Security test workflow only run security behavior tests (#1459)

bowenlan-amzn · web-flow · commit f12e05510934 · 2025-08-08T08:52:58.000+08:00
diff --git a/.github/workflows/security-test-workflow.yml b/.github/workflows/security-test-workflow.yml
@@ -45,7 +45,7 @@ jobs:
       - name: Run integration tests
         run: | 
           chown -R 1000:1000 `pwd`
-          su `id -un 1000` -c "./gradlew integTest -Dsecurity=true -Dhttps=true --tests '*IT'"
+          su `id -un 1000` -c "./gradlew integTest -Dsecurity=true -Dhttps=true --tests '*SecurityBehaviorIT'"
       - name: Upload failed logs
         uses: actions/upload-artifact@v4
         if: failure()
diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md
@@ -6,6 +6,7 @@
     - [Build](#build)
         - [Building from the command line](#building-from-the-command-line)
         - [Code Coverage](#code-coverage)
+        - [Security Behavior Tests](#security-behavior-tests)
         - [Debugging](#debugging)
     - [Using IntelliJ IDEA](#using-intellij-idea)
     - [Submitting Changes](#submitting-changes)
@@ -61,6 +62,7 @@ However, to build the `index management` plugin project, we also use the OpenSea
 10. `./gradlew indexmanagementBwcCluster#fullRestartClusterTask -Dtests.security.manager=false` launches a cluster with three nodes of bwc version of OpenSearch with index management and tests backwards compatibility by performing a full restart on the cluster upgrading all the nodes with the current version of OpenSearch with index management.
 11. `./gradlew bwcTestSuite -Dtests.security.manager=false` runs all the above bwc tests combined.
 12. `./gradlew integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="docker-cluster" -Dhttps=true -Duser=admin -Dpassword=admin` launches integration tests against a local cluster and run tests with security
+13. `./gradlew integTest -Dsecurity=true -Dhttps=true --tests '*SecurityBehaviorIT'` runs all security behavior tests with security enabled
 
 When launching a cluster using one of the above commands, logs are placed in `build/testclusters/integTest-0/logs`. Though the logs are teed to the console, in practices it's best to check the actual log file.
 
@@ -89,6 +91,66 @@ After running with coverage enabled, reports are generated in:
 - **HTML Report**: `build/reports/jacoco/test/html/index.html` (human readable)
 - **XML Report**: `build/reports/jacoco/test/jacocoTestReport.xml` (for tools like Codecov)
 
+### Security Behavior Tests
+
+Security behavior tests ensure that the Index Management plugin properly enforces access controls and permissions. These tests validate that users can only perform operations they are authorized for and receive appropriate error responses when access is denied.
+
+#### Overview
+
+Security behavior tests extend the `SecurityRestTestCase` base class and test various permission scenarios:
+- API endpoint permission enforcement
+- Policy based authentication and authorization
+
+#### Running Security Tests
+
+Security tests require additional flags and must be run against a cluster with security enabled:
+
+```bash
+# Run all security behavior tests
+./gradlew integTest -Dsecurity=true -Dhttps=true --tests '*SecurityBehaviorIT'
+
+# Run a specific security test class
+./gradlew integTest -Dsecurity=true -Dhttps=true --tests '*PolicySecurityBehaviorIT'
+
+# Run security tests against a remote cluster with authentication
+./gradlew integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="docker-cluster" -Dhttps=true -Duser=admin -Dpassword=admin
+```
+
+#### Writing New Security Tests
+
+When adding new security tests, follow these guidelines:
+
+1. **Extend SecurityRestTestCase**: All security tests should extend this base class
+2. **Test both success and failure scenarios**: Verify authorized access works and unauthorized access is properly denied
+3. **Use appropriate HTTP status codes**: Expect 401 (Unauthorized) or 403 (Forbidden) for denied access
+4. **Test role-based permissions**: Create users with specific roles and test their access levels
+5. **Include cleanup**: Ensure users and roles created during tests are properly cleaned up
+
+Example test structure:
+```kotlin
+@TestLogging("level:DEBUG", reason = "Debug for tests.")
+class MyFeatureSecurityBehaviorIT : SecurityRestTestCase() {
+    
+    @Before
+    fun setupUsersAndRoles() {
+        // Create test users and roles
+    }
+    
+    @After  
+    fun cleanup() {
+        // Clean up test users and roles
+    }
+    
+    fun testAuthorizedAccess() {
+        // Test that authorized users can perform operations
+    }
+    
+    fun testUnauthorizedAccess() {
+        // Test that unauthorized users receive proper error responses
+    }
+}
+```
+
 ### Debugging
 
