-
Notifications
You must be signed in to change notification settings - Fork 282
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Backport 2.x] [Refactor] Remove json-path from deps and use JsonPoin…
- Loading branch information
1 parent
b856568
commit 4c9e6eb
Showing
6 changed files
with
322 additions
and
59 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
80 changes: 80 additions & 0 deletions
80
...java/org/opensearch/security/dlic/rest/api/AuditApiActionRequestContentValidatorTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
package org.opensearch.security.dlic.rest.api; | ||
|
||
import com.fasterxml.jackson.databind.InjectableValues; | ||
import org.junit.Test; | ||
import org.opensearch.common.settings.Settings; | ||
import org.opensearch.core.common.bytes.BytesArray; | ||
import org.opensearch.core.rest.RestStatus; | ||
import org.opensearch.security.DefaultObjectMapper; | ||
import org.opensearch.security.auditlog.config.AuditConfig; | ||
import org.opensearch.security.auditlog.impl.AuditCategory; | ||
import org.opensearch.security.compliance.ComplianceConfig; | ||
import org.opensearch.security.util.FakeRestRequest; | ||
|
||
import java.io.IOException; | ||
import java.util.Map; | ||
import java.util.stream.Collectors; | ||
import java.util.stream.Stream; | ||
|
||
import static org.junit.Assert.assertEquals; | ||
import static org.junit.Assert.assertFalse; | ||
|
||
public class AuditApiActionRequestContentValidatorTest extends AbstractApiActionValidationTest { | ||
|
||
@Test | ||
public void validateAuditDisabledRestCategories() throws IOException { | ||
InjectableValues.Std injectableValues = new InjectableValues.Std(); | ||
injectableValues.addValue(Settings.class, Settings.EMPTY); | ||
DefaultObjectMapper.inject(injectableValues); | ||
final var auditApiActionRequestContentValidator = new AuditApiAction(clusterService, threadPool, securityApiDependencies) | ||
.createEndpointValidator() | ||
.createRequestContentValidator(); | ||
|
||
final var disabledTransportCategories = AuditApiAction.AuditRequestContentValidator.DISABLED_TRANSPORT_CATEGORIES.stream() | ||
.map(Enum::name) | ||
.collect(Collectors.toList()); | ||
final var auditConfig = new AuditConfig( | ||
true, | ||
AuditConfig.Filter.from(Map.of("disabled_rest_categories", disabledTransportCategories)), | ||
ComplianceConfig.DEFAULT | ||
); | ||
final var content = DefaultObjectMapper.writeValueAsString(objectMapper.valueToTree(auditConfig), false); | ||
var result = auditApiActionRequestContentValidator.validate(FakeRestRequest.builder().withContent(new BytesArray(content)).build()); | ||
assertFalse(result.isValid()); | ||
assertEquals(RestStatus.BAD_REQUEST, result.status()); | ||
} | ||
|
||
@Test | ||
public void validateAuditDisabledTransportCategories() throws IOException { | ||
InjectableValues.Std injectableValues = new InjectableValues.Std(); | ||
injectableValues.addValue(Settings.class, Settings.EMPTY); | ||
DefaultObjectMapper.inject(injectableValues); | ||
final var auditApiActionRequestContentValidator = new AuditApiAction(clusterService, threadPool, securityApiDependencies) | ||
.createEndpointValidator() | ||
.createRequestContentValidator(); | ||
|
||
final var disabledRestCategories = Stream.of(AuditCategory.COMPLIANCE_DOC_WRITE, AuditCategory.COMPLIANCE_DOC_READ) | ||
.map(Enum::name) | ||
.collect(Collectors.toList()); | ||
final var auditConfig = new AuditConfig( | ||
true, | ||
AuditConfig.Filter.from(Map.of("disabled_transport_categories", disabledRestCategories)), | ||
ComplianceConfig.DEFAULT | ||
); | ||
final var content = DefaultObjectMapper.writeValueAsString(objectMapper.valueToTree(auditConfig), false); | ||
var result = auditApiActionRequestContentValidator.validate(FakeRestRequest.builder().withContent(new BytesArray(content)).build()); | ||
assertFalse(result.isValid()); | ||
assertEquals(RestStatus.BAD_REQUEST, result.status()); | ||
} | ||
} |
179 changes: 179 additions & 0 deletions
179
...java/org/opensearch/security/dlic/rest/api/RolesApiActionRequestContentValidatorTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,179 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
package org.opensearch.security.dlic.rest.api; | ||
|
||
import com.fasterxml.jackson.databind.node.ObjectNode; | ||
import org.junit.Test; | ||
import org.opensearch.core.common.bytes.BytesArray; | ||
import org.opensearch.security.util.FakeRestRequest; | ||
|
||
import java.io.IOException; | ||
|
||
import static org.junit.Assert.assertFalse; | ||
import static org.junit.Assert.assertTrue; | ||
|
||
public class RolesApiActionRequestContentValidatorTest extends AbstractApiActionValidationTest { | ||
|
||
@Test | ||
public void doesNotValidateMaskedFields() throws IOException { | ||
|
||
final var requestContentValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies) | ||
.createEndpointValidator() | ||
.createRequestContentValidator(); | ||
|
||
// no masked fields | ||
