Additional tests for old privilege evaluation code

Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>

src/integrationTest/java/org/opensearch/security/SnapshotSteps.java

@@ -33,7 +33,7 @@
 import static java.util.Objects.requireNonNull;
 import static org.opensearch.client.RequestOptions.DEFAULT;
 
-class SnapshotSteps {
+public class SnapshotSteps {
 
     private final SnapshotClient snapshotClient;
 

src/integrationTest/java/org/opensearch/security/legacy/SecurityRolesTests.java

@@ -0,0 +1,67 @@
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+package org.opensearch.security.legacy;
+
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.http.HttpStatus;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.security.privileges.PrivilegesEvaluator;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.TestSecurityConfig.Role;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class SecurityRolesTests {
+
+    protected final static TestSecurityConfig.User USER_SR = new TestSecurityConfig.User("sr_user").roles(
+        new Role("abc_ber").indexPermissions("*").on("*").clusterPermissions("*"),
+        new Role("def_efg").indexPermissions("*").on("*").clusterPermissions("*")
+    );
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+        .anonymousAuth(true)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .users(USER_SR)
+        .nodeSettings(Map.of(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), true))
+        .build();
+
+    @Test
+    public void testSecurityRoles() throws Exception {
+        try (TestRestClient client = cluster.getRestClient(USER_SR)) {
+            HttpResponse response = client.getAuthInfo();
+            response.assertStatusCode(HttpStatus.SC_OK);
+
+            // Check username
+            assertThat(response.getTextFromJsonBody("/user_name"), equalTo("sr_user"));
+
+            // Check security roles
+            assertThat(response.getTextFromJsonBody("/roles/0"), equalTo("user_sr_user__abc_ber"));
+            assertThat(response.getTextFromJsonBody("/roles/1"), equalTo("user_sr_user__def_efg"));
+
+        }
+    }
+
+}

src/integrationTest/java/org/opensearch/security/legacy/SystemIndexTests.java

@@ -0,0 +1,119 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.legacy;
+
+import java.util.List;
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.security.http.ExampleSystemIndexPlugin;
+import org.opensearch.security.privileges.PrivilegesEvaluator;
+import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class SystemIndexTests {
+
+    public static final AuthcDomain AUTHC_DOMAIN = new AuthcDomain("basic", 0).httpAuthenticatorWithChallenge("basic").backend("internal");
+
+    @ClassRule
+    public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .anonymousAuth(false)
+        .authc(AUTHC_DOMAIN)
+        .users(USER_ADMIN)
+        .plugin(ExampleSystemIndexPlugin.class)
+        .nodeSettings(
+            Map.of(
+                SECURITY_RESTAPI_ROLES_ENABLED,
+                List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName()),
+                SECURITY_SYSTEM_INDICES_ENABLED_KEY,
+                true,
+                PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(),
+                true
+            )
+        )
+        .build();
+
+    @Before
+    public void setup() {
+        try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
+            client.delete(".system-index1");
+        }
+    }
+
+    @Test
+    public void adminShouldNotBeAbleToDeleteSecurityIndex() {
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            HttpResponse response = client.delete(".opendistro_security");
+
+            assertThat(response.getStatusCode(), equalTo(RestStatus.FORBIDDEN.getStatus()));
+
+            // Create regular index
+            client.put("test-index");
+
+            // regular user can delete non-system index
+            HttpResponse response2 = client.delete("test-index");
+
+            assertThat(response2.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+
+            // regular use can create system index
+            HttpResponse response3 = client.put(".system-index1");
+
+            assertThat(response3.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+
+            // regular user cannot delete system index
+            HttpResponse response4 = client.delete(".system-index1");
+
+            assertThat(response4.getStatusCode(), equalTo(RestStatus.FORBIDDEN.getStatus()));
+        }
+    }
+
+    @Test
+    public void regularUserShouldGetNoResultsWhenSearchingSystemIndex() {
+        // Create system index and index a dummy document as the super admin user, data returned to super admin
+        try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
+            HttpResponse response1 = client.put(".system-index1");
+
+            assertThat(response1.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+            String doc = "{\"field\":\"value\"}";
+            HttpResponse adminPostResponse = client.postJson(".system-index1/_doc/1?refresh=true", doc);
+            assertThat(adminPostResponse.getStatusCode(), equalTo(RestStatus.CREATED.getStatus()));
+            HttpResponse response2 = client.get(".system-index1/_search");
+
+            assertThat(response2.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+            assertThat(response2.getBody(), response2.getBody().contains("\"hits\":{\"total\":{\"value\":1,\"relation\":\"eq\"}"));
+        }
+
+        // Regular users should not be able to read it
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            // regular user cannot read system index
+            HttpResponse response1 = client.get(".system-index1/_search");
+
+            assertThat(response1.getBody(), response1.getBody().contains("\"hits\":{\"total\":{\"value\":0,\"relation\":\"eq\"}"));
+        }
+    }
+}

src/test/java/org/opensearch/security/AggregationTests.java

@@ -26,6 +26,11 @@
 
 package org.opensearch.security;
 
