|
| 1 | +/* |
| 2 | + * SPDX-License-Identifier: Apache-2.0 |
| 3 | + * |
| 4 | + * The OpenSearch Contributors require contributions made to |
| 5 | + * this file be licensed under the Apache-2.0 license or a |
| 6 | + * compatible open source license. |
| 7 | + * |
| 8 | + * Modifications Copyright OpenSearch Contributors. See |
| 9 | + * GitHub history for details. |
| 10 | + */ |
| 11 | + |
| 12 | +package org.opensearch.security.api; |
| 13 | + |
| 14 | +import java.util.Map; |
| 15 | + |
| 16 | +import org.apache.http.HttpStatus; |
| 17 | +import org.junit.Before; |
| 18 | +import org.junit.Test; |
| 19 | + |
| 20 | +import org.opensearch.test.framework.cluster.TestRestClient; |
| 21 | + |
| 22 | +import static org.hamcrest.MatcherAssert.assertThat; |
| 23 | +import static org.hamcrest.Matchers.containsString; |
| 24 | +import static org.hamcrest.Matchers.equalTo; |
| 25 | +import static org.hamcrest.Matchers.is; |
| 26 | +import static org.hamcrest.Matchers.isOneOf; |
| 27 | +import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; |
| 28 | +import static org.opensearch.security.support.ConfigConstants.SECURITY_CONFIG_VERSION_INDEX_ENABLED; |
| 29 | + |
| 30 | +public class RollbackVersionApiIntegrationTest extends AbstractApiIntegrationTest { |
| 31 | + |
| 32 | + private String endpointPrefix() { |
| 33 | + return PLUGINS_PREFIX + "/api"; |
| 34 | + } |
| 35 | + |
| 36 | + private String RollbackBase() { |
| 37 | + return endpointPrefix() + "/rollback"; |
| 38 | + } |
| 39 | + |
| 40 | + private String RollbackVersion(String versionId) { |
| 41 | + return RollbackBase() + "/version/" + versionId; |
| 42 | + } |
| 43 | + |
| 44 | + @Override |
| 45 | + protected Map<String, Object> getClusterSettings() { |
| 46 | + Map<String, Object> settings = super.getClusterSettings(); |
| 47 | + settings.put(SECURITY_CONFIG_VERSION_INDEX_ENABLED, true); |
| 48 | + return settings; |
| 49 | + } |
| 50 | + |
| 51 | + @Before |
| 52 | + public void setupConfigVersionsIndex() throws Exception { |
| 53 | + try (TestRestClient client = localCluster.getRestClient(ADMIN_USER_NAME, DEFAULT_PASSWORD)) { |
| 54 | + client.get("/_cluster/health?wait_for_status=yellow&timeout=30s"); |
| 55 | + client.delete("/.opendistro_security_config_versions"); |
| 56 | + client.put("/.opendistro_security_config_versions"); |
| 57 | + client.post("/_refresh"); |
| 58 | + client.get("/_cluster/health/.opendistro_security_config_versions?wait_for_status=yellow&timeout=5s"); |
| 59 | + |
| 60 | + String bulkPayload = |
| 61 | + "{ \"index\": { \"_index\": \".opendistro_security_config_versions\", \"_id\": \"opendistro_security_config_versions\" } }\n" |
| 62 | + + "{ \"versions\": [" |
| 63 | + + " {" |
| 64 | + + " \"version_id\": \"v1\"," |
| 65 | + + " \"timestamp\": \"2025-04-03T00:00:00Z\"," |
| 66 | + + " \"modified_by\": \"admin\"," |
| 67 | + + " \"security_configs\": {" |
| 68 | + + " \"internalusers\": {" |
| 69 | + + " \"lastUpdated\": \"2025-04-03T00:00:00Z\"," |
| 70 | + + " \"configData\": { \"admin\": { \"hash\": \"$2y$12$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" } }" |
| 71 | + + " }" |
| 72 | + + " }" |
| 73 | + + " }," |
| 74 | + + " {" |
| 75 | + + " \"version_id\": \"v2\"," |
| 76 | + + " \"timestamp\": \"2025-04-04T00:00:00Z\"," |
| 77 | + + " \"modified_by\": \"admin\"," |
| 78 | + + " \"security_configs\": {" |
| 79 | + + " \"internalusers\": {" |
| 80 | + + " \"lastUpdated\": \"2025-04-04T00:00:00Z\"," |
| 81 | + + " \"configData\": { \"admin\": { \"hash\": \"$2y$12$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\" } }" |
| 82 | + + " }" |
| 83 | + + " }" |
| 84 | + + " }" |
| 85 | + + "] }\n"; |
| 86 | + |
| 87 | + var response = client.postJson("/_bulk?refresh=true", bulkPayload); |
