|
1 | | -/* |
2 | | - * SPDX-License-Identifier: Apache-2.0 |
3 | | - * |
4 | | - * The OpenSearch Contributors require contributions made to |
5 | | - * this file be licensed under the Apache-2.0 license or a |
6 | | - * compatible open source license. |
7 | | - */ |
8 | | -package org.opensearch.security.bwc; |
9 | | - |
10 | | -import java.io.IOException; |
11 | | -import java.util.List; |
12 | | -import java.util.Map; |
13 | | -import java.util.Optional; |
14 | | -import java.util.Set; |
15 | | -import java.util.stream.Collectors; |
16 | | - |
17 | | -import org.apache.http.Header; |
18 | | -import org.apache.http.HttpHost; |
19 | | -import org.apache.http.auth.AuthScope; |
20 | | -import org.apache.http.auth.UsernamePasswordCredentials; |
21 | | -import org.apache.http.client.CredentialsProvider; |
22 | | -import org.apache.http.conn.ssl.NoopHostnameVerifier; |
23 | | -import org.apache.http.impl.client.BasicCredentialsProvider; |
24 | | -import org.apache.http.message.BasicHeader; |
25 | | -import org.apache.http.ssl.SSLContextBuilder; |
26 | | -import org.junit.Assume; |
27 | | -import org.junit.Before; |
28 | | -import org.opensearch.common.settings.Settings; |
29 | | -import org.opensearch.common.util.concurrent.ThreadContext; |
30 | | -import org.opensearch.test.rest.OpenSearchRestTestCase; |
31 | | - |
32 | | -import org.opensearch.Version; |
33 | | - |
34 | | -import static org.hamcrest.MatcherAssert.assertThat; |
35 | | -import static org.hamcrest.Matchers.hasItem; |
36 | | - |
37 | | -import org.opensearch.client.RestClient; |
38 | | -import org.opensearch.client.RestClientBuilder; |
39 | | - |
40 | | -import org.junit.Assert; |
41 | | - |
42 | | -public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase { |
43 | | - |
44 | | - private ClusterType CLUSTER_TYPE; |
45 | | - private String CLUSTER_NAME; |
46 | | - |
47 | | - @Before |
48 | | - private void testSetup() { |
49 | | - final String bwcsuiteString = System.getProperty("tests.rest.bwcsuite"); |
50 | | - Assume.assumeTrue("Test cannot be run outside the BWC gradle task 'bwcTestSuite' or its dependent tasks", bwcsuiteString != null); |
51 | | - CLUSTER_TYPE = ClusterType.parse(bwcsuiteString); |
52 | | - CLUSTER_NAME = System.getProperty("tests.clustername"); |
53 | | - } |
54 | | - |
55 | | - @Override |
56 | | - protected final boolean preserveClusterUponCompletion() { |
57 | | - return true; |
58 | | - } |
59 | | - |
60 | | - @Override |
61 | | - protected final boolean preserveIndicesUponCompletion() { |
62 | | - return true; |
63 | | - } |
64 | | - |
65 | | - @Override |
66 | | - protected final boolean preserveReposUponCompletion() { |
67 | | - return true; |
68 | | - } |
69 | | - |
70 | | - @Override |
71 | | - protected boolean preserveTemplatesUponCompletion() { |
72 | | - return true; |
73 | | - } |
74 | | - |
75 | | - @Override |
76 | | - protected String getProtocol() { |
77 | | - return "https"; |
78 | | - } |
79 | | - |
80 | | - @Override |
81 | | - protected final Settings restClientSettings() { |
82 | | - return Settings.builder() |
83 | | - .put(super.restClientSettings()) |
84 | | - // increase the timeout here to 90 seconds to handle long waits for a green |
85 | | - // cluster health. the waits for green need to be longer than a minute to |
86 | | - // account for delayed shards |
87 | | - .put(OpenSearchRestTestCase.CLIENT_SOCKET_TIMEOUT, "90s") |
88 | | - .build(); |
89 | | - } |
90 | | - |
91 | | - @Override |
92 | | - protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { |
93 | | - RestClientBuilder builder = RestClient.builder(hosts); |
94 | | - configureHttpsClient(builder, settings); |
95 | | - boolean strictDeprecationMode = settings.getAsBoolean("strictDeprecationMode", true); |
96 | | - builder.setStrictDeprecationMode(strictDeprecationMode); |
97 | | - return builder.build(); |
98 | | - } |
99 | | - |
