Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement new extension points in IdentityPlugin and add ContextProvidingPluginSubject #34

Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Original file line number Diff line number Diff line change
Expand Up @@ -19,15 +19,19 @@
import org.junit.runner.RunWith;

import org.opensearch.core.rest.RestStatus;
import org.opensearch.security.http.ExampleSystemIndexPlugin;
import org.opensearch.security.plugin.SystemIndexPlugin1;
import org.opensearch.security.plugin.SystemIndexPlugin2;
import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;
import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.opensearch.security.plugin.SystemIndexPlugin1.SYSTEM_INDEX_1;
import static org.opensearch.security.plugin.SystemIndexPlugin2.SYSTEM_INDEX_2;
import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
import static org.opensearch.security.support.ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY;
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
Expand All @@ -44,7 +48,7 @@ public class SystemIndexTests {
.anonymousAuth(false)
.authc(AUTHC_DOMAIN)
.users(USER_ADMIN)
.plugin(ExampleSystemIndexPlugin.class)
.plugin(SystemIndexPlugin1.class, SystemIndexPlugin2.class)
.nodeSettings(
Map.of(
SECURITY_RESTAPI_ROLES_ENABLED,
Expand Down Expand Up @@ -89,6 +93,95 @@ public void adminShouldNotBeAbleToDeleteSecurityIndex() {
}
}

@Test
public void testPluginShouldBeAbleToIndexDocumentIntoItsSystemIndex() {
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.put("try-create-and-index/" + SYSTEM_INDEX_1);

assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
assertThat(response.getBody(), containsString(SystemIndexPlugin1.class.getCanonicalName()));
}
}

@Test
public void testPluginShouldNotBeAbleToIndexDocumentIntoSystemIndexRegisteredByOtherPlugin() {
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.put("try-create-and-index/" + SYSTEM_INDEX_2);

assertThat(response.getStatusCode(), equalTo(RestStatus.FORBIDDEN.getStatus()));
assertThat(
response.getBody(),
containsString("no permissions for [] and User [name=plugin:org.opensearch.security.plugin.SystemIndexPlugin1")
);
}
}

@Test
public void testPluginShouldBeAbleToCreateSystemIndexButUserShouldNotBeAbleToIndex() {
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.put("try-create-and-index/" + SYSTEM_INDEX_1 + "?runAs=user");

assertThat(response.getStatusCode(), equalTo(RestStatus.FORBIDDEN.getStatus()));
assertThat(response.getBody(), containsString("no permissions for [] and User [name=admin"));
}
}

@Test
public void testPluginShouldNotBeAbleToRunClusterActions() {
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.get("try-cluster-health/plugin");

assertThat(response.getStatusCode(), equalTo(RestStatus.FORBIDDEN.getStatus()));
assertThat(
response.getBody(),
containsString("no permissions for [] and User [name=plugin:org.opensearch.security.plugin.SystemIndexPlugin1")
);
}
}

@Test
public void testAdminUserShouldBeAbleToRunClusterActions() {
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.get("try-cluster-health/user");

assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
}
}

@Test
public void testAuthenticatedUserShouldBeAbleToRunClusterActions() {
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.get("try-cluster-health/default");

assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
}
}

@Test
public void testPluginShouldBeAbleToBulkIndexDocumentIntoItsSystemIndex() {
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.put("try-create-and-bulk-index/" + SYSTEM_INDEX_1);

assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
}
}

@Test
public void testPluginShouldNotBeAbleToBulkIndexDocumentIntoMixOfSystemIndexWhereAtLeastOneDoesNotBelongToPlugin() {
try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
client.put(".system-index1");
client.put(".system-index2");
}
try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
HttpResponse response = client.put("try-create-and-bulk-mixed-index");

assertThat(
response.getBody(),
containsString("no permissions for [] and User [name=plugin:org.opensearch.security.plugin.SystemIndexPlugin1")
);
}
}

@Test
public void regularUserShouldGetNoResultsWhenSearchingSystemIndex() {
// Create system index and index a dummy document as the super admin user, data returned to super admin
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@
import org.opensearch.common.xcontent.XContentFactory;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.core.xcontent.XContentBuilder;
import org.opensearch.security.http.ExampleSystemIndexPlugin;
import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;
Expand All @@ -47,7 +46,6 @@ public class ThreadPoolTests {
.anonymousAuth(false)
.authc(AUTHC_DOMAIN)
.users(USER_ADMIN)
.plugin(ExampleSystemIndexPlugin.class)
.nodeSettings(Map.of(SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName())))
.build();

Expand Down

This file was deleted.

Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
*/

package org.opensearch.security.plugin;

import org.opensearch.action.ActionType;

public class IndexDocumentIntoSystemIndexAction extends ActionType<IndexDocumentIntoSystemIndexResponse> {
public static final IndexDocumentIntoSystemIndexAction INSTANCE = new IndexDocumentIntoSystemIndexAction();
public static final String NAME = "cluster:mock/systemindex/index";

private IndexDocumentIntoSystemIndexAction() {
super(NAME, IndexDocumentIntoSystemIndexResponse::new);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
*/

package org.opensearch.security.plugin;

import java.io.IOException;

import org.opensearch.action.ActionRequest;
import org.opensearch.action.ActionRequestValidationException;
import org.opensearch.core.common.io.stream.StreamInput;

public class IndexDocumentIntoSystemIndexRequest extends ActionRequest {

private final String indexName;

private final String runAs;

public IndexDocumentIntoSystemIndexRequest(String indexName, String runAs) {
this.indexName = indexName;
this.runAs = runAs;
}

public IndexDocumentIntoSystemIndexRequest(StreamInput in) throws IOException {
super(in);
this.indexName = in.readString();
this.runAs = in.readOptionalString();
}

@Override
public ActionRequestValidationException validate() {
return null;
}

public String getIndexName() {
return this.indexName;
}

public String getRunAs() {
return this.runAs;
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
*/

package org.opensearch.security.plugin;

// CS-SUPPRESS-SINGLE: RegexpSingleline It is not possible to use phrase "cluster manager" instead of master here
import java.io.IOException;

import org.opensearch.action.support.master.AcknowledgedResponse;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.core.xcontent.ToXContentObject;
import org.opensearch.core.xcontent.XContentBuilder;
// CS-ENFORCE-SINGLE

public class IndexDocumentIntoSystemIndexResponse extends AcknowledgedResponse implements ToXContentObject {

private String plugin;

public IndexDocumentIntoSystemIndexResponse(boolean status, String plugin) {
super(status);
this.plugin = plugin;
}

public IndexDocumentIntoSystemIndexResponse(StreamInput in) throws IOException {
super(in);
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(plugin);
}

@Override
public void addCustomFields(XContentBuilder builder, ToXContent.Params params) throws IOException {
super.addCustomFields(builder, params);
builder.field("plugin", plugin);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
*/

package org.opensearch.security.plugin;

import java.util.List;

import org.opensearch.action.bulk.BulkRequest;
import org.opensearch.action.bulk.BulkRequestBuilder;
import org.opensearch.action.index.IndexRequest;
import org.opensearch.action.support.WriteRequest;
import org.opensearch.client.Client;
import org.opensearch.client.node.NodeClient;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.rest.BaseRestHandler;
import org.opensearch.rest.BytesRestResponse;
import org.opensearch.rest.RestChannel;
import org.opensearch.rest.RestRequest;
import org.opensearch.security.identity.PluginContextSwitcher;

import static java.util.Collections.singletonList;
import static org.opensearch.rest.RestRequest.Method.PUT;
import static org.opensearch.security.plugin.SystemIndexPlugin1.SYSTEM_INDEX_1;
import static org.opensearch.security.plugin.SystemIndexPlugin2.SYSTEM_INDEX_2;

public class RestBulkIndexDocumentIntoMixOfSystemIndexAction extends BaseRestHandler {

private final Client client;
private final PluginContextSwitcher contextSwitcher;

public RestBulkIndexDocumentIntoMixOfSystemIndexAction(Client client, PluginContextSwitcher contextSwitcher) {
this.client = client;
this.contextSwitcher = contextSwitcher;
}

@Override
public List<Route> routes() {
return singletonList(new Route(PUT, "/try-create-and-bulk-mixed-index"));
}

@Override
public String getName() {
return "test_bulk_index_document_into_mix_of_system_index_action";
}

@Override
public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) {
return new RestChannelConsumer() {

@Override
public void accept(RestChannel channel) throws Exception {
contextSwitcher.runAs(() -> {
BulkRequestBuilder builder = client.prepareBulk();
builder.add(new IndexRequest(SYSTEM_INDEX_1).source("content", 1));
builder.add(new IndexRequest(SYSTEM_INDEX_2).source("content", 1));
builder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE);
BulkRequest bulkRequest = builder.request();
client.bulk(bulkRequest, ActionListener.wrap(r -> {
channel.sendResponse(
new BytesRestResponse(RestStatus.OK, r.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS))
);
}, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); }));
return null;
});
}
};
}
}
Loading
Loading