1717import org .junit .Test ;
1818import org .junit .runner .RunWith ;
1919
20+ import org .opensearch .script .mustache .MustacheModulePlugin ;
2021import org .opensearch .test .framework .TestSecurityConfig ;
2122import org .opensearch .test .framework .TestSecurityConfig .Role ;
2223import org .opensearch .test .framework .cluster .ClusterManager ;
@@ -45,16 +46,19 @@ public class PrivilegesEvaluatorTest {
4546 );
4647
4748 protected final static TestSecurityConfig .User SEARCH_TEMPLATE = new TestSecurityConfig .User ("search_template_user" ).roles (
48- new Role ("search_template_role" ).indexPermissions ("read" ).on ("services" )
49+ new Role ("search_template_role" ).indexPermissions ("read" ).on ("services" ). clusterPermissions ( "cluster_composite_ops" )
4950 );
5051
5152 private String TEST_QUERY =
5253 "{\" source\" :{\" query\" :{\" match\" :{\" service\" :\" {{service_name}}\" }}},\" params\" :{\" service_name\" :\" Oracle\" }}" ;
5354
55+ private String TEST_DOC = "{\" source\" : {\" title\" : \" Spirited Away\" }}" ;
56+
5457 @ ClassRule
5558 public static LocalCluster cluster = new LocalCluster .Builder ().clusterManager (ClusterManager .THREE_CLUSTER_MANAGERS )
5659 .authc (AUTHC_HTTPBASIC_INTERNAL )
57- .users (NEGATIVE_LOOKAHEAD , NEGATED_REGEX , SEARCH_TEMPLATE )
60+ .users (NEGATIVE_LOOKAHEAD , NEGATED_REGEX , SEARCH_TEMPLATE , TestSecurityConfig .User .USER_ADMIN )
61+ .plugin (MustacheModulePlugin .class )
5862 .build ();
5963
6064 @ Test
@@ -78,22 +82,40 @@ public void testRegexPattern() throws Exception {
7882
7983 @ Test
8084 public void testSearchTemplateRequestSuccess () {
85+ // Insert doc into services index with admin user
86+ try (TestRestClient client = cluster .getRestClient (TestSecurityConfig .User .USER_ADMIN )) {
87+ TestRestClient .HttpResponse response = client .postJson ("services/_doc" , TEST_DOC );
88+ assertThat (response .getStatusCode (), equalTo (HttpStatus .SC_CREATED ));
89+ }
90+
8191 try (TestRestClient client = cluster .getRestClient (SEARCH_TEMPLATE )) {
82- assertThat (client .getWithJsonBody ("services/_search/template" , TEST_QUERY ).getStatusCode (), equalTo (HttpStatus .SC_OK ));
92+ final String searchTemplateOnServicesIndex = "services/_search/template" ;
93+ final TestRestClient .HttpResponse searchTemplateOnAuthorizedIndexResponse = client .getWithJsonBody (
94+ searchTemplateOnServicesIndex ,
95+ TEST_QUERY
96+ );
97+ assertThat (searchTemplateOnAuthorizedIndexResponse .getStatusCode (), equalTo (HttpStatus .SC_OK ));
8398 }
8499 }
85100
86101 @ Test
87102 public void testSearchTemplateRequestUnauthorizedIndex () {
88103 try (TestRestClient client = cluster .getRestClient (SEARCH_TEMPLATE )) {
89- assertThat (client .getWithJsonBody ("movies/_search/template" , TEST_QUERY ).getStatusCode (), equalTo (HttpStatus .SC_FORBIDDEN ));
104+ final String searchTemplateOnMoviesIndex = "movies/_search/template" ;
105+ final TestRestClient .HttpResponse searchTemplateOnUnauthorizedIndexResponse = client .getWithJsonBody (
106+ searchTemplateOnMoviesIndex ,
107+ TEST_QUERY
108+ );
109+ assertThat (searchTemplateOnUnauthorizedIndexResponse .getStatusCode (), equalTo (HttpStatus .SC_FORBIDDEN ));
90110 }
91111 }
92112
93113 @ Test
94114 public void testSearchTemplateRequestUnauthorizedAllIndices () {
95115 try (TestRestClient client = cluster .getRestClient (SEARCH_TEMPLATE )) {
96- assertThat (client .getWithJsonBody ("_search/template" , TEST_QUERY ).getStatusCode (), equalTo (HttpStatus .SC_FORBIDDEN ));
116+ final String searchTemplateOnAllIndices = "_search/template" ;
117+ final TestRestClient .HttpResponse searchOnAllIndicesResponse = client .getWithJsonBody (searchTemplateOnAllIndices , TEST_QUERY );
118+ assertThat (searchOnAllIndicesResponse .getStatusCode (), equalTo (HttpStatus .SC_FORBIDDEN ));
97119 }
98120 }
99121}
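Review bot: In testSearchTemplateRequestUnauthorizedIndex the 403 is asserted against `movies`, an index that nothing visible in this diff creates, so the test does not show the index-permission check denying access to an existing index the role lacks `read` on. That distinction matters more now that `search_template_role` also carries `cluster_composite_ops`. Seeding the index with the admin client first, e.g. `client.postJson("movies/_doc", TEST_DOC)` followed by the same `SC_CREATED` assertion, would pin the denial to index-level privileges. In testSearchTemplateRequestSuccess the seeded `TEST_DOC` only has `source.title` while `TEST_QUERY` matches on `service`, so the 200 is presumably reached with zero hits. A comment such as `// doc only ensures the services index exists; hits are not asserted` would make that intent explicit, or the test could index a matching document and assert the hit count.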