missing stuff

Author: sscarduzio

src/test/java/org/elasticsearch/rest/action/readonlyrest/acl/test/ACLTest.java

@@ -28,21 +28,25 @@
 
 public class ACLTest {
   private static ACL acl;
-
-  @BeforeClass
-  public static void setUpBeforeClass() throws Exception {
+  public static ACL mkACL(String fileName) {
+    ACL _acl = null;
     try {
-      byte[] encoded = Files.readAllBytes(Paths.get(System.getProperty("user.dir") + "/src/test/test_rules.yml"));
+      byte[] encoded = Files.readAllBytes(Paths.get(System.getProperty("user.dir") + fileName));
       String str = Charsets.UTF_8.decode(ByteBuffer.wrap(encoded)).toString();
       Settings s = Settings.builder().loadFromSource(str).build();
-      acl = new ACL(s);
+      _acl = new ACL(s);
     } catch (IOException e) {
       e.printStackTrace();
     }
+    return _acl;
+  }
 
+  @BeforeClass
+  public static void setUpBeforeClass() throws Exception {
+    acl = mkACL("/src/test/test_rules.yml");
   }
 
-  private RequestContext mockReq(String uri, String address, String apiKey, String authKey, Integer bodyLength, Method method, String xForwardedForHeader, final String[] _indices, String action) throws Throwable {
+  public static RequestContext mockReq(String uri, String address, String apiKey, String authKey, Integer bodyLength, Method method, String xForwardedForHeader, final String[] _indices, String action) throws Throwable {
     RestRequest r = mock(RestRequest.class, RETURNS_DEEP_STUBS);
     when(r.method()).thenReturn(method);
     when(r.uri()).thenReturn(uri);
@@ -232,7 +236,7 @@ public final void testActionWildcard() throws Throwable {
     assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
     assertEquals(res.getBlock().getName(), "12");
   }
-  
+
   @Test
   public final void testActionWildcardExactMatch() throws Throwable {
     RequestContext rc = mockReq("/public-idx/_search?q=item.getName():fishingpole&size=200", "1.1.1.1", "", "", 0, Method.POST, null, null, "action*");

src/test/java/org/elasticsearch/rest/action/readonlyrest/acl/test/KibanaACLTest.java

@@ -0,0 +1,132 @@
+package org.elasticsearch.rest.action.readonlyrest.acl.test;
+
+import org.elasticsearch.plugin.readonlyrest.acl.ACL;
+import org.elasticsearch.plugin.readonlyrest.acl.RequestContext;
+import org.elasticsearch.plugin.readonlyrest.acl.blocks.Block;
+import org.elasticsearch.plugin.readonlyrest.acl.blocks.BlockExitResult;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class KibanaACLTest {
+  private static ACL acl;
+
+  @BeforeClass
+  public static void setUpBeforeClass() throws Exception {
+    acl = ACLTest.mkACL("/src/test/kibana_test_rules.yml");
+  }
+
+  @Test
+  public final void testKibanaROClusterAction() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "1.1.1.1", "", "", 0, null, null, new String[]{"random-idx"}, "cluster:monitor/health");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "1");
+  }
+
+  @Test
+  public final void testKibanaROreadAction() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "1.1.1.1", "", "", 0, null, null, new String[]{"random-idx"}, "indices:admin/get");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "1");
+  }
+  @Test
+  public final void testKibanaROwriteKibanaDevNull() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "1.1.1.1", "", "", 0, null, null, new String[]{".kibana-devnull"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "1");
+  }
+
+ @Test
+  public final void testKibanaROwriteAction_FORBID() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "1.1.1.1", "", "", 0, null, null, new String[]{"random-idx"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertFalse(res.isMatch());
+  }
+
+  @Test
+  public final void testKibanaRWreadAction() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "2.2.2.2", "", "", 0, null, null, new String[]{"random-idx"}, "indices:admin/get");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "2");
+  }
+  @Test
+  public final void testKibanaRWwriteAction() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "2.2.2.2", "", "", 0, null, null, new String[]{"random-idx"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "2");
+  }
+  @Test
+  public final void testKibanaRWClusterAction() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "2.2.2.2", "", "", 0, null, null, new String[]{"random-idx"}, "cluster:monitor/health");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "2");
+  }
+
+  @Test
+  public final void testKibanaR0writeDashboard() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "1.1.1.1", "", "", 0, null, null, new String[]{".kibana"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertFalse(res.isMatch());
+  }
+
+  @Test
+  public final void testKibanaRWwriteDashboard() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "2.2.2.2", "", "", 0, null, null, new String[]{".kibana"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "2");
+  }
+
+ @Test
+  public final void testKibanaR0PlusWriteDashboard() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "3.3.3.3", "", "", 0, null, null, new String[]{".kibana"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "3");
+  }
+
+  @Test
+  public final void testKibanaR0PlusWriteKibanaDevnull() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "3.3.3.3", "", "", 0, null, null, new String[]{".kibana-devnull"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "3");
+  }
+
+  @Test
+  public final void testKibanaR0WriteKibanaDevnull() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "3.3.3.3", "", "", 0, null, null, new String[]{".kibana-devnull"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "3");
+  }
+
+  @Test
+  public final void testKibanaR0WriteDashboardCustomKibanaIdx() throws Throwable {
+    RequestContext rc = ACLTest.mockReq("xyz", "4.4.4.4", "", "", 0, null, null, new String[]{"custom-kibana-idx"}, "indices:data/write/update");
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "4");
+  }
+
+}

src/test/kibana_test_rules.yml

@@ -0,0 +1,57 @@
+cluster:
+  name: elasticsearch
+
+index:
+    number_of_replicas: 0
+    number_of_shards: 1
+    analysis:
+        analyzer:
+            eulang:
+                type: custom
+                tokenizer: standard
+                filter: [standard, lowercase, asciifolding]
+            location:
+                type: custom
+                tokenizer: standard
+                filter: [standard, lowercase, asciifolding]
+
+
+network.host: _eth0:ipv4_
+transport.tcp.port : 9310
+http.bind_host: _eth0:ipv4_
+http.publish_address: _eth0:ipv4_
+discovery.zen.ping.multicast.enabled: false
+
+readonlyrest:
+    # (De)activate plugin
+    enable: true
+
+    # HTTP response body in case of forbidden request. 
+    # If this is null or omitted, the name of the first violated access control rule is returned (useful for debugging!)
+    response_if_req_forbidden: <h1>Forbidden</h1>
+    
+    # Default policy is to forbid everything, so let's define a whitelist
+    access_control_rules:
+
+    - name: 1
+      type: allow
+      hosts: 1.1.1.1
+      kibana_access: ro
+
+    - name: 2
+      type: allow
+      hosts: 2.2.2.2
+      kibana_access: rw
+      
+    - name: 3
+      type: allow
+      hosts: 3.3.3.3
+      kibana_access: ro+
+
+    - name: 4
+      type: allow
+      hosts: 4.4.4.4
+      kibana_access: ro+
+      kibana_index: custom-kibana-idx
+
+

src/test/test_rules.yml

@@ -83,3 +83,5 @@ readonlyrest:
     - name: 12
       type: allow
       actions: action*
+
+