Skip to content

Commit a8dcab5

Browse files
rursprungclaude
andcommitted
add DlsTermLookupQueryTest version for V4 evaluator
so far, the tests only used the legacy evaluator. add a new subclass to also test against V4 to ensure that this is also covered. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Ralph Ursprung <Ralph.Ursprung@avaloq.com>
1 parent 95012de commit a8dcab5

3 files changed

Lines changed: 91 additions & 120 deletions

File tree

src/test/java/org/opensearch/security/dlic/dlsfls/DlsTermLookupQueryTest.java

Lines changed: 35 additions & 120 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,21 @@
5656

5757
public class DlsTermLookupQueryTest extends AbstractDlsFlsTest {
5858

59+
protected String getSecurityConfigName() {
60+
return "securityconfig_tlq.yml";
61+
}
62+
63+
protected DynamicSecurityConfig tlqSecurityConfig() {
64+
return new DynamicSecurityConfig().setConfig(getSecurityConfigName())
65+
.setSecurityInternalUsers("internal_users_tlq.yml")
66+
.setSecurityRoles("roles_tlq.yml")
67+
.setSecurityRolesMapping("roles_mapping_tlq.yml");
68+
}
69+
70+
protected void setupWithTlqSecurityConfig() throws Exception {
71+
setup(tlqSecurityConfig());
72+
}
73+
5974
protected void populateData(Client client) {
6075
// user access codes, basis for TLQ query
6176
client.index(
@@ -230,12 +245,7 @@ protected void populateData(Client client) {
230245
@Test
231246
public void testSimpleSearch_AccessCode_1337() throws Exception {
232247

233-
setup(
234-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
235-
.setSecurityInternalUsers("internal_users_tlq.yml")
236-
.setSecurityRoles("roles_tlq.yml")
237-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
238-
);
248+
setupWithTlqSecurityConfig();
239249

240250
HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_1337", "password"));
241251
assertThat(response.getStatusCode(), is(200));
@@ -251,12 +261,7 @@ public void testSimpleSearch_AccessCode_1337() throws Exception {
251261
@Test
252262
public void testSimpleSearch_AccessCode_42() throws Exception {
253263

254-
setup(
255-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
256-
.setSecurityInternalUsers("internal_users_tlq.yml")
257-
.setSecurityRoles("roles_tlq.yml")
258-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
259-
);
264+
setupWithTlqSecurityConfig();
260265

261266
HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_42", "password"));
262267
assertThat(response.getStatusCode(), is(200));
@@ -274,12 +279,7 @@ public void testSimpleSearch_AccessCode_42() throws Exception {
274279
@Test
275280
public void testSimpleSearch_AccessCodes_1337_42() throws Exception {
276281

277-
setup(
278-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
279-
.setSecurityInternalUsers("internal_users_tlq.yml")
280-
.setSecurityRoles("roles_tlq.yml")
281-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
282-
);
282+
setupWithTlqSecurityConfig();
283283

284284
HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_1337_42", "password"));
285285
assertThat(response.getStatusCode(), is(200));
@@ -297,12 +297,7 @@ public void testSimpleSearch_AccessCodes_1337_42() throws Exception {
297297
@Test
298298
public void testSimpleSearch_AccessCodes_999() throws Exception {
299299

300-
setup(
301-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
302-
.setSecurityInternalUsers("internal_users_tlq.yml")
303-
.setSecurityRoles("roles_tlq.yml")
304-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
305-
);
300+
setupWithTlqSecurityConfig();
306301

307302
HttpResponse response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_999", "password"));
308303
assertThat(response.getStatusCode(), is(200));
@@ -316,38 +311,23 @@ public void testSimpleSearch_AccessCodes_999() throws Exception {
316311
@Test
317312
public void testSimpleSearch_AccessCodes_emptyAccessCodes() throws Exception {
318313