100 | | - protected static void configureHttpsClient(RestClientBuilder builder, Settings settings) throws IOException { |
101 | | - Map<String, String> headers = ThreadContext.buildDefaultHeaders(settings); |
102 | | - Header[] defaultHeaders = new Header[headers.size()]; |
103 | | - int i = 0; |
104 | | - for (Map.Entry<String, String> entry : headers.entrySet()) { |
105 | | - defaultHeaders[i++] = new BasicHeader(entry.getKey(), entry.getValue()); |
106 | | - } |
107 | | - builder.setDefaultHeaders(defaultHeaders); |
108 | | - builder.setHttpClientConfigCallback(httpClientBuilder -> { |
109 | | - String userName = Optional.ofNullable(System.getProperty("tests.opensearch.username")) |
110 | | - .orElseThrow(() -> new RuntimeException("user name is missing")); |
111 | | - String password = Optional.ofNullable(System.getProperty("tests.opensearch.password")) |
112 | | - .orElseThrow(() -> new RuntimeException("password is missing")); |
113 | | - CredentialsProvider credentialsProvider = new BasicCredentialsProvider(); |
114 | | - credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(userName, password)); |
115 | | - try { |
116 | | - return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider) |
117 | | - // disable the certificate since our testing cluster just uses the default security configuration |
118 | | - .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE) |
119 | | - .setSSLContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build()); |
120 | | - } catch (Exception e) { |
121 | | - throw new RuntimeException(e); |
122 | | - } |
123 | | - }); |
124 | | - } |
125 | | - |
126 | | - public void testBasicBackwardsCompatibility() throws Exception { |
127 | | - String round = System.getProperty("tests.rest.bwcsuite_round"); |
128 | | - |
129 | | - if (round.equals("first") || round.equals("old")) { |
130 | | - assertPluginUpgrade("_nodes/" + CLUSTER_NAME + "-0/plugins"); |
131 | | - } else if (round.equals("second")) { |
132 | | - assertPluginUpgrade("_nodes/" + CLUSTER_NAME + "-1/plugins"); |
133 | | - } else if (round.equals("third")) { |
134 | | - assertPluginUpgrade("_nodes/" + CLUSTER_NAME + "-2/plugins"); |
135 | | - } |
136 | | - } |
137 | | - |
138 | | - @SuppressWarnings("unchecked") |
139 | | - public void testWhoAmI() throws Exception { |
140 | | - Map<String, Object> responseMap = (Map<String, Object>) getAsMap("_plugins/_security/whoami"); |
141 | | - Assert.assertTrue(responseMap.containsKey("dn")); |
142 | | - } |
143 | | - |
144 | | - private enum ClusterType { |
145 | | - OLD, |
146 | | - MIXED, |
147 | | - UPGRADED; |
148 | | - |
149 | | - public static ClusterType parse(String value) { |
150 | | - switch (value) { |
151 | | - case "old_cluster": |
152 | | - return OLD; |
153 | | - case "mixed_cluster": |
154 | | - return MIXED; |
155 | | - case "upgraded_cluster": |
156 | | - return UPGRADED; |
157 | | - default: |
158 | | - throw new AssertionError("unknown cluster type: " + value); |
159 | | - } |
160 | | - } |
161 | | - } |
162 | | - |
163 | | - @SuppressWarnings("unchecked") |
164 | | - private void assertPluginUpgrade(String uri) throws Exception { |
165 | | - Map<String, Map<String, Object>> responseMap = (Map<String, Map<String, Object>>) getAsMap(uri).get("nodes"); |
166 | | - for (Map<String, Object> response : responseMap.values()) { |
167 | | - List<Map<String, Object>> plugins = (List<Map<String, Object>>) response.get("plugins"); |
168 | | - Set<String> pluginNames = plugins.stream().map(map -> (String) map.get("name")).collect(Collectors.toSet()); |
169 | | - |
170 | | - final Version minNodeVersion = this.minimumNodeVersion(); |
171 | | - |
172 | | - if (minNodeVersion.major <= 1) { |
173 | | - assertThat(pluginNames, hasItem("opensearch_security")); |
174 | | - } else { |
175 | | - assertThat(pluginNames, hasItem("opensearch-security")); |
176 | | - } |
177 | | - |
178 | | - } |
179 | | - } |
180 | | -} |
0 commit comments