Feature/184 introduce security tests

[stevanbz]

Issue #, if available:
N/A
Description of changes:

• Created security test to test the behavior of IM with users for different permissions
• Tests can be run against the remote cluster by executing:
• ./gradlew integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="docker-cluster" -Dhttps=true -Duser=admin -Dpassword=admin -Dtests.class=*SecurityBehaviorIT (also tests can be executed against the remote cluster started with official docker image)
• These tests are designed to test mix cluster and index privileges over IM objects
• Test are divided into separate files that relate with the exact domain (ISM, Rollup or Transform)
• SecurityBehaviorIT test policy access based on the backend roles -> can be considered as integral test that does privilege and access check based on different back-end roles and privileges assigned to those roles

IndexStateManagementSecurityBehaviorIT

• test policy successful execution -> checks if the policy with rollup step can be created and executed correctly. Beside that, code checks if the users with lacking privileges are receiving valid http status responses (403) when they try to access policy
• test add policy -> checks if the users with different cluster privileges can add a policy to an index
• test explain index -> checks if the users with different cluster privileges can trigger explain index
• test delete policy -> check if users with different privileges can delete the policy

RollupSecurityBehaviorIT

• test rollup successful execution -> checks if the user with correct cluster and index privileges can create and access the rollup; Also checks if the rollup can be executed (ie. does the user has correct privileges over the target/source indexes, can he see the indexes etc.)
• test rollup access -> checks if users with privileges and user lacking privileges can create and access the rollup; user lacking privilege is receiving 403 FORBIDDEN but after assigning a user to a role, he can access the rollup
• test failed rollup creation user missing cluster privileges -> checks if the user lacking cluster privileges is receiving appropriate status (403 forbidden) once he tries to create a rollup
• test failed rollup execution user missing index access-> checks if the user lacking index access (user is supporting only specified index template ie. airline-*) can create (expected status: created) rollup but can't execute (once the execution is triggered the job is returning FAILED status)
• test delete rollup -> checks if the user with correct privileges can delete the rollup job and confirms that the rollup has been deleted

TransformSecurityBehaviorIT

• test transform successful execution -> checks if the user with correct cluster and index privilege can create and execute transform over the given source index

• test failed transform creation user missing cluster privileges -> checks if the user lacking cluster privileges is receiving appropriate status (403 forbidden) once he tries to create a transform

• test failed transform execution user missing index access -> checks if the user lacking index access (user is supporting only specified index template ie. airline-*) can create (expected status: created) transform but can't execute (once the execution is triggered the job is returning FAILED status)

• test transform access -> checks if users with privileges and user lacking privileges can create and access the transform job; user lacking privilege is receiving 403 FORBIDDEN but after assigning a user to a role, he can access the transform job

• test delete transform -> checks if users with different privileges can delete the transform job by first disabling it; the users without appropriate cluster privilege should receive FORBIDDEN once they try to delete the transform job

• During writing tests one issue is spotted and solved. Issue can be reproduced by following the next steps:

  1. create a policy p1 with user which has b1 backend role
  2. create a policy p2 with user which has b2 backend role
  3. users belonging b1 can get _plugins/_ism/policies/p2 (200, OK); users belonging b2 can get _plugins/_ism/policies/p1 (200, OK)
  4. enable filtering by backend role(update flag) ie.: plugins.index_management.filter_by_backend_roles": "true"
  5. try to get a policy p2 as user belonging backend role b1 ie.: get _plugins/_ism/policies/p2
     Expected result:
     403 Forbidden with message
     Actual result
     500 Internal server error with message

Class that contains a bugfix is: IndexManagementException

CheckList:

• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #474 (cf69fc0) into main (76de976) will increase coverage by 0.17%.
The diff coverage is 0.00%.

@@             Coverage Diff              @@
##               main     #474      +/-   ##
============================================
+ Coverage     75.80%   75.97%   +0.17%     
- Complexity     2466     2475       +9     
============================================
  Files           313      314       +1     
  Lines         14411    14459      +48     
  Branches       2227     2238      +11     
============================================
+ Hits          10924    10985      +61     
+ Misses         2240     2232       -8     
+ Partials       1247     1242       -5     

Impacted Files	Coverage Δ
...h/indexmanagement/util/IndexManagementException.kt	35.00% <0.00%> (-6.18%)	⬇️
...nt/indexstatemanagement/model/destination/Slack.kt	55.55% <0.00%> (-22.23%)	⬇️
...rch/indexmanagement/snapshotmanagement/SMRunner.kt	64.28% <0.00%> (-4.29%)	⬇️
.../rollup/action/index/TransportIndexRollupAction.kt	71.26% <0.00%> (-3.41%)	⬇️
.../action/explain/TransportExplainTransformAction.kt	70.78% <0.00%> (-2.25%)	⬇️
...arch/indexmanagement/snapshotmanagement/SMUtils.kt	72.28% <0.00%> (-1.81%)	⬇️
...ent/indexstatemanagement/util/ManagedIndexUtils.kt	76.10% <0.00%> (-1.77%)	⬇️
...t/action/indexpolicy/TransportIndexPolicyAction.kt	79.03% <0.00%> (-1.53%)	⬇️
...management/engine/states/deletion/DeletingState.kt	82.66% <0.00%> (-1.34%)	⬇️
.../opensearch/indexmanagement/rollup/model/Rollup.kt	85.58% <0.00%> (ø)
... and 15 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[bowenlan-amzn]

Thanks for adding a thorough suite of security test, fantastic!