|
| 1 | +/* |
| 2 | + * SPDX-License-Identifier: Apache-2.0 |
| 3 | + * |
| 4 | + * The OpenSearch Contributors require contributions made to |
| 5 | + * this file be licensed under the Apache-2.0 license or a |
| 6 | + * compatible open source license. |
| 7 | + * |
| 8 | + * Modifications Copyright OpenSearch Contributors. See |
| 9 | + * GitHub history for details. |
| 10 | + */ |
| 11 | +package org.opensearch.security.api; |
| 12 | + |
| 13 | +import java.util.ArrayList; |
| 14 | +import java.util.Collection; |
| 15 | +import java.util.Collections; |
| 16 | +import java.util.List; |
| 17 | +import java.util.Set; |
| 18 | +import java.util.StringJoiner; |
| 19 | +import java.util.stream.Collectors; |
| 20 | + |
| 21 | +import com.carrotsearch.randomizedtesting.RandomizedContext; |
| 22 | +import com.google.common.collect.ImmutableList; |
| 23 | +import com.fasterxml.jackson.databind.JsonNode; |
| 24 | +import org.apache.commons.lang3.tuple.Pair; |
| 25 | +import org.junit.Test; |
| 26 | + |
| 27 | +import org.opensearch.security.dlic.rest.api.Endpoint; |
| 28 | +import org.opensearch.security.dlic.rest.api.ssl.CertificateType; |
| 29 | +import org.opensearch.test.framework.TestSecurityConfig; |
| 30 | +import org.opensearch.test.framework.certificate.TestCertificates; |
| 31 | +import org.opensearch.test.framework.cluster.LocalOpenSearchCluster; |
| 32 | +import org.opensearch.test.framework.cluster.TestRestClient; |
| 33 | + |
| 34 | +import static org.hamcrest.CoreMatchers.containsString; |
| 35 | +import static org.hamcrest.CoreMatchers.is; |
| 36 | +import static org.hamcrest.MatcherAssert.assertThat; |
| 37 | +import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; |
| 38 | +import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION; |
| 39 | +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; |
| 40 | + |
| 41 | +public class CertificatesRestApiIntegrationTest extends AbstractApiIntegrationTest { |
| 42 | + |
| 43 | + final static String REST_API_ADMIN_SSL_INFO = "rest-api-admin-ssl-info"; |
| 44 | + |
| 45 | + final static String REGULAR_USER = "regular_user"; |
| 46 | + |
| 47 | + static { |
| 48 | + clusterSettings.put(SECURITY_RESTAPI_ADMIN_ENABLED, true); |
| 49 | + testSecurityConfig.roles( |
| 50 | + new TestSecurityConfig.Role("simple_user_role").clusterPermissions("cluster:admin/security/certificates/info") |
| 51 | + ) |
| 52 | + .rolesMapping(new TestSecurityConfig.RoleMapping("simple_user_role").users(REGULAR_USER, ADMIN_USER_NAME)) |
| 53 | + .user(new TestSecurityConfig.User(REGULAR_USER)) |
| 54 | + .withRestAdminUser(REST_ADMIN_USER, allRestAdminPermissions()) |
| 55 | + .withRestAdminUser(REST_API_ADMIN_SSL_INFO, restAdminPermission(Endpoint.SSL, CERTS_INFO_ACTION)); |
| 56 | + } |
| 57 | + |
| 58 | + @Override |
| 59 | + protected String apiPathPrefix() { |
| 60 | + return PLUGINS_PREFIX; |
| 61 | + } |
| 62 | + |
| 63 | + protected String sslCertsPath(String... path) { |
| 64 | + final var fullPath = new StringJoiner("/"); |
| 65 | + fullPath.add(super.apiPath("certificates")); |
| 66 | + if (path != null) { |
| 67 | + for (final var p : path) { |
