honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add explicit test for DLS with OIDC metadata (#61955) 

When a user authenticates via OpenID Connect we copy information from
the OIDC claims into the user's metadata in a particular format.

This commit adds a test that metadata in that format can be used in a
mustache template for Document Level Security.

Backport of: #60030
This commit is contained in:
Tim Vernum 2020-09-04 16:21:20 +10:00 committed by GitHub
parent 57efda2865
commit cdfb163c7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java
View File

@ -14,6 +14,7 @@ import org.elasticsearch.script.Script;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.script.ScriptType;
import org.elasticsearch.script.TemplateScript;
import org.elasticsearch.script.mustache.MustacheScriptEngine;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.user.User;
import org.junit.Before;
@ -25,6 +26,7 @@ import java.util.HashMap;
import java.util.Map;
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
import static org.hamcrest.Matchers.arrayWithSize;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.sameInstance;
import static org.mockito.Matchers.any;
@ -80,7 +82,26 @@ public class SecurityQueryTemplateEvaluatorTests extends ESTestCase {
userModel.put("roles", Arrays.asList(user.roles()));
userModel.put("metadata", user.metadata());
assertThat(usedScript.getParams().get("_user"), equalTo(userModel));
}
public void testDocLevelSecurityTemplateWithOpenIdConnectStyleMetadata() throws Exception {
User user = new User(randomAlphaOfLength(8), generateRandomStringArray(5, 5, false), randomAlphaOfLength(9), "sample@example.com",
org.elasticsearch.common.collect.Map.of("oidc(email)", "sample@example.com"), true);
final MustacheScriptEngine mustache = new MustacheScriptEngine();
when(scriptService.compile(any(Script.class), eq(TemplateScript.CONTEXT))).thenAnswer(inv -> {
assertThat(inv.getArguments(), arrayWithSize(2));
Script script = (Script) inv.getArguments()[0];
TemplateScript.Factory factory = mustache.compile(
script.getIdOrCode(), script.getIdOrCode(), TemplateScript.CONTEXT, script.getOptions());
return factory;
});
String template = "{ \"template\" : { \"source\" : {\"term\":{\"field\":\"{{_user.metadata.oidc(email)}}\"}} } }";
String evaluated = SecurityQueryTemplateEvaluator.evaluateTemplate(template, scriptService, user);
assertThat(evaluated, equalTo("{\"term\":{\"field\":\"sample@example.com\"}}"));
}
public void testSkipTemplating() throws Exception {