[Enterprise Search] Add .connector-secrets system index (#104766)
- Introduce new internal system index called .connector-secrets - Add GET and POST requests for connector secrets - Add permission sets for read and write connector secrets
1 parent
2743b4e
commit bed59ba
Showing
39 changed files
with
1,501 additions
and
5 deletions.
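--- a/rest-api-spec/src/main/resources/rest-api-spec/api/connector_secret.get.json
+++ b/rest-api-spec/src/main/resources/rest-api-spec/api/connector_secret.get.json
@@ -0,0 +1,28 @@
+{
+"connector_secret.get": {
+"documentation": {
+"url": null,
+"description": "Retrieves a secret stored by Connectors."
+},
+"stability": "experimental",
+"visibility":"private",
+"headers":{
+"accept": [ "application/json"]
+},
+"url":{
+"paths":[
+{
+"path":"/_connector/_secret/{id}",
+"methods":[ "GET" ],
+"parts":{
+"id":{
+"type":"string",
+"description":"The ID of the secret"
+}
+}
+}
+]
+},
+"params":{}
+}
+}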
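--- a/rest-api-spec/src/main/resources/rest-api-spec/api/connector_secret.post.json
+++ b/rest-api-spec/src/main/resources/rest-api-spec/api/connector_secret.post.json
@@ -0,0 +1,26 @@
+{
+"connector_secret.post": {
+"documentation": {
+"url": null,
+"description": "Creates a secret for a Connector."
+},
+"stability": "experimental",
+"visibility":"private",
+"headers":{
+"accept": [ "application/json" ]
+},
+"url":{
+"paths":[
+{
+"path":"/_connector/_secret",
+"methods":[ "POST" ]
+}
+]
+},
+"params":{},
+"body": {
+"description":"The secret value to store",
+"required":true
+}
+}
+}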
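Review bot: The `headers` object declares only `accept`, although this endpoint has a required JSON body. Specs for APIs that take a body normally also list the request content type, e.g. `"content_type": [ "application/json" ]` alongside `accept`, so generated clients and the YAML test runner send the right header. The body `description` could also say that the payload is an object with a `value` field, which is what the tests in this commit post.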
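--- a/x-pack/plugin/core/template-resources/src/main/resources/connector-secrets.json
+++ b/x-pack/plugin/core/template-resources/src/main/resources/connector-secrets.json
@@ -0,0 +1,26 @@
+{
+"settings": {
+"index": {
+"auto_expand_replicas": "0-1",
+"number_of_shards": 1,
+"number_of_replicas": 0,
+"priority": 100,
+"refresh_interval": "1s"
+}
+},
+"mappings": {
+"_doc" : {
+"dynamic": false,
+"_meta": {
+"version": "${connector-secrets.version}",
+"managed_index_mappings_version": ${connector-secrets.managed.index.version}
+},
+"properties": {
+"value": {
+"type": "keyword",
+"index": false
+}
+}
+}
+}
+}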
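Review bot: `value` is mapped as `keyword` with `"index": false`, but doc values stay enabled by default for keyword fields, so the secret is also written to the doc-values store and remains usable for sorting, aggregations and, in recent Elasticsearch versions, slow term queries by anyone who can read the index. If the value is only ever fetched by document id from `_source`, adding `"doc_values": false` next to `"index": false` removes that extra copy. The value is stored as plain text either way, so confidentiality rests on the system-index restrictions and the new privileges, which are defined outside this file.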
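--- a/...est/src/yamlRestTest/resources/rest-api-spec/test/entsearch/500_connector_secret_post.yml
+++ b/...est/src/yamlRestTest/resources/rest-api-spec/test/entsearch/500_connector_secret_post.yml
@@ -0,0 +1,55 @@
+setup:
+- skip:
+version: " - 8.12.99"
+reason: Introduced in 8.13.0
+
+---
+'Post connector secret - admin':
+- do:
+connector_secret.post:
+body:
+value: my-secret
+- set: { id: id }
+- match: { id: $id }
+- do:
+connector_secret.get:
+id: $id
+- match: { value: my-secret }
+
+---
+'Post connector secret - authorized user':
+- skip:
+features: headers
+
+- do:
+headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" } # user
+connector_secret.post:
+body:
+value: my-secret
+- set: { id: id }
+- match: { id: $id }
+- do:
+headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" } # user
+connector_secret.get:
+id: $id
+- match: { value: my-secret }
+
+---
+'Post connector secret - unauthorized user':
+- skip:
+features: headers
+
+- do:
+headers: { Authorization: "Basic ZW50c2VhcmNoLXVucHJpdmlsZWdlZDplbnRzZWFyY2gtdW5wcml2aWxlZ2VkLXVzZXI=" } # unprivileged
+connector_secret.post:
+body:
+value: my-secret
+catch: unauthorized
+
+---
+'Post connector secret when id is missing should fail':
+- do:
+connector_secret.post:
+body:
+value: null
+catch: bad_request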
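Review bot: The 'Post connector secret - unauthorized user' case may be passing on an authentication failure rather than on the missing privilege. The `# unprivileged` Basic header decodes to a password ending in `-user`, while the `# user` header decodes to one ending in `-password`; the test cluster's user definitions are not on this page, so confirm that the credential is actually valid. If the user authenticates and merely lacks the new connector-secret privileges, the expected result would be a 403, i.e. `catch: forbidden`, and asserting that is what proves the permission sets gate the endpoint. The same header and `catch: unauthorized` appear in 'Get connector secret - user without privileges' in 510_connector_secret_get.yml. Separately, 'Post connector secret when id is missing should fail' sends `value: null`, so a name such as 'Post connector secret with null value should fail' would match what it checks.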
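--- a/...rest/src/yamlRestTest/resources/rest-api-spec/test/entsearch/510_connector_secret_get.yml
+++ b/...rest/src/yamlRestTest/resources/rest-api-spec/test/entsearch/510_connector_secret_get.yml
@@ -0,0 +1,60 @@
+setup:
+- skip:
+version: " - 8.12.99"
+reason: Introduced in 8.13.0
+
+---
+'Get connector secret - admin':
+- do:
+connector_secret.post:
+body:
+value: my-secret
+- set: { id: id }
+- match: { id: $id }
+- do:
+connector_secret.get:
+id: $id
+- match: { value: my-secret }
+
+---
+'Get connector secret - user with privileges':
+- skip:
+features: headers
+
+- do:
+headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" } # user
+connector_secret.post:
+body:
+value: my-secret
+- set: { id: id }
+- match: { id: $id }
+- do:
+headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" } # user
+connector_secret.get:
+id: $id
+- match: { value: my-secret }
+
+---
+'Get connector secret - user without privileges':
+- skip:
+features: headers
+
+- do:
+headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" } # user
+connector_secret.post:
+body:
+value: my-secret
+- set: { id: id }
+- match: { id: $id }
+- do:
+headers: { Authorization: "Basic ZW50c2VhcmNoLXVucHJpdmlsZWdlZDplbnRzZWFyY2gtdW5wcml2aWxlZ2VkLXVzZXI=" } # unprivileged
+connector_secret.get:
+id: $id
+catch: unauthorized
+
+---
+'Get connector secret - Missing secret id':
+- do:
+connector_secret.get:
+id: non-existing-secret-id
+catch: missing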
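--- a/...rc/javaRestTest/java/org/elasticsearch/xpack/entsearch/ConnectorSecretsSystemIndexIT.java
+++ b/...rc/javaRestTest/java/org/elasticsearch/xpack/entsearch/ConnectorSecretsSystemIndexIT.java
@@ -0,0 +1,94 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+package org.elasticsearch.xpack.entsearch;
+
+import org.apache.http.util.EntityUtils;
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.bytes.BytesReference;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.common.xcontent.XContentHelper;
+import org.elasticsearch.test.SecuritySettingsSourceField;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.elasticsearch.xcontent.XContentBuilder;
+import org.elasticsearch.xcontent.XContentType;
+import org.elasticsearch.xcontent.json.JsonXContent;
+
+import java.io.IOException;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.is;
+
+public class ConnectorSecretsSystemIndexIT extends ESRestTestCase {
+
+static final String BASIC_AUTH_VALUE = basicAuthHeaderValue(
+"x_pack_rest_user",
+SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING
+);
+
+@Override
+protected Settings restClientSettings() {
+return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", BASIC_AUTH_VALUE).build();
+}
+
+public void testConnectorSecretsCRUD() throws Exception {
+// post secret
+final String secretJson = getPostSecretJson();
+Request postRequest = new Request("POST", "/_connector/_secret/");
+postRequest.setJsonEntity(secretJson);
+Response postResponse = client().performRequest(postRequest);
+assertThat(postResponse.getStatusLine().getStatusCode(), is(200));
+Map<String, Object> responseMap = getResponseMap(postResponse);
+assertThat(responseMap.size(), is(1));
+assertTrue(responseMap.containsKey("id"));
+final String id = responseMap.get("id").toString();
+
+// get secret
+Request getRequest = new Request("GET", "/_connector/_secret/" + id);
+Response getResponse = client().performRequest(getRequest);
+assertThat(getResponse.getStatusLine().getStatusCode(), is(200));
+responseMap = getResponseMap(getResponse);
+assertThat(responseMap.size(), is(2));
+assertTrue(responseMap.containsKey("id"));
+assertTrue(responseMap.containsKey("value"));
+assertThat(responseMap.get("value"), is("test secret"));
+}
+
+public void testPostInvalidSecretBody() throws Exception {
+Request postRequest = new Request("POST", "/_connector/_secret/");
+postRequest.setJsonEntity("""
+{"something":"else"}""");
+ResponseException re = expectThrows(ResponseException.class, () -> client().performRequest(postRequest));
+Response getResponse = re.getResponse();
+assertThat(getResponse.getStatusLine().getStatusCode(), is(400));
+}
+
+public void testGetNonExistingSecret() {
+Request getRequest = new Request("GET", "/_connector/_secret/123");
+ResponseException re = expectThrows(ResponseException.class, () -> client().performRequest(getRequest));
+Response getResponse = re.getResponse();
+assertThat(getResponse.getStatusLine().getStatusCode(), is(404));
+}
+
+private String getPostSecretJson() throws IOException {
+try (XContentBuilder builder = JsonXContent.contentBuilder()) {
+builder.startObject();
+{
+builder.field("value", "test secret");
+}
+builder.endObject();
+return BytesReference.bytes(builder).utf8ToString();
+}
+}
+
+private Map<String, Object> getResponseMap(Response response) throws IOException {
+return XContentHelper.convertToMap(XContentType.JSON.xContent(), EntityUtils.toString(response.getEntity()), false);
+}
+}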
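Review bot: Nothing in this class checks that `.connector-secrets` is protected as a system index, although the class name suggests it; every request goes through `/_connector/_secret` as `x_pack_rest_user`. Since the index holds secret values, a test that addresses the index directly and asserts the outcome the system-index descriptor is meant to enforce would pin that property; the descriptor is not in this section, so the expected status has to be taken from it. In `testConnectorSecretsCRUD` the GET assertions only check that `id` is present; adding `assertThat(responseMap.get("id"), is(id));` would also verify that the right document came back. The method covers only create and read, so a name like `testConnectorSecretsCreateAndGet` would describe it more accurately.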