opensearch-project · derek-ho · Dec 24, 2024 · Dec 24, 2024 · Dec 26, 2024 · Dec 26, 2024
@@ -38,14 +38,20 @@
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.common.unit.ByteSizeUnit;
 import org.opensearch.core.common.unit.ByteSizeValue;
+import org.opensearch.security.action.apitokens.ApiToken;
+import org.opensearch.security.action.apitokens.ApiTokenRepository;
+import org.opensearch.security.action.apitokens.Permissions;
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+import org.opensearch.security.securityconf.impl.v7.ActionGroupsV7;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.user.User;
 import org.opensearch.security.util.MockIndexMetadataBuilder;
 
+import org.mockito.Mockito;
+
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isAllowed;
 import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isForbidden;
@@ -258,6 +264,63 @@ public void hasAny_wildcard() throws Exception {
                 isForbidden(missingPrivileges("cluster:whatever"))
             );
         }
+
+        @Test
+        public void apiToken_explicit_failsWithWildcard() throws Exception {
+            SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.empty(CType.ROLES);
+            ActionPrivileges subject = new ActionPrivileges(roles, FlattenedActionGroups.EMPTY, null, Settings.EMPTY);
+            String token = "blah";
+            PrivilegesEvaluationContext context = ctxForApiToken("apitoken:" + token, new Permissions(List.of("*"), List.of()));
+            // Explicit fails
+            assertThat(
+                subject.hasExplicitClusterPrivilege(context, "cluster:whatever"),
+                isForbidden(missingPrivileges("cluster:whatever"))
+            );
+            // Not explicit succeeds
+            assertThat(subject.hasClusterPrivilege(context, "cluster:whatever"), isAllowed());
+            // Any succeeds
+            assertThat(subject.hasAnyClusterPrivilege(context, ImmutableSet.of("cluster:whatever")), isAllowed());
+        }
+
+        @Test
+        public void apiToken_succeedsWithExactMatch() throws Exception {
+            SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.empty(CType.ROLES);
+            ActionPrivileges subject = new ActionPrivileges(roles, FlattenedActionGroups.EMPTY, null, Settings.EMPTY);
+            String token = "blah";
+            PrivilegesEvaluationContext context = ctxForApiToken(
+                "apitoken:" + token,
+                new Permissions(List.of("cluster:whatever"), List.of())
+            );
+            // Explicit succeeds
+            assertThat(subject.hasExplicitClusterPrivilege(context, "cluster:whatever"), isAllowed());
+            // Not explicit succeeds
+            assertThat(subject.hasClusterPrivilege(context, "cluster:whatever"), isAllowed());
+            // Any succeeds
+            assertThat(subject.hasAnyClusterPrivilege(context, ImmutableSet.of("cluster:whatever")), isAllowed());
+            // Any succeeds
+            assertThat(subject.hasAnyClusterPrivilege(context, ImmutableSet.of("cluster:whatever", "cluster:other")), isAllowed());
+        }
+
+        @Test
+        public void apiToken_succeedsWithActionGroupsExapnded() throws Exception {
+            SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.empty(CType.ROLES);
+
+            SecurityDynamicConfiguration<ActionGroupsV7> config = SecurityDynamicConfiguration.fromYaml(
+                "CLUSTER_ALL:\n  allowed_actions:\n    - \"cluster:*\"",
+                CType.ACTIONGROUPS
+            );
+
+            FlattenedActionGroups actionGroups = new FlattenedActionGroups(config);
+            ActionPrivileges subject = new ActionPrivileges(roles, actionGroups, null, Settings.EMPTY);
+            String token = "blah";
+            PrivilegesEvaluationContext context = ctxForApiToken("apitoken:" + token, new Permissions(List.of("CLUSTER_ALL"), List.of()));
+            // Explicit succeeds
+            assertThat(subject.hasExplicitClusterPrivilege(context, "cluster:whatever"), isAllowed());
+            // Not explicit succeeds
+            assertThat(subject.hasClusterPrivilege(context, "cluster:whatever"), isAllowed());
+            // Any succeeds
+            assertThat(subject.hasClusterPrivilege(context, "cluster:monitor/main"), isAllowed());
+        }
     }
 
     /**
@@ -292,6 +355,17 @@ public void positive_full() throws Exception {
                 assertThat(result, isAllowed());
             }
 
+            @Test
+            public void apiTokens_positive_full() throws Exception {
+                String token = "blah";
+                PrivilegesEvaluationContext context = ctxForApiToken(
+                    "apitoken:" + token,
+                    new Permissions(List.of("index_a11"), List.of(new ApiToken.IndexPermission(List.of("index_a11"), List.of("*"))))
+                );
+                PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(context, requiredActions, resolved("index_a11"));
+                assertThat(result, isAllowed());
+            }
+
             @Test
             public void positive_partial() throws Exception {
                 PrivilegesEvaluationContext ctx = ctx("test_role");
@@ -346,6 +420,18 @@ public void negative_wrongRole() throws Exception {
                 assertThat(result, isForbidden(missingPrivileges(requiredActions)));
             }
 
