Moved user.indexMatcher() to user.reference()

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/int_tests/DataStreamAuthorizationReadOnlyIntTests.java

@@ -30,14 +30,15 @@
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.matcher.RestIndexMatchers;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.cluster.TestRestClient.json;
-import static org.opensearch.test.framework.matcher.IndexApiResponseMatchers.OnResponseIndexMatcher.containsExactly;
-import static org.opensearch.test.framework.matcher.IndexApiResponseMatchers.OnUserIndexMatcher.limitedTo;
-import static org.opensearch.test.framework.matcher.IndexApiResponseMatchers.OnUserIndexMatcher.limitedToNone;
-import static org.opensearch.test.framework.matcher.IndexApiResponseMatchers.OnUserIndexMatcher.unlimitedIncludingOpenSearchSecurityIndex;
+import static org.opensearch.test.framework.matcher.RestIndexMatchers.OnResponseIndexMatcher.containsExactly;
+import static org.opensearch.test.framework.matcher.RestIndexMatchers.OnUserIndexMatcher.limitedTo;
+import static org.opensearch.test.framework.matcher.RestIndexMatchers.OnUserIndexMatcher.limitedToNone;
+import static org.opensearch.test.framework.matcher.RestIndexMatchers.OnUserIndexMatcher.unlimitedIncludingOpenSearchSecurityIndex;
 import static org.opensearch.test.framework.matcher.RestMatchers.isForbidden;
 import static org.opensearch.test.framework.matcher.RestMatchers.isOk;
 
@@ -65,6 +66,23 @@ public class SnapshotAuthorizationIntTests {
     static final TestIndex index_bwx1 = TestIndex.name("index_bwx1").documentCount(10).seed(13).build(); // not initially created
     static final TestIndex index_bwx2 = TestIndex.name("index_bwx2").documentCount(10).seed(14).build(); // not initially created
 
+    /**
+     * This key identifies assertion reference data for index search/read permissions of individual users.
+     */
+    static final TestSecurityConfig.User.MetadataKey<RestIndexMatchers.IndexMatcher> READ = new TestSecurityConfig.User.MetadataKey<>(
+        "read",
+        RestIndexMatchers.IndexMatcher.class
+    );
+
+    /**
+     * This key identifies assertion reference data for index write permissions of individual users. This does
+     * not include index creation permissions.
+     */
+    static final TestSecurityConfig.User.MetadataKey<RestIndexMatchers.IndexMatcher> WRITE = new TestSecurityConfig.User.MetadataKey<>(
+        "write",
+        RestIndexMatchers.IndexMatcher.class
+    );
+
     static TestSecurityConfig.User LIMITED_USER_A = new TestSecurityConfig.User("limited_user_A")//
         .description("index_a*")//
         .roles(
@@ -75,8 +93,8 @@ public class SnapshotAuthorizationIntTests {
                 .indexPermissions("write", "manage")
                 .on("index_aw*")
         )//
-        .indexMatcher("read", limitedTo(index_a1, index_a2, index_awx1, index_awx2))//
-        .indexMatcher("write", limitedTo(index_awx1, index_awx2));
+        .reference(READ, limitedTo(index_a1, index_a2, index_awx1, index_awx2))//
+        .reference(WRITE, limitedTo(index_awx1, index_awx2));
 
     static TestSecurityConfig.User LIMITED_USER_B = new TestSecurityConfig.User("limited_user_B")//
         .description("index_b*")//
@@ -88,8 +106,8 @@ public class SnapshotAuthorizationIntTests {
                 .indexPermissions("write", "manage")
                 .on("index_bw*")
         )//
-        .indexMatcher("read", limitedTo(index_b1, index_b2, index_bwx1, index_bwx2))//
-        .indexMatcher("write", limitedTo(index_bwx1, index_bwx2));
+        .reference(READ, limitedTo(index_b1, index_b2, index_bwx1, index_bwx2))//
+        .reference(WRITE, limitedTo(index_bwx1, index_bwx2));
 
     static TestSecurityConfig.User LIMITED_USER_B_SYSTEM_INDEX = new TestSecurityConfig.User("limited_user_B_system_index")//
         .description("index_b*, .system_index_plugin")//
@@ -106,8 +124,8 @@ public class SnapshotAuthorizationIntTests {
                 .on(".system_index_plugin_not_existing")
 
