Tests for roles recursive search for LDAP.

Signed-off-by: Lukasz Soszynski <[email protected]>

src/integrationTest/java/org/opensearch/security/http/DirectoryInformationTrees.java

@@ -14,34 +14,40 @@
 
 class DirectoryInformationTrees {
 
+	public static final String DN_PEOPLE_TEST_ORG = "ou=people,o=test.org";
+	public static final String DN_OPEN_SEARCH_PEOPLE_TEST_ORG = "cn=Open Search,ou=people,o=test.org";
+	public static final String DN_CHRISTPHER_PEOPLE_TEST_ORG = "cn=Christpher,ou=people,o=test.org";
+	public static final String DN_KIRK_PEOPLE_TEST_ORG = "cn=Kirk,ou=people,o=test.org";
+	public static final String DN_CAPTAIN_SPOCK_PEOPLE_TEST_ORG = "cn=Captain Spock,ou=people,o=test.org";
+	public static final String DN_LEONARD_PEOPLE_TEST_ORG = "cn=Leonard,ou=people,o=test.org";
+	public static final String DN_JEAN_PEOPLE_TEST_ORG = "cn=Jean,ou=people,o=test.org";
+	public static final String DN_GROUPS_TEST_ORG = "ou=groups,o=test.org";
+	public static final String DN_BRIDGE_GROUPS_TEST_ORG = "cn=bridge,ou=groups,o=test.org";
+
 	public static final String USER_KIRK = "kirk";
 	public static final String PASSWORD_KIRK = "kirk-secret";
-
 	public static final String USER_SPOCK = "spock";
 	public static final String PASSWORD_SPOCK = "spocksecret";
-
-	public static final String DN_OPEN_SEARCH_PEOPLE_TEST_ORG = "cn=Open Search,ou=people,o=test.org";
-	public static final String PASSWORD_OPEN_SEARCH = "open_search-secret";
 	public static final String USER_OPENS = "opens";
-	public static final String DN_PEOPLE_TEST_ORG = "ou=people,o=test.org";
-
-	public static final String USER_SEARCH = "(uid={0})";
-	public static final String USERNAME_ATTRIBUTE = "uid";
-	public static final String DN_KIRK_PEOPLE_TEST_ORG = "cn=Kirk,ou=people,o=test.org";
-	public static final String DN_CAPTAIN_SPOCK_PEOPLE_TEST_ORG = "cn=Captain Spock,ou=people,o=test.org";
+	public static final String PASSWORD_OPEN_SEARCH = "open_search-secret";
+	public static final String USER_JEAN = "jean";
+	public static final String PASSWORD_JEAN = "jeansecret";
+	public static final String USER_LEONARD = "leonard";
+	public static final String PASSWORD_LEONARD = "Leonard-secret";
 	public static final String PASSWORD_CHRISTPHER = "christpher_secret";
-	public static final String DN_CHRISTPHER_PEOPLE_TEST_ORG = "cn=Christpher,ou=people,o=test.org";
+
 	public static final String CN_GROUP_ADMIN = "admin";
-	public static final String DN_GROUPS_TEST_ORG = "ou=groups,o=test.org";
-	public static final String PASSWORD_LEONARD = "Leonard-secret";
-	public static final String USER_LEONARD = "leonard";
-	public static final String DN_LEONARD_PEOPLE_TEST_ORG = "cn=Leonard,ou=people,o=test.org";
 	public static final String CN_GROUP_CREW = "crew";
+	public static final String CN_GROUP_BRIDGE = "bridge";
+
+	public static final String USER_SEARCH = "(uid={0})";
+	public static final String USERNAME_ATTRIBUTE = "uid";
+
 	static final LdifData LDIF_DATA = new LdifBuilder()
 		.root("o=test.org")
 			.dc("TEST")
 			.classes("top", "domain")
-		.newRecord(DN_PEOPLE_TEST_ORG)//"ou=people,o=test.org"
+		.newRecord(DN_PEOPLE_TEST_ORG)
 			.ou("people")
 			.classes("organizationalUnit", "top")
 		.newRecord(DN_OPEN_SEARCH_PEOPLE_TEST_ORG)
@@ -84,6 +90,14 @@ class DirectoryInformationTrees {
 			.userPassword(PASSWORD_LEONARD)
 			.mail("[email protected]")
 			.ou("Human Resources")
+		.newRecord(DN_JEAN_PEOPLE_TEST_ORG)
+			.classes("inetOrgPerson")
+			.cn("Jean")
+			.sn("Jean")
+			.uid(USER_JEAN)
+			.userPassword(PASSWORD_JEAN)
+			.mail("[email protected]")
+			.ou("Human Resources")
 		.newRecord(DN_GROUPS_TEST_ORG)
 			.ou("groups")
 			.cn("groupsRoot")
@@ -98,6 +112,12 @@ class DirectoryInformationTrees {
 			.cn(CN_GROUP_CREW)
 			.uniqueMember(DN_CAPTAIN_SPOCK_PEOPLE_TEST_ORG)
 			.uniqueMember(DN_CHRISTPHER_PEOPLE_TEST_ORG)
+			.uniqueMember(DN_BRIDGE_GROUPS_TEST_ORG)
+			.classes("groupofuniquenames", "top")
+		.newRecord(DN_BRIDGE_GROUPS_TEST_ORG)
+			.ou("groups")
+			.cn(CN_GROUP_BRIDGE)
+			.uniqueMember(DN_JEAN_PEOPLE_TEST_ORG)
 			.classes("groupofuniquenames", "top")
 		.buildRecord()
 		.buildLdif();

