diff --git a/elasticsearch/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java b/elasticsearch/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java index cea4385d3ad..c06ad09727a 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java @@ -5,24 +5,25 @@ */ package org.elasticsearch.integration; -import org.elasticsearch.ElasticsearchSecurityException; +import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesAction; import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse; +import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateAction; import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse; import org.elasticsearch.client.Client; import org.elasticsearch.cluster.metadata.IndexTemplateMetaData; +import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.xpack.security.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredStringTests; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken; -import org.elasticsearch.test.SecurityIntegTestCase; import java.util.Collections; import java.util.List; import java.util.Map; -import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; -import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; +import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.hasSize; /** @@ -103,29 +104,14 @@ public class PermissionPrecedenceTests extends SecurityIntegTestCase { // now lets try with "user" - try { - Map auth = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user", - transportClientPassword())); - client.filterWithHeader(auth) - .admin().indices().preparePutTemplate("template1") - .setTemplate("test_*") - .get(); - fail("expected an authorization exception as template APIs should require cluster ALL permission"); - } catch (ElasticsearchSecurityException e) { - // expected - assertAuthorizationException(e); - } + Map auth = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user", + transportClientPassword())); + assertThrowsAuthorizationException(client.filterWithHeader(auth).admin().indices().preparePutTemplate("template1") + .setTemplate("test_*")::get, PutIndexTemplateAction.NAME, "user"); - try { - Map headers = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user", - SecuredStringTests.build("test123"))); - client.filterWithHeader(headers) - .admin().indices().prepareGetTemplates("template1") - .get(); - fail("expected an authorization exception as template APIs should require cluster ALL permission"); - } catch (ElasticsearchSecurityException e) { - // expected - assertAuthorizationException(e); - } + Map headers = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user", + SecuredStringTests.build("test123"))); + assertThrowsAuthorizationException(client.filterWithHeader(headers).admin().indices().prepareGetTemplates("template1")::get, + GetIndexTemplatesAction.NAME, "user"); } } diff --git a/elasticsearch/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java b/elasticsearch/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java index ab0609141af..d33780db158 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java @@ -5,23 +5,19 @@ */ package org.elasticsearch.integration; -import org.elasticsearch.ElasticsearchSecurityException; -import org.elasticsearch.ExceptionsHelper; import org.elasticsearch.action.index.IndexRequestBuilder; import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.common.unit.TimeValue; -import org.elasticsearch.xpack.security.crypto.CryptoService; -import org.elasticsearch.xpack.security.crypto.CryptoService; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.xpack.security.crypto.CryptoService; import java.util.Locale; import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery; -import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; -import static org.hamcrest.Matchers.notNullValue; public class ScrollIdSigningTests extends SecurityIntegTestCase { public void testSearchAndClearScroll() throws Exception { @@ -66,14 +62,10 @@ public class ScrollIdSigningTests extends SecurityIntegTestCase { String scrollId = response.getScrollId(); String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) : scrollId + randomAsciiOfLength(randomIntBetween(3, 10)); + try { - client().prepareSearchScroll(tamperedScrollId).setScroll(TimeValue.timeValueMinutes(2)).get(); - fail("Expected an authorization exception to be thrown when scroll id is tampered"); - } catch (Exception e) { - ElasticsearchSecurityException ese = (ElasticsearchSecurityException) ExceptionsHelper.unwrap(e, - ElasticsearchSecurityException.class); - assertThat(ese, notNullValue()); - assertAuthorizationException(ese); + assertThrowsAuthorizationException(client().prepareSearchScroll(tamperedScrollId).setScroll(TimeValue.timeValueMinutes(2))::get, + equalTo("invalid request. tampered signed text")); } finally { clearScroll(scrollId); } @@ -92,14 +84,10 @@ public class ScrollIdSigningTests extends SecurityIntegTestCase { String scrollId = response.getScrollId(); String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) : scrollId + randomAsciiOfLength(randomIntBetween(3, 10)); + try { - client().prepareClearScroll().addScrollId(tamperedScrollId).get(); - fail("Expected an authorization exception to be thrown when scroll id is tampered"); - } catch (Exception e) { - ElasticsearchSecurityException ese = (ElasticsearchSecurityException) ExceptionsHelper.unwrap(e, - ElasticsearchSecurityException.class); - assertThat(ese, notNullValue()); - assertAuthorizationException(ese); + assertThrowsAuthorizationException(client().prepareClearScroll().addScrollId(tamperedScrollId)::get, + equalTo("invalid request. tampered signed text")); } finally { clearScroll(scrollId); } diff --git a/elasticsearch/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java b/elasticsearch/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java index d51085a2ab3..667a076bccd 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java +++ b/elasticsearch/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java @@ -6,8 +6,6 @@ package org.elasticsearch.test; import org.elasticsearch.AbstractOldXPackIndicesBackwardsCompatibilityTestCase; -import org.elasticsearch.ElasticsearchSecurityException; -import org.elasticsearch.action.ActionRequestBuilder; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; import org.elasticsearch.action.admin.cluster.node.info.NodeInfo; import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse; @@ -43,7 +41,6 @@ import java.util.stream.Collectors; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoTimeout; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; -import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; import static org.hamcrest.core.IsCollectionContaining.hasItem; @@ -362,11 +359,10 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase { assertThat(clusterHealthResponse.getStatus(), is(ClusterHealthStatus.GREEN)); } - protected static void assertThrowsAuthorizationException(ActionRequestBuilder actionRequestBuilder) { - ElasticsearchSecurityException e = expectThrows(ElasticsearchSecurityException.class, actionRequestBuilder::get); - SecurityTestsUtils.assertAuthorizationException(e, containsString("is unauthorized for user [")); - } - + /** + * Creates the indices provided as argument, randomly associating them with aliases, indexes one dummy document per index + * and refreshes the new indices + */ protected void createIndicesWithRandomAliases(String... indices) { if (randomBoolean()) { //no aliases @@ -388,7 +384,7 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase { for (String index : indices) { client().prepareIndex(index, "type").setSource("field", "value").get(); } - refresh(); + refresh(indices); } @Override diff --git a/elasticsearch/src/test/java/org/elasticsearch/test/SecurityTestsUtils.java b/elasticsearch/src/test/java/org/elasticsearch/test/SecurityTestsUtils.java index 0b7b8d16714..8bae59c74aa 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/test/SecurityTestsUtils.java +++ b/elasticsearch/src/test/java/org/elasticsearch/test/SecurityTestsUtils.java @@ -5,11 +5,16 @@ */ package org.elasticsearch.test; +import org.apache.lucene.util.LuceneTestCase; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.rest.RestStatus; import org.hamcrest.Matcher; +import static org.apache.lucene.util.LuceneTestCase.expectThrows; import static org.elasticsearch.xpack.security.test.SecurityAssertions.assertContainsWWWAuthenticateHeader; +import static org.hamcrest.CoreMatchers.containsString; +import static org.hamcrest.CoreMatchers.either; +import static org.hamcrest.CoreMatchers.instanceOf; import static org.hamcrest.CoreMatchers.nullValue; import static org.hamcrest.Matchers.is; import static org.junit.Assert.assertThat; @@ -31,13 +36,38 @@ public class SecurityTestsUtils { assertThat(e.getMessage(), messageMatcher); } - public static void assertAuthorizationException(ElasticsearchSecurityException