Skip to content

Commit

Permalink
Add integration test case for obo permission
Browse files Browse the repository at this point in the history
Signed-off-by: Ryan Liang <jiallian@amazon.com>
  • Loading branch information
RyanL1997 committed Aug 22, 2023
1 parent 93bc8c6 commit 267255c
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import org.apache.hc.core5.http.Header;
import org.apache.hc.core5.http.HttpStatus;
import org.apache.hc.core5.http.message.BasicHeader;
import org.junit.Assert;
import org.junit.ClassRule;
Expand Down Expand Up @@ -57,6 +58,8 @@ public class OnBehalfOfJwtAuthenticationTest {
);
private static final String encryptionKey = Base64.getEncoder().encodeToString("encryptionKey".getBytes(StandardCharsets.UTF_8));
public static final String ADMIN_USER_NAME = "admin";
public static final String OBO_USER_NAME_WITH_PERM = "obo_user";
public static final String OBO_USER_NAME_NO_PERM = "obo_user_no_perm";
public static final String DEFAULT_PASSWORD = "secret";
public static final String NEW_PASSWORD = "testPassword123!!";
public static final String OBO_TOKEN_REASON = "{\"reason\":\"Test generation\"}";
Expand All @@ -68,10 +71,18 @@ public class OnBehalfOfJwtAuthenticationTest {
+ NEW_PASSWORD
+ "\" }";

protected final static TestSecurityConfig.User OBO_USER = new TestSecurityConfig.User(OBO_USER_NAME_WITH_PERM).roles(
new TestSecurityConfig.Role("obo_access_role").clusterPermissions("security:obo/create")
);

protected final static TestSecurityConfig.User OBO_USER_NO_PERM = new TestSecurityConfig.User(OBO_USER_NAME_NO_PERM).roles(
new TestSecurityConfig.Role("obo_user_no_perm")
);

@ClassRule
public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
.anonymousAuth(false)
.users(ADMIN_USER)
.users(ADMIN_USER, OBO_USER, OBO_USER_NO_PERM)
.nodeSettings(
Map.of(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true, SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_admin__all_access"))
)
Expand Down Expand Up @@ -116,6 +127,20 @@ public void shouldNotAuthenticateForUsingOBOTokenToAccessAccountEndpoint() {
}
}

@Test
public void shouldAuthenticateForNonAdminUserWithOBOPermission() {
String oboToken = generateOboToken(OBO_USER_NAME_WITH_PERM, DEFAULT_PASSWORD);
Header oboAuthHeader = new BasicHeader("Authorization", "Bearer " + oboToken);
authenticateWithOboToken(oboAuthHeader, OBO_USER_NAME_WITH_PERM, 200);
}

@Test
public void shouldNotAuthenticateForNonAdminUserWithoutOBOPermission() {
try (TestRestClient client = cluster.getRestClient(OBO_USER_NO_PERM)) {
assertThat(client.post(OBO_ENDPOINT_PREFIX).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
}
}

private String generateOboToken(String username, String password) {
try (TestRestClient client = cluster.getRestClient(username, password)) {
client.assertCorrectCredentials(username);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ public HttpResponse getAuthInfo(Header... headers) {
public HttpResponse getOnBehalfOfToken(String jsonData, Header... headers) {
try {
HttpPost httpPost = new HttpPost(
new URIBuilder(getHttpServerUri() + "/_plugins/_security/api/generateobotokenf?pretty").build()
new URIBuilder(getHttpServerUri() + "/_plugins/_security/api/generateobotoken?pretty").build()
);
httpPost.setEntity(toStringEntity(jsonData));
return executeRequest(httpPost, mergeHeaders(CONTENT_TYPE_JSON, headers));
Expand Down

0 comments on commit 267255c

Please sign in to comment.