fixup! Tests

elastic · Aug 13, 2024 · 049a387 · 049a387
1 parent 548da99
commit 049a387
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 19 deletions.
diff --git a/...ava/org/elasticsearch/xpack/core/security/authz/privilege/ManageRolesPrivilegesTests.java b/...ava/org/elasticsearch/xpack/core/security/authz/privilege/ManageRolesPrivilegesTests.java
@@ -63,22 +63,53 @@ public void testSimplePutRoleRequest() {
         );
     }
 
+    public void testDeleteRoleRequest() {
+        new ReservedRolesStore();
+        {
+            final ManageRolesPrivilege privilege = new ManageRolesPrivilege(
+                List.of(new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "allowed*" }, new String[] { "manage" }))
+            );
+            final ClusterPermission permission = privilege.buildPermission(
+                new ClusterPermission.Builder(new RestrictedIndices(TestRestrictedIndices.RESTRICTED_INDICES.getAutomaton()))
+            ).build();
+
+            assertAllowedDeleteIndex(permission, randomArray(1, 10, String[]::new, () -> "allowed-" + randomAlphaOfLength(5)), true);
+            assertAllowedDeleteIndex(permission, randomArray(1, 10, String[]::new, () -> "not-allowed-" + randomAlphaOfLength(5)), false);
+            assertAllowedDeleteIndex(
+                permission,
+                new String[] { "allowed-" + randomAlphaOfLength(5), "not-allowed-" + randomAlphaOfLength(5) },
+                false
+            );
+        }
+        {
+            final ManageRolesPrivilege privilege = new ManageRolesPrivilege(
+                List.of(new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "allowed*" }, new String[] { "read" }))
+            );
+            final ClusterPermission permission = privilege.buildPermission(
+                new ClusterPermission.Builder(new RestrictedIndices(TestRestrictedIndices.RESTRICTED_INDICES.getAutomaton()))
+            ).build();
+            assertAllowedDeleteIndex(permission, randomArray(1, 10, String[]::new, () -> "allowed-" + randomAlphaOfLength(5)), false);
+        }
+    }
+
     public void testSeveralIndexGroupsPutRoleRequest() {
         new ReservedRolesStore();
 
         final ManageRolesPrivilege privilege = new ManageRolesPrivilege(
             List.of(
-                new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "a*" }, new String[] { "read" }),
-                new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "b*" }, new String[] { "read" })
+                new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "a*", "b*" }, new String[] { "read" }),
+                new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "c*" }, new String[] { "read" }),
+                new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "d*" }, new String[] { "read" })
             )
         );
 
         final ClusterPermission permission = privilege.buildPermission(
             new ClusterPermission.Builder(new RestrictedIndices(TestRestrictedIndices.RESTRICTED_INDICES.getAutomaton()))
         ).build();
 
-        assertAllowedIndexPatterns(permission, new String[] { "/[ab].*/" }, true);
-        assertAllowedIndexPatterns(permission, new String[] { "/[abc].*/" }, false);
+        assertAllowedIndexPatterns(permission, new String[] { "/[ab].*/" }, new String[] { "read" }, true);
+        // TODO Not yet supported
+        // assertAllowedIndexPatterns(permission, new String[] { "/[cd].*/" }, new String[] { "read" }, true);
     }
 
     public void testRestrictedIndexPutRoleRequest() {
@@ -166,10 +197,19 @@ private static boolean permissionCheck(ClusterPermission permission, String acti
     }
 