 Sometimes it is useful to attach a debugger to either the OpenSearch cluster or the integ tests to see what's going on. When running unit tests, hit **Debug** from the IDE's gutter to debug the tests.  For the OpenSearch cluster or the integ tests, first, make sure start a debugger listening on port `5005`.
diff --git a/src/test/kotlin/org/opensearch/indexmanagement/security/IndexStateManagementSecurityBehaviorIT.kt b/src/test/kotlin/org/opensearch/indexmanagement/security/IndexStateManagementSecurityBehaviorIT.kt
@@ -1,21 +1,32 @@
 /*
+ * Copyright OpenSearch Contributors
  * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
  */
 
-package org.opensearch.indexmanagement
+package org.opensearch.indexmanagement.security
 
 import org.junit.After
 import org.junit.Before
 import org.opensearch.client.RestClient
 import org.opensearch.commons.rest.SecureRestClientBuilder
 import org.opensearch.core.rest.RestStatus
+import org.opensearch.indexmanagement.ADD_POLICY
+import org.opensearch.indexmanagement.BULK_WRITE_INDEX
+import org.opensearch.indexmanagement.CREATE_INDEX
+import org.opensearch.indexmanagement.DELETE_POLICY
+import org.opensearch.indexmanagement.EXPLAIN_INDEX
+import org.opensearch.indexmanagement.EXPLAIN_ROLLUP
+import org.opensearch.indexmanagement.GET_INDEX_MAPPING
+import org.opensearch.indexmanagement.GET_POLICIES
+import org.opensearch.indexmanagement.GET_POLICY
+import org.opensearch.indexmanagement.GET_ROLLUP
+import org.opensearch.indexmanagement.INDEX_ROLLUP
+import org.opensearch.indexmanagement.MANAGED_INDEX
+import org.opensearch.indexmanagement.PUT_INDEX_MAPPING
+import org.opensearch.indexmanagement.SEARCH_INDEX
+import org.opensearch.indexmanagement.UPDATE_ROLLUP
+import org.opensearch.indexmanagement.WRITE_INDEX
+import org.opensearch.indexmanagement.WRITE_POLICY
 import org.opensearch.indexmanagement.common.model.dimension.DateHistogram
 import org.opensearch.indexmanagement.common.model.dimension.Terms
 import org.opensearch.indexmanagement.indexstatemanagement.action.RollupAction
@@ -26,6 +37,7 @@ import org.opensearch.indexmanagement.indexstatemanagement.randomErrorNotificati
 import org.opensearch.indexmanagement.indexstatemanagement.settings.ManagedIndexSettings
 import org.opensearch.indexmanagement.indexstatemanagement.step.rollup.AttemptCreateRollupJobStep
 import org.opensearch.indexmanagement.indexstatemanagement.step.rollup.WaitForRollupCompletionStep
+import org.opensearch.indexmanagement.makeRequest
 import org.opensearch.indexmanagement.rollup.model.ISMRollup
 import org.opensearch.indexmanagement.rollup.model.RollupMetadata
 import org.opensearch.indexmanagement.rollup.model.RollupMetrics
@@ -34,6 +46,7 @@ import org.opensearch.indexmanagement.rollup.model.metric.Max
 import org.opensearch.indexmanagement.rollup.model.metric.Min
 import org.opensearch.indexmanagement.rollup.model.metric.Sum
 import org.opensearch.indexmanagement.rollup.model.metric.ValueCount
+import org.opensearch.indexmanagement.waitFor
 import org.opensearch.test.junit.annotations.TestLogging
 import java.time.Instant
 import java.time.temporal.ChronoUnit
@@ -53,7 +66,7 @@ class IndexStateManagementSecurityBehaviorIT : SecurityRestTestCase() {
 
     @Before
     fun setupUsersAndRoles() {
-        updateClusterSetting(ManagedIndexSettings.JITTER.key, "0.0", false)
+        updateClusterSetting(ManagedIndexSettings.Companion.JITTER.key, "0.0", false)
 
