From 1c8dbe5edca19075d7936d97fb7b8fea71026c17 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Wed, 19 Jul 2023 15:48:17 +0000 Subject: [PATCH] IT placeholders, refactor to support assuming identities Signed-off-by: Peter Nied --- .../identity/ApplicationScopeIT.java | 84 ++++++++++++++++ .../identity/IdentityServiceIT.java | 81 ++++++++++++++++ .../extensions/DiscoveryExtensionNode.java | 2 +- .../{ => identity}/Application.java | 2 +- .../identity/ApplicationAwareSubject.java | 54 +++++++---- .../identity/AssumeIdentityException.java | 17 ++++ .../opensearch/identity/IdentityService.java | 34 ++++++- .../java/org/opensearch/identity/Subject.java | 2 +- .../main/java/org/opensearch/node/Node.java | 4 +- .../org/opensearch/plugins/PluginInfo.java | 2 +- .../wrappers/ScopeProtectedActionPlugin.java | 24 ++--- .../opensearch/action/ActionModuleTests.java | 3 +- .../client/node/NodeClientHeadersTests.java | 22 ++--- .../extensions/ExtensionsManagerTests.java | 3 +- .../rest/RestSendToExtensionActionTests.java | 3 +- .../ApplicationAwareSubjectTests.java | 24 +++++ .../identity/ApplicationManagerTests.java | 3 + .../identity/IdentityPluginTests.java | 6 +- .../scopes/ExtensionPointScopeTests.java | 96 ------------------- ...{ActionScopeTests.java => ScopeTests.java} | 45 ++------- .../ScopeProtectedActionPluginTests.java | 91 ++++++++++++++++++ .../opensearch/rest/RestControllerTests.java | 6 +- .../rest/RestHttpResponseHeadersTests.java | 5 +- .../indices/RestValidateQueryActionTests.java | 12 +-- .../snapshots/SnapshotResiliencyTests.java | 3 +- 25 files changed, 421 insertions(+), 207 deletions(-) create mode 100644 server/src/internalClusterTest/java/org/opensearch/identity/ApplicationScopeIT.java create mode 100644 server/src/internalClusterTest/java/org/opensearch/identity/IdentityServiceIT.java rename server/src/main/java/org/opensearch/{ => identity}/Application.java (89%) create mode 100644 server/src/main/java/org/opensearch/identity/AssumeIdentityException.java create mode 100644 server/src/test/java/org/opensearch/identity/ApplicationAwareSubjectTests.java create mode 100644 server/src/test/java/org/opensearch/identity/ApplicationManagerTests.java delete mode 100644 server/src/test/java/org/opensearch/identity/scopes/ExtensionPointScopeTests.java rename server/src/test/java/org/opensearch/identity/scopes/{ActionScopeTests.java => ScopeTests.java} (74%) create mode 100644 server/src/test/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPluginTests.java diff --git a/server/src/internalClusterTest/java/org/opensearch/identity/ApplicationScopeIT.java b/server/src/internalClusterTest/java/org/opensearch/identity/ApplicationScopeIT.java new file mode 100644 index 0000000000000..61765135148d6 --- /dev/null +++ b/server/src/internalClusterTest/java/org/opensearch/identity/ApplicationScopeIT.java @@ -0,0 +1,84 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.identity; + +import org.apache.lucene.index.LeafReaderContext; +import org.apache.lucene.search.CollectionTerminatedException; +import org.apache.lucene.search.ScoreMode; + +import org.opensearch.ExceptionsHelper; +import org.opensearch.action.ActionListener; +import org.opensearch.action.admin.cluster.node.stats.NodeStats; +import org.opensearch.action.admin.cluster.node.stats.NodesStatsRequest; +import org.opensearch.action.admin.cluster.node.stats.NodesStatsResponse; +import org.opensearch.action.index.IndexRequest; +import org.opensearch.action.index.IndexResponse; +import org.opensearch.action.support.IndicesOptions; +import org.opensearch.action.support.WriteRequest; +import org.opensearch.client.Client; +import org.opensearch.cluster.metadata.IndexMetadata; +import org.opensearch.common.breaker.CircuitBreaker; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.common.settings.Settings; +import org.opensearch.common.unit.TimeValue; +import org.opensearch.common.util.concurrent.AtomicArray; +import org.opensearch.core.common.Strings; +import org.opensearch.core.xcontent.ObjectParser; +import org.opensearch.core.xcontent.XContentBuilder; +import org.opensearch.index.IndexSettings; +import org.opensearch.index.query.QueryShardContext; +import org.opensearch.index.query.RangeQueryBuilder; +import org.opensearch.index.shard.IndexShard; +import org.opensearch.indices.IndicesService; +import org.opensearch.indices.replication.common.ReplicationType; +import org.opensearch.plugins.Plugin; +import org.opensearch.plugins.SearchPlugin; +import org.opensearch.core.rest.RestStatus; +import org.opensearch.search.DocValueFormat; +import org.opensearch.search.SearchHit; +import org.opensearch.search.aggregations.AbstractAggregationBuilder; +import org.opensearch.search.aggregations.AggregationBuilder; +import org.opensearch.search.aggregations.Aggregations; +import org.opensearch.search.aggregations.Aggregator; +import org.opensearch.search.aggregations.AggregatorBase; +import org.opensearch.search.aggregations.AggregatorFactories; +import org.opensearch.search.aggregations.AggregatorFactory; +import org.opensearch.search.aggregations.CardinalityUpperBound; +import org.opensearch.search.aggregations.InternalAggregation; +import org.opensearch.search.aggregations.LeafBucketCollector; +import org.opensearch.search.aggregations.bucket.terms.LongTerms; +import org.opensearch.search.aggregations.bucket.terms.TermsAggregationBuilder; +import org.opensearch.search.aggregations.metrics.InternalMax; +import org.opensearch.search.aggregations.support.ValueType; +import org.opensearch.search.builder.SearchSourceBuilder; +import org.opensearch.search.fetch.FetchSubPhase; +import org.opensearch.search.fetch.FetchSubPhaseProcessor; +import org.opensearch.search.internal.SearchContext; +import org.opensearch.test.OpenSearchIntegTestCase; + +import java.io.IOException; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.Map; +import java.util.concurrent.CountDownLatch; + +import static org.opensearch.test.hamcrest.OpenSearchAssertions.assertAcked; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; + +public