Test extended to verify audit logs.
lukasz-soszynski-eliatra committed Oct 13, 2022
1 parent 16b1676 commit 095812b
Showing 13 changed files with 1,094 additions and 17 deletions.


Expand Up @@ -81,6 +81,8 @@ public class TestSecurityConfig {
private Map<String, User> internalUsers = new LinkedHashMap<>();
private Map<String, Role> roles = new LinkedHashMap<>();

private AuditConfiguration auditConfiguration;

private String indexName = ".opendistro_security";

public TestSecurityConfig() {
Expand Down Expand Up @@ -119,6 +121,11 @@ public TestSecurityConfig roles(Role... roles) {
return this;
}

public TestSecurityConfig audit(AuditConfiguration auditConfiguration) {
this.auditConfiguration = auditConfiguration;
return this;
}

public static class Config implements ToXContentObject {
private boolean anonymousAuth;
private Map<String, AuthcDomain> authcDomainMap = new LinkedHashMap<>();
Expand Down Expand Up @@ -217,6 +224,242 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
}
}

public static class AuditFilters implements ToXContentObject {

private Boolean enabledRest;

private Boolean enabledTransport;

private Boolean logRequestBody;

private Boolean resolveIndices;

private Boolean resolveBulkRequests;

private Boolean excludeSensitiveHeaders;

private List<String> ignoreUsers;

private List<String> ignoreRequests;

private List<String> disabledRestCategories;

private List<String> disabledTransportCategories;

public AuditFilters(){
this.enabledRest = false;
this.enabledTransport = false;

this.logRequestBody = true;
this.resolveIndices = true;
this.resolveBulkRequests = false;
this.excludeSensitiveHeaders = true;

this.ignoreUsers = Collections.emptyList();
this.ignoreRequests = Collections.emptyList();
this.disabledRestCategories = Collections.emptyList();
this.disabledTransportCategories = Collections.emptyList();
}

public AuditFilters enabledRest(boolean enabled) {
this.enabledRest = enabled;
return this;
}

public AuditFilters enabledTransport(boolean enabled) {
this.enabledTransport = enabled;
return this;
}

public AuditFilters logRequestBody(boolean logRequestBody){
this.logRequestBody = logRequestBody;
return this;
}

public AuditFilters resolveIndices(boolean resolveIndices) {
this.resolveIndices = resolveIndices;
return this;
}

public AuditFilters resolveBulkRequests(boolean resolveBulkRequests) {
this.resolveBulkRequests = resolveBulkRequests;
return this;
}

public AuditFilters excludeSensitiveHeaders(boolean excludeSensitiveHeaders) {
this.excludeSensitiveHeaders = excludeSensitiveHeaders;
return this;
}

public AuditFilters ignoreUsers(List<String> ignoreUsers) {
this.ignoreUsers = ignoreUsers;
return this;
}

public AuditFilters ignoreRequests(List<String> ignoreRequests) {
this.ignoreRequests =ignoreRequests;
return this;
}

public AuditFilters disabledRestCategories(List<String> disabledRestCategories) {
this.disabledRestCategories = disabledRestCategories;
return this;
}

public AuditFilters disabledTransportCategories(List<String> disabledTransportCategories) {
this.disabledTransportCategories = disabledTransportCategories;
return this;
}

@Override
public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
xContentBuilder.startObject();
xContentBuilder.field("enable_rest", enabledRest);
xContentBuilder.field("enable_transport", enabledTransport);
xContentBuilder.field("resolve_indices", resolveIndices);
xContentBuilder.field("log_request_body", logRequestBody);
xContentBuilder.field("resolve_bulk_requests", resolveBulkRequests);
xContentBuilder.field("exclude_sensitive_headers", excludeSensitiveHeaders);
xContentBuilder.field("ignore_users", ignoreUsers);
xContentBuilder.field("ignore_requests", ignoreRequests);
xContentBuilder.field("disabled_rest_categories", disabledRestCategories);
xContentBuilder.field("disabled_transport_categories", disabledTransportCategories);
xContentBuilder.endObject();
return xContentBuilder;
}
}

public static class AuditCompliance implements ToXContentObject {

private boolean enabled = false;

private Boolean writeLogDiffs;

private List<String> readIgnoreUsers;

private List<String> writeWatchedIndices;

private List<String> writeIgnoreUsers;

private Boolean readMetadataOnly;

private Boolean writeMetadataOnly;

private Boolean externalConfig;

private Boolean internalConfig;

public AuditCompliance enabled(boolean enabled) {
this.enabled = enabled;
this.writeLogDiffs = false;
this.readIgnoreUsers = Collections.emptyList();
this.writeWatchedIndices = Collections.emptyList();
this.writeIgnoreUsers = Collections.emptyList();
this.readMetadataOnly = false;
this.writeMetadataOnly = false;
this.externalConfig = false;
this.internalConfig = false;
return this;
}

public AuditCompliance writeLogDiffs(boolean writeLogDiffs) {
this.writeLogDiffs = writeLogDiffs;
return this;
}

public AuditCompliance readIgnoreUsers(List<String> list) {
this.readIgnoreUsers = list;
return this;
}

public AuditCompliance writeWatchedIndices(List<String> list) {
this.writeWatchedIndices = list;
return this;
}

public AuditCompliance writeIgnoreUsers(List<String> list) {
this.writeIgnoreUsers = list;
return this;
}

public AuditCompliance readMetadataOnly(boolean readMetadataOnly) {
this.readMetadataOnly = readMetadataOnly;
return this;
}

public AuditCompliance writeMetadataOnly(boolean writeMetadataOnly) {
this.writeMetadataOnly = writeMetadataOnly;
return this;
}

public AuditCompliance externalConfig(boolean externalConfig) {
this.externalConfig = externalConfig;
return this;
}

public AuditCompliance internalConfig(boolean internalConfig) {
this.internalConfig = internalConfig;
return this;
}

@Override
public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
xContentBuilder.startObject();
xContentBuilder.field("enabled", enabled);
xContentBuilder.field("write_log_diffs", writeLogDiffs);
xContentBuilder.field("read_ignore_users", readIgnoreUsers);
xContentBuilder.field("write_watched_indices", writeWatchedIndices);
xContentBuilder.field("write_ignore_users", writeIgnoreUsers);
xContentBuilder.field("read_metadata_only", readMetadataOnly);
xContentBuilder.field("write_metadata_only", writeMetadataOnly);
xContentBuilder.field("external_config", externalConfig);
xContentBuilder.field("internal_config", internalConfig);
xContentBuilder.endObject();
return xContentBuilder;
}
}

public static class AuditConfiguration implements ToXContentObject {
private final boolean enabled;

private AuditFilters filters;

private AuditCompliance compliance;

public AuditConfiguration(boolean enabled) {
this.filters = new AuditFilters();
this.compliance = new AuditCompliance();
this.enabled = enabled;
}

public boolean isEnabled() {
return enabled;
}

public AuditConfiguration filters(AuditFilters filters) {
this.filters = filters;
return this;
}

public AuditConfiguration compliance(AuditCompliance auditCompliance) {
this.compliance = auditCompliance;
return this;
}

@Override
public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
// json built here must be deserialized to org.opensearch.security.auditlog.config.AuditConfig
xContentBuilder.startObject();
xContentBuilder.field("enabled", enabled);

xContentBuilder.field("audit", filters);
xContentBuilder.field("compliance", compliance);

xContentBuilder.endObject();
return xContentBuilder;
}
}

public static class Role implements ToXContentObject {
public static Role ALL_ACCESS = new Role("all_access").clusterPermissions("*").indexPermissions("*").on("*");

Expand Down Expand Up @@ -494,12 +737,15 @@ public void initIndex(Client client) {
client.admin().indices().create(new CreateIndexRequest(indexName).settings(settings)).actionGet();

writeSingleEntryConfigToIndex(client, CType.CONFIG, config);
if(auditConfiguration != null) {
writeSingleEntryConfigToIndex(client, CType.AUDIT, "config", auditConfiguration);
}
writeConfigToIndex(client, CType.ROLES, roles);
writeConfigToIndex(client, CType.INTERNALUSERS, internalUsers);
writeEmptyConfigToIndex(client, CType.ROLESMAPPING);
writeEmptyConfigToIndex(client, CType.ACTIONGROUPS);
writeEmptyConfigToIndex(client, CType.TENANTS);

ConfigUpdateResponse configUpdateResponse = client.execute(ConfigUpdateAction.INSTANCE,
new ConfigUpdateRequest(CType.lcStringValues().toArray(new String[0]))).actionGet();

Expand Down Expand Up @@ -552,6 +798,10 @@ private void writeConfigToIndex(Client client, CType configType, Map<String, ? e
}

private void writeSingleEntryConfigToIndex(Client client, CType configType, ToXContentObject config) {
writeSingleEntryConfigToIndex(client, configType, configType.toLCString(), config);
}

private void writeSingleEntryConfigToIndex(Client client, CType configType, String configurationRoot, ToXContentObject config) {
try {
XContentBuilder builder = XContentFactory.jsonBuilder();

Expand All @@ -561,13 +811,13 @@ private void writeSingleEntryConfigToIndex(Client client, CType configType, ToXC
builder.field("config_version", 2);
builder.endObject();

builder.field(configType.toLCString(), config);
builder.field(configurationRoot, config);

builder.endObject();

String json = Strings.toString(builder);

log.info("Writing " + configType + ":\n" + json);
log.info("Writing security plugin configuration into index " + configType + ":\n" + json);

client.index(new IndexRequest(indexName).id(configType.toLCString())
.setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(configType.toLCString(),
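Review bot: In the earlier hunk of this file (the `AuditCompliance` class), the `Boolean` and `List<String>` fields are only initialized inside `enabled(boolean)`, so an `AuditConfiguration` built with `new AuditConfiguration(true)` alone — whose constructor calls `new AuditCompliance()` — serializes `write_log_diffs`, `read_ignore_users`, `write_watched_indices` and the other compliance keys as JSON null; the `toXContent` comment says this document must deserialize into `AuditConfig`, and it is worth confirming that class tolerates nulls. The same method also makes the builder order-dependent: `compliance.writeLogDiffs(true).enabled(true)` silently resets `writeLogDiffs` to false, because `enabled(...)` overwrites every other field. Initialize the defaults at declaration (as `AuditFilters` does in its constructor) and let `enabled(...)` set only `enabled`; with every field always assigned, the boxed `Boolean` types can also become plain `boolean`. The same no-defensive-copy aliasing of caller lists applies to `readIgnoreUsers`/`writeWatchedIndices`/`writeIgnoreUsers` and to the `AuditFilters` list setters, which is acceptable in a test helper but worth a `List.copyOf` if these objects are reused across tests.
```java
public static class AuditCompliance implements ToXContentObject {
    private boolean enabled = false;
    private boolean writeLogDiffs = false;
    private List<String> readIgnoreUsers = Collections.emptyList();
    private List<String> writeWatchedIndices = Collections.emptyList();
    private List<String> writeIgnoreUsers = Collections.emptyList();
    private boolean readMetadataOnly = false;
    private boolean writeMetadataOnly = false;
    private boolean externalConfig = false;
    private boolean internalConfig = false;

    /** Toggles the compliance section without touching any other setting. */
    public AuditCompliance enabled(boolean enabled) {
        this.enabled = enabled;
        return this;
    }

    // … unchanged: remaining fluent setters and toXContent …
```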

0 comments on commit 095812b
