opensearch-project · stephen-crawford · Aug 24, 2023 · Aug 18, 2023 · Aug 21, 2023 · Aug 21, 2023
@@ -0,0 +1,254 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.rest;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.hc.core5.http.HttpStatus;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensearch.test.framework.AuditCompliance;
+import org.opensearch.test.framework.AuditConfiguration;
+import org.opensearch.test.framework.AuditFilters;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.TestSecurityConfig.Role;
+import org.opensearch.test.framework.audit.AuditLogsRule;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.testplugins.dummy.CustomLegacyTestPlugin;
+import org.opensearch.test.framework.testplugins.dummyprotected.CustomRestProtectedTestPlugin;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.rest.RestRequest.Method.GET;
+import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.security.auditlog.impl.AuditCategory.FAILED_LOGIN;
+import static org.opensearch.security.auditlog.impl.AuditCategory.GRANTED_PRIVILEGES;
+import static org.opensearch.security.auditlog.impl.AuditCategory.MISSING_PRIVILEGES;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.audit.AuditMessagePredicate.privilegePredicateRESTLayer;
+import static org.opensearch.test.framework.audit.AuditMessagePredicate.privilegePredicateTransportLayer;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class AuthZinRestLayerTests {
+    protected final static TestSecurityConfig.User DUMMY_REST_ONLY = new TestSecurityConfig.User("dummy_rest_only").roles(
+        new Role("dummy_rest_only_role").clusterPermissions("security:dummy_protected/get")
+            .clusterPermissions("cluster:admin/dummy_plugin/dummy")
+    );
+
+    protected final static TestSecurityConfig.User DUMMY_WITH_TRANSPORT_PERM = new TestSecurityConfig.User("dummy_transport_perm").roles(
+        new Role("dummy_transport_perm_role").clusterPermissions("security:dummy_protected/get")
+            .clusterPermissions("cluster:admin/dummy_plugin/dummy", "cluster:admin/dummy_protected_plugin/dummy/get")
+    );
+
+    protected final static TestSecurityConfig.User DUMMY_LEGACY = new TestSecurityConfig.User("dummy_user_legacy").roles(
+        new Role("dummy_role_legacy").clusterPermissions("cluster:admin/dummy_plugin/dummy")
+    );
+
+    protected final static TestSecurityConfig.User DUMMY_NO_PERM = new TestSecurityConfig.User("dummy_user_no_perm").roles(
+        new Role("dummy_role_no_perm")
+    );
+
+    protected final static TestSecurityConfig.User DUMMY_UNREGISTERED = new TestSecurityConfig.User("dummy_user_not_registered");
+
+    public static final String DUMMY_BASE_ENDPOINT = "_plugins/_dummy";
+    public static final String DUMMY_PROTECTED_BASE_ENDPOINT = "_plugins/_dummy_protected";
+    public static final String DUMMY_API = DUMMY_BASE_ENDPOINT + "/dummy";
+    public static final String DUMMY_PROTECTED_API = DUMMY_PROTECTED_BASE_ENDPOINT + "/dummy";
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .users(DUMMY_REST_ONLY, DUMMY_WITH_TRANSPORT_PERM, DUMMY_LEGACY, DUMMY_NO_PERM)
+        .plugin(CustomLegacyTestPlugin.class)
+        .plugin(CustomRestProtectedTestPlugin.class)
+        .audit(
+            new AuditConfiguration(true).compliance(new AuditCompliance().enabled(true))
