adding get alerts rbac IT

Author: toepkerd-zz

alerting/src/main/kotlin/org/opensearch/alerting/alertsv2/AlertV2Mover.kt

@@ -23,6 +23,7 @@ import org.opensearch.alerting.modelv2.MonitorV2
 import org.opensearch.alerting.modelv2.MonitorV2.Companion.MONITOR_V2_TYPE
 import org.opensearch.alerting.opensearchapi.suspendUntil
 import org.opensearch.alerting.settings.AlertingSettings.Companion.ALERT_V2_HISTORY_ENABLED
+import org.opensearch.alerting.util.MAX_SEARCH_SIZE
 import org.opensearch.cluster.ClusterChangedEvent
 import org.opensearch.cluster.ClusterStateListener
 import org.opensearch.cluster.service.ClusterService
@@ -138,7 +139,7 @@ class AlertV2Mover(
         // first collect all active alerts
         val allAlertsSearchQuery = SearchSourceBuilder.searchSource()
             .query(QueryBuilders.matchAllQuery())
-            .size(10000)
+            .size(MAX_SEARCH_SIZE)
             .version(true)
         val activeAlertsRequest = SearchRequest(ALERT_V2_INDEX)
             .source(allAlertsSearchQuery)
@@ -154,7 +155,7 @@ class AlertV2Mover(
         // now collect all triggers and their expire durations
         val monitorV2sSearchQuery = SearchSourceBuilder.searchSource()
             .query(QueryBuilders.existsQuery(MONITOR_V2_TYPE))
-            .size(10000)
+            .size(MAX_SEARCH_SIZE)
             .version(true)
         val monitorV2sRequest = SearchRequest(SCHEDULED_JOBS_INDEX)
             .source(monitorV2sSearchQuery)
@@ -333,7 +334,7 @@ class AlertV2Mover(
 
             val alertsSearchQuery = SearchSourceBuilder.searchSource()
                 .query(boolQuery)
-                .size(10000)
+                .size(MAX_SEARCH_SIZE)
                 .version(true)
             val activeAlertsRequest = SearchRequest(ALERT_V2_INDEX)
                 .source(alertsSearchQuery)

alerting/src/main/kotlin/org/opensearch/alerting/transportv2/TransportGetAlertsV2Action.kt

@@ -21,6 +21,7 @@ import org.opensearch.alerting.alertsv2.AlertV2Indices
 import org.opensearch.alerting.core.settings.AlertingV2Settings.Companion.ALERTING_V2_ENABLED
 import org.opensearch.alerting.modelv2.AlertV2
 import org.opensearch.alerting.modelv2.AlertV2.Companion.MONITOR_V2_NAME_FIELD
+import org.opensearch.alerting.modelv2.AlertV2.Companion.MONITOR_V2_USER_FIELD
 import org.opensearch.alerting.modelv2.AlertV2.Companion.TRIGGER_V2_NAME_FIELD
 import org.opensearch.alerting.opensearchapi.addFilter
 import org.opensearch.alerting.settings.AlertingSettings
@@ -32,7 +33,6 @@ import org.opensearch.common.settings.Settings
 import org.opensearch.common.xcontent.LoggingDeprecationHandler
 import org.opensearch.common.xcontent.XContentHelper
 import org.opensearch.common.xcontent.XContentType
-import org.opensearch.commons.alerting.model.Alert.Companion.MONITOR_USER_FIELD
 import org.opensearch.commons.alerting.util.AlertingException
 import org.opensearch.commons.authuser.User
 import org.opensearch.commons.authuser.User.BACKEND_ROLES_FIELD
@@ -163,7 +163,7 @@ class TransportGetAlertsV2Action @Inject constructor(
             if (user != null && doFilterForUser(user)) {
                 // if security is enabled and filterby is enabled, add search filter
                 log.info("Filtering result by: ${user.backendRoles}")
-                addFilter(user, searchSourceBuilder, "$MONITOR_USER_FIELD.$BACKEND_ROLES_FIELD.keyword")
+                addFilter(user, searchSourceBuilder, "$MONITOR_V2_USER_FIELD.$BACKEND_ROLES_FIELD.keyword")
             }
 
             search(alertIndex, searchSourceBuilder, actionListener)

alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt

@@ -929,7 +929,7 @@ abstract class AlertingRestTestCase : ODFERestTestCase() {
     protected fun getAlertV2s(): Response {
         val response = client().makeRequest(
             "GET",
-            "$MONITOR_V2_BASE_URI/alerts?",
+            "$MONITOR_V2_BASE_URI/alerts",
             null,
             BasicHeader(HttpHeaders.CONTENT_TYPE, "application/json")
         )

alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorV2RestApiIT.kt

@@ -18,18 +18,26 @@ import org.opensearch.alerting.AlertingPlugin.Companion.MONITOR_V2_BASE_URI
 import org.opensearch.alerting.AlertingRestTestCase
 import org.opensearch.alerting.PPL_FULL_ACCESS_ROLE
 import org.opensearch.alerting.ROLE_TO_PERMISSION_MAPPING
+import org.opensearch.alerting.TEST_INDEX_MAPPINGS
 import org.opensearch.alerting.TEST_INDEX_NAME
 import org.opensearch.alerting.core.settings.AlertingV2Settings
 import org.opensearch.alerting.makeRequest
+import org.opensearch.alerting.modelv2.PPLSQLMonitor
+import org.opensearch.alerting.modelv2.PPLSQLTrigger.ConditionType
+import org.opensearch.alerting.modelv2.PPLSQLTrigger.NumResultsCondition
+import org.opensearch.alerting.modelv2.PPLSQLTrigger.TriggerMode
 import org.opensearch.alerting.randomPPLMonitor
+import org.opensearch.alerting.randomPPLTrigger
 import org.opensearch.client.ResponseException
 import org.opensearch.client.RestClient
 import org.opensearch.common.settings.Settings
 import org.opensearch.common.xcontent.XContentType
+import org.opensearch.commons.alerting.model.IntervalSchedule
 import org.opensearch.commons.rest.SecureRestClientBuilder
 import org.opensearch.core.rest.RestStatus
 import org.opensearch.index.query.QueryBuilders
 import org.opensearch.search.builder.SearchSourceBuilder
+import java.time.temporal.ChronoUnit.MINUTES
 
 /***
  * Tests Alerting V2 CRUD with role-based access control
@@ -618,6 +626,160 @@ class SecureMonitorV2RestApiIT : AlertingRestTestCase() {
         }
     }
 
