diff --git a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/authenticate/10_basic.yaml b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/authenticate/10_basic.yaml index afefac0f844..f9caca85123 100644 --- a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/authenticate/10_basic.yaml +++ b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/authenticate/10_basic.yaml @@ -1,3 +1,4 @@ +--- setup: - skip: features: headers @@ -16,6 +17,13 @@ setup: "full_name" : "Authenticate User" } +--- +teardown: + - do: + xpack.security.delete_user: + username: "authenticate_user" + ignore: 404 + --- "Test authenticate api": diff --git a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/change_password/10_basic.yaml b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/change_password/10_basic.yaml index 9f83345d7b6..a2cc4430a5c 100644 --- a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/change_password/10_basic.yaml +++ b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/change_password/10_basic.yaml 
@@ -1,23 +1,58 @@ --- -"Test changing users password": +setup: - skip: features: headers - - do: cluster.health: wait_for_status: yellow - - do: xpack.security.put_user: username: "joe" body: > - { - "password": "s3krit", - "roles" : [ "superuser" ] - } - - match: { user: { created: true } } + { + "password": "s3krit", + "roles" : [ "superuser" ] + } + - do: + xpack.security.put_role: + name: "user" + body: > + { + "cluster": ["monitor"], + "indices": [ + { + "names": "*", + "privileges": ["all"] + } + ] + } + - do: + xpack.security.put_user: + username: "unprivileged_user" + body: > + { + "password": "s3krit", + "roles" : [ "user" ] + } -# test that the role actually works +--- +teardown: + - do: + xpack.security.delete_user: + username: "joe" + ignore: 404 + - do: + xpack.security.delete_role: + name: "user" + ignore: 404 + - do: + xpack.security.delete_user: + username: "unprivileged_user" + ignore: 404 + +--- +"Test changing users password": +# validate that the user actually works - do: headers: Authorization: "Basic am9lOnMza3JpdA==" 
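Review bot: The `user` role that setup now assigns to `unprivileged_user` grants `"privileges": ["all"]` on `"names": "*"`, which is much broader than anything the visible steps exercise (`cluster.health` and `xpack.security.change_password`). For a suite meant to show that a low-privilege account can change only its own password, the role should carry the minimum the steps need, for example only `"cluster": ["monitor"]` with the `indices` entry dropped. As written, the account name promises less privilege than the role gives, and the forbidden case further down passes for a principal with full index access. If a later test in this file does need index access, say so in a comment next to the role body.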
@@ -49,49 +84,17 @@ --- "Test user changing their own password": - - skip: - features: headers - - - do: - cluster.health: - wait_for_status: yellow - - - do: - xpack.security.put_role: - name: "user" - body: > - { - "cluster": ["monitor"], - "indices": [ - { - "names": "*", - "privileges": ["all"] - } - ] - } - - match: { role: { created: true } } - - - do: - xpack.security.put_user: - username: "joe" - body: > - { - "password": "s3krit", - "roles" : [ "user" ] - } - - match: { user: { created: true } } - # test that the role actually works - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" cluster.health: {} - match: { timed_out: false } -# change password as the current user. the power_user role only grants the ability to change their own password +# change password as the current user. the user role only grants the ability to change their own password - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" xpack.security.change_password: body: > { 
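Review bot: The replaced `Authorization` values are opaque base64, so a reader cannot tell which principal a step authenticates as without decoding the header. Put a short comment above each one, e.g. `# Basic auth for unprivileged_user:s3krit`, so a reviewer can confirm that the step runs as the low-privilege account and not as `joe`. The same applies to the headers changed in the next hunk (`@@ -102,61 +105,29 @@`), where the new-credentials login would read `# Basic auth for unprivileged_user:s3krit2`. The test body starts before and continues after this hunk.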
@@ -102,61 +105,29 @@ - do: catch: request headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" cluster.health: {} # login with new credentials - do: headers: - Authorization: "Basic am9lOnMza3JpdDI=" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0Mg==" cluster.health: {} - match: { timed_out: false } --- "Test unauthorized user changing anothers password": - - skip: - features: headers - - - do: - cluster.health: - wait_for_status: yellow - - - do: - xpack.security.put_role: - name: "user" - body: > - { - "cluster": ["monitor"], - "indices": [ - { - "names": "*", - "privileges": ["all"] - } - ] - } - - match: { role: { created: true } } - - - do: - xpack.security.put_user: - username: "joe" - body: > - { - "password": "s3krit", - "roles" : [ "user" ] - } - - match: { user: { created: true } } - # test that the role actually works - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" cluster.health: {} - match: { timed_out: false } # attempt to change another users password - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" catch: forbidden xpack.security.change_password: username: "anotheruser" diff --git a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/10_basic.yaml b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/10_basic.yaml index 9e5898103c6..21498c69b0d 100644 --- a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/10_basic.yaml +++ b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/10_basic.yaml 
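Review bot: The forbidden case still targets `username: "anotheruser"`, an account that the new setup section never creates, so a 403 here does not show that an existing account's credentials are protected. Since setup now provisions `joe`, the step could use `username: "joe"` and then repeat `cluster.health` with joe's original header (`Basic am9lOnMza3JpdA==`) to confirm the password was left unchanged. The test continues past the end of this hunk, so part of this may already be covered there.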
@@ -1,12 +1,37 @@ --- -"Test put role api": +setup: - skip: features: headers - do: cluster.health: - wait_for_status: yellow + wait_for_status: yellow + - do: + xpack.security.put_user: + username: "joe" + body: > + { + "password": "s3krit", + "roles" : [ "admin_role" ] + } +--- +teardown: + - do: + xpack.security.delete_user: + username: "joe" + ignore: 404 + - do: + xpack.security.delete_role: + name: "admin_role" + ignore: 404 + - do: + xpack.security.delete_role: + name: "backwards_role" + ignore: 404 + +--- +"Test put role api": - do: xpack.security.put_role: name: "admin_role" @@ -37,16 +62,6 @@ } - match: { role: { created: true } } - - do: - xpack.security.put_user: - username: "joe" - body: > - { - "password": "s3krit", - "roles" : [ "admin_role" ] - } - - match: { user: { created: true } } - # test that the role actually works - do: headers: diff --git a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yaml b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yaml index aeda2d10749..c9743a005e8 100644 --- a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yaml +++ b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yaml @@ -1,11 +1,32 @@ --- -"Test put role api using as array of index names": +setup: - skip: features: headers - - do: cluster.health: - wait_for_status: yellow + wait_for_status: yellow + +--- +teardown: + - do: + xpack.security.delete_role: + name: "admin_role2" + ignore: 404 + + - do: + xpack.security.delete_user: + username: "joe" + ignore: 404 + + - do: + delete: + index: foo + type: doc + id: 1 + ignore: 404 + +--- +"Test put role api using as array of index names": - do: xpack.security.put_role: 
@@ -50,7 +71,6 @@ - match: { _index: foo } - match: { _type: doc } - match: { _id: "1"} - - match: { _version: 1} - match: { _source: { foo: bar }} # test that the role works on the cluster level diff --git a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/10_basic.yaml b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/10_basic.yaml index 309b9d693fd..1e18f51ac13 100644 --- a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/10_basic.yaml +++ b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/10_basic.yaml @@ -1,12 +1,21 @@ --- -"Test put user api": +setup: - skip: features: headers - do: cluster.health: - wait_for_status: yellow + wait_for_status: yellow +--- +teardown: + - do: + xpack.security.delete_user: + username: "joe" + ignore: 404 + +--- +"Test put user api": - do: xpack.security.put_user: username: "joe" diff --git a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yaml b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yaml index 16eb52fbfcc..66bcc9d1c5a 100644 --- a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yaml +++ b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yaml @@ -1,22 +1,30 @@ --- -"Test overwriting a user": +setup: - skip: features: headers - do: cluster.health: - wait_for_status: yellow + wait_for_status: yellow - do: xpack.security.put_user: username: "joe" body: > - { - "password": "s3krit", - "roles" : [ "superuser" ] - } - - match: { user: { created: true } } + { + "password": "s3krit", + "roles" : [ "superuser" ] + } +--- +teardown: + - do: + xpack.security.delete_user: + username: "joe" + ignore: 404 + +--- +"Test overwriting a user": - do: xpack.security.get_user: username: "joe" 
diff --git a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/16_update_user.yaml b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/16_update_user.yaml index 71cba78bf22..92c6d3fea1c 100644 --- a/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/16_update_user.yaml +++ b/elasticsearch/x-pack/security/src/test/resources/rest-api-spec/test/users/16_update_user.yaml @@ -1,24 +1,5 @@ --- -"Test creating a user without password": - - do: - cluster.health: - wait_for_status: yellow - - - do: - catch: request - xpack.security.put_user: - username: "joe" - body: > - { - "roles" : [ "superuser" ] - } - - match: { error.root_cause.0.reason: 'Validation Failed: 1: password must be specified unless you are updating an existing user;' } - ---- -"Test create user and update without and with password": - - skip: - features: headers - +setup: - do: cluster.health: wait_for_status: yellow @@ -31,7 +12,30 @@ "password": "s3krit", "roles" : [ "superuser" ] } - - match: { user: { created: true } } + +--- +teardown: + - do: + xpack.security.delete_user: + username: "joe" + ignore: 404 + +--- +"Test creating a user without password": + - do: + catch: request + xpack.security.put_user: + username: "no_password_user" + body: > + { + "roles" : [ "superuser" ] + } + - match: { error.root_cause.0.reason: 'Validation Failed: 1: password must be specified unless you are updating an existing user;' } + +--- +"Test create user and update without and with password": + - skip: + features: headers # test that the role actually works - do: diff --git a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/test/rest/XPackRestTestCase.java b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/test/rest/XPackRestTestCase.java index a02d6307bd9..ddcd5479716 100644 --- a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/test/rest/XPackRestTestCase.java 
+++ b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/test/rest/XPackRestTestCase.java
@@ -63,29 +63,6 @@ public abstract class XPackRestTestCase extends ESRestTestCase {
 }
 }
- @After
- public void clearUsersAndRoles() throws Exception {
- // we cannot delete the .security index from a rest test since we aren't the internal user, lets wipe the data
- // TODO remove this once the built-in SUPERUSER role is added that can delete the index and we use the built in admin user here
- RestTestResponse response = getAdminExecutionContext().callApi("xpack.security.get_user", emptyMap(), emptyList(), emptyMap());
- @SuppressWarnings("unchecked")
- Map users = (Map) response.getBody();
- for (String user: users.keySet()) {
- if (ReservedRealm.isReserved(user) == false) {
- getAdminExecutionContext().callApi("xpack.security.delete_user", singletonMap("username", user), emptyList(), emptyMap());
- }
- }
-
- response = getAdminExecutionContext().callApi("xpack.security.get_role", emptyMap(), emptyList(), emptyMap());
- @SuppressWarnings("unchecked")
- Map roles = (Map) response.getBody();
- for (String role: roles.keySet()) {
- if (ReservedRolesStore.isReserved(role) == false) {
- getAdminExecutionContext().callApi("xpack.security.delete_role", singletonMap("name", role), emptyList(), emptyMap());
- }
- }
- }
-
 @Override
 protected Settings restClientSettings() {
 return Settings.builder()