Skip to content

Add Integration Test to confirm Core Change to Fix Search template request Auth #2921

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
willyborankin merged 10 commits into from
Aug 16, 2023
Merged

Add Integration Test to confirm Core Change to Fix Search template request Auth #2921

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
0122b60
fix search template auth to allow for search template requests on ind…
derek-ho Jun 29, 2023
24aa368
fix and add tests
derek-ho Jun 29, 2023
b640386
spotless
derek-ho Jun 29, 2023
445835d
Merge branch 'opensearch-project:main' into fix-search-template
derek-ho Jun 30, 2023
bbb1b86
revert PR to only be tests
derek-ho Aug 9, 2023
e78def3
add tests for other situations
derek-ho Aug 9, 2023
387f1a6
spotless
derek-ho Aug 9, 2023
c4a3d5d
extract query to a constant
derek-ho Aug 9, 2023
4e78c8d
Merge branch 'main' of github.com:opensearch-project/security into fi…
derek-ho Aug 15, 2023
f3e5d46
update integration tests
derek-ho Aug 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import org.junit.Test;
import org.junit.runner.RunWith;

import org.opensearch.script.mustache.MustacheModulePlugin;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.TestSecurityConfig.Role;
import org.opensearch.test.framework.cluster.ClusterManager;
Expand Down Expand Up @@ -44,10 +45,15 @@ public class PrivilegesEvaluatorTest {
new Role("negated_regex_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("cluster_composite_ops")
);

protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template")
Copy link
Member

@cwperks cwperks Jun 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @derek-ho ! This change looks good to me. I only have one concern about breaking existing roles that are unknowingly working with the bug in place, but since it is a bug fix I think its alright to provide documentation on how to update a role to make it so that SearchTemplateRequests are working properly. I also think it is worthwhile to modify the cluster_composite_ops_ro static action group to include search template and msearch template.

To be clear, the role below allows SearchTemplateRequests to work even with the bug in place:

search_all:
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"

and after this change the role would need to be changed to:

search_all:
  cluster_permissions:
    - "indices:data/read/search/template" or "cluster_composite_ops_ro" <- action group containing the underlying cluster perm
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"

With the bug in place the following role would not permit search template requests to work properly

logs_search:
  index_permissions:
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - "read"

but that would be achievable now with the following role definition:

logs_search:
  cluster_permissions:
    - "indices:data/read/search/template"
  index_permissions:
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - "read"

Copy link
Contributor

@stephen-crawford stephen-crawford Jul 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can make the change for 2.x since it will be a breaking change. While it is an edge case, I don't think it matters if it is for a bug fix or not. Unless I am mistaken, semantic versioning would dictate we wait until 3.0 to make this available.

Copy link
Member

@cwperks cwperks Aug 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you remove the clusterPermissions section for this role?

);

@ClassRule
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
.plugin(MustacheModulePlugin.class)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE)
.build();

@Test
Expand All @@ -68,4 +74,17 @@ public void testRegexPattern() throws Exception {
}

}

@Test
public void testSearchTemplateRequest() {
Copy link
Collaborator Author

@derek-ho derek-ho Jun 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before adding search template into isClusterPerm function this would fail since it would come back with a 403 response code

try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
assertThat(
client.getWithJsonBody(
"r*/_search/template",
"{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
).getStatusCode(),
equalTo(HttpStatus.SC_OK)
);
}
}
}
4 changes: 2 additions & 2 deletions src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@
import org.opensearch.core.common.Strings;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.index.reindex.ReindexAction;
import org.opensearch.script.mustache.SearchTemplateAction;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.configuration.ClusterInfoHolder;
import org.opensearch.security.configuration.ConfigurationRepository;
Expand Down Expand Up @@ -671,8 +672,7 @@ public static boolean isClusterPerm(String action0) {
|| (action0.startsWith(MultiSearchAction.NAME))
|| (action0.equals(MultiTermVectorsAction.NAME))
|| (action0.equals(ReindexAction.NAME))

);
|| (action0.equals(SearchTemplateAction.NAME)));
}

@SuppressWarnings("unchecked")
Expand Down
2 changes: 2 additions & 0 deletions src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,13 @@ public void testClusterPerm() {
String writeIndex = "indices:data/write/reindex";
String adminClose = "indices:admin/close";
String monitorUpgrade = "indices:monitor/upgrade";
String searchTemplate = "indices:data/read/search/template";

// Cluster Permissions
assertTrue(isClusterPerm(multiSearchTemplate));
assertTrue(isClusterPerm(writeIndex));
assertTrue(isClusterPerm(monitorHealth));
assertTrue(isClusterPerm(searchTemplate));

// Index Permissions
assertFalse(isClusterPerm(adminClose));
Expand Down