); + addUserWithPassword("admin", "pas", HttpStatus.SC_BAD_REQUEST, "Password does not match minimum criteria"); verifySimilarity(AbstractConfigurationValidator.ErrorType.SIMILAR_PASSWORD.getMessage()); 
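Review bot: The context line `Assert.assertEquals(133, settings.size());` after the initial GET hard-codes the fixture size, while the sibling tests in this file (`testRegExpPasswordRules`, `testUserApiWithDots`) assert `USER_SETTING_SIZE` for the same request. If the constant holds the same value, `Assert.assertEquals(USER_SETTING_SIZE, settings.size());` keeps the three tests in step; if this test legitimately sees a different count, the literal deserves a comment saying why. The preceding `// initial configuration, 6 users` comment does not describe a settings count of 133 and should name what is being counted.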
@@ -735,23 +817,18 @@ public void testUserApiWithDots() throws Exception { rh.sendAdminCertificate = true; // initial configuration, 6 users - HttpResponse response = rh - .executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString()); + HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(USER_SETTING_SIZE, settings.size()); - addUserWithPassword(".my.dotuser0", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_CREATED); + addUserWithPassword(".my.dotuser0", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_CREATED); - addUserWithPassword(".my.dot.user0", "12345678Sd", - HttpStatus.SC_CREATED); + addUserWithPassword(".my.dot.user0", "12345678Sd", HttpStatus.SC_CREATED); - addUserWithHash(".my.dotuser1", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_CREATED); + addUserWithHash(".my.dotuser1", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_CREATED); - addUserWithPassword(".my.dot.user2", "12345678Sd", - HttpStatus.SC_CREATED); + addUserWithPassword(".my.dot.user2", "12345678Sd", HttpStatus.SC_CREATED); } 
@@ -766,25 +843,32 @@ public void testUserApiNoPasswordChange() throws Exception { // initial configuration, 5 users HttpResponse response; - addUserWithHash("user1", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_CREATED); + addUserWithHash("user1", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_CREATED); - response = rh.executePutRequest(ENDPOINT + "/internalusers/user1", "{\"hash\":\"$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m\",\"password\":\"\",\"backend_roles\":[\"admin\",\"rolea\"]}"); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/user1", + "{\"hash\":\"$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m\",\"password\":\"\",\"backend_roles\":[\"admin\",\"rolea\"]}" + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + "/internalusers/user1", "{\"hash\":\"$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m\",\"password\":\"Admin_123345Yq\",\"backend_roles\":[\"admin\",\"rolea\"]}"); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/user1", + "{\"hash\":\"$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m\",\"password\":\"Admin_123345Yq\",\"backend_roles\":[\"admin\",\"rolea\"]}" + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/internalusers/user1"); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - addUserWithHash("user2", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", - HttpStatus.SC_CREATED); + addUserWithHash("user2", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_CREATED); response = rh.executePutRequest(ENDPOINT + "/internalusers/user2", "{\"password\":\"\",\"backend_roles\":[\"admin\",\"rolex\"]}"); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); - response = rh.executePutRequest(ENDPOINT + 
"/internalusers/user2", "{\"password\":\"Admin_123Qerty\",\"backend_roles\":[\"admin\",\"rolex\"]}"); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/user2", + "{\"password\":\"Admin_123Qerty\",\"backend_roles\":[\"admin\",\"rolex\"]}" + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/internalusers/user2"); 
@@ -803,54 +887,89 @@ public void testUserApiForNonSuperAdmin() throws Exception { HttpResponse response; // Delete read only user - response = rh.executeDeleteRequest(ENDPOINT + "/internalusers/sarek" , new Header[0]); + response = rh.executeDeleteRequest(ENDPOINT + "/internalusers/sarek", new Header[0]); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch read only users - response = rh.executePatchRequest(ENDPOINT + "/internalusers/sarek", "[{ \"op\": \"add\", \"path\": \"/sarek/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers/sarek", + "[{ \"op\": \"add\", \"path\": \"/sarek/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Put read only users - response = rh.executePutRequest(ENDPOINT + "/internalusers/sarek", "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"]}", new Header[0]); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/sarek", + "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"]}", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch single read only user - response = rh.executePatchRequest(ENDPOINT + "/internalusers/sarek", "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers/sarek", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Patch multiple read only users - response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/sarek/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/sarek/description\", 
\"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); // Get hidden role - response = rh.executeGetRequest(ENDPOINT + "/internalusers/hide" , new Header[0]); + response = rh.executeGetRequest(ENDPOINT + "/internalusers/hide", new Header[0]); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Delete hidden user - response = rh.executeDeleteRequest(ENDPOINT + "/internalusers/hide" , new Header[0]); + response = rh.executeDeleteRequest(ENDPOINT + "/internalusers/hide", new Header[0]); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch hidden users - response = rh.executePatchRequest(ENDPOINT + "/internalusers/hide", "[{ \"op\": \"add\", \"path\": \"/sarek/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers/hide", + "[{ \"op\": \"add\", \"path\": \"/sarek/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Put hidden users - response = rh.executePutRequest(ENDPOINT + "/internalusers/hide", "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"]}", new Header[0]); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/hide", + "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"]}", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Put reserved role is forbidden for non-superadmin - response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"]}", - new Header[0]); + response = rh.executePutRequest( + ENDPOINT + "/internalusers/nagilum", + "{ \"opendistro_security_roles\": [\"opendistro_security_reserved\"]}", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); Settings settings = 
Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); Assert.assertEquals(settings.get("message"), "Resource 'opendistro_security_reserved' is read-only."); // Patch single hidden user - response = rh.executePatchRequest(ENDPOINT + "/internalusers/hide", "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers/hide", + "[{ \"op\": \"add\", \"path\": \"/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); // Patch multiple hidden users - response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/hide/description\", \"value\": \"foo\" }]", new Header[0]); + response = rh.executePatchRequest( + ENDPOINT + "/internalusers", + "[{ \"op\": \"add\", \"path\": \"/hide/description\", \"value\": \"foo\" }]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode()); } @@ -873,7 +992,7 @@ public void restrictedUsernameContents() throws Exception { } @Test - public void checkNullElementsInArray() throws Exception{ + public void checkNullElementsInArray() throws Exception { setup(); rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java index cc148393c1..371341147e 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java 
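Review bot: `Assert.assertEquals(settings.get("message"), "Resource 'opendistro_security_reserved' is read-only.");` in the reserved-role block passes actual before expected, so a failure reports the literal as the "actual" value; `Assert.assertEquals("Resource 'opendistro_security_reserved' is read-only.", settings.get("message"));` is the conventional order. The comment `// Get hidden role` sits above a request to `/internalusers/hide`, which is a user, not a role; `// Get hidden user` matches the sibling comments. Both points are pre-existing context in the `@@ -803` hunk.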
@@ -52,11 +52,12 @@ public class WhitelistApiTest extends AbstractRestApiUnitTest { private final Header adminCredsHeader = encodeBasicHeader("admin_all_access", "admin_all_access"); private final Header nonAdminCredsHeader = encodeBasicHeader("sarek", "sarek"); private final String ENDPOINT; + protected String getEndpointPrefix() { return PLUGINS_PREFIX; } - public WhitelistApiTest(){ + public WhitelistApiTest() { ENDPOINT = getEndpointPrefix() + "/api"; } 
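Review bot: The constructor `WhitelistApiTest()` initialises `ENDPOINT` by calling `getEndpointPrefix()`, which is `protected` and overridable; a subclass override that reads its own field would observe it before the subclass constructor has run. Making the method `final` (or computing the prefix as a `static` constant) removes the hazard, and if the method stays a hook, a comment such as `// must not depend on subclass state: called from the constructor` should say so. `ENDPOINT` is a per-instance field written in `UPPER_SNAKE_CASE`; if it is not made static, `endpoint` would follow the file's naming for instance fields.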
@@ -65,24 +66,32 @@ public WhitelistApiTest(){ * * @throws Exception */ - private void checkGetAndPutWhitelistPermissions(final int expectedStatus, final boolean sendAdminCertificate, final Header... headers) throws Exception { + private void checkGetAndPutWhitelistPermissions(final int expectedStatus, final boolean sendAdminCertificate, final Header... headers) + throws Exception { final boolean prevSendAdminCertificate = rh.sendAdminCertificate; rh.sendAdminCertificate = sendAdminCertificate; - //CHECK GET REQUEST + // CHECK GET REQUEST response = rh.executeGetRequest(ENDPOINT + "/whitelist", headers); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); if (expectedStatus == HttpStatus.SC_OK) { - //Note: the response has no whitespaces, so the .json file does not have whitespaces - Assert.assertEquals(FileHelper.loadFile("restapi/whitelist_response_success.json"), FileHelper.loadFile("restapi/whitelist_response_success.json")); + // Note: the response has no whitespaces, so the .json file does not have whitespaces + Assert.assertEquals( + FileHelper.loadFile("restapi/whitelist_response_success.json"), + FileHelper.loadFile("restapi/whitelist_response_success.json") + ); } - //FORBIDDEN FOR NON SUPER ADMIN + // FORBIDDEN FOR NON SUPER ADMIN if (expectedStatus == HttpStatus.SC_FORBIDDEN) { assertTrue(response.getBody().contains("API allowed only for super admin.")); } - //CHECK PUT REQUEST - response = rh.executePutRequest(ENDPOINT + "/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", headers); + // CHECK PUT REQUEST + response = rh.executePutRequest( + ENDPOINT + "/whitelist", + "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", + headers + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); rh.sendAdminCertificate = prevSendAdminCertificate; 
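Review bot: The success-path assertion in checkGetAndPutWhitelistPermissions is a tautology — `Assert.assertEquals(FileHelper.loadFile(...), FileHelper.loadFile(...))` compares the fixture file with itself and never reads the response, so the GET body of the whitelist API is unverified whenever expectedStatus is 200. It should read `Assert.assertEquals(FileHelper.loadFile("restapi/whitelist_response_success.json"), response.getBody());`. Separately, `rh.sendAdminCertificate = prevSendAdminCertificate;` runs only on the happy path; an assertion failing earlier in the helper leaves the override in place for the remaining calls of the same test, so the restore belongs in a `finally`. The method's closing brace lies outside the hunk.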
@@ -105,7 +114,10 @@ public void testPutUnknownKey() throws Exception { setup(); rh.sendAdminCertificate = true; - RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT + "/whitelist", "{ \"unknownkey\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"); + RestHelper.HttpResponse response = rh.executePutRequest( + ENDPOINT + "/whitelist", + "{ \"unknownkey\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}" + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); assertTrue(response.getBody().contains("invalid_keys")); assertHealthy(); @@ -116,7 +128,10 @@ public void testPutInvalidJson() throws Exception { setup(); rh.sendAdminCertificate = true; - RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT + "/whitelist", "{ \"invalid\"::{{ [\"*\"], \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"); + RestHelper.HttpResponse response = rh.executePutRequest( + ENDPOINT + "/whitelist", + "{ \"invalid\"::{{ [\"*\"], \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}" + ); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); assertHealthy(); } @@ -152,7 +167,7 @@ public void testWhitelistApi() throws Exception { // No creds, no admin certificate - UNAUTHORIZED checkGetAndPutWhitelistPermissions(HttpStatus.SC_UNAUTHORIZED, false); - //non admin creds, no admin certificate - FORBIDDEN + // non admin creds, no admin certificate - FORBIDDEN checkGetAndPutWhitelistPermissions(HttpStatus.SC_FORBIDDEN, false, nonAdminCredsHeader); // admin creds, no admin certificate - FORBIDDEN 
@@ -165,37 +180,45 @@ public void testWhitelistApi() throws Exception { @Test public void testWhitelistAuditComplianceLogging() throws Exception { Settings settings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) - .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") - .build(); + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) + .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES") + .build(); setupWithRestRoles(settings); TestAuditlogImpl.clear(); // any creds, admin certificate - OK checkGetAndPutWhitelistPermissions(HttpStatus.SC_OK, true, nonAdminCredsHeader); - //TESTS THAT 1 READ 
AND 1 WRITE HAPPENS IN testGetAndPut() + // TESTS THAT 1 READ AND 1 WRITE HAPPENS IN testGetAndPut() final Map expectedCategoryCounts = ImmutableMap.of( - AuditCategory.COMPLIANCE_INTERNAL_CONFIG_READ, 1L, - AuditCategory.COMPLIANCE_INTERNAL_CONFIG_WRITE, 1L); - Map actualCategoryCounts = TestAuditlogImpl.messages.stream().collect(Collectors.groupingBy(AuditMessage::getCategory, Collectors.counting())); + AuditCategory.COMPLIANCE_INTERNAL_CONFIG_READ, + 1L, + AuditCategory.COMPLIANCE_INTERNAL_CONFIG_WRITE, + 1L + ); + Map actualCategoryCounts = TestAuditlogImpl.messages.stream() + .collect(Collectors.groupingBy(AuditMessage::getCategory, Collectors.counting())); assertThat(actualCategoryCounts, equalTo(expectedCategoryCounts)); } @Test - public void testWhitelistInvalidHttpRequestMethod() throws Exception{ + public void testWhitelistInvalidHttpRequestMethod() throws Exception { setup(); rh.sendAdminCertificate = true; - response = rh.executePutRequest(ENDPOINT + "/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GE\"],\"/_cat/indices\": [\"PUT\"] }}", adminCredsHeader); + response = rh.executePutRequest( + ENDPOINT + "/whitelist", + "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GE\"],\"/_cat/indices\": [\"PUT\"] }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR)); assertTrue(response.getBody().contains("\\\"GE\\\": not one of the values accepted for Enum class")); } 
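Review bot: testWhitelistInvalidHttpRequestMethod pins `HttpStatus.SC_INTERNAL_SERVER_ERROR` and the raw Jackson text `\"GE\": not one of the values accepted for Enum class` for a request whose only problem is a bad client-supplied value. That locks in a 500 for a client error and documents that the parser's exception message is returned verbatim to the caller, which is inconsistent with testPutInvalidJson expecting `HttpStatus.SC_BAD_REQUEST` for malformed JSON and ties the test to a Jackson version. The contract worth asserting is `assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));` together with an application-level error marker rather than library text, which presumably needs a handler change outside this diff. In the same hunk the comment `// TESTS THAT 1 READ AND 1 WRITE HAPPENS IN testGetAndPut()` names a method that does not exist here; the call it describes is to checkGetAndPutWhitelistPermissions.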
@@ -208,37 +231,61 @@ public void testWhitelistInvalidHttpRequestMethod() throws Exception{ * @throws Exception */ @Test - public void testPatchApi() throws Exception{ + public void testPatchApi() throws Exception { setup(); rh.sendAdminCertificate = true; - //PATCH entire config entry - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"replace\", \"path\": \"/config\", \"value\": {\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"PUT\"] }}}]", new Header[0]); + // PATCH entire config entry + response = rh.executePatchRequest( + ENDPOINT + "/whitelist", + "[{ \"op\": \"replace\", \"path\": \"/config\", \"value\": {\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"PUT\"] }}}]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); - assertEquals(response.getBody(),"{\"config\":{\"enabled\":true,\"requests\":{\"/_cat/nodes\":[\"GET\"],\"/_cat/indices\":[\"PUT\"]}}}"); - - //PATCH just requests - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"replace\", \"path\": \"/config/requests\", \"value\": {\"/_cat/nodes\": [\"GET\"]}}]", new Header[0]); + assertEquals( + response.getBody(), + "{\"config\":{\"enabled\":true,\"requests\":{\"/_cat/nodes\":[\"GET\"],\"/_cat/indices\":[\"PUT\"]}}}" + ); + + // PATCH just requests + response = rh.executePatchRequest( + ENDPOINT + "/whitelist", + "[{ \"op\": \"replace\", \"path\": \"/config/requests\", \"value\": {\"/_cat/nodes\": [\"GET\"]}}]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); assertTrue(response.getBody().contains("\"requests\":{\"/_cat/nodes\":[\"GET\"]}")); - //PATCH just whitelisted_enabled using "replace" operation - works when enabled is already true - response = 
rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"replace\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]); + // PATCH just whitelisted_enabled using "replace" operation - works when enabled is already true + response = rh.executePatchRequest( + ENDPOINT + "/whitelist", + "[{ \"op\": \"replace\", \"path\": \"/config/enabled\", \"value\": false}]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); assertTrue(response.getBody().contains("\"enabled\":false")); - //PATCH just enabled using "add" operation when it is currently false - works correctly - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": true}]", new Header[0]); + // PATCH just enabled using "add" operation when it is currently false - works correctly + response = rh.executePatchRequest( + ENDPOINT + "/whitelist", + "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": true}]", + new Header[0] + ); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); assertTrue(response.getBody().contains("\"enabled\":true")); - //PATCH just enabled using "add" operation when it is currently true - works correctly - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]); - Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); + // PATCH just enabled using "add" operation when it is currently true - works correctly + response = rh.executePatchRequest( + ENDPOINT + "/whitelist", + "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": false}]", + new Header[0] + ); + Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); + 
response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader);
 response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader);
 assertTrue(response.getBody().contains("\"enabled\":false"));
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java
index a48a7d2e3a..925d90ccba 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyAccountApiTests extends AccountApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyActionGroupsApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyActionGroupsApiTests.java
index 9aa4b70c77..e92f046f65 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyActionGroupsApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyActionGroupsApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyActionGroupsApiTests extends ActionGroupsApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAuditApiActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAuditApiActionTests.java
index 4d97da8bbb..fbde68e911 100644
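Review bot: testPatchApi exercises PATCH on the whitelist endpoint only with `rh.sendAdminCertificate = true` and no credential headers, and checkGetAndPutWhitelistPermissions covers only GET and PUT, so a missing super-admin check on the PATCH path would go unnoticed here unless it is covered elsewhere. A negative case in the same style would close that gap: `rh.sendAdminCertificate = false;` / `response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"replace\", \"path\": \"/config/enabled\", \"value\": false}]", nonAdminCredsHeader);` / `Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());`, mirroring the 403 the GET/PUT checks expect for non-admin credentials. Also, the final block issues `response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader);` twice in a row; the first result is discarded and that line can be dropped.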
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAuditApiActionTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAuditApiActionTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyAuditApiActionTests extends AuditApiActionTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java
index a9baec37bd..ee39f93ee0 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java
@@ -16,7 +16,7 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyDashboardsInfoActionTests extends DashboardsInfoActionTest {
- @Override
+ @Override
 protected String getEndpoint() {
 return LEGACY_OPENDISTRO_PREFIX + "/kibanainfo";
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java
index ab09a6e2f2..df9cc3d59d 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyFlushCacheApiTests extends FlushCacheApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyGetConfigurationApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyGetConfigurationApiTests.java
index cca6739733..07983bad0d 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyGetConfigurationApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyGetConfigurationApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyGetConfigurationApiTests extends GetConfigurationApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyIndexMissingTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyIndexMissingTests.java
index 0680aa2c2e..fef436f4d7 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyIndexMissingTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyIndexMissingTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyIndexMissingTests extends IndexMissingTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyNodesDnApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyNodesDnApiTests.java
index 22237ece3f..a316785f02 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyNodesDnApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyNodesDnApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyNodesDnApiTests extends NodesDnApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRoleBasedAccessTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRoleBasedAccessTests.java
index c9f421058c..329404dfe7 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRoleBasedAccessTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRoleBasedAccessTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyRoleBasedAccessTests extends RoleBasedAccessTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesApiTests.java
index b4ec33a2d5..118f8e1ebe 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyRolesApiTests extends RolesApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesMappingApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesMappingApiTests.java
index c659fb57bc..dd29b524c1 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesMappingApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRolesMappingApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyRolesMappingApiTests extends RolesMappingApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityApiAccessTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityApiAccessTests.java
index 72b6086c1e..85428d645d 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityApiAccessTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityApiAccessTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacySecurityApiAccessTests extends SecurityApiAccessTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityConfigApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityConfigApiTests.java
index fd03e7248a..6175809b4a 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityConfigApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityConfigApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacySecurityConfigApiTests extends SecurityConfigApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java
index 470db0a526..99fa4a99ae 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacySecurityHealthActionTests extends SecurityHealthActionTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityInfoActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityInfoActionTests.java
index 8480787423..75c5238f7f 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityInfoActionTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityInfoActionTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacySecurityInfoActionTests extends SecurityInfoActionTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyTenantInfoActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyTenantInfoActionTests.java
index 1f2ac9a77d..49963d7d55 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyTenantInfoActionTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyTenantInfoActionTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyTenantInfoActionTests extends TenantInfoActionTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyUserApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyUserApiTests.java
index 5753688097..449bce270d 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyUserApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyUserApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyUserApiTests extends UserApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyWhitelistApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyWhitelistApiTests.java
index 3ae501f9a4..689981aa2a 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyWhitelistApiTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyWhitelistApiTests.java
@@ -16,8 +16,8 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 public class LegacyWhitelistApiTests extends WhitelistApiTest {
- @Override
- protected String getEndpointPrefix() {
- return LEGACY_OPENDISTRO_PREFIX;
- }
+ @Override
+ protected String getEndpointPrefix() {
+ return LEGACY_OPENDISTRO_PREFIX;
+ }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/validation/PasswordValidatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/validation/PasswordValidatorTest.java
index b5d27827b8..7ea6f23898 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/validation/PasswordValidatorTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/validation/PasswordValidatorTest.java
@@ -25,126 +25,120 @@ public class PasswordValidatorTest { - static final List WEAK_PASSWORDS = ImmutableList.of( - "q", "5", "&", "admin", "123456", "password" - ); + static final List WEAK_PASSWORDS = ImmutableList.of("q", "5", "&", "admin", "123456", "password"); static final List FAIR_PASSWORDS = ImmutableList.of( - "p@$$word@dmin", "qwertyuiop@[", - "zxcvbnm,./_", "asdfghjkl;:]", "20300101", - "pandapandapandapandapandapandapandapandapandaa", - "appleappleappleappleappleappleappleappleapplea", - "aelppaaelppaaelppaaelppaaelppaaelppaaelppaaelppa" + "p@$$word@dmin", + "qwertyuiop@[", + "zxcvbnm,./_", + "asdfghjkl;:]", + "20300101", + "pandapandapandapandapandapandapandapandapandaa", + "appleappleappleappleappleappleappleappleapplea", + "aelppaaelppaaelppaaelppaaelppaaelppaaelppaaelppa" ); static final List GOOD_PASSWORDS = ImmutableList.of( - "xsw234rfvb", "yaq123edc", "cde345tgbn", "yaqwedcvb", - "Tr0ub4dour&3", "qwER43@!" + "xsw234rfvb", + "yaq123edc", + "cde345tgbn", + "yaqwedcvb", + "Tr0ub4dour&3", + "qwER43@!" 
); - static final List STRONG_PASSWORDS = ImmutableList.of( - "YWert,H90", "Admincc,H90", "Hadmin,120" - ); + static final List STRONG_PASSWORDS = ImmutableList.of("YWert,H90", "Admincc,H90", "Hadmin,120"); static final List VERY_STRONG_PASSWORDS = ImmutableList.of( - "AeTq($%u-44c_j9NJB45a#2#JP7sH", "IB7~EOw!51gug+7s#+%A9P1O/w8f", - "1v_f%7JvS8w!_t398+ON-CObI#v0", "8lFmfc0!w)&iU9DM6~4_w)D)Y44J" + "AeTq($%u-44c_j9NJB45a#2#JP7sH", + "IB7~EOw!51gug+7s#+%A9P1O/w8f", + "1v_f%7JvS8w!_t398+ON-CObI#v0", + "8lFmfc0!w)&iU9DM6~4_w)D)Y44J" ); static final List SIMILAR_PASSWORDS = ImmutableList.of( - "some_user_name,H2344cc", "H3235,Some_User_Name,cc", - "H3235,cc,some_User_Name", "H3235,SOME_User_Name,cc", - "H3235,eman_resu_emos,cc" + "some_user_name,H2344cc", + "H3235,Some_User_Name,cc", + "H3235,cc,some_User_Name", + "H3235,SOME_User_Name,cc", + "H3235,eman_resu_emos,cc" ); - public void verifyWeakPasswords(final PasswordValidator passwordValidator, - final AbstractConfigurationValidator.ErrorType expectedValidationResult) { + public void verifyWeakPasswords( + final PasswordValidator passwordValidator, + final AbstractConfigurationValidator.ErrorType expectedValidationResult + ) { for (final String password : WEAK_PASSWORDS) - assertEquals( - password, - expectedValidationResult, - passwordValidator.validate("some_user_name", password) - ); + assertEquals(password, expectedValidationResult, passwordValidator.validate("some_user_name", password)); } - public void verifyFairPasswords(final PasswordValidator passwordValidator, - final AbstractConfigurationValidator.ErrorType expectedValidationResult) { + public void verifyFairPasswords( + final PasswordValidator passwordValidator, + final AbstractConfigurationValidator.ErrorType expectedValidationResult + ) { for (final String password : FAIR_PASSWORDS) - assertEquals( - password, - expectedValidationResult, - passwordValidator.validate("some_user_name", password) - ); + assertEquals(password, expectedValidationResult, 
passwordValidator.validate("some_user_name", password)); } - public void verifyGoodPasswords(final PasswordValidator passwordValidator, - final AbstractConfigurationValidator.ErrorType expectedValidationResult) { + public void verifyGoodPasswords( + final PasswordValidator passwordValidator, + final AbstractConfigurationValidator.ErrorType expectedValidationResult + ) { for (final String password : GOOD_PASSWORDS) - assertEquals( - password, - expectedValidationResult, - passwordValidator.validate("some_user_name", password) - ); + assertEquals(password, expectedValidationResult, passwordValidator.validate("some_user_name", password)); } - public void verifyStrongPasswords(final PasswordValidator passwordValidator, - final AbstractConfigurationValidator.ErrorType expectedValidationResult) { + public void verifyStrongPasswords( + final PasswordValidator passwordValidator, + final AbstractConfigurationValidator.ErrorType expectedValidationResult + ) { for (final String password : STRONG_PASSWORDS) - assertEquals( - password, - expectedValidationResult, - passwordValidator.validate("some_user_name", password) - ); + assertEquals(password, expectedValidationResult, passwordValidator.validate("some_user_name", password)); } - public void verifyVeryStrongPasswords(final PasswordValidator passwordValidator, - final AbstractConfigurationValidator.ErrorType expectedValidationResult) { + public void verifyVeryStrongPasswords( + final PasswordValidator passwordValidator, + final AbstractConfigurationValidator.ErrorType expectedValidationResult + ) { for (final String password : VERY_STRONG_PASSWORDS) - assertEquals( - password, - expectedValidationResult, - passwordValidator.validate("some_user_name", password) - ); + assertEquals(password, expectedValidationResult, passwordValidator.validate("some_user_name", password)); } public void verifySimilarPasswords(final PasswordValidator passwordValidator) { for (final String password : SIMILAR_PASSWORDS) assertEquals( - password, 
- AbstractConfigurationValidator.ErrorType.SIMILAR_PASSWORD, - passwordValidator.validate("some_user_name", password) + password, + AbstractConfigurationValidator.ErrorType.SIMILAR_PASSWORD, + passwordValidator.validate("some_user_name", password) ); } @Test public void testRegExpBasedValidation() { - final PasswordValidator passwordValidator = - PasswordValidator.of( - Settings.builder() - .put( - SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, - "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}") - .build() - ); + final PasswordValidator passwordValidator = PasswordValidator.of( + Settings.builder() + .put(SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}") + .build() + ); verifyWeakPasswords(passwordValidator, AbstractConfigurationValidator.ErrorType.INVALID_PASSWORD); verifyFairPasswords(passwordValidator, AbstractConfigurationValidator.ErrorType.INVALID_PASSWORD); for (final String password : GOOD_PASSWORDS.subList(0, GOOD_PASSWORDS.size() - 2)) assertEquals( - password, - AbstractConfigurationValidator.ErrorType.INVALID_PASSWORD, - passwordValidator.validate("some_user_name", password) + password, + AbstractConfigurationValidator.ErrorType.INVALID_PASSWORD, + passwordValidator.validate("some_user_name", password) ); - for (final String password: GOOD_PASSWORDS.subList(GOOD_PASSWORDS.size() - 2, GOOD_PASSWORDS.size())) + for (final String password : GOOD_PASSWORDS.subList(GOOD_PASSWORDS.size() - 2, GOOD_PASSWORDS.size())) assertEquals( - password, - AbstractConfigurationValidator.ErrorType.WEAK_PASSWORD, - passwordValidator.validate("some_user_name", password) + password, + AbstractConfigurationValidator.ErrorType.WEAK_PASSWORD, + passwordValidator.validate("some_user_name", password) ); verifyStrongPasswords(passwordValidator, AbstractConfigurationValidator.ErrorType.NONE); verifyVeryStrongPasswords(passwordValidator, AbstractConfigurationValidator.ErrorType.NONE); 
@@ -153,17 +147,11 @@ public void testRegExpBasedValidation() { @Test public void testMinLength() { - final PasswordValidator passwordValidator = - PasswordValidator.of( - Settings.builder() - .put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 15) - .build() - ); - for (final String password: STRONG_PASSWORDS) { - assertEquals( - AbstractConfigurationValidator.ErrorType.INVALID_PASSWORD, - passwordValidator.validate(password, "some_user_name") - ); + final PasswordValidator passwordValidator = PasswordValidator.of( + Settings.builder().put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 15).build() + ); + for (final String password : STRONG_PASSWORDS) { + assertEquals(AbstractConfigurationValidator.ErrorType.INVALID_PASSWORD, passwordValidator.validate(password, "some_user_name")); } } @@ -178,13 +166,11 @@ public void testScoreBasedValidation() { verifyVeryStrongPasswords(passwordValidator, AbstractConfigurationValidator.ErrorType.NONE); verifySimilarPasswords(passwordValidator); - passwordValidator = - PasswordValidator.of( - Settings.builder() - .put( - SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, - PasswordValidator.ScoreStrength.FAIR.name() - ).build()); + passwordValidator = PasswordValidator.of( + Settings.builder() + .put(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name()) + .build() + ); verifyWeakPasswords(passwordValidator, AbstractConfigurationValidator.ErrorType.WEAK_PASSWORD); verifyFairPasswords(passwordValidator, AbstractConfigurationValidator.ErrorType.NONE); diff --git a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java index 161e8aab72..3e9cfe4b5e 100644 --- a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java +++ b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java 
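Review bot: In testMinLength the argument order in `passwordValidator.validate(password, "some_user_name")` is reversed relative to every other call in this file, which use `validate("some_user_name", password)`; if the first parameter is the user name, as those calls suggest, this test validates the literal string "some_user_name" as the password. That string is 14 characters, so with SECURITY_RESTAPI_PASSWORD_MIN_LENGTH set to 15 the INVALID_PASSWORD assertion passes no matter what STRONG_PASSWORDS contains, and the min-length rule is never exercised against them. The reformatting carries the swapped order over unchanged; the line should read `assertEquals(AbstractConfigurationValidator.ErrorType.INVALID_PASSWORD, passwordValidator.validate("some_user_name", password));`. Worth confirming against the PasswordValidator.validate signature, which is outside this diff.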
@@ -59,32 +59,33 @@ public SecurityFilterTest(Settings settings, WildcardMatcher expected) { @Parameterized.Parameters public static Collection data() { - return Arrays.asList(new Object[][]{ - {Settings.EMPTY, WildcardMatcher.NONE}, - {Settings.builder() - .putList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "immutable1", "immutable2") - .build(), - WildcardMatcher.from(ImmutableSet.of("immutable1", "immutable2"))}, - {Settings.builder() + return Arrays.asList( + new Object[][] { + { Settings.EMPTY, WildcardMatcher.NONE }, + { + Settings.builder().putList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "immutable1", "immutable2").build(), + WildcardMatcher.from(ImmutableSet.of("immutable1", "immutable2")) }, + { + Settings.builder() .putList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "immutable1", "immutable2", "immutable2") .build(), - WildcardMatcher.from(ImmutableSet.of("immutable1", "immutable2"))}, - }); + WildcardMatcher.from(ImmutableSet.of("immutable1", "immutable2")) }, } + ); } @Test public void testImmutableIndicesWildcardMatcher() { final SecurityFilter filter = new SecurityFilter( - settings, - mock(PrivilegesEvaluator.class), - mock(AdminDNs.class), - mock(DlsFlsRequestValve.class), - mock(AuditLog.class), - mock(ThreadPool.class), - mock(ClusterService.class), - mock(CompatConfig.class), - mock(IndexResolverReplacer.class), - mock(XFFResolver.class) + settings, + mock(PrivilegesEvaluator.class), + mock(AdminDNs.class), + mock(DlsFlsRequestValve.class), + mock(AuditLog.class), + mock(ThreadPool.class), + mock(ClusterService.class), + mock(CompatConfig.class), + mock(IndexResolverReplacer.class), + mock(XFFResolver.class) ); assertThat(expected, equalTo(filter.getImmutableIndicesMatcher())); } 
@@ -103,7 +104,7 @@ public void testUnexepectedCausesAreNotSendToCallers() { mock(AdminDNs.class), mock(DlsFlsRequestValve.class), auditLog, - new ThreadPool(Settings.builder().put("node.name", "mock").build()), + new ThreadPool(Settings.builder().put("node.name", "mock").build()), mock(ClusterService.class), mock(CompatConfig.class), mock(IndexResolverReplacer.class), @@ -120,7 +121,11 @@ public void testUnexepectedCausesAreNotSendToCallers() { verify(listener).onFailure(cap.capture()); assertThat("The cause should never be included as it will leak to callers", cap.getValue().getCause(), nullValue()); - assertThat("Make sure the cause exception wasn't toStringed in the method", cap.getValue().getMessage(), not(containsString("ABC!"))); + assertThat( + "Make sure the cause exception wasn't toStringed in the method", + cap.getValue().getMessage(), + not(containsString("ABC!")) + ); verifyNoMoreInteractions(auditLog, listener); } diff --git a/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java index 1a087887d8..692a950fb1 100644 --- a/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java +++ b/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java 
@@ -48,25 +48,29 @@ public void checkWhitelistedApisAreAccessible() throws Exception { setup(); - //ADD SOME WHITELISTED APIs + // ADD SOME WHITELISTED APIs rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", adminCredsHeader); + response = rh.executePutRequest( + "_opendistro/_security/api/whitelist", + "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", + adminCredsHeader + ); log.warn("the response is:" + rh.executeGetRequest("_opendistro/_security/api/whitelist", adminCredsHeader)); - //NON ADMIN TRIES ACCESSING A WHITELISTED API - OK + // NON ADMIN TRIES ACCESSING A WHITELISTED API - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/nodes", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //ADMIN TRIES ACCESSING A WHITELISTED API - OK + // ADMIN TRIES ACCESSING A WHITELISTED API - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); log.warn("the second response is:{}", response); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //SUPERADMIN TRIES ACCESSING A WHITELISTED API - OK + // SUPERADMIN TRIES ACCESSING A WHITELISTED API - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); 
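Review bot: `log.warn("the response is:" + rh.executeGetRequest("_opendistro/_security/api/whitelist", adminCredsHeader));` builds the log message by string concatenation while the next log call in the same method uses the parameterized form `log.warn("the second response is:{}", response)`. For consistency the first call should be `log.warn("the response is:{}", rh.executeGetRequest("_opendistro/_security/api/whitelist", adminCredsHeader));`. The same concatenated form appears in checkAllowlistedApisAreAccessible in the following hunk.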
@@ -82,25 +86,29 @@ public void checkAllowlistedApisAreAccessible() throws Exception { setup(); - //ADD SOME ALLOWLISTED APIs + // ADD SOME ALLOWLISTED APIs rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_plugins/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", adminCredsHeader); + response = rh.executePutRequest( + "_plugins/_security/api/allowlist", + "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", + adminCredsHeader + ); log.warn("the response is:" + rh.executeGetRequest("_plugins/_security/api/allowlist", adminCredsHeader)); - //NON ADMIN TRIES ACCESSING A ALLOWLISTED API - OK + // NON ADMIN TRIES ACCESSING A ALLOWLISTED API - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/nodes", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //ADMIN TRIES ACCESSING A ALLOWLISTED API - OK + // ADMIN TRIES ACCESSING A ALLOWLISTED API - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); log.warn("the second response is:{}", response); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //SUPERADMIN TRIES ACCESSING A ALLOWLISTED API - OK + // SUPERADMIN TRIES ACCESSING A ALLOWLISTED API - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); 
@@ -115,22 +123,26 @@ public void checkAllowlistedApisAreAccessible() throws Exception { public void checkNonWhitelistedApisAccessibleOnlyBySuperAdmin() throws Exception { setup(); - //ADD SOME WHITELISTED APIs - /_cat/nodes and /_cat/indices + // ADD SOME WHITELISTED APIs - /_cat/nodes and /_cat/indices rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_opendistro/_security/api/whitelist", + "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", + nonAdminCredsHeader + ); - //NON ADMIN TRIES ACCESSING A NON-WHITELISTED API - FORBIDDEN + // NON ADMIN TRIES ACCESSING A NON-WHITELISTED API - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //ADMIN TRIES ACCESSING A NON-WHITELISTED API - FORBIDDEN + // ADMIN TRIES ACCESSING A NON-WHITELISTED API - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //SUPERADMIN TRIES ACCESSING A NON-WHITELISTED API - OK + // SUPERADMIN TRIES ACCESSING A NON-WHITELISTED API - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); 
@@ -145,22 +157,26 @@ public void checkNonWhitelistedApisAccessibleOnlyBySuperAdmin() throws Exception public void checkNonAllowlistedApisAccessibleOnlyBySuperAdmin() throws Exception { setup(); - //ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/indices + // ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/indices rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_plugins/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_plugins/_security/api/allowlist", + "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", + nonAdminCredsHeader + ); - //NON ADMIN TRIES ACCESSING A NON-ALLOWLISTED API - FORBIDDEN + // NON ADMIN TRIES ACCESSING A NON-ALLOWLISTED API - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //ADMIN TRIES ACCESSING A NON-ALLOWLISTED API - FORBIDDEN + // ADMIN TRIES ACCESSING A NON-ALLOWLISTED API - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //SUPERADMIN TRIES ACCESSING A NON-ALLOWLISTED API - OK + // SUPERADMIN TRIES ACCESSING A NON-ALLOWLISTED API - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); 
@@ -173,26 +189,30 @@ public void checkNonAllowlistedApisAccessibleOnlyBySuperAdmin() throws Exception public void checkAllApisWhenWhitelistingNotEnabled() throws Exception { setup(); - //DISABLE WHITELISTING BUT ADD SOME WHITELISTED APIs - /_cat/nodes and /_cat/plugins + // DISABLE WHITELISTING BUT ADD SOME WHITELISTED APIs - /_cat/nodes and /_cat/plugins rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": false, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_opendistro/_security/api/whitelist", + "{\"enabled\": false, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", + nonAdminCredsHeader + ); - //NON-ADMIN TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because whitelisting is off) + // NON-ADMIN TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because whitelisting is off) rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); response = rh.executeGetRequest("_cat/nodes", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //ADMIN USER TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because whitelisting is off) + // ADMIN USER TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because whitelisting is off) rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //SUPERADMIN TRIES ACCESSING 2 
APIS - OK (would work even if whitelisting was on)
+ // SUPERADMIN TRIES ACCESSING 2 APIS - OK (would work even if whitelisting was on)
 rh.sendAdminCertificate = true;
 response = rh.executeGetRequest("_cat/plugins", adminCredsHeader);
@@ -208,26 +228,30 @@ public void checkAllApisWhenWhitelistingNotEnabled() throws Exception { public void checkAllApisWhenAllowlistingNotEnabled() throws Exception { setup(); - //DISABLE ALLOWLISTED BUT ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/plugins + // DISABLE ALLOWLISTED BUT ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/plugins rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_plugins/_security/api/allowlist", "{\"enabled\": false, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_plugins/_security/api/allowlist", + "{\"enabled\": false, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", + nonAdminCredsHeader + ); - //NON-ADMIN TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because allowlisting is off) + // NON-ADMIN TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because allowlisting is off) rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); response = rh.executeGetRequest("_cat/nodes", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //ADMIN USER TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because allowlisting is off) + // ADMIN USER TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because allowlisting is off) rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //SUPERADMIN TRIES ACCESSING 2 APIS - OK (would 
work even if allowlisting was on)
+ // SUPERADMIN TRIES ACCESSING 2 APIS - OK (would work even if allowlisting was on)
 rh.sendAdminCertificate = true;
 response = rh.executeGetRequest("_cat/plugins", adminCredsHeader);
@@ -245,34 +269,50 @@ public void checkAllApisWhenAllowlistingNotEnabled() throws Exception { * */ @Test - public void checkSpecificRequestMethodWhitelisting() throws Exception{ + public void checkSpecificRequestMethodWhitelisting() throws Exception { setup(); - //WHITELIST GET /_cluster/settings + // WHITELIST GET /_cluster/settings rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_opendistro/_security/api/whitelist", + "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", + nonAdminCredsHeader + ); - //NON-ADMIN TRIES ACCESSING GET - OK, PUT - FORBIDDEN + // NON-ADMIN TRIES ACCESSING GET - OK, PUT - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + nonAdminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //ADMIN USER TRIES ACCESSING GET - OK, PUT - FORBIDDEN + // ADMIN USER TRIES ACCESSING GET - OK, PUT - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + response = 
rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //SUPERADMIN TRIES ACCESSING GET - OK, PUT - OK + // SUPERADMIN TRIES ACCESSING GET - OK, PUT - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cluster/settings", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); } 
@@ -285,38 +325,53 @@ public void checkSpecificRequestMethodWhitelisting() throws Exception{ * */ @Test - public void checkSpecificRequestMethodAllowlisting() throws Exception{ + public void checkSpecificRequestMethodAllowlisting() throws Exception { setup(); - //WHITELIST GET /_cluster/settings + // WHITELIST GET /_cluster/settings rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_plugins/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_plugins/_security/api/allowlist", + "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", + nonAdminCredsHeader + ); - //NON-ADMIN TRIES ACCESSING GET - OK, PUT - FORBIDDEN + // NON-ADMIN TRIES ACCESSING GET - OK, PUT - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + nonAdminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //ADMIN USER TRIES ACCESSING GET - OK, PUT - FORBIDDEN + // ADMIN USER TRIES ACCESSING GET - OK, PUT - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + response = 
rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //SUPERADMIN TRIES ACCESSING GET - OK, PUT - OK + // SUPERADMIN TRIES ACCESSING GET - OK, PUT - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cluster/settings", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - response = rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); } - /** * Tests that a whitelisted API with an extra '/' does not cause an issue * i.e if only GET /_cluster/settings/ is whitelisted, then: 
@@ -327,29 +382,41 @@ public void checkSpecificRequestMethodAllowlisting() throws Exception{ * @throws Exception */ @Test - public void testWhitelistedApiWithExtraSlash() throws Exception{ + public void testWhitelistedApiWithExtraSlash() throws Exception { setup(); - //WHITELIST GET /_cluster/settings/ - extra / in the request + // WHITELIST GET /_cluster/settings/ - extra / in the request rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings/\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_opendistro/_security/api/whitelist", + "{\"enabled\": true, \"requests\": {\"/_cluster/settings/\": [\"GET\"]}}", + nonAdminCredsHeader + ); - //NON ADMIN ACCESS GET /_cluster/settings/ - OK + // NON ADMIN ACCESS GET /_cluster/settings/ - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings/", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS GET /_cluster/settings - OK + // NON ADMIN ACCESS GET /_cluster/settings - OK response = rh.executeGetRequest("_cluster/settings", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN - response = rh.executePutRequest("_cluster/settings/","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings/", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN - response = 
rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); } 
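Review bot: The two PUT checks at the end of testWhitelistedApiWithExtraSlash are commented `// NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN` and `// NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN` but both requests are sent with `adminCredsHeader`, so the non-admin user never issues a PUT and the FORBIDDEN expectation is only verified for the admin user without a certificate. Either the comments or the credentials should change; if the non-admin case is intended, pass `nonAdminCredsHeader` as the last argument of both executePutRequest calls, matching the GET requests above them. The same mismatch is carried over in testAllowlistedApiWithExtraSlash, testWhitelistedApiWithoutExtraSlash and testAllowlistedApiWithoutExtraSlash.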
@@ -364,29 +431,41 @@ public void testWhitelistedApiWithExtraSlash() throws Exception{ * @throws Exception */ @Test - public void testAllowlistedApiWithExtraSlash() throws Exception{ + public void testAllowlistedApiWithExtraSlash() throws Exception { setup(); - //WHITELIST GET /_cluster/settings/ - extra / in the request + // WHITELIST GET /_cluster/settings/ - extra / in the request rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_plugins/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings/\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_plugins/_security/api/allowlist", + "{\"enabled\": true, \"requests\": {\"/_cluster/settings/\": [\"GET\"]}}", + nonAdminCredsHeader + ); - //NON ADMIN ACCESS GET /_cluster/settings/ - OK + // NON ADMIN ACCESS GET /_cluster/settings/ - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings/", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS GET /_cluster/settings - OK + // NON ADMIN ACCESS GET /_cluster/settings - OK response = rh.executeGetRequest("_cluster/settings", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN - response = rh.executePutRequest("_cluster/settings/","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings/", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN - response = 
rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); } 
@@ -401,29 +480,41 @@ public void testAllowlistedApiWithExtraSlash() throws Exception{ * @throws Exception */ @Test - public void testWhitelistedApiWithoutExtraSlash() throws Exception{ + public void testWhitelistedApiWithoutExtraSlash() throws Exception { setup(); - //WHITELIST GET /_cluster/settings (no extra / in request) + // WHITELIST GET /_cluster/settings (no extra / in request) rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_opendistro/_security/api/whitelist", + "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", + nonAdminCredsHeader + ); - //NON ADMIN ACCESS GET /_cluster/settings/ - OK + // NON ADMIN ACCESS GET /_cluster/settings/ - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings/", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS GET /_cluster/settings - OK + // NON ADMIN ACCESS GET /_cluster/settings - OK response = rh.executeGetRequest("_cluster/settings", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN - response = rh.executePutRequest("_cluster/settings/","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings/", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN - response = 
rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); } 
@@ -437,29 +528,41 @@ public void testWhitelistedApiWithoutExtraSlash() throws Exception{ * @throws Exception */ @Test - public void testAllowlistedApiWithoutExtraSlash() throws Exception{ + public void testAllowlistedApiWithoutExtraSlash() throws Exception { setup(); - //WHITELIST GET /_cluster/settings (no extra / in request) + // WHITELIST GET /_cluster/settings (no extra / in request) rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_plugins/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest( + "_plugins/_security/api/allowlist", + "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", + nonAdminCredsHeader + ); - //NON ADMIN ACCESS GET /_cluster/settings/ - OK + // NON ADMIN ACCESS GET /_cluster/settings/ - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cluster/settings/", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS GET /_cluster/settings - OK + // NON ADMIN ACCESS GET /_cluster/settings - OK response = rh.executeGetRequest("_cluster/settings", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN - response = rh.executePutRequest("_cluster/settings/","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings/ - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings/", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN - response = 
rh.executePutRequest("_cluster/settings","{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", adminCredsHeader); + // NON ADMIN ACCESS PUT /_cluster/settings - FORBIDDEN + response = rh.executePutRequest( + "_cluster/settings", + "{\"persistent\": { }, \"transient\": {\"indices.recovery.max_bytes_per_sec\": \"15mb\" }}", + adminCredsHeader + ); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); } } diff --git a/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java index 487da55767..47d779cd12 100644 --- a/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java +++ b/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java @@ -65,9 +65,7 @@ public class HTTPExtendedProxyAuthenticatorTest { @Before public void setup() { context.putTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE, Boolean.TRUE); - settings = Settings.builder() - .put("user_header","user") - .build(); + settings = Settings.builder().put("user_header", "user").build(); authenticator = new HTTPExtendedProxyAuthenticator(settings, null); } @@ -79,7 +77,7 @@ public void testGetType() { @Test(expected = OpenSearchSecurityException.class) public void testThrowsExceptionWhenMissingXFFDone() { authenticator = new HTTPExtendedProxyAuthenticator(Settings.EMPTY, null); - authenticator.extractCredentials(new TestRestRequest(), new ThreadContext(Settings.EMPTY)); + authenticator.extractCredentials(new TestRestRequest(), new ThreadContext(Settings.EMPTY)); } @Test @@ -93,6 +91,7 @@ public void testReturnsNullWhenUserHeaderIsMissing() { assertNull(authenticator.extractCredentials(new TestRestRequest(), context)); } + @Test public void testReturnsCredentials() { 
@@ -104,8 +103,8 @@ public void testReturnsCredentials() { headers.get("proxy_uid").add("456"); headers.get("proxy_other").add("someothervalue"); - settings = Settings.builder().put(settings).put("attr_header_prefix","proxy_").build(); - authenticator = new HTTPExtendedProxyAuthenticator(settings,null); + settings = Settings.builder().put(settings).put("attr_header_prefix", "proxy_").build(); + authenticator = new HTTPExtendedProxyAuthenticator(settings, null); AuthCredentials creds = authenticator.extractCredentials(new TestRestRequest(headers), context); assertNotNull(creds); assertEquals("aValidUser", creds.getUsername()); @@ -116,16 +115,13 @@ public void testReturnsCredentials() { @Test public void testTrimOnRoles() { - headers.put("user", new ArrayList<>()); + headers.put("user", new ArrayList<>()); headers.put("roles", new ArrayList<>()); headers.get("user").add("aValidUser"); headers.get("roles").add("role1, role2,\t"); - settings = Settings.builder().put(settings) - .put("roles_header","roles") - .put("roles_separator", ",") - .build(); - authenticator = new HTTPExtendedProxyAuthenticator(settings,null); + settings = Settings.builder().put(settings).put("roles_header", "roles").put("roles_separator", ",").build(); + authenticator = new HTTPExtendedProxyAuthenticator(settings, null); AuthCredentials creds = authenticator.extractCredentials(new TestRestRequest(headers), context); assertNotNull(creds); assertEquals("aValidUser", creds.getUsername()); 
@@ -136,14 +132,20 @@ public void testTrimOnRoles() { static class TestRestRequest extends RestRequest { public TestRestRequest() { - super(NamedXContentRegistry.EMPTY, new HashMap<>(), "", new HashMap<>(),new HttpRequestImpl(),new HttpChannelImpl()); + super(NamedXContentRegistry.EMPTY, new HashMap<>(), "", new HashMap<>(), new HttpRequestImpl(), new HttpChannelImpl()); } + public TestRestRequest(Map> headers) { - super(NamedXContentRegistry.EMPTY, new HashMap<>(), "", headers, new HttpRequestImpl(),new HttpChannelImpl()); + super(NamedXContentRegistry.EMPTY, new HashMap<>(), "", headers, new HttpRequestImpl(), new HttpChannelImpl()); } - public TestRestRequest(NamedXContentRegistry xContentRegistry, Map params, String path, - Map> headers) { - super(xContentRegistry, params, path, headers, new HttpRequestImpl(),new HttpChannelImpl()); + + public TestRestRequest( + NamedXContentRegistry xContentRegistry, + Map params, + String path, + Map> headers + ) { + super(xContentRegistry, params, path, headers, new HttpRequestImpl(), new HttpChannelImpl()); } @Override diff --git a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java index 96d41b6735..3da6ad3d7f 100644 --- a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java +++ b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java 
@@ -30,38 +30,44 @@ protected String getResourceFolder() { @Test public void testPlainConnection() throws Exception { - final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled", false) - .build(); + final Settings settings = Settings.builder().put("plugins.security.ssl.http.enabled", false).build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); Thread.sleep(1000); - try(final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost+":"+clusterInfo.httpPort) - .setBasicCredentials("admin", "admin").build()) { + try ( + final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost + ":" + clusterInfo.httpPort) + .setBasicCredentials("admin", "admin") + .build() + ) { Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); } - try(final HttpClient httpClient = HttpClient.builder("unknownhost:6654") - .setBasicCredentials("admin", "admin").build()) { + try (final HttpClient httpClient = HttpClient.builder("unknownhost:6654").setBasicCredentials("admin", "admin").build()) { Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", false)); Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true)); Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true)); } - try(final HttpClient httpClient = HttpClient.builder("unknownhost:6654", clusterInfo.httpHost+":"+clusterInfo.httpPort) - .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks","changeit"), false) - .setBasicCredentials("admin", "admin").build()) { + try ( + final HttpClient httpClient = HttpClient.builder("unknownhost:6654", clusterInfo.httpHost + ":" + clusterInfo.httpPort) + .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks", "changeit"), false) + .setBasicCredentials("admin", "admin") + .build() + ) { 
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", false)); Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true)); Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true)); } - try(final HttpClient httpClient = HttpClient.builder("unknownhost:6654", clusterInfo.httpHost+":"+clusterInfo.httpPort) - .setBasicCredentials("admin", "admin").build()) { + try ( + final HttpClient httpClient = HttpClient.builder("unknownhost:6654", clusterInfo.httpHost + ":" + clusterInfo.httpPort) + .setBasicCredentials("admin", "admin") + .build() + ) { Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); 
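Review bot: `Thread.sleep(1000)` after `setup(...)` in testPlainConnection is a fixed delay rather than a readiness check, so the test is timing-dependent; the same sleep appears in testSslConnection and testSslConnectionPKIAuth in the two hunks that follow. If the cluster helper offers a health or readiness wait it should replace the sleep; otherwise a one-line comment such as `// fixed wait for the HTTP transport to bind after setup(); no readiness hook available` would at least record why the second is there. Separately, the `false` passed as the second argument of `enableSsl(...)` appears to switch hostname verification off (inferred from the builder signature, which is not visible here); a comment like `// test truststore only: hostname verification disabled for the self-signed node cert` would keep that from being copied as a default. The method continues past the end of this hunk.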
@@ -73,27 +79,33 @@ public void testPlainConnection() throws Exception { public void testSslConnection() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled", true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); Thread.sleep(1000); - try(final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost+":"+clusterInfo.httpPort) - .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks","changeit"), false) - .setBasicCredentials("admin", "admin").build()) { + try ( + final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost + ":" + clusterInfo.httpPort) + .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks", "changeit"), false) + .setBasicCredentials("admin", "admin") + .build() + ) { Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); } - try(final HttpClient httpClient = 
HttpClient.builder(clusterInfo.httpHost+":"+clusterInfo.httpPort) - .setBasicCredentials("admin", "admin").build()) { + try ( + final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost + ":" + clusterInfo.httpPort) + .setBasicCredentials("admin", "admin") + .build() + ) { Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", false)); Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true)); Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true)); 
@@ -105,22 +117,28 @@ public void testSslConnection() throws Exception { public void testSslConnectionPKIAuth() throws Exception { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); Thread.sleep(1000); - try(final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost+":"+clusterInfo.httpPort) - .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks","changeit"), false) - .setPkiCredentials(FileHelper.getKeystoreFromClassPath("auditlog/spock-keystore.jks", "changeit"), "changeit".toCharArray(), null) - .build()) { + try ( + final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost + ":" + clusterInfo.httpPort) + .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks", "changeit"), false) + .setPkiCredentials( + FileHelper.getKeystoreFromClassPath("auditlog/spock-keystore.jks", "changeit"), + 
"changeit".toCharArray(), + null + ) + .build() + ) { Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true)); diff --git a/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java index ba265bcf2e..b953ac8ddb 100644 --- a/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java +++ b/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java @@ -26,15 +26,15 @@ public class PrivilegesEvaluatorTest extends SingleClusterTest { private static final Header NegatedRegexUserHeader = encodeBasicHeader("negated_regex_user", "negated_regex_user"); public void setupSettingsIndexPattern() throws Exception { - Settings settings = Settings.builder() - .build(); - setup(Settings.EMPTY, - new DynamicSecurityConfig() - .setSecurityRoles("roles_index_patterns.yml") - .setSecurityInternalUsers("internal_users_index_patterns.yml") - .setSecurityRolesMapping("roles_mapping_index_patterns.yml"), - settings, - true); + Settings settings = Settings.builder().build(); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setSecurityRoles("roles_index_patterns.yml") + .setSecurityInternalUsers("internal_users_index_patterns.yml") + .setSecurityRolesMapping("roles_mapping_index_patterns.yml"), + settings, + true + ); } @Test 
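Review bot: In setupSettingsIndexPattern the line `Settings settings = Settings.builder().build();` builds an empty Settings object only to pass it as the third argument of `setup(...)`, while `Settings.EMPTY` is already used for the first argument on the next line; the local can be dropped and the call written as `setup(Settings.EMPTY, new DynamicSecurityConfig()..., Settings.EMPTY, true);`. This is a style point only, assuming `Settings.builder().build()` and `Settings.EMPTY` are equivalent for this helper, which the hunk does not show. The method starts and ends inside this hunk.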
@@ -42,9 +42,9 @@ public void testNegativeLookaheadPattern() throws Exception { setupSettingsIndexPattern(); RestHelper rh = nonSslRestHelper(); - RestHelper.HttpResponse response = rh.executeGetRequest( "*/_search", NegativeLookaheadUserHeader); + RestHelper.HttpResponse response = rh.executeGetRequest("*/_search", NegativeLookaheadUserHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - response = rh.executeGetRequest( "r*/_search", NegativeLookaheadUserHeader); + response = rh.executeGetRequest("r*/_search", NegativeLookaheadUserHeader); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); } @@ -53,9 +53,9 @@ public void testRegexPattern() throws Exception { setupSettingsIndexPattern(); RestHelper rh = nonSslRestHelper(); - RestHelper.HttpResponse response = rh.executeGetRequest( "*/_search", NegatedRegexUserHeader); + RestHelper.HttpResponse response = rh.executeGetRequest("*/_search", NegatedRegexUserHeader); Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - response = rh.executeGetRequest( "r*/_search", NegatedRegexUserHeader); + response = rh.executeGetRequest("r*/_search", NegatedRegexUserHeader); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); } } diff --git a/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java b/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java index d84d62c6b4..14c5eabb73 100644 --- a/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java +++ b/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java @@ -55,7 +55,6 @@ public class SecurityIndexAccessEvaluatorTest { @Mock private Logger log; - private SecurityIndexAccessEvaluator evaluator; private static final String UNPROTECTED_ACTION = "indices:data/read"; 
@@ -69,7 +68,8 @@ public void before() { .put("plugins.security.system_indices.enabled", true) .build(), auditLog, - irr); + irr + ); evaluator.log = log; when(log.isDebugEnabled()).thenReturn(true); @@ -140,13 +140,16 @@ public void protectedActionSystemIndex() { verify(presponse).markComplete(); verify(log).isDebugEnabled(); - verify(log).warn( - "{} for '{}' index is not allowed for a regular user", - "indices:data/write", - ".opendistro_security, .test"); + verify(log).warn("{} for '{}' index is not allowed for a regular user", "indices:data/write", ".opendistro_security, .test"); } private Resolved createResolved(final String... indexes) { - return new Resolved(ImmutableSet.of(), ImmutableSet.copyOf(indexes), ImmutableSet.copyOf(indexes), ImmutableSet.of(), IndicesOptions.STRICT_EXPAND_OPEN); + return new Resolved( + ImmutableSet.of(), + ImmutableSet.copyOf(indexes), + ImmutableSet.copyOf(indexes), + ImmutableSet.of(), + IndicesOptions.STRICT_EXPAND_OPEN + ); } } diff --git a/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java b/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java index 52f66f3462..0ff7d64de9 100644 --- a/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java +++ b/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java 
@@ -66,7 +66,10 @@ public class ProtectedIndicesTests extends SingleClusterTest { // This user is mapped to all_access, but is not mapped to any protectedIndexRoles private static final String indexAccessNoRoleUser = "indexAccessNoRoleUser"; private static final Header indexAccessNoRoleUserHeader = encodeBasicHeader(indexAccessNoRoleUser, indexAccessNoRoleUser); - private static final String generalErrorMessage = String.format("no permissions for [] and User [name=%s, backend_roles=[], requestedTenant=null]", indexAccessNoRoleUser); + private static final String generalErrorMessage = String.format( + "no permissions for [] and User [name=%s, backend_roles=[], requestedTenant=null]", + indexAccessNoRoleUser + ); // This user is mapped to all_access and protected_index_role1 private static final String protectedIndexUser = "protectedIndexUser"; private static final Header protectedIndexUserHeader = encodeBasicHeader(protectedIndexUser, protectedIndexUser); 
@@ -81,35 +84,37 @@ public class ProtectedIndicesTests extends SingleClusterTest { public void setupSettingsEnabled() throws Exception { // Setup settings Settings protectedIndexSettings = Settings.builder() - .put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) - .build(); - setup(Settings.EMPTY, - new DynamicSecurityConfig() - .setConfig("config_protected_indices.yml") - .setSecurityRoles("roles_protected_indices.yml") - .setSecurityInternalUsers("internal_users_protected_indices.yml") - .setSecurityRolesMapping("roles_mapping_protected_indices.yml"), - protectedIndexSettings, - true); + .put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) + .build(); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setConfig("config_protected_indices.yml") + .setSecurityRoles("roles_protected_indices.yml") + .setSecurityInternalUsers("internal_users_protected_indices.yml") + .setSecurityRolesMapping("roles_mapping_protected_indices.yml"), + protectedIndexSettings, + true + ); } public void setupSettingsIndexPatterns() throws Exception { // Setup settings Settings protectedIndexSettings = Settings.builder() - .put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexPatternsToTest) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) - .build(); - setup(Settings.EMPTY, - new DynamicSecurityConfig() - .setConfig("config_protected_indices.yml") - .setSecurityRoles("roles_protected_indices.yml") - .setSecurityInternalUsers("internal_users_protected_indices.yml") - 
.setSecurityRolesMapping("roles_mapping_protected_indices.yml"), - protectedIndexSettings, - true); + .put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexPatternsToTest) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) + .build(); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setConfig("config_protected_indices.yml") + .setSecurityRoles("roles_protected_indices.yml") + .setSecurityInternalUsers("internal_users_protected_indices.yml") + .setSecurityRolesMapping("roles_mapping_protected_indices.yml"), + protectedIndexSettings, + true + ); } /** 
@@ -122,35 +127,38 @@ public void setupSettingsIndexPatterns() throws Exception { public void setupSettingsDisabled() throws Exception { // Setup settings Settings protectedIndexSettings = Settings.builder() - .put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, false) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) - .build(); - setup(Settings.EMPTY, - new DynamicSecurityConfig() - .setConfig("config_protected_indices.yml") - .setSecurityRoles("roles_protected_indices.yml") - .setSecurityInternalUsers("internal_users_protected_indices.yml") - .setSecurityRolesMapping("roles_mapping_protected_indices.yml"), - protectedIndexSettings, - true); + .put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, false) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) + .build(); + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setConfig("config_protected_indices.yml") + .setSecurityRoles("roles_protected_indices.yml") + .setSecurityInternalUsers("internal_users_protected_indices.yml") + .setSecurityRolesMapping("roles_mapping_protected_indices.yml"), + protectedIndexSettings, + true + ); } public void setupSettingsEnabledSnapshot() throws Exception { final Settings settings = Settings.builder() - .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest) - .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) - .build(); - - setup(Settings.EMPTY, new DynamicSecurityConfig() - .setConfig("config_protected_indices.yml") + .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) + 
.put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest) + .putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles) + .build(); + + setup( + Settings.EMPTY, + new DynamicSecurityConfig().setConfig("config_protected_indices.yml") .setSecurityRoles("roles_protected_indices.yml") .setSecurityInternalUsers("internal_users_protected_indices.yml") .setSecurityRolesMapping("roles_mapping_protected_indices.yml"), - settings, - true); + settings, + true + ); } /** @@ -162,7 +170,11 @@ public void createTestIndicesAndDocs() { try (Client tc = getClient()) { for (String index : listOfIndexesToTest) { tc.admin().indices().create(new CreateIndexRequest(index)).actionGet(); - tc.index(new IndexRequest(index).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).id("document1").source("{ \"foo\": \"bar\" }", XContentType.JSON)).actionGet(); + tc.index( + new IndexRequest(index).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .id("document1") + .source("{ \"foo\": \"bar\" }", XContentType.JSON) + ).actionGet(); } } } 
@@ -170,8 +182,19 @@ public void createTestIndicesAndDocs() { public void createSnapshots() { try (Client tc = getClient()) { for (String index : listOfIndexesToTest) { - tc.admin().cluster().putRepository(new PutRepositoryRequest(index).type("fs").settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/" + index))).actionGet(); - tc.admin().cluster().createSnapshot(new CreateSnapshotRequest(index, index + "_1").indices(index).includeGlobalState(true).waitForCompletion(true)).actionGet(); + tc.admin() + .cluster() + .putRepository( + new PutRepositoryRequest(index).type("fs") + .settings(Settings.builder().put("location", repositoryPath.getRoot().getAbsolutePath() + "/" + index)) + ) + .actionGet(); + tc.admin() + .cluster() + .createSnapshot( + new CreateSnapshotRequest(index, index + "_1").indices(index).includeGlobalState(true).waitForCompletion(true) + ) + .actionGet(); } } } @@ -192,7 +215,8 @@ public void testNoSearchResults() throws Exception { // Test direct index query. for (String index : listOfIndexesToTest) { RestHelper.HttpResponse response = rh.executePostRequest(index + "/_search", matchAllQuery, indexAccessNoRoleUserHeader); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); 
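Review bot: `assertTrue(searchResponse.status() == RestStatus.OK);` in testNoSearchResults compares the status by identity inside assertTrue, so a failure reports only "expected true" with no actual status; `assertEquals(RestStatus.OK, searchResponse.status());` gives the same check with a useful message. The same pattern (including the `assertTrue(response.getStatusCode() == RestStatus.X.getStatus())` form) recurs in the testSearchWithSettingDisabled, testNoResultsAlias, testNoAccessCreateIndexDisabled, testNonAccessAliasOperations, testSearchResults, testResultsAlias, testCreateIndex and testAliasOperations hunks below; the allowlist test earlier in this diff already uses `assertThat(response.getBody(), response.getStatusCode(), equalTo(...))`, which additionally surfaces the response body on failure and would be the consistent choice here. The enclosing loop and method continue past the end of this hunk.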
@@ -207,7 +231,8 @@ public void testNoSearchResults() throws Exception { // Test index pattern for (String indexPattern : listOfIndexPatternsToTest) { RestHelper.HttpResponse response = rh.executePostRequest(indexPattern + "/_search", matchAllQuery, indexAccessNoRoleUserHeader); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); @@ -231,7 +256,8 @@ public void testSearchWithSettingDisabled() throws Exception { // Test direct index query. for (String index : listOfIndexesToTest) { RestHelper.HttpResponse response = rh.executePostRequest(index + "/_search", matchAllQuery, protectedIndexUserHeader); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); 
@@ -246,7 +272,8 @@ public void testSearchWithSettingDisabled() throws Exception { // Test index pattern for (String indexPattern : listOfIndexPatternsToTest) { RestHelper.HttpResponse response = rh.executePostRequest(indexPattern + "/_search", matchAllQuery, protectedIndexUserHeader); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); @@ -268,10 +295,9 @@ public void testNoResultsAlias() throws Exception { try (Client tc = getClient()) { for (String index : listOfIndexesToTest) { IndicesAliasesRequest request = new IndicesAliasesRequest(); - IndicesAliasesRequest.AliasActions aliasAction = - new IndicesAliasesRequest.AliasActions(IndicesAliasesRequest.AliasActions.Type.ADD) - .index(index) - .alias("alias" + i); + IndicesAliasesRequest.AliasActions aliasAction = new IndicesAliasesRequest.AliasActions( + IndicesAliasesRequest.AliasActions.Type.ADD + ).index(index).alias("alias" + i); request.addAliasAction(aliasAction); tc.admin().indices().aliases(request).actionGet(); i++; 
@@ -282,8 +308,13 @@ public void testNoResultsAlias() throws Exception { RestHelper rh = nonSslRestHelper(); for (int aliasNumber = 0; aliasNumber < i; aliasNumber++) { - RestHelper.HttpResponse response = rh.executePostRequest("alias" + aliasNumber + "/_search", matchAllQuery, indexAccessNoRoleUserHeader); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + RestHelper.HttpResponse response = rh.executePostRequest( + "alias" + aliasNumber + "/_search", + matchAllQuery, + indexAccessNoRoleUserHeader + ); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); @@ -303,14 +334,14 @@ public void testNoAccessCreateIndexDisabled() throws Exception { // Create rest client RestHelper rh = nonSslRestHelper(); - String indexSettings = "{\n" + - " \"settings\" : {\n" + - " \"index\" : {\n" + - " \"number_of_shards\" : 3, \n" + - " \"number_of_replicas\" : 2 \n" + - " }\n" + - " }\n" + - "}"; + String indexSettings = "{\n" + + " \"settings\" : {\n" + + " \"index\" : {\n" + + " \"number_of_shards\" : 3, \n" + + " \"number_of_replicas\" : 2 \n" + + " }\n" + + " }\n" + + "}"; for (String index : listOfIndexesToTest) { RestHelper.HttpResponse response = rh.executePutRequest(index, indexSettings, indexAccessNoRoleUserHeader); assertTrue(response.getStatusCode() == RestStatus.OK.getStatus()); 
@@ -446,10 +477,7 @@ public void testNonAccessUpdateMappings() throws Exception { setupSettingsEnabled(); createTestIndicesAndDocs(); - String newMappings = "{\"properties\": {" + - "\"user_name\": {" + - "\"type\": \"text\"" + - "}}}"; + String newMappings = "{\"properties\": {" + "\"user_name\": {" + "\"type\": \"text\"" + "}}}"; // Create rest client RestHelper rh = nonSslRestHelper(); @@ -467,10 +495,7 @@ public void testNonAccessUpdateMappingsDisabled() throws Exception { setupSettingsDisabled(); createTestIndicesAndDocs(); - String newMappings = "{\"properties\": {" + - "\"user_name\": {" + - "\"type\": \"text\"" + - "}}}"; + String newMappings = "{\"properties\": {" + "\"user_name\": {" + "\"type\": \"text\"" + "}}}"; // Create rest client RestHelper rh = nonSslRestHelper(); @@ -510,7 +535,11 @@ public void testNonAccessAliasOperations() throws Exception { String aliasTemplate = "{\"actions\" : [{ \"add\" : { \"index\" : \"%s\", \"alias\" : \"foobar\" } }]}"; for (String index : listOfIndexesToTest) { - RestHelper.HttpResponse response = rh.executePostRequest("_aliases", String.format(aliasTemplate, index), indexAccessNoRoleUserHeader); + RestHelper.HttpResponse response = rh.executePostRequest( + "_aliases", + String.format(aliasTemplate, index), + indexAccessNoRoleUserHeader + ); assertTrue(response.getStatusCode() == RestStatus.FORBIDDEN.getStatus()); assertTrue(response.getBody().contains(generalErrorMessage)); } 
@@ -519,7 +548,11 @@ public void testNonAccessAliasOperations() throws Exception { aliasTemplate = "{\"actions\" : [{ \"remove\" : { \"index\" : \"%s\", \"alias\" : \"foobar\" } }]}"; for (String index : listOfIndexesToTest) { - RestHelper.HttpResponse response = rh.executePostRequest("_aliases", String.format(aliasTemplate, index), indexAccessNoRoleUserHeader); + RestHelper.HttpResponse response = rh.executePostRequest( + "_aliases", + String.format(aliasTemplate, index), + indexAccessNoRoleUserHeader + ); assertTrue(response.getStatusCode() == RestStatus.FORBIDDEN.getStatus()); assertTrue(response.getBody().contains(generalErrorMessage)); } @@ -528,7 +561,11 @@ public void testNonAccessAliasOperations() throws Exception { aliasTemplate = "{\"actions\" : [{ \"remove_index\" : { \"index\" : \"%s\"} }]}"; for (String index : listOfIndexesToTest) { - RestHelper.HttpResponse response = rh.executePostRequest("_aliases", String.format(aliasTemplate, index), indexAccessNoRoleUserHeader); + RestHelper.HttpResponse response = rh.executePostRequest( + "_aliases", + String.format(aliasTemplate, index), + indexAccessNoRoleUserHeader + ); assertTrue(response.getStatusCode() == RestStatus.FORBIDDEN.getStatus()); assertTrue(response.getBody().contains(generalErrorMessage)); } @@ -543,14 +580,14 @@ public void testNonAccessUpdateIndexSettings() throws Exception { // Create rest client RestHelper rh = nonSslRestHelper(); - String indexSettings = "{\n" + - " \"settings\" : {\n" + - " \"index\" : {\n" + - " \"number_of_shards\" : 30, \n" + - " \"number_of_replicas\" : 20 \n" + - " }\n" + - " }\n" + - "}"; + String indexSettings = "{\n" + + " \"settings\" : {\n" + + " \"index\" : {\n" + + " \"number_of_shards\" : 30, \n" + + " \"number_of_replicas\" : 20 \n" + + " }\n" + + " }\n" + + "}"; for (String index : listOfIndexesToTest) { RestHelper.HttpResponse response = rh.executePutRequest(index + "/_settings", indexSettings, indexAccessNoRoleUserHeader); 
@@ -575,7 +612,8 @@ public void testSearchResults() throws Exception { // Test direct index query. for (String index : listOfIndexesToTest) { RestHelper.HttpResponse response = rh.executePostRequest(index + "/_search", matchAllQuery, protectedIndexUserHeader); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); @@ -590,7 +628,8 @@ public void testSearchResults() throws Exception { // Test index pattern for (String indexPattern : listOfIndexPatternsToTest) { RestHelper.HttpResponse response = rh.executePostRequest(indexPattern + "/_search", matchAllQuery, protectedIndexUserHeader); - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); 
@@ -612,10 +651,9 @@ public void testResultsAlias() throws Exception { try (Client tc = getClient()) { for (String index : listOfIndexesToTest) { IndicesAliasesRequest request = new IndicesAliasesRequest(); - IndicesAliasesRequest.AliasActions aliasAction = - new IndicesAliasesRequest.AliasActions(IndicesAliasesRequest.AliasActions.Type.ADD) - .index(index) - .alias("alias" + i); + IndicesAliasesRequest.AliasActions aliasAction = new IndicesAliasesRequest.AliasActions( + IndicesAliasesRequest.AliasActions.Type.ADD + ).index(index).alias("alias" + i); request.addAliasAction(aliasAction); tc.admin().indices().aliases(request).actionGet(); i++; @@ -626,9 +664,14 @@ public void testResultsAlias() throws Exception { RestHelper rh = nonSslRestHelper(); for (int aliasNumber = 0; aliasNumber < i; aliasNumber++) { - RestHelper.HttpResponse response = rh.executePostRequest("alias" + aliasNumber + "/_search", matchAllQuery, protectedIndexUserHeader); - - XContentParser xcp = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); + RestHelper.HttpResponse response = rh.executePostRequest( + "alias" + aliasNumber + "/_search", + matchAllQuery, + protectedIndexUserHeader + ); + + XContentParser xcp = XContentType.JSON.xContent() + .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, response.getBody()); SearchResponse searchResponse = SearchResponse.fromXContent(xcp); // confirm good response. assertTrue(searchResponse.status() == RestStatus.OK); 
@@ -648,14 +691,14 @@ public void testCreateIndex() throws Exception { // Create rest client RestHelper rh = nonSslRestHelper(); - String indexSettings = "{\n" + - " \"settings\" : {\n" + - " \"index\" : {\n" + - " \"number_of_shards\" : 3, \n" + - " \"number_of_replicas\" : 2 \n" + - " }\n" + - " }\n" + - "}"; + String indexSettings = "{\n" + + " \"settings\" : {\n" + + " \"index\" : {\n" + + " \"number_of_shards\" : 3, \n" + + " \"number_of_replicas\" : 2 \n" + + " }\n" + + " }\n" + + "}"; for (String index : listOfIndexesToTest) { RestHelper.HttpResponse response = rh.executePutRequest(index, indexSettings, protectedIndexUserHeader); assertTrue(response.getStatusCode() == RestStatus.OK.getStatus()); @@ -716,10 +759,7 @@ public void testUpdateMappings() throws Exception { setupSettingsEnabled(); createTestIndicesAndDocs(); - String newMappings = "{\"properties\": {" + - "\"user_name\": {" + - "\"type\": \"text\"" + - "}}}"; + String newMappings = "{\"properties\": {" + "\"user_name\": {" + "\"type\": \"text\"" + "}}}"; // Create rest client RestHelper rh = nonSslRestHelper(); @@ -775,7 +815,11 @@ public void testAliasOperations() throws Exception { String aliasTemplate = "{\"actions\" : [{ \"add\" : { \"index\" : \"%s\", \"alias\" : \"foobar\" } }]}"; for (String index : listOfIndexesToTest) { - RestHelper.HttpResponse response = rh.executePostRequest("_aliases", String.format(aliasTemplate, index), protectedIndexUserHeader); + RestHelper.HttpResponse response = rh.executePostRequest( + "_aliases", + String.format(aliasTemplate, index), + protectedIndexUserHeader + ); assertTrue(response.getStatusCode() == RestStatus.OK.getStatus()); } 
@@ -783,7 +827,11 @@ public void testAliasOperations() throws Exception { aliasTemplate = "{\"actions\" : [{ \"remove\" : { \"index\" : \"%s\", \"alias\" : \"foobar\" } }]}"; for (String index : listOfIndexesToTest) { - RestHelper.HttpResponse response = rh.executePostRequest("_aliases", String.format(aliasTemplate, index), protectedIndexUserHeader); + RestHelper.HttpResponse response = rh.executePostRequest( + "_aliases", + String.format(aliasTemplate, index), + protectedIndexUserHeader + ); assertTrue(response.getStatusCode() == RestStatus.OK.getStatus()); } @@ -791,7 +839,11 @@ public void testAliasOperations() throws Exception { aliasTemplate = "{\"actions\" : [{ \"remove_index\" : { \"index\" : \"%s\"} }]}"; for (String index : listOfIndexesToTest) { - RestHelper.HttpResponse response = rh.executePostRequest("_aliases", String.format(aliasTemplate, index), protectedIndexUserHeader); + RestHelper.HttpResponse response = rh.executePostRequest( + "_aliases", + String.format(aliasTemplate, index), + protectedIndexUserHeader + ); assertTrue(response.getStatusCode() == RestStatus.OK.getStatus()); } } @@ -805,11 +857,7 @@ public void testUpdateIndexSettings() throws Exception { // Create rest client RestHelper rh = nonSslRestHelper(); - String indexSettings = "{\n" + - " \"index\" : {\n" + - " \"refresh_interval\" : null\n" + - " }\n" + - "}"; + String indexSettings = "{\n" + " \"index\" : {\n" + " \"refresh_interval\" : null\n" + " }\n" + "}"; for (String index : listOfIndexesToTest) { RestHelper.HttpResponse response = rh.executePutRequest(index + "/_settings", indexSettings, protectedIndexUserHeader); 
@@ -833,21 +881,48 @@ public void testAccessSnapshot() throws Exception { } } - String putSnapshot = "{"+ - "\"indices\": \"%s\"," + - "\"ignore_unavailable\": false," + - "\"include_global_state\": false" + - "}"; + String putSnapshot = "{" + "\"indices\": \"%s\"," + "\"ignore_unavailable\": false," + "\"include_global_state\": false" + "}"; // Create rest client RestHelper rh = nonSslRestHelper(); for (String index : listOfIndexesToTest) { - assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("_snapshot/" + index + "/" + index + "_1", protectedIndexUserHeader).getStatusCode()); - assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/" + index + "/" + index + "_1/_restore?wait_for_completion=true","{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", protectedIndexUserHeader).getStatusCode()); - assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/" + index + "/" + index + "_1/_restore?wait_for_completion=true", "", protectedIndexUserHeader).getStatusCode()); - assertEquals(HttpStatus.SC_OK, rh.executePostRequest("_snapshot/" + index + "/" + index + "_1/_restore?wait_for_completion=true","{ \"indices\": \"" + index + "\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"" + index + "_1\" }", protectedIndexUserHeader).getStatusCode()); - assertEquals(HttpStatus.SC_OK, rh.executePutRequest("_snapshot/" + index + "/" + index + "_2?wait_for_completion=true", String.format(putSnapshot, index), protectedIndexUserHeader).getStatusCode()); + assertEquals( + HttpStatus.SC_OK, + rh.executeGetRequest("_snapshot/" + index + "/" + index + "_1", protectedIndexUserHeader).getStatusCode() + ); + assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/" + index + "/" + index + "_1/_restore?wait_for_completion=true", + "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }", + protectedIndexUserHeader + ).getStatusCode() + ); + assertEquals( + 
HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/" + index + "/" + index + "_1/_restore?wait_for_completion=true", + "", + protectedIndexUserHeader + ).getStatusCode() + ); + assertEquals( + HttpStatus.SC_OK, + rh.executePostRequest( + "_snapshot/" + index + "/" + index + "_1/_restore?wait_for_completion=true", + "{ \"indices\": \"" + index + "\", \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"" + index + "_1\" }", + protectedIndexUserHeader + ).getStatusCode() + ); + assertEquals( + HttpStatus.SC_OK, + rh.executePutRequest( + "_snapshot/" + index + "/" + index + "_2?wait_for_completion=true", + String.format(putSnapshot, index), + protectedIndexUserHeader + ).getStatusCode() + ); } } } diff --git a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java index 950409a3e3..975db57701 100644 --- a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java +++ b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java 
@@ -109,26 +109,32 @@ public abstract class AbstractSecurityUnitTest extends RandomizedTest { static { - System.out.println("OS: " + System.getProperty("os.name") + " " + System.getProperty("os.arch") + " " - + System.getProperty("os.version")); System.out.println( - "Java Version: " + System.getProperty("java.version") + " " + System.getProperty("java.vendor")); - System.out.println("JVM Impl.: " + System.getProperty("java.vm.version") + " " - + System.getProperty("java.vm.vendor") + " " + System.getProperty("java.vm.name")); + "OS: " + System.getProperty("os.name") + " " + System.getProperty("os.arch") + " " + System.getProperty("os.version") + ); + System.out.println("Java Version: " + System.getProperty("java.version") + " " + System.getProperty("java.vendor")); + System.out.println( + "JVM Impl.: " + + System.getProperty("java.vm.version") + + " " + + System.getProperty("java.vm.vendor") + + " " + + System.getProperty("java.vm.name") + ); System.out.println("Open SSL available: " + OpenSsl.isAvailable()); System.out.println("Open SSL version: " + OpenSsl.versionString()); withRemoteCluster = Boolean.parseBoolean(System.getenv("TESTARG_unittests_with_remote_cluster")); System.out.println("With remote cluster: " + withRemoteCluster); - //System.setProperty("security.display_lic_none","true"); + // System.setProperty("security.display_lic_none","true"); } protected final Logger log = LogManager.getLogger(this.getClass()); - public static final ThreadPool MOCK_POOL = new ThreadPool(Settings.builder().put("node.name", "mock").build()); + public static final ThreadPool MOCK_POOL = new ThreadPool(Settings.builder().put("node.name", "mock").build()); - //TODO Test Matrix - protected boolean allowOpenSSL = false; //disabled, we test this already in SSL Plugin - //enable//disable enterprise modules - //1node and 3 node + // TODO Test Matrix + protected boolean allowOpenSSL = false; // disabled, we test this already in SSL Plugin + // enable//disable enterprise modules + 
// 1node and 3 node @Rule public TestName name = new TestName(); 
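Review bot: The static initializer still carries the commented-out statement `// System.setProperty("security.display_lic_none","true");`, which the formatter only re-spaced; commented-out code should be removed rather than kept in step with the formatter. If the property is still meaningful, a one-line comment saying why it is not set is clearer than a dead statement that looks like it might be re-enabled. The `// TODO Test Matrix` block below the `allowOpenSSL` field has the same problem: it names work without saying what is missing. The class continues past this hunk.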
@@ -136,63 +142,68 @@ public abstract class AbstractSecurityUnitTest extends RandomizedTest { @Rule public final TemporaryFolder repositoryPath = new TemporaryFolder(); - @Rule - public final TestWatcher testWatcher = new SecurityTestWatcher(); + @Rule + public final TestWatcher testWatcher = new SecurityTestWatcher(); public static Header encodeBasicHeader(final String username, final String password) { - return new BasicHeader("Authorization", "Basic "+Base64.getEncoder().encodeToString( - (username + ":" + Objects.requireNonNull(password)).getBytes(StandardCharsets.UTF_8))); + return new BasicHeader( + "Authorization", + "Basic " + + Base64.getEncoder().encodeToString((username + ":" + Objects.requireNonNull(password)).getBytes(StandardCharsets.UTF_8)) + ); } protected RestHighLevelClient getRestClient(ClusterInfo info, String keyStoreName, String trustStoreName) { return getRestClient(info, keyStoreName, trustStoreName, null); } - protected RestHighLevelClient getRestClient(ClusterInfo info, String keyStoreName, String trustStoreName, HttpVersionPolicy httpVersionPolicy) { - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + protected RestHighLevelClient getRestClient( + ClusterInfo info, + String keyStoreName, + String trustStoreName, + HttpVersionPolicy httpVersionPolicy + ) { + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; try { SSLContextBuilder sslContextBuilder = SSLContexts.custom(); File keyStoreFile = FileHelper.getAbsoluteFilePathFromClassPath(prefix + keyStoreName).toFile(); - KeyStore keyStore = KeyStore.getInstance(keyStoreName.endsWith(".jks")?"JKS":"PKCS12"); + KeyStore keyStore = KeyStore.getInstance(keyStoreName.endsWith(".jks") ? 
"JKS" : "PKCS12"); keyStore.load(new FileInputStream(keyStoreFile), null); sslContextBuilder.loadKeyMaterial(keyStore, "changeit".toCharArray()); - KeyStore trustStore = KeyStore.getInstance(trustStoreName.endsWith(".jks")?"JKS":"PKCS12"); + KeyStore trustStore = KeyStore.getInstance(trustStoreName.endsWith(".jks") ? "JKS" : "PKCS12"); File trustStoreFile = FileHelper.getAbsoluteFilePathFromClassPath(prefix + trustStoreName).toFile(); - trustStore.load(new FileInputStream(trustStoreFile), - "changeit".toCharArray()); + trustStore.load(new FileInputStream(trustStoreFile), "changeit".toCharArray()); sslContextBuilder.loadTrustMaterial(trustStore, null); SSLContext sslContext = sslContextBuilder.build(); HttpHost httpHost = new HttpHost("https", info.httpHost, info.httpPort); - RestClientBuilder restClientBuilder = RestClient.builder(httpHost) - .setHttpClientConfigCallback( - builder -> { - TlsStrategy tlsStrategy = ClientTlsStrategyBuilder.create() - .setSslContext(sslContext) - .setTlsVersions(new String[] { "TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3"}) - .setHostnameVerifier(NoopHostnameVerifier.INSTANCE) - // See please https://issues.apache.org/jira/browse/HTTPCLIENT-2219 - .setTlsDetailsFactory(new Factory() { - @Override - public TlsDetails create(final SSLEngine sslEngine) { - return new TlsDetails(sslEngine.getSession(), sslEngine.getApplicationProtocol()); - } - }) - .build(); - - final AsyncClientConnectionManager cm = PoolingAsyncClientConnectionManagerBuilder.create() - .setTlsStrategy(tlsStrategy) - .build(); - builder.setConnectionManager(cm); - if (httpVersionPolicy != null) { - builder.setVersionPolicy(httpVersionPolicy); - } - return builder; - }); + RestClientBuilder restClientBuilder = RestClient.builder(httpHost).setHttpClientConfigCallback(builder -> { + TlsStrategy tlsStrategy = ClientTlsStrategyBuilder.create() + .setSslContext(sslContext) + .setTlsVersions(new String[] { "TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3" }) + 
.setHostnameVerifier(NoopHostnameVerifier.INSTANCE) + // See please https://issues.apache.org/jira/browse/HTTPCLIENT-2219 + .setTlsDetailsFactory(new Factory() { + @Override + public TlsDetails create(final SSLEngine sslEngine) { + return new TlsDetails(sslEngine.getSession(), sslEngine.getApplicationProtocol()); + } + }) + .build(); + + final AsyncClientConnectionManager cm = PoolingAsyncClientConnectionManagerBuilder.create() + .setTlsStrategy(tlsStrategy) + .build(); + builder.setConnectionManager(cm); + if (httpVersionPolicy != null) { + builder.setVersionPolicy(httpVersionPolicy); + } + return builder; + }); return new RestHighLevelClient(restClientBuilder); } catch (Exception e) { log.error("Cannot create client", e); @@ -210,7 +221,7 @@ public void waitForInit(Client client) { retainedException = Optional.empty(); return; } catch (OpenSearchSecurityException ex) { - if(ex.getMessage().contains("OpenSearch Security not initialized")) { + if (ex.getMessage().contains("OpenSearch Security not initialized")) { retainedException = Optional.of(ex); try { Thread.sleep(500); @@ -227,7 +238,11 @@ public void waitForInit(Client client) { } } - public static Settings.Builder nodeRolesSettings(final Settings.Builder settingsBuilder, final boolean isClusterManager, final boolean isDataNode) { + public static Settings.Builder nodeRolesSettings( + final Settings.Builder settingsBuilder, + final boolean isClusterManager, + final boolean isDataNode + ) { final ImmutableList.Builder nodeRolesBuilder = ImmutableList.builder(); if (isDataNode) { nodeRolesBuilder.add(DiscoveryNodeRole.DATA_ROLE.roleName()); 
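Review bot: The two `FileInputStream`s opened in `getRestClient` (`keyStore.load(new FileInputStream(keyStoreFile), null)` and `trustStore.load(new FileInputStream(trustStoreFile), "changeit".toCharArray())`) are never closed, so every client built by a test leaks a file descriptor; both loads should sit in try-with-resources, as below. Separately, the protocol list `{ "TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3" }` together with `NoopHostnameVerifier.INSTANCE` is acceptable only because this is the test client talking to a test cluster; a comment such as `// test-only client: offers legacy protocols and skips hostname verification so tests can exercise them` would stop the block from being copied as-is into non-test code. The method's `catch` and closing brace lie outside this hunk.
```java
File keyStoreFile = FileHelper.getAbsoluteFilePathFromClassPath(prefix + keyStoreName).toFile();
KeyStore keyStore = KeyStore.getInstance(keyStoreName.endsWith(".jks") ? "JKS" : "PKCS12");
try (FileInputStream in = new FileInputStream(keyStoreFile)) {
    keyStore.load(in, null);
}
sslContextBuilder.loadKeyMaterial(keyStore, "changeit".toCharArray());

KeyStore trustStore = KeyStore.getInstance(trustStoreName.endsWith(".jks") ? "JKS" : "PKCS12");
File trustStoreFile = FileHelper.getAbsoluteFilePathFromClassPath(prefix + trustStoreName).toFile();
try (FileInputStream in = new FileInputStream(trustStoreFile)) {
    trustStore.load(in, "changeit".toCharArray());
}
// … unchanged: loadTrustMaterial, SSLContext build, RestClientBuilder callback …
```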
@@ -245,29 +260,29 @@ public static Settings.Builder mergeNodeRolesAndSettings(final Settings.Builder .addAll(settingsBuilder.build().getAsList(NODE_ROLE_KEY, ImmutableList.of())) .addAll(otherSettings.getAsList(NODE_ROLE_KEY, ImmutableList.of())); - return settingsBuilder.put(otherSettings) - .putList(NODE_ROLE_KEY, originalRoles.build().asList()); + return settingsBuilder.put(otherSettings).putList(NODE_ROLE_KEY, originalRoles.build().asList()); } - protected void initialize(ClusterHelper clusterHelper, ClusterInfo clusterInfo, DynamicSecurityConfig securityConfig) throws IOException { + protected void initialize(ClusterHelper clusterHelper, ClusterInfo clusterInfo, DynamicSecurityConfig securityConfig) + throws IOException { try (Client tc = clusterHelper.nodeClient()) { - Assert.assertEquals(clusterInfo.numNodes, - tc.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); + Assert.assertEquals(clusterInfo.numNodes, tc.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); try { tc.admin().indices().create(new CreateIndexRequest(".opendistro_security")).actionGet(); } catch (Exception e) { - //ignore + // ignore } List indexRequests = securityConfig.getDynamicConfig(getResourceFolder()); - for(IndexRequest ir: indexRequests) { + for (IndexRequest ir : indexRequests) { tc.index(ir).actionGet(); } - ConfigUpdateResponse cur = tc - .execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(CType.lcStringValues().toArray(new String[0]))) - .actionGet(); + ConfigUpdateResponse cur = tc.execute( + ConfigUpdateAction.INSTANCE, + new ConfigUpdateRequest(CType.lcStringValues().toArray(new String[0])) + ).actionGet(); Assert.assertFalse(cur.failures().toString(), cur.hasFailures()); Assert.assertEquals(clusterInfo.numNodes, cur.getNodes().size()); 
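Review bot: In `initialize` the `catch (Exception e) { // ignore }` around `tc.admin().indices().create(new CreateIndexRequest(".opendistro_security"))` swallows every failure, not just the "index already exists" case the comment appears to mean, so a permission or cluster error at this step only surfaces later as a confusing failure of the index writes that follow. Catching the specific exception and saying why makes the intent visible: `} catch (ResourceAlreadyExistsException ignored) { // security index left over from an earlier test run }`. `initialize` continues past the end of this hunk.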
@@ -278,22 +293,27 @@ protected void initialize(ClusterHelper clusterHelper, ClusterInfo clusterInfo, protected Settings.Builder minimumSecuritySettingsBuilder(int node, boolean sslOnly, Settings other) { - final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/"; + final String prefix = getResourceFolder() == null ? "" : getResourceFolder() + "/"; Settings.Builder builder = Settings.builder() - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL); + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL); // If custom transport settings are not defined use defaults if (!hasCustomTransportSettings(other)) { builder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath(prefix+"node-0-keystore.jks")) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks")) + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath(prefix + "node-0-keystore.jks") + ) + .put( + SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, + FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks") + ) .put("plugins.security.ssl.transport.enforce_hostname_verification", false); } - if(!sslOnly) { + if (!sslOnly) { builder.putList("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=tEst, C=De"); builder.put(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, false); } 
@@ -340,8 +360,8 @@ protected NodeSettingsSupplier genericMinimumSecuritySettings(List oth assert i > 0; // i is 1-indexed // Set to default if input does not have value at (i-1) index - boolean sslOnlyFlag = i > sslOnly.size() ? false : sslOnly.get(i-1); - Settings settings = i > others.size() ? Settings.EMPTY : others.get(i-1); + boolean sslOnlyFlag = i > sslOnly.size() ? false : sslOnly.get(i - 1); + Settings settings = i > others.size() ? Settings.EMPTY : others.get(i - 1); return minimumSecuritySettingsBuilder(i, sslOnlyFlag, settings).build(); }; @@ -363,7 +383,6 @@ protected String getResourceFolder() { return null; } - /** * Check if transport certs are is mentioned in the custom settings * @param customSettings custom settings from the test class @@ -371,7 +390,7 @@ protected String getResourceFolder() { */ protected boolean hasCustomTransportSettings(Settings customSettings) { // If Transport key extended usage is enabled this is true - return Boolean.parseBoolean(customSettings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED)) || - customSettings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH) != null; + return Boolean.parseBoolean(customSettings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED)) + || customSettings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH) != null; } } diff --git a/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java b/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java index 3573c7c274..9213d36070 100644 --- a/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java +++ b/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java 
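Review bot: The reformatted line `boolean sslOnlyFlag = i > sslOnly.size() ? false : sslOnly.get(i - 1);` uses a conditional expression whose one branch is the literal `false`; `boolean sslOnlyFlag = i <= sslOnly.size() && sslOnly.get(i - 1);` reads as the boundary check it is and keeps the same result. The `Settings settings = …` line next to it is fine as a ternary because both branches carry a value. The lambda this sits in starts outside the hunk.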
@@ -45,8 +45,8 @@ public class DynamicSecurityConfig { private String securityInternalUsers = "internal_users.yml"; private String securityActionGroups = "action_groups.yml"; private String securityNodesDn = "nodes_dn.yml"; - private String securityWhitelist= "whitelist.yml"; - private String securityAllowlist= "allowlist.yml"; + private String securityWhitelist = "whitelist.yml"; + private String securityAllowlist = "allowlist.yml"; private String securityAudit = "audit.yml"; private String securityConfigAsYamlString = null; private String legacyConfigFolder = ""; @@ -95,12 +95,12 @@ public DynamicSecurityConfig setSecurityNodesDn(String nodesDn) { return this; } - public DynamicSecurityConfig setSecurityWhitelist(String whitelist){ + public DynamicSecurityConfig setSecurityWhitelist(String whitelist) { this.securityWhitelist = whitelist; return this; } - public DynamicSecurityConfig setSecurityAllowlist(String allowlist){ + public DynamicSecurityConfig setSecurityAllowlist(String allowlist) { this.securityAllowlist = allowlist; return this; } 
@@ -117,71 +117,86 @@ public DynamicSecurityConfig setLegacy() { public List getDynamicConfig(String folder) { - final String prefix = legacyConfigFolder+(folder == null?"":folder+"/"); + final String prefix = legacyConfigFolder + (folder == null ? "" : folder + "/"); List ret = new ArrayList(); - ret.add(new IndexRequest(securityIndexName) - .id(CType.CONFIG.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.CONFIG.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.CONFIG.toLCString(), securityConfigAsYamlString==null? FileHelper.readYamlContent(prefix+securityConfig):FileHelper.readYamlContentFromString(securityConfigAsYamlString))); - - ret.add(new IndexRequest(securityIndexName) - .id(CType.ACTIONGROUPS.toLCString()) + .source( + CType.CONFIG.toLCString(), + securityConfigAsYamlString == null + ? FileHelper.readYamlContent(prefix + securityConfig) + : FileHelper.readYamlContentFromString(securityConfigAsYamlString) + ) + ); + + ret.add( + new IndexRequest(securityIndexName).id(CType.ACTIONGROUPS.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.ACTIONGROUPS.toLCString(), FileHelper.readYamlContent(prefix+securityActionGroups))); + .source(CType.ACTIONGROUPS.toLCString(), FileHelper.readYamlContent(prefix + securityActionGroups)) + ); - ret.add(new IndexRequest(securityIndexName) - .id(CType.INTERNALUSERS.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.INTERNALUSERS.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.INTERNALUSERS.toLCString(), FileHelper.readYamlContent(prefix+securityInternalUsers))); + .source(CType.INTERNALUSERS.toLCString(), FileHelper.readYamlContent(prefix + securityInternalUsers)) + ); - ret.add(new IndexRequest(securityIndexName) - .id(CType.ROLES.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.ROLES.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.ROLES.toLCString(), 
FileHelper.readYamlContent(prefix+securityRoles))); + .source(CType.ROLES.toLCString(), FileHelper.readYamlContent(prefix + securityRoles)) + ); - ret.add(new IndexRequest(securityIndexName) - .id(CType.ROLESMAPPING.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.ROLESMAPPING.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.ROLESMAPPING.toLCString(), FileHelper.readYamlContent(prefix+securityRolesMapping))); - if("".equals(legacyConfigFolder)) { - ret.add(new IndexRequest(securityIndexName) - .id(CType.TENANTS.toLCString()) + .source(CType.ROLESMAPPING.toLCString(), FileHelper.readYamlContent(prefix + securityRolesMapping)) + ); + if ("".equals(legacyConfigFolder)) { + ret.add( + new IndexRequest(securityIndexName).id(CType.TENANTS.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.TENANTS.toLCString(), FileHelper.readYamlContent(prefix+securityTenants))); + .source(CType.TENANTS.toLCString(), FileHelper.readYamlContent(prefix + securityTenants)) + ); } if (null != FileHelper.getAbsoluteFilePathFromClassPath(prefix + securityNodesDn)) { - ret.add(new IndexRequest(securityIndexName) - .id(CType.NODESDN.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.NODESDN.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.NODESDN.toLCString(), FileHelper.readYamlContent(prefix + securityNodesDn))); + .source(CType.NODESDN.toLCString(), FileHelper.readYamlContent(prefix + securityNodesDn)) + ); } final String whitelistYmlFile = prefix + securityWhitelist; if (null != FileHelper.getAbsoluteFilePathFromClassPath(whitelistYmlFile)) { - ret.add(new IndexRequest(securityIndexName) - .id(CType.WHITELIST.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.WHITELIST.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.WHITELIST.toLCString(), FileHelper.readYamlContent(whitelistYmlFile))); + .source(CType.WHITELIST.toLCString(), 
FileHelper.readYamlContent(whitelistYmlFile)) + ); } final String allowlistYmlFile = prefix + securityAllowlist; if (null != FileHelper.getAbsoluteFilePathFromClassPath(allowlistYmlFile)) { - ret.add(new IndexRequest(securityIndexName) - .id(CType.ALLOWLIST.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.ALLOWLIST.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.ALLOWLIST.toLCString(), FileHelper.readYamlContent(allowlistYmlFile))); + .source(CType.ALLOWLIST.toLCString(), FileHelper.readYamlContent(allowlistYmlFile)) + ); } final String auditYmlFile = prefix + securityAudit; if (null != FileHelper.getAbsoluteFilePathFromClassPath(auditYmlFile)) { - ret.add(new IndexRequest(securityIndexName) - .id(CType.AUDIT.toLCString()) + ret.add( + new IndexRequest(securityIndexName).id(CType.AUDIT.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.AUDIT.toLCString(), FileHelper.readYamlContent(auditYmlFile))); + .source(CType.AUDIT.toLCString(), FileHelper.readYamlContent(auditYmlFile)) + ); } return Collections.unmodifiableList(ret); diff --git a/src/test/java/org/opensearch/security/test/SingleClusterTest.java b/src/test/java/org/opensearch/security/test/SingleClusterTest.java index 0c2f3bfc07..2839e1e283 100644 --- a/src/test/java/org/opensearch/security/test/SingleClusterTest.java +++ b/src/test/java/org/opensearch/security/test/SingleClusterTest.java 
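Review bot: `getDynamicConfig` now spells out the same `new IndexRequest(securityIndexName).id(type.toLCString()).setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(type.toLCString(), content)` shape nine times, and the reformatting has made each copy six lines long; a private helper taking the `CType` and the parsed YAML content, with the type-specific choice of content left at the call sites, would cut the method to roughly a third and make the `CONFIG` case (the only one with a string-versus-file choice) stand out. The helper's one-line purpose would be "build a refreshed IndexRequest for one security config document". The method's closing brace lies outside the hunk.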
@@ -48,10 +48,13 @@ public abstract class SingleClusterTest extends AbstractSecurityUnitTest { private static final int DEFAULT_CLUSTER_MANAGER_NODE_NUM = 3; private static final int DEFAULT_FIRST_DATA_NODE_NUM = 2; - protected ClusterHelper clusterHelper = new ClusterHelper("utest_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime()); + protected ClusterHelper clusterHelper = new ClusterHelper( + "utest_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime() + ); protected ClusterInfo clusterInfo; - private ClusterHelper remoteClusterHelper = withRemoteCluster ? - new ClusterHelper("crl2_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime()) : null; + private ClusterHelper remoteClusterHelper = withRemoteCluster + ? new ClusterHelper("crl2_n" + num.incrementAndGet() + "_f" + System.getProperty("forkno") + "_t" + System.nanoTime()) + : null; private ClusterInfo remoteClusterInfo; protected void setup(Settings nodeOverride) throws Exception { 
@@ -66,48 +69,71 @@ protected void setup() throws Exception { setup(Settings.EMPTY, new DynamicSecurityConfig(), Settings.EMPTY, true); } - protected void setup(Settings initTransportClientSettings, DynamicSecurityConfig dynamicSecuritySettings, Settings nodeOverride) throws Exception { + protected void setup(Settings initTransportClientSettings, DynamicSecurityConfig dynamicSecuritySettings, Settings nodeOverride) + throws Exception { setup(initTransportClientSettings, dynamicSecuritySettings, nodeOverride, true); } - protected void setup(Settings initTransportClientSettings, DynamicSecurityConfig dynamicSecuritySettings, Settings nodeOverride, boolean initSecurityIndex) throws Exception { + protected void setup( + Settings initTransportClientSettings, + DynamicSecurityConfig dynamicSecuritySettings, + Settings nodeOverride, + boolean initSecurityIndex + ) throws Exception { setup(initTransportClientSettings, dynamicSecuritySettings, nodeOverride, initSecurityIndex, ClusterConfiguration.DEFAULT); } - protected void restart(Settings initTransportClientSettings, DynamicSecurityConfig dynamicSecuritySettings, Settings nodeOverride, boolean initOpendistroSecurityIndex) throws Exception { + protected void restart( + Settings initTransportClientSettings, + DynamicSecurityConfig dynamicSecuritySettings, + Settings nodeOverride, + boolean initOpendistroSecurityIndex + ) throws Exception { clusterInfo = clusterHelper.startCluster(minimumSecuritySettings(ccs(nodeOverride)), ClusterConfiguration.DEFAULT); - if(initOpendistroSecurityIndex && dynamicSecuritySettings != null) { + if (initOpendistroSecurityIndex && dynamicSecuritySettings != null) { initialize(clusterHelper, clusterInfo, dynamicSecuritySettings); } } private Settings ccs(Settings nodeOverride) throws Exception { - if(remoteClusterHelper != null) { + if (remoteClusterHelper != null) { Assert.assertNull("No remote clusters", remoteClusterInfo); remoteClusterInfo = 
remoteClusterHelper.startCluster(minimumSecuritySettings(Settings.EMPTY), ClusterConfiguration.SINGLENODE); Settings.Builder builder = Settings.builder() - .put(nodeOverride) - .putList("cluster.remote.cross_cluster_two.seeds", remoteClusterInfo.nodeHost+":"+remoteClusterInfo.nodePort); + .put(nodeOverride) + .putList("cluster.remote.cross_cluster_two.seeds", remoteClusterInfo.nodeHost + ":" + remoteClusterInfo.nodePort); return builder.build(); } else { return nodeOverride; } } - - protected void setup(Settings initTransportClientSettings, DynamicSecurityConfig dynamicSecuritySettings, Settings nodeOverride, boolean initSecurityIndex, ClusterConfiguration clusterConfiguration) throws Exception { + protected void setup( + Settings initTransportClientSettings, + DynamicSecurityConfig dynamicSecuritySettings, + Settings nodeOverride, + boolean initSecurityIndex, + ClusterConfiguration clusterConfiguration + ) throws Exception { Assert.assertNull("No cluster", clusterInfo); clusterInfo = clusterHelper.startCluster(minimumSecuritySettings(ccs(nodeOverride)), clusterConfiguration); - if(initSecurityIndex && dynamicSecuritySettings != null) { + if (initSecurityIndex && dynamicSecuritySettings != null) { initialize(clusterHelper, clusterInfo, dynamicSecuritySettings); } } - protected void setup(Settings initTransportClientSettings, DynamicSecurityConfig dynamicSecuritySettings, Settings nodeOverride - , boolean initSecurityIndex, ClusterConfiguration clusterConfiguration, int timeout, Integer nodes) throws Exception { + protected void setup( + Settings initTransportClientSettings, + DynamicSecurityConfig dynamicSecuritySettings, + Settings nodeOverride, + boolean initSecurityIndex, + ClusterConfiguration clusterConfiguration, + int timeout, + Integer nodes + ) throws Exception { Assert.assertNull("No cluster", clusterInfo); clusterInfo = clusterHelper.startCluster(minimumSecuritySettings(ccs(nodeOverride)), clusterConfiguration, timeout, nodes); - if(initSecurityIndex) { 
+ if (initSecurityIndex) { initialize(clusterHelper, clusterInfo, dynamicSecuritySettings); } } @@ -119,20 +145,24 @@ protected void setupSslOnlyMode(Settings nodeOverride) throws Exception { protected void setupSslOnlyModeWithClusterManagerNodeWithoutSSL(Settings nodeOverride) throws Exception { Assert.assertNull("No cluster", clusterInfo); - clusterInfo = clusterHelper.startCluster(minimumSecuritySettingsSslOnlyWithOneNodeNonSSL(nodeOverride, - DEFAULT_CLUSTER_MANAGER_NODE_NUM), ClusterConfiguration.DEFAULT_CLUSTER_MANAGER_WITHOUT_SECURITY_PLUGIN); + clusterInfo = clusterHelper.startCluster( + minimumSecuritySettingsSslOnlyWithOneNodeNonSSL(nodeOverride, DEFAULT_CLUSTER_MANAGER_NODE_NUM), + ClusterConfiguration.DEFAULT_CLUSTER_MANAGER_WITHOUT_SECURITY_PLUGIN + ); } protected void setupSslOnlyModeWithDataNodeWithoutSSL(Settings nodeOverride) throws Exception { Assert.assertNull("No cluster", clusterInfo); - clusterInfo = clusterHelper.startCluster(minimumSecuritySettingsSslOnlyWithOneNodeNonSSL(nodeOverride, - DEFAULT_FIRST_DATA_NODE_NUM), ClusterConfiguration.DEFAULT_ONE_DATA_NODE_WITHOUT_SECURITY_PLUGIN); + clusterInfo = clusterHelper.startCluster( + minimumSecuritySettingsSslOnlyWithOneNodeNonSSL(nodeOverride, DEFAULT_FIRST_DATA_NODE_NUM), + ClusterConfiguration.DEFAULT_ONE_DATA_NODE_WITHOUT_SECURITY_PLUGIN + ); } - protected void setupGenericNodes(List nodeOverride, List sslOnly, ClusterConfiguration clusterConfiguration) throws Exception { + protected void setupGenericNodes(List nodeOverride, List sslOnly, ClusterConfiguration clusterConfiguration) + throws Exception { Assert.assertNull("No cluster", clusterInfo); - clusterInfo = clusterHelper.startCluster(genericMinimumSecuritySettings(nodeOverride, sslOnly), - clusterConfiguration); + clusterInfo = clusterHelper.startCluster(genericMinimumSecuritySettings(nodeOverride, sslOnly), clusterConfiguration); } protected RestHelper restHelper() { 
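Review bot: The seven-argument `setup` overload at the end of the -66 hunk guards initialization with only `if (initSecurityIndex) {`, while the five-argument `setup` and `restart` in the same hunk use `if (initSecurityIndex && dynamicSecuritySettings != null) {`; a caller passing a null config with `initSecurityIndex == true` gets a `NullPointerException` inside `initialize` from this overload but is silently skipped by the others. Making the condition `if (initSecurityIndex && dynamicSecuritySettings != null) {` here keeps the overloads consistent. The -119 hunk on this line is formatting only.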
@@ -147,11 +177,10 @@ protected Client getClient() { return clusterHelper.nodeClient(); } - @After public void tearDown() { - if(remoteClusterInfo != null) { + if (remoteClusterInfo != null) { try { remoteClusterHelper.stopCluster(); } catch (Exception e) { @@ -161,7 +190,7 @@ public void tearDown() { remoteClusterInfo = null; } - if(clusterInfo != null) { + if (clusterInfo != null) { try { clusterHelper.stopCluster(); } catch (Exception e) { diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java index 5a0c41fd33..e9b503e669 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java 
@@ -45,90 +45,111 @@ import org.opensearch.transport.Netty4ModulePlugin; public enum ClusterConfiguration { - //first one needs to be a cluster manager - //HUGE(new NodeSettings(true, false, false), new NodeSettings(true, false, false), new NodeSettings(true, false, false), new NodeSettings(false, true,false), new NodeSettings(false, true, false)), + // first one needs to be a cluster manager + // HUGE(new NodeSettings(true, false, false), new NodeSettings(true, false, false), new NodeSettings(true, false, false), new + // NodeSettings(false, true,false), new NodeSettings(false, true, false)), - //3 nodes (1m, 2d) + // 3 nodes (1m, 2d) DEFAULT(new NodeSettings(true, false), new NodeSettings(false, true), new NodeSettings(false, true)), - //2 nodes (1m, 3d) - ONE_CLUSTER_MANAGER_THREE_DATA(new NodeSettings(true, false), new NodeSettings(false, true), new NodeSettings(false, true), new NodeSettings(false, true)), - - DEFAULT_CLUSTER_MANAGER_WITHOUT_SECURITY_PLUGIN(new NodeSettings(true, false) - .removePluginIfPresent(OpenSearchSecurityPlugin.class) - , new NodeSettings(false, true) - , new NodeSettings(false, true)), - - DEFAULT_ONE_DATA_NODE_WITHOUT_SECURITY_PLUGIN(new NodeSettings(true, false) - , new NodeSettings(false, true).removePluginIfPresent(OpenSearchSecurityPlugin.class) - , new NodeSettings(false, true)), - - //1 node (1md) - SINGLENODE(new NodeSettings(true, true)), - - //4 node (1m, 2d, 1c) - CLIENTNODE(new NodeSettings(true, false), new NodeSettings(false, true), new NodeSettings(false, true), new NodeSettings(false, false)), - - //3 nodes (1m, 2d) plus additional UserInjectorPlugin - USERINJECTOR(new NodeSettings(true, false, Lists.newArrayList(UserInjectorPlugin.class)), new NodeSettings(false, true, Lists.newArrayList(UserInjectorPlugin.class)), new NodeSettings(false, true, Lists.newArrayList(UserInjectorPlugin.class))); - - private List nodeSettings = new LinkedList<>(); - - private ClusterConfiguration(NodeSettings ... 
settings) { - nodeSettings.addAll(Arrays.asList(settings)); - } + // 2 nodes (1m, 3d) + ONE_CLUSTER_MANAGER_THREE_DATA( + new NodeSettings(true, false), + new NodeSettings(false, true), + new NodeSettings(false, true), + new NodeSettings(false, true) + ), + + DEFAULT_CLUSTER_MANAGER_WITHOUT_SECURITY_PLUGIN( + new NodeSettings(true, false).removePluginIfPresent(OpenSearchSecurityPlugin.class), + new NodeSettings(false, true), + new NodeSettings(false, true) + ), + + DEFAULT_ONE_DATA_NODE_WITHOUT_SECURITY_PLUGIN( + new NodeSettings(true, false), + new NodeSettings(false, true).removePluginIfPresent(OpenSearchSecurityPlugin.class), + new NodeSettings(false, true) + ), + + // 1 node (1md) + SINGLENODE(new NodeSettings(true, true)), + + // 4 node (1m, 2d, 1c) + CLIENTNODE(new NodeSettings(true, false), new NodeSettings(false, true), new NodeSettings(false, true), new NodeSettings(false, false)), + + // 3 nodes (1m, 2d) plus additional UserInjectorPlugin + USERINJECTOR( + new NodeSettings(true, false, Lists.newArrayList(UserInjectorPlugin.class)), + new NodeSettings(false, true, Lists.newArrayList(UserInjectorPlugin.class)), + new NodeSettings(false, true, Lists.newArrayList(UserInjectorPlugin.class)) + ); + + private List nodeSettings = new LinkedList<>(); + + private ClusterConfiguration(NodeSettings... 
settings) { + nodeSettings.addAll(Arrays.asList(settings)); + } - public List getNodeSettings() { - return Collections.unmodifiableList(nodeSettings); - } + public List getNodeSettings() { + return Collections.unmodifiableList(nodeSettings); + } - public List getClusterManagerNodeSettings() { - return Collections.unmodifiableList(nodeSettings.stream().filter(a->a.clusterManagerNode).collect(Collectors.toList())); + public List getClusterManagerNodeSettings() { + return Collections.unmodifiableList(nodeSettings.stream().filter(a -> a.clusterManagerNode).collect(Collectors.toList())); } - public List getNonClusterManagerNodeSettings() { - return Collections.unmodifiableList(nodeSettings.stream().filter(a->!a.clusterManagerNode).collect(Collectors.toList())); + public List getNonClusterManagerNodeSettings() { + return Collections.unmodifiableList(nodeSettings.stream().filter(a -> !a.clusterManagerNode).collect(Collectors.toList())); } - public int getNodes() { + public int getNodes() { return nodeSettings.size(); } - public int getClusterManagerNodes() { - return (int) nodeSettings.stream().filter(a->a.clusterManagerNode).count(); + public int getClusterManagerNodes() { + return (int) nodeSettings.stream().filter(a -> a.clusterManagerNode).count(); } - public int getDataNodes() { - return (int) nodeSettings.stream().filter(a->a.dataNode).count(); + public int getDataNodes() { + return (int) nodeSettings.stream().filter(a -> a.dataNode).count(); } - public int getClientNodes() { - return (int) nodeSettings.stream().filter(a->!a.clusterManagerNode && !a.dataNode).count(); + public int getClientNodes() { + return (int) nodeSettings.stream().filter(a -> !a.clusterManagerNode && !a.dataNode).count(); } - public static class NodeSettings { - public boolean clusterManagerNode; - public boolean dataNode; - public List> plugins = Lists.newArrayList(Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MatrixAggregationModulePlugin.class, MustacheModulePlugin.class, 
ParentJoinModulePlugin.class, PercolatorModulePlugin.class, ReindexModulePlugin.class); - - public NodeSettings(boolean clusterManagerNode, boolean dataNode) { - super(); - this.clusterManagerNode = clusterManagerNode; - this.dataNode = dataNode; - } + public static class NodeSettings { + public boolean clusterManagerNode; + public boolean dataNode; + public List> plugins = Lists.newArrayList( + Netty4ModulePlugin.class, + OpenSearchSecurityPlugin.class, + MatrixAggregationModulePlugin.class, + MustacheModulePlugin.class, + ParentJoinModulePlugin.class, + PercolatorModulePlugin.class, + ReindexModulePlugin.class + ); + + public NodeSettings(boolean clusterManagerNode, boolean dataNode) { + super(); + this.clusterManagerNode = clusterManagerNode; + this.dataNode = dataNode; + } - public NodeSettings(boolean clusterManagerNode, boolean dataNode, List> additionalPlugins) { + public NodeSettings(boolean clusterManagerNode, boolean dataNode, List> additionalPlugins) { this(clusterManagerNode, dataNode); this.plugins.addAll(additionalPlugins); } - public NodeSettings removePluginIfPresent(Class pluginToRemove){ - this.plugins.remove(pluginToRemove); - return this; - } + public NodeSettings removePluginIfPresent(Class pluginToRemove) { + this.plugins.remove(pluginToRemove); + return this; + } - public Class[] getPlugins() { - return plugins.toArray(new Class[0] ); - } - } + public Class[] getPlugins() { + return plugins.toArray(new Class[0]); + } + } } diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java index efa0a8f89d..e60fab8e48 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java 
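Review bot: The comment above ONE_CLUSTER_MANAGER_THREE_DATA still reads `// 2 nodes (1m, 3d)` although the constant lists four NodeSettings, so the reformat preserved a wrong count; it should read `// 4 nodes (1m, 3d)`. The two *_WITHOUT_SECURITY_PLUGIN constants are the only ones without a node-count comment; a line such as `// 3 nodes (1m, 2d), cluster manager node started without the security plugin` keeps the enum's convention and makes it explicit that one node in that topology is intentionally unprotected.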
@@ -78,7 +78,7 @@ public final class ClusterHelper { /** Resets all system properties associated with a cluster */ public static void resetSystemProperties() { System.setProperty("opensearch.enforce.bootstrap.checks", "true"); - updateDefaultDirectory(new File( SingleClusterTest.PROJECT_ROOT_RELATIVE_PATH + "config").getAbsolutePath()); + updateDefaultDirectory(new File(SingleClusterTest.PROJECT_ROOT_RELATIVE_PATH + "config").getAbsolutePath()); } /** @@ -115,12 +115,17 @@ public String getClusterName() { * @throws Exception */ - public final ClusterInfo startCluster(final NodeSettingsSupplier nodeSettingsSupplier, ClusterConfiguration clusterConfiguration) throws Exception { + public final ClusterInfo startCluster(final NodeSettingsSupplier nodeSettingsSupplier, ClusterConfiguration clusterConfiguration) + throws Exception { return startCluster(nodeSettingsSupplier, clusterConfiguration, 10, null); } - public final synchronized ClusterInfo startCluster(final NodeSettingsSupplier nodeSettingsSupplier, ClusterConfiguration clusterConfiguration, int timeout, Integer nodes) - throws Exception { + public final synchronized ClusterInfo startCluster( + final NodeSettingsSupplier nodeSettingsSupplier, + ClusterConfiguration clusterConfiguration, + int timeout, + Integer nodes + ) throws Exception { switch (clusterState) { case UNINITIALIZED: 
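Review bot: The two-argument startCluster overload delegates with a bare literal `10` for the timeout, and the Javadoc block that closes just above it ends with a `@throws Exception` that carries no description. A named constant, `private static final int DEFAULT_CLUSTER_START_TIMEOUT_SECONDS = 10;`, used as `return startCluster(nodeSettingsSupplier, clusterConfiguration, DEFAULT_CLUSTER_START_TIMEOUT_SECONDS, null);` makes the unit visible at the call site (the later hunk wraps it in `TimeValue.timeValueSeconds(timeout)`), and the Javadoc should state when the exception is raised, presumably when not all nodes start or the cluster does not become healthy in time.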
@@ -140,27 +145,40 @@ public final synchronized ClusterInfo startCluster(final NodeSettingsSupplier no final String forkno = System.getProperty("forkno"); int forkNumber = 1; - if(forkno != null && forkno.length() > 0) { + if (forkno != null && forkno.length() > 0) { forkNumber = Integer.parseInt(forkno.split("_")[1]); } - final int min = SocketUtils.PORT_RANGE_MIN+(forkNumber*5000); - final int max = SocketUtils.PORT_RANGE_MIN+((forkNumber+1)*5000)-1; + final int min = SocketUtils.PORT_RANGE_MIN + (forkNumber * 5000); + final int max = SocketUtils.PORT_RANGE_MIN + ((forkNumber + 1) * 5000) - 1; - final SortedSet freePorts = SocketUtils.findAvailableTcpPorts(internalNodeSettings.size()*2, min, max); - assert freePorts.size() == internalNodeSettings.size()*2; + final SortedSet freePorts = SocketUtils.findAvailableTcpPorts(internalNodeSettings.size() * 2, min, max); + assert freePorts.size() == internalNodeSettings.size() * 2; final SortedSet tcpClusterManagerPortsOnly = new TreeSet(); final SortedSet tcpAllPorts = new TreeSet(); - freePorts.stream().limit(clusterConfiguration.getClusterManagerNodes()).forEach(el->tcpClusterManagerPortsOnly.add(el)); - freePorts.stream().limit(internalNodeSettings.size()).forEach(el->tcpAllPorts.add(el)); + freePorts.stream().limit(clusterConfiguration.getClusterManagerNodes()).forEach(el -> tcpClusterManagerPortsOnly.add(el)); + freePorts.stream().limit(internalNodeSettings.size()).forEach(el -> tcpAllPorts.add(el)); final Iterator tcpPortsAllIt = tcpAllPorts.iterator(); final SortedSet httpPorts = new TreeSet(); - freePorts.stream().skip(internalNodeSettings.size()).limit(internalNodeSettings.size()).forEach(el->httpPorts.add(el)); + freePorts.stream().skip(internalNodeSettings.size()).limit(internalNodeSettings.size()).forEach(el -> httpPorts.add(el)); final Iterator httpPortsIt = httpPorts.iterator(); - System.out.println("tcpClusterManagerPorts: "+tcpClusterManagerPortsOnly+"/tcpAllPorts: "+tcpAllPorts+"/httpPorts: "+httpPorts+" 
for ("+min+"-"+max+") fork "+forkNumber); + System.out.println( + "tcpClusterManagerPorts: " + + tcpClusterManagerPortsOnly + + "/tcpAllPorts: " + + tcpAllPorts + + "/httpPorts: " + + httpPorts + + " for (" + + min + + "-" + + max + + ") fork " + + forkNumber + ); final CountDownLatch latch = new CountDownLatch(internalNodeSettings.size()); @@ -174,7 +192,15 @@ public final synchronized ClusterInfo startCluster(final NodeSettingsSupplier no for (int i = 0; i < internalClusterManagerNodeSettings.size(); i++) { NodeSettings setting = internalClusterManagerNodeSettings.get(i); int nodeNum = nodeNumCounter--; - final Settings.Builder nodeSettingsBuilder = getMinimumNonSecurityNodeSettingsBuilder(nodeNum, setting.clusterManagerNode, setting.dataNode, internalNodeSettings.size(), tcpClusterManagerPortsOnly, tcpPortsAllIt.next(), httpPortsIt.next()); + final Settings.Builder nodeSettingsBuilder = getMinimumNonSecurityNodeSettingsBuilder( + nodeNum, + setting.clusterManagerNode, + setting.dataNode, + internalNodeSettings.size(), + tcpClusterManagerPortsOnly, + tcpPortsAllIt.next(), + httpPortsIt.next() + ); final Settings settingsForNode; if (nodeSettingsSupplier != null) { final Settings suppliedSettings = nodeSettingsSupplier.get(nodeNum); 
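Review bot: `forkNumber = Integer.parseInt(forkno.split("_")[1]);` is guarded only by a non-empty check, so a `forkno` system property without an underscore fails with ArrayIndexOutOfBoundsException and a non-numeric suffix with NumberFormatException, neither of which names the offending property; splitting first into `final String[] forkParts = forkno.split("_");` and throwing `new IllegalStateException("unexpected forkno format: " + forkno)` when `forkParts.length < 2` gives a readable failure. The port summary is printed with System.out.println although the class has a logger (`log.debug` is used in waitForCluster); `log.info("tcpClusterManagerPorts: {}/tcpAllPorts: {}/httpPorts: {} for ({}-{}) fork {}", tcpClusterManagerPortsOnly, tcpAllPorts, httpPorts, min, max, forkNumber);` keeps the same text as a parameterized message. startCluster's body starts and ends outside this hunk.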
@@ -206,7 +232,15 @@ public void run() { for (int i = 0; i < internalNonClusterManagerNodeSettings.size(); i++) { NodeSettings setting = internalNonClusterManagerNodeSettings.get(i); int nodeNum = nodeNumCounter--; - final Settings.Builder nodeSettingsBuilder = getMinimumNonSecurityNodeSettingsBuilder(nodeNum, setting.clusterManagerNode, setting.dataNode, internalNodeSettings.size(), tcpClusterManagerPortsOnly, tcpPortsAllIt.next(), httpPortsIt.next()); + final Settings.Builder nodeSettingsBuilder = getMinimumNonSecurityNodeSettingsBuilder( + nodeNum, + setting.clusterManagerNode, + setting.dataNode, + internalNodeSettings.size(), + tcpClusterManagerPortsOnly, + tcpPortsAllIt.next(), + httpPortsIt.next() + ); final Settings settingsForNode; if (nodeSettingsSupplier != null) { final Settings suppliedSettings = nodeSettingsSupplier.get(nodeNum); 
@@ -239,27 +273,34 @@ public void run() { latch.await(); - if(err.get() != null) { - throw new RuntimeException("Could not start all nodes "+err.get(),err.get()); + if (err.get() != null) { + throw new RuntimeException("Could not start all nodes " + err.get(), err.get()); } - ClusterInfo cInfo = waitForCluster(ClusterHealthStatus.GREEN, TimeValue.timeValueSeconds(timeout), nodes == null?opensearchNodes.size():nodes.intValue()); + ClusterInfo cInfo = waitForCluster( + ClusterHealthStatus.GREEN, + TimeValue.timeValueSeconds(timeout), + nodes == null ? opensearchNodes.size() : nodes.intValue() + ); cInfo.numNodes = internalNodeSettings.size(); cInfo.clustername = clustername; - cInfo.tcpClusterManagerPortsOnly = tcpClusterManagerPortsOnly.stream().map(s->"127.0.0.1:"+s).collect(Collectors.toList()); - - final String defaultTemplate = "{\n" + - " \"index_patterns\": [\"*\"],\n" + - " \"order\": -1,\n" + - " \"settings\": {\n" + - " \"number_of_shards\": \"5\",\n" + - " \"number_of_replicas\": \"1\"\n" + - " }\n" + - " }"; - - final AcknowledgedResponse templateAck = nodeClient().admin().indices().putTemplate(new PutIndexTemplateRequest("default").source(defaultTemplate, XContentType.JSON)).actionGet(); - - if(!templateAck.isAcknowledged()) { + cInfo.tcpClusterManagerPortsOnly = tcpClusterManagerPortsOnly.stream().map(s -> "127.0.0.1:" + s).collect(Collectors.toList()); + + final String defaultTemplate = "{\n" + + " \"index_patterns\": [\"*\"],\n" + + " \"order\": -1,\n" + + " \"settings\": {\n" + + " \"number_of_shards\": \"5\",\n" + + " \"number_of_replicas\": \"1\"\n" + + " }\n" + + " }"; + + final AcknowledgedResponse templateAck = nodeClient().admin() + .indices() + .putTemplate(new PutIndexTemplateRequest("default").source(defaultTemplate, XContentType.JSON)) + .actionGet(); + + if (!templateAck.isAcknowledged()) { throw new RuntimeException("Default template could not be created"); } 
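Review bot: Both failure exits in this stretch, `err.get() != null` and the unacknowledged default template, throw while the nodes started earlier in the method keep running, and the caller's tearDown in the SingleClusterTest hunk above only calls stopCluster when `clusterInfo` is non-null, which it never becomes when startCluster throws; the started nodes therefore appear to outlive the test together with their ports and data directories. Calling `closeAllNodes();` before each throw, e.g. `if (err.get() != null) { closeAllNodes(); throw new RuntimeException("Could not start all nodes " + err.get(), err.get()); }`, and likewise before `throw new RuntimeException("Default template could not be created");`, releases them. Whether an IOException from waitForCluster leaves the same leak depends on code outside this hunk; the method's body starts and ends outside it.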
@@ -269,15 +310,15 @@ public void run() { public final void stopCluster() throws Exception { closeAllNodes(); - FileUtils.deleteDirectory(new File("./target/data/"+clustername)); + FileUtils.deleteDirectory(new File("./target/data/" + clustername)); } - private void closeAllNodes() throws Exception { - //close non cluster manager nodes - opensearchNodes.stream().filter(n->!n.isClusterManagerEligible()).forEach(ClusterHelper::closeNode); + private void closeAllNodes() throws Exception { + // close non cluster manager nodes + opensearchNodes.stream().filter(n -> !n.isClusterManagerEligible()).forEach(ClusterHelper::closeNode); - //close cluster manager nodes - opensearchNodes.stream().filter(n->n.isClusterManagerEligible()).forEach(ClusterHelper::closeNode); + // close cluster manager nodes + opensearchNodes.stream().filter(n -> n.isClusterManagerEligible()).forEach(ClusterHelper::closeNode); opensearchNodes.clear(); clusterState = ClusterState.STOPPED; } @@ -287,16 +328,16 @@ private static void closeNode(Node node) { node.close(); node.awaitClose(250, TimeUnit.MILLISECONDS); } catch (Throwable e) { - //ignore + // ignore } } - public Client nodeClient() { return opensearchNodes.get(0).client(); } - public ClusterInfo waitForCluster(final ClusterHealthStatus status, final TimeValue timeout, final int expectedNodeCount) throws IOException { + public ClusterInfo waitForCluster(final ClusterHealthStatus status, final TimeValue timeout, final int expectedNodeCount) + throws IOException { if (opensearchNodes.isEmpty()) { throw new RuntimeException("List of nodes was empty."); } 
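Review bot: `catch (Throwable e) { // ignore }` in closeNode swallows everything, including the InterruptedException that the timed awaitClose presumably declares, without re-interrupting the thread or leaving any trace of a node that failed to close. Catching `InterruptedException` first with `Thread.currentThread().interrupt();` and logging the rest at debug level, `log.debug("closing node {} failed", node, e);`, keeps the best-effort behaviour while making a stuck node visible in the test logs. closeNode's signature is outside this hunk.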
@@ -307,12 +348,19 @@ public ClusterInfo waitForCluster(final ClusterHealthStatus status, final TimeVa Client client = node.client(); try { log.debug("waiting for cluster state {} and {} nodes", status.name(), expectedNodeCount); - final ClusterHealthResponse healthResponse = client.admin().cluster().prepareHealth() - .setWaitForStatus(status).setTimeout(timeout).setClusterManagerNodeTimeout(timeout).setWaitForNodes("" + expectedNodeCount).execute() - .actionGet(); + final ClusterHealthResponse healthResponse = client.admin() + .cluster() + .prepareHealth() + .setWaitForStatus(status) + .setTimeout(timeout) + .setClusterManagerNodeTimeout(timeout) + .setWaitForNodes("" + expectedNodeCount) + .execute() + .actionGet(); if (healthResponse.isTimedOut()) { - throw new IOException("cluster state is " + healthResponse.getStatus().name() + " with " - + healthResponse.getNumberOfNodes() + " nodes"); + throw new IOException( + "cluster state is " + healthResponse.getStatus().name() + " with " + healthResponse.getNumberOfNodes() + " nodes" + ); } else { log.debug("... cluster state ok {} with {} nodes", healthResponse.getStatus().name(), healthResponse.getNumberOfNodes()); } 
@@ -323,21 +371,32 @@ public ClusterInfo waitForCluster(final ClusterHealthStatus status, final TimeVa final List nodes = res.getNodes(); - final List clusterManagerNodes = nodes.stream().filter(n->n.getNode().getRoles().contains(DiscoveryNodeRole.CLUSTER_MANAGER_ROLE)).collect(Collectors.toList()); - final List dataNodes = nodes.stream().filter(n->n.getNode().getRoles().contains(DiscoveryNodeRole.DATA_ROLE) && !n.getNode().getRoles().contains(DiscoveryNodeRole.CLUSTER_MANAGER_ROLE)).collect(Collectors.toList()); + final List clusterManagerNodes = nodes.stream() + .filter(n -> n.getNode().getRoles().contains(DiscoveryNodeRole.CLUSTER_MANAGER_ROLE)) + .collect(Collectors.toList()); + final List dataNodes = nodes.stream() + .filter( + n -> n.getNode().getRoles().contains(DiscoveryNodeRole.DATA_ROLE) + && !n.getNode().getRoles().contains(DiscoveryNodeRole.CLUSTER_MANAGER_ROLE) + ) + .collect(Collectors.toList()); // Sorting the nodes so that the node receiving the http requests is always deterministic dataNodes.sort(Comparator.comparing(nodeInfo -> nodeInfo.getNode().getName())); - final List clientNodes = nodes.stream().filter(n->!n.getNode().getRoles().contains(DiscoveryNodeRole.CLUSTER_MANAGER_ROLE) && !n.getNode().getRoles().contains(DiscoveryNodeRole.DATA_ROLE)).collect(Collectors.toList()); - - - for (NodeInfo nodeInfo: clusterManagerNodes) { + final List clientNodes = nodes.stream() + .filter( + n -> !n.getNode().getRoles().contains(DiscoveryNodeRole.CLUSTER_MANAGER_ROLE) + && !n.getNode().getRoles().contains(DiscoveryNodeRole.DATA_ROLE) + ) + .collect(Collectors.toList()); + + for (NodeInfo nodeInfo : clusterManagerNodes) { final TransportInfo transportInfo = nodeInfo.getInfo(TransportInfo.class); final TransportAddress transportAddress = transportInfo.getAddress().publishAddress(); clusterInfo.nodePort = transportAddress.getPort(); clusterInfo.nodeHost = transportAddress.getAddress(); } - if(!clientNodes.isEmpty()) { + if (!clientNodes.isEmpty()) { NodeInfo 
nodeInfo = clientNodes.get(0); final HttpInfo httpInfo = nodeInfo.getInfo(HttpInfo.class); if (httpInfo != null && httpInfo.address() != null) { @@ -348,9 +407,9 @@ public ClusterInfo waitForCluster(final ClusterHealthStatus status, final TimeVa } else { throw new RuntimeException("no http host/port for client node"); } - } else if(!dataNodes.isEmpty()) { + } else if (!dataNodes.isEmpty()) { - for (NodeInfo nodeInfo: dataNodes) { + for (NodeInfo nodeInfo : dataNodes) { final HttpInfo httpInfo = nodeInfo.getInfo(HttpInfo.class); if (httpInfo != null && httpInfo.address() != null) { final TransportAddress transportAddress = httpInfo.address().publishAddress(); @@ -360,9 +419,9 @@ public ClusterInfo waitForCluster(final ClusterHealthStatus status, final TimeVa break; } } - } else { + } else { - for (NodeInfo nodeInfo: nodes) { + for (NodeInfo nodeInfo : nodes) { final HttpInfo httpInfo = nodeInfo.getInfo(HttpInfo.class); if (httpInfo != null && httpInfo.address() != null) { final TransportAddress transportAddress = httpInfo.address().publishAddress(); 
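Review bot: The `for (NodeInfo nodeInfo : clusterManagerNodes)` loop assigns `clusterInfo.nodePort` and `clusterInfo.nodeHost` on every iteration with no break, so with more than one cluster-manager node the published address is whichever entry the unsorted list yields last, while dataNodes are explicitly sorted for determinism two lines earlier. Either sort the list the same way, `clusterManagerNodes.sort(Comparator.comparing(nodeInfo -> nodeInfo.getNode().getName()));`, or take `clusterManagerNodes.get(0)` and add a comment stating that the transport address of a single cluster-manager node is published. waitForCluster's body starts and ends outside this hunk.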
@@ -374,32 +433,41 @@ public ClusterInfo waitForCluster(final ClusterHealthStatus status, final TimeVa } } } catch (final OpenSearchTimeoutException e) { - throw new IOException( - "timeout, cluster does not respond to health request, cowardly refusing to continue with operations"); + throw new IOException("timeout, cluster does not respond to health request, cowardly refusing to continue with operations"); } return clusterInfo; } // @formatter:off - private Settings.Builder getMinimumNonSecurityNodeSettingsBuilder(final int nodenum, final boolean isClusterManagerNode, - final boolean isDataNode, int nodeCount, SortedSet clusterManagerTcpPorts, int tcpPort, int httpPort) { + private Settings.Builder getMinimumNonSecurityNodeSettingsBuilder( + final int nodenum, + final boolean isClusterManagerNode, + final boolean isDataNode, + int nodeCount, + SortedSet clusterManagerTcpPorts, + int tcpPort, + int httpPort + ) { return AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), isClusterManagerNode, isDataNode) - .put("node.name", "node_"+clustername+ "_num" + nodenum) - .put("cluster.name", clustername) - .put("path.data", "./target/data/"+clustername+"/data") - .put("path.logs", "./target/data/"+clustername+"/logs") - .put("node.max_local_storage_nodes", nodeCount) - .putList("cluster.initial_cluster_manager_nodes", clusterManagerTcpPorts.stream().map(s->"127.0.0.1:"+s).collect(Collectors.toList())) - .put("discovery.initial_state_timeout","8s") - .putList("discovery.seed_hosts", clusterManagerTcpPorts.stream().map(s->"127.0.0.1:"+s).collect(Collectors.toList())) - .put("transport.tcp.port", tcpPort) - .put("http.port", httpPort) - .put("http.cors.enabled", true) - .put("path.home", "./target"); + .put("node.name", "node_" + clustername + "_num" + nodenum) + .put("cluster.name", clustername) + .put("path.data", "./target/data/" + clustername + "/data") + .put("path.logs", "./target/data/" + clustername + "/logs") + .put("node.max_local_storage_nodes", 
nodeCount) + .putList( + "cluster.initial_cluster_manager_nodes", + clusterManagerTcpPorts.stream().map(s -> "127.0.0.1:" + s).collect(Collectors.toList()) + ) + .put("discovery.initial_state_timeout", "8s") + .putList("discovery.seed_hosts", clusterManagerTcpPorts.stream().map(s -> "127.0.0.1:" + s).collect(Collectors.toList())) + .put("transport.tcp.port", tcpPort) + .put("http.port", httpPort) + .put("http.cors.enabled", true) + .put("path.home", "./target"); } - private enum ClusterState{ + private enum ClusterState { UNINITIALIZED, STARTED, STOPPED diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java index bb59450752..d50274e0e0 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java @@ -33,12 +33,12 @@ import org.opensearch.common.transport.TransportAddress; public class ClusterInfo { - public int numNodes; - public String httpHost = null; - public int httpPort = -1; - public Set httpAdresses = new HashSet(); - public String nodeHost; - public int nodePort; - public String clustername; + public int numNodes; + public String httpHost = null; + public int httpPort = -1; + public Set httpAdresses = new HashSet(); + public String nodeHost; + public int nodePort; + public String clustername; public List tcpClusterManagerPortsOnly; } diff --git a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java index 803088771a..acb4a7d217 100644 --- a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java 
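Review bot: `clusterManagerTcpPorts.stream().map(s -> "127.0.0.1:" + s).collect(Collectors.toList())` is evaluated twice in getMinimumNonSecurityNodeSettingsBuilder, once for `cluster.initial_cluster_manager_nodes` and once for `discovery.seed_hosts`; a local `final List<String> clusterManagerAddresses = clusterManagerTcpPorts.stream().map(s -> "127.0.0.1:" + s).collect(Collectors.toList());` passed to both putList calls makes it obvious that the two settings are meant to be identical. The `// @formatter:off` marker above the method survives although the method was reformatted by this commit; if the formatter now ignores it, it is a stale opt-out and should go, otherwise a comment should say what it protects. A short comment on `.put("http.cors.enabled", true)` saying that these are test-only nodes bound to 127.0.0.1 would spare the next reader checking whether that setting is intentional.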
@@ -57,90 +57,90 @@ public class FileHelper { - protected final static Logger log = LogManager.getLogger(FileHelper.class); - - public static KeyStore getKeystoreFromClassPath(final String fileNameFromClasspath, String password) throws Exception { - Path path = getAbsoluteFilePathFromClassPath(fileNameFromClasspath); - if(path==null) { - return null; - } - - KeyStore ks = KeyStore.getInstance("JKS"); - try (FileInputStream fin = new FileInputStream(path.toFile())) { - ks.load(fin, password==null||password.isEmpty()?null:password.toCharArray()); - } - return ks; - } - - public static Path getAbsoluteFilePathFromClassPath(final String fileNameFromClasspath) { - File file = null; - final URL fileUrl = FileHelper.class.getClassLoader().getResource(fileNameFromClasspath); - if (fileUrl != null) { - try { - file = new File(URLDecoder.decode(fileUrl.getFile(), "UTF-8")); - } catch (final UnsupportedEncodingException e) { - return null; - } - - if (file.exists() && file.canRead()) { - return Paths.get(file.getAbsolutePath()); - } else { - log.error("Cannot read from {}, maybe the file does not exists? ", file.getAbsolutePath()); - } - - } else { - log.error("Failed to load {}", fileNameFromClasspath); - } - return null; - } - - public static final String loadFile(final String file) throws IOException { - final StringWriter sw = new StringWriter(); - IOUtils.copy(FileHelper.class.getResourceAsStream("/" + file), sw, StandardCharsets.UTF_8); - return sw.toString(); - } + protected final static Logger log = LogManager.getLogger(FileHelper.class); + + public static KeyStore getKeystoreFromClassPath(final String fileNameFromClasspath, String password) throws Exception { + Path path = getAbsoluteFilePathFromClassPath(fileNameFromClasspath); + if (path == null) { + return null; + } + + KeyStore ks = KeyStore.getInstance("JKS"); + try (FileInputStream fin = new FileInputStream(path.toFile())) { + ks.load(fin, password == null || password.isEmpty() ? 
null : password.toCharArray()); + } + return ks; + } + + public static Path getAbsoluteFilePathFromClassPath(final String fileNameFromClasspath) { + File file = null; + final URL fileUrl = FileHelper.class.getClassLoader().getResource(fileNameFromClasspath); + if (fileUrl != null) { + try { + file = new File(URLDecoder.decode(fileUrl.getFile(), "UTF-8")); + } catch (final UnsupportedEncodingException e) { + return null; + } + + if (file.exists() && file.canRead()) { + return Paths.get(file.getAbsolutePath()); + } else { + log.error("Cannot read from {}, maybe the file does not exists? ", file.getAbsolutePath()); + } + + } else { + log.error("Failed to load {}", fileNameFromClasspath); + } + return null; + } + + public static final String loadFile(final String file) throws IOException { + final StringWriter sw = new StringWriter(); + IOUtils.copy(FileHelper.class.getResourceAsStream("/" + file), sw, StandardCharsets.UTF_8); + return sw.toString(); + } public static BytesReference readYamlContent(final String file) { XContentParser parser = null; try { - parser = XContentFactory.xContent(XContentType.YAML).createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new StringReader(loadFile(file))); + parser = XContentFactory.xContent(XContentType.YAML) + .createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new StringReader(loadFile(file))); parser.nextToken(); final XContentBuilder builder = XContentFactory.jsonBuilder(); builder.copyCurrentStructure(parser); return BytesReference.bytes(builder); } catch (Exception e) { throw new RuntimeException(e); - } - finally { + } finally { if (parser != null) { try { parser.close(); } catch (IOException e) { - //ignore + // ignore } } } - } + } public static BytesReference readYamlContentFromString(final String yaml) { XContentParser parser = null; try { - parser = XContentFactory.xContent(XContentType.YAML).createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new 
StringReader(yaml)); + parser = XContentFactory.xContent(XContentType.YAML) + .createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new StringReader(yaml)); parser.nextToken(); final XContentBuilder builder = XContentFactory.jsonBuilder(); builder.copyCurrentStructure(parser); return BytesReference.bytes(builder); } catch (Exception e) { throw new RuntimeException(e); - } - finally { + } finally { if (parser != null) { try { parser.close(); } catch (IOException e) { - //ignore + // ignore } } } diff --git a/src/test/java/org/opensearch/security/test/helper/network/SocketUtils.java b/src/test/java/org/opensearch/security/test/helper/network/SocketUtils.java index 1d264025e0..b9f014960c 100644 --- a/src/test/java/org/opensearch/security/test/helper/network/SocketUtils.java +++ b/src/test/java/org/opensearch/security/test/helper/network/SocketUtils.java @@ -79,10 +79,8 @@ public class SocketUtils { */ public static final int PORT_RANGE_MAX = 65535; - private static final Random random = new Random(System.currentTimeMillis()); - /** * Although {@code SocketUtils} consists solely of static utility methods, * this constructor is intentionally {@code public}. @@ -103,7 +101,6 @@ public SocketUtils() { /* no-op */ } - /** * Find an available TCP port randomly selected from the range * [{@value #PORT_RANGE_MIN}, {@value #PORT_RANGE_MAX}]. 
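Review bot: loadFile passes `FileHelper.class.getResourceAsStream("/" + file)` straight to IOUtils.copy, so the stream is never closed and a missing resource surfaces as a NullPointerException inside commons-io instead of an error naming the file. Opening the stream in try-with-resources and rejecting a null result with a FileNotFoundException fixes both; the rewritten method is below (InputStream and FileNotFoundException need importing if the file does not already). Separately, getKeystoreFromClassPath returns null both for a missing resource and, via getAbsoluteFilePathFromClassPath, for an unreadable one, so callers cannot tell the cases apart; a Javadoc `@return the loaded keystore, or null when the resource cannot be located or read` at least states that contract.
```java
    public static final String loadFile(final String file) throws IOException {
        try (InputStream in = FileHelper.class.getResourceAsStream("/" + file)) {
            if (in == null) {
                throw new FileNotFoundException("classpath resource not found: /" + file);
            }
            final StringWriter sw = new StringWriter();
            IOUtils.copy(in, sw, StandardCharsets.UTF_8);
            return sw.toString();
        }
    }
```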
@@ -218,19 +215,17 @@ public static SortedSet findAvailableUdpPorts(int numRequested, int min return SocketType.UDP.findAvailablePorts(numRequested, minPort, maxPort); } - private enum SocketType { TCP { @Override protected boolean isPortAvailable(int port) { try { - ServerSocket serverSocket = ServerSocketFactory.getDefault().createServerSocket( - port, 1, InetAddress.getByName("localhost")); + ServerSocket serverSocket = ServerSocketFactory.getDefault() + .createServerSocket(port, 1, InetAddress.getByName("localhost")); serverSocket.close(); return true; - } - catch (Exception ex) { + } catch (Exception ex) { return false; } } @@ -243,8 +238,7 @@ protected boolean isPortAvailable(int port) { DatagramSocket socket = new DatagramSocket(port, InetAddress.getByName("localhost")); socket.close(); return true; - } - catch (Exception ex) { + } catch (Exception ex) { return false; } } 
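Review bot: TCP.isPortAvailable creates the ServerSocket outside any resource guard, so if `serverSocket.close()` throws, the probe reports the port as unavailable while the socket may remain bound; try-with-resources expresses the intent directly: `try (ServerSocket serverSocket = ServerSocketFactory.getDefault().createServerSocket(port, 1, InetAddress.getByName("localhost"))) { return true; } catch (Exception ex) { return false; }`. The UDP variant in the next hunk (`new DatagramSocket(port, InetAddress.getByName("localhost"))`) has the same shape and can be changed the same way. A probe of this kind is inherently racy with other processes on the host, which is presumably why the callers retry; a one-line comment on the enum stating that would save the next reader from re-deriving it.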
@@ -277,23 +271,28 @@ private int findRandomPort(int minPort, int maxPort) { * @throws IllegalStateException if no available port could be found */ int findAvailablePort(int minPort, int maxPort) { - //Assert.assertTrue(minPort > 0, "'minPort' must be greater than 0"); - //Assert.isTrue(maxPort >= minPort, "'maxPort' must be greater than or equal to 'minPort'"); - //Assert.isTrue(maxPort <= PORT_RANGE_MAX, "'maxPort' must be less than or equal to " + PORT_RANGE_MAX); + // Assert.assertTrue(minPort > 0, "'minPort' must be greater than 0"); + // Assert.isTrue(maxPort >= minPort, "'maxPort' must be greater than or equal to 'minPort'"); + // Assert.isTrue(maxPort <= PORT_RANGE_MAX, "'maxPort' must be less than or equal to " + PORT_RANGE_MAX); int portRange = maxPort - minPort; int candidatePort; int searchCounter = 0; do { if (searchCounter > portRange) { - throw new IllegalStateException(String.format( + throw new IllegalStateException( + String.format( "Could not find an available %s port in the range [%d, %d] after %d attempts", - name(), minPort, maxPort, searchCounter)); + name(), + minPort, + maxPort, + searchCounter + ) + ); } candidatePort = findRandomPort(minPort, maxPort); searchCounter++; - } - while (!isPortAvailable(candidatePort)); + } while (!isPortAvailable(candidatePort)); return candidatePort; } 
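Review bot: The precondition checks for findAvailablePort exist only as commented-out `// Assert.isTrue(...)` lines, which the reformat preserved instead of replacing with code, so a caller passing `maxPort < minPort` gets a negative `portRange`, `searchCounter > portRange` holds on the first iteration, and the failure reads as no available port "after 0 attempts" rather than as an argument error. Three real checks replace the comments: `if (minPort <= 0) throw new IllegalArgumentException("'minPort' must be greater than 0");`, `if (maxPort < minPort) throw new IllegalArgumentException("'maxPort' must be greater than or equal to 'minPort'");`, `if (maxPort > PORT_RANGE_MAX) throw new IllegalArgumentException("'maxPort' must be less than or equal to " + PORT_RANGE_MAX);`, and the Javadoc above gains a matching `@throws IllegalArgumentException`. findAvailablePorts in the next hunk carries the same five commented-out checks and should get the same treatment.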
@@ -308,12 +307,12 @@ int findAvailablePort(int minPort, int maxPort) {
 * @throws IllegalStateException if the requested number of available ports could not be found */ SortedSet findAvailablePorts(int numRequested, int minPort, int maxPort) {
- //Assert.isTrue(minPort > 0, "'minPort' must be greater than 0");
- //Assert.isTrue(maxPort > minPort, "'maxPort' must be greater than 'minPort'");
- //Assert.isTrue(maxPort <= PORT_RANGE_MAX, "'maxPort' must be less than or equal to " + PORT_RANGE_MAX);
- //Assert.isTrue(numRequested > 0, "'numRequested' must be greater than 0");
- //Assert.isTrue((maxPort - minPort) >= numRequested,
- // "'numRequested' must not be greater than 'maxPort' - 'minPort'");
+ // Assert.isTrue(minPort > 0, "'minPort' must be greater than 0");
+ // Assert.isTrue(maxPort > minPort, "'maxPort' must be greater than 'minPort'");
+ // Assert.isTrue(maxPort <= PORT_RANGE_MAX, "'maxPort' must be less than or equal to " + PORT_RANGE_MAX);
+ // Assert.isTrue(numRequested > 0, "'numRequested' must be greater than 0");
+ // Assert.isTrue((maxPort - minPort) >= numRequested,
+ // "'numRequested' must not be greater than 'maxPort' - 'minPort'");
 SortedSet availablePorts = new TreeSet<>(); int attemptCount = 0;
@@ -322,9 +321,9 @@ SortedSet findAvailablePorts(int numRequested, int minPort, int maxPort
 } if (availablePorts.size() != numRequested) {
- throw new IllegalStateException(String.format(
- "Could not find %d available %s ports in the range [%d, %d]",
- numRequested, name(), minPort, maxPort));
+ throw new IllegalStateException(
+ String.format("Could not find %d available %s ports in the range [%d, %d]", numRequested, name(), minPort, maxPort)
+ );
 } return availablePorts;
diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
index 7ed23b9c73..730a22f18f 100644
--- a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
+++ b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java 
@@ -94,450 +94,479 @@ public class RestHelper { - protected final Logger log = LogManager.getLogger(RestHelper.class); - - public boolean enableHTTPClientSSL = true; - public boolean enableHTTPClientSSLv3Only = false; - public boolean sendAdminCertificate = false; - public boolean trustHTTPServerCertificate = true; - public boolean sendHTTPClientCredentials = false; - public String keystore = "node-0-keystore.jks"; - public final String prefix; - //public String truststore = "truststore.jks"; - private ClusterInfo clusterInfo; - - public RestHelper(ClusterInfo clusterInfo, String prefix) { - this.clusterInfo = clusterInfo; - this.prefix = prefix; - } - - public RestHelper(ClusterInfo clusterInfo, boolean enableHTTPClientSSL, boolean trustHTTPServerCertificate, String prefix) { - this.clusterInfo = clusterInfo; - this.enableHTTPClientSSL = enableHTTPClientSSL; - this.trustHTTPServerCertificate = trustHTTPServerCertificate; - this.prefix = prefix; - } - public String executeSimpleRequest(final String request) throws Exception { - - CloseableHttpAsyncClient httpClient = null; - - try { - httpClient = getHTTPClient(); - httpClient.start(); - - final CompletableFuture future = new CompletableFuture<>(); - final SimpleHttpRequest simpleRequest = SimpleRequestBuilder.copy(new HttpGet(getRequestUri(request))).build(); - httpClient.execute(simpleRequest, new FutureCallback() { - @Override - public void completed(SimpleHttpResponse result) { - future.complete(result); - } - - @Override - public void failed(Exception ex) { - future.completeExceptionally(ex); - } - - @Override - public void cancelled() { - future.cancel(true); - } - }); - - final SimpleHttpResponse response = future.join(); - if (response.getCode() >= 300) { - throw new Exception("Statuscode " + response.getCode()); - } - - if (enableHTTPClientSSL && !response.getVersion().equals(HttpVersion.HTTP_2)) { - throw new IllegalStateException("HTTP/2 expected for HTTPS communication but " + response.getVersion() + " 
was used"); - } - - return response.getBodyText(); - } catch (final CompletionException e) { - final Throwable cause = e.getCause(); - // Make it compatible with DefaultHttpResponseParser::createConnectionClosedException() - if (cause instanceof ConnectionClosedException) { - throw new NoHttpResponseException(cause.getMessage(), cause); - } else { - throw (Exception)cause; - } - } finally { - if (httpClient != null) { - httpClient.close(); - } - } - } - - public HttpResponse[] executeMultipleAsyncPutRequest(final int numOfRequests, final String request, String body) throws Exception { - final ExecutorService executorService = Executors.newFixedThreadPool(numOfRequests); - Future[] futures = new Future[numOfRequests]; - for (int i = 0; i < numOfRequests; i++) { - futures[i] = executorService.submit(() -> executePutRequest(request, body, new Header[0])); - } - executorService.shutdown(); - return Arrays.stream(futures) - .map(HttpResponse::from) - .toArray(s -> new HttpResponse[s]); - } - - public HttpResponse executeGetRequest(final String request, Header... header) { - return executeRequest(new HttpGet(getRequestUri(request)), header); - } - - public HttpResponse executeGetRequest(final String request, String body, Header... header) { - HttpGet getRequest = new HttpGet(getRequestUri(request)); - getRequest.setEntity(createStringEntity(body)); - getRequest.addHeader(HttpHeaders.CONTENT_TYPE, "application/json"); - return executeRequest(getRequest, header); - } - - public HttpResponse executeHeadRequest(final String request, Header... header) { - return executeRequest(new HttpHead(getRequestUri(request)), header); - } - - public HttpResponse executeOptionsRequest(final String request) { - return executeRequest(new HttpOptions(getRequestUri(request))); - } - - public HttpResponse executePutRequest(final String request, String body, Header... 
header) { - HttpPut uriRequest = new HttpPut(getRequestUri(request)); - if (body != null && !body.isEmpty()) { - uriRequest.setEntity(createStringEntity(body)); - } - return executeRequest(uriRequest, header); - } - - public HttpResponse executeDeleteRequest(final String request, Header... header) { - return executeRequest(new HttpDelete(getRequestUri(request)), header); - } - - public HttpResponse executeDeleteRequest(final String request, String body, Header... header) { - HttpDelete delRequest = new HttpDelete(getRequestUri(request)); - delRequest.setEntity(createStringEntity(body)); - delRequest.setHeader(HttpHeaders.CONTENT_TYPE, "application/json"); - return executeRequest(delRequest, header); - } - - - public HttpResponse executePostRequest(final String request, String body, Header... header) { - HttpPost uriRequest = new HttpPost(getRequestUri(request)); - if (body != null && !body.isEmpty()) { - uriRequest.setEntity(createStringEntity(body)); - } - - return executeRequest(uriRequest, header); - } - - public HttpResponse executePatchRequest(final String request, String body, Header... header) { - HttpPatch uriRequest = new HttpPatch(getRequestUri(request)); - if (body != null && !body.isEmpty()) { - uriRequest.setEntity(createStringEntity(body)); - } - return executeRequest(uriRequest, header); - } - - public HttpResponse executeRequest(HttpUriRequest uriRequest, Header... 
header) { - - CloseableHttpAsyncClient httpClient = null; - try { - - httpClient = getHTTPClient(); - httpClient.start(); - - if (header != null && header.length > 0) { - for (int i = 0; i < header.length; i++) { - Header h = header[i]; - uriRequest.addHeader(h); - } - } - - if (!uriRequest.containsHeader("Content-Type")) { - uriRequest.addHeader("Content-Type","application/json"); - } - - final CompletableFuture future = new CompletableFuture<>(); - final SimpleHttpRequest simpleRequest = SimpleRequestBuilder.copy(uriRequest).build(); - if (uriRequest.getEntity() != null) { - simpleRequest.setBody(EntityUtils.toByteArray(uriRequest.getEntity()), - ContentType.parse(uriRequest.getEntity().getContentType())); - } - httpClient.execute(simpleRequest, new FutureCallback() { - @Override - public void completed(SimpleHttpResponse result) { - future.complete(result); - } - - @Override - public void failed(Exception ex) { - future.completeExceptionally(ex); - } - - @Override - public void cancelled() { - future.cancel(true); - } - }); - - final HttpResponse res = new HttpResponse(future.join()); - if (enableHTTPClientSSL && !res.getProtocolVersion().equals(HttpVersion.HTTP_2)) { - throw new IllegalStateException("HTTP/2 expected for HTTPS communication but " + res.getProtocolVersion() + " was used"); - } - - log.debug(res.getBody()); - return res; - } catch (final CompletionException e) { - final Throwable cause = e.getCause(); - // Make it compatible with DefaultHttpResponseParser::createConnectionClosedException() - if (cause instanceof ConnectionClosedException) { - throw new RuntimeException(new NoHttpResponseException(cause.getMessage(), cause)); - } else if (cause instanceof RuntimeException) { - throw (RuntimeException)cause; - } else { - throw new RuntimeException(cause); - } - } catch (final Exception e) { - throw new RuntimeException(e); - } finally { - - if (httpClient != null) { - try { - httpClient.close(); - } catch (final Exception e) { - throw new 
RuntimeException(e); - } - } - } - } - - private HttpEntity createStringEntity(String body) { - return new StringEntity(body); - } - - protected final String getHttpServerUri() { - final String address = "http" + (enableHTTPClientSSL ? "s" : "") + "://" + clusterInfo.httpHost + ":" + clusterInfo.httpPort; - log.debug("Connect to {}", address); - return address; - } - - protected final String getRequestUri(String request) { - return getHttpServerUri() + "/" + StringUtils.strip(request, "/"); - } - - protected final CloseableHttpAsyncClient getHTTPClient() throws Exception { - - final HttpAsyncClientBuilder hcb = HttpAsyncClients.custom(); - - if (sendHTTPClientCredentials) { - UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("sarek", "sarek".toCharArray()); - BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); - credentialsProvider.setCredentials(new AuthScope(null, -1), credentials); - hcb.setDefaultCredentialsProvider(credentialsProvider); - } - - if (enableHTTPClientSSL) { - - log.debug("Configure HTTP client with SSL"); - - if(prefix != null && !keystore.contains("/")) { - keystore = prefix+"/"+keystore; - } - - final String keyStorePath = FileHelper.getAbsoluteFilePathFromClassPath(keystore).toFile().getParent(); - - final KeyStore myTrustStore = KeyStore.getInstance("JKS"); - myTrustStore.load(new FileInputStream(keyStorePath+"/truststore.jks"), - "changeit".toCharArray()); - - final KeyStore keyStore = KeyStore.getInstance("JKS"); - keyStore.load(new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(keystore).toFile()), "changeit".toCharArray()); - - final SSLContextBuilder sslContextbBuilder = SSLContexts.custom(); - - if (trustHTTPServerCertificate) { - sslContextbBuilder.loadTrustMaterial(myTrustStore, null); - } - - if (sendAdminCertificate) { - sslContextbBuilder.loadKeyMaterial(keyStore, "changeit".toCharArray()); - } - - final SSLContext sslContext = sslContextbBuilder.build(); - - String[] 
protocols = null; - - if (enableHTTPClientSSLv3Only) { - protocols = new String[] { "SSLv3" }; - } else { - protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }; - } - - final TlsStrategy tlsStrategy = ClientTlsStrategyBuilder - .create() - .setSslContext(sslContext) - .setTlsVersions(protocols) - .setHostnameVerifier(NoopHostnameVerifier.INSTANCE) - // See please https://issues.apache.org/jira/browse/HTTPCLIENT-2219 - .setTlsDetailsFactory(new Factory() { - @Override - public TlsDetails create(final SSLEngine sslEngine) { - return new TlsDetails(sslEngine.getSession(), sslEngine.getApplicationProtocol()); - } - }) - .build(); - - final AsyncClientConnectionManager cm = PoolingAsyncClientConnectionManagerBuilder.create() - .setTlsStrategy(tlsStrategy) - .build(); - - hcb.setConnectionManager(cm); - } - - final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom() - .setResponseTimeout(Timeout.ofSeconds(60)); - - return hcb.setDefaultRequestConfig(requestConfigBuilder.build()).disableAutomaticRetries().build(); - } - - - public static class HttpResponse { - private final SimpleHttpResponse inner; - private final String body; - private final Header[] header; - private final int statusCode; - private final String statusReason; - private final ProtocolVersion protocolVersion; - - public HttpResponse(SimpleHttpResponse inner) throws IllegalStateException, IOException { - super(); - this.inner = inner; - if(inner.getBody() == null) { //head request does not have a entity - this.body = ""; - } else { - this.body = inner.getBodyText(); - } - this.header = inner.getHeaders(); - this.statusCode = inner.getCode(); - this.statusReason = inner.getReasonPhrase(); - this.protocolVersion = inner.getVersion(); - } - - public String getContentType() { - Header h = getInner().getFirstHeader("content-type"); - if(h!= null) { - return h.getValue(); - } - return null; - } - - public boolean isJsonContentType() { - String ct = getContentType(); - if(ct == null) { - 
return false; - } - return ct.contains("application/json"); - } - - public SimpleHttpResponse getInner() { - return inner; - } - - public String getBody() { - return body; - } - - public Header[] getHeader() { - return header; - } - - public int getStatusCode() { - return statusCode; - } - - public String getStatusReason() { - return statusReason; - } - - public List
getHeaders() { - return header==null?Collections.emptyList():Arrays.asList(header); - } - - public ProtocolVersion getProtocolVersion() { - return protocolVersion; - } - - @Override - public String toString() { - return "HttpResponse [inner=" + inner + ", body=" + body + ", header=" + Arrays.toString(header) + ", statusCode=" + statusCode - + ", statusReason=" + statusReason + "]"; - } - - /** - * Given a json path with dots delimiated returns the object at the leaf - */ - public String findValueInJson(final String jsonDotPath) { - // Make sure its json / then parse it - if (!isJsonContentType()) { - throw new RuntimeException("Response was expected to be JSON, body was: \n" + body); - } - JsonNode currentNode = null; - try { - currentNode = DefaultObjectMapper.readTree(body); - } catch (final Exception e) { - throw new RuntimeException(e); - } - - // Break the path into parts, and scan into the json object - try (final Scanner jsonPathScanner = new Scanner(jsonDotPath).useDelimiter("\\.")) { - if (!jsonPathScanner.hasNext()) { - throw new RuntimeException("Invalid json dot path '" + jsonDotPath + "', rewrite with '.' characters between path elements."); - } - do { - String pathEntry = jsonPathScanner.next(); - // if pathEntry is an array lookup - int arrayEntryIdx = -1; - - // Looks for an array-lookup pattern in the path - // e.g. root_cause[1] -> will match - // e.g. 
root_cause[2aasd] -> won't match - final Pattern r = Pattern.compile("(.+?)\\[(\\d+)\\]"); - final Matcher m = r.matcher(pathEntry); - if(m.find()) { - pathEntry = m.group(1); - arrayEntryIdx = Integer.parseInt(m.group(2)); - } - - if (!currentNode.has(pathEntry)) { - throw new RuntimeException("Unable to resolve '" + jsonDotPath + "', on path entry '" + pathEntry + "' from available fields " + currentNode.toPrettyString()); - } - currentNode = currentNode.get(pathEntry); - - // if it's an Array lookup we get the requested index item - if (arrayEntryIdx > -1) { - if(!currentNode.isArray()) { - throw new RuntimeException("Unable to resolve '" + jsonDotPath + "', the '" + pathEntry + "' field is not an array " + currentNode.toPrettyString()); - } else if (!currentNode.has(arrayEntryIdx)) { - throw new RuntimeException("Unable to resolve '" + jsonDotPath + "', index '" + arrayEntryIdx + "' is out of bounds for array '" + pathEntry + "' \n" + currentNode.toPrettyString()); - } - currentNode = currentNode.get(arrayEntryIdx); - } - } while (jsonPathScanner.hasNext()); - - if (!currentNode.isValueNode()) { - throw new RuntimeException("Unexpected value note, index directly to the object to reference, object\n" + currentNode.toPrettyString()); - } - return currentNode.asText(); - } - } - - private static HttpResponse from(Future future) { - try { - return future.get(); - } catch (Exception e) { - throw new RuntimeException(e); - } - } - } - + protected final Logger log = LogManager.getLogger(RestHelper.class); + + public boolean enableHTTPClientSSL = true; + public boolean enableHTTPClientSSLv3Only = false; + public boolean sendAdminCertificate = false; + public boolean trustHTTPServerCertificate = true; + public boolean sendHTTPClientCredentials = false; + public String keystore = "node-0-keystore.jks"; + public final String prefix; + // public String truststore = "truststore.jks"; + private ClusterInfo clusterInfo; + + public RestHelper(ClusterInfo clusterInfo, String 
prefix) { + this.clusterInfo = clusterInfo; + this.prefix = prefix; + } + + public RestHelper(ClusterInfo clusterInfo, boolean enableHTTPClientSSL, boolean trustHTTPServerCertificate, String prefix) { + this.clusterInfo = clusterInfo; + this.enableHTTPClientSSL = enableHTTPClientSSL; + this.trustHTTPServerCertificate = trustHTTPServerCertificate; + this.prefix = prefix; + } + + public String executeSimpleRequest(final String request) throws Exception { + + CloseableHttpAsyncClient httpClient = null; + + try { + httpClient = getHTTPClient(); + httpClient.start(); + + final CompletableFuture future = new CompletableFuture<>(); + final SimpleHttpRequest simpleRequest = SimpleRequestBuilder.copy(new HttpGet(getRequestUri(request))).build(); + httpClient.execute(simpleRequest, new FutureCallback() { + @Override + public void completed(SimpleHttpResponse result) { + future.complete(result); + } + + @Override + public void failed(Exception ex) { + future.completeExceptionally(ex); + } + + @Override + public void cancelled() { + future.cancel(true); + } + }); + + final SimpleHttpResponse response = future.join(); + if (response.getCode() >= 300) { + throw new Exception("Statuscode " + response.getCode()); + } + + if (enableHTTPClientSSL && !response.getVersion().equals(HttpVersion.HTTP_2)) { + throw new IllegalStateException("HTTP/2 expected for HTTPS communication but " + response.getVersion() + " was used"); + } + + return response.getBodyText(); + } catch (final CompletionException e) { + final Throwable cause = e.getCause(); + // Make it compatible with DefaultHttpResponseParser::createConnectionClosedException() + if (cause instanceof ConnectionClosedException) { + throw new NoHttpResponseException(cause.getMessage(), cause); + } else { + throw (Exception) cause; + } + } finally { + if (httpClient != null) { + httpClient.close(); + } + } + } + + public HttpResponse[] executeMultipleAsyncPutRequest(final int numOfRequests, final String request, String body) throws 
Exception { + final ExecutorService executorService = Executors.newFixedThreadPool(numOfRequests); + Future[] futures = new Future[numOfRequests]; + for (int i = 0; i < numOfRequests; i++) { + futures[i] = executorService.submit(() -> executePutRequest(request, body, new Header[0])); + } + executorService.shutdown(); + return Arrays.stream(futures).map(HttpResponse::from).toArray(s -> new HttpResponse[s]); + } + + public HttpResponse executeGetRequest(final String request, Header... header) { + return executeRequest(new HttpGet(getRequestUri(request)), header); + } + + public HttpResponse executeGetRequest(final String request, String body, Header... header) { + HttpGet getRequest = new HttpGet(getRequestUri(request)); + getRequest.setEntity(createStringEntity(body)); + getRequest.addHeader(HttpHeaders.CONTENT_TYPE, "application/json"); + return executeRequest(getRequest, header); + } + + public HttpResponse executeHeadRequest(final String request, Header... header) { + return executeRequest(new HttpHead(getRequestUri(request)), header); + } + + public HttpResponse executeOptionsRequest(final String request) { + return executeRequest(new HttpOptions(getRequestUri(request))); + } + + public HttpResponse executePutRequest(final String request, String body, Header... header) { + HttpPut uriRequest = new HttpPut(getRequestUri(request)); + if (body != null && !body.isEmpty()) { + uriRequest.setEntity(createStringEntity(body)); + } + return executeRequest(uriRequest, header); + } + + public HttpResponse executeDeleteRequest(final String request, Header... header) { + return executeRequest(new HttpDelete(getRequestUri(request)), header); + } + + public HttpResponse executeDeleteRequest(final String request, String body, Header... 
header) { + HttpDelete delRequest = new HttpDelete(getRequestUri(request)); + delRequest.setEntity(createStringEntity(body)); + delRequest.setHeader(HttpHeaders.CONTENT_TYPE, "application/json"); + return executeRequest(delRequest, header); + } + + public HttpResponse executePostRequest(final String request, String body, Header... header) { + HttpPost uriRequest = new HttpPost(getRequestUri(request)); + if (body != null && !body.isEmpty()) { + uriRequest.setEntity(createStringEntity(body)); + } + + return executeRequest(uriRequest, header); + } + + public HttpResponse executePatchRequest(final String request, String body, Header... header) { + HttpPatch uriRequest = new HttpPatch(getRequestUri(request)); + if (body != null && !body.isEmpty()) { + uriRequest.setEntity(createStringEntity(body)); + } + return executeRequest(uriRequest, header); + } + + public HttpResponse executeRequest(HttpUriRequest uriRequest, Header... header) { + + CloseableHttpAsyncClient httpClient = null; + try { + + httpClient = getHTTPClient(); + httpClient.start(); + + if (header != null && header.length > 0) { + for (int i = 0; i < header.length; i++) { + Header h = header[i]; + uriRequest.addHeader(h); + } + } + + if (!uriRequest.containsHeader("Content-Type")) { + uriRequest.addHeader("Content-Type", "application/json"); + } + + final CompletableFuture future = new CompletableFuture<>(); + final SimpleHttpRequest simpleRequest = SimpleRequestBuilder.copy(uriRequest).build(); + if (uriRequest.getEntity() != null) { + simpleRequest.setBody( + EntityUtils.toByteArray(uriRequest.getEntity()), + ContentType.parse(uriRequest.getEntity().getContentType()) + ); + } + httpClient.execute(simpleRequest, new FutureCallback() { + @Override + public void completed(SimpleHttpResponse result) { + future.complete(result); + } + + @Override + public void failed(Exception ex) { + future.completeExceptionally(ex); + } + + @Override + public void cancelled() { + future.cancel(true); + } + }); + + final 
HttpResponse res = new HttpResponse(future.join()); + if (enableHTTPClientSSL && !res.getProtocolVersion().equals(HttpVersion.HTTP_2)) { + throw new IllegalStateException("HTTP/2 expected for HTTPS communication but " + res.getProtocolVersion() + " was used"); + } + + log.debug(res.getBody()); + return res; + } catch (final CompletionException e) { + final Throwable cause = e.getCause(); + // Make it compatible with DefaultHttpResponseParser::createConnectionClosedException() + if (cause instanceof ConnectionClosedException) { + throw new RuntimeException(new NoHttpResponseException(cause.getMessage(), cause)); + } else if (cause instanceof RuntimeException) { + throw (RuntimeException) cause; + } else { + throw new RuntimeException(cause); + } + } catch (final Exception e) { + throw new RuntimeException(e); + } finally { + + if (httpClient != null) { + try { + httpClient.close(); + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + } + } + + private HttpEntity createStringEntity(String body) { + return new StringEntity(body); + } + + protected final String getHttpServerUri() { + final String address = "http" + (enableHTTPClientSSL ? 
"s" : "") + "://" + clusterInfo.httpHost + ":" + clusterInfo.httpPort; + log.debug("Connect to {}", address); + return address; + } + + protected final String getRequestUri(String request) { + return getHttpServerUri() + "/" + StringUtils.strip(request, "/"); + } + + protected final CloseableHttpAsyncClient getHTTPClient() throws Exception { + + final HttpAsyncClientBuilder hcb = HttpAsyncClients.custom(); + + if (sendHTTPClientCredentials) { + UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("sarek", "sarek".toCharArray()); + BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); + credentialsProvider.setCredentials(new AuthScope(null, -1), credentials); + hcb.setDefaultCredentialsProvider(credentialsProvider); + } + + if (enableHTTPClientSSL) { + + log.debug("Configure HTTP client with SSL"); + + if (prefix != null && !keystore.contains("/")) { + keystore = prefix + "/" + keystore; + } + + final String keyStorePath = FileHelper.getAbsoluteFilePathFromClassPath(keystore).toFile().getParent(); + + final KeyStore myTrustStore = KeyStore.getInstance("JKS"); + myTrustStore.load(new FileInputStream(keyStorePath + "/truststore.jks"), "changeit".toCharArray()); + + final KeyStore keyStore = KeyStore.getInstance("JKS"); + keyStore.load(new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(keystore).toFile()), "changeit".toCharArray()); + + final SSLContextBuilder sslContextbBuilder = SSLContexts.custom(); + + if (trustHTTPServerCertificate) { + sslContextbBuilder.loadTrustMaterial(myTrustStore, null); + } + + if (sendAdminCertificate) { + sslContextbBuilder.loadKeyMaterial(keyStore, "changeit".toCharArray()); + } + + final SSLContext sslContext = sslContextbBuilder.build(); + + String[] protocols = null; + + if (enableHTTPClientSSLv3Only) { + protocols = new String[] { "SSLv3" }; + } else { + protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }; + } + + final TlsStrategy tlsStrategy = 
ClientTlsStrategyBuilder.create() + .setSslContext(sslContext) + .setTlsVersions(protocols) + .setHostnameVerifier(NoopHostnameVerifier.INSTANCE) + // See please https://issues.apache.org/jira/browse/HTTPCLIENT-2219 + .setTlsDetailsFactory(new Factory() { + @Override + public TlsDetails create(final SSLEngine sslEngine) { + return new TlsDetails(sslEngine.getSession(), sslEngine.getApplicationProtocol()); + } + }) + .build(); + + final AsyncClientConnectionManager cm = PoolingAsyncClientConnectionManagerBuilder.create().setTlsStrategy(tlsStrategy).build(); + + hcb.setConnectionManager(cm); + } + + final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom().setResponseTimeout(Timeout.ofSeconds(60)); + + return hcb.setDefaultRequestConfig(requestConfigBuilder.build()).disableAutomaticRetries().build(); + } + + public static class HttpResponse { + private final SimpleHttpResponse inner; + private final String body; + private final Header[] header; + private final int statusCode; + private final String statusReason; + private final ProtocolVersion protocolVersion; + + public HttpResponse(SimpleHttpResponse inner) throws IllegalStateException, IOException { + super(); + this.inner = inner; + if (inner.getBody() == null) { // head request does not have a entity + this.body = ""; + } else { + this.body = inner.getBodyText(); + } + this.header = inner.getHeaders(); + this.statusCode = inner.getCode(); + this.statusReason = inner.getReasonPhrase(); + this.protocolVersion = inner.getVersion(); + } + + public String getContentType() { + Header h = getInner().getFirstHeader("content-type"); + if (h != null) { + return h.getValue(); + } + return null; + } + + public boolean isJsonContentType() { + String ct = getContentType(); + if (ct == null) { + return false; + } + return ct.contains("application/json"); + } + + public SimpleHttpResponse getInner() { + return inner; + } + + public String getBody() { + return body; + } + + public Header[] getHeader() { + return 
header; + } + + public int getStatusCode() { + return statusCode; + } + + public String getStatusReason() { + return statusReason; + } + + public List
getHeaders() { + return header == null ? Collections.emptyList() : Arrays.asList(header); + } + + public ProtocolVersion getProtocolVersion() { + return protocolVersion; + } + + @Override + public String toString() { + return "HttpResponse [inner=" + + inner + + ", body=" + + body + + ", header=" + + Arrays.toString(header) + + ", statusCode=" + + statusCode + + ", statusReason=" + + statusReason + + "]"; + } + + /** + * Given a json path with dots delimiated returns the object at the leaf + */ + public String findValueInJson(final String jsonDotPath) { + // Make sure its json / then parse it + if (!isJsonContentType()) { + throw new RuntimeException("Response was expected to be JSON, body was: \n" + body); + } + JsonNode currentNode = null; + try { + currentNode = DefaultObjectMapper.readTree(body); + } catch (final Exception e) { + throw new RuntimeException(e); + } + + // Break the path into parts, and scan into the json object + try (final Scanner jsonPathScanner = new Scanner(jsonDotPath).useDelimiter("\\.")) { + if (!jsonPathScanner.hasNext()) { + throw new RuntimeException( + "Invalid json dot path '" + jsonDotPath + "', rewrite with '.' characters between path elements." + ); + } + do { + String pathEntry = jsonPathScanner.next(); + // if pathEntry is an array lookup + int arrayEntryIdx = -1; + + // Looks for an array-lookup pattern in the path + // e.g. root_cause[1] -> will match + // e.g. 
root_cause[2aasd] -> won't match + final Pattern r = Pattern.compile("(.+?)\\[(\\d+)\\]"); + final Matcher m = r.matcher(pathEntry); + if (m.find()) { + pathEntry = m.group(1); + arrayEntryIdx = Integer.parseInt(m.group(2)); + } + + if (!currentNode.has(pathEntry)) { + throw new RuntimeException( + "Unable to resolve '" + + jsonDotPath + + "', on path entry '" + + pathEntry + + "' from available fields " + + currentNode.toPrettyString() + ); + } + currentNode = currentNode.get(pathEntry); + + // if it's an Array lookup we get the requested index item + if (arrayEntryIdx > -1) { + if (!currentNode.isArray()) { + throw new RuntimeException( + "Unable to resolve '" + + jsonDotPath + + "', the '" + + pathEntry + + "' field is not an array " + + currentNode.toPrettyString() + ); + } else if (!currentNode.has(arrayEntryIdx)) { + throw new RuntimeException( + "Unable to resolve '" + + jsonDotPath + + "', index '" + + arrayEntryIdx + + "' is out of bounds for array '" + + pathEntry + + "' \n" + + currentNode.toPrettyString() + ); + } + currentNode = currentNode.get(arrayEntryIdx); + } + } while (jsonPathScanner.hasNext()); + + if (!currentNode.isValueNode()) { + throw new RuntimeException( + "Unexpected value note, index directly to the object to reference, object\n" + currentNode.toPrettyString() + ); + } + return currentNode.asText(); + } + } + + private static HttpResponse from(Future future) { + try { + return future.get(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + } } diff --git a/src/test/java/org/opensearch/security/test/helper/rules/SecurityTestWatcher.java b/src/test/java/org/opensearch/security/test/helper/rules/SecurityTestWatcher.java index c194d7e6de..b888bfbc35 100644 --- a/src/test/java/org/opensearch/security/test/helper/rules/SecurityTestWatcher.java +++ b/src/test/java/org/opensearch/security/test/helper/rules/SecurityTestWatcher.java 
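Review bot: In `getHTTPClient()` the two `new FileInputStream(...)` streams handed to `KeyStore.load` (the `truststore.jks` one and the one for `keystore`) are never closed, so every client built with `enableHTTPClientSSL` set leaks two file handles; the reformat re-added the method with the leak intact. Wrapping each stream in try-with-resources fixes this without changing behaviour, as shown below. Separately, the non-SSLv3 TLS list is `"TLSv1", "TLSv1.1", "TLSv1.2"` while `executeRequest` and `executeSimpleRequest` require HTTP/2 for HTTPS; HTTP/2 is specified for TLS 1.2 or newer, so unless some test relies on negotiating the older versions they can only end in a handshake failure or the IllegalStateException, and trimming the list (or adding `"TLSv1.3"`) is worth a follow-up. The hunk spans the whole class, so the fence shows only the key-store loading lines.
```java
// … unchanged: credentials provider, keystore path resolution …
final KeyStore myTrustStore = KeyStore.getInstance("JKS");
try (FileInputStream trustIn = new FileInputStream(keyStorePath + "/truststore.jks")) {
    myTrustStore.load(trustIn, "changeit".toCharArray());
}

final KeyStore keyStore = KeyStore.getInstance("JKS");
try (FileInputStream keyIn = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(keystore).toFile())) {
    keyStore.load(keyIn, "changeit".toCharArray());
}
// … unchanged: SSLContext, TLS strategy and connection manager setup …
```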
@@ -29,27 +29,27 @@ import org.junit.rules.TestWatcher;
 import org.junit.runner.Description;
-public class SecurityTestWatcher extends TestWatcher{
-
- @Override
- protected void starting(final Description description) {
- final String methodName = description.getMethodName();
- String className = description.getClassName();
- className = className.substring(className.lastIndexOf('.') + 1);
- System.out.println("---------------- Starting JUnit-test: " + className + " " + methodName + " ----------------");
- }
-
- @Override
- protected void failed(final Throwable e, final Description description) {
- final String methodName = description.getMethodName();
- String className = description.getClassName();
- className = className.substring(className.lastIndexOf('.') + 1);
- System.out.println(">>>> " + className + " " + methodName + " FAILED due to " + e);
- }
-
- @Override
- protected void finished(final Description description) {
- // System.out.println("-----------------------------------------------------------------------------------------");
- }
+public class SecurityTestWatcher extends TestWatcher {
+
+ @Override
+ protected void starting(final Description description) {
+ final String methodName = description.getMethodName();
+ String className = description.getClassName();
+ className = className.substring(className.lastIndexOf('.') + 1);
+ System.out.println("---------------- Starting JUnit-test: " + className + " " + methodName + " ----------------");
+ }
+
+ @Override
+ protected void failed(final Throwable e, final Description description) {
+ final String methodName = description.getMethodName();
+ String className = description.getClassName();
+ className = className.substring(className.lastIndexOf('.') + 1);
+ System.out.println(">>>> " + className + " " + methodName + " FAILED due to " + e);
+ }
+
+ @Override
+ protected void finished(final Description description) {
+ // System.out.println("-----------------------------------------------------------------------------------------");
+ }
 }
diff --git a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
index f0059d50fb..227dd6699d 100644
--- a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
+++ b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
@@ -69,19 +69,46 @@ public UserInjectorPlugin(final Settings settings, final Path configPath) {
 }
 @Override
- public Map> getHttpTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays,
- PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedXContentRegistry xContentRegistry,
- NetworkService networkService, Dispatcher dispatcher, ClusterSettings clusterSettings) {
+ public Map> getHttpTransports(
+ Settings settings,
+ ThreadPool threadPool,
+ BigArrays bigArrays,
+ PageCacheRecycler pageCacheRecycler,
+ CircuitBreakerService circuitBreakerService,
+ NamedXContentRegistry xContentRegistry,
+ NetworkService networkService,
+ Dispatcher dispatcher,
+ ClusterSettings clusterSettings
+ ) {
 final UserInjectingDispatcher validatingDispatcher = new UserInjectingDispatcher(dispatcher);
- return ImmutableMap.of("org.opensearch.security.http.UserInjectingServerTransport",
- () -> new UserInjectingServerTransport(settings, networkService, bigArrays, threadPool, xContentRegistry, validatingDispatcher, clusterSettings, sharedGroupFactory));
+ return ImmutableMap.of(
+ "org.opensearch.security.http.UserInjectingServerTransport",
+ () -> new UserInjectingServerTransport(
+ settings,
+ networkService,
+ bigArrays,
+ threadPool,
+ xContentRegistry,
+ validatingDispatcher,
+ clusterSettings,
+ sharedGroupFactory
+ )
+ );
 }
 class UserInjectingServerTransport extends Netty4HttpServerTransport {
- public UserInjectingServerTransport(final Settings settings, final NetworkService networkService, final BigArrays bigArrays,
- final ThreadPool threadPool, final NamedXContentRegistry namedXContentRegistry, final Dispatcher dispatcher, ClusterSettings clusterSettings, SharedGroupFactory sharedGroupFactory) {
+ public UserInjectingServerTransport(
+ final Settings settings,
+ final NetworkService networkService,
+ final BigArrays bigArrays,
+ final ThreadPool threadPool,
+ final NamedXContentRegistry namedXContentRegistry,
+ final Dispatcher dispatcher,
+ ClusterSettings clusterSettings,
+ SharedGroupFactory sharedGroupFactory
+ ) {
 super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory);
 }
 }
@@ -97,14 +124,20 @@ public UserInjectingDispatcher(final Dispatcher originalDispatcher) {
 @Override
 public void dispatchRequest(RestRequest request, RestChannel channel, ThreadContext threadContext) {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, request.header(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER));
+ threadContext.putTransient(
+ ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER,
+ request.header(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER)
+ );
 originalDispatcher.dispatchRequest(request, channel, threadContext);
 }
 @Override
 public void dispatchBadRequest(RestChannel channel, ThreadContext threadContext, Throwable cause) {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, channel.request().header(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER));
+ threadContext.putTransient(
+ ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER,
+ channel.request().header(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER)
+ );
 originalDispatcher.dispatchBadRequest(channel, threadContext, cause);
 }
 }
diff --git a/src/test/java/org/opensearch/security/util/FakeRestRequest.java b/src/test/java/org/opensearch/security/util/FakeRestRequest.java
index 989b775709..05e69ef614 100644
--- a/src/test/java/org/opensearch/security/util/FakeRestRequest.java
+++ b/src/test/java/org/opensearch/security/util/FakeRestRequest.java
@@ -21,11 +21,10 @@ public class FakeRestRequest extends RestRequest {
- //private final Map headers;
+ // private final Map headers;
 private final BytesReference content;
 private final Method method;
-
 public FakeRestRequest() {
 this(new HashMap<>(), new HashMap<>(), null, Method.GET, "/");
 }
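Review bot: The reflowed dispatchRequest and dispatchBadRequest bodies copy the OPENDISTRO_SECURITY_INJECTED_USER request header straight into the thread context, and nothing in the hunk says this is a deliberate test-only fixture that trusts that header unconditionally; a reader browsing the test tree could mistake it for a reusable transport. I would add, above `dispatchRequest`, `// Test fixture only: the injected-user header is trusted as-is so tests can run as a chosen user; this dispatcher must never be registered outside this test plugin.` The same remark applies to dispatchBadRequest further down the hunk. The UserInjectingDispatcher class header starts outside the hunk.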
@@ -35,10 +34,10 @@ public FakeRestRequest(Map headers, Map params)
 }
 private FakeRestRequest(Map headers, Map params, BytesReference content, Method method, String path) {
- //NamedXContentRegistry xContentRegistry, Map params, String path,
- //Map> headers, HttpRequest httpRequest, HttpChannel httpChannel
+ // NamedXContentRegistry xContentRegistry, Map params, String path,
+ // Map> headers, HttpRequest httpRequest, HttpChannel httpChannel
 super(null, params, path, convert(headers), null, null);
- //this.headers = headers;
+ // this.headers = headers;
 this.content = content;
 this.method = method;
 }
@@ -108,7 +107,7 @@ public FakeRestRequest build() {
 private static Map> convert(Map headers) {
 Map> ret = new HashMap>();
- for (String h:headers.keySet()) {
+ for (String h : headers.keySet()) {
 ret.put(h, Collections.singletonList(headers.get(h)));
 }
 return ret;
diff --git a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java
index cc75ec6eb0..976f085ce4 100644
--- a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java
+++ b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java
@@ -84,25 +84,32 @@ public class SettingsBasedSSLConfiguratorV4Test {
 @Test
 public void testPemTrust() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node1-keystore.jks", "secret", false)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/pem/truststore.jks",
+ "sslConfigurator/pem/node1-keystore.jks",
+ "secret",
+ false
+ )
+ ) {
 Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
 Assert.assertTrue(rootCaPemPath.toFile().exists());
 Settings settings = Settings.builder()
- .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("path.home", rootCaPemPath.getParent().toString())
- .build();
+ .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("path.home", rootCaPemPath.getParent().toString())
+ .build();
 Path configPath = rootCaPemPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -115,23 +122,30 @@ public void testPemTrust() throws Exception {
 @Test
 public void testPemWrongTrust() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node1-keystore.jks", "secret", false)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/pem/truststore.jks",
+ "sslConfigurator/pem/node1-keystore.jks",
+ "secret",
+ false
+ )
+ ) {
 Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/other-root-ca.pem");
 Settings settings = Settings.builder()
- .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("path.home", rootCaPemPath.getParent().toString())
- .build();
+ .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("path.home", rootCaPemPath.getParent().toString())
+ .build();
 Path configPath = rootCaPemPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 thrown.expect(SSLHandshakeException.class);
@@ -146,27 +160,34 @@ public void testPemWrongTrust() throws Exception {
 @Test
 public void testPemClientAuth() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node1-keystore.jks", "secret", true)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/pem/truststore.jks",
+ "sslConfigurator/pem/node1-keystore.jks",
+ "secret",
+ true
+ )
+ ) {
 Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
 Settings settings = Settings.builder()
- .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("path.home", rootCaPemPath.getParent().toString())
- .put("prefix.enable_ssl_client_auth", "true")
- .put("prefix.pemcert_filepath", "kirk.pem")
- .put("prefix.pemkey_filepath", "kirk.key")
- .put("prefix.pemkey_password", "secret")
- .build();
+ .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("path.home", rootCaPemPath.getParent().toString())
+ .put("prefix.enable_ssl_client_auth", "true")
+ .put("prefix.pemcert_filepath", "kirk.pem")
+ .put("prefix.pemkey_filepath", "kirk.key")
+ .put("prefix.pemkey_password", "secret")
+ .build();
 Path configPath = rootCaPemPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -179,33 +200,43 @@ public void testPemClientAuth() throws Exception {
 @Test
 public void testPemClientAuthFailure() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node1-keystore.jks", "secret", true)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/pem/truststore.jks",
+ "sslConfigurator/pem/node1-keystore.jks",
+ "secret",
+ true
+ )
+ ) {
 Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
 Settings settings = Settings.builder()
- .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("path.home", rootCaPemPath.getParent().toString())
- .put("prefix.enable_ssl_client_auth", "true")
- .put("prefix.pemcert_filepath", "wrong-kirk.pem")
- .put("prefix.pemkey_filepath", "wrong-kirk.key")
- .put("prefix.pemkey_password", "G0CVtComen4a")
- .build();
+ .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("path.home", rootCaPemPath.getParent().toString())
+ .put("prefix.enable_ssl_client_auth", "true")
+ .put("prefix.pemcert_filepath", "wrong-kirk.pem")
+ .put("prefix.pemkey_filepath", "wrong-kirk.key")
+ .put("prefix.pemkey_password", "G0CVtComen4a")
+ .build();
 Path configPath = rootCaPemPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 // Due to some race condition in Java's internal network stack, this can be one
 // of the following exceptions
- thrown.expect(either(instanceOf(SocketException.class)).or(instanceOf(SSLHandshakeException.class))
- .or(instanceOf(SSLException.class)) // Java 11: javax.net.ssl.SSLException: readHandshakeRecord
+ thrown.expect(
+ either(instanceOf(SocketException.class)).or(instanceOf(SSLHandshakeException.class)).or(instanceOf(SSLException.class)) // Java
+ // 11:
+ // javax.net.ssl.SSLException:
+ // readHandshakeRecord
 );
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
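Review bot: The reformatted `thrown.expect(` argument in testPemClientAuthFailure now ends with the trailing comment chopped into four fragments (`// Java`, `// 11:`, `// javax.net.ssl.SSLException:`, `// readHandshakeRecord`), which no longer reads as one sentence and will keep being re-wrapped by the formatter on every run. Move it onto the explanatory comment above the call, e.g. extend the existing line to `// of the following exceptions (Java 11: javax.net.ssl.SSLException: readHandshakeRecord)`, and leave the `.or(instanceOf(SSLException.class))` expression without a trailing comment. The rest of the method body continues outside the hunk.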
@@ -218,24 +249,31 @@ public void testPemClientAuthFailure() throws Exception {
 @Test
 public void testPemHostnameVerificationFailure() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node-wrong-hostname-keystore.jks", "secret", false)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/pem/truststore.jks",
+ "sslConfigurator/pem/node-wrong-hostname-keystore.jks",
+ "secret",
+ false
+ )
+ ) {
 Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
 Settings settings = Settings.builder()
- .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("prefix.verify_hostnames", "true")
- .put("path.home", rootCaPemPath.getParent().toString())
- .build();
+ .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("prefix.verify_hostnames", "true")
+ .put("path.home", rootCaPemPath.getParent().toString())
+ .build();
 Path configPath = rootCaPemPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 thrown.expect(SSLPeerUnverifiedException.class);
@@ -249,24 +287,31 @@ public void testPemHostnameVerificationFailure() throws Exception {
 @Test
 public void testPemHostnameVerificationOff() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node-wrong-hostname-keystore.jks", "secret", false)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/pem/truststore.jks",
+ "sslConfigurator/pem/node-wrong-hostname-keystore.jks",
+ "secret",
+ false
+ )
+ ) {
 Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
 Settings settings = Settings.builder()
- .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("prefix.verify_hostnames", "false")
- .put("path.home", rootCaPemPath.getParent().toString())
- .build();
+ .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("prefix.verify_hostnames", "false")
+ .put("path.home", rootCaPemPath.getParent().toString())
+ .build();
 Path configPath = rootCaPemPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -278,26 +323,33 @@ public void testPemHostnameVerificationOff() throws Exception {
 @Test
 public void testJksTrust() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/jks/truststore.jks",
- "sslConfigurator/jks/node1-keystore.jks", "secret", false)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/jks/truststore.jks",
+ "sslConfigurator/jks/node1-keystore.jks",
+ "secret",
+ false
+ )
+ ) {
 Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/truststore.jks");
 MockSecureSettings mockSecureSettings = new MockSecureSettings();
 mockSecureSettings.setString(SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.propertyName, "secret");
 Settings settings = Settings.builder()
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, rootCaJksPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("path.home", rootCaJksPath.getParent().toString())
- .setSecureSettings(mockSecureSettings)
- .build();
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, rootCaJksPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("path.home", rootCaJksPath.getParent().toString())
+ .setSecureSettings(mockSecureSettings)
+ .build();
 Path configPath = rootCaJksPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -310,26 +362,33 @@ public void testJksTrust() throws Exception {
 @Test
 public void testJksWrongTrust() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/jks/truststore.jks",
- "sslConfigurator/jks/node1-keystore.jks", "secret", false)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/jks/truststore.jks",
+ "sslConfigurator/jks/node1-keystore.jks",
+ "secret",
+ false
+ )
+ ) {
 Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/other-root-ca.jks");
 MockSecureSettings mockSecureSettings = new MockSecureSettings();
 mockSecureSettings.setString(SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.propertyName, "secret");
 Settings settings = Settings.builder()
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, rootCaJksPath.getFileName().toString())
- .put("prefix.enable_ssl", "true")
- .put("path.home", rootCaJksPath.getParent().toString())
- .setSecureSettings(mockSecureSettings)
- .build();
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, rootCaJksPath.getFileName().toString())
+ .put("prefix.enable_ssl", "true")
+ .put("path.home", rootCaJksPath.getParent().toString())
+ .setSecureSettings(mockSecureSettings)
+ .build();
 Path configPath = rootCaJksPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 thrown.expect(SSLHandshakeException.class);
@@ -342,23 +401,30 @@ public void testJksWrongTrust() throws Exception {
 @Test
 public void testTrustAll() throws Exception {
- try (TestServer testServer = new TestServer("sslConfigurator/jks/truststore.jks",
- "sslConfigurator/jks/node1-keystore.jks", "secret", false)) {
+ try (
+ TestServer testServer = new TestServer(
+ "sslConfigurator/jks/truststore.jks",
+ "sslConfigurator/jks/node1-keystore.jks",
+ "secret",
+ false
+ )
+ ) {
 Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/other-root-ca.jks");
 Settings settings = Settings.builder()
- .put("prefix.enable_ssl", "true")
- .put("prefix.trust_all", "true")
- .put("path.home", rootCaJksPath.getParent().toString())
- .build();
+ .put("prefix.enable_ssl", "true")
+ .put("prefix.trust_all", "true")
+ .put("path.home", rootCaJksPath.getParent().toString())
+ .build();
 Path configPath = rootCaJksPath.getParent();
 SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
- try (CloseableHttpClient httpClient = HttpClients.custom()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
+ try (
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
+ ) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -379,43 +445,50 @@ String getUri() { return "https://localhost:" + port + "/test"; } - private void createHttpServer(String trustStore, String keyStore, String password, boolean clientAuth) - throws IOException { + private void createHttpServer(String trustStore, String keyStore, String password, boolean clientAuth) throws IOException { this.port = SocketUtils.findAvailableTcpPort(); - ServerBootstrap serverBootstrap = ServerBootstrap.bootstrap().setListenerPort(port).registerHandler("test", - new HttpRequestHandler() { + ServerBootstrap serverBootstrap = ServerBootstrap.bootstrap() + .setListenerPort(port) + .registerHandler("test", new HttpRequestHandler() { - @Override - public void handle(HttpRequest request, HttpResponse response, HttpContext context) - throws HttpException, IOException { + @Override + public void handle(HttpRequest request, HttpResponse response, HttpContext context) throws HttpException, IOException { - } - }); + } + }); serverBootstrap = serverBootstrap.setSslContext(createSSLContext(trustStore, keyStore, password)) - .setSslSetupHandler(new SSLServerSetupHandler() { + .setSslSetupHandler(new SSLServerSetupHandler() { - @Override - public void initialize(SSLServerSocket socket) throws SSLException { - if (clientAuth) { - socket.setNeedClientAuth(true); - } - } - }).setConnectionFactory(new HttpConnectionFactory() { - - private ConnectionConfig cconfig = ConnectionConfig.DEFAULT; - - @Override - public DefaultBHttpServerConnection createConnection(final Socket socket) throws IOException { - final SSLTestHttpServerConnection conn = new SSLTestHttpServerConnection( - this.cconfig.getBufferSize(), this.cconfig.getFragmentSizeHint(), - ConnSupport.createDecoder(this.cconfig), ConnSupport.createEncoder(this.cconfig), - this.cconfig.getMessageConstraints(), null, null, null, null); - conn.bind(socket); - return conn; + @Override + public void initialize(SSLServerSocket socket) throws SSLException { + if (clientAuth) { + 
socket.setNeedClientAuth(true); } - }); + } + }) + .setConnectionFactory(new HttpConnectionFactory() { + + private ConnectionConfig cconfig = ConnectionConfig.DEFAULT; + + @Override + public DefaultBHttpServerConnection createConnection(final Socket socket) throws IOException { + final SSLTestHttpServerConnection conn = new SSLTestHttpServerConnection( + this.cconfig.getBufferSize(), + this.cconfig.getFragmentSizeHint(), + ConnSupport.createDecoder(this.cconfig), + ConnSupport.createEncoder(this.cconfig), + this.cconfig.getMessageConstraints(), + null, + null, + null, + null + ); + conn.bind(socket); + return conn; + } + }); this.httpServer = serverBootstrap.create(); @@ -434,8 +507,7 @@ private SSLContext createSSLContext(String trustStorePath, String keyStorePath, try { TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); KeyStore trustStore = KeyStore.getInstance("JKS"); - InputStream trustStream = new FileInputStream( - FileHelper.getAbsoluteFilePathFromClassPath(trustStorePath).toFile()); + InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(trustStorePath).toFile()); trustStore.load(trustStream, password.toCharArray()); tmf.init(trustStore); 
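Review bot: In the createSSLContext hunk, the reflowed `InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(trustStorePath).toFile());` line still opens the truststore stream outside any try-with-resources, and nothing visible in the hunk closes it; the rest of the method lies outside the hunk, so it may be closed later, but the idiomatic form that cannot leak on an exception from `load` is `try (InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(trustStorePath).toFile())) { trustStore.load(trustStream, password.toCharArray()); }`. The enclosing createSSLContext method starts and ends outside the hunk.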
@@ -472,14 +544,28 @@ public String chooseAlias(Map aliases, Socket socket)
 }
 static class SSLTestHttpServerConnection extends DefaultBHttpServerConnection {
- public SSLTestHttpServerConnection(final int buffersize, final int fragmentSizeHint,
- final CharsetDecoder chardecoder, final CharsetEncoder charencoder,
- final MessageConstraints constraints, final ContentLengthStrategy incomingContentStrategy,
- final ContentLengthStrategy outgoingContentStrategy,
- final HttpMessageParserFactory requestParserFactory,
- final HttpMessageWriterFactory responseWriterFactory) {
- super(buffersize, fragmentSizeHint, chardecoder, charencoder, constraints, incomingContentStrategy,
- outgoingContentStrategy, requestParserFactory, responseWriterFactory);
+ public SSLTestHttpServerConnection(
+ final int buffersize,
+ final int fragmentSizeHint,
+ final CharsetDecoder chardecoder,
+ final CharsetEncoder charencoder,
+ final MessageConstraints constraints,
+ final ContentLengthStrategy incomingContentStrategy,
+ final ContentLengthStrategy outgoingContentStrategy,
+ final HttpMessageParserFactory requestParserFactory,
+ final HttpMessageWriterFactory responseWriterFactory
+ ) {
+ super(
+ buffersize,
+ fragmentSizeHint,
+ chardecoder,
+ charencoder,
+ constraints,
+ incomingContentStrategy,
+ outgoingContentStrategy,
+ requestParserFactory,
+ responseWriterFactory
+ );
 }
 public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {