-
Notifications
You must be signed in to change notification settings - Fork 282
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Test related to authentication with x.509 certificates. (#2227)
Signed-off-by: Lukasz Soszynski <[email protected]>
- Loading branch information
1 parent
25ea092
commit 7cad5e4
Showing
8 changed files
with
333 additions
and
9 deletions.
There are no files selected for viewing
145 changes: 145 additions & 0 deletions
145
src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
/* | ||
* Copyright OpenSearch Contributors | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
*/ | ||
package org.opensearch.security.http; | ||
|
||
import java.util.List; | ||
import java.util.Map; | ||
|
||
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; | ||
import org.junit.ClassRule; | ||
import org.junit.Test; | ||
import org.junit.runner.RunWith; | ||
|
||
import org.opensearch.test.framework.RolesMapping; | ||
import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain; | ||
import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.HttpAuthenticator; | ||
import org.opensearch.test.framework.TestSecurityConfig.Role; | ||
import org.opensearch.test.framework.TestSecurityConfig.User; | ||
import org.opensearch.test.framework.certificate.CertificateData; | ||
import org.opensearch.test.framework.certificate.TestCertificates; | ||
import org.opensearch.test.framework.cluster.ClusterManager; | ||
import org.opensearch.test.framework.cluster.LocalCluster; | ||
import org.opensearch.test.framework.cluster.TestRestClient; | ||
import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse; | ||
|
||
import static org.apache.hc.core5.http.HttpStatus.SC_OK; | ||
import static org.hamcrest.MatcherAssert.assertThat; | ||
import static org.hamcrest.Matchers.containsInAnyOrder; | ||
import static org.hamcrest.Matchers.hasSize; | ||
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL; | ||
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS; | ||
|
||
@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class) | ||
@ThreadLeakScope(ThreadLeakScope.Scope.NONE) | ||
public class CertificateAuthenticationTest { | ||
|
||
private static final User USER_ADMIN = new User("admin").roles(ALL_ACCESS); | ||
|
||
public static final String POINTER_BACKEND_ROLES = "/backend_roles"; | ||
public static final String POINTER_ROLES = "/roles"; | ||
|
||
private static final String USER_SPOCK = "spock"; | ||
private static final String USER_KIRK = "kirk"; | ||
|
||
private static final String BACKEND_ROLE_BRIDGE = "bridge"; | ||
private static final String BACKEND_ROLE_CAPTAIN = "captain"; | ||
|
||
private static final Role ROLE_ALL_INDEX_SEARCH = new Role("all-index-search").indexPermissions("indices:data/read/search") | ||
.on("*"); | ||
|
||
private static final Map<String, Object> CERT_AUTH_CONFIG = Map.of( | ||
"username_attribute", "cn", | ||
"roles_attribute", "ou" | ||
); | ||
|
||
@ClassRule | ||
public static final LocalCluster cluster = new LocalCluster.Builder() | ||
.nodeSettings(Map.of("plugins.security.ssl.http.clientauth_mode", "OPTIONAL")) | ||
.clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS).anonymousAuth(false) | ||
.authc(new AuthcDomain("clientcert_auth_domain", -1, true) | ||
.httpAuthenticator(new HttpAuthenticator("clientcert").challenge(false) | ||
.config(CERT_AUTH_CONFIG)).backend("noop")) | ||
.authc(AUTHC_HTTPBASIC_INTERNAL).roles(ROLE_ALL_INDEX_SEARCH).users(USER_ADMIN) | ||
.rolesMapping(new RolesMapping(ROLE_ALL_INDEX_SEARCH).backendRoles(BACKEND_ROLE_BRIDGE)).build(); | ||
|
||
private static final TestCertificates TEST_CERTIFICATES = cluster.getTestCertificates(); | ||
|
||
@Test | ||
public void shouldAuthenticateUserWithBasicAuthWhenCertificateAuthenticationIsConfigured() { | ||
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) { | ||
|
||
HttpResponse response = client.getAuthInfo(); | ||
|
||
response.assertStatusCode(SC_OK); | ||
} | ||
} | ||
|
||
@Test | ||
public void shouldAuthenticateUserWithCertificate_positiveUserSpoke() { | ||
CertificateData userSpockCertificate = TEST_CERTIFICATES.issueUserCertificate(BACKEND_ROLE_BRIDGE, USER_SPOCK); | ||
try (TestRestClient client = cluster.getRestClient(userSpockCertificate)) { | ||
|
||
client.assertCorrectCredentials(USER_SPOCK); | ||
} | ||
