Skip to content

Commit

Permalink
Remove HLRC from security integration tests (#91088)
Browse files Browse the repository at this point in the history 
Removed remaining usages of HLRC from security integration tests.

Relates to #83423
  • Loading branch information
@slobodanadamovic
slobodanadamovic committed Nov 1, 2022
1 parent 87268db commit 6f4cee4
Show file tree
Hide file tree
Showing 15 changed files with 301 additions and 297 deletions.
1 change: 0 additions & 1 deletion ...a/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,6 @@
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.greaterThanOrEqualTo;

@SuppressWarnings("removal")
public class PermissionsIT extends ESRestTestCase {

private static final String jsonDoc = """
Expand Down
12 changes: 0 additions & 12 deletions ...c/src/javaRestTest/java/org/elasticsearch/xpack/security/SecurityInBasicRestTestCase.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,17 +7,12 @@

package org.elasticsearch.xpack.security;

import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.test.rest.ESRestTestCase;

import java.util.List;

@SuppressWarnings("removal")
public abstract class SecurityInBasicRestTestCase extends ESRestTestCase {
private RestHighLevelClient highLevelAdminClient;

@Override
protected Settings restAdminSettings() {
Expand All @@ -31,11 +26,4 @@ protected Settings restClientSettings() {
return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build();
}

private RestHighLevelClient getHighLevelAdminClient() {
if (highLevelAdminClient == null) {
highLevelAdminClient = new RestHighLevelClient(adminClient(), ignore -> {}, List.of()) {
};
}
return highLevelAdminClient;
}
}
1 change: 0 additions & 1 deletion .../javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@
import static org.hamcrest.Matchers.instanceOf;
import static org.hamcrest.Matchers.not;

@SuppressWarnings("removal")
public abstract class SecurityRealmSmokeTestCase extends ESRestTestCase {

private static Path httpCAPath;
Expand Down
3 changes: 0 additions & 3 deletions ...rity/src/internalClusterTest/java/org/elasticsearch/integration/ClearRolesCacheTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@

import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.test.NativeRealmIntegTestCase;
import org.elasticsearch.test.TestSecurityClient;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
Expand Down Expand Up @@ -36,7 +35,6 @@
/**
* Test for the clear roles API
*/
@SuppressWarnings("removal")
public class ClearRolesCacheTests extends NativeRealmIntegTestCase {

private static String[] roles;
Expand Down Expand Up @@ -88,7 +86,6 @@ protected boolean addMockHttpTransport() {

public void testModifyingViaApiClearsCache() throws Exception {
final TestSecurityClient securityClient = new TestSecurityClient(getRestClient(), SECURITY_REQUEST_OPTIONS);
final RestHighLevelClient restClient = new TestRestHighLevelClient();
int modifiedRolesCount = randomIntBetween(1, roles.length);
List<String> toModify = randomSubsetOf(modifiedRolesCount, roles);
logger.debug("--> modifying roles {} to have run_as", toModify);
Expand Down
1 change: 0 additions & 1 deletion ...ecurity/src/internalClusterTest/java/org/elasticsearch/test/NativeRealmIntegTestCase.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@
/**
* Test case with method to handle the starting and stopping the stores for native users and roles
*/
@SuppressWarnings("removal")
public abstract class NativeRealmIntegTestCase extends SecurityIntegTestCase {

@Before
Expand Down
1 change: 0 additions & 1 deletion ...src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/ApiKeyIntegTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,6 @@
import static org.hamcrest.Matchers.not;
import static org.hamcrest.Matchers.nullValue;

@SuppressWarnings("removal")
public class ApiKeyIntegTests extends SecurityIntegTestCase {
private static final long DELETE_INTERVAL_MILLIS = 100L;
private static final int CRYPTO_THREAD_POOL_QUEUE_SIZE = 10;
Expand Down
146 changes: 90 additions & 56 deletions .../internalClusterTest/java/org/elasticsearch/xpack/security/authc/TokenAuthIntegTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,27 +6,21 @@
*/
package org.elasticsearch.xpack.security.authc;

import org.apache.directory.api.util.Strings;
import org.apache.http.client.methods.HttpPost;
import org.elasticsearch.Version;
import org.elasticsearch.action.admin.cluster.state.ClusterStateResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.Request;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.Response;
import org.elasticsearch.client.ResponseException;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.common.CheckedSupplier;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.test.SecuritySettingsSourceField;
Expand Down Expand Up @@ -71,7 +65,6 @@
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.notNullValue;

@SuppressWarnings("removal")
public class TokenAuthIntegTests extends SecurityIntegTestCase {

