

SecurityRestFilter, authorizeRequest() audit log tests (#3084)
### Description

Adding tests for
#2700, relevant PR:
DarshitChanpura#5. The goal is to verify the
audit log entries emitted by the authorizeRequest() method of the
SecurityRestFilterExtension class.
Issues Resolved:

#2700
### Testing
Integration testing added
### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff



Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
MaciejMierzwa authored Aug 7, 2023
1 parent 1822e13 commit 07f791a
Showing 1 changed file with 69 additions and 4 deletions.
Expand Up @@ -14,17 +14,28 @@
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import org.apache.hc.core5.http.HttpStatus;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.opensearch.rest.RestRequest;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.test.framework.AuditCompliance;
import org.opensearch.test.framework.AuditConfiguration;
import org.opensearch.test.framework.AuditFilters;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.TestSecurityConfig.Role;
import org.opensearch.test.framework.audit.AuditLogsRule;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.equalTo;
import static org.opensearch.security.auditlog.impl.AuditCategory.GRANTED_PRIVILEGES;
import static org.opensearch.security.auditlog.impl.AuditCategory.MISSING_PRIVILEGES;
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
import static org.opensearch.test.framework.audit.AuditMessagePredicate.auditPredicate;
import static org.opensearch.test.framework.audit.AuditMessagePredicate.userAuthenticated;

@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
Expand All @@ -50,12 +61,35 @@ public class WhoAmITests {
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(WHO_AM_I, WHO_AM_I_LEGACY, WHO_AM_I_NO_PERM)
.audit(
new AuditConfiguration(true).compliance(new AuditCompliance().enabled(true))
.filters(new AuditFilters().enabledRest(true).enabledTransport(true).resolveBulkRequests(true))
)
.build();

@Rule
public AuditLogsRule auditLogsRule = new AuditLogsRule();

@Test
public void testWhoAmIWithGetPermissions() throws Exception {
public void testWhoAmIWithGetPermissions() {
try (TestRestClient client = cluster.getRestClient(WHO_AM_I)) {
assertThat(client.get(WHOAMI_PROTECTED_ENDPOINT).getStatusCode(), equalTo(HttpStatus.SC_OK));

// audit log, named route
auditLogsRule.assertExactly(
1,
userAuthenticated(WHO_AM_I).withLayer(AuditLog.Origin.REST)
.withRestMethod(RestRequest.Method.GET)
.withRequestPath("/" + WHOAMI_PROTECTED_ENDPOINT)
.withInitiatingUser(WHO_AM_I)
);
auditLogsRule.assertExactly(
1,
auditPredicate(GRANTED_PRIVILEGES).withLayer(AuditLog.Origin.REST)
.withRestMethod(RestRequest.Method.GET)
.withRequestPath("/" + WHOAMI_PROTECTED_ENDPOINT)
.withEffectiveUser(WHO_AM_I)
);
}

try (TestRestClient client = cluster.getRestClient(WHO_AM_I)) {
Expand All @@ -64,29 +98,60 @@ public void testWhoAmIWithGetPermissions() throws Exception {
}

@Test
public void testWhoAmIWithGetPermissionsLegacy() throws Exception {
public void testWhoAmIWithGetPermissionsLegacy() {
try (TestRestClient client = cluster.getRestClient(WHO_AM_I_LEGACY)) {
assertThat(client.get(WHOAMI_ENDPOINT).getStatusCode(), equalTo(HttpStatus.SC_OK));
}

try (TestRestClient client = cluster.getRestClient(WHO_AM_I_LEGACY)) {
assertThat(client.get(WHOAMI_PROTECTED_ENDPOINT).getStatusCode(), equalTo(HttpStatus.SC_OK));

// audit log, named route
auditLogsRule.assertExactly(
1,
userAuthenticated(WHO_AM_I_LEGACY).withLayer(AuditLog.Origin.REST)
.withRestMethod(RestRequest.Method.GET)
.withRequestPath("/" + WHOAMI_PROTECTED_ENDPOINT)
.withInitiatingUser(WHO_AM_I_LEGACY)
);
auditLogsRule.assertExactly(
1,
auditPredicate(GRANTED_PRIVILEGES).withLayer(AuditLog.Origin.REST)
.withRestMethod(RestRequest.Method.GET)
.withRequestPath("/" + WHOAMI_PROTECTED_ENDPOINT)
.withEffectiveUser(WHO_AM_I_LEGACY)
);
}
}

@Test
public void testWhoAmIWithoutGetPermissions() throws Exception {
public void testWhoAmIWithoutGetPermissions() {
try (TestRestClient client = cluster.getRestClient(WHO_AM_I_NO_PERM)) {
assertThat(client.get(WHOAMI_ENDPOINT).getStatusCode(), equalTo(HttpStatus.SC_OK));
}

try (TestRestClient client = cluster.getRestClient(WHO_AM_I_NO_PERM)) {
assertThat(client.get(WHOAMI_PROTECTED_ENDPOINT).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));

// audit log, named route
auditLogsRule.assertExactly(
1,
userAuthenticated(WHO_AM_I_NO_PERM).withLayer(AuditLog.Origin.REST)
.withRestMethod(RestRequest.Method.GET)
.withRequestPath("/" + WHOAMI_PROTECTED_ENDPOINT)
);
auditLogsRule.assertExactly(
1,
auditPredicate(MISSING_PRIVILEGES).withLayer(AuditLog.Origin.REST)
.withRestMethod(RestRequest.Method.GET)
.withRequestPath("/" + WHOAMI_PROTECTED_ENDPOINT)
.withEffectiveUser(WHO_AM_I_NO_PERM)
);
}
}

@Test
public void testWhoAmIPost() throws Exception {
public void testWhoAmIPost() {
try (TestRestClient client = cluster.getRestClient(WHO_AM_I)) {
assertThat(client.post(WHOAMI_ENDPOINT).getStatusCode(), equalTo(HttpStatus.SC_OK));
}
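Review bot: In testWhoAmIWithoutGetPermissions the `userAuthenticated(WHO_AM_I_NO_PERM)` predicate stops at `.withRequestPath("/" + WHOAMI_PROTECTED_ENDPOINT)` and, unlike the two granted-privilege tests, never chains `.withInitiatingUser(WHO_AM_I_NO_PERM)`, so that assertion would also pass on an authentication event recorded against a different initiating user. Adding `.withInitiatingUser(WHO_AM_I_NO_PERM)` after the request-path matcher makes all three tests pin the same fields of the REST-layer audit record. The `MISSING_PRIVILEGES` entry is asserted alongside a `HttpStatus.SC_UNAUTHORIZED` response for a user that did authenticate; a short comment such as `// filter answers 401 (not 403) for an authenticated user lacking the route permission` would save the next reader from suspecting a test-side mix-up, assuming that status is the intended filter behaviour rather than something the test merely tolerates. The bodies of testWhoAmIWithGetPermissions and testWhoAmIPost continue outside the hunks shown, so their remaining assertions were not reviewed.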