         )//
-        .indexMatcher("read", limitedTo(index_b1, index_b2, index_bwx1, index_bwx2))//
-        .indexMatcher("write", limitedTo(index_bwx1, index_bwx2, system_index_plugin_not_existing));
+        .reference(READ, limitedTo(index_b1, index_b2, index_bwx1, index_bwx2))//
+        .reference(WRITE, limitedTo(index_bwx1, index_bwx2, system_index_plugin_not_existing));
 
     static TestSecurityConfig.User LIMITED_USER_AB = new TestSecurityConfig.User("limited_user_AB")//
         .description("index_a*, index_b*")//
@@ -119,17 +137,17 @@ public class SnapshotAuthorizationIntTests {
                 .indexPermissions("write", "manage")
                 .on("index_aw*", "index_bw*")
         )//
-        .indexMatcher("read", limitedTo(index_a1, index_a2, index_awx1, index_awx2, index_b1, index_b2, index_bwx1, index_bwx2))//
-        .indexMatcher("write", limitedTo(index_awx1, index_awx2, index_bwx1, index_bwx2));
+        .reference(READ, limitedTo(index_a1, index_a2, index_awx1, index_awx2, index_b1, index_b2, index_bwx1, index_bwx2))//
+        .reference(WRITE, limitedTo(index_awx1, index_awx2, index_bwx1, index_bwx2));
 
     static final TestSecurityConfig.User LIMITED_USER_NONE = new TestSecurityConfig.User("limited_user_none")//
         .description("no index privileges")//
         .roles(
             new TestSecurityConfig.Role("r1")//
                 .clusterPermissions("cluster_composite_ops_ro", "cluster_monitor")
         )//
-        .indexMatcher("read", limitedToNone())//
-        .indexMatcher("write", limitedToNone());
+        .reference(READ, limitedToNone())//
+        .reference(WRITE, limitedToNone());
 
     static final TestSecurityConfig.User UNLIMITED_USER = new TestSecurityConfig.User("unlimited_user")//
         .description("unlimited")//
@@ -140,12 +158,12 @@ public class SnapshotAuthorizationIntTests {
                 .on("*")//
 
         )//
-        .indexMatcher(
-            "read",
+        .reference(
+            READ,
             limitedTo(index_a1, index_a2, index_a3, index_awx1, index_awx2, index_b1, index_b2, index_b3, index_bwx1, index_bwx2)
         )//
-        .indexMatcher(
-            "write",
+        .reference(
+            WRITE,
             limitedTo(index_a1, index_a2, index_a3, index_awx1, index_awx2, index_b1, index_b2, index_b3, index_bwx1, index_bwx2)
         );
 
@@ -156,8 +174,8 @@ public class SnapshotAuthorizationIntTests {
     static final TestSecurityConfig.User SUPER_UNLIMITED_USER = new TestSecurityConfig.User("super_unlimited_user")//
         .description("super unlimited (admin cert)")//
         .adminCertUser()//
-        .indexMatcher("read", unlimitedIncludingOpenSearchSecurityIndex())//
-        .indexMatcher("write", unlimitedIncludingOpenSearchSecurityIndex());
+        .reference(READ, unlimitedIncludingOpenSearchSecurityIndex())//
+        .reference(WRITE, unlimitedIncludingOpenSearchSecurityIndex());
 
     static final List<TestSecurityConfig.User> USERS = ImmutableList.of(
         LIMITED_USER_A,
@@ -201,10 +219,7 @@ public void restore_singleIndex() throws Exception {
                 "_snapshot/test_repository/single_index_snapshot/_restore?wait_for_completion=true"
             );
 
-            assertThat(
-                httpResponse,
-                containsExactly(index_awx1).at("snapshot.indices").butForbiddenIfIncomplete(user.indexMatcher("write"))
-            );
+            assertThat(httpResponse, containsExactly(index_awx1).at("snapshot.indices").butForbiddenIfIncomplete(user.reference(WRITE)));
 
         } finally {
             delete("_snapshot/test_repository/single_index_snapshot");
@@ -223,10 +238,7 @@ public void restore_singleIndex_rename1() throws Exception {
                 json("rename_pattern", "index_(.+)x1", "rename_replacement", "index_$1x2")
             );
 
-            assertThat(
-                httpResponse,
-                containsExactly(index_awx2).at("snapshot.indices").butForbiddenIfIncomplete(user.indexMatcher("write"))
-            );
+            assertThat(httpResponse, containsExactly(index_awx2).at("snapshot.indices").butForbiddenIfIncomplete(user.reference(WRITE)));
 
         } finally {
             delete("_snapshot/test_repository/single_index_snapshot");
@@ -245,10 +257,7 @@ public void restore_singleIndex_rename2() throws Exception {
                 json("rename_pattern", "index_a(.*)", "rename_replacement", "index_b$1")
             );
 
-            assertThat(
-                httpResponse,
-                containsExactly(index_bwx1).at("snapshot.indices").butForbiddenIfIncomplete(user.indexMatcher("write"))
-            );
+            assertThat(httpResponse, containsExactly(index_bwx1).at("snapshot.indices").butForbiddenIfIncomplete(user.reference(WRITE)));
 