class ApplicationScopeIT extends OpenSearchIntegTestCase { + + // TODO: Test case, verify that application with no scopes cannot SEARCH + + // TODO: Test case, verify that allowed application can SEARCH + + // TODO: Test case, verify that SUPER_USER access application can SEARCH,... +} diff --git a/server/src/internalClusterTest/java/org/opensearch/identity/IdentityServiceIT.java b/server/src/internalClusterTest/java/org/opensearch/identity/IdentityServiceIT.java new file mode 100644 index 0000000000000..e114259a3890b --- /dev/null +++ b/server/src/internalClusterTest/java/org/opensearch/identity/IdentityServiceIT.java @@ -0,0 +1,81 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.identity; + +import org.apache.lucene.index.LeafReaderContext; +import org.apache.lucene.search.CollectionTerminatedException; +import org.apache.lucene.search.ScoreMode; + +import org.opensearch.ExceptionsHelper; +import org.opensearch.action.ActionListener; +import org.opensearch.action.admin.cluster.node.stats.NodeStats; +import org.opensearch.action.admin.cluster.node.stats.NodesStatsRequest; +import org.opensearch.action.admin.cluster.node.stats.NodesStatsResponse; +import org.opensearch.action.index.IndexRequest; +import org.opensearch.action.index.IndexResponse; +import org.opensearch.action.support.IndicesOptions; +import org.opensearch.action.support.WriteRequest; +import org.opensearch.client.Client; +import org.opensearch.cluster.metadata.IndexMetadata; +import org.opensearch.common.breaker.CircuitBreaker; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.common.settings.Settings; +import org.opensearch.common.unit.TimeValue; +import org.opensearch.common.util.concurrent.AtomicArray; +import org.opensearch.core.common.Strings; +import org.opensearch.core.xcontent.ObjectParser; +import org.opensearch.core.xcontent.XContentBuilder; +import org.opensearch.index.IndexSettings; +import org.opensearch.index.query.QueryShardContext; +import org.opensearch.index.query.RangeQueryBuilder; +import org.opensearch.index.shard.IndexShard; +import org.opensearch.indices.IndicesService; +import org.opensearch.indices.replication.common.ReplicationType; +import org.opensearch.plugins.Plugin; +import org.opensearch.plugins.SearchPlugin; +import org.opensearch.core.rest.RestStatus; +import org.opensearch.search.DocValueFormat; +import org.opensearch.search.SearchHit; +import org.opensearch.search.aggregations.AbstractAggregationBuilder; +import org.opensearch.search.aggregations.AggregationBuilder; +import org.opensearch.search.aggregations.Aggregations; +import org.opensearch.search.aggregations.Aggregator; +import org.opensearch.search.aggregations.AggregatorBase; +import org.opensearch.search.aggregations.AggregatorFactories; +import org.opensearch.search.aggregations.AggregatorFactory; +import org.opensearch.search.aggregations.CardinalityUpperBound; +import org.opensearch.search.aggregations.InternalAggregation; +import org.opensearch.search.aggregations.LeafBucketCollector; +import org.opensearch.search.aggregations.bucket.terms.LongTerms; +import org.opensearch.search.aggregations.bucket.terms.TermsAggregationBuilder; +import org.opensearch.search.aggregations.metrics.InternalMax; +import org.opensearch.search.aggregations.support.ValueType; +import org.opensearch.search.builder.SearchSourceBuilder; +import org.opensearch.search.fetch.FetchSubPhase; +import org.opensearch.search.fetch.FetchSubPhaseProcessor; +import org.opensearch.search.internal.SearchContext; +import org.opensearch.test.OpenSearchIntegTestCase; + +import java.io.IOException; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.Map; +import java.util.concurrent.CountDownLatch; + +import static org.opensearch.test.hamcrest.OpenSearchAssertions.assertAcked; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; + +public class IdentityServiceIT extends OpenSearchIntegTestCase { + + // TODO: Verify that application aware subject is persisted on the same request + +} \ No newline at end of file diff --git a/server/src/main/java/org/opensearch/extensions/DiscoveryExtensionNode.java b/server/src/main/java/org/opensearch/extensions/DiscoveryExtensionNode.java index 801c9bfb195a4..95e17426cf119 100644 --- a/server/src/main/java/org/opensearch/extensions/DiscoveryExtensionNode.java +++ b/server/src/main/java/org/opensearch/extensions/DiscoveryExtensionNode.java @@ -15,7 +15,7 @@ import java.util.List; import java.util.Map; import java.util.Set; -import org.opensearch.Application; +import org.opensearch.identity.Application; import org.opensearch.OpenSearchException; import org.opensearch.Version; import org.opensearch.cluster.node.DiscoveryNode; diff --git a/server/src/main/java/org/opensearch/Application.java b/server/src/main/java/org/opensearch/identity/Application.java similarity index 89% rename from server/src/main/java/org/opensearch/Application.java rename to server/src/main/java/org/opensearch/identity/Application.java index d32b73a04cb91..3d88deaf13401 100644 --- a/server/src/main/java/org/opensearch/Application.java +++ b/server/src/main/java/org/opensearch/identity/Application.java @@ -3,7 +3,7 @@ * SPDX-License-Identifier: Apache-2.0 */ -package org.opensearch; +package org.opensearch.identity; import java.security.Principal; diff --git a/server/src/main/java/org/opensearch/identity/ApplicationAwareSubject.java b/server/src/main/java/org/opensearch/identity/ApplicationAwareSubject.java index 9bdca99396238..cc923a721c763 100644 --- a/server/src/main/java/org/opensearch/identity/ApplicationAwareSubject.java +++ b/server/src/main/java/org/opensearch/identity/ApplicationAwareSubject.java @@ -16,7 +16,13 @@ import java.util.Objects; import java.util.Optional; import java.util.Set; +import java.util.concurrent.Callable; +import java.util.function.Supplier; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.atomic.AtomicBoolean; +import java.util.concurrent.atomic.AtomicReference; +import org.opensearch.identity.scopes.ApplicationScope; import