[Test] Service account tokens should work when TokenService is disabl…

…ed (#72518) Add a test to ensure that service account tokens always work with basic license for which oauth2 token service is disabled.
elastic · May 17, 2021 · a9229ab · a9229ab
1 parent bf23f76
commit a9229ab
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/...c/src/javaRestTest/java/org/elasticsearch/xpack/security/SecurityInBasicRestTestCase.java b/...c/src/javaRestTest/java/org/elasticsearch/xpack/security/SecurityInBasicRestTestCase.java
@@ -15,8 +15,6 @@
 
 import java.util.List;
 
-import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
-
 public abstract class SecurityInBasicRestTestCase extends ESRestTestCase {
     private RestHighLevelClient highLevelAdminClient;
 

diff --git a/...ic/src/javaRestTest/java/org/elasticsearch/xpack/security/SecurityWithBasicLicenseIT.java b/...ic/src/javaRestTest/java/org/elasticsearch/xpack/security/SecurityWithBasicLicenseIT.java
@@ -39,6 +39,10 @@ public void testWithBasicLicense() throws Exception {
         assertAuthenticateWithApiKey(keyAndId, true);
 
         assertFailToGetToken();
+        // Service account token works independently to oauth2 token service
+        final String bearerString = createServiceAccountToken();
+        assertAuthenticateWithServiceAccountToken(bearerString);
+
         assertAddRoleWithDLS(false);
         assertAddRoleWithFLS(false);
     }
@@ -222,6 +226,23 @@ private void assertAuthenticateWithApiKey(Tuple<String, String> keyAndId, boolea
         }
     }
 
+    private String createServiceAccountToken() throws IOException {
+        final Request request = new Request("POST", "_security/service/elastic/fleet-server/credential/token/api-token-1");
+        final Response response = adminClient().performRequest(request);
+        assertOK(response);
+        @SuppressWarnings("unchecked")
+        final Map<String, ?> tokenMap = (Map<String, ?>) responseAsMap(response).get("token");
+        return String.valueOf(tokenMap.get("value"));
+    }
+
+    private void assertAuthenticateWithServiceAccountToken(String bearerString) throws IOException {
+        Request request = new Request("GET", "/_security/_authenticate");
+        request.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", "Bearer " + bearerString));
+        final Response response = client().performRequest(request);
+        assertOK(response);
+        assertEquals("elastic/fleet-server", responseAsMap(response).get("username"));
+    }
+
     private void assertAddRoleWithDLS(boolean shouldSucceed) throws IOException {
         final Request addRole = new Request("POST", "/_security/role/dlsrole");
         addRole.setJsonEntity("{\n" +