Tests IpBruteForceAttacksPreventionTests and UserBruteForceAttacksPre…

…ventionTests extended to verify unauthorized response reason. Signed-off-by: Lukasz Soszynski <lukasz.soszynski@eliatra.com>
opensearch-project · Nov 21, 2022 · c95fbdb · c95fbdb
1 parent 3f4a665
commit c95fbdb
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 5 deletions.
diff --git a/src/integrationTest/java/org/opensearch/security/IpBruteForceAttacksPreventionTests.java b/src/integrationTest/java/org/opensearch/security/IpBruteForceAttacksPreventionTests.java
@@ -13,6 +13,7 @@
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import org.junit.ClassRule;
+import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
@@ -24,6 +25,7 @@
 import org.opensearch.test.framework.cluster.TestRestClient;
 import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
 import org.opensearch.test.framework.cluster.TestRestClientConfiguration;
+import org.opensearch.test.framework.log.LogsRule;
 
 import static org.apache.hc.core5.http.HttpStatus.SC_OK;
 import static org.apache.hc.core5.http.HttpStatus.SC_UNAUTHORIZED;
@@ -59,6 +61,9 @@ public class IpBruteForceAttacksPreventionTests {
 		.clusterManager(ClusterManager.SINGLENODE).anonymousAuth(false).authFailureListeners(listener)
 		.authc(AUTHC_HTTPBASIC_INTERNAL_WITHOUT_CHALLENGE).users(USER_1, USER_2).build();
 
+	@Rule
+	public LogsRule logsRule = new LogsRule("org.opensearch.security.auth.BackendRegistry");
+
 	@Test
 	public void shouldAuthenticateUserWhenBlockadeIsNotActive() {
 		try(TestRestClient client = cluster.createGenericClientRestClient(userWithSourceIp(USER_1, CLIENT_IP_2))) {
@@ -77,6 +82,7 @@ public void shouldBlockIpAddress() {
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(SC_UNAUTHORIZED);
+			logsRule.assertThatContain("Rejecting REST request because of blocked address: /" + CLIENT_IP_3);
 		}
 	}
 
@@ -88,6 +94,7 @@ public void shouldBlockUsersWhoUseTheSameIpAddress() {
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(SC_UNAUTHORIZED);
+			logsRule.assertThatContain("Rejecting REST request because of blocked address: /" + CLIENT_IP_4);
 		}
 	}
 
@@ -120,6 +127,7 @@ public void shouldBlockIpWhenFailureAuthenticationCountIsGraterThanAllowedTries(
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(SC_UNAUTHORIZED);
+			logsRule.assertThatContain("Rejecting REST request because of blocked address: /" + CLIENT_IP_8);
 		}
 	}
 
@@ -132,6 +140,7 @@ public void shouldReleaseIpAddressLock() throws InterruptedException {
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(SC_OK);
+			logsRule.assertThatContain("Rejecting REST request because of blocked address: /" + CLIENT_IP_9);
 		}
 	}
 

diff --git a/src/integrationTest/java/org/opensearch/security/UserBruteForceAttacksPreventionTests.java b/src/integrationTest/java/org/opensearch/security/UserBruteForceAttacksPreventionTests.java
@@ -13,6 +13,7 @@
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import org.junit.ClassRule;
+import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
@@ -23,6 +24,7 @@
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
 import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+import org.opensearch.test.framework.log.LogsRule;
 
 import static org.apache.hc.core5.http.HttpStatus.SC_OK;
 import static org.apache.hc.core5.http.HttpStatus.SC_UNAUTHORIZED;
@@ -51,6 +53,9 @@ public class UserBruteForceAttacksPreventionTests {
 		.clusterManager(ClusterManager.SINGLENODE).anonymousAuth(false).authFailureListeners(listener)
 		.authc(AUTHC_HTTPBASIC_INTERNAL).users(USER_1, USER_2, USER_3, USER_4, USER_5).build();
 
+	@Rule
+	public LogsRule logsRule = new LogsRule("org.opensearch.security.auth.BackendRegistry");
+
 	@Test
 	public void shouldAuthenticateUserWhenBlockadeIsNotActive() {
 		try(TestRestClient client = cluster.getRestClient(USER_1)) {
@@ -69,6 +74,8 @@ public void shouldBlockUserWhenNumberOfFailureLoginAttemptIsEqualToLimit() {
 
 				response.assertStatusCode(SC_UNAUTHORIZED);
 		}
+		//Rejecting REST request because of blocked user:
+		logsRule.assertThatContain("Rejecting REST request because of blocked user: " + USER_2.getName());
 	}
 