org.opensearch.identity.scopes.ApplicationScope; import org.opensearch.identity.scopes.Scope; import org.opensearch.identity.tokens.AuthToken; @@ -32,14 +38,15 @@ @SuppressWarnings("overrides") public class ApplicationAwareSubject implements Subject { - private final Subject wrapped; + private final AtomicReference assumedApplication = new AtomicReference<>(); + private final Supplier wrapped; private final ApplicationManager applicationManager; /** * We wrap a basic Subject object to create an ApplicationAwareSubject -- this should come from the IdentityService * @param wrapped The Subject to be wrapped */ - public ApplicationAwareSubject(final Subject wrapped, final ApplicationManager applicationManager) { + public ApplicationAwareSubject(final Supplier wrapped, final ApplicationManager applicationManager) { this.wrapped = wrapped; this.applicationManager = applicationManager; } @@ -50,8 +57,16 @@ public ApplicationAwareSubject(final Subject wrapped, final ApplicationManager a * @return true if allowed, false if none of the scopes are allowed. */ public boolean isAllowed(final List scopes) { + final boolean isSubjectApplicationAllowed = isAllowed(getApplication(), scopes); + + final Optional assumedApplicationPrincipal = Optional.ofNullable(assumedApplication.get()) + .map(Application::getPrincipal); + final boolean isAssumedApplicationAllowed = isAllowed(assumedApplicationPrincipal, scopes); + + return isSubjectApplicationAllowed && isAssumedApplicationAllowed; + } - final Optional application = this.getApplication(); + private boolean isAllowed(final Optional application, final List scopes) { if (application.isEmpty()) { // If there is no application, actions are allowed by default return true; @@ -76,29 +91,28 @@ public boolean isAllowed(final List scopes) { return hasMatchingScopes; } - // Passthroughs for wrapped subject + public synchronized T runAs(final Application application, final Callable callable) { + if (!assumedApplication.compareAndSet(null, application)) { + throw new AssumeIdentityException("Subject is already running as another application, " + assumedApplication.get() + ", tried to become " + application); + } + try { + return callable.call(); + } catch (final Exception e) { + throw new RuntimeException(e); + } finally { + assumedApplication.set(null); + } + } + public Principal getPrincipal() { - return wrapped.getPrincipal(); + return wrapped.get().getPrincipal(); } public void authenticate(final AuthToken token) { - wrapped.authenticate(token); + wrapped.get().authenticate(token); } public Optional getApplication() { - return wrapped.getApplication(); - } - // end Passthroughs for wrapped subject - - @Override - public boolean equals(Object obj) { - if (this == obj) { - return true; - } - if (!(obj instanceof ApplicationAwareSubject)) { - return false; - } - final ApplicationAwareSubject other = (ApplicationAwareSubject) obj; - return Objects.equals(this.wrapped, other.wrapped); + return wrapped.get().getApplication(); } } diff --git a/server/src/main/java/org/opensearch/identity/AssumeIdentityException.java b/server/src/main/java/org/opensearch/identity/AssumeIdentityException.java new file mode 100644 index 0000000000000..0dbe126b9a0f4 --- /dev/null +++ b/server/src/main/java/org/opensearch/identity/AssumeIdentityException.java @@ -0,0 +1,17 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ + +package org.opensearch.identity; + +/** + * An exception thrown when the subject is not authorized for the given permission + * + * @opensearch.experimental + */ +public class AssumeIdentityException extends RuntimeException { + public AssumeIdentityException(final String message) { + super(message); + } +} \ No newline at end of file diff --git a/server/src/main/java/org/opensearch/identity/IdentityService.java b/server/src/main/java/org/opensearch/identity/IdentityService.java index 47162a6e678fe..cd80133e2ae86 100644 --- a/server/src/main/java/org/opensearch/identity/IdentityService.java +++ b/server/src/main/java/org/opensearch/identity/IdentityService.java @@ -5,16 +5,20 @@ package org.opensearch.identity; +import java.security.Principal; import java.util.List; +import java.util.Optional; +import java.util.concurrent.atomic.AtomicReference; import java.util.stream.Collectors; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchException; import org.opensearch.common.settings.Settings; import org.opensearch.identity.noop.NoopIdentityPlugin; +import org.opensearch.identity.noop.NoopSubject; import org.opensearch.identity.tokens.TokenManager; import org.opensearch.plugins.IdentityPlugin; - +import org.opensearch.common.util.concurrent.ThreadContext; /** * Identity and access control for OpenSearch * @@ -26,6 +30,7 @@ public class IdentityService { private final Settings settings; private final IdentityPlugin identityPlugin; private final ApplicationManager applicationManager; + private final AtomicReference threadContext = new AtomicReference<>(); public IdentityService( final Settings settings, @@ -49,11 +54,17 @@ public IdentityService( } } + public void associateThreadContext(final ThreadContext threadContext) { + if (!this.threadContext.compareAndSet(null, threadContext)) { + throw new OpenSearchException("Thread context was already associated to identity service"); + } + } + /** * Gets the current Subject */ public ApplicationAwareSubject getSubject() { - return new ApplicationAwareSubject(identityPlugin.getSubject(), applicationManager); + return getSubjectFromContext().orElseGet(this::createSubjectAndPutInContext); } /** @@ -62,4 +73,23 @@ public ApplicationAwareSubject getSubject() { public TokenManager getTokenManager() { return identityPlugin.getTokenManager(); } + + private static final String SUBJECT_CONTEXT_KEY = "application_aware_subject"; + private Optional getSubjectFromContext() { + return Optional.ofNullable(threadContext.get()) + .map(context -> context.getPersistent(SUBJECT_CONTEXT_KEY)) + .map(sub -> { + if (sub instanceof ApplicationAwareSubject) { + return (ApplicationAwareSubject)sub; + } + return null; + }); + } + + private ApplicationAwareSubject createSubjectAndPutInContext() { + final ApplicationAwareSubject newSubject = new ApplicationAwareSubject(identityPlugin::getSubject, applicationManager); + Optional.ofNullable(threadContext.get()) + .ifPresent(context -> context.putPersistent(SUBJECT_CONTEXT_KEY, newSubject)); + return newSubject; + } } diff --git a/server/src/main/java/org/opensearch/identity/Subject.java b/server/src/main/java/org/opensearch/identity/Subject.java index b679341d1d62c..cbf9ee0253449 100644 --- a/server/src/main/java/org/opensearch/identity/Subject.java +++ b/server/src/main/java/org/opensearch/identity/Subject.java @@ -10,7 +10,7 @@ import java.util.Optional; /** - * An individual, process, or device that causes information to flow among objects or change to the system state. + * An individual, process, or device that causes information to flow among objects or changes to the system state. * * @opensearch.experimental */ diff --git a/server/src/main/java/org/opensearch/node/Node.java b/server/src/main/java/org/opensearch/node/Node.java index 0f0664148583f..c9bb542035f77 100644 --- a/server/src/main/java/org/opensearch/node/Node.java +++ b/server/src/main/java/org/opensearch/node/Node.java @@ -531,6 +531,7 @@ protected Node( // adds the context to the DeprecationLogger so that it does not need to be injected everywhere HeaderWarning.setThreadContext(threadPool.getThreadContext()); resourcesToClose.add(() -> HeaderWarning.removeThreadContext(threadPool.getThreadContext())); + identityService.associateThreadContext(threadPool.getThreadContext()); final List> additionalSettings = new ArrayList<>(); // register the node.data, node.ingest, node.master, node.remote_cluster_client settings here so we can mark them private @@ -804,9 +805,10 @@ protected Node( ) .collect(Collectors.toList()); + //TODO MOVE INTO MODULE final List scopeProtectedActionPlugin = pluginsService.filterPlugins(ActionPlugin.class) .stream() - .map(plugin -> new ScopeProtectedActionPlugin(plugin, identityService)) + .map(plugin -> new ScopeProtectedActionPlugin(null, plugin, identityService)) .collect(Collectors.toList()); ActionModule actionModule = new ActionModule( diff --git a/server/src/main/java/org/opensearch/plugins/PluginInfo.java b/server/src/main/java/org/opensearch/plugins/PluginInfo.java index 51520fb7c7ef5..c69615de27f56 100644 --- a/server/src/main/java/org/opensearch/plugins/PluginInfo.java +++ b/server/src/main/java/org/opensearch/plugins/PluginInfo.java @@ -45,7 +45,7 @@ import java.util.Properties; import java.util.function.Function; import java.util.stream.Collectors; -import org.opensearch.Application; +import org.opensearch.identity.Application; import org.opensearch.Version; import org.opensearch.bootstrap.JarHell; import org.opensearch.core.common.Strings; diff --git a/server/src/main/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPlugin.java b/server/src/main/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPlugin.java index 7ea835a71d51b..1c196ab6395e0 100644 --- a/server/src/main/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPlugin.java +++ b/server/src/main/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPlugin.java @@ -36,6 +36,8 @@ import java.util.List; import java.util.function.Supplier; import java.util.function.UnaryOperator; + +import org.opensearch.identity.Application; import org.opensearch.OpenSearchException; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionResponse; @@ -51,6 +53,7 @@ import org.opensearch.common.settings.Settings; import org.opensearch.common.settings.SettingsFilter; import org.opensearch.common.util.concurrent.ThreadContext; +import org.opensearch.identity.ApplicationAwareSubject; import org.opensearch.identity.IdentityService; import org.opensearch.identity.scopes.ExtensionPointScope; import org.opensearch.plugins.ActionPlugin; @@ -63,31 +66,30 @@ * * @opensearch.experimental */ -public class ScopeProtectedActionPlugin implements ActionPlugin { +public final class ScopeProtectedActionPlugin implements ActionPlugin { + private final Application application; private final ActionPlugin plugin; private final IdentityService identity; String INVALID_EXTENSION_POINT_SCOPE_MESSAGE = "Unable to identify extension point scope: "; - public ScopeProtectedActionPlugin(final ActionPlugin plugin, final IdentityService identity) { + public ScopeProtectedActionPlugin(final Application application, final ActionPlugin plugin, final IdentityService identity) { + this.application = application; this.plugin = plugin; this.identity = identity; } - private void throwIfNotAllowed() { + private void checkIfAllowed() { if (!(identity.getSubject().isAllowed(List.of(ExtensionPointScope.ACTION)))) { throw new OpenSearchException(INVALID_EXTENSION_POINT_SCOPE_MESSAGE + ExtensionPointScope.ACTION.asPermissionString()); } } - // Have to wrap with a Public Method for testing - public void checkIfAllowed() { - throwIfNotAllowed(); - } - public List> getActions() { - checkIfAllowed(); - return plugin.getActions(); + return identity.getSubject().runAs(application, () -> { + checkIfAllowed(); + return plugin.getActions(); + }); } public List> getClientActions() { @@ -109,7 +111,7 @@ public List getRestHandlers( final IndexNameExpressionResolver indexNameExpressionResolver, final Supplier nodesInCluster ) { - throwIfNotAllowed(); + checkIfAllowed(); return plugin.getRestHandlers( settings, restController, diff --git a/server/src/test/java/org/opensearch/action/ActionModuleTests.java b/server/src/test/java/org/opensearch/action/ActionModuleTests.java index 688b48736e87f..d54334fa4e213 100644 --- a/server/src/test/java/org/opensearch/action/ActionModuleTests.java +++ b/server/src/test/java/org/opensearch/action/ActionModuleTests.java @@ -66,6 +66,7 @@ import org.opensearch.threadpool.TestThreadPool; import org.opensearch.threadpool.ThreadPool; import org.opensearch.usage.UsageService; +import org.opensearch.identity.ApplicationManager; import