From fa96656e310b08882c018b0c7dd7ba7c6af26e05 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 13 Dec 2023 15:55:18 +0000
Subject: [PATCH 1/2] Fix issue when scroll is created with LDAP user (#3805)

Signed-off-by: Craig Perkins
(cherry picked from commit 1846fd157847ee08ffea88a849d5c43c46269335)
Signed-off-by: github-actions[bot]
---
 .../security/http/LdapAuthenticationTest.java | 74 +++++++++++++++++++
 .../org/opensearch/security/user/User.java | 2 +-
 2 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
index 299b2cc7d2..dbb1724a55 100644
--- a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
@@ -10,8 +10,10 @@ package org.opensearch.security.http;
 import java.util.List;
+import java.util.Map;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.hc.core5.http.message.BasicHeader;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.junit.ClassRule;
@@ -20,7 +22,12 @@ import org.junit.rules.RuleChain;
 import org.junit.runner.RunWith;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.AuthorizationBackend;
+import org.opensearch.test.framework.AuthzDomain;
 import org.opensearch.test.framework.LdapAuthenticationConfigBuilder;
+import org.opensearch.test.framework.LdapAuthorizationConfigBuilder;
+import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AuthenticationBackend;
@@ -32,13 +39,20 @@ import org.opensearch.test.framework.ldap.EmbeddedLDAPServer;
 import org.opensearch.test.framework.log.LogsRule;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.contains;
+import static org.opensearch.security.http.CertificateAuthenticationTest.POINTER_BACKEND_ROLES;
+import static org.opensearch.security.http.DirectoryInformationTrees.CN_GROUP_ADMIN;
 import static org.opensearch.security.http.DirectoryInformationTrees.DN_CAPTAIN_SPOCK_PEOPLE_TEST_ORG;
+import static org.opensearch.security.http.DirectoryInformationTrees.DN_GROUPS_TEST_ORG;
 import static org.opensearch.security.http.DirectoryInformationTrees.DN_OPEN_SEARCH_PEOPLE_TEST_ORG;
 import static org.opensearch.security.http.DirectoryInformationTrees.DN_PEOPLE_TEST_ORG;
 import static org.opensearch.security.http.DirectoryInformationTrees.LDIF_DATA;
+import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_KIRK;
 import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_OPEN_SEARCH;
 import static org.opensearch.security.http.DirectoryInformationTrees.PASSWORD_SPOCK;
 import static org.opensearch.security.http.DirectoryInformationTrees.USERNAME_ATTRIBUTE;
+import static org.opensearch.security.http.DirectoryInformationTrees.USER_KIRK;
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_SEARCH;
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_SPOCK;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
@@ -54,6 +68,8 @@ public class LdapAuthenticationTest {
 private static final Logger log = LogManager.getLogger(LdapAuthenticationTest.class);
+ private static final String HEADER_NAME_IMPERSONATE = "opendistro_security_impersonate_as";
+
 private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
 private static final TestCertificates TEST_CERTIFICATES = new TestCertificates();
@@ -67,6 +83,7 @@ public class LdapAuthenticationTest {
 public static LocalCluster cluster = new LocalCluster.Builder().testCertificates(TEST_CERTIFICATES)
 .clusterManager(ClusterManager.SINGLENODE)
 .anonymousAuth(false)
+ .nodeSettings(Map.of(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + "." + ADMIN_USER.getName(), List.of(USER_KIRK)))
 .authc(
 new AuthcDomain("ldap", BASIC_AUTH_DOMAIN_ORDER + 1, true).httpAuthenticator(new HttpAuthenticator("basic").challenge(false))
 .backend(
@@ -89,6 +106,29 @@ public class LdapAuthenticationTest {
 )
 .authc(AUTHC_HTTPBASIC_INTERNAL)
 .users(ADMIN_USER)
+ .rolesMapping(new RolesMapping(ALL_ACCESS).backendRoles(CN_GROUP_ADMIN))
+ .authz(
+ new AuthzDomain("ldap_roles").httpEnabled(true)
+ .transportEnabled(true)
+ .authorizationBackend(
+ new AuthorizationBackend("ldap").config(
+ () -> new LdapAuthorizationConfigBuilder().hosts(List.of("localhost:" + embeddedLDAPServer.getLdapNonTlsPort()))
+ .enableSsl(false)
+ .bindDn(DN_OPEN_SEARCH_PEOPLE_TEST_ORG)
+ .password(PASSWORD_OPEN_SEARCH)
+ .userBase(DN_PEOPLE_TEST_ORG)
+ .userSearch(USER_SEARCH)
+ .usernameAttribute(USERNAME_ATTRIBUTE)
+ .roleBase(DN_GROUPS_TEST_ORG)
+ .roleSearch("(uniqueMember={0})")
+ .userRoleAttribute(null)
+ .userRoleName("disabled")
+ .roleName("cn")
+ .resolveNestedRoles(true)
+ .build()
+ )
+ )
+ )
 .build();
 @ClassRule
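Review bot: The authz backend added in the last hunk repeats the host, bind DN, bind password, user base and user search that the authc domain above already carries (that domain's `.backend(` call continues outside this hunk), so any change to the embedded LDAP wiring now has to be made in two places; a private static helper returning the shared part of both builders would keep them from drifting. The `.userRoleAttribute(null).userRoleName("disabled")` pair reads as a deliberate choice to take roles only from the `roleSearch` against `DN_GROUPS_TEST_ORG`, but nothing says so; a comment such as `// roles come from the group search only; per-user role attributes are switched off` would make the intent explicit. The impersonation allow-list set through `.nodeSettings(...)` in the hunk above lets `ADMIN_USER` impersonate `USER_KIRK` only, which is the minimum the new test needs and worth keeping that narrow.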
@@ -117,4 +157,38 @@ public void shouldAuthenticateUserWithLdap_negativeWhenIncorrectPassword() {
 logsRule.assertThatStackTraceContain(expectedStackTraceFragment);
 }
 }
+
+ @Test
+ public void testShouldCreateScrollWithLdapUserAndImpersonateWithAdmin() {
+ try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+ TestRestClient.HttpResponse response = client.put("movies");
+
+ response.assertStatusCode(200);
+ }
+
+ String scrollId;
+
+ try (TestRestClient client = cluster.getRestClient(USER_KIRK, PASSWORD_KIRK)) {
+ TestRestClient.HttpResponse authinfo = client.getAuthInfo();
+
+ List backendRoles = authinfo.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES);
+ assertThat(backendRoles, contains(CN_GROUP_ADMIN));
+
+ TestRestClient.HttpResponse response = client.getWithJsonBody("movies/_search?scroll=10m", "{\"size\": 1}");
+
+ response.assertStatusCode(200);
+
+ scrollId = response.getTextFromJsonBody("/_scroll_id");
+ }
+
+ try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+ TestRestClient.HttpResponse scrollResponse = client.getWithJsonBody(
+ "_search/scroll",
+ "{\"scroll\": \"10m\", \"scroll_id\": \"" + scrollId + "\"}",
+ new BasicHeader(HEADER_NAME_IMPERSONATE, USER_KIRK)
+ );
+
+ scrollResponse.assertStatusCode(200);
+ }
+ }
 }
diff --git a/src/main/java/org/opensearch/security/user/User.java b/src/main/java/org/opensearch/security/user/User.java
index aa9c09a469..6abba3d734 100644
--- a/src/main/java/org/opensearch/security/user/User.java
+++ b/src/main/java/org/opensearch/security/user/User.java
@@ -229,7 +229,7 @@ public final boolean equals(final Object obj) {
 if (obj == null) {
 return false;
 }
- if (getClass() != obj.getClass()) {
+ if (!(obj instanceof User)) {
 return false;
 }
 final User other = (User) obj;

From 40192383a809ecb91849b7e044c5db0f58dd32f4 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Wed, 13 Dec 2023 11:34:34 -0500
Subject: [PATCH 2/2] Change BasicHeader import
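Review bot: The new test pins only the positive path — kirk creates the scroll and `ADMIN_USER` resumes it while impersonating kirk — so it would still pass if the `User.equals` change in the second file let any caller resume another user's scroll; a companion assertion that `ADMIN_USER` without the `HEADER_NAME_IMPERSONATE` header (or a different LDAP user) gets a non-200 on `_search/scroll` with the same `scrollId` would guard the ownership check the fix relies on. `List backendRoles` is a raw type; if `getTextArrayFromJsonBody` returns `List<String>`, declare it as `List<String> backendRoles = authinfo.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES);`. The `movies` index created in the first block is never removed, so a later test in this class that creates the same index would presumably fail its `assertStatusCode(200)` on the PUT; deleting it in a `finally` or an `@After` would keep the class order-independent.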
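Review bot: Replacing `getClass() != obj.getClass()` with `!(obj instanceof User)` makes an instance of any `User` subclass equal to a plain `User` with the same compared fields, which is presumably what lets a scroll opened by an LDAP-backed user be resumed; because `equals` is declared `final` the relation stays symmetric, but `hashCode` (outside this hunk) must be derived from exactly the fields compared after the `final User other = (User) obj;` cast, otherwise equal objects of different concrete classes can hash differently and break map and set lookups. Any state a subclass adds is now ignored by equality, and that should be stated at the guard, e.g. `// Intentionally class-agnostic: subclass instances (e.g. LDAP-backed users) must equal a User with the same identity; subclass-only state is not part of equality.`. The fields that are actually compared sit outside the hunk, so this is inferred from the visible guard alone.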
Signed-off-by: Craig Perkins
---
 .../org/opensearch/security/http/LdapAuthenticationTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
index dbb1724a55..2d14b95a2a 100644
--- a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
@@ -13,7 +13,7 @@ import java.util.Map;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import org.apache.hc.core5.http.message.BasicHeader;
+import org.apache.http.message.BasicHeader;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.junit.ClassRule;