From af53f9cb59c54f7d4ebd52a1066c2558338ae752 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 15 Jul 2024 11:53:45 -0400 Subject: [PATCH 01/48] Updates the missing item types for security API related schemas Signed-off-by: Darshit Chanpura --- spec/schemas/security._common.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 2fcce2ec2..9980212ef 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -142,12 +142,18 @@ components: backend_roles: type: array description: Backend roles associated with the user. + items: + type: string custom_attribute_names: type: array description: Name of the attributes associated with the user. + items: + type: string roles: type: array description: Roles associated with the user. + items: + type: string tenants: type: object description: Tenants the user has access to with read-write or read-only access indicator. @@ -255,6 +261,8 @@ components: config: type: array description: List of configs to be upgraded. + items: + type: string CreateTenantParams: type: object @@ -292,6 +300,8 @@ components: sign_in_options: type: array description: List of available sign-in options available. + items: + type: string password_validation_error_message: type: string description: Error message when password validation fails. @@ -547,9 +557,13 @@ components: peer_certificates_list: type: array description: List of domain names from peer certificates. + items: + type: string local_certificates_list: type: array description: List of domain names from local certificates. + items: + type: string ssl_protocol: type: string description: Protocol for this ssl setup. From f5220c13fd2cc5c983f42af0b963c4cb17cf7175 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 18 Jul 2024 16:45:15 -0400 Subject: [PATCH 02/48] Adds tests for some APIs 
Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 8 --- tests/security/with-api-prefix/account.yaml | 50 +++++++++++++++++++ .../with-api-prefix/action_groups.yaml | 6 +++ tests/security/with-api-prefix/allowlist.yaml | 6 +++ tests/security/with-api-prefix/audit.yaml | 6 +++ tests/security/with-api-prefix/authtoken.yaml | 6 +++ tests/security/with-api-prefix/cache.yaml | 6 +++ .../with-api-prefix/internal_users.yaml | 6 +++ tests/security/with-api-prefix/migrate.yaml | 6 +++ tests/security/with-api-prefix/nodesdn.yaml | 6 +++ .../with-api-prefix/permissionsinfo.yaml | 6 +++ tests/security/with-api-prefix/roles.yaml | 6 +++ .../with-api-prefix/rolesmapping.yaml | 6 +++ .../with-api-prefix/securityconfig.yaml | 6 +++ tests/security/with-api-prefix/ssl.yaml | 6 +++ tests/security/with-api-prefix/tenancy.yaml | 6 +++ tests/security/with-api-prefix/tenants.yaml | 6 +++ tests/security/with-api-prefix/validate.yaml | 6 +++ .../security/without-api-prefix/authinfo.yaml | 20 ++++++++ .../without-api-prefix/dashboardsinfo.yaml | 14 ++++++ tests/security/without-api-prefix/health.yaml | 18 +++++++ .../security/without-api-prefix/sslinfo.yaml | 11 ++++ .../without-api-prefix/tenantinfo.yaml | 15 ++++++ .../security/without-api-prefix/upgrade.yaml | 19 +++++++ tests/security/without-api-prefix/whoami.yaml | 20 ++++++++ 25 files changed, 263 insertions(+), 8 deletions(-) create mode 100644 tests/security/with-api-prefix/account.yaml create mode 100644 tests/security/with-api-prefix/action_groups.yaml create mode 100644 tests/security/with-api-prefix/allowlist.yaml create mode 100644 tests/security/with-api-prefix/audit.yaml create mode 100644 tests/security/with-api-prefix/authtoken.yaml create mode 100644 tests/security/with-api-prefix/cache.yaml create mode 100644 tests/security/with-api-prefix/internal_users.yaml create mode 100644 tests/security/with-api-prefix/migrate.yaml create mode 100644 tests/security/with-api-prefix/nodesdn.yaml create mode 100644 
tests/security/with-api-prefix/permissionsinfo.yaml create mode 100644 tests/security/with-api-prefix/roles.yaml create mode 100644 tests/security/with-api-prefix/rolesmapping.yaml create mode 100644 tests/security/with-api-prefix/securityconfig.yaml create mode 100644 tests/security/with-api-prefix/ssl.yaml create mode 100644 tests/security/with-api-prefix/tenancy.yaml create mode 100644 tests/security/with-api-prefix/tenants.yaml create mode 100644 tests/security/with-api-prefix/validate.yaml create mode 100644 tests/security/without-api-prefix/authinfo.yaml create mode 100644 tests/security/without-api-prefix/dashboardsinfo.yaml create mode 100644 tests/security/without-api-prefix/health.yaml create mode 100644 tests/security/without-api-prefix/sslinfo.yaml create mode 100644 tests/security/without-api-prefix/tenantinfo.yaml create mode 100644 tests/security/without-api-prefix/upgrade.yaml create mode 100644 tests/security/without-api-prefix/whoami.yaml diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 234ab6fc7..0b706146f 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -60,8 +60,6 @@ paths: x-operation-group: security.post_dashboards_info x-version-added: '1.0' description: Updates the current security-dashboards plugin configuration. - requestBody: - $ref: '#/components/requestBodies/security.post_dashboards_info' responses: '200': $ref: '#/components/responses/security.post_dashboards_info@200' @@ -1203,12 +1201,6 @@ components: items: $ref: '../schemas/security._common.yaml#/components/schemas/PatchOperation' required: true - security.post_dashboards_info: - content: - application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/DashboardsInfo' - required: false security.update_audit_configuration: content: application/json: 
diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml new file mode 100644 index 000000000..c4a685192 --- /dev/null +++ b/tests/security/with-api-prefix/account.yaml @@ -0,0 +1,50 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test account endpoint. + +prologues: + - path: _plugins/_security/api/internalusers/{username} + method: PUT + parameters: + username: test + request_body: + payload: + password: "myWeakPassword123!" + opendistro_security_roles: [] + backend_roles: [] + attributes: {} + response: + status: 200 +chapters: + - synopsis: Get account details. + path: /_plugins/_security/api/account + method: GET + parameters: + format: json + response: + status: 200 +# TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented +# NOTE: this test assumes that admin password is set to `myStrongPassword123!`, please update this test to correct password. One more reason to have the above feature implemented to avoid this. + - synopsis: Change password. + path: /_plugins/_security/api/account + method: PUT + request_body: + payload: + current_password: "myStrongPassword123!" + password: "myWeakPassword123!" + response: + status: 200 +epilogues: + - path: /_plugins/_security/api/account + method: PUT + request_body: + payload: + current_password: "myWeakPassword123!" + password: "myStrongPassword123!" + response: + status: 200 + - path: /_plugins/_security/api/internalusers/{username} + method: DELETE + parameters: + username: test + status: [200, 404] \ No newline at end of file diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml new file mode 100644 index 000000000..c552db5e9 --- /dev/null +++ b/tests/security/with-api-prefix/action_groups.yaml 
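Review bot: The `Change password` chapter in tests/security/with-api-prefix/account.yaml rotates the admin account to `myWeakPassword123!` and relies on the first epilogue to restore `myStrongPassword123!`, so a run that stops between the two leaves the cluster's admin on a weak password that is published in this repository. If the runner keeps authenticating with the original admin credentials (its configuration is not visible in this hunk), the restoring epilogue may itself be rejected once the password has changed. Until the story can act as the `test` user created in the prologue, I would add above the chapter `# WARNING: changes the admin password; run only against a disposable cluster`. The prologue path `_plugins/_security/api/internalusers/{username}` also lacks the leading `/` that every other path in the file has.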
@@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test action_groups endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml new file mode 100644 index 000000000..3856a4103 --- /dev/null +++ b/tests/security/with-api-prefix/allowlist.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test allowlist endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml new file mode 100644 index 000000000..0325d6467 --- /dev/null +++ b/tests/security/with-api-prefix/audit.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test audit endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/authtoken.yaml b/tests/security/with-api-prefix/authtoken.yaml new file mode 100644 index 000000000..08558d587 --- /dev/null +++ b/tests/security/with-api-prefix/authtoken.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/cache.yaml b/tests/security/with-api-prefix/cache.yaml new file mode 100644 index 000000000..3600ab466 --- /dev/null +++ b/tests/security/with-api-prefix/cache.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test cache endpoint. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/internal_users.yaml b/tests/security/with-api-prefix/internal_users.yaml new file mode 100644 index 000000000..bccbb9b76 --- /dev/null +++ b/tests/security/with-api-prefix/internal_users.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test internal users endpoints. +prologues: +chapters: +epilogues: 
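Review bot: In tests/security/with-api-prefix/action_groups.yaml the bare `prologues:`, `chapters:` and `epilogues:` keys parse as null rather than as empty lists, and the story calls no endpoint, so the file suggests test coverage for the action-group API that does not exist. The same stub is added for allowlist, audit, authtoken, cache, internal_users, migrate, nodesdn, permissionsinfo, roles, rolesmapping, securityconfig, ssl, tenancy, tenants and validate. Whether the story schema accepts a null `chapters` is not visible here. I would either hold these files back until each carries at least one chapter, or write `chapters: []` with a comment such as `# TODO: no chapters yet; this story asserts nothing`.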
diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/with-api-prefix/migrate.yaml new file mode 100644 index 000000000..4310e3982 --- /dev/null +++ b/tests/security/with-api-prefix/migrate.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test migrate endpoint. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/nodesdn.yaml b/tests/security/with-api-prefix/nodesdn.yaml new file mode 100644 index 000000000..037497709 --- /dev/null +++ b/tests/security/with-api-prefix/nodesdn.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test nodesdn endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/permissionsinfo.yaml b/tests/security/with-api-prefix/permissionsinfo.yaml new file mode 100644 index 000000000..c21e48d5e --- /dev/null +++ b/tests/security/with-api-prefix/permissionsinfo.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test permissionsinfo endpoint. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/roles.yaml b/tests/security/with-api-prefix/roles.yaml new file mode 100644 index 000000000..3cd6e26c6 --- /dev/null +++ b/tests/security/with-api-prefix/roles.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test roles endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/with-api-prefix/rolesmapping.yaml new file mode 100644 index 000000000..857a1061c --- /dev/null +++ b/tests/security/with-api-prefix/rolesmapping.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test rolesmapping endpoint. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/securityconfig.yaml b/tests/security/with-api-prefix/securityconfig.yaml new file mode 100644 index 000000000..6fb9e86ee 
--- /dev/null +++ b/tests/security/with-api-prefix/securityconfig.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test securityconfig endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/ssl.yaml b/tests/security/with-api-prefix/ssl.yaml new file mode 100644 index 000000000..eea66942f --- /dev/null +++ b/tests/security/with-api-prefix/ssl.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test ssl endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/tenancy.yaml b/tests/security/with-api-prefix/tenancy.yaml new file mode 100644 index 000000000..573421e81 --- /dev/null +++ b/tests/security/with-api-prefix/tenancy.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test tenancy endpoint. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/tenants.yaml b/tests/security/with-api-prefix/tenants.yaml new file mode 100644 index 000000000..f883291ea --- /dev/null +++ b/tests/security/with-api-prefix/tenants.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test tenants endpoints. +prologues: +chapters: +epilogues: diff --git a/tests/security/with-api-prefix/validate.yaml b/tests/security/with-api-prefix/validate.yaml new file mode 100644 index 000000000..4a2134ad3 --- /dev/null +++ b/tests/security/with-api-prefix/validate.yaml @@ -0,0 +1,6 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test validate endpoint. +prologues: +chapters: +epilogues: diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml new file mode 100644 index 000000000..4b9ad67a7 --- /dev/null +++ b/tests/security/without-api-prefix/authinfo.yaml 
@@ -0,0 +1,20 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test authinfo endpoint. +chapters: + - synopsis: Get auth info. + path: /_plugins/_security/authinfo + method: GET + parameters: + auth_type: basic + verbose: false + response: + status: [200, 500] + - synopsis: Get auth info via POST. + path: /_plugins/_security/authinfo + method: POST + parameters: + auth_type: basic + verbose: false + response: + status: [200, 500] diff --git a/tests/security/without-api-prefix/dashboardsinfo.yaml b/tests/security/without-api-prefix/dashboardsinfo.yaml new file mode 100644 index 000000000..4fde724ad --- /dev/null +++ b/tests/security/without-api-prefix/dashboardsinfo.yaml @@ -0,0 +1,14 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test dashboardsinfo endpoint. +chapters: + - synopsis: Get dashboards info. + path: /_plugins/_security/dashboardsinfo + method: GET + response: + status: [200, 500] + - synopsis: Get dashboards info via POST. + path: /_plugins/_security/dashboardsinfo + method: POST + response: + status: [200, 500] diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/without-api-prefix/health.yaml new file mode 100644 index 000000000..8178981fa --- /dev/null +++ b/tests/security/without-api-prefix/health.yaml @@ -0,0 +1,18 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test health endpoint. +chapters: + - synopsis: Get security health info. + path: /_plugins/_security/health + method: GET + parameters: + mode: strict + response: + status: 200 + - synopsis: Get security health info via POST. + path: /_plugins/_security/health + method: POST + parameters: + mode: strict + response: + status: 200 \ No newline at end of file diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/without-api-prefix/sslinfo.yaml new file mode 100644 index 000000000..ab5e51b0d --- /dev/null +++ b/tests/security/without-api-prefix/sslinfo.yaml 
@@ -0,0 +1,11 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test sslinfo endpoint. +chapters: + - synopsis: Get ssl info. + path: /_opendistro/_security/sslinfo + method: GET + parameters: + show_dn: false + response: + status: [200, 500] diff --git a/tests/security/without-api-prefix/tenantinfo.yaml b/tests/security/without-api-prefix/tenantinfo.yaml new file mode 100644 index 000000000..a10350fb0 --- /dev/null +++ b/tests/security/without-api-prefix/tenantinfo.yaml @@ -0,0 +1,15 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test tenantinfo endpoint. +chapters: + - synopsis: Get tenant info. + path: /_plugins/_security/tenantinfo + method: GET + response: + status: [200, 500] + - synopsis: Get tenant info via POST. + path: /_plugins/_security/tenantinfo + method: POST + response: + status: [200, 500] + \ No newline at end of file diff --git a/tests/security/without-api-prefix/upgrade.yaml b/tests/security/without-api-prefix/upgrade.yaml new file mode 100644 index 000000000..485ab217c --- /dev/null +++ b/tests/security/without-api-prefix/upgrade.yaml @@ -0,0 +1,19 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test upgrade eligibility endpoints. +chapters: + - synopsis: Check whether an upgrade can be performed. + version: '>= 2.14' + path: /_plugins/_security/_upgrade_check + method: GET + response: + status: 200 + - synopsis: Perform the upgrade. + version: '>= 2.14' + path: /_plugins/_security/_upgrade_perform + method: POST + request_body: + payload: + config: ["roles"] + response: + status: 200 \ No newline at end of file diff --git a/tests/security/without-api-prefix/whoami.yaml b/tests/security/without-api-prefix/whoami.yaml new file mode 100644 index 000000000..70b81ce82 --- /dev/null +++ b/tests/security/without-api-prefix/whoami.yaml 
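Review bot: The sslinfo story calls `/_opendistro/_security/sslinfo`, while every other story added under tests/security/without-api-prefix uses the `/_plugins/_security/` prefix. If the spec also defines the `_plugins` route for this operation (not visible in this diff), that route stays untested. Either add a second chapter with `path: /_plugins/_security/sslinfo`, or put a comment above the path saying why only the legacy prefix is exercised, e.g. `# legacy route only: <reason>`.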
@@ -0,0 +1,20 @@ +$schema: ../../json_schemas/test_story.schema.yaml + +description: Test whoami endpoints. +chapters: + - synopsis: Get current user info. + path: /_plugins/_security/whoami + method: GET + response: + status: [200, 500] + - synopsis: Get current user info via POST. + path: /_plugins/_security/whoami + method: POST + response: + status: [200, 500] + - synopsis: Get current user info from protected endpoint. + version: '>= 2.11' + path: /_plugins/_security/whoamiprotected + method: GET + response: + status: [200, 500] From 4c51de4cc0abf3986e40f14a7b6aa15d7c9dd745 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 18 Jul 2024 17:02:29 -0400 Subject: [PATCH 03/48] Fixes schema path and lint error in a file 
Signed-off-by: Darshit Chanpura --- tests/security/with-api-prefix/account.yaml | 16 ++++++++-------- .../security/with-api-prefix/action_groups.yaml | 2 +- tests/security/with-api-prefix/allowlist.yaml | 2 +- tests/security/with-api-prefix/audit.yaml | 2 +- tests/security/with-api-prefix/authtoken.yaml | 2 +- tests/security/with-api-prefix/cache.yaml | 2 +- .../security/with-api-prefix/internal_users.yaml | 2 +- tests/security/with-api-prefix/migrate.yaml | 2 +- tests/security/with-api-prefix/nodesdn.yaml | 2 +- .../with-api-prefix/permissionsinfo.yaml | 2 +- tests/security/with-api-prefix/roles.yaml | 2 +- tests/security/with-api-prefix/rolesmapping.yaml | 2 +- .../security/with-api-prefix/securityconfig.yaml | 2 +- tests/security/with-api-prefix/ssl.yaml | 2 +- tests/security/with-api-prefix/tenancy.yaml | 2 +- tests/security/with-api-prefix/tenants.yaml | 2 +- tests/security/with-api-prefix/validate.yaml | 2 +- tests/security/without-api-prefix/authinfo.yaml | 2 +- .../without-api-prefix/dashboardsinfo.yaml | 2 +- tests/security/without-api-prefix/health.yaml | 2 +- tests/security/without-api-prefix/sslinfo.yaml | 2 +- .../security/without-api-prefix/tenantinfo.yaml | 2 +- tests/security/without-api-prefix/upgrade.yaml | 4 ++-- tests/security/without-api-prefix/whoami.yaml | 2 +- 24 files changed, 32 insertions(+), 32 deletions(-) diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index c4a685192..0e24e1dc9 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test account endpoint. @@ -9,7 +9,7 @@ prologues: username: test request_body: payload: - password: "myWeakPassword123!" + password: myWeakPassword123! opendistro_security_roles: [] backend_roles: [] attributes: {} 
@@ -23,15 +23,15 @@ chapters: format: json response: status: 200 -# TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented -# NOTE: this test assumes that admin password is set to `myStrongPassword123!`, please update this test to correct password. One more reason to have the above feature implemented to avoid this. + # TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented + # NOTE: this test assumes that admin password is set to `myStrongPassword123!`, please update this test to correct password. One more reason to have the above feature implemented to avoid this. - synopsis: Change password. path: /_plugins/_security/api/account method: PUT request_body: payload: - current_password: "myStrongPassword123!" - password: "myWeakPassword123!" + current_password: myStrongPassword123! + password: myWeakPassword123! response: status: 200 epilogues: @@ -39,8 +39,8 @@ epilogues: method: PUT request_body: payload: - current_password: "myWeakPassword123!" - password: "myStrongPassword123!" + current_password: myWeakPassword123! + password: myStrongPassword123! response: status: 200 - path: /_plugins/_security/api/internalusers/{username} diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml index c552db5e9..60d28642b 100644 --- a/tests/security/with-api-prefix/action_groups.yaml +++ b/tests/security/with-api-prefix/action_groups.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test action_groups endpoints. prologues: diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml index 3856a4103..5799f23c8 100644 --- a/tests/security/with-api-prefix/allowlist.yaml 
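Review bot: The re-indented NOTE in the `chapters` section of account.yaml still asks the reader to "update this test to correct password", which invites editing a tracked file with the real admin password of whatever cluster is under test. I would reword it so the fixed value is the contract: `# NOTE: requires a throwaway cluster whose admin password is myStrongPassword123!; do not put a real credential in this file.` The values unquoted in this hunk and in the epilogue hunk at -39,8 are safe as plain scalars only because the `!` is at the end. A replacement password that starts with `!`, `*` or `&`, or contains `: ` or ` #`, would need the quotes back.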
+++ b/tests/security/with-api-prefix/allowlist.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test allowlist endpoints. prologues: diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml index 0325d6467..5d72508a1 100644 --- a/tests/security/with-api-prefix/audit.yaml +++ b/tests/security/with-api-prefix/audit.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test audit endpoints. prologues: diff --git a/tests/security/with-api-prefix/authtoken.yaml b/tests/security/with-api-prefix/authtoken.yaml index 08558d587..4ffb4f05e 100644 --- a/tests/security/with-api-prefix/authtoken.yaml +++ b/tests/security/with-api-prefix/authtoken.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test authtoken endpoints. prologues: diff --git a/tests/security/with-api-prefix/cache.yaml b/tests/security/with-api-prefix/cache.yaml index 3600ab466..d536220f7 100644 --- a/tests/security/with-api-prefix/cache.yaml +++ b/tests/security/with-api-prefix/cache.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test cache endpoint. prologues: diff --git a/tests/security/with-api-prefix/internal_users.yaml b/tests/security/with-api-prefix/internal_users.yaml index bccbb9b76..b362e522a 100644 --- a/tests/security/with-api-prefix/internal_users.yaml +++ b/tests/security/with-api-prefix/internal_users.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test internal users endpoints. prologues: 
diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/with-api-prefix/migrate.yaml index 4310e3982..4d4d616dd 100644 --- a/tests/security/with-api-prefix/migrate.yaml +++ b/tests/security/with-api-prefix/migrate.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test migrate endpoint. prologues: diff --git a/tests/security/with-api-prefix/nodesdn.yaml b/tests/security/with-api-prefix/nodesdn.yaml index 037497709..14cdf254a 100644 --- a/tests/security/with-api-prefix/nodesdn.yaml +++ b/tests/security/with-api-prefix/nodesdn.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test nodesdn endpoints. prologues: diff --git a/tests/security/with-api-prefix/permissionsinfo.yaml b/tests/security/with-api-prefix/permissionsinfo.yaml index c21e48d5e..8a5a0d07e 100644 --- a/tests/security/with-api-prefix/permissionsinfo.yaml +++ b/tests/security/with-api-prefix/permissionsinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test permissionsinfo endpoint. prologues: diff --git a/tests/security/with-api-prefix/roles.yaml b/tests/security/with-api-prefix/roles.yaml index 3cd6e26c6..2d62353de 100644 --- a/tests/security/with-api-prefix/roles.yaml +++ b/tests/security/with-api-prefix/roles.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test roles endpoints. prologues: diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/with-api-prefix/rolesmapping.yaml index 857a1061c..8a7e1de17 100644 --- a/tests/security/with-api-prefix/rolesmapping.yaml +++ b/tests/security/with-api-prefix/rolesmapping.yaml 
@@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test rolesmapping endpoint. prologues: diff --git a/tests/security/with-api-prefix/securityconfig.yaml b/tests/security/with-api-prefix/securityconfig.yaml index 6fb9e86ee..b676f70b7 100644 --- a/tests/security/with-api-prefix/securityconfig.yaml +++ b/tests/security/with-api-prefix/securityconfig.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test securityconfig endpoints. prologues: diff --git a/tests/security/with-api-prefix/ssl.yaml b/tests/security/with-api-prefix/ssl.yaml index eea66942f..fa63c4100 100644 --- a/tests/security/with-api-prefix/ssl.yaml +++ b/tests/security/with-api-prefix/ssl.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test ssl endpoints. prologues: diff --git a/tests/security/with-api-prefix/tenancy.yaml b/tests/security/with-api-prefix/tenancy.yaml index 573421e81..7997800db 100644 --- a/tests/security/with-api-prefix/tenancy.yaml +++ b/tests/security/with-api-prefix/tenancy.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test tenancy endpoint. prologues: diff --git a/tests/security/with-api-prefix/tenants.yaml b/tests/security/with-api-prefix/tenants.yaml index f883291ea..6ac9d3f13 100644 --- a/tests/security/with-api-prefix/tenants.yaml +++ b/tests/security/with-api-prefix/tenants.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test tenants endpoints. prologues: diff --git a/tests/security/with-api-prefix/validate.yaml b/tests/security/with-api-prefix/validate.yaml index 4a2134ad3..2dd4f3765 100644 
--- a/tests/security/with-api-prefix/validate.yaml +++ b/tests/security/with-api-prefix/validate.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test validate endpoint. prologues: diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml index 4b9ad67a7..3b06a9448 100644 --- a/tests/security/without-api-prefix/authinfo.yaml +++ b/tests/security/without-api-prefix/authinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test authinfo endpoint. chapters: diff --git a/tests/security/without-api-prefix/dashboardsinfo.yaml b/tests/security/without-api-prefix/dashboardsinfo.yaml index 4fde724ad..5e095c204 100644 --- a/tests/security/without-api-prefix/dashboardsinfo.yaml +++ b/tests/security/without-api-prefix/dashboardsinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test dashboardsinfo endpoint. chapters: diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/without-api-prefix/health.yaml index 8178981fa..ba3e387dd 100644 --- a/tests/security/without-api-prefix/health.yaml +++ b/tests/security/without-api-prefix/health.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test health endpoint. chapters: diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/without-api-prefix/sslinfo.yaml index ab5e51b0d..7c5b26bcd 100644 --- a/tests/security/without-api-prefix/sslinfo.yaml +++ b/tests/security/without-api-prefix/sslinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test sslinfo endpoint. chapters: 
diff --git a/tests/security/without-api-prefix/tenantinfo.yaml b/tests/security/without-api-prefix/tenantinfo.yaml index a10350fb0..0a2d9a498 100644 --- a/tests/security/without-api-prefix/tenantinfo.yaml +++ b/tests/security/without-api-prefix/tenantinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test tenantinfo endpoint. chapters: diff --git a/tests/security/without-api-prefix/upgrade.yaml b/tests/security/without-api-prefix/upgrade.yaml index 485ab217c..6fad5e80d 100644 --- a/tests/security/without-api-prefix/upgrade.yaml +++ b/tests/security/without-api-prefix/upgrade.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test upgrade eligibility endpoints. chapters: @@ -14,6 +14,6 @@ chapters: method: POST request_body: payload: - config: ["roles"] + config: [roles] response: status: 200 \ No newline at end of file diff --git a/tests/security/without-api-prefix/whoami.yaml b/tests/security/without-api-prefix/whoami.yaml index 70b81ce82..55085de6d 100644 --- a/tests/security/without-api-prefix/whoami.yaml +++ b/tests/security/without-api-prefix/whoami.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test whoami endpoints. chapters: From a35cfdab661fe003d73444adb7032de2a412ff84 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 18 Jul 2024 17:11:52 -0400 Subject: [PATCH 04/48] Adds version check for account API test Signed-off-by: Darshit Chanpura --- tests/security/with-api-prefix/account.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index 0e24e1dc9..bbe4b063b 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml 
@@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test account endpoint. +version: '>= 2.12' # Should be removed once TODO referenced above is addressed prologues: - path: _plugins/_security/api/internalusers/{username} From 488e7746f2eb802c896f6588dc7e5a47fe855e31 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 18 Jul 2024 17:12:10 -0400 Subject: [PATCH 05/48] Adds a CHANGELOG entry Signed-off-by: Darshit Chanpura --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d520d3f8c..1053570d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -49,6 +49,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Added `is_hidden` to `/{index}/_alias/{name}` and `/{index}/_aliases/{name}` ([#429](https://github.com/opensearch-project/opensearch-api-specification/pull/429)) - Added `ignore_unmapped` to `GeoDistanceQuery` ([#427](https://github.com/opensearch-project/opensearch-api-specification/pull/427)) - Added missing variants of `indices.put_alias` ([#434](https://github.com/opensearch-project/opensearch-api-specification/pull/434)) +- Added tests for security APIs ([#439](https://github.com/opensearch-project/opensearch-api-specification/pull/439)) ### Changed From 0439eb29bf31d956db8804c69faf6b6d2c666510 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 18 Jul 2024 17:17:29 -0400 Subject: [PATCH 06/48] Fixes tests to expect status as integer Signed-off-by: Darshit Chanpura --- tests/security/without-api-prefix/authinfo.yaml | 4 ++-- tests/security/without-api-prefix/dashboardsinfo.yaml | 4 ++-- tests/security/without-api-prefix/sslinfo.yaml | 2 +- tests/security/without-api-prefix/tenantinfo.yaml | 4 ++-- tests/security/without-api-prefix/upgrade.yaml | 3 +-- tests/security/without-api-prefix/whoami.yaml | 6 +++--- 6 files changed, 11 insertions(+), 12 deletions(-) 
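Review bot: The comment on the added `version: '>= 2.12'` line in account.yaml points to a "TODO referenced above", but the hunk starts at the first line of the file and shows only `$schema` and `description` above it, so there is no TODO for a reader to follow. State the reason for the version floor in the comment itself, for example `version: '>= 2.12' # TODO(<issue link>): remove once <reason> is resolved`, with the real issue and reason filled in. Without that, nobody can tell when the restriction may be lifted.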
diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml index 3b06a9448..3895af8c0 100644 --- a/tests/security/without-api-prefix/authinfo.yaml +++ b/tests/security/without-api-prefix/authinfo.yaml @@ -9,7 +9,7 @@ chapters: auth_type: basic verbose: false response: - status: [200, 500] + status: 200 - synopsis: Get auth info via POST. path: /_plugins/_security/authinfo method: POST @@ -17,4 +17,4 @@ chapters: auth_type: basic verbose: false response: - status: [200, 500] + status: 200 diff --git a/tests/security/without-api-prefix/dashboardsinfo.yaml b/tests/security/without-api-prefix/dashboardsinfo.yaml index 5e095c204..16925b704 100644 --- a/tests/security/without-api-prefix/dashboardsinfo.yaml +++ b/tests/security/without-api-prefix/dashboardsinfo.yaml @@ -6,9 +6,9 @@ chapters: path: /_plugins/_security/dashboardsinfo method: GET response: - status: [200, 500] + status: 200 - synopsis: Get dashboards info via POST. path: /_plugins/_security/dashboardsinfo method: POST response: - status: [200, 500] + status: 200 diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/without-api-prefix/sslinfo.yaml index 7c5b26bcd..67afcf717 100644 --- a/tests/security/without-api-prefix/sslinfo.yaml +++ b/tests/security/without-api-prefix/sslinfo.yaml @@ -8,4 +8,4 @@ chapters: parameters: show_dn: false response: - status: [200, 500] + status: 200 diff --git a/tests/security/without-api-prefix/tenantinfo.yaml b/tests/security/without-api-prefix/tenantinfo.yaml index 0a2d9a498..9498a4275 100644 --- a/tests/security/without-api-prefix/tenantinfo.yaml +++ b/tests/security/without-api-prefix/tenantinfo.yaml @@ -6,10 +6,10 @@ chapters: path: /_plugins/_security/tenantinfo method: GET response: - status: [200, 500] + status: 200 - synopsis: Get tenant info via POST. path: /_plugins/_security/tenantinfo method: POST response: - status: [200, 500] + status: 200 \ No newline at end of file 
diff --git a/tests/security/without-api-prefix/upgrade.yaml b/tests/security/without-api-prefix/upgrade.yaml index 6fad5e80d..903cd13b8 100644 --- a/tests/security/without-api-prefix/upgrade.yaml +++ b/tests/security/without-api-prefix/upgrade.yaml @@ -1,15 +1,14 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test upgrade eligibility endpoints. +version: '>= 2.14' chapters: - synopsis: Check whether an upgrade can be performed. - version: '>= 2.14' path: /_plugins/_security/_upgrade_check method: GET response: status: 200 - synopsis: Perform the upgrade. - version: '>= 2.14' path: /_plugins/_security/_upgrade_perform method: POST request_body: diff --git a/tests/security/without-api-prefix/whoami.yaml b/tests/security/without-api-prefix/whoami.yaml index 55085de6d..fabc9bb22 100644 --- a/tests/security/without-api-prefix/whoami.yaml +++ b/tests/security/without-api-prefix/whoami.yaml @@ -6,15 +6,15 @@ chapters: path: /_plugins/_security/whoami method: GET response: - status: [200, 500] + status: 200 - synopsis: Get current user info via POST. path: /_plugins/_security/whoami method: POST response: - status: [200, 500] + status: 200 - synopsis: Get current user info from protected endpoint. version: '>= 2.11' path: /_plugins/_security/whoamiprotected method: GET response: - status: [200, 500] + status: 200 From f65a6cf906123bf99576a78f4ffbcede2a1e595a Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 22 Jul 2024 23:10:41 -0400 Subject: [PATCH 07/48] Adds base tests for all APIs 
Signed-off-by: Darshit Chanpura --- tests/security/with-api-prefix/account.yaml | 8 +- .../with-api-prefix/action_groups.yaml | 75 +++++++++++++++++++ tests/security/with-api-prefix/allowlist.yaml | 28 ++++++- tests/security/with-api-prefix/audit.yaml | 48 +++++++++++- tests/security/with-api-prefix/authtoken.yaml | 6 -- tests/security/with-api-prefix/cache.yaml | 23 +++++- .../with-api-prefix/internal_users.yaml | 57 +++++++++++++- tests/security/with-api-prefix/migrate.yaml | 9 ++- tests/security/with-api-prefix/nodesdn.yaml | 61 ++++++++++++++- .../with-api-prefix/permissionsinfo.yaml | 9 ++- tests/security/with-api-prefix/roles.yaml | 68 ++++++++++++++++- .../with-api-prefix/rolesmapping.yaml | 62 ++++++++++++++- .../with-api-prefix/securityconfig.yaml | 40 +++++++++- tests/security/with-api-prefix/ssl.yaml | 6 -- tests/security/with-api-prefix/ssl_certs.yaml | 20 +++++ tests/security/with-api-prefix/tenancy.yaml | 6 -- .../with-api-prefix/tenancy_config.yaml | 23 ++++++ tests/security/with-api-prefix/tenants.yaml | 54 ++++++++++++- tests/security/with-api-prefix/tokens.yaml | 35 +++++++++ tests/security/with-api-prefix/user.yaml | 37 +++++++++ tests/security/with-api-prefix/validate.yaml | 11 ++- tests/security/without-api-prefix/health.yaml | 4 +- 22 files changed, 642 insertions(+), 48 deletions(-) delete mode 100644 tests/security/with-api-prefix/authtoken.yaml delete mode 100644 tests/security/with-api-prefix/ssl.yaml create mode 100644 tests/security/with-api-prefix/ssl_certs.yaml delete mode 100644 tests/security/with-api-prefix/tenancy.yaml create mode 100644 tests/security/with-api-prefix/tenancy_config.yaml create mode 100644 tests/security/with-api-prefix/tokens.yaml create mode 100644 tests/security/with-api-prefix/user.yaml diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index bbe4b063b..e8cd74628 100644 --- a/tests/security/with-api-prefix/account.yaml 
+++ b/tests/security/with-api-prefix/account.yaml @@ -4,7 +4,7 @@ description: Test account endpoint. version: '>= 2.12' # Should be removed once TODO referenced above is addressed prologues: - - path: _plugins/_security/api/internalusers/{username} + - path: /_plugins/_security/api/internalusers/{username} method: PUT parameters: username: test @@ -14,8 +14,7 @@ prologues: opendistro_security_roles: [] backend_roles: [] attributes: {} - response: - status: 200 + status: 200 chapters: - synopsis: Get account details. path: /_plugins/_security/api/account @@ -42,8 +41,7 @@ epilogues: payload: current_password: myWeakPassword123! password: myStrongPassword123! - response: - status: 200 + status: 200 - path: /_plugins/_security/api/internalusers/{username} method: DELETE parameters: diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml index 60d28642b..0d9a4d624 100644 --- a/tests/security/with-api-prefix/action_groups.yaml +++ b/tests/security/with-api-prefix/action_groups.yaml 
@@ -1,6 +1,81 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test action_groups endpoints. + prologues: + - path: /_plugins/_security/api/actiongroups/{action_group} + method: PUT + parameters: + action_group: test + request_body: + payload: + reserved: + hidden: + allowed_actions: [] + type: + description: + static: + status: 200 chapters: + - synopsis: Get action groups bulk. + path: /_plugins/_security/api/actiongroups + method: GET + response: + status: 200 + - synopsis: Patch action groups bulk. + path: /_plugins/_security/api/actiongroups + method: PATCH + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Get action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: GET + parameters: + action_group: test + response: + status: 200 + - synopsis: Create action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: PUT + parameters: + action_group: test2 + request_body: + payload: + reserved: + hidden: + allowed_actions: [] + type: + description: + static: + response: + status: 200 + - synopsis: Patch action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: PATCH + parameters: + action_group: test2 + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Delete action group. + path: /_plugins/_security/api/actiongroups/{action_group} + method: DELETE + parameters: + action_group: test2 + response: + status: 200 epilogues: + - path: /_plugins/_security/api/actiongroups/{action_group} + method: DELETE + parameters: + action_group: test + status: [200, 404] diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml index 5799f23c8..53f54ab72 100644 --- a/tests/security/with-api-prefix/allowlist.yaml +++ b/tests/security/with-api-prefix/allowlist.yaml 
@@ -1,6 +1,30 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test allowlist endpoints. -prologues: + chapters: -epilogues: + - synopsis: Create an allowlist. + path: /_plugins/_security/api/allowlist + method: PUT + request_body: + payload: + config: + enabled: true, + requests: {} + response: + status: 200 + - synopsis: Get an allowlist. + path: /_plugins/_security/api/allowlist + method: GET + response: + status: 200 + - synopsis: Patch an allowlist. + path: /_plugins/_security/api/allowlist + method: PATCH + request_body: + payload: + op: + path: + value: + status: 200 + diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml index 5d72508a1..82d9db89a 100644 --- a/tests/security/with-api-prefix/audit.yaml +++ b/tests/security/with-api-prefix/audit.yaml @@ -1,6 +1,50 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test audit endpoints. -prologues: + chapters: -epilogues: + - synopsis: Create an audit config. + path: /_plugins/_security/api/audit/config + method: PUT + request_body: + payload: + compliance: + enabled: + write_log_diffs: + read_watched_fields: {} + read_ignore_users: [] + write_watched_indices: [] + write_ignore_users: [] + read_metadata_only: + write_metadata_only: + external_config: + internal_config: + enabled: true + audit: + ignore_users: + ignore_requests: [] + disabled_rest_categories: [] + disabled_transport_categories: [] + log_request_body: + resolve_indices: + resolve_bulk_requests: + exclude_sensitive_headers: + enable_transport: + enable_rest: + response: + status: 200 + - synopsis: Get an audit config. + path: /_plugins/_security/api/audit + method: GET + response: + status: 200 + - synopsis: Patch an audit config. + path: /_plugins/_security/api/audit + method: PATCH + request_body: + payload: + op: + path: + value: + status: 200 + 
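Review bot: In the "Create an allowlist" chapter of allowlist.yaml, `enabled: true,` carries a JSON-style trailing comma, so YAML reads the value as the string `true,` rather than a boolean; it should be `enabled: true`. In the "Patch an allowlist" chapter the added `status: 200` is not preceded by a `response:` key as in the other chapters, so the expected status may not be attached to the response check. The flattened page hides the indentation, so this needs confirming in the file. The PATCH chapters added to audit.yaml and securityconfig.yaml by this commit have the same shape.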
diff --git a/tests/security/with-api-prefix/authtoken.yaml b/tests/security/with-api-prefix/authtoken.yaml deleted file mode 100644 index 4ffb4f05e..000000000 --- a/tests/security/with-api-prefix/authtoken.yaml +++ /dev/null @@ -1,6 +0,0 @@ -$schema: ../../../json_schemas/test_story.schema.yaml - -description: Test authtoken endpoints. -prologues: -chapters: -epilogues: diff --git a/tests/security/with-api-prefix/cache.yaml b/tests/security/with-api-prefix/cache.yaml index d536220f7..b875fb75b 100644 --- a/tests/security/with-api-prefix/cache.yaml +++ b/tests/security/with-api-prefix/cache.yaml @@ -1,6 +1,25 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test cache endpoint. -prologues: + chapters: -epilogues: + - synopsis: Get cache. + path: /_plugins/_security/api/cache + method: GET + response: + status: 501 + - synopsis: Create cache. + path: /_plugins/_security/api/cache + method: POST + response: + status: 501 + - synopsis: Update cache. + path: /_plugins/_security/api/cache + method: PUT + response: + status: 501 + - synopsis: Flush cache. + path: /_plugins/_security/api/cache + method: DELETE + response: + status: 200 diff --git a/tests/security/with-api-prefix/internal_users.yaml b/tests/security/with-api-prefix/internal_users.yaml index b362e522a..9e0f69368 100644 --- a/tests/security/with-api-prefix/internal_users.yaml +++ b/tests/security/with-api-prefix/internal_users.yaml 
@@ -1,6 +1,59 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test internal users endpoints. -prologues: + chapters: -epilogues: + - synopsis: Get internal users bulk. + path: /_plugins/_security/api/internalusers + method: GET + response: + status: 200 + - synopsis: Patch internal users bulk. + path: /_plugins/_security/api/internalusers + method: PATCH + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Create internal user. + path: /_plugins/_security/api/internalusers/{username} + method: PUT + parameters: + username: test2 + request_body: + payload: + password: myWeakPassword123! + opendistro_security_roles: [] + backend_roles: [] + attributes: {} + response: + status: 200 + - synopsis: Get internal user. + path: /_plugins/_security/api/internalusers/{username} + method: GET + parameters: + username: test + response: + status: 200 + - synopsis: Patch internal user. + path: /_plugins/_security/api/internalusers/{username} + method: PATCH + parameters: + username: test + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Delete internal user. + path: /_plugins/_security/api/internalusers/{username} + method: DELETE + parameters: + username: test + response: + status: 200 diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/with-api-prefix/migrate.yaml index 4d4d616dd..cc4a7486d 100644 --- a/tests/security/with-api-prefix/migrate.yaml +++ b/tests/security/with-api-prefix/migrate.yaml @@ -1,6 +1,11 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test migrate endpoint. -prologues: + chapters: -epilogues: + - synopsis: Migrate v6 to v7 config. + path: /_plugins/_security/api/migrate + method: POST + response: + status: 200 + diff --git a/tests/security/with-api-prefix/nodesdn.yaml b/tests/security/with-api-prefix/nodesdn.yaml index 14cdf254a..494975ce3 100644 --- a/tests/security/with-api-prefix/nodesdn.yaml 
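Review bot: internal_users.yaml creates user `test2`, but its Get, Patch and Delete chapters act on `test`, which this story never creates now that `prologues:` is removed. The story therefore depends on a `test` user left over from elsewhere (account.yaml creates and deletes its own), and it leaves `test2` on the cluster with the fixture password. Use one username throughout, or add `prologues:` and `epilogues:` entries that create `test` and delete `test2`, the latter with `status: [200, 404]` as action_groups.yaml does. user.yaml in this commit has the same pattern.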
+++ b/tests/security/with-api-prefix/nodesdn.yaml @@ -1,6 +1,63 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test nodesdn endpoints. -prologues: + chapters: -epilogues: + - synopsis: Get distinguished names. + path: /_plugins/_security/api/nodesdn + method: GET + parameters: + show_all: true + response: + status: 200 + - synopsis: Patch distinguished names. + path: /_plugins/_security/api/nodesdn + method: PATCH + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Create distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: PUT + parameters: + cluster_name: test + request_body: + payload: + reserved: + hidden: + allowed_actions: [] + type: + description: + static: + response: + status: 200 + - synopsis: Get distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: GET + parameters: + cluster_name: test + response: + status: 200 + - synopsis: Patch distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: PATCH + parameters: + cluster_name: test + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Delete distinguished name. + path: /_plugins/_security/api/nodesdn/{cluster_name} + method: DELETE + parameters: + cluster_name: test + response: + status: 200 diff --git a/tests/security/with-api-prefix/permissionsinfo.yaml b/tests/security/with-api-prefix/permissionsinfo.yaml index 8a5a0d07e..6ef3b5de3 100644 --- a/tests/security/with-api-prefix/permissionsinfo.yaml +++ b/tests/security/with-api-prefix/permissionsinfo.yaml @@ -1,6 +1,11 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test permissionsinfo endpoint. -prologues: + chapters: -epilogues: + - synopsis: Get evaluated permissions for currently logged in user. + path: /_plugins/_security/api/nodesdn + method: GET + response: + status: 200 + \ No newline at end of file 
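Review bot: The "Create distinguished name" chapter in nodesdn.yaml sends the action-group payload (`reserved`, `hidden`, `allowed_actions`, `type`, `description`, `static`) to `/_plugins/_security/api/nodesdn/{cluster_name}`, which looks like a copy from action_groups.yaml. The nodes DN resource is a list of distinguished names, so the body should be along the lines of `nodes_dn: ['CN=node.example.com']` (constructed sample value). As written, a 200 here would not show that DN entries are accepted and stored.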
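Review bot: The only chapter in permissionsinfo.yaml, "Get evaluated permissions for currently logged in user.", requests `/_plugins/_security/api/nodesdn`, so the permissionsinfo endpoint is never exercised and the story passes on the nodesdn response instead. The path should be `path: /_plugins/_security/api/permissionsinfo`. The new file also ends with a whitespace-only line and no final newline.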
diff --git a/tests/security/with-api-prefix/roles.yaml b/tests/security/with-api-prefix/roles.yaml index 2d62353de..0bc53e70f 100644 --- a/tests/security/with-api-prefix/roles.yaml +++ b/tests/security/with-api-prefix/roles.yaml @@ -1,6 +1,70 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test roles endpoints. -prologues: + chapters: -epilogues: + - synopsis: Get roles bulk. + path: /_plugins/_security/api/roles + method: GET + response: + status: 200 + - synopsis: Patch roles bulk. + path: /_plugins/_security/api/roles + method: PATCH + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Create role. + path: /_plugins/_security/api/roles/{role} + method: PUT + parameters: + role: test + request_body: + payload: + reserved: + hidden: + description: + cluster_permissions: + index_permissions: + index_patterns: [] + dls: + fls: [] + masked_fields: [] + allowed_actions: [] + tenant_permissions: + tenant_patterns: [] + allowed_actions: [] + static: + response: + status: 200 + - synopsis: Get role. + path: /_plugins/_security/api/roles/{role} + method: GET + parameters: + role: test + response: + status: 200 + - synopsis: Patch role. + path: /_plugins/_security/api/roles/{role} + method: PATCH + parameters: + role: test + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Delete role. + path: /_plugins/_security/api/roles/{role} + method: DELETE + parameters: + role: test + response: + status: 200 + diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/with-api-prefix/rolesmapping.yaml index 8a7e1de17..b65bc228d 100644 --- a/tests/security/with-api-prefix/rolesmapping.yaml +++ b/tests/security/with-api-prefix/rolesmapping.yaml 
@@ -1,6 +1,64 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test rolesmapping endpoint. -prologues: + chapters: -epilogues: + - synopsis: Get rolesmapping bulk. + path: /_plugins/_security/api/rolesmapping + method: GET + response: + status: 200 + - synopsis: Patch rolesmapping bulk. + path: /_plugins/_security/api/rolesmapping + method: PATCH + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Create rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: PUT + parameters: + role: test + request_body: + payload: + hosts: [] + users: [] + reserved: + hidden: + backend_roles: [] + and_backend_roles: [] + description: + response: + status: 200 + - synopsis: Get rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: GET + parameters: + role: test + response: + status: 200 + - synopsis: Patch rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: PATCH + parameters: + role: test + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Delete rolesmapping. + path: /_plugins/_security/api/rolesmapping/{role} + method: DELETE + parameters: + role: test + response: + status: 200 + + diff --git a/tests/security/with-api-prefix/securityconfig.yaml b/tests/security/with-api-prefix/securityconfig.yaml index b676f70b7..6c5ca19a8 100644 --- a/tests/security/with-api-prefix/securityconfig.yaml +++ b/tests/security/with-api-prefix/securityconfig.yaml 
@@ -1,6 +1,42 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test securityconfig endpoints. -prologues: + chapters: -epilogues: + - synopsis: Update a security config. + path: /_plugins/_security/api/securityconfig/config + method: PUT + request_body: + payload: + dynamic: + filteredAliasMode: + disableRestAuth: + disableIntertransportAuth: + respectRequestIndicesOptions: + kibana: {} + http: {} + authc: {} + authz: {} + authFailureListeners: {} + doNotFailOnForbidden: + multiRolespanEnabled: + hostsResolverMode: + doNotFailOnForbiddenEmpty: + response: + status: 200 + - synopsis: Get a security config. + path: /_plugins/_security/api/securityconfig + method: GET + response: + status: 200 + - synopsis: Patch a security config. + path: /_plugins/_security/api/securityconfig + method: PATCH + request_body: + payload: + op: + path: + value: + status: 200 + + diff --git a/tests/security/with-api-prefix/ssl.yaml b/tests/security/with-api-prefix/ssl.yaml deleted file mode 100644 index fa63c4100..000000000 --- a/tests/security/with-api-prefix/ssl.yaml +++ /dev/null @@ -1,6 +0,0 @@ -$schema: ../../../json_schemas/test_story.schema.yaml - -description: Test ssl endpoints. -prologues: -chapters: -epilogues: diff --git a/tests/security/with-api-prefix/ssl_certs.yaml b/tests/security/with-api-prefix/ssl_certs.yaml new file mode 100644 index 000000000..c61607408 --- /dev/null +++ b/tests/security/with-api-prefix/ssl_certs.yaml @@ -0,0 +1,20 @@ +$schema: ../../../json_schemas/test_story.schema.yaml + +description: Test ssl endpoints. + +chapters: + - synopsis: Get ssl certificates. + path: /_plugins/_security/api/ssl/certs + method: GET + response: + status: 200 + - synopsis: Reload http certs. + path: /_plugins/_security/api/ssl/http/reloadcerts + method: PUT + response: + status: 200 + - synopsis: Reload transport certs. + path: /_plugins/_security/api/ssl/transport/reloadcerts + method: PUT + response: + status: 200 
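Review bot: The "Update a security config." chapter in securityconfig.yaml PUTs a `dynamic` block whose `authc`, `authz`, `http` and `kibana` are empty maps and whose other fields are null, and the story has no epilogue that puts the original configuration back. If the cluster accepts this body, every later story runs against a cluster whose authentication and authorization domains were replaced by the test. Add an `epilogues:` entry that PUTs the cluster's known baseline configuration back, or send a body that matches that baseline. Whether the test cluster enables this endpoint at all is not visible from the hunk.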
diff --git a/tests/security/with-api-prefix/tenancy.yaml b/tests/security/with-api-prefix/tenancy.yaml deleted file mode 100644 index 7997800db..000000000 --- a/tests/security/with-api-prefix/tenancy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -$schema: ../../../json_schemas/test_story.schema.yaml - -description: Test tenancy endpoint. -prologues: -chapters: -epilogues: diff --git a/tests/security/with-api-prefix/tenancy_config.yaml b/tests/security/with-api-prefix/tenancy_config.yaml new file mode 100644 index 000000000..8a4f4de89 --- /dev/null +++ b/tests/security/with-api-prefix/tenancy_config.yaml @@ -0,0 +1,23 @@ +$schema: ../../../json_schemas/test_story.schema.yaml + +description: Test tenancy config endpoint. +version: '>= 2.7' + +chapters: + - synopsis: Get tenancy config. + path: /_plugins/_security/api/tenancy/config + method: GET + response: + status: 200 + - synopsis: Create or Update tenancy config. + path: /_plugins/_security/api/tenancy/config + method: PUT + request_body: + payload: + default_tenant: + private_tenant_enabled: + multitenancy_enabled: + sign_in_options: [] + response: + status: 200 + diff --git a/tests/security/with-api-prefix/tenants.yaml b/tests/security/with-api-prefix/tenants.yaml index 6ac9d3f13..7057238fa 100644 --- a/tests/security/with-api-prefix/tenants.yaml +++ b/tests/security/with-api-prefix/tenants.yaml 
@@ -1,6 +1,56 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test tenants endpoints. -prologues: + chapters: -epilogues: + - synopsis: Get tenants bulk. + path: /_plugins/_security/api/tenants + method: GET + response: + status: 200 + - synopsis: Patch tenants bulk. + path: /_plugins/_security/api/tenants + method: PATCH + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Create tenant. + path: /_plugins/_security/api/tenants/{tenant} + method: PUT + parameters: + tenant: test + request_body: + payload: + description: + response: + status: 200 + - synopsis: Get tenant. + path: /_plugins/_security/api/tenants/{tenant} + method: GET + parameters: + tenant: test + response: + status: 200 + - synopsis: Patch tenant. + path: /_plugins/_security/api/tenants/{tenant} + method: PATCH + parameters: + tenant: test + request_body: + payload: + op: + path: + value: + response: + status: 200 + - synopsis: Delete tenant. + path: /_plugins/_security/api/tenants/{tenant} + method: DELETE + parameters: + tenant: test + response: + status: 200 diff --git a/tests/security/with-api-prefix/tokens.yaml b/tests/security/with-api-prefix/tokens.yaml new file mode 100644 index 000000000..4596fc724 --- /dev/null +++ b/tests/security/with-api-prefix/tokens.yaml 
@@ -0,0 +1,35 @@ +$schema: ../../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoints. + +chapters: + - synopsis: Create an auth token. + path: /_plugins/_security/api/authtoken + method: POST + response: + status: 200 + - synopsis: Create an On-Behalf-Of token. + version: '>= 2.12' + path: /_plugins/_security/api/generateonbehalfoftoken + method: POST + request_body: + payload: + description: Auth token for admin + service: "" + duration: 60 + response: + status: 200 + - synopsis: Create internal user token. + path: /_plugins/_security/api/internalusers/{username}/authtoken + method: POST + parameters: + username: admin + response: + status: 200 + - synopsis: Create user token. + path: /_plugins/_security/api/user/{username}/authtoken + method: POST + parameters: + username: admin + response: + status: 200 diff --git a/tests/security/with-api-prefix/user.yaml b/tests/security/with-api-prefix/user.yaml new file mode 100644 index 000000000..d3d875622 --- /dev/null +++ b/tests/security/with-api-prefix/user.yaml @@ -0,0 +1,37 @@ +$schema: ../../../json_schemas/test_story.schema.yaml + +description: Test user endpoints. + +chapters: + - synopsis: Get user bulk. + path: /_plugins/_security/api/user + method: GET + response: + status: 200 + - synopsis: Create user. + path: /_plugins/_security/api/user/{username} + method: PUT + parameters: + username: test2 + request_body: + payload: + password: myWeakPassword123! + opendistro_security_roles: [] + backend_roles: [] + attributes: {} + response: + status: 200 + - synopsis: Get user. + path: /_plugins/_security/api/user/{username} + method: GET + parameters: + username: test + response: + status: 200 + - synopsis: Delete user. + path: /_plugins/_security/api/user/{username} + method: DELETE + parameters: + username: test + response: + status: 200 diff --git a/tests/security/with-api-prefix/validate.yaml b/tests/security/with-api-prefix/validate.yaml index 2dd4f3765..37d4660ee 100644 
--- a/tests/security/with-api-prefix/validate.yaml +++ b/tests/security/with-api-prefix/validate.yaml @@ -1,6 +1,13 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test validate endpoint. -prologues: + chapters: -epilogues: + - synopsis: Check whether v6 configuration is valid. + path: /_plugins/_security/api/validate + method: GET + parameters: + accept_invalid: false + response: + status: 200 + diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/without-api-prefix/health.yaml index ba3e387dd..636eafb03 100644 --- a/tests/security/without-api-prefix/health.yaml +++ b/tests/security/without-api-prefix/health.yaml @@ -9,10 +9,12 @@ chapters: mode: strict response: status: 200 + message: - synopsis: Get security health info via POST. path: /_plugins/_security/health method: POST parameters: mode: strict response: - status: 200 \ No newline at end of file + status: 200 + message: \ No newline at end of file From a25b14f7608fe221050b75af109f801d381ef01a Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Tue, 23 Jul 2024 00:21:19 -0400 Subject: [PATCH 08/48] Fixes linter errors and complete payloads and request bodies 
Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 4 +- spec/schemas/security._common.yaml | 1 - .../with-api-prefix/action_groups.yaml | 40 +++++++------- tests/security/with-api-prefix/allowlist.yaml | 13 ++--- tests/security/with-api-prefix/audit.yaml | 52 +++++++++++-------- .../with-api-prefix/internal_users.yaml | 17 +++--- tests/security/with-api-prefix/nodesdn.yaml | 22 ++++---- tests/security/with-api-prefix/roles.yaml | 47 +++++++++-------- .../with-api-prefix/rolesmapping.yaml | 30 +++++------ .../with-api-prefix/securityconfig.yaml | 52 ++++++++++++------- .../with-api-prefix/tenancy_config.yaml | 6 +-- tests/security/with-api-prefix/tenants.yaml | 22 ++++---- tests/security/with-api-prefix/tokens.yaml | 2 +- tests/security/without-api-prefix/health.yaml | 4 +- 14 files changed, 171 insertions(+), 141 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 0b706146f..c099ddb7b 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -1062,9 +1062,7 @@ components: content: application/json: schema: - type: array - items: - $ref: '../schemas/security._common.yaml#/components/schemas/MultiTenancyConfig' + $ref: '../schemas/security._common.yaml#/components/schemas/MultiTenancyConfig' required: true security.create_user: content: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 2fcce2ec2..d9286c1d9 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -419,7 +419,6 @@ components: type: array items: type: string - description: Value in seconds. OBOToken: type: object diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml index 0d9a4d624..c4915d59c 100644 --- a/tests/security/with-api-prefix/action_groups.yaml +++ b/tests/security/with-api-prefix/action_groups.yaml 
@@ -9,12 +9,12 @@ prologues: action_group: test request_body: payload: - reserved: - hidden: + reserved: false + hidden: false allowed_actions: [] - type: - description: - static: + type: index + description: Test action group + static: false status: 200 chapters: - synopsis: Get action groups bulk. @@ -26,10 +26,13 @@ chapters: path: /_plugins/_security/api/actiongroups method: PATCH request_body: - payload: - op: - path: - value: + payload: + - op: add + path: /test + value: + allowed_actions: ['indices:admin/create', 'indices:admin/mapping/put'] + + response: status: 200 - synopsis: Get action group. @@ -46,12 +49,12 @@ chapters: action_group: test2 request_body: payload: - reserved: - hidden: + reserved: false + hidden: false allowed_actions: [] - type: - description: - static: + type: index + description: Test action group + static: false response: status: 200 - synopsis: Patch action group. @@ -60,10 +63,11 @@ chapters: parameters: action_group: test2 request_body: - payload: - op: - path: - value: + payload: + - op: replace + path: /allowed_actions + value: + allowed_actions: ['indices:admin/create', 'indices:admin/mapping/put'] response: status: 200 - synopsis: Delete action group. diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml index 53f54ab72..50e8d148f 100644 --- a/tests/security/with-api-prefix/allowlist.yaml +++ b/tests/security/with-api-prefix/allowlist.yaml @@ -10,7 +10,8 @@ chapters: payload: config: enabled: true, - requests: {} + requests: + /_cat/nodes: [GET] response: status: 200 - synopsis: Get an allowlist. @@ -22,9 +23,9 @@ chapters: path: /_plugins/_security/api/allowlist method: PATCH request_body: - payload: - op: - path: - value: - status: 200 + op: remove + path: /config/requests + + response: + status: 200 diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml index 82d9db89a..116dc22e2 100644 
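Review bot: In the allowlist.yaml PATCH chapter (hunk `@@ -22,9 +23,9 @@`) the `payload:` key is removed and not re-added, so `op: remove` and `path: /config/requests` become direct children of `request_body`. The other PATCH chapters in this commit keep their operations under `payload:`, so this story may send no patch body at all and still be counted as covering the allowlist endpoint. I would restore `payload:` and put the operation in a list, `- op: remove` with `path: /config/requests`. Indentation is lost in this rendering, so the nesting is read from the `+`/`-` markers only.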
--- a/tests/security/with-api-prefix/audit.yaml +++ b/tests/security/with-api-prefix/audit.yaml @@ -8,29 +8,37 @@ chapters: method: PUT request_body: payload: - compliance: - enabled: - write_log_diffs: + enabled: true + audit: + ignore_users: [] + ignore_requests: [] + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + log_request_body: false + resolve_indices: false + resolve_bulk_requests: false + exclude_sensitive_headers: true + enable_transport: false + enable_rest: true + + compliance: + enabled: true + write_log_diffs: false read_watched_fields: {} read_ignore_users: [] write_watched_indices: [] write_ignore_users: [] - read_metadata_only: - write_metadata_only: - external_config: - internal_config: - enabled: true - audit: - ignore_users: - ignore_requests: [] - disabled_rest_categories: [] - disabled_transport_categories: [] - log_request_body: - resolve_indices: - resolve_bulk_requests: - exclude_sensitive_headers: - enable_transport: - enable_rest: + read_metadata_only: true + write_metadata_only: true + external_config: false + internal_config: true + response: status: 200 - synopsis: Get an audit config. @@ -43,8 +51,8 @@ chapters: method: PATCH request_body: payload: - op: - path: - value: + op: add + path: /config/enabled + value: 'true' status: 200 diff --git a/tests/security/with-api-prefix/internal_users.yaml b/tests/security/with-api-prefix/internal_users.yaml index 9e0f69368..def22b59e 100644 --- a/tests/security/with-api-prefix/internal_users.yaml +++ b/tests/security/with-api-prefix/internal_users.yaml 
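Review bot: The audit.yaml PATCH chapter (hunk `@@ -43,8 +51,8 @@`) fills `payload` with a single mapping (`op: add`, `path: /config/enabled`, `value: 'true'`) rather than a list of operations, and the quoted `'true'` sends a string where the PUT chapter above uses a boolean for `enabled`. The bulk PATCH chapters in this commit use the list form (`- op: ...`), which is the shape a JSON Patch body has. I would write `- op: add`, `path: /config/enabled`, `value: true`, so the story really checks that audit logging can be toggled through this endpoint. The same single-mapping payload appears in the per-resource PATCH chapters of internal_users.yaml, nodesdn.yaml, roles.yaml and securityconfig.yaml (the last also with `value: 'true'`). The unchanged `status: 200` after the payload also appears to sit outside a `response:` key, unlike the other chapters.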
@@ -12,17 +12,18 @@ chapters: path: /_plugins/_security/api/internalusers method: PATCH request_body: - payload: - op: - path: - value: + payload: + - op: add + path: /test + value: + backend_roles: [admin] response: status: 200 - synopsis: Create internal user. path: /_plugins/_security/api/internalusers/{username} method: PUT parameters: - username: test2 + username: test request_body: payload: password: myWeakPassword123! @@ -45,9 +46,9 @@ chapters: username: test request_body: payload: - op: - path: - value: + op: replace + path: /opendistro_security_roles + value: [ship_manager] response: status: 200 - synopsis: Delete internal user. diff --git a/tests/security/with-api-prefix/nodesdn.yaml b/tests/security/with-api-prefix/nodesdn.yaml index 494975ce3..1d8f668e1 100644 --- a/tests/security/with-api-prefix/nodesdn.yaml +++ b/tests/security/with-api-prefix/nodesdn.yaml @@ -14,10 +14,10 @@ chapters: path: /_plugins/_security/api/nodesdn method: PATCH request_body: - payload: - op: - path: - value: + payload: + - op: replace + path: /cluster1/nodes_dn/0 + value: [''] response: status: 200 - synopsis: Create distinguished name. @@ -27,12 +27,8 @@ chapters: cluster_name: test request_body: payload: - reserved: - hidden: - allowed_actions: [] - type: - description: - static: + nodes_dn: + - CN=cluster3.example.com response: status: 200 - synopsis: Get distinguished name. @@ -49,9 +45,9 @@ chapters: cluster_name: test request_body: payload: - op: - path: - value: + op: replace + path: /test/nodes_dn/0 + value: [CN=cluster2.example.com] response: status: 200 - synopsis: Delete distinguished name. diff --git a/tests/security/with-api-prefix/roles.yaml b/tests/security/with-api-prefix/roles.yaml index 0bc53e70f..c1d12628c 100644 --- a/tests/security/with-api-prefix/roles.yaml +++ b/tests/security/with-api-prefix/roles.yaml 
@@ -12,10 +12,12 @@ chapters: path: /_plugins/_security/api/roles method: PATCH request_body: - payload: - op: - path: - value: + payload: + - op: replace + path: /test/index_permissions/0/fls + value: ['random*', ~random1] + - op: remove + path: /test/index_permissions/0/dls response: status: 200 - synopsis: Create role. @@ -25,20 +27,22 @@ chapters: role: test request_body: payload: - reserved: - hidden: - description: - cluster_permissions: - index_permissions: - index_patterns: [] - dls: - fls: [] - masked_fields: [] - allowed_actions: [] - tenant_permissions: - tenant_patterns: [] - allowed_actions: [] - static: + cluster_permissions: + - cluster_composite_ops + - indices_monitor + index_permissions: + - index_patterns: + - 'movies*' + dls: '' + fls: [] + masked_fields: [] + allowed_actions: + - read + tenant_permissions: + - tenant_patterns: + - human_resources + allowed_actions: + - kibana_all_read response: status: 200 - synopsis: Get role. @@ -55,9 +59,10 @@ chapters: role: test request_body: payload: - op: - path: - value: + op: replace + path: /index_permissions/0/fls + value: [random1, random2] + response: status: 200 - synopsis: Delete role. diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/with-api-prefix/rolesmapping.yaml index b65bc228d..8aceeb770 100644 --- a/tests/security/with-api-prefix/rolesmapping.yaml +++ b/tests/security/with-api-prefix/rolesmapping.yaml @@ -12,10 +12,12 @@ chapters: path: /_plugins/_security/api/rolesmapping method: PATCH request_body: - payload: - op: - path: - value: + payload: + - op: add + path: /all_access + value: + users: [test] + backend_roles: [admin] response: status: 200 - synopsis: Create rolesmapping. 
@@ -25,13 +27,11 @@ chapters: role: test request_body: payload: - hosts: [] - users: [] - reserved: - hidden: - backend_roles: [] - and_backend_roles: [] - description: + backend_roles: [captains] + hosts: + - '*.example.com' + + users: [test] response: status: 200 - synopsis: Get rolesmapping. @@ -47,10 +47,10 @@ chapters: parameters: role: test request_body: - payload: - op: - path: - value: + payload: + - op: replace + path: /backend_roles + value: [admin] response: status: 200 - synopsis: Delete rolesmapping. diff --git a/tests/security/with-api-prefix/securityconfig.yaml b/tests/security/with-api-prefix/securityconfig.yaml index 6c5ca19a8..e0a817315 100644 --- a/tests/security/with-api-prefix/securityconfig.yaml +++ b/tests/security/with-api-prefix/securityconfig.yaml @@ -8,20 +8,35 @@ chapters: method: PUT request_body: payload: - dynamic: - filteredAliasMode: - disableRestAuth: - disableIntertransportAuth: - respectRequestIndicesOptions: - kibana: {} - http: {} - authc: {} - authz: {} - authFailureListeners: {} - doNotFailOnForbidden: - multiRolespanEnabled: - hostsResolverMode: - doNotFailOnForbiddenEmpty: + dynamic: + filtered_alias_mode: warn + disable_rest_auth: false + disable_intertransport_auth: false + respect_request_indices_options: false + opensearch-dashboards: + multitenancy_enabled: true + server_username: kibanaserver + index: .opensearch-dashboards + http: + anonymous_auth_enabled: false + authc: + basic_internal_auth_domain: + http_enabled: true + transport_enabled: true + order: 0 + http_authenticator: + challenge: true + type: basic + config: {} + authentication_backend: + type: intern + config: {} + description: Authenticate via HTTP Basic against internal users database + auth_failure_listeners: {} + do_not_fail_on_forbidden: false + multi_rolespan_enabled: true + hosts_resolver_mode: ip-only + do_not_fail_on_forbidden_empty: false response: status: 200 - synopsis: Get a security config. 
@@ -34,9 +49,10 @@ chapters: method: PATCH request_body: payload: - op: - path: - value: - status: 200 + op: replace + path: /config/dynamic/authc/basic_internal_auth_domain/transport_enabled + value: 'true' + response: + status: 200 diff --git a/tests/security/with-api-prefix/tenancy_config.yaml b/tests/security/with-api-prefix/tenancy_config.yaml index 8a4f4de89..eef62871e 100644 --- a/tests/security/with-api-prefix/tenancy_config.yaml +++ b/tests/security/with-api-prefix/tenancy_config.yaml @@ -14,9 +14,9 @@ chapters: method: PUT request_body: payload: - default_tenant: - private_tenant_enabled: - multitenancy_enabled: + default_tenant: custom tenant 1 + private_tenant_enabled: false + multitenancy_enabled: true sign_in_options: [] response: status: 200 diff --git a/tests/security/with-api-prefix/tenants.yaml b/tests/security/with-api-prefix/tenants.yaml index 7057238fa..c223614cd 100644 --- a/tests/security/with-api-prefix/tenants.yaml +++ b/tests/security/with-api-prefix/tenants.yaml @@ -12,10 +12,12 @@ chapters: path: /_plugins/_security/api/tenants method: PATCH request_body: - payload: - op: - path: - value: + payload: + - op: replace + path: /test/description + value: A very good description + + response: status: 200 - synopsis: Create tenant. @@ -25,7 +27,7 @@ chapters: tenant: test request_body: payload: - description: + description: A test tenant. response: status: 200 - synopsis: Get tenant. @@ -41,10 +43,12 @@ chapters: parameters: tenant: test request_body: - payload: - op: - path: - value: + payload: + - op: replace + path: /description + value: An updated description + + response: status: 200 - synopsis: Delete tenant. diff --git a/tests/security/with-api-prefix/tokens.yaml b/tests/security/with-api-prefix/tokens.yaml index 4596fc724..6b2423ea0 100644 --- a/tests/security/with-api-prefix/tokens.yaml +++ b/tests/security/with-api-prefix/tokens.yaml 
@@ -15,7 +15,7 @@ chapters: request_body: payload: description: Auth token for admin - service: "" + service: '' duration: 60 response: status: 200 diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/without-api-prefix/health.yaml index 636eafb03..ba3e387dd 100644 --- a/tests/security/without-api-prefix/health.yaml +++ b/tests/security/without-api-prefix/health.yaml @@ -9,12 +9,10 @@ chapters: mode: strict response: status: 200 - message: - synopsis: Get security health info via POST. path: /_plugins/_security/health method: POST parameters: mode: strict response: - status: 200 - message: \ No newline at end of file + status: 200 \ No newline at end of file From ab976d480d57d08575945aaa55b09e6995d4ce36 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Tue, 23 Jul 2024 01:34:13 -0400 Subject: [PATCH 09/48] Adds API spec for the new certificates API and adds tests Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 59 +++++++++++++++++++ spec/schemas/security._common.yaml | 46 +++++++++++++++ .../with-api-prefix/certificates.yaml | 33 +++++++++++ 3 files changed, 138 insertions(+) create mode 100644 tests/security/with-api-prefix/certificates.yaml diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index c099ddb7b..fd8c479bb 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml 
@@ -384,6 +384,35 @@ paths: responses: '200': $ref: '#/components/responses/security.flush_cache@200' + /_plugins/_security/api/certificates: + get: + operationId: security.get_certificates_new.0 + x-operation-group: security.get_certificates_new + x-version-added: '2.15' + description: Retrieves the cluster security certificates. + parameters: + - $ref: '#/components/parameters/security.get_certificates_new::query.cert_type' + - $ref: '#/components/parameters/security.get_certificates_new::query.timeout' + responses: + '200': + $ref: '#/components/responses/security.get_certificates_new@200' + '400': + $ref: '#/components/responses/security.get_certificates_new@500' + /_plugins/_security/api/certificates/{node_id}: + get: + operationId: security.get_certificates_new.1 + x-operation-group: security.get_certificates_new + x-version-added: '2.15' + description: Retrieves the given node's security certificates. + parameters: + - $ref: '#/components/parameters/security.get_certificates_new::path.node_id' + - $ref: '#/components/parameters/security.get_certificates_new::query.cert_type' + - $ref: '#/components/parameters/security.get_certificates_new::query.timeout' + responses: + '200': + $ref: '#/components/responses/security.get_certificates_new@200' + '400': + $ref: '#/components/responses/security.get_certificates_new@500' /_plugins/_security/api/generateonbehalfoftoken: post: operationId: security.generate_obo_token.0 
@@ -1451,12 +1480,24 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificates' + security.get_certificates_new@200: + description: '' + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificatesNew' security.get_certificates@400: description: '' content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + security.get_certificates_new@500: + description: '' + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/InternalServerError' security.get_configuration@200: description: '' content: @@ -1982,6 +2023,24 @@ components: type: string description: Action group to retrieve. required: true + security.get_certificates_new::path.node_id: + name: node_id + in: path + schema: + type: string + required: true + security.get_certificates_new::query.cert_type: + name: cert_type + in: query + schema: + type: string + required: false + security.get_certificates_new::query.timeout: + name: timeout + in: query + schema: + type: string + required: false security.get_distinguished_name::path.cluster_name: name: cluster_name in: path diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index d9286c1d9..fc07b9a72 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -194,6 +194,28 @@ components: type: string not_after: type: string + + CertificatesPerNode: + type: object + properties: + name: + type: string + description: Name of the node. + certificates: + type: object + properties: + http: + type: array + items: + type: object + properties: + $ref: '#/components/schemas/CertificatesDetail' + transport: + type: array + items: + type: object + properties: + $ref: '#/components/schemas/CertificatesDetail' GetCertificates: type: object 
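Review bot: The three parameters added in hunk `@@ -1982,6 +2023,24 @@` (`node_id`, `cert_type`, `timeout`) carry no `description`, unlike the neighbouring `action_group` parameter. For an endpoint that returns certificate details, the spec should state what `cert_type` selects and what format `timeout` takes. I would add, for example, `description: ID of the node whose certificates are returned.` to `node_id`, plus matching one-line descriptions for the other two once their semantics are confirmed. The only `cert_type` value visible on this page is `all` in the test story, so an `enum` would need the full list from the plugin.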
@@ -206,6 +228,30 @@ components: type: array items: $ref: '#/components/schemas/CertificatesDetail' + + GetCertificatesNew: + type: object + properties: + _nodes: + type: object + properties: + total: + type: number + description: Total number of nodes. + successful: + type: number + description: Number of nodes for which certificates could be fetched. + failed: + type: number + description: Number of nodes for which certificates could not be fetched. + cluster_name: + type: string + description: Name of this cluster. + nodes: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificatesPerNode' + ChangePasswordRequestContent: type: object diff --git a/tests/security/with-api-prefix/certificates.yaml b/tests/security/with-api-prefix/certificates.yaml new file mode 100644 index 000000000..efb31c5ca --- /dev/null +++ b/tests/security/with-api-prefix/certificates.yaml @@ -0,0 +1,33 @@ +$schema: ../../../json_schemas/test_story.schema.yaml + +description: Test certificates endpoints. +version: '>= 2.15' + +prologues: + - synopsis: Get node. + id: get_node + path: /_cat/nodes + method: POST + parameters: + h: id + full_id: true + response: + status: 200 + output: + node_id: payload.0.id +chapters: + - synopsis: Get all certificates. + path: /_plugins/_security/api/certificates + method: GET + parameters: + cert_type: all + response: + status: 200 + - synopsis: Get node certificates. + path: /_plugins/_security/api/certificates/{node_id} + method: GET + parameters: + node_id: ${get_node.node_id} + cert_type: all + response: + status: 200 From 463401af87f3bc9460cc65d3058083088be482af Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Tue, 23 Jul 2024 01:38:51 -0400 Subject: [PATCH 10/48] Adds missing new lines at the end of files and removes any extra lines added by linter 
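Review bot: The `get_node` prologue in the new certificates.yaml calls `/_cat/nodes` with `method: POST` and then reads `payload.0.id` from the result. The cat APIs are read endpoints normally requested with GET, and they return a text table unless JSON is requested, so the `node_id` output may never resolve and the per-node certificates chapter would run against an unset id. This is inferred, since the test runner's defaults are not visible here. I would use `method: GET` and add `format: json` to the prologue parameters.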
Signed-off-by: Darshit Chanpura --- tests/security/with-api-prefix/account.yaml | 2 +- tests/security/with-api-prefix/action_groups.yaml | 2 -- tests/security/with-api-prefix/allowlist.yaml | 2 -- tests/security/with-api-prefix/audit.yaml | 5 ----- tests/security/with-api-prefix/migrate.yaml | 1 - tests/security/with-api-prefix/permissionsinfo.yaml | 2 +- tests/security/with-api-prefix/roles.yaml | 2 -- tests/security/with-api-prefix/rolesmapping.yaml | 3 --- tests/security/with-api-prefix/securityconfig.yaml | 2 -- tests/security/with-api-prefix/tenancy_config.yaml | 1 - tests/security/with-api-prefix/tenants.yaml | 4 ---- tests/security/with-api-prefix/validate.yaml | 1 - 12 files changed, 2 insertions(+), 25 deletions(-) diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index e8cd74628..9adb58ff0 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml @@ -46,4 +46,4 @@ epilogues: method: DELETE parameters: username: test - status: [200, 404] \ No newline at end of file + status: [200, 404] diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml index c4915d59c..accef99e7 100644 --- a/tests/security/with-api-prefix/action_groups.yaml +++ b/tests/security/with-api-prefix/action_groups.yaml @@ -31,8 +31,6 @@ chapters: path: /test value: allowed_actions: ['indices:admin/create', 'indices:admin/mapping/put'] - - response: status: 200 - synopsis: Get action group. diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml index 50e8d148f..b2ed6fa13 100644 --- a/tests/security/with-api-prefix/allowlist.yaml +++ b/tests/security/with-api-prefix/allowlist.yaml @@ -25,7 +25,5 @@ chapters: request_body: op: remove path: /config/requests - response: status: 200 - 
diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml index 116dc22e2..2f378ee6b 100644 --- a/tests/security/with-api-prefix/audit.yaml +++ b/tests/security/with-api-prefix/audit.yaml @@ -15,18 +15,15 @@ chapters: disabled_rest_categories: - AUTHENTICATED - GRANTED_PRIVILEGES - disabled_transport_categories: - AUTHENTICATED - GRANTED_PRIVILEGES - log_request_body: false resolve_indices: false resolve_bulk_requests: false exclude_sensitive_headers: true enable_transport: false enable_rest: true - compliance: enabled: true write_log_diffs: false @@ -38,7 +35,6 @@ chapters: write_metadata_only: true external_config: false internal_config: true - response: status: 200 - synopsis: Get an audit config. @@ -55,4 +51,3 @@ chapters: path: /config/enabled value: 'true' status: 200 - diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/with-api-prefix/migrate.yaml index cc4a7486d..67a4e3a6d 100644 --- a/tests/security/with-api-prefix/migrate.yaml +++ b/tests/security/with-api-prefix/migrate.yaml @@ -8,4 +8,3 @@ chapters: method: POST response: status: 200 - diff --git a/tests/security/with-api-prefix/permissionsinfo.yaml b/tests/security/with-api-prefix/permissionsinfo.yaml index 6ef3b5de3..1db4b098c 100644 --- a/tests/security/with-api-prefix/permissionsinfo.yaml +++ b/tests/security/with-api-prefix/permissionsinfo.yaml @@ -4,7 +4,7 @@ description: Test permissionsinfo endpoint. chapters: - synopsis: Get evaluated permissions for currently logged in user. - path: /_plugins/_security/api/nodesdn + path: /_plugins/_security/api/permissionsinfo method: GET response: status: 200 diff --git a/tests/security/with-api-prefix/roles.yaml b/tests/security/with-api-prefix/roles.yaml index c1d12628c..201d0c487 100644 --- a/tests/security/with-api-prefix/roles.yaml +++ b/tests/security/with-api-prefix/roles.yaml 
@@ -62,7 +62,6 @@ chapters: op: replace path: /index_permissions/0/fls value: [random1, random2] - response: status: 200 - synopsis: Delete role. @@ -72,4 +71,3 @@ chapters: role: test response: status: 200 - diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/with-api-prefix/rolesmapping.yaml index 8aceeb770..e518957ec 100644 --- a/tests/security/with-api-prefix/rolesmapping.yaml +++ b/tests/security/with-api-prefix/rolesmapping.yaml @@ -30,7 +30,6 @@ chapters: backend_roles: [captains] hosts: - '*.example.com' - users: [test] response: status: 200 @@ -60,5 +59,3 @@ chapters: role: test response: status: 200 - - diff --git a/tests/security/with-api-prefix/securityconfig.yaml b/tests/security/with-api-prefix/securityconfig.yaml index e0a817315..0082dfc7e 100644 --- a/tests/security/with-api-prefix/securityconfig.yaml +++ b/tests/security/with-api-prefix/securityconfig.yaml @@ -54,5 +54,3 @@ chapters: value: 'true' response: status: 200 - - diff --git a/tests/security/with-api-prefix/tenancy_config.yaml b/tests/security/with-api-prefix/tenancy_config.yaml index eef62871e..cc8a6d820 100644 --- a/tests/security/with-api-prefix/tenancy_config.yaml +++ b/tests/security/with-api-prefix/tenancy_config.yaml @@ -20,4 +20,3 @@ chapters: sign_in_options: [] response: status: 200 - diff --git a/tests/security/with-api-prefix/tenants.yaml b/tests/security/with-api-prefix/tenants.yaml index c223614cd..b734aa2e0 100644 --- a/tests/security/with-api-prefix/tenants.yaml +++ b/tests/security/with-api-prefix/tenants.yaml @@ -16,8 +16,6 @@ chapters: - op: replace path: /test/description value: A very good description - - response: status: 200 - synopsis: Create tenant. @@ -47,8 +45,6 @@ chapters: - op: replace path: /description value: An updated description - - response: status: 200 - synopsis: Delete tenant. diff --git a/tests/security/with-api-prefix/validate.yaml b/tests/security/with-api-prefix/validate.yaml index 37d4660ee..895eacea8 100644 
--- a/tests/security/with-api-prefix/validate.yaml +++ b/tests/security/with-api-prefix/validate.yaml @@ -10,4 +10,3 @@ chapters: accept_invalid: false response: status: 200 - From 092a1d6c16a19a432f95ea730eb421852ab24af5 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Wed, 31 Jul 2024 17:30:32 -0400 Subject: [PATCH 11/48] Fixes lint errors Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 64 ++++++++++++++++++++---------- spec/schemas/security._common.yaml | 33 ++++++++------- 2 files changed, 63 insertions(+), 34 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index fd8c479bb..f2bbecaf8 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml 
@@ -386,33 +386,33 @@ paths: $ref: '#/components/responses/security.flush_cache@200' /_plugins/_security/api/certificates: get: - operationId: security.get_certificates_new.0 - x-operation-group: security.get_certificates_new + operationId: security.get_all_certificates.0 + x-operation-group: security.get_all_certificates x-version-added: '2.15' description: Retrieves the cluster security certificates. parameters: - - $ref: '#/components/parameters/security.get_certificates_new::query.cert_type' - - $ref: '#/components/parameters/security.get_certificates_new::query.timeout' + - $ref: '#/components/parameters/security.get_all_certificates::query.cert_type' + - $ref: '#/components/parameters/security.get_all_certificates::query.timeout' responses: '200': - $ref: '#/components/responses/security.get_certificates_new@200' - '400': - $ref: '#/components/responses/security.get_certificates_new@500' + $ref: '#/components/responses/security.get_all_certificates@200' + '500': + $ref: '#/components/responses/security.get_all_certificates@500' /_plugins/_security/api/certificates/{node_id}: get: - operationId: security.get_certificates_new.1 - x-operation-group: security.get_certificates_new + operationId: security.get_node_certificates.0 + x-operation-group: security.get_node_certificates x-version-added: '2.15' description: Retrieves the given node's security certificates. 
parameters: - - $ref: '#/components/parameters/security.get_certificates_new::path.node_id' - - $ref: '#/components/parameters/security.get_certificates_new::query.cert_type' - - $ref: '#/components/parameters/security.get_certificates_new::query.timeout' + - $ref: '#/components/parameters/security.get_node_certificates::path.node_id' + - $ref: '#/components/parameters/security.get_node_certificates::query.cert_type' + - $ref: '#/components/parameters/security.get_node_certificates::query.timeout' responses: '200': - $ref: '#/components/responses/security.get_certificates_new@200' - '400': - $ref: '#/components/responses/security.get_certificates_new@500' + $ref: '#/components/responses/security.get_node_certificates@200' + '500': + $ref: '#/components/responses/security.get_node_certificates@500' /_plugins/_security/api/generateonbehalfoftoken: post: operationId: security.generate_obo_token.0 @@ -1480,7 +1480,13 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificates' - security.get_certificates_new@200: + security.get_all_certificates@200: + description: '' + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificatesNew' + security.get_node_certificates@200: description: '' content: application/json: @@ -1492,7 +1498,13 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' - security.get_certificates_new@500: + security.get_all_certificates@500: + description: '' + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/InternalServerError' + security.get_node_certificates@500: description: '' content: application/json: 
@@ -2023,19 +2035,31 @@ components: type: string description: Action group to retrieve. required: true - security.get_certificates_new::path.node_id: + security.get_node_certificates::path.node_id: name: node_id in: path schema: type: string required: true - security.get_certificates_new::query.cert_type: + security.get_all_certificates::query.cert_type: + name: cert_type + in: query + schema: + type: string + required: false + security.get_node_certificates::query.cert_type: name: cert_type in: query schema: type: string required: false - security.get_certificates_new::query.timeout: + security.get_all_certificates::query.timeout: + name: timeout + in: query + schema: + type: string + required: false + security.get_node_certificates::query.timeout: name: timeout in: query schema: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index fc07b9a72..6510f08e7 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -203,20 +203,25 @@ components: description: Name of the node. certificates: type: object - properties: - http: - type: array - items: - type: object - properties: - $ref: '#/components/schemas/CertificatesDetail' - transport: - type: array - items: - type: object - properties: - $ref: '#/components/schemas/CertificatesDetail' + additionalProperties: + $ref: '#/components/schemas/CertificateTypes' + CertificateTypes: + type: object + properties: + http: + type: array + items: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificatesDetail' + transport: + type: array + items: + type: object + additionalProperties: + $ref: '#/components/schemas/CertificatesDetail' + GetCertificates: type: object properties: @@ -234,7 +239,7 @@ components: properties: _nodes: type: object - properties: + additionalProperties: total: type: number description: Total number of nodes. From 757b0ede25428c71816abe6171a4c21910acb8f5 Mon Sep 17 00:00:00 2001 
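Review bot: In the `CertificatesPerNode` / `CertificateTypes` hunk (`@@ -203,20 +203,25 @@`), `additionalProperties` is used where a direct reference looks intended. `certificates` becomes a map whose every value must be a `CertificateTypes` object, and each element of `http` / `transport` becomes a map of `CertificatesDetail` objects rather than a single one. The version being replaced had `http` and `transport` directly under `certificates`, which suggests the intended shape is one object with those two arrays. I would put `$ref: '#/components/schemas/CertificateTypes'` directly under `certificates:` and `$ref: '#/components/schemas/CertificatesDetail'` directly under each `items:`. The same pattern is applied to `_nodes` in hunk `@@ -234,7 +239,7 @@` of this commit and in `@@ -240,15 +253,7 @@` of PATCH 12, where `$ref: '#/components/schemas/CertificateCountPerNode'` directly under `_nodes:` would match the `total` / `successful` / `failed` fields.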
From: Darshit Chanpura Date: Wed, 31 Jul 2024 17:39:25 -0400 Subject: [PATCH 12/48] Fixes test spec lint Signed-off-by: Darshit Chanpura --- spec/schemas/security._common.yaml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 6510f08e7..61f90a9a5 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -181,6 +181,19 @@ components: type: string description: Message returned as part of BAD_REQUEST response. + CertificateCountPerNode: + type: object + properties: + total: + type: number + description: Total number of nodes. + successful: + type: number + description: Number of nodes for which certificates could be fetched. + failed: + type: number + description: Number of nodes for which certificates could not be fetched. + CertificatesDetail: type: object properties: @@ -240,15 +253,7 @@ components: _nodes: type: object additionalProperties: - total: - type: number - description: Total number of nodes. - successful: - type: number - description: Number of nodes for which certificates could be fetched. - failed: - type: number - description: Number of nodes for which certificates could not be fetched. + $ref: '#/components/schemas/CertificateCountPerNode' cluster_name: type: string description: Name of this cluster. From 70e9f4ca3a6a05fb76c1efa529887dea4bcc0138 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 1 Aug 2024 11:42:12 -0400 Subject: [PATCH 13/48] Fixes without api prefix tests 
Signed-off-by: Darshit Chanpura --- .cspell | 1 + spec/namespaces/security.yaml | 28 +++++--- spec/schemas/security._common.yaml | 66 +++++++++++-------- tests/security/with-api-prefix/account.yaml | 4 +- .../with-api-prefix/action_groups.yaml | 2 +- tests/security/with-api-prefix/audit.yaml | 3 +- .../with-api-prefix/certificates.yaml | 3 +- .../upgrade.yaml | 4 +- .../security/without-api-prefix/authinfo.yaml | 29 ++++++++ tests/security/without-api-prefix/health.yaml | 10 ++- .../security/without-api-prefix/sslinfo.yaml | 17 ++++- .../without-api-prefix/tenantinfo.yaml | 8 ++- tests/security/without-api-prefix/whoami.yaml | 12 ++++ 13 files changed, 140 insertions(+), 47 deletions(-) rename tests/security/{without-api-prefix => with-api-prefix}/upgrade.yaml (79%) diff --git a/.cspell b/.cspell index 80670e9b4..03506d7af 100644 --- a/.cspell +++ b/.cspell @@ -163,6 +163,7 @@ subqueries subschemas subword syserr +tcnative tdigest tenantinfo termvectors diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index f2bbecaf8..73c333838 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -99,6 +99,8 @@ paths: responses: '200': $ref: '#/components/responses/security.tenant_info@200' + '403': + $ref: '#/components/responses/security.tenant_info@403' '500': $ref: '#/components/responses/security.tenant_info@500' post: @@ -109,6 +111,8 @@ paths: responses: '200': $ref: '#/components/responses/security.tenant_info@200' + '403': + $ref: '#/components/responses/security.tenant_info@403' '500': $ref: '#/components/responses/security.tenant_info@500' /_plugins/_security/whoami: @@ -143,7 +147,7 @@ paths: $ref: '#/components/responses/security.who_am_i_protected@200' '500': $ref: '#/components/responses/security.who_am_i_protected@500' - /_plugins/_security/_upgrade_check: + /_plugins/_security/api/_upgrade_check: get: operationId: security.config_upgrade_check.0 x-operation-group: security.config_upgrade_check 
@@ -154,7 +158,7 @@ paths: responses: '200': $ref: '#/components/responses/security.config_upgrade_check@200' - /_plugins/_security/_upgrade_perform: + /_plugins/_security/api/_upgrade_perform: post: operationId: security.config_upgrade_perform.0 x-operation-group: security.config_upgrade_perform @@ -1365,7 +1369,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.delete_role@200: description: '' content: @@ -1539,7 +1543,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_distinguished_names@200: description: '' content: @@ -1551,7 +1555,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_permissions_info@200: description: '' content: @@ -1713,7 +1717,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_distinguished_names@200: description: '' content: @@ -1725,7 +1729,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_role@200: description: '' content: 
@@ -1852,6 +1856,14 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/TenantInfo' + security.tenant_info@403: + description: '' + content: + text/plain: + type: string + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.tenant_info@500: description: '' content: @@ -1881,7 +1893,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized' + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.validate@200: description: '' content: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 61f90a9a5..112e3a9f5 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -134,10 +134,10 @@ components: type: string description: User's name. user_requested_tenant: - type: string + type: ['null', string] description: Name of the tenant the user wants to switch to. remote_address: - type: string + type: ['null', string] description: The IP address of remote user. backend_roles: type: array @@ -152,13 +152,13 @@ components: type: object description: Tenants the user has access to with read-write or read-only access indicator. principal: - type: string + type: ['null', string] description: User principal. peer_certificates: - type: number + type: [number, string] description: Number of peer certificates. sso_logout_url: - type: string + type: ['null', string] description: Logout url. size_of_user: type: string @@ -399,6 +399,17 @@ components: doNotFailOnForbiddenEmpty: type: boolean + Forbidden: + type: object + properties: + status: + type: string + enum: + - 403 + message: + type: string + description: Message returned as part of Forbidden response. + GenerateOBOToken: type: object properties: 
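Review bot: In the new `security.tenant_info@403` response, `text/plain:` is followed directly by `type: string`, but a media type entry carries its schema under a `schema` key, so the plain-text body ends up with no schema attached. The entry should read `text/plain:` then `schema:` then `type: string`. The tenantinfo story changed later in this patch expects `content_type: text/plain` on the 403, so this is the branch the tests actually exercise.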
@@ -416,7 +427,7 @@ components: type: object properties: message: - type: string + type: ['null', string] mode: type: string status: @@ -594,13 +605,13 @@ components: type: object properties: principal: - type: string + type: ['null', string] description: User principal. peer_certificates: - type: number + type: [number, string] description: Number of certificates. peer_certificates_list: - type: array + type: [array,'null'] description: List of domain names from peer certificates. local_certificates_list: type: array @@ -615,13 +626,13 @@ components: type: boolean description: A boolean to indicate if OpenSSL is available. ssl_openssl_version: - type: string + type: [number, string] description: Version of openssl. ssl_openssl_version_string: - type: string + type: ['null', string] description: Full version string for openssl version. ssl_openssl_non_available_cause: - type: string + type: ['null', string] description: Reason for openssl unavailability. ssl_openssl_supports_key_manager_factory: type: boolean @@ -638,6 +649,20 @@ components: ssl_provider_transport_client: type: string description: Returns transport client's name. + required: + - peer_certificates + - principal + - ssl_cipher + - ssl_openssl_available + - ssl_openssl_non_available_cause + - ssl_openssl_supports_hostname_validation + - ssl_openssl_supports_key_manager_factory + - ssl_openssl_version + - ssl_openssl_version_string + - ssl_protocol + - ssl_provider_http + - ssl_provider_transport_client + - ssl_provider_transport_server Tenant: type: object @@ -668,17 +693,6 @@ components: additionalProperties: $ref: '#/components/schemas/Tenant' - Unauthorized: - type: object - properties: - status: - type: string - enum: - - 403 - message: - type: string - description: Message returned as part of FORBIDDEN response. - UpgradeCheck: type: object properties: 
@@ -745,11 +759,11 @@ components: type: object properties: dn: - type: string + type: ['null', string] is_admin: - type: string + type: boolean is_node_certificate_request: - type: string + type: boolean TenantInfo: type: object diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index 9adb58ff0..d9b3fb709 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml @@ -14,7 +14,7 @@ prologues: opendistro_security_roles: [] backend_roles: [] attributes: {} - status: 200 + status: [200] chapters: - synopsis: Get account details. path: /_plugins/_security/api/account @@ -41,7 +41,7 @@ epilogues: payload: current_password: myWeakPassword123! password: myStrongPassword123! - status: 200 + status: [200] - path: /_plugins/_security/api/internalusers/{username} method: DELETE parameters: diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml index accef99e7..b64366462 100644 --- a/tests/security/with-api-prefix/action_groups.yaml +++ b/tests/security/with-api-prefix/action_groups.yaml @@ -15,7 +15,7 @@ prologues: type: index description: Test action group static: false - status: 200 + status: [200] chapters: - synopsis: Get action groups bulk. path: /_plugins/_security/api/actiongroups diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml index 2f378ee6b..09e420e66 100644 --- a/tests/security/with-api-prefix/audit.yaml +++ b/tests/security/with-api-prefix/audit.yaml @@ -50,4 +50,5 @@ chapters: op: add path: /config/enabled value: 'true' - status: 200 + response: + status: 200 diff --git a/tests/security/with-api-prefix/certificates.yaml b/tests/security/with-api-prefix/certificates.yaml index efb31c5ca..3b87f9fe0 100644 --- a/tests/security/with-api-prefix/certificates.yaml +++ b/tests/security/with-api-prefix/certificates.yaml 
@@ -11,8 +11,7 @@ prologues: parameters: h: id full_id: true - response: - status: 200 + status: [200] output: node_id: payload.0.id chapters: diff --git a/tests/security/without-api-prefix/upgrade.yaml b/tests/security/with-api-prefix/upgrade.yaml similarity index 79% rename from tests/security/without-api-prefix/upgrade.yaml rename to tests/security/with-api-prefix/upgrade.yaml index 903cd13b8..0d1b068d6 100644 --- a/tests/security/without-api-prefix/upgrade.yaml +++ b/tests/security/with-api-prefix/upgrade.yaml @@ -4,12 +4,12 @@ description: Test upgrade eligibility endpoints. version: '>= 2.14' chapters: - synopsis: Check whether an upgrade can be performed. - path: /_plugins/_security/_upgrade_check + path: /_plugins/_security/api/_upgrade_check method: GET response: status: 200 - synopsis: Perform the upgrade. - path: /_plugins/_security/_upgrade_perform + path: /_plugins/_security/api/_upgrade_perform method: POST request_body: payload: diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml index 3895af8c0..056f3a393 100644 --- a/tests/security/without-api-prefix/authinfo.yaml +++ b/tests/security/without-api-prefix/authinfo.yaml @@ -10,6 +10,21 @@ chapters: verbose: false response: status: 200 + payload: + user_requested_tenant: null + principal: null + peer_certificates: '0' + sso_logout_url: null + user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]' + user_name: admin + backend_roles: [admin] + custom_attribute_names: [] + roles: [own_index,all_access] + tenants: + global_tenant: true + admin_tenant: true + admin: true + - synopsis: Get auth info via POST. path: /_plugins/_security/authinfo method: POST 
@@ -18,3 +33,17 @@ chapters: verbose: false response: status: 200 + payload: + user_requested_tenant: null + principal: null + peer_certificates: '0' + sso_logout_url: null + user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]' + user_name: admin + backend_roles: [admin] + custom_attribute_names: [] + roles: [own_index,all_access] + tenants: + global_tenant: true + admin_tenant: true + admin: true diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/without-api-prefix/health.yaml index ba3e387dd..6fa73719a 100644 --- a/tests/security/without-api-prefix/health.yaml +++ b/tests/security/without-api-prefix/health.yaml @@ -9,10 +9,18 @@ chapters: mode: strict response: status: 200 + payload: + message: null + mode: strict + status: UP - synopsis: Get security health info via POST. path: /_plugins/_security/health method: POST parameters: mode: strict response: - status: 200 \ No newline at end of file + status: 200 + payload: + message: null + mode: strict + status: UP \ No newline at end of file diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/without-api-prefix/sslinfo.yaml index 67afcf717..0a35c07e6 100644 --- a/tests/security/without-api-prefix/sslinfo.yaml +++ b/tests/security/without-api-prefix/sslinfo.yaml @@ -6,6 +6,21 @@ chapters: path: /_opendistro/_security/sslinfo method: GET parameters: - show_dn: false + show_dn: 'false' response: status: 200 + payload: + principal: null + peer_certificates: '0' + ssl_protocol: TLSv1.3 + ssl_cipher: TLS_AES_256_GCM_SHA384 + ssl_openssl_available: false + ssl_openssl_version: -1 + ssl_openssl_version_string: null + ssl_openssl_non_available_cause: 'java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSLContext' + ssl_openssl_supports_key_manager_factory: false + ssl_openssl_supports_hostname_validation: false + ssl_provider_http: JDK + ssl_provider_transport_server: JDK + ssl_provider_transport_client: JDK + 
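Review bot: The expected payload added to `tests/security/without-api-prefix/sslinfo.yaml` pins values that are negotiated or decided at runtime: `ssl_protocol: TLSv1.3`, `ssl_cipher: TLS_AES_256_GCM_SHA384`, `ssl_openssl_version: -1` and the full `java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSLContext` string. A cluster that ships tcnative, or a client that negotiates another protocol or suite, would fail this chapter although the endpoint and the `SSLInfo` schema are correct. Asserting only the fields that do not depend on the TLS stack, for example `principal: null` and `peer_certificates: '0'`, and leaving the rest to schema validation (they are listed under `required` in this patch) would keep the check without tying it to one runtime.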
diff --git a/tests/security/without-api-prefix/tenantinfo.yaml b/tests/security/without-api-prefix/tenantinfo.yaml index 9498a4275..3ffca8068 100644 --- a/tests/security/without-api-prefix/tenantinfo.yaml +++ b/tests/security/without-api-prefix/tenantinfo.yaml @@ -5,11 +5,13 @@ chapters: - synopsis: Get tenant info. path: /_plugins/_security/tenantinfo method: GET - response: - status: 200 + response: + status: 403 # only allowed for super-admin or dashboards-server role mapping + content_type: text/plain - synopsis: Get tenant info via POST. path: /_plugins/_security/tenantinfo method: POST response: - status: 200 + status: 403 # only allowed for super-admin or dashboards-server role mapping + content_type: text/plain \ No newline at end of file diff --git a/tests/security/without-api-prefix/whoami.yaml b/tests/security/without-api-prefix/whoami.yaml index fabc9bb22..9e3eab4fe 100644 --- a/tests/security/without-api-prefix/whoami.yaml +++ b/tests/security/without-api-prefix/whoami.yaml @@ -7,14 +7,26 @@ chapters: method: GET response: status: 200 + payload: + dn: null + is_admin: false + is_node_certificate_request: false - synopsis: Get current user info via POST. path: /_plugins/_security/whoami method: POST response: status: 200 + payload: + dn: null + is_admin: false + is_node_certificate_request: false - synopsis: Get current user info from protected endpoint. version: '>= 2.11' path: /_plugins/_security/whoamiprotected method: GET response: status: 200 + payload: + dn: null + is_admin: false + is_node_certificate_request: false From c86e8fac204ff53c81e238f99845d7898e48a7f0 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Wed, 7 Aug 2024 15:03:31 -0400 Subject: [PATCH 14/48] Fixes accounts tests 
Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 10 +- spec/schemas/security._common.yaml | 4 +- tests/security/with-api-prefix/account.yaml | 92 +++++++++++-------- .../security/without-api-prefix/authinfo.yaml | 1 - .../security/without-api-prefix/sslinfo.yaml | 2 +- 5 files changed, 67 insertions(+), 42 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 42d20f1af..29d0fefe1 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -194,6 +194,8 @@ paths: responses: '200': $ref: '#/components/responses/security.change_password@200' + '403': + $ref: '#/components/responses/security.change_password@403' /_plugins/_security/api/actiongroups: get: operationId: security.get_action_groups.0 @@ -1275,6 +1277,12 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.change_password@403: + description: '' + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.config_upgrade_check@200: content: application/json: @@ -2005,7 +2013,7 @@ components: in: query description: The domain names from all certificates. schema: - type: string + type: [ boolean, string ] description: A boolean flag to indicate whether all domain names should be returned. required: false security.get_tenant::path.tenant: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 2d29630ae..1fda9ee9f 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -18,7 +18,7 @@ components: is_internal_user: type: boolean user_requested_tenant: - type: string + type: ['null', string] backend_roles: type: array items: @@ -416,9 +416,11 @@ components: type: string enum: - 403 + - FORBIDDEN message: type: string description: Message returned as part of Forbidden response. + unevaluatedProperties: false GenerateOBOToken: type: object 
diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index d9b3fb709..fb08742ce 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml 
@@ -1,49 +1,65 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test account endpoint. -version: '>= 2.12' # Should be removed once TODO referenced above is addressed -prologues: - - path: /_plugins/_security/api/internalusers/{username} - method: PUT - parameters: - username: test - request_body: - payload: - password: myWeakPassword123! - opendistro_security_roles: [] - backend_roles: [] - attributes: {} - status: [200] +# prologues: +# - path: /_plugins/_security/api/internalusers/{username} +# method: PUT +# parameters: +# username: test +# request_body: +# payload: +# password: myWeakPassword123! +# opendistro_security_roles: [] +# backend_roles: [] +# attributes: {} +# status: [200] chapters: - synopsis: Get account details. path: /_plugins/_security/api/account method: GET - parameters: - format: json response: status: 200 - # TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented - # NOTE: this test assumes that admin password is set to `myStrongPassword123!`, please update this test to correct password. One more reason to have the above feature implemented to avoid this. - - synopsis: Change password. - path: /_plugins/_security/api/account - method: PUT - request_body: payload: - current_password: myStrongPassword123! - password: myWeakPassword123! - response: - status: 200 -epilogues: - - path: /_plugins/_security/api/account - method: PUT - request_body: - payload: - current_password: myWeakPassword123! - password: myStrongPassword123! 
- status: [200] - - path: /_plugins/_security/api/internalusers/{username} - method: DELETE - parameters: - username: test - status: [200, 404] + user_name: admin + is_reserved: true + is_hidden: false + is_internal_user: true + user_requested_tenant: null + backend_roles: + - admin + custom_attribute_names: [] + tenants: + global_tenant: true + admin_tenant: true + admin: true + roles: + - own_index + - all_access + # TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented + # NOTE: this test should be updated to change test user's password created in epilogue. Until then this will be 403 since admin is a reserved user. + # - synopsis: Change password. + # path: /_plugins/_security/api/account + # method: PUT + # request_body: + # payload: + # current_password: myStrongPassword123! + # password: myWeakPassword123! + # response: + # status: 403 + # payload: + # status: FORBIDDEN + # message: "Resource 'admin' is reserved." +# epilogues: +# - path: /_plugins/_security/api/account +# method: PUT +# request_body: +# payload: +# current_password: myWeakPassword123! +# password: myStrongPassword123! +# status: [200] +# - path: /_plugins/_security/api/internalusers/{username} +# method: DELETE +# parameters: +# username: test +# status: [200, 404] diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml index 056f3a393..2116222e4 100644 --- a/tests/security/without-api-prefix/authinfo.yaml +++ b/tests/security/without-api-prefix/authinfo.yaml @@ -24,7 +24,6 @@ chapters: global_tenant: true admin_tenant: true admin: true - - synopsis: Get auth info via POST. path: /_plugins/_security/authinfo method: POST diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/without-api-prefix/sslinfo.yaml index 0a35c07e6..10303c84e 100644 --- a/tests/security/without-api-prefix/sslinfo.yaml 
+++ b/tests/security/without-api-prefix/sslinfo.yaml @@ -6,7 +6,7 @@ chapters: path: /_opendistro/_security/sslinfo method: GET parameters: - show_dn: 'false' + show_dn: false response: status: 200 payload: From 7b34505d8523c203db2845c66575c21022976bb5 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Wed, 7 Aug 2024 15:43:49 -0400 Subject: [PATCH 15/48] Fixes action-groups tests Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 7 +++ spec/schemas/security._common.yaml | 13 ++++-- .../with-api-prefix/action_groups.yaml | 46 +++++-------------- 3 files changed, 28 insertions(+), 38 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 29d0fefe1..3c71b71a3 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -246,6 +246,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_action_group@200' + '201': + $ref: '#/components/responses/security.create_action_group@201' patch: operationId: security.patch_action_group.0 x-operation-group: security.patch_action_group @@ -1298,6 +1300,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_action_group@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.create_allowlist@200: content: application/json: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 1fda9ee9f..3947d8b25 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml 
@@ -518,12 +518,19 @@ components: type: object properties: status: - type: string - enum: - - 200 + type: [number, string] message: type: string description: Message returned as part of OK response. + + Created: + type: object + properties: + status: + type: [number, string] + message: + type: string + description: Message returned as part of CREATED response. PatchOperation: type: object diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml index b64366462..5ce272966 100644 --- a/tests/security/with-api-prefix/action_groups.yaml +++ b/tests/security/with-api-prefix/action_groups.yaml @@ -2,21 +2,19 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test action_groups endpoints. -prologues: - - path: /_plugins/_security/api/actiongroups/{action_group} +chapters: + - synopsis: Create action group. + path: /_plugins/_security/api/actiongroups/{action_group} method: PUT parameters: action_group: test - request_body: + request: payload: - reserved: false - hidden: false allowed_actions: [] type: index description: Test action group - static: false - status: [200] -chapters: + response: + status: 201 - synopsis: Get action groups bulk. path: /_plugins/_security/api/actiongroups method: GET @@ -25,7 +23,7 @@ chapters: - synopsis: Patch action groups bulk. path: /_plugins/_security/api/actiongroups method: PATCH - request_body: + request: payload: - op: add path: /test 
@@ -40,44 +38,22 @@ chapters: action_group: test response: status: 200 - - synopsis: Create action group. - path: /_plugins/_security/api/actiongroups/{action_group} - method: PUT - parameters: - action_group: test2 - request_body: - payload: - reserved: false - hidden: false - allowed_actions: [] - type: index - description: Test action group - static: false - response: - status: 200 - synopsis: Patch action group. path: /_plugins/_security/api/actiongroups/{action_group} method: PATCH parameters: - action_group: test2 - request_body: + action_group: test + request: payload: - op: replace path: /allowed_actions - value: - allowed_actions: ['indices:admin/create', 'indices:admin/mapping/put'] + value: ['indices:admin/create', 'indices:admin/mapping/get'] response: status: 200 - synopsis: Delete action group. path: /_plugins/_security/api/actiongroups/{action_group} method: DELETE parameters: - action_group: test2 + action_group: test response: status: 200 -epilogues: - - path: /_plugins/_security/api/actiongroups/{action_group} - method: DELETE - parameters: - action_group: test - status: [200, 404] From 0eac313aae51188a65e90abb425b30adcc35e58a Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 14:25:14 -0400 Subject: [PATCH 16/48] Fixes account, allowlist and audit tests Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 57 ++++++++++++++++++++---------- spec/schemas/security._common.yaml | 23 ++++++++---- 2 files changed, 55 insertions(+), 25 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 3c71b71a3..cf4d619b7 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -285,6 +285,8 @@ paths: responses: '200': $ref: '#/components/responses/security.get_allowlist@200' + '403': + $ref: '#/components/responses/security.get_allowlist@403' put: operationId: security.create_allowlist.0 x-operation-group: security.create_allowlist 
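Review bot: Removing the `epilogues` block from `tests/security/with-api-prefix/action_groups.yaml` leaves the "Delete action group." chapter as the only cleanup for the `test` group. If any chapter between create and delete fails, the group stays on the cluster, and the next run's create chapter, which now asserts `status: 201`, would presumably get the update status instead (the namespace spec in this patch keeps both `'200'` and `'201'` for that operation). Keeping a tolerant epilogue, as the file had before this change, makes the story re-runnable after a partial failure.

```yaml
# … unchanged: chapters (create, get, patch, delete) …
epilogues:
  - path: /_plugins/_security/api/actiongroups/{action_group}
    method: DELETE
    parameters:
      action_group: test
    status: [200, 404]
```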
@@ -297,6 +299,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_allowlist@200' + '403': + $ref: '#/components/responses/security.create_allowlist@403' patch: operationId: security.patch_allowlist.0 x-operation-group: security.patch_allowlist @@ -309,6 +313,8 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_allowlist@200' + '403': + $ref: '#/components/responses/security.patch_allowlist@403' /_plugins/_security/api/audit: get: operationId: security.get_audit_configuration.0 @@ -1272,8 +1278,8 @@ components: security.cache@501: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/MethodNotImplemented' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/MethodNotImplemented' security.change_password@200: content: application/json: @@ -1283,8 +1289,8 @@ components: description: '' content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.config_upgrade_check@200: content: application/json: @@ -1310,6 +1316,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/AllowListConfig' + security.create_allowlist@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.create_role@200: content: application/json: @@ -1363,8 +1374,8 @@ components: security.delete_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.delete_role@200: content: application/json: 
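Review bot: In the `security.cache@501` hunk, `schema: null` replaces the `$ref` and the reference is left behind as a comment, so the body for that status is no longer described or validated. The same substitution is applied to the `@403` responses in this patch (`change_password`, `create_allowlist`, `get_allowlist`, `patch_allowlist`, the distinguished-name operations, `tenant_info`) and to the two certificate `@403` responses in patch 17. For access-denied responses this means a change in what the plugin returns on a denial would pass the spec tests unnoticed, and tooling that expects a Schema Object under `schema` may reject the `null`. If the real bodies do not match `Forbidden` as written, adjusting that schema and keeping `$ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'` would retain the check.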
@@ -1450,6 +1461,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/AllowListConfig' + security.get_allowlist@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_audit_configuration@200: content: application/json: @@ -1513,8 +1529,8 @@ components: security.get_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_distinguished_names@200: content: application/json: @@ -1523,8 +1539,8 @@ components: security.get_distinguished_names@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_permissions_info@200: content: application/json: @@ -1640,6 +1656,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/AllowListConfig' + security.patch_allowlist@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_audit_configuration@200: content: application/json: @@ -1658,8 +1679,8 @@ components: security.patch_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_distinguished_names@200: content: application/json: 
@@ -1668,8 +1689,8 @@ components: security.patch_distinguished_names@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_role@200: content: application/json: @@ -1781,8 +1802,8 @@ components: text/plain: type: string application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.tenant_info@500: content: application/json: @@ -1806,8 +1827,8 @@ components: security.update_distinguished_name@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.validate@200: content: application/json: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 3947d8b25..3dd0823ad 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -60,8 +60,13 @@ components: AllowListConfig: type: object properties: - config: - $ref: '#/components/schemas/AllowConfig' + # config: + # $ref: '#/components/schemas/AllowConfig' + enabled: + type: boolean + requests: + type: object + description: An object with APIs as key and array of http methods as values. AllowConfig: type: object @@ -103,6 +108,14 @@ components: type: array items: type: string + ignore_headers: + type: array + items: + type: string + ignore_url_params: + type: array + items: + type: string disabled_rest_categories: type: array items: 
@@ -413,14 +426,10 @@ components: type: object properties: status: - type: string - enum: - - 403 - - FORBIDDEN + type: [ number, string] message: type: string description: Message returned as part of Forbidden response. - unevaluatedProperties: false GenerateOBOToken: type: object From f16a75a1469871ddf44345d6eede91d977f1eadd Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 14:39:14 -0400 Subject: [PATCH 17/48] Fixes certificates tests Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 14 +++++++++++ tests/security/with-api-prefix/account.yaml | 25 ++++++++----------- tests/security/with-api-prefix/allowlist.yaml | 23 +++++++++-------- tests/security/with-api-prefix/audit.yaml | 10 ++++---- .../with-api-prefix/certificates.yaml | 19 ++++++++------ 5 files changed, 53 insertions(+), 38 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index cf4d619b7..7f04e30c9 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -410,6 +410,8 @@ paths: responses: '200': $ref: '#/components/responses/security.get_all_certificates@200' + '403': + $ref: '#/components/responses/security.get_all_certificates@403' '500': $ref: '#/components/responses/security.get_all_certificates@500' /_plugins/_security/api/certificates/{node_id}: @@ -425,6 +427,8 @@ paths: responses: '200': $ref: '#/components/responses/security.get_node_certificates@200' + '403': + $ref: '#/components/responses/security.get_node_certificates@403' '500': $ref: '#/components/responses/security.get_node_certificates@500' /_plugins/_security/api/generateonbehalfoftoken: 
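Review bot: The `Forbidden` hunk drops both the `enum` and `unevaluatedProperties: false`, so the schema now accepts any object whose `status` is a number or a string, including bodies that are not a denial at all. Widening the type is enough to admit both forms the series has used for this field; the value constraint can stay as `enum: [403, FORBIDDEN]` under `type: [number, string]`. Whether the plugin ever returns the numeric form is not visible from this page, so the list should be confirmed against real responses.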
@@ -1482,12 +1486,22 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificatesNew' + security.get_all_certificates@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_node_certificates@200: description: '' content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificatesNew' + security.get_node_certificates@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_certificates@400: content: application/json: diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index fb08742ce..babece686 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml @@ -7,7 +7,7 @@ description: Test account endpoint. # method: PUT # parameters: # username: test -# request_body: +# request: # payload: # password: myWeakPassword123! # opendistro_security_roles: [] 
@@ -38,22 +38,19 @@ chapters: - all_access # TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented # NOTE: this test should be updated to change test user's password created in epilogue. Until then this will be 403 since admin is a reserved user. - # - synopsis: Change password. - # path: /_plugins/_security/api/account - # method: PUT - # request_body: - # payload: - # current_password: myStrongPassword123! - # password: myWeakPassword123! - # response: - # status: 403 - # payload: - # status: FORBIDDEN - # message: "Resource 'admin' is reserved." + - synopsis: Change password. + path: /_plugins/_security/api/account + method: PUT + request: + payload: + current_password: myStrongPassword123! + password: myWeakPassword123! + response: + status: 403 # epilogues: # - path: /_plugins/_security/api/account # method: PUT -# request_body: +# request: # payload: # current_password: myWeakPassword123! # password: myStrongPassword123! diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml index b2ed6fa13..097593bf8 100644 --- a/tests/security/with-api-prefix/allowlist.yaml +++ b/tests/security/with-api-prefix/allowlist.yaml 
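Review bot: The re-enabled "Change password." chapter in `tests/security/with-api-prefix/account.yaml` asserts only `status: 403`, while the commented-out version it replaces also checked the body. Because `security.change_password@403` has `schema: null` since patch 16, nothing now distinguishes the intended denial (admin is a reserved user, per the NOTE above the chapter) from a 403 raised for any other reason. Restoring the assertion under `response:` as `payload:` with `status: FORBIDDEN` and `message: "Resource 'admin' is reserved."` would pin the reason the request is refused.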
@@ -2,28 +2,29 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test allowlist endpoints. +# ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: - synopsis: Create an allowlist. path: /_plugins/_security/api/allowlist method: PUT - request_body: + request: payload: - config: - enabled: true, - requests: - /_cat/nodes: [GET] + enabled: true + requests: + /_cat/nodes: ["GET"] response: - status: 200 + status: 403 - synopsis: Get an allowlist. path: /_plugins/_security/api/allowlist method: GET response: - status: 200 + status: 403 - synopsis: Patch an allowlist. path: /_plugins/_security/api/allowlist method: PATCH - request_body: - op: remove - path: /config/requests + request: + payload: + - op: remove + path: /config/requests response: - status: 200 + status: 403 \ No newline at end of file diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml index 09e420e66..9a53fe76f 100644 --- a/tests/security/with-api-prefix/audit.yaml +++ b/tests/security/with-api-prefix/audit.yaml @@ -6,7 +6,7 @@ chapters: - synopsis: Create an audit config. path: /_plugins/_security/api/audit/config method: PUT - request_body: + request: payload: enabled: true audit: @@ -45,10 +45,10 @@ chapters: - synopsis: Patch an audit config. path: /_plugins/_security/api/audit method: PATCH - request_body: + request: payload: - op: add - path: /config/enabled - value: 'true' + - op: add + path: /config/enabled + value: 'true' response: status: 200 diff --git a/tests/security/with-api-prefix/certificates.yaml b/tests/security/with-api-prefix/certificates.yaml index 3b87f9fe0..e68760d6c 100644 --- a/tests/security/with-api-prefix/certificates.yaml +++ b/tests/security/with-api-prefix/certificates.yaml 
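Review bot: All three allowlist chapters now pin `status: 403`, so the rewritten request bodies (the flattened `enabled`/`requests` payload and the PATCH list) are never accepted by the server and their shape stays unverified. The header comment says admin privileges are required but does not say that the rejection is the behaviour under test. A comment such as `# Run as a non-admin-cert user: every chapter below must be rejected with 403.` would make that intent explicit. The same applies to the certificates, securityconfig, ssl_certs and nodesdn stories changed later in this series, which assert only the rejection status.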
@@ -3,25 +3,28 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test certificates endpoints. version: '>= 2.15' -prologues: +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: - synopsis: Get node. id: get_node path: /_cat/nodes - method: POST + method: GET parameters: - h: id + h: + - id full_id: true - status: [200] + response: + status: 200 + content_type: text/plain output: - node_id: payload.0.id -chapters: + node_id: payload - synopsis: Get all certificates. path: /_plugins/_security/api/certificates method: GET parameters: cert_type: all response: - status: 200 + status: 403 - synopsis: Get node certificates. path: /_plugins/_security/api/certificates/{node_id} method: GET @@ -29,4 +32,4 @@ chapters: node_id: ${get_node.node_id} cert_type: all response: - status: 200 + status: 403 From 41c2edfaa159b7c20aef363cf0f3896fd366e2d6 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 14:53:15 -0400 Subject: [PATCH 18/48] Fixes internal users test Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 30 +++++++++---------- spec/schemas/security._common.yaml | 4 ++- tests/security/with-api-prefix/account.yaml | 2 +- tests/security/with-api-prefix/allowlist.yaml | 2 +- .../with-api-prefix/internal_users.yaml | 12 ++++---- .../security/without-api-prefix/authinfo.yaml | 4 +-- 6 files changed, 28 insertions(+), 26 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 7f04e30c9..d383ed5d3 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -1283,7 +1283,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/MethodNotImplemented' + # $ref: '../schemas/security._common.yaml#/components/schemas/MethodNotImplemented' security.change_password@200: content: application/json: 
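Review bot: In the "Get node" chapter, `node_id: payload` captures the whole `text/plain` body of `/_cat/nodes`. That body presumably ends with a newline and holds one id per node, and it is substituted unchanged into `/_plugins/_security/api/certificates/{node_id}`. Because the following chapter expects 403, a malformed or multi-line id is rejected the same way as a valid one and the problem stays hidden. Either extract a single trimmed id or add a comment such as `# node_id is the raw _cat body; only valid while this chapter expects 403`.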
@@ -1294,7 +1294,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.config_upgrade_check@200: content: application/json: @@ -1324,7 +1324,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.create_role@200: content: application/json: @@ -1379,7 +1379,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.delete_role@200: content: application/json: @@ -1469,7 +1469,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_audit_configuration@200: content: application/json: @@ -1490,7 +1490,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_node_certificates@200: description: '' content: @@ -1501,7 +1501,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_certificates@400: content: application/json: @@ -1544,7 +1544,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_distinguished_names@200: content: application/json: 
@@ -1554,7 +1554,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_permissions_info@200: content: application/json: @@ -1674,7 +1674,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_audit_configuration@200: content: application/json: @@ -1694,7 +1694,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_distinguished_names@200: content: application/json: @@ -1704,7 +1704,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_role@200: content: application/json: @@ -1817,7 +1817,7 @@ components: type: string application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.tenant_info@500: content: application/json: @@ -1842,7 +1842,7 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.validate@200: content: application/json: @@ -2055,7 +2055,7 @@ components: in: query description: The domain names from all certificates. schema: - type: [ boolean, string ] + type: [boolean, string] description: A boolean flag to indicate whether all domain names should be returned. required: false security.get_tenant::path.tenant: 
diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 3dd0823ad..72e5eb9e7 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -426,7 +426,7 @@ components: type: object properties: status: - type: [ number, string] + type: [number, string] message: type: string description: Message returned as part of Forbidden response. @@ -746,6 +746,8 @@ components: User: type: object properties: + password: + type: string hash: type: string reserved: diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index babece686..0becc58a0 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml @@ -34,8 +34,8 @@ chapters: admin_tenant: true admin: true roles: - - own_index - all_access + - own_index # TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented # NOTE: this test should be updated to change test user's password created in epilogue. Until then this will be 403 since admin is a reserved user. - synopsis: Change password. diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml index 097593bf8..f10f96c80 100644 --- a/tests/security/with-api-prefix/allowlist.yaml +++ b/tests/security/with-api-prefix/allowlist.yaml @@ -11,7 +11,7 @@ chapters: payload: enabled: true requests: - /_cat/nodes: ["GET"] + /_cat/nodes: [GET] response: status: 403 - synopsis: Get an allowlist. diff --git a/tests/security/with-api-prefix/internal_users.yaml b/tests/security/with-api-prefix/internal_users.yaml index def22b59e..7a574d12d 100644 --- a/tests/security/with-api-prefix/internal_users.yaml +++ b/tests/security/with-api-prefix/internal_users.yaml 
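Review bot: `password` is added to the shared `User` schema as a plain `type: string`, next to `hash`, with no marker that it is request-only. If `User` is also referenced by GET responses (not visible in this hunk), the spec now documents a clear-text password as a possible response field, and generated clients will model it that way. Declaring it with `format: password` and `writeOnly: true` keeps it valid for create and update requests while excluding it from responses. A `description:` stating that it is accepted on write and never returned would also help.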
@@ -11,7 +11,7 @@ chapters: - synopsis: Patch internal users bulk. path: /_plugins/_security/api/internalusers method: PATCH - request_body: + request: payload: - op: add path: /test @@ -24,7 +24,7 @@ chapters: method: PUT parameters: username: test - request_body: + request: payload: password: myWeakPassword123! opendistro_security_roles: [] @@ -44,11 +44,11 @@ chapters: method: PATCH parameters: username: test - request_body: + request: payload: - op: replace - path: /opendistro_security_roles - value: [ship_manager] + - op: add + path: /opendistro_security_roles + value: [all_access] response: status: 200 - synopsis: Delete internal user. diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml index 2116222e4..a28a4090e 100644 --- a/tests/security/without-api-prefix/authinfo.yaml +++ b/tests/security/without-api-prefix/authinfo.yaml @@ -19,7 +19,7 @@ chapters: user_name: admin backend_roles: [admin] custom_attribute_names: [] - roles: [own_index,all_access] + roles: [all_access,own_index] tenants: global_tenant: true admin_tenant: true @@ -41,7 +41,7 @@ chapters: user_name: admin backend_roles: [admin] custom_attribute_names: [] - roles: [own_index,all_access] + roles: [all_access,own_index] tenants: global_tenant: true admin_tenant: true From 7622f108fd4e82953b3dae8900d6837db46ada64 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 15:57:12 -0400 Subject: [PATCH 19/48] Fixes nodesdn test Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 49 +++++++++++++++++++-- tests/security/with-api-prefix/migrate.yaml | 3 +- tests/security/with-api-prefix/nodesdn.yaml | 21 +++++---- 3 files changed, 60 insertions(+), 13 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index d383ed5d3..54d74fd02 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml 
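Review bot: The "Patch internal user" chapter now grants `all_access` to the `test` user, whose password is the literal set a few chapters earlier in this file. The user is removed by a later chapter rather than an epilogue, so a run that stops in between presumably leaves a fully privileged account with a known password on the cluster. The patch only needs a role that exists, so a narrower one such as `value: [own_index]` (the role listed in authinfo.yaml) exercises the same operation. Moving the delete into `epilogues:` would make cleanup independent of chapter results.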
@@ -559,6 +559,8 @@ paths: responses: '200': $ref: '#/components/responses/security.get_distinguished_names@200' + '400': + $ref: '#/components/responses/security.get_distinguished_names@400' '403': $ref: '#/components/responses/security.get_distinguished_names@403' patch: @@ -573,6 +575,8 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_distinguished_names@200' + '400': + $ref: '#/components/responses/security.patch_distinguished_names@400' '403': $ref: '#/components/responses/security.patch_distinguished_names@403' /_plugins/_security/api/nodesdn/{cluster_name}: @@ -589,6 +593,8 @@ paths: responses: '200': $ref: '#/components/responses/security.get_distinguished_name@200' + '400': + $ref: '#/components/responses/security.get_distinguished_name@400' '403': $ref: '#/components/responses/security.get_distinguished_name@403' put: @@ -605,6 +611,8 @@ paths: responses: '200': $ref: '#/components/responses/security.update_distinguished_name@200' + '400': + $ref: '#/components/responses/security.update_distinguished_name@400' '403': $ref: '#/components/responses/security.update_distinguished_name@403' patch: @@ -619,6 +627,8 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_distinguished_name@200' + '400': + $ref: '#/components/responses/security.patch_distinguished_name@400' '403': $ref: '#/components/responses/security.patch_distinguished_name@403' delete: @@ -633,6 +643,8 @@ paths: responses: '200': $ref: '#/components/responses/security.delete_distinguished_name@200' + '400': + $ref: '#/components/responses/security.get_distinguished_name@400' '403': $ref: '#/components/responses/security.delete_distinguished_name@403' /_plugins/_security/api/permissionsinfo: 
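Review bot: In the `delete` operation of `/_plugins/_security/api/nodesdn/{cluster_name}`, the new `'400'` entry points at `security.get_distinguished_name@400`. Every other operation in this file references its own response. The same commit defines `security.delete_distinguished_name@400`, which then has no user. The entry should read `$ref: '#/components/responses/security.delete_distinguished_name@400'`.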
@@ -1262,7 +1274,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/PatchOperation' + $ref: '../schemas/security._common.yaml#/components/schemas/DistinguishedNames' responses: security.authinfo@200: content: @@ -1375,6 +1387,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.delete_distinguished_name@400: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.delete_distinguished_name@403: content: application/json: @@ -1540,6 +1557,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/DistinguishedNames' + security.get_distinguished_name@400: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_distinguished_name@403: content: application/json: @@ -1550,6 +1572,12 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/DistinguishedNamesMap' + security.get_distinguished_names@400: + description: Show nodesDn setting for given cluster. + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_distinguished_names@403: content: application/json: @@ -1653,8 +1681,8 @@ components: security.migrate@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_action_group@200: content: application/json: 
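Review bot: `security.get_distinguished_names@400` carries `description: Show nodesDn setting for given cluster.`, which describes a successful read and looks copied from a 200 response. For an error response it should state the failure, for example `description: Returned when dynamic nodes_dn configuration is not enabled.`, if that is the condition the nodesdn story relies on. The sibling 400 responses added in this commit have no description at all, so it is also the only one that differs.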
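Review bot: `security.migrate@400` previously referenced the `BadRequest` schema, and this hunk replaces it with `schema: null`. The same commit changes migrate.yaml to expect exactly this 400, so the one response the story exercises is now the one with no body validation. If the plugin's body does not match `BadRequest`, fixing that schema is the better change. Otherwise add a comment above `schema: null` naming the mismatch so the reference can be restored later.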
@@ -1690,6 +1718,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.patch_distinguished_name@400: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_distinguished_name@403: content: application/json: @@ -1700,6 +1733,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.patch_distinguished_names@400: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_distinguished_names@403: content: application/json: @@ -1838,6 +1876,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.update_distinguished_name@400: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.update_distinguished_name@403: content: application/json: diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/with-api-prefix/migrate.yaml index 67a4e3a6d..add24c5eb 100644 --- a/tests/security/with-api-prefix/migrate.yaml +++ b/tests/security/with-api-prefix/migrate.yaml @@ -2,9 +2,10 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test migrate endpoint. +# BAD_REQUEST. Can not migrate configuration because it was already migrated. chapters: - synopsis: Migrate v6 to v7 config. path: /_plugins/_security/api/migrate method: POST response: - status: 200 + status: 400 diff --git a/tests/security/with-api-prefix/nodesdn.yaml b/tests/security/with-api-prefix/nodesdn.yaml index 1d8f668e1..79baafa88 100644 --- a/tests/security/with-api-prefix/nodesdn.yaml +++ b/tests/security/with-api-prefix/nodesdn.yaml 
@@ -1,5 +1,8 @@ $schema: ../../../json_schemas/test_story.schema.yaml + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +# The setting `plugins. security. nodes_dn_dynamic_config_enabled` must be enabled. description: Test nodesdn endpoints. chapters: @@ -9,51 +12,51 @@ chapters: parameters: show_all: true response: - status: 200 + status: 400 - synopsis: Patch distinguished names. path: /_plugins/_security/api/nodesdn method: PATCH - request_body: + request: payload: - op: replace path: /cluster1/nodes_dn/0 value: [''] response: - status: 200 + status: 400 - synopsis: Create distinguished name. path: /_plugins/_security/api/nodesdn/{cluster_name} method: PUT parameters: cluster_name: test - request_body: + request: payload: nodes_dn: - CN=cluster3.example.com response: - status: 200 + status: 400 - synopsis: Get distinguished name. path: /_plugins/_security/api/nodesdn/{cluster_name} method: GET parameters: cluster_name: test response: - status: 200 + status: 400 - synopsis: Patch distinguished name. path: /_plugins/_security/api/nodesdn/{cluster_name} method: PATCH parameters: cluster_name: test - request_body: + request: payload: op: replace path: /test/nodes_dn/0 value: [CN=cluster2.example.com] response: - status: 200 + status: 400 - synopsis: Delete distinguished name. path: /_plugins/_security/api/nodesdn/{cluster_name} method: DELETE parameters: cluster_name: test response: - status: 200 + status: 400 From d73694e1e8db17ac68e2659c3647fb057fef3644 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 16:30:09 -0400 Subject: [PATCH 20/48] Fixes roles test Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 7 ++++ tests/security/with-api-prefix/roles.yaml | 46 ++++++++++++----------- 2 files changed, 31 insertions(+), 22 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 54d74fd02..d1ed8a971 100644 --- a/spec/namespaces/security.yaml 
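Review bot: As rendered here, the "Patch distinguished name" chapter sends `payload:` as a single mapping (`op: replace`, `path: /test/nodes_dn/0`), while the bulk PATCH chapter above it sends a list of operations. Every chapter expects 400 because the feature is disabled, so a malformed patch body and a disabled feature cannot be told apart, and the mismatch only surfaces once the setting is turned on. The single-cluster payload should be a list item, `- op: replace`. The header comment also writes the setting name with spaces after the dots; it should read `plugins.security.nodes_dn_dynamic_config_enabled`.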
+++ b/spec/namespaces/security.yaml @@ -710,6 +710,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_role@200' + '201': + $ref: '#/components/responses/security.create_role@201' patch: operationId: security.patch_role.0 x-operation-group: security.patch_role @@ -1342,6 +1344,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_role@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.create_role_mapping@200: content: application/json: diff --git a/tests/security/with-api-prefix/roles.yaml b/tests/security/with-api-prefix/roles.yaml index 201d0c487..52e8326ae 100644 --- a/tests/security/with-api-prefix/roles.yaml +++ b/tests/security/with-api-prefix/roles.yaml @@ -3,29 +3,12 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test roles endpoints. chapters: - - synopsis: Get roles bulk. - path: /_plugins/_security/api/roles - method: GET - response: - status: 200 - - synopsis: Patch roles bulk. - path: /_plugins/_security/api/roles - method: PATCH - request_body: - payload: - - op: replace - path: /test/index_permissions/0/fls - value: ['random*', ~random1] - - op: remove - path: /test/index_permissions/0/dls - response: - status: 200 - synopsis: Create role. path: /_plugins/_security/api/roles/{role} method: PUT parameters: role: test - request_body: + request: payload: cluster_permissions: - cluster_composite_ops @@ -43,6 +26,23 @@ chapters: - human_resources allowed_actions: - kibana_all_read + response: + status: 201 + - synopsis: Get roles bulk. + path: /_plugins/_security/api/roles + method: GET + response: + status: 200 + - synopsis: Patch roles bulk. + path: /_plugins/_security/api/roles + method: PATCH + request: + payload: + - op: add + path: /test/index_permissions/0/fls + value: + - 'random*' + - ~random1 response: status: 200 - synopsis: Get role. 
@@ -57,11 +57,13 @@ chapters: method: PATCH parameters: role: test - request_body: + request: payload: - op: replace - path: /index_permissions/0/fls - value: [random1, random2] + - op: add + path: /index_permissions/0/fls + value: + - 'random*' + - ~random1 response: status: 200 - synopsis: Delete role. From 85612c09013f60b787e5e466ab2973e94f431321 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 16:34:26 -0400 Subject: [PATCH 21/48] Fixes rolesmapping test Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 7 ++++++ .../with-api-prefix/rolesmapping.yaml | 24 +++++++++++++++---- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index d1ed8a971..6212608d8 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -792,6 +792,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_role_mapping@200' + '201': + $ref: '#/components/responses/security.create_role_mapping@201' patch: operationId: security.patch_role_mapping.0 x-operation-group: security.patch_role_mapping @@ -1354,6 +1356,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_role_mapping@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.create_tenant@200: content: application/json: diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/with-api-prefix/rolesmapping.yaml index e518957ec..813b43257 100644 --- a/tests/security/with-api-prefix/rolesmapping.yaml +++ b/tests/security/with-api-prefix/rolesmapping.yaml 
@@ -2,6 +2,16 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test rolesmapping endpoint. +prologues: + - path: /_plugins/_security/api/roles/{role} + method: PUT + parameters: + role: test + request: + payload: + cluster_permissions: + - cluster_composite_ops + status: [201] chapters: - synopsis: Get rolesmapping bulk. path: /_plugins/_security/api/rolesmapping @@ -11,7 +21,7 @@ chapters: - synopsis: Patch rolesmapping bulk. path: /_plugins/_security/api/rolesmapping method: PATCH - request_body: + request: payload: - op: add path: /all_access @@ -25,14 +35,14 @@ chapters: method: PUT parameters: role: test - request_body: + request: payload: backend_roles: [captains] hosts: - '*.example.com' users: [test] response: - status: 200 + status: 201 - synopsis: Get rolesmapping. path: /_plugins/_security/api/rolesmapping/{role} method: GET @@ -45,7 +55,7 @@ chapters: method: PATCH parameters: role: test - request_body: + request: payload: - op: replace path: /backend_roles @@ -59,3 +69,9 @@ chapters: role: test response: status: 200 +epilogues: + - path: /_plugins/_security/api/roles/{role} + method: DELETE + parameters: + role: test + status: [200] \ No newline at end of file From 65374222fd300c39017f0d7a74abe5d30fc8104a Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 16:46:16 -0400 Subject: [PATCH 22/48] Fixes securityconfig test Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 16 +++++++- spec/schemas/security._common.yaml | 41 +++++++++++++------ .../with-api-prefix/securityconfig.yaml | 16 ++++---- 3 files changed, 52 insertions(+), 21 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 6212608d8..5ee8d9eb0 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml 
@@ -845,6 +845,8 @@ paths: responses: '200': $ref: '#/components/responses/security.patch_configuration@200' + '403': + $ref: '#/components/responses/security.patch_configuration@403' /_plugins/_security/api/securityconfig/config: put: operationId: security.update_configuration.0 @@ -858,6 +860,8 @@ paths: responses: '200': $ref: '#/components/responses/security.update_configuration@200' + '403': + $ref: '#/components/responses/security.update_configuration@403' /_plugins/_security/api/ssl/certs: get: operationId: security.get_certificates.0 @@ -1554,7 +1558,7 @@ components: content: application/json: schema: - $ref: '../schemas/security._common.yaml#/components/schemas/DynamicConfig' + $ref: '../schemas/security._common.yaml#/components/schemas/SecurityConfig' security.get_dashboards_info@200: content: application/json: @@ -1727,6 +1731,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.patch_configuration@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_distinguished_name@200: content: application/json: @@ -1885,6 +1894,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.update_configuration@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.update_distinguished_name@200: content: application/json: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 72e5eb9e7..4ae72f1d5 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml 
@@ -400,27 +400,36 @@ components: DynamicOptions: type: object properties: - filteredAliasMode: + filtered_alias_mode: type: string - disableRestAuth: + disable_rest_auth: type: boolean - disableIntertransportAuth: + disable_intertransport_auth: type: boolean - respectRequestIndicesOptions: + respect_request_indices_options: type: boolean - kibana: {} - http: {} - authc: {} - authz: {} - authFailureListeners: {} - doNotFailOnForbidden: + opensearch-dashboards: + type: object + kibana: + type: object + http: + type: object + authc: + type: object + authz: + type: object + auth_failure_listeners: + type: object + do_not_fail_on_forbidden: type: boolean - multiRolespanEnabled: + multi_rolespan_enabled: type: boolean - hostsResolverMode: + hosts_resolver_mode: type: string - doNotFailOnForbiddenEmpty: + do_not_fail_on_forbidden_empty: type: boolean + on_behalf_of: + type: object Forbidden: type: object @@ -628,6 +637,12 @@ components: type: object additionalProperties: $ref: '#/components/schemas/Role' + + SecurityConfig: + type: object + properties: + config: + $ref: '#/components/schemas/DynamicConfig' SSLInfo: type: object diff --git a/tests/security/with-api-prefix/securityconfig.yaml b/tests/security/with-api-prefix/securityconfig.yaml index 0082dfc7e..ca0e38cc3 100644 --- a/tests/security/with-api-prefix/securityconfig.yaml +++ b/tests/security/with-api-prefix/securityconfig.yaml @@ -1,12 +1,14 @@ $schema: ../../../json_schemas/test_story.schema.yaml +# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. + description: Test securityconfig endpoints. chapters: - synopsis: Update a security config. path: /_plugins/_security/api/securityconfig/config method: PUT - request_body: + request: payload: dynamic: filtered_alias_mode: warn 
@@ -38,7 +40,7 @@ chapters: hosts_resolver_mode: ip-only do_not_fail_on_forbidden_empty: false response: - status: 200 + status: 403 - synopsis: Get a security config. path: /_plugins/_security/api/securityconfig method: GET @@ -47,10 +49,10 @@ chapters: - synopsis: Patch a security config. path: /_plugins/_security/api/securityconfig method: PATCH - request_body: + request: payload: - op: replace - path: /config/dynamic/authc/basic_internal_auth_domain/transport_enabled - value: 'true' + - op: replace + path: /config/dynamic/authc/basic_internal_auth_domain/transport_enabled + value: 'true' response: - status: 200 + status: 403 From c87fa98e8ee8bc03a31d3c23e9ee389713a86da7 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 16:50:55 -0400 Subject: [PATCH 23/48] Fixes ssl_certs tests Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 29 ++++++++++++++++--- tests/security/with-api-prefix/ssl_certs.yaml | 7 +++-- 2 files changed, 29 insertions(+), 7 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 5ee8d9eb0..461de5e70 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -875,6 +875,8 @@ paths: $ref: '#/components/responses/security.get_certificates@200' '400': $ref: '#/components/responses/security.get_certificates@400' + '403': + $ref: '#/components/responses/security.get_certificates@403' /_plugins/_security/api/ssl/http/reloadcerts: put: operationId: security.reload_http_certificates.0 @@ -888,6 +890,8 @@ paths: $ref: '#/components/responses/security.reload_http_certificates@200' '400': $ref: '#/components/responses/security.reload_http_certificates@400' + '403': + $ref: '#/components/responses/security.reload_http_certificates@403' /_plugins/_security/api/ssl/transport/reloadcerts: put: operationId: security.reload_transport_certificates.0 
@@ -901,6 +905,8 @@ paths: $ref: '#/components/responses/security.reload_transport_certificates@200' '400': $ref: '#/components/responses/security.reload_transport_certificates@400' + '403': + $ref: '#/components/responses/security.reload_transport_certificates@403' /_plugins/_security/api/tenancy/config: get: operationId: security.get_tenancy_config.0 @@ -1526,6 +1532,12 @@ components: application/json: schema: null # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' + security.get_all_certificates@500: + description: '' + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/InternalServerError' security.get_node_certificates@200: description: '' content: @@ -1542,12 +1554,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' - security.get_all_certificates@500: - description: '' + security.get_certificates@403: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/InternalServerError' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_node_certificates@500: description: '' content: @@ -1856,6 +1867,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + security.reload_http_certificates@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.reload_transport_certificates@200: content: application/json: @@ -1866,6 +1882,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + security.reload_transport_certificates@403: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.tenant_info@200: content: application/json: 
diff --git a/tests/security/with-api-prefix/ssl_certs.yaml b/tests/security/with-api-prefix/ssl_certs.yaml index c61607408..bd0d9771e 100644 --- a/tests/security/with-api-prefix/ssl_certs.yaml +++ b/tests/security/with-api-prefix/ssl_certs.yaml @@ -2,19 +2,20 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test ssl endpoints. +# ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: - synopsis: Get ssl certificates. path: /_plugins/_security/api/ssl/certs method: GET response: - status: 200 + status: 403 - synopsis: Reload http certs. path: /_plugins/_security/api/ssl/http/reloadcerts method: PUT response: - status: 200 + status: 403 - synopsis: Reload transport certs. path: /_plugins/_security/api/ssl/transport/reloadcerts method: PUT response: - status: 200 + status: 403 From f12ee766305be554447616dc2ae6b971634ef11f Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 16:54:15 -0400 Subject: [PATCH 24/48] Fixes tenancyconfig tests Signed-off-by: Darshit Chanpura --- tests/security/with-api-prefix/tenancy_config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/security/with-api-prefix/tenancy_config.yaml b/tests/security/with-api-prefix/tenancy_config.yaml index cc8a6d820..3596d53da 100644 --- a/tests/security/with-api-prefix/tenancy_config.yaml +++ b/tests/security/with-api-prefix/tenancy_config.yaml @@ -12,9 +12,9 @@ chapters: - synopsis: Create or Update tenancy config. path: /_plugins/_security/api/tenancy/config method: PUT - request_body: + request: payload: - default_tenant: custom tenant 1 + default_tenant: admin_tenant private_tenant_enabled: false multitenancy_enabled: true sign_in_options: [] From 48cbc7f8cca239e1ccd2de567b94b589995e7293 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 16:56:40 -0400 Subject: [PATCH 25/48] Fixes tenants tests 
Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 7 ++++++ tests/security/with-api-prefix/tenants.yaml | 24 ++++++++++----------- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 461de5e70..e3ab7e062 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -988,6 +988,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_tenant@200' + '201': + $ref: '#/components/responses/security.create_tenant@201' '400': $ref: '#/components/responses/security.create_tenant@400' patch: @@ -1376,6 +1378,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_tenant@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.create_tenant@400: content: application/json: diff --git a/tests/security/with-api-prefix/tenants.yaml b/tests/security/with-api-prefix/tenants.yaml index b734aa2e0..c6f3f690b 100644 --- a/tests/security/with-api-prefix/tenants.yaml +++ b/tests/security/with-api-prefix/tenants.yaml @@ -3,6 +3,16 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test tenants endpoints. chapters: + - synopsis: Create tenant. + path: /_plugins/_security/api/tenants/{tenant} + method: PUT + parameters: + tenant: test + request: + payload: + description: A test tenant. + response: + status: 201 - synopsis: Get tenants bulk. path: /_plugins/_security/api/tenants method: GET 
@@ -11,23 +21,13 @@ chapters: - synopsis: Patch tenants bulk. path: /_plugins/_security/api/tenants method: PATCH - request_body: + request: payload: - op: replace path: /test/description value: A very good description response: status: 200 - - synopsis: Create tenant. - path: /_plugins/_security/api/tenants/{tenant} - method: PUT - parameters: - tenant: test - request_body: - payload: - description: A test tenant. - response: - status: 200 - synopsis: Get tenant. path: /_plugins/_security/api/tenants/{tenant} method: GET @@ -40,7 +40,7 @@ chapters: method: PATCH parameters: tenant: test - request_body: + request: payload: - op: replace path: /description From cb5fe806e37fa6636764dc576fe13c1d8c9188af Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 19:28:55 -0400 Subject: [PATCH 26/48] Fixes tokens and upgrade tests Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 9 ++++++ tests/security/with-api-prefix/migrate.yaml | 2 +- tests/security/with-api-prefix/tokens.yaml | 34 ++++++++++++++++++--- tests/security/with-api-prefix/upgrade.yaml | 4 +-- 4 files changed, 41 insertions(+), 8 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index e3ab7e062..525e1310e 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -171,6 +171,8 @@ paths: responses: '200': $ref: '#/components/responses/security.config_upgrade_perform@200' + '400': + $ref: '#/components/responses/security.config_upgrade_perform@400' /_plugins/_security/api/account: get: operationId: security.get_account_details.0 @@ -1333,6 +1335,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/UpgradePerform' + security.config_upgrade_perform@400: + content: + application/json: + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.create_action_group@200: content: application/json: 
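Review bot: `security.config_upgrade_perform@400` is added with `schema: null` and the `BadRequest` reference left in a comment, which appears to leave the body of this 400 response unvalidated. The same substitution is made for `security.validate@400` in PATCH 28 and for the tenant, tenancy-config, token, certificate, role and role-mapping 400 responses in PATCH 29. If the reference was dropped because `BadRequest` did not match what the plugin returns, correcting that schema once and keeping `$ref: '../schemas/security._common.yaml#/components/schemas/BadRequest'` would keep the error contract of these security endpoints checked. If the body really is undefined, a one-line comment saying why would serve better than a commented-out reference.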
@@ -1470,6 +1477,8 @@ components: $ref: '../schemas/security._common.yaml#/components/schemas/GenerateOBOToken' security.generate_obo_token@400: content: + text/plain: + type: string application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/with-api-prefix/migrate.yaml index add24c5eb..7b14428de 100644 --- a/tests/security/with-api-prefix/migrate.yaml +++ b/tests/security/with-api-prefix/migrate.yaml @@ -1,7 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test migrate endpoint. - +version: <1.1 # BAD_REQUEST. Can not migrate configuration because it was already migrated. chapters: - synopsis: Migrate v6 to v7 config. diff --git a/tests/security/with-api-prefix/tokens.yaml b/tests/security/with-api-prefix/tokens.yaml index 6b2423ea0..41f6185c0 100644 --- a/tests/security/with-api-prefix/tokens.yaml +++ b/tests/security/with-api-prefix/tokens.yaml @@ -2,6 +2,19 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test authtoken endpoints. +prologues: + - path: /_plugins/_security/api/internalusers/{username} + method: PUT + parameters: + username: test + request: + payload: + opendistro_security_roles: [] + backend_roles: [] + attributes: + service: true + enabled: true + status: [201] chapters: - synopsis: Create an auth token. path: /_plugins/_security/api/authtoken 
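Review bot: The `text/plain:` entry added under `security.generate_obo_token@400` puts `type: string` directly on the media type, where OpenAPI expects it under a `schema:` key. As written the plain-text body has no schema, and a strict validator may reject or ignore the stray `type`. Suggested shape: `text/plain:` followed by `schema:` with `type: string` nested beneath it.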
@@ -9,27 +22,38 @@ chapters: response: status: 200 - synopsis: Create an On-Behalf-Of token. + # Feature is disabled by default. https://opensearch.org/docs/latest/security/access-control/authentication-tokens/#configuration version: '>= 2.12' path: /_plugins/_security/api/generateonbehalfoftoken method: POST - request_body: + request: payload: description: Auth token for admin service: '' - duration: 60 + duration: '60' response: - status: 200 + content_type: text/plain + status: 400 + # Auth-tokens can only be vended for service accounts. - synopsis: Create internal user token. path: /_plugins/_security/api/internalusers/{username}/authtoken + version: '>2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 method: POST parameters: - username: admin + username: test response: status: 200 - synopsis: Create user token. path: /_plugins/_security/api/user/{username}/authtoken + version: '>2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 method: POST parameters: - username: admin + username: test response: status: 200 +epilogues: + - path: /_plugins/_security/api/internalusers/{username} + method: DELETE + parameters: + username: test + status: [200] \ No newline at end of file diff --git a/tests/security/with-api-prefix/upgrade.yaml b/tests/security/with-api-prefix/upgrade.yaml index 0d1b068d6..c0984e8b5 100644 --- a/tests/security/with-api-prefix/upgrade.yaml +++ b/tests/security/with-api-prefix/upgrade.yaml @@ -11,8 +11,8 @@ chapters: - synopsis: Perform the upgrade. path: /_plugins/_security/api/_upgrade_perform method: POST - request_body: + request: payload: config: [roles] response: - status: 200 \ No newline at end of file + status: 400 # Unable to upgrade, no differences found in 'roles' config \ No newline at end of file From 269b4167e9b4ac832911872859d7b1cdef548be4 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 19:30:54 -0400 Subject: [PATCH 27/48] Fixes user tests 
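Review bot: The comment `# Auth-tokens can only be vended for service accounts.` sits between two chapters in tokens.yaml, so it is unclear whether it explains the `status: 400` above it or the switch to `username: test` below. The On-Behalf-Of chapter's 400 would read better with the reason on the status line itself, e.g. `status: 400 # OBO tokens are disabled by default`, and the service-account remark moved next to the `username: test` parameter it applies to. The epilogue's `status: [200]` presumably fails cleanup when the prologue did not create the user; `status: [200, 404]`, the form the earlier account.yaml epilogue used, tolerates that.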
Signed-off-by: Darshit Chanpura --- tests/security/with-api-prefix/user.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/security/with-api-prefix/user.yaml b/tests/security/with-api-prefix/user.yaml index d3d875622..540a9355c 100644 --- a/tests/security/with-api-prefix/user.yaml +++ b/tests/security/with-api-prefix/user.yaml @@ -12,15 +12,15 @@ chapters: path: /_plugins/_security/api/user/{username} method: PUT parameters: - username: test2 - request_body: + username: test + request: payload: password: myWeakPassword123! opendistro_security_roles: [] backend_roles: [] attributes: {} response: - status: 200 + status: 201 - synopsis: Get user. path: /_plugins/_security/api/user/{username} method: GET From 44160ab565186602e9174842a557b25875b9817d Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 19:42:56 -0400 Subject: [PATCH 28/48] Fixes validate tests and run linter Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 11 +++++-- tests/security/with-api-prefix/account.yaml | 32 +++++++++---------- tests/security/with-api-prefix/migrate.yaml | 2 +- tests/security/with-api-prefix/upgrade.yaml | 2 +- tests/security/with-api-prefix/validate.yaml | 4 +-- .../security/without-api-prefix/authinfo.yaml | 28 ---------------- 6 files changed, 29 insertions(+), 50 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 525e1310e..5aebfd243 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -1056,6 +1056,8 @@ paths: responses: '200': $ref: '#/components/responses/security.create_user_legacy@200' + '201': + $ref: '#/components/responses/security.create_user_legacy@201' delete: operationId: security.delete_user_legacy.0 x-operation-group: security.delete_user_legacy 
@@ -1415,6 +1417,11 @@ components: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' + security.create_user_legacy@201: + content: + application/json: + schema: + $ref: '../schemas/security._common.yaml#/components/schemas/Created' security.delete_action_group@200: content: application/json: @@ -1959,8 +1966,8 @@ components: security.validate@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.who_am_i@200: content: application/json: diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index 0becc58a0..e8db0f3e7 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml @@ -20,22 +20,22 @@ chapters: method: GET response: status: 200 - payload: - user_name: admin - is_reserved: true - is_hidden: false - is_internal_user: true - user_requested_tenant: null - backend_roles: - - admin - custom_attribute_names: [] - tenants: - global_tenant: true - admin_tenant: true - admin: true - roles: - - all_access - - own_index + # payload: + # user_name: admin + # is_reserved: true + # is_hidden: false + # is_internal_user: true + # user_requested_tenant: null + # backend_roles: + # - admin + # custom_attribute_names: [] + # tenants: + # global_tenant: true + # admin_tenant: true + # admin: true + # roles: + # - all_access + # - own_index # TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented # NOTE: this test should be updated to change test user's password created in epilogue. Until then this will be 403 since admin is a reserved user. - synopsis: Change password. 
diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/with-api-prefix/migrate.yaml index 7b14428de..add24c5eb 100644 --- a/tests/security/with-api-prefix/migrate.yaml +++ b/tests/security/with-api-prefix/migrate.yaml @@ -1,7 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test migrate endpoint. -version: <1.1 + # BAD_REQUEST. Can not migrate configuration because it was already migrated. chapters: - synopsis: Migrate v6 to v7 config. diff --git a/tests/security/with-api-prefix/upgrade.yaml b/tests/security/with-api-prefix/upgrade.yaml index c0984e8b5..af9a57bc4 100644 --- a/tests/security/with-api-prefix/upgrade.yaml +++ b/tests/security/with-api-prefix/upgrade.yaml @@ -15,4 +15,4 @@ chapters: payload: config: [roles] response: - status: 400 # Unable to upgrade, no differences found in 'roles' config \ No newline at end of file + status: 400 # Unable to upgrade, no differences found in 'roles' config. \ No newline at end of file diff --git a/tests/security/with-api-prefix/validate.yaml b/tests/security/with-api-prefix/validate.yaml index 895eacea8..11646a8ad 100644 --- a/tests/security/with-api-prefix/validate.yaml +++ b/tests/security/with-api-prefix/validate.yaml @@ -1,7 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test validate endpoint. - +# BAD_REQUEST. Can not migrate configuration because it was already migrated. chapters: - synopsis: Check whether v6 configuration is valid. path: /_plugins/_security/api/validate @@ -9,4 +9,4 @@ chapters: parameters: accept_invalid: false response: - status: 200 + status: 400 diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml index a28a4090e..3895af8c0 100644 --- a/tests/security/without-api-prefix/authinfo.yaml +++ b/tests/security/without-api-prefix/authinfo.yaml 
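Review bot: The comment added at the top of validate.yaml, `# BAD_REQUEST. Can not migrate configuration because it was already migrated.`, is the same text as the comment in migrate.yaml and talks about migration, not validation. If it is meant to explain the new `status: 400`, it should say what the validate endpoint rejects and sit on that line, for example `status: 400 # <reason returned by the validate endpoint>`. As it stands the story asserts a failure for `accept_invalid: false` without recording why a 400 is the correct outcome.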
@@ -10,20 +10,6 @@ chapters: verbose: false response: status: 200 - payload: - user_requested_tenant: null - principal: null - peer_certificates: '0' - sso_logout_url: null - user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]' - user_name: admin - backend_roles: [admin] - custom_attribute_names: [] - roles: [all_access,own_index] - tenants: - global_tenant: true - admin_tenant: true - admin: true - synopsis: Get auth info via POST. path: /_plugins/_security/authinfo method: POST @@ -32,17 +18,3 @@ chapters: verbose: false response: status: 200 - payload: - user_requested_tenant: null - principal: null - peer_certificates: '0' - sso_logout_url: null - user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]' - user_name: admin - backend_roles: [admin] - custom_attribute_names: [] - roles: [all_access,own_index] - tenants: - global_tenant: true - admin_tenant: true - admin: true From a92aa5bd32d3ede609c841492cf14322ba8339e1 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 19:55:27 -0400 Subject: [PATCH 29/48] Fixes spec Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 70 +++++++++++++++--------------- spec/schemas/security._common.yaml | 67 ++++++++++++---------------- 2 files changed, 63 insertions(+), 74 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 5aebfd243..d3b523e27 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -646,7 +646,7 @@ paths: '200': $ref: '#/components/responses/security.delete_distinguished_name@200' '400': - $ref: '#/components/responses/security.get_distinguished_name@400' + $ref: '#/components/responses/security.delete_distinguished_name@400' '403': $ref: '#/components/responses/security.delete_distinguished_name@403' /_plugins/_security/api/permissionsinfo: 
@@ -1395,8 +1395,8 @@ components: security.create_tenant@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.create_update_tenancy_config@200: content: application/json: @@ -1405,8 +1405,8 @@ components: security.create_update_tenancy_config@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.create_user@200: content: application/json: @@ -1460,8 +1460,8 @@ components: security.delete_tenant@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.delete_user@200: content: application/json: @@ -1487,8 +1487,8 @@ components: text/plain: type: string application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.generate_user_token@200: content: application/json: @@ -1497,8 +1497,8 @@ components: security.generate_user_token@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.generate_user_token_legacy@200: content: application/json: @@ -1507,8 +1507,8 @@ components: security.generate_user_token_legacy@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_account_details@200: content: application/json: 
@@ -1575,8 +1575,8 @@ components: security.get_certificates@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_certificates@403: content: application/json: @@ -1688,8 +1688,8 @@ components: security.get_tenancy_config@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_tenants@200: content: application/json: @@ -1698,8 +1698,8 @@ components: security.get_tenants@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_user@200: content: application/json: @@ -1808,8 +1808,8 @@ components: security.patch_role@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_role_mapping@200: content: application/json: @@ -1818,8 +1818,8 @@ components: security.patch_role_mapping@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_role_mappings@200: content: application/json: @@ -1828,8 +1828,8 @@ components: security.patch_role_mappings@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_roles@200: content: application/json: 
@@ -1838,8 +1838,8 @@ components: security.patch_roles@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_tenant@200: content: application/json: @@ -1848,8 +1848,8 @@ components: security.patch_tenant@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_tenants@200: content: application/json: @@ -1858,8 +1858,8 @@ components: security.patch_tenants@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_user@200: content: application/json: @@ -1888,8 +1888,8 @@ components: security.reload_http_certificates@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.reload_http_certificates@403: content: application/json: @@ -1903,8 +1903,8 @@ components: security.reload_transport_certificates@400: content: application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' + schema: null + # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.reload_transport_certificates@403: content: application/json: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 4ae72f1d5..180d677f8 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml 
@@ -58,17 +58,6 @@ components: $ref: '#/components/schemas/ActionGroup' AllowListConfig: - type: object - properties: - # config: - # $ref: '#/components/schemas/AllowConfig' - enabled: - type: boolean - requests: - type: object - description: An object with APIs as key and array of http methods as values. - - AllowConfig: type: object properties: enabled: @@ -189,16 +178,16 @@ components: type: string description: Size of backend roles in bytes. - BadRequest: - type: object - properties: - status: - type: string - enum: - - 400 - message: - type: string - description: Message returned as part of BAD_REQUEST response. + # BadRequest: + # type: object + # properties: + # status: + # type: string + # enum: + # - 400 + # message: + # type: string + # description: Message returned as part of BAD_REQUEST response. CertificateCountPerNode: type: object @@ -431,14 +420,14 @@ components: on_behalf_of: type: object - Forbidden: - type: object - properties: - status: - type: [number, string] - message: - type: string - description: Message returned as part of Forbidden response. + # Forbidden: + # type: object + # properties: + # status: + # type: string + # message: + # type: string + # description: Message returned as part of Forbidden response. GenerateOBOToken: type: object @@ -492,16 +481,16 @@ components: type: string description: Error message during request execution. - MethodNotImplemented: - type: object - properties: - status: - type: string - enum: - - 501 - message: - type: string - description: Message returned as part of NOT_IMPLEMENTED response. + # MethodNotImplemented: + # type: object + # properties: + # status: + # type: string + # enum: + # - 501 + # message: + # type: string + # description: Message returned as part of NOT_IMPLEMENTED response. MultiTenancyConfig: type: object From ef92ce6804ba207b28fdf8ae7d4d13a553366c29 Mon Sep 17 00:00:00 2001 
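Review bot: `BadRequest`, `Forbidden` and `MethodNotImplemented` are left in security._common.yaml as commented-out blocks, which keeps dead definitions in the spec and leaves the `schema: null` responses in security.yaml with no live schema to return to. The commented `BadRequest` still declares `status` as `type: string` with `enum: - 400`, an integer that no string value can equal. If that mismatch is why validation failed, fixing the property (dropping the `enum`, or listing the string the plugin actually returns) would let the schema stay in use. Otherwise delete the blocks and rely on version control for the history.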
From: Darshit Chanpura Date: Thu, 8 Aug 2024 20:25:37 -0400 Subject: [PATCH 30/48] Adds missing new lines to EOFs Signed-off-by: Darshit Chanpura --- tests/security/with-api-prefix/account.yaml | 43 +------------------ tests/security/with-api-prefix/allowlist.yaml | 2 +- .../with-api-prefix/permissionsinfo.yaml | 1 - .../with-api-prefix/rolesmapping.yaml | 2 +- tests/security/with-api-prefix/tokens.yaml | 2 +- tests/security/with-api-prefix/upgrade.yaml | 2 +- tests/security/without-api-prefix/health.yaml | 2 +- .../security/without-api-prefix/sslinfo.yaml | 1 - .../without-api-prefix/tenantinfo.yaml | 1 - 9 files changed, 6 insertions(+), 50 deletions(-) diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml index e8db0f3e7..22e82de4c 100644 --- a/tests/security/with-api-prefix/account.yaml +++ b/tests/security/with-api-prefix/account.yaml 
@@ -2,41 +2,13 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test account endpoint. -# prologues: -# - path: /_plugins/_security/api/internalusers/{username} -# method: PUT -# parameters: -# username: test -# request: -# payload: -# password: myWeakPassword123! -# opendistro_security_roles: [] -# backend_roles: [] -# attributes: {} -# status: [200] chapters: - synopsis: Get account details. path: /_plugins/_security/api/account method: GET response: status: 200 - # payload: - # user_name: admin - # is_reserved: true - # is_hidden: false - # is_internal_user: true - # user_requested_tenant: null - # backend_roles: - # - admin - # custom_attribute_names: [] - # tenants: - # global_tenant: true - # admin_tenant: true - # admin: true - # roles: - # - all_access - # - own_index - # TODO: following test can be changed to interact with test user once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented + # TODO: following test can be changed to interact with test user, to be created in prologues, once https://github.com/opensearch-project/opensearch-api-specification/issues/438 is implemented # NOTE: this test should be updated to change test user's password created in epilogue. Until then this will be 403 since admin is a reserved user. - synopsis: Change password. path: /_plugins/_security/api/account @@ -47,16 +19,3 @@ chapters: password: myWeakPassword123! response: status: 403 -# epilogues: -# - path: /_plugins/_security/api/account -# method: PUT -# request: -# payload: -# current_password: myWeakPassword123! -# password: myStrongPassword123! -# status: [200] -# - path: /_plugins/_security/api/internalusers/{username} -# method: DELETE -# parameters: -# username: test -# status: [200, 404] diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/with-api-prefix/allowlist.yaml index f10f96c80..0a6531d06 100644 --- a/tests/security/with-api-prefix/allowlist.yaml 
+++ b/tests/security/with-api-prefix/allowlist.yaml @@ -27,4 +27,4 @@ chapters: - op: remove path: /config/requests response: - status: 403 \ No newline at end of file + status: 403 diff --git a/tests/security/with-api-prefix/permissionsinfo.yaml b/tests/security/with-api-prefix/permissionsinfo.yaml index 1db4b098c..c60a0dd62 100644 --- a/tests/security/with-api-prefix/permissionsinfo.yaml +++ b/tests/security/with-api-prefix/permissionsinfo.yaml @@ -8,4 +8,3 @@ chapters: method: GET response: status: 200 - \ No newline at end of file diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/with-api-prefix/rolesmapping.yaml index 813b43257..ca08baeec 100644 --- a/tests/security/with-api-prefix/rolesmapping.yaml +++ b/tests/security/with-api-prefix/rolesmapping.yaml @@ -74,4 +74,4 @@ epilogues: method: DELETE parameters: role: test - status: [200] \ No newline at end of file + status: [200] diff --git a/tests/security/with-api-prefix/tokens.yaml b/tests/security/with-api-prefix/tokens.yaml index 41f6185c0..96d400af6 100644 --- a/tests/security/with-api-prefix/tokens.yaml +++ b/tests/security/with-api-prefix/tokens.yaml @@ -56,4 +56,4 @@ epilogues: method: DELETE parameters: username: test - status: [200] \ No newline at end of file + status: [200] diff --git a/tests/security/with-api-prefix/upgrade.yaml b/tests/security/with-api-prefix/upgrade.yaml index af9a57bc4..04d33a86c 100644 --- a/tests/security/with-api-prefix/upgrade.yaml +++ b/tests/security/with-api-prefix/upgrade.yaml @@ -15,4 +15,4 @@ chapters: payload: config: [roles] response: - status: 400 # Unable to upgrade, no differences found in 'roles' config. \ No newline at end of file + status: 400 # Unable to upgrade, no differences found in 'roles' config. diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/without-api-prefix/health.yaml index 6fa73719a..b4855fdee 100644 --- a/tests/security/without-api-prefix/health.yaml 
+++ b/tests/security/without-api-prefix/health.yaml @@ -23,4 +23,4 @@ chapters: payload: message: null mode: strict - status: UP \ No newline at end of file + status: UP diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/without-api-prefix/sslinfo.yaml index 10303c84e..c6f6b9a96 100644 --- a/tests/security/without-api-prefix/sslinfo.yaml +++ b/tests/security/without-api-prefix/sslinfo.yaml @@ -23,4 +23,3 @@ chapters: ssl_provider_http: JDK ssl_provider_transport_server: JDK ssl_provider_transport_client: JDK - diff --git a/tests/security/without-api-prefix/tenantinfo.yaml b/tests/security/without-api-prefix/tenantinfo.yaml index 3ffca8068..66fece71a 100644 --- a/tests/security/without-api-prefix/tenantinfo.yaml +++ b/tests/security/without-api-prefix/tenantinfo.yaml @@ -14,4 +14,3 @@ chapters: response: status: 403 # only allowed for super-admin or dashboards-server role mapping content_type: text/plain - \ No newline at end of file From 2e090ee4a9b6560c2f29f135e550197675451aca Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 11:19:49 -0400 Subject: [PATCH 31/48] Address changes in CHANGELOG Signed-off-by: Darshit Chanpura --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 386c00f34..5b74c66c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -67,7 +67,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Added doc on `cluster create-index blocked` workaround ([#465](https://github.com/opensearch-project/opensearch-api-specification/pull/465)) - Added support for reusing output variables as keys in payload expectations ([#471](https://github.com/opensearch-project/opensearch-api-specification/pull/471)) - Added support for running tests against Amazon OpenSearch ([#476](https://github.com/opensearch-project/opensearch-api-specification/pull/476)) -- Added tests for security APIs ([#439](https://github.com/opensearch-project/opensearch-api-specification/pull/439)) +- Added API spec for security plugin ([#271](https://github.com/opensearch-project/opensearch-api-specification/pull/271)) +- Added `/_plugins/_security/api/certificates/` to API spec ([#439](https://github.com/opensearch-project/opensearch-api-specification/pull/439)) ### Changed @@ -110,6 +111,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Fixed `_source` accepting an array of fields in `/_search` ([#430](https://github.com/opensearch-project/opensearch-api-specification/pull/430)) - Fixed `_update_by_query` with a simple term ([#451](https://github.com/opensearch-project/opensearch-api-specification/pull/451)) - Fixed `Duration` to allow for non-integers ([#479](https://github.com/opensearch-project/opensearch-api-specification/pull/479)) +- Fixed security spec to add support for 400 and 403s ([#439](https://github.com/opensearch-project/opensearch-api-specification/pull/439)) ### Security From 688e69fa94e4abce2fa4dfa1e59ada5742d4cfb9 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 12:00:55 -0400 Subject: [PATCH 32/48] Updates parameter descriptions Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 53 +++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 15 deletions(-) 
diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index d3b523e27..53578ad0c 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -1322,7 +1322,6 @@ components: schema: $ref: '../schemas/security._common.yaml#/components/schemas/Ok' security.change_password@403: - description: '' content: application/json: schema: null @@ -1545,7 +1544,6 @@ components: schema: $ref: '../schemas/security._common.yaml#/components/schemas/GetCertificates' security.get_all_certificates@200: - description: '' content: application/json: schema: @@ -1556,13 +1554,11 @@ components: schema: null # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_all_certificates@500: - description: '' content: application/json: schema: $ref: '../schemas/security._common.yaml#/components/schemas/InternalServerError' security.get_node_certificates@200: - description: '' content: application/json: schema: @@ -1583,7 +1579,6 @@ components: schema: null # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_node_certificates@500: - description: '' content: application/json: schema: @@ -1916,7 +1911,6 @@ components: schema: $ref: '../schemas/security._common.yaml#/components/schemas/TenantInfo' security.tenant_info@403: - description: '' content: text/plain: type: string 
@@ -2009,147 +2003,165 @@ components: description: The name of the action group to create or replace. schema: type: string - description: The name of the action group to create or replace. required: true security.create_role::path.role: name: role in: path + description: The name of the role to be created. schema: type: string required: true security.create_role_mapping::path.role: name: role in: path + description: The name of the role to create a role mapping for. schema: type: string required: true security.create_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to be created. schema: type: string required: true security.create_user::path.username: name: username in: path + description: The name of the user to be created. schema: type: string required: true security.create_user_legacy::path.username: name: username in: path + description: The name of the user to be created. schema: type: string required: true security.delete_action_group::path.action_group: name: action_group in: path - description: Action group to delete. + description: The name of the action group to delete. schema: type: string - description: Action group to delete. required: true security.delete_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to delete from list of distinguished names. schema: type: string required: true security.delete_role::path.role: name: role in: path + description: The name of the role to delete. schema: type: string required: true security.delete_role_mapping::path.role: name: role in: path + description: The name of the role whose mapping needs to delete. schema: type: string required: true security.delete_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to delete. schema: type: string required: true security.delete_user::path.username: name: username in: path + description: The name of the user to delete. 
schema: type: string required: true security.delete_user_legacy::path.username: name: username in: path + description: The name of the user to delete. schema: type: string required: true security.generate_user_token::path.username: name: username in: path + description: The name of the user for whom an auth token is to be vended. schema: type: string required: true security.generate_user_token_legacy::path.username: name: username in: path + description: The name of the user for whom an auth token is to be vended. schema: type: string required: true security.get_action_group::path.action_group: name: action_group in: path - description: Action group to retrieve. + description: The name of the action group to retrieve. schema: type: string - description: Action group to retrieve. required: true security.get_node_certificates::path.node_id: name: node_id in: path + description: The full-id of the node to retrieve certificates. schema: type: string required: true security.get_all_certificates::query.cert_type: name: cert_type in: query + description: The type of certificates (HTTP, TRANSPORT, ALL) to retrieve from all nodes. schema: type: string required: false security.get_node_certificates::query.cert_type: name: cert_type in: query + description: The type of certificates (HTTP, TRANSPORT, ALL) to retrieve for a node. schema: type: string required: false security.get_all_certificates::query.timeout: name: timeout in: query + description: The maximum duration, in seconds, to be spent to retrieve certificates from all nodes. schema: - type: string + $ref: '../schemas/_common.yaml#/components/schemas/Duration' required: false security.get_node_certificates::query.timeout: name: timeout in: query + description: The maximum duration, in seconds, to be spent to retrieve a node's certificates. 
schema: - type: string + $ref: '../schemas/_common.yaml#/components/schemas/Duration' required: false security.get_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to retrieve nodes DN setting for. schema: type: string required: true security.get_distinguished_name::query.show_all: name: show_all in: query + description: A boolean flag to include/exclude static nodes DN from final result. schema: type: boolean required: false security.get_distinguished_names::query.show_all: name: show_all in: query + description: A boolean flag to include/exclude static nodes DN from final result. schema: type: boolean required: false 
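Review bot: The two `timeout` descriptions say the value is "in seconds" while the same lines change the schema to `$ref: '../schemas/_common.yaml#/components/schemas/Duration'`; if `Duration` accepts unit-suffixed values, as its name suggests, the description should not fix the unit. Likewise both `cert_type` descriptions list `HTTP, TRANSPORT, ALL` while the schema stays `type: string`, so the allowed values are documented but not enforced; an `enum` would state them in the spec itself once the accepted casing is confirmed. A smaller wording point: `The name of the role whose mapping needs to delete.` reads better as `The name of the role whose mapping is to be deleted.`. The `components` parameter block continues outside this hunk.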
@@ -2168,80 +2180,91 @@ components: security.get_sslinfo::query.show_dn: name: show_dn in: query - description: The domain names from all certificates. + description: A boolean flag to indicate whether all domain names should be returned. schema: type: [boolean, string] - description: A boolean flag to indicate whether all domain names should be returned. required: false security.get_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to retrieve. schema: type: string required: true security.get_user::path.username: name: username in: path + description: The name of the user to retrieve. schema: type: string required: true security.get_user_legacy::path.username: name: username in: path + description: The name of the user to retrieve. schema: type: string required: true security.health::query.mode: name: mode in: query + description: A flag to indicate whether service should consider security-plugin's status before returning health response. `strict` mode indicates service should check security plugin status. schema: type: string required: false security.patch_action_group::path.action_group: name: action_group in: path + description: The name of the action group to update. schema: type: string required: true security.patch_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to update nodesDn value. schema: type: string required: true security.patch_role::path.role: name: role in: path + description: The name of the role to update. schema: type: string required: true security.patch_role_mapping::path.role: name: role in: path + description: The name of the role to update role-mapping for. schema: type: string required: true security.patch_tenant::path.tenant: name: tenant in: path + description: The name of the tenant to update. schema: type: string required: true security.patch_user::path.username: name: username in: path + description: The name of the user to update. 
schema: type: string required: true security.update_distinguished_name::path.cluster_name: name: cluster_name in: path + description: The cluster-name to create/update nodesDn value for. schema: type: string required: true security.validate::query.accept_invalid: name: accept_invalid in: query + description: A boolean flag to indicate whether invalid v6 configuration should be allowed. schema: type: boolean required: false From a91e52cb24f1d1791847f3d652ec07ed41bb2b6f Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 12:05:12 -0400 Subject: [PATCH 33/48] Re-organize folder structure 
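Review bot: The new description on `security.health::query.mode` names only `strict`, while the schema stays a free-form `type: string`, so a reader cannot tell which value is the default or what the endpoint reports in any other mode. That choice decides whether a health probe reflects the security plugin's state, so the description should state the default and list every accepted value; if the set is fixed, an `enum` on the schema would let generated clients reject anything else. In the same hunk `security.get_sslinfo::query.show_dn` is now described as a boolean flag but keeps `type: [boolean, string]`, and a short remark such as `Accepts the string forms "true"/"false" as well.` would explain the union if that is the intent. `security.validate::query.accept_invalid` would also benefit from saying what "allowed" means for the validation result.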
Signed-off-by: Darshit Chanpura --- tests/security/{with-api-prefix => api}/account.yaml | 0 tests/security/{with-api-prefix => api}/action_groups.yaml | 0 tests/security/{with-api-prefix => api}/allowlist.yaml | 0 tests/security/{with-api-prefix => api}/audit.yaml | 0 tests/security/{with-api-prefix => api}/cache.yaml | 0 tests/security/{with-api-prefix => api}/certificates.yaml | 0 tests/security/{with-api-prefix => api}/internal_users.yaml | 0 tests/security/{with-api-prefix => api}/migrate.yaml | 0 tests/security/{with-api-prefix => api}/nodesdn.yaml | 0 tests/security/{with-api-prefix => api}/permissionsinfo.yaml | 0 tests/security/{with-api-prefix => api}/roles.yaml | 0 tests/security/{with-api-prefix => api}/rolesmapping.yaml | 0 tests/security/{with-api-prefix => api}/securityconfig.yaml | 0 tests/security/{with-api-prefix => api}/ssl_certs.yaml | 0 tests/security/{with-api-prefix => api}/tenancy_config.yaml | 0 tests/security/{with-api-prefix => api}/tenants.yaml | 0 tests/security/{with-api-prefix => api}/tokens.yaml | 0 tests/security/{with-api-prefix => api}/upgrade.yaml | 0 tests/security/{with-api-prefix => api}/user.yaml | 0 tests/security/{with-api-prefix => api}/validate.yaml | 0 tests/security/{without-api-prefix => }/authinfo.yaml | 2 +- tests/security/{without-api-prefix => }/dashboardsinfo.yaml | 2 +- tests/security/{without-api-prefix => }/health.yaml | 2 +- tests/security/{without-api-prefix => }/sslinfo.yaml | 2 +- tests/security/{without-api-prefix => }/tenantinfo.yaml | 2 +- tests/security/{without-api-prefix => }/whoami.yaml | 2 +- 26 files changed, 6 insertions(+), 6 deletions(-) rename tests/security/{with-api-prefix => api}/account.yaml (100%) rename tests/security/{with-api-prefix => api}/action_groups.yaml (100%) rename tests/security/{with-api-prefix => api}/allowlist.yaml (100%) rename tests/security/{with-api-prefix => api}/audit.yaml (100%) rename tests/security/{with-api-prefix => api}/cache.yaml (100%) rename 
tests/security/{with-api-prefix => api}/certificates.yaml (100%) rename tests/security/{with-api-prefix => api}/internal_users.yaml (100%) rename tests/security/{with-api-prefix => api}/migrate.yaml (100%) rename tests/security/{with-api-prefix => api}/nodesdn.yaml (100%) rename tests/security/{with-api-prefix => api}/permissionsinfo.yaml (100%) rename tests/security/{with-api-prefix => api}/roles.yaml (100%) rename tests/security/{with-api-prefix => api}/rolesmapping.yaml (100%) rename tests/security/{with-api-prefix => api}/securityconfig.yaml (100%) rename tests/security/{with-api-prefix => api}/ssl_certs.yaml (100%) rename tests/security/{with-api-prefix => api}/tenancy_config.yaml (100%) rename tests/security/{with-api-prefix => api}/tenants.yaml (100%) rename tests/security/{with-api-prefix => api}/tokens.yaml (100%) rename tests/security/{with-api-prefix => api}/upgrade.yaml (100%) rename tests/security/{with-api-prefix => api}/user.yaml (100%) rename tests/security/{with-api-prefix => api}/validate.yaml (100%) rename tests/security/{without-api-prefix => }/authinfo.yaml (88%) rename tests/security/{without-api-prefix => }/dashboardsinfo.yaml (85%) rename tests/security/{without-api-prefix => }/health.yaml (90%) rename tests/security/{without-api-prefix => }/sslinfo.yaml (93%) rename tests/security/{without-api-prefix => }/tenantinfo.yaml (90%) rename tests/security/{without-api-prefix => }/whoami.yaml (93%) diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/api/account.yaml similarity index 100% rename from tests/security/with-api-prefix/account.yaml rename to tests/security/api/account.yaml diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/api/action_groups.yaml similarity index 100% rename from tests/security/with-api-prefix/action_groups.yaml rename to tests/security/api/action_groups.yaml 
diff --git a/tests/security/with-api-prefix/allowlist.yaml b/tests/security/api/allowlist.yaml
similarity index 100%
rename from tests/security/with-api-prefix/allowlist.yaml
rename to tests/security/api/allowlist.yaml
diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/api/audit.yaml
similarity index 100%
rename from tests/security/with-api-prefix/audit.yaml
rename to tests/security/api/audit.yaml
diff --git a/tests/security/with-api-prefix/cache.yaml b/tests/security/api/cache.yaml
similarity index 100%
rename from tests/security/with-api-prefix/cache.yaml
rename to tests/security/api/cache.yaml
diff --git a/tests/security/with-api-prefix/certificates.yaml b/tests/security/api/certificates.yaml
similarity index 100%
rename from tests/security/with-api-prefix/certificates.yaml
rename to tests/security/api/certificates.yaml
diff --git a/tests/security/with-api-prefix/internal_users.yaml b/tests/security/api/internal_users.yaml
similarity index 100%
rename from tests/security/with-api-prefix/internal_users.yaml
rename to tests/security/api/internal_users.yaml
diff --git a/tests/security/with-api-prefix/migrate.yaml b/tests/security/api/migrate.yaml
similarity index 100%
rename from tests/security/with-api-prefix/migrate.yaml
rename to tests/security/api/migrate.yaml
diff --git a/tests/security/with-api-prefix/nodesdn.yaml b/tests/security/api/nodesdn.yaml
similarity index 100%
rename from tests/security/with-api-prefix/nodesdn.yaml
rename to tests/security/api/nodesdn.yaml
diff --git a/tests/security/with-api-prefix/permissionsinfo.yaml b/tests/security/api/permissionsinfo.yaml
similarity index 100%
rename from tests/security/with-api-prefix/permissionsinfo.yaml
rename to tests/security/api/permissionsinfo.yaml
diff --git a/tests/security/with-api-prefix/roles.yaml b/tests/security/api/roles.yaml
similarity index 100%
rename from tests/security/with-api-prefix/roles.yaml
rename to tests/security/api/roles.yaml
diff --git a/tests/security/with-api-prefix/rolesmapping.yaml b/tests/security/api/rolesmapping.yaml
similarity index 100%
rename from tests/security/with-api-prefix/rolesmapping.yaml
rename to tests/security/api/rolesmapping.yaml
diff --git a/tests/security/with-api-prefix/securityconfig.yaml b/tests/security/api/securityconfig.yaml
similarity index 100%
rename from tests/security/with-api-prefix/securityconfig.yaml
rename to tests/security/api/securityconfig.yaml
diff --git a/tests/security/with-api-prefix/ssl_certs.yaml b/tests/security/api/ssl_certs.yaml
similarity index 100%
rename from tests/security/with-api-prefix/ssl_certs.yaml
rename to tests/security/api/ssl_certs.yaml
diff --git a/tests/security/with-api-prefix/tenancy_config.yaml b/tests/security/api/tenancy_config.yaml
similarity index 100%
rename from tests/security/with-api-prefix/tenancy_config.yaml
rename to tests/security/api/tenancy_config.yaml
diff --git a/tests/security/with-api-prefix/tenants.yaml b/tests/security/api/tenants.yaml
similarity index 100%
rename from tests/security/with-api-prefix/tenants.yaml
rename to tests/security/api/tenants.yaml
diff --git a/tests/security/with-api-prefix/tokens.yaml b/tests/security/api/tokens.yaml
similarity index 100%
rename from tests/security/with-api-prefix/tokens.yaml
rename to tests/security/api/tokens.yaml
diff --git a/tests/security/with-api-prefix/upgrade.yaml b/tests/security/api/upgrade.yaml
similarity index 100%
rename from tests/security/with-api-prefix/upgrade.yaml
rename to tests/security/api/upgrade.yaml
diff --git a/tests/security/with-api-prefix/user.yaml b/tests/security/api/user.yaml
similarity index 100%
rename from tests/security/with-api-prefix/user.yaml
rename to tests/security/api/user.yaml
diff --git a/tests/security/with-api-prefix/validate.yaml b/tests/security/api/validate.yaml
similarity index 100%
rename from tests/security/with-api-prefix/validate.yaml
rename to tests/security/api/validate.yaml
diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/authinfo.yaml similarity index 88% rename from tests/security/without-api-prefix/authinfo.yaml rename to tests/security/authinfo.yaml index 3895af8c0..0e04dce5a 100644 --- a/tests/security/without-api-prefix/authinfo.yaml +++ b/tests/security/authinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../json_schemas/test_story.schema.yaml description: Test authinfo endpoint. chapters: diff --git a/tests/security/without-api-prefix/dashboardsinfo.yaml b/tests/security/dashboardsinfo.yaml similarity index 85% rename from tests/security/without-api-prefix/dashboardsinfo.yaml rename to tests/security/dashboardsinfo.yaml index 16925b704..afcfa4bf6 100644 --- a/tests/security/without-api-prefix/dashboardsinfo.yaml +++ b/tests/security/dashboardsinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../json_schemas/test_story.schema.yaml description: Test dashboardsinfo endpoint. chapters: diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/health.yaml similarity index 90% rename from tests/security/without-api-prefix/health.yaml rename to tests/security/health.yaml index b4855fdee..b43b0beef 100644 --- a/tests/security/without-api-prefix/health.yaml +++ b/tests/security/health.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../json_schemas/test_story.schema.yaml description: Test health endpoint. chapters: diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/sslinfo.yaml similarity index 93% rename from tests/security/without-api-prefix/sslinfo.yaml rename to tests/security/sslinfo.yaml index c6f6b9a96..a99be72f6 100644 --- a/tests/security/without-api-prefix/sslinfo.yaml +++ b/tests/security/sslinfo.yaml 
@@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../json_schemas/test_story.schema.yaml description: Test sslinfo endpoint. chapters: diff --git a/tests/security/without-api-prefix/tenantinfo.yaml b/tests/security/tenantinfo.yaml similarity index 90% rename from tests/security/without-api-prefix/tenantinfo.yaml rename to tests/security/tenantinfo.yaml index 66fece71a..5ef84a9a6 100644 --- a/tests/security/without-api-prefix/tenantinfo.yaml +++ b/tests/security/tenantinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../json_schemas/test_story.schema.yaml description: Test tenantinfo endpoint. chapters: diff --git a/tests/security/without-api-prefix/whoami.yaml b/tests/security/whoami.yaml similarity index 93% rename from tests/security/without-api-prefix/whoami.yaml rename to tests/security/whoami.yaml index 9e3eab4fe..742891249 100644 --- a/tests/security/without-api-prefix/whoami.yaml +++ b/tests/security/whoami.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../json_schemas/test_story.schema.yaml description: Test whoami endpoints. chapters: From 2b3494f1b77c0745150d01c21848146685ee13fb Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 15:54:28 -0400 Subject: [PATCH 34/48] Moved security tests inside plugins folder 
Signed-off-by: Darshit Chanpura --- tests/{ => plugins}/security/api/account.yaml | 2 +- tests/{ => plugins}/security/api/action_groups.yaml | 2 +- tests/{ => plugins}/security/api/allowlist.yaml | 2 +- tests/{ => plugins}/security/api/audit.yaml | 2 +- tests/{ => plugins}/security/api/cache.yaml | 2 +- tests/{ => plugins}/security/api/certificates.yaml | 2 +- tests/{ => plugins}/security/api/internal_users.yaml | 2 +- tests/{ => plugins}/security/api/migrate.yaml | 2 +- tests/{ => plugins}/security/api/nodesdn.yaml | 2 +- tests/{ => plugins}/security/api/permissionsinfo.yaml | 2 +- tests/{ => plugins}/security/api/roles.yaml | 2 +- tests/{ => plugins}/security/api/rolesmapping.yaml | 2 +- tests/{ => plugins}/security/api/securityconfig.yaml | 2 +- tests/{ => plugins}/security/api/ssl_certs.yaml | 2 +- tests/{ => plugins}/security/api/tenancy_config.yaml | 2 +- tests/{ => plugins}/security/api/tenants.yaml | 2 +- tests/{ => plugins}/security/api/tokens.yaml | 2 +- tests/{ => plugins}/security/api/upgrade.yaml | 2 +- tests/{ => plugins}/security/api/user.yaml | 2 +- tests/{ => plugins}/security/api/validate.yaml | 2 +- tests/{ => plugins}/security/authinfo.yaml | 2 +- tests/{ => plugins}/security/dashboardsinfo.yaml | 2 +- tests/{ => plugins}/security/health.yaml | 2 +- tests/{ => plugins}/security/sslinfo.yaml | 2 +- tests/{ => plugins}/security/tenantinfo.yaml | 2 +- tests/{ => plugins}/security/whoami.yaml | 2 +- 26 files changed, 26 insertions(+), 26 deletions(-) rename tests/{ => plugins}/security/api/account.yaml (92%) rename tests/{ => plugins}/security/api/action_groups.yaml (96%) rename tests/{ => plugins}/security/api/allowlist.yaml (92%) rename tests/{ => plugins}/security/api/audit.yaml (96%) rename tests/{ => plugins}/security/api/cache.yaml (89%) rename tests/{ => plugins}/security/api/certificates.yaml (93%) rename tests/{ => plugins}/security/api/internal_users.yaml (96%) rename tests/{ => plugins}/security/api/migrate.yaml (81%) rename tests/{ => 
plugins}/security/api/nodesdn.yaml (96%) rename tests/{ => plugins}/security/api/permissionsinfo.yaml (79%) rename tests/{ => plugins}/security/api/roles.yaml (96%) rename tests/{ => plugins}/security/api/rolesmapping.yaml (96%) rename tests/{ => plugins}/security/api/securityconfig.yaml (96%) rename tests/{ => plugins}/security/api/ssl_certs.yaml (90%) rename tests/{ => plugins}/security/api/tenancy_config.yaml (90%) rename tests/{ => plugins}/security/api/tenants.yaml (95%) rename tests/{ => plugins}/security/api/tokens.yaml (96%) rename tests/{ => plugins}/security/api/upgrade.yaml (89%) rename tests/{ => plugins}/security/api/user.yaml (93%) rename tests/{ => plugins}/security/api/validate.yaml (84%) rename tests/{ => plugins}/security/authinfo.yaml (88%) rename tests/{ => plugins}/security/dashboardsinfo.yaml (85%) rename tests/{ => plugins}/security/health.yaml (90%) rename tests/{ => plugins}/security/sslinfo.yaml (93%) rename tests/{ => plugins}/security/tenantinfo.yaml (90%) rename tests/{ => plugins}/security/whoami.yaml (93%) diff --git a/tests/security/api/account.yaml b/tests/plugins/security/api/account.yaml similarity index 92% rename from tests/security/api/account.yaml rename to tests/plugins/security/api/account.yaml index 22e82de4c..2fc10499f 100644 --- a/tests/security/api/account.yaml +++ b/tests/plugins/security/api/account.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test account endpoint. diff --git a/tests/security/api/action_groups.yaml b/tests/plugins/security/api/action_groups.yaml similarity index 96% rename from tests/security/api/action_groups.yaml rename to tests/plugins/security/api/action_groups.yaml index 5ce272966..363aacdf3 100644 --- a/tests/security/api/action_groups.yaml +++ b/tests/plugins/security/api/action_groups.yaml 
@@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test action_groups endpoints. diff --git a/tests/security/api/allowlist.yaml b/tests/plugins/security/api/allowlist.yaml similarity index 92% rename from tests/security/api/allowlist.yaml rename to tests/plugins/security/api/allowlist.yaml index 0a6531d06..5ba032900 100644 --- a/tests/security/api/allowlist.yaml +++ b/tests/plugins/security/api/allowlist.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test allowlist endpoints. diff --git a/tests/security/api/audit.yaml b/tests/plugins/security/api/audit.yaml similarity index 96% rename from tests/security/api/audit.yaml rename to tests/plugins/security/api/audit.yaml index 9a53fe76f..61c57be67 100644 --- a/tests/security/api/audit.yaml +++ b/tests/plugins/security/api/audit.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test audit endpoints. diff --git a/tests/security/api/cache.yaml b/tests/plugins/security/api/cache.yaml similarity index 89% rename from tests/security/api/cache.yaml rename to tests/plugins/security/api/cache.yaml index b875fb75b..d1f1d6d26 100644 --- a/tests/security/api/cache.yaml +++ b/tests/plugins/security/api/cache.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test cache endpoint. diff --git a/tests/security/api/certificates.yaml b/tests/plugins/security/api/certificates.yaml similarity index 93% rename from tests/security/api/certificates.yaml rename to tests/plugins/security/api/certificates.yaml index e68760d6c..ec2bd3603 100644 --- a/tests/security/api/certificates.yaml +++ b/tests/plugins/security/api/certificates.yaml 
@@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test certificates endpoints. version: '>= 2.15' diff --git a/tests/security/api/internal_users.yaml b/tests/plugins/security/api/internal_users.yaml similarity index 96% rename from tests/security/api/internal_users.yaml rename to tests/plugins/security/api/internal_users.yaml index 7a574d12d..4c3bd7066 100644 --- a/tests/security/api/internal_users.yaml +++ b/tests/plugins/security/api/internal_users.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test internal users endpoints. diff --git a/tests/security/api/migrate.yaml b/tests/plugins/security/api/migrate.yaml similarity index 81% rename from tests/security/api/migrate.yaml rename to tests/plugins/security/api/migrate.yaml index add24c5eb..3cf053554 100644 --- a/tests/security/api/migrate.yaml +++ b/tests/plugins/security/api/migrate.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test migrate endpoint. diff --git a/tests/security/api/nodesdn.yaml b/tests/plugins/security/api/nodesdn.yaml similarity index 96% rename from tests/security/api/nodesdn.yaml rename to tests/plugins/security/api/nodesdn.yaml index 79baafa88..7a82d0307 100644 --- a/tests/security/api/nodesdn.yaml +++ b/tests/plugins/security/api/nodesdn.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml # ADMIN-CERT only. These tests require explicit rest api admin privileges. 
diff --git a/tests/security/api/permissionsinfo.yaml b/tests/plugins/security/api/permissionsinfo.yaml similarity index 79% rename from tests/security/api/permissionsinfo.yaml rename to tests/plugins/security/api/permissionsinfo.yaml index c60a0dd62..59e1f9062 100644 --- a/tests/security/api/permissionsinfo.yaml +++ b/tests/plugins/security/api/permissionsinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test permissionsinfo endpoint. diff --git a/tests/security/api/roles.yaml b/tests/plugins/security/api/roles.yaml similarity index 96% rename from tests/security/api/roles.yaml rename to tests/plugins/security/api/roles.yaml index 52e8326ae..a79ef6312 100644 --- a/tests/security/api/roles.yaml +++ b/tests/plugins/security/api/roles.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test roles endpoints. diff --git a/tests/security/api/rolesmapping.yaml b/tests/plugins/security/api/rolesmapping.yaml similarity index 96% rename from tests/security/api/rolesmapping.yaml rename to tests/plugins/security/api/rolesmapping.yaml index ca08baeec..8fed57e18 100644 --- a/tests/security/api/rolesmapping.yaml +++ b/tests/plugins/security/api/rolesmapping.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test rolesmapping endpoint. diff --git a/tests/security/api/securityconfig.yaml b/tests/plugins/security/api/securityconfig.yaml similarity index 96% rename from tests/security/api/securityconfig.yaml rename to tests/plugins/security/api/securityconfig.yaml index ca0e38cc3..739862c07 100644 --- a/tests/security/api/securityconfig.yaml +++ b/tests/plugins/security/api/securityconfig.yaml 
@@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml # ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. diff --git a/tests/security/api/ssl_certs.yaml b/tests/plugins/security/api/ssl_certs.yaml similarity index 90% rename from tests/security/api/ssl_certs.yaml rename to tests/plugins/security/api/ssl_certs.yaml index bd0d9771e..e6ce37b33 100644 --- a/tests/security/api/ssl_certs.yaml +++ b/tests/plugins/security/api/ssl_certs.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test ssl endpoints. diff --git a/tests/security/api/tenancy_config.yaml b/tests/plugins/security/api/tenancy_config.yaml similarity index 90% rename from tests/security/api/tenancy_config.yaml rename to tests/plugins/security/api/tenancy_config.yaml index 3596d53da..f3d107e7f 100644 --- a/tests/security/api/tenancy_config.yaml +++ b/tests/plugins/security/api/tenancy_config.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test tenancy config endpoint. version: '>= 2.7' diff --git a/tests/security/api/tenants.yaml b/tests/plugins/security/api/tenants.yaml similarity index 95% rename from tests/security/api/tenants.yaml rename to tests/plugins/security/api/tenants.yaml index c6f3f690b..3e41617ee 100644 --- a/tests/security/api/tenants.yaml +++ b/tests/plugins/security/api/tenants.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test tenants endpoints. diff --git a/tests/security/api/tokens.yaml b/tests/plugins/security/api/tokens.yaml similarity index 96% rename from tests/security/api/tokens.yaml rename to tests/plugins/security/api/tokens.yaml index 96d400af6..6815ce1f9 100644 
--- a/tests/security/api/tokens.yaml +++ b/tests/plugins/security/api/tokens.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test authtoken endpoints. diff --git a/tests/security/api/upgrade.yaml b/tests/plugins/security/api/upgrade.yaml similarity index 89% rename from tests/security/api/upgrade.yaml rename to tests/plugins/security/api/upgrade.yaml index 04d33a86c..4cc316b48 100644 --- a/tests/security/api/upgrade.yaml +++ b/tests/plugins/security/api/upgrade.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test upgrade eligibility endpoints. version: '>= 2.14' diff --git a/tests/security/api/user.yaml b/tests/plugins/security/api/user.yaml similarity index 93% rename from tests/security/api/user.yaml rename to tests/plugins/security/api/user.yaml index 540a9355c..4c676f39a 100644 --- a/tests/security/api/user.yaml +++ b/tests/plugins/security/api/user.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test user endpoints. diff --git a/tests/security/api/validate.yaml b/tests/plugins/security/api/validate.yaml similarity index 84% rename from tests/security/api/validate.yaml rename to tests/plugins/security/api/validate.yaml index 11646a8ad..08d4b1ab2 100644 --- a/tests/security/api/validate.yaml +++ b/tests/plugins/security/api/validate.yaml @@ -1,4 +1,4 @@ -$schema: ../../../json_schemas/test_story.schema.yaml +$schema: ../../../../json_schemas/test_story.schema.yaml description: Test validate endpoint. # BAD_REQUEST. Can not migrate configuration because it was already migrated. 
diff --git a/tests/security/authinfo.yaml b/tests/plugins/security/authinfo.yaml similarity index 88% rename from tests/security/authinfo.yaml rename to tests/plugins/security/authinfo.yaml index 0e04dce5a..3895af8c0 100644 --- a/tests/security/authinfo.yaml +++ b/tests/plugins/security/authinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test authinfo endpoint. chapters: diff --git a/tests/security/dashboardsinfo.yaml b/tests/plugins/security/dashboardsinfo.yaml similarity index 85% rename from tests/security/dashboardsinfo.yaml rename to tests/plugins/security/dashboardsinfo.yaml index afcfa4bf6..16925b704 100644 --- a/tests/security/dashboardsinfo.yaml +++ b/tests/plugins/security/dashboardsinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test dashboardsinfo endpoint. chapters: diff --git a/tests/security/health.yaml b/tests/plugins/security/health.yaml similarity index 90% rename from tests/security/health.yaml rename to tests/plugins/security/health.yaml index b43b0beef..b4855fdee 100644 --- a/tests/security/health.yaml +++ b/tests/plugins/security/health.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test health endpoint. chapters: diff --git a/tests/security/sslinfo.yaml b/tests/plugins/security/sslinfo.yaml similarity index 93% rename from tests/security/sslinfo.yaml rename to tests/plugins/security/sslinfo.yaml index a99be72f6..c6f6b9a96 100644 --- a/tests/security/sslinfo.yaml +++ b/tests/plugins/security/sslinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test sslinfo endpoint. chapters: 
diff --git a/tests/security/tenantinfo.yaml b/tests/plugins/security/tenantinfo.yaml similarity index 90% rename from tests/security/tenantinfo.yaml rename to tests/plugins/security/tenantinfo.yaml index 5ef84a9a6..66fece71a 100644 --- a/tests/security/tenantinfo.yaml +++ b/tests/plugins/security/tenantinfo.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test tenantinfo endpoint. chapters: diff --git a/tests/security/whoami.yaml b/tests/plugins/security/whoami.yaml similarity index 93% rename from tests/security/whoami.yaml rename to tests/plugins/security/whoami.yaml index 742891249..9e3eab4fe 100644 --- a/tests/security/whoami.yaml +++ b/tests/plugins/security/whoami.yaml @@ -1,4 +1,4 @@ -$schema: ../../json_schemas/test_story.schema.yaml +$schema: ../../../json_schemas/test_story.schema.yaml description: Test whoami endpoints. chapters: From 833c82ed1fda56c060b4a5b542bb3133bff871a1 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 16:01:44 -0400 Subject: [PATCH 35/48] Updates test spec workflow to run security tests Signed-off-by: Darshit Chanpura --- .github/workflows/test-spec.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index b0014a322..be01907a6 100644 --- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml @@ -30,6 +30,14 @@ jobs: - version: 2.16.0 - version: 2.16.0 tests: plugins/index_state_management + - version: 1.3.17 + admin_password: admin + tests: plugins/security + - version: 2.0.0 + admin_password: admin + tests: plugins/security + - version: 2.16.0 + tests: plugins/security - version: 2.16.0 tests: snapshot - version: 2.17.0 From 451b17932fbc6eaf602d420bddb69a2248a776be Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 16:15:22 -0400 Subject: [PATCH 36/48] Adds security test specific docker compose file 
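Review bot: The new matrix entries for 1.3.17 and 2.0.0 in `.github/workflows/test-spec.yml` set `admin_password: admin` with no explanation, and the 2.16.0 entry sets none, so a reader has to guess where each cluster's credential comes from. A comment above the entries would settle it, e.g. `# admin_password: presumably the demo-config default of these older images; throwaway CI cluster only`. It is also worth confirming that the stories under `plugins/security` without a `version:` constraint are expected to pass on 1.3.17, since only some of the moved stories visibly declare one (`>= 2.7`, `>= 2.14`, `>= 2.15`). The matrix list starts and continues outside the hunk.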
Signed-off-by: Darshit Chanpura --- tests/plugins/security/docker-compose.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/plugins/security/docker-compose.yml diff --git a/tests/plugins/security/docker-compose.yml b/tests/plugins/security/docker-compose.yml new file mode 100644 index 000000000..a39a4cfef --- /dev/null +++ b/tests/plugins/security/docker-compose.yml @@ -0,0 +1,10 @@ +services: + opensearch-cluster: + image: ${OPENSEARCH_DOCKER_HUB_PROJECT:-opensearchproject}/opensearch:${OPENSEARCH_VERSION:-latest}${OPENSEARCH_DOCKER_REF} + ports: + - 9200:9200 + - 9600:9600 + environment: + - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_PASSWORD:-myStrongPassword123!} + - OPENSEARCH_JAVA_OPTS=${OPENSEARCH_JAVA_OPTS} + - discovery.type=single-node From cb0547e5a1c039a996c86945d4b71d0478b5442e Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 16:42:25 -0400 Subject: [PATCH 37/48] Cleans commented code and updates test-spec to run for 2.16 only Signed-off-by: Darshit Chanpura --- .github/workflows/test-spec.yml | 6 ---- spec/namespaces/security.yaml | 45 ------------------------------ spec/schemas/security._common.yaml | 31 -------------------- 3 files changed, 82 deletions(-) diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index be01907a6..c6e2706f8 100644 --- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml @@ -30,12 +30,6 @@ jobs: - version: 2.16.0 - version: 2.16.0 tests: plugins/index_state_management - - version: 1.3.17 - admin_password: admin - tests: plugins/security - - version: 2.0.0 - admin_password: admin - tests: plugins/security - version: 2.16.0 tests: plugins/security - version: 2.16.0 diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 53578ad0c..026b797c2 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml 
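Review bot: Both port mappings in the new `tests/plugins/security/docker-compose.yml` publish on every host interface, and the admin password falls back to a literal that is now public in the repository, so wherever `OPENSEARCH_PASSWORD` is unset the cluster is reachable from the network with a known credential. Binding to loopback closes that: `- '127.0.0.1:9200:9200'` and `- '127.0.0.1:9600:9600'`; the quotes also keep the mappings strings under every YAML parser. If CI always supplies the password (not visible from this hunk), the fallback could become the required-variable form `${OPENSEARCH_PASSWORD:?OPENSEARCH_PASSWORD must be set}`. The image tag defaulting to `latest` also means a local run may not match the versions pinned in the workflow matrix.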
@@ -1315,7 +1315,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/MethodNotImplemented' security.change_password@200: content: application/json: @@ -1325,7 +1324,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.config_upgrade_check@200: content: application/json: @@ -1340,7 +1338,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.create_action_group@200: content: application/json: @@ -1360,7 +1357,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.create_role@200: content: application/json: @@ -1395,7 +1391,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.create_update_tenancy_config@200: content: application/json: @@ -1405,7 +1400,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.create_user@200: content: application/json: @@ -1435,12 +1429,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.delete_distinguished_name@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.delete_role@200: content: application/json: @@ -1460,7 +1452,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.delete_user@200: content: application/json: 
@@ -1487,7 +1478,6 @@ components: type: string application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.generate_user_token@200: content: application/json: @@ -1497,7 +1487,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.generate_user_token_legacy@200: content: application/json: @@ -1507,7 +1496,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_account_details@200: content: application/json: @@ -1532,7 +1520,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_audit_configuration@200: content: application/json: @@ -1552,7 +1539,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_all_certificates@500: content: application/json: @@ -1567,17 +1553,14 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_certificates@400: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_certificates@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_node_certificates@500: content: application/json: @@ -1608,12 +1591,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_distinguished_name@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_distinguished_names@200: content: application/json: 
@@ -1624,12 +1605,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_distinguished_names@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.get_permissions_info@200: content: application/json: @@ -1684,7 +1663,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_tenants@200: content: application/json: @@ -1694,7 +1672,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.get_user@200: content: application/json: @@ -1729,7 +1706,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_action_group@200: content: application/json: @@ -1749,7 +1725,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_audit_configuration@200: content: application/json: @@ -1764,7 +1739,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_distinguished_name@200: content: application/json: @@ -1774,12 +1748,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_distinguished_name@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_distinguished_names@200: content: application/json: 
@@ -1789,12 +1761,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_distinguished_names@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.patch_role@200: content: application/json: @@ -1804,7 +1774,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_role_mapping@200: content: application/json: @@ -1814,7 +1783,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_role_mappings@200: content: application/json: @@ -1824,7 +1792,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_roles@200: content: application/json: @@ -1834,7 +1801,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_tenant@200: content: application/json: @@ -1844,7 +1810,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_tenants@200: content: application/json: @@ -1854,7 +1819,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.patch_user@200: content: application/json: @@ -1884,12 +1848,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.reload_http_certificates@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.reload_transport_certificates@200: content: application/json: 
@@ -1899,12 +1861,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.reload_transport_certificates@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.tenant_info@200: content: application/json: @@ -1916,7 +1876,6 @@ components: type: string application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.tenant_info@500: content: application/json: @@ -1936,7 +1895,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.update_distinguished_name@200: content: application/json: @@ -1946,12 +1904,10 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.update_distinguished_name@403: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden' security.validate@200: content: application/json: @@ -1961,7 +1917,6 @@ components: content: application/json: schema: null - # $ref: '../schemas/security._common.yaml#/components/schemas/BadRequest' security.who_am_i@200: content: application/json: diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml index 180d677f8..36c976cb0 100644 --- a/spec/schemas/security._common.yaml +++ b/spec/schemas/security._common.yaml @@ -178,17 +178,6 @@ components: type: string description: Size of backend roles in bytes. - # BadRequest: - # type: object - # properties: - # status: - # type: string - # enum: - # - 400 - # message: - # type: string - # description: Message returned as part of BAD_REQUEST response. - CertificateCountPerNode: type: object properties: 
@@ -420,15 +409,6 @@ components: on_behalf_of: type: object - # Forbidden: - # type: object - # properties: - # status: - # type: string - # message: - # type: string - # description: Message returned as part of Forbidden response. - GenerateOBOToken: type: object properties: @@ -481,17 +461,6 @@ components: type: string description: Error message during request execution. - # MethodNotImplemented: - # type: object - # properties: - # status: - # type: string - # enum: - # - 501 - # message: - # type: string - # description: Message returned as part of NOT_IMPLEMENTED response. - MultiTenancyConfig: type: object properties: From 54f4cfae69b031f4ec3a1e723893fe8eddf9e104 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 16:56:12 -0400 Subject: [PATCH 38/48] Refactor s boolean to be true boolean Signed-off-by: Darshit Chanpura --- tests/plugins/security/api/audit.yaml | 2 +- tests/plugins/security/api/securityconfig.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/plugins/security/api/audit.yaml b/tests/plugins/security/api/audit.yaml index 61c57be67..a449e9e7b 100644 --- a/tests/plugins/security/api/audit.yaml +++ b/tests/plugins/security/api/audit.yaml @@ -49,6 +49,6 @@ chapters: payload: - op: add path: /config/enabled - value: 'true' + value: true response: status: 200 diff --git a/tests/plugins/security/api/securityconfig.yaml b/tests/plugins/security/api/securityconfig.yaml index 739862c07..ea895f92f 100644 --- a/tests/plugins/security/api/securityconfig.yaml +++ b/tests/plugins/security/api/securityconfig.yaml @@ -53,6 +53,6 @@ chapters: payload: - op: replace path: /config/dynamic/authc/basic_internal_auth_domain/transport_enabled - value: 'true' + value: true response: status: 403 From 536cf041d1e9591452dcffd8ba3f0f657c6de7b2 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 17:01:58 -0400 Subject: [PATCH 39/48] Move security tests to default folder and updates spec file 
Signed-off-by: Darshit Chanpura --- .github/workflows/test-spec.yml | 2 -- tests/{plugins => default}/security/api/account.yaml | 0 .../security/api/action_groups.yaml | 0 tests/{plugins => default}/security/api/allowlist.yaml | 0 tests/{plugins => default}/security/api/audit.yaml | 0 tests/{plugins => default}/security/api/cache.yaml | 0 .../security/api/certificates.yaml | 0 .../security/api/internal_users.yaml | 0 tests/{plugins => default}/security/api/migrate.yaml | 0 tests/{plugins => default}/security/api/nodesdn.yaml | 0 .../security/api/permissionsinfo.yaml | 0 tests/{plugins => default}/security/api/roles.yaml | 0 .../security/api/rolesmapping.yaml | 0 .../security/api/securityconfig.yaml | 0 tests/{plugins => default}/security/api/ssl_certs.yaml | 0 .../security/api/tenancy_config.yaml | 0 tests/{plugins => default}/security/api/tenants.yaml | 0 tests/{plugins => default}/security/api/tokens.yaml | 0 tests/{plugins => default}/security/api/upgrade.yaml | 0 tests/{plugins => default}/security/api/user.yaml | 0 tests/{plugins => default}/security/api/validate.yaml | 0 tests/{plugins => default}/security/authinfo.yaml | 0 .../{plugins => default}/security/dashboardsinfo.yaml | 0 tests/{plugins => default}/security/health.yaml | 0 tests/{plugins => default}/security/sslinfo.yaml | 0 tests/{plugins => default}/security/tenantinfo.yaml | 0 tests/{plugins => default}/security/whoami.yaml | 0 tests/plugins/security/docker-compose.yml | 10 ---------- 28 files changed, 12 deletions(-) rename tests/{plugins => default}/security/api/account.yaml (100%) rename tests/{plugins => default}/security/api/action_groups.yaml (100%) rename tests/{plugins => default}/security/api/allowlist.yaml (100%) rename tests/{plugins => default}/security/api/audit.yaml (100%) rename tests/{plugins => default}/security/api/cache.yaml (100%) rename tests/{plugins => default}/security/api/certificates.yaml (100%) rename tests/{plugins => default}/security/api/internal_users.yaml (100%) 
rename tests/{plugins => default}/security/api/migrate.yaml (100%) rename tests/{plugins => default}/security/api/nodesdn.yaml (100%) rename tests/{plugins => default}/security/api/permissionsinfo.yaml (100%) rename tests/{plugins => default}/security/api/roles.yaml (100%) rename tests/{plugins => default}/security/api/rolesmapping.yaml (100%) rename tests/{plugins => default}/security/api/securityconfig.yaml (100%) rename tests/{plugins => default}/security/api/ssl_certs.yaml (100%) rename tests/{plugins => default}/security/api/tenancy_config.yaml (100%) rename tests/{plugins => default}/security/api/tenants.yaml (100%) rename tests/{plugins => default}/security/api/tokens.yaml (100%) rename tests/{plugins => default}/security/api/upgrade.yaml (100%) rename tests/{plugins => default}/security/api/user.yaml (100%) rename tests/{plugins => default}/security/api/validate.yaml (100%) rename tests/{plugins => default}/security/authinfo.yaml (100%) rename tests/{plugins => default}/security/dashboardsinfo.yaml (100%) rename tests/{plugins => default}/security/health.yaml (100%) rename tests/{plugins => default}/security/sslinfo.yaml (100%) rename tests/{plugins => default}/security/tenantinfo.yaml (100%) rename tests/{plugins => default}/security/whoami.yaml (100%) delete mode 100644 tests/plugins/security/docker-compose.yml diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index c6e2706f8..b0014a322 100644 --- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml @@ -30,8 +30,6 @@ jobs: - version: 2.16.0 - version: 2.16.0 tests: plugins/index_state_management - - version: 2.16.0 - tests: plugins/security - version: 2.16.0 tests: snapshot - version: 2.17.0 diff --git a/tests/plugins/security/api/account.yaml b/tests/default/security/api/account.yaml similarity index 100% rename from tests/plugins/security/api/account.yaml rename to tests/default/security/api/account.yaml 
diff --git a/tests/plugins/security/api/action_groups.yaml b/tests/default/security/api/action_groups.yaml similarity index 100% rename from tests/plugins/security/api/action_groups.yaml rename to tests/default/security/api/action_groups.yaml diff --git a/tests/plugins/security/api/allowlist.yaml b/tests/default/security/api/allowlist.yaml similarity index 100% rename from tests/plugins/security/api/allowlist.yaml rename to tests/default/security/api/allowlist.yaml diff --git a/tests/plugins/security/api/audit.yaml b/tests/default/security/api/audit.yaml similarity index 100% rename from tests/plugins/security/api/audit.yaml rename to tests/default/security/api/audit.yaml diff --git a/tests/plugins/security/api/cache.yaml b/tests/default/security/api/cache.yaml similarity index 100% rename from tests/plugins/security/api/cache.yaml rename to tests/default/security/api/cache.yaml diff --git a/tests/plugins/security/api/certificates.yaml b/tests/default/security/api/certificates.yaml similarity index 100% rename from tests/plugins/security/api/certificates.yaml rename to tests/default/security/api/certificates.yaml diff --git a/tests/plugins/security/api/internal_users.yaml b/tests/default/security/api/internal_users.yaml similarity index 100% rename from tests/plugins/security/api/internal_users.yaml rename to tests/default/security/api/internal_users.yaml diff --git a/tests/plugins/security/api/migrate.yaml b/tests/default/security/api/migrate.yaml similarity index 100% rename from tests/plugins/security/api/migrate.yaml rename to tests/default/security/api/migrate.yaml diff --git a/tests/plugins/security/api/nodesdn.yaml b/tests/default/security/api/nodesdn.yaml similarity index 100% rename from tests/plugins/security/api/nodesdn.yaml rename to tests/default/security/api/nodesdn.yaml 
diff --git a/tests/plugins/security/api/permissionsinfo.yaml b/tests/default/security/api/permissionsinfo.yaml similarity index 100% rename from tests/plugins/security/api/permissionsinfo.yaml rename to tests/default/security/api/permissionsinfo.yaml diff --git a/tests/plugins/security/api/roles.yaml b/tests/default/security/api/roles.yaml similarity index 100% rename from tests/plugins/security/api/roles.yaml rename to tests/default/security/api/roles.yaml diff --git a/tests/plugins/security/api/rolesmapping.yaml b/tests/default/security/api/rolesmapping.yaml similarity index 100% rename from tests/plugins/security/api/rolesmapping.yaml rename to tests/default/security/api/rolesmapping.yaml diff --git a/tests/plugins/security/api/securityconfig.yaml b/tests/default/security/api/securityconfig.yaml similarity index 100% rename from tests/plugins/security/api/securityconfig.yaml rename to tests/default/security/api/securityconfig.yaml diff --git a/tests/plugins/security/api/ssl_certs.yaml b/tests/default/security/api/ssl_certs.yaml similarity index 100% rename from tests/plugins/security/api/ssl_certs.yaml rename to tests/default/security/api/ssl_certs.yaml diff --git a/tests/plugins/security/api/tenancy_config.yaml b/tests/default/security/api/tenancy_config.yaml similarity index 100% rename from tests/plugins/security/api/tenancy_config.yaml rename to tests/default/security/api/tenancy_config.yaml diff --git a/tests/plugins/security/api/tenants.yaml b/tests/default/security/api/tenants.yaml similarity index 100% rename from tests/plugins/security/api/tenants.yaml rename to tests/default/security/api/tenants.yaml diff --git a/tests/plugins/security/api/tokens.yaml b/tests/default/security/api/tokens.yaml similarity index 100% rename from tests/plugins/security/api/tokens.yaml rename to tests/default/security/api/tokens.yaml 
diff --git a/tests/plugins/security/api/upgrade.yaml b/tests/default/security/api/upgrade.yaml similarity index 100% rename from tests/plugins/security/api/upgrade.yaml rename to tests/default/security/api/upgrade.yaml diff --git a/tests/plugins/security/api/user.yaml b/tests/default/security/api/user.yaml similarity index 100% rename from tests/plugins/security/api/user.yaml rename to tests/default/security/api/user.yaml diff --git a/tests/plugins/security/api/validate.yaml b/tests/default/security/api/validate.yaml similarity index 100% rename from tests/plugins/security/api/validate.yaml rename to tests/default/security/api/validate.yaml diff --git a/tests/plugins/security/authinfo.yaml b/tests/default/security/authinfo.yaml similarity index 100% rename from tests/plugins/security/authinfo.yaml rename to tests/default/security/authinfo.yaml diff --git a/tests/plugins/security/dashboardsinfo.yaml b/tests/default/security/dashboardsinfo.yaml similarity index 100% rename from tests/plugins/security/dashboardsinfo.yaml rename to tests/default/security/dashboardsinfo.yaml diff --git a/tests/plugins/security/health.yaml b/tests/default/security/health.yaml similarity index 100% rename from tests/plugins/security/health.yaml rename to tests/default/security/health.yaml diff --git a/tests/plugins/security/sslinfo.yaml b/tests/default/security/sslinfo.yaml similarity index 100% rename from tests/plugins/security/sslinfo.yaml rename to tests/default/security/sslinfo.yaml diff --git a/tests/plugins/security/tenantinfo.yaml b/tests/default/security/tenantinfo.yaml similarity index 100% rename from tests/plugins/security/tenantinfo.yaml rename to tests/default/security/tenantinfo.yaml diff --git a/tests/plugins/security/whoami.yaml b/tests/default/security/whoami.yaml similarity index 100% rename from tests/plugins/security/whoami.yaml rename to tests/default/security/whoami.yaml 
diff --git a/tests/plugins/security/docker-compose.yml b/tests/plugins/security/docker-compose.yml deleted file mode 100644 index a39a4cfef..000000000 --- a/tests/plugins/security/docker-compose.yml +++ /dev/null @@ -1,10 +0,0 @@ -services: - opensearch-cluster: - image: ${OPENSEARCH_DOCKER_HUB_PROJECT:-opensearchproject}/opensearch:${OPENSEARCH_VERSION:-latest}${OPENSEARCH_DOCKER_REF} - ports: - - 9200:9200 - - 9600:9600 - environment: - - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_PASSWORD:-myStrongPassword123!} - - OPENSEARCH_JAVA_OPTS=${OPENSEARCH_JAVA_OPTS} - - discovery.type=single-node From 87640ecc8c2195f97e82e7a5424a2b7c9630de08 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 18:23:03 -0400 Subject: [PATCH 40/48] Fixes 1.3 tests Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 26 ++++++------ tests/default/security/api/allowlist.yaml | 1 + .../default/security/api/securityconfig.yaml | 1 + tests/default/security/api/ssl_certs.yaml | 2 +- tests/default/security/api/tokens.yaml | 36 ---------------- .../default/security/api/user_authtoken.yaml | 41 +++++++++++++++++++ tests/default/security/authinfo.yaml | 21 ++++++++-- tests/default/security/whoami.yaml | 1 + 8 files changed, 75 insertions(+), 54 deletions(-) create mode 100644 tests/default/security/api/user_authtoken.yaml diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 026b797c2..a4c74485c 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -119,7 +119,7 @@ paths: get: operationId: security.who_am_i.0 x-operation-group: security.who_am_i - x-version-added: '1.0' + x-version-added: '2.0' description: Gets the user identity related information for currently logged in user. responses: '200': 
@@ -129,7 +129,7 @@ paths: post: operationId: security.who_am_i.1 x-operation-group: security.who_am_i - x-version-added: '1.0' + x-version-added: '2.0' description: Gets the user identity related information for currently logged in user. responses: '200': @@ -280,7 +280,7 @@ paths: get: operationId: security.get_allowlist.0 x-operation-group: security.get_allowlist - x-version-added: '1.0' + x-version-added: '2.1' description: Retrieves the current list of allowed API accessible to normal user. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#access-control-for-the-api @@ -292,7 +292,7 @@ paths: put: operationId: security.create_allowlist.0 x-operation-group: security.create_allowlist - x-version-added: '1.0' + x-version-added: '2.1' description: Creates or replaces the allowlisted APIs. Accessible via Super Admin certificate or REST API permission. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#access-control-for-the-api @@ -306,7 +306,7 @@ paths: patch: operationId: security.patch_allowlist.0 x-operation-group: security.patch_allowlist - x-version-added: '1.0' + x-version-added: '2.1' description: Updates the current list of allowed API accessible to normal user. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#access-control-for-the-api @@ -528,7 +528,7 @@ paths: post: operationId: security.generate_user_token.0 x-operation-group: security.generate_user_token - x-version-added: '1.0' + x-version-added: '2.7' description: Generates authorization token for the given user. parameters: - $ref: '#/components/parameters/security.generate_user_token::path.username' 
@@ -828,7 +828,7 @@ paths: get: operationId: security.get_configuration.0 x-operation-group: security.get_configuration - x-version-added: '1.0' + x-version-added: '2.10' description: Returns the current Security plugin configuration in JSON format. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#get-configuration @@ -838,7 +838,7 @@ paths: patch: operationId: security.patch_configuration.0 x-operation-group: security.patch_configuration - x-version-added: '1.0' + x-version-added: '2.10' description: A PATCH call is used to update the existing configuration using the REST API. Only accessible by admins and users with rest api access and only when put or patch is enabled. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#patch-configuration @@ -853,7 +853,7 @@ paths: put: operationId: security.update_configuration.0 x-operation-group: security.update_configuration - x-version-added: '1.0' + x-version-added: '2.10' description: Adds or updates the existing configuration using the REST API. Only accessible by admins and users with rest api access and only when put or patch is enabled. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#update-configuration @@ -868,7 +868,7 @@ paths: get: operationId: security.get_certificates.0 x-operation-group: security.get_certificates - x-version-added: '1.0' + x-version-added: '2.0' description: Retrieves the cluster security certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#get-certificates @@ -883,7 +883,7 @@ paths: put: operationId: security.reload_http_certificates.0 x-operation-group: security.reload_http_certificates - x-version-added: '1.0' + x-version-added: '2.11' description: Reload HTTP layer communication certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#reload-http-certificates 
@@ -898,7 +898,7 @@ paths: put: operationId: security.reload_transport_certificates.0 x-operation-group: security.reload_transport_certificates - x-version-added: '1.0' + x-version-added: '2.11' description: Reload Transport layer communication certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates @@ -1072,7 +1072,7 @@ paths: post: operationId: security.generate_user_token_legacy.0 x-operation-group: security.generate_user_token_legacy - x-version-added: '1.0' + x-version-added: '2.7' description: Generates authorization token for the given user. Legacy API. parameters: - $ref: '#/components/parameters/security.generate_user_token_legacy::path.username' diff --git a/tests/default/security/api/allowlist.yaml b/tests/default/security/api/allowlist.yaml index 5ba032900..474d7e5f6 100644 --- a/tests/default/security/api/allowlist.yaml +++ b/tests/default/security/api/allowlist.yaml @@ -1,6 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test allowlist endpoints. +version: '>2.0' # ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: diff --git a/tests/default/security/api/securityconfig.yaml b/tests/default/security/api/securityconfig.yaml index ea895f92f..75aeeddad 100644 --- a/tests/default/security/api/securityconfig.yaml +++ b/tests/default/security/api/securityconfig.yaml @@ -3,6 +3,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml # ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. description: Test securityconfig endpoints. +version: '>=2.10' chapters: - synopsis: Update a security config. diff --git a/tests/default/security/api/ssl_certs.yaml b/tests/default/security/api/ssl_certs.yaml index e6ce37b33..e32f25203 100644 --- a/tests/default/security/api/ssl_certs.yaml +++ b/tests/default/security/api/ssl_certs.yaml 
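Review bot: The story-level `version: '>2.0'` added to tests/default/security/api/allowlist.yaml does not match the `x-version-added: '2.1'` that this same commit gives the allowlist operations in spec/namespaces/security.yaml. Assuming the runner compares full semantic versions, a 2.0.x patch release satisfies `>2.0` but predates the API. `version: '>=2.1'` states the same bound as the spec and matches the `>=` form used for securityconfig.yaml (`'>=2.10'`) in this commit. The rest of the story lies outside the hunk.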
@@ -1,7 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test ssl endpoints. - +version: '>=2.0' # ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: - synopsis: Get ssl certificates. diff --git a/tests/default/security/api/tokens.yaml b/tests/default/security/api/tokens.yaml index 6815ce1f9..1d58b85f7 100644 --- a/tests/default/security/api/tokens.yaml +++ b/tests/default/security/api/tokens.yaml @@ -2,19 +2,6 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test authtoken endpoints. -prologues: - - path: /_plugins/_security/api/internalusers/{username} - method: PUT - parameters: - username: test - request: - payload: - opendistro_security_roles: [] - backend_roles: [] - attributes: - service: true - enabled: true - status: [201] chapters: - synopsis: Create an auth token. path: /_plugins/_security/api/authtoken @@ -34,26 +21,3 @@ chapters: response: content_type: text/plain status: 400 - # Auth-tokens can only be vended for service accounts. - - synopsis: Create internal user token. - path: /_plugins/_security/api/internalusers/{username}/authtoken - version: '>2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 - method: POST - parameters: - username: test - response: - status: 200 - - synopsis: Create user token. - path: /_plugins/_security/api/user/{username}/authtoken - version: '>2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 - method: POST - parameters: - username: test - response: - status: 200 -epilogues: - - path: /_plugins/_security/api/internalusers/{username} - method: DELETE - parameters: - username: test - status: [200] diff --git a/tests/default/security/api/user_authtoken.yaml b/tests/default/security/api/user_authtoken.yaml new file mode 100644 index 000000000..17a46e3ab --- /dev/null +++ b/tests/default/security/api/user_authtoken.yaml 
@@ -0,0 +1,41 @@ + +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoints for user. +version: '>2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 + +prologues: + - path: /_plugins/_security/api/internalusers/{username} + method: PUT + parameters: + username: test + request: + payload: + opendistro_security_roles: [] + backend_roles: [] + attributes: + service: true + enabled: true + status: [201] +chapters: + # Auth-tokens can only be vended for service accounts. + - synopsis: Create internal user token. + path: /_plugins/_security/api/internalusers/{username}/authtoken + method: POST + parameters: + username: test + response: + status: 200 + - synopsis: Create user token. + path: /_plugins/_security/api/user/{username}/authtoken + method: POST + parameters: + username: test + response: + status: 200 +epilogues: + - path: /_plugins/_security/api/internalusers/{username} + method: DELETE + parameters: + username: test + status: [200] diff --git a/tests/default/security/authinfo.yaml b/tests/default/security/authinfo.yaml index 3895af8c0..e2138e28b 100644 --- a/tests/default/security/authinfo.yaml +++ b/tests/default/security/authinfo.yaml @@ -5,16 +5,29 @@ chapters: - synopsis: Get auth info. path: /_plugins/_security/authinfo method: GET - parameters: - auth_type: basic - verbose: false + version: <2.13 response: status: 200 - synopsis: Get auth info via POST. path: /_plugins/_security/authinfo method: POST + version: <2.13 + response: + status: 200 + - synopsis: Get auth info. + path: /_plugins/_security/authinfo + method: GET + version: =2.13 parameters: - auth_type: basic verbose: false response: status: 200 + - synopsis: Get auth info. + path: /_plugins/_security/authinfo + method: GET + version: '>2.13' + parameters: + verbose: false + auth_type: basic + response: + status: 200 
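Review bot: The comment under `chapters:` says auth tokens can only be vended for service accounts, but both chapters in this new story call the endpoints only for `test`, which the prologue creates with `attributes.service: true`, so the restriction itself is never asserted. A regression that let an ordinary internal user obtain a token would still pass this story. Until a rejection chapter for a non-service user exists, I would make the gap explicit with `# Covers the service-account success path only; rejection for a non-service user is not asserted in this story.` above the first chapter.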
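Review bot: Three GET chapters in the `authinfo.yaml` hunk share the synopsis `Get auth info.` and differ only in their `version` gate and parameters, so a failure report cannot say which variant broke. Something like `synopsis: Get auth info (verbose only).` for the `=2.13` chapter and `synopsis: Get auth info (verbose and auth_type).` for the `>2.13` one would separate them. The gates are also quoted inconsistently: `version: <2.13` and `version: =2.13` are plain scalars while `version: '>2.13'` is quoted, and quoting all three keeps them strings under any YAML loader. The POST chapter is gated to `<2.13` only, so POST is not exercised on newer versions as far as this hunk shows; worth confirming that is intended.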
diff --git a/tests/default/security/whoami.yaml b/tests/default/security/whoami.yaml index 9e3eab4fe..ba742b3f5 100644 --- a/tests/default/security/whoami.yaml +++ b/tests/default/security/whoami.yaml @@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test whoami endpoints. +version: '>=2.0' chapters: - synopsis: Get current user info. path: /_plugins/_security/whoami From c4205c52bbfc63ab76a08a41ac413c53477c9d76 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 18:38:58 -0400 Subject: [PATCH 41/48] Fixes 2.0 test failures Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 4 ++-- tests/default/security/api/ssl_certs.yaml | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index a4c74485c..1a8e3c604 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml @@ -883,7 +883,7 @@ paths: put: operationId: security.reload_http_certificates.0 x-operation-group: security.reload_http_certificates - x-version-added: '2.11' + x-version-added: '2.8' description: Reload HTTP layer communication certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#reload-http-certificates @@ -898,7 +898,7 @@ paths: put: operationId: security.reload_transport_certificates.0 x-operation-group: security.reload_transport_certificates - x-version-added: '2.11' + x-version-added: '2.8' description: Reload Transport layer communication certificates. externalDocs: url: https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates diff --git a/tests/default/security/api/ssl_certs.yaml b/tests/default/security/api/ssl_certs.yaml index e32f25203..738537da1 100644 --- a/tests/default/security/api/ssl_certs.yaml +++ b/tests/default/security/api/ssl_certs.yaml 
@@ -1,21 +1,23 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test ssl endpoints. -version: '>=2.0' # ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: - synopsis: Get ssl certificates. path: /_plugins/_security/api/ssl/certs + version: '>=2.0' method: GET response: status: 403 - synopsis: Reload http certs. path: /_plugins/_security/api/ssl/http/reloadcerts + version: '>2.7' method: PUT response: status: 403 - synopsis: Reload transport certs. path: /_plugins/_security/api/ssl/transport/reloadcerts + version: '>2.7' method: PUT response: status: 403 From 4227e00b94c510f80392272e6d4a54560e22ca4e Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 9 Aug 2024 19:02:21 -0400 Subject: [PATCH 42/48] Fixes TLS cipher versiion payload issue Signed-off-by: Darshit Chanpura --- tests/default/security/sslinfo.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/default/security/sslinfo.yaml b/tests/default/security/sslinfo.yaml index c6f6b9a96..c5dd4e1ce 100644 --- a/tests/default/security/sslinfo.yaml +++ b/tests/default/security/sslinfo.yaml @@ -13,7 +13,6 @@ chapters: principal: null peer_certificates: '0' ssl_protocol: TLSv1.3 - ssl_cipher: TLS_AES_256_GCM_SHA384 ssl_openssl_available: false ssl_openssl_version: -1 ssl_openssl_version_string: null From 2f30633c888f23f1bd9711dd04a55093ed9c70b4 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 12 Aug 2024 11:46:09 -0400 Subject: [PATCH 43/48] Re-verifies auth token fix Signed-off-by: Darshit Chanpura --- spec/namespaces/security.yaml | 15 ++++----------- tests/default/security/api/user_authtoken.yaml | 2 +- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml index 1a8e3c604..72da8905e 100644 --- a/spec/namespaces/security.yaml +++ b/spec/namespaces/security.yaml 
@@ -1073,14 +1073,12 @@ paths: operationId: security.generate_user_token_legacy.0 x-operation-group: security.generate_user_token_legacy x-version-added: '2.7' - description: Generates authorization token for the given user. Legacy API. + description: Generates authorization token for the given user. Legacy API. Not Implemented. parameters: - $ref: '#/components/parameters/security.generate_user_token_legacy::path.username' responses: - '200': - $ref: '#/components/responses/security.generate_user_token_legacy@200' - '400': - $ref: '#/components/responses/security.generate_user_token_legacy@400' + '501': + $ref: '#/components/responses/security.generate_user_token_legacy@501' /_plugins/_security/api/validate: get: operationId: security.validate.0 @@ -1487,12 +1485,7 @@ components: content: application/json: schema: null - security.generate_user_token_legacy@200: - content: - application/json: - schema: - $ref: '../schemas/security._common.yaml#/components/schemas/Ok' - security.generate_user_token_legacy@400: + security.generate_user_token_legacy@501: content: application/json: schema: null diff --git a/tests/default/security/api/user_authtoken.yaml b/tests/default/security/api/user_authtoken.yaml index 17a46e3ab..da1ee7ce5 100644 --- a/tests/default/security/api/user_authtoken.yaml +++ b/tests/default/security/api/user_authtoken.yaml @@ -32,7 +32,7 @@ chapters: parameters: username: test response: - status: 200 + status: 501 epilogues: - path: /_plugins/_security/api/internalusers/{username} method: DELETE From cc106001f5c18ae20083624b93f675ddd04e9ee2 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 12 Aug 2024 11:51:04 -0400 Subject: [PATCH 44/48] Checks for newer images and pulls them before running tests Signed-off-by: Darshit Chanpura --- .github/workflows/test-spec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index d9ed81aea..b0127ff0d 100644 
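Review bot: After this hunk `security.generate_user_token_legacy` documents `501` as its only response, yet the operation is still published as a current endpoint, with only the words "Not Implemented" appended to `description`. Clients generated from the spec will keep exposing it as a usable token call. I would add `deprecated: true` to the operation, provided the spec linter accepts it, and make the description say what callers should do, e.g. `description: Legacy API. Always returns 501 Not Implemented; use /_plugins/_security/api/internalusers/{username}/authtoken.`. That replacement path is my reading of the test stories on this page, so confirm it before merging.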
--- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml @@ -63,7 +63,7 @@ jobs: - name: Run OpenSearch Cluster working-directory: tests/${{ matrix.entry.tests || 'default' }} - run: docker compose up -d + run: docker-compose pull && docker compose up -d - name: Get Container ID id: container From 355cace16005e166936436c58a2b3c21ee8b54e5 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 12 Aug 2024 11:54:03 -0400 Subject: [PATCH 45/48] Updates the docker compose command Signed-off-by: Darshit Chanpura --- .github/workflows/test-spec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index b0127ff0d..78ac89c0b 100644 --- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml @@ -63,7 +63,7 @@ jobs: - name: Run OpenSearch Cluster working-directory: tests/${{ matrix.entry.tests || 'default' }} - run: docker-compose pull && docker compose up -d + run: docker compose pull && docker compose up -d - name: Get Container ID id: container From 172328a6161d77024cd81397b651cf08bb4b368f Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 12 Aug 2024 12:06:42 -0400 Subject: [PATCH 46/48] Removes sha ref for staging branches Signed-off-by: Darshit Chanpura --- .github/workflows/test-spec.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index 78ac89c0b..ac83276b4 100644 --- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml 
@@ -34,10 +34,8 @@ jobs: tests: snapshot - version: 2.17.0 hub: opensearchstaging - ref: '@sha256:6398c27d7560626ed6b0ba28b3d6b20b7f00c6d94abf45ad3a820f8eeb3d61a3' - version: 3.0.0 hub: opensearchstaging - ref: '@sha256:101681eea630393f8caf5987dd023a975a9656b63090a07bfdfe6ad2f73f0640' name: test-opensearch-spec (version=${{ matrix.entry.version }}, hub=${{ matrix.entry.hub || 'opensearchproject' }}, tests=${{ matrix.entry.tests || 'default' }}) runs-on: ubuntu-latest From 7e6bf0cc03b87ea698a7dfe3df1eb73e4dd0e33a Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 12 Aug 2024 12:21:07 -0400 Subject: [PATCH 47/48] Updates shas Signed-off-by: Darshit Chanpura --- .github/workflows/test-spec.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-spec.yml b/.github/workflows/test-spec.yml index ac83276b4..13a218e29 100644 --- a/.github/workflows/test-spec.yml +++ b/.github/workflows/test-spec.yml @@ -34,8 +34,10 @@ jobs: tests: snapshot - version: 2.17.0 hub: opensearchstaging + ref: '@sha256:ed4274522a50228f41b50f1a7ea86e6b52fa6737072fc151b2624d22aff80d56' - version: 3.0.0 hub: opensearchstaging + ref: '@sha256:cab6f71b284485c44306f8f4849ad520283c2a32ece617109b38183ba29cc401' name: test-opensearch-spec (version=${{ matrix.entry.version }}, hub=${{ matrix.entry.hub || 'opensearchproject' }}, tests=${{ matrix.entry.tests || 'default' }}) runs-on: ubuntu-latest @@ -61,7 +63,7 @@ jobs: - name: Run OpenSearch Cluster working-directory: tests/${{ matrix.entry.tests || 'default' }} - run: docker compose pull && docker compose up -d + run: docker compose up -d - name: Get Container ID id: container From 705e6cf480d4fe48e84117b8be27cc2f1b03b37a Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Mon, 12 Aug 2024 13:58:11 -0400 Subject: [PATCH 48/48] Renames everything to match the API path 
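Review bot: The `ref` digests added back for the 2.17.0 and 3.0.0 `opensearchstaging` entries pin the images, but nothing next to them records which staging build each digest is or when it was taken. The previous commit dropped the old digests and this one adds different ones, so they evidently go stale and are refreshed by hand. A comment above each `ref`, such as `# opensearchstaging 2.17.0, digest taken <DATE> from build <BUILD-ID>`, would let a reviewer check a future digest change against a known build instead of accepting an opaque hash. The matrix starts above this hunk, so whether the remaining entries are pinned is not visible here.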
Signed-off-by: Darshit Chanpura --- .../default/security/api/_upgrade_check.yaml | 11 +++++ .../{upgrade.yaml => _upgrade_perform.yaml} | 10 ++--- .../{action_groups.yaml => actiongroups.yaml} | 2 +- tests/default/security/api/allowlist.yaml | 2 +- tests/default/security/api/audit.yaml | 34 --------------- tests/default/security/api/audit/config.yaml | 39 +++++++++++++++++ tests/default/security/api/authtoken.yaml | 10 +++++ tests/default/security/api/certificates.yaml | 2 +- ...kens.yaml => generateonbehalfoftoken.yaml} | 9 +--- ...internal_users.yaml => internalusers.yaml} | 2 +- .../authtoken.yml} | 16 +++---- tests/default/security/api/nodesdn.yaml | 3 +- .../default/security/api/securityconfig.yaml | 41 +----------------- .../security/api/securityconfig/config.yaml | 43 +++++++++++++++++++ tests/default/security/api/ssl/certs.yml | 12 ++++++ .../security/api/ssl/http/reloadcerts.yaml | 12 ++++++ .../api/ssl/transport/reloadcerts.yaml | 12 ++++++ tests/default/security/api/ssl_certs.yaml | 23 ---------- .../config.yaml} | 6 +-- .../default/security/api/user/authtoken.yaml | 35 +++++++++++++++ tests/default/security/api/validate.yaml | 1 + tests/default/security/authinfo.yaml | 9 ++-- tests/default/security/dashboardsinfo.yaml | 1 + tests/default/security/health.yaml | 1 + tests/default/security/sslinfo.yaml | 1 + tests/default/security/tenantinfo.yaml | 1 + tests/default/security/whoami.yaml | 13 +----- tests/default/security/whoamiprotected.yaml | 15 +++++++ 28 files changed, 221 insertions(+), 145 deletions(-) create mode 100644 tests/default/security/api/_upgrade_check.yaml rename tests/default/security/api/{upgrade.yaml => _upgrade_perform.yaml} (58%) rename tests/default/security/api/{action_groups.yaml => actiongroups.yaml} (97%) create mode 100644 tests/default/security/api/audit/config.yaml create mode 100644 tests/default/security/api/authtoken.yaml rename tests/default/security/api/{tokens.yaml => generateonbehalfoftoken.yaml} (72%) rename 
tests/default/security/api/{internal_users.yaml => internalusers.yaml} (97%) rename tests/default/security/api/{user_authtoken.yaml => internalusers.yml/authtoken.yml} (65%) create mode 100644 tests/default/security/api/securityconfig/config.yaml create mode 100644 tests/default/security/api/ssl/certs.yml create mode 100644 tests/default/security/api/ssl/http/reloadcerts.yaml create mode 100644 tests/default/security/api/ssl/transport/reloadcerts.yaml delete mode 100644 tests/default/security/api/ssl_certs.yaml rename tests/default/security/api/{tenancy_config.yaml => tenancy/config.yaml} (78%) create mode 100644 tests/default/security/api/user/authtoken.yaml create mode 100644 tests/default/security/whoamiprotected.yaml diff --git a/tests/default/security/api/_upgrade_check.yaml b/tests/default/security/api/_upgrade_check.yaml new file mode 100644 index 000000000..60d553753 --- /dev/null +++ b/tests/default/security/api/_upgrade_check.yaml @@ -0,0 +1,11 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test _upgrade_check endpoint. +version: '> 2.13' + +chapters: + - synopsis: Check whether an upgrade can be performed. + path: /_plugins/_security/api/_upgrade_check + method: GET + response: + status: 200 diff --git a/tests/default/security/api/upgrade.yaml b/tests/default/security/api/_upgrade_perform.yaml similarity index 58% rename from tests/default/security/api/upgrade.yaml rename to tests/default/security/api/_upgrade_perform.yaml index 4cc316b48..643f7896f 100644 --- a/tests/default/security/api/upgrade.yaml +++ b/tests/default/security/api/_upgrade_perform.yaml 
@@ -1,13 +1,9 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test upgrade eligibility endpoints. -version: '>= 2.14' +description: Test _upgrade_perform endpoint. +version: '> 2.13' + chapters: - - synopsis: Check whether an upgrade can be performed. - path: /_plugins/_security/api/_upgrade_check - method: GET - response: - status: 200 - synopsis: Perform the upgrade. path: /_plugins/_security/api/_upgrade_perform method: POST diff --git a/tests/default/security/api/action_groups.yaml b/tests/default/security/api/actiongroups.yaml similarity index 97% rename from tests/default/security/api/action_groups.yaml rename to tests/default/security/api/actiongroups.yaml index 363aacdf3..0321d9022 100644 --- a/tests/default/security/api/action_groups.yaml +++ b/tests/default/security/api/actiongroups.yaml @@ -1,6 +1,6 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test action_groups endpoints. +description: Test actiongroups endpoints. chapters: - synopsis: Create action group. diff --git a/tests/default/security/api/allowlist.yaml b/tests/default/security/api/allowlist.yaml index 474d7e5f6..6808131d8 100644 --- a/tests/default/security/api/allowlist.yaml +++ b/tests/default/security/api/allowlist.yaml @@ -1,7 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test allowlist endpoints. -version: '>2.0' +version: '> 2.0' # ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: diff --git a/tests/default/security/api/audit.yaml b/tests/default/security/api/audit.yaml index a449e9e7b..7c004b24b 100644 --- a/tests/default/security/api/audit.yaml +++ b/tests/default/security/api/audit.yaml 
@@ -3,40 +3,6 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test audit endpoints. chapters: - - synopsis: Create an audit config. - path: /_plugins/_security/api/audit/config - method: PUT - request: - payload: - enabled: true - audit: - ignore_users: [] - ignore_requests: [] - disabled_rest_categories: - - AUTHENTICATED - - GRANTED_PRIVILEGES - disabled_transport_categories: - - AUTHENTICATED - - GRANTED_PRIVILEGES - log_request_body: false - resolve_indices: false - resolve_bulk_requests: false - exclude_sensitive_headers: true - enable_transport: false - enable_rest: true - compliance: - enabled: true - write_log_diffs: false - read_watched_fields: {} - read_ignore_users: [] - write_watched_indices: [] - write_ignore_users: [] - read_metadata_only: true - write_metadata_only: true - external_config: false - internal_config: true - response: - status: 200 - synopsis: Get an audit config. path: /_plugins/_security/api/audit method: GET diff --git a/tests/default/security/api/audit/config.yaml b/tests/default/security/api/audit/config.yaml new file mode 100644 index 000000000..97335168c --- /dev/null +++ b/tests/default/security/api/audit/config.yaml 
@@ -0,0 +1,39 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test audit/config endpoint. + +chapters: + - synopsis: Create an audit config. + path: /_plugins/_security/api/audit/config + method: PUT + request: + payload: + enabled: true + audit: + ignore_users: [] + ignore_requests: [] + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + log_request_body: false + resolve_indices: false + resolve_bulk_requests: false + exclude_sensitive_headers: true + enable_transport: false + enable_rest: true + compliance: + enabled: true + write_log_diffs: false + read_watched_fields: {} + read_ignore_users: [] + write_watched_indices: [] + write_ignore_users: [] + read_metadata_only: true + write_metadata_only: true + external_config: false + internal_config: true + response: + status: 200 diff --git a/tests/default/security/api/authtoken.yaml b/tests/default/security/api/authtoken.yaml new file mode 100644 index 000000000..4da5718b2 --- /dev/null +++ b/tests/default/security/api/authtoken.yaml @@ -0,0 +1,10 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoint. + +chapters: + - synopsis: Create an auth token. + path: /_plugins/_security/api/authtoken + method: POST + response: + status: 200 diff --git a/tests/default/security/api/certificates.yaml b/tests/default/security/api/certificates.yaml index ec2bd3603..f4f23e817 100644 --- a/tests/default/security/api/certificates.yaml +++ b/tests/default/security/api/certificates.yaml @@ -1,7 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test certificates endpoints. -version: '>= 2.15' +version: '> 2.14' # ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: 
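Review bot: The new `audit/config.yaml` story changes the cluster-wide audit configuration with a `PUT` and has no `epilogues:` section, so what it writes (for example `disabled_rest_categories` containing `AUTHENTICATED` and `GRANTED_PRIVILEGES`) stays in place for every story that runs afterwards. Before the split, the `PUT` and the `GET` on `/_plugins/_security/api/audit` lived in one file in a fixed order. Now the `GET` left in `audit.yaml` sees either the default or this configuration depending on story order, which this page does not define. If restoring the previous configuration is not practical, state it in the file with `# Leaves the audit configuration modified; no epilogue restores it.` above `chapters:`.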
diff --git a/tests/default/security/api/tokens.yaml b/tests/default/security/api/generateonbehalfoftoken.yaml similarity index 72% rename from tests/default/security/api/tokens.yaml rename to tests/default/security/api/generateonbehalfoftoken.yaml index 1d58b85f7..41b5f1453 100644 --- a/tests/default/security/api/tokens.yaml +++ b/tests/default/security/api/generateonbehalfoftoken.yaml @@ -1,16 +1,11 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test authtoken endpoints. +description: Test generateonbehalfoftoken endpoint. +version: '> 2.11' chapters: - - synopsis: Create an auth token. - path: /_plugins/_security/api/authtoken - method: POST - response: - status: 200 - synopsis: Create an On-Behalf-Of token. # Feature is disabled by default. https://opensearch.org/docs/latest/security/access-control/authentication-tokens/#configuration - version: '>= 2.12' path: /_plugins/_security/api/generateonbehalfoftoken method: POST request: diff --git a/tests/default/security/api/internal_users.yaml b/tests/default/security/api/internalusers.yaml similarity index 97% rename from tests/default/security/api/internal_users.yaml rename to tests/default/security/api/internalusers.yaml index 4c3bd7066..784db4fcd 100644 --- a/tests/default/security/api/internal_users.yaml +++ b/tests/default/security/api/internalusers.yaml @@ -1,6 +1,6 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test internal users endpoints. +description: Test internalusers endpoints. chapters: - synopsis: Get internal users bulk. diff --git a/tests/default/security/api/user_authtoken.yaml b/tests/default/security/api/internalusers.yml/authtoken.yml similarity index 65% rename from tests/default/security/api/user_authtoken.yaml rename to tests/default/security/api/internalusers.yml/authtoken.yml index da1ee7ce5..2cfb3c6a1 100644 --- a/tests/default/security/api/user_authtoken.yaml +++ b/tests/default/security/api/internalusers.yml/authtoken.yml 
@@ -1,8 +1,7 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml -$schema: ../../../../json_schemas/test_story.schema.yaml - -description: Test authtoken endpoints for user. -version: '>2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 +description: Test internalusers/authtoken endpoint. +version: '> 2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 prologues: - path: /_plugins/_security/api/internalusers/{username} @@ -17,6 +16,7 @@ prologues: service: true enabled: true status: [201] + chapters: # Auth-tokens can only be vended for service accounts. - synopsis: Create internal user token. @@ -26,13 +26,7 @@ chapters: username: test response: status: 200 - - synopsis: Create user token. - path: /_plugins/_security/api/user/{username}/authtoken - method: POST - parameters: - username: test - response: - status: 501 + epilogues: - path: /_plugins/_security/api/internalusers/{username} method: DELETE diff --git a/tests/default/security/api/nodesdn.yaml b/tests/default/security/api/nodesdn.yaml index 7a82d0307..0cfcd1b43 100644 --- a/tests/default/security/api/nodesdn.yaml +++ b/tests/default/security/api/nodesdn.yaml @@ -1,10 +1,9 @@ $schema: ../../../../json_schemas/test_story.schema.yaml +description: Test nodesdn endpoints. # ADMIN-CERT only. These tests require explicit rest api admin privileges. # The setting `plugins. security. nodes_dn_dynamic_config_enabled` must be enabled. -description: Test nodesdn endpoints. - chapters: - synopsis: Get distinguished names. path: /_plugins/_security/api/nodesdn diff --git a/tests/default/security/api/securityconfig.yaml b/tests/default/security/api/securityconfig.yaml index 75aeeddad..28c6573bd 100644 --- a/tests/default/security/api/securityconfig.yaml +++ b/tests/default/security/api/securityconfig.yaml 
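Review bot: This story is renamed to `tests/default/security/api/internalusers.yml/authtoken.yml`, which is a directory called `internalusers.yml` holding a `.yml` file. The other split-out stories in this commit use `.yaml` and a plain directory name (`user/authtoken.yaml`, `audit/config.yaml`). If the test runner discovers stories by the `.yaml` extension, which I cannot see from here, this token test would silently stop running. The path that matches the rest of the commit is `tests/default/security/api/internalusers/authtoken.yaml`. `tests/default/security/api/ssl/certs.yml`, added later in the same commit, has the same extension mismatch.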
@@ -1,47 +1,10 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. - description: Test securityconfig endpoints. -version: '>=2.10' +version: '> 2.9' +# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. chapters: - - synopsis: Update a security config. - path: /_plugins/_security/api/securityconfig/config - method: PUT - request: - payload: - dynamic: - filtered_alias_mode: warn - disable_rest_auth: false - disable_intertransport_auth: false - respect_request_indices_options: false - opensearch-dashboards: - multitenancy_enabled: true - server_username: kibanaserver - index: .opensearch-dashboards - http: - anonymous_auth_enabled: false - authc: - basic_internal_auth_domain: - http_enabled: true - transport_enabled: true - order: 0 - http_authenticator: - challenge: true - type: basic - config: {} - authentication_backend: - type: intern - config: {} - description: Authenticate via HTTP Basic against internal users database - auth_failure_listeners: {} - do_not_fail_on_forbidden: false - multi_rolespan_enabled: true - hosts_resolver_mode: ip-only - do_not_fail_on_forbidden_empty: false - response: - status: 403 - synopsis: Get a security config. path: /_plugins/_security/api/securityconfig method: GET diff --git a/tests/default/security/api/securityconfig/config.yaml b/tests/default/security/api/securityconfig/config.yaml new file mode 100644 index 000000000..5bae694be --- /dev/null +++ b/tests/default/security/api/securityconfig/config.yaml 
@@ -0,0 +1,43 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test securityconfig/config endpoint. +version: '>2.9' + +# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. +chapters: + - synopsis: Update a security config. + path: /_plugins/_security/api/securityconfig/config + method: PUT + request: + payload: + dynamic: + filtered_alias_mode: warn + disable_rest_auth: false + disable_intertransport_auth: false + respect_request_indices_options: false + opensearch-dashboards: + multitenancy_enabled: true + server_username: kibanaserver + index: .opensearch-dashboards + http: + anonymous_auth_enabled: false + authc: + basic_internal_auth_domain: + http_enabled: true + transport_enabled: true + order: 0 + http_authenticator: + challenge: true + type: basic + config: {} + authentication_backend: + type: intern + config: {} + description: Authenticate via HTTP Basic against internal users database + auth_failure_listeners: {} + do_not_fail_on_forbidden: false + multi_rolespan_enabled: true + hosts_resolver_mode: ip-only + do_not_fail_on_forbidden_empty: false + response: + status: 403 diff --git a/tests/default/security/api/ssl/certs.yml b/tests/default/security/api/ssl/certs.yml new file mode 100644 index 000000000..168ff0964 --- /dev/null +++ b/tests/default/security/api/ssl/certs.yml @@ -0,0 +1,12 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test ssl/certs endpoint. +version: '>= 2.0' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Get ssl certificates. + path: /_plugins/_security/api/ssl/certs + method: GET + response: + status: 403 diff --git a/tests/default/security/api/ssl/http/reloadcerts.yaml b/tests/default/security/api/ssl/http/reloadcerts.yaml new file mode 100644 index 000000000..30f1f043b --- /dev/null +++ b/tests/default/security/api/ssl/http/reloadcerts.yaml 
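Review bot: The comment `# ADMIN-CERT only (except GET)` was copied into the new `securityconfig/config.yaml`, but that story contains a single `PUT` chapter, so the GET exception describes nothing here and the reason for `status: 403` is left implicit. I would replace it with `# ADMIN-CERT only. The story runs without the admin certificate, so the update is expected to be rejected with 403.`; the second half is inferred from the assertion and should be confirmed. The gate `version: '>2.9'` also lacks the space this commit adds elsewhere (`'> 2.9'` in `securityconfig.yaml`).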
@@ -0,0 +1,12 @@ +$schema: ../../../../../../json_schemas/test_story.schema.yaml + +description: Test ssl/http/reloadcerts endpoint. +version: '> 2.7' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Reload http certs. + path: /_plugins/_security/api/ssl/http/reloadcerts + method: PUT + response: + status: 403 diff --git a/tests/default/security/api/ssl/transport/reloadcerts.yaml b/tests/default/security/api/ssl/transport/reloadcerts.yaml new file mode 100644 index 000000000..9585b1a17 --- /dev/null +++ b/tests/default/security/api/ssl/transport/reloadcerts.yaml @@ -0,0 +1,12 @@ +$schema: ../../../../../../json_schemas/test_story.schema.yaml + +description: Test ssl/transport/reloadcerts endpoint. +version: '> 2.7' + +# ADMIN-CERT only. These tests require explicit rest api admin privileges. +chapters: + - synopsis: Reload transport certs. + path: /_plugins/_security/api/ssl/transport/reloadcerts + method: PUT + response: + status: 403 diff --git a/tests/default/security/api/ssl_certs.yaml b/tests/default/security/api/ssl_certs.yaml deleted file mode 100644 index 738537da1..000000000 --- a/tests/default/security/api/ssl_certs.yaml +++ /dev/null @@ -1,23 +0,0 @@ -$schema: ../../../../json_schemas/test_story.schema.yaml - -description: Test ssl endpoints. -# ADMIN-CERT only. These tests require explicit rest api admin privileges. -chapters: - - synopsis: Get ssl certificates. - path: /_plugins/_security/api/ssl/certs - version: '>=2.0' - method: GET - response: - status: 403 - - synopsis: Reload http certs. - path: /_plugins/_security/api/ssl/http/reloadcerts - version: '>2.7' - method: PUT - response: - status: 403 - - synopsis: Reload transport certs. - path: /_plugins/_security/api/ssl/transport/reloadcerts - version: '>2.7' - method: PUT - response: - status: 403 
diff --git a/tests/default/security/api/tenancy_config.yaml b/tests/default/security/api/tenancy/config.yaml similarity index 78% rename from tests/default/security/api/tenancy_config.yaml rename to tests/default/security/api/tenancy/config.yaml index f3d107e7f..1e3d95262 100644 --- a/tests/default/security/api/tenancy_config.yaml +++ b/tests/default/security/api/tenancy/config.yaml @@ -1,7 +1,7 @@ -$schema: ../../../../json_schemas/test_story.schema.yaml +$schema: ../../../../../json_schemas/test_story.schema.yaml -description: Test tenancy config endpoint. -version: '>= 2.7' +description: Test tenancy/config endpoints. +version: '> 2.6' chapters: - synopsis: Get tenancy config. diff --git a/tests/default/security/api/user/authtoken.yaml b/tests/default/security/api/user/authtoken.yaml new file mode 100644 index 000000000..edf450fb6 --- /dev/null +++ b/tests/default/security/api/user/authtoken.yaml @@ -0,0 +1,35 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoints for user. +version: '> 2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 + +prologues: + - path: /_plugins/_security/api/user/{username} + method: PUT + parameters: + username: test + request: + payload: + opendistro_security_roles: [] + backend_roles: [] + attributes: + service: true + enabled: true + status: [201] + +chapters: + # Auth-tokens can only be vended for service accounts. + - synopsis: Create user token. + path: /_plugins/_security/api/user/{username}/authtoken + method: POST + parameters: + username: test + response: + status: 501 + +epilogues: + - path: /_plugins/_security/api/user/{username} + method: DELETE + parameters: + username: test + status: [200] diff --git a/tests/default/security/api/validate.yaml b/tests/default/security/api/validate.yaml index 08d4b1ab2..5c4cbdfc4 100644 --- a/tests/default/security/api/validate.yaml +++ b/tests/default/security/api/validate.yaml 
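Review bot: In the new `user/authtoken.yaml`, the comment `# Auth-tokens can only be vended for service accounts.` contradicts what the chapter asserts, which is `status: 501` for `/_plugins/_security/api/user/{username}/authtoken`. It was carried over from the story that expected a token; here I would replace it with `# Legacy path: token generation is not implemented and returns 501.`. The prologue and epilogue were also switched to `/_plugins/_security/api/user/{username}`, whereas the story this was split from created and deleted the `test` account through `/_plugins/_security/api/internalusers/{username}`. If the legacy path does not answer the `PUT` with `201`, the story fails before it reaches the 501 check, so confirm that change is deliberate.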
@@ -1,6 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test validate endpoint. + # BAD_REQUEST. Can not migrate configuration because it was already migrated. chapters: - synopsis: Check whether v6 configuration is valid. diff --git a/tests/default/security/authinfo.yaml b/tests/default/security/authinfo.yaml index e2138e28b..1d65c31f0 100644 --- a/tests/default/security/authinfo.yaml +++ b/tests/default/security/authinfo.yaml @@ -1,23 +1,24 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test authinfo endpoint. + chapters: - synopsis: Get auth info. path: /_plugins/_security/authinfo method: GET - version: <2.13 + version: < 2.13 response: status: 200 - synopsis: Get auth info via POST. path: /_plugins/_security/authinfo method: POST - version: <2.13 + version: < 2.13 response: status: 200 - synopsis: Get auth info. path: /_plugins/_security/authinfo method: GET - version: =2.13 + version: = 2.13 parameters: verbose: false response: @@ -25,7 +26,7 @@ chapters: - synopsis: Get auth info. path: /_plugins/_security/authinfo method: GET - version: '>2.13' + version: '> 2.13' parameters: verbose: false auth_type: basic diff --git a/tests/default/security/dashboardsinfo.yaml b/tests/default/security/dashboardsinfo.yaml index 16925b704..fb28a9914 100644 --- a/tests/default/security/dashboardsinfo.yaml +++ b/tests/default/security/dashboardsinfo.yaml @@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test dashboardsinfo endpoint. + chapters: - synopsis: Get dashboards info. path: /_plugins/_security/dashboardsinfo diff --git a/tests/default/security/health.yaml b/tests/default/security/health.yaml index b4855fdee..b1c42b037 100644 --- a/tests/default/security/health.yaml +++ b/tests/default/security/health.yaml 
@@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test health endpoint. + chapters: - synopsis: Get security health info. path: /_plugins/_security/health diff --git a/tests/default/security/sslinfo.yaml b/tests/default/security/sslinfo.yaml index c5dd4e1ce..b73d18ee4 100644 --- a/tests/default/security/sslinfo.yaml +++ b/tests/default/security/sslinfo.yaml @@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test sslinfo endpoint. + chapters: - synopsis: Get ssl info. path: /_opendistro/_security/sslinfo diff --git a/tests/default/security/tenantinfo.yaml b/tests/default/security/tenantinfo.yaml index 66fece71a..8b0aeee54 100644 --- a/tests/default/security/tenantinfo.yaml +++ b/tests/default/security/tenantinfo.yaml @@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test tenantinfo endpoint. + chapters: - synopsis: Get tenant info. path: /_plugins/_security/tenantinfo diff --git a/tests/default/security/whoami.yaml b/tests/default/security/whoami.yaml index ba742b3f5..3e2c5016b 100644 --- a/tests/default/security/whoami.yaml +++ b/tests/default/security/whoami.yaml @@ -1,7 +1,8 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test whoami endpoints. -version: '>=2.0' +version: '>= 2.0' + chapters: - synopsis: Get current user info. path: /_plugins/_security/whoami @@ -21,13 +22,3 @@ chapters: dn: null is_admin: false is_node_certificate_request: false - - synopsis: Get current user info from protected endpoint. - version: '>= 2.11' - path: /_plugins/_security/whoamiprotected - method: GET - response: - status: 200 - payload: - dn: null - is_admin: false - is_node_certificate_request: false diff --git a/tests/default/security/whoamiprotected.yaml b/tests/default/security/whoamiprotected.yaml new file mode 100644 index 000000000..a3771fb7c --- /dev/null +++ b/tests/default/security/whoamiprotected.yaml 
@@ -0,0 +1,15 @@ +$schema: ../../../json_schemas/test_story.schema.yaml + +description: Test whoamiprotected endpoint. +version: '> 2.10' + +chapters: + - synopsis: Get current user info from protected endpoint. + path: /_plugins/_security/whoamiprotected + method: GET + response: + status: 200 + payload: + dn: null + is_admin: false + is_node_certificate_request: false