static java.util.Collections.emptyList; import static java.util.Collections.singletonList; import static org.hamcrest.Matchers.hasEntry; @@ -138,7 +139,7 @@ public void testSetupRestHandlerContainsKnownBuiltin() throws IOException { null, usageService, null, - new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, new ArrayList<>()), + new IdentityService(Settings.EMPTY, new ArrayList<>(), new ApplicationManager()), new ExtensionsManager(Set.of()) ); actionModule.initRestHandlers(null); diff --git a/server/src/test/java/org/opensearch/client/node/NodeClientHeadersTests.java b/server/src/test/java/org/opensearch/client/node/NodeClientHeadersTests.java index abea2a51bd5da..0799614f9fd4c 100644 --- a/server/src/test/java/org/opensearch/client/node/NodeClientHeadersTests.java +++ b/server/src/test/java/org/opensearch/client/node/NodeClientHeadersTests.java @@ -36,7 +36,6 @@ import java.util.Collections; import java.util.HashMap; import java.util.List; -import java.util.Set; import org.opensearch.action.ActionListener; import org.opensearch.action.ActionModule.DynamicActionRegistry; import org.opensearch.action.ActionRequest; @@ -47,7 +46,7 @@ import org.opensearch.client.Client; import org.opensearch.common.settings.Settings; import org.opensearch.core.common.io.stream.NamedWriteableRegistry; -import org.opensearch.extensions.ExtensionsManager; +import org.opensearch.identity.ApplicationManager; import org.opensearch.identity.IdentityService; import org.opensearch.tasks.Task; import org.opensearch.tasks.TaskManager; @@ -64,17 +63,14 @@ protected Client buildClient(Settings headersSettings, ActionType[] testedAction NodeClient client = new NodeClient(settings, threadPool); DynamicActionRegistry dynamicActionRegistry = new DynamicActionRegistry(); dynamicActionRegistry.registerUnmodifiableActionMap(actions); - try { - client.initialize( - dynamicActionRegistry, - () -> "test", - null, - new NamedWriteableRegistry(Collections.emptyList()), - new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, List.of()) - ); - } catch (IOException e) { - throw new RuntimeException(e); - } + client.initialize( + dynamicActionRegistry, + () -> "test", + null, + new NamedWriteableRegistry(Collections.emptyList()), + new IdentityService(Settings.EMPTY, List.of(), new ApplicationManager()) + ); + return client; } diff --git a/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java b/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java index 3dd10777b2ed3..4efa58e7e9090 100644 --- a/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java +++ b/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java @@ -69,6 +69,7 @@ import org.opensearch.transport.TransportService; import org.opensearch.transport.nio.MockNioTransport; import org.opensearch.usage.UsageService; +import org.opensearch.identity.ApplicationManager; import static java.util.Collections.emptyList; import static java.util.Collections.emptyMap; import static java.util.Collections.emptySet; @@ -147,7 +148,7 @@ public List> getExtensionSettings() { new NodeClient(Settings.EMPTY, threadPool), new NoneCircuitBreakerService(), new UsageService(), - new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, List.of()) + new IdentityService(Settings.EMPTY, List.of(), new ApplicationManager()) ); when(actionModule.getDynamicActionRegistry()).thenReturn(mock(DynamicActionRegistry.class)); when(actionModule.getRestController()).thenReturn(restController); diff --git a/server/src/test/java/org/opensearch/extensions/rest/RestSendToExtensionActionTests.java b/server/src/test/java/org/opensearch/extensions/rest/RestSendToExtensionActionTests.java index f8df18addfe40..13d94ba1dbb58 100644 --- a/server/src/test/java/org/opensearch/extensions/rest/RestSendToExtensionActionTests.java +++ b/server/src/test/java/org/opensearch/extensions/rest/RestSendToExtensionActionTests.java @@ -39,6 +39,7 @@ import org.opensearch.extensions.ExtensionsManager; import org.opensearch.extensions.action.ExtensionAction; import org.opensearch.extensions.action.ExtensionTransportAction; +import org.opensearch.identity.ApplicationManager; import org.opensearch.identity.IdentityService; import org.opensearch.indices.breaker.NoneCircuitBreakerService; import org.opensearch.rest.NamedRoute; @@ -118,7 +119,7 @@ public void setup() throws Exception { null, usageService, null, - new IdentityService(extensionsManager, Settings.EMPTY, new ArrayList<>()), + new IdentityService(Settings.EMPTY, new ArrayList<>(), new ApplicationManager()), extensionsManager ); dynamicActionRegistry = actionModule.getDynamicActionRegistry(); diff --git a/server/src/test/java/org/opensearch/identity/ApplicationAwareSubjectTests.java b/server/src/test/java/org/opensearch/identity/ApplicationAwareSubjectTests.java new file mode 100644 index 0000000000000..28707a73e834c --- /dev/null +++ b/server/src/test/java/org/opensearch/identity/ApplicationAwareSubjectTests.java @@ -0,0 +1,24 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.identity; + +import java.io.IOException; +import java.util.List; +import org.opensearch.OpenSearchException; +import org.opensearch.common.settings.Settings; +import org.opensearch.identity.noop.NoopIdentityPlugin; +import org.opensearch.identity.noop.NoopTokenManager; +import org.opensearch.plugins.IdentityPlugin; +import org.opensearch.test.OpenSearchTestCase; +import static org.hamcrest.Matchers.instanceOf; +import static org.hamcrest.Matchers.is; + +public class ApplicationAwareSubjectTests extends OpenSearchTestCase { + +} diff --git a/server/src/test/java/org/opensearch/identity/ApplicationManagerTests.java b/server/src/test/java/org/opensearch/identity/ApplicationManagerTests.java new file mode 100644 index 0000000000000..e8dbc4c1f0d51 --- /dev/null +++ b/server/src/test/java/org/opensearch/identity/ApplicationManagerTests.java @@ -0,0 +1,3 @@ +public class ApplicationManagerTests { + +} diff --git a/server/src/test/java/org/opensearch/identity/IdentityPluginTests.java