AddPolicyAction - Recursion removal (opensearch-project#779)
* recursion removal from AddPolicy Action Signed-off-by: Petar Dzepina <[email protected]> * added test Signed-off-by: Petar Dzepina <[email protected]> * debug logging Signed-off-by: Petar Dzepina <[email protected]> * removed single node testcase Signed-off-by: Petar Dzepina <[email protected]> * added security test; fixed index permission check Signed-off-by: Petar Dzepina <[email protected]> * test fix Signed-off-by: Petar Dzepina <[email protected]> * addressing comments Signed-off-by: Petar Dzepina <[email protected]> * test cleanup Signed-off-by: Petar Dzepina <[email protected]> * reverted security inject changes Signed-off-by: Petar Dzepina <[email protected]> * fixed weak password error when creating test user Signed-off-by: Petar Dzepina <[email protected]> * test tweak Signed-off-by: Petar Dzepina <[email protected]> --------- Signed-off-by: Petar Dzepina <[email protected]> (cherry picked from commit 45b1476)
Showing
8 changed files
with
166 additions
and
57 deletions.
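--- a/src/test/kotlin/org/opensearch/indexmanagement/PolicySecurityBehaviorIT.kt
+++ b/src/test/kotlin/org/opensearch/indexmanagement/PolicySecurityBehaviorIT.kt
@@ -0,0 +1,121 @@
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+package org.opensearch.indexmanagement
+
+import org.junit.After
+import org.junit.Before
+import org.opensearch.action.admin.indices.alias.IndicesAliasesRequest
+import org.opensearch.client.ResponseException
+import org.opensearch.client.RestClient
+import org.opensearch.commons.rest.SecureRestClientBuilder
+import org.opensearch.indexmanagement.IndexManagementPlugin.Companion.INDEX_MANAGEMENT_INDEX
+import org.opensearch.indexmanagement.indexstatemanagement.action.AliasAction
+import org.opensearch.indexmanagement.indexstatemanagement.model.Policy
+import org.opensearch.indexmanagement.indexstatemanagement.model.State
+import org.opensearch.indexmanagement.indexstatemanagement.randomErrorNotification
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.addpolicy.AddPolicyAction
+import org.opensearch.rest.RestStatus
+import org.opensearch.test.OpenSearchTestCase
+import org.opensearch.test.junit.annotations.TestLogging
+import java.time.Instant
+import java.time.temporal.ChronoUnit
+import java.util.Locale
+
+@TestLogging("level:DEBUG", reason = "Debug for tests.")
+class PolicySecurityBehaviorIT : SecurityRestTestCase() {
+private val password = "TestpgfhertergGd435AASA123!"
+
+private val ismUser = "john"
+private var ismUserClient: RestClient? = null
+
+private val permittedIndicesPrefix = "permitted-index"
+private val permittedIndicesPattern = "permitted-index*"
+@Before
+fun setupUsersAndRoles() {
+// updateClusterSetting(ManagedIndexSettings.JITTER.key, "0.0", false)
+
+val custerPermissions = listOf(
+AddPolicyAction.NAME
+)
+
+val indexPermissions = listOf(
+MANAGED_INDEX,
+CREATE_INDEX,
+WRITE_INDEX,
+BULK_WRITE_INDEX,
+GET_INDEX_MAPPING,
+SEARCH_INDEX,
+PUT_INDEX_MAPPING
+)
+createUser(ismUser, password, listOf(HELPDESK))
+createRole(HELPDESK_ROLE, custerPermissions, indexPermissions, listOf(permittedIndicesPattern))
+assignRoleToUsers(HELPDESK_ROLE, listOf(ismUser))
+
+ismUserClient =
+SecureRestClientBuilder(clusterHosts.toTypedArray(), isHttps(), ismUser, password).setSocketTimeout(60000)
+.build()
+}
+
+@After
+fun cleanup() {
+// Remove user
+ismUserClient?.close()
+deleteUser(ismUser)
+deleteRole(HELPDESK_ROLE)
+
+deleteIndexByName("$INDEX_MANAGEMENT_INDEX")
+}
+
+fun `test add policy`() {
+
+val notPermittedIndexPrefix = OpenSearchTestCase.randomAlphaOfLength(10).lowercase(Locale.getDefault())
+val policyId = OpenSearchTestCase.randomAlphaOfLength(10)
+
+val permittedindices = mutableListOf<String>()
+val notPermittedindices = mutableListOf<String>()
+for (i in 1..5) {
+createIndex("$notPermittedIndexPrefix-$i", """ "properties": { "field_a": { "type": "long" } }""", client())
+createIndex("$permittedIndicesPrefix-$i", """ "properties": { "field_a": { "type": "long" } }""", client())
+notPermittedindices += "$notPermittedIndexPrefix-$i"
+permittedindices += "$permittedIndicesPrefix-$i"
+}
+
+val allIndicesJoined = (notPermittedindices + permittedindices).joinToString(separator = ",")
+try {
+val actions = listOf(IndicesAliasesRequest.AliasActions.add().alias("aaa"))
+val actionConfig = AliasAction(actions = actions, index = 0)
+val states = listOf(State("alias", listOf(actionConfig), listOf()))
+val policy = Policy(
+id = policyId,
+description = "description",
+schemaVersion = 1L,
+lastUpdatedTime = Instant.now().truncatedTo(ChronoUnit.MILLIS),
+errorNotification = randomErrorNotification(),
+defaultState = "alias",
+states = states
+)
+createPolicy(policy, policy.id, true, client())
+// Call AddPolicyAction as user
+addPolicyToIndex(index = allIndicesJoined, policyId = policy.id, expectedStatus = RestStatus.OK, client = ismUserClient!!)
+
+refreshAllIndices()
+
+val explainResponseAsMap = managedIndexExplainAllAsMap(client())
+assertEquals(5, explainResponseAsMap["total_managed_indices"] as Int)
+} catch (e: ResponseException) {
+logger.error(e.message, e)
+} finally {
+deleteIndexByName("$permittedIndicesPrefix*")
+deleteIndexByName("$notPermittedIndexPrefix*")
+}
+}
+}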
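Review bot: The `catch (e: ResponseException)` around the user-scoped `addPolicyToIndex` call in `test add policy` only logs the exception, so an error response from the permission check lets the test finish green without ever reaching `assertEquals`. Drop the catch and keep only `try { … } finally { … }` so that a failed request fails the test. The single assertion on `total_managed_indices` also checks a count rather than the authorization boundary itself. Assuming the explain response is keyed by index name (not visible here), add `notPermittedindices.forEach { assertFalse(explainResponseAsMap.containsKey(it)) }` so the test proves that no index outside `permitted-index*` became managed.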