/* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the "Elastic License * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side * Public License v 1"; you may not use this file except in compliance with, at * your election, the "Elastic License 2.0", the "GNU Affero General Public * License v3.0 only", or the "Server Side Public License, v 1". */ package org.elasticsearch.example; import org.elasticsearch.action.search.SearchRequest; import org.elasticsearch.action.support.PlainActionFuture; import org.elasticsearch.action.support.SubscribableListener; import org.elasticsearch.cluster.metadata.IndexMetadata; import org.elasticsearch.cluster.metadata.ProjectMetadata; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.IndexVersion; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.transport.AbstractTransportRequest; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationResult; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.IndexAuthorizationResult; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; import org.elasticsearch.xpack.core.security.authz.ResolvedIndices; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; import org.elasticsearch.xpack.core.security.user.User; import java.util.Collections; import static org.hamcrest.Matchers.is; /** * Unit tests for the custom authorization engine. These are basic tests that validate the * engine's functionality outside of being used by the AuthorizationService */ public class CustomAuthorizationEngineTests extends ESTestCase { public void testGetAuthorizationInfo() { PlainActionFuture future = new PlainActionFuture<>(); CustomAuthorizationEngine engine = new CustomAuthorizationEngine(); engine.resolveAuthorizationInfo(getRequestInfo(), future); assertNotNull(future.actionGet()); } public void testAuthorizeRunAs() { final String action = "cluster:monitor/foo"; final TransportRequest request = new AbstractTransportRequest() { }; CustomAuthorizationEngine engine = new CustomAuthorizationEngine(); // unauthorized { Authentication authentication = Authentication.newRealmAuthentication( new User("bar", "not_superuser"), new RealmRef("test", "test", "node") ).runAs(new User("joe", "custom_superuser"), new RealmRef("test", "test", "node")); RequestInfo info = new RequestInfo(authentication, request, action, null); PlainActionFuture future = new PlainActionFuture<>(); engine.resolveAuthorizationInfo(info, future); AuthorizationInfo authzInfo = future.actionGet(); PlainActionFuture resultFuture = new PlainActionFuture<>(); engine.authorizeRunAs(info, authzInfo, resultFuture); AuthorizationResult result = resultFuture.actionGet(); assertThat(result.isGranted(), is(false)); } // authorized { Authentication authentication = Authentication.newRealmAuthentication( new User("bar", "custom_superuser"), new RealmRef("test", "test", "node") ).runAs(new User("joe", "not_superuser"), new RealmRef("test", "test", "node")); RequestInfo info = new RequestInfo(authentication, request, action, null); PlainActionFuture future = new PlainActionFuture<>(); engine.resolveAuthorizationInfo(info, future); AuthorizationInfo authzInfo = future.actionGet(); PlainActionFuture resultFuture = new PlainActionFuture<>(); engine.authorizeRunAs(info, authzInfo, resultFuture); AuthorizationResult result = resultFuture.actionGet(); assertThat(result.isGranted(), is(true)); } } public void testAuthorizeClusterAction() { CustomAuthorizationEngine engine = new CustomAuthorizationEngine(); RequestInfo requestInfo = getRequestInfo(); // authorized { PlainActionFuture future = new PlainActionFuture<>(); engine.resolveAuthorizationInfo(requestInfo, future); AuthorizationInfo authzInfo = future.actionGet(); PlainActionFuture resultFuture = new PlainActionFuture<>(); engine.authorizeClusterAction(requestInfo, authzInfo, resultFuture); AuthorizationResult result = resultFuture.actionGet(); assertThat(result.isGranted(), is(true)); } // unauthorized { RequestInfo unauthReqInfo = new RequestInfo( Authentication.newRealmAuthentication(new User("joe", "not_superuser"), new RealmRef("test", "test", "node")), requestInfo.getRequest(), requestInfo.getAction(), null ); PlainActionFuture future = new PlainActionFuture<>(); engine.resolveAuthorizationInfo(unauthReqInfo, future); AuthorizationInfo authzInfo = future.actionGet(); PlainActionFuture resultFuture = new PlainActionFuture<>(); engine.authorizeClusterAction(unauthReqInfo, authzInfo, resultFuture); AuthorizationResult result = resultFuture.actionGet(); assertThat(result.isGranted(), is(false)); } } public void testAuthorizeIndexAction() { CustomAuthorizationEngine engine = new CustomAuthorizationEngine(); ProjectMetadata project = ProjectMetadata.builder(randomProjectIdOrDefault()) .put( IndexMetadata.builder("index") .settings(Settings.builder().put("index.version.created", IndexVersion.current())) .numberOfShards(1) .numberOfReplicas(0) .build(), false ) .build(); // authorized { RequestInfo requestInfo = new RequestInfo( Authentication.newRealmAuthentication(new User("joe", "custom_superuser"), new RealmRef("test", "test", "node")), new SearchRequest(), "indices:data/read/search", null ); PlainActionFuture future = new PlainActionFuture<>(); engine.resolveAuthorizationInfo(requestInfo, future); AuthorizationInfo authzInfo = future.actionGet(); final SubscribableListener resultListener = engine.authorizeIndexAction( requestInfo, authzInfo, () -> SubscribableListener.newSucceeded(new ResolvedIndices(Collections.singletonList("index"), Collections.emptyList())), project ); IndexAuthorizationResult result = safeAwait(resultListener); assertThat(result.isGranted(), is(true)); IndicesAccessControl indicesAccessControl = result.getIndicesAccessControl(); assertNotNull(indicesAccessControl.getIndexPermissions("index")); } // unauthorized { RequestInfo requestInfo = new RequestInfo( Authentication.newRealmAuthentication(new User("joe", "not_superuser"), new RealmRef("test", "test", "node")), new SearchRequest(), "indices:data/read/search", null ); PlainActionFuture future = new PlainActionFuture<>(); engine.resolveAuthorizationInfo(requestInfo, future); AuthorizationInfo authzInfo = future.actionGet(); final SubscribableListener resultListener = engine.authorizeIndexAction( requestInfo, authzInfo, () -> SubscribableListener.newSucceeded(new ResolvedIndices(Collections.singletonList("index"), Collections.emptyList())), project ); IndexAuthorizationResult result = safeAwait(resultListener); assertThat(result.isGranted(), is(false)); IndicesAccessControl indicesAccessControl = result.getIndicesAccessControl(); assertNull(indicesAccessControl.getIndexPermissions("index")); } } private RequestInfo getRequestInfo() { final String action = "cluster:monitor/foo"; final TransportRequest request = new AbstractTransportRequest() { }; final Authentication authentication = Authentication.newRealmAuthentication( new User("joe", "custom_superuser"), new RealmRef("test", "test", "node") ); return new RequestInfo(authentication, request, action, null); } }