Add explicit test for DLS with OIDC metadata (#60030)

tvernum · web-flow · commit f762c6b36b94 · 2020-07-31T14:00:10.000+10:00
When a user authenticates via OpenID Connect we copy information from
the OIDC claims into the user's metadata in a particular format.

This commit adds a test that metadata in that format can be used in a
mustache template for Document Level Security.
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java
@@ -14,6 +14,7 @@
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.script.ScriptType;
 import org.elasticsearch.script.TemplateScript;
+import org.elasticsearch.script.mustache.MustacheScriptEngine;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.junit.Before;
@@ -25,6 +26,7 @@
 import java.util.Map;
 
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
+import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.sameInstance;
 import static org.mockito.Matchers.any;
@@ -80,7 +82,26 @@ public String execute() {
         userModel.put("roles", Arrays.asList(user.roles()));
         userModel.put("metadata", user.metadata());
         assertThat(usedScript.getParams().get("_user"), equalTo(userModel));
+    }
+
+    public void testDocLevelSecurityTemplateWithOpenIdConnectStyleMetadata() throws Exception {
+        User user = new User(randomAlphaOfLength(8), generateRandomStringArray(5, 5, false), randomAlphaOfLength(9), "sample@example.com",
+            Map.of("oidc(email)", "sample@example.com"), true);
+
+        final MustacheScriptEngine mustache = new MustacheScriptEngine();
+
+        when(scriptService.compile(any(Script.class), eq(TemplateScript.CONTEXT))).thenAnswer(inv -> {
+            assertThat(inv.getArguments(), arrayWithSize(2));
+            Script script = (Script) inv.getArguments()[0];
+            TemplateScript.Factory factory = mustache.compile(
+                script.getIdOrCode(), script.getIdOrCode(), TemplateScript.CONTEXT, script.getOptions());
+            return factory;
+        });
+
+        String template = "{ \"template\" : { \"source\" : {\"term\":{\"field\":\"{{_user.metadata.oidc(email)}}\"}} } }";
 
+        String evaluated = SecurityQueryTemplateEvaluator.evaluateTemplate(template, scriptService, user);
+        assertThat(evaluated, equalTo("{\"term\":{\"field\":\"sample@example.com\"}}"));
     }
 
     public void testSkipTemplating() throws Exception {
