Add Integration Test to confirm Core Change to Fix Search template re…

…quest Auth (#2921) Adds integration test to verify change in core, allowing proper authorization of search template request related to: #1678 ### Description [Describe what this change achieves] * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) * Why these changes are required? * What is the old behavior before changes and new behavior after changes? ### Issues Resolved [List any issues this PR will resolve] Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Derek Ho <[email protected]>
opensearch-project · Aug 16, 2023 · bd084c8 · bd084c8
1 parent 5e8f12c
commit bd084c8
Showing 1 changed file with 51 additions and 1 deletion.
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -17,6 +17,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import org.opensearch.script.mustache.MustacheModulePlugin;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -44,10 +45,20 @@ public class PrivilegesEvaluatorTest {
         new Role("negated_regex_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("cluster_composite_ops")
     );
 
+    protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
+        new Role("search_template_role").indexPermissions("read").on("services").clusterPermissions("cluster_composite_ops")
+    );
+
+    private String TEST_QUERY =
+        "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}";
+
+    private String TEST_DOC = "{\"source\": {\"title\": \"Spirited Away\"}}";
+
     @ClassRule
     public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
         .authc(AUTHC_HTTPBASIC_INTERNAL)
-        .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX)
+        .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
+        .plugin(MustacheModulePlugin.class)
         .build();
 
     @Test
@@ -68,4 +79,43 @@ public void testRegexPattern() throws Exception {
         }
 
     }
+
+    @Test
+    public void testSearchTemplateRequestSuccess() {
+        // Insert doc into services index with admin user
+        try (TestRestClient client = cluster.getRestClient(TestSecurityConfig.User.USER_ADMIN)) {
+            TestRestClient.HttpResponse response = client.postJson("services/_doc", TEST_DOC);
+            assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
+        }
+
+        try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+            final String searchTemplateOnServicesIndex = "services/_search/template";
+            final TestRestClient.HttpResponse searchTemplateOnAuthorizedIndexResponse = client.getWithJsonBody(
+                searchTemplateOnServicesIndex,
+                TEST_QUERY
+            );
+            assertThat(searchTemplateOnAuthorizedIndexResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        }
+    }
+
+    @Test
+    public void testSearchTemplateRequestUnauthorizedIndex() {
+        try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+            final String searchTemplateOnMoviesIndex = "movies/_search/template";
+            final TestRestClient.HttpResponse searchTemplateOnUnauthorizedIndexResponse = client.getWithJsonBody(
+                searchTemplateOnMoviesIndex,
+                TEST_QUERY
+            );
+            assertThat(searchTemplateOnUnauthorizedIndexResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+        }
+    }
+
+    @Test
+    public void testSearchTemplateRequestUnauthorizedAllIndices() {
+        try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+            final String searchTemplateOnAllIndices = "_search/template";
+            final TestRestClient.HttpResponse searchOnAllIndicesResponse = client.getWithJsonBody(searchTemplateOnAllIndices, TEST_QUERY);
+            assertThat(searchOnAllIndicesResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+        }
+    }
 }