address feedback to add more tests

Author: ywangd

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Subject.java

@@ -175,7 +175,8 @@ private Map<String, Object> getRoleDescriptorMap(String key) {
 
     // This following fixed role descriptor is for fleet-server BWC on and before 7.14.
     // It is fixed and must NOT be updated when the fleet-server service account updates.
-    private static final BytesArray FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14 = new BytesArray(
+    // Package private for testing
+    static final BytesArray FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14 = new BytesArray(
         "{\"elastic/fleet-server\":{\"cluster\":[\"monitor\",\"manage_own_api_key\"],"
             + "\"indices\":[{\"names\":[\"logs-*\",\"metrics-*\",\"traces-*\",\"synthetics-*\","
             + "\".logs-endpoint.diagnostic.collection-*\"],"

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java

@@ -8,13 +8,20 @@
 package org.elasticsearch.xpack.core.security.authc;
 
 import org.elasticsearch.Version;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.ArrayUtils;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.VersionUtils;
+import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.ApiKeyRoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.BwcApiKeyRoleReference;
+import org.elasticsearch.xpack.core.security.authz.store.RoleReference.NamedRoleReference;
+import org.elasticsearch.xpack.core.security.authz.store.RoleReference.ServiceAccountRoleReference;
+import org.elasticsearch.xpack.core.security.user.AnonymousUser;
 import org.elasticsearch.xpack.core.security.user.User;
 
 import java.util.Arrays;
@@ -27,12 +34,71 @@
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_REALM_NAME;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_REALM_TYPE;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY;
+import static org.elasticsearch.xpack.core.security.authc.Subject.FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14;
+import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.isA;
 
 public class SubjectTests extends ESTestCase {
 
+    public void testGetRoleReferencesForRegularUser() {
+        final User user = new User("joe", "role_a", "role_b");
+        final Subject subject = new Subject(
+            user,
+            new Authentication.RealmRef(randomAlphaOfLength(5), randomAlphaOfLength(5), "node"),
+            Version.CURRENT,
+            Map.of()
+        );
+
+        final AnonymousUser anonymousUser = randomFrom(getAnonymousUser(), null);
+
+        final List<RoleReference> roleReferences = subject.getRoleReferences(anonymousUser);
+        assertThat(roleReferences, hasSize(1));
+        assertThat(roleReferences.get(0), instanceOf(NamedRoleReference.class));
+        final NamedRoleReference namedRoleReference = (NamedRoleReference) roleReferences.get(0);
+        assertThat(
+            namedRoleReference.getRoleNames(),
+            arrayContaining(ArrayUtils.concat(user.roles(), anonymousUser == null ? Strings.EMPTY_ARRAY : anonymousUser.roles()))
+        );
+    }
+
+    public void testGetRoleReferencesForAnonymousUser() {
+        final AnonymousUser anonymousUser = getAnonymousUser();
+
+        final Subject subject = new Subject(
+            anonymousUser,
+            new Authentication.RealmRef(randomAlphaOfLength(5), randomAlphaOfLength(5), "node"),
+            Version.CURRENT,
+            Map.of()
+        );
+
+        final List<RoleReference> roleReferences = subject.getRoleReferences(anonymousUser);
+        assertThat(roleReferences, hasSize(1));
+        assertThat(roleReferences.get(0), instanceOf(NamedRoleReference.class));
+        final NamedRoleReference namedRoleReference = (NamedRoleReference) roleReferences.get(0);
+        // Anonymous roles do not get applied again
+        assertThat(namedRoleReference.getRoleNames(), equalTo(anonymousUser.roles()));
+    }
+
+    public void testGetRoleReferencesForServiceAccount() {
+        final User serviceUser = new User(randomAlphaOfLength(5) + "/" + randomAlphaOfLength(5));
+        final Subject subject = new Subject(
+            serviceUser,
+            new Authentication.RealmRef(ServiceAccountSettings.REALM_NAME, ServiceAccountSettings.REALM_TYPE, "node"),
+            Version.CURRENT,
+            Map.of()
+        );
+
+        final List<RoleReference> roleReferences = subject.getRoleReferences(getAnonymousUser());
+        assertThat(roleReferences, hasSize(1));
+        assertThat(roleReferences.get(0), instanceOf(ServiceAccountRoleReference.class));
+        final ServiceAccountRoleReference serviceAccountRoleReference = (ServiceAccountRoleReference) roleReferences.get(0);
+        assertThat(serviceAccountRoleReference.getPrincipal(), equalTo(serviceUser.principal()));
+    }
+
     public void testGetRoleReferencesForApiKey() {
         Map<String, Object> authMetadata = new HashMap<>();
         final String apiKeyId = randomAlphaOfLength(12);
@@ -56,7 +122,7 @@ public void testGetRoleReferencesForApiKey() {
             authMetadata
         );
 
-        final List<RoleReference> roleReferences = subject.getRoleReferences(null);
+        final List<RoleReference> roleReferences = subject.getRoleReferences(getAnonymousUser());
         if (emptyRoleBytes) {
             assertThat(roleReferences, contains(isA(ApiKeyRoleReference.class)));
             final ApiKeyRoleReference roleReference = (ApiKeyRoleReference) roleReferences.get(0);
@@ -98,7 +164,7 @@ public void testGetRoleReferencesForApiKeyBwc() {
             authMetadata
         );
 
