
[Failure Store] ES|QL security tests #125586


Merged
[Failure Store] ES|QL security tests
n1v0lg committed Mar 25, 2025
commit cb7144b789241e6bcf2db3dbc6cb93d5541d4da9
Expand Up @@ -866,9 +866,11 @@ public void testFailureStoreAccess() throws Exception {
case STAR_READ_ONLY_ACCESS, BOTH_ACCESS, DATA_ACCESS, FAILURE_STORE_ACCESS, FAILURE_INDEX_DATA_ACCESS,
FAILURE_INDEX_FAILURE_ACCESS, BACKING_INDEX_DATA_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 400);
break;
case ADMIN_USER, BACKING_INDEX_FAILURE_ACCESS:
expectSearchThrows(user, request, 404);
expectEsqlThrows(user, request, 400);
break;
default:
fail("must cover user: " + user);
Expand Down Expand Up @@ -896,6 +898,7 @@ public void testFailureStoreAccess() throws Exception {
case DATA_ACCESS, FAILURE_STORE_ACCESS, ADMIN_USER, STAR_READ_ONLY_ACCESS, BOTH_ACCESS, BACKING_INDEX_DATA_ACCESS,
BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
expectSearch(user, request);
expectEsqlThrows(user, request, 400);
break;
default:
fail("must cover user: " + user);
Expand All @@ -909,6 +912,7 @@ public void testFailureStoreAccess() throws Exception {
case DATA_ACCESS, FAILURE_STORE_ACCESS, ADMIN_USER, STAR_READ_ONLY_ACCESS, BOTH_ACCESS, BACKING_INDEX_DATA_ACCESS,
BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
expectSearch(user, request);
expectEsqlThrows(user, request, 400);
break;
default:
fail("must cover user: " + user);
Expand All @@ -922,9 +926,11 @@ public void testFailureStoreAccess() throws Exception {
case DATA_ACCESS, STAR_READ_ONLY_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS,
FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 400);
break;
case ADMIN_USER, FAILURE_STORE_ACCESS, BOTH_ACCESS:
expectSearchThrows(user, request, 404);
expectEsqlThrows(user, request, 400);
break;
default:
fail("must cover user: " + user);
Expand All @@ -951,12 +957,17 @@ public void testFailureStoreAccess() throws Exception {
var request = new Search("test1,test1::failures");
for (var user : users) {
switch (user) {
case DATA_ACCESS, FAILURE_STORE_ACCESS, STAR_READ_ONLY_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS,
FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
case DATA_ACCESS, FAILURE_STORE_ACCESS, STAR_READ_ONLY_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 403);
break;
case BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 400);
break;
case ADMIN_USER, BOTH_ACCESS:
expectSearch(user, request, dataDocId, failuresDocId);
expectEsql(user, request, dataDocId, failuresDocId);
break;
default:
fail("must cover user: " + user);
Expand Down Expand Up @@ -992,12 +1003,17 @@ public void testFailureStoreAccess() throws Exception {
var request = new Search("test1," + failureIndexName);
for (var user : users) {
switch (user) {
case DATA_ACCESS, FAILURE_STORE_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS,
FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
case DATA_ACCESS, FAILURE_STORE_ACCESS, FAILURE_INDEX_DATA_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 403);
break;
case BACKING_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS, BACKING_INDEX_FAILURE_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 400);
break;
case ADMIN_USER, BOTH_ACCESS, STAR_READ_ONLY_ACCESS:
expectSearch(user, request, dataDocId, failuresDocId);
expectEsql(user, request, dataDocId, failuresDocId);
break;
default:
fail("must cover user: " + user);
Expand Down Expand Up @@ -1032,12 +1048,17 @@ public void testFailureStoreAccess() throws Exception {
var request = new Search("test1::failures," + dataIndexName);
for (var user : users) {
switch (user) {
case DATA_ACCESS, FAILURE_STORE_ACCESS, STAR_READ_ONLY_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS,
FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
case DATA_ACCESS, FAILURE_STORE_ACCESS, STAR_READ_ONLY_ACCESS, BACKING_INDEX_DATA_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 403);
break;
case BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 400);
break;
case ADMIN_USER, BOTH_ACCESS:
expectSearch(user, request, dataDocId, failuresDocId);
expectEsql(user, request, dataDocId, failuresDocId);
break;
default:
fail("must cover user: " + user);
Expand Down Expand Up @@ -1073,15 +1094,21 @@ public void testFailureStoreAccess() throws Exception {
var request = new Search("test1,*::failures");
for (var user : users) {
switch (user) {
case FAILURE_STORE_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS,
FAILURE_INDEX_FAILURE_ACCESS:
case FAILURE_STORE_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 403);
break;
case BACKING_INDEX_DATA_ACCESS, FAILURE_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 400);
break;
case DATA_ACCESS, STAR_READ_ONLY_ACCESS:
expectSearch(user, request, dataDocId);
expectEsql(user, request, dataDocId);
break;
case ADMIN_USER, BOTH_ACCESS:
expectSearch(user, request, dataDocId, failuresDocId);
expectEsql(user, request, dataDocId, failuresDocId);
break;
default:
fail("must cover user: " + user);
Expand Down Expand Up @@ -1119,13 +1146,19 @@ public void testFailureStoreAccess() throws Exception {
switch (user) {
case FAILURE_STORE_ACCESS:
expectSearch(user, request, failuresDocId);
expectEsql(user, request, failuresDocId);
break;
case DATA_ACCESS, STAR_READ_ONLY_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS,
FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
case BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS, FAILURE_INDEX_FAILURE_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 400);
break;
case DATA_ACCESS, STAR_READ_ONLY_ACCESS:
expectSearchThrows(user, request, 403);
expectEsqlThrows(user, request, 403);
break;
case ADMIN_USER, BOTH_ACCESS:
expectSearch(user, request, dataDocId, failuresDocId);
expectEsql(user, request, dataDocId, failuresDocId);
break;
default:
fail("must cover user: " + user);
Expand Down Expand Up @@ -1163,15 +1196,19 @@ public void testFailureStoreAccess() throws Exception {
switch (user) {
case FAILURE_STORE_ACCESS:
expectSearch(user, request, failuresDocId);
expectEsql(user, request, failuresDocId);
break;
case DATA_ACCESS, STAR_READ_ONLY_ACCESS:
expectSearch(user, request, dataDocId);
expectEsql(user, request, dataDocId);
break;
case ADMIN_USER, BOTH_ACCESS:
expectSearch(user, request, dataDocId, failuresDocId);
expectEsql(user, request, dataDocId, failuresDocId);
break;
case BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_FAILURE_ACCESS, BACKING_INDEX_DATA_ACCESS, FAILURE_INDEX_DATA_ACCESS:
expectSearch(user, request);
expectEsqlThrows(user, request, 400);
break;
default:
fail("must cover user: " + user);
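Review bot: In the first four hunks (old lines 866–930) `expectEsqlThrows(user, request, 400)` is asserted for every user, ADMIN_USER included, so those ES|QL assertions pass identically whether or not the authorization layer ran. A 400 is also what a parse or verification failure would presumably return, so a malformed ES|QL query would satisfy them too. The later hunks use the 400-versus-403 split to separate what looks like "pattern resolves to nothing for this user" from "denied", and a bare status code pins that distinction only loosely. The helper's body is not visible here; if it allows, have it also match the error type or reason. Failing that, document the intent at the first 400 case, e.g. `// ES|QL: no index visible to this user for the pattern -> 400; not an authz denial` (wording to be confirmed against the actual error). The requests used in those four hunks and the start of `testFailureStoreAccess` lie outside the visible lines.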