src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java

@@ -42,22 +42,28 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.not;
 import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.opensearch.client.RequestOptions.DEFAULT;
 import static org.opensearch.rest.RestStatus.FORBIDDEN;
 import static org.opensearch.security.Song.SONGS;
 import static org.opensearch.security.http.DirectoryInformationTrees.CN_GROUP_ADMIN;
+import static org.opensearch.security.http.DirectoryInformationTrees.CN_GROUP_BRIDGE;
 import static org.opensearch.security.http.DirectoryInformationTrees.CN_GROUP_CREW;
 import static org.opensearch.security.http.DirectoryInformationTrees.DN_GROUPS_TEST_ORG;
 import static org.opensearch.security.http.DirectoryInformationTrees.DN_OPEN_SEARCH_PEOPLE_TEST_ORG;
 import static org.opensearch.security.http.DirectoryInformationTrees.DN_PEOPLE_TEST_ORG;
 import static org.opensearch.security.http.DirectoryInformationTrees.LDIF_DATA;
+import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_JEAN;
 import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_KIRK;
 import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_LEONARD;
 import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_OPEN_SEARCH;
 import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_SPOCK;
 import static org.opensearch.security.http.DirectoryInformationTrees.USERNAME_ATTRIBUTE;
+import static org.opensearch.security.http.DirectoryInformationTrees.USER_JEAN;
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_KIRK;
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_LEONARD;
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_SEARCH;
@@ -80,6 +86,9 @@ public class LdapTlsAuthenticationTest {
 	public static final String PERSONAL_INDEX_NAME_SPOCK = "personal-" + USER_SPOCK;
 	public static final String PERSONAL_INDEX_NAME_KIRK = "personal-" + USER_KIRK;
 
+	public static final String POINTER_BACKEND_ROLES = "/backend_roles";
+	public static final String POINTER_ROLES = "/roles";
+
 	public static final String SONG_ID_1 = "l0001";
 	public static final String SONG_ID_2 = "l0002";
 	public static final String SONG_ID_3 = "l0003";
@@ -136,13 +145,12 @@ public class LdapTlsAuthenticationTest {
 					.userRoleAttribute(null)
 					.userRoleName("disabled")
 					.roleName("cn")
-					.resolveNestedRoles(false)
+					.resolveNestedRoles(true)
 					.build())))
 		.build();
 
 	@ClassRule
 	public static final RuleChain ruleChain = RuleChain.outerRule(embeddedLDAPServer).around(cluster);
-	public static final String POINTER_BACKEND_ROLES = "/backend_roles";
 
 	@BeforeClass
 	public static void createTestData() {
@@ -217,7 +225,7 @@ public void shouldResolveUserRolesAgainstLdapBackend_positiveSpockUser() {
 			response.assertStatusCode(200);
 			List<String> backendRoles = response.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES);
 			assertThat(backendRoles, contains(CN_GROUP_CREW));
-			assertThat(response.getTextArrayFromJsonBody("/roles"), contains(ROLE_PERSONAL_INDEX_ACCESS.getName()));
+			assertThat(response.getTextArrayFromJsonBody(POINTER_ROLES), contains(ROLE_PERSONAL_INDEX_ACCESS.getName()));
 		}
 	}
 
@@ -229,7 +237,7 @@ public void shouldResolveUserRolesAgainstLdapBackend_positiveKirkUser() {
 
 			response.assertStatusCode(200);
 			assertThat(response.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES), contains(CN_GROUP_ADMIN));
-			assertThat(response.getTextArrayFromJsonBody("/roles"), contains(ROLE_INDEX_ADMINISTRATOR.getName()));
+			assertThat(response.getTextArrayFromJsonBody(POINTER_ROLES), contains(ROLE_INDEX_ADMINISTRATOR.getName()));
 		}
 	}
 
