From 94961bd9a0cb78474c41440b887db23133591966 Mon Sep 17 00:00:00 2001 From: Sam <128482925+samuelcostae@users.noreply.github.com> Date: Fri, 17 Nov 2023 15:13:16 +0000 Subject: [PATCH] Adds a new tab for Service Accounts (#1502) --------- Signed-off-by: Craig Perkins Signed-off-by: Sam Signed-off-by: Ryan Liang Signed-off-by: Ryan Liang <109499885+RyanL1997@users.noreply.github.com> Signed-off-by: Craig Perkins Signed-off-by: Darshit Chanpura Signed-off-by: Chang Liu Signed-off-by: leanneeliatra Signed-off-by: nursaadat Signed-off-by: Saadat Nursultan Signed-off-by: nurbqq Signed-off-by: nurbqq <106753054+nurbq@users.noreply.github.com> Signed-off-by: vamsi-amazon Signed-off-by: Sirazh Gabdullin Signed-off-by: Jochen Kressin Signed-off-by: Abhi Kalra Signed-off-by: opensearch-ci-bot Signed-off-by: Leanne Lacey-Byrne Signed-off-by: zhichao-aws Signed-off-by: Derek Ho Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> Signed-off-by: Hailong Cui Signed-off-by: Peter Nied Signed-off-by: Peter Nied Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com> Co-authored-by: Craig Perkins Co-authored-by: Ryan Liang <109499885+RyanL1997@users.noreply.github.com> Co-authored-by: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com> Co-authored-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> Co-authored-by: Chang Liu Co-authored-by: mattieserver <3049868+mattieserver@users.noreply.github.com> Co-authored-by: Saadat Nursultan <39532643+nurSaadat@users.noreply.github.com> Co-authored-by: nursaadat Co-authored-by: Saadat Nursultan Co-authored-by: Nurbakhyt Sembayev <106753054+nurbq@users.noreply.github.com> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Co-authored-by: Vamsi Manohar Co-authored-by: Sirazh Gabdullin Co-authored-by: Jochen Kressin <126353411+jochen-kressin@users.noreply.github.com> Co-authored-by: Abhi Kalra <99718513+abhivka7@users.noreply.github.com> Co-authored-by: Abhi Kalra Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Co-authored-by: opensearch-ci-bot Co-authored-by: zhichao-aws Co-authored-by: Darshit Chanpura Co-authored-by: Derek Ho Co-authored-by: Hailong Cui Co-authored-by: Peter Nied Co-authored-by: Derek Ho --- DEVELOPER_GUIDE.md | 12 +- public/apps/configuration/app-router.tsx | 13 ++ public/apps/configuration/constants.tsx | 2 + .../panels/service-account-list.tsx | 220 ++++++++++++++++++ .../panels/test/service-account-list.test.tsx | 173 ++++++++++++++ .../apps/configuration/panels/user-list.tsx | 6 +- public/apps/configuration/types.ts | 1 + .../utils/internal-user-list-utils.tsx | 31 ++- ...pensearch_security_configuration_plugin.ts | 11 + server/routes/index.ts | 13 +- 10 files changed, 458 insertions(+), 24 deletions(-) create mode 100644 public/apps/configuration/panels/service-account-list.tsx create mode 100644 public/apps/configuration/panels/test/service-account-list.test.tsx diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md index 67eb5c354..6c479f4b4 100644 --- a/DEVELOPER_GUIDE.md +++ b/DEVELOPER_GUIDE.md @@ -92,17 +92,9 @@ Next, go to the base directory (`cd ../..`) and run `yarn osd bootstrap` to inst From the base directory, run `yarn start`. This should start dashboard UI successfully. `Cmd+click` the url in the console output (It should look something like `http://0:5601/omf`). Once the page loads, you should be able to log in with user `admin` and password `admin`. -## Testing +## Integration Tests -The security-dashboards-plugin project uses Jest, Cypress and Selenium and makes use of the [OpenSearch Dashboards Functional Test]( https://github.com/opensearch-project/opensearch-dashboards-functional-test) project. - -Make sure you have the