Skip to content

Commit

Permalink
Tests for support of permissions for REST admin user
Browse files Browse the repository at this point in the history
Signed-off-by: Andrey Pleskach <[email protected]>
  • Loading branch information
willyborankin committed Jan 20, 2023
1 parent 7246b62 commit 0bb277f
Show file tree
Hide file tree
Showing 14 changed files with 1,463 additions and 446 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,14 @@
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Stream;

import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import org.apache.hc.core5.http.Header;
import org.apache.hc.core5.http.HttpStatus;
import org.junit.Assert;
Expand Down Expand Up @@ -90,18 +94,7 @@ protected final void setupWithRestRoles(Settings nodeOverride) throws Exception
.put("plugins.security.ssl.http.truststore_filepath",
FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks"));

builder.put("plugins.security.restapi.roles_enabled.0", "opendistro_security_role_klingons");
builder.put("plugins.security.restapi.roles_enabled.1", "opendistro_security_role_vulcans");
builder.put("plugins.security.restapi.roles_enabled.2", "opendistro_security_test");

builder.put("plugins.security.restapi.endpoints_disabled.global.CACHE.0", "*");

builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.conFiGuration.0", "*");
builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.wRongType.0", "WRONGType");
builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.0", "PUT");
builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.1", "DELETE");

builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_vulcans.CONFIG.0", "*");
builder.put(rolesSettings());

if (null != nodeOverride) {
builder.put(nodeOverride);
Expand All @@ -114,6 +107,20 @@ protected final void setupWithRestRoles(Settings nodeOverride) throws Exception
AuditTestUtils.updateAuditConfig(rh, nodeOverride != null ? nodeOverride : Settings.EMPTY);
}

protected Settings rolesSettings() {
return Settings.builder()
.put("plugins.security.restapi.roles_enabled.0", "opendistro_security_role_klingons")
.put("plugins.security.restapi.roles_enabled.1", "opendistro_security_role_vulcans")
.put("plugins.security.restapi.roles_enabled.2", "opendistro_security_test")
.put("plugins.security.restapi.endpoints_disabled.global.CACHE.0", "*")
.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.conFiGuration.0", "*")
.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.wRongType.0", "WRONGType")
.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.0", "PUT")
.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.1", "DELETE")
.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_vulcans.CONFIG.0", "*")
.build();
}

protected void deleteUser(String username) throws Exception {
boolean sendAdminCertificate = rh.sendAdminCertificate;
rh.sendAdminCertificate = true;
Expand Down Expand Up @@ -197,30 +204,23 @@ protected void checkGeneralAccess(int status, String username, String password)

protected String checkReadAccess(int status, String username, String password, String indexName, String actionType,
int id) throws Exception {
boolean sendAdminCertificate = rh.sendAdminCertificate;
rh.sendAdminCertificate = false;
String action = indexName + "/" + actionType + "/" + id;
HttpResponse response = rh.executeGetRequest(action,
encodeBasicHeader(username, password));
HttpResponse response = rh.executeGetRequest(action, encodeBasicHeader(username, password));
int returnedStatus = response.getStatusCode();
Assert.assertEquals(status, returnedStatus);
rh.sendAdminCertificate = sendAdminCertificate;
return response.getBody();

}

protected String checkWriteAccess(int status, String username, String password, String indexName, String actionType,
int id) throws Exception {

boolean sendAdminCertificate = rh.sendAdminCertificate;
rh.sendAdminCertificate = false;
String action = indexName + "/" + actionType + "/" + id;
String payload = "{\"value\" : \"true\"}";
HttpResponse response = rh.executePutRequest(action, payload,
encodeBasicHeader(username, password));
HttpResponse response = rh.executePutRequest(action, payload, encodeBasicHeader(username, password));
int returnedStatus = response.getStatusCode();
Assert.assertEquals(status, returnedStatus);
rh.sendAdminCertificate = sendAdminCertificate;
return response.getBody();
}

Expand Down Expand Up @@ -260,4 +260,27 @@ protected Map<String, String> jsonStringToMap(String json) throws JsonParseExcep
protected static Collection<Class<? extends Plugin>> asCollection(Class<? extends Plugin>... plugins) {
return Arrays.asList(plugins);
}

String createRestAdminPermissionsPayload(String... additionPerms) throws JsonProcessingException {
final ObjectNode rootNode = (ObjectNode) DefaultObjectMapper.objectMapper.createObjectNode();
rootNode.set("cluster_permissions", clusterPermissionsForRestAdmin(additionPerms));
return DefaultObjectMapper.objectMapper.writeValueAsString(rootNode);
}

ArrayNode clusterPermissionsForRestAdmin(String... additionPerms) {
final ArrayNode permissionsArray = (ArrayNode) DefaultObjectMapper.objectMapper.createArrayNode();
for (final Endpoint endpoint : RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS) {
if (endpoint == Endpoint.SSL) {
permissionsArray
.add(RestApiAdminPrivilegesEvaluator.PERMISSION_BUILDER.build(endpoint, "certs"))
.add(RestApiAdminPrivilegesEvaluator.PERMISSION_BUILDER.build(endpoint, "reloadcerts"));
} else {
permissionsArray.add(RestApiAdminPrivilegesEvaluator.PERMISSION_BUILDER.build(endpoint, null));
}
}
if (additionPerms.length != 0) {
Stream.of(additionPerms).forEach(permissionsArray::add);
}
return permissionsArray;
}
}
Loading

0 comments on commit 0bb277f

Please sign in to comment.