Test underscored roles

n1v0lg · Dec 9, 2024 · 6383588 · 6383588
1 parent 7eed4b8
commit 6383588
Showing 1 changed file with 52 additions and 9 deletions.
diff --git a/...nalClusterTest/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java b/...nalClusterTest/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java
@@ -50,14 +50,24 @@ public class DocumentAndFieldLevelSecurityTests extends SecurityIntegTestCase {
     @Override
     protected String configUsers() {
         final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(USERS_PASSWD));
-        return super.configUsers() + Strings.format("""
-            user1:%s
-            user2:%s
-            user3:%s
-            user4:%s
-            user5:%s
-            user6:%s
-            """, usersPasswdHashed, usersPasswdHashed, usersPasswdHashed, usersPasswdHashed, usersPasswdHashed, usersPasswdHashed);
+        return super.configUsers() + Strings.format(
+            """
+                user1:%s
+                user2:%s
+                user3:%s
+                user4:%s
+                user5:%s
+                user6:%s
+                user7:%s
+                """,
+            usersPasswdHashed,
+            usersPasswdHashed,
+            usersPasswdHashed,
+            usersPasswdHashed,
+            usersPasswdHashed,
+            usersPasswdHashed,
+            usersPasswdHashed
+        );
     }
 
     @Override
@@ -67,7 +77,8 @@ protected String configUsersRoles() {
             + "role2:user1,user4\n"
             + "role3:user2,user4\n"
             + "role4:user3,user4,user5\n"
-            + "role5:user6\n";
+            + "role5:user6\n"
+            + "role6:user7\n";
     }
 
     @Override
@@ -111,6 +122,14 @@ protected String configRoles() {
                   privileges: [ ALL ]
                   field_security:
                      grant: [ field1, id ]
+                     except: [ _field1 ]
+            role6:
+              cluster: [ all ]
+              indices:
+                - names: '*'
+                  privileges: [ ALL ]
+                  field_security:
+                     grant: [ field1, _field1, _field2, id ]
                      except: [ _field2 ]
             """;
     }
@@ -437,6 +456,30 @@ public void testFieldCapabilitiesIsFiltered() {
         }
     }
 
+    public void testUnderscoredFieldsFiltered() {
+        assertAcked(indicesAdmin().prepareCreate("test").setMapping("field1", "type=text", "_field1", "type=text", "_field2", "type=text"));
+        prepareIndex("test").setId("1")
+            .setSource("field1", "value1", "_field1", "_value1", "_field2", "_value2")
+            .setRefreshPolicy(IMMEDIATE)
+            .get();
+
+        {
+            FieldCapabilitiesRequest fieldCapabilitiesRequest = new FieldCapabilitiesRequest().fields("*").indices("test");
+            FieldCapabilitiesResponse response = client().filterWithHeader(
+                Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user5", USERS_PASSWD))
+            ).fieldCaps(fieldCapabilitiesRequest).actionGet();
+            assertExpectedFieldsIgnoringAllowlistedMetadataFields(response, "field1");
+        }
+
+        {
+            FieldCapabilitiesRequest fieldCapabilitiesRequest = new FieldCapabilitiesRequest().fields("*").indices("test");
+            FieldCapabilitiesResponse response = client().filterWithHeader(
+                Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user7", USERS_PASSWD))
+            ).fieldCaps(fieldCapabilitiesRequest).actionGet();
+            assertExpectedFieldsIgnoringAllowlistedMetadataFields(response, "field1", "_field1");
+        }
+    }
+
     @SuppressWarnings("unchecked")
     private static void assertExpectedFields(Map<String, MappingMetadata> mappings, String... fields) {
         Map<String, Object> sourceAsMap = mappings.get("test").getSourceAsMap();