         } finally {
             delete("_snapshot/test_repository/single_index_snapshot");
@@ -270,8 +279,7 @@ public void restore_singleIndex_renameToSystemIndex() throws Exception {
             if (clusterConfig.systemIndexPrivilegeEnabled || user == SUPER_UNLIMITED_USER) {
                 assertThat(
                     httpResponse,
-                    containsExactly(system_index_plugin_not_existing).at("snapshot.indices")
-                        .butForbiddenIfIncomplete(user.indexMatcher("write"))
+                    containsExactly(system_index_plugin_not_existing).at("snapshot.indices").butForbiddenIfIncomplete(user.reference(WRITE))
                 );
             } else {
                 assertThat(httpResponse, isForbidden());
@@ -295,10 +303,7 @@ public void restore_singleIndexFromAllIndices() throws Exception {
                 json("indices", "index_awx1")
             );
 
-            assertThat(
-                httpResponse,
-                containsExactly(index_awx1).at("snapshot.indices").butForbiddenIfIncomplete(user.indexMatcher("write"))
-            );
+            assertThat(httpResponse, containsExactly(index_awx1).at("snapshot.indices").butForbiddenIfIncomplete(user.reference(WRITE)));
 
         } finally {
             delete("_snapshot/test_repository/all_index_snapshot");

src/integrationTest/java/org/opensearch/security/privileges/int_tests/DataStreamAuthorizationReadWriteIntTests.java

@@ -95,6 +95,11 @@ public Builder rolloverAfter(int rolloverAfter) {
             return this;
         }
 
+        public Builder segmentCount(int segmentCount) {
+            testDataBuilder.segmentCount(segmentCount);
+            return this;
+        }
+
         public TestDataStream build() {
             if (testData == null) {
                 testData = testDataBuilder.get();

src/integrationTest/java/org/opensearch/security/privileges/int_tests/IndexAuthorizationReadOnlyIntTests.java

@@ -107,7 +107,7 @@ public Builder setting(String name, int value) {
         }
 
         public Builder shards(int value) {
-            settings.put("index.number_of_shards", 5);
+            settings.put("index.number_of_shards", value);
             return this;
         }
 

src/integrationTest/java/org/opensearch/security/privileges/int_tests/IndexAuthorizationReadWriteIntTests.java

@@ -72,7 +72,7 @@
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.cluster.OpenSearchClientProvider.UserCredentialsHolder;
-import org.opensearch.test.framework.matcher.IndexApiResponseMatchers;
+import org.opensearch.test.framework.matcher.RestIndexMatchers;
 import org.opensearch.transport.client.Client;
 
 import static org.apache.http.HttpHeaders.AUTHORIZATION;
@@ -459,7 +459,7 @@ public static final class User implements UserCredentialsHolder, ToXContentObjec
         String requestedTenant;
         private Map<String, String> attributes = new HashMap<>();
         private Map<MetadataKey<?>, Object> matchers = new HashMap<>();
-        private Map<String, IndexApiResponseMatchers.IndexMatcher> indexMatchers = new HashMap<>();
+        private Map<String, RestIndexMatchers.IndexMatcher> indexMatchers = new HashMap<>();
         private boolean adminCertUser = false;
 
         private Boolean hidden = null;
@@ -514,25 +514,6 @@ public User attr(String key, String value) {
             return this;
         }
 
-        /**
-         * Associates an IndexMatcher with this test user. The IndexMatcher can be later used as a test oracle.
-         * See IndexAuthorizationReadOnlyIntTests for examples.
-         */
-        public User indexMatcher(String key, IndexApiResponseMatchers.IndexMatcher indexMatcher) {
-            this.indexMatchers.put(key, indexMatcher);
-            return this;
-        }
-
-        public IndexApiResponseMatchers.IndexMatcher indexMatcher(String key) {
-            IndexApiResponseMatchers.IndexMatcher result = this.indexMatchers.get(key);
-
-            if (result != null) {
-                return result;
-            } else {
-                throw new RuntimeException("Unknown index matcher " + key + " in user " + this.name);
-            }
-        }
-
         public User hash(String hash) {
             this.hash = hash;
             return this;
@@ -586,7 +567,7 @@ public <T> T reference(MetadataKey<T> key) {
             if (result != null) {
                 return key.type.cast(result);
             } else {
-                return null;
+                throw new RuntimeException("Unknown reference " + key + " in user " + this.name);
             }
         }
 

src/integrationTest/java/org/opensearch/security/privileges/int_tests/SnapshotAuthorizationIntTests.java

@@ -50,7 +50,7 @@
  *     <li>The results of REST API calls can be also associated with a maximum space of indices the operation could work on. Combined with the user specific index matcher, one can determine the intersection of the allowed indices and thus the indices that are allowed in the particular case. The matchers support JSON path expressions to extract information on indices from the HTTP response bodies. See IndexAuthorizationReadOnlyIntTests for examples.</li>
  * </ul>
  */
-public class IndexApiResponseMatchers {
+public class RestIndexMatchers {
 
     /**
      * Matchers that are directly used on HTTP responses