|
31 | 31 | import org.elasticsearch.xpack.core.XPackClientPlugin; |
32 | 32 | import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.ApplicationResourcePrivileges; |
33 | 33 | import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache; |
| 34 | +import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissionGroup; |
34 | 35 | import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions; |
35 | 36 | import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege; |
36 | 37 | import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivileges; |
| 38 | +import org.elasticsearch.xpack.core.security.authz.restriction.Workflow; |
| 39 | +import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver; |
37 | 40 | import org.hamcrest.Matchers; |
38 | 41 |
|
39 | 42 | import java.io.IOException; |
|
47 | 50 | import static org.elasticsearch.xcontent.XContentFactory.jsonBuilder; |
48 | 51 | import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.SECURITY_ROLE_DESCRIPTION; |
49 | 52 | import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.WORKFLOWS_RESTRICTION_VERSION; |
50 | | -import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomIndicesPrivileges; |
51 | 53 | import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomIndicesPrivilegesBuilder; |
52 | 54 | import static org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper.randomRemoteClusterPermissions; |
53 | 55 | import static org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS; |
@@ -1338,38 +1340,191 @@ public void testIsEmpty() { |
1338 | 1340 | } |
1339 | 1341 | } |
1340 | 1342 |
|
1341 | | - public void testHasPrivilegesOtherThanIndex() { |
| 1343 | + public void testHasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster() { |
| 1344 | + // any index and some cluster privileges are allowed |
1342 | 1345 | assertThat( |
1343 | 1346 | new RoleDescriptor( |
1344 | 1347 | "name", |
| 1348 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), // all of these are allowed |
| 1349 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1350 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1351 | + null, |
| 1352 | + null, |
| 1353 | + null, |
| 1354 | + null, |
| 1355 | + null, |
| 1356 | + null, |
| 1357 | + null, |
| 1358 | + null, |
| 1359 | + null |
| 1360 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1361 | + is(false) |
| 1362 | + ); |
| 1363 | + // any index and some cluster privileges are allowed |
| 1364 | + assertThat( |
| 1365 | + new RoleDescriptor( |
| 1366 | + "name", |
| 1367 | + new String[] { "manage_security" }, // unlikely we will ever support allowing manage security across clusters |
| 1368 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1369 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1370 | + null, |
| 1371 | + null, |
| 1372 | + null, |
| 1373 | + null, |
| 1374 | + null, |
| 1375 | + null, |
| 1376 | + null, |
| 1377 | + null, |
| 1378 | + null |
| 1379 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1380 | + is(true) |
| 1381 | + ); |
| 1382 | + |
| 1383 | + // application privileges are not allowed |
| 1384 | + assertThat( |
| 1385 | + new RoleDescriptor( |
| 1386 | + "name", |
| 1387 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1388 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1389 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1390 | + new ApplicationResourcePrivileges[] { |
| 1391 | + ApplicationResourcePrivileges.builder().application("app").privileges("foo").resources("res").build() }, |
| 1392 | + null, |
| 1393 | + null, |
| 1394 | + null, |
| 1395 | + null, |
| 1396 | + null, |
| 1397 | + null, |
| 1398 | + null, |
| 1399 | + null |
| 1400 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1401 | + is(true) |
| 1402 | + ); |
| 1403 | + |
| 1404 | + // configurable cluster privileges are not allowed |
| 1405 | + assertThat( |
| 1406 | + new RoleDescriptor( |
| 1407 | + "name", |
| 1408 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1409 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1410 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1411 | + null, |
| 1412 | + new ConfigurableClusterPrivilege[] { |
| 1413 | + new ConfigurableClusterPrivileges.ManageApplicationPrivileges(Collections.singleton("foo")) }, |
| 1414 | + null, |
| 1415 | + null, |
| 1416 | + null, |
| 1417 | + null, |
| 1418 | + null, |
| 1419 | + null, |
| 1420 | + null |
| 1421 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1422 | + is(true) |
| 1423 | + ); |
| 1424 | + |
| 1425 | + // run as is not allowed |
| 1426 | + assertThat( |
| 1427 | + new RoleDescriptor( |
| 1428 | + "name", |
| 1429 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1430 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1431 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1432 | + null, |
| 1433 | + null, |
| 1434 | + new String[] { "foo" }, |
| 1435 | + null, |
| 1436 | + null, |
| 1437 | + null, |
| 1438 | + null, |
| 1439 | + null, |
| 1440 | + null |
| 1441 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1442 | + is(true) |
| 1443 | + ); |
| 1444 | + |
| 1445 | + // workflows restriction is not allowed |
| 1446 | + assertThat( |
| 1447 | + new RoleDescriptor( |
| 1448 | + "name", |
| 1449 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1450 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1451 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
1345 | 1452 | null, |
1346 | | - randomBoolean() ? null : randomIndicesPrivileges(1, 5), |
1347 | 1453 | null, |
1348 | 1454 | null, |
1349 | 1455 | null, |
1350 | 1456 | null, |
1351 | 1457 | null, |
1352 | 1458 | null, |
| 1459 | + new RoleDescriptor.Restriction(WorkflowResolver.allWorkflows().stream().map(Workflow::name).toArray(String[]::new)), |
| 1460 | + null |
| 1461 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1462 | + is(true) |
| 1463 | + ); |
| 1464 | + // remote indices privileges are not allowed |
| 1465 | + assertThat( |
| 1466 | + new RoleDescriptor( |
| 1467 | + "name", |
| 1468 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1469 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1470 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1471 | + null, |
| 1472 | + null, |
| 1473 | + null, |
| 1474 | + null, |
| 1475 | + null, |
| 1476 | + new RoleDescriptor.RemoteIndicesPrivileges[] { |
| 1477 | + RoleDescriptor.RemoteIndicesPrivileges.builder("rmt").indices("idx").privileges("foo").build() }, |
1353 | 1478 | null, |
1354 | 1479 | null, |
1355 | 1480 | null |
1356 | 1481 | ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1482 | + is(true) |
| 1483 | + ); |
| 1484 | + // remote cluster privileges are not allowed |
| 1485 | + assertThat( |
| 1486 | + new RoleDescriptor( |
| 1487 | + "name", |
| 1488 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1489 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1490 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1491 | + null, |
| 1492 | + null, |
| 1493 | + null, |
| 1494 | + null, |
| 1495 | + null, |
| 1496 | + null, |
| 1497 | + new RemoteClusterPermissions().addGroup( |
| 1498 | + new RemoteClusterPermissionGroup( |
| 1499 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1500 | + new String[] { "rmt" } |
| 1501 | + ) |
| 1502 | + ), |
| 1503 | + null, |
| 1504 | + null |
| 1505 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
| 1506 | + is(true) |
| 1507 | + ); |
| 1508 | + |
| 1509 | + // metadata, transient metadata and description are allowed |
| 1510 | + assertThat( |
| 1511 | + new RoleDescriptor( |
| 1512 | + "name", |
| 1513 | + RemoteClusterPermissions.getSupportedRemoteClusterPermissions().toArray(new String[0]), |
| 1514 | + new RoleDescriptor.IndicesPrivileges[] { |
| 1515 | + RoleDescriptor.IndicesPrivileges.builder().indices("idx").privileges("foo").build() }, |
| 1516 | + null, |
| 1517 | + null, |
| 1518 | + null, |
| 1519 | + Collections.singletonMap("foo", "bar"), |
| 1520 | + Collections.singletonMap("foo", "bar"), |
| 1521 | + null, |
| 1522 | + null, |
| 1523 | + null, |
| 1524 | + "description" |
| 1525 | + ).hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), |
1357 | 1526 | is(false) |
1358 | 1527 | ); |
1359 | | - final RoleDescriptor roleDescriptor = RoleDescriptorTestHelper.builder() |
1360 | | - .allowReservedMetadata(true) |
1361 | | - .allowRemoteIndices(true) |
1362 | | - .allowRestriction(true) |
1363 | | - .allowDescription(true) |
1364 | | - .allowRemoteClusters(true) |
1365 | | - .build(); |
1366 | | - final boolean expected = roleDescriptor.hasClusterPrivileges() |
1367 | | - || roleDescriptor.hasConfigurableClusterPrivileges() |
1368 | | - || roleDescriptor.hasApplicationPrivileges() |
1369 | | - || roleDescriptor.hasRunAs() |
1370 | | - || roleDescriptor.hasRemoteIndicesPrivileges() |
1371 | | - || roleDescriptor.hasWorkflowsRestriction(); |
1372 | | - assertThat(roleDescriptor.hasUnsupportedPrivilegesInsideAPIKeyConnectedRemoteCluster(), equalTo(expected)); |
1373 | 1528 | } |
1374 | 1529 |
|
1375 | 1530 | private static void resetFieldPermssionsCache() { |
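Review bot: The comment at new line 1363 repeats the one at 1344 (`// any index and some cluster privileges are allowed`) but the case under it asserts `is(true)` for `manage_security`, so the comment contradicts the assertion; change it to `// cluster privileges outside the supported remote set are not allowed`. That case is also the only unsupported-cluster-privilege fixture and its role carries nothing but the unsupported privilege; a fixture that combines the full supported set with one extra unsupported privilege would pin down that a single disallowed privilege is enough to reject the role, which is the property a caller gating cross-cluster API-key grants on this method relies on (assuming the check is any-match rather than all-match, which the test does not show). Every case spells out the twelve-argument constructor with up to nine `null`s, so which slot a case exercises is hard to read; a small private helper that takes only the varying field and fills the rest with `null` would make the intent per case obvious. Replacing the removed randomized variant, whose expectation was derived from the same `hasX()` predicates the method presumably composes, with explicit fixtures is the right direction.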
|