OpenSearch and OpenSearch Dashboards running with the Security Plugin and that you can log in to it using a web browser. - -Clone [OpenSearch Dashboards Functional Test]( https://github.com/opensearch-project/opensearch-dashboards-functional-test) in your local machine and follow the instructions in its DEVELOPER_GUIDE.md - -### Integration Tests - -To run selenium based integration tests, download and export the firefox web-driver to your PATH. Also, run `node scripts/build_opensearch_dashboards_platform_plugins.js` or `yarn start` before running the tests. This is essential to generate the bundles. +To run selenium based integration tests, download and export the firefox web-driver to your PATH. Also, run `node scripts/build_opensearch_dashboards_platform_plugins.js` or `yarn start` before running the tests. This is essential to generate the bundles. The integration tests take advantage of [npm "pre" scripts](https://docs.npmjs.com/cli/v9/using-npm/scripts) to run a node based SAML IdP for integration tests related to SAML authentication. This will run a background process that listens on port 7000. diff --git a/public/apps/configuration/app-router.tsx b/public/apps/configuration/app-router.tsx index 6cb97ec0e..a10cec08e 100644 --- a/public/apps/configuration/app-router.tsx +++ b/public/apps/configuration/app-router.tsx @@ -35,6 +35,7 @@ import { RoleEditMappedUser } from './panels/role-mapping/role-edit-mapped-user' import { RoleView } from './panels/role-view/role-view'; import { TenantList } from './panels/tenant-list/tenant-list'; import { UserList } from './panels/user-list'; +import { ServiceAccountList } from './panels/service-account-list'; import { Action, ResourceType, RouteItem, SubAction } from './types'; import { buildHashUrl, buildUrl } from './utils/url-builder'; import { CrossPageToast } from './cross-page-toast'; @@ -54,6 +55,10 @@ const ROUTE_MAP: { [key: string]: RouteItem } = { name: 'Internal users', href: buildUrl(ResourceType.users), }, + [ResourceType.serviceAccounts]: { + name: 'Service Accounts', + href: buildUrl(ResourceType.serviceAccounts), + }, [ResourceType.permissions]: { name: 'Permissions', href: buildUrl(ResourceType.permissions), @@ -85,6 +90,7 @@ const ROUTE_LIST = [ ROUTE_MAP[ResourceType.auth], ROUTE_MAP[ResourceType.roles], ROUTE_MAP[ResourceType.users], + ROUTE_MAP[ResourceType.serviceAccounts], ROUTE_MAP[ResourceType.permissions], ROUTE_MAP[ResourceType.tenants], ROUTE_MAP[ResourceType.auditLogging], @@ -209,6 +215,13 @@ export function AppRouter(props: AppDependencies) { return ; }} /> + { + setGlobalBreadcrumbs(ResourceType.serviceAccounts); + return ; + }} + /> { diff --git a/public/apps/configuration/constants.tsx b/public/apps/configuration/constants.tsx index e789591cd..4dd107a91 100644 --- a/public/apps/configuration/constants.tsx +++ b/public/apps/configuration/constants.tsx @@ -25,6 +25,8 @@ export const API_ENDPOINT_MULTITENANCY = API_PREFIX + '/multitenancy/tenant'; export const API_ENDPOINT_TENANCY_CONFIGS = API_ENDPOINT + '/tenancy/config'; export const API_ENDPOINT_SECURITYCONFIG = API_ENDPOINT + '/securityconfig'; export const API_ENDPOINT_INTERNALUSERS = API_ENDPOINT + '/internalusers'; +export const API_ENDPOINT_INTERNALACCOUNTS = API_ENDPOINT + '/internalaccounts'; +export const API_ENDPOINT_SERVICEACCOUNTS = API_ENDPOINT + '/serviceaccounts'; export const API_ENDPOINT_AUDITLOGGING = API_ENDPOINT + '/audit'; export const API_ENDPOINT_AUDITLOGGING_UPDATE = API_ENDPOINT_AUDITLOGGING + '/config'; export const API_ENDPOINT_PERMISSIONS_INFO = API_PREFIX + '/restapiinfo'; diff --git a/public/apps/configuration/panels/service-account-list.tsx