diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 22c272065d..33e3365d78 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -1041,6 +1041,8 @@ public List> getSettings() { settings.add(Setting.listSetting(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here settings.add(Setting.groupSetting(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Property.NodeScope)); + settings.add(Setting.boolSetting(ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED, false, Property.NodeScope, Property.Filtered)); + settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Property.NodeScope, Property.Filtered)); settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Property.NodeScope, Property.Filtered)); @@ -1192,6 +1194,7 @@ public static class GuiceHolder implements LifecycleComponent { private static RepositoriesService repositoriesService; private static RemoteClusterService remoteClusterService; private static IndicesService indicesService; + private static PitService pitService; private static ExtensionsManager extensionsManager; diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java index 26fcef3b3e..a73b174ee2 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java 
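Review bot: The `SECURITY_RESTAPI_ADMIN_ENABLED` registration in `getSettings()` has no comment explaining that it defaults to `false` and is `Property.NodeScope` only, which matters because the evaluator change later in this diff ANDs the flag into the access decision. After an upgrade, roles that already rely on REST admin permissions stop being honoured until the setting is turned on. Since each node reads its own value, nodes configured differently would presumably give different answers for the same user. I would add a comment on the line, e.g. `// opt-in, default false: REST admin permissions are ignored unless enabled on every node`, and mention the upgrade impact in the release notes.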
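Review bot: The `private static PitService pitService;` field added to `GuiceHolder` is not assigned or read anywhere in the visible diff and looks unrelated to the REST admin flag this commit introduces. If it is a backport artefact, it belongs in its own commit so the security change stays easy to audit. If it is needed here, the place where it is injected should be part of the same change. `GuiceHolder`'s body continues outside the hunk.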
@@ -66,6 +66,8 @@ import org.opensearch.security.user.User; import org.opensearch.threadpool.ThreadPool; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; + public abstract class AbstractApiAction extends BaseRestHandler { protected final Logger log = LogManager.getLogger(this.getClass()); @@ -94,7 +96,9 @@ protected AbstractApiAction(final Settings settings, final Path configPath, fina this.restApiPrivilegesEvaluator = new RestApiPrivilegesEvaluator(settings, adminDNs, evaluator, principalExtractor, configPath, threadPool); this.restApiAdminPrivilegesEvaluator = - new RestApiAdminPrivilegesEvaluator(threadPool.getThreadContext(), evaluator, adminDNs); + new RestApiAdminPrivilegesEvaluator( + threadPool.getThreadContext(), evaluator, adminDNs, + settings.getAsBoolean(SECURITY_RESTAPI_ADMIN_ENABLED, false)); this.auditLog = auditLog; } diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java index c3449e99bb..c8e44ee4ca 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java @@ -29,6 +29,8 @@ import org.opensearch.security.support.WildcardMatcher; import org.opensearch.security.user.User; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; + public class RestApiAdminPrivilegesEvaluator { protected final Logger logger = LogManager.getLogger(RestApiAdminPrivilegesEvaluator.class); 
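Review bot: `settings.getAsBoolean(SECURITY_RESTAPI_ADMIN_ENABLED, false)` in the `AbstractApiAction` constructor repeats the default already passed to `Setting.boolSetting(...)` in `OpenSearchSecurityPlugin.getSettings()`, so the fail-closed default now lives in two places that can drift apart. Declaring one `Setting<Boolean>` constant and using it for both registration and lookup would keep a single source of truth. If that refactor is out of scope, a comment here such as `// default must stay false: REST admin permissions are opt-in` would at least record the intent. The constructor starts outside the hunk.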
@@ -85,13 +87,17 @@ default String build() { private final AdminDNs adminDNs; + private final boolean restapiAdminEnabled; + public RestApiAdminPrivilegesEvaluator( final ThreadContext threadContext, final PrivilegesEvaluator privilegesEvaluator, - final AdminDNs adminDNs) { + final AdminDNs adminDNs, + final boolean restapiAdminEnabled) { this.threadContext = threadContext; this.privilegesEvaluator = privilegesEvaluator; this.adminDNs = adminDNs; + this.restapiAdminEnabled = restapiAdminEnabled; } public boolean isCurrentUserRestApiAdminFor(final Endpoint endpoint, final String action) { @@ -108,20 +114,31 @@ public boolean isCurrentUserRestApiAdminFor(final Endpoint endpoint, final Strin return true; } if (!ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint)) { - if (logger.isDebugEnabled()) { - logger.debug("No permission found for {} endpoint", endpoint); - } + logger.debug("No permission found for {} endpoint", endpoint); return false; } final String permission = ENDPOINTS_WITH_PERMISSIONS.get(endpoint).build(action); - if (logger.isDebugEnabled()) { - logger.debug("Checking permission {} for endpoint {}", permission, endpoint); - } - return privilegesEvaluator.hasRestAdminPermissions( + final boolean hasAccess = privilegesEvaluator.hasRestAdminPermissions( userAndRemoteAddress.getLeft(), userAndRemoteAddress.getRight(), permission ); + if (logger.isDebugEnabled()) { + logger.debug( + "User {} with permission {} {} access to endpoint {}", + userAndRemoteAddress.getLeft().getName(), + permission, + hasAccess ? "has" : "has no", + endpoint + ); + logger.debug( + "{} set to {}. {} use access decision", + SECURITY_RESTAPI_ADMIN_ENABLED, + restapiAdminEnabled, + restapiAdminEnabled ? "Will" : "Will not" + ); + } + return hasAccess && restapiAdminEnabled; } public boolean containsRestApiAdminPermissions(final Object configObject) { 
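Review bot: In `isCurrentUserRestApiAdminFor` the flag is applied only in the final `return hasAccess && restapiAdminEnabled;`, so with the feature disabled the permission lookup still runs. The debug log then first reports that the user "has" access and only on the next line says the decision will not be used, which is easy to misread when reconstructing an access decision from logs. Testing the flag directly after the early `return true` branch, `if (!restapiAdminEnabled) { return false; }`, returns the same result without the lookup and keeps the log unambiguous. The new debug block also calls `userAndRemoteAddress.getLeft().getName()`; whether the user can be null there is decided above the hunk and should be confirmed. The method begins outside the hunk.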
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsAction.java index 4168bf4109..1c1fe9b815 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsAction.java @@ -72,8 +72,6 @@ public class SecuritySSLCertsAction extends AbstractApiAction { private final boolean certificatesReloadEnabled; - private final RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator; - private final boolean httpsEnabled; public SecuritySSLCertsAction(final Settings settings, @@ -91,8 +89,6 @@ public SecuritySSLCertsAction(final Settings settings, final boolean certificatesReloadEnabled) { super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, privilegesEvaluator, threadPool, auditLog); this.securityKeyStore = securityKeyStore; - this.restApiAdminPrivilegesEvaluator = - new RestApiAdminPrivilegesEvaluator(threadPool.getThreadContext(), privilegesEvaluator, adminDNs); this.certificatesReloadEnabled = certificatesReloadEnabled; this.httpsEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true); } diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java index abcb342561..c37da699c4 100644 --- a/src/main/java/org/opensearch/security/support/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java 
@@ -250,13 +250,13 @@ public enum RolesMappingResolution { public static final String SECURITY_DLS_MODE = "plugins.security.dls.mode"; // REST API public static final String SECURITY_RESTAPI_ROLES_ENABLED = "plugins.security.restapi.roles_enabled"; + public static final String SECURITY_RESTAPI_ADMIN_ENABLED = "plugins.security.restapi.admin.enabled"; public static final String SECURITY_RESTAPI_ENDPOINTS_DISABLED = "plugins.security.restapi.endpoints_disabled"; public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "plugins.security.restapi.password_validation_regex"; public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "plugins.security.restapi.password_validation_error_message"; public static final String SECURITY_RESTAPI_PASSWORD_MIN_LENGTH = "plugins.security.restapi.password_min_length"; public static final String SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH = "plugins.security.restapi.password_score_based_validation_strength"; - // Illegal Opcodes from here on public static final String SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "plugins.security.unsupported.disable_rest_auth_initially"; public static final String SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = "plugins.security.unsupported.disable_intertransport_auth_initially"; public static final String SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY = "plugins.security.unsupported.passive_intertransport_auth_initially"; diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java index d2df19997d..fc6fb6036c 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java 
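Review bot: The new key `plugins.security.restapi.admin.enabled` uses a dotted `admin.enabled` suffix while the neighbouring REST API keys use underscores (`roles_enabled`, `endpoints_disabled`), and the constant has no comment saying what it gates. A line such as `// opt-in switch for REST admin permissions (see RestApiAdminPrivilegesEvaluator); default false` would help operators and reviewers. The hunk also deletes `// Illegal Opcodes from here on`, which marked the start of the `unsupported` settings; that removal is unrelated to this change and leaves the risky block unlabelled.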
@@ -29,6 +29,7 @@ import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; public class ActionGroupsApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; @@ -363,7 +364,7 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert @Test public void testActionGroupsApiForRestAdmin() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; // create index setupStarfleetIndex(); @@ -381,7 +382,7 @@ public void testActionGroupsApiForRestAdmin() throws Exception { @Test public void testActionGroupsApiForActionGroupsRestApiAdmin() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; // create index setupStarfleetIndex(); @@ -399,7 +400,7 @@ public void testActionGroupsApiForActionGroupsRestApiAdmin() throws Exception { @Test public void testCreateActionGroupWithRestAdminPermissionsForbidden() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); final Header restApiAdminActionGroupsHeader = encodeBasicHeader("rest_api_admin_actiongroups", "rest_api_admin_actiongroups"); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java index a4a121bc06..0b08b7fa3c 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java 
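Review bot: No test in the visible `ActionGroupsApiTest` hunks covers the default, disabled state. Each REST-admin test now opts in with `Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()`, but nothing asserts that the same `rest_api_admin_*` users are refused when the setting is left unset. The same gap applies to the AllowlistApiTest, NodesDnApiTest, RolesApiTest, RolesMappingApiTest and UserApiTest hunks; only SslCertsApiTest asserts `SC_FORBIDDEN` with the flag off. Because the default is the security-relevant path, one negative test per API would protect it from regressions. The repeated builder expression could also move into a shared setup helper in `AbstractRestApiUnitTest`.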
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java @@ -37,6 +37,7 @@ import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; /** * Testing class to verify that {@link AllowlistApiAction} works correctly. @@ -158,7 +159,7 @@ public void testAllowlistApi() throws Exception { @Test public void testAllowlistApiWithPermissions() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); final Header restApiAllowlistHeader = encodeBasicHeader("rest_api_admin_allowlist", "rest_api_admin_allowlist"); @@ -170,7 +171,7 @@ public void testAllowlistApiWithPermissions() throws Exception { @Test public void testAllowlistApiWithAllowListPermissions() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiAllowlistHeader = encodeBasicHeader("rest_api_admin_allowlist", "rest_api_admin_allowlist"); final Header restApiUserHeader = encodeBasicHeader("test", "test"); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java index ca73e7b527..1f853d117a 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java 
@@ -37,6 +37,7 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; public class NodesDnApiTest extends AbstractRestApiUnitTest { private HttpResponse response; @@ -184,7 +185,10 @@ public void testNodesDnApi() throws Exception { @Test public void testNodesDnApiWithPermissions() throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) + Settings settings = + Settings.builder() + .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) + .put(SECURITY_RESTAPI_ADMIN_ENABLED, true) .build(); setupWithRestRoles(settings); final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java index 06858c685b..4be90cda72 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java @@ -31,6 +31,7 @@ import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; public class RolesApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; 
@@ -77,15 +78,17 @@ public void testAllRolesForSuperAdmin() throws Exception { @Test public void testAllRolesForRestAdmin() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); + rh.sendAdminCertificate = false; checkSuperAdminRoles(new Header[]{restApiAdminHeader}); } @Test public void testAllRolesForRolesRestAdmin() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiAdminRolesHeader = encodeBasicHeader("rest_api_admin_roles", "rest_api_admin_roles"); + rh.sendAdminCertificate = false; checkSuperAdminRoles(new Header[]{restApiAdminRolesHeader}); } @@ -520,7 +523,7 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean sendAdminCert @Test public void testRolesApiWithAllRestApiPermissions() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); @@ -540,7 +543,7 @@ public void testRolesApiWithAllRestApiPermissions() throws Exception { @Test public void testRolesApiWithRestApiRolePermission() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); final Header restApiRolesHeader = encodeBasicHeader("rest_api_admin_roles", "rest_api_admin_roles"); 
@@ -561,7 +564,7 @@ public void testRolesApiWithRestApiRolePermission() throws Exception { @Test public void testCreateOrUpdateRestApiAdminRoleForbiddenForNonSuperAdmin() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); @@ -633,7 +636,7 @@ public void testCreateOrUpdateRestApiAdminRoleForbiddenForNonSuperAdmin() throws @Test public void testDeleteRestApiAdminRoleForbiddenForNonSuperAdmin() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java index ee7a3a6cf5..729afe1c54 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java @@ -29,6 +29,7 @@ import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; public class RolesMappingApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; 
@@ -98,7 +99,7 @@ public void testRolesMappingApi() throws Exception { @Test public void testRolesMappingApiWithFullPermissions() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); @@ -466,7 +467,7 @@ void verifyNonSuperAdminUser(final Header[] header) throws Exception { @Test public void testChangeRestApiAdminRoleMappingForbiddenForNonSuperAdmin() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java index e2b649770a..ecd5512ce0 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java @@ -28,6 +28,7 @@ import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; public class SslCertsApiTest extends AbstractRestApiUnitTest { @@ -83,9 +84,7 @@ public String certsReloadEndpoint(final String certType) { return String.format("%s/api/ssl/%s/reloadcerts", PLUGINS_PREFIX, certType); } - @Test - public void testCertsInfo() throws Exception { - setupWithRestRoles(); + private void verifyHasNoAccess() throws Exception { final Header adminCredsHeader = encodeBasicHeader("admin", "admin"); // No creds, no admin certificate - UNAUTHORIZED rh.sendAdminCertificate = false; 
@@ -96,17 +95,28 @@ public void testCertsInfo() throws Exception { response = rh.executeGetRequest(certsInfoEndpoint(), adminCredsHeader); Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode()); + response = rh.executeGetRequest(certsInfoEndpoint(), restApiHeader); + Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode()); + } + + @Test + public void testCertsInfo() throws Exception { + setup(); + verifyHasNoAccess(); sendAdminCert(); - response = rh.executeGetRequest(certsInfoEndpoint()); + HttpResponse response = rh.executeGetRequest(certsInfoEndpoint()); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Assert.assertEquals(EXPECTED_CERTIFICATES_BY_TYPE, response.getBody()); + } + + @Test + public void testCertsInfoRestAdmin() throws Exception { + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); + verifyHasNoAccess(); rh.sendAdminCertificate = false; Assert.assertEquals(EXPECTED_CERTIFICATES_BY_TYPE, loadCerts(restApiAdminHeader)); Assert.assertEquals(EXPECTED_CERTIFICATES_BY_TYPE, loadCerts(restApiCertsInfoAdminHeader)); - - response = rh.executeGetRequest(certsInfoEndpoint(), restApiHeader); - Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode()); } private String loadCerts(final Header... header) throws Exception { 
@@ -120,23 +130,18 @@ public void testReloadCertsNotAvailableByDefault() throws Exception { setupWithRestRoles(); sendAdminCert(); - verifyReloadCertsNotAvailable(); + verifyReloadCertsNotAvailable(HttpStatus.SC_BAD_REQUEST); rh.sendAdminCertificate = false; - verifyReloadCertsNotAvailable(restApiAdminHeader); - verifyReloadCertsNotAvailable(restApiReloadCertsAdminHeader); - - HttpResponse response = rh.executePutRequest(certsReloadEndpoint(HTTP_CERTS), "{}", restApiHeader); - Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - response = rh.executePutRequest(certsReloadEndpoint(TRANSPORT_CERTS), "{}", restApiHeader); - Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode()); + verifyReloadCertsNotAvailable(HttpStatus.SC_FORBIDDEN, restApiAdminHeader); + verifyReloadCertsNotAvailable(HttpStatus.SC_FORBIDDEN, restApiReloadCertsAdminHeader); } - private void verifyReloadCertsNotAvailable(final Header... header) { + private void verifyReloadCertsNotAvailable(final int expectedStatus, final Header... header) { HttpResponse response = rh.executePutRequest(certsReloadEndpoint(HTTP_CERTS), "{}", header); - Assert.assertEquals(response.getBody(), HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); + Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode()); response = rh.executePutRequest(certsReloadEndpoint(TRANSPORT_CERTS), "{}", header); - Assert.assertEquals(response.getBody(), HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); + Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode()); } @Test @@ -154,12 +159,6 @@ public void testReloadCertsWrongCertsType() throws Exception { } - @Test - public void testReloadCerts() throws Exception { - setupWithRestRoles(reloadEnabled()); - } - - private void sendAdminCert() { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; 
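Review bot: `testReloadCertsNotAvailableByDefault` loses two checks in this hunk: the plain REST API user (`restApiHeader`) being refused on both reload endpoints, and REST admin users receiving `SC_BAD_REQUEST` when reload is disabled. The `SC_FORBIDDEN` now asserted for `restApiAdminHeader` and `restApiReloadCertsAdminHeader` presumably comes from the admin flag being unset rather than from reload being disabled, so the test name no longer describes what is verified. I would keep `verifyReloadCertsNotAvailable(HttpStatus.SC_FORBIDDEN, restApiHeader);` and add a variant that enables `SECURITY_RESTAPI_ADMIN_ENABLED` and expects `SC_BAD_REQUEST` for the REST admin users, so both switches are tested independently.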
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java index c778a8f8f7..753940a4e6 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java @@ -35,6 +35,7 @@ import static org.hamcrest.Matchers.equalTo; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; import static org.opensearch.security.dlic.rest.api.InternalUsersApiAction.RESTRICTED_FROM_USERNAME; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; public class UserApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; @@ -528,7 +529,7 @@ private void verifyRoles(final boolean sendAdminCert, Header... header) throws E @Test public void testUserApiWithRestAdminPermissions() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"); // initial configuration @@ -546,7 +547,7 @@ public void testUserApiWithRestAdminPermissions() throws Exception { @Test public void testUserApiWithRestInternalUsersAdminPermissions() throws Exception { - setupWithRestRoles(); + setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()); rh.sendAdminCertificate = false; final Header restApiInternalUsersAdminHeader = encodeBasicHeader("rest_api_admin_internalusers", "rest_api_admin_internalusers"); // initial configuration