[Refactor] Remove json-path from deps and use JsonPointer instead (op…
…ensearch-project#3262) ### Description After RFC 6901 was introduced and the implementation was added to Jackson, there is no need to keep the `com.jayway.jsonpath:json-path` library in our source code, so we can replace the current validation with Jackson's `JsonPointer` class. This change also adds the missing tests for: - `RoleRequestContentValidator` - `AuditRequestContentValidator` ### Issues Resolved opensearch-project#3245 ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Andrey Pleskach <ples@aiven.io> (cherry picked from commit 14574dd)
1 parent
1d6b5bf
commit 8372287
Showing
6 changed files
with
322 additions
and
59 deletions.
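--- a/...java/org/opensearch/security/dlic/rest/api/AuditApiActionRequestContentValidatorTest.java
+++ b/...java/org/opensearch/security/dlic/rest/api/AuditApiActionRequestContentValidatorTest.java
@@ -0,0 +1,80 @@
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+package org.opensearch.security.dlic.rest.api;
+
+import com.fasterxml.jackson.databind.InjectableValues;
+import org.junit.Test;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.core.common.bytes.BytesArray;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.auditlog.config.AuditConfig;
+import org.opensearch.security.auditlog.impl.AuditCategory;
+import org.opensearch.security.compliance.ComplianceConfig;
+import org.opensearch.security.util.FakeRestRequest;
+
+import java.io.IOException;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+
+public class AuditApiActionRequestContentValidatorTest extends AbstractApiActionValidationTest {
+
+@Test
+public void validateAuditDisabledRestCategories() throws IOException {
+InjectableValues.Std injectableValues = new InjectableValues.Std();
+injectableValues.addValue(Settings.class, Settings.EMPTY);
+DefaultObjectMapper.inject(injectableValues);
+final var auditApiActionRequestContentValidator = new AuditApiAction(clusterService, threadPool, securityApiDependencies)
+.createEndpointValidator()
+.createRequestContentValidator();
+
+final var disabledTransportCategories = AuditApiAction.AuditRequestContentValidator.DISABLED_TRANSPORT_CATEGORIES.stream()
+.map(Enum::name)
+.collect(Collectors.toList());
+final var auditConfig = new AuditConfig(
+true,
+AuditConfig.Filter.from(Map.of("disabled_rest_categories", disabledTransportCategories)),
+ComplianceConfig.DEFAULT
+);
+final var content = DefaultObjectMapper.writeValueAsString(objectMapper.valueToTree(auditConfig), false);
+var result = auditApiActionRequestContentValidator.validate(FakeRestRequest.builder().withContent(new BytesArray(content)).build());
+assertFalse(result.isValid());
+assertEquals(RestStatus.BAD_REQUEST, result.status());
+}
+
+@Test
+public void validateAuditDisabledTransportCategories() throws IOException {
+InjectableValues.Std injectableValues = new InjectableValues.Std();
+injectableValues.addValue(Settings.class, Settings.EMPTY);
+DefaultObjectMapper.inject(injectableValues);
+final var auditApiActionRequestContentValidator = new AuditApiAction(clusterService, threadPool, securityApiDependencies)
+.createEndpointValidator()
+.createRequestContentValidator();
+
+final var disabledRestCategories = Stream.of(AuditCategory.COMPLIANCE_DOC_WRITE, AuditCategory.COMPLIANCE_DOC_READ)
+.map(Enum::name)
+.collect(Collectors.toList());
+final var auditConfig = new AuditConfig(
+true,
+AuditConfig.Filter.from(Map.of("disabled_transport_categories", disabledRestCategories)),
+ComplianceConfig.DEFAULT
+);
+final var content = DefaultObjectMapper.writeValueAsString(objectMapper.valueToTree(auditConfig), false);
+var result = auditApiActionRequestContentValidator.validate(FakeRestRequest.builder().withContent(new BytesArray(content)).build());
+assertFalse(result.isValid());
+assertEquals(RestStatus.BAD_REQUEST, result.status());
+}
+}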
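Review bot: Both tests assert only `assertEquals(RestStatus.BAD_REQUEST, result.status())`, so they pass for any rejected payload and do not show that the category list was the reason for the rejection. Because this validator decides which audit categories a caller may switch off, the cause should be pinned as well by checking `result.errorMessage()`, the way the roles test in this commit does through `xContentToJsonNode(...)`. The local names are also inverted relative to the key they fill (`disabledTransportCategories` goes into `"disabled_rest_categories"`, `disabledRestCategories` into `"disabled_transport_categories"`); this looks intentional, so each test needs a one-line comment saying that it feeds categories the target filter is not expected to accept. `DefaultObjectMapper.inject(injectableValues)` appears to change shared static state and is not restored afterwards; confirm it cannot leak into other test classes.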
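--- a/...java/org/opensearch/security/dlic/rest/api/RolesApiActionRequestContentValidatorTest.java
+++ b/...java/org/opensearch/security/dlic/rest/api/RolesApiActionRequestContentValidatorTest.java
@@ -0,0 +1,179 @@
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+package org.opensearch.security.dlic.rest.api;
+
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.junit.Test;
+import org.opensearch.core.common.bytes.BytesArray;
+import org.opensearch.security.util.FakeRestRequest;
+
+import java.io.IOException;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class RolesApiActionRequestContentValidatorTest extends AbstractApiActionValidationTest {
+
+@Test
+public void doesNotValidateMaskedFields() throws IOException {
+
+final var requestContentValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies)
+.createEndpointValidator()
+.createRequestContentValidator();
+
+// no masked fields
+final var noMaskedFields = objectMapper.createObjectNode()
+.set(
+"index_permissions",
+objectMapper.createArrayNode()
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("a*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.set("allowed_actions", objectMapper.createArrayNode().add("read"))
+)
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("b*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.set("allowed_actions", objectMapper.createArrayNode().add("write"))
+)
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("c*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.set("allowed_actions", objectMapper.createArrayNode().add("read").add("write"))
+
+)
+);
+
+var result = requestContentValidator.validate(
+FakeRestRequest.builder().withContent(new BytesArray(noMaskedFields.toString())).build()
+);
+assertTrue(result.isValid());
+result = requestContentValidator.validate(
+FakeRestRequest.builder().withContent(new BytesArray(noMaskedFields.toString())).build(),
+noMaskedFields
+);
+assertTrue(result.isValid());
+}
+
+@Test
+public void validateOnlySpecifiedMaskedFields() throws IOException {
+final var requestContentValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies)
+.createEndpointValidator()
+.createRequestContentValidator();
+final var specifiedMaskedFields = objectMapper.createObjectNode()
+.set(
+"index_permissions",
+objectMapper.createArrayNode()
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("a*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.<ObjectNode>set("masked_fields", objectMapper.nullNode())
+.set("allowed_actions", objectMapper.createArrayNode().add("read"))
+)
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("b*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.set("allowed_actions", objectMapper.createArrayNode().add("write"))
+)
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("c*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("aaa::").add("bbb"))
+.set("allowed_actions", objectMapper.createArrayNode().add("read").add("write"))
+
+)
+);
+var result = requestContentValidator.validate(
+FakeRestRequest.builder().withContent(new BytesArray(specifiedMaskedFields.toString())).build()
+);
+assertFalse(result.isValid());
+var errorMessage = xContentToJsonNode(result.errorMessage());
+assertTrue(errorMessage.toString(), errorMessage.toString().contains("aaa::"));
+
+result = requestContentValidator.validate(
+FakeRestRequest.builder().withContent(new BytesArray(specifiedMaskedFields.toString())).build(),
+specifiedMaskedFields
+);
+assertFalse(result.isValid());
+errorMessage = xContentToJsonNode(result.errorMessage());
+assertTrue(errorMessage.toString(), errorMessage.toString().contains("aaa::"));
+}
+
+@Test
+public void validateAllMaskedFields() throws IOException {
+final var requestContentValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies)
+.createEndpointValidator()
+.createRequestContentValidator();
+final var invalidMaskedFields = objectMapper.createObjectNode()
+.set(
+"index_permissions",
+objectMapper.createArrayNode()
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("a*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("aaa").add("bbb"))
+.set("allowed_actions", objectMapper.createArrayNode().add("read"))
+)
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("b*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("aaa::").add("bbb::").add("ccc:::"))
+.set("allowed_actions", objectMapper.createArrayNode().add("write"))
+)
+.add(
+objectMapper.createObjectNode()
+.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("c*"))
+.put("dls", "")
+.<ObjectNode>set("fls", objectMapper.createArrayNode())
+.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("ddd::").add("eee"))
+.set("allowed_actions", objectMapper.createArrayNode().add("read").add("write"))
+
+)
+);
+var result = requestContentValidator.validate(
+FakeRestRequest.builder().withContent(new BytesArray(invalidMaskedFields.toString())).build()
+);
+assertFalse(result.isValid());
+var errorMessage = xContentToJsonNode(result.errorMessage()).toString();
+assertTrue(errorMessage, errorMessage.contains("aaa::"));
+assertTrue(errorMessage, errorMessage.contains("bbb::"));
+assertTrue(errorMessage, errorMessage.contains("ccc:::"));
+assertTrue(errorMessage, errorMessage.contains("ddd::"));
+
+result = requestContentValidator.validate(
+FakeRestRequest.builder().withContent(new BytesArray(invalidMaskedFields.toString())).build(),
+invalidMaskedFields
+);
+assertFalse(result.isValid());
+errorMessage = xContentToJsonNode(result.errorMessage()).toString();
+assertTrue(errorMessage, errorMessage.contains("aaa::"));
+assertTrue(errorMessage, errorMessage.contains("bbb::"));
+assertTrue(errorMessage, errorMessage.contains("ccc:::"));
+assertTrue(errorMessage, errorMessage.contains("ddd::"));
+}
+}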
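Review bot: The masked-field assertions in `validateOnlySpecifiedMaskedFields` and `validateAllMaskedFields` are all positive `contains(...)` checks, so a validator that reported every `masked_fields` entry as invalid would still pass them. Assuming plain names are meant to be accepted, add a negative check per test, for example `assertFalse(errorMessage.toString(), errorMessage.toString().contains("bbb"));` in the first and `assertFalse(errorMessage, errorMessage.contains("eee"));` in the second. The `objectMapper.nullNode()` value for `masked_fields` is the edge case most likely to behave differently under the new `JsonPointer` lookup, so it deserves a one-line comment saying it is deliberate. The three fixtures differ only in their `masked_fields` values; a small private helper that builds one `index_permissions` entry would make that difference visible.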