b/server/src/test/java/org/opensearch/identity/IdentityPluginTests.java index 26a854f3f78af..c4999c97eca10 100644 --- a/server/src/test/java/org/opensearch/identity/IdentityPluginTests.java +++ b/server/src/test/java/org/opensearch/identity/IdentityPluginTests.java @@ -10,10 +10,8 @@ import java.io.IOException; import java.util.List; -import java.util.Set; import org.opensearch.OpenSearchException; import org.opensearch.common.settings.Settings; -import org.opensearch.extensions.ExtensionsManager; import org.opensearch.identity.noop.NoopIdentityPlugin; import org.opensearch.identity.noop.NoopTokenManager; import org.opensearch.plugins.IdentityPlugin; @@ -26,7 +24,7 @@ public class IdentityPluginTests extends OpenSearchTestCase { public void testSingleIdentityPluginSucceeds() throws IOException { IdentityPlugin identityPlugin1 = new NoopIdentityPlugin(); List pluginList1 = List.of(identityPlugin1); - IdentityService identityService1 = new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, pluginList1); + IdentityService identityService1 = new IdentityService(Settings.EMPTY, pluginList1, new ApplicationManager()); assertTrue(identityService1.getSubject().getPrincipal().getName().equalsIgnoreCase("Unauthenticated")); assertThat(identityService1.getTokenManager(), is(instanceOf(NoopTokenManager.class))); } @@ -38,7 +36,7 @@ public void testMultipleIdentityPluginsFail() { List pluginList = List.of(identityPlugin1, identityPlugin2, identityPlugin3); Exception ex = assertThrows( OpenSearchException.class, - () -> new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, pluginList) + () -> new IdentityService(Settings.EMPTY, pluginList, new ApplicationManager()) ); assert (ex.getMessage().contains("Multiple identity plugins are not supported,")); } diff --git a/server/src/test/java/org/opensearch/identity/scopes/ExtensionPointScopeTests.java b/server/src/test/java/org/opensearch/identity/scopes/ExtensionPointScopeTests.java deleted file mode 100644 index 2bd57d4597b84..0000000000000 --- a/server/src/test/java/org/opensearch/identity/scopes/ExtensionPointScopeTests.java +++ /dev/null @@ -1,96 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - */ - -package org.opensearch.identity.scopes; - -import java.io.IOException; -import java.util.Arrays; -import java.util.Collections; -import java.util.List; -import java.util.Set; -import org.junit.Before; -import org.opensearch.OpenSearchException; -import org.opensearch.action.ActionRequest; -import org.opensearch.action.ActionResponse; -import org.opensearch.action.get.GetAction; -import org.opensearch.action.get.TransportGetAction; -import org.opensearch.common.settings.Settings; -import org.opensearch.extensions.ExtensionsManager; -import org.opensearch.extensions.ExtensionsSettings; -import org.opensearch.identity.ApplicationAwareSubject; -import org.opensearch.identity.IdentityService; -import org.opensearch.plugins.ActionPlugin; -import org.opensearch.plugins.wrappers.ScopeProtectedActionPlugin; -import org.opensearch.test.OpenSearchTestCase; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.when; - -public class ExtensionPointScopeTests extends OpenSearchTestCase { - - private ExtensionsManager extensionsManager; - private IdentityService identityService; - private ActionPlugin actionPlugin; - private ApplicationAwareSubject appSubject; - - ExtensionsSettings.Extension expectedExtensionNode1 = new ExtensionsSettings.Extension( - "firstExtension", - "uniqueid1", - "127.0.0.1", - "9300", - "0.0.7", - "3.0.0", - "3.0.0", - Collections.emptyList(), - null, - List.of(ActionScope.READ) - ); - - ExtensionsSettings.Extension expectedExtensionNode2 = new ExtensionsSettings.Extension( - "secondExtension", - "uniqueid2", - "127.0.0.1", - "9300", - "0.0.7", - "3.0.0", - "3.0.0", - Collections.emptyList(), - null, - List.of(ExtensionPointScope.ACTION) - ); - - @Before - public void setup() throws IOException { - - extensionsManager = new ExtensionsManager(Set.of()); - extensionsManager.loadExtension(expectedExtensionNode1); - extensionsManager.loadExtension(expectedExtensionNode2); - identityService = spy(new IdentityService(extensionsManager, Settings.EMPTY, List.of())); - actionPlugin = new ActionPlugin() { - @Override - public List> getActions() { - return Arrays.asList(new ActionHandler<>(GetAction.INSTANCE, TransportGetAction.class)); - } - }; - - } - - public void testExtensionPointProtectedSubjectShouldPass() { - appSubject = spy(new ApplicationAwareSubject(extensionsManager.getExtensionIdMap().get("uniqueid1"), extensionsManager)); - ScopeProtectedActionPlugin scopeProtectedActionPlugin = spy(new ScopeProtectedActionPlugin(actionPlugin, identityService)); - when(identityService.getSubject()).thenReturn(appSubject); - Exception ex = assertThrows(OpenSearchException.class, scopeProtectedActionPlugin::getActions); - assertTrue(ex.getMessage().contains("Unable to identify extension point scope: ")); - } - - public void testExtensionPointProtectedSubjectShouldFail() { - appSubject = spy(new ApplicationAwareSubject(extensionsManager.getExtensionIdMap().get("uniqueid2"), extensionsManager)); - ScopeProtectedActionPlugin scopeProtectedActionPlugin = spy(new ScopeProtectedActionPlugin(actionPlugin, identityService)); - when(identityService.getSubject()).thenReturn(appSubject); - assertEquals(scopeProtectedActionPlugin.getActions(), actionPlugin.getActions()); - } -} diff --git a/server/src/test/java/org/opensearch/identity/scopes/ActionScopeTests.java b/server/src/test/java/org/opensearch/identity/scopes/ScopeTests.java similarity index 74% rename from server/src/test/java/org/opensearch/identity/scopes/ActionScopeTests.java rename to server/src/test/java/org/opensearch/identity/scopes/ScopeTests.java index c64f3b529b5f7..4fa844f6d4a33 100644 --- a/server/src/test/java/org/opensearch/identity/scopes/ActionScopeTests.java +++ b/server/src/test/java/org/opensearch/identity/scopes/ScopeTests.java @@ -20,50 +20,21 @@ import org.opensearch.action.get.MultiGetAction; import org.opensearch.extensions.ExtensionsManager; import