e) { - assertThat(e.status(), is(RestStatus.FORBIDDEN)); + public static void assertThrowsAuthorizationException(LuceneTestCase.ThrowingRunnable throwingRunnable, String action, String user) { + assertThrowsAuthorizationException(throwingRunnable, + containsString("[" + action + "] is unauthorized for user [" + user + "]")); } - public static void assertAuthorizationException(ElasticsearchSecurityException e, Matcher messageMatcher) { - assertAuthorizationException(e); - assertThat(e.getMessage(), messageMatcher); + public static void assertThrowsAuthorizationExceptionRunAs(LuceneTestCase.ThrowingRunnable throwingRunnable, + String action, String user, String runAs) { + assertThrowsAuthorizationException(throwingRunnable, + containsString("[" + action + "] is unauthorized for user [" + user + "] run as [" + runAs + "]")); } + public static void assertThrowsAuthorizationExceptionDefaultUsers(LuceneTestCase.ThrowingRunnable throwingRunnable, String action) { + ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, throwingRunnable); + assertAuthorizationExceptionDefaultUsers(exception, action); + } + + public static void assertAuthorizationExceptionDefaultUsers(Throwable throwable, String action) { + assertAuthorizationException(throwable, either(containsString("[" + action + "] is unauthorized for user [" + + SecuritySettingsSource.DEFAULT_USER_NAME + "]")).or(containsString("[" + action + "] is unauthorized for user [" + + SecuritySettingsSource.DEFAULT_TRANSPORT_CLIENT_USER_NAME + "]"))); + } + + public static void assertThrowsAuthorizationException(LuceneTestCase.ThrowingRunnable throwingRunnable, + Matcher messageMatcher) { + ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, throwingRunnable); + assertAuthorizationException(securityException, messageMatcher); + } + + private static void assertAuthorizationException(Throwable throwable, Matcher messageMatcher) { + assertThat(throwable, instanceOf(ElasticsearchSecurityException.class)); + ElasticsearchSecurityException securityException = (ElasticsearchSecurityException) throwable; + assertThat(securityException.status(), is(RestStatus.FORBIDDEN)); + assertThat(throwable.getMessage(), messageMatcher); + } } diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java index 986fa94299f..0770500d5c1 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java @@ -5,17 +5,16 @@ */ package org.elasticsearch.xpack.security.authz; -import org.elasticsearch.ElasticsearchSecurityException; +import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction; +import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.xpack.security.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.SecuredString; -import org.elasticsearch.test.SecurityIntegTestCase; import java.util.Collections; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; -import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; -import static org.hamcrest.CoreMatchers.containsString; public class AnalyzeTests extends SecurityIntegTestCase { protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray()))); @@ -59,34 +58,28 @@ public class AnalyzeTests extends SecurityIntegTestCase { client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) .admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get(); - try { - //fails: user doesn't have permissions for analyze on index non_authorized - client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) - .admin().indices().prepareAnalyze("this is my text").setIndex("non_authorized").setAnalyzer("standard").get(); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/analyze] is unauthorized for user [analyze_indices]")); - } + //fails: user doesn't have permissions for analyze on index non_authorized + assertThrowsAuthorizationException(client().filterWithHeader( + Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) + .admin().indices().prepareAnalyze("this is my text").setIndex("non_authorized").setAnalyzer("standard")::get, + AnalyzeAction.NAME, "analyze_indices"); - try { - //fails: user doesn't have permissions for cluster level analyze - client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) - .admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get(); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [cluster:admin/analyze] is unauthorized for user [analyze_indices]")); - } + //fails: user doesn't have permissions for cluster level analyze + assertThrowsAuthorizationException(client().filterWithHeader( + Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) + .admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard")::get, + "cluster:admin/analyze", "analyze_indices"); } public void testAnalyzeWithoutIndices() { //this test tries to execute different analyze api variants from a user that has analyze privileges only at cluster level SecuredString passwd = new SecuredString("test123".toCharArray()); - try { - //fails: user doesn't have permissions for analyze on index test_1 - client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd))) - .admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get(); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/analyze] is unauthorized for user [analyze_cluster]")); - } + //fails: user doesn't have permissions for analyze on index test_1 + assertThrowsAuthorizationException(client().filterWithHeader( + Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd))) + .admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard")::get, + AnalyzeAction.NAME, "analyze_cluster"); client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd))) .admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get(); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java index 82af04a076b..87fb465b6cc 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java @@ -68,7 +68,6 @@ import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.rest.RestStatus; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportRequest; @@ -97,7 +96,8 @@ import java.util.Collections; import java.util.List; import static org.elasticsearch.test.SecurityTestsUtils.assertAuthenticationException; -import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionRunAs; import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.containsString; @@ -144,67 +144,49 @@ public class AuthorizationServiceTests extends ESTestCase { public void testIndicesActionsAreNotAuthorized() { TransportRequest request = mock(TransportRequest.class); - try { - authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "indices:", request); - fail("action beginning with indices should have failed"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:] is unauthorized for user [" + SystemUser.INSTANCE.principal() + "]")); - verify(auditTrail).accessDenied(SystemUser.INSTANCE, "indices:", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "indices:", request), + "indices:", SystemUser.INSTANCE.principal()); + verify(auditTrail).accessDenied(SystemUser.INSTANCE, "indices:", request); + verifyNoMoreInteractions(auditTrail); } public void testClusterAdminActionsAreNotAuthorized() { TransportRequest request = mock(TransportRequest.class); - try { - authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/whatever", request); - fail("action beginning with cluster:admin/whatever should have failed"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [cluster:admin/whatever] is unauthorized for user [" + SystemUser.INSTANCE.principal() + "]")); - verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/whatever", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/whatever", request), + "cluster:admin/whatever", SystemUser.INSTANCE.principal()); + verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/whatever", request); + verifyNoMoreInteractions(auditTrail); } public void testClusterAdminSnapshotStatusActionIsNotAuthorized() { TransportRequest request = mock(TransportRequest.class); - try { - authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/snapshot/status", request); - fail("action beginning with cluster:admin/snapshot/status should have failed"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [cluster:admin/snapshot/status] is unauthorized for user [" + - SystemUser.INSTANCE.principal() + "]")); - verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/snapshot/status", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/snapshot/status", request), + "cluster:admin/snapshot/status", SystemUser.INSTANCE.principal()); + verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/snapshot/status", request); + verifyNoMoreInteractions(auditTrail); } public void testNoRolesCausesDenial() { TransportRequest request = new SearchRequest(); User user = new User("test user"); - try { - authorizationService.authorize(createAuthentication(user), "indices:a", request); - fail("user without roles should be denied"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); - verify(auditTrail).accessDenied(user, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), "indices:a", request), + "indices:a", "test