

Added validation integration tests with security (#339)
Signed-off-by: Amit Galitzky <[email protected]>
amitgalitz authored and ylwu-amzn committed Jan 12, 2022
1 parent a7ad4f9 commit 6af14ce
Showing 2 changed files with 64 additions and 1 deletion.
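--- a/src/test/java/org/opensearch/ad/AnomalyDetectorRestTestCase.java
+++ b/src/test/java/org/opensearch/ad/AnomalyDetectorRestTestCase.java
@@ -587,4 +587,16 @@ protected AnomalyDetector cloneDetector(AnomalyDetector anomalyDetector, String
 return detector;
 }
 
+protected Response validateAnomalyDetector(AnomalyDetector detector, RestClient client) throws IOException {
+return TestHelpers
+.makeRequest(
+client,
+"POST",
+TestHelpers.AD_BASE_DETECTORS_URI + "/_validate",
+ImmutableMap.of(),
+TestHelpers.toHttpEntity(detector),
+null
+);
+}
+
 }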
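Review bot: validateAnomalyDetector has no Javadoc and passes an empty parameter map and a `null` final argument to makeRequest without saying what that argument is or why it is omitted, so the next test author has to read TestHelpers to use it safely. A one-line doc would do: `/** POSTs {@code detector} to the AD {@code _validate} endpoint as {@code client}; a rejected request (e.g. a security 403) surfaces as the IOException makeRequest throws, so callers should assert on either the returned Response status or that exception. */`. The claim about the exception is inferred from how SecureADRestIT uses this helper in the same commit; confirm it against TestHelpers.makeRequest before committing to it in the doc.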
53 changes: 52 additions & 1 deletion src/test/java/org/opensearch/ad/rest/SecureADRestIT.java
Expand Up @@ -50,6 +50,8 @@ public class SecureADRestIT extends AnomalyDetectorRestTestCase {
RestClient fishClient;
String goatUser = "goat";
RestClient goatClient;
String lionUser = "lion";
RestClient lionClient;
private String indexAllAccessRole = "index_all_access";
private String indexSearchAccessRole = "index_all_search";

Expand Down Expand Up @@ -94,9 +96,14 @@ public void setupSecureTests() throws IOException {
.setSocketTimeout(60000)
.build();

createUser(lionUser, lionUser, new ArrayList<>(Arrays.asList("opensearch")));
lionClient = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), lionUser, lionUser)
.setSocketTimeout(60000)
.build();

createRoleMapping("anomaly_read_access", new ArrayList<>(Arrays.asList(bobUser)));
createRoleMapping("anomaly_full_access", new ArrayList<>(Arrays.asList(aliceUser, catUser, dogUser, elkUser, fishUser, goatUser)));
createRoleMapping(indexAllAccessRole, new ArrayList<>(Arrays.asList(aliceUser, bobUser, catUser, dogUser, fishUser)));
createRoleMapping(indexAllAccessRole, new ArrayList<>(Arrays.asList(aliceUser, bobUser, catUser, dogUser, fishUser, lionUser)));
createRoleMapping(indexSearchAccessRole, new ArrayList<>(Arrays.asList(goatUser)));
}

Expand All @@ -109,13 +116,15 @@ public void deleteUserSetup() throws IOException {
elkClient.close();
fishClient.close();
goatClient.close();
lionClient.close();
deleteUser(aliceUser);
deleteUser(bobUser);
deleteUser(catUser);
deleteUser(dogUser);
deleteUser(elkUser);
deleteUser(fishUser);
deleteUser(goatUser);
deleteUser(lionUser);
}

public void testCreateAnomalyDetectorWithWriteAccess() throws IOException {
Expand Down Expand Up @@ -378,4 +387,46 @@ public void testPreviewAnomalyDetectorWithNoReadPermissionOfIndex() throws IOExc
);
Assert.assertTrue(exception.getMessage().contains("no permissions for [indices:data/read/search]"));
}

public void testValidateAnomalyDetectorWithWriteAccess() throws IOException {
// User Alice has AD full access, should be able to validate a detector
AnomalyDetector aliceDetector = createRandomAnomalyDetector(false, false, aliceClient);
Response validateResponse = validateAnomalyDetector(aliceDetector, aliceClient);
Assert.assertNotNull("User alice validated detector successfully", validateResponse);
}

public void testValidateAnomalyDetectorWithNoADAccess() throws IOException {
// User Lion has no AD access at all, should not be able to validate a detector
AnomalyDetector detector = TestHelpers.randomAnomalyDetector(null, Instant.now());
Exception exception = expectThrows(IOException.class, () -> { validateAnomalyDetector(detector, lionClient); });
Assert.assertTrue(exception.getMessage().contains("no permissions for [cluster:admin/opendistro/ad/detector/validate]"));

}

public void testValidateAnomalyDetectorWithReadAccess() throws IOException {
// User Bob has AD read access, should still be able to validate a detector
AnomalyDetector detector = TestHelpers.randomAnomalyDetector(null, Instant.now());
Response validateResponse = validateAnomalyDetector(detector, bobClient);
Assert.assertNotNull("User bob validated detector successfully", validateResponse);
}

public void testValidateAnomalyDetectorWithNoReadPermissionOfIndex() throws IOException {
AnomalyDetector detector = TestHelpers.randomAnomalyDetector(null, Instant.now());
enableFilterBy();
// User elk has no read permission of index, can't validate detector
Exception exception = expectThrows(Exception.class, () -> { validateAnomalyDetector(detector, elkClient); });
Assert.assertTrue(exception.getMessage().contains("no permissions for [indices:data/read/search]"));
}

public void testValidateAnomalyDetectorWithNoBackendRole() throws IOException {
AnomalyDetector detector = TestHelpers.randomAnomalyDetector(null, Instant.now());
enableFilterBy();
// User Dog has AD full access, but has no backend role
// When filter by is enabled, we block validating Detectors
Exception exception = expectThrows(IOException.class, () -> { validateAnomalyDetector(detector, dogClient); });
Assert
.assertTrue(
exception.getMessage().contains("Filter by backend roles is enabled and User dog does not have backend roles configured")
);
}
}
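Review bot: The two positive tests, testValidateAnomalyDetectorWithWriteAccess and testValidateAnomalyDetectorWithReadAccess, only assert that the Response object is non-null, which does not check that the validate call actually succeeded or what it returned; assert the status explicitly, e.g. `Assert.assertEquals(200, validateResponse.getStatusLine().getStatusCode());`, so a future regression that returns a non-error but unexpected status is caught. The read-access test deliberately pins that `anomaly_read_access` is allowed to call `cluster:admin/opendistro/ad/detector/validate`, which is a least-privilege decision worth stating in the comment: `// validate is intentionally granted to read-only AD users: it evaluates config without creating or running a detector`. testValidateAnomalyDetectorWithNoADAccess and testValidateAnomalyDetectorWithNoBackendRole expect IOException while testValidateAnomalyDetectorWithNoReadPermissionOfIndex expects the broader Exception; narrowing the latter to IOException keeps the three consistent and would fail on an unexpected exception type. The tests that call enableFilterBy() mutate a cluster setting that the preceding, unchanged preview tests also flip; I cannot see from this section whether the setting is reset between tests, so please confirm a teardown restores it rather than relying on test order.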

