|
9 | 9 | import com.google.common.collect.Sets;
|
10 | 10 | import org.elasticsearch.ElasticsearchSecurityException;
|
11 | 11 | import org.elasticsearch.action.DocWriteResponse;
|
| 12 | +import org.elasticsearch.action.admin.indices.refresh.RefreshAction; |
| 13 | +import org.elasticsearch.action.admin.indices.refresh.RefreshRequestBuilder; |
12 | 14 | import org.elasticsearch.action.admin.indices.refresh.RefreshResponse;
|
13 | 15 | import org.elasticsearch.action.support.PlainActionFuture;
|
14 | 16 | import org.elasticsearch.action.support.WriteRequest;
|
@@ -758,6 +760,75 @@ public void testApiKeyWithManageOwnPrivilegeIsAbleToInvalidateItselfButNotAnyOth
|
758 | 760 | assertThat(invalidateResponse.getErrors().size(), equalTo(0));
|
759 | 761 | }
|
760 | 762 |
|
| 763 | + public void testDerivedKeys() throws ExecutionException, InterruptedException { |
| 764 | + Client client = client().filterWithHeader(Collections.singletonMap("Authorization", |
| 765 | + UsernamePasswordToken.basicAuthHeaderValue(SecuritySettingsSource.TEST_SUPERUSER, |
| 766 | + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING))); |
| 767 | + final CreateApiKeyResponse response = new CreateApiKeyRequestBuilder(client) |
| 768 | + .setName("key-1") |
| 769 | + .setRoleDescriptors(Collections.singletonList( |
| 770 | + new RoleDescriptor("role", new String[] { "manage_api_key" }, null, null))) |
| 771 | + .get(); |
| 772 | + |
| 773 | + assertEquals("key-1", response.getName()); |
| 774 | + assertNotNull(response.getId()); |
| 775 | + assertNotNull(response.getKey()); |
| 776 | + |
| 777 | + // use the first ApiKey for authorized action |
| 778 | + final String base64ApiKeyKeyValue = Base64.getEncoder().encodeToString( |
| 779 | + (response.getId() + ":" + response.getKey().toString()).getBytes(StandardCharsets.UTF_8)); |
| 780 | + final Client clientKey1 = client().filterWithHeader(Collections.singletonMap("Authorization", "ApiKey " + base64ApiKeyKeyValue)); |
| 781 | + |
| 782 | + final String expectedMessage = "creating derived api keys requires an explicit role descriptor that is empty"; |
| 783 | + |
| 784 | + final IllegalArgumentException e1 = expectThrows(IllegalArgumentException.class, |
| 785 | + () -> new CreateApiKeyRequestBuilder(clientKey1).setName("key-2").get()); |
| 786 | + assertThat(e1.getMessage(), containsString(expectedMessage)); |
| 787 | + |
| 788 | + final IllegalArgumentException e2 = expectThrows(IllegalArgumentException.class, |
| 789 | + () -> new CreateApiKeyRequestBuilder(clientKey1).setName("key-3") |
| 790 | + .setRoleDescriptors(Collections.emptyList()).get()); |
| 791 | + assertThat(e2.getMessage(), containsString(expectedMessage)); |
| 792 | + |
| 793 | + final IllegalArgumentException e3 = expectThrows(IllegalArgumentException.class, |
| 794 | + () -> new CreateApiKeyRequestBuilder(clientKey1).setName("key-4") |
| 795 | + .setRoleDescriptors(Collections.singletonList( |
| 796 | + new RoleDescriptor("role", new String[] {"manage_own_api_key"}, null, null) |
| 797 | + )).get()); |
| 798 | + assertThat(e3.getMessage(), containsString(expectedMessage)); |
| 799 | + |
| 800 | + final List<RoleDescriptor> roleDescriptors = randomList(2, 10, |
| 801 | + () -> new RoleDescriptor("role", null, null, null)); |
| 802 | + roleDescriptors.set(randomInt(roleDescriptors.size() - 1), |
| 803 | + new RoleDescriptor("role", new String[] {"manage_own_api_key"}, null, null)); |
| 804 | + |
| 805 | + final IllegalArgumentException e4 = expectThrows(IllegalArgumentException.class, |
| 806 | + () -> new CreateApiKeyRequestBuilder(clientKey1).setName("key-5") |
| 807 | + .setRoleDescriptors(roleDescriptors).get()); |
| 808 | + assertThat(e4.getMessage(), containsString(expectedMessage)); |
| 809 | + |
| 810 | + final CreateApiKeyResponse key100Response = new CreateApiKeyRequestBuilder(clientKey1).setName("key-100") |
| 811 | + .setRoleDescriptors(Collections.singletonList( |
| 812 | + new RoleDescriptor("role", null, null, null) |
| 813 | + )).get(); |
| 814 | + assertEquals("key-100", key100Response.getName()); |
| 815 | + assertNotNull(key100Response.getId()); |
| 816 | + assertNotNull(key100Response.getKey()); |
| 817 | + |
| 818 | + // Check at the end to allow sometime for the operation to happen. Since an erroneous creation is |
| 819 | + // asynchronous so that the document is not available immediately. |
| 820 | + assertApiKeyNotCreated(client, "key-2"); |
| 821 | + assertApiKeyNotCreated(client, "key-3"); |
| 822 | + assertApiKeyNotCreated(client, "key-4"); |
| 823 | + assertApiKeyNotCreated(client, "key-5"); |
| 824 | + } |
| 825 | + |
| 826 | + private void assertApiKeyNotCreated(Client client, String keyName) throws ExecutionException, InterruptedException { |
| 827 | + new RefreshRequestBuilder(client, RefreshAction.INSTANCE).setIndices(SECURITY_MAIN_ALIAS).execute().get(); |
| 828 | + assertEquals(0, client.execute(GetApiKeyAction.INSTANCE, |
| 829 | + GetApiKeyRequest.usingApiKeyName(keyName, false)).get().getApiKeyInfos().length); |
| 830 | + } |
| 831 | + |
761 | 832 | private void verifyGetResponse(int expectedNumberOfApiKeys, List<CreateApiKeyResponse> responses,
|
762 | 833 | GetApiKeyResponse response, Set<String> validApiKeyIds, List<String> invalidatedApiKeyIds) {
|
763 | 834 | verifyGetResponse(SecuritySettingsSource.TEST_SUPERUSER, expectedNumberOfApiKeys, responses, response, validApiKeyIds,
|
|
0 commit comments