user"); + verify(auditTrail).accessDenied(user, "indices:a", request); + verifyNoMoreInteractions(auditTrail); } public void testUnknownRoleCausesDenial() { TransportRequest request = new SearchRequest(); User user = new User("test user", "non-existent-role"); - try { - authorizationService.authorize(createAuthentication(user), "indices:a", request); - fail("user with unknown role only should have been denied"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); - verify(auditTrail).accessDenied(user, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), "indices:a", request), + "indices:a", "test user"); + verify(auditTrail).accessDenied(user, "indices:a", request); + verifyNoMoreInteractions(auditTrail); } public void testThatNonIndicesAndNonClusterActionIsDenied() { @@ -212,14 +194,11 @@ public class AuthorizationServiceTests extends ESTestCase { User user = new User("test user", "a_all"); when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build()); - try { - authorizationService.authorize(createAuthentication(user), "whatever", request); - fail("non indices and non cluster requests should be denied"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [whatever] is unauthorized for user [test user]")); - verify(auditTrail).accessDenied(user, "whatever", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), "whatever", request), + "whatever", "test user"); + verify(auditTrail).accessDenied(user, "whatever", request); + verifyNoMoreInteractions(auditTrail); } public void testThatRoleWithNoIndicesIsDenied() { @@ -227,14 +206,11 @@ public class AuthorizationServiceTests extends ESTestCase { User user = new User("test user", "no_indices"); when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build()); - try { - authorizationService.authorize(createAuthentication(user), "indices:a", request); - fail("user only has cluster roles so indices requests should fail"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); - verify(auditTrail).accessDenied(user, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), "indices:a", request), + "indices:a", "test user"); + verify(auditTrail).accessDenied(user, "indices:a", request); + verifyNoMoreInteractions(auditTrail); } public void testSearchAgainstEmptyCluster() { @@ -248,14 +224,12 @@ public class AuthorizationServiceTests extends ESTestCase { //ignore_unavailable set to false, user is not authorized for this index nor does it exist SearchRequest searchRequest = new SearchRequest("does_not_exist") .indicesOptions(IndicesOptions.fromOptions(false, true, true, false)); - try { - authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest); - fail("indices request for b should be denied since there is no such index"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [" + SearchAction.NAME + "] is unauthorized for user [test user]")); - verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest); - verifyNoMoreInteractions(auditTrail); - } + + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest), + SearchAction.NAME, "test user"); + verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest); + verifyNoMoreInteractions(auditTrail); } { @@ -312,16 +286,13 @@ public class AuthorizationServiceTests extends ESTestCase { when(clusterService.state()).thenReturn(state); when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA); - try { - authorizationService.authorize(createAuthentication(user), "indices:a", request); - fail("indices request for b should be denied since there is no such index"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); - verify(auditTrail).accessDenied(user, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - verify(clusterService, times(2)).state(); - verify(state, times(3)).metaData(); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), "indices:a", request), + "indices:a", "test user"); + verify(auditTrail).accessDenied(user, "indices:a", request); + verifyNoMoreInteractions(auditTrail); + verify(clusterService, times(2)).state(); + verify(state, times(3)).metaData(); } public void testCreateIndexWithAliasWithoutPermissions() { @@ -333,17 +304,13 @@ public class AuthorizationServiceTests extends ESTestCase { when(clusterService.state()).thenReturn(state); when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA); - try { - authorizationService.authorize(createAuthentication(user), CreateIndexAction.NAME, request); - fail("indices creation request with alias should be denied since user does not have permission to alias"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [" + IndicesAliasesAction.NAME + "] is unauthorized for user [test user]")); - verify(auditTrail).accessDenied(user, IndicesAliasesAction.NAME, request); - verifyNoMoreInteractions(auditTrail); - verify(clusterService).state(); - verify(state, times(2)).metaData(); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), CreateIndexAction.NAME, request), + IndicesAliasesAction.NAME, "test user"); + verify(auditTrail).accessDenied(user, IndicesAliasesAction.NAME, request); + verifyNoMoreInteractions(auditTrail); + verify(clusterService).state(); + verify(state, times(2)).metaData(); } public void testCreateIndexWithAlias() { @@ -409,17 +376,13 @@ public class AuthorizationServiceTests extends ESTestCase { when(clusterService.state()).thenReturn(state); when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA); - try { - authorizationService.authorize(createAuthentication(anonymousUser), "indices:a", request); - fail("indices request for b should be denied since there is no such index"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:a] is unauthorized for user [" + anonymousUser.principal() + "]")); - verify(auditTrail).accessDenied(anonymousUser, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - verify(clusterService, times(2)).state(); - verify(state, times(3)).metaData(); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(anonymousUser), "indices:a", request), + "indices:a", anonymousUser.principal()); + verify(auditTrail).accessDenied(anonymousUser, "indices:a", request); + verifyNoMoreInteractions(auditTrail); + verify(clusterService, times(2)).state(); + verify(state, times(3)).metaData(); } public void testDenialForAnonymousUserAuthorizationExceptionDisabled() { @@ -453,14 +416,11 @@ public class AuthorizationServiceTests extends ESTestCase { TransportRequest request = mock(TransportRequest.class); User user = new User("test user", null, new User("run as me", new String[] { "admin" })); assertThat(user.runAs(), is(notNullValue())); - try { - authorizationService.authorize(createAuthentication(user), "indices:a", request); - fail("user without roles should be denied for run as"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]")); - verify(auditTrail).runAsDenied(user, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationExceptionRunAs( + () -> authorizationService.authorize(createAuthentication(user), "indices:a", request), + "indices:a", "test user", "run as me"); // run as [run as me] + verify(auditTrail).runAsDenied(user, "indices:a", request); + verifyNoMoreInteractions(auditTrail); } public void testRunAsRequestRunningAsUnAllowedUser() { @@ -473,14 +433,11 @@ public class AuthorizationServiceTests extends ESTestCase { .add(IndexPrivilege.ALL, "a") .build()); - try { - authorizationService.authorize(createAuthentication(user), "indices:a", request); - fail("user without roles should be denied for run as"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]")); - verify(auditTrail).runAsDenied(user, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationExceptionRunAs( + () -> authorizationService.authorize(createAuthentication(user), "indices:a", request), + "indices:a", "test user", "run as me"); + verify(auditTrail).runAsDenied(user, "indices:a", request); + verifyNoMoreInteractions(auditTrail); } public void testRunAsRequestWithRunAsUserWithoutPermission() { @@ -507,15 +464,12 @@ public class AuthorizationServiceTests extends ESTestCase { .build()); } - try { - authorizationService.authorize(createAuthentication(user), "indices:a", request); - fail("the run as user's role doesn't exist so they should not get authorized"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]")); - verify(auditTrail).runAsGranted(user, "indices:a", request); - verify(auditTrail).accessDenied(user, "indices:a", request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationExceptionRunAs( + () -> authorizationService.authorize(createAuthentication(user), "indices:a", request), + "indices:a", "test user", "run as me"); + verify(auditTrail).runAsGranted(user, "indices:a", request); + verify(auditTrail).accessDenied(user, "indices:a", request); + verifyNoMoreInteractions(auditTrail); } public void testRunAsRequestWithValidPermissions() { @@ -577,14 +531,11 @@ public class AuthorizationServiceTests