Skip to content

Commit

Permalink
Fix RoleDescriptor test that fails randomly (elastic#116852)
Browse files Browse the repository at this point in the history
This commit fixes a test fails based on the random seed.
The change updates the name of the test to match the updated name of the method it is testing.
It also re-implements the test to rely less on randomness and explicitly tests the possible inputs.

fixes elastic#116376

(cherry picked from commit 0795703)
  • Loading branch information
jakelandis committed Nov 19, 2024
1 parent 6f49773 commit fb6410f
Show file tree
Hide file tree
Showing 2 changed files with 172 additions and 19 deletions.
3 changes: 0 additions & 3 deletions muted-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -281,9 +281,6 @@ tests:
- class: org.elasticsearch.xpack.deprecation.DeprecationHttpIT
method: testDeprecatedSettingsReturnWarnings
issue: https://github.com/elastic/elasticsearch/issues/108628
- class: org.elasticsearch.xpack.core.security.authz.RoleDescriptorTests
method: testHasPrivilegesOtherThanIndex
issue: https://github.com/elastic/elasticsearch/issues/116376
- class: org.elasticsearch.xpack.esql.ccq.MultiClusterSpecIT
method: test {categorize.Categorize}
issue: https://github.com/elastic/elasticsearch/issues/116434
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,12 @@
import org.elasticsearch.xpack.core.XPackClientPlugin;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.ApplicationResourcePrivileges;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissionGroup;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivileges;
import org.elasticsearch.xpack.core.security.authz.restriction.Workflow;
import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver;
import org.hamcrest.Matchers;

import java.io.IOException;
Expand All @@ -47,7 +50,6 @@
import static org.elasticsearch.xcontent.XContentFactory.jsonBuilder;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.SECURITY_ROLE_DESCRIPTION;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.WORKFLOWS_RESTRICTION_VERSION;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomIndicesPrivileges;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomIndicesPrivilegesBuilder;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomRemoteClusterPermissions;
import static org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS;
Expand Down Expand Up @@ -1338,37 +1340,191 @@ public void testIsEmpty() {
}
}

public void testHasPrivilegesOtherThanIndex() {
public void testHasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster() {
// any index and some cluster privileges are allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), // all of these are allowed
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(false)
);
// any index and some cluster privileges are allowed
assertThat(
new RoleDescriptor(
"name",
new String[] { "manage_security" }, // unlikely we will ever support allowing manage security across clusters
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// application privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
new ApplicationResourcePrivileges[] {
ApplicationResourcePrivileges.builder().application("app").privileges("foo").resources("res").build() },
null,
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// configurable cluster privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
new ConfigurableClusterPrivilege[] {
new ConfigurableClusterPrivileges.ManageApplicationPrivileges(Collections.singleton("foo")) },
null,
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// run as is not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
new String[] { "foo" },
null,
null,
null,
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// workflows restriction is not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
randomBoolean() ? null : randomIndicesPrivileges(1, 5),
null,
null,
null,
null,
null,
null,
new RoleDescriptor.Restriction(WorkflowResolver.allWorkflows().stream().map(Workflow::name).toArray(String[]::new)),
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);
// remote indices privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
new RoleDescriptor.RemoteIndicesPrivileges[] {
RoleDescriptor.RemoteIndicesPrivileges.builder("rmt").indices("idx").privileges("foo").build() },
null,
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);
// remote cluster privileges are not allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
null,
null,
null,
new RemoteClusterPermissions().addGroup(
new RemoteClusterPermissionGroup(
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new String[] { "rmt" }
)
),
null,
null
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(true)
);

// metadata, transient metadata and description are allowed
assertThat(
new RoleDescriptor(
"name",
RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]),
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() },
null,
null,
null,
Collections.singletonMap("foo", "bar"),
Collections.singletonMap("foo", "bar"),
null,
null,
null,
"description"
).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(),
is(false)
);
final RoleDescriptor roleDescriptor = RoleDescriptorTestHelper.builder()
.allowReservedMetadata(true)
.allowRemoteIndices(true)
.allowRestriction(true)
.allowDescription(true)
.allowRemoteClusters(true)
.build();
final boolean expected = roleDescriptor.hasClusterPrivileges()
|| roleDescriptor.hasConfigurableClusterPrivileges()
|| roleDescriptor.hasApplicationPrivileges()
|| roleDescriptor.hasRunAs()
|| roleDescriptor.hasRemoteIndicesPrivileges();
assertThat(roleDescriptor.hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), equalTo(expected));
}

private static void resetFieldPermssionsCache() {
Expand Down

0 comments on commit fb6410f

Please sign in to comment.