| 68 | + fullPath.add(p); |
| 69 | + } |
| 70 | + } |
| 71 | + return fullPath.toString(); |
| 72 | + } |
| 73 | + |
| 74 | + @Test |
| 75 | + public void forbiddenForRegularUser() throws Exception { |
| 76 | + withUser(REGULAR_USER, client -> forbidden(() -> client.get(sslCertsPath()))); |
| 77 | + } |
| 78 | + |
| 79 | + @Test |
| 80 | + public void forbiddenForAdminUser() throws Exception { |
| 81 | + withUser(ADMIN_USER_NAME, client -> forbidden(() -> client.get(sslCertsPath()))); |
| 82 | + } |
| 83 | + |
| 84 | + @Test |
| 85 | + public void availableForTlsAdmin() throws Exception { |
| 86 | + withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), this::verifySSLCertsInfo); |
| 87 | + } |
| 88 | + |
| 89 | + @Test |
| 90 | + public void availableForRestAdmin() throws Exception { |
| 91 | + withUser(REST_ADMIN_USER, this::verifySSLCertsInfo); |
| 92 | + withUser(REST_API_ADMIN_SSL_INFO, this::verifySSLCertsInfo); |
| 93 | + } |
| 94 | + |
| 95 | + private void verifySSLCertsInfo(final TestRestClient client) throws Exception { |
| 96 | + assertSSLCertsInfo(nodesWithOrder(), Set.of(CertificateType.HTTP, CertificateType.TRANSPORT), ok(() -> client.get(sslCertsPath()))); |
| 97 | + if (localCluster.nodes().size() > 1) { |
| 98 | + final var randomNodes = randomNodes(); |
| 99 | + final var nodeIds = randomNodes.stream() |
| 100 | + .map(Pair::getRight) |
| 101 | + .map(n -> n.esNode().getNodeEnvironment().nodeId()) |
| 102 | + .collect(Collectors.joining(",")); |
| 103 | + assertSSLCertsInfo( |
| 104 | + randomNodes, |
| 105 | + Set.of(CertificateType.HTTP, CertificateType.TRANSPORT), |
| 106 | + ok(() -> client.get(sslCertsPath(nodeIds))) |
| 107 | + ); |
| 108 | + } |
| 109 | + final var randomCertType = randomFrom(List.of(CertificateType.HTTP, CertificateType.TRANSPORT)); |
| 110 | + assertSSLCertsInfo( |
| 111 | + nodesWithOrder(), |
| 112 | + Set.of(randomCertType), |
| 113 | + ok(() -> client.get(String.format("%s?cert_type=%s", sslCertsPath(), randomCertType))) |
| 114 | + ); |
| 115 | + |
| 116 | + } |
| 117 | + |
| 118 | + private void assertSSLCertsInfo( |
| 119 | + final List<Pair<Integer, LocalOpenSearchCluster.Node>> expectedNode, |
| 120 | + final Set<CertificateType> expectedCertTypes, |
| 121 | + final TestRestClient.HttpResponse response |
| 122 | + ) { |
| 123 | + final var body = response.bodyAsJsonNode(); |
| 124 | + final var prettyStringBody = body.toPrettyString(); |
| 125 | + |
| 126 | + final var _nodes = body.get("_nodes"); |
| 127 | + assertThat(prettyStringBody, _nodes.get("total").asInt(), is(expectedNode.size())); |
| 128 | + assertThat(prettyStringBody, _nodes.get("successful").asInt(), is(expectedNode.size())); |
| 129 | + assertThat(prettyStringBody, _nodes.get("failed").asInt(), is(0)); |
| 130 | + assertThat(prettyStringBody, body.get("cluster_name").asText(), is(localCluster.getClusterName())); |
| 131 | + |
| 132 | + final var nodes = body.get("nodes"); |
| 133 | + |
| 134 | + for (final var nodeWithOrder : expectedNode) { |
| 135 | + final var esNode = nodeWithOrder.getRight().esNode(); |
| 136 | + final var node = nodes.get(esNode.getNodeEnvironment().nodeId()); |
