Skip to content

Commit

Permalink
Fix RoleDescriptor test that fails randomly (elastic#116852)
Browse files Browse the repository at this point in the history 
This commit fixes a test fails based on the random seed.
The change updates the name of the test to match the updated name of the method it is testing.
It also re-implements the test to rely less on randomness and explicitly tests the possible inputs.

fixes elastic#116376

(cherry picked from commit 0795703)

# Conflicts:
#	x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptorTests.java
  • Loading branch information
@jakelandis
jakelandis committed Nov 19, 2024
1 parent 93baadf commit e2bdede
Showing 1 changed file with 173 additions and 16 deletions.
189 changes: 173 additions & 16 deletions ...n/core/src/test/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptorTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,12 @@
import org.elasticsearch.xpack.core.XPackClientPlugin;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.ApplicationResourcePrivileges;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissionGroup;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivileges;
import org.elasticsearch.xpack.core.security.authz.restriction.Workflow;
import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver;
import org.hamcrest.Matchers;

import java.io.IOException;
Expand All @@ -45,8 +48,8 @@
import java.util.Map;

import static org.elasticsearch.xcontent.XContentFactory.jsonBuilder;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.SECURITY_ROLE_DESCRIPTION;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.WORKFLOWS_RESTRICTION_VERSION;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomIndicesPrivileges;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomIndicesPrivilegesBuilder;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomRemoteClusterPermissions;
import static org.hamcrest.Matchers.arrayContaining;
Expand Down Expand Up @@ -1312,37 +1315,191 @@ public void testIsEmpty() {
}
}

public void testHasPrivilegesOtherThanIndex() {
public void testHasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster() {
// any index and some cluster privileges are allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), // all of these are allowed
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(false)
);
// any index and some cluster privileges are allowed
assertThat(
new RoleDescriptor(
"name",
new String[] { "manage_security" }, // unlikely we will ever support allowing manage security across clusters
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// application privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
new ApplicationResourcePrivileges[] {
ApplicationResourcePrivileges.builder().application("app").privileges("foo").resources("res").build() },
null,
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// configurable cluster privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
new ConfigurableClusterPrivilege[] {
new ConfigurableClusterPrivileges.ManageApplicationPrivileges(Collections.singleton("foo")) },
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// run as is not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
new String[] { "foo" },
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// workflows restriction is not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
randomBoolean() ? null : randomIndicesPrivileges(1, 5),
null,
null,
null,
null,
null,
null,
new RoleDescriptor.Restriction(WorkflowResolver.allWorkflows().stream().map(Workflow::name).toArray(String[]::new)),
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);
// remote indices privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
new RoleDescriptor.RemoteIndicesPrivileges[] {
RoleDescriptor.RemoteIndicesPrivileges.builder("rmt").indices("idx").privileges("foo").build() },
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);
// remote cluster privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
null,
new RemoteClusterPermissions().addGroup(
new RemoteClusterPermissionGroup(
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new String[] { "rmt" }
)
),
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// metadata, transient metadata and description are allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
Collections.singletonMap("foo", "bar"),
Collections.singletonMap("foo", "bar"),
null,
null,
null,
"description"
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(false)
);
final RoleDescriptor roleDescriptor = RoleDescriptorTestHelper.builder()
.allowReservedMetadata(true)
.allowRemoteIndices(true)
.allowRestriction(true)
.allowDescription(true)
.allowRemoteClusters(true)
.build();
final boolean expected = roleDescriptor.hasClusterPrivileges()
|| roleDescriptor.hasConfigurableClusterPrivileges()
|| roleDescriptor.hasApplicationPrivileges()
|| roleDescriptor.hasRunAs()
|| roleDescriptor.hasRemoteIndicesPrivileges();
assertThat(roleDescriptor.hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), equalTo(expected));
}

private static void resetFieldPermssionsCache() {
Expand Down

0 comments on commit e2bdede

Please sign in to comment.