Skip to content

Commit 18258c1

Browse files
n1v0lgn1v0lg
committed
Beef up coverage
1 parent 2bc314e commit 18258c1

File tree

1 file changed

+253
-97
lines changed

1 file changed

+253
-97
lines changed

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java

Lines changed: 253 additions & 97 deletions
Original file line numberDiff line numberDiff line change
@@ -1554,23 +1554,48 @@ public void testBuildRoleWithReadFailureStorePrivilegeDuplicatesMerged() {
15541554
assumeTrue("requires failure store feature", DataStream.isFailureStoreFeatureFlagEnabled());
15551555
String indexPattern = randomAlphanumericOfLength(10);
15561556
boolean allowRestrictedIndices = randomBoolean();
1557-
final Role role = buildRole(
1558-
roleDescriptorWithIndicesPrivileges(
1559-
"r1",
1560-
new IndicesPrivileges[] {
1561-
IndicesPrivileges.builder()
1562-
.indices(indexPattern)
1563-
.privileges("read_failure_store")
1564-
.allowRestrictedIndices(allowRestrictedIndices)
1565-
.build(),
1566-
IndicesPrivileges.builder()
1567-
.indices(indexPattern)
1568-
.privileges("read_failure_store")
1569-
.allowRestrictedIndices(allowRestrictedIndices)
1570-
.build() }
1557+
final List<Role> roles = List.of(
1558+
buildRole(
1559+
roleDescriptorWithIndicesPrivileges(
1560+
"r1",
1561+
new IndicesPrivileges[] {
1562+
IndicesPrivileges.builder()
1563+
.indices(indexPattern)
1564+
.privileges("read_failure_store")
1565+
.allowRestrictedIndices(allowRestrictedIndices)
1566+
.build(),
1567+
IndicesPrivileges.builder()
1568+
.indices(indexPattern)
1569+
.privileges("read_failure_store")
1570+
.allowRestrictedIndices(allowRestrictedIndices)
1571+
.build() }
1572+
)
1573+
),
1574+
buildRole(
1575+
roleDescriptorWithIndicesPrivileges(
1576+
"r1",
1577+
new IndicesPrivileges[] {
1578+
IndicesPrivileges.builder()
1579+
.indices(indexPattern)
1580+
.privileges("read_failure_store")
1581+
.allowRestrictedIndices(allowRestrictedIndices)
1582+
.build() }
1583+
),
1584+
roleDescriptorWithIndicesPrivileges(
1585+
"r2",
1586+
new IndicesPrivileges[] {
1587+
IndicesPrivileges.builder()
1588+
.indices(indexPattern)
1589+
.privileges("read_failure_store")
1590+
.allowRestrictedIndices(allowRestrictedIndices)
1591+
.build() }
1592+
)
15711593
)
15721594
);
1573-
assertHasIndexGroups(role.indices(), indexGroup(IndexPrivilege.READ_FAILURE_STORE, allowRestrictedIndices, indexPattern));
1595+
// the roles are different "format" but the same so should produce the same index groups
1596+
for (var role : roles) {
1597+
assertHasIndexGroups(role.indices(), indexGroup(IndexPrivilege.READ_FAILURE_STORE, allowRestrictedIndices, indexPattern));
1598+
}
15741599
}
15751600

15761601
public void testBuildRoleWithReadFailureStoreAndReadPrivilegeSplit() {
@@ -1595,112 +1620,243 @@ public void testBuildRoleWithReadFailureStoreAndReadPrivilegeSplit() {
15951620
);
15961621
}
15971622