@@ -276,4 +284,29 @@ public void shouldResolveUserAttributesLoadedFromLdap_negative() throws IOExcept
 			assertThatThrownBy(() -> client.search(request, DEFAULT), statusException(FORBIDDEN));
 		}
 	}
+
+	@Test
+	public void shouldResolveNestedGroups_positive() {
+		try (TestRestClient client = cluster.getRestClient(USER_JEAN, PASSWORD_JEAN)) {
+			HttpResponse response = client.getAuthInfo();
+
+			response.assertStatusCode(200);
+			List<String> backendRoles = response.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES);
+			assertThat(backendRoles, hasSize(2));
+			//CN_GROUP_CREW is retrieved recursively: cn=Jean,ou=people,o=test.org -> cn=bridge,ou=groups,o=test.org -> cn=crew,ou=groups,o=test.org
+			assertThat(backendRoles,  containsInAnyOrder(CN_GROUP_CREW, CN_GROUP_BRIDGE));
+			assertThat(response.getTextArrayFromJsonBody(POINTER_ROLES), contains(ROLE_PERSONAL_INDEX_ACCESS.getName()));
+		}
+	}
+
+	@Test
+	public void shouldResolveNestedGroups_negative() {
+		try (TestRestClient client = cluster.getRestClient(USER_KIRK, PASSWORD_KIRK)) {
+			HttpResponse response = client.getAuthInfo();
+
+			response.assertStatusCode(200);
+			List<String> backendRoles = response.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES);
+			assertThat(backendRoles,  not(containsInAnyOrder(CN_GROUP_CREW)));
+		}
+	}
 }

src/integrationTest/java/org/opensearch/test/framework/LdapAuthenticationConfigBuilder.java

@@ -1,10 +1,24 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
 package org.opensearch.test.framework;
 
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Function;
 
+/**
+* @param <T> is related to subclasses thus method defined in the class <code>LdapAuthenticationConfigBuilder</code> return proper subclass
+*           type so that all method defined in subclass are available in one of builder superclass method is invoked. Please see
+*           {@link LdapAuthorizationConfigBuilder}
+*/
 public class LdapAuthenticationConfigBuilder<T extends LdapAuthenticationConfigBuilder> {
 	private boolean enableSsl = false;
 	private boolean enableStartTls = false;

src/integrationTest/java/org/opensearch/test/framework/certificate/TestCertificates.java

@@ -144,7 +144,8 @@ private CertificateData createNodeCertificate(Integer node) {
 	private CertificateData createLdapCertificate() {
 		String subject = "DC=de,L=test,O=node,OU=node,CN=ldap.example.com";
 		CertificateMetadata metadata = CertificateMetadata.basicMetadata(subject, CERTIFICATE_VALIDITY_DAYS)
-			.withKeyUsage(false, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, CLIENT_AUTH, SERVER_AUTH);
+			.withKeyUsage(false, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, CLIENT_AUTH, SERVER_AUTH)
+			.withSubjectAlternativeName(null, List.of("localhost"), "127.0.0.1");
 		return CertificatesIssuerFactory
 			.rsaBaseCertificateIssuer()
 			.issueSignedCertificate(metadata, caCertificate);

src/integrationTest/java/org/opensearch/test/framework/ldap/LdifBuilder.java

@@ -1,3 +1,12 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
 package org.opensearch.test.framework.ldap;
 
 import java.util.ArrayList;

src/integrationTest/java/org/opensearch/test/framework/ldap/LdifData.java

@@ -1,3 +1,12 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
 package org.opensearch.test.framework.ldap;
 
 import org.apache.commons.lang3.StringUtils;

src/integrationTest/java/org/opensearch/test/framework/ldap/Record.java

@@ -1,3 +1,12 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
 package org.opensearch.test.framework.ldap;
 
 import java.util.ArrayList;

src/integrationTest/java/org/opensearch/test/framework/ldap/RecordBuilder.java

@@ -1,3 +1,12 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
 package org.opensearch.test.framework.ldap;
 
 import java.util.Objects;

src/integrationTest/resources/log4j2-test.properties

@@ -19,10 +19,3 @@ logger.testsecconfig.name=org.opensearch.test.framework.TestSecurityConfig
 logger.testsecconfig.level = info
 logger.localopensearchcluster.name=org.opensearch.test.framework.cluster.LocalOpenSearchCluster
 logger.localopensearchcluster.level = info
-# com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend
-
-logger.ldap.name=com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend
-logger.ldap.level=TRACE
-
-logger.testframework.name=org.opensearch.test.framework
-logger.testframework.level=DEBUG