Test: randomly assign the superuser role in RunAsIntegTests

This commit updates the RunAsIntegTests to randomly assign the superuser role to the user that
is authenticating with the cluster but the request is being run as a different user. This provides
additional validation that the authorization errors are actually coming from the user the request
is running as and not due to the authenticating user's privileges.

Original commit: elastic/x-pack-elasticsearch@c6360d13e6
This commit is contained in:
jaymode 2017-05-11 09:18:57 -04:00
parent 69f9fa8ae9
commit 4d3bc71327
1 changed files with 30 additions and 13 deletions

View File

@ -22,6 +22,7 @@ import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.xpack.TestXPackTransportClient;
import org.junit.BeforeClass;
import java.util.Collections;
import java.util.HashMap;
@ -34,12 +35,21 @@ import static org.hamcrest.Matchers.greaterThan;
import static org.hamcrest.Matchers.is;
public class RunAsIntegTests extends SecurityIntegTestCase {
static final String RUN_AS_USER = "run_as_user";
static final String TRANSPORT_CLIENT_USER = "transport_user";
static final String ROLES =
private static final String RUN_AS_USER = "run_as_user";
private static final String TRANSPORT_CLIENT_USER = "transport_user";
private static final String ROLES =
"run_as_role:\n" +
" run_as: [ '" + SecuritySettingsSource.DEFAULT_USER_NAME + "', 'idontexist' ]\n";
// indicates whether the RUN_AS_USER that is being authenticated is also a superuser
private static boolean runAsHasSuperUserRole;
@BeforeClass
public static void configureRunAsHasSuperUserRole() {
runAsHasSuperUserRole = randomBoolean();
}
@Override
public Settings nodeSettings(int nodeOrdinal) {
return Settings.builder()
@ -62,9 +72,14 @@ public class RunAsIntegTests extends SecurityIntegTestCase {
@Override
public String configUsersRoles() {
return super.configUsersRoles()
String roles = super.configUsersRoles()
+ "run_as_role:" + RUN_AS_USER + "\n"
+ "transport_client:" + TRANSPORT_CLIENT_USER;
if (runAsHasSuperUserRole) {
roles = roles + "\n"
+ "superuser:" + RUN_AS_USER;
}
return roles;
}
@Override
@ -121,6 +136,7 @@ public class RunAsIntegTests extends SecurityIntegTestCase {
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(403));
}
if (runAsHasSuperUserRole == false) {
try {
//the run as user shouldn't have access to the nodes api
getRestClient().performRequest("GET", "/_nodes",
@ -128,9 +144,10 @@ public class RunAsIntegTests extends SecurityIntegTestCase {
UsernamePasswordToken.basicAuthHeaderValue(RUN_AS_USER,
DEFAULT_PASSWORD_SECURE_STRING)));
fail("request should have failed");
} catch(ResponseException e) {
} catch (ResponseException e) {
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(403));
}
}
// but when running as a different user it should work
Response response = getRestClient().performRequest("GET", "/_nodes",