+            @Test
+            public void apiToken_negative_noPermissions() throws Exception {
+                String token = "blah";
+                PrivilegesEvaluationContext context = ctxForApiToken(
+                    "apitoken:" + token,
+                    new Permissions(List.of(), List.of(new ApiToken.IndexPermission(List.of(), List.of())))
+                );
+
+                PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(context, requiredActions, resolved("index_a11"));
+                assertThat(result, isForbidden(missingPrivileges(requiredActions)));
+            }
+
             @Test
             public void negative_wrongAction() throws Exception {
                 PrivilegesEvaluationContext ctx = ctx("test_role");
@@ -375,6 +461,20 @@ public void positive_hasExplicit_full() {
                 }
             }
 
+            @Test
+            public void apiTokens_positive_hasExplicit_full() {
+                String token = "blah";
+                PrivilegesEvaluationContext context = ctxForApiToken(
+                    "apitoken:" + token,
+                    new Permissions(List.of("index_a11"), List.of(new ApiToken.IndexPermission(List.of("index_a11"), List.of("*"))))
+                );
+
+                PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(context, requiredActions, resolved("index_a11"));
+
+                assertThat(result, isForbidden(missingPrivileges(requiredActions)));
+
+            }
+
             private boolean covers(PrivilegesEvaluationContext ctx, String... indices) {
                 for (String index : indices) {
                     if (!indexSpec.covers(ctx.getUser(), index)) {
@@ -1017,8 +1117,13 @@ static SecurityDynamicConfiguration<RoleV7> createRoles(int numberOfRoles, int n
     }
 
     static PrivilegesEvaluationContext ctx(String... roles) {
-        User user = new User("test_user");
+        return ctxWithUserName("test-user", roles);
+    }
+
+    static PrivilegesEvaluationContext ctxWithUserName(String userName, String... roles) {
+        User user = new User(userName);
         user.addAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
+        ApiTokenRepository mockRepository = Mockito.mock(ApiTokenRepository.class);
         return new PrivilegesEvaluationContext(
             user,
             ImmutableSet.copyOf(roles),
@@ -1030,4 +1135,21 @@ static PrivilegesEvaluationContext ctx(String... roles) {
             null
         );
     }
+
+    static PrivilegesEvaluationContext ctxForApiToken(String userName, Permissions permissions) {
+        User user = new User(userName);
+        user.addAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
+        ApiTokenRepository mockRepository = Mockito.mock(ApiTokenRepository.class);
+        return new PrivilegesEvaluationContext(
+            user,
+            ImmutableSet.of(),
+            null,
+            null,
+            null,
+            null,
+            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
+            null,
+            permissions
+        );
+    }
 }
@@ -35,6 +35,7 @@
 import org.opensearch.index.query.RangeQueryBuilder;
 import org.opensearch.index.query.TermQueryBuilder;
 import org.opensearch.search.internal.ShardSearchRequest;
+import org.opensearch.security.action.apitokens.ApiTokenRepository;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
@@ -47,6 +48,7 @@
 
 import org.mockito.Mockito;
 
+import static org.mockito.Mockito.mock;
 import static org.opensearch.security.Song.ARTIST_STRING;
 import static org.opensearch.security.Song.ARTIST_TWINS;
 import static org.opensearch.security.Song.FIELD_ARTIST;
@@ -255,11 +257,11 @@ public void performHeaderDecoration_oldNode() throws Exception {
         Metadata metadata = exampleMetadata();
         DlsFlsProcessedConfig dlsFlsProcessedConfig = dlsFlsProcessedConfig(exampleRolesConfig(), metadata);
 
-        Transport.Connection connection = Mockito.mock(Transport.Connection.class);
+        Transport.Connection connection = mock(Transport.Connection.class);
         Mockito.when(connection.getVersion()).thenReturn(Version.V_2_0_0);
 
         // ShardSearchRequest does not extend ActionRequest, thus the headers must be set
-        ShardSearchRequest request = Mockito.mock(ShardSearchRequest.class);
+        ShardSearchRequest request = mock(ShardSearchRequest.class);
 
         Map<String, String> headerSink = new HashMap<>();
 
@@ -277,7 +279,7 @@ public void performHeaderDecoration_actionRequest() throws Exception {
         Metadata metadata = exampleMetadata();
         DlsFlsProcessedConfig dlsFlsProcessedConfig = dlsFlsProcessedConfig(exampleRolesConfig(), metadata);
 
-        Transport.Connection connection = Mockito.mock(Transport.Connection.class);
+        Transport.Connection connection = mock(Transport.Connection.class);
         Mockito.when(connection.getVersion()).thenReturn(Version.V_2_0_0);
 
         // SearchRequest does extend ActionRequest, thus the headers must not be set
@@ -296,11 +298,11 @@ public void performHeaderDecoration_newNode() throws Exception {
         Metadata metadata = exampleMetadata();
         DlsFlsProcessedConfig dlsFlsProcessedConfig = dlsFlsProcessedConfig(exampleRolesConfig(), metadata);
 