+                .filters(new AuditFilters().enabledRest(true).enabledTransport(true).resolveBulkRequests(true))
+        )
+        .build();
+
+    @Rule
+    public AuditLogsRule auditLogsRule = new AuditLogsRule();
+
+    /** Basic Access check */
+
+    @Test
+    public void testShouldFailForUnregisteredUsers() {
+        try (TestRestClient client = cluster.getRestClient(DUMMY_UNREGISTERED)) {
+            // Legacy plugin
+            assertThat(client.get(DUMMY_API).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+            auditLogsRule.assertExactlyOne(privilegePredicateRESTLayer(FAILED_LOGIN, DUMMY_UNREGISTERED, GET, "/" + DUMMY_API));
+
+            // Protected Routes plugin
+            assertThat(client.get(DUMMY_PROTECTED_API).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+            auditLogsRule.assertExactlyOne(privilegePredicateRESTLayer(FAILED_LOGIN, DUMMY_UNREGISTERED, GET, "/" + DUMMY_PROTECTED_API));
+        }
+    }
+
+    @Test
+    public void testShouldFailForBothPlugins() {
+        try (TestRestClient client = cluster.getRestClient(DUMMY_NO_PERM)) {
+            // fail at Transport
+            assertThat(client.get(DUMMY_API).getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateTransportLayer(MISSING_PRIVILEGES, DUMMY_NO_PERM, "DummyRequest", "cluster:admin/dummy_plugin/dummy")
+            );
+
+            // fail at REST
+            assertThat(client.get(DUMMY_PROTECTED_API).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+            auditLogsRule.assertExactlyOne(privilegePredicateRESTLayer(MISSING_PRIVILEGES, DUMMY_NO_PERM, GET, "/" + DUMMY_PROTECTED_API));
+        }
+    }
+
+    /** AuthZ in REST Layer check */
+
+    @Test
+    public void testShouldFailAtTransportLayerWithRestOnlyPermission() {
+        try (TestRestClient client = cluster.getRestClient(DUMMY_REST_ONLY)) {
+            assertThat(client.get(DUMMY_PROTECTED_API).getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+            // granted at Rest layer
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(GRANTED_PRIVILEGES, DUMMY_REST_ONLY, GET, "/" + DUMMY_PROTECTED_API)
+            );
+            // missing at Transport layer
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateTransportLayer(
+                    MISSING_PRIVILEGES,
+                    DUMMY_REST_ONLY,
+                    "DummyRequest",
+                    "cluster:admin/dummy_protected_plugin/dummy/get"
+                )
+            );
+        }
+    }
+
+    @Test
+    public void testShouldPassWithRequiredPermissions() {
+        try (TestRestClient client = cluster.getRestClient(DUMMY_WITH_TRANSPORT_PERM)) {
+            assertOKResponseFromProtectedPlugin(client);
+
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(GRANTED_PRIVILEGES, DUMMY_WITH_TRANSPORT_PERM, GET, "/" + DUMMY_PROTECTED_API)
+            );
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateTransportLayer(
+                    GRANTED_PRIVILEGES,
+                    DUMMY_WITH_TRANSPORT_PERM,
+                    "DummyRequest",
+                    "cluster:admin/dummy_protected_plugin/dummy/get"
+                )
+            );
+        }
+    }
+
+    @Test
