Test Restricted endpoints

Signed-off-by: Ryan Liang <jiallian@amazon.com>
opensearch-project · Oct 10, 2023 · e368dab · e368dab
1 parent eef1957
commit e368dab
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java
@@ -26,16 +26,21 @@
 import org.junit.Assert;
 import org.junit.Test;
 
+import org.mockito.Mockito;
 import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.rest.RestRequest;
 import org.opensearch.security.authtoken.jwt.EncryptionDecryptionUtil;
+import org.opensearch.security.filter.SecurityRequest;
 import org.opensearch.security.filter.SecurityResponse;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.util.FakeRestRequest;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
+import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.rest.RestRequest.Method.PUT;
 
 public class OnBehalfOfAuthenticatorTest {
     final static String clusterName = "cluster_0";
@@ -48,6 +53,9 @@ public class OnBehalfOfAuthenticatorTest {
     final static String signingKeyB64Encoded = BaseEncoding.base64().encode(signingKey.getBytes(StandardCharsets.UTF_8));
     final static SecretKey secretKey = Keys.hmacShaKeyFor(signingKeyB64Encoded.getBytes(StandardCharsets.UTF_8));
 
+    private static final String ON_BEHALF_OF_SUFFIX = "api/generateonbehalfoftoken";
+    private static final String ACCOUNT_SUFFIX = "api/account";
+
     @Test
     public void testReRequestAuthenticationReturnsEmptyOptional() {
         OnBehalfOfAuthenticator authenticator = new OnBehalfOfAuthenticator(defaultSettings(), clusterName);
@@ -460,6 +468,26 @@ public void testDifferentIssuer() throws Exception {
         Assert.assertNull(credentials);
     }
 
+    @Test
+    public void testExtractCredentialsForDisallowedRequest() {
+        OnBehalfOfAuthenticator jwtAuth = new OnBehalfOfAuthenticator(defaultSettings(), clusterName);
+
+        AuthCredentials credentials = testEndpoint(jwtAuth, ON_BEHALF_OF_SUFFIX, String.valueOf(POST));
+        Assert.assertNull(credentials);
+
+        credentials = testEndpoint(jwtAuth, ACCOUNT_SUFFIX, String.valueOf(PUT));
+        Assert.assertNull(credentials);
+    }
+
+    private AuthCredentials testEndpoint(OnBehalfOfAuthenticator jwtAuth, String endpoint, String httpMethod) {
+        SecurityRequest mockedRequest = Mockito.mock(SecurityRequest.class);
+        Mockito.when(mockedRequest.header(HttpHeaders.AUTHORIZATION)).thenReturn("Bearer someToken");
+        Mockito.when(mockedRequest.method()).thenReturn(RestRequest.Method.valueOf(httpMethod));
+        Mockito.when(mockedRequest.path()).thenReturn("/some_prefix/" + endpoint);
+
+        return jwtAuth.extractCredentials(mockedRequest, null);
+    }
+
     /** extracts a default user credential from a request header */
     private AuthCredentials extractCredentialsFromJwtHeader(
         final String signingKeyB64Encoded,