         val helpdeskClusterPermissions =
             listOf(
@@ -301,7 +314,7 @@ class IndexStateManagementSecurityBehaviorIT : SecurityRestTestCase() {
         updateManagedIndexConfigStartTime(managedIndexConfig)
         waitFor {
             assertEquals(
-                AttemptCreateRollupJobStep.getSuccessMessage(rollupId, indexName),
+                AttemptCreateRollupJobStep.Companion.getSuccessMessage(rollupId, indexName),
                 getExplainManagedIndexMetaData(indexName).info?.get("message"),
             )
         }
@@ -317,7 +330,7 @@ class IndexStateManagementSecurityBehaviorIT : SecurityRestTestCase() {
         updateManagedIndexConfigStartTime(managedIndexConfig)
         waitFor {
             assertEquals(
-                WaitForRollupCompletionStep.getJobCompletionMessage(rollupId, indexName),
+                WaitForRollupCompletionStep.Companion.getJobCompletionMessage(rollupId, indexName),
                 getExplainManagedIndexMetaData(indexName).info?.get("message"),
             )
         }
diff --git a/src/test/kotlin/org/opensearch/indexmanagement/security/LRONConfigSecurityBehaviorIT.kt b/src/test/kotlin/org/opensearch/indexmanagement/security/LRONConfigSecurityBehaviorIT.kt
@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package org.opensearch.indexmanagement.controlcenter.notification
+package org.opensearch.indexmanagement.security
 
 import org.junit.After
 import org.junit.Before
@@ -15,7 +15,12 @@ import org.opensearch.indexmanagement.DELETE_LRON_CONFIG
 import org.opensearch.indexmanagement.GET_LRON_CONFIG
 import org.opensearch.indexmanagement.INDEX_LRON_CONFIG
 import org.opensearch.indexmanagement.IndexManagementPlugin
-import org.opensearch.indexmanagement.SecurityRestTestCase
+import org.opensearch.indexmanagement.controlcenter.notification.getResourceURI
+import org.opensearch.indexmanagement.controlcenter.notification.initNodeIdsInRestIT
+import org.opensearch.indexmanagement.controlcenter.notification.nodeIdsInRestIT
+import org.opensearch.indexmanagement.controlcenter.notification.randomLRONConfig
+import org.opensearch.indexmanagement.controlcenter.notification.randomTaskId
+import org.opensearch.indexmanagement.controlcenter.notification.toJsonString
 
 @Suppress("UNCHECKED_CAST")
 class LRONConfigSecurityBehaviorIT : SecurityRestTestCase() {
@@ -65,12 +70,12 @@ class LRONConfigSecurityBehaviorIT : SecurityRestTestCase() {
         testUserClient?.close()
         deleteUser(testUser)
         deleteRole(testRole)
-        deleteIndexByName(IndexManagementPlugin.CONTROL_CENTER_INDEX)
+        deleteIndexByName(IndexManagementPlugin.Companion.CONTROL_CENTER_INDEX)
     }
 
     fun `test index LRONConfig with security using POST`() {
         // super user
-        val request = Request("POST", IndexManagementPlugin.LRON_BASE_URI)
+        val request = Request("POST", IndexManagementPlugin.Companion.LRON_BASE_URI)
         request.setJsonEntity(randomLRONConfig(taskId = randomTaskId(nodeId = nodeIdsInRestIT.random())).toJsonString())
         executeRequest(request, RestStatus.OK, superUserClient!!)
         // test user
@@ -88,7 +93,7 @@ class LRONConfigSecurityBehaviorIT : SecurityRestTestCase() {
 
     fun `test index LRONConfig dry run with security using POST`() {
         // super user
-        val request = Request("POST", IndexManagementPlugin.LRON_BASE_URI)
+        val request = Request("POST", IndexManagementPlugin.Companion.LRON_BASE_URI)
         request.addParameter("dry_run", "true")
         request.setJsonEntity(randomLRONConfig(taskId = randomTaskId(nodeId = nodeIdsInRestIT.random())).toJsonString())
         executeRequest(request, RestStatus.OK, superUserClient!!)
@@ -107,7 +112,7 @@ class LRONConfigSecurityBehaviorIT : SecurityRestTestCase() {
     fun `test update LRONConfig with security using PUT`() {
         // super user
         val lronConfig = randomLRONConfig(taskId = randomTaskId(nodeId = nodeIdsInRestIT.random()))
-        val createRequest = Request("POST", IndexManagementPlugin.LRON_BASE_URI)
+        val createRequest = Request("POST", IndexManagementPlugin.Companion.LRON_BASE_URI)
         createRequest.setJsonEntity(lronConfig.toJsonString())
         executeRequest(createRequest, RestStatus.OK, superUserClient!!)
         val updateRequest = Request("PUT", getResourceURI(lronConfig.taskId, lronConfig.actionName))
@@ -129,7 +134,7 @@ class LRONConfigSecurityBehaviorIT : SecurityRestTestCase() {
     fun `test delete LRONConfig with security`() {
         // super user
         val lronConfig = randomLRONConfig(taskId = randomTaskId(nodeId = nodeIdsInRestIT.random()))
-        val createRequest = Request("POST", IndexManagementPlugin.LRON_BASE_URI)
+        val createRequest = Request("POST", IndexManagementPlugin.Companion.LRON_BASE_URI)
         createRequest.setJsonEntity(lronConfig.toJsonString())
         executeRequest(createRequest, RestStatus.OK, superUserClient!!)
         val deleteRequest = Request("DELETE", getResourceURI(lronConfig.taskId, lronConfig.actionName))
@@ -151,7 +156,7 @@ class LRONConfigSecurityBehaviorIT : SecurityRestTestCase() {
     fun `test get LRONConfig with security`() {
         // super user
         val lronConfig = randomLRONConfig(taskId = randomTaskId(nodeId = nodeIdsInRestIT.random()))
-        val createRequest = Request("POST", IndexManagementPlugin.LRON_BASE_URI)
+        val createRequest = Request("POST", IndexManagementPlugin.Companion.LRON_BASE_URI)
         createRequest.setJsonEntity(lronConfig.toJsonString())
         executeRequest(createRequest, RestStatus.OK, superUserClient!!)
         val getRequest = Request("GET", getResourceURI(lronConfig.taskId, lronConfig.actionName))
@@ -171,13 +176,13 @@ class LRONConfigSecurityBehaviorIT : SecurityRestTestCase() {
 