319-
setup(
320-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
321-
.setSecurityInternalUsers("internal_users_tlq.yml")
322-
.setSecurityRoles("roles_tlq.yml")
323-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
324-
);
314+
setupWithTlqSecurityConfig();
325315
SearchResponse searchResponse = executeSearch("tlqdocuments", "tlq_empty_access_codes", "password");
326316
assertThat(searchResponse.toString(), searchResponse.getHits().getTotalHits().value(), is(0L));
327317
}
328318

329319
@Test
330320
public void testSimpleSearch_AccessCodes_noAccessCodes() throws Exception {
331321

332-
setup(
333-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
334-
.setSecurityInternalUsers("internal_users_tlq.yml")
335-
.setSecurityRoles("roles_tlq.yml")
336-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
337-
);
322+
setupWithTlqSecurityConfig();
338323
SearchResponse searchResponse = executeSearch("tlqdocuments", "tlq_no_codes", "password");
339324

340325
assertThat(searchResponse.toString(), searchResponse.getHits().getTotalHits().value(), is(0L));
341326
}
342327

343328
@Test
344329
public void testSimpleSearch_AllIndices_All_AccessCodes_1337() throws Exception {
345-
setup(
346-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
347-
.setSecurityInternalUsers("internal_users_tlq.yml")
348-
.setSecurityRoles("roles_tlq.yml")
349-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
350-
);
330+
setupWithTlqSecurityConfig();
351331

352332
SearchResponse searchResponse = executeSearch("_all", "tlq_1337", "password");
353333

@@ -383,12 +363,7 @@ public void testSimpleSearch_AllIndices_All_AccessCodes_1337() throws Exception
383363
@Test
384364
public void testSimpleSearch_AllIndicesWildcard_AccessCodes_1337() throws Exception {
385365

386-
setup(
387-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
388-
.setSecurityInternalUsers("internal_users_tlq.yml")
389-
.setSecurityRoles("roles_tlq.yml")
390-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
391-
);
366+
setupWithTlqSecurityConfig();
392367

393368
SearchResponse searchResponse = executeSearch("*", "tlq_1337", "password");
394369

@@ -424,12 +399,7 @@ public void testSimpleSearch_AllIndicesWildcard_AccessCodes_1337() throws Except
424399
@Test
425400
public void testSimpleSearch_ThreeIndicesWildcard_AccessCodes_1337() throws Exception {
426401

427-
setup(
428-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
429-
.setSecurityInternalUsers("internal_users_tlq.yml")
430-
.setSecurityRoles("roles_tlq.yml")
431-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
432-
);
402+
setupWithTlqSecurityConfig();
433403

434404
SearchResponse searchResponse = executeSearch("tlq*,user*", "tlq_1337", "password");
435405

@@ -466,12 +436,7 @@ public void testSimpleSearch_ThreeIndicesWildcard_AccessCodes_1337() throws Exce
466436
@Test
467437
public void testSimpleSearch_TwoIndicesConcreteNames_AccessCodes_1337() throws Exception {
468438

469-
setup(
470-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
471-
.setSecurityInternalUsers("internal_users_tlq.yml")
472-
.setSecurityRoles("roles_tlq.yml")
473-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
474-
);
439+
setupWithTlqSecurityConfig();
475440

476441
SearchResponse searchResponse = executeSearch("tlqdocuments,tlqdummy", "tlq_1337", "password");
477442

@@ -499,12 +464,7 @@ public void testSimpleSearch_TwoIndicesConcreteNames_AccessCodes_1337() throws E
499464
@Test
500465
public void testMSearch_ThreeIndices_AccessCodes_1337() throws Exception {
501466

502-
setup(
503-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
504-
.setSecurityInternalUsers("internal_users_tlq.yml")
505-
.setSecurityRoles("roles_tlq.yml")
506-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
507-
);
467+
setupWithTlqSecurityConfig();
508468