org.opensearch.extensions.ExtensionsSettings; +import org.opensearch.identity.ApplicationManager; import org.opensearch.identity.ApplicationAwareSubject; import org.opensearch.test.OpenSearchTestCase; import static org.mockito.Mockito.spy; +import static org.hamcrest.MatcherAssert.assertThat; -public class ActionScopeTests extends OpenSearchTestCase { +public class ScopeTests extends OpenSearchTestCase { - private ExtensionsManager extensionsManager; - - ExtensionsSettings.Extension expectedExtensionNode = new ExtensionsSettings.Extension( - "firstExtension", - "uniqueid1", - "127.0.0.1", - "9300", - "0.0.7", - "3.0.0", - "3.0.0", - Collections.emptyList(), - null, - List.of(ActionScope.READ) - ); + private final ApplicationManager applicationManager; @Before public void setup() throws IOException { - - extensionsManager = new ExtensionsManager(Set.of()); - extensionsManager.loadExtension(expectedExtensionNode); - } - public void testApplicationAwareSubject() { - ApplicationAwareSubject appSubject1 = new ApplicationAwareSubject( - extensionsManager.getExtensionIdMap().get("uniqueid1"), - extensionsManager - ); - ApplicationAwareSubject appSubject2 = new ApplicationAwareSubject( - extensionsManager.getExtensionIdMap().get("uniqueid1"), - extensionsManager - ); - - assertTrue(appSubject1.getScopes().contains(ActionScope.READ)); - assertTrue(appSubject1.equals(appSubject2)); - assertEquals(appSubject1, appSubject1); // Code coverage... - - } + //TODO: Review coverage public void testScopes() { assertEquals(ActionScope.ALL.asPermissionString(), "ACTION.CLUSTER.ALL"); @@ -88,7 +59,7 @@ public void testAssignActionScopes() { Set allowedScopes = Set.of(ActionScope.READ); ApplicationAwareSubject appSubject = spy( - new ApplicationAwareSubject(extensionsManager.getExtensionIdMap().get("uniqueid1"), extensionsManager) + new ApplicationAwareSubject(, applicationManager) ); assertEquals(appSubject.getScopes(), allowedScopes); @@ -98,7 +69,7 @@ public void testCallActionShouldFail() { Set allowedScopes = Set.of(ActionScope.READ); ApplicationAwareSubject appSubject = spy( - new ApplicationAwareSubject(extensionsManager.getExtensionIdMap().get("uniqueid1"), extensionsManager) + new ApplicationAwareSubject(extensionsManager.getExtensionIdMap().get("uniqueid1"), applicationManager) ); assertEquals(appSubject.getScopes(), allowedScopes); @@ -115,7 +86,7 @@ public void testCallActionShouldPass() { Set allowedScopes = Set.of(ActionScope.READ); ApplicationAwareSubject appSubject = spy( - new ApplicationAwareSubject(extensionsManager.getExtensionIdMap().get("uniqueid1"), extensionsManager) + new ApplicationAwareSubject(extensionsManager.getExtensionIdMap().get("uniqueid1"), applicationManager) ); assertEquals(appSubject.getScopes(), allowedScopes); diff --git a/server/src/test/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPluginTests.java b/server/src/test/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPluginTests.java new file mode 100644 index 0000000000000..4c5c9aa49c31c --- /dev/null +++ b/server/src/test/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPluginTests.java @@ -0,0 +1,91 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.plugins.wrappers; + +import java.io.IOException; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import java.util.Set; +import org.junit.Before; +import org.opensearch.OpenSearchException; +import org.opensearch.action.ActionRequest; +import org.opensearch.action.ActionResponse; +import org.opensearch.action.get.GetAction; +import org.opensearch.action.get.TransportGetAction; +import org.opensearch.action.support.ActionFilter; +import org.opensearch.common.settings.Settings; +import org.opensearch.extensions.ExtensionsManager; +import org.opensearch.extensions.ExtensionsSettings; +import org.opensearch.identity.ApplicationAwareSubject; +import org.opensearch.identity.ApplicationManager; +import org.opensearch.identity.IdentityService; +import org.opensearch.plugins.ActionPlugin; +import org.opensearch.plugins.wrappers.ScopeProtectedActionPlugin; +import org.opensearch.test.OpenSearchTestCase; + +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.when; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.verifyNoMoreInteractions; + +public class ScopeProtectedActionPluginTests extends OpenSearchTestCase { + + private IdentityService identityService; + private ActionPlugin actionPlugin; + private ApplicationAwareSubject appSubject; + + @Before + public void setup() throws IOException { + identityService = mock(IdentityService.class); + actionPlugin = mock(ActionPlugin.class); + } + + public void testExtensionPointProtectedSubjectShouldPass() { + final List expectedActions = List.of(mock(ActionFilter.class)); + when(actionPlugin.getActionFilters()).thenReturn(expectedActions); + final List getActionsFilters = actionPlugin.getActionFilters(); + verify(actionPlugin).getActionFilters(); + assertThat(getActionsFilters, equalTo(expectedActions)); + + final ActionPlugin scopeProtectedActionPlugin = new ScopeProtectedActionPlugin(null, actionPlugin, identityService); + final ApplicationAwareSubject subject = mock(ApplicationAwareSubject.class); + when(identityService.getSubject()).thenReturn(subject); + when(subject.isAllowed(any())).thenReturn(true); + + final List getActionsProtecedFilters = scopeProtectedActionPlugin.getActionFilters(); + assertThat(getActionsProtecedFilters, equalTo(expectedActions)); + + verify(actionPlugin, times(2)).getActionFilters(); + verifyNoMoreInteractions(actionPlugin); + verify(identityService).getSubject(); + verify(subject).isAllowed(any()); + } + + public void testExtensionPointProtectedSubjectShouldFail() { + final ActionPlugin scopeProtectedActionPlugin = new ScopeProtectedActionPlugin(null, actionPlugin, identityService); + final ApplicationAwareSubject subject = mock(ApplicationAwareSubject.class); + when(identityService.getSubject()).thenReturn(subject); + when(subject.isAllowed(any())).thenReturn(false); + + final Exception