     fun `test get LRONConfigs with security`() {
         // super user
-        val createRequest = Request("POST", IndexManagementPlugin.LRON_BASE_URI)
+        val createRequest = Request("POST", IndexManagementPlugin.Companion.LRON_BASE_URI)
         randomList(1, 15) {
             createRequest.setJsonEntity(randomLRONConfig(taskId = randomTaskId(nodeId = nodeIdsInRestIT.random())).toJsonString())
             executeRequest(createRequest, RestStatus.OK, superUserClient!!).asMap()
         }
 
-        val getRequest = Request("GET", IndexManagementPlugin.LRON_BASE_URI)
+        val getRequest = Request("GET", IndexManagementPlugin.Companion.LRON_BASE_URI)
         executeRequest(getRequest, RestStatus.OK, superUserClient!!)
 
         // test user
diff --git a/src/test/kotlin/org/opensearch/indexmanagement/security/PolicySecurityBehaviorIT.kt b/src/test/kotlin/org/opensearch/indexmanagement/security/PolicySecurityBehaviorIT.kt
@@ -1,15 +1,9 @@
 /*
+ * Copyright OpenSearch Contributors
  * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
  */
 
-package org.opensearch.indexmanagement
+package org.opensearch.indexmanagement.security
 
 import org.junit.After
 import org.junit.Before
@@ -18,17 +12,25 @@ import org.opensearch.client.ResponseException
 import org.opensearch.client.RestClient
 import org.opensearch.commons.rest.SecureRestClientBuilder
 import org.opensearch.core.rest.RestStatus
-import org.opensearch.indexmanagement.IndexManagementPlugin.Companion.INDEX_MANAGEMENT_INDEX
+import org.opensearch.indexmanagement.BULK_WRITE_INDEX
+import org.opensearch.indexmanagement.CREATE_INDEX
+import org.opensearch.indexmanagement.GET_INDEX_MAPPING
+import org.opensearch.indexmanagement.IndexManagementPlugin
+import org.opensearch.indexmanagement.MANAGED_INDEX
+import org.opensearch.indexmanagement.PUT_INDEX_MAPPING
+import org.opensearch.indexmanagement.SEARCH_INDEX
+import org.opensearch.indexmanagement.WRITE_INDEX
 import org.opensearch.indexmanagement.indexstatemanagement.action.AliasAction
 import org.opensearch.indexmanagement.indexstatemanagement.model.Policy
 import org.opensearch.indexmanagement.indexstatemanagement.model.State
 import org.opensearch.indexmanagement.indexstatemanagement.randomErrorNotification
+import org.opensearch.indexmanagement.indexstatemanagement.settings.ManagedIndexSettings
 import org.opensearch.indexmanagement.indexstatemanagement.transport.action.addpolicy.AddPolicyAction
-import org.opensearch.test.OpenSearchTestCase
 import org.opensearch.test.junit.annotations.TestLogging
 import java.time.Instant
 import java.time.temporal.ChronoUnit
 import java.util.Locale
+import kotlin.collections.get
 
 @TestLogging("level:DEBUG", reason = "Debug for tests.")
 class PolicySecurityBehaviorIT : SecurityRestTestCase() {
@@ -42,11 +44,11 @@ class PolicySecurityBehaviorIT : SecurityRestTestCase() {
 