+    fun `test RBAC get alerts v2 as user without correct backend roles fails`() {
+        enableFilterBy()
+        if (!isHttps()) {
+            return
+        }
+
+        createIndex(TEST_INDEX_NAME, Settings.EMPTY, TEST_INDEX_MAPPINGS)
+        indexDocFromSomeTimeAgo(2, MINUTES, "abc", 5)
+
+        val pplMonitorConfig = createRandomPPLMonitor(
+            randomPPLMonitor(
+                enabled = true,
+                schedule = IntervalSchedule(interval = 1, unit = MINUTES),
+                lookBackWindow = null,
+                triggers = listOf(
+                    randomPPLTrigger(
+                        throttleDuration = null,
+                        expireDuration = 5,
+                        mode = TriggerMode.RESULT_SET,
+                        conditionType = ConditionType.NUMBER_OF_RESULTS,
+                        numResultsCondition = NumResultsCondition.GREATER_THAN,
+                        numResultsValue = 0L,
+                        customCondition = null
+                    )
+                ),
+                query = "source = $TEST_INDEX_NAME | head 10"
+            )
+        )
+
+        createUserWithRoles(
+            user,
+            listOf(ALERTING_FULL_ACCESS_ROLE, PPL_FULL_ACCESS_ROLE),
+            listOf("backend_role_a", "backend_role_b"),
+            false
+        )
+
+        val pplMonitor = createMonitorV2WithClient(
+            userClient!!,
+            pplMonitorConfig,
+            null
+        ) as PPLSQLMonitor
+
+        val executeResponse = executeMonitorV2(pplMonitor.id)
+        val triggered = isTriggered(pplMonitor, executeResponse)
+        assertTrue(triggered)
+
+        // the get alerts user should be able to see the alerts
+        val getAlertsUser = "getAlertsUser"
+        createUserWithRoles(
+            getAlertsUser,
+            listOf(ALERTING_FULL_ACCESS_ROLE, PPL_FULL_ACCESS_ROLE),
+            listOf("backend_role_c"),
+            true
+        )
+
+        val getAlertsUserClient = SecureRestClientBuilder(clusterHosts.toTypedArray(), isHttps(), getAlertsUser, password)
+            .setSocketTimeout(60000)
+            .setConnectionRequestTimeout(180000)
+            .build()
+
+        val getAlertsResponse = getAlertsUserClient!!.makeRequest(
+            "GET",
+            "$MONITOR_V2_BASE_URI/alerts",
+            null,
+            BasicHeader(HttpHeaders.CONTENT_TYPE, "application/json")
+        )
+        assertEquals("Get alerts v2 failed", RestStatus.OK, getAlertsResponse.restStatus())
+
+        val alertsGenerated = numAlerts(getAlertsResponse) > 0
+        assert(!alertsGenerated)
+
+        // cleanup
+        getAlertsUserClient.close()
+    }
+
+    fun `test RBAC get alerts v2 as user with correct backend roles succeeds`() {
+        enableFilterBy()
+        if (!isHttps()) {
+            return
+        }
+
+        createIndex(TEST_INDEX_NAME, Settings.EMPTY, TEST_INDEX_MAPPINGS)
+        indexDocFromSomeTimeAgo(2, MINUTES, "abc", 5)
+
+        val pplMonitorConfig = createRandomPPLMonitor(
+            randomPPLMonitor(
+                enabled = true,
+                schedule = IntervalSchedule(interval = 1, unit = MINUTES),
+                lookBackWindow = null,
+                triggers = listOf(
+                    randomPPLTrigger(
+                        throttleDuration = null,
+                        expireDuration = 5,
+                        mode = TriggerMode.RESULT_SET,
+                        conditionType = ConditionType.NUMBER_OF_RESULTS,
+                        numResultsCondition = NumResultsCondition.GREATER_THAN,
+                        numResultsValue = 0L,
+                        customCondition = null
+                    )
+                ),
+                query = "source = $TEST_INDEX_NAME | head 10"
+            )
+        )
+
+        createUserWithRoles(
+            user,
+            listOf(ALERTING_FULL_ACCESS_ROLE, PPL_FULL_ACCESS_ROLE),
+            listOf("backend_role_a", "backend_role_b"),
+            false
+        )
+
+        val pplMonitor = createMonitorV2WithClient(
+            userClient!!,
+            pplMonitorConfig,
+            null
+        ) as PPLSQLMonitor
+
+        val executeResponse = executeMonitorV2(pplMonitor.id)
+        val triggered = isTriggered(pplMonitor, executeResponse)
+        assertTrue(triggered)
+
+        // TODO: creating this user overrides the ALERTING_FULL_ACCESS mapping and displaces "user"
+        // TODO: above, even though passing in isExistingRole = true should trigger an update
+        // TODO: role mappings call. doesn't block the test because "user" isn't used for the
+        // TODO: rest of the test, but this could lead to unexpected behavior for future test writers
+        // the get alerts user should be able to see the alerts
+        val getAlertsUser = "getAlertsUser"
+        createUserWithRoles(
+            getAlertsUser,
+            listOf(ALERTING_FULL_ACCESS_ROLE, PPL_FULL_ACCESS_ROLE),
+            listOf("backend_role_a"),
+            true
+        )
+
+        val getAlertsUserClient = SecureRestClientBuilder(clusterHosts.toTypedArray(), isHttps(), getAlertsUser, password)
+            .setSocketTimeout(60000)
+            .setConnectionRequestTimeout(180000)
+            .build()
+
+        val getAlertsResponse = getAlertsUserClient!!.makeRequest(
+            "GET",
+            "$MONITOR_V2_BASE_URI/alerts",
+            null,
+            BasicHeader(HttpHeaders.CONTENT_TYPE, "application/json")
+        )
+        assertEquals("Get alerts v2 failed", RestStatus.OK, getAlertsResponse.restStatus())
+
+        val alertsGenerated = numAlerts(getAlertsResponse) > 0
+        assert(alertsGenerated)
+
+        // cleanup
+        getAlertsUserClient.close()
+    }
+
     fun `test RBAC delete monitorV2 as user with correct backend roles succeeds`() {
         enableFilterBy()
         if (!isHttps()) {