 	@Test
@@ -79,6 +86,7 @@ public void shouldBlockUserWhenNumberOfFailureLoginAttemptIsGraterThanLimit() {
 
 			response.assertStatusCode(SC_UNAUTHORIZED);
 		}
+		logsRule.assertThatContain("Rejecting REST request because of blocked user: " + USER_3.getName());
 	}
 
 	@Test
@@ -103,6 +111,7 @@ public void shouldReleaseLock() throws InterruptedException {
 
 			response.assertStatusCode(SC_OK);
 		}
+		logsRule.assertThatContain("Rejecting REST request because of blocked user: " + USER_5.getName());
 	}
 
 	private static void authenticateUserWithIncorrectPassword(User user, int numberOfAttempts) {

diff --git a/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationTests.java b/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationTests.java
@@ -164,7 +164,7 @@ public void shouldAuthenticateWithJwtToken_failureLackingUserName() {
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(401);
-			logsRule.assertThatContain("No subject found in JWT token");
+			logsRule.assertThatContainExactly("No subject found in JWT token");
 		}
 	}
 
@@ -175,7 +175,7 @@ public void shouldAuthenticateWithJwtToken_failureExpiredToken() {
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(401);
-			logsRule.assertThatContain("Invalid or expired JWT token.");
+			logsRule.assertThatContainExactly("Invalid or expired JWT token.");
 		}
 	}
 
@@ -187,7 +187,7 @@ public void shouldAuthenticateWithJwtToken_failureIncorrectFormatOfToken() {
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(401);
-			logsRule.assertThatContain(String.format("No JWT token found in '%s' header header", JWT_AUTH_HEADER));
+			logsRule.assertThatContainExactly(String.format("No JWT token found in '%s' header header", JWT_AUTH_HEADER));
 		}
 	}
 
@@ -200,7 +200,7 @@ public void shouldAuthenticateWithJwtToken_failureIncorrectSignature() {
 			HttpResponse response = client.getAuthInfo();
 
 			response.assertStatusCode(401);
-			logsRule.assertThatContain("Invalid or expired JWT token.");
+			logsRule.assertThatContainExactly("Invalid or expired JWT token.");
 		}
 	}
 

diff --git a/src/integrationTest/java/org/opensearch/test/framework/log/LogsRule.java b/src/integrationTest/java/org/opensearch/test/framework/log/LogsRule.java
@@ -16,6 +16,7 @@
 import org.junit.rules.ExternalResource;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.hasItem;
 
 /**
@@ -50,12 +51,22 @@ protected void after() {
 	* Check if during the tests certain log message was logged
 	* @param expectedLogMessage expected log message
 	*/
-	public void assertThatContain(String expectedLogMessage) {
+	public void assertThatContainExactly(String expectedLogMessage) {
 		List<String> messages = LogCapturingAppender.getLogMessages();
 		String reason = reasonMessage(expectedLogMessage, messages);
 		assertThat(reason, messages, hasItem(expectedLogMessage));
 	}
 
+	/**
+	* Check if during the tests certain log message was logged
+	* @param messageFragment expected log message fragment
+	*/
+	public void assertThatContain(String messageFragment) {
+		List<String> messages = LogCapturingAppender.getLogMessages();
+		String reason = reasonMessage(messageFragment, messages);
+		assertThat(reason, messages, hasItem(containsString(messageFragment)));
+	}
+
 	private static String reasonMessage(String expectedLogMessage, List<String> messages) {
 		String concatenatedLogMessages = messages.stream()
 			.map(message -> String.format("'%s'", message))

diff --git a/src/integrationTest/resources/log4j2-test.properties b/src/integrationTest/resources/log4j2-test.properties
@@ -28,3 +28,10 @@ logger.auditlogs.level = info
 logger.httpjwtauthenticator.name = com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator
 logger.httpjwtauthenticator.level = debug
 logger.httpjwtauthenticator.appenderRef.capturing.ref = logCapturingAppender
+
+#Required by tests:
+# org.opensearch.security.IpBruteForceAttacksPreventionTests
+# org.opensearch.security.UserBruteForceAttacksPreventionTests
+logger.backendreg.name = org.opensearch.security.auth.BackendRegistry
+logger.backendreg.level = debug
+logger.backendreg.appenderRef.capturing.ref = logCapturingAppender