From 4d3bc7132713c848d517451af2a52c7ac892a697 Mon Sep 17 00:00:00 2001
From: jaymode
Date: Thu, 11 May 2017 09:18:57 -0400
Subject: [PATCH] Test: randomly assign the superuser role in RunAsIntegTests

This commit updates the RunAsIntegTests to randomly assign the superuser role to the user that is authenticating with the cluster but the request is being run as a different user. This provides additional validation that the authorization errors are actually coming from the user the request is running as and not due to the authenticating user's privileges.

Original commit: elastic/x-pack-elasticsearch@c6360d13e621d16b205071d97f084099d4c44156
---
 .../xpack/security/authc/RunAsIntegTests.java | 43 +++++++++++++------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/RunAsIntegTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/RunAsIntegTests.java
index 1918f8413a2..d24fc2dbf93 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/RunAsIntegTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/RunAsIntegTests.java
@@ -22,6 +22,7 @@ import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.test.SecuritySettingsSource;
 import org.elasticsearch.xpack.TestXPackTransportClient;
+import org.junit.BeforeClass;
 
 import java.util.Collections;
 import java.util.HashMap;
@@ -34,12 +35,21 @@ import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.is;
 
 public class RunAsIntegTests extends SecurityIntegTestCase {
- static final String RUN_AS_USER = "run_as_user";
- static final String TRANSPORT_CLIENT_USER = "transport_user";
- static final String ROLES =
+
+ private static final String RUN_AS_USER = "run_as_user";
+ private static final String TRANSPORT_CLIENT_USER = "transport_user";
+ private static final String ROLES =
 "run_as_role:\n" +
 " run_as: [ '" + SecuritySettingsSource.DEFAULT_USER_NAME + "', 'idontexist' ]\n";
 
+ // indicates whether the RUN_AS_USER that is being authenticated is also a superuser
+ private static boolean runAsHasSuperUserRole;
+
+ @BeforeClass
+ public static void configureRunAsHasSuperUserRole() {
+ runAsHasSuperUserRole = randomBoolean();
+ }
+
 @Override
 public Settings nodeSettings(int nodeOrdinal) {
 return Settings.builder()
@@ -62,9 +72,14 @@ public class RunAsIntegTests extends SecurityIntegTestCase {
 
 @Override
 public String configUsersRoles() {
- return super.configUsersRoles()
+ String roles = super.configUsersRoles()
 + "run_as_role:" + RUN_AS_USER + "\n"
 + "transport_client:" + TRANSPORT_CLIENT_USER;
+ if (runAsHasSuperUserRole) {
+ roles = roles + "\n" +
+ "superuser:" + RUN_AS_USER;
+ }
+ return roles;
 }
 
 @Override
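Review bot: The comment on `runAsHasSuperUserRole` says what the flag holds but not why it is randomised, so a reader of the test cannot tell that the interesting case is the `true` one, where the 403s asserted later must come from the run-as target's roles rather than from the authenticating user's; I would extend it to `// randomly true so the test also covers an authenticating user with full privileges: the 403s asserted below must then come from the run-as target's roles, not from RUN_AS_USER`, which is what the commit message states but the code does not. The `@BeforeClass` assignment in `configureRunAsHasSuperUserRole` also appears to rely on the superclass building the cluster and calling `configUsersRoles()` only after this method has run, which is inferred rather than visible here; a one-line comment recording that ordering assumption would save the next maintainer from debugging a flag that is still `false` when the roles file is written. The same flag drives the conditional in `configUsersRoles()` in the next hunk.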
@@ -121,15 +136,17 @@ public class RunAsIntegTests extends SecurityIntegTestCase {
 assertThat(e.getResponse().getStatusLine().getStatusCode(), is(403));
 }
 
- try {
- //the run as user shouldn't have access to the nodes api
- getRestClient().performRequest("GET", "/_nodes",
- new BasicHeader(UsernamePasswordToken.BASIC_AUTH_HEADER,
- UsernamePasswordToken.basicAuthHeaderValue(RUN_AS_USER,
- DEFAULT_PASSWORD_SECURE_STRING)));
- fail("request should have failed");
- } catch(ResponseException e) {
- assertThat(e.getResponse().getStatusLine().getStatusCode(), is(403));
+ if (runAsHasSuperUserRole == false) {
+ try {
+ //the run as user shouldn't have access to the nodes api
+ getRestClient().performRequest("GET", "/_nodes",
+ new BasicHeader(UsernamePasswordToken.BASIC_AUTH_HEADER,
+ UsernamePasswordToken.basicAuthHeaderValue(RUN_AS_USER,
+ DEFAULT_PASSWORD_SECURE_STRING)));
+ fail("request should have failed");
+ } catch (ResponseException e) {
+ assertThat(e.getResponse().getStatusLine().getStatusCode(), is(403));
+ }
 }
 
 // but when running as a different user it should work
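Review bot: When `runAsHasSuperUserRole` is true the new `if` skips the direct `/_nodes` check entirely, so that branch never verifies that the `superuser:` mapping appended in `configUsersRoles()` actually took effect; if the mapping were silently dropped, the run-as assertions that follow would still pass and the randomisation would add no coverage in half of the runs. An `else` branch asserting that the direct request now succeeds pins both halves and makes a failure in the roles file visible at the point it matters. The enclosing test method starts above this hunk and continues below it.
```java
if (runAsHasSuperUserRole == false) {
    // … unchanged: try/catch expecting 403 for the direct /_nodes request …
} else {
    // the superuser mapping must be live, otherwise this branch of the random choice proves nothing
    assertThat(getRestClient().performRequest("GET", "/_nodes",
            new BasicHeader(UsernamePasswordToken.BASIC_AUTH_HEADER,
                    UsernamePasswordToken.basicAuthHeaderValue(RUN_AS_USER,
                            DEFAULT_PASSWORD_SECURE_STRING))).getStatusLine().getStatusCode(), is(200));
}
```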