diff --git a/server/src/main/java/org/elasticsearch/TransportVersions.java b/server/src/main/java/org/elasticsearch/TransportVersions.java index 57acb52341ff8..030fdaae38e38 100644 --- a/server/src/main/java/org/elasticsearch/TransportVersions.java +++ b/server/src/main/java/org/elasticsearch/TransportVersions.java @@ -53,7 +53,6 @@ static TransportVersion def(int id) { } // TODO: ES-10337 we can remove all transport versions earlier than 8.18 - public static final TransportVersion V_7_0_0 = def(7_00_00_99); public static final TransportVersion V_7_1_0 = def(7_01_00_99); public static final TransportVersion V_7_2_0 = def(7_02_00_99); public static final TransportVersion V_7_3_0 = def(7_03_00_99); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationSerializationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationSerializationTests.java index 0205cf43270b4..07bc8489fa500 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationSerializationTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationSerializationTests.java 
@@ -13,21 +13,17 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.TransportVersionUtils; import org.elasticsearch.transport.RemoteClusterPortSettings; -import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer; import org.elasticsearch.xpack.core.security.user.ElasticUser; import org.elasticsearch.xpack.core.security.user.InternalUsers; import org.elasticsearch.xpack.core.security.user.KibanaSystemUser; import org.elasticsearch.xpack.core.security.user.KibanaUser; import org.elasticsearch.xpack.core.security.user.User; -import java.io.IOException; import java.util.Arrays; import java.util.Map; import static org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationSerializationHelper; -import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.containsString; -import static org.hamcrest.Matchers.emptyArray; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.not; 
@@ -232,47 +228,4 @@ public void testReservedUserSerialization() throws Exception { assertEquals(kibanaSystemUser, readFrom); } - - public void testRolesRemovedFromUserForLegacyApiKeys() throws IOException { - TransportVersion transportVersion = TransportVersionUtils.randomVersionBetween( - random(), - TransportVersions.V_7_0_0, - TransportVersions.V_7_8_0 - ); - Subject authenticatingSubject = new Subject( - new User("foo", "role"), - new Authentication.RealmRef(AuthenticationField.API_KEY_REALM_NAME, AuthenticationField.API_KEY_REALM_TYPE, "node"), - transportVersion, - Map.of(AuthenticationField.API_KEY_ID_KEY, "abc") - ); - Subject effectiveSubject = new Subject( - new User("bar", "role"), - new Authentication.RealmRef("native", "native", "node"), - transportVersion, - Map.of() - ); - - { - Authentication actual = AuthenticationContextSerializer.decode( - Authentication.doEncode(authenticatingSubject, authenticatingSubject, Authentication.AuthenticationType.API_KEY) - ); - assertThat(actual.getAuthenticatingSubject().getUser().roles(), is(emptyArray())); - } - - { - Authentication actual = AuthenticationContextSerializer.decode( - Authentication.doEncode(effectiveSubject, authenticatingSubject, Authentication.AuthenticationType.API_KEY) - ); - assertThat(actual.getAuthenticatingSubject().getUser().roles(), is(emptyArray())); - assertThat(actual.getEffectiveSubject().getUser().roles(), is(arrayContaining("role"))); - } - - { - // do not strip roles for authentication methods other than API key - Authentication actual = AuthenticationContextSerializer.decode( - Authentication.doEncode(effectiveSubject, effectiveSubject, Authentication.AuthenticationType.REALM) - ); - assertThat(actual.getAuthenticatingSubject().getUser().roles(), is(arrayContaining("role"))); - } - } } 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java index bd7f82501ce13..11815cc3a3683 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java @@ -1321,9 +1321,7 @@ public static Authentication randomAuthentication(User user, RealmRef realmRef, if (realmRef == null) { realmRef = randomRealmRef(false); } - // If the realm is expected to have a domain, we need a version that's at least compatible with domains - final TransportVersion minVersion = realmRef.getDomain() != null ? Authentication.VERSION_REALM_DOMAINS : TransportVersions.V_7_0_0; - final TransportVersion version = TransportVersionUtils.randomVersionBetween(random(), minVersion, TransportVersion.current()); + final TransportVersion version = TransportVersionUtils.randomCompatibleVersion(random()); final Map metadata; if (randomBoolean()) { metadata = Map.of(randomAlphaOfLengthBetween(3, 8), randomAlphaOfLengthBetween(3, 8)); @@ -1336,11 +1334,7 @@ public static Authentication randomAuthentication(User user, RealmRef realmRef, } public static Authentication randomApiKeyAuthentication(User user, String apiKeyId) { - return randomApiKeyAuthentication( - user, - apiKeyId, - TransportVersionUtils.randomVersionBetween(random(), TransportVersions.V_7_0_0, TransportVersion.current()) - ); + return randomApiKeyAuthentication(user, apiKeyId, TransportVersionUtils.randomCompatibleVersion(random())); } public static Authentication randomApiKeyAuthentication(User user, String apiKeyId, TransportVersion version) { 
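Review bot: In `randomAuthentication`, the explicit guard that kept a realm with a domain from being paired with a transport version older than `Authentication.VERSION_REALM_DOMAINS` is gone, so that invariant now holds only if `TransportVersionUtils.randomCompatibleVersion(random())` never returns a version below it; that is presumably true given the minimum compatible version, but it is not visible in this hunk. I would keep the reasoning in a comment above the new line, e.g. `// compatible versions are assumed to be on or after VERSION_REALM_DOMAINS, so a realmRef with a domain stays valid`. The same narrowing applies to the second hunk in `randomApiKeyAuthentication`: authentications built by these helpers no longer carry pre-compatibility versions, so any remaining test that depends on an old-version subject has to pass the version explicitly through the three-argument overload. Both method bodies extend beyond the hunks.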
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java index 625feca39cdb5..330b9d0883fd5 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java @@ -8,21 +8,18 @@ package org.elasticsearch.xpack.core.security.authc; import org.elasticsearch.TransportVersion; -import org.elasticsearch.TransportVersions; import org.elasticsearch.common.Strings; import org.elasticsearch.common.bytes.BytesArray; import org.elasticsearch.common.bytes.BytesReference; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.ArrayUtils; import org.elasticsearch.test.ESTestCase; -import org.elasticsearch.test.TransportVersionUtils; import org.elasticsearch.xpack.core.security.action.apikey.ApiKey; import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings; import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection; import org.elasticsearch.xpack.core.security.authz.store.RoleKey; import org.elasticsearch.xpack.core.security.authz.store.RoleReference; import org.elasticsearch.xpack.core.security.authz.store.RoleReference.ApiKeyRoleReference; -import org.elasticsearch.xpack.core.security.authz.store.RoleReference.BwcApiKeyRoleReference; import org.elasticsearch.xpack.core.security.authz.store.RoleReference.FixedRoleReference; import org.elasticsearch.xpack.core.security.authz.store.RoleReference.NamedRoleReference; import org.elasticsearch.xpack.core.security.authz.store.RoleReference.ServiceAccountRoleReference; @@ -32,7 +29,6 @@ import org.elasticsearch.xpack.core.security.user.User; import java.util.Arrays; -import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; 
@@ -287,50 +283,6 @@ private static void expectFixedReferenceAtIndex(int index, List r assertThat(fixedRoleReference.id(), equalTo(expectedKey)); } - public void testGetRoleReferencesForApiKeyBwc() { - Map authMetadata = new HashMap<>(); - final String apiKeyId = randomAlphaOfLength(12); - authMetadata.put(AuthenticationField.API_KEY_ID_KEY, apiKeyId); - authMetadata.put(AuthenticationField.API_KEY_NAME_KEY, randomBoolean() ? null : randomAlphaOfLength(12)); - boolean emptyApiKeyRoleDescriptor = randomBoolean(); - Map roleARDMap = Map.of("cluster", List.of("monitor")); - authMetadata.put( - API_KEY_ROLE_DESCRIPTORS_KEY, - (emptyApiKeyRoleDescriptor) - ? randomFrom(Arrays.asList(null, Collections.emptyMap())) - : Collections.singletonMap("a role", roleARDMap) - ); - - Map limitedRdMap = Map.of("cluster", List.of("all")); - authMetadata.put(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, Collections.singletonMap("limited role", limitedRdMap)); - - final Subject subject = new Subject( - new User("joe"), - new Authentication.RealmRef(API_KEY_REALM_NAME, API_KEY_REALM_TYPE, "node"), - TransportVersionUtils.randomVersionBetween(random(), TransportVersions.V_7_0_0, TransportVersions.V_7_8_1), - authMetadata - ); - - final RoleReferenceIntersection roleReferenceIntersection = subject.getRoleReferenceIntersection(getAnonymousUser()); - final List roleReferences = roleReferenceIntersection.getRoleReferences(); - - if (emptyApiKeyRoleDescriptor) { - assertThat(roleReferences, contains(isA(BwcApiKeyRoleReference.class))); - final BwcApiKeyRoleReference limitedByRoleReference = (BwcApiKeyRoleReference) roleReferences.get(0); - assertThat(limitedByRoleReference.getApiKeyId(), equalTo(apiKeyId)); - assertThat(limitedByRoleReference.getRoleDescriptorsMap(), equalTo(authMetadata.get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY))); - } else { - assertThat(roleReferences, contains(isA(BwcApiKeyRoleReference.class), isA(BwcApiKeyRoleReference.class))); - final BwcApiKeyRoleReference roleReference = 
(BwcApiKeyRoleReference) roleReferences.get(0); - assertThat(roleReference.getApiKeyId(), equalTo(apiKeyId)); - assertThat(roleReference.getRoleDescriptorsMap(), equalTo(authMetadata.get(API_KEY_ROLE_DESCRIPTORS_KEY))); - - final BwcApiKeyRoleReference limitedByRoleReference = (BwcApiKeyRoleReference) roleReferences.get(1); - assertThat(limitedByRoleReference.getApiKeyId(), equalTo(apiKeyId)); - assertThat(limitedByRoleReference.getRoleDescriptorsMap(), equalTo(authMetadata.get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY))); - } - } - public void testGetFleetApiKeyRoleReferenceBwcBugFix() { final BytesReference roleBytes = new BytesArray("{\"a role\": {\"cluster\": [\"all\"]}}"); final BytesReference limitedByRoleBytes = new BytesArray("{}"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java index abd79f7e0ab1a..3a43464765045 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java @@ -243,16 +243,7 @@ public void setupClient() { } private static DiscoveryNode addAnother7071DataNode(ClusterService clusterService) { - Version version; - TransportVersion transportVersion; - if (randomBoolean()) { - version = Version.V_7_0_0; - transportVersion = TransportVersions.V_7_0_0; - } else { - version = Version.V_7_1_0; - transportVersion = TransportVersions.V_7_1_0; - } - return addAnotherDataNodeWithVersion(clusterService, version, transportVersion); + return addAnotherDataNodeWithVersion(clusterService, Version.V_7_1_0, TransportVersions.V_7_1_0); } private static DiscoveryNode addAnotherPre8500DataNode(ClusterService clusterService) { 
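Review bot: `addAnother7071DataNode` in `TokenServiceTests.java` now always adds a 7.1.0 node, so the `7071` in its name (the removed branch picked 7.0.0 or 7.1.0 at random) no longer describes what it does. Either rename it (its callers are outside this hunk) or add a one-line comment such as `// 7.0.0 went away with TransportVersions.V_7_0_0; this helper now always yields a 7.1.0 node`. The helper also still depends on `Version.V_7_1_0` and `TransportVersions.V_7_1_0`, which the `TODO: ES-10337` comment in `TransportVersions.java` marks for removal, so it will need another pass when those constants go.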
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java index e34c70ecc3a75..ac5ca5f97b44e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java @@ -9,7 +9,6 @@ import org.apache.logging.log4j.Level; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.TransportVersion; -import org.elasticsearch.TransportVersions; import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.admin.cluster.node.stats.TransportNodesStatsAction; import org.elasticsearch.action.admin.cluster.settings.ClusterUpdateSettingsAction; @@ -60,9 +59,7 @@ import org.elasticsearch.telemetry.metric.MeterRegistry; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.MockLog; -import org.elasticsearch.test.TransportVersionUtils; import org.elasticsearch.threadpool.ThreadPool; -import org.elasticsearch.transport.EmptyRequest; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.xcontent.XContentBuilder; import org.elasticsearch.xcontent.XContentType; @@ -71,7 +68,6 @@ import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateAction; import org.elasticsearch.xpack.core.security.action.user.PutUserAction; import org.elasticsearch.xpack.core.security.authc.Authentication; -import org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationType; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; import org.elasticsearch.xpack.core.security.authc.AuthenticationField; import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper; 
@@ -164,7 +160,6 @@ import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_ID_KEY; import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY; import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY; -import static org.elasticsearch.xpack.security.authc.ApiKeyServiceTests.Utils.createApiKeyAuthentication; import static org.hamcrest.Matchers.aMapWithSize; import static org.hamcrest.Matchers.anyOf; import static org.hamcrest.Matchers.arrayContaining; @@ -189,7 +184,6 @@ import static org.hamcrest.Matchers.sameInstance; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyCollection; -import static org.mockito.ArgumentMatchers.anyMap; import static org.mockito.ArgumentMatchers.anySet; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.ArgumentMatchers.eq; 
@@ -2627,193 +2621,6 @@ public void testGetRolesForSystemUserThrowsException() { assertEquals("the internal user [_system] should never have its roles resolved", iae.getMessage()); } - public void testApiKeyAuthUsesApiKeyService() throws Exception { - final FileRolesStore fileRolesStore = mock(FileRolesStore.class); - doCallRealMethod().when(fileRolesStore).accept(anySet(), anyActionListener()); - final NativeRolesStore nativeRolesStore = mock(NativeRolesStore.class); - doCallRealMethod().when(nativeRolesStore).accept(anySet(), anyActionListener()); - when(fileRolesStore.roleDescriptors(anySet())).thenReturn(Collections.emptySet()); - doAnswer((invocationOnMock) -> { - @SuppressWarnings("unchecked") - ActionListener callback = (ActionListener) invocationOnMock.getArguments()[1]; - callback.onResponse(RoleRetrievalResult.failure(new RuntimeException("intentionally failed!"))); - return null; - }).when(nativeRolesStore).getRoleDescriptors(isASet(), anyActionListener()); - final ReservedRolesStore reservedRolesStore = spy(new ReservedRolesStore()); - ThreadContext threadContext = new ThreadContext(SECURITY_ENABLED_SETTINGS); - final ClusterService clusterService = mock(ClusterService.class); - when(clusterService.getClusterSettings()).thenReturn( - new ClusterSettings(SECURITY_ENABLED_SETTINGS, Set.of(ApiKeyService.DELETE_RETENTION_PERIOD, ApiKeyService.DELETE_INTERVAL)) - ); - ApiKeyService apiKeyService = spy( - new ApiKeyService( - SECURITY_ENABLED_SETTINGS, - Clock.systemUTC(), - mock(Client.class), - mock(SecurityIndexManager.class), - clusterService, - mock(CacheInvalidatorRegistry.class), - mock(ThreadPool.class), - MeterRegistry.NOOP, - mock(FeatureService.class) - ) - ); - NativePrivilegeStore nativePrivStore = mock(NativePrivilegeStore.class); - doAnswer(invocationOnMock -> { - @SuppressWarnings("unchecked") - ActionListener> listener = (ActionListener< - Collection>) invocationOnMock.getArguments()[3]; - listener.onResponse(Collections.emptyList()); - 
return Void.TYPE; - }).when(nativePrivStore).getPrivileges(anyCollection(), anyCollection(), eq(false), anyActionListener()); - - final AtomicReference> effectiveRoleDescriptors = new AtomicReference>(); - final CompositeRolesStore compositeRolesStore = buildCompositeRolesStore( - SECURITY_ENABLED_SETTINGS, - fileRolesStore, - nativeRolesStore, - reservedRolesStore, - nativePrivStore, - null, - apiKeyService, - null, - null, - rds -> effectiveRoleDescriptors.set(rds) - ); - AuditUtil.getOrGenerateRequestId(threadContext); - final TransportVersion version = randomFrom( - TransportVersion.current(), - TransportVersionUtils.randomVersionBetween(random(), TransportVersions.V_7_0_0, TransportVersions.V_7_8_1) - ); - final Authentication authentication = createApiKeyAuthentication( - apiKeyService, - randomValueOtherThanMany( - authc -> authc.getAuthenticationType() == AuthenticationType.API_KEY, - () -> AuthenticationTestHelper.builder().build() - ), - Collections.singleton(new RoleDescriptor("user_role_" + randomAlphaOfLength(4), new String[] { "manage" }, null, null)), - null, - version - ); - - PlainActionFuture roleFuture = new PlainActionFuture<>(); - compositeRolesStore.getRole(authentication.getEffectiveSubject(), roleFuture); - Role role = roleFuture.actionGet(); - assertThat(effectiveRoleDescriptors.get(), is(nullValue())); - - if (version == TransportVersion.current()) { - verify(apiKeyService, times(1)).parseRoleDescriptorsBytes(anyString(), any(BytesReference.class), any()); - } else { - verify(apiKeyService, times(1)).parseRoleDescriptors(anyString(), anyMap(), any()); - } - assertThat(role.names().length, is(1)); - assertThat(role.names()[0], containsString("user_role_")); - } - - @SuppressWarnings("unchecked") - public void testApiKeyAuthUsesApiKeyServiceWithScopedRole() throws Exception { - final FileRolesStore fileRolesStore = mock(FileRolesStore.class); - doCallRealMethod().when(fileRolesStore).accept(anySet(), anyActionListener()); - final 
NativeRolesStore nativeRolesStore = mock(NativeRolesStore.class); - doCallRealMethod().when(nativeRolesStore).accept(anySet(), anyActionListener()); - when(fileRolesStore.roleDescriptors(anySet())).thenReturn(Collections.emptySet()); - doAnswer((invocationOnMock) -> { - @SuppressWarnings("unchecked") - ActionListener callback = (ActionListener) invocationOnMock.getArguments()[1]; - callback.onResponse(RoleRetrievalResult.failure(new RuntimeException("intentionally failed!"))); - return null; - }).when(nativeRolesStore).getRoleDescriptors(isASet(), anyActionListener()); - final ReservedRolesStore reservedRolesStore = spy(new ReservedRolesStore()); - ThreadContext threadContext = new ThreadContext(SECURITY_ENABLED_SETTINGS); - - final ClusterService clusterService = mock(ClusterService.class); - when(clusterService.getClusterSettings()).thenReturn( - new ClusterSettings(SECURITY_ENABLED_SETTINGS, Set.of(ApiKeyService.DELETE_RETENTION_PERIOD, ApiKeyService.DELETE_INTERVAL)) - ); - ApiKeyService apiKeyService = spy( - new ApiKeyService( - SECURITY_ENABLED_SETTINGS, - Clock.systemUTC(), - mock(Client.class), - mock(SecurityIndexManager.class), - clusterService, - mock(CacheInvalidatorRegistry.class), - mock(ThreadPool.class), - MeterRegistry.NOOP, - mock(FeatureService.class) - ) - ); - NativePrivilegeStore nativePrivStore = mock(NativePrivilegeStore.class); - doAnswer(invocationOnMock -> { - @SuppressWarnings("unchecked") - ActionListener> listener = (ActionListener< - Collection>) invocationOnMock.getArguments()[3]; - listener.onResponse(Collections.emptyList()); - return Void.TYPE; - }).when(nativePrivStore).getPrivileges(anyCollection(), anyCollection(), eq(false), anyActionListener()); - - final AtomicReference> effectiveRoleDescriptors = new AtomicReference>(); - final CompositeRolesStore compositeRolesStore = buildCompositeRolesStore( - SECURITY_ENABLED_SETTINGS, - fileRolesStore, - nativeRolesStore, - reservedRolesStore, - nativePrivStore, - null, - 
apiKeyService, - null, - null, - rds -> effectiveRoleDescriptors.set(rds) - ); - AuditUtil.getOrGenerateRequestId(threadContext); - final TransportVersion version = randomFrom( - TransportVersion.current(), - TransportVersionUtils.randomVersionBetween(random(), TransportVersions.V_7_0_0, TransportVersions.V_7_8_1) - ); - final Authentication authentication = createApiKeyAuthentication( - apiKeyService, - randomValueOtherThanMany( - authc -> authc.getAuthenticationType() == AuthenticationType.API_KEY, - () -> AuthenticationTestHelper.builder().build() - ), - Collections.singleton(new RoleDescriptor("user_role_" + randomAlphaOfLength(4), new String[] { "manage" }, null, null)), - Collections.singletonList(new RoleDescriptor("key_role_" + randomAlphaOfLength(8), new String[] { "monitor" }, null, null)), - version - ); - final String apiKeyId = (String) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_ID_KEY); - - PlainActionFuture roleFuture = new PlainActionFuture<>(); - compositeRolesStore.getRole(authentication.getEffectiveSubject(), roleFuture); - Role role = roleFuture.actionGet(); - assertThat(role.checkClusterAction("cluster:admin/foo", new EmptyRequest(), AuthenticationTestHelper.builder().build()), is(false)); - assertThat(effectiveRoleDescriptors.get(), is(nullValue())); - if (version == TransportVersion.current()) { - verify(apiKeyService).parseRoleDescriptorsBytes( - apiKeyId, - (BytesReference) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_ROLE_DESCRIPTORS_KEY), - RoleReference.ApiKeyRoleType.ASSIGNED - ); - verify(apiKeyService).parseRoleDescriptorsBytes( - apiKeyId, - (BytesReference) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), - RoleReference.ApiKeyRoleType.LIMITED_BY - ); - } else { - verify(apiKeyService).parseRoleDescriptors( - apiKeyId, - (Map) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_ROLE_DESCRIPTORS_KEY), - 
RoleReference.ApiKeyRoleType.ASSIGNED - ); - verify(apiKeyService).parseRoleDescriptors( - apiKeyId, - (Map) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), - RoleReference.ApiKeyRoleType.LIMITED_BY - ); - } - assertThat(role.names().length, is(1)); - assertThat(role.names()[0], containsString("user_role_")); - } - public void testGetRoleForCrossClusterAccessAuthentication() throws Exception { final FileRolesStore fileRolesStore = mock(FileRolesStore.class); doCallRealMethod().when(fileRolesStore).accept(anySet(), anyActionListener());