| 88 | + assertThat("Bulk insert failed", response.getStatusCode(), is(200)); |
| 89 | + } |
| 90 | + } |
| 91 | + |
| 92 | + @Test |
| 93 | + public void testRollbackToPreviousVersion_success() throws Exception { |
| 94 | + withUser(ADMIN_USER_NAME, DEFAULT_PASSWORD, client -> { |
| 95 | + var response = client.post(RollbackBase()); |
| 96 | + assertThat(response.getStatusCode(), is(HttpStatus.SC_OK)); |
| 97 | + assertThat(response.getTextFromJsonBody("/status"), equalTo("OK")); |
| 98 | + assertThat(response.getTextFromJsonBody("/message"), containsString("config rolled back to version")); |
| 99 | + }); |
| 100 | + } |
| 101 | + |
| 102 | + @Test |
| 103 | + public void testRollbackToSpecificVersion_success() throws Exception { |
| 104 | + String versionId = "v1"; |
| 105 | + withUser(ADMIN_USER_NAME, DEFAULT_PASSWORD, client -> { |
| 106 | + var response = client.post(RollbackVersion(versionId)); |
| 107 | + assertThat(response.getStatusCode(), is(HttpStatus.SC_OK)); |
| 108 | + assertThat(response.getTextFromJsonBody("/status"), equalTo("OK")); |
| 109 | + assertThat(response.getTextFromJsonBody("/message"), containsString("config rolled back to version " + versionId)); |
| 110 | + }); |
| 111 | + } |
| 112 | + |
| 113 | + @Test |
| 114 | + public void testRollbackWithNonAdmin_shouldBeUnauthorized() throws Exception { |
| 115 | + withUser(NEW_USER, DEFAULT_PASSWORD, client -> { |
| 116 | + var response = client.post(RollbackBase()); |
| 117 | + assertThat(response.getStatusCode(), isOneOf(HttpStatus.SC_FORBIDDEN, HttpStatus.SC_UNAUTHORIZED)); |
| 118 | + }); |
| 119 | + } |
| 120 | + |
| 121 | + @Test |
| 122 | + public void testRollbackToInvalidVersion_shouldReturnNotFound() throws Exception { |
| 123 | + withUser(ADMIN_USER_NAME, DEFAULT_PASSWORD, client -> { |
| 124 | + var response = client.post(RollbackVersion("does-not-exist")); |
| 125 | + assertThat(response.getStatusCode(), is(HttpStatus.SC_NOT_FOUND)); |
| 126 | + assertThat(response.getTextFromJsonBody("/message"), containsString("not found")); |
| 127 | + }); |
| 128 | + } |
| 129 | + |
| 130 | + @Test |
| 131 | + public void testRollbackWhenOnlyOneVersion_shouldFail() throws Exception { |
| 132 | + withUser(ADMIN_USER_NAME, DEFAULT_PASSWORD, client -> { |
| 133 | + client.delete("/.opendistro_security_config_versions"); |
| 134 | + client.put("/.opendistro_security_config_versions"); |
| 135 | + client.post("/_refresh"); |
| 136 | + client.get("/_cluster/health/.opendistro_security_config_versions?wait_for_status=yellow&timeout=30s"); |
| 137 | + |
| 138 | + String bulkPayload = "" |
| 139 | + + "{ \"index\": { \"_index\": \".opendistro_security_config_versions\", \"_id\": \"opendistro_security_config_versions\" } }\n" |
| 140 | + + "{ \"versions\": [ {" |
| 141 | + + " \"version_id\": \"v1\"," |
| 142 | + + " \"timestamp\": \"2025-04-03T00:00:00Z\"," |
| 143 | + + " \"modified_by\": \"admin\"," |
| 144 | + + " \"security_configs\": {" |
| 145 | + + " \"config_type_1\": {" |
| 146 | + + " \"lastUpdated\": \"2025-04-03T00:00:00Z\"," |
| 147 | + + " \"configData\": {" |
| 148 | + + " \"key1\": { \"dummy\": \"value1\" }" |
| 149 | + + " }" |
| 150 | + + " }" |
| 151 | + + " }" |
| 152 | + + "} ] }\n"; |
| 153 | + |
| 154 | + var bulkResponse = client.postJson("/_bulk?refresh=true", bulkPayload); |
| 155 | + assertThat("Bulk insert failed: " + bulkResponse.getBody(), bulkResponse.getStatusCode(), is(200)); |
| 156 | + |
| 157 | + client.post("/_refresh"); |
| 158 | + |
| 159 | + var response = client.post(RollbackBase()); |
| 160 | + assertThat(response.getStatusCode(), is(404)); |
| 161 | + assertThat(response.getBody(), containsString("No previous version available to rollback")); |
| 162 | + }); |
| 163 | + } |
| 164 | + |
| 165 | +} |
0 commit comments