Tests

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/int_tests/IndexAuthorizationReadOnlyIntTests.java

@@ -68,6 +68,8 @@
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
 public class IndexAuthorizationReadOnlyIntTests {
 
+    // TODO pit_segments
+
     static final TestIndex index_a1 = TestIndex.name("index_a1").documentCount(100).seed(1).build();
     static final TestIndex index_a2 = TestIndex.name("index_a2").documentCount(110).seed(2).build();
     static final TestIndex index_a3 = TestIndex.name("index_a3").documentCount(120).seed(3).build();

src/integrationTest/java/org/opensearch/security/privileges/int_tests/IndexAuthorizationReadWriteIntTests.java

@@ -199,21 +199,21 @@ public class IndexAuthorizationReadWriteIntTests {
     static TestSecurityConfig.User LIMITED_USER_B_HIDDEN_MANAGE_INDEX_ALIAS = new TestSecurityConfig.User(
         "limited_user_B_hidden_manage_index_alias"
     )//
-        .description("index_b*, index_hidden*, alias_bwx* with manage privs")//
+        .description("index_b*, index_hidden*, alias_bwx* with manage privs, index_a* read only")//
         .roles(
             //
             new Role("r1")//
                 .clusterPermissions("cluster_composite_ops", "cluster_monitor")//
                 .indexPermissions("read", "indices_monitor", "indices:admin/refresh*")
-                .on("index_b*", "index_hidden*")//
+                .on("index_a*", "index_b*", "index_hidden*")//
                 .indexPermissions("write")
                 .on("index_bw*", "index_hidden*")//
                 .indexPermissions("manage")
                 .on("index_bw*", "index_hidden*")//
                 .indexPermissions("manage_aliases")
                 .on("alias_bwx*")
         )//
-        .indexMatcher("read", limitedTo(index_br1, index_br2, index_bw1, index_bw2, index_bwx1, index_bwx2, index_hidden))//
+        .indexMatcher("read", limitedTo(index_ar1, index_ar2, index_aw1, index_aw2, index_br1, index_br2, index_bw1, index_bw2, index_bwx1, index_bwx2, index_hidden))//
         .indexMatcher("write", limitedTo(index_bw1, index_bw2, index_bwx1, index_bwx2, index_hidden))//
         .indexMatcher("create_index", limitedTo(index_bw1, index_bw2, index_bwx1, index_bwx2, index_hidden))//
         .indexMatcher("manage_index", limitedTo(index_bw1, index_bw2, index_bwx1, index_bwx2, alias_bwx, index_hidden))//
@@ -1271,6 +1271,50 @@ public void closeIndex_openIndex() throws Exception {
         }
     }
 
+    @Test
+    public void rollover_explicitTargetIndex() throws Exception {
+        try (TestRestClient restClient = cluster.getRestClient(user)) {
+            createInitialTestObjects(alias_bwx.on(index_bw1, index_bw2));
+
+            HttpResponse httpResponse = restClient.postJson("_aliases", """
+                {
+                  "actions": [
+                    { "remove": { "index": "*", "alias": "alias_bwx" } }
+                  ]
+                }""");
+
+            if (clusterConfig.legacyPrivilegeEvaluation) {
+                // This is only allowed if we have privileges for all indices, even if not all indices are member of alias_bwx
+                if (user.indexMatcher("manage_alias")
+                        .coversAll(
+                                index_ar1,
+                                index_ar2,
+                                index_aw1,
+                                index_aw2,
+                                index_br1,
+                                index_br2,
+                                index_bw1,
+                                index_bw1,
+                                index_cr1,
+                                index_cw1
+                        )) {
+                    assertThat(httpResponse, isOk());
+                } else {
+                    assertThat(httpResponse, isForbidden());
+                }
+            } else {
+                if (user.indexMatcher("manage_alias").coversAll(alias_bwx)) {
+                    assertThat(httpResponse, isOk());
+                } else {
+                    assertThat(httpResponse, isForbidden());
+                }
+            }
+
+        } finally {
+            delete(alias_bwx);
+        }
+    }
+
     @After
     public void refresh() {
         cluster.getInternalNodeClient().admin().indices().refresh(new RefreshRequest("*")).actionGet();