exception = assertThrows(OpenSearchException.class, scopeProtectedActionPlugin::getActionFilters); + assertThat(exception.getMessage(), containsString("EXTENSION_POINT.ACTION_PLUGIN.IMPLEMENT")); + + verifyNoInteractions(actionPlugin); + verify(identityService).getSubject(); + verify(subject).isAllowed(any()); + } +} diff --git a/server/src/test/java/org/opensearch/rest/RestControllerTests.java b/server/src/test/java/org/opensearch/rest/RestControllerTests.java index 8956d1b34870b..4f2e63d539a9b 100644 --- a/server/src/test/java/org/opensearch/rest/RestControllerTests.java +++ b/server/src/test/java/org/opensearch/rest/RestControllerTests.java @@ -62,12 +62,12 @@ import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.core.rest.RestStatus; import org.opensearch.core.xcontent.NamedXContentRegistry; -import org.opensearch.extensions.ExtensionsManager; import org.opensearch.http.HttpInfo; import org.opensearch.http.HttpRequest; import org.opensearch.http.HttpResponse; import org.opensearch.http.HttpServerTransport; import org.opensearch.http.HttpStats; +import org.opensearch.identity.ApplicationManager; import org.opensearch.identity.IdentityService; import org.opensearch.indices.breaker.HierarchyCircuitBreakerService; import org.opensearch.rest.action.admin.indices.RestCreateIndexAction; @@ -78,6 +78,8 @@ import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItem; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.any; import static org.mockito.Mockito.doCallRealMethod; import static org.mockito.Mockito.eq; @@ -111,7 +113,7 @@ public void setup() throws IOException { // we can do this here only because we know that we don't adjust breaker settings dynamically in the test inFlightRequestsBreaker = circuitBreakerService.getBreaker(CircuitBreaker.IN_FLIGHT_REQUESTS); - identityService = new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, List.of()); + identityService = new IdentityService(Settings.EMPTY, List.of(), new ApplicationManager()); HttpServerTransport httpServerTransport = new TestHttpServerTransport(); client = new NoOpNodeClient(this.getTestName()); diff --git a/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java b/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java index 859b424080289..43d00c268d3cb 100644 --- a/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java +++ b/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java @@ -36,7 +36,6 @@ import java.util.Arrays; import java.util.Collections; import java.util.List; -import java.util.Set; import java.util.stream.Collectors; import org.opensearch.client.node.NodeClient; import org.opensearch.common.settings.ClusterSettings; @@ -44,7 +43,7 @@ import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.core.rest.RestStatus; -import org.opensearch.extensions.ExtensionsManager; +import org.opensearch.identity.ApplicationManager; import org.opensearch.identity.IdentityService; import org.opensearch.indices.breaker.CircuitBreakerService; import org.opensearch.indices.breaker.HierarchyCircuitBreakerService; @@ -106,7 +105,7 @@ public void testUnsupportedMethodResponseHttpHeader() throws Exception { final Settings settings = Settings.EMPTY; UsageService usageService = new UsageService(); - final IdentityService identityService = new IdentityService(new ExtensionsManager(Set.of()), settings, List.of()); + final IdentityService identityService = new IdentityService(settings, List.of(), new ApplicationManager()); RestController restController = new RestController( Collections.emptySet(), null, diff --git a/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java b/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java index b84ca4e8ef54a..405ef419c89d2 100644 --- a/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java +++ b/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java @@ -52,7 +52,7 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.common.bytes.BytesArray; import org.opensearch.core.common.io.stream.NamedWriteableRegistry; -import org.opensearch.extensions.ExtensionsManager; +import org.opensearch.identity.ApplicationManager; import org.opensearch.identity.IdentityService; import org.opensearch.indices.breaker.NoneCircuitBreakerService; import org.opensearch.rest.RestController; @@ -76,15 +76,7 @@ public class RestValidateQueryActionTests extends AbstractSearchTestCase { private static NodeClient client = new NodeClient(Settings.EMPTY, threadPool); private static UsageService usageService = new UsageService(); - private static IdentityService identityService; - - static { - try { - identityService = new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, List.of()); - } catch (IOException e) { - throw new RuntimeException(e); - } - } + private static IdentityService identityService = new IdentityService(Settings.EMPTY, List.of(), new ApplicationManager()); private static RestController controller = new RestController( emptySet(), diff --git a/server/src/test/java/org/opensearch/snapshots/SnapshotResiliencyTests.java b/server/src/test/java/org/opensearch/snapshots/SnapshotResiliencyTests.java index 5f8ed4d6393c8..30a60375ed1be 100644 --- a/server/src/test/java/org/opensearch/snapshots/SnapshotResiliencyTests.java +++ b/server/src/test/java/org/opensearch/snapshots/SnapshotResiliencyTests.java @@ -243,6 +243,7 @@ import org.opensearch.transport.TransportRequest; import org.opensearch.transport.TransportRequestHandler; import org.opensearch.transport.TransportService; +import org.opensearch.identity.ApplicationManager; import static java.util.Collections.emptyMap; import static java.util.Collections.emptySet; import static org.hamcrest.Matchers.contains; @@ -2184,7 +2185,7 @@ public void onFailure(final Exception e) { () -> clusterService.localNode().getId(), transportService.getRemoteClusterService(), new NamedWriteableRegistry(Collections.emptyList()), - new IdentityService(new ExtensionsManager(Set.of()), Settings.EMPTY, List.of()) + new IdentityService(Settings.EMPTY, List.of(), new ApplicationManager()) ); }