509469
MultiSearchResponse searchResponse = executeMSearchMatchAll(
510470
"tlq_1337",
@@ -541,12 +501,7 @@ public void testMSearch_ThreeIndices_AccessCodes_1337() throws Exception {
541501
@Test
542502
public void testGet_TlqDocumentsIndex_1337() throws Exception {
543503

544-
setup(
545-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
546-
.setSecurityInternalUsers("internal_users_tlq.yml")
547-
.setSecurityRoles("roles_tlq.yml")
548-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
549-
);
504+
setupWithTlqSecurityConfig();
550505

551506
// user has 1337, document has 1337
552507
GetResponse searchResponse = executeGet("tlqdocuments", "1", "tlq_1337", "password");
@@ -581,12 +536,7 @@ public void testGet_TlqDocumentsIndex_1337() throws Exception {
581536
@Test
582537
public void testGet_TlqDocumentsIndex_1337_42() throws Exception {
583538

584-
setup(
585-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
586-
.setSecurityInternalUsers("internal_users_tlq.yml")
587-
.setSecurityRoles("roles_tlq.yml")
588-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
589-
);
539+
setupWithTlqSecurityConfig();
590540

591541
// user has 1337 and 42, document has 1337
592542
GetResponse searchResponse = executeGet("tlqdocuments", "1", "tlq_1337_42", "password");
@@ -623,12 +573,7 @@ public void testGet_TlqDocumentsIndex_1337_42() throws Exception {
623573
@Test
624574
public void testGet_TlqDummyIndex_1337() throws Exception {
625575

626-
setup(
627-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
628-
.setSecurityInternalUsers("internal_users_tlq.yml")
629-
.setSecurityRoles("roles_tlq.yml")
630-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
631-
);
576+
setupWithTlqSecurityConfig();
632577

633578
// no restrictions on this index
634579
GetResponse searchResponse = executeGet("tlqdummy", "101", "tlq_1337", "password");
@@ -644,12 +589,7 @@ public void testGet_TlqDummyIndex_1337() throws Exception {
644589
@Test
645590
public void testGet_UserAccessCodesIndex_1337() throws Exception {
646591

647-
setup(
648-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
649-
.setSecurityInternalUsers("internal_users_tlq.yml")
650-
.setSecurityRoles("roles_tlq.yml")
651-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
652-
);
592+
setupWithTlqSecurityConfig();
653593

654594
// we expect a security exception here, user has no direct access to
655595
// user_access_codes index
@@ -660,12 +600,7 @@ public void testGet_UserAccessCodesIndex_1337() throws Exception {
660600
@Test
661601
public void testMGet_1337() throws Exception {
662602

663-
setup(
664-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
665-
.setSecurityInternalUsers("internal_users_tlq.yml")
666-
.setSecurityRoles("roles_tlq.yml")
667-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
668-
);
603+
setupWithTlqSecurityConfig();
669604

670605
Map<String, String> indicesAndIds = new HashMap<>();
671606
indicesAndIds.put("tlqdocuments", "1");
@@ -702,12 +637,7 @@ public void testMGet_1337() throws Exception {
702637
@Test
703638
public void testSimpleAggregation_tlqdocuments_AccessCode_1337() throws Exception {
704639

705-
setup(
706-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
707-
.setSecurityInternalUsers("internal_users_tlq.yml")
708-
.setSecurityRoles("roles_tlq.yml")
709-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
710-
);
640+
setupWithTlqSecurityConfig();
711641

712642
String body = ""
713643
+ " {\n"
@@ -755,12 +685,7 @@ public void testSimpleAggregation_tlqdocuments_AccessCode_1337() throws Exceptio
755685
@Test
756686
public void testQueryBasedTlq_Search_AccessCode_1337() throws Exception {
757687

758-
setup(
759-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
760-
.setSecurityInternalUsers("internal_users_tlq.yml")
761-
.setSecurityRoles("roles_tlq.yml")
762-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
763-
);
688+
setupWithTlqSecurityConfig();
764689