     private static void assertAllowedIndexPatterns(ClusterPermission permission, String[] indexPatterns, boolean expected) {
+        assertAllowedIndexPatterns(permission, indexPatterns, new String[] { "index", "write", "indices:data/read" }, expected);
+    }
+
+    private static void assertAllowedIndexPatterns(
+        ClusterPermission permission,
+        String[] indexPatterns,
+        String[] privileges,
+        boolean expected
+    ) {
         {
             final PutRoleRequest putRoleRequest = new PutRoleRequest();
             putRoleRequest.name(randomAlphaOfLength(3));
-            putRoleRequest.addIndex(indexPatterns, new String[] { "index", "write", "indices:data/read" }, null, null, null, false);
+            putRoleRequest.addIndex(indexPatterns, privileges, null, null, null, false);
             assertThat(permissionCheck(permission, "cluster:admin/xpack/security/role/put", putRoleRequest), is(expected));
         }
         {
@@ -179,23 +219,22 @@ private static void assertAllowedIndexPatterns(ClusterPermission permission, Str
                         randomAlphaOfLength(3),
                         new String[] {},
                         new RoleDescriptor.IndicesPrivileges[] {
-                            RoleDescriptor.IndicesPrivileges.builder()
-                                .indices(indexPatterns)
-                                .privileges("read", "read_cross_cluster", "view_index_metadata")
-                                .build() },
+                            RoleDescriptor.IndicesPrivileges.builder().indices(indexPatterns).privileges(privileges).build() },
                         new String[] {}
                     )
                 )
             );
             assertThat(permissionCheck(permission, "cluster:admin/xpack/security/role/bulk_put", bulkPutRolesRequest), is(expected));
         }
-        // Deletes do not contain patterns, but still need to make sure index name is within permissions
+    }
+
+    private static void assertAllowedDeleteIndex(ClusterPermission permission, String[] indices, boolean expected) {
         {
-            final BulkDeleteRolesRequest bulkDeleteRolesRequest = new BulkDeleteRolesRequest(List.of(indexPatterns));
+            final BulkDeleteRolesRequest bulkDeleteRolesRequest = new BulkDeleteRolesRequest(List.of(indices));
             assertThat(permissionCheck(permission, "cluster:admin/xpack/security/role/bulk_delete", bulkDeleteRolesRequest), is(expected));
         }
         {
-            assertThat(Arrays.stream(indexPatterns).allMatch(pattern -> {
+            assertThat(Arrays.stream(indices).allMatch(pattern -> {
                 final DeleteRoleRequest deleteRolesRequest = new DeleteRoleRequest();
                 deleteRolesRequest.name(pattern);
                 return permissionCheck(permission, "cluster:admin/xpack/security/role/delete", deleteRolesRequest);

diff --git a/...lling-upgrade/src/test/java/org/elasticsearch/upgrades/RolesBackwardsCompatibilityIT.java b/...lling-upgrade/src/test/java/org/elasticsearch/upgrades/RolesBackwardsCompatibilityIT.java
@@ -174,7 +174,7 @@ public void testRolesWithManageRoles() throws Exception {
                 );
                 assertThat(
                     createException.getMessage(),
-                    containsString("failed to parse privilege. expected field name [application] but found [role] instead")
+                    allOf(containsString("failed to parse privilege"), containsString("but found [role] instead"))
                 );
 
                 RestClient client = client();
@@ -184,7 +184,7 @@ public void testRolesWithManageRoles() throws Exception {
                 );
                 assertThat(
                     updateException.getMessage(),
-                    containsString("failed to parse privilege. expected field name [application] but found [role] instead")
+                    allOf(containsString("failed to parse privilege"), containsString("but found [role] instead"))
                 );
             }
             case MIXED -> {
@@ -206,10 +206,7 @@ public void testRolesWithManageRoles() throws Exception {
                         );
                         assertThat(
                             e.getMessage(),
-                            allOf(
-                                containsString("failed to parse privilege"),
-                                containsString("expected field name [application] but found [role] instead")
-                            )
+                            allOf(containsString("failed to parse privilege"), containsString("but found [role] instead"))
                         );
                     }
                     {
@@ -219,7 +216,7 @@ public void testRolesWithManageRoles() throws Exception {
                         );
                         assertThat(
                             e.getMessage(),
-                            containsString("failed to parse privilege. expected field name [application] but found [role] instead")
+                            allOf(containsString("failed to parse privilege"), containsString("but found [role] instead"))
                         );
                     }