Skip to content

Commit

Permalink
[Backport 2.x] Add render search template as a cluster permission (#3689
Browse files Browse the repository at this point in the history
) (#3872)

Manual backport of #3689 to 2.x.

CI will not pass until the companion core backport is merged:
opensearch-project/OpenSearch#11646
  • Loading branch information
cwperks authored Dec 21, 2023
1 parent 840bf8f commit 02881cd
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 3 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
import org.junit.runner.RunWith;

import org.opensearch.script.mustache.MustachePlugin;
import org.opensearch.script.mustache.RenderSearchTemplateAction;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.TestSecurityConfig.Role;
import org.opensearch.test.framework.cluster.ClusterManager;
Expand Down Expand Up @@ -49,15 +50,25 @@ public class PrivilegesEvaluatorTest {
new Role("search_template_role").indexPermissions("read").on("services").clusterPermissions("cluster_composite_ops")
);

protected final static TestSecurityConfig.User RENDER_SEARCH_TEMPLATE = new TestSecurityConfig.User("render_search_template_user")
.roles(
new Role("render_search_template_role").indexPermissions("read")
.on("services")
.clusterPermissions(RenderSearchTemplateAction.NAME)
);

private String TEST_QUERY =
"{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}";

private String TEST_DOC = "{\"source\": {\"title\": \"Spirited Away\"}}";

private String TEST_RENDER_SEARCH_TEMPLATE_QUERY =
"{\"params\":{\"status\":[\"pending\",\"published\"]},\"source\":\"{\\\"query\\\": {\\\"terms\\\": {\\\"status\\\": [\\\"{{#status}}\\\",\\\"{{.}}\\\",\\\"{{/status}}\\\"]}}}\"}";

@ClassRule
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, RENDER_SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
.plugin(MustachePlugin.class)
.build();

Expand Down Expand Up @@ -118,4 +129,28 @@ public void testSearchTemplateRequestUnauthorizedAllIndices() {
assertThat(searchOnAllIndicesResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
}
}

@Test
public void testRenderSearchTemplateRequestFailure() {
try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
final String renderSearchTemplate = "_render/template";
final TestRestClient.HttpResponse renderSearchTemplateResponse = client.postJson(
renderSearchTemplate,
TEST_RENDER_SEARCH_TEMPLATE_QUERY
);
assertThat(renderSearchTemplateResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
}
}

@Test
public void testRenderSearchTemplateRequestSuccess() {
try (TestRestClient client = cluster.getRestClient(RENDER_SEARCH_TEMPLATE)) {
final String renderSearchTemplate = "_render/template";
final TestRestClient.HttpResponse renderSearchTemplateResponse = client.postJson(
renderSearchTemplate,
TEST_RENDER_SEARCH_TEMPLATE_QUERY
);
assertThat(renderSearchTemplateResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@
import org.opensearch.core.common.transport.TransportAddress;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.index.reindex.ReindexAction;
import org.opensearch.script.mustache.RenderSearchTemplateAction;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.configuration.ClusterInfoHolder;
import org.opensearch.security.configuration.ConfigurationRepository;
Expand Down Expand Up @@ -697,8 +698,7 @@ public static boolean isClusterPerm(String action0) {
|| (action0.startsWith(MultiSearchAction.NAME))
|| (action0.equals(MultiTermVectorsAction.NAME))
|| (action0.equals(ReindexAction.NAME))

);
|| (action0.equals(RenderSearchTemplateAction.NAME)));
}

@SuppressWarnings("unchecked")
Expand Down

0 comments on commit 02881cd

Please sign in to comment.