diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageRolesPrivilegesTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageRolesPrivilegesTests.java index 5ac3787a99d8a..b54567cee45ab 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageRolesPrivilegesTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageRolesPrivilegesTests.java @@ -63,13 +63,43 @@ public void testSimplePutRoleRequest() { ); } + public void testDeleteRoleRequest() { + new ReservedRolesStore(); + { + final ManageRolesPrivilege privilege = new ManageRolesPrivilege( + List.of(new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "allowed*" }, new String[] { "manage" })) + ); + final ClusterPermission permission = privilege.buildPermission( + new ClusterPermission.Builder(new RestrictedIndices(TestRestrictedIndices.RESTRICTED_INDICES.getAutomaton())) + ).build(); + + assertAllowedDeleteIndex(permission, randomArray(1, 10, String[]::new, () -> "allowed-" + randomAlphaOfLength(5)), true); + assertAllowedDeleteIndex(permission, randomArray(1, 10, String[]::new, () -> "not-allowed-" + randomAlphaOfLength(5)), false); + assertAllowedDeleteIndex( + permission, + new String[] { "allowed-" + randomAlphaOfLength(5), "not-allowed-" + randomAlphaOfLength(5) }, + false + ); + } + { + final ManageRolesPrivilege privilege = new ManageRolesPrivilege( + List.of(new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "allowed*" }, new String[] { "read" })) + ); + final ClusterPermission permission = privilege.buildPermission( + new ClusterPermission.Builder(new RestrictedIndices(TestRestrictedIndices.RESTRICTED_INDICES.getAutomaton())) + ).build(); + assertAllowedDeleteIndex(permission, randomArray(1, 10, String[]::new, () -> "allowed-" + randomAlphaOfLength(5)), false); + } + } + public void testSeveralIndexGroupsPutRoleRequest() { new ReservedRolesStore(); final ManageRolesPrivilege privilege = new ManageRolesPrivilege( List.of( - new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "a*" }, new String[] { "read" }), - new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "b*" }, new String[] { "read" }) + new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "a*", "b*" }, new String[] { "read" }), + new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "c*" }, new String[] { "read" }), + new ManageRolesPrivilege.ManageRolesIndexPermissionGroup(new String[] { "d*" }, new String[] { "read" }) ) ); @@ -77,8 +107,9 @@ public void testSeveralIndexGroupsPutRoleRequest() { new ClusterPermission.Builder(new RestrictedIndices(TestRestrictedIndices.RESTRICTED_INDICES.getAutomaton())) ).build(); - assertAllowedIndexPatterns(permission, new String[] { "/[ab].*/" }, true); - assertAllowedIndexPatterns(permission, new String[] { "/[abc].*/" }, false); + assertAllowedIndexPatterns(permission, new String[] { "/[ab].*/" }, new String[] { "read" }, true); + // TODO Not yet supported + // assertAllowedIndexPatterns(permission, new String[] { "/[cd].*/" }, new String[] { "read" }, true); } public void testRestrictedIndexPutRoleRequest() { @@ -166,10 +197,19 @@ private static boolean permissionCheck(ClusterPermission permission, String acti } private static void assertAllowedIndexPatterns(ClusterPermission permission, String[] indexPatterns, boolean expected) { + assertAllowedIndexPatterns(permission, indexPatterns, new String[] { "index", "write", "indices:data/read" }, expected); + } + + private static void assertAllowedIndexPatterns( + ClusterPermission permission, + String[] indexPatterns, + String[] privileges, + boolean expected + ) { { final PutRoleRequest putRoleRequest = new PutRoleRequest(); putRoleRequest.name(randomAlphaOfLength(3)); - putRoleRequest.addIndex(indexPatterns, new String[] { "index", "write", "indices:data/read" }, null, null, null, false); + putRoleRequest.addIndex(indexPatterns, privileges, null, null, null, false); assertThat(permissionCheck(permission, "cluster:admin/xpack/security/role/put", putRoleRequest), is(expected)); } { @@ -179,23 +219,22 @@ private static void assertAllowedIndexPatterns(ClusterPermission permission, Str randomAlphaOfLength(3), new String[] {}, new RoleDescriptor.IndicesPrivileges[] { - RoleDescriptor.IndicesPrivileges.builder() - .indices(indexPatterns) - .privileges("read", "read_cross_cluster", "view_index_metadata") - .build() }, + RoleDescriptor.IndicesPrivileges.builder().indices(indexPatterns).privileges(privileges).build() }, new String[] {} ) ) ); assertThat(permissionCheck(permission, "cluster:admin/xpack/security/role/bulk_put", bulkPutRolesRequest), is(expected)); } - // Deletes do not contain patterns, but still need to make sure index name is within permissions + } + + private static void assertAllowedDeleteIndex(ClusterPermission permission, String[] indices, boolean expected) { { - final BulkDeleteRolesRequest bulkDeleteRolesRequest = new BulkDeleteRolesRequest(List.of(indexPatterns)); + final BulkDeleteRolesRequest bulkDeleteRolesRequest = new BulkDeleteRolesRequest(List.of(indices)); assertThat(permissionCheck(permission, "cluster:admin/xpack/security/role/bulk_delete", bulkDeleteRolesRequest), is(expected)); } { - assertThat(Arrays.stream(indexPatterns).allMatch(pattern -> { + assertThat(Arrays.stream(indices).allMatch(pattern -> { final DeleteRoleRequest deleteRolesRequest = new DeleteRoleRequest(); deleteRolesRequest.name(pattern); return permissionCheck(permission, "cluster:admin/xpack/security/role/delete", deleteRolesRequest); diff --git a/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/RolesBackwardsCompatibilityIT.java b/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/RolesBackwardsCompatibilityIT.java index 07958fe3c9161..67ba2bc809824 100644 --- a/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/RolesBackwardsCompatibilityIT.java +++ b/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/RolesBackwardsCompatibilityIT.java @@ -174,7 +174,7 @@ public void testRolesWithManageRoles() throws Exception { ); assertThat( createException.getMessage(), - containsString("failed to parse privilege. expected field name [application] but found [role] instead") + allOf(containsString("failed to parse privilege"), containsString("but found [role] instead")) ); RestClient client = client(); @@ -184,7 +184,7 @@ public void testRolesWithManageRoles() throws Exception { ); assertThat( updateException.getMessage(), - containsString("failed to parse privilege. expected field name [application] but found [role] instead") + allOf(containsString("failed to parse privilege"), containsString("but found [role] instead")) ); } case MIXED -> { @@ -206,10 +206,7 @@ public void testRolesWithManageRoles() throws Exception { ); assertThat( e.getMessage(), - allOf( - containsString("failed to parse privilege"), - containsString("expected field name [application] but found [role] instead") - ) + allOf(containsString("failed to parse privilege"), containsString("but found [role] instead")) ); } { @@ -219,7 +216,7 @@ public void testRolesWithManageRoles() throws Exception { ); assertThat( e.getMessage(), - containsString("failed to parse privilege. expected field name [application] but found [role] instead") + allOf(containsString("failed to parse privilege"), containsString("but found [role] instead")) ); }