diff --git a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
index 288672bf49..63c419c2ef 100644
--- a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
@@ -18,6 +18,7 @@ import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import org.apache.hc.core5.http.Header;
+import org.apache.hc.core5.http.HttpStatus;
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.junit.Assert;
 import org.junit.ClassRule;
@@ -57,6 +58,8 @@ public class OnBehalfOfJwtAuthenticationTest {
 );
 private static final String encryptionKey = Base64.getEncoder().encodeToString("encryptionKey".getBytes(StandardCharsets.UTF_8));
 public static final String ADMIN_USER_NAME = "admin";
+ public static final String OBO_USER_NAME_WITH_PERM = "obo_user";
+ public static final String OBO_USER_NAME_NO_PERM = "obo_user_no_perm";
 public static final String DEFAULT_PASSWORD = "secret";
 public static final String NEW_PASSWORD = "testPassword123!!";
 public static final String OBO_TOKEN_REASON = "{\"reason\":\"Test generation\"}";
@@ -68,10 +71,18 @@ public class OnBehalfOfJwtAuthenticationTest { + NEW_PASSWORD + "\" }";
+ protected final static TestSecurityConfig.User OBO_USER = new TestSecurityConfig.User(OBO_USER_NAME_WITH_PERM).roles(
+ new TestSecurityConfig.Role("obo_access_role").clusterPermissions("security:obo/create")
+ );
+
+ protected final static TestSecurityConfig.User OBO_USER_NO_PERM = new TestSecurityConfig.User(OBO_USER_NAME_NO_PERM).roles(
+ new TestSecurityConfig.Role("obo_user_no_perm")
+ );
+
 @ClassRule
 public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
 .anonymousAuth(false)
- .users(ADMIN_USER)
+ .users(ADMIN_USER, OBO_USER, OBO_USER_NO_PERM)
 .nodeSettings(
 Map.of(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true, SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_admin__all_access"))
 )
@@ -116,6 +127,20 @@ public void shouldNotAuthenticateForUsingOBOTokenToAccessAccountEndpoint() {
 }
 }
+ @Test
+ public void shouldAuthenticateForNonAdminUserWithOBOPermission() {
+ String oboToken = generateOboToken(OBO_USER_NAME_WITH_PERM, DEFAULT_PASSWORD);
+ Header oboAuthHeader = new BasicHeader("Authorization", "Bearer " + oboToken);
+ authenticateWithOboToken(oboAuthHeader, OBO_USER_NAME_WITH_PERM, 200);
+ }
+
+ @Test
+ public void shouldNotAuthenticateForNonAdminUserWithoutOBOPermission() {
+ try (TestRestClient client = cluster.getRestClient(OBO_USER_NO_PERM)) {
+ assertThat(client.post(OBO_ENDPOINT_PREFIX).getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+ }
+ }
+
 private String generateOboToken(String username, String password) {
 try (TestRestClient client = cluster.getRestClient(username, password)) {
 client.assertCorrectCredentials(username);
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
index 864cd0746e..636c2742cc 100644
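Review bot: The two new user fields are declared `protected final static`; the conventional (JLS-recommended) modifier order is `protected static final`, e.g. `protected static final TestSecurityConfig.User OBO_USER = new TestSecurityConfig.User(OBO_USER_NAME_WITH_PERM).roles(`, and the same applies to `OBO_USER_NO_PERM`. Unless a subclass is expected to read them, `private` would match how the other constants in this hunk are scoped to the test. The enclosing class continues outside the hunk.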
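Review bot: `shouldNotAuthenticateForNonAdminUserWithoutOBOPermission` asserts only the status code, so it would also pass if the request were rejected for an unrelated reason (for example wrong credentials for `OBO_USER_NO_PERM` would presumably also yield 401), which could mask a regression in the `security:obo/create` check; asserting on the response body or reason through whatever accessor `HttpResponse` offers would pin the failure to the permission check. A caller that is authenticated but lacks the permission is conventionally answered with 403 rather than 401, so if 401 is the endpoint's deliberate contract a one-line comment on the assertion saying so would stop the next reader from "fixing" it. The positive test passes the literal `200` where the negative one uses `HttpStatus.SC_UNAUTHORIZED`; `HttpStatus.SC_OK` keeps the two consistent. The negative test posts to `OBO_ENDPOINT_PREFIX` directly while the positive path goes through `generateOboToken`; if those resolve to different paths the two tests do not exercise the same route, which is worth confirming. `generateOboToken` continues outside the hunk.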
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
@@ -138,7 +138,7 @@ public HttpResponse getAuthInfo(Header... headers) {
 public HttpResponse getOnBehalfOfToken(String jsonData, Header... headers) {
 try {
 HttpPost httpPost = new HttpPost(
- new URIBuilder(getHttpServerUri() + "/_plugins/_security/api/generateobotokenf?pretty").build()
+ new URIBuilder(getHttpServerUri() + "/_plugins/_security/api/generateobotoken?pretty").build()
 );
 httpPost.setEntity(toStringEntity(jsonData));
 return executeRequest(httpPost, mergeHeaders(CONTENT_TYPE_JSON, headers));
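Review bot: The corrected path is still a duplicated string literal inside `getOnBehalfOfToken`, which is how the `generateobotokenf` typo went unnoticed until now; hoisting it into a named constant, `private static final String OBO_TOKEN_PATH = "/_plugins/_security/api/generateobotoken";`, and building the URI from it (or from the endpoint constant the test class already references as `OBO_ENDPOINT_PREFIX`, if that can be shared across packages) keeps the test client and the tests pointing at the same route. The method's body continues outside the hunk.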