extends ESTestCase { for (Tuple requestTuple : requests) { String action = requestTuple.v1(); TransportRequest request = requestTuple.v2(); - try { - authorizationService.authorize(createAuthentication(user), action, request); - fail("only the xpack user can execute operation [" + action + "] against the internal index"); - } catch (ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [" + action + "] is unauthorized for user [all_access_user]")); - verify(auditTrail).accessDenied(user, action, request); - verifyNoMoreInteractions(auditTrail); - } + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), action, request), + action, "all_access_user"); + verify(auditTrail).accessDenied(user, action, request); + verifyNoMoreInteractions(auditTrail); } // we should allow waiting for the health of the index or any index if the user has this permission @@ -729,10 +680,8 @@ public class AuthorizationServiceTests extends ESTestCase { TransportRequest request = compositeRequest.v2(); User user = new User("test user", "no_indices"); when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build()); - ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, - () -> authorizationService.authorize(createAuthentication(user), action, request)); - assertThat(securityException.status(), is(RestStatus.FORBIDDEN)); - assertThat(securityException.getMessage(), containsString("[" + action + "] is unauthorized for user [" + user.principal() + "]")); + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(user), action, request), action, "test user"); verify(auditTrail).accessDenied(user, action, request); verifyNoMoreInteractions(auditTrail); } @@ -795,11 +744,8 @@ public class AuthorizationServiceTests extends ESTestCase { when(rolesStore.role("roleDenied")).thenReturn(Role.builder("roleDenied").add(IndexPrivilege.ALL, "a").build()); mockEmptyMetaData(); authorizationService.authorize(createAuthentication(userAllowed), action, request); - ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, - () -> authorizationService.authorize(createAuthentication(userDenied), action, request)); - assertThat(securityException.status(), is(RestStatus.FORBIDDEN)); - assertThat(securityException.getMessage(), - containsString("[" + action + "] is unauthorized for user [" + userDenied.principal() + "]")); + assertThrowsAuthorizationException( + () -> authorizationService.authorize(createAuthentication(userDenied), action, request), action, "userDenied"); } private static Tuple randomCompositeRequest() { diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java index 1a402ee469a..1cc883a2e96 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java @@ -5,28 +5,29 @@ */ package org.elasticsearch.xpack.security.authz; -import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.action.admin.indices.alias.Alias; +import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction; +import org.elasticsearch.action.admin.indices.alias.get.GetAliasesAction; import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequestBuilder; import org.elasticsearch.action.admin.indices.alias.get.GetAliasesResponse; +import org.elasticsearch.action.admin.indices.create.CreateIndexAction; import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.client.Client; import org.elasticsearch.index.IndexNotFoundException; +import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.xpack.security.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.SecuredString; -import org.elasticsearch.test.SecurityIntegTestCase; import org.junit.Before; import java.util.Collections; import java.util.Map; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException; +import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; -import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; -import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.equalTo; -import static org.hamcrest.CoreMatchers.is; public class IndexAliasesTests extends SecurityIntegTestCase { @@ -100,19 +101,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase { new SecuredString("test123".toCharArray()))); assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").get()); - try { - client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "test_alias").get(); - fail("add alias should have failed due to missing manage_aliases privileges"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]")); - } + assertThrowsAuthorizationException( + client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "test_alias")::get, + IndicesAliasesAction.NAME, "create_only"); - try { - client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias").get(); - fail("add alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_*]")); - } + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, + client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias")::get); + assertThat(indexNotFoundException.toString(), containsString("[test_*]")); } public void testCreateIndexAndAliasesCreateOnlyPermission() { @@ -120,80 +115,56 @@ public class IndexAliasesTests extends SecurityIntegTestCase { // the same create index request Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", new SecuredString("test123".toCharArray()))); - try { - client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_2")).get(); - fail("create index should have failed due to missing manage_aliases privileges"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]")); - } + + assertThrowsAuthorizationException( + client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_2"))::get, + IndicesAliasesAction.NAME, "create_only"); } public void testDeleteAliasesCreateOnlyPermission() { //user has create permission only: allows to create indices, manage_aliases is required to add/remove aliases Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", new SecuredString("test123".toCharArray()))); - try { - client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get(); - fail("remove alias should have failed due to missing manage_aliases privileges"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]")); - } - try { - client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_*").get(); - fail("remove alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[alias_*")); - } + assertThrowsAuthorizationException( + client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1")::get, + IndicesAliasesAction.NAME, "create_only"); - try { - client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all").get(); - fail("remove alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, + client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_*")::get); + assertThat(indexNotFoundException.toString(), containsString("[alias_*")); + + indexNotFoundException = expectThrows(IndexNotFoundException.class, + client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); } public void testGetAliasesCreateOnlyPermissionStrict() { //user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", new SecuredString("test123".toCharArray()))); - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1").setIndices("test_1") - .setIndicesOptions(IndicesOptions.strictExpand()).get(); - fail("get alias should have failed due to missing manage_aliases privileges"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [create_only]")); - } - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1") - .setIndicesOptions(IndicesOptions.strictExpand()).get(); - fail("get alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1") + .setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get, GetAliasesAction.NAME, "create_only"); - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases().setIndices("test_1") - .setIndicesOptions(IndicesOptions.strictExpand()).get(); - fail("get alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers) + .admin().indices().prepareGetAliases("_all") + .setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); + + indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices() + .prepareGetAliases().setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias") .setIndices("test_*").setIndicesOptions(IndicesOptions.strictExpand()).get(); assertEquals(0, getAliasesResponse.getAliases().size()); - try { - //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias - //and there is no way to "allow_no_aliases" like we can do with indices. - client().filterWithHeader(headers).admin().indices().prepareGetAliases().get(); - fail("get alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias + //and there is no way to "allow_no_aliases" like we can do with indices. + indexNotFoundException = expectThrows(IndexNotFoundException.class, + client().filterWithHeader(headers).admin().indices().prepareGetAliases()::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); } public void testGetAliasesCreateOnlyPermissionIgnoreUnavailable() { @@ -205,35 +176,24 @@ public class IndexAliasesTests extends SecurityIntegTestCase { .setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); assertEquals(0, getAliasesResponse.getAliases().size()); - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1") - .