From 15389bbff390ce6c28a4d3cc4b2959ed6cedcd02 Mon Sep 17 00:00:00 2001 From: Raj Chakravarthi Date: Wed, 6 Jul 2022 17:32:17 +0200 Subject: [PATCH 1/5] fixed security tests Signed-off-by: Raj Chakravarthi --- .../alerting/AlertingRestTestCase.kt | 25 ++++++ .../resthandler/SecureDestinationRestApiIT.kt | 2 +- .../SecureEmailAccountRestApiIT.kt | 14 +-- .../resthandler/SecureEmailGroupsRestApiIT.kt | 2 +- .../resthandler/SecureMonitorRestApiIT.kt | 89 +++++++++---------- 5 files changed, 73 insertions(+), 59 deletions(-) diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt b/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt index 5cb99d04c..e73dcea77 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt @@ -1159,6 +1159,31 @@ abstract class AlertingRestTestCase : ODFERestTestCase() { client().performRequest(request) } + fun createCustomIndexRoleWithDocLevelSecurity(name: String, index: String, dlsQuery: String, clusterPermissions: String?) { + val request = Request("PUT", "/_plugins/_security/api/roles/$name") + var entity = "{\n" + + "\"cluster_permissions\": [\n" + + "\"$clusterPermissions\"\n" + + "],\n" + + "\"index_permissions\": [\n" + + "{\n" + + "\"index_patterns\": [\n" + + "\"$index\"\n" + + "],\n" + + "\"dls\": \"$dlsQuery\",\n" + + "\"fls\": [],\n" + + "\"masked_fields\": [],\n" + + "\"allowed_actions\": [\n" + + "\"crud\"\n" + + "]\n" + + "}\n" + + "],\n" + + "\"tenant_permissions\": []\n" + + "}" + request.setJsonEntity(entity) + client().performRequest(request) + } + fun createUserRolesMapping(role: String, users: Array) { val request = Request("PUT", "/_plugins/_security/api/rolesmapping/$role") val usersStr = users.joinToString { it -> "\"$it\"" } 
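Review bot: `clusterPermissions` is declared `String?` but is spliced straight into `"\"$clusterPermissions\"\n"`, so passing null creates a role whose `cluster_permissions` array holds the literal string `"null"` instead of being empty; either make the parameter non-null or emit the entry only when present, e.g. `val clusterPerms = clusterPermissions?.let { "\"$it\"\n" } ?: ""` followed by `"\"cluster_permissions\": [\n" + clusterPerms + "],\n"`. `entity` is assigned exactly once, so it should be `val entity` rather than `var`. Because the role body is assembled by string concatenation, `dlsQuery` must arrive already JSON-escaped (it lands inside a quoted JSON string) — a short KDoc stating that contract, and that the role grants `crud` on the index pattern, would spare the next caller a confusing 400 from the security API.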
diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureDestinationRestApiIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureDestinationRestApiIT.kt index 598b4f98c..1646578a6 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureDestinationRestApiIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureDestinationRestApiIT.kt @@ -41,7 +41,7 @@ class SecureDestinationRestApiIT : AlertingRestTestCase() { } } - val user = "userOne" + val user = "userA" var userClient: RestClient? = null @Before diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailAccountRestApiIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailAccountRestApiIT.kt index 74bb75ff7..cdb75402b 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailAccountRestApiIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailAccountRestApiIT.kt @@ -13,6 +13,7 @@ import org.junit.After import org.junit.Before import org.junit.BeforeClass import org.opensearch.alerting.ALERTING_GET_EMAIL_ACCOUNT_ACCESS +import org.opensearch.alerting.ALERTING_NO_ACCESS_ROLE import org.opensearch.alerting.ALERTING_SEARCH_EMAIL_ACCOUNT_ACCESS import org.opensearch.alerting.AlertingPlugin import org.opensearch.alerting.AlertingRestTestCase @@ -20,6 +21,7 @@ import org.opensearch.alerting.TEST_HR_BACKEND_ROLE import org.opensearch.alerting.TEST_HR_INDEX import org.opensearch.alerting.TEST_HR_ROLE import org.opensearch.alerting.makeRequest +import org.opensearch.client.ResponseException import org.opensearch.client.RestClient import org.opensearch.commons.rest.SecureRestClientBuilder import org.opensearch.rest.RestStatus @@ -50,7 +52,7 @@ class SecureEmailAccountRestApiIT : AlertingRestTestCase() { } } - val user = "userOne" + val user = "userB" var userClient: RestClient? = null @Before 
@@ -126,7 +128,7 @@ class SecureEmailAccountRestApiIT : AlertingRestTestCase() { /* TODO: https://github.com/opensearch-project/alerting/issues/300 - + */ fun `test get email accounts with an user without get email account role`() { createUserWithTestDataAndCustomRole( user, @@ -135,9 +137,7 @@ class SecureEmailAccountRestApiIT : AlertingRestTestCase() { TEST_HR_BACKEND_ROLE, getClusterPermissionsFromCustomRole(ALERTING_NO_ACCESS_ROLE) ) - val emailAccount = createRandomEmailAccountWithGivenName(true, randomAlphaOfLength(5)) - try { userClient?.makeRequest( "GET", @@ -155,9 +155,7 @@ class SecureEmailAccountRestApiIT : AlertingRestTestCase() { deleteRoleAndRoleMapping(TEST_HR_ROLE) } } - fun `test search email accounts with an user without search email account role`() { - createUserWithTestDataAndCustomRole( user, TEST_HR_INDEX, @@ -165,9 +163,7 @@ class SecureEmailAccountRestApiIT : AlertingRestTestCase() { TEST_HR_BACKEND_ROLE, getClusterPermissionsFromCustomRole(ALERTING_NO_ACCESS_ROLE) ) - createRandomEmailAccountWithGivenName(true, randomAlphaOfLength(5)) - try { userClient?.makeRequest( "POST", @@ -182,6 +178,4 @@ class SecureEmailAccountRestApiIT : AlertingRestTestCase() { deleteRoleAndRoleMapping(TEST_HR_ROLE) } } - - */ } diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailGroupsRestApiIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailGroupsRestApiIT.kt index 72fb317e1..6de7b0808 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailGroupsRestApiIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureEmailGroupsRestApiIT.kt @@ -52,7 +52,7 @@ class SecureEmailGroupsRestApiIT : AlertingRestTestCase() { } } - val user = "userOne" + val user = "userC" var userClient: RestClient? = null @Before 
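Review bot: The `/* TODO: https://github.com/opensearch-project/alerting/issues/300 */` block that used to comment these tests out survives as an empty comment once `*/` is moved up; with the tests enabled it no longer explains anything, so delete it, or reword it if the issue still applies to some remaining case. The same emptied TODO block is left in every SecureMonitorRestApiIT hunk of this patch that moves a `*/` up. The re-enabled negative tests send their request through `userClient?.makeRequest(...)`; if the `@Before` setup ever leaves `userClient` null the safe call skips the request entirely and the test reports whatever follows instead of the missing client, so `val client = checkNotNull(userClient) { "userClient not initialised" }` at the top of the `try` would make that failure explicit. Both test bodies extend beyond the hunk.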
diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt
index 151be8d4d..aaa5dd519 100644
--- a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt
+++ b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt
@@ -20,21 +20,27 @@ import org.opensearch.alerting.ALERTING_FULL_ACCESS_ROLE
 import org.opensearch.alerting.ALERTING_GET_ALERTS_ACCESS
 import org.opensearch.alerting.ALERTING_GET_MONITOR_ACCESS
 import org.opensearch.alerting.ALERTING_INDEX_MONITOR_ACCESS
+import org.opensearch.alerting.ALERTING_NO_ACCESS_ROLE
+import org.opensearch.alerting.ALERTING_READ_ONLY_ACCESS
 import org.opensearch.alerting.ALERTING_SEARCH_MONITOR_ONLY_ACCESS
 import org.opensearch.alerting.ALL_ACCESS_ROLE
 import org.opensearch.alerting.ALWAYS_RUN
 import org.opensearch.alerting.AlertingRestTestCase
 import org.opensearch.alerting.DRYRUN_MONITOR
+import org.opensearch.alerting.TERM_DLS_QUERY
 import org.opensearch.alerting.TEST_HR_BACKEND_ROLE
 import org.opensearch.alerting.TEST_HR_INDEX
 import org.opensearch.alerting.TEST_HR_ROLE
 import org.opensearch.alerting.TEST_NON_HR_INDEX
+import org.opensearch.alerting.aggregation.bucketselectorext.BucketSelectorExtAggregationBuilder
 import org.opensearch.alerting.assertUserNull
 import org.opensearch.alerting.core.model.SearchInput
 import org.opensearch.alerting.makeRequest
 import org.opensearch.alerting.model.Alert
 import org.opensearch.alerting.randomAction
 import org.opensearch.alerting.randomAlert
+import org.opensearch.alerting.randomBucketLevelMonitor
+import org.opensearch.alerting.randomBucketLevelTrigger
 import org.opensearch.alerting.randomQueryLevelMonitor
 import org.opensearch.alerting.randomQueryLevelTrigger
 import org.opensearch.alerting.randomTemplateScript
@@ -49,6 +55,9 @@ import org.opensearch.commons.authuser.User import org.opensearch.commons.rest.SecureRestClientBuilder import org.opensearch.index.query.QueryBuilders import org.opensearch.rest.RestStatus +import org.opensearch.script.Script +import org.opensearch.search.aggregations.bucket.composite.CompositeAggregationBuilder +import org.opensearch.search.aggregations.bucket.composite.TermsValuesSourceBuilder import org.opensearch.search.builder.SearchSourceBuilder import org.opensearch.test.junit.annotations.TestLogging @@ -65,7 +74,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { } } - val user = "userOne" + val user = "userD" var userClient: RestClient? = null @Before @@ -85,7 +94,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { } // Create Monitor related security tests - fun `test create monitor with an user with alerting role`() { createUserWithTestData(user, TEST_HR_INDEX, TEST_HR_ROLE, TEST_HR_BACKEND_ROLE) @@ -105,11 +113,13 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { assertUserNull(createResponse?.asMap()!!["monitor"] as HashMap) } finally { deleteRoleAndRoleMapping(TEST_HR_ROLE) + deleteRoleMapping(ALERTING_FULL_ACCESS_ROLE) } } /* TODO: https://github.com/opensearch-project/alerting/issues/300 + */ fun `test create monitor with an user without alerting role`() { createUserWithTestDataAndCustomRole( @@ -138,13 +148,9 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { fun `test create monitor with an user with read-only role`() { - createUserWithTestDataAndCustomRole( - user, - TEST_HR_INDEX, - TEST_HR_ROLE, - TEST_HR_BACKEND_ROLE, - getClusterPermissionsFromCustomRole(ALERTING_READ_ONLY_ACCESS) - ) + createUserWithTestData(user, TEST_HR_INDEX, TEST_HR_ROLE, TEST_HR_BACKEND_ROLE) + createUserRolesMapping(ALERTING_READ_ONLY_ACCESS, arrayOf(user)) + try { val monitor = randomQueryLevelMonitor().copy( inputs = listOf( 
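Review bot: In `test create monitor with an user with read-only role`, the new `createUserRolesMapping(ALERTING_READ_ONLY_ACCESS, arrayOf(user))` runs before the `try`, so if it throws after `createUserWithTestData` has succeeded, `TEST_HR_ROLE` and its mapping stay in the cluster for the next test that reuses `user` and `TEST_HR_ROLE`; making that call the first statement inside the `try` lets the existing `finally` clean up. Switching from a per-test custom role to a mapping on the shared built-in `ALERTING_READ_ONLY_ACCESS` role also means the test now edits a mapping other tests may rely on, and the `deleteRoleMapping(ALERTING_READ_ONLY_ACCESS)` added to the `finally` in the next hunk presumably removes the whole mapping rather than just this user — confirm that is intended. The `try` body of this test continues outside the hunk.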
@@ -159,9 +165,9 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) } finally { deleteRoleAndRoleMapping(TEST_HR_ROLE) + deleteRoleMapping(ALERTING_READ_ONLY_ACCESS) } } - */ fun `test query monitors with an user with only search monitor cluster permission`() { @@ -186,10 +192,12 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { val hits = xcp.map()["hits"]!! as Map> val numberDocsFound = hits["total"]?.get("value") assertEquals("Monitor not found during search", 1, numberDocsFound) + deleteRoleAndRoleMapping(TEST_HR_ROLE) } /* TODO: https://github.com/opensearch-project/alerting/issues/300 + */ fun `test query monitors with an user without search monitor cluster permission`() { createUserWithTestDataAndCustomRole( @@ -215,7 +223,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { deleteRoleAndRoleMapping(TEST_HR_ROLE) } } - */ fun `test create monitor with an user without index read role`() { @@ -278,6 +285,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { /* TODO: https://github.com/opensearch-project/alerting/issues/300 + */ fun `test get monitor with an user without get monitor role`() { createUserWithTestDataAndCustomRole( user, @@ -303,7 +311,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { deleteRoleAndRoleMapping(TEST_HR_ROLE) } } - */ fun getDocs(response: Response?): Any? { val hits = createParser( @@ -414,8 +421,8 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { /* TODO: https://github.com/opensearch-project/alerting/issues/300 + */ fun `test query monitors with disable filter by`() { - disableFilterBy() // creates monitor as "admin" user. 
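Review bot: `deleteRoleAndRoleMapping(TEST_HR_ROLE)` is appended as a plain trailing statement after the `assertEquals` calls in `test query monitors with an user with only search monitor cluster permission`, so when an assertion fails the role and its mapping are left behind and can mask or cause failures in later tests that recreate `TEST_HR_ROLE` for the same `user`. Wrap the request-and-assert section in `try { … } finally { deleteRoleAndRoleMapping(TEST_HR_ROLE) }` as the neighbouring tests do. The start of this function lies outside the hunk.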
@@ -440,10 +447,9 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { NStringEntity(search, ContentType.APPLICATION_JSON) ) fail("Expected 403 FORBIDDEN response") - } catch (e: AssertionError) { - assertEquals("Unexpected status", "Expected 403 FORBIDDEN response", e.message) + } catch (e: ResponseException) { + assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) } - // add alerting roles and search as userOne - must return 1 docs createUserRolesMapping(ALERTING_FULL_ACCESS_ROLE, arrayOf(user)) try { @@ -486,8 +492,8 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { NStringEntity(search, ContentType.APPLICATION_JSON) ) fail("Expected 403 FORBIDDEN response") - } catch (e: AssertionError) { - assertEquals("Unexpected status", "Expected 403 FORBIDDEN response", e.message) + } catch (e: ResponseException) { + assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) } // add alerting roles and search as userOne - must return 0 docs @@ -506,8 +512,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { } } - */ - fun `test execute monitor with an user with execute monitor access`() { createUserWithTestDataAndCustomRole( user, @@ -533,6 +537,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { /* TODO: https://github.com/opensearch-project/alerting/issues/300 + */ fun `test execute monitor with an user without execute monitor access`() { createUserWithTestDataAndCustomRole( user, @@ -558,7 +563,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { deleteRoleAndRoleMapping(TEST_HR_ROLE) } } - */ fun `test delete monitor with an user with delete monitor access`() { createUserWithTestDataAndCustomRole( @@ -587,6 +591,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { /* TODO: https://github.com/opensearch-project/alerting/issues/300 + */ fun `test delete monitor with an user without delete monitor access`() { createUserWithTestDataAndCustomRole( user, 
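Review bot: Replacing `catch (e: AssertionError)` with `catch (e: ResponseException)` is the right fix — the old form caught the `fail(...)` it was meant to detect and compared the message to itself, so the 403 path passed whatever the server returned; a one-line PR note that these four assertions (also the two `getAlerts` hunks `@@ -636,8 +641,8 @@` and `@@ -673,10 +678,9 @@`) were previously vacuous would help anyone bisecting test history. The kept comment `// add alerting roles and search as userOne - must return 1 docs` still names `userOne` although `user` is now `"userD"`; `// add alerting roles and search as the test user - must return 1 docs` (and the `0 docs` variants in the other three hunks) avoids the drift. The enclosing test bodies start outside these hunks.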
@@ -636,8 +641,8 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { try { getAlerts(userClient as RestClient, inputMap).asMap() fail("Expected 403 FORBIDDEN response") - } catch (e: AssertionError) { - assertEquals("Unexpected status", "Expected 403 FORBIDDEN response", e.message) + } catch (e: ResponseException) { + assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) } // add alerting roles and search as userOne - must return 0 docs @@ -673,10 +678,9 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { try { getAlerts(userClient as RestClient, inputMap).asMap() fail("Expected 403 FORBIDDEN response") - } catch (e: AssertionError) { - assertEquals("Unexpected status", "Expected 403 FORBIDDEN response", e.message) + } catch (e: ResponseException) { + assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) } - // add alerting roles and search as userOne - must return 0 docs createUserRolesMapping(ALERTING_FULL_ACCESS_ROLE, arrayOf(user)) try { @@ -687,8 +691,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { } } - */ - fun `test get alerts with an user with get alerts role`() { putAlertMappings() 
@@ -809,21 +811,19 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { assertEquals("Delete monitor failed", RestStatus.OK, adminDeleteResponse.restStatus()) } finally { deleteRoleAndRoleMapping(TEST_HR_ROLE) + deleteRoleMapping(ALERTING_FULL_ACCESS_ROLE) } } /* TODO: https://github.com/opensearch-project/alerting/issues/300 + */ fun `test execute query-level monitor with user having partial index permissions`() { - createUserWithDocLevelSecurityTestDataAndCustomRole( - user, - TEST_HR_INDEX, - TEST_HR_ROLE, - TEST_HR_BACKEND_ROLE, - TERM_DLS_QUERY, - getClusterPermissionsFromCustomRole(ALERTING_FULL_ACCESS_ROLE) - ) + createUser(user, user, arrayOf(TEST_HR_BACKEND_ROLE)) + createTestIndex(TEST_HR_INDEX) + createCustomIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) + createUserRolesMapping(TEST_HR_ROLE, arrayOf(user)) // Add a doc that is accessible to the user indexDoc( @@ -831,7 +831,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { """ { "test_field": "a", - "accessible": true + "accessible": true } """.trimIndent() ) @@ -850,7 +850,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { val input = SearchInput(indices = listOf(TEST_HR_INDEX), query = SearchSourceBuilder().query(QueryBuilders.matchAllQuery())) val triggerScript = """ // make sure there is exactly one hit - return ctx.results[0].hits.hits.size() == 1 + return ctx.results[0].hits.hits.size() == 1 """.trimIndent() val trigger = randomQueryLevelTrigger(condition = Script(triggerScript)).copy(actions = listOf()) 
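Review bot: The four-call setup that replaces `createUserWithDocLevelSecurityTestDataAndCustomRole` — `createUser`, `createTestIndex`, `createCustomIndexRoleWithDocLevelSecurity`, `createUserRolesMapping` — is duplicated verbatim in the bucket-level test's hunk `@@ -870,14 +870,10 @@`; a private helper in this class such as `private fun createUserWithDlsRole(clusterPermissions: String?)`, or a cluster-permissions parameter on the removed base-class helper, keeps the DLS setup in one place. The cluster permission also drops from `ALERTING_FULL_ACCESS_ROLE` to `ALERTING_INDEX_MONITOR_ACCESS` while the test, going by its name, executes the monitor; whether that permission set covers execute depends on the constant's definition, which is not visible here — worth confirming, since a 403 would surface before the DLS assertion is reached. Both test bodies continue outside the hunks.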
@@ -870,14 +870,10 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { fun `test execute bucket-level monitor with user having partial index permissions`() { - createUserWithDocLevelSecurityTestDataAndCustomRole( - user, - TEST_HR_INDEX, - TEST_HR_ROLE, - TEST_HR_BACKEND_ROLE, - TERM_DLS_QUERY, - getClusterPermissionsFromCustomRole(ALERTING_FULL_ACCESS_ROLE) - ) + createUser(user, user, arrayOf(TEST_HR_BACKEND_ROLE)) + createTestIndex(TEST_HR_INDEX) + createCustomIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) + createUserRolesMapping(TEST_HR_ROLE, arrayOf(user)) // Add a doc that is accessible to the user indexDoc( @@ -937,5 +933,4 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { deleteRoleAndRoleMapping(TEST_HR_ROLE) } } - */ } From 72d9a4433534ed3125f62195680db75677aec4b0 Mon Sep 17 00:00:00 2001 From: Raj Chakravarthi Date: Mon, 15 Aug 2022 21:16:04 +0200 Subject: [PATCH 2/5] changes on comments to PR Signed-off-by: Raj Chakravarthi --- .../alerting/AlertingRestTestCase.kt | 26 +------------------ .../resthandler/SecureMonitorRestApiIT.kt | 24 ++++++++++++----- 2 files changed, 18 insertions(+), 32 deletions(-) diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt b/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt index e73dcea77..46579aa01 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt 
@@ -1135,31 +1135,7 @@ abstract class AlertingRestTestCase : ODFERestTestCase() { client().performRequest(request) } - fun createIndexRoleWithDocLevelSecurity(name: String, index: String, dlsQuery: String) { - val request = Request("PUT", "/_plugins/_security/api/roles/$name") - var entity = "{\n" + - "\"cluster_permissions\": [\n" + - "],\n" + - "\"index_permissions\": [\n" + - "{\n" + - "\"index_patterns\": [\n" + - "\"$index\"\n" + - "],\n" + - "\"dls\": \"$dlsQuery\",\n" + - "\"fls\": [],\n" + - "\"masked_fields\": [],\n" + - "\"allowed_actions\": [\n" + - "\"crud\"\n" + - "]\n" + - "}\n" + - "],\n" + - "\"tenant_permissions\": []\n" + - "}" - request.setJsonEntity(entity) - client().performRequest(request) - } - - fun createCustomIndexRoleWithDocLevelSecurity(name: String, index: String, dlsQuery: String, clusterPermissions: String?) { + fun createIndexRoleWithDocLevelSecurity(name: String, index: String, dlsQuery: String, clusterPermissions: String? = "") { val request = Request("PUT", "/_plugins/_security/api/roles/$name") var entity = "{\n" + "\"cluster_permissions\": [\n" + diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt index aaa5dd519..95a67536c 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt 
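Review bot: The new default `clusterPermissions: String? = ""` does not reproduce the removed three-argument overload: it yields `"cluster_permissions": [""]` — an array holding one empty-string permission — where the old helper produced an empty array, so any caller relying on the default (none is visible in this patch) now creates a role with a bogus permission entry that the security plugin may reject. A null default with the entry emitted only when present is the equivalent form: `clusterPermissions: String? = null` in the signature and `"\"cluster_permissions\": [\n" + (clusterPermissions?.let { "\"$it\"\n" } ?: "") + "],\n"` in the body. The rest of the body, including the `var entity` that should be `val`, continues outside the hunk.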
@@ -96,8 +96,13 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { // Create Monitor related security tests fun `test create monitor with an user with alerting role`() { - createUserWithTestData(user, TEST_HR_INDEX, TEST_HR_ROLE, TEST_HR_BACKEND_ROLE) - createUserRolesMapping(ALERTING_FULL_ACCESS_ROLE, arrayOf(user)) + createUserWithTestDataAndCustomRole( + user, + TEST_HR_INDEX, + TEST_HR_ROLE, + TEST_HR_BACKEND_ROLE, + getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS) + ) try { // randomMonitor has a dummy user, api ignores the User passed as part of monitor, it picks user info from the logged-in user. val monitor = randomQueryLevelMonitor().copy( @@ -113,7 +118,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { assertUserNull(createResponse?.asMap()!!["monitor"] as HashMap) } finally { deleteRoleAndRoleMapping(TEST_HR_ROLE) - deleteRoleMapping(ALERTING_FULL_ACCESS_ROLE) } } @@ -451,7 +455,13 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) } // add alerting roles and search as userOne - must return 1 docs - createUserRolesMapping(ALERTING_FULL_ACCESS_ROLE, arrayOf(user)) + createUserWithTestDataAndCustomRole( + user, + TEST_HR_INDEX, + TEST_HR_ROLE, + TEST_HR_BACKEND_ROLE, + getClusterPermissionsFromCustomRole(ALERTING_SEARCH_MONITOR_ONLY_ACCESS) + ) try { val userOneSearchResponse = userClient?.makeRequest( "POST", @@ -462,7 +472,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { assertEquals("Search monitor failed", RestStatus.OK, userOneSearchResponse?.restStatus()) assertEquals("Monitor not found during search", 1, getDocs(userOneSearchResponse)) } finally { - deleteRoleMapping(ALERTING_FULL_ACCESS_ROLE) + deleteRoleAndRoleMapping(TEST_HR_ROLE) } } 
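Review bot: In `test query monitors with disable filter by`, `createUserWithTestDataAndCustomRole(...)` now runs in the middle of the test, after `userClient` has already issued the forbidden request, so the user and `TEST_HR_INDEX` presumably exist from the earlier setup; if the helper recreates them, the second call may fail on the existing index or reset its data, so confirm it is idempotent or call only the role-creation and `createUserRolesMapping` steps here. The retained comment `// add alerting roles and search as userOne - must return 1 docs` is now doubly stale — the user is `userD` and what is added is a custom role carrying `ALERTING_SEARCH_MONITOR_ONLY_ACCESS`; `// grant search-monitor-only access via a custom role and search as the test user - must return 1 doc` describes the new code. The test body begins outside the hunk.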
@@ -822,7 +832,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { createUser(user, user, arrayOf(TEST_HR_BACKEND_ROLE)) createTestIndex(TEST_HR_INDEX) - createCustomIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) + createIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) createUserRolesMapping(TEST_HR_ROLE, arrayOf(user)) // Add a doc that is accessible to the user @@ -872,7 +882,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { createUser(user, user, arrayOf(TEST_HR_BACKEND_ROLE)) createTestIndex(TEST_HR_INDEX) - createCustomIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) + createIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) createUserRolesMapping(TEST_HR_ROLE, arrayOf(user)) // Add a doc that is accessible to the user From 0b2238bee1e896070dcf9c0f8b3d1f9e1e7b162e Mon Sep 17 00:00:00 2001 From: Raj Chakravarthi Date: Tue, 31 Jan 2023 14:11:52 -0500 Subject: [PATCH 3/5] indentation issues after resolving conflicts Signed-off-by: Raj Chakravarthi --- .../resthandler/SecureMonitorRestApiIT.kt | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt index 841dafb42..ef2452632 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt 
@@ -27,8 +27,8 @@ import org.opensearch.alerting.ALL_ACCESS_ROLE import org.opensearch.alerting.ALWAYS_RUN import org.opensearch.alerting.AlertingRestTestCase import org.opensearch.alerting.DRYRUN_MONITOR -import org.opensearch.alerting.TERM_DLS_QUERY import org.opensearch.alerting.READALL_AND_MONITOR_ROLE +import org.opensearch.alerting.TERM_DLS_QUERY import org.opensearch.alerting.TEST_HR_BACKEND_ROLE import org.opensearch.alerting.TEST_HR_INDEX import org.opensearch.alerting.TEST_HR_ROLE @@ -159,7 +159,6 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { createUserWithTestData(user, TEST_HR_INDEX, TEST_HR_ROLE, TEST_HR_BACKEND_ROLE) createUserRolesMapping(ALERTING_READ_ONLY_ACCESS, arrayOf(user)) - try { val monitor = randomQueryLevelMonitor().copy( inputs = listOf( @@ -1359,7 +1358,12 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { createUser(user, user, arrayOf(TEST_HR_BACKEND_ROLE)) createTestIndex(TEST_HR_INDEX) - createIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) + createIndexRoleWithDocLevelSecurity( + TEST_HR_ROLE, + TEST_HR_INDEX, + TERM_DLS_QUERY, + getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS) + ) createUserRolesMapping(TEST_HR_ROLE, arrayOf(user)) // Add a doc that is accessible to the user @@ -1409,7 +1413,12 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { createUser(user, user, arrayOf(TEST_HR_BACKEND_ROLE)) createTestIndex(TEST_HR_INDEX) - createIndexRoleWithDocLevelSecurity(TEST_HR_ROLE, TEST_HR_INDEX, TERM_DLS_QUERY, getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)) + createIndexRoleWithDocLevelSecurity( + TEST_HR_ROLE, + TEST_HR_INDEX, + TERM_DLS_QUERY, + getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS) + ) createUserRolesMapping(TEST_HR_ROLE, arrayOf(user)) // Add a doc that is accessible to the user 
From 1ce7e2ce8159a3515738d945c68062a4e72e1c58 Mon Sep 17 00:00:00 2001 From: Raj Chakravarthi Date: Tue, 31 Jan 2023 16:18:21 -0500 Subject: [PATCH 4/5] mock version and wrong import Signed-off-by: Raj Chakravarthi --- alerting/build.gradle | 2 +- .../alerting/resthandler/SecureMonitorRestApiIT.kt | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/alerting/build.gradle b/alerting/build.gradle index 9df2b5a08..b54e7c42f 100644 --- a/alerting/build.gradle +++ b/alerting/build.gradle @@ -96,7 +96,7 @@ dependencies { implementation "com.github.seancfoley:ipaddress:5.3.3" testImplementation "org.jetbrains.kotlin:kotlin-test:${kotlin_version}" - testImplementation "org.mockito:mockito-core:4.7.0" + testImplementation "org.mockito:mockito-core:5.1.0" testImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}" } diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt index ef2452632..32c58e77c 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt @@ -33,7 +33,6 @@ import org.opensearch.alerting.TEST_HR_BACKEND_ROLE import org.opensearch.alerting.TEST_HR_INDEX import org.opensearch.alerting.TEST_HR_ROLE import org.opensearch.alerting.TEST_NON_HR_INDEX -import org.opensearch.alerting.aggregation.bucketselectorext.BucketSelectorExtAggregationBuilder import org.opensearch.alerting.assertUserNull import org.opensearch.alerting.makeRequest import org.opensearch.alerting.randomAction 
@@ -50,6 +49,7 @@ import org.opensearch.common.xcontent.LoggingDeprecationHandler import org.opensearch.common.xcontent.NamedXContentRegistry import org.opensearch.common.xcontent.XContentType import org.opensearch.common.xcontent.json.JsonXContent +import org.opensearch.commons.alerting.aggregation.bucketselectorext.BucketSelectorExtAggregationBuilder import org.opensearch.commons.alerting.model.Alert import org.opensearch.commons.alerting.model.SearchInput import org.opensearch.commons.authuser.User @@ -104,7 +104,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { user, TEST_HR_INDEX, TEST_HR_ROLE, - TEST_HR_BACKEND_ROLE, + listOf(TEST_HR_BACKEND_ROLE), getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS) ) try { @@ -985,7 +985,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { user, TEST_HR_INDEX, TEST_HR_ROLE, - TEST_HR_BACKEND_ROLE, + listOf(TEST_HR_BACKEND_ROLE), getClusterPermissionsFromCustomRole(ALERTING_SEARCH_MONITOR_ONLY_ACCESS) ) try { From a12dd3234eadb80fa24c61f2110ec2345899a2f9 Mon Sep 17 00:00:00 2001 From: Raj Chakravarthi Date: Tue, 31 Jan 2023 16:33:38 -0500 Subject: [PATCH 5/5] changed SetOnce import to opensearch Signed-off-by: Raj Chakravarthi --- .../org/opensearch/percolator/PercolateQueryBuilderExt.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alerting/src/main/java/org/opensearch/percolator/PercolateQueryBuilderExt.java b/alerting/src/main/java/org/opensearch/percolator/PercolateQueryBuilderExt.java index 33f67641e..e74b84c0e 100644 --- a/alerting/src/main/java/org/opensearch/percolator/PercolateQueryBuilderExt.java +++ b/alerting/src/main/java/org/opensearch/percolator/PercolateQueryBuilderExt.java 
@@ -54,7 +54,7 @@ import org.apache.lucene.util.BitDocIdSet;
 import org.apache.lucene.util.BitSet;
 import org.apache.lucene.util.BytesRef;
-import org.apache.lucene.util.SetOnce;
+import org.opensearch.common.SetOnce;
 import org.opensearch.OpenSearchException;
 import org.opensearch.ResourceNotFoundException;
 import org.opensearch.Version;