test: add a simple test for reserved realm authentication

See elastic/elasticsearch#2089 Original commit: elastic/x-pack-elasticsearch@1bede0a206
2025-02-17 18:35:25 +00:00 · 2016-04-25 07:34:14 -04:00 · 2016-04-25 07:34:14 -04:00 · c7ad6b9872
commit c7ad6b9872
parent bc3dd65fe6
1 changed files with 16 additions and 0 deletions
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java
@ -131,4 +131,20 @@ public class ReservedRealmTests extends ESTestCase {

        assertThat(ReservedRealm.users(), containsInAnyOrder((User) XPackUser.INSTANCE, KibanaUser.INSTANCE));
    }
+
+    public void testFailedAuthentication() {
+        final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore);
+        // maybe cache a successful auth
+        if (randomBoolean()) {
+            User user = reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("changeme".toCharArray())));
+            assertThat(user, sameInstance(XPackUser.INSTANCE));
+        }
+
+        try {
+            reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("foobar".toCharArray())));
+            fail("authentication should throw an exception otherwise we may allow others to impersonate reserved users...");
+        } catch (ElasticsearchSecurityException e) {
+            assertThat(e.getMessage(), containsString("failed to authenticate"));
+        }
+    }
 }