Skip to content

Add Integration Test to confirm Core Change to Fix Search template request Auth #2921

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
willyborankin merged 10 commits into from
Aug 16, 2023
Merged

Add Integration Test to confirm Core Change to Fix Search template request Auth #2921

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
0122b60
fix search template auth to allow for search template requests on ind…
derek-ho Jun 29, 2023
24aa368
fix and add tests
derek-ho Jun 29, 2023
b640386
spotless
derek-ho Jun 29, 2023
445835d
Merge branch 'opensearch-project:main' into fix-search-template
derek-ho Jun 30, 2023
bbb1b86
revert PR to only be tests
derek-ho Aug 9, 2023
e78def3
add tests for other situations
derek-ho Aug 9, 2023
387f1a6
spotless
derek-ho Aug 9, 2023
c4a3d5d
extract query to a constant
derek-ho Aug 9, 2023
4e78c8d
Merge branch 'main' of github.com:opensearch-project/security into fi…
derek-ho Aug 15, 2023
f3e5d46
update integration tests
derek-ho Aug 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 51 additions & 1 deletion src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import org.junit.Test;
import org.junit.runner.RunWith;

import org.opensearch.script.mustache.MustacheModulePlugin;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.TestSecurityConfig.Role;
import org.opensearch.test.framework.cluster.ClusterManager;
Expand Down Expand Up @@ -44,10 +45,20 @@ public class PrivilegesEvaluatorTest {
new Role("negated_regex_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("cluster_composite_ops")
);

protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
new Role("search_template_role").indexPermissions("read").on("services").clusterPermissions("cluster_composite_ops")
);

private String TEST_QUERY =
"{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}";

private String TEST_DOC = "{\"source\": {\"title\": \"Spirited Away\"}}";

@ClassRule
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
.plugin(MustacheModulePlugin.class)
.build();

@Test
Expand All @@ -68,4 +79,43 @@ public void testRegexPattern() throws Exception {
}

}

@Test
public void testSearchTemplateRequestSuccess() {
// Insert doc into services index with admin user
try (TestRestClient client = cluster.getRestClient(TestSecurityConfig.User.USER_ADMIN)) {
TestRestClient.HttpResponse response = client.postJson("services/_doc", TEST_DOC);
assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
}

try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
final String searchTemplateOnServicesIndex = "services/_search/template";
final TestRestClient.HttpResponse searchTemplateOnAuthorizedIndexResponse = client.getWithJsonBody(
searchTemplateOnServicesIndex,
TEST_QUERY
);
assertThat(searchTemplateOnAuthorizedIndexResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
}
}

@Test
public void testSearchTemplateRequestUnauthorizedIndex() {
try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
final String searchTemplateOnMoviesIndex = "movies/_search/template";
final TestRestClient.HttpResponse searchTemplateOnUnauthorizedIndexResponse = client.getWithJsonBody(
searchTemplateOnMoviesIndex,
TEST_QUERY
);
assertThat(searchTemplateOnUnauthorizedIndexResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
}
}

@Test
public void testSearchTemplateRequestUnauthorizedAllIndices() {
try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
final String searchTemplateOnAllIndices = "_search/template";
final TestRestClient.HttpResponse searchOnAllIndicesResponse = client.getWithJsonBody(searchTemplateOnAllIndices, TEST_QUERY);
assertThat(searchOnAllIndicesResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
}
}
}