765690
final var response = rh.executeGetRequest("/tlqdocuments/_search?pretty", encodeBasicHeader("tlq_query_1337", "password"));
766691
assertThat(response.getStatusCode(), is(200));
@@ -774,12 +699,7 @@ public void testQueryBasedTlq_Search_AccessCode_1337() throws Exception {
774699
@Test
775700
public void testQueryBasedTlq_Search_Dummy_AccessCode_1337() throws Exception {
776701

777-
setup(
778-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
779-
.setSecurityInternalUsers("internal_users_tlq.yml")
780-
.setSecurityRoles("roles_tlq.yml")
781-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
782-
);
702+
setupWithTlqSecurityConfig();
783703

784704
final var response = rh.executeGetRequest("/tlqdummy/_search?pretty", encodeBasicHeader("tlq_query_1337", "password"));
785705
assertThat(response.getStatusCode(), is(200));
@@ -792,12 +712,7 @@ public void testQueryBasedTlq_Search_Dummy_AccessCode_1337() throws Exception {
792712
@Test
793713
public void testQueryBasedTlq_Get_AccessCode_1337() throws Exception {
794714

795-
setup(
796-
new DynamicSecurityConfig().setConfig("securityconfig_tlq.yml")
797-
.setSecurityInternalUsers("internal_users_tlq.yml")
798-
.setSecurityRoles("roles_tlq.yml")
799-
.setSecurityRolesMapping("roles_mapping_tlq.yml")
800-
);
715+
setupWithTlqSecurityConfig();
801716

802717
// doc 1 has access_codes [1337] - should be accessible
803718
HttpResponse response = rh.executeGetRequest("/tlqdocuments/_doc/1", encodeBasicHeader("tlq_query_1337", "password"));
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
/*
2+
* SPDX-License-Identifier: Apache-2.0
3+
*
4+
* The OpenSearch Contributors require contributions made to
5+
* this file be licensed under the Apache-2.0 license or a
6+
* compatible open source license.
7+
*
8+
* Modifications Copyright OpenSearch Contributors. See
9+
* GitHub history for details.
10+
*/
11+
12+
package org.opensearch.security.dlic.dlsfls;
13+
14+
import org.junit.Ignore;
15+
import org.junit.Test;
16+
17+
/**
18+
* Runs all TLQ tests with the V4 (nextgen) privilege evaluator.
19+
* The V4 evaluator does not have the DNFOF_MATCHER that silently absorbs
20+
* missing privileges on internal sub-requests, so this exercises the
21+
* DocumentAllowList bypass path more rigorously.
22+
*/
23+
public class DlsTermLookupQueryV4EvaluatorTest extends DlsTermLookupQueryTest {
24+
25+
@Override
26+
protected String getSecurityConfigName() {
27+
return "securityconfig_tlq_v4.yml";
28+
}
29+
30+
@Override
31+
@Test
32+
@Ignore("expected to fail with V4 evaluator")
33+
public void testMGet_1337() throws Exception {
34+
// V4 evaluator does not silently strip unauthorized indices from explicit _mget requests.
35+
// Legacy uses DNFOF_MATCHER on "indices:data/read/*" to reduce indices; V4 only reduces
36+
// for wildcard/pattern requests or ignore_unavailable=true. Concrete unauthorized index -> 403.
37+
super.testMGet_1337();
38+
}
39+
}
Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
---
2+
_meta:
3+
type: "config"
4+
config_version: 2
5+
config:
6+
dynamic:
7+
do_not_fail_on_forbidden: true
8+
privileges_evaluation_type: "v4"
9+
authc:
10+
authentication_domain_basic_internal:
11+
http_enabled: true
12+
transport_enabled: true
13+
order: 0
14+
http_authenticator:
15+
type: "basic"
16+
authentication_backend:
17+
type: "intern"

0 commit comments

Comments
 (0)