Adds test to verify that index-template update is a cluster level per…

…mission

Signed-off-by: Darshit Chanpura <[email protected]>

src/test/java/org/opensearch/security/IndexTemplateClusterPermissionsCheckTest.java

@@ -0,0 +1,52 @@
+
+
+/*
+     * Copyright OpenSearch Contributors
+     *
+     * Licensed under the Apache License, Version 2.0 (the \"License\").
+     * You may not use this file except in compliance with the License.
+     * A copy of the License is located at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * or in the \"license\" file accompanying this file. This file is distributed
+     * on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+     * express or implied. See the License for the specific language governing
+     * permissions and limitations under the License.
+     */
+
+package org.opensearch.security;
+
+import org.apache.http.HttpStatus;
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.opensearch.security.test.SingleClusterTest;
+import org.opensearch.security.test.helper.rest.RestHelper;
+import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
+
+public class IndexTemplateClusterPermissionsCheckTest extends SingleClusterTest{
+        public String getIndexTemplateBody() {
+            return "{ \"index_patterns\": [\"sem1234*\"], \"template\": { \"settings\": { \"number_of_shards\": 2, \"number_of_replicas\": 1 }, \"mappings\": { \"properties\": { \"timestamp\": { \"type\": \"date\", \"format\": \"yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis\" }, \"value\": { \"type\": \"double\" } } } } }";
+        }
+
+        @Test
+        public void testPutIndexTemplate() throws Exception {
+            setup();
+            RestHelper rh = nonSslRestHelper();
+            HttpResponse response;
+
+            String expectedFailureResponse = "{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:admin/index_template/put] and User [name=ds3, backend_roles=[], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:admin/index_template/put] and User [name=ds3, backend_roles=[], requestedTenant=null]\"},\"status\":403}";
+
+            // should fail, as `ds3` user doesn't have correct permissions
+            response = rh.executePutRequest("/_index_template/sem1234", getIndexTemplateBody(), encodeBasicHeader("ds3", "nagilum"));
+            Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+            Assert.assertEquals(expectedFailureResponse, response.getBody());
+
+            // should pass, as `sem-user` user has correct permissions
+            response = rh.executePutRequest("/_index_template/sem1234", getIndexTemplateBody(), encodeBasicHeader("sem-user", "nagilum"));
+            Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
+        }
+
+
+    }

src/test/resources/internal_users.yml

@@ -350,3 +350,6 @@ hidden_test:
   hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
   opendistro_security_roles:
   - hidden_test
+sem-user:
+  hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
+  #password is: nagilum

src/test/resources/roles.yml

@@ -1137,3 +1137,14 @@ hidden_test:
     - hidden_test_not_hidden
     allowed_actions:
     - "*"
+
+sem-role:
+  reserved: true
+  hidden: false
+  description: "Migrated from v6 (all types mapped)"
+  cluster_permissions: [ "cluster_monitor", "indices:admin/index_template/put" ]
+  index_permissions:
+    - index_patterns:
+        - "sem*"
+      allowed_actions:
+        - "*"

src/test/resources/roles_mapping.yml

@@ -413,3 +413,8 @@ data_stream_3:
   hidden: false
   users:
     - "ds3"
+sem-role:
+  reserved: false
+  hidden: false
+  users:
+    - "sem-user"