     @Before
     fun setupUsersAndRoles() {
-//        updateClusterSetting(ManagedIndexSettings.JITTER.key, "0.0", false)
+        updateClusterSetting(ManagedIndexSettings.Companion.JITTER.key, "0.0", false)
 
         val custerPermissions =
             listOf(
-                AddPolicyAction.NAME,
+                AddPolicyAction.Companion.NAME,
             )
 
         val indexPermissions =
@@ -75,12 +77,12 @@ class PolicySecurityBehaviorIT : SecurityRestTestCase() {
         deleteUser(ismUser)
         deleteRole(HELPDESK_ROLE)
 
-        deleteIndexByName("$INDEX_MANAGEMENT_INDEX")
+        deleteIndexByName("${IndexManagementPlugin.Companion.INDEX_MANAGEMENT_INDEX}")
     }
 
     fun `test add policy`() {
-        val notPermittedIndexPrefix = OpenSearchTestCase.randomAlphaOfLength(10).lowercase(Locale.getDefault())
-        val policyId = OpenSearchTestCase.randomAlphaOfLength(10)
+        val notPermittedIndexPrefix = randomAlphaOfLength(10).lowercase(Locale.getDefault())
+        val policyId = randomAlphaOfLength(10)
 
         val permittedindices = mutableListOf<String>()
         val notPermittedindices = mutableListOf<String>()
diff --git a/src/test/kotlin/org/opensearch/indexmanagement/security/RollupSecurityBehaviorIT.kt b/src/test/kotlin/org/opensearch/indexmanagement/security/RollupSecurityBehaviorIT.kt
@@ -1,21 +1,27 @@
 /*
+ * Copyright OpenSearch Contributors
  * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
  */
 
-package org.opensearch.indexmanagement
+package org.opensearch.indexmanagement.security
 
 import org.junit.After
 import org.junit.Before
 import org.opensearch.client.RestClient
 import org.opensearch.commons.rest.SecureRestClientBuilder
 import org.opensearch.core.rest.RestStatus
+import org.opensearch.indexmanagement.BULK_WRITE_INDEX
+import org.opensearch.indexmanagement.CREATE_INDEX
+import org.opensearch.indexmanagement.DELETE_ROLLUP
+import org.opensearch.indexmanagement.EXPLAIN_ROLLUP
+import org.opensearch.indexmanagement.GET_INDEX_MAPPING
+import org.opensearch.indexmanagement.GET_ROLLUP
+import org.opensearch.indexmanagement.INDEX_ROLLUP
+import org.opensearch.indexmanagement.MANAGED_INDEX
+import org.opensearch.indexmanagement.PUT_INDEX_MAPPING
+import org.opensearch.indexmanagement.SEARCH_INDEX
+import org.opensearch.indexmanagement.UPDATE_ROLLUP
+import org.opensearch.indexmanagement.WRITE_INDEX
 import org.opensearch.indexmanagement.common.model.dimension.DateHistogram
 import org.opensearch.indexmanagement.indexstatemanagement.settings.ManagedIndexSettings
 import org.opensearch.indexmanagement.rollup.model.Rollup
@@ -27,6 +33,7 @@ import org.opensearch.indexmanagement.rollup.model.metric.Min
 import org.opensearch.indexmanagement.rollup.model.metric.Sum
 import org.opensearch.indexmanagement.rollup.model.metric.ValueCount
 import org.opensearch.indexmanagement.rollup.randomRollup
+import org.opensearch.indexmanagement.waitFor
 import org.opensearch.jobscheduler.spi.schedule.IntervalSchedule
 import org.opensearch.test.junit.annotations.TestLogging
 import java.time.Instant
@@ -45,7 +52,7 @@ class RollupSecurityBehaviorIT : SecurityRestTestCase() {
 
     @Before
     fun setupUsersAndRoles() {
-        updateClusterSetting(ManagedIndexSettings.JITTER.key, "0.0", false)
+        updateClusterSetting(ManagedIndexSettings.Companion.JITTER.key, "0.0", false)
 
         // Init super transform user
         val helpdeskClusterPermissions =
diff --git a/src/test/kotlin/org/opensearch/indexmanagement/security/SecurityBehaviorIT.kt b/src/test/kotlin/org/opensearch/indexmanagement/security/SecurityBehaviorIT.kt
diff --git a/src/test/kotlin/org/opensearch/indexmanagement/security/SecurityRestTestCase.kt b/src/test/kotlin/org/opensearch/indexmanagement/security/SecurityRestTestCase.kt
diff --git a/src/test/kotlin/org/opensearch/indexmanagement/security/TransformSecurityBehaviorIT.kt b/src/test/kotlin/org/opensearch/indexmanagement/security/TransformSecurityBehaviorIT.kt
