Ensure SAS Tokens in Test Use Minimal Permissions (#46112) (#46628)

original-brownbear · web-flow · commit b00de8edf370 · 2019-09-17T15:40:11.000+02:00
There were some issues with the Azure implementation requiring permissions to list all containers ue to a container exists check. This was caught in CI this time, but going forward we should ensure that CI is executed using a token that does not allow listing containers. Relates #43288
diff --git a/plugins/repository-azure/src/main/java/org/elasticsearch/repositories/azure/AzureBlobStore.java b/plugins/repository-azure/src/main/java/org/elasticsearch/repositories/azure/AzureBlobStore.java
@@ -68,6 +68,10 @@ public String toString() {
         return container;
     }
 
+    public AzureStorageService getService() {
+        return service;
+    }
+
     /**
      * Gets the configured {@link LocationMode} for the Azure storage requests.
      */
diff --git a/plugins/repository-azure/src/test/java/org/elasticsearch/repositories/azure/AzureStorageCleanupThirdPartyTests.java b/plugins/repository-azure/src/test/java/org/elasticsearch/repositories/azure/AzureStorageCleanupThirdPartyTests.java
@@ -19,15 +19,25 @@
 
 package org.elasticsearch.repositories.azure;
 
+import com.microsoft.azure.storage.OperationContext;
+import com.microsoft.azure.storage.StorageException;
+import com.microsoft.azure.storage.blob.CloudBlobClient;
+import com.microsoft.azure.storage.blob.CloudBlobContainer;
+import org.elasticsearch.action.ActionRunnable;
+import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.action.support.master.AcknowledgedResponse;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.SecureSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.repositories.AbstractThirdPartyRepositoryTestCase;
+import org.elasticsearch.repositories.blobstore.BlobStoreRepository;
 
+import java.net.HttpURLConnection;
 import java.util.Collection;
+import java.util.function.Supplier;
 
 import static org.hamcrest.Matchers.blankOrNullString;
 import static org.hamcrest.Matchers.equalTo;
@@ -71,5 +81,32 @@ protected void createRepository(String repoName) {
                 .put("base_path", System.getProperty("test.azure.base"))
             ).get();
         assertThat(putRepositoryResponse.isAcknowledged(), equalTo(true));
+        if (Strings.hasText(System.getProperty("test.azure.sas_token"))) {
+            ensureSasTokenPermissions();
+        }
+    }
+
+    private void ensureSasTokenPermissions() {
+        final BlobStoreRepository repository = getRepository();
+        final PlainActionFuture<Void> future = PlainActionFuture.newFuture();
+        repository.threadPool().generic().execute(ActionRunnable.wrap(future, l -> {
+            final AzureBlobStore blobStore = (AzureBlobStore) repository.blobStore();
+            final String account = "default";
+            final Tuple<CloudBlobClient, Supplier<OperationContext>> client = blobStore.getService().client(account);
+            final CloudBlobContainer blobContainer = client.v1().getContainerReference(blobStore.toString());
+            try {
+                SocketAccess.doPrivilegedException(() -> blobContainer.exists(null, null, client.v2().get()));
+                future.onFailure(new RuntimeException(
+                    "The SAS token used in this test allowed for checking container existence. This test only supports tokens " +
+                        "that grant only the documented permission requirements for the Azure repository plugin."));
+            } catch (StorageException e) {
+                if (e.getHttpStatusCode() == HttpURLConnection.HTTP_FORBIDDEN) {
+                    future.onResponse(null);
+                } else {
+                    future.onFailure(e);
+                }
+            }
+        }));
+        future.actionGet();
     }
 }
diff --git a/test/framework/src/main/java/org/elasticsearch/repositories/AbstractThirdPartyRepositoryTestCase.java b/test/framework/src/main/java/org/elasticsearch/repositories/AbstractThirdPartyRepositoryTestCase.java
@@ -302,7 +302,7 @@ protected void doRun() throws Exception {
         return future.actionGet();
     }
 
-    private BlobStoreRepository getRepository() {
+    protected BlobStoreRepository getRepository() {
         return (BlobStoreRepository) getInstanceFromNode(RepositoriesService.class).repository("test-repo");
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -302,7 +302,7 @@ protected void doRun() throws Exception {`
`302`	`302`	`return future.actionGet();`
`303`	`303`	`}`
`304`	`304`
`305`		`- private BlobStoreRepository getRepository() {`
	`305`	`+ protected BlobStoreRepository getRepository() {`
`306`	`306`	`return (BlobStoreRepository) getInstanceFromNode(RepositoriesService.class).repository("test-repo");`
`307`	`307`	`}`
`308`	`308`	`}`