Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test related to authentication with x.509 certificates. #2227

Merged
merged 1 commit into from
Nov 22, 2022
Merged

Test related to authentication with x.509 certificates. #2227

merged 1 commit into from
Nov 22, 2022

Conversation

lukasz-soszynski-eliatra
Copy link
Contributor

Description

[Describe what this change achieves]

  • Category (Integration tests)
  • Why these changes are required?
  • What is the old behavior before changes and new behavior after changes?

Issues Resolved

[List any issues this PR will resolve]

Integration tests related to user authentication with X.509 certificates.

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@lukasz-soszynski-eliatra lukasz-soszynski-eliatra requested a review from a team November 3, 2022 10:12
@codecov-commenter
Copy link

codecov-commenter commented Nov 3, 2022
edited

Codecov Report

Merging #2227 (88eca16) into main (25ea092) will decrease coverage by 0.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main    #2227      +/-   ##
============================================
- Coverage     61.04%   61.02%   -0.02%     
+ Complexity     3268     3267       -1     
============================================
  Files           259      259              
  Lines         18337    18336       -1     
  Branches       3248     3248              
============================================
- Hits          11193    11190       -3     
- Misses         5559     5561       +2     
  Partials       1585     1585
Impacted Files Coverage Δ
...ch/security/auditlog/routing/AsyncStoragePool.java 50.00% <0.00%> (-5.56%) ⬇️
...ecurity/ssl/rest/SecuritySSLReloadCertsAction.java 84.78% <0.00%> (-0.33%) ⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

DarshitChanpura
DarshitChanpura previously approved these changes Nov 8, 2022
View reviewed changes
Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@DarshitChanpura
Copy link
Member

Bwc tests are broken on main. Tracking issue here: #2221

@lukasz-soszynski-eliatra lukasz-soszynski-eliatra force-pushed the authentication-with-certificate-test branch 2 times, most recently from fcd1fc7 to bb5ac5c Compare November 11, 2022 11:07
@peternied peternied mentioned this pull request Nov 16, 2022
Closed
8 tasks
@lukasz-soszynski-eliatra
Test related to authentication with x.509 certificates.
88eca16 
Signed-off-by: Lukasz Soszynski <lukasz.soszynski@eliatra.com>
cwperks
cwperks approved these changes Nov 22, 2022
View reviewed changes
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @lukasz-soszynski-eliatra, this looks good to me. There may be an opportunity to test a scenario with multiple backend roles, but I think this adds some nice coverage!

src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java
}

@Test
public void shouldAuthenticateUserWithCertificate_positiveUserSpoke() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Spock

src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java

private static final Map<String, Object> CERT_AUTH_CONFIG = Map.of(
"username_attribute", "cn",
"roles_attribute", "ou"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, I didn't know roles_attribute was possible with client cert authentication. I don't see documentation for this on the documentation website: https://opensearch.org/docs/latest/security-plugin/configuration/client-auth/

@cwillum, putting this on your radar to visit when client cert authentication is re-visited on the documentation website.

My understanding of Organizational Unit in LDAP is that it is conventionally used to model hierarchical structures of organizations. i.e. As a contributor the OpenSearch project concentrated on security, I may model a Distinguished name as:

L=NYC,CN=Craig,OU=OpenSearch,OU=Security,DC=opensearch,DC=org

Here it looks like we are using this as the list of backend roles and using that it is repeated as a convenience.

@cwperks cwperks merged commit 7cad5e4 into opensearch-project:main Nov 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwperks cwperks cwperks approved these changes

@DarshitChanpura DarshitChanpura DarshitChanpura approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@lukasz-soszynski-eliatra @codecov-commenter @DarshitChanpura @cwperks