1598-
public void testBuildRoleWithMultipleReadFailureStoreAndReadPrivilegeSplit() {
1623+
public void testBuildRoleWithReadFailureStoreAndReadPrivilegeAndMultipleIndexPatternsSplit() {
15991624
assumeTrue("requires failure store feature", DataStream.isFailureStoreFeatureFlagEnabled());
16001625
String indexPattern = randomAlphanumericOfLength(10);
1626+
String otherIndexPattern = randomValueOtherThan(indexPattern, () -> randomAlphanumericOfLength(10));
16011627
boolean allowRestrictedIndices = randomBoolean();
1602-
final Role role = buildRole(
1603-
roleDescriptorWithIndicesPrivileges(
1604-
"r1",
1605-
new IndicesPrivileges[] {
1606-
IndicesPrivileges.builder()
1607-
.indices(indexPattern)
1608-
.privileges("read")
1609-
.allowRestrictedIndices(allowRestrictedIndices)
1610-
.build(),
1611-
IndicesPrivileges.builder()
1612-
.indices(indexPattern)
1613-
.privileges("read_failure_store")
1614-
.allowRestrictedIndices(allowRestrictedIndices)
1615-
.build() }
1628+
List<Role> roles = List.of(
1629+
buildRole(
1630+
roleDescriptorWithIndicesPrivileges(
1631+
"r1",
1632+
new IndicesPrivileges[] {
1633+
IndicesPrivileges.builder()
1634+
.indices(indexPattern)
1635+
.privileges("read", "write")
1636+
.allowRestrictedIndices(allowRestrictedIndices)
1637+
.build(),
1638+
IndicesPrivileges.builder()
1639+
.indices(otherIndexPattern)
1640+
.privileges("read", "read_failure_store")
1641+
.allowRestrictedIndices(allowRestrictedIndices)
1642+
.build() }
1643+
)
1644+
),
1645+
buildRole(
1646+
roleDescriptorWithIndicesPrivileges(
1647+
"r1",
1648+
new IndicesPrivileges[] {
1649+
IndicesPrivileges.builder()
1650+
.indices(indexPattern)
1651+
.privileges("read", "write")
1652+
.allowRestrictedIndices(allowRestrictedIndices)
1653+
.build() }
1654+
),
1655+
roleDescriptorWithIndicesPrivileges(
1656+
"r2",
1657+
new IndicesPrivileges[] {
1658+
IndicesPrivileges.builder()
1659+
.indices(otherIndexPattern)
1660+
.privileges("read", "read_failure_store")
1661+
.allowRestrictedIndices(allowRestrictedIndices)
1662+
.build() }
1663+
)
16161664
)
16171665
);
1618-
assertHasIndexGroups(
1619-
role.indices(),
1620-
indexGroup(IndexPrivilege.READ_FAILURE_STORE, allowRestrictedIndices, indexPattern),
1621-
indexGroup(IndexPrivilege.READ, allowRestrictedIndices, indexPattern)
1622-
);
1666+
// the roles are different "format" but the same so should produce the same index groups
1667+
for (var role : roles) {
1668+
assertHasIndexGroups(
1669+
role.indices(),
1670+
indexGroup(IndexPrivilege.getWithSingleSelectorAccess(Set.of("read", "write")), allowRestrictedIndices, indexPattern),
1671+
indexGroup(IndexPrivilege.READ, allowRestrictedIndices, otherIndexPattern),
1672+
indexGroup(IndexPrivilege.READ_FAILURE_STORE, allowRestrictedIndices, otherIndexPattern)
1673+
);
1674+
}
16231675
}
16241676