@Override
Expand Down Expand Up @@ -118,7 +111,6 @@ public void testTokenServiceBootstrapOnNodeJoin() throws Exception {
}

public void testExpiredTokensDeletedAfterExpiration() throws Exception {
final RestHighLevelClient restClient = new TestRestHighLevelClient();
OAuth2Token response = createToken(TEST_USER_NAME, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING);
final String accessToken = response.accessToken();
final String refreshToken = response.getRefreshToken();
Expand All @@ -130,24 +122,42 @@ public void testExpiredTokensDeletedAfterExpiration() throws Exception {
assertThat(invalidateResponse.errors(), empty());
AtomicReference<String> docId = new AtomicReference<>();
assertBusy(() -> {
SearchResponse searchResponse = restClient.search(
new SearchRequest(SecuritySystemIndices.SECURITY_TOKENS_ALIAS).source(
SearchSourceBuilder.searchSource().size(1).terminateAfter(1).query(QueryBuilders.termQuery("doc_type", "token"))
),
SECURITY_REQUEST_OPTIONS
);
assertThat(searchResponse.getHits().getTotalHits().value, equalTo(1L));
docId.set(searchResponse.getHits().getAt(0).getId());
Request searchRequest = new Request(HttpPost.METHOD_NAME, SecuritySystemIndices.SECURITY_TOKENS_ALIAS + "/_search");
searchRequest.setOptions(SECURITY_REQUEST_OPTIONS);
searchRequest.setJsonEntity("""
{
"query" : {
"term" : {
"doc_type" : "token"
}
},
"terminate_after" : 1,
"size" : 1
}
""");
Response searchResponse = getRestClient().performRequest(searchRequest);
ObjectPath path = ObjectPath.createFromResponse(searchResponse);
assertThat(path.evaluate("hits.total.value"), equalTo(1));
final List<Map<String, ?>> hits = path.evaluate("hits.hits");
final String id = ObjectPath.evaluate(hits.get(0), "_id");
assertThat(id, notNullValue());
docId.set(id);
});

// hack doc to modify the creation time to the day before
Instant yesterday = created.minus(36L, ChronoUnit.HOURS);
assertTrue(Instant.now().isAfter(yesterday));
restClient.update(
new UpdateRequest(SecuritySystemIndices.SECURITY_TOKENS_ALIAS, docId.get()).doc("creation_time", yesterday.toEpochMilli())
.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE),
SECURITY_REQUEST_OPTIONS
);
Request updateRequest = new Request(HttpPost.METHOD_NAME, SecuritySystemIndices.SECURITY_TOKENS_ALIAS + "/_update/" + docId.get());
updateRequest.addParameter("refresh", WriteRequest.RefreshPolicy.IMMEDIATE.getValue());
updateRequest.setOptions(SECURITY_REQUEST_OPTIONS);
updateRequest.setJsonEntity(formatted("""
{
"doc": {
"creation_time": %s
}
}
""", yesterday.toEpochMilli()));
getRestClient().performRequest(updateRequest);

AtomicBoolean deleteTriggered = new AtomicBoolean(false);
assertBusy(() -> {
Expand All @@ -160,14 +170,23 @@ public void testExpiredTokensDeletedAfterExpiration() throws Exception {
}
Request refreshRequest = new Request("POST", "/" + SecuritySystemIndices.SECURITY_TOKENS_ALIAS + "/_refresh");
refreshRequest.setOptions(SECURITY_REQUEST_OPTIONS);
restClient.getLowLevelClient().performRequest(refreshRequest);
SearchResponse searchResponse = restClient.search(
new SearchRequest(SecuritySystemIndices.SECURITY_TOKENS_ALIAS).source(
SearchSourceBuilder.searchSource().query(QueryBuilders.termQuery("doc_type", "token")).terminateAfter(1)
),
SECURITY_REQUEST_OPTIONS
);
assertThat(searchResponse.getHits().getTotalHits().value, equalTo(0L));
getRestClient().performRequest(refreshRequest);

Request searchRequest = new Request(HttpPost.METHOD_NAME, SecuritySystemIndices.SECURITY_TOKENS_ALIAS + "/_search");
searchRequest.setOptions(SECURITY_REQUEST_OPTIONS);
searchRequest.setJsonEntity("""
{
"query" : {
"term" : {
"doc_type" : "token"
}
},
"terminate_after" : 1,
"size" : 1
}
""");
Response searchResponse = getRestClient().performRequest(searchRequest);
assertThat(ObjectPath.createFromResponse(searchResponse).evaluate("hits.total.value"), equalTo(1));
}, 30, TimeUnit.SECONDS);

// Weird testing behaviour ahead...
Expand Down Expand Up @@ -383,7 +402,6 @@ public void testRefreshingInvalidatedToken() throws IOException {
}

public void testRefreshingMultipleTimesFails() throws Exception {
final RestHighLevelClient restClient = new TestRestHighLevelClient();
OAuth2Token createTokenResponse = createToken(TEST_USER_NAME, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING);
assertNotNull(createTokenResponse.getRefreshToken());

