
Commit f762c6b

authored
Add explicit test for DLS with OIDC metadata (#60030)
When a user authenticates via OpenID Connect we copy information from the OIDC claims into the user's metadata in a particular format. This commit adds a test that metadata in that format can be used in a mustache template for Document Level Security.
1 parent f3403fa commit f762c6b


1 file changed

+21
-0
lines changed


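--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java
@@ -14,6 +14,7 @@
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.script.ScriptType;
 import org.elasticsearch.script.TemplateScript;
+import org.elasticsearch.script.mustache.MustacheScriptEngine;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.junit.Before;
@@ -25,6 +26,7 @@
 import java.util.Map;
 
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
+import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.sameInstance;
 import static org.mockito.Matchers.any;
@@ -80,7 +82,26 @@ public String execute() {
 userModel.put("roles", Arrays.asList(user.roles()));
 userModel.put("metadata", user.metadata());
 assertThat(usedScript.getParams().get("_user"), equalTo(userModel));
+}
+
+public void testDocLevelSecurityTemplateWithOpenIdConnectStyleMetadata() throws Exception {
+User user = new User(randomAlphaOfLength(8), generateRandomStringArray(5, 5, false), randomAlphaOfLength(9), "[email protected]",
+Map.of("oidc(email)", "[email protected]"), true);
+
+final MustacheScriptEngine mustache = new MustacheScriptEngine();
+
+when(scriptService.compile(any(Script.class), eq(TemplateScript.CONTEXT))).thenAnswer(inv -> {
+assertThat(inv.getArguments(), arrayWithSize(2));
+Script script = (Script) inv.getArguments()[0];
+TemplateScript.Factory factory = mustache.compile(
+script.getIdOrCode(), script.getIdOrCode(), TemplateScript.CONTEXT, script.getOptions());
+return factory;
+});
+
+String template = "{ \"template\" : { \"source\" : {\"term\":{\"field\":\"{{_user.metadata.oidc(email)}}\"}} } }";
 
+String evaluated = SecurityQueryTemplateEvaluator.evaluateTemplate(template, scriptService, user);
+assertThat(evaluated, equalTo("{\"term\":{\"field\":\"[email protected]\"}}"));
 }
 
 public void testSkipTemplating() throws Exception {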
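Review bot: The metadata key `oidc(email)` and the template path `{{_user.metadata.oidc(email)}}` are the whole point of `testDocLevelSecurityTemplateWithOpenIdConnectStyleMetadata`, yet nothing in the method says why the key has that shape; a comment above the `User` construction, `// OIDC realm stores claims in user metadata under keys of the form "oidc(<claim>)"; check such a key resolves from a DLS template`, would keep the intent readable if the realm format or the test name changes. The only metadata value exercised is a plain address, so the assertion on `evaluated` never covers a value containing a double quote or backslash, which is precisely the case where the rendered term query would stop being well-formed JSON unless the engine escapes it; a second `Map.of("oidc(email)", ...)` case asserting the escaped output would pin down that the DLS query cannot be reshaped by an attribute value. In the `thenAnswer` lambda the `factory` local is used once and can be inlined into `return mustache.compile(...)`. The enclosing test class continues outside the hunk.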
