From 0122b60d35ece8bd57002bb6c204ed8679eb3b75 Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Thu, 29 Jun 2023 17:33:36 -0400
Subject: [PATCH 1/8] fix search template auth to allow for search template requests on indices you have access to
Signed-off-by: Derek Ho
---
 .../security/privileges/PrivilegesEvaluatorTest.java | 10 ++++++++++
 .../security/privileges/PrivilegesEvaluator.java | 3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index a896376d4d..c5b2ce8537 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -17,6 +17,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.opensearch.script.mustache.MustacheModulePlugin;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -48,6 +49,7 @@ public class PrivilegesEvaluatorTest {
 public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
 .authc(AUTHC_HTTPBASIC_INTERNAL)
 .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX)
+ .plugin(MustacheModulePlugin.class)
 .build();
 @Test
@@ -68,4 +70,12 @@ public void testRegexPattern() throws Exception {
 }
 }
+
+ @Test
+ public void testSearchTemplateRequest() {
+ try (TestRestClient client = cluster.getRestClient(NEGATED_REGEX)) {
+ assertThat(client.getWithJsonBody("r*/_search/template", "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}").getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+// assertThat(client.getWithJsonBody("logs-123/_search/template", "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}").getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+ }
+ }
 }
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index a3738dadac..f6dbbfc1b5 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -83,6 +83,7 @@
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.reindex.ReindexAction;
+import org.opensearch.script.mustache.SearchTemplateAction;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.configuration.ClusterInfoHolder;
 import org.opensearch.security.configuration.ConfigurationRepository;
@@ -671,7 +672,7 @@ public static boolean isClusterPerm(String action0) {
 || (action0.startsWith(MultiSearchAction.NAME))
 || (action0.equals(MultiTermVectorsAction.NAME))
 || (action0.equals(ReindexAction.NAME))
-
+ || (action0.equals(SearchTemplateAction.NAME))
 );
 }
From 24aa368936cd4217ddaef4fe91fb9dcdd58561bf Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Thu, 29 Jun 2023 17:52:55 -0400
Subject: [PATCH 2/8] fix and add tests
Signed-off-by: Derek Ho
---
 .../privileges/PrivilegesEvaluatorTest.java | 14 ++++++++------
 .../privileges/PrivilegesEvaluatorUnitTest.java | 2 ++
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index c5b2ce8537..17e188f071 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -45,11 +45,14 @@ public class PrivilegesEvaluatorTest {
 new Role("negated_regex_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("cluster_composite_ops")
 );
+ protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
+ new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template")
+ );
+
 @ClassRule
- public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+ public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS).plugin(MustacheModulePlugin.class)
 .authc(AUTHC_HTTPBASIC_INTERNAL)
- .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX)
- .plugin(MustacheModulePlugin.class)
+ .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE)
 .build();
 @Test
@@ -73,9 +76,8 @@ public void testRegexPattern() throws Exception {
 @Test
 public void testSearchTemplateRequest() {
- try (TestRestClient client = cluster.getRestClient(NEGATED_REGEX)) {
- assertThat(client.getWithJsonBody("r*/_search/template", "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}").getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
-// assertThat(client.getWithJsonBody("logs-123/_search/template", "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}").getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+ try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+ assertThat(client.getWithJsonBody("r*/_search/template", "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}").getStatusCode(), equalTo(HttpStatus.SC_OK));
 }
 }
 }
diff --git a/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java b/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java
index e7412f43b4..5c05c553de 100644
--- a/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java
+++ b/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java
@@ -23,11 +23,13 @@ public void testClusterPerm() {
 String writeIndex = "indices:data/write/reindex";
 String adminClose = "indices:admin/close";
 String monitorUpgrade = "indices:monitor/upgrade";
+ String searchTemplate = "indices:data/read/search/template";
 // Cluster Permissions
 assertTrue(isClusterPerm(multiSearchTemplate));
 assertTrue(isClusterPerm(writeIndex));
 assertTrue(isClusterPerm(monitorHealth));
+ assertTrue(isClusterPerm(searchTemplate));
 // Index Permissions
 assertFalse(isClusterPerm(adminClose));
From b640386ed167bd07470690b46b0a1a9784aee191 Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Thu, 29 Jun 2023 17:55:49 -0400
Subject: [PATCH 3/8] spotless
Signed-off-by: Derek Ho
---
 .../privileges/PrivilegesEvaluatorTest.java | 13 ++++++++++---
 .../security/privileges/PrivilegesEvaluator.java | 3 +--
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index 17e188f071..a46493da20 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -46,11 +46,12 @@ public class PrivilegesEvaluatorTest {
 );
 protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
- new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template")
+ new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template")
 );
 @ClassRule
- public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS).plugin(MustacheModulePlugin.class)
+ public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+ .plugin(MustacheModulePlugin.class)
 .authc(AUTHC_HTTPBASIC_INTERNAL)
 .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE)
 .build();
@@ -77,7 +78,13 @@ public void testRegexPattern() throws Exception {
 @Test
 public void testSearchTemplateRequest() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
- assertThat(client.getWithJsonBody("r*/_search/template", "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}").getStatusCode(), equalTo(HttpStatus.SC_OK));
+ assertThat(
+ client.getWithJsonBody(
+ "r*/_search/template",
+ "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
+ ).getStatusCode(),
+ equalTo(HttpStatus.SC_OK)
+ );
 }
 }
 }
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index f6dbbfc1b5..6d1a6d824c 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -672,8 +672,7 @@ public static boolean isClusterPerm(String action0) {
 || (action0.startsWith(MultiSearchAction.NAME))
 || (action0.equals(MultiTermVectorsAction.NAME))
 || (action0.equals(ReindexAction.NAME))
- || (action0.equals(SearchTemplateAction.NAME))
- );
+ || (action0.equals(SearchTemplateAction.NAME)));
 }
 @SuppressWarnings("unchecked")
From bbb1b8633b3ead60781c210c7130f04f2e8a3445 Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Wed, 9 Aug 2023 10:20:13 -0400
Subject: [PATCH 4/8] revert PR to only be tests
Signed-off-by: Derek Ho
---
 .../security/privileges/PrivilegesEvaluatorTest.java | 2 --
 .../opensearch/security/privileges/PrivilegesEvaluator.java | 4 ++--
 .../security/privileges/PrivilegesEvaluatorUnitTest.java | 2 --
 3 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index a46493da20..e013c5f10d 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -17,7 +17,6 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.opensearch.script.mustache.MustacheModulePlugin;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -51,7 +50,6 @@ public class PrivilegesEvaluatorTest {
 @ClassRule
 public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
- .plugin(MustacheModulePlugin.class)
 .authc(AUTHC_HTTPBASIC_INTERNAL)
 .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE)
 .build();
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 6d1a6d824c..a3738dadac 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -83,7 +83,6 @@
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.reindex.ReindexAction;
-import org.opensearch.script.mustache.SearchTemplateAction;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.configuration.ClusterInfoHolder;
 import org.opensearch.security.configuration.ConfigurationRepository;
@@ -672,7 +671,8 @@ public static boolean isClusterPerm(String action0) {
 || (action0.startsWith(MultiSearchAction.NAME))
 || (action0.equals(MultiTermVectorsAction.NAME))
 || (action0.equals(ReindexAction.NAME))
- || (action0.equals(SearchTemplateAction.NAME)));
+
+ );
 }
 @SuppressWarnings("unchecked")
diff --git a/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java b/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java
index 5c05c553de..e7412f43b4 100644
--- a/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java
+++ b/src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java
@@ -23,13 +23,11 @@ public void testClusterPerm() {
 String writeIndex = "indices:data/write/reindex";
 String adminClose = "indices:admin/close";
 String monitorUpgrade = "indices:monitor/upgrade";
- String searchTemplate = "indices:data/read/search/template";
 // Cluster Permissions
 assertTrue(isClusterPerm(multiSearchTemplate));
 assertTrue(isClusterPerm(writeIndex));
 assertTrue(isClusterPerm(monitorHealth));
- assertTrue(isClusterPerm(searchTemplate));
 // Index Permissions
 assertFalse(isClusterPerm(adminClose));
From e78def344a8b2c00e0b26becfe4550b4a9b85e46 Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Wed, 9 Aug 2023 14:48:05 -0400
Subject: [PATCH 5/8] add tests for other situations
Signed-off-by: Derek Ho
---
 .../privileges/PrivilegesEvaluatorTest.java | 32 +++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index e013c5f10d..ae7944d826 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -45,7 +45,7 @@ public class PrivilegesEvaluatorTest {
 );
 protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
- new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template")
+ new Role("search_template_role").indexPermissions("read").on("services")
 );
 @ClassRule
@@ -74,15 +74,41 @@ public void testRegexPattern() throws Exception {
 }
 @Test
- public void testSearchTemplateRequest() {
+ public void testSearchTemplateRequestSuccess() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
 assertThat(
 client.getWithJsonBody(
- "r*/_search/template",
+ "services/_search/template",
 "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
 ).getStatusCode(),
 equalTo(HttpStatus.SC_OK)
 );
 }
 }
+
+ @Test
+ public void testSearchTemplateRequestUnauthorizedIndex() {
+ try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+ assertThat(
+ client.getWithJsonBody(
+ "movies/_search/template",
+ "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
+ ).getStatusCode(),
+ equalTo(HttpStatus.SC_FORBIDDEN)
+ );
+ }
+ }
+
+ @Test
+ public void testSearchTemplateRequestUnauthorizedAllIndices() {
+ try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+ assertThat(
+ client.getWithJsonBody(
+ "_search/template",
+ "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
+ ).getStatusCode(),
+ equalTo(HttpStatus.SC_FORBIDDEN)
+ );
+ }
+ }
 }
From 387f1a67b9ffa5b30cbca3104a5b5846a1f845b1 Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Wed, 9 Aug 2023 14:54:06 -0400
Subject: [PATCH 6/8] spotless
Signed-off-by: Derek Ho
---
 .../privileges/PrivilegesEvaluatorTest.java | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index ae7944d826..ebaa696db0 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -90,11 +90,11 @@ public void testSearchTemplateRequestSuccess() {
 public void testSearchTemplateRequestUnauthorizedIndex() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
 assertThat(
- client.getWithJsonBody(
- "movies/_search/template",
- "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
- ).getStatusCode(),
- equalTo(HttpStatus.SC_FORBIDDEN)
+ client.getWithJsonBody(
+ "movies/_search/template",
+ "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
+ ).getStatusCode(),
+ equalTo(HttpStatus.SC_FORBIDDEN)
 );
 }
 }
@@ -103,11 +103,11 @@ public void testSearchTemplateRequestUnauthorizedIndex() {
 public void testSearchTemplateRequestUnauthorizedAllIndices() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
 assertThat(
- client.getWithJsonBody(
- "_search/template",
- "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
- ).getStatusCode(),
- equalTo(HttpStatus.SC_FORBIDDEN)
+ client.getWithJsonBody(
+ "_search/template",
+ "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
+ ).getStatusCode(),
+ equalTo(HttpStatus.SC_FORBIDDEN)
 );
 }
 }
From c4a3d5ddacc84a678e762d2402339464aa9348e8 Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Wed, 9 Aug 2023 16:13:41 -0400
Subject: [PATCH 7/8] extract query to a constant
Signed-off-by: Derek Ho
---
 .../privileges/PrivilegesEvaluatorTest.java | 27 +++++--------------
 1 file changed, 6 insertions(+), 21 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index ebaa696db0..f7ee9bf4e3 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -48,6 +48,9 @@ public class PrivilegesEvaluatorTest {
 new Role("search_template_role").indexPermissions("read").on("services")
 );
+ private String TEST_QUERY =
+ "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}";
+
 @ClassRule
 public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
 .authc(AUTHC_HTTPBASIC_INTERNAL)
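Review bot: `private String TEST_QUERY =` declares a mutable per-instance field for a value that is never reassigned, and JUnit 4 (the file uses org.junit.Test and @ClassRule) creates a fresh PrivilegesEvaluatorTest instance for every test method, so each one rebuilds it while the UPPER_SNAKE name already promises a constant. Declare it `private static final String TEST_QUERY =`; the same applies to `TEST_DOC` introduced by the first hunk of PATCH 8/8 in this file. Making both static also keeps them usable from static fixtures such as the @ClassRule cluster setup, should the document seeding ever move there.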
@@ -76,39 +79,21 @@ public void testRegexPattern() throws Exception {
 @Test
 public void testSearchTemplateRequestSuccess() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
- assertThat(
- client.getWithJsonBody(
- "services/_search/template",
- "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
- ).getStatusCode(),
- equalTo(HttpStatus.SC_OK)
- );
+ assertThat(client.getWithJsonBody("services/_search/template", TEST_QUERY).getStatusCode(), equalTo(HttpStatus.SC_OK));
 }
 }
 @Test
 public void testSearchTemplateRequestUnauthorizedIndex() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
- assertThat(
- client.getWithJsonBody(
- "movies/_search/template",
- "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
- ).getStatusCode(),
- equalTo(HttpStatus.SC_FORBIDDEN)
- );
+ assertThat(client.getWithJsonBody("movies/_search/template", TEST_QUERY).getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
 }
 }
 @Test
 public void testSearchTemplateRequestUnauthorizedAllIndices() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
- assertThat(
- client.getWithJsonBody(
- "_search/template",
- "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
- ).getStatusCode(),
- equalTo(HttpStatus.SC_FORBIDDEN)
- );
+ assertThat(client.getWithJsonBody("_search/template", TEST_QUERY).getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
 }
 }
 }
From f3e5d46f1bd69f952c2eb82d12cf370a3bd1e58c Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Wed, 16 Aug 2023 10:03:32 -0400
Subject: [PATCH 8/8] update integration tests
Signed-off-by: Derek Ho
---
 .../privileges/PrivilegesEvaluatorTest.java | 32 ++++++++++++++++---
 1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index f7ee9bf4e3..9f9da4366c 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -17,6 +17,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.opensearch.script.mustache.MustacheModulePlugin;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -45,16 +46,19 @@ public class PrivilegesEvaluatorTest {
 );
 protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
- new Role("search_template_role").indexPermissions("read").on("services")
+ new Role("search_template_role").indexPermissions("read").on("services").clusterPermissions("cluster_composite_ops")
 );
 private String TEST_QUERY =
 "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}";
+ private String TEST_DOC = "{\"source\": {\"title\": \"Spirited Away\"}}";
+
 @ClassRule
 public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
 .authc(AUTHC_HTTPBASIC_INTERNAL)
- .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE)
+ .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
+ .plugin(MustacheModulePlugin.class)
 .build();
 @Test
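Review bot: The role gains `.clusterPermissions("cluster_composite_ops")` with no comment, yet that grant is what lets the previously index-only `search_template_role` run `_search/template` at all; a reader of the test cannot tell whether the template action is expected to be authorized as a cluster-level composite operation, as an index read, or both. Add a one-line comment on the role stating the intended evaluation path, e.g. `// template search needs the composite-op cluster permission plus read on the target index -- confirm against PrivilegesEvaluator`, since this series earlier reverted listing SearchTemplateAction in isClusterPerm and the reason is otherwise lost. `TestSecurityConfig.User.USER_ADMIN` added to `.users(...)` serves only to seed the index in the second hunk; saying so in the same comment keeps its broad privileges from reading as part of the scenario under test.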
@@ -78,22 +82,40 @@ public void testRegexPattern() throws Exception {
 @Test
 public void testSearchTemplateRequestSuccess() {
+ // Insert doc into services index with admin user
+ try (TestRestClient client = cluster.getRestClient(TestSecurityConfig.User.USER_ADMIN)) {
+ TestRestClient.HttpResponse response = client.postJson("services/_doc", TEST_DOC);
+ assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
+ }
+
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
- assertThat(client.getWithJsonBody("services/_search/template", TEST_QUERY).getStatusCode(), equalTo(HttpStatus.SC_OK));
+ final String searchTemplateOnServicesIndex = "services/_search/template";
+ final TestRestClient.HttpResponse searchTemplateOnAuthorizedIndexResponse = client.getWithJsonBody(
+ searchTemplateOnServicesIndex,
+ TEST_QUERY
+ );
+ assertThat(searchTemplateOnAuthorizedIndexResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
 }
 }
 @Test
 public void testSearchTemplateRequestUnauthorizedIndex() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
- assertThat(client.getWithJsonBody("movies/_search/template", TEST_QUERY).getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+ final String searchTemplateOnMoviesIndex = "movies/_search/template";
+ final TestRestClient.HttpResponse searchTemplateOnUnauthorizedIndexResponse = client.getWithJsonBody(
+ searchTemplateOnMoviesIndex,
+ TEST_QUERY
+ );
+ assertThat(searchTemplateOnUnauthorizedIndexResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
 }
 }
 @Test
 public void testSearchTemplateRequestUnauthorizedAllIndices() {
 try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
- assertThat(client.getWithJsonBody("_search/template", TEST_QUERY).getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+ final String searchTemplateOnAllIndices = "_search/template";
+ final TestRestClient.HttpResponse searchOnAllIndicesResponse = client.getWithJsonBody(searchTemplateOnAllIndices, TEST_QUERY);
+ assertThat(searchOnAllIndicesResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
 }
 }
 }
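Review bot: testSearchTemplateRequestSuccess only asserts `SC_OK` on `searchTemplateOnAuthorizedIndexResponse`, which proves the request cleared authorization but not that the template was rendered and executed against `services`; a 200 with zero hits passes just the same. The seeded `TEST_DOC` is `{"source": {"title": "Spirited Away"}}` while the template queries the `service` field, so the document can never match the rendered query, and the POST to `services/_doc` carries no refresh, so even a matching document would not necessarily be visible to the search that follows. Seed a document the template actually matches (constructed example: `{"service": "Oracle"}`), post it to `services/_doc?refresh=true`, and assert on the hit count in the response body in addition to the status code. The two FORBIDDEN tests are fine as status-only checks, since authorization rejects those requests before any search runs.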