diff --git a/.cspell b/.cspell index 900b6c40a..1fcd3199c 100644 --- a/.cspell +++ b/.cspell @@ -165,6 +165,7 @@ subqueries subschemas subword syserr +tcnative tdigest tenantinfo termvectors diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index d9ed81aea..13a218e29 100644 --- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml @@ -34,10 +34,10 @@ jobs: tests: snapshot - version: 2.17.0 hub: opensearchstaging - ref: '@sha256:6398c27d7560626ed6b0ba28b3d6b20b7f00c6d94abf45ad3a820f8eeb3d61a3' + ref: '@sha256:ed4274522a50228f41b50f1a7ea86e6b52fa6737072fc151b2624d22aff80d56' - version: 3.0.0 hub: opensearchstaging - ref: '@sha256:101681eea630393f8caf5987dd023a975a9656b63090a07bfdfe6ad2f73f0640' + ref: '@sha256:cab6f71b284485c44306f8f4849ad520283c2a32ece617109b38183ba29cc401' name: test-opensearch-spec (version=${{ matrix.entry.version }}, hub=${{ matrix.entry.hub || 'opensearchproject' }}, tests=${{ matrix.entry.tests || 'default' }}) runs-on: ubuntu-latest diff --git a/CHANGELOG.md b/CHANGELOG.md index a5821316f..25a085e8a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -68,6 +68,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Added `observability` namespace API specifications ([#474](https://github.com/opensearch-project/opensearch-api-specification/pull/474)) - Added support for reusing output variables as keys in payload expectations ([#471](https://github.com/opensearch-project/opensearch-api-specification/pull/471)) - Added support for running tests against Amazon OpenSearch ([#476](https://github.com/opensearch-project/opensearch-api-specification/pull/476)) +- Added API spec for security plugin ([#271](https://github.com/opensearch-project/opensearch-api-specification/pull/271)) +- Added `/_plugins/_security/api/certificates/` to API spec ([#439](https://github.com/opensearch-project/opensearch-api-specification/pull/439)) ### Changed 
@@ -111,6 +113,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Fixed `_update_by_query` with a simple term ([#451](https://github.com/opensearch-project/opensearch-api-specification/pull/451)) - Fixed `Duration` to allow for non-integers ([#479](https://github.com/opensearch-project/opensearch-api-specification/pull/479)) - Fixed accuracy of the index stats schemas ([#491](https://github.com/opensearch-project/opensearch-api-specification/pull/491)) +- Fixed security spec to add support for 400 and 403s ([#439](https://github.com/opensearch-project/opensearch-api-specification/pull/439)) ### Security diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index f41647f59..72da8905e 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -60,8 +60,6 @@ paths: x-operation-group: security.post_dashboards_info x-version-added: '1.0' description: Updates the current security-dashboards plugin configuration. - requestBody: - $ref: '#/components/requestBodies/security.post_dashboards_info' responses: '200': $ref: '#/components/responses/security.post_dashboards_info@200' @@ -101,6 +99,8 @@ paths: responses: '200': $ref: '#/components/responses/security.tenant_info@200' + '403': + $ref: '#/components/responses/security.tenant_info@403' '500': $ref: '#/components/responses/security.tenant_info@500' post: @@ -111,13 +111,15 @@ paths: responses: '200': $ref: '#/components/responses/security.tenant_info@200' + '403': + $ref: '#/components/responses/security.tenant_info@403' '500': $ref: '#/components/responses/security.tenant_info@500' /_plugins/_security/whoami: get: operationId: security.who_am_i.0 x-operation-group: security.who_am_i - x-version-added: '1.0' + x-version-added: '2.0' description: Gets the user identity related information for currently logged in user. responses: '200': 
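Review bot: After hunk @@ -60 the `security.post_dashboards_info` POST has no `requestBody` at all, yet its description still reads `Updates the current security-dashboards plugin configuration.`; a POST that "updates" something with no documented input is either under-specified or mis-described. If the server ignores any body, the description should say what the POST actually does; if it does consume one, the removed `requestBody` (whose component is deleted in hunk @@ -1203) should be restored with the correct schema rather than dropped. I cannot tell which from the spec alone, so please confirm against the plugin.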
@@ -127,7 +129,7 @@ paths: post: operationId: security.who_am_i.1 x-operation-group: security.who_am_i - x-version-added: '1.0' + x-version-added: '2.0' description: Gets the user identity related information for currently logged in user. responses: '200': @@ -145,7 +147,7 @@ paths: $ref: '#/components/responses/security.who_am_i_protected@200' '500': $ref: '#/components/responses/security.who_am_i_protected@500' - /_plugins/_security/_upgrade_check: + /_plugins/_security/api/_upgrade_check: get: operationId: security.config_upgrade_check.0 x-operation-group: security.config_upgrade_check @@ -156,7 +158,7 @@ paths: responses: '200': $ref: '#/components/responses/security.config_upgrade_check@200' - /_plugins/_security/_upgrade_perform: + /_plugins/_security/api/_upgrade_perform: post: operationId: security.config_upgrade_perform.0 x-operation-group: security.config_upgrade_perform @@ -169,6 +171,8 @@ paths: responses: '200': $ref: '#/components/responses/security.config_upgrade_perform@200' + '400': + $ref: '#/components/responses/security.config_upgrade_perform@400' /_plugins/_security/api/account: get: operationId: security.get_account_details.0 @@ -192,6 +196,8 @@ paths: responses: '200': $ref: '#/components/responses/security.change_password@200' + '403': + $ref: '#/components/responses/security.change_password@403' /_plugins/_security/api/actiongroups: get: operationId: security.get_action_groups.0 @@ -242,6 +248,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_action_group@200' + '201': + $ref: '#/components/responses/security.create_action_group@201' patch: operationId: security.patch_action_group.0 x-operation-group: security.patch_action_group 
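Review bot: The renamed `/_plugins/_security/api/_upgrade_check` and `/_plugins/_security/api/_upgrade_perform` paths now sit under the `/api/` prefix that elsewhere in this commit consistently gains a `'403'` response (allowlist, securityconfig, nodesdn, ssl), but these two still list only `'200'` (plus the new `'400'` on perform). If the same REST-API access control applies to them — likely given the prefix, but please confirm — add `'403':` / `$ref: '#/components/responses/security.config_upgrade_check@403'` and the perform counterpart, with matching component entries. The path rename is also a silent correction for anyone who generated a client from the old paths; a CHANGELOG `Fixed` line naming the old and new paths would make the break discoverable.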
@@ -272,17 +280,19 @@ paths: get: operationId: security.get_allowlist.0 x-operation-group: security.get_allowlist - x-version-added: '1.0' + x-version-added: '2.1' description: Retrieves the current list of allowed API accessible to normal user. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#access-control-for-the-api responses: '200': $ref: '#/components/responses/security.get_allowlist@200' + '403': + $ref: '#/components/responses/security.get_allowlist@403' put: operationId: security.create_allowlist.0 x-operation-group: security.create_allowlist - x-version-added: '1.0' + x-version-added: '2.1' description: Creates or replaces the allowlisted APIs. Accessible via Super Admin certificate or REST API permission. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#access-control-for-the-api @@ -291,10 +301,12 @@ paths: responses: '200': $ref: '#/components/responses/security.create_allowlist@200' + '403': + $ref: '#/components/responses/security.create_allowlist@403' patch: operationId: security.patch_allowlist.0 x-operation-group: security.patch_allowlist - x-version-added: '1.0' + x-version-added: '2.1' description: Updates the current list of allowed API accessible to normal user. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#access-control-for-the-api @@ -303,6 +315,8 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_allowlist@200' + '403': + $ref: '#/components/responses/security.patch_allowlist@403' /_plugins/_security/api/audit: get: operationId: security.get_audit_configuration.0 
@@ -386,6 +400,39 @@ paths: responses: '200': $ref: '#/components/responses/security.flush_cache@200' + /_plugins/_security/api/certificates: + get: + operationId: security.get_all_certificates.0 + x-operation-group: security.get_all_certificates + x-version-added: '2.15' + description: Retrieves the cluster security certificates. + parameters: + - $ref: '#/components/parameters/security.get_all_certificates::query.cert_type' + - $ref: '#/components/parameters/security.get_all_certificates::query.timeout' + responses: + '200': + $ref: '#/components/responses/security.get_all_certificates@200' + '403': + $ref: '#/components/responses/security.get_all_certificates@403' + '500': + $ref: '#/components/responses/security.get_all_certificates@500' + /_plugins/_security/api/certificates/{node_id}: + get: + operationId: security.get_node_certificates.0 + x-operation-group: security.get_node_certificates + x-version-added: '2.15' + description: Retrieves the given node's security certificates. + parameters: + - $ref: '#/components/parameters/security.get_node_certificates::path.node_id' + - $ref: '#/components/parameters/security.get_node_certificates::query.cert_type' + - $ref: '#/components/parameters/security.get_node_certificates::query.timeout' + responses: + '200': + $ref: '#/components/responses/security.get_node_certificates@200' + '403': + $ref: '#/components/responses/security.get_node_certificates@403' + '500': + $ref: '#/components/responses/security.get_node_certificates@500' /_plugins/_security/api/generateonbehalfoftoken: post: operationId: security.generate_obo_token.0 @@ -481,7 +528,7 @@ paths: post: operationId: security.generate_user_token.0 x-operation-group: security.generate_user_token - x-version-added: '1.0' + x-version-added: '2.7' description: Generates authorization token for the given user. parameters: - $ref: '#/components/parameters/security.generate_user_token::path.username' 
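Review bot: The description of the new `/_plugins/_security/api/certificates` operation, `Retrieves the cluster security certificates.`, is word-for-word the description of the existing `/_plugins/_security/api/ssl/certs` operation (hunk @@ -797 later in this file), so generated docs will not tell the two apart. Something like `description: Retrieves the security certificates of every node in the cluster, optionally filtered by type.` and, for the `{node_id}` path, `description: Retrieves the security certificates of a single node.` would distinguish them. Both operations take `cert_type` and `timeout` but list no `'400'`; if the server rejects an unknown type or an unparsable timeout with a 400, as the other parameterised operations in this commit document, that response is missing here — worth confirming against the plugin.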
@@ -514,6 +561,8 @@ paths: responses: '200': $ref: '#/components/responses/security.get_distinguished_names@200' + '400': + $ref: '#/components/responses/security.get_distinguished_names@400' '403': $ref: '#/components/responses/security.get_distinguished_names@403' patch: @@ -528,6 +577,8 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_distinguished_names@200' + '400': + $ref: '#/components/responses/security.patch_distinguished_names@400' '403': $ref: '#/components/responses/security.patch_distinguished_names@403' /_plugins/_security/api/nodesdn/{cluster_name}: @@ -544,6 +595,8 @@ paths: responses: '200': $ref: '#/components/responses/security.get_distinguished_name@200' + '400': + $ref: '#/components/responses/security.get_distinguished_name@400' '403': $ref: '#/components/responses/security.get_distinguished_name@403' put: @@ -560,6 +613,8 @@ paths: responses: '200': $ref: '#/components/responses/security.update_distinguished_name@200' + '400': + $ref: '#/components/responses/security.update_distinguished_name@400' '403': $ref: '#/components/responses/security.update_distinguished_name@403' patch: @@ -574,6 +629,8 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_distinguished_name@200' + '400': + $ref: '#/components/responses/security.patch_distinguished_name@400' '403': $ref: '#/components/responses/security.patch_distinguished_name@403' delete: @@ -588,6 +645,8 @@ paths: responses: '200': $ref: '#/components/responses/security.delete_distinguished_name@200' + '400': + $ref: '#/components/responses/security.delete_distinguished_name@400' '403': $ref: '#/components/responses/security.delete_distinguished_name@403' /_plugins/_security/api/permissionsinfo: @@ -653,6 +712,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_role@200' + '201': + $ref: '#/components/responses/security.create_role@201' patch: operationId: security.patch_role.0 x-operation-group: security.patch_role 
@@ -733,6 +794,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_role_mapping@200' + '201': + $ref: '#/components/responses/security.create_role_mapping@201' patch: operationId: security.patch_role_mapping.0 x-operation-group: security.patch_role_mapping @@ -765,7 +828,7 @@ paths: get: operationId: security.get_configuration.0 x-operation-group: security.get_configuration - x-version-added: '1.0' + x-version-added: '2.10' description: Returns the current Security plugin configuration in JSON format. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#get-configuration @@ -775,7 +838,7 @@ paths: patch: operationId: security.patch_configuration.0 x-operation-group: security.patch_configuration - x-version-added: '1.0' + x-version-added: '2.10' description: A PATCH call is used to update the existing configuration using the REST API. Only accessible by admins and users with rest api access and only when put or patch is enabled. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#patch-configuration @@ -784,11 +847,13 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_configuration@200' + '403': + $ref: '#/components/responses/security.patch_configuration@403' /_plugins/_security/api/securityconfig/config: put: operationId: security.update_configuration.0 x-operation-group: security.update_configuration - x-version-added: '1.0' + x-version-added: '2.10' description: Adds or updates the existing configuration using the REST API. Only accessible by admins and users with rest api access and only when put or patch is enabled. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#update-configuration 
@@ -797,11 +862,13 @@ paths: responses: '200': $ref: '#/components/responses/security.update_configuration@200' + '403': + $ref: '#/components/responses/security.update_configuration@403' /_plugins/_security/api/ssl/certs: get: operationId: security.get_certificates.0 x-operation-group: security.get_certificates - x-version-added: '1.0' + x-version-added: '2.0' description: Retrieves the cluster security certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#get-certificates @@ -810,11 +877,13 @@ paths: $ref: '#/components/responses/security.get_certificates@200' '400': $ref: '#/components/responses/security.get_certificates@400' + '403': + $ref: '#/components/responses/security.get_certificates@403' /_plugins/_security/api/ssl/http/reloadcerts: put: operationId: security.reload_http_certificates.0 x-operation-group: security.reload_http_certificates - x-version-added: '1.0' + x-version-added: '2.8' description: Reload HTTP layer communication certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#reload-http-certificates @@ -823,11 +892,13 @@ paths: $ref: '#/components/responses/security.reload_http_certificates@200' '400': $ref: '#/components/responses/security.reload_http_certificates@400' + '403': + $ref: '#/components/responses/security.reload_http_certificates@403' /_plugins/_security/api/ssl/transport/reloadcerts: put: operationId: security.reload_transport_certificates.0 x-operation-group: security.reload_transport_certificates - x-version-added: '1.0' + x-version-added: '2.8' description: Reload Transport layer communication certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates 
@@ -836,6 +907,8 @@ paths: $ref: '#/components/responses/security.reload_transport_certificates@200' '400': $ref: '#/components/responses/security.reload_transport_certificates@400' + '403': + $ref: '#/components/responses/security.reload_transport_certificates@403' /_plugins/_security/api/tenancy/config: get: operationId: security.get_tenancy_config.0 @@ -917,6 +990,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_tenant@200' + '201': + $ref: '#/components/responses/security.create_tenant@201' '400': $ref: '#/components/responses/security.create_tenant@400' patch: @@ -981,6 +1056,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_user_legacy@200' + '201': + $ref: '#/components/responses/security.create_user_legacy@201' delete: operationId: security.delete_user_legacy.0 x-operation-group: security.delete_user_legacy @@ -995,15 +1072,13 @@ paths: post: operationId: security.generate_user_token_legacy.0 x-operation-group: security.generate_user_token_legacy - x-version-added: '1.0' - description: Generates authorization token for the given user. Legacy API. + x-version-added: '2.7' + description: Generates authorization token for the given user. Legacy API. Not Implemented. parameters: - $ref: '#/components/parameters/security.generate_user_token_legacy::path.username' responses: - '200': - $ref: '#/components/responses/security.generate_user_token_legacy@200' - '400': - $ref: '#/components/responses/security.generate_user_token_legacy@400' + '501': + $ref: '#/components/responses/security.generate_user_token_legacy@501' /_plugins/_security/api/validate: get: operationId: security.validate.0 @@ -1064,9 +1139,7 @@ components: content: application/json: schema: - type: array - items: - $ref: '../schemas/security._common.yaml#/components/schemas/MultiTenancyConfig' + $ref: '../schemas/security._common.yaml#/components/schemas/MultiTenancyConfig' required: true security.create_user: content: 
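Review bot: `security.generate_user_token_legacy` is left as a live operation whose only documented response is `'501'`, so any generated client will expose a method that can never succeed; marking it `deprecated: true` next to the `Not Implemented.` description lets generators and linters flag it. The `x-version-added: '2.7'` on a not-implemented endpoint also reads oddly — if 2.7 is when the stub began returning 501, one clause in the description saying so would prevent the next reader from "fixing" it.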
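Review bot: The request body in hunk @@ -1064 changes from an array of `MultiTenancyConfig` to a single `MultiTenancyConfig` object, a wire-format change for any client generated from the previous spec; the component's name sits just above the hunk, so I cannot confirm which operation it belongs to, but neither CHANGELOG entry in this commit covers a body-shape correction. A `Fixed` line naming the operation would make the break discoverable.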
@@ -1203,12 +1276,6 @@ components: items: $ref: '../schemas/security._common.yaml#/components/schemas/PatchOperation' required: true - security.post_dashboards_info: - content: - application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/DashboardsInfo' - required: false security.update_audit_configuration: content: application/json: @@ -1225,7 +1292,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/PatchOperation' + $ref: '../schemas/security._common.yaml#/components/schemas/DistinguishedNames' responses: security.authinfo@200: content: @@ -1245,13 +1312,16 @@ components: security.cache@501: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/MethodNotImplemented' + schema: null security.change_password@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.change_password@403: + content: + application/json: + schema: null security.config_upgrade_check@200: content: application/json: 
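Review bot: The request body in hunk @@ -1225 switches from a `PatchOperation` reference to `DistinguishedNames`, while the body immediately above it in hunk @@ -1203 (`items: $ref: ...PatchOperation`) keeps JSON-patch operations; the component name is outside the hunk, so I cannot tell which operation this is, but if it is one of the `patch_*` bodies, a PATCH that takes the full document rather than a list of operations is worth confirming against the server before clients are generated from it.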
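Review bot: `schema: null` (introduced here on `security.cache@501` and `security.change_password@403`, then repeated through hunks @@ -1262 to @@ -1746) is not a Schema Object, and a Response Object without `description` lacks the one field OpenAPI 3.x requires; if these bodies are intentionally untyped, drop the `schema` key (or the whole `content` block) and add a `description:` stating the condition, e.g. `description: The caller lacks permission for this operation.` for the 403s. Replacing the `Unauthorized` and `BadRequest` references with `null` also erases the only machine-readable error shape the spec had; if those schemas were wrong, documenting the payload the plugin actually returns in one shared schema keeps client error handling typed instead of leaving every 400/403 opaque.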
@@ -1262,36 +1332,63 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/UpgradePerform' + security.config_upgrade_perform@400: + content: + application/json: + schema: null security.create_action_group@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_action_group@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.create_allowlist@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/AllowListConfig' + security.create_allowlist@403: + content: + application/json: + schema: null security.create_role@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_role@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.create_role_mapping@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_role_mapping@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.create_tenant@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' - security.create_tenant@400: + security.create_tenant@201: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + $ref: '../schemas/security._common.yaml#/components/schemas/Created' + security.create_tenant@400: + content: + application/json: + schema: null security.create_update_tenancy_config@200: content: application/json: 
@@ -1300,8 +1397,7 @@ components: security.create_update_tenancy_config@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.create_user@200: content: application/json: @@ -1312,6 +1408,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_user_legacy@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.delete_action_group@200: content: application/json: @@ -1322,11 +1423,14 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.delete_distinguished_name@400: + content: + application/json: + schema: null security.delete_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + schema: null security.delete_role@200: content: application/json: @@ -1345,8 +1449,7 @@ components: security.delete_tenant@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.delete_user@200: content: application/json: @@ -1369,9 +1472,10 @@ components: $ref: '../schemas/security._common.yaml#/components/schemas/GenerateOBOToken' security.generate_obo_token@400: content: + text/plain: + type: string application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.generate_user_token@200: content: application/json: 
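Review bot: In `security.generate_obo_token@400` the `text/plain` media type places `type: string` directly under the media type key; `type` is not a Media Type Object field, so validators will reject it or silently ignore it. It should be nested under `schema:`, i.e. `text/plain:` / `  schema:` / `    type: string`. The same shape appears in `security.tenant_info@403` (hunk @@ -1706).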
@@ -1380,18 +1484,11 @@ components: security.generate_user_token@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' - security.generate_user_token_legacy@200: - content: - application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Ok' - security.generate_user_token_legacy@400: + schema: null + security.generate_user_token_legacy@501: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.get_account_details@200: content: application/json: @@ -1412,6 +1509,10 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/AllowListConfig' + security.get_allowlist@403: + content: + application/json: + schema: null security.get_audit_configuration@200: content: application/json: 
@@ -1422,16 +1523,47 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificates' + security.get_all_certificates@200: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificatesNew' + security.get_all_certificates@403: + content: + application/json: + schema: null + security.get_all_certificates@500: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/InternalServerError' + security.get_node_certificates@200: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificatesNew' + security.get_node_certificates@403: + content: + application/json: + schema: null security.get_certificates@400: + content: + application/json: + schema: null + security.get_certificates@403: + content: + application/json: + schema: null + security.get_node_certificates@500: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + $ref: '../schemas/security._common.yaml#/components/schemas/InternalServerError' security.get_configuration@200: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/DynamicConfig' + $ref: '../schemas/security._common.yaml#/components/schemas/SecurityConfig' security.get_dashboards_info@200: content: application/json: 
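Review bot: The new `security.get_certificates@400` and `security.get_certificates@403` entries are inserted between `security.get_node_certificates@403` and `security.get_node_certificates@500`, breaking the alphabetical ordering the rest of the `responses` section follows and splitting the `get_node_certificates` group in two. Moving the `get_node_certificates@*` block after the `get_certificates@*` entries keeps the section greppable. The schema name `GetCertificatesNew` will also age badly once the older `/ssl/certs` variant is removed; a name describing the shape would be more durable, but that rename belongs in `security._common.yaml`, which this chunk shows only in part.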
@@ -1448,21 +1580,28 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/DistinguishedNames' + security.get_distinguished_name@400: + content: + application/json: + schema: null security.get_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + schema: null security.get_distinguished_names@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/DistinguishedNamesMap' + security.get_distinguished_names@400: + description: Show nodesDn setting for given cluster. + content: + application/json: + schema: null security.get_distinguished_names@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + schema: null security.get_permissions_info@200: content: application/json: @@ -1516,8 +1655,7 @@ components: security.get_tenancy_config@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.get_tenants@200: content: application/json: @@ -1526,8 +1664,7 @@ components: security.get_tenants@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.get_user@200: content: application/json: @@ -1561,8 +1698,7 @@ components: security.migrate@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.patch_action_group@200: content: application/json: @@ -1578,6 +1714,10 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/AllowListConfig' + security.patch_allowlist@403: + content: + application/json: + schema: null security.patch_audit_configuration@200: content: application/json: 
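Review bot: `security.get_distinguished_names@400` carries `description: Show nodesDn setting for given cluster.`, which describes the operation rather than the 400 condition, and it is the only response in the file with a description at all. Either drop it for consistency with the neighbouring entries or replace it with the error condition, e.g. `description: The request could not be processed.` — I cannot see from the spec why this operation returns 400, so please state the real cause.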
@@ -1588,26 +1728,36 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.patch_configuration@403: + content: + application/json: + schema: null security.patch_distinguished_name@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.patch_distinguished_name@400: + content: + application/json: + schema: null security.patch_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + schema: null security.patch_distinguished_names@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.patch_distinguished_names@400: + content: + application/json: + schema: null security.patch_distinguished_names@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + schema: null security.patch_role@200: content: application/json: @@ -1616,8 +1766,7 @@ components: security.patch_role@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.patch_role_mapping@200: content: application/json: @@ -1626,8 +1775,7 @@ components: security.patch_role_mapping@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.patch_role_mappings@200: content: application/json: @@ -1636,8 +1784,7 @@ components: security.patch_role_mappings@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.patch_roles@200: content: application/json: 
@@ -1646,8 +1793,7 @@ components: security.patch_roles@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.patch_tenant@200: content: application/json: @@ -1656,8 +1802,7 @@ components: security.patch_tenant@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.patch_tenants@200: content: application/json: @@ -1666,8 +1811,7 @@ components: security.patch_tenants@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.patch_user@200: content: application/json: @@ -1696,8 +1840,11 @@ components: security.reload_http_certificates@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + security.reload_http_certificates@403: + content: + application/json: + schema: null security.reload_transport_certificates@200: content: application/json: @@ -1706,13 +1853,22 @@ components: security.reload_transport_certificates@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + security.reload_transport_certificates@403: + content: + application/json: + schema: null security.tenant_info@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/TenantInfo' + security.tenant_info@403: + content: + text/plain: + type: string + application/json: + schema: null security.tenant_info@500: content: application/json: 
@@ -1728,16 +1884,23 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.update_configuration@403: + content: + application/json: + schema: null security.update_distinguished_name@200: content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.update_distinguished_name@400: + content: + application/json: + schema: null security.update_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + schema: null security.validate@200: content: application/json: @@ -1746,8 +1909,7 @@ components: security.validate@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null security.who_am_i@200: content: application/json: 
@@ -1789,117 +1951,165 @@ components: description: The name of the action group to create or replace. schema: type: string - description: The name of the action group to create or replace. required: true security.create_role::path.role: name: role in: path + description: The name of the role to be created. schema: type: string required: true security.create_role_mapping::path.role: name: role in: path + description: The name of the role to create a role mapping for. schema: type: string required: true security.create_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to be created. schema: type: string required: true security.create_user::path.username: name: username in: path + description: The name of the user to be created. schema: type: string required: true security.create_user_legacy::path.username: name: username in: path + description: The name of the user to be created. schema: type: string required: true security.delete_action_group::path.action_group: name: action_group in: path - description: Action group to delete. + description: The name of the action group to delete. schema: type: string - description: Action group to delete. required: true security.delete_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to delete from list of distinguished names. schema: type: string required: true security.delete_role::path.role: name: role in: path + description: The name of the role to delete. schema: type: string required: true security.delete_role_mapping::path.role: name: role in: path + description: The name of the role whose mapping needs to delete. schema: type: string required: true security.delete_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to delete. schema: type: string required: true security.delete_user::path.username: name: username in: path + description: The name of the user to delete. 
schema: type: string required: true security.delete_user_legacy::path.username: name: username in: path + description: The name of the user to delete. schema: type: string required: true security.generate_user_token::path.username: name: username in: path + description: The name of the user for whom an auth token is to be vended. schema: type: string required: true security.generate_user_token_legacy::path.username: name: username in: path + description: The name of the user for whom an auth token is to be vended. schema: type: string required: true security.get_action_group::path.action_group: name: action_group in: path - description: Action group to retrieve. + description: The name of the action group to retrieve. schema: type: string - description: Action group to retrieve. required: true + security.get_node_certificates::path.node_id: + name: node_id + in: path + description: The full-id of the node to retrieve certificates. + schema: + type: string + required: true + security.get_all_certificates::query.cert_type: + name: cert_type + in: query + description: The type of certificates (HTTP, TRANSPORT, ALL) to retrieve from all nodes. + schema: + type: string + required: false + security.get_node_certificates::query.cert_type: + name: cert_type + in: query + description: The type of certificates (HTTP, TRANSPORT, ALL) to retrieve for a node. + schema: + type: string + required: false + security.get_all_certificates::query.timeout: + name: timeout + in: query + description: The maximum duration, in seconds, to be spent to retrieve certificates from all nodes. + schema: + $ref: '../schemas/_common.yaml#/components/schemas/Duration' + required: false + security.get_node_certificates::query.timeout: + name: timeout + in: query + description: The maximum duration, in seconds, to be spent to retrieve a node's certificates. 
+ schema: + $ref: '../schemas/_common.yaml#/components/schemas/Duration' + required: false security.get_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to retrieve nodes DN setting for. schema: type: string required: true security.get_distinguished_name::query.show_all: name: show_all in: query + description: A boolean flag to include/exclude static nodes DN from final result. schema: type: boolean required: false security.get_distinguished_names::query.show_all: name: show_all in: query + description: A boolean flag to include/exclude static nodes DN from final result. schema: type: boolean required: false 
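Review bot: `security.get_all_certificates::query.cert_type` and `security.get_node_certificates::query.cert_type` document a closed set of values in prose, `(HTTP, TRANSPORT, ALL)`, but type the parameter as a bare `string`; an `enum: [HTTP, TRANSPORT, ALL]` under `schema` makes the set machine-checkable so generated clients reject other values before they reach the server. The same applies to `security.health::query.mode`, whose new description names `strict` (hunk @@ -1918). The two `timeout` parameters say `in seconds` while referencing `Duration`, which the CHANGELOG in this commit describes as allowing non-integers — if the server accepts unit suffixes the `in seconds` wording is misleading; please check. Minor: `The name of the role whose mapping needs to delete.` should read `The name of the role whose mapping is to be deleted.`.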
@@ -1918,80 +2128,91 @@ components: security.get_sslinfo::query.show_dn: name: show_dn in: query - description: The domain names from all certificates. + description: A boolean flag to indicate whether all domain names should be returned. schema: - type: string - description: A boolean flag to indicate whether all domain names should be returned. + type: [boolean, string] required: false security.get_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to retrieve. schema: type: string required: true security.get_user::path.username: name: username in: path + description: The name of the user to retrieve. schema: type: string required: true security.get_user_legacy::path.username: name: username in: path + description: The name of the user to retrieve. schema: type: string required: true security.health::query.mode: name: mode in: query + description: A flag to indicate whether service should consider security-plugin's status before returning health response. `strict` mode indicates service should check security plugin status. schema: type: string required: false security.patch_action_group::path.action_group: name: action_group in: path + description: The name of the action group to update. schema: type: string required: true security.patch_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to update nodesDn value. schema: type: string required: true security.patch_role::path.role: name: role in: path + description: The name of the role to update. schema: type: string required: true security.patch_role_mapping::path.role: name: role in: path + description: The name of the role to update role-mapping for. schema: type: string required: true security.patch_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to update. schema: type: string required: true security.patch_user::path.username: name: username in: path + description: The name of the user to update. 
schema: type: string required: true security.update_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to create/update nodesDn value for. schema: type: string required: true security.validate::query.accept_invalid: name: accept_invalid in: query + description: A boolean flag to indicate whether invalid v6 configuration should be allowed. schema: type: boolean required: false diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 2fcce2ec2..36c976cb0 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -18,7 +18,7 @@ components: is_internal_user: type: boolean user_requested_tenant: - type: string + type: ['null', string] backend_roles: type: array items: @@ -58,12 +58,6 @@ components: $ref: '#/components/schemas/ActionGroup' AllowListConfig: - type: object - properties: - config: - $ref: '#/components/schemas/AllowConfig' - - AllowConfig: type: object properties: enabled: @@ -103,6 +97,14 @@ components: type: array items: type: string + ignore_headers: + type: array + items: + type: string + ignore_url_params: + type: array + items: + type: string disabled_rest_categories: type: array items: 
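Review bot: `security.get_sslinfo::query.show_dn` is widened to `type: [boolean, string]`, but nothing says which string values the plugin accepts, so a generated client will happily send `show_dn=maybe`. If the string branch exists only because `"true"`/`"false"` arrive as text, say so in the description, e.g. `description: A boolean flag to indicate whether all domain names should be returned; the strings 'true' and 'false' are accepted as well.`; otherwise keep `type: boolean`. The same applies to `security.health::query.mode`, whose description names `strict` as a meaningful value while the schema is a free-form string — an `enum` or a list of accepted values in the description would help.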
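Review bot: Collapsing `AllowListConfig` onto the former `AllowConfig` body removes the `config` wrapper from the schema, yet the new allowlist story in this commit (tests/default/security/api/allowlist.yaml) still patches `path: /config/requests`, which suggests the GET response does carry a `config` level. Please confirm against a real response which shape GET returns and which shape PUT accepts; if they differ, keep two schemas rather than one. If `AllowConfig` is still `$ref`'d anywhere else in this file, that reference is now dangling.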
@@ -134,31 +136,37 @@ components: type: string description: User's name. user_requested_tenant: - type: string + type: ['null', string] description: Name of the tenant the user wants to switch to. remote_address: - type: string + type: ['null', string] description: The IP address of remote user. backend_roles: type: array description: Backend roles associated with the user. + items: + type: string custom_attribute_names: type: array description: Name of the attributes associated with the user. + items: + type: string roles: type: array description: Roles associated with the user. + items: + type: string tenants: type: object description: Tenants the user has access to with read-write or read-only access indicator. principal: - type: string + type: ['null', string] description: User principal. peer_certificates: - type: number + type: [number, string] description: Number of peer certificates. sso_logout_url: - type: string + type: ['null', string] description: Logout url. size_of_user: type: string @@ -170,16 +178,18 @@ components: type: string description: Size of backend roles in bytes. - BadRequest: + CertificateCountPerNode: type: object properties: - status: - type: string - enum: - - 400 - message: - type: string - description: Message returned as part of BAD_REQUEST response. + total: + type: number + description: Total number of nodes. + successful: + type: number + description: Number of nodes for which certificates could be fetched. + failed: + type: number + description: Number of nodes for which certificates could not be fetched. CertificatesDetail: type: object 
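Review bot: `peer_certificates` becomes `type: [number, string]` while its description still reads `Number of peer certificates.`, so a consumer cannot tell when, or why, a string is returned. Document the string case in the description (presumably a placeholder or error text rather than a count — confirm), or, if it only ever holds a numeric string, keep `number` and fix the producer. The same union appears on `SSLInfo.peer_certificates` later in this file and should get the same wording.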
@@ -194,7 +204,34 @@ components: type: string not_after: type: string + + CertificatesPerNode: + type: object + properties: + name: + type: string + description: Name of the node. + certificates: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificateTypes' + CertificateTypes: + type: object + properties: + http: + type: array + items: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificatesDetail' + transport: + type: array + items: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificatesDetail' + GetCertificates: type: object properties: @@ -206,6 +243,22 @@ components: type: array items: $ref: '#/components/schemas/CertificatesDetail' + + GetCertificatesNew: + type: object + properties: + _nodes: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificateCountPerNode' + cluster_name: + type: string + description: Name of this cluster. + nodes: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificatesPerNode' + ChangePasswordRequestContent: type: object @@ -255,6 +308,8 @@ components: config: type: array description: List of configs to be upgraded. + items: + type: string CreateTenantParams: type: object @@ -292,6 +347,8 @@ components: sign_in_options: type: array description: List of available sign-in options available. + items: + type: string password_validation_error_message: type: string description: Error message when password validation fails. 
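Review bot: `GetCertificatesNew` names the schema after its age rather than its shape, which will read oddly once it is the only variant; a name describing the payload (a `_nodes`/`nodes` keyed, per-node response) would be clearer, and a one-line `description` like the one on `cluster_name` is missing on the schema itself. `CertificatesPerNode.certificates` maps arbitrary keys to `CertificateTypes`; if the keys are in fact fixed, a `properties` block would validate more tightly than `additionalProperties`.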
@@ -321,27 +378,36 @@ components: DynamicOptions: type: object properties: - filteredAliasMode: + filtered_alias_mode: type: string - disableRestAuth: + disable_rest_auth: type: boolean - disableIntertransportAuth: + disable_intertransport_auth: type: boolean - respectRequestIndicesOptions: + respect_request_indices_options: type: boolean - kibana: {} - http: {} - authc: {} - authz: {} - authFailureListeners: {} - doNotFailOnForbidden: + opensearch-dashboards: + type: object + kibana: + type: object + http: + type: object + authc: + type: object + authz: + type: object + auth_failure_listeners: + type: object + do_not_fail_on_forbidden: type: boolean - multiRolespanEnabled: + multi_rolespan_enabled: type: boolean - hostsResolverMode: + hosts_resolver_mode: type: string - doNotFailOnForbiddenEmpty: + do_not_fail_on_forbidden_empty: type: boolean + on_behalf_of: + type: object GenerateOBOToken: type: object @@ -360,7 +426,7 @@ components: type: object properties: message: - type: string + type: ['null', string] mode: type: string status: @@ -395,17 +461,6 @@ components: type: string description: Error message during request execution. - MethodNotImplemented: - type: object - properties: - status: - type: string - enum: - - 501 - message: - type: string - description: Message returned as part of NOT_IMPLEMENTED response. - MultiTenancyConfig: type: object properties: @@ -419,7 +474,6 @@ components: type: array items: type: string - description: Value in seconds. OBOToken: type: object @@ -440,12 +494,19 @@ components: type: object properties: status: - type: string - enum: - - 200 + type: [number, string] message: type: string description: Message returned as part of OK response. + + Created: + type: object + properties: + status: + type: [number, string] + message: + type: string + description: Message returned as part of CREATED response. PatchOperation: type: object 
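Review bot: The renamed keys fix the casing, but `kibana`, `http`, `authc`, `authz`, `auth_failure_listeners` and the new `on_behalf_of` are bare `type: object` with no properties or description, so the schema accepts any content for the security-critical authentication and authorization blocks. At minimum give each a `description` stating it is the plugin's free-form sub-configuration; the securityconfig/config story in this commit shows real keys (`basic_internal_auth_domain`, `http_enabled`, `transport_enabled`, `order`) that could seed proper properties. `opensearch-dashboards` is kebab-case among snake_case siblings; if that is the on-the-wire key, a short comment would stop someone "fixing" it later.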
@@ -534,22 +595,32 @@ components: type: object additionalProperties: $ref: '#/components/schemas/Role' + + SecurityConfig: + type: object + properties: + config: + $ref: '#/components/schemas/DynamicConfig' SSLInfo: type: object properties: principal: - type: string + type: ['null', string] description: User principal. peer_certificates: - type: number + type: [number, string] description: Number of certificates. peer_certificates_list: - type: array + type: [array,'null'] description: List of domain names from peer certificates. + items: + type: string local_certificates_list: type: array description: List of domain names from local certificates. + items: + type: string ssl_protocol: type: string description: Protocol for this ssl setup. @@ -560,13 +631,13 @@ components: type: boolean description: A boolean to indicate if OpenSSL is available. ssl_openssl_version: - type: string + type: [number, string] description: Version of openssl. ssl_openssl_version_string: - type: string + type: ['null', string] description: Full version string for openssl version. ssl_openssl_non_available_cause: - type: string + type: ['null', string] description: Reason for openssl unavailability. ssl_openssl_supports_key_manager_factory: type: boolean @@ -583,6 +654,20 @@ components: ssl_provider_transport_client: type: string description: Returns transport client's name. + required: + - peer_certificates + - principal + - ssl_cipher + - ssl_openssl_available + - ssl_openssl_non_available_cause + - ssl_openssl_supports_hostname_validation + - ssl_openssl_supports_key_manager_factory + - ssl_openssl_version + - ssl_openssl_version_string + - ssl_protocol + - ssl_provider_http + - ssl_provider_transport_client + - ssl_provider_transport_server Tenant: type: object 
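Review bot: `peer_certificates_list: type: [array,'null']` is written differently from every other nullable union in this file (`['null', string]`, `[number, string]`): no space after the comma and `'null'` placed second. Use `type: ['null', array]` for consistency. In the new `required` list, `ssl_openssl_non_available_cause` and `ssl_openssl_version_string` are required but nullable, which is fine if the server always emits the key (possibly as null) — a short comment saying so would keep someone from dropping them from `required` later.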
@@ -613,17 +698,6 @@ components: additionalProperties: $ref: '#/components/schemas/Tenant' - Unauthorized: - type: object - properties: - status: - type: string - enum: - - 403 - message: - type: string - description: Message returned as part of FORBIDDEN response. - UpgradeCheck: type: object properties: @@ -645,6 +719,8 @@ components: User: type: object properties: + password: + type: string hash: type: string reserved: @@ -690,11 +766,11 @@ components: type: object properties: dn: - type: string + type: ['null', string] is_admin: - type: string + type: boolean is_node_certificate_request: - type: string + type: boolean TenantInfo: type: object diff --git a/tests/default/security/api/_upgrade_check.yaml b/tests/default/security/api/_upgrade_check.yaml new file mode 100644 index 000000000..60d553753 --- /dev/null +++ b/tests/default/security/api/_upgrade_check.yaml @@ -0,0 +1,11 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test _upgrade_check endpoint. +version: '> 2.13' + +chapters: + - synopsis: Check whether an upgrade can be performed. + path: /_plugins/_security/api/_upgrade_check + method: GET + response: + status: 200 diff --git a/tests/default/security/api/_upgrade_perform.yaml b/tests/default/security/api/_upgrade_perform.yaml new file mode 100644 index 000000000..643f7896f --- /dev/null +++ b/tests/default/security/api/_upgrade_perform.yaml @@ -0,0 +1,14 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test _upgrade_perform endpoint. +version: '> 2.13' + +chapters: + - synopsis: Perform the upgrade. + path: /_plugins/_security/api/_upgrade_perform + method: POST + request: + payload: + config: [roles] + response: + status: 400 # Unable to upgrade, no differences found in 'roles' config. diff --git a/tests/default/security/api/account.yaml b/tests/default/security/api/account.yaml new file mode 100644 index 000000000..2fc10499f --- /dev/null +++ b/tests/default/security/api/account.yaml 
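Review bot: `User.password` is added to the same `User` schema that describes stored users (it sits next to `hash`), so any response that references `User` now documents a `password` field being returned. If `User` is used for GET responses, mark the field `writeOnly: true` and add `description: Plaintext password; accepted on create or update only and never returned.` so generated clients and documentation readers do not expect the server to echo it. If responses use a separate schema, a comment stating that would be enough.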
@@ -0,0 +1,21 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test account endpoint. + +chapters: + - synopsis: Get account details. + path: /_plugins/_security/api/account + method: GET + response: + status: 200 + # TODO: following test can be changed to interact with test user, to be created in prologues, once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented + # NOTE: this test should be updated to change test user's password created in epilogue. Until then this will be 403 since admin is a reserved user. + - synopsis: Change password. + path: /_plugins/_security/api/account + method: PUT + request: + payload: + current_password: myStrongPassword123! + password: myWeakPassword123! + response: + status: 403 diff --git a/tests/default/security/api/actiongroups.yaml b/tests/default/security/api/actiongroups.yaml new file mode 100644 index 000000000..0321d9022 --- /dev/null +++ b/tests/default/security/api/actiongroups.yaml 
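Review bot: `current_password: myStrongPassword123!` hard-codes what looks like the test cluster's admin password into a committed fixture, and the chapter only passes because `admin` is a reserved user (403). If the runner exposes the configured password (an environment variable or story variable), reference that instead of the literal; if it does not, add a comment stating that the value must match the cluster's bootstrap admin password so a runner with a different password does not get a 401 instead of the expected 403. The existing TODO/NOTE lines already describe the intended redesign; fold the credential caveat into them.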
@@ -0,0 +1,59 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test actiongroups endpoints. + +chapters: + - synopsis: Create action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: PUT + parameters: + action_group: test + request: + payload: + allowed_actions: [] + type: index + description: Test action group + response: + status: 201 + - synopsis: Get action groups bulk. + path: /_plugins/_security/api/actiongroups + method: GET + response: + status: 200 + - synopsis: Patch action groups bulk. + path: /_plugins/_security/api/actiongroups + method: PATCH + request: + payload: + - op: add + path: /test + value: + allowed_actions: ['indices:admin/create', 'indices:admin/mapping/put'] + response: + status: 200 + - synopsis: Get action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: GET + parameters: + action_group: test + response: + status: 200 + - synopsis: Patch action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: PATCH + parameters: + action_group: test + request: + payload: + - op: replace + path: /allowed_actions + value: ['indices:admin/create', 'indices:admin/mapping/get'] + response: + status: 200 + - synopsis: Delete action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: DELETE + parameters: + action_group: test + response: + status: 200 diff --git a/tests/default/security/api/allowlist.yaml b/tests/default/security/api/allowlist.yaml new file mode 100644 index 000000000..6808131d8 --- /dev/null +++ b/tests/default/security/api/allowlist.yaml 
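Review bot: The story creates the `test` action group in its first chapter and only removes it in the last, so a failure in any middle chapter leaves `test` behind and can affect other stories that use the same name; roles.yaml, tenants.yaml, user.yaml and internalusers.yaml follow the same pattern. Consider moving the create into `prologues` and the delete into `epilogues`, as rolesmapping.yaml already does for its helper role, so cleanup runs regardless of chapter outcome. Alternatively use a per-story name such as `test_action_group` so leftovers cannot collide.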
@@ -0,0 +1,31 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test allowlist endpoints. +version: '> 2.0' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Create an allowlist. + path: /_plugins/_security/api/allowlist + method: PUT + request: + payload: + enabled: true + requests: + /_cat/nodes: [GET] + response: + status: 403 + - synopsis: Get an allowlist. + path: /_plugins/_security/api/allowlist + method: GET + response: + status: 403 + - synopsis: Patch an allowlist. + path: /_plugins/_security/api/allowlist + method: PATCH + request: + payload: + - op: remove + path: /config/requests + response: + status: 403 diff --git a/tests/default/security/api/audit.yaml b/tests/default/security/api/audit.yaml new file mode 100644 index 000000000..7c004b24b --- /dev/null +++ b/tests/default/security/api/audit.yaml @@ -0,0 +1,20 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test audit endpoints. + +chapters: + - synopsis: Get an audit config. + path: /_plugins/_security/api/audit + method: GET + response: + status: 200 + - synopsis: Patch an audit config. + path: /_plugins/_security/api/audit + method: PATCH + request: + payload: + - op: add + path: /config/enabled + value: true + response: + status: 200 diff --git a/tests/default/security/api/audit/config.yaml b/tests/default/security/api/audit/config.yaml new file mode 100644 index 000000000..97335168c --- /dev/null +++ b/tests/default/security/api/audit/config.yaml 
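Review bot: The `Patch an audit config` chapter sets `/config/enabled` to true and nothing restores the previous value, so the story leaves cluster-wide audit logging in a changed state for every test that runs afterwards; audit/config.yaml (a full PUT that disables transport auditing and the AUTHENTICATED and GRANTED_PRIVILEGES categories) and tenancy/config.yaml (which changes `default_tenant` and disables private tenants) have the same issue. Add an `epilogues` entry that restores the original configuration, or at least a comment such as `# NOTE: mutates persistent cluster security settings; run only against a disposable cluster.` A GET chapter before the PATCH whose body is captured via `output` could feed the restore.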
@@ -0,0 +1,39 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test audit/config endpoint. + +chapters: + - synopsis: Create an audit config. + path: /_plugins/_security/api/audit/config + method: PUT + request: + payload: + enabled: true + audit: + ignore_users: [] + ignore_requests: [] + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + log_request_body: false + resolve_indices: false + resolve_bulk_requests: false + exclude_sensitive_headers: true + enable_transport: false + enable_rest: true + compliance: + enabled: true + write_log_diffs: false + read_watched_fields: {} + read_ignore_users: [] + write_watched_indices: [] + write_ignore_users: [] + read_metadata_only: true + write_metadata_only: true + external_config: false + internal_config: true + response: + status: 200 diff --git a/tests/default/security/api/authtoken.yaml b/tests/default/security/api/authtoken.yaml new file mode 100644 index 000000000..4da5718b2 --- /dev/null +++ b/tests/default/security/api/authtoken.yaml @@ -0,0 +1,10 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoint. + +chapters: + - synopsis: Create an auth token. + path: /_plugins/_security/api/authtoken + method: POST + response: + status: 200 diff --git a/tests/default/security/api/cache.yaml b/tests/default/security/api/cache.yaml new file mode 100644 index 000000000..d1f1d6d26 --- /dev/null +++ b/tests/default/security/api/cache.yaml 
@@ -0,0 +1,25 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test cache endpoint. + +chapters: + - synopsis: Get cache. + path: /_plugins/_security/api/cache + method: GET + response: + status: 501 + - synopsis: Create cache. + path: /_plugins/_security/api/cache + method: POST + response: + status: 501 + - synopsis: Update cache. + path: /_plugins/_security/api/cache + method: PUT + response: + status: 501 + - synopsis: Flush cache. + path: /_plugins/_security/api/cache + method: DELETE + response: + status: 200 diff --git a/tests/default/security/api/certificates.yaml b/tests/default/security/api/certificates.yaml new file mode 100644 index 000000000..f4f23e817 --- /dev/null +++ b/tests/default/security/api/certificates.yaml @@ -0,0 +1,35 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test certificates endpoints. +version: '> 2.14' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Get node. + id: get_node + path: /_cat/nodes + method: GET + parameters: + h: + - id + full_id: true + response: + status: 200 + content_type: text/plain + output: + node_id: payload + - synopsis: Get all certificates. + path: /_plugins/_security/api/certificates + method: GET + parameters: + cert_type: all + response: + status: 403 + - synopsis: Get node certificates. + path: /_plugins/_security/api/certificates/{node_id} + method: GET + parameters: + node_id: ${get_node.node_id} + cert_type: all + response: + status: 403 diff --git a/tests/default/security/api/generateonbehalfoftoken.yaml b/tests/default/security/api/generateonbehalfoftoken.yaml new file mode 100644 index 000000000..41b5f1453 --- /dev/null +++ b/tests/default/security/api/generateonbehalfoftoken.yaml 
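Review bot: The GET, POST and PUT chapters expect `status: 501`, but this commit removes the `MethodNotImplemented` schema from spec/schemas/security._common.yaml; unless the cache operations' 501 responses in security.yaml were re-pointed at another schema, the runner will either not find a declared 501 response or validate it against nothing. Please confirm the 501 responses are still declared for the cache operations, and add a comment on the first chapter, e.g. `# Only DELETE (flush) is implemented; the other verbs return 501.`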
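Review bot: Both certificate chapters pass `cert_type: all` while the parameter descriptions added in spec/namespaces/security.yaml spell the values `HTTP, TRANSPORT, ALL`; because the expected status is 403 (admin-cert only), the story cannot tell whether lower-case is accepted. Either use the documented casing or, if the plugin is case-insensitive, say so in the parameter description. The `node_id` output is taken from a `text/plain` `_cat/nodes` body, which may carry a trailing newline — confirm the runner trims `payload` before it is substituted into the path.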
@@ -0,0 +1,18 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test generateonbehalfoftoken endpoint. +version: '> 2.11' + +chapters: + - synopsis: Create an On-Behalf-Of token. + # Feature is disabled by default. https://opensearch.org/docs/latest/security/access-control/authentication-tokens/#configuration + path: /_plugins/_security/api/generateonbehalfoftoken + method: POST + request: + payload: + description: Auth token for admin + service: '' + duration: '60' + response: + content_type: text/plain + status: 400 diff --git a/tests/default/security/api/internalusers.yaml b/tests/default/security/api/internalusers.yaml new file mode 100644 index 000000000..784db4fcd --- /dev/null +++ b/tests/default/security/api/internalusers.yaml 
@@ -0,0 +1,60 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test internalusers endpoints. + +chapters: + - synopsis: Get internal users bulk. + path: /_plugins/_security/api/internalusers + method: GET + response: + status: 200 + - synopsis: Patch internal users bulk. + path: /_plugins/_security/api/internalusers + method: PATCH + request: + payload: + - op: add + path: /test + value: + backend_roles: [admin] + response: + status: 200 + - synopsis: Create internal user. + path: /_plugins/_security/api/internalusers/{username} + method: PUT + parameters: + username: test + request: + payload: + password: myWeakPassword123! + opendistro_security_roles: [] + backend_roles: [] + attributes: {} + response: + status: 200 + - synopsis: Get internal user. + path: /_plugins/_security/api/internalusers/{username} + method: GET + parameters: + username: test + response: + status: 200 + - synopsis: Patch internal user. + path: /_plugins/_security/api/internalusers/{username} + method: PATCH + parameters: + username: test + request: + payload: + - op: add + path: /opendistro_security_roles + value: [all_access] + response: + status: 200 + - synopsis: Delete internal user. + path: /_plugins/_security/api/internalusers/{username} + method: DELETE + parameters: + username: test + response: + status: 200 diff --git a/tests/default/security/api/internalusers.yml/authtoken.yml b/tests/default/security/api/internalusers.yml/authtoken.yml new file mode 100644 index 000000000..2cfb3c6a1 --- /dev/null +++ b/tests/default/security/api/internalusers.yml/authtoken.yml 
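Review bot: The bulk PATCH creates user `test` with `backend_roles: [admin]` before any password is set, and a later chapter adds the `all_access` role directly; if any chapter between that PATCH and the final DELETE fails, a highly privileged account is left on the cluster (the `admin` backend role is presumably mapped to `all_access` in the default configuration — confirm). A less privileged backend role would exercise the same API surface, and the create/delete pair belongs in `prologues`/`epilogues`. A comment on the PATCH chapter should state the privilege it grants.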
@@ -0,0 +1,35 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test internalusers/authtoken endpoint. +version: '> 2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 + +prologues: + - path: /_plugins/_security/api/internalusers/{username} + method: PUT + parameters: + username: test + request: + payload: + opendistro_security_roles: [] + backend_roles: [] + attributes: + service: true + enabled: true + status: [201] + +chapters: + # Auth-tokens can only be vended for service accounts. + - synopsis: Create internal user token. + path: /_plugins/_security/api/internalusers/{username}/authtoken + method: POST + parameters: + username: test + response: + status: 200 + +epilogues: + - path: /_plugins/_security/api/internalusers/{username} + method: DELETE + parameters: + username: test + status: [200] diff --git a/tests/default/security/api/migrate.yaml b/tests/default/security/api/migrate.yaml new file mode 100644 index 000000000..3cf053554 --- /dev/null +++ b/tests/default/security/api/migrate.yaml @@ -0,0 +1,11 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test migrate endpoint. + +# BAD_REQUEST. Can not migrate configuration because it was already migrated. +chapters: + - synopsis: Migrate v6 to v7 config. + path: /_plugins/_security/api/migrate + method: POST + response: + status: 400 diff --git a/tests/default/security/api/nodesdn.yaml b/tests/default/security/api/nodesdn.yaml new file mode 100644 index 000000000..0cfcd1b43 --- /dev/null +++ b/tests/default/security/api/nodesdn.yaml 
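Review bot: This file lives at `tests/default/security/api/internalusers.yml/authtoken.yml` — a directory named with a `.yml` suffix and a `.yml` file — while its twin is `tests/default/security/api/user/authtoken.yaml` and every other story in this commit uses `.yaml`; `tests/default/security/api/ssl/certs.yml` has the same extension mismatch. Rename to `internalusers/authtoken.yaml` and `ssl/certs.yaml` so directory globs and the `.yaml` convention stay uniform. The service-account prologue/epilogue pattern used here is the one the other stories should adopt.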
@@ -0,0 +1,61 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test nodesdn endpoints. + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +# The setting `plugins. security. nodes_dn_dynamic_config_enabled` must be enabled. +chapters: + - synopsis: Get distinguished names. + path: /_plugins/_security/api/nodesdn + method: GET + parameters: + show_all: true + response: + status: 400 + - synopsis: Patch distinguished names. + path: /_plugins/_security/api/nodesdn + method: PATCH + request: + payload: + - op: replace + path: /cluster1/nodes_dn/0 + value: [''] + response: + status: 400 + - synopsis: Create distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: PUT + parameters: + cluster_name: test + request: + payload: + nodes_dn: + - CN=cluster3.example.com + response: + status: 400 + - synopsis: Get distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: GET + parameters: + cluster_name: test + response: + status: 400 + - synopsis: Patch distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: PATCH + parameters: + cluster_name: test + request: + payload: + op: replace + path: /test/nodes_dn/0 + value: [CN=cluster2.example.com] + response: + status: 400 + - synopsis: Delete distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: DELETE + parameters: + cluster_name: test + response: + status: 400 diff --git a/tests/default/security/api/permissionsinfo.yaml b/tests/default/security/api/permissionsinfo.yaml new file mode 100644 index 000000000..59e1f9062 --- /dev/null +++ b/tests/default/security/api/permissionsinfo.yaml 
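Review bot: The header comment names the setting as `plugins. security. nodes_dn_dynamic_config_enabled`, with spaces inside the dotted path, so a search for the real setting will not find it; change it to `# The setting \`plugins.security.nodes_dn_dynamic_config_enabled\` must be enabled; with it disabled every chapter returns 400.` The `Patch distinguished name` chapter sends a bare mapping (`op: replace` directly under `payload`) where every other PATCH chapter sends a list of operations; since the expected status is 400 either way the test would not notice a malformed body, so align it with the list form.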
@@ -0,0 +1,10 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test permissionsinfo endpoint. + +chapters: + - synopsis: Get evaluated permissions for currently logged in user. + path: /_plugins/_security/api/permissionsinfo + method: GET + response: + status: 200 diff --git a/tests/default/security/api/roles.yaml b/tests/default/security/api/roles.yaml new file mode 100644 index 000000000..a79ef6312 --- /dev/null +++ b/tests/default/security/api/roles.yaml @@ -0,0 +1,75 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test roles endpoints. + +chapters: + - synopsis: Create role. + path: /_plugins/_security/api/roles/{role} + method: PUT + parameters: + role: test + request: + payload: + cluster_permissions: + - cluster_composite_ops + - indices_monitor + index_permissions: + - index_patterns: + - 'movies*' + dls: '' + fls: [] + masked_fields: [] + allowed_actions: + - read + tenant_permissions: + - tenant_patterns: + - human_resources + allowed_actions: + - kibana_all_read + response: + status: 201 + - synopsis: Get roles bulk. + path: /_plugins/_security/api/roles + method: GET + response: + status: 200 + - synopsis: Patch roles bulk. + path: /_plugins/_security/api/roles + method: PATCH + request: + payload: + - op: add + path: /test/index_permissions/0/fls + value: + - 'random*' + - ~random1 + response: + status: 200 + - synopsis: Get role. + path: /_plugins/_security/api/roles/{role} + method: GET + parameters: + role: test + response: + status: 200 + - synopsis: Patch role. + path: /_plugins/_security/api/roles/{role} + method: PATCH + parameters: + role: test + request: + payload: + - op: add + path: /index_permissions/0/fls + value: + - 'random*' + - ~random1 + response: + status: 200 + - synopsis: Delete role. + path: /_plugins/_security/api/roles/{role} + method: DELETE + parameters: + role: test + response: + status: 200 
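Review bot: `- ~random1` is an unquoted plain scalar starting with `~`; it parses as the string `~random1` today, but `~` alone is YAML null and the value reads as if it might be one. Quote it as `'~random1'` to match the neighbouring `'random*'`, in both the bulk and single-role PATCH chapters. The role is created in the first chapter and deleted in the last without prologue/epilogue, same remark as for actiongroups.yaml.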
diff --git a/tests/default/security/api/rolesmapping.yaml b/tests/default/security/api/rolesmapping.yaml new file mode 100644 index 000000000..8fed57e18 --- /dev/null +++ b/tests/default/security/api/rolesmapping.yaml @@ -0,0 +1,77 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test rolesmapping endpoint. + +prologues: + - path: /_plugins/_security/api/roles/{role} + method: PUT + parameters: + role: test + request: + payload: + cluster_permissions: + - cluster_composite_ops + status: [201] +chapters: + - synopsis: Get rolesmapping bulk. + path: /_plugins/_security/api/rolesmapping + method: GET + response: + status: 200 + - synopsis: Patch rolesmapping bulk. + path: /_plugins/_security/api/rolesmapping + method: PATCH + request: + payload: + - op: add + path: /all_access + value: + users: [test] + backend_roles: [admin] + response: + status: 200 + - synopsis: Create rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: PUT + parameters: + role: test + request: + payload: + backend_roles: [captains] + hosts: + - '*.example.com' + users: [test] + response: + status: 201 + - synopsis: Get rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: GET + parameters: + role: test + response: + status: 200 + - synopsis: Patch rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: PATCH + parameters: + role: test + request: + payload: + - op: replace + path: /backend_roles + value: [admin] + response: + status: 200 + - synopsis: Delete rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: DELETE + parameters: + role: test + response: + status: 200 +epilogues: + - path: /_plugins/_security/api/roles/{role} + method: DELETE + parameters: + role: test + status: [200] diff --git a/tests/default/security/api/securityconfig.yaml b/tests/default/security/api/securityconfig.yaml new file mode 100644 index 000000000..28c6573bd --- /dev/null 
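Review bot: The `Patch rolesmapping bulk` chapter replaces the built-in `all_access` mapping (`path: /all_access` with `users: [test]`, `backend_roles: [admin]`) and nothing restores it, so after this story any account named `test` holds `all_access` on the cluster — and several other stories in this commit create and delete a user called `test`. Patch a throwaway mapping (the `test` role created in the prologue) instead of `all_access`, or restore the original mapping in `epilogues`. A comment on the chapter should name the built-in mapping it touches.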
+++ b/tests/default/security/api/securityconfig.yaml @@ -0,0 +1,22 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test securityconfig endpoints. +version: '> 2.9' + +# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. +chapters: + - synopsis: Get a security config. + path: /_plugins/_security/api/securityconfig + method: GET + response: + status: 200 + - synopsis: Patch a security config. + path: /_plugins/_security/api/securityconfig + method: PATCH + request: + payload: + - op: replace + path: /config/dynamic/authc/basic_internal_auth_domain/transport_enabled + value: true + response: + status: 403 diff --git a/tests/default/security/api/securityconfig/config.yaml b/tests/default/security/api/securityconfig/config.yaml new file mode 100644 index 000000000..5bae694be --- /dev/null +++ b/tests/default/security/api/securityconfig/config.yaml 
@@ -0,0 +1,43 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test securityconfig/config endpoint. +version: '>2.9' + +# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. +chapters: + - synopsis: Update a security config. + path: /_plugins/_security/api/securityconfig/config + method: PUT + request: + payload: + dynamic: + filtered_alias_mode: warn + disable_rest_auth: false + disable_intertransport_auth: false + respect_request_indices_options: false + opensearch-dashboards: + multitenancy_enabled: true + server_username: kibanaserver + index: .opensearch-dashboards + http: + anonymous_auth_enabled: false + authc: + basic_internal_auth_domain: + http_enabled: true + transport_enabled: true + order: 0 + http_authenticator: + challenge: true + type: basic + config: {} + authentication_backend: + type: intern + config: {} + description: Authenticate via HTTP Basic against internal users database + auth_failure_listeners: {} + do_not_fail_on_forbidden: false + multi_rolespan_enabled: true + hosts_resolver_mode: ip-only + do_not_fail_on_forbidden_empty: false + response: + status: 403 diff --git a/tests/default/security/api/ssl/certs.yml b/tests/default/security/api/ssl/certs.yml new file mode 100644 index 000000000..168ff0964 --- /dev/null +++ b/tests/default/security/api/ssl/certs.yml @@ -0,0 +1,12 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test ssl/certs endpoint. +version: '>= 2.0' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Get ssl certificates. + path: /_plugins/_security/api/ssl/certs + method: GET + response: + status: 403 diff --git a/tests/default/security/api/ssl/http/reloadcerts.yaml b/tests/default/security/api/ssl/http/reloadcerts.yaml new file mode 100644 index 000000000..30f1f043b --- /dev/null +++ b/tests/default/security/api/ssl/http/reloadcerts.yaml 
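Review bot: `version: '>2.9'` omits the space every other story uses (`'> 2.9'` in securityconfig.yaml, `'> 2.16'`, `'>= 2.0'`); if the runner's version parser tolerates both this is only a style nit, but keep one form. Because the expected status is 403, the large `dynamic` payload is never validated beyond the rejection; a comment after the ADMIN-CERT line saying the payload is illustrative only would set expectations for whoever later enables admin-cert runs.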
@@ -0,0 +1,12 @@ +$schema: ../../../../../../json_schemas/test_story.schema.yaml + +description: Test ssl/http/reloadcerts endpoint. +version: '> 2.7' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Reload http certs. + path: /_plugins/_security/api/ssl/http/reloadcerts + method: PUT + response: + status: 403 diff --git a/tests/default/security/api/ssl/transport/reloadcerts.yaml b/tests/default/security/api/ssl/transport/reloadcerts.yaml new file mode 100644 index 000000000..9585b1a17 --- /dev/null +++ b/tests/default/security/api/ssl/transport/reloadcerts.yaml @@ -0,0 +1,12 @@ +$schema: ../../../../../../json_schemas/test_story.schema.yaml + +description: Test ssl/transport/reloadcerts endpoint. +version: '> 2.7' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Reload transport certs. + path: /_plugins/_security/api/ssl/transport/reloadcerts + method: PUT + response: + status: 403 diff --git a/tests/default/security/api/tenancy/config.yaml b/tests/default/security/api/tenancy/config.yaml new file mode 100644 index 000000000..1e3d95262 --- /dev/null +++ b/tests/default/security/api/tenancy/config.yaml @@ -0,0 +1,22 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test tenancy/config endpoints. +version: '> 2.6' + +chapters: + - synopsis: Get tenancy config. + path: /_plugins/_security/api/tenancy/config + method: GET + response: + status: 200 + - synopsis: Create or Update tenancy config. + path: /_plugins/_security/api/tenancy/config + method: PUT + request: + payload: + default_tenant: admin_tenant + private_tenant_enabled: false + multitenancy_enabled: true + sign_in_options: [] + response: + status: 200 diff --git a/tests/default/security/api/tenants.yaml b/tests/default/security/api/tenants.yaml new file mode 100644 index 000000000..3e41617ee --- /dev/null +++ b/tests/default/security/api/tenants.yaml 
@@ -0,0 +1,56 @@
+$schema: ../../../../json_schemas/test_story.schema.yaml
+
+description: Test tenants endpoints.
+
+chapters:
+ - synopsis: Create tenant.
+ path: /_plugins/_security/api/tenants/{tenant}
+ method: PUT
+ parameters:
+ tenant: test
+ request:
+ payload:
+ description: A test tenant.
+ response:
+ status: 201
+ - synopsis: Get tenants bulk.
+ path: /_plugins/_security/api/tenants
+ method: GET
+ response:
+ status: 200
+ - synopsis: Patch tenants bulk.
+ path: /_plugins/_security/api/tenants
+ method: PATCH
+ request:
+ payload:
+ - op: replace
+ path: /test/description
+ value: A very good description
+ response:
+ status: 200
+ - synopsis: Get tenant.
+ path: /_plugins/_security/api/tenants/{tenant}
+ method: GET
+ parameters:
+ tenant: test
+ response:
+ status: 200
+ - synopsis: Patch tenant.
+ path: /_plugins/_security/api/tenants/{tenant}
+ method: PATCH
+ parameters:
+ tenant: test
+ request:
+ payload:
+ - op: replace
+ path: /description
+ value: An updated description
+ response:
+ status: 200
+ - synopsis: Delete tenant.
+ path: /_plugins/_security/api/tenants/{tenant}
+ method: DELETE
+ parameters:
+ tenant: test
+ response:
+ status: 200
diff --git a/tests/default/security/api/user.yaml b/tests/default/security/api/user.yaml
new file mode 100644
index 000000000..4c676f39a
--- /dev/null
+++ b/tests/default/security/api/user.yaml
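Review bot: Cleanup of the `test` tenant is the last chapter, so any earlier chapter failing leaves the tenant on the cluster, and on the next run `Create tenant` presumably answers 200 for an existing tenant rather than the asserted 201, turning one failure into a persistent one. The authtoken story in this same change already uses `epilogues` for exactly this; moving the delete there makes it run regardless of chapter outcome, and a matching prologue delete that tolerates a missing tenant makes the story re-runnable (hedged: I am assuming the runner accepts a list of acceptable statuses in prologues as it does in the authtoken epilogue).

```yaml
prologues:
  - path: /_plugins/_security/api/tenants/{tenant}
    method: DELETE
    parameters:
      tenant: test
    status: [200, 404]

# … unchanged: chapters "Create tenant" through "Patch tenant", with the "Delete tenant" chapter removed …

epilogues:
  - path: /_plugins/_security/api/tenants/{tenant}
    method: DELETE
    parameters:
      tenant: test
    status: [200]
```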
@@ -0,0 +1,37 @@
+$schema: ../../../../json_schemas/test_story.schema.yaml
+
+description: Test user endpoints.
+
+chapters:
+ - synopsis: Get user bulk.
+ path: /_plugins/_security/api/user
+ method: GET
+ response:
+ status: 200
+ - synopsis: Create user.
+ path: /_plugins/_security/api/user/{username}
+ method: PUT
+ parameters:
+ username: test
+ request:
+ payload:
+ password: myWeakPassword123!
+ opendistro_security_roles: []
+ backend_roles: []
+ attributes: {}
+ response:
+ status: 201
+ - synopsis: Get user.
+ path: /_plugins/_security/api/user/{username}
+ method: GET
+ parameters:
+ username: test
+ response:
+ status: 200
+ - synopsis: Delete user.
+ path: /_plugins/_security/api/user/{username}
+ method: DELETE
+ parameters:
+ username: test
+ response:
+ status: 200
diff --git a/tests/default/security/api/user/authtoken.yaml b/tests/default/security/api/user/authtoken.yaml
new file mode 100644
index 000000000..edf450fb6
--- /dev/null
+++ b/tests/default/security/api/user/authtoken.yaml
@@ -0,0 +1,35 @@
+$schema: ../../../../../json_schemas/test_story.schema.yaml
+
+description: Test authtoken endpoints for user.
+version: '> 2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628
+
+prologues:
+ - path: /_plugins/_security/api/user/{username}
+ method: PUT
+ parameters:
+ username: test
+ request:
+ payload:
+ opendistro_security_roles: []
+ backend_roles: []
+ attributes:
+ service: true
+ enabled: true
+ status: [201]
+
+chapters:
+ # Auth-tokens can only be vended for service accounts.
+ - synopsis: Create user token.
+ path: /_plugins/_security/api/user/{username}/authtoken
+ method: POST
+ parameters:
+ username: test
+ response:
+ status: 501
+
+epilogues:
+ - path: /_plugins/_security/api/user/{username}
+ method: DELETE
+ parameters:
+ username: test
+ status: [200]
diff --git a/tests/default/security/api/validate.yaml b/tests/default/security/api/validate.yaml
new file mode 100644
index 000000000..5c4cbdfc4
--- /dev/null
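Review bot: The `test` internal user, created with a known password (`myWeakPassword123!`), is only removed in the final chapter, so a failure in `Create user` or `Get user` leaves a credential-bearing account on the shared cluster and makes the next run's 201 assertion fragile. The authtoken story next to this one already deletes its user in `epilogues`; the same shape here would run the cleanup regardless of chapter outcome.

```yaml
# … unchanged: chapters "Get user bulk", "Create user", "Get user", with the "Delete user" chapter removed …

epilogues:
  - path: /_plugins/_security/api/user/{username}
    method: DELETE
    parameters:
      username: test
    status: [200]
```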
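Review bot: The comment `# Auth-tokens can only be vended for service accounts.` sits above a chapter that, after the prologue has created a service account (`service: true`), asserts `status: 501`; read together they contradict each other, because the supported case is the one that gets "Not Implemented". The comment should say what the 501 actually encodes — presumably a feature the test cluster does not enable — for example `# The prologue creates a service account (the only kind that can receive a token); the test cluster still answers 501 because <feature> is not enabled there.` Also note that `service` and `enabled` are emitted as JSON booleans; if the plugin matches attribute values as strings (`"true"`), confirm this account is really recognised as a service account, otherwise the 501 may come from a different branch than the one the comment describes.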
+++ b/tests/default/security/api/validate.yaml
@@ -0,0 +1,13 @@
+$schema: ../../../../json_schemas/test_story.schema.yaml
+
+description: Test validate endpoint.
+
+# BAD_REQUEST. Can not migrate configuration because it was already migrated.
+chapters:
+ - synopsis: Check whether v6 configuration is valid.
+ path: /_plugins/_security/api/validate
+ method: GET
+ parameters:
+ accept_invalid: false
+ response:
+ status: 400
diff --git a/tests/default/security/authinfo.yaml b/tests/default/security/authinfo.yaml
new file mode 100644
index 000000000..1d65c31f0
--- /dev/null
+++ b/tests/default/security/authinfo.yaml
@@ -0,0 +1,34 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test authinfo endpoint.
+
+chapters:
+ - synopsis: Get auth info.
+ path: /_plugins/_security/authinfo
+ method: GET
+ version: < 2.13
+ response:
+ status: 200
+ - synopsis: Get auth info via POST.
+ path: /_plugins/_security/authinfo
+ method: POST
+ version: < 2.13
+ response:
+ status: 200
+ - synopsis: Get auth info.
+ path: /_plugins/_security/authinfo
+ method: GET
+ version: = 2.13
+ parameters:
+ verbose: false
+ response:
+ status: 200
+ - synopsis: Get auth info.
+ path: /_plugins/_security/authinfo
+ method: GET
+ version: '> 2.13'
+ parameters:
+ verbose: false
+ auth_type: basic
+ response:
+ status: 200
diff --git a/tests/default/security/dashboardsinfo.yaml b/tests/default/security/dashboardsinfo.yaml
new file mode 100644
index 000000000..fb28a9914
--- /dev/null
+++ b/tests/default/security/dashboardsinfo.yaml
@@ -0,0 +1,15 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test dashboardsinfo endpoint.
+
+chapters:
+ - synopsis: Get dashboards info.
+ path: /_plugins/_security/dashboardsinfo
+ method: GET
+ response:
+ status: 200
+ - synopsis: Get dashboards info via POST.
+ path: /_plugins/_security/dashboardsinfo
+ method: POST
+ response:
+ status: 200
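Review bot: In the authinfo story `version: < 2.13` and `version: = 2.13` are plain scalars while the neighbouring `version: '> 2.13'` is quoted; `>` must be quoted because an unquoted `>` starts a folded block scalar, but leaving the other two bare makes the next editor guess which constraints need quotes and invites a copy-paste of an unquoted `>`. Quoting all three — `version: '< 2.13'` and `version: '= 2.13'` — matches how every other story in this change writes its constraints. The three chapters with identical synopsis `Get auth info.` are also hard to tell apart in runner output; suffixing them with the version they cover would help.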
diff --git a/tests/default/security/health.yaml b/tests/default/security/health.yaml
new file mode 100644
index 000000000..b1c42b037
--- /dev/null
+++ b/tests/default/security/health.yaml
@@ -0,0 +1,27 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test health endpoint.
+
+chapters:
+ - synopsis: Get security health info.
+ path: /_plugins/_security/health
+ method: GET
+ parameters:
+ mode: strict
+ response:
+ status: 200
+ payload:
+ message: null
+ mode: strict
+ status: UP
+ - synopsis: Get security health info via POST.
+ path: /_plugins/_security/health
+ method: POST
+ parameters:
+ mode: strict
+ response:
+ status: 200
+ payload:
+ message: null
+ mode: strict
+ status: UP
diff --git a/tests/default/security/sslinfo.yaml b/tests/default/security/sslinfo.yaml
new file mode 100644
index 000000000..b73d18ee4
--- /dev/null
+++ b/tests/default/security/sslinfo.yaml
@@ -0,0 +1,25 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test sslinfo endpoint.
+
+chapters:
+ - synopsis: Get ssl info.
+ path: /_opendistro/_security/sslinfo
+ method: GET
+ parameters:
+ show_dn: false
+ response:
+ status: 200
+ payload:
+ principal: null
+ peer_certificates: '0'
+ ssl_protocol: TLSv1.3
+ ssl_openssl_available: false
+ ssl_openssl_version: -1
+ ssl_openssl_version_string: null
+ ssl_openssl_non_available_cause: 'java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSLContext'
+ ssl_openssl_supports_key_manager_factory: false
+ ssl_openssl_supports_hostname_validation: false
+ ssl_provider_http: JDK
+ ssl_provider_transport_server: JDK
+ ssl_provider_transport_client: JDK
diff --git a/tests/default/security/tenantinfo.yaml b/tests/default/security/tenantinfo.yaml
new file mode 100644
index 000000000..8b0aeee54
--- /dev/null
+++ b/tests/default/security/tenantinfo.yaml
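Review bot: The sslinfo expected payload pins facts about the CI image rather than the API contract: `ssl_openssl_available: false`, `ssl_openssl_non_available_cause: 'java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSLContext'`, the three `ssl_provider_*: JDK` fields and `ssl_protocol: TLSv1.3` will all change the moment a build bundles tcnative, negotiates a different protocol, or the suite is run against a managed cluster, with no spec regression behind the failure. Keep `status: 200`, `principal: null` and `peer_certificates: '0'` (they follow from the runner's client presenting no certificate) and either drop the OpenSSL/provider/protocol fields or add a comment above `payload:` such as `# The OpenSSL and provider fields below encode the docker image's JDK-only TLS stack, not the API contract.` The path also uses the legacy `/_opendistro/_security/` prefix while every other story in this change uses `/_plugins/_security/`; if the newer prefix serves sslinfo as well, prefer it here or comment why the legacy one is exercised.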
@@ -0,0 +1,17 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test tenantinfo endpoint.
+
+chapters:
+ - synopsis: Get tenant info.
+ path: /_plugins/_security/tenantinfo
+ method: GET
+ response:
+ status: 403 # only allowed for super-admin or dashboards-server role mapping
+ content_type: text/plain
+ - synopsis: Get tenant info via POST.
+ path: /_plugins/_security/tenantinfo
+ method: POST
+ response:
+ status: 403 # only allowed for super-admin or dashboards-server role mapping
+ content_type: text/plain
diff --git a/tests/default/security/whoami.yaml b/tests/default/security/whoami.yaml
new file mode 100644
index 000000000..3e2c5016b
--- /dev/null
+++ b/tests/default/security/whoami.yaml
@@ -0,0 +1,24 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test whoami endpoints.
+version: '>= 2.0'
+
+chapters:
+ - synopsis: Get current user info.
+ path: /_plugins/_security/whoami
+ method: GET
+ response:
+ status: 200
+ payload:
+ dn: null
+ is_admin: false
+ is_node_certificate_request: false
+ - synopsis: Get current user info via POST.
+ path: /_plugins/_security/whoami
+ method: POST
+ response:
+ status: 200
+ payload:
+ dn: null
+ is_admin: false
+ is_node_certificate_request: false
diff --git a/tests/default/security/whoamiprotected.yaml b/tests/default/security/whoamiprotected.yaml
new file mode 100644
index 000000000..a3771fb7c
--- /dev/null
+++ b/tests/default/security/whoamiprotected.yaml
@@ -0,0 +1,15 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test whoamiprotected endpoint.
+version: '> 2.10'
+
+chapters:
+ - synopsis: Get current user info from protected endpoint.
+ path: /_plugins/_security/whoamiprotected
+ method: GET
+ response:
+ status: 200
+ payload:
+ dn: null
+ is_admin: false
+ is_node_certificate_request: false
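Review bot: The whoami payload assertions `dn: null` and `is_admin: false` encode an assumption about the runner — a basic-auth client that is not a super-admin — that the story never states; on a cluster where the client authenticates with a certificate (the ADMIN-CERT remarks in sibling stories suggest such a setup is at least anticipated) `dn` would carry a subject and `is_admin` could flip, and the failure would look like an API regression. A one-line comment above `chapters:` documents what the expected values depend on: `# Assumes the runner authenticates with basic auth as a non-admin user; dn is null and is_admin is false in that case.` The same assumption, and the same comment, applies to the whoamiprotected story below.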