From 8ecb683e51fdd1b85a9c4ec1b258348030d998ab Mon Sep 17 00:00:00 2001
From: Ryan Liang
Date: Fri, 27 Oct 2023 19:08:03 -0700
Subject: [PATCH] Add indices test case
Signed-off-by: Ryan Liang
---
 .../ServiceAccountAuthenticationTest.java | 71 ++++++++++++++-----
 1 file changed, 55 insertions(+), 16 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/http/ServiceAccountAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/ServiceAccountAuthenticationTest.java
index 5802efc534..653870104a 100644
--- a/src/integrationTest/java/org/opensearch/security/http/ServiceAccountAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/ServiceAccountAuthenticationTest.java
@@ -18,6 +18,7 @@ import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.opensearch.test.framework.TestIndex;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
@@ -38,6 +39,8 @@ public class ServiceAccountAuthenticationTest {
 public static final String DEFAULT_PASSWORD = "secret";
+ public static final String SERVICE_ATTRIBUTE = "service";
+
 static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
 public static final String SERVICE_ACCOUNT_USER_NAME = "admin-extension";
@@ -47,9 +50,20 @@ public class ServiceAccountAuthenticationTest {
 .indexPermissions("*", "system:admin/system_index")
 .on("*");
- static final TestSecurityConfig.User SERVICE_ACCOUNT_ADMIN_USER = new TestSecurityConfig.User(SERVICE_ACCOUNT_USER_NAME).roles(
- SERVICE_ACCOUNT_ADMIN_ROLE
- ).attr("service", true);
+ static final TestSecurityConfig.User SERVICE_ACCOUNT_ADMIN_USER = new TestSecurityConfig.User(SERVICE_ACCOUNT_USER_NAME).attr(
+ SERVICE_ATTRIBUTE,
+ "true"
+ ).roles(SERVICE_ACCOUNT_ADMIN_ROLE);
+
+ private static final TestIndex TEST_NON_SYS_INDEX = TestIndex.name("test-non-sys-index")
+ .setting("index.number_of_shards", 1)
+ .setting("index.number_of_replicas", 0)
+ .build();
+
+ private static final TestIndex TEST_SYS_INDEX = TestIndex.name("test-sys-index")
+ .setting("index.number_of_shards", 1)
+ .setting("index.number_of_replicas", 0)
+ .build();
 @ClassRule
 public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
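Review bot: The value passed to `.attr(SERVICE_ATTRIBUTE, ...)` on `SERVICE_ACCOUNT_ADMIN_USER` changes from the boolean `true` to the string `"true"` with no comment explaining why, yet every service-account test in this class depends on that attribute being recognised. If the reason is that user attributes are stored and compared as strings, a comment above the field such as `// service accounts are flagged by attribute "service" = "true" (string form)` would record it; that reason is inferred, so please confirm it. Without the note, a later cleanup could switch the value back to a boolean and leave the tests exercising an ordinary user.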
@@ -59,26 +73,18 @@ public class ServiceAccountAuthenticationTest {
 Map.of(
 SECURITY_SYSTEM_INDICES_PERMISSIONS_ENABLED_KEY,
 true,
- SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX,
+ SECURITY_SYSTEM_INDICES_ENABLED_KEY,
 true,
 SECURITY_RESTAPI_ROLES_ENABLED,
- List.of("user_admin__all_access")
+ List.of("user_admin__all_access"),
+ SECURITY_SYSTEM_INDICES_KEY,
+ List.of("test-sys-index")
 )
 )
 .authc(AUTHC_HTTPBASIC_INTERNAL)
+ .indices(TEST_NON_SYS_INDEX, TEST_SYS_INDEX)
 .build();
- // TODO: REMOVE THIS DEBUGGING TEST CASE
- @Test
- public void testClusterHealthWithAdminCred() {
- try (TestRestClient client = cluster.getRestClient("admin", DEFAULT_PASSWORD)) {
- client.confirmCorrectCredentials("admin");
- TestRestClient.HttpResponse response = client.get("_cluster/health");
- response.assertStatusCode(HttpStatus.SC_OK);
- System.out.println(response);
- }
- }
-
 @Test
 public void testClusterHealthWithServiceAccountCred() throws JsonProcessingException {
 try (TestRestClient client = cluster.getRestClient("admin-extension", DEFAULT_PASSWORD)) {
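Review bot: The system-index list is written as the literal `List.of("test-sys-index")`, which has to stay in step with the name given to `TestIndex.name(...)` for `TEST_SYS_INDEX` and with the path the new tests request. If one of them is renamed, the index may no longer be registered as a system index and the tests would stop covering system-index handling. Declaring the name once, for example `private static final String TEST_SYS_INDEX_NAME = "test-sys-index";`, and using it in all three places avoids that. The import hunk adds only `TestIndex`, so `SECURITY_SYSTEM_INDICES_ENABLED_KEY` and `SECURITY_SYSTEM_INDICES_KEY` presumably rely on static imports not shown here, and the import for `SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX` may now be unused. The cluster builder chain starts and ends outside this hunk.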
@@ -95,4 +101,37 @@ public void testClusterHealthWithServiceAccountCred() throws JsonProcessingExcep
 assertEquals("security_exception", typeField);
 }
 }
+
+ @Test
+ public void testReadSysIndexWithServiceAccountCred() {
+ try (TestRestClient client = cluster.getRestClient("admin-extension", DEFAULT_PASSWORD)) {
+ client.confirmCorrectCredentials("admin-extension");
+ TestRestClient.HttpResponse response = client.get("test-sys-index");
+ response.assertStatusCode(HttpStatus.SC_OK);
+ // TODO: REMOVE THIS AND PARSING/CHECKING THE RESPONSE
+ System.out.println(response);
+ }
+ }
+
+ @Test
+ public void testReadNonSysIndexWithServiceAccountCred() {
+ try (TestRestClient client = cluster.getRestClient("admin-extension", DEFAULT_PASSWORD)) {
+ client.confirmCorrectCredentials("admin-extension");
+ TestRestClient.HttpResponse response = client.get("test-non-sys-index");
+ response.assertStatusCode(HttpStatus.SC_FORBIDDEN);
+ // TODO: REMOVE THIS AND PARSING/CHECKING THE RESPONSE
+ System.out.println(response);
+ }
+ }
+
+ // TODO: REMOVE THIS DEBUGGING TEST CASE
+ @Test
+ public void testReadNonSysIndexWithAdminCred() {
+ try (TestRestClient client = cluster.getRestClient("admin", DEFAULT_PASSWORD)) {
+ client.confirmCorrectCredentials("admin");
+ TestRestClient.HttpResponse response = client.get("test-non-sys-index");
+ response.assertStatusCode(HttpStatus.SC_OK);
+ System.out.println(response);
+ }
+ }
 }
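Review bot: `testReadNonSysIndexWithServiceAccountCred` accepts any 403, so a rejection for an unrelated reason would still pass; it should also check the error type, as the existing test above does with `assertEquals("security_exception", typeField);`. Both service-account tests still carry `// TODO: REMOVE THIS AND PARSING/CHECKING THE RESPONSE` next to `System.out.println(response);`, and `testReadNonSysIndexWithAdminCred` is added under the same `// TODO: REMOVE THIS DEBUGGING TEST CASE` marker as the test this commit deletes. The user name is repeated as the literal `"admin-extension"` although `SERVICE_ACCOUNT_USER_NAME` is already defined. `client.get("test-sys-index")` requests the index itself rather than a document or a search, so if the tests are meant to cover reading data, they would need a search or document request as well.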