Remove remaining type and String type
Signed-off-by: cliu123 <lc12251109@gmail.com>
cliu123 committed Apr 1, 2022
1 parent 7e0888d commit 69bdefe
Showing 10 changed files with 63 additions and 64 deletions.
Expand Up @@ -175,7 +175,7 @@ public void close() throws IOException {

public boolean doStore(final AuditMessage msg) {
try {
boolean successful = client.index(msg.toString(), getExpandedIndexName(indexPattern, index), type, true);
boolean successful = client.index(msg.toString(), getExpandedIndexName(indexPattern, index), true);
if (!successful) {
log.error("Unable to send audit log {} to one of these servers: {}", msg, servers);
}
Expand Up @@ -132,7 +132,7 @@ public void noData(String id) {
//when index was created with ES 6 there are no separate tenants. So we load just empty ones.
//when index was created with ES 7 and type not "security" (ES 6 type) there are no rolemappings anymore.
if(cs.state().metadata().index(securityIndex).getCreationVersion().before(LegacyESVersion.V_7_0_0)) {
//created with SG 6
//created with ES 6
//skip tenants

if (isDebugEnabled) {
Expand Up @@ -305,7 +305,6 @@ protected void saveAnUpdateConfigs(final Client client, final RestRequest reques
final SecurityDynamicConfiguration<?> configuration, OnSucessActionListener<IndexResponse> actionListener) {
final IndexRequest ir = new IndexRequest(this.opendistroIndex);

//final String type = "_doc";
final String id = cType.toLCString();

configuration.removeStatic();
Expand Up @@ -187,7 +187,7 @@ public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpCli
rclient = new RestHighLevelClient(builder);
}

public boolean index(final String content, final String index, final String type, final boolean refresh) {
public boolean index(final String content, final String index, final boolean refresh) {

try {

Expand Up @@ -199,11 +199,11 @@ protected void checkGeneralAccess(int status, String username, String password)
rh.sendAdminCertificate = sendAdminCertificate;
}

protected String checkReadAccess(int status, String username, String password, String indexName, String type,
int id) throws Exception {
protected String checkReadAccess(int status, String username, String password, String indexName,
int id) throws Exception {
boolean sendAdminCertificate = rh.sendAdminCertificate;
rh.sendAdminCertificate = false;
String action = indexName + "/" + type + "/" + id;
String action = indexName + "/" + id;
HttpResponse response = rh.executeGetRequest(action,
encodeBasicHeader(username, password));
int returnedStatus = response.getStatusCode();
Expand All @@ -213,12 +213,12 @@ protected String checkReadAccess(int status, String username, String password, S

}

protected String checkWriteAccess(int status, String username, String password, String indexName, String type,
int id) throws Exception {
protected String checkWriteAccess(int status, String username, String password, String indexName,
int id) throws Exception {

boolean sendAdminCertificate = rh.sendAdminCertificate;
rh.sendAdminCertificate = false;
String action = indexName + "/" + type + "/" + id;
String action = indexName + "/" + id;
String payload = "{\"value\" : \"true\"}";
HttpResponse response = rh.executePutRequest(action, payload,
encodeBasicHeader(username, password));
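Review bot: Dropping the path segment outright in `String action = indexName + "/" + id;` (in both checkReadAccess and checkWriteAccess) changes the request path from `sf/_doc/0` to `sf/0`, which is not the typeless document endpoint; in the typeless API `_doc` is a fixed path element, not a mapping type. If the cluster has no route for `{index}/{id}`, the returned status would come from request routing rather than from the permission evaluation these helpers exist to assert, so the 200/403 expectations in the callers would stop proving anything about read and write privileges. Keeping the new signature but building `String action = indexName + "/_doc/" + id;` preserves the authorization coverage. Both method bodies continue outside the visible lines, so the status comparison itself is not shown here.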
Expand Up @@ -102,10 +102,10 @@ public void testActionGroupsApi() throws Exception {

// add user picard, role starfleet, maps to opendistro_security_role_starfleet
addUserWithPassword("picard", "picard", new String[] { "starfleet" }, HttpStatus.SC_CREATED);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);
// TODO: only one doctype allowed for ES6
// checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "public", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);
// TODO: only one doctype allowed for ES6
//checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "public", 0);

Expand All @@ -123,22 +123,22 @@ public void testActionGroupsApi() throws Exception {
Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());

rh.sendAdminCertificate = false;
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);

// put picard in captains role. Role opendistro_security_role_captains uses the CRUD_UT
// action group
// which uses READ_UT and WRITE action groups. We removed READ_UT, so only
// WRITE is possible
addUserWithPassword("picard", "picard", new String[] { "captains" }, HttpStatus.SC_OK);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);

// now remove also CRUD_UT groups, write also not possible anymore
rh.sendAdminCertificate = true;
response = rh.executeDeleteRequest(ENDPOINT+"/CRUD_UT", new Header[0]);
rh.sendAdminCertificate = false;
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);

// -- PUT

Expand All @@ -162,8 +162,8 @@ public void testActionGroupsApi() throws Exception {
rh.sendAdminCertificate = false;

// write access allowed again, read forbidden, since READ_UT group is still missing
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);

// restore READ_UT action groups
rh.sendAdminCertificate = true;
Expand All @@ -172,8 +172,8 @@ public void testActionGroupsApi() throws Exception {

rh.sendAdminCertificate = false;
// read/write allowed again
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);

// -- PUT, new JSON format including readonly flag, disallowed in REST API
rh.sendAdminCertificate = true;
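Review bot: The commented-out calls left under the `// TODO: only one doctype allowed for ES6` markers in testActionGroupsApi still use the removed six-argument form with a `"public"` type, so they can no longer be re-enabled as written and describe a permission case the helper cannot express any more. Either delete them or, if per-type permissions are gone for good, replace them with a comment such as `// access is checked per index only; there is no per-type case left to test`. The same leftovers appear in testRolesMappingApi (the commented `checkWriteAccess(..., "sf", "_doc", 1)` lines and `// public, but not to _doc`), in testRolesApi (`// _doc:` followed by `// - 'indices:*'`) and in testUserApi (`// check read access to starfleet index and _doc type, must fail`). In tests whose purpose is to document the expected authorization outcome, stale comments make it harder to tell which 200/403 results are intended.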
Expand Up @@ -176,8 +176,8 @@ public void testRolesApi() throws Exception {

// add user picard, role starfleet, maps to opendistro_security_role_starfleet
addUserWithPassword("picard", "picard", new String[] { "starfleet", "captains" }, HttpStatus.SC_CREATED);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);


// -- DELETE
Expand All @@ -204,18 +204,18 @@ public void testRolesApi() throws Exception {
rh.sendAdminCertificate = false;

// user has only role starfleet left, role has READ access only
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 1);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 1);

// ES7 only supports one doc type, but OpenSearch permission checks run first
// So we also get a 403 FORBIDDEN when tring to add new document type
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);

rh.sendAdminCertificate = true;
// remove also starfleet role, nothing is allowed anymore
response = rh.executeDeleteRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet", new Header[0]);
Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);

// -- PUT
// put with empty roles, must fail
Expand Down Expand Up @@ -265,14 +265,14 @@ public void testRolesApi() throws Exception {
FileHelper.loadFile("restapi/roles_starfleet.json"), new Header[0]);
Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
rh.sendAdminCertificate = false;
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);

// now picard is only in opendistro_security_role_starfleet, which has write access to
// all indices. We collapse all document types in ODFE7 so this permission in the
// starfleet role grants all permissions:
// _doc:
// - 'indices:*'
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);

rh.sendAdminCertificate = true;

Expand All @@ -281,8 +281,8 @@ public void testRolesApi() throws Exception {
FileHelper.loadFile("restapi/roles_captains.json"), new Header[0]);
Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
rh.sendAdminCertificate = false;
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);

rh.sendAdminCertificate = true;
response = rh.executePutRequest(ENDPOINT + "/roles/opendistro_security_role_starfleet_captains",
Expand Up @@ -112,7 +112,7 @@ public void testRolesMappingApi() throws Exception {
// add user picard, role captains initially maps to
// opendistro_security_role_starfleet_captains and opendistro_security_role_starfleet
addUserWithPassword("picard", "picard", new String[] { "captains" }, HttpStatus.SC_CREATED);
checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1);
checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", 1);

// TODO: only one doctype allowed for ES6
//checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1);
Expand Down Expand Up @@ -143,7 +143,7 @@ public void testRolesMappingApi() throws Exception {

// now picard is only in opendistro_security_role_starfleet, which has write access to
// public, but not to _doc
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 1);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 1);

// TODO: only one doctype allowed for ES6
// checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 1);
Expand Down Expand Up @@ -339,16 +339,16 @@ public void testRolesMappingApi() throws Exception {

private void checkAllSfAllowed() throws Exception {
rh.sendAdminCertificate = false;
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 1);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 1);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 1);
checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 1);
// ES7 only supports one doc type, so trying to create a second one leads to 400 BAD REQUEST
checkWriteAccess(HttpStatus.SC_BAD_REQUEST, "picard", "picard", "sf", "public", 1);
checkWriteAccess(HttpStatus.SC_BAD_REQUEST, "picard", "picard", "sf", 1);
}

private void checkAllSfForbidden() throws Exception {
rh.sendAdminCertificate = false;
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 1);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 1);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 1);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 1);
}

private HttpResponse deleteAndputNewMapping(String fileName) throws Exception {
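Review bot: In checkAllSfAllowed the last two write checks are now the identical request with contradictory expectations: `checkWriteAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 1);` is followed by `checkWriteAccess(HttpStatus.SC_BAD_REQUEST, "picard", "picard", "sf", 1);`. The second call used to target the `"public"` type and existed only to show that a second type is rejected; with the type argument gone it cannot return 400 for that reason, so it either fails or passes for a reason unrelated to the comment above it. Remove that call together with the `// ES7 only supports one doc type, so trying to create a second one leads to 400 BAD REQUEST` comment, so that the helper asserts only the allowed read and write it is named for.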
Expand Up @@ -390,19 +390,19 @@ public void testUserApi() throws Exception {
checkGeneralAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard");

// check read access to starfleet index and _doc type, must fail
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 0);
checkReadAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 0);

// overwrite user picard, and give him role "starfleet".
addUserWithPassword("picard", "picard", new String[]{"starfleet"}, HttpStatus.SC_OK);

checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", "_doc", 1);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);
checkWriteAccess(HttpStatus.SC_FORBIDDEN, "picard", "picard", "sf", 1);

// overwrite user picard, and give him role "starfleet" plus "captains. Now
// document can be created.
addUserWithPassword("picard", "picard", new String[]{"starfleet", "captains"}, HttpStatus.SC_OK);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", "_doc", 0);
checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", "_doc", 1);
checkReadAccess(HttpStatus.SC_OK, "picard", "picard", "sf", 0);
checkWriteAccess(HttpStatus.SC_CREATED, "picard", "picard", "sf", 1);

rh.sendAdminCertificate = true;
response = rh.executeGetRequest(ENDPOINT + "/internalusers/picard", new Header[0]);
Expand Up @@ -44,31 +44,31 @@ public void testPlainConnection() throws Exception {

try(final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost+":"+clusterInfo.httpPort)
.setBasicCredentials("admin", "admin").build()) {
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
}

try(final HttpClient httpClient = HttpClient.builder("unknownhost:6654")
.setBasicCredentials("admin", "admin").build()) {
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", false));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", false));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", true));
}

try(final HttpClient httpClient = HttpClient.builder("unknownhost:6654", clusterInfo.httpHost+":"+clusterInfo.httpPort)
.enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks","changeit"), false)
.setBasicCredentials("admin", "admin").build()) {
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", false));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", false));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", true));
}

try(final HttpClient httpClient = HttpClient.builder("unknownhost:6654", clusterInfo.httpHost+":"+clusterInfo.httpPort)
.setBasicCredentials("admin", "admin").build()) {
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
}

}
Expand All @@ -91,16 +91,16 @@ public void testSslConnection() throws Exception {
try(final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost+":"+clusterInfo.httpPort)
.enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks","changeit"), false)
.setBasicCredentials("admin", "admin").build()) {
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
}

try(final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost+":"+clusterInfo.httpPort)
.setBasicCredentials("admin", "admin").build()) {
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", false));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", false));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", true));
Assert.assertFalse(httpClient.index("{\"a\":5}", "index", true));
}

}
Expand All @@ -125,9 +125,9 @@ public void testSslConnectionPKIAuth() throws Exception {
.enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks","changeit"), false)
.setPkiCredentials(FileHelper.getKeystoreFromClassPath("auditlog/spock-keystore.jks", "changeit"), "changeit".toCharArray(), null)
.build()) {
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", "type", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", false));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
Assert.assertTrue(httpClient.index("{\"a\":5}", "index", true));
}

}