b/public/apps/configuration/panels/service-account-list.tsx new file mode 100644 index 000000000..61c21a9e5 --- /dev/null +++ b/public/apps/configuration/panels/service-account-list.tsx @@ -0,0 +1,220 @@ +/* + * Copyright OpenSearch Contributors + * + * Licensed under the Apache License, Version 2.0 (the "License"). + * You may not use this file except in compliance with the License. + * A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the "license" file accompanying this file. This file is distributed + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import { + EuiBadge, + EuiButtonEmpty, + EuiFlexGroup, + EuiFlexItem, + EuiInMemoryTable, + EuiLink, + EuiPageBody, + EuiPageContent, + EuiPageContentHeader, + EuiPageContentHeaderSection, + EuiPageHeader, + EuiText, + EuiTitle, + Query, +} from '@elastic/eui'; +import { Dictionary, difference, isEmpty, map } from 'lodash'; +import React, { useState } from 'react'; +import { getAuthInfo } from '../../../utils/auth-info-utils'; +import { AppDependencies } from '../../types'; +import { API_ENDPOINT_SERVICEACCOUNTS, DocLinks } from '../constants'; +import { Action, ResourceType } from '../types'; +import { EMPTY_FIELD_VALUE } from '../ui-constants'; +import { useContextMenuState } from '../utils/context-menu'; +import { ExternalLink, tableItemsUIProps, truncatedListView } from '../utils/display-utils'; +import { getUserList, InternalUsersListing } from '../utils/internal-user-list-utils'; +import { showTableStatusMessage } from '../utils/loading-spinner-utils'; +import { buildHashUrl } from '../utils/url-builder'; + +export function dictView(items: Dictionary) { + if (isEmpty(items)) { + return EMPTY_FIELD_VALUE; + } + return ( + + {map(items, (v, k) => ( + + {k}: {`"${v}"`} + + ))} + + ); +} + +export function getColumns(currentUsername: string) { + return [ + { + field: 'username', + name: 'Username', + render: (username: string) => ( + <> + {username} + {username === currentUsername && ( + <> +   + Current + + )} + + ), + sortable: true, + }, + { + field: 'backend_roles', + name: 'Backend roles', + render: truncatedListView(tableItemsUIProps), + }, + { + field: 'attributes', + name: 'Attributes', + render: dictView, + truncateText: true, + }, + ]; +} + +export function ServiceAccountList(props: AppDependencies) { + const [userData, setUserData] = React.useState([]); + const [errorFlag, setErrorFlag] = React.useState(false); + const [selection, setSelection] = React.useState([]); + const [currentUsername, setCurrentUsername] = useState(''); + const [loading, setLoading] = useState(false); + const [query, setQuery] = useState(null); + + React.useEffect(() => { + const fetchData = async () => { + try { + setLoading(true); + const userDataPromise = getUserList(props.coreStart.http, ResourceType.serviceAccounts); + setCurrentUsername((await getAuthInfo(props.coreStart.http)).user_name); + setUserData(await userDataPromise); + } catch (e) { + console.log(e); + setErrorFlag(true); + } finally { + setLoading(false); + } + }; + + fetchData(); + }, [props.coreStart.http]); + + const actionsMenuItems = [ + { + window.location.href = buildHashUrl(ResourceType.users, Action.edit, selection[0].username); + }} + disabled={selection.length !== 1} + > + Edit + , + { + window.location.href = buildHashUrl( + ResourceType.users, + Action.duplicate, + selection[0].username + ); + }} + disabled={selection.length !== 1} + > + Duplicate + , + + Export JSON + , + ]; + + const [actionsMenu, closeActionsMenu] = useContextMenuState('Actions', {}, actionsMenuItems); + + return ( + <> + + +

Service accounts

+
+
+ + + + +

+ Service accounts + + {' '} + ({Query.execute(query || '', userData).length}) + +