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("get alias should have failed due empty set of indices after indices resolution"); - } catch(IndexNotFoundException e) { - assertEquals("no such index", e.getMessage()); - } + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers) + .admin().indices().prepareGetAliases("_all") + .setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen())::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases().setIndices("test_1") - .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("get alias should have failed due empty set of indices after indices resolution"); - } catch(IndexNotFoundException e) { - assertEquals("no such index", e.getMessage()); - } + indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices() + .prepareGetAliases().setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen())::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias") .setIndices("test_*").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); assertEquals(0, getAliasesResponse.getAliases().size()); - try { - //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias - //and there is no way to "allow_no_aliases" like we can do with indices. - client().filterWithHeader(headers).admin().indices().prepareGetAliases() - .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("get alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias + //and there is no way to "allow_no_aliases" like we can do with indices. + indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices() + .prepareGetAliases().setIndicesOptions(IndicesOptions.lenientExpandOpen())::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); } public void testCreateIndexThenAliasesCreateAndAliasesPermission() { @@ -250,15 +210,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //ok: user has manage_aliases on test_* assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias_2").get()); - try { - //fails: user doesn't have manage_aliases on alias_1 - client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "alias_1") - .addAlias("test_1", "test_alias").get(); - fail("add alias should have failed due to missing manage_aliases privileges on alias_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]")); - } + //fails: user doesn't have manage_aliases on alias_1 + assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases() + .addAlias("test_1", "alias_1").addAlias("test_1", "test_alias")::get, + IndicesAliasesAction.NAME, "create_test_aliases_test"); } public void testCreateIndexAndAliasesCreateAndAliasesPermission() { @@ -269,15 +224,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase { new SecuredString("test123".toCharArray()))); assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get()); - try { - //fails: user doesn't have manage_aliases on alias_1 - client().filterWithHeader(headers).admin().indices().prepareCreate("test_2").addAlias(new Alias("test_alias")) - .addAlias(new Alias("alias_2")).get(); - fail("create index should have failed due to missing manage_aliases privileges on alias_2"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]")); - } + //fails: user doesn't have manage_aliases on alias_1 + assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareCreate("test_2") + .addAlias(new Alias("test_alias")).addAlias(new Alias("alias_2"))::get, + IndicesAliasesAction.NAME, "create_test_aliases_test"); } public void testDeleteAliasesCreateAndAliasesPermission() { @@ -297,40 +247,23 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //ok: user has manage_aliases on test_* assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get()); - try { - //fails: all aliases have been deleted, no existing aliases match test_alias_* - client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get(); - fail("remove alias should have failed due to no existing matching aliases to expand test_alias_* to"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_alias_*]")); - } + //fails: all aliases have been deleted, no existing aliases match test_alias_* + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, + client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*")::get); + assertThat(indexNotFoundException.toString(), containsString("[test_alias_*]")); - try { - //fails: all aliases have been deleted, no existing aliases match _all - client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all").get(); - fail("remove alias should have failed due to no existing matching aliases to expand _all to"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //fails: all aliases have been deleted, no existing aliases match _all + indexNotFoundException = expectThrows(IndexNotFoundException.class, + client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); - try { - //fails: user doesn't have manage_aliases on alias_1 - client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get(); - fail("remove alias should have failed due to missing manage_aliases privileges on alias_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]")); - } + //fails: user doesn't have manage_aliases on alias_1 + assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases() + .removeAlias("test_1", "alias_1")::get, IndicesAliasesAction.NAME, "create_test_aliases_test"); - try { - //fails: user doesn't have manage_aliases on alias_1 - client().filterWithHeader(headers).admin().indices().prepareAliases() - .removeAlias("test_1", new String[]{"_all", "alias_1"}).get(); - fail("remove alias should have failed due to missing manage_aliases privileges on alias_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]")); - } + //fails: user doesn't have manage_aliases on alias_1 + assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases() + .removeAlias("test_1", new String[]{"_all", "alias_1"})::get, IndicesAliasesAction.NAME, "create_test_aliases_test"); } public void testGetAliasesCreateAndAliasesPermission() { @@ -376,24 +309,14 @@ public class IndexAliasesTests extends SecurityIntegTestCase { assertAliases(client.admin().indices().prepareGetAliases(), "test_1", "test_alias"); - try { - //fails: user has manage_aliases on test_*, although _all aliases and empty indices can be resolved, the explicit non - // authorized alias (alias_1) causes the request to fail - client.admin().indices().prepareGetAliases().setAliases("_all", "alias_1").get(); - fail("get alias should have failed due to missing manage_aliases privileges on alias_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_test]")); - } + //fails: user has manage_aliases on test_*, although _all aliases and empty indices can be resolved, the explicit non + // authorized alias (alias_1) causes the request to fail + assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("_all", "alias_1")::get, + GetAliasesAction.NAME, "create_test_aliases_test"); - try { - //fails: user doesn't have manage_aliases on alias_1 - client.admin().indices().prepareGetAliases().setAliases("alias_1").get(); - fail("get alias should have failed due to missing manage_aliases privileges on alias_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_test]")); - } + //fails: user doesn't have manage_aliases on alias_1 + assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("alias_1")::get, + GetAliasesAction.NAME, "create_test_aliases_test"); } public void testCreateIndexThenAliasesCreateAndAliasesPermission2() { @@ -405,31 +328,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase { // on both aliases and indices assertAcked(client.admin().indices().prepareCreate("test_1")); - try { - //fails: user doesn't have manage_aliases aliases on test_1 - client.admin().indices().prepareAliases().addAlias("test_1", "test_alias").get(); - fail("add alias should have failed due to missing manage_aliases privileges on test_alias and test_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]")); - } + //fails: user doesn't have manage_aliases aliases on test_1 + assertThrowsAuthorizationException(client.admin().indices().prepareAliases().addAlias("test_1", "test_alias")::get, + IndicesAliasesAction.NAME, "create_test_aliases_alias"); - try { - //fails: user doesn't have manage_aliases aliases on test_1 - client.admin().indices().prepareAliases().addAlias("test_1", "alias_1").get(); - fail("add alias should have failed due to missing manage_aliases privileges on test_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]")); - } + //fails: user doesn't have manage_aliases aliases on test_1 + assertThrowsAuthorizationException(client.admin().indices().prepareAliases().addAlias("test_1", "alias_1")::get, + IndicesAliasesAction.NAME, "create_test_aliases_alias"); - try { - //fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards - client.admin().indices().prepareAliases().addAlias("test_*", "alias_1").get(); - fail("add alias should have failed due to missing manage_aliases privileges on test_1"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_*]")); - } + //fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, + client.admin().indices().prepareAliases().addAlias("test_*", "alias_1")::get); + assertThat(indexNotFoundException.toString(), containsString("[test_*]")); } public void testCreateIndexAndAliasesCreateAndAliasesPermission2() { @@ -440,23 +350,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases // on both aliases and indices - try { - //fails: user doesn't have manage_aliases on test_1, create index is rejected as a whole - client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get(); - fail("create index should have failed due to missing manage_aliases privileges on test_1 and test_alias"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]")); - } - try { - //fails: user doesn't have manage_aliases on test_*, create index is rejected as a whole - client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1")).get(); - fail("create index should have failed due to missing manage_aliases privileges on test_1 and test_alias"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]")); - } + //fails: user doesn't have manage_aliases on test_1, create index is rejected as a whole + assertThrowsAuthorizationException(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias"))::get, + IndicesAliasesAction.NAME, "create_test_aliases_alias"); } public void testDeleteAliasesCreateAndAliasesPermission2() { @@ -466,32 +363,15 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases // on both aliases and indices - try { - //fails: user doesn't have manage_aliases on test_1 - client.admin().indices().prepareAliases().removeAlias("test_1", "test_alias").get(); - fail("remove alias should have failed due to missing manage_aliases privileges on test_alias and test_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]")); - } - try { - //fails: user doesn't have manage_aliases on test_1 - client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get(); - fail("remove alias should have failed due to missing manage_aliases privileges on test_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]")); - } + //fails: user doesn't have manage_aliases on test_1 + assertThrowsAuthorizationException(client.admin().indices().prepareAliases().removeAlias("test_1", "test_alias")::get, + IndicesAliasesAction.NAME, "create_test_aliases_alias"); - try { - //fails: user doesn't have manage_aliases on test_*, wildcards can't get replaced - client.admin().indices().prepareAliases().removeAlias("test_*", "alias_1").get(); - fail("remove alias should have failed due to missing manage_aliases privileges on test_*"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_*]")); + //fails: user doesn't have manage_aliases on test_*, wildcards can't get replaced + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, + client.admin().indices().prepareAliases().removeAlias("test_*", "alias_1")::get); } - } public void testGetAliasesCreateAndAliasesPermission2() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, @@ -502,14 +382,9 @@ public class IndexAliasesTests extends SecurityIntegTestCase { // on both aliases and indices assertAcked(client.admin().indices().prepareCreate("test_1")); - try { - //fails: user doesn't have manage_aliases aliases on test_1, nor test_alias - client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1").get(); - fail("get alias should have failed due to missing manage_aliases privileges on test_alias and test_1"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_alias]")); - } + //fails: user doesn't have manage_aliases aliases on test_1, nor test_alias + assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1")::get, + GetAliasesAction.NAME, "create_test_aliases_alias"); //user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases() @@ -520,37 +395,24 @@ public class IndexAliasesTests extends SecurityIntegTestCase { getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get(); assertEquals(0, getAliasesResponse.getAliases().size()); - try { - //fails: no existing aliases to replace wildcards - client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*").get(); - fail("get alias should have failed due to missing manage_aliases privileges on test_1"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_*]")); - } + //fails: no existing aliases to replace wildcards + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, + client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*")::get); + assertThat(indexNotFoundException.toString(), containsString("[test_*]")); - try { - //fails: no existing aliases to replace _all - client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all").get(); - fail("get alias should have failed due to missing manage_aliases privileges on test_1"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //fails: no existing aliases to replace _all + indexNotFoundException = expectThrows(IndexNotFoundException.class, + client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all")::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); - try { - //fails: no existing aliases to replace empty aliases - client.admin().indices().prepareGetAliases().setIndices("test_1").get(); - fail("get alias should have failed due to missing manage_aliases privileges on test_1"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //fails: no existing aliases to replace empty aliases + indexNotFoundException = expectThrows(IndexNotFoundException.class, + client.admin().indices().prepareGetAliases().setIndices("test_1")::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); - try { - //fails: no existing aliases to replace empty aliases - client.admin().indices().prepareGetAliases().get(); - fail("get alias should have failed due to missing manage_aliases privileges on test_1"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //fails: no existing aliases to replace empty aliases + indexNotFoundException = expectThrows(IndexNotFoundException.class, client.admin().indices().prepareGetAliases()::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); } public void testCreateIndexThenAliasesCreateAndAliasesPermission3() { @@ -588,26 +450,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase { assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1")) .addAlias(new Alias("alias_2")).addAlias(new Alias("alias_3"))); - try { - //fails: user doesn't have manage_aliases privilege on non_authorized - client.admin().indices().prepareAliases().removeAlias("test_1", "non_authorized").removeAlias("test_1", "test_alias").get(); - fail("remove alias should have failed due to missing manage_aliases privileges on non_authorized"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, - containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test_alias]")); - } + //fails: user doesn't have manage_aliases privilege on non_authorized + assertThrowsAuthorizationException(client.admin().indices().prepareAliases().removeAlias("test_1", "non_authorized") + .removeAlias("test_1", "test_alias")::get, IndicesAliasesAction.NAME, "create_test_aliases_test_alias"); assertAcked(client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1")); assertAcked(client.admin().indices().prepareAliases().removeAlias("test_*", "_all")); - try { - //fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases - client.admin().indices().prepareAliases().removeAlias("test_1", "_all").get(); - fail("remove alias should have failed due to no existing aliases matching _all"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, + client.admin().indices().prepareAliases().removeAlias("test_1", "_all")::get); + assertThat(indexNotFoundException.toString(), containsString("[_all]")); } public void testGetAliasesCreateAndAliasesPermission3() { @@ -646,14 +500,9 @@ public class IndexAliasesTests extends SecurityIntegTestCase { } public void testCreateIndexAliasesOnlyPermission() { - try { - client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("aliases_only", new SecuredString("test123".toCharArray())))) - .admin().indices().prepareCreate("test_1").get(); - fail("Expected ElasticsearchSecurityException"); - } catch (ElasticsearchSecurityException e) { - assertThat(e.getMessage(), is("action [indices:admin/create] is unauthorized for user [aliases_only]")); - } + assertThrowsAuthorizationException(client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, + basicAuthHeaderValue("aliases_only", new SecuredString("test123".toCharArray())))) + .admin().indices().prepareCreate("test_1")::get, CreateIndexAction.NAME, "aliases_only"); } public void testGetAliasesAliasesOnlyPermissionStrict() { @@ -662,33 +511,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase { final Client client = client().filterWithHeader(headers); //user