From c9392183d2fe226cb8d77c749ba3cbbe5b7087dd Mon Sep 17 00:00:00 2001
From: Tanguy Leroux <tlrx.dev@gmail.com>
Date: Thu, 31 Mar 2016 18:01:31 +0200
Subject: [PATCH] Monitoring: Add smoke test for Monitoring with Security

Original commit: elastic/x-pack-elasticsearch@9dc800ebcc263e35a6d6d4093b2602a0cbb39a02
---
 .../build.gradle                              | 40 ++++++++++++++
 .../roles.yml                                 | 19 +++++++
 .../smoketest/MonitoringWithShieldIT.java     | 55 +++++++++++++++++++
 ...onitoringWithShieldInsufficientRoleIT.java | 36 ++++++++++++
 4 files changed, 150 insertions(+)
 create mode 100644 elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle
 create mode 100644 elasticsearch/qa/smoke-test-monitoring-with-shield/roles.yml
 create mode 100644 elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldIT.java
 create mode 100644 elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldInsufficientRoleIT.java

diff --git a/elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle b/elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle
new file mode 100644
index 00000000000..ea8536bd10f
--- /dev/null
+++ b/elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle
@@ -0,0 +1,40 @@
+apply plugin: 'elasticsearch.rest-test'
+
+dependencies {
+  testCompile project(path: ':x-plugins:elasticsearch:x-pack', configuration: 'runtime')
+}
+
+// bring in monitoring rest test suite
+task copyMonitoringRestTests(type: Copy) {
+  into project.sourceSets.test.output.resourcesDir
+  from project(':x-plugins:elasticsearch:x-pack').sourceSets.test.resources.srcDirs
+  include 'rest-api-spec/test/monitoring/**'
+}
+
+integTest {
+  dependsOn copyMonitoringRestTests
+
+  cluster {
+    plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack')
+    setting 'xpack.monitoring.agent.interval', '3s'
+    extraConfigFile 'x-pack/roles.yml', 'roles.yml'
+    setupCommand 'setupTestAdminUser',
+                 'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'admin'
+    setupCommand 'setupMonitoredSystemUser',
+                 'bin/x-pack/users', 'useradd', 'monitored_system', '-p', 'changeme', '-r', 'monitored_system,required_for_test'
+    setupCommand 'setupPowerlessUser',
+                 'bin/x-pack/users', 'useradd', 'no_monitored_system', '-p', 'changeme', '-r', 'required_for_test'
+
+    waitCondition = { node, ant ->
+      File tmpFile = new File(node.cwd, 'wait.success')
+      ant.get(src: "http://${node.httpUri()}",
+              dest: tmpFile.toString(),
+              username: 'test_admin',
+              password: 'changeme',
+              ignoreerrors: true,
+              retries: 10)
+      return tmpFile.exists()
+    }
+  }
+}
+
diff --git a/elasticsearch/qa/smoke-test-monitoring-with-shield/roles.yml b/elasticsearch/qa/smoke-test-monitoring-with-shield/roles.yml
new file mode 100644
index 00000000000..308a49051b7
--- /dev/null
+++ b/elasticsearch/qa/smoke-test-monitoring-with-shield/roles.yml
@@ -0,0 +1,19 @@
+admin:
+  cluster:
+    - all
+  indices:
+    - names: '*'
+      privileges:
+        - all
+
+monitored_system:
+  cluster: [ 'cluster:admin/xpack/monitoring/bulk' ]
+
+required_for_test:
+  cluster: [ 'monitor' ]
+  indices:
+    - names: '.monitoring-*'
+      privileges:
+        - write
+        - read
+        - manage
diff --git a/elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldIT.java b/elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldIT.java
new file mode 100644
index 00000000000..8c803d543f6
--- /dev/null
+++ b/elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldIT.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.smoketest;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.shield.authc.support.SecuredString;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.elasticsearch.test.rest.RestTestCandidate;
+import org.elasticsearch.test.rest.parser.RestTestParseException;
+
+import java.io.IOException;
+
+import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
+
+public class MonitoringWithShieldIT extends ESRestTestCase {
+
+    private final static String TEST_ADMIN_USERNAME = "test_admin";
+    private final static String TEST_ADMIN_PASSWORD = "changeme";
+
+    public MonitoringWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
+        super(testCandidate);
+    }
+
+    @ParametersFactory
+    public static Iterable<Object[]> parameters() throws IOException, RestTestParseException {
+        return ESRestTestCase.createParameters(0, 1);
+    }
+
+    protected String[] getCredentials() {
+        return new String[]{"monitored_system", "changeme"};
+    }
+
+    @Override
+    protected Settings restClientSettings() {
+        String[] creds = getCredentials();
+        String token = basicAuthHeaderValue(creds[0], new SecuredString(creds[1].toCharArray()));
+        return Settings.builder()
+                .put(ThreadContext.PREFIX + ".Authorization", token)
+                .build();
+    }
+
+    @Override
+    protected Settings restAdminSettings() {
+        String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, new SecuredString(TEST_ADMIN_PASSWORD.toCharArray()));
+        return Settings.builder()
+                .put(ThreadContext.PREFIX + ".Authorization", token)
+                .build();
+    }
+}
diff --git a/elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldInsufficientRoleIT.java b/elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldInsufficientRoleIT.java
new file mode 100644
index 00000000000..e08a0e992a1
--- /dev/null
+++ b/elasticsearch/qa/smoke-test-monitoring-with-shield/src/test/java/org/elasticsearch/smoketest/MonitoringWithShieldInsufficientRoleIT.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.smoketest;
+
+import com.carrotsearch.randomizedtesting.annotations.Name;
+import org.elasticsearch.test.rest.RestTestCandidate;
+
+import java.io.IOException;
+
+import static org.hamcrest.Matchers.containsString;
+
+public class MonitoringWithShieldInsufficientRoleIT extends MonitoringWithShieldIT {
+
+    public MonitoringWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
+        super(testCandidate);
+    }
+
+    public void test() throws IOException {
+        try {
+            super.test();
+            fail("should have failed because of missing role");
+        } catch(AssertionError ae) {
+            assertThat(ae.getMessage(), containsString("action [cluster:admin/xpack/monitoring/bulk]"));
+            assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
+            assertThat(ae.getMessage(), containsString("is unauthorized for user [no_monitored_system]"));
+        }
+    }
+
+    @Override
+    protected String[] getCredentials() {
+        return new String[]{"no_monitored_system", "changeme"};
+    }
+}