+    public void testShouldFailForPOST() {
+        try (TestRestClient client = cluster.getRestClient(DUMMY_REST_ONLY)) {
+            assertThat(client.post(DUMMY_PROTECTED_API).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(MISSING_PRIVILEGES, DUMMY_REST_ONLY, POST, "/" + DUMMY_PROTECTED_API)
+            );
+        }
+
+        try (TestRestClient client = cluster.getRestClient(DUMMY_WITH_TRANSPORT_PERM)) {
+            assertThat(client.post(DUMMY_PROTECTED_API).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(MISSING_PRIVILEGES, DUMMY_WITH_TRANSPORT_PERM, POST, "/" + DUMMY_PROTECTED_API)
+            );
+        }
+    }
+
+    /** Backwards compatibility check */
+
+    @Test
+    public void testBackwardsCompatibility() {
+
+        // DUMMY_LEGACY should have access to legacy endpoint, but not protected endpoint
+        try (TestRestClient client = cluster.getRestClient(DUMMY_LEGACY)) {
+            TestRestClient.HttpResponse res = client.get(DUMMY_PROTECTED_API);
+            assertThat(res.getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+            auditLogsRule.assertExactlyOne(privilegePredicateRESTLayer(MISSING_PRIVILEGES, DUMMY_LEGACY, GET, "/" + DUMMY_PROTECTED_API));
+
+            assertOKResponseFromLegacyPlugin(client);
+            // check that there is no log for REST layer AuthZ since this is an unprotected endpoint
+            auditLogsRule.assertExactly(0, privilegePredicateRESTLayer(GRANTED_PRIVILEGES, DUMMY_LEGACY, GET, DUMMY_API));
+            // check that there is exactly 1 message for Transport Layer privilege evaluation
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateTransportLayer(GRANTED_PRIVILEGES, DUMMY_LEGACY, "DummyRequest", "cluster:admin/dummy_plugin/dummy")
+            );
+        }
+
+        // DUMMY_REST_ONLY should have access to legacy endpoint (protected endpoint already tested above)
+        try (TestRestClient client = cluster.getRestClient(DUMMY_REST_ONLY)) {
+            assertOKResponseFromLegacyPlugin(client);
+            auditLogsRule.assertExactly(0, privilegePredicateRESTLayer(GRANTED_PRIVILEGES, DUMMY_REST_ONLY, GET, DUMMY_API));
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateTransportLayer(GRANTED_PRIVILEGES, DUMMY_REST_ONLY, "DummyRequest", "cluster:admin/dummy_plugin/dummy")
+            );
+        }
+
+        // DUMMY_WITH_TRANSPORT_PERM should have access to legacy endpoint (protected endpoint already tested above)
+        try (TestRestClient client = cluster.getRestClient(DUMMY_WITH_TRANSPORT_PERM)) {
+            assertOKResponseFromLegacyPlugin(client);
+            auditLogsRule.assertExactly(0, privilegePredicateRESTLayer(GRANTED_PRIVILEGES, DUMMY_WITH_TRANSPORT_PERM, GET, DUMMY_API));
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateTransportLayer(
+                    GRANTED_PRIVILEGES,
+                    DUMMY_WITH_TRANSPORT_PERM,
+                    "DummyRequest",
+                    "cluster:admin/dummy_plugin/dummy"
+                )
+            );
+        }
+
+        // DUMMY_NO_PERM should not have access to legacy endpoint (protected endpoint already tested above)
+        try (TestRestClient client = cluster.getRestClient(DUMMY_NO_PERM)) {