| 137 | + assertThat(prettyStringBody, node.get("name").asText(), is(nodeWithOrder.getRight().getNodeName())); |
| 138 | + assertThat(prettyStringBody, node.has("certificates")); |
| 139 | + final var certificates = node.get("certificates"); |
| 140 | + if (expectedCertTypes.contains(CertificateType.HTTP)) { |
| 141 | + final var httpCertificates = certificates.get(CertificateType.HTTP.value()); |
| 142 | + assertThat(prettyStringBody, httpCertificates.isArray()); |
| 143 | + assertThat(prettyStringBody, httpCertificates.size(), is(1)); |
| 144 | + verifyCertsJson(nodeWithOrder.getLeft(), httpCertificates.get(0)); |
| 145 | + } |
| 146 | + if (expectedCertTypes.contains(CertificateType.TRANSPORT)) { |
| 147 | + final var transportCertificates = certificates.get(CertificateType.TRANSPORT.value()); |
| 148 | + assertThat(prettyStringBody, transportCertificates.isArray()); |
| 149 | + assertThat(prettyStringBody, transportCertificates.size(), is(1)); |
| 150 | + verifyCertsJson(nodeWithOrder.getLeft(), transportCertificates.get(0)); |
| 151 | + } |
| 152 | + } |
| 153 | + |
| 154 | + } |
| 155 | + |
| 156 | + private void verifyCertsJson(final int nodeNumber, final JsonNode jsonNode) { |
| 157 | + assertThat(jsonNode.toPrettyString(), jsonNode.get("issuer_dn").asText(), is(TestCertificates.CA_SUBJECT)); |
| 158 | + assertThat( |
| 159 | + jsonNode.toPrettyString(), |
| 160 | + jsonNode.get("subject_dn").asText(), |
| 161 | + is(String.format(TestCertificates.NODE_SUBJECT_PATTERN, nodeNumber)) |
| 162 | + ); |
| 163 | + assertThat( |
| 164 | + jsonNode.toPrettyString(), |
| 165 | + jsonNode.get("san").asText(), |
| 166 | + containsString(String.format("node-%s.example.com", nodeNumber)) |
| 167 | + ); |
| 168 | + assertThat(jsonNode.toPrettyString(), jsonNode.has("not_before")); |
| 169 | + assertThat(jsonNode.toPrettyString(), jsonNode.has("not_after")); |
| 170 | + } |
| 171 | + |
| 172 | + private List<Pair<Integer, LocalOpenSearchCluster.Node>> randomNodes() { |
| 173 | + final var nodesWithOrder = nodesWithOrder(); |
| 174 | + int leaveElements = randomIntBetween(1, nodesWithOrder.size() - 1); |
| 175 | + return randomSubsetOf(leaveElements, nodesWithOrder); |
| 176 | + } |
| 177 | + |
| 178 | + private List<Pair<Integer, LocalOpenSearchCluster.Node>> nodesWithOrder() { |
| 179 | + final var list = ImmutableList.<Pair<Integer, LocalOpenSearchCluster.Node>>builder(); |
| 180 | + for (int i = 0; i < localCluster.nodes().size(); i++) |
| 181 | + list.add(Pair.of(i, localCluster.nodes().get(i))); |
| 182 | + return list.build(); |
| 183 | + } |
| 184 | + |
| 185 | + public <T> List<T> randomSubsetOf(int size, Collection<T> collection) { |
| 186 | + if (size > collection.size()) { |
| 187 | + throw new IllegalArgumentException( |
| 188 | + "Can't pick " + size + " random objects from a collection of " + collection.size() + " objects" |
| 189 | + ); |
| 190 | + } |
| 191 | + List<T> tempList = new ArrayList<>(collection); |
| 192 | + Collections.shuffle(tempList, RandomizedContext.current().getRandom()); |
| 193 | + return tempList.subList(0, size); |
| 194 | + } |
| 195 | + |
| 196 | +} |
0 commit comments