has manage_aliases only permissions on both alias_* and test_* - //ok: manage_aliases on both test_* and alias_* - try { - //security plugin lets it through, but es core intercepts it due to strict indices options and throws index not found - client.admin().indices().prepareGetAliases("alias_1") - .addIndices("test_1").setIndicesOptions(IndicesOptions.strictExpandOpen()).get(); - fail("Expected IndexNotFoundException"); - } catch(IndexNotFoundException e) { - assertEquals("no such index", e.getMessage()); - } + //security plugin lets it through, but es core intercepts it due to strict indices options and throws index not found + IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client.admin().indices() + .prepareGetAliases("alias_1").addIndices("test_1").setIndicesOptions(IndicesOptions.strictExpandOpen())::get); + assertEquals("no such index", indexNotFoundException.getMessage()); - try { - //fails: no manage_aliases privilege on non_authorized alias - client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1") - .setIndicesOptions(IndicesOptions.strictExpandOpen()).get(); - fail("Expected ElasticsearchSecurityException"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [aliases_only]")); - } + //fails: no manage_aliases privilege on non_authorized alias + assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1") + .setIndicesOptions(IndicesOptions.strictExpandOpen())::get, GetAliasesAction.NAME, "aliases_only"); - try { - //fails: no manage_aliases privilege on non_authorized index - client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized") - .setIndicesOptions(IndicesOptions.strictExpandOpen()).get(); - fail("Expected ElasticsearchSecurityException"); - } catch(ElasticsearchSecurityException e) { - assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [aliases_only]")); - } + //fails: no manage_aliases privilege on non_authorized index + assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized") + .setIndicesOptions(IndicesOptions.strictExpandOpen())::get, GetAliasesAction.NAME, "aliases_only"); } public void testGetAliasesAliasesOnlyPermissionIgnoreUnavailable() { diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/ReadActionsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/ReadActionsTests.java index ed64de0a5de..d9a996dba28 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/ReadActionsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/ReadActionsTests.java @@ -6,11 +6,16 @@ package org.elasticsearch.xpack.security.authz; import org.elasticsearch.ElasticsearchSecurityException; +import org.elasticsearch.action.get.GetAction; +import org.elasticsearch.action.get.MultiGetAction; import org.elasticsearch.action.get.MultiGetResponse; import org.elasticsearch.action.search.MultiSearchResponse; +import org.elasticsearch.action.search.SearchAction; import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.action.support.IndicesOptions; +import org.elasticsearch.action.termvectors.MultiTermVectorsAction; import org.elasticsearch.action.termvectors.MultiTermVectorsResponse; +import org.elasticsearch.action.termvectors.TermVectorsAction; import org.elasticsearch.client.Requests; import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.search.SearchHit; @@ -20,9 +25,9 @@ import org.elasticsearch.test.SecuritySettingsSource; import java.util.ArrayList; import java.util.List; -import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; +import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationExceptionDefaultUsers; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionDefaultUsers; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoSearchHits; -import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.core.IsCollectionContaining.hasItems; import static org.hamcrest.core.IsEqual.equalTo; import static org.hamcrest.core.IsInstanceOf.instanceOf; @@ -118,12 +123,12 @@ public class ReadActionsTests extends SecurityIntegTestCase { public void testExplicitNonAuthorizedIndex() { createIndicesWithRandomAliases("test1", "test2", "index1"); - assertThrowsAuthorizationException(client().prepareSearch("test*", "index1")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareSearch("test*", "index1")::get, SearchAction.NAME); } public void testIndexNotFound() { createIndicesWithRandomAliases("test1", "test2", "index1"); - assertThrowsAuthorizationException(client().prepareSearch("missing")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareSearch("missing")::get, SearchAction.NAME); } public void testIndexNotFoundIgnoreUnavailable() { @@ -212,7 +217,7 @@ public class ReadActionsTests extends SecurityIntegTestCase { assertTrue(multiSearchResponse.getResponses()[1].isFailure()); Exception exception = multiSearchResponse.getResponses()[1].getFailure(); assertThat(exception, instanceOf(ElasticsearchSecurityException.class)); - assertAuthorizationException((ElasticsearchSecurityException)exception, containsString("is unauthorized for user [")); + assertAuthorizationExceptionDefaultUsers(exception, SearchAction.NAME); } { MultiSearchResponse multiSearchResponse = client().prepareMultiSearch() @@ -243,7 +248,7 @@ public class ReadActionsTests extends SecurityIntegTestCase { assertTrue(multiSearchResponse.getResponses()[1].isFailure()); Exception exception = multiSearchResponse.getResponses()[1].getFailure(); assertThat(exception, instanceOf(ElasticsearchSecurityException.class)); - assertAuthorizationException((ElasticsearchSecurityException)exception, containsString("is unauthorized for user [")); + assertAuthorizationExceptionDefaultUsers(exception, SearchAction.NAME); } { MultiSearchResponse multiSearchResponse = client().prepareMultiSearch() @@ -333,13 +338,9 @@ public class ReadActionsTests extends SecurityIntegTestCase { client().prepareGet("test1", "type", "id").get(); - ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, - () -> client().prepareGet("index1", "type", "id").get()); - assertAuthorizationException(securityException); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareGet("index1", "type", "id")::get, GetAction.NAME); - securityException = expectThrows(ElasticsearchSecurityException.class, - () -> client().prepareGet("missing", "type", "id").get()); - assertAuthorizationException(securityException); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareGet("missing", "type", "id")::get, GetAction.NAME); expectThrows(IndexNotFoundException.class, () -> client().prepareGet("test5", "type", "id").get()); } @@ -357,7 +358,8 @@ public class ReadActionsTests extends SecurityIntegTestCase { assertEquals("test1", multiGetResponse.getResponses()[0].getResponse().getIndex()); assertTrue(multiGetResponse.getResponses()[1].isFailed()); assertEquals("index1", multiGetResponse.getResponses()[1].getFailure().getIndex()); - assertAuthorizationException((ElasticsearchSecurityException) multiGetResponse.getResponses()[1].getFailure().getFailure()); + assertAuthorizationExceptionDefaultUsers(multiGetResponse.getResponses()[1].getFailure().getFailure(), + MultiGetAction.NAME + "[shard]"); assertFalse(multiGetResponse.getResponses()[2].isFailed()); assertEquals("test3", multiGetResponse.getResponses()[2].getResponse().getIndex()); assertTrue(multiGetResponse.getResponses()[3].isFailed()); @@ -374,13 +376,9 @@ public class ReadActionsTests extends SecurityIntegTestCase { createIndicesWithRandomAliases("test1", "index1"); client().prepareTermVectors("test1", "type", "id").get(); - ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, - () -> client().prepareTermVectors("index1", "type", "id").get()); - assertAuthorizationException(securityException); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareTermVectors("index1", "type", "id")::get, TermVectorsAction.NAME); - securityException = expectThrows(ElasticsearchSecurityException.class, - () -> client().prepareTermVectors("missing", "type", "id").get()); - assertAuthorizationException(securityException); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareTermVectors("missing", "type", "id")::get, TermVectorsAction.NAME); expectThrows(IndexNotFoundException.class, () -> client().prepareTermVectors("test5", "type", "id").get()); } @@ -398,12 +396,13 @@ public class ReadActionsTests extends SecurityIntegTestCase { assertEquals("test1", response.getResponses()[0].getResponse().getIndex()); assertTrue(response.getResponses()[1].isFailed()); assertEquals("index1", response.getResponses()[1].getFailure().getIndex()); - assertAuthorizationException((ElasticsearchSecurityException) response.getResponses()[1].getFailure().getCause()); + assertAuthorizationExceptionDefaultUsers(response.getResponses()[1].getFailure().getCause(), + MultiTermVectorsAction.NAME + "[shard]"); assertFalse(response.getResponses()[2].isFailed()); assertEquals("test3", response.getResponses()[2].getResponse().getIndex()); assertTrue(response.getResponses()[3].isFailed()); assertEquals("missing", response.getResponses()[3].getFailure().getIndex()); - //different