Ensure SAS Tokens in Test Use Minimal Permissions (#46112) (#46628)

There were some issues with the Azure implementation requiring
permissions to list all containers ue to a container exists
check. This was caught in CI this time, but going forward we
should ensure that CI is executed using a token that does not
allow listing containers.

Relates #43288
This commit is contained in:
Armin Braun 2019-09-17 15:40:11 +02:00 committed by GitHub
parent 92e518e789
commit b00de8edf3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 1 deletions

View File

@ -68,6 +68,10 @@ public class AzureBlobStore implements BlobStore {
return container;
}
public AzureStorageService getService() {
return service;
}
/**
* Gets the configured {@link LocationMode} for the Azure storage requests.
*/

View File

@ -19,15 +19,25 @@
package org.elasticsearch.repositories.azure;
import com.microsoft.azure.storage.OperationContext;
import com.microsoft.azure.storage.StorageException;
import com.microsoft.azure.storage.blob.CloudBlobClient;
import com.microsoft.azure.storage.blob.CloudBlobContainer;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureSettings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.repositories.AbstractThirdPartyRepositoryTestCase;
import org.elasticsearch.repositories.blobstore.BlobStoreRepository;
import java.net.HttpURLConnection;
import java.util.Collection;
import java.util.function.Supplier;
import static org.hamcrest.Matchers.blankOrNullString;
import static org.hamcrest.Matchers.equalTo;
@ -71,5 +81,32 @@ public class AzureStorageCleanupThirdPartyTests extends AbstractThirdPartyReposi
.put("base_path", System.getProperty("test.azure.base"))
).get();
assertThat(putRepositoryResponse.isAcknowledged(), equalTo(true));
if (Strings.hasText(System.getProperty("test.azure.sas_token"))) {
ensureSasTokenPermissions();
}
}
private void ensureSasTokenPermissions() {
final BlobStoreRepository repository = getRepository();
final PlainActionFuture<Void> future = PlainActionFuture.newFuture();
repository.threadPool().generic().execute(ActionRunnable.wrap(future, l -> {
final AzureBlobStore blobStore = (AzureBlobStore) repository.blobStore();
final String account = "default";
final Tuple<CloudBlobClient, Supplier<OperationContext>> client = blobStore.getService().client(account);
final CloudBlobContainer blobContainer = client.v1().getContainerReference(blobStore.toString());
try {
SocketAccess.doPrivilegedException(() -> blobContainer.exists(null, null, client.v2().get()));
future.onFailure(new RuntimeException(
"The SAS token used in this test allowed for checking container existence. This test only supports tokens " +
"that grant only the documented permission requirements for the Azure repository plugin."));
} catch (StorageException e) {
if (e.getHttpStatusCode() == HttpURLConnection.HTTP_FORBIDDEN) {
future.onResponse(null);
} else {
future.onFailure(e);
}
}
}));
future.actionGet();
}
}

View File

@ -302,7 +302,7 @@ public abstract class AbstractThirdPartyRepositoryTestCase extends ESSingleNodeT
return future.actionGet();
}
private BlobStoreRepository getRepository() {
protected BlobStoreRepository getRepository() {
return (BlobStoreRepository) getInstanceFromNode(RepositoriesService.class).repository("test-repo");
}
}