+            assertThat(client.get(DUMMY_API).getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+            auditLogsRule.assertExactly(0, privilegePredicateRESTLayer(MISSING_PRIVILEGES, DUMMY_NO_PERM, GET, DUMMY_API));
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateTransportLayer(MISSING_PRIVILEGES, DUMMY_NO_PERM, "DummyRequest", "cluster:admin/dummy_plugin/dummy")
+            );
+        }
+
+        // DUMMY_UNREGISTERED should not have access to legacy endpoint (protected endpoint already tested above)
+        try (TestRestClient client = cluster.getRestClient(DUMMY_UNREGISTERED)) {
+            assertThat(client.get(DUMMY_API).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+            auditLogsRule.assertExactly(0, privilegePredicateRESTLayer(MISSING_PRIVILEGES, DUMMY_UNREGISTERED, GET, DUMMY_API));
+            auditLogsRule.assertExactly(
+                0,
+                privilegePredicateTransportLayer(MISSING_PRIVILEGES, DUMMY_UNREGISTERED, "DummyRequest", "cluster:admin/dummy_plugin/dummy")
+            );
+            auditLogsRule.assertExactly(0, privilegePredicateRESTLayer(FAILED_LOGIN, DUMMY_UNREGISTERED, GET, DUMMY_API));
+        }
+    }
+
+    /** Helper Methods */
+    private void assertOKResponseFromLegacyPlugin(TestRestClient client) {
+        String expectedResponseFromLegacyPlugin = "{\"response_string\":\"Hello from dummy plugin\"}";
+        TestRestClient.HttpResponse res = client.get(DUMMY_API);
+        assertThat(res.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        assertThat(res.getBody(), equalTo(expectedResponseFromLegacyPlugin));
+    }
+
+    private void assertOKResponseFromProtectedPlugin(TestRestClient client) {
+        String expectedResponseFromProtectedPlugin = "{\"response_string\":\"Hello from dummy protected plugin\"}";
+        TestRestClient.HttpResponse res = client.get(DUMMY_PROTECTED_API);
+        assertThat(res.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        assertThat(res.getBody(), equalTo(expectedResponseFromProtectedPlugin));
+    }
+}
@@ -18,9 +18,6 @@
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.opensearch.rest.RestRequest;
-import org.opensearch.security.auditlog.AuditLog;
-import org.opensearch.security.auditlog.impl.AuditCategory;
 import org.opensearch.security.auditlog.impl.AuditMessage;
 import org.opensearch.test.framework.AuditCompliance;
 import org.opensearch.test.framework.AuditConfiguration;
@@ -47,12 +44,13 @@
 import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.lessThan;
 import static org.junit.Assert.assertTrue;
+import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.security.auditlog.impl.AuditCategory.GRANTED_PRIVILEGES;
 import static org.opensearch.security.auditlog.impl.AuditCategory.MISSING_PRIVILEGES;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
-import static org.opensearch.test.framework.audit.AuditMessagePredicate.auditPredicate;
 import static org.opensearch.test.framework.audit.AuditMessagePredicate.grantedPrivilege;
-import static org.opensearch.test.framework.audit.AuditMessagePredicate.userAuthenticated;
+import static org.opensearch.test.framework.audit.AuditMessagePredicate.privilegePredicateRESTLayer;
+import static org.opensearch.test.framework.audit.AuditMessagePredicate.userAuthenticatedPredicate;
 
