honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-17 18:35:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

[TEST] Fix issue with bulk security rejections

Browse Source 
Now that /_bulk requests are handled on a shard level, the entire request isn't
rejected, instead, each individual request is rejected. This changes the assert
accordingly.

Relates to elastic/elasticsearch#4441

Original commit: elastic/x-pack-elasticsearch@7ca777b574
This commit is contained in:
Lee Hinman 2017-01-13 11:49:37 -07:00
parent 4db2d7101a
commit 1ee5ac8a89
2 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
elasticsearch/src/test/java/org/elasticsearch/integration/AbstractPrivilegeTestCase.java
View File

@ -23,6 +23,7 @@ import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;
@ -74,6 +75,27 @@ public abstract class AbstractPrivilegeTestCase extends SecurityIntegTestCase {
assertThat(message, statusLine.getStatusCode(), is(403));
}
protected void assertBodyHasAccessIsDenied(String user, String method, String uri, String body) throws IOException {
assertBodyHasAccessIsDenied(user, method, uri, body, new HashMap<>());
}
/**
* Like {@code assertAcessIsDenied}, but for _bulk requests since the entire
* request will not be failed, just the individual ones
*/
protected void assertBodyHasAccessIsDenied(String user, String method, String uri, String body,
Map<String, String> params) throws IOException {
Response resp = getRestClient().performRequest(method, uri, params, entityOrNull(body),
new BasicHeader(UsernamePasswordToken.BASIC_AUTH_HEADER,
UsernamePasswordToken.basicAuthHeaderValue(user, new SecuredString("passwd".toCharArray()))));
StatusLine statusLine = resp.getStatusLine();
assertThat(statusLine.getStatusCode(), is(200));
HttpEntity bodyEntity = resp.getEntity();
String bodyStr = EntityUtils.toString(bodyEntity);
assertThat(bodyStr, containsString("unauthorized for user [" + user + "]"));
}
private static HttpEntity entityOrNull(String body) {
HttpEntity entity = null;
if (body != null) {

6
elasticsearch/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java
View File

@ -347,7 +347,7 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase {
assertAccessIsDenied("u11",
"GET", "/" + randomIndex() + "/foo/_msearch", "{}\n{ \"query\" : { \"match_all\" : {} } }\n");
assertAccessIsDenied("u11", "POST", "/" + randomIndex() + "/foo/_mget", "{ \"ids\" : [ \"1\", \"2\" ] } ");
assertAccessIsDenied("u11", "PUT",
assertBodyHasAccessIsDenied("u11", "PUT",
"/" + randomIndex() + "/foo/_bulk", "{ \"index\" : { \"_id\" : \"123\" } }\n{ \"foo\" : \"bar\" }\n");
assertAccessIsDenied("u11",
"GET", "/" + randomIndex() + "/foo/_mtermvectors", "{ \"docs\" : [ { \"_id\": \"1\" }, { \"_id\": \"2\" } ] }");
@ -386,8 +386,8 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase {
assertAccessIsAllowed("u13",
"GET", "/" + randomIndex() + "/foo/_msearch", "{}\n{ \"query\" : { \"match_all\" : {} } }\n");
assertAccessIsAllowed("u13", "POST", "/" + randomIndex() + "/foo/_mget", "{ \"ids\" : [ \"1\", \"2\" ] } ");
assertAccessIsDenied("u13", "PUT",
"/" + randomIndex() + "/foo/_bulk", "{ \"index\" : { \"_id\" : \"123\" } }\n{ \"foo\" : \"bar\" }\n");
assertAccessIsAllowed("u13", "PUT", "/a/foo/_bulk", "{ \"index\" : { \"_id\" : \"123\" } }\n{ \"foo\" : \"bar\" }\n");
assertBodyHasAccessIsDenied("u13", "PUT", "/b/foo/_bulk", "{ \"index\" : { \"_id\" : \"123\" } }\n{ \"foo\" : \"bar\" }\n");
assertAccessIsAllowed("u13",
"GET", "/" + randomIndex() + "/foo/_mtermvectors", "{ \"docs\" : [ { \"_id\": \"1\" }, { \"_id\": \"2\" } ] }");
}