Expand All @@ -392,37 +410,53 @@ public void testRefreshingMultipleTimesFails() throws Exception {
// We now have two documents, the original(now refreshed) token doc and the new one with the new access doc
AtomicReference<String> docId = new AtomicReference<>();
assertBusy(() -> {
SearchResponse searchResponse = restClient.search(
new SearchRequest(SecuritySystemIndices.SECURITY_TOKENS_ALIAS).source(
SearchSourceBuilder.searchSource()
.query(
QueryBuilders.boolQuery()
.must(QueryBuilders.termQuery("doc_type", TokenService.TOKEN_DOC_TYPE))
.must(QueryBuilders.termQuery("refresh_token.refreshed", "true"))
)
.size(1)
.terminateAfter(1)
),
SECURITY_REQUEST_OPTIONS
);
assertThat(searchResponse.getHits().getTotalHits().value, equalTo(1L));
docId.set(searchResponse.getHits().getAt(0).getId());
Request searchRequest = new Request(HttpPost.METHOD_NAME, SecuritySystemIndices.SECURITY_TOKENS_ALIAS + "/_search");
searchRequest.setOptions(SECURITY_REQUEST_OPTIONS);
searchRequest.setJsonEntity("""
{
"query" : {
"bool" : {
"must" : [
{"term" : { "doc_type" : "token" }},
{"term" : { "refresh_token.refreshed" : "true" }}
]
}
},
"terminate_after" : 1,
"size" : 1
}
""");
Response searchResponse = getRestClient().performRequest(searchRequest);
ObjectPath path = ObjectPath.createFromResponse(searchResponse);
assertThat(path.evaluate("hits.total.value"), equalTo(1));
final List<Map<String, ?>> hits = path.evaluate("hits.hits");
final String id = ObjectPath.evaluate(hits.get(0), "_id");
assertThat(id, notNullValue());
docId.set(id);
});

// hack doc to modify the refresh time to 50 seconds ago so that we don't hit the lenient refresh case
Instant refreshed = Instant.now();
Instant aWhileAgo = refreshed.minus(50L, ChronoUnit.SECONDS);
assertTrue(Instant.now().isAfter(aWhileAgo));
UpdateResponse updateResponse = restClient.update(
new UpdateRequest(SecuritySystemIndices.SECURITY_TOKENS_ALIAS, docId.get()).doc(
"refresh_token",
Collections.singletonMap("refresh_time", aWhileAgo.toEpochMilli())
).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).fetchSource("refresh_token", Strings.EMPTY_STRING),
SECURITY_REQUEST_OPTIONS
);

Request updateRequest = new Request(HttpPost.METHOD_NAME, SecuritySystemIndices.SECURITY_TOKENS_ALIAS + "/_update/" + docId.get());
updateRequest.addParameter("refresh", WriteRequest.RefreshPolicy.IMMEDIATE.getValue());
updateRequest.setOptions(SECURITY_REQUEST_OPTIONS);
updateRequest.setJsonEntity(formatted("""
{
"doc": {
"refresh_token": {
"refresh_time" : %s
}
}
}
""", aWhileAgo.toEpochMilli()));
updateRequest.addParameter("_source_includes", "refresh_token");
Response updateResponse = getRestClient().performRequest(updateRequest);
assertNotNull(updateResponse);
@SuppressWarnings("unchecked")
Map<String, Object> refreshTokenMap = (Map<String, Object>) updateResponse.getGetResult().sourceAsMap().get("refresh_token");

Map<String, Object> refreshTokenMap = ObjectPath.createFromResponse(updateResponse).evaluate("get._source.refresh_token");
assertTrue(Instant.ofEpochMilli((long) refreshTokenMap.get("refresh_time")).isBefore(Instant.now().minus(30L, ChronoUnit.SECONDS)));
ResponseException e = expectThrows(ResponseException.class, () -> refreshToken(createTokenResponse.getRefreshToken()));
assertThat(e, throwableWithMessage(containsString("invalid_grant")));
Expand Down
3 changes: 0 additions & 3 deletions ...terTest/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@

import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.test.NativeRealmIntegTestCase;
Expand All @@ -34,7 +33,6 @@
/**
* Integration tests for the built in realm
*/
@SuppressWarnings("removal")
public class ReservedRealmIntegTests extends NativeRealmIntegTestCase {

private static Hasher hasher;
Expand Down Expand Up @@ -140,7 +138,6 @@ public void testChangingPassword() throws IOException {
}

public void testDisablingUser() throws Exception {
final RestHighLevelClient restClient = new TestRestHighLevelClient();
// validate the user works
ClusterHealthResponse response = client().filterWithHeader(
singletonMap("Authorization", basicAuthHeaderValue(ElasticUser.NAME, getReservedPassword()))
Expand Down

0 comments on commit 6f4cee4

Please sign in to comment.