} | ||
|
||
@Test | ||
public void shouldAuthenticateUserWithCertificate_positiveUserKirk() { | ||
CertificateData userSpockCertificate = TEST_CERTIFICATES.issueUserCertificate(BACKEND_ROLE_BRIDGE, USER_KIRK); | ||
try (TestRestClient client = cluster.getRestClient(userSpockCertificate)) { | ||
|
||
client.assertCorrectCredentials(USER_KIRK); | ||
} | ||
} | ||
|
||
@Test | ||
public void shouldAuthenticateUserWithCertificate_negative() { | ||
CertificateData untrustedUserCertificate = TEST_CERTIFICATES.createSelfSignedCertificate("CN=untrusted"); | ||
try (TestRestClient client = cluster.getRestClient(untrustedUserCertificate)) { | ||
|
||
HttpResponse response = client.getAuthInfo(); | ||
|
||
response.assertStatusCode(401); | ||
} | ||
} | ||
|
||
@Test | ||
public void shouldRetrieveBackendRoleFromCertificate_positiveRoleBridge() { | ||
CertificateData userSpockCertificate = TEST_CERTIFICATES.issueUserCertificate(BACKEND_ROLE_BRIDGE, USER_KIRK); | ||
try (TestRestClient client = cluster.getRestClient(userSpockCertificate)) { | ||
|
||
HttpResponse response = client.getAuthInfo(); | ||
|
||
response.assertStatusCode(200); | ||
List<String> backendRoles = response.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES); | ||
assertThat(backendRoles, hasSize(1)); | ||
assertThat(backendRoles, containsInAnyOrder(BACKEND_ROLE_BRIDGE)); | ||
List<String> roles = response.getTextArrayFromJsonBody(POINTER_ROLES); | ||
assertThat(roles, hasSize(1)); | ||
assertThat(roles, containsInAnyOrder(ROLE_ALL_INDEX_SEARCH.getName())); | ||
} | ||
} | ||
|
||
@Test | ||
public void shouldRetrieveBackendRoleFromCertificate_positiveRoleCaptain() { | ||
CertificateData userSpockCertificate = TEST_CERTIFICATES.issueUserCertificate(BACKEND_ROLE_CAPTAIN, USER_KIRK); | ||
try (TestRestClient client = cluster.getRestClient(userSpockCertificate)) { | ||
|
||
HttpResponse response = client.getAuthInfo(); | ||
|
||
response.assertStatusCode(200); | ||
List<String> backendRoles = response.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES); | ||
assertThat(backendRoles, hasSize(1)); | ||
assertThat(backendRoles, containsInAnyOrder(BACKEND_ROLE_CAPTAIN)); | ||
List<String> roles = response.getTextArrayFromJsonBody(POINTER_ROLES); | ||
assertThat(roles, hasSize(0)); | ||
} | ||
} | ||
} |
69 changes: 69 additions & 0 deletions
69
src/integrationTest/java/org/opensearch/test/framework/RolesMapping.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
/* | ||
* Copyright OpenSearch Contributors | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
*/ | ||
package org.opensearch.test.framework; | ||
|
||
import java.io.IOException; | ||
import java.util.ArrayList; | ||
import java.util.Arrays; | ||
import java.util.List; | ||
|
||
import org.opensearch.common.xcontent.ToXContentObject; | ||
import org.opensearch.common.xcontent.XContentBuilder; | ||
import org.opensearch.test.framework.TestSecurityConfig.Role; | ||
|
||
import static java.util.Objects.requireNonNull; | ||
|
||
public class RolesMapping implements ToXContentObject { | ||
private String roleName; | ||
private List<String> backendRoles; | ||
private List<String> hosts; | ||
private List<String> users; | ||
|
||
private boolean reserved = false; | ||
|
||
public RolesMapping(Role role) { | ||
requireNonNull(role); | ||
this.roleName = requireNonNull(role.getName()); | ||
this.backendRoles = new ArrayList<>(); | ||
} | ||
|
||
public RolesMapping backendRoles(String...backendRoles) { | ||
this.backendRoles.addAll(Arrays.asList(backendRoles)); | ||
return this; | ||
} | ||
|
||
public RolesMapping hosts(List<String> hosts) { | ||
this.hosts = hosts; | ||
return this; | ||
} | ||
|
||
public RolesMapping users(List<String> users) { | ||
this.users = users; | ||
return this; | ||
} | ||
|
||
public RolesMapping reserved(boolean reserved) { | ||
this.reserved = reserved; | ||
return this; | ||
} | ||
|
||
public String getRoleName() { | ||
return roleName; | ||
} | ||
|
||
@Override | ||
public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException { | ||
xContentBuilder.startObject(); | ||
xContentBuilder.field("reserved", reserved); | ||
xContentBuilder.field("backend_roles", backendRoles); | ||
xContentBuilder.endObject(); | ||
return xContentBuilder; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.