Feature/184 introduce security tests (#474)

* 184: Code copied from Ravi's branch

Signed-off-by: Stevan Buzejic <buzejic.stevan@gmail.com>

* 184: Added security tests. Extended gradle file. Resolved 500 issue once opensearch status exception is raised

Signed-off-by: Stevan Buzejic <buzejic.stevan@gmail.com>

* 184: Refactored ISM rest test cases to consider forwarded client. Extended test cases and created reusable methods

Signed-off-by: Stevan Buzejic <buzejic.stevan@gmail.com>

* 184: Removed unused privileges

Signed-off-by: Stevan Buzejic <buzejic.stevan@gmail.com>

Signed-off-by: Stevan Buzejic <buzejic.stevan@gmail.com>

Author: stevanbz

build.gradle

@@ -407,6 +407,12 @@ integTest {
             excludeTestsMatching "org.opensearch.indexmanagement.bwc.*IT"
         }
     }
+    // Exclude security test
+    if (System.getProperty("https") == null || System.getProperty("https") == "false") {
+        filter {
+            excludeTestsMatching "org.opensearch.*Security*IT"
+        }
+    }
 
     // TODO: Fix running notification test against remote cluster with security plugin installed
     if (System.getProperty("https") != null) {
@@ -446,6 +452,11 @@ task integTestRemote(type: RestIntegTestTask)  {
             excludeTestsMatching "org.opensearch.indexmanagement.indexstatemanagement.action.NotificationActionIT"
         }
     }
+
+    if (System.getProperty("test.debug") != null) {
+        jvmArgs '-agentlib:jdwp=transport=dt_socket,server=n,suspend=y,address=8000'
+    }
+
     // Snapshot action integration tests rely on node level setting path.repo which we can't set remotely
     exclude 'org/opensearch/indexmanagement/indexstatemanagement/action/SnapshotActionIT.class'
 }

src/main/kotlin/org/opensearch/indexmanagement/util/IndexManagementException.kt

@@ -6,6 +6,7 @@
 package org.opensearch.indexmanagement.util
 
 import org.opensearch.OpenSearchException
+import org.opensearch.OpenSearchStatusException
 import org.opensearch.common.Strings
 import org.opensearch.common.ValidationException
 import org.opensearch.index.IndexNotFoundException
@@ -37,6 +38,10 @@ class IndexManagementException(message: String, val status: RestStatus, ex: Exce
                     status = RestStatus.BAD_REQUEST
                     friendlyMsg = ex.message as String
                 }
+                is OpenSearchStatusException -> {
+                    status = ex.status()
+                    friendlyMsg = ex.message as String
+                }
                 else -> {
                     if (!Strings.isNullOrEmpty(ex.message)) {
                         friendlyMsg = ex.message as String

src/test/kotlin/org/opensearch/indexmanagement/AccessRoles.kt

@@ -0,0 +1,59 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.indexmanagement
+
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.addpolicy.AddPolicyAction
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.deletepolicy.DeletePolicyAction
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.explain.ExplainAction
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.getpolicy.GetPoliciesAction
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.getpolicy.GetPolicyAction
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.indexpolicy.IndexPolicyAction
+import org.opensearch.indexmanagement.indexstatemanagement.transport.action.managedIndex.ManagedIndexAction
+import org.opensearch.indexmanagement.rollup.action.delete.DeleteRollupAction
+import org.opensearch.indexmanagement.rollup.action.explain.ExplainRollupAction
+import org.opensearch.indexmanagement.rollup.action.get.GetRollupAction
+import org.opensearch.indexmanagement.rollup.action.index.IndexRollupAction
+import org.opensearch.indexmanagement.rollup.action.mapping.UpdateRollupMappingAction
+import org.opensearch.indexmanagement.transform.action.delete.DeleteTransformsAction
+import org.opensearch.indexmanagement.transform.action.explain.ExplainTransformAction
+import org.opensearch.indexmanagement.transform.action.get.GetTransformAction
+import org.opensearch.indexmanagement.transform.action.get.GetTransformsAction
+import org.opensearch.indexmanagement.transform.action.index.IndexTransformAction
+import org.opensearch.indexmanagement.transform.action.start.StartTransformAction
+import org.opensearch.indexmanagement.transform.action.stop.StopTransformAction
+
+// ISM
+const val WRITE_POLICY = IndexPolicyAction.NAME
+const val ADD_POLICY = AddPolicyAction.NAME
+const val GET_POLICIES = GetPoliciesAction.NAME
+const val GET_POLICY = GetPolicyAction.NAME
+const val EXPLAIN_INDEX = ExplainAction.NAME
+const val MANAGED_INDEX = ManagedIndexAction.NAME
+const val DELETE_POLICY = DeletePolicyAction.NAME
+// Rollup
+const val ROLLUP_ALL = "cluster:admin/opendistro/rollup/*"
+const val INDEX_ROLLUP = IndexRollupAction.NAME
+const val GET_ROLLUP = GetRollupAction.NAME
+const val EXPLAIN_ROLLUP = ExplainRollupAction.NAME
+const val UPDATE_ROLLUP = UpdateRollupMappingAction.NAME
+const val DELETE_ROLLUP = DeleteRollupAction.NAME
+// Transform
+const val TRANSFORM_ACTION = IndexTransformAction.NAME
+const val GET_TRANSFORM = GetTransformAction.NAME
+const val EXPLAIN_TRANSFORM = ExplainTransformAction.NAME
+const val START_TRANSFORM = StartTransformAction.NAME
+const val DELETE_TRANSFORM = DeleteTransformsAction.NAME
+const val GET_TRANSFORMS = GetTransformsAction.NAME
+const val STOP_TRANSFORM = StopTransformAction.NAME
+// In order to execute transform, user need to have health privilege
+const val HEALTH = "cluster:monitor/health"
+// Index
+const val GET_INDEX_MAPPING = "indices:admin/mappings/get"
+const val PUT_INDEX_MAPPING = "indices:admin/mapping/put"
+const val SEARCH_INDEX = "indices:data/read/search"
+const val CREATE_INDEX = "indices:admin/create"
+const val WRITE_INDEX = "indices:data/write/index"
+const val BULK_WRITE_INDEX = "indices:data/write/bulk*"