final var noMaskedFields = objectMapper.createObjectNode() | ||
.set( | ||
"index_permissions", | ||
objectMapper.createArrayNode() | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("a*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("read")) | ||
) | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("b*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("write")) | ||
) | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("c*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("read").add("write")) | ||
|
||
) | ||
); | ||
|
||
var result = requestContentValidator.validate( | ||
FakeRestRequest.builder().withContent(new BytesArray(noMaskedFields.toString())).build() | ||
); | ||
assertTrue(result.isValid()); | ||
result = requestContentValidator.validate( | ||
FakeRestRequest.builder().withContent(new BytesArray(noMaskedFields.toString())).build(), | ||
noMaskedFields | ||
); | ||
assertTrue(result.isValid()); | ||
} | ||
|
||
@Test | ||
public void validateOnlySpecifiedMaskedFields() throws IOException { | ||
final var requestContentValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies) | ||
.createEndpointValidator() | ||
.createRequestContentValidator(); | ||
final var specifiedMaskedFields = objectMapper.createObjectNode() | ||
.set( | ||
"index_permissions", | ||
objectMapper.createArrayNode() | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("a*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.<ObjectNode>set("masked_fields", objectMapper.nullNode()) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("read")) | ||
) | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("b*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("write")) | ||
) | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("c*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("aaa::").add("bbb")) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("read").add("write")) | ||
|
||
) | ||
); | ||
var result = requestContentValidator.validate( | ||
FakeRestRequest.builder().withContent(new BytesArray(specifiedMaskedFields.toString())).build() | ||
); | ||
assertFalse(result.isValid()); | ||
var errorMessage = xContentToJsonNode(result.errorMessage()); | ||
assertTrue(errorMessage.toString(), errorMessage.toString().contains("aaa::")); | ||
|
||
result = requestContentValidator.validate( | ||
FakeRestRequest.builder().withContent(new BytesArray(specifiedMaskedFields.toString())).build(), | ||
specifiedMaskedFields | ||
); | ||
assertFalse(result.isValid()); | ||
errorMessage = xContentToJsonNode(result.errorMessage()); | ||
assertTrue(errorMessage.toString(), errorMessage.toString().contains("aaa::")); | ||
} | ||
|
||
@Test | ||
public void validateAllMaskedFields() throws IOException { | ||
final var requestContentValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies) | ||
.createEndpointValidator() | ||
.createRequestContentValidator(); | ||
final var invalidMaskedFields = objectMapper.createObjectNode() | ||
.set( | ||
"index_permissions", | ||
objectMapper.createArrayNode() | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("a*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("aaa").add("bbb")) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("read")) | ||
) | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("b*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("aaa::").add("bbb::").add("ccc:::")) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("write")) | ||
) | ||
.add( | ||
objectMapper.createObjectNode() | ||
.<ObjectNode>set("index_patterns", objectMapper.createArrayNode().add("c*")) | ||
.put("dls", "") | ||
.<ObjectNode>set("fls", objectMapper.createArrayNode()) | ||
.<ObjectNode>set("masked_fields", objectMapper.createArrayNode().add("ddd::").add("eee")) | ||
.set("allowed_actions", objectMapper.createArrayNode().add("read").add("write")) | ||
|
||
) | ||
); | ||
var result = requestContentValidator.validate( | ||
FakeRestRequest.builder().withContent(new BytesArray(invalidMaskedFields.toString())).build() | ||
); | ||
assertFalse(result.isValid()); | ||
var errorMessage = xContentToJsonNode(result.errorMessage()).toString(); | ||
assertTrue(errorMessage, errorMessage.contains("aaa::")); | ||
assertTrue(errorMessage, errorMessage.contains("bbb::")); | ||
assertTrue(errorMessage, errorMessage.contains("ccc:::")); | ||
assertTrue(errorMessage, errorMessage.contains("ddd::")); | ||
|
||
result = requestContentValidator.validate( | ||
FakeRestRequest.builder().withContent(new BytesArray(invalidMaskedFields.toString())).build(), | ||
invalidMaskedFields | ||
); | ||
assertFalse(result.isValid()); | ||
errorMessage = xContentToJsonNode(result.errorMessage()).toString(); | ||
assertTrue(errorMessage, errorMessage.contains("aaa::")); | ||
assertTrue(errorMessage, errorMessage.contains("bbb::")); | ||
assertTrue(errorMessage, errorMessage.contains("ccc:::")); | ||
assertTrue(errorMessage, errorMessage.contains("ddd::")); | ||
} | ||
} |
Oops, something went wrong.