Marvel: Reimplement SecuredClient

closes elastic/elasticsearch#1150

i#Update after Uri's review

Original commit: elastic/x-pack-elasticsearch@2526dc9da1

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/ExportersTests.java

@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.marvel.agent.exporter;
 
+import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterService;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.settings.ClusterSettings;
@@ -14,6 +15,7 @@ import org.elasticsearch.marvel.agent.exporter.local.LocalExporter;
 import org.elasticsearch.marvel.agent.renderer.RendererRegistry;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.shield.MarvelSettingsFilter;
+import org.elasticsearch.marvel.shield.MarvelShieldIntegration;
 import org.elasticsearch.marvel.shield.SecuredClient;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Before;
@@ -52,12 +54,12 @@ public class ExportersTests extends ESTestCase {
     public void init() throws Exception {
         factories = new HashMap<>();
 
-        SecuredClient securedClient = mock(SecuredClient.class);
+        Client client = mock(Client.class);
-        when(securedClient.settings()).thenReturn(Settings.EMPTY);
+        when(client.settings()).thenReturn(Settings.EMPTY);
         clusterService = mock(ClusterService.class);
 
         // we always need to have the local exporter as it serves as the default one
-        factories.put(LocalExporter.TYPE, new LocalExporter.Factory(securedClient, clusterService, mock(RendererRegistry.class)));
+        factories.put(LocalExporter.TYPE, new LocalExporter.Factory(new SecuredClient(client, mock(MarvelShieldIntegration.class)), clusterService, mock(RendererRegistry.class)));
         clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(MarvelSettings.COLLECTORS_SETTING, MarvelSettings.INTERVAL_SETTING, Exporters.EXPORTERS_SETTING)));
         settingsFilter = mock(MarvelSettingsFilter.class);
         exporters = new Exporters(Settings.EMPTY, factories, settingsFilter, clusterService, clusterSettings);

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/shield/SecuredClientTests.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.marvel.shield;
+
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.index.IndexNotFoundException;
+import org.elasticsearch.marvel.agent.exporter.MarvelTemplateUtils;
+import org.elasticsearch.marvel.agent.settings.MarvelSettings;
+import org.elasticsearch.marvel.test.MarvelIntegTestCase;
+import org.elasticsearch.rest.RestStatus;
+
+import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
+import static org.hamcrest.Matchers.is;
+
+public class SecuredClientTests extends MarvelIntegTestCase {
+
+    public void testAllowedAccess() {
+        SecuredClient securedClient = internalCluster().getInstance(SecuredClient.class);
+
+        assertAccessIsAllowed(securedClient.admin().cluster().prepareHealth());
+        assertAccessIsAllowed(securedClient.admin().cluster().prepareClusterStats());
+        assertAccessIsAllowed(securedClient.admin().cluster().prepareState());
+        assertAccessIsAllowed(securedClient.admin().cluster().prepareNodesInfo());
+        assertAccessIsAllowed(securedClient.admin().cluster().prepareNodesStats());
+        assertAccessIsAllowed(securedClient.admin().cluster().prepareNodesHotThreads());
+
+        assertAccessIsAllowed(securedClient.admin().indices().prepareGetSettings());
+        assertAccessIsAllowed(securedClient.admin().indices().prepareSegments());
+        assertAccessIsAllowed(securedClient.admin().indices().prepareRecoveries());
+        assertAccessIsAllowed(securedClient.admin().indices().prepareStats());
+
+        assertAccessIsAllowed(securedClient.admin().indices().prepareDelete(MarvelSettings.MARVEL_INDICES_PREFIX));
+        assertAccessIsAllowed(securedClient.admin().indices().prepareCreate(MarvelSettings.MARVEL_INDICES_PREFIX + "test"));
+
+        assertAccessIsAllowed(securedClient.admin().indices().preparePutTemplate("foo").setSource(MarvelTemplateUtils.loadDefaultTemplate()));
+        assertAccessIsAllowed(securedClient.admin().indices().prepareGetTemplates("foo"));
+    }
+
+    public void testDeniedAccess() {
+        SecuredClient securedClient = internalCluster().getInstance(SecuredClient.class);
+        assertAcked(securedClient.admin().indices().preparePutTemplate("foo").setSource(MarvelTemplateUtils.loadDefaultTemplate()).get());
+
+        if (shieldEnabled) {
+            assertAccessIsDenied(securedClient.admin().indices().prepareDeleteTemplate("foo"));
+            assertAccessIsDenied(securedClient.admin().cluster().prepareGetRepositories());
+        } else {
+            assertAccessIsAllowed(securedClient.admin().indices().prepareDeleteTemplate("foo"));
+            assertAccessIsAllowed(securedClient.admin().cluster().prepareGetRepositories());
+        }
+    }
+
+    public void assertAccessIsAllowed(ActionRequestBuilder request) {
+        try {
+            request.get();
+        } catch (IndexNotFoundException e) {
+            // Ok
+        } catch (ElasticsearchSecurityException e) {
+            fail("unexpected security exception: " + e.getMessage());
+        }
+    }
+
+    public void assertAccessIsDenied(ActionRequestBuilder request) {
+        try {
+            request.get();
+            fail("expected a security exception");
+        } catch (IndexNotFoundException e) {
+            // Ok
+        } catch (ElasticsearchSecurityException e) {
+            // expected
+            assertThat(e.status(), is(RestStatus.FORBIDDEN));
+        }
+    }
+}
+