+import java.util.Arrays;
+import java.util.Collection;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
 import org.apache.http.HttpStatus;
 import org.junit.Test;
 
@@ -37,6 +42,7 @@
 import org.opensearch.client.Client;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.test.SingleClusterTest;
 import org.opensearch.security.test.helper.rest.RestHelper;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
@@ -45,10 +51,22 @@
 import static org.hamcrest.Matchers.is;
 
 public class AggregationTests extends SingleClusterTest {
+    private boolean useOldPrivilegeEvaluationImplementation;
+
+    @ParametersFactory()
+    public static Collection<Object[]> params() {
+        return Arrays.asList(new Object[] { false }, new Object[] { true });
+    }
+
+    public AggregationTests(@Name("useOldPrivilegeEvaluationImplementation") boolean useOldPrivilegeEvaluationImplementation) {
+        this.useOldPrivilegeEvaluationImplementation = useOldPrivilegeEvaluationImplementation;
+    }
 
     @Test
     public void testBasicAggregations() throws Exception {
-        final Settings settings = Settings.builder().build();
+        final Settings settings = Settings.builder()
+            .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+            .build();
 
         setup(settings);
         final RestHelper rh = nonSslRestHelper();

src/test/java/org/opensearch/security/DataStreamIntegrationTests.java

@@ -11,10 +11,17 @@
 
 package org.opensearch.security;
 
+import java.util.Arrays;
+import java.util.Collection;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
 import org.apache.http.HttpStatus;
 import org.junit.Assert;
 import org.junit.Test;
 
+import org.opensearch.common.settings.Settings;
+import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.test.SingleClusterTest;
 import org.opensearch.security.test.helper.rest.RestHelper;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
@@ -23,6 +30,16 @@
 import static org.hamcrest.Matchers.is;
 
 public class DataStreamIntegrationTests extends SingleClusterTest {
+    private boolean useOldPrivilegeEvaluationImplementation;
+
+    @ParametersFactory()
+    public static Collection<Object[]> params() {
+        return Arrays.asList(new Object[] { false }, new Object[] { true });
+    }
+
+    public DataStreamIntegrationTests(@Name("useOldPrivilegeEvaluationImplementation") boolean useOldPrivilegeEvaluationImplementation) {
+        this.useOldPrivilegeEvaluationImplementation = useOldPrivilegeEvaluationImplementation;
+    }
 
     final String bulkDocsBody = "{ \"create\" : {} }"
         + System.lineSeparator()
@@ -58,7 +75,12 @@ public void createSampleDataStreams(RestHelper rh) throws Exception {
     @Test
     public void testCreateDataStream() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
+
         RestHelper rh = nonSslRestHelper();
         HttpResponse response;
 
@@ -95,7 +117,11 @@ public void testCreateDataStream() throws Exception {
     @Test
     public void testGetDataStream() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
         RestHelper rh = nonSslRestHelper();
         createSampleDataStreams(rh);
         HttpResponse response;
@@ -140,7 +166,11 @@ public void testGetDataStream() throws Exception {
     @Test
     public void testDeleteDataStream() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
         RestHelper rh = nonSslRestHelper();
         createSampleDataStreams(rh);
         HttpResponse response;
@@ -188,7 +218,11 @@ public void testDeleteDataStream() throws Exception {
     @Test
     public void testDataStreamStats() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
         RestHelper rh = nonSslRestHelper();
         createSampleDataStreams(rh);
         HttpResponse response;
@@ -236,7 +270,11 @@ public void testDataStreamStats() throws Exception {
     @Test
     public void testGetIndexOnBackingIndicesOfDataStream() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
         RestHelper rh = nonSslRestHelper();
         createSampleDataStreams(rh);
         HttpResponse response;
@@ -281,7 +319,11 @@ public void testGetIndexOnBackingIndicesOfDataStream() throws Exception {
     @Test
     public void testDocumentLevelSecurityOnDataStream() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
         RestHelper rh = nonSslRestHelper();
         createSampleDataStreams(rh);
         HttpResponse response;
@@ -350,7 +392,11 @@ public void testDocumentLevelSecurityOnDataStream() throws Exception {
     @Test
     public void testFLSOnBackingIndicesOfDataStream() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
         RestHelper rh = nonSslRestHelper();
         createSampleDataStreams(rh);
         HttpResponse response;
@@ -428,7 +474,11 @@ public void testFLSOnBackingIndicesOfDataStream() throws Exception {
     @Test
     public void testFieldMaskingOnDataStream() throws Exception {
 
-        setup();
+        setup(
+            Settings.builder()
+                .put(PrivilegesEvaluator.USE_LEGACY_PRIVILEGE_EVALUATOR.getKey(), useOldPrivilegeEvaluationImplementation)
+                .build()
+        );
         RestHelper rh = nonSslRestHelper();
         createSampleDataStreams(rh);
         HttpResponse response;