1625-
public void testBuildRoleWithAllPrivilegeIsNeverSplit() {
1677+
public void testBuildRoleWithMultipleReadFailureStoreAndReadPrivilegeSplit() {
16261678
assumeTrue("requires failure store feature", DataStream.isFailureStoreFeatureFlagEnabled());
16271679
String indexPattern = randomAlphanumericOfLength(10);
16281680
boolean allowRestrictedIndices = randomBoolean();
1629-
final Role role = buildRole(
1630-
roleDescriptorWithIndicesPrivileges(
1631-
"r1",
1632-
new IndicesPrivileges[] {
1633-
IndicesPrivileges.builder()
1634-
.indices(indexPattern)
1635-
.privileges("read", "read_failure_store", "all")
1636-
.allowRestrictedIndices(allowRestrictedIndices)
1637-
.build(),
1638-
IndicesPrivileges.builder()
1639-
.indices(indexPattern)
1640-
.privileges("read_failure_store")
1641-
.allowRestrictedIndices(allowRestrictedIndices)
1642-
.build() }
1681+
final List<Role> roles = List.of(
1682+
buildRole(
1683+
roleDescriptorWithIndicesPrivileges(
1684+
"r1",
1685+
new IndicesPrivileges[] {
1686+
IndicesPrivileges.builder()
1687+
.indices(indexPattern)
1688+
.privileges("read")
1689+
.allowRestrictedIndices(allowRestrictedIndices)
1690+
.build(),
1691+
IndicesPrivileges.builder()
1692+
.indices(indexPattern)
1693+
.privileges("read_failure_store")
1694+
.allowRestrictedIndices(allowRestrictedIndices)
1695+
.build() }
1696+
)
1697+
),
1698+
buildRole(
1699+
roleDescriptorWithIndicesPrivileges(
1700+
"r1",
1701+
new IndicesPrivileges[] {
1702+
IndicesPrivileges.builder()
1703+
.indices(indexPattern)
1704+
.privileges("read")
1705+
.allowRestrictedIndices(allowRestrictedIndices)
1706+
.build() }
1707+
),
1708+
roleDescriptorWithIndicesPrivileges(
1709+
"r2",
1710+
new IndicesPrivileges[] {
1711+
IndicesPrivileges.builder()
1712+
.indices(indexPattern)
1713+
.privileges("read_failure_store")
1714+
.allowRestrictedIndices(allowRestrictedIndices)
1715+
.build() }
1716+
)
16431717
)
16441718
);
1645-
assertHasIndexGroups(
1646-
role.indices(),
1647-
indexGroup(
1648-
IndexPrivilege.getWithSingleSelectorAccess(Set.of("read", "read_failure_store", "all")),
1649-
allowRestrictedIndices,
1650-
indexPattern
1719+
// the roles are different "format" but the same so should produce the same index groups
1720+
for (var role : roles) {
1721+
assertHasIndexGroups(
1722+
role.indices(),
1723+
indexGroup(IndexPrivilege.READ_FAILURE_STORE, allowRestrictedIndices, indexPattern),
1724+
indexGroup(IndexPrivilege.READ, allowRestrictedIndices, indexPattern)
1725+
);
1726+
}
1727+
}
1728+
1729+
public void testBuildRoleWithAllPrivilegeIsNeverSplit() {
1730+
assumeTrue("requires failure store feature", DataStream.isFailureStoreFeatureFlagEnabled());
1731+
String indexPattern = randomAlphanumericOfLength(10);
1732+
boolean allowRestrictedIndices = randomBoolean();
1733+
final List<Role> roles = List.of(
1734+
buildRole(
1735+
roleDescriptorWithIndicesPrivileges(
1736+
"r1",
1737+
new IndicesPrivileges[] {
1738+
IndicesPrivileges.builder()
1739+
.indices(indexPattern)
1740+
.privileges("read", "read_failure_store", "all")
1741+
.allowRestrictedIndices(allowRestrictedIndices)
1742+
.build(),
1743+
IndicesPrivileges.builder()
1744+
.indices(indexPattern)
1745+
.privileges("read_failure_store")
1746+
.allowRestrictedIndices(allowRestrictedIndices)
1747+
.build() }
1748+
)
1749+
),
1750+
buildRole(
1751+
roleDescriptorWithIndicesPrivileges(
1752+
"r1",
1753+
new IndicesPrivileges[] {
1754+
IndicesPrivileges.builder()
1755+
.indices(indexPattern)
1756+
.privileges("read", "read_failure_store", "all")
1757+
.allowRestrictedIndices(allowRestrictedIndices)
1758+
.build() }
1759+
),
1760+
roleDescriptorWithIndicesPrivileges(
1761+
"r2",
1762+
new IndicesPrivileges[] {
1763+
IndicesPrivileges.builder()
1764+
.indices(indexPattern)
1765+
.privileges("read_failure_store")
1766+
.allowRestrictedIndices(allowRestrictedIndices)
1767+
.build() }
1768+
)
16511769
)
16521770
);
1771+
// the roles are different "format" but the same so should produce the same index groups
1772+
for (var role : roles) {
1773+
assertHasIndexGroups(
1774+
role.indices(),
1775+
indexGroup(
1776+
IndexPrivilege.getWithSingleSelectorAccess(Set.of("read", "read_failure_store", "all")),
1777+
allowRestrictedIndices,
1778+
indexPattern
1779+
)
1780+
);
1781+
}
16531782
}
16541783