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
@@ -102,8 +100,8 @@ public void testWhoAmIWithGetPermissions() {
             assertResponse(client.get(WHOAMI_PROTECTED_ENDPOINT), HttpStatus.SC_OK, expectedAuthorizedBody);
 
             // audit log, named route
-            assertExactlyOneAuthenticatedLogMessage(WHO_AM_I);
-            assertExactlyOnePrivilegeEvaluationMessage(GRANTED_PRIVILEGES, WHO_AM_I);
+            auditLogsRule.assertExactlyOne(userAuthenticatedPredicate(WHO_AM_I, GET, "/" + WHOAMI_PROTECTED_ENDPOINT));
+            auditLogsRule.assertExactlyOne(privilegePredicateRESTLayer(GRANTED_PRIVILEGES, WHO_AM_I, GET, "/" + WHOAMI_PROTECTED_ENDPOINT));
 
             assertResponse(client.get(WHOAMI_ENDPOINT), HttpStatus.SC_OK, expectedAuthorizedBody);
         }
@@ -115,8 +113,10 @@ public void testWhoAmIWithGetPermissionsLegacy() {
             assertResponse(client.get(WHOAMI_PROTECTED_ENDPOINT), HttpStatus.SC_OK, expectedAuthorizedBody);
 
             // audit log, named route
-            assertExactlyOneAuthenticatedLogMessage(WHO_AM_I_LEGACY);
-            assertExactlyOnePrivilegeEvaluationMessage(GRANTED_PRIVILEGES, WHO_AM_I_LEGACY);
+            auditLogsRule.assertExactlyOne(userAuthenticatedPredicate(WHO_AM_I_LEGACY, GET, "/" + WHOAMI_PROTECTED_ENDPOINT));
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(GRANTED_PRIVILEGES, WHO_AM_I_LEGACY, GET, "/" + WHOAMI_PROTECTED_ENDPOINT)
+            );
 
             assertResponse(client.get(WHOAMI_ENDPOINT), HttpStatus.SC_OK, expectedAuthorizedBody);
         }
@@ -127,8 +127,10 @@ public void testWhoAmIWithoutGetPermissions() {
         try (TestRestClient client = cluster.getRestClient(WHO_AM_I_NO_PERM)) {
             assertResponse(client.get(WHOAMI_PROTECTED_ENDPOINT), HttpStatus.SC_UNAUTHORIZED, expectedUnuauthorizedBody);
             // audit log, named route
-            assertExactlyOneAuthenticatedLogMessage(WHO_AM_I_NO_PERM);
-            assertExactlyOnePrivilegeEvaluationMessage(MISSING_PRIVILEGES, WHO_AM_I_NO_PERM);
+            auditLogsRule.assertExactlyOne(userAuthenticatedPredicate(WHO_AM_I_NO_PERM, GET, "/" + WHOAMI_PROTECTED_ENDPOINT));
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(MISSING_PRIVILEGES, WHO_AM_I_NO_PERM, GET, "/" + WHOAMI_PROTECTED_ENDPOINT)
+            );
 
             assertResponse(client.get(WHOAMI_ENDPOINT), HttpStatus.SC_OK, expectedAuthorizedBody);
         }
@@ -152,13 +154,17 @@ public void testWhoAmIPost() {
             assertThat(client.post(WHOAMI_ENDPOINT).getStatusCode(), equalTo(HttpStatus.SC_OK));
         }
 
+        // No audit logs generated because `/whoami` is passthrough at Transport Layer, and POST route is not a NamedRoute
+        auditLogsRule.assertAuditLogsCount(0, 0);
     }
 
     @Test
     public void testAuditLogSimilarityWithTransportLayer() {
         try (TestRestClient client = cluster.getRestClient(AUDIT_LOG_VERIFIER)) {
             assertResponse(client.get(WHOAMI_PROTECTED_ENDPOINT), HttpStatus.SC_OK, expectedAuthorizedBody);
-            assertExactlyOnePrivilegeEvaluationMessage(GRANTED_PRIVILEGES, AUDIT_LOG_VERIFIER);
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(GRANTED_PRIVILEGES, AUDIT_LOG_VERIFIER, GET, "/" + WHOAMI_PROTECTED_ENDPOINT)
+            );
 
             assertThat(client.get("_cat/indices").getStatusCode(), equalTo(HttpStatus.SC_OK));
 
@@ -179,26 +185,6 @@ private void assertResponse(TestRestClient.HttpResponse response, int expectedSt
         assertThat(response.getBody(), equalTo(expectedBody));
     }
 
-    private void assertExactlyOneAuthenticatedLogMessage(TestSecurityConfig.User user) {
-        auditLogsRule.assertExactly(
-            1,
-            userAuthenticated(user).withLayer(AuditLog.Origin.REST)
-                .withRestMethod(RestRequest.Method.GET)
-                .withRequestPath("/" + WhoAmITests.WHOAMI_PROTECTED_ENDPOINT)
-                .withInitiatingUser(user)
-        );
-    }
-
-    private void assertExactlyOnePrivilegeEvaluationMessage(AuditCategory privileges, TestSecurityConfig.User user) {
-        auditLogsRule.assertExactly(
-            1,
-            auditPredicate(privileges).withLayer(AuditLog.Origin.REST)
-                .withRestMethod(RestRequest.Method.GET)
-                .withRequestPath("/" + WhoAmITests.WHOAMI_PROTECTED_ENDPOINT)
-                .withEffectiveUser(user)
-        );
-    }
-
     private void verifyAuditLogSimilarity(List<AuditMessage> currentTestAuditMessages) {
         List<AuditMessage> restSet = new ArrayList<>();
         List<AuditMessage> transportSet = new ArrayList<>();