behaviour compared to get api: we leak information about a non existing index that the current user is not + //different behaviour compared to term_vector api: we leak information about a non existing index that the current user is not //authorized for. Should rather be an authorization exception but we only authorize at the shard level in mget. If we //authorized globally, we would fail the whole mget request which is not desirable. assertThat(response.getResponses()[3].getFailure().getCause(), instanceOf(IndexNotFoundException.class)); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java index 434b59c61c0..a30e5be7f9b 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java @@ -7,16 +7,21 @@ package org.elasticsearch.xpack.security.authz; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.action.DocWriteRequest; +import org.elasticsearch.action.bulk.BulkAction; import org.elasticsearch.action.bulk.BulkResponse; +import org.elasticsearch.action.delete.DeleteAction; import org.elasticsearch.action.delete.DeleteRequest; +import org.elasticsearch.action.index.IndexAction; import org.elasticsearch.action.index.IndexRequest; +import org.elasticsearch.action.update.UpdateAction; import org.elasticsearch.action.update.UpdateRequest; import org.elasticsearch.index.engine.DocumentMissingException; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.test.SecuritySettingsSource; -import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; +import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationExceptionDefaultUsers; +import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionDefaultUsers; import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.core.IsInstanceOf.instanceOf; @@ -41,14 +46,13 @@ public class WriteActionsTests extends SecurityIntegTestCase { createIndex("test1", "index1"); client().prepareIndex("test1", "type", "id").setSource("field", "value").get(); - assertThrowsAuthorizationException(client().prepareIndex("index1", "type", "id").setSource("field", "value")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("index1", "type", "id").setSource("field", "value")::get, + IndexAction.NAME); client().prepareIndex("test4", "type", "id").setSource("field", "value").get(); //the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization - ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, - () -> client().prepareIndex("missing", "type", "id").setSource("field", "value").get()); - assertAuthorizationException(exception); - assertThat(exception.getMessage(), containsString("[indices:data/write/index] is unauthorized")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("missing", "type", "id").setSource("field", "value")::get, + IndexAction.NAME); } public void testDelete() { @@ -56,14 +60,11 @@ public class WriteActionsTests extends SecurityIntegTestCase { client().prepareIndex("test1", "type", "id").setSource("field", "value").get(); assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status()); - assertThrowsAuthorizationException(client().prepareDelete("index1", "type", "id")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, DeleteAction.NAME); assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status()); - ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, - () -> client().prepareDelete("missing", "type", "id").get()); - assertAuthorizationException(exception); - assertThat(exception.getMessage(), containsString("[indices:data/write/delete] is unauthorized")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, DeleteAction.NAME); } public void testUpdate() { @@ -71,14 +72,13 @@ public class WriteActionsTests extends SecurityIntegTestCase { client().prepareIndex("test1", "type", "id").setSource("field", "value").get(); assertEquals(RestStatus.OK, client().prepareUpdate("test1", "type", "id").setDoc("field2", "value2").get().status()); - assertThrowsAuthorizationException(client().prepareUpdate("index1", "type", "id").setDoc("field2", "value2")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareUpdate("index1", "type", "id").setDoc("field2", "value2")::get, + UpdateAction.NAME); expectThrows(DocumentMissingException.class, () -> client().prepareUpdate("test4", "type", "id").setDoc("field2", "value2").get()); - ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, - () -> client().prepareUpdate("missing", "type", "id").setDoc("field2", "value2").get()); - assertAuthorizationException(exception); - assertThat(exception.getMessage(), containsString("[indices:data/write/update] is unauthorized")); + assertThrowsAuthorizationExceptionDefaultUsers(client().prepareUpdate("missing", "type", "id").setDoc("field2", "value2")::get, + UpdateAction.NAME); } public void testBulk() { @@ -105,7 +105,7 @@ public class WriteActionsTests extends SecurityIntegTestCase { assertTrue(bulkResponse.getItems()[1].isFailed()); assertEquals(DocWriteRequest.OpType.INDEX, bulkResponse.getItems()[1].getOpType()); assertEquals("index1", bulkResponse.getItems()[1].getFailure().getIndex()); - assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[1].getFailure().getCause()); + assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[1].getFailure().getCause(), BulkAction.NAME + "[s]"); assertThat(bulkResponse.getItems()[1].getFailure().getCause().getMessage(), containsString("[indices:data/write/bulk[s]] is unauthorized")); assertFalse(bulkResponse.getItems()[2].isFailed()); @@ -116,7 +116,7 @@ public class WriteActionsTests extends SecurityIntegTestCase { //the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization assertEquals("missing", bulkResponse.getItems()[3].getFailure().getIndex()); assertThat(bulkResponse.getItems()[3].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class)); - assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[3].getFailure().getCause()); + assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[3].getFailure().getCause(), BulkAction.NAME + "[s]"); assertThat(bulkResponse.getItems()[3].getFailure().getCause().getMessage(), containsString("[indices:data/write/bulk[s]] is unauthorized")); assertFalse(bulkResponse.getItems()[4].isFailed()); @@ -125,7 +125,7 @@ public class WriteActionsTests extends SecurityIntegTestCase { assertTrue(bulkResponse.getItems()[5].isFailed()); assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[5].getOpType()); assertEquals("index1", bulkResponse.getItems()[5].getFailure().getIndex()); - assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[5].getFailure().getCause()); + assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[5].getFailure().getCause(), BulkAction.NAME + "[s]"); assertThat(bulkResponse.getItems()[5].getFailure().getCause().getMessage(), containsString("[indices:data/write/bulk[s]] is unauthorized")); assertFalse(bulkResponse.getItems()[6].isFailed()); @@ -134,7 +134,7 @@ public class WriteActionsTests extends SecurityIntegTestCase { assertTrue(bulkResponse.getItems()[7].isFailed()); assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[7].getOpType()); assertEquals("missing", bulkResponse.getItems()[7].getFailure().getIndex()); - assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[7].getFailure().getCause()); + assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[7].getFailure().getCause(), BulkAction.NAME + "[s]"); assertThat(bulkResponse.getItems()[7].getFailure().getCause().getMessage(), containsString("[indices:data/write/bulk[s]] is unauthorized")); assertFalse(bulkResponse.getItems()[8].isFailed()); @@ -146,7 +146,7 @@ public class WriteActionsTests extends SecurityIntegTestCase { assertTrue(bulkResponse.getItems()[10].isFailed()); assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[10].getOpType()); assertEquals("index1", bulkResponse.getItems()[10].getFailure().getIndex()); - assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[10].getFailure().getCause()); + assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[10].getFailure().getCause(), BulkAction.NAME + "[s]"); assertThat(bulkResponse.getItems()[10].getFailure().getCause().getMessage(), containsString("[indices:data/write/bulk[s]] is unauthorized")); assertTrue(bulkResponse.getItems()[11].isFailed()); @@ -157,7 +157,7 @@ public class WriteActionsTests extends SecurityIntegTestCase { assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[12].getOpType()); assertEquals("missing", bulkResponse.getItems()[12].getFailure().getIndex()); assertThat(bulkResponse.getItems()[12].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class)); - assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[12].getFailure().getCause()); + assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[12].getFailure().getCause(), BulkAction.NAME + "[s]"); assertThat(bulkResponse.getItems()[12].getFailure().getCause().getMessage(), containsString("[indices:data/write/bulk[s]] is unauthorized")); }