16551784
public void testBuildRoleWithFailureStorePrivilegeCollatesToRemoveDlsFlsFromAnotherGroup() {
16561785
assumeTrue("requires failure store feature", DataStream.isFailureStoreFeatureFlagEnabled());
16571786
String indexPattern = randomAlphanumericOfLength(10);
16581787
boolean allowRestrictedIndices = randomBoolean();
1659-
final Role role = buildRole(
1660-
roleDescriptorWithIndicesPrivileges(
1661-
"r1",
1662-
new IndicesPrivileges[] {
1663-
IndicesPrivileges.builder()
1664-
.indices(indexPattern)
1665-
.privileges("read_failure_store")
1666-
.allowRestrictedIndices(allowRestrictedIndices)
1667-
.build(),
1668-
IndicesPrivileges.builder()
1669-
.indices(indexPattern)
1670-
.privileges("read", "view_index_metadata")
1671-
.query("{\"match\":{\"field\":\"a\"}}")
1672-
.grantedFields("field")
1673-
.allowRestrictedIndices(allowRestrictedIndices)
1674-
.build() }
1675-
)
1676-
);
1677-
assertHasIndexGroups(
1678-
role.indices(),
1679-
indexGroup(
1680-
IndexPrivilege.getWithSingleSelectorAccess(Set.of("read_failure_store")),
1681-
allowRestrictedIndices,
1682-
null,
1683-
new FieldPermissionsDefinition(
1684-
Set.of(
1685-
new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null),
1686-
new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "field" }, null)
1687-
)
1688-
),
1689-
indexPattern
1788+
final List<Role> roles = List.of(
1789+
buildRole(
1790+
roleDescriptorWithIndicesPrivileges(
1791+
"r1",
1792+
new IndicesPrivileges[] {
1793+
IndicesPrivileges.builder()
1794+
.indices(indexPattern)
1795+
.privileges("read_failure_store")
1796+
.allowRestrictedIndices(allowRestrictedIndices)
1797+
.build(),
1798+
IndicesPrivileges.builder()
1799+
.indices(indexPattern)
1800+
.privileges("read", "view_index_metadata")
1801+
.query("{\"match\":{\"field\":\"a\"}}")
1802+
.grantedFields("field")
1803+
.allowRestrictedIndices(allowRestrictedIndices)
1804+
.build() }
1805+
)
16901806
),
1691-
indexGroup(
1692-
IndexPrivilege.getWithSingleSelectorAccess(Set.of("read", "view_index_metadata")),
1693-
allowRestrictedIndices,
1694-
null,
1695-
new FieldPermissionsDefinition(
1696-
Set.of(
1697-
new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null),
1698-
new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "field" }, null)
1699-
)
1807+
buildRole(
1808+
roleDescriptorWithIndicesPrivileges(
1809+
"r1",
1810+
new IndicesPrivileges[] {
1811+
IndicesPrivileges.builder()
1812+
.indices(indexPattern)
1813+
.privileges("read_failure_store")
1814+
.allowRestrictedIndices(allowRestrictedIndices)
1815+
.build() }
17001816
),
1701-
indexPattern
1817+
roleDescriptorWithIndicesPrivileges(
1818+
"r2",
1819+
new IndicesPrivileges[] {
1820+
IndicesPrivileges.builder()
1821+
.indices(indexPattern)
1822+
.privileges("read", "view_index_metadata")
1823+
.query("{\"match\":{\"field\":\"a\"}}")
1824+
.grantedFields("field")
1825+
.allowRestrictedIndices(allowRestrictedIndices)
1826+
.build() }
1827+
)
17021828
)
17031829
);
1830+
for (var role : roles) {
1831+
assertHasIndexGroups(
1832+
role.indices(),
1833+
indexGroup(
1834+
IndexPrivilege.getWithSingleSelectorAccess(Set.of("read_failure_store")),
1835+
allowRestrictedIndices,
1836+
null,
1837+
new FieldPermissionsDefinition(
1838+
Set.of(
1839+
new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null),
1840+
new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "field" }, null)
1841+
)
1842+
),
1843+
indexPattern
1844+
),
1845+
indexGroup(
1846+
IndexPrivilege.getWithSingleSelectorAccess(Set.of("read", "view_index_metadata")),
1847+
allowRestrictedIndices,
1848+
null,
1849+
new FieldPermissionsDefinition(
1850+
Set.of(
1851+
new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null),
1852+
new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "field" }, null)
1853+
)
1854+
),
1855+
indexPattern
1856+
)
1857+
);
1858+
1859+
}
17041860
}
17051861

17061862
public void testBuildRoleWithFailureStorePrivilegeCollatesToKeepDlsFlsFromAnotherGroup() {

0 commit comments

Comments
 (0)