|
@@ -5,17 +5,21 @@
|
|
|
*/
|
|
|
package org.elasticsearch.xpack.security.ingest;
|
|
|
|
|
|
+import org.elasticsearch.Version;
|
|
|
import org.elasticsearch.common.settings.Settings;
|
|
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
|
|
import org.elasticsearch.ingest.IngestDocument;
|
|
|
import org.elasticsearch.test.ESTestCase;
|
|
|
import org.elasticsearch.xpack.core.security.authc.Authentication;
|
|
|
+import org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationType;
|
|
|
import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
|
|
|
import org.elasticsearch.xpack.core.security.user.User;
|
|
|
+import org.elasticsearch.xpack.security.authc.ApiKeyService;
|
|
|
import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor.Property;
|
|
|
import org.mockito.Mockito;
|
|
|
|
|
|
import java.util.Arrays;
|
|
|
+import java.util.Collections;
|
|
|
import java.util.EnumSet;
|
|
|
import java.util.HashMap;
|
|
|
import java.util.Map;
|
|
@@ -29,20 +33,23 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
|
|
|
Map.of("key", "value"), true);
|
|
|
Authentication.RealmRef realmRef = new Authentication.RealmRef("_name", "_type", "_node_name");
|
|
|
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
|
|
- threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null));
|
|
|
+ threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null, Version.CURRENT));
|
|
|
|
|
|
IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
|
|
|
SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
|
|
|
processor.execute(ingestDocument);
|
|
|
|
|
|
Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
|
|
|
- assertThat(result.size(), equalTo(5));
|
|
|
+ assertThat(result.size(), equalTo(7));
|
|
|
assertThat(result.get("username"), equalTo("_username"));
|
|
|
assertThat(result.get("roles"), equalTo(Arrays.asList("role1", "role2")));
|
|
|
assertThat(result.get("full_name"), equalTo("firstname lastname"));
|
|
|
assertThat(result.get("email"), equalTo("_email"));
|
|
|
assertThat(((Map) result.get("metadata")).size(), equalTo(1));
|
|
|
assertThat(((Map) result.get("metadata")).get("key"), equalTo("value"));
|
|
|
+ assertThat(((Map) result.get("realm")).get("name"), equalTo("_name"));
|
|
|
+ assertThat(((Map) result.get("realm")).get("type"), equalTo("_type"));
|
|
|
+ assertThat(result.get("authentication_type"), equalTo("REALM"));
|
|
|
}
|
|
|
|
|
|
public void testProcessorWithEmptyUserData() throws Exception {
|
|
@@ -50,6 +57,8 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
|
|
|
User user = Mockito.mock(User.class);
|
|
|
Authentication authentication = Mockito.mock(Authentication.class);
|
|
|
Mockito.when(authentication.getUser()).thenReturn(user);
|
|
|
+ Mockito.when(authentication.getSourceRealm()).thenReturn(new Authentication.RealmRef("_name", "_type", "_node_name"));
|
|
|
+ Mockito.when(authentication.getAuthenticationType()).thenReturn(AuthenticationType.REALM);
|
|
|
|
|
|
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
|
|
threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, authentication);
|
|
@@ -57,8 +66,12 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
|
|
|
IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
|
|
|
SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
|
|
|
processor.execute(ingestDocument);
|
|
|
- Map result = ingestDocument.getFieldValue("_field", Map.class);
|
|
|
- assertThat(result.size(), equalTo(0));
|
|
|
+ Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
|
|
|
+ // Still holds data for realm and authentication type
|
|
|
+ assertThat(result.size(), equalTo(2));
|
|
|
+ assertThat(((Map) result.get("realm")).get("name"), equalTo("_name"));
|
|
|
+ assertThat(((Map) result.get("realm")).get("type"), equalTo("_type"));
|
|
|
+ assertThat(result.get("authentication_type"), equalTo("REALM"));
|
|
|
}
|
|
|
|
|
|
public void testNoCurrentUser() throws Exception {
|
|
@@ -179,4 +192,82 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
|
|
|
assertThat(result2.get("other"), equalTo("test"));
|
|
|
}
|
|
|
|
|
|
+ public void testApiKeyPopulation() throws Exception {
|
|
|
+ User user = new User(randomAlphaOfLengthBetween(4, 12), null, null);
|
|
|
+ Authentication.RealmRef realmRef = new Authentication.RealmRef(
|
|
|
+ ApiKeyService.API_KEY_REALM_NAME, ApiKeyService.API_KEY_REALM_TYPE, "_node_name");
|
|
|
+ ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
|
|
+
|
|
|
+ threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null, Version.CURRENT,
|
|
|
+ AuthenticationType.API_KEY,
|
|
|
+ Map.of(
|
|
|
+ ApiKeyService.API_KEY_ID_KEY, "api_key_id",
|
|
|
+ ApiKeyService.API_KEY_NAME_KEY, "api_key_name",
|
|
|
+ ApiKeyService.API_KEY_CREATOR_REALM_NAME, "creator_realm_name",
|
|
|
+ ApiKeyService.API_KEY_CREATOR_REALM_TYPE, "creator_realm_type"
|
|
|
+ )));
|
|
|
+
|
|
|
+ IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
|
|
|
+ SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
|
|
|
+ processor.execute(ingestDocument);
|
|
|
+
|
|
|
+ Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
|
|
|
+ assertThat(result.size(), equalTo(4));
|
|
|
+ assertThat(((Map) result.get("api_key")).get("name"), equalTo("api_key_name"));
|
|
|
+ assertThat(((Map) result.get("api_key")).get("id"), equalTo("api_key_id"));
|
|
|
+ assertThat(((Map) result.get("realm")).get("name"), equalTo("creator_realm_name"));
|
|
|
+ assertThat(((Map) result.get("realm")).get("type"), equalTo("creator_realm_type"));
|
|
|
+ assertThat(result.get("authentication_type"), equalTo("API_KEY"));
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testWillNotOverwriteExistingApiKeyAndRealm() throws Exception {
|
|
|
+ User user = new User(randomAlphaOfLengthBetween(4, 12), null, null);
|
|
|
+ Authentication.RealmRef realmRef = new Authentication.RealmRef(
|
|
|
+ ApiKeyService.API_KEY_REALM_NAME, ApiKeyService.API_KEY_REALM_TYPE, "_node_name");
|
|
|
+ ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
|
|
+
|
|
|
+ threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null, Version.CURRENT,
|
|
|
+ AuthenticationType.API_KEY,
|
|
|
+ Map.of(
|
|
|
+ ApiKeyService.API_KEY_ID_KEY, "api_key_id",
|
|
|
+ ApiKeyService.API_KEY_NAME_KEY, "api_key_name",
|
|
|
+ ApiKeyService.API_KEY_CREATOR_REALM_NAME, "creator_realm_name",
|
|
|
+ ApiKeyService.API_KEY_CREATOR_REALM_TYPE, "creator_realm_type"
|
|
|
+ )));
|
|
|
+
|
|
|
+ IngestDocument ingestDocument = new IngestDocument(IngestDocument.deepCopyMap(Map.of(
|
|
|
+ "_field", Map.of("api_key", Map.of("version", 42), "realm", Map.of("id", 7))
|
|
|
+ )), new HashMap<>());
|
|
|
+ SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
|
|
|
+ processor.execute(ingestDocument);
|
|
|
+
|
|
|
+ Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
|
|
|
+ assertThat(result.size(), equalTo(4));
|
|
|
+ assertThat(((Map) result.get("api_key")).get("version"), equalTo(42));
|
|
|
+ assertThat(((Map) result.get("realm")).get("id"), equalTo(7));
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testWillSetRunAsRealmForNonApiAuth() throws Exception {
|
|
|
+ User user = new User(randomAlphaOfLengthBetween(4, 12), null, null);
|
|
|
+ Authentication.RealmRef authRealmRef = new Authentication.RealmRef(
|
|
|
+ randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12));
|
|
|
+ Authentication.RealmRef lookedUpRealmRef = new Authentication.RealmRef(
|
|
|
+ randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12));
|
|
|
+ ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
|
|
+
|
|
|
+ threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY,
|
|
|
+ new Authentication(user, authRealmRef, lookedUpRealmRef, Version.CURRENT,
|
|
|
+ randomFrom(AuthenticationType.REALM, AuthenticationType.TOKEN, AuthenticationType.INTERNAL),
|
|
|
+ Collections.emptyMap()));
|
|
|
+
|
|
|
+ IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
|
|
|
+ SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
|
|
|
+ processor.execute(ingestDocument);
|
|
|
+
|
|
|
+ Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
|
|
|
+ assertThat(result.size(), equalTo(3));
|
|
|
+ assertThat(((Map) result.get("realm")).get("name"), equalTo(lookedUpRealmRef.getName()));
|
|
|
+ assertThat(((Map) result.get("realm")).get("type"), equalTo(lookedUpRealmRef.getType()));
|
|
|
+ }
|
|
|
+
|
|
|
}
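Review bot: In the last hunk, testWillNotOverwriteExistingApiKeyAndRealm seeds only keys the processor is not expected to write (`api_key.version`, `realm.id`), so it never pins what happens when the incoming document already carries `api_key.id`, `api_key.name`, `realm.name` or `realm.type`. Those fields record the authenticated identity, so a value supplied in the document should be replaced by the one from the Authentication. I would seed a colliding key, e.g. `"api_key", Map.of("version", 42, "id", "client_supplied_id")`, and add `assertThat(((Map) result.get("api_key")).get("id"), equalTo("api_key_id"));`. The test also verifies the merge only through `result.size()`; asserting `api_key.name`, `realm.name` and `authentication_type` alongside the preserved keys would show the authenticated values were actually written. The processor is not on this page, so whether it already overwrites colliding keys is unverified here.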
|