+
+ + Here you have a list of special accounts that represent services like extensions, + plugins or other third party applications. You can map an account to a role from + Roles + “Manage mapping” + + +
+ + + {actionsMenu} + + +
+ + { + setQuery(arg.query); + return true; + }, + }} + // @ts-ignore + selection={{ onSelectionChange: setSelection }} + sorting + error={ + errorFlag ? 'Load data failed, please check the console log for more details.' : '' + } + message={showTableStatusMessage(loading, userData)} + /> + +
+ + ); +} diff --git a/public/apps/configuration/panels/test/service-account-list.test.tsx b/public/apps/configuration/panels/test/service-account-list.test.tsx new file mode 100644 index 000000000..2ffe595e8 --- /dev/null +++ b/public/apps/configuration/panels/test/service-account-list.test.tsx @@ -0,0 +1,173 @@ +/* + * Copyright OpenSearch Contributors + * + * Licensed under the Apache License, Version 2.0 (the "License"). + * You may not use this file except in compliance with the License. + * A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the "license" file accompanying this file. This file is distributed + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import { EuiBadge, EuiText, EuiInMemoryTable } from '@elastic/eui'; +import { shallow } from 'enzyme'; +import React from 'react'; +import { EMPTY_FIELD_VALUE } from '../../ui-constants'; +import { getUserList, InternalUsersListing } from '../../utils/internal-user-list-utils'; +import { dictView, getColumns, ServiceAccountList } from '../service-account-list'; + +jest.mock('../../utils/internal-user-list-utils'); +jest.mock('../../../../utils/auth-info-utils', () => ({ + getAuthInfo: jest.fn().mockReturnValue({ user_name: 'user' }), +})); +jest.mock('../../utils/context-menu', () => ({ + useContextMenuState: jest + .fn() + .mockImplementation((buttonText, buttonProps, children) => [children, jest.fn()]), +})); + +import { getAuthInfo } from '../../../../utils/auth-info-utils'; +import { buildHashUrl } from '../../utils/url-builder'; +import { ResourceType, Action } from '../../types'; + +describe('User list', () => { + describe('dictView', () => { + it('- empty', () => { + const result = dictView({}); + + expect(result).toEqual(EMPTY_FIELD_VALUE); + }); + + it('dictView - non-empty', () => { + const attr1 = 'attr1'; + const attr2 = 'attr2'; + const value1 = 'value1'; + const value2 = 'value2'; + const result = shallow(dictView({ [attr1]: value1, [attr2]: value2 })); + + expect(result.find(EuiText).at(0).prop('children')).toEqual([attr1, ': ', `"${value1}"`]); + expect(result.find(EuiText).at(1).prop('children')).toEqual([attr2, ': ', `"${value2}"`]); + }); + }); + + describe('getColumns', () => { + it('current user', () => { + const columns = getColumns('user1'); + const usernameRenderer = columns[0].render as (usename: string) => JSX.Element; + const Container = (props: { username: string }) => usernameRenderer(props.username); + const result = shallow(); + + expect(result.find(EuiBadge).length).toBe(1); + }); + + it('not current user', () => { + const columns = getColumns('user1'); + const usernameRenderer = columns[0].render as (usename: string) => JSX.Element; + const Container = (props: { username: string }) => usernameRenderer(props.username); + const result = shallow(); + + expect(result.find(EuiBadge).length).toBe(0); + }); + }); + + describe('ServiceAccountList', () => { + const mockCoreStart = { + http: 1, + }; + const setState = jest.fn(); + jest.spyOn(React, 'useState').mockImplementation((initValue) => [initValue, setState]); + + it('render empty', () => { + const component = shallow( + + ); + + expect(component.find(EuiInMemoryTable).prop('items')).toEqual([]); + }); + + it('fetch data', () => { + jest.spyOn(React, 'useEffect').mockImplementationOnce((f) => f()); + shallow( + + ); + + expect(getUserList).toBeCalled(); + expect(getAuthInfo).toBeCalled(); + }); + + it('fetch data error', () => { + jest.spyOn(React, 'useEffect').mockImplementationOnce((f) => f()); + getUserList.mockImplementationOnce(() => { + throw new Error(); + }); + // Hide the error message + jest.spyOn(console, 'log').mockImplementationOnce(() => {}); + shallow( + + ); + + // Expect error flag set to true + expect(setState).toBeCalledWith(true); + }); + }); + + describe('Action menu click', () => { + const mockCoreStart = { + http: { + basePath: { + serverBasePath: '', + }, + }, + }; + let component; + const mockUserListingData: InternalUsersListing = { + username: 'user_1', + attributes: { service: 'true' }, + backend_roles: ['backend_role1'], + }; + beforeEach(() => { + jest.spyOn(React, 'useState').mockImplementation(() => [[mockUserListingData], jest.fn()]); + component = shallow( + + ); + }); + + it('Edit click', () => { + component.find('[data-test-subj="edit"]').simulate('click'); + expect(window.location.hash).toBe( + buildHashUrl(ResourceType.users, Action.edit, mockUserListingData.username) + ); + }); + + it('Duplicate click', () => { + component.find('[data-test-subj="duplicate"]').simulate('click'); + expect(window.location.hash).toBe( + buildHashUrl(ResourceType.users, Action.duplicate, mockUserListingData.username) + ); + }); + }); +}); diff --git a/public/apps/configuration/panels/user-list.tsx b/public/apps/configuration/panels/user-list.tsx index 8cb627f8b..eb369f7ad 100644 --- a/public/apps/configuration/panels/user-list.tsx +++ b/public/apps/configuration/panels/user-list.tsx @@ -107,7 +107,7 @@ export function UserList(props: AppDependencies) { const fetchData = async () => { try { setLoading(true); - const userDataPromise = getUserList(props.coreStart.http); + const userDataPromise = getUserList(props.coreStart.http, ResourceType.users); setCurrentUsername((await getAuthInfo(props.coreStart.http)).user_name); setUserData(await userDataPromise); } catch (e) { @@ -213,7 +213,7 @@ export function UserList(props: AppDependencies) { The Security plugin includes an internal user database. Use this database in place of, or in addition to, an external authentication system such as LDAP server or Active - Directory. You can map an internal user to a role from{' '} + Directory. You can map an user account to a role from{' '} Roles . First, click into the detail page of the role. Then, under “Mapped users”, click “Manage mapping” @@ -224,7 +224,7 @@ export function UserList(props: AppDependencies) { {actionsMenu} - Create internal user + Create user account diff --git a/public/apps/configuration/types.ts b/public/apps/configuration/types.ts index 06ef44369..fd64e1095 100644 --- a/public/apps/configuration/types.ts +++ b/public/apps/configuration/types.ts @@ -22,6 +22,7 @@ export type FieldLevelSecurityMethod = 'exclude' | 'include'; export enum ResourceType { roles = 'roles', users = 'users', + serviceAccounts = 'serviceAccounts', permissions = 'permissions', tenants = 'tenants', tenantsManageTab = 'tenantsManageTab', diff --git a/public/apps/configuration/utils/internal-user-list-utils.tsx b/public/apps/configuration/utils/internal-user-list-utils.tsx index 9a893eeb9..02042e928 100644 --- a/public/apps/configuration/utils/internal-user-list-utils.tsx +++ b/public/apps/configuration/utils/internal-user-list-utils.tsx @@ -15,8 +15,12 @@ import { map } from 'lodash'; import { HttpStart } from '../../../../../../src/core/public'; -import { API_ENDPOINT_INTERNALUSERS } from '../constants'; -import { DataObject, InternalUser, ObjectsMessage } from '../types'; +import { + API_ENDPOINT_INTERNALACCOUNTS, + API_ENDPOINT_INTERNALUSERS, + API_ENDPOINT_SERVICEACCOUNTS, +} from '../constants'; +import { DataObject, InternalUser, ObjectsMessage, ResourceType } from '../types'; import { httpDelete, httpGet } from './request-utils'; import { getResourceUrl } from './resource-utils'; @@ -38,15 +42,26 @@ export async function requestDeleteUsers(http: HttpStart, users: string[]) { } } -async function getUserListRaw(http: HttpStart): Promise> { - return await httpGet>(http, API_ENDPOINT_INTERNALUSERS); +async function getUserListRaw( + http: HttpStart, + userType: string +): Promise> { + let ENDPOINT = API_ENDPOINT_INTERNALACCOUNTS; + if (userType === ResourceType.serviceAccounts) { + ENDPOINT = API_ENDPOINT_SERVICEACCOUNTS; + } + + return await httpGet>(http, ENDPOINT); } -export async function getUserList(http: HttpStart): Promise { - const rawData = await getUserListRaw(http); +export async function getUserList( + http: HttpStart, + userType: string +): Promise { + const rawData = await getUserListRaw(http, userType); return transformUserData(rawData.data); } -export async function fetchUserNameList(http: HttpStart): Promise { - return Object.keys((await getUserListRaw(http)).data); +export async function fetchUserNameList(http: HttpStart, userType: string): Promise { + return Object.keys((await getUserListRaw(http, userType)).data); } diff --git a/server/backend/opensearch_security_configuration_plugin.ts b/server/backend/opensearch_security_configuration_plugin.ts index ff0ccfe21..3b87863b8 100644 --- a/server/backend/opensearch_security_configuration_plugin.ts +++ b/server/backend/opensearch_security_configuration_plugin.ts @@ -59,6 +59,17 @@ export default function (Client: any, config: any, components: any) { }, }); + Client.prototype.opensearch_security.prototype.listInternalAccounts = ca({ + url: { + fmt: '/_plugins/_security/api/internalusers?filterBy=internal', + }, + }); + Client.prototype.opensearch_security.prototype.listServiceAccounts = ca({ + url: { + fmt: '/_plugins/_security/api/internalusers?filterBy=service', + }, + }); + /** * Creates a Security resource instance. * diff --git a/server/routes/index.ts b/server/routes/index.ts index 8331c1200..ad3dfbd58 100644 --- a/server/routes/index.ts +++ b/server/routes/index.ts @@ -21,6 +21,7 @@ import { OpenSearchDashboardsResponseFactory, } from 'opensearch-dashboards/server'; import { API_PREFIX, CONFIGURATION_API_PREFIX, isValidResourceName } from '../../common'; +import { ResourceType } from '../../public/apps/configuration/types'; // TODO: consider to extract entity CRUD operations and put it into a client class export function defineRoutes(router: IRouter) { @@ -248,9 +249,15 @@ export function defineRoutes(router: IRouter) { const client = context.security_plugin.esClient.asScoped(request); let esResp; try { - esResp = await client.callAsCurrentUser('opensearch_security.listResource', { - resourceName: request.params.resourceName, - }); + if (request.params.resourceName === ResourceType.serviceAccounts.toLowerCase()) { + esResp = await client.callAsCurrentUser('opensearch_security.listServiceAccounts'); + } else if (request.params.resourceName === 'internalaccounts') { + esResp = await client.callAsCurrentUser('opensearch_security.listInternalAccounts'); + } else { + esResp = await client.callAsCurrentUser('opensearch_security.listResource', { + resourceName: request.params.resourceName, + }); + } return response.ok({ body: { total: Object.keys(esResp).length,