-        Transport.Connection connection = Mockito.mock(Transport.Connection.class);
+        Transport.Connection connection = mock(Transport.Connection.class);
         Mockito.when(connection.getVersion()).thenReturn(Version.V_3_0_0);
 
         // ShardSearchRequest does not extend ActionRequest, thus the headers must be set
-        ShardSearchRequest request = Mockito.mock(ShardSearchRequest.class);
+        ShardSearchRequest request = mock(ShardSearchRequest.class);
 
         Map<String, String> headerSink = new HashMap<>();
 
@@ -345,7 +347,8 @@ public void prepare_ccs() throws Exception {
             null,
             null,
             new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
-            () -> clusterState
+            () -> clusterState,
+                mock(ApiTokenRepository.class)
         );
 
         DlsFlsLegacyHeaders.prepare(threadContext, ctx, dlsFlsProcessedConfig(exampleRolesConfig(), metadata), metadata, false);
@@ -364,7 +367,8 @@ static PrivilegesEvaluationContext ctx(Metadata metadata, String... roles) {
             null,
             null,
             new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
-            () -> clusterState
+            () -> clusterState,
+                mock(ApiTokenRepository.class)
         );
     }
 

@@ -51,6 +51,7 @@
 import org.opensearch.index.query.QueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
 import org.opensearch.index.query.TermQueryBuilder;
+import org.opensearch.security.action.apitokens.ApiTokenRepository;
 import org.opensearch.security.privileges.PrivilegesConfigurationValidationException;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluationException;
@@ -61,6 +62,7 @@
 import org.opensearch.test.framework.TestSecurityConfig;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.mockito.Mockito.mock;
 import static org.opensearch.security.util.MockIndexMetadataBuilder.dataStreams;
 import static org.opensearch.security.util.MockIndexMetadataBuilder.indices;
 import static org.junit.Assert.assertEquals;
@@ -526,7 +528,8 @@ public IndicesAndAliases_getRestriction(
                 null,
                 null,
                 null,
-                () -> CLUSTER_STATE
+                () -> CLUSTER_STATE,
+                    mock(ApiTokenRepository.class)
             );
             this.statefulness = statefulness;
             this.dfmEmptyOverridesAll = dfmEmptyOverridesAll == DfmEmptyOverridesAll.DFM_EMPTY_OVERRIDES_ALL_TRUE;
@@ -841,7 +844,8 @@ public IndicesRequest indices(String... strings) {
                 null,
                 RESOLVER_REPLACER,
                 INDEX_NAME_EXPRESSION_RESOLVER,
-                () -> CLUSTER_STATE
+                () -> CLUSTER_STATE,
+                    mock(ApiTokenRepository.class)
             );
             this.statefulness = statefulness;
             this.dfmEmptyOverridesAll = dfmEmptyOverridesAll == DfmEmptyOverridesAll.DFM_EMPTY_OVERRIDES_ALL_TRUE;
@@ -1126,7 +1130,8 @@ public DataStreams_getRestriction(
                 null,
                 null,
                 null,
-                () -> CLUSTER_STATE
+                () -> CLUSTER_STATE,
+                    mock(ApiTokenRepository.class)
             );
             this.statefulness = statefulness;
             this.dfmEmptyOverridesAll = dfmEmptyOverridesAll == DfmEmptyOverridesAll.DFM_EMPTY_OVERRIDES_ALL_TRUE;
@@ -1146,7 +1151,7 @@ public void invalidQuery() throws Exception {
         @Test(expected = PrivilegesEvaluationException.class)
         public void invalidTemplatedQuery() throws Exception {
             DocumentPrivileges.DlsQuery.create("{\"invalid\": \"totally ${attr.foo}\"}", xContentRegistry)
-                .evaluate(new PrivilegesEvaluationContext(new User("test_user"), ImmutableSet.of(), null, null, null, null, null, null));
+                .evaluate(new PrivilegesEvaluationContext(new User("test_user"), ImmutableSet.of(), null, null, null, null, null, null, mock(ApiTokenRepository.class)));
         }
 
         @Test

@@ -21,6 +21,7 @@
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.Metadata;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.security.action.apitokens.ApiTokenRepository;
 import org.opensearch.security.privileges.PrivilegesConfigurationValidationException;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -29,6 +30,7 @@
 import org.opensearch.security.user.User;
 import org.opensearch.test.framework.TestSecurityConfig;
 
+import static org.mockito.Mockito.mock;
 import static org.opensearch.security.util.MockIndexMetadataBuilder.indices;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -158,7 +160,8 @@ static PrivilegesEvaluationContext ctx(String... roles) {
                 null,
                 null,
                 null,
-                () -> CLUSTER_STATE
+                () -> CLUSTER_STATE,
+                    mock(ApiTokenRepository.class)
             );
         }
     }