Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implements end-to-end integration tests for Authorization in Rest Layer #3226

Merged

Conversation

DarshitChanpura
Copy link
Member

Description

This change test Authorization in Rest Layer feature by testing NamedRoutes and legacy Routes. It does so by adding two plugins in security plugin's test framework with one registering NamedRoutes and other registering legacy Routes.

  • Category: Enhancement

Issues Resolved

Testing

Integration tests

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Copy link
Member Author

DarshitChanpura commented Aug 21, 2023

Not sure why Codecov/project shows 27% decrease when this PR adds more tests.

Update: Seems to have resolved on its own.

@DarshitChanpura DarshitChanpura added the backport 2.x backport to 2.x branch label Aug 22, 2023
@DarshitChanpura
Copy link
Member Author

Backport is currently blocked by: #3230

Copy link
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job @DarshitChanpura! Just a few comments.

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really thorough testing on these components great work. I'm having trouble knowing reading if scenarios are covered or not based on conventions around the naming conventions.

@codecov
Copy link

codecov bot commented Aug 22, 2023

Codecov Report

Merging #3226 (fd84d3a) into main (07406d6) will increase coverage by 0.01%.
Report is 1 commits behind head on main.
The diff coverage is n/a.

Impacted file tree graph

@@             Coverage Diff              @@
##               main    #3226      +/-   ##
============================================
+ Coverage     62.43%   62.45%   +0.01%     
+ Complexity     3351     3350       -1     
============================================
  Files           254      254              
  Lines         19748    19748              
  Branches       3334     3334              
============================================
+ Hits          12330    12333       +3     
+ Misses         5789     5785       -4     
- Partials       1629     1630       +1     

see 3 files with indirect coverage changes

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed and commented on several test names

Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Copy link
Member Author

DarshitChanpura commented Aug 23, 2023

No sure why the codecov/project/plugin report shows decrease of .01% when upon clicking the link to codecov it shows an increase of .01%

@peternied
Copy link
Member

No sure why the codecov/project/plugin report shows decrease of .01% when upon clicking the link to codecov it shows an increase of .01%

Congrats you've found another source of non-deterministic test results - src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java

I've updated #3137, and you can update the codecov.yml to prevent false positives if you'd like

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the renames - much more approachable!

Copy link
Collaborator

@RyanL1997 RyanL1997 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @DarshitChanpura, great work for putting the tests together! In generally this is looking good to me. I just left some minor questions and a naming related comment.

@@ -179,26 +186,6 @@ private void assertResponse(TestRestClient.HttpResponse response, int expectedSt
assertThat(response.getBody(), equalTo(expectedBody));
}

private void assertExactlyOneAuthenticatedLogMessage(TestSecurityConfig.User user) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just wanna confirm, we are removing this since we are switching to use the audit log for capturing all the log msgs?

) {
return auditPredicate(category).withLayer(Origin.TRANSPORT)
.withEffectiveUser(user)
.withPrivilege(privilege)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By reading through the previous comment, I think the privilege is the actual permissions for the user who sends out the request is that correct?

public class DummyAction extends ActionType<DummyResponse> {

public static final DummyAction INSTANCE = new DummyAction();
public static final String NAME = "cluster:admin/dummy_protected_plugin/dummy/get";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I assume the NAME is referencing to this dummy permission? so maybe rename it to DUMMY_PERMISSION_NAME?

Copy link
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks Good To Me!

@stephen-crawford stephen-crawford merged commit 9a7e517 into opensearch-project:main Aug 24, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3226-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9a7e517abd9d4d0e301f918adc65cb82b8f14d88
# Push it to GitHub
git push --set-upstream origin backport/backport-3226-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3226-to-2.x.

@peternied
Copy link
Member

@DarshitChanpura Can you make sure to include this in the everything at once backport for AuthZ in the Rest layer?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Implement end-to-end testing of the new named routes API and ensure backwards compatibility.
4 participants