-        final List<RoleReference> roleReferences = subject.getRoleReferences(null);
+        final List<RoleReference> roleReferences = subject.getRoleReferences(getAnonymousUser());
 
         if (emptyApiKeyRoleDescriptor) {
             assertThat(roleReferences, contains(isA(BwcApiKeyRoleReference.class)));
@@ -117,4 +183,35 @@ public void testGetRoleReferencesForApiKeyBwc() {
         }
     }
 
+    public void testGetFleetApiKeyRoleReferenceBwcBugFix() {
+        final BytesReference roleBytes = new BytesArray("{\"a role\": {\"cluster\": [\"all\"]}}");
+        final BytesReference limitedByRoleBytes = new BytesArray("{}");
+        final Subject subject = new Subject(
+            new User("elastic/fleet-server"),
+            new Authentication.RealmRef(API_KEY_REALM_NAME, API_KEY_REALM_TYPE, "node"),
+            Version.CURRENT,
+            Map.of(
+                AuthenticationField.API_KEY_CREATOR_REALM_NAME,
+                ServiceAccountSettings.REALM_NAME,
+                AuthenticationField.API_KEY_ID_KEY,
+                randomAlphaOfLength(20),
+                AuthenticationField.API_KEY_NAME_KEY,
+                randomAlphaOfLength(12),
+                AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY,
+                roleBytes,
+                AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY,
+                limitedByRoleBytes
+            )
+        );
+
+        final List<RoleReference> roleReferences = subject.getRoleReferences(getAnonymousUser());
+        assertThat(roleReferences, contains(isA(ApiKeyRoleReference.class), isA(ApiKeyRoleReference.class)));
+        final ApiKeyRoleReference limitedByRoleReference = (ApiKeyRoleReference) roleReferences.get(1);
+        assertThat(limitedByRoleReference.getRoleDescriptorsBytes(), equalTo(FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14));
+    }
+
+    private AnonymousUser getAnonymousUser() {
+        final List<String> anonymousRoles = randomList(0, 2, () -> "role_anonymous_" + randomAlphaOfLength(8));
+        return new AnonymousUser(Settings.builder().putList("xpack.security.authc.anonymous.roles", anonymousRoles).build());
+    }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/RoleReferenceTests.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.authz.store;
+
+import org.elasticsearch.common.bytes.BytesArray;
+import org.elasticsearch.common.hash.MessageDigests;
+import org.elasticsearch.test.ESTestCase;
+
+import java.util.Set;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.is;
+
+public class RoleReferenceTests extends ESTestCase {
+
+    public void testNamedRoleReference() {
+        final String[] roleNames = randomArray(0, 2, String[]::new, () -> randomAlphaOfLength(8));
+
+        final boolean hasSuperUserRole = roleNames.length > 0 && randomBoolean();
+        if (hasSuperUserRole) {
+            roleNames[randomIntBetween(0, roleNames.length - 1)] = "superuser";
+        }
+        final RoleReference.NamedRoleReference namedRoleReference = new RoleReference.NamedRoleReference(roleNames);
+
+        if (hasSuperUserRole) {
+            assertThat(namedRoleReference.id(), is(RoleKey.ROLE_KEY_SUPERUSER));
+        } else if (roleNames.length == 0) {
+            assertThat(namedRoleReference.id(), is(RoleKey.ROLE_KEY_EMPTY));
+        } else {
+            final RoleKey roleKey = namedRoleReference.id();
+            assertThat(roleKey.getNames(), equalTo(Set.of(roleNames)));
+            assertThat(roleKey.getSource(), equalTo(RoleKey.ROLES_STORE_SOURCE));
+        }
+    }
+
+    public void testApiKeyRoleReference() {
+        final String apiKeyId = randomAlphaOfLength(20);
+        final BytesArray roleDescriptorsBytes = new BytesArray(randomAlphaOfLength(50));
+        final String roleKeySource = randomAlphaOfLength(8);
+        final RoleReference.ApiKeyRoleReference apiKeyRoleReference = new RoleReference.ApiKeyRoleReference(
+            apiKeyId,
+            roleDescriptorsBytes,
+            roleKeySource
+        );
+
+        final RoleKey roleKey = apiKeyRoleReference.id();
+        assertThat(
+            roleKey.getNames(),
+            hasItem("apikey:" + MessageDigests.toHexString(MessageDigests.digest(roleDescriptorsBytes, MessageDigests.sha256())))
+        );
+        assertThat(roleKey.getSource(), equalTo(roleKeySource));
+    }
+
+    public void testServiceAccountRoleReference() {
+        final String principal = randomAlphaOfLength(8) + "/" + randomAlphaOfLength(8);
+        final RoleReference.ServiceAccountRoleReference serviceAccountRoleReference = new RoleReference.ServiceAccountRoleReference(
+            principal
+        );
+        final RoleKey roleKey = serviceAccountRoleReference.id();
+        assertThat(roleKey.getNames(), hasItem(principal));
+        assertThat(roleKey.getSource(), equalTo("service_account"));
+    }
+}