diff --git a/tests/default/security/api/_upgrade_check.yaml b/tests/default/security/api/_upgrade_check.yaml new file mode 100644 index 000000000..60d553753 --- /dev/null +++ b/tests/default/security/api/_upgrade_check.yaml @@ -0,0 +1,11 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test _upgrade_check endpoint. +version: '> 2.13' + +chapters: + - synopsis: Check whether an upgrade can be performed. + path: /_plugins/_security/api/_upgrade_check + method: GET + response: + status: 200 diff --git a/tests/default/security/api/upgrade.yaml b/tests/default/security/api/_upgrade_perform.yaml similarity index 58% rename from tests/default/security/api/upgrade.yaml rename to tests/default/security/api/_upgrade_perform.yaml index 4cc316b48..643f7896f 100644 --- a/tests/default/security/api/upgrade.yaml +++ b/tests/default/security/api/_upgrade_perform.yaml @@ -1,13 +1,9 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test upgrade eligibility endpoints. -version: '>= 2.14' +description: Test _upgrade_perform endpoint. +version: '> 2.13' + chapters: - - synopsis: Check whether an upgrade can be performed. - path: /_plugins/_security/api/_upgrade_check - method: GET - response: - status: 200 - synopsis: Perform the upgrade. path: /_plugins/_security/api/_upgrade_perform method: POST diff --git a/tests/default/security/api/action_groups.yaml b/tests/default/security/api/actiongroups.yaml similarity index 97% rename from tests/default/security/api/action_groups.yaml rename to tests/default/security/api/actiongroups.yaml index 363aacdf3..0321d9022 100644 --- a/tests/default/security/api/action_groups.yaml +++ b/tests/default/security/api/actiongroups.yaml @@ -1,6 +1,6 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test action_groups endpoints. +description: Test actiongroups endpoints. chapters: - synopsis: Create action group. 
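Review bot: The constraint `version: '> 2.13'` in `_upgrade_check.yaml` and `_upgrade_perform.yaml` matches the earlier `'>= 2.14'` only if the runner reads the partial version `2.13` as the whole 2.13.x line. That comparator is not visible in this diff; if it coerces `2.13` to `2.13.0` instead, a 2.13.1 cluster would satisfy the range and these security stories would run against a release without the endpoint. Writing the first supporting release directly, `version: '>= 2.14'`, removes the ambiguity. The same rewrite appears in `certificates.yaml`, `generateonbehalfoftoken.yaml`, `securityconfig.yaml`, `tenancy/config.yaml` and `whoamiprotected.yaml`, while `ssl/certs.yml` and `whoami.yaml` keep `>=`.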
diff --git a/tests/default/security/api/allowlist.yaml b/tests/default/security/api/allowlist.yaml index 474d7e5f6..6808131d8 100644 --- a/tests/default/security/api/allowlist.yaml +++ b/tests/default/security/api/allowlist.yaml @@ -1,7 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test allowlist endpoints. -version: '>2.0' +version: '> 2.0' # ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: diff --git a/tests/default/security/api/audit.yaml b/tests/default/security/api/audit.yaml index a449e9e7b..7c004b24b 100644 --- a/tests/default/security/api/audit.yaml +++ b/tests/default/security/api/audit.yaml @@ -3,40 +3,6 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test audit endpoints. chapters: - - synopsis: Create an audit config. - path: /_plugins/_security/api/audit/config - method: PUT - request: - payload: - enabled: true - audit: - ignore_users: [] - ignore_requests: [] - disabled_rest_categories: - - AUTHENTICATED - - GRANTED_PRIVILEGES - disabled_transport_categories: - - AUTHENTICATED - - GRANTED_PRIVILEGES - log_request_body: false - resolve_indices: false - resolve_bulk_requests: false - exclude_sensitive_headers: true - enable_transport: false - enable_rest: true - compliance: - enabled: true - write_log_diffs: false - read_watched_fields: {} - read_ignore_users: [] - write_watched_indices: [] - write_ignore_users: [] - read_metadata_only: true - write_metadata_only: true - external_config: false - internal_config: true - response: - status: 200 - synopsis: Get an audit config. path: /_plugins/_security/api/audit method: GET diff --git a/tests/default/security/api/audit/config.yaml b/tests/default/security/api/audit/config.yaml new file mode 100644 index 000000000..97335168c --- /dev/null +++ b/tests/default/security/api/audit/config.yaml 
@@ -0,0 +1,39 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test audit/config endpoint. + +chapters: + - synopsis: Create an audit config. + path: /_plugins/_security/api/audit/config + method: PUT + request: + payload: + enabled: true + audit: + ignore_users: [] + ignore_requests: [] + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + log_request_body: false + resolve_indices: false + resolve_bulk_requests: false + exclude_sensitive_headers: true + enable_transport: false + enable_rest: true + compliance: + enabled: true + write_log_diffs: false + read_watched_fields: {} + read_ignore_users: [] + write_watched_indices: [] + write_ignore_users: [] + read_metadata_only: true + write_metadata_only: true + external_config: false + internal_config: true + response: + status: 200 diff --git a/tests/default/security/api/authtoken.yaml b/tests/default/security/api/authtoken.yaml new file mode 100644 index 000000000..4da5718b2 --- /dev/null +++ b/tests/default/security/api/authtoken.yaml @@ -0,0 +1,10 @@ +$schema: ../../../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoint. + +chapters: + - synopsis: Create an auth token. + path: /_plugins/_security/api/authtoken + method: POST + response: + status: 200 diff --git a/tests/default/security/api/certificates.yaml b/tests/default/security/api/certificates.yaml index ec2bd3603..f4f23e817 100644 --- a/tests/default/security/api/certificates.yaml +++ b/tests/default/security/api/certificates.yaml @@ -1,7 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test certificates endpoints. -version: '>= 2.15' +version: '> 2.14' # ADMIN-CERT only. These tests require explicit rest api admin privileges. chapters: 
diff --git a/tests/default/security/api/tokens.yaml b/tests/default/security/api/generateonbehalfoftoken.yaml similarity index 72% rename from tests/default/security/api/tokens.yaml rename to tests/default/security/api/generateonbehalfoftoken.yaml index 1d58b85f7..41b5f1453 100644 --- a/tests/default/security/api/tokens.yaml +++ b/tests/default/security/api/generateonbehalfoftoken.yaml @@ -1,16 +1,11 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test authtoken endpoints. +description: Test generateonbehalfoftoken endpoint. +version: '> 2.11' chapters: - - synopsis: Create an auth token. - path: /_plugins/_security/api/authtoken - method: POST - response: - status: 200 - synopsis: Create an On-Behalf-Of token. # Feature is disabled by default. https://opensearch.org/docs/latest/security/access-control/authentication-tokens/#configuration - version: '>= 2.12' path: /_plugins/_security/api/generateonbehalfoftoken method: POST request: diff --git a/tests/default/security/api/internal_users.yaml b/tests/default/security/api/internalusers.yaml similarity index 97% rename from tests/default/security/api/internal_users.yaml rename to tests/default/security/api/internalusers.yaml index 4c3bd7066..784db4fcd 100644 --- a/tests/default/security/api/internal_users.yaml +++ b/tests/default/security/api/internalusers.yaml @@ -1,6 +1,6 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -description: Test internal users endpoints. +description: Test internalusers endpoints. chapters: - synopsis: Get internal users bulk. diff --git a/tests/default/security/api/user_authtoken.yaml b/tests/default/security/api/internalusers.yml/authtoken.yml similarity index 65% rename from tests/default/security/api/user_authtoken.yaml rename to tests/default/security/api/internalusers.yml/authtoken.yml index da1ee7ce5..2cfb3c6a1 100644 --- a/tests/default/security/api/user_authtoken.yaml +++ b/tests/default/security/api/internalusers.yml/authtoken.yml 
@@ -1,8 +1,7 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml -$schema: ../../../../json_schemas/test_story.schema.yaml - -description: Test authtoken endpoints for user. -version: '>2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 +description: Test internalusers/authtoken endpoint. +version: '> 2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 prologues: - path: /_plugins/_security/api/internalusers/{username} @@ -17,6 +16,7 @@ prologues: service: true enabled: true status: [201] + chapters: # Auth-tokens can only be vended for service accounts. - synopsis: Create internal user token. @@ -26,13 +26,7 @@ chapters: username: test response: status: 200 - - synopsis: Create user token. - path: /_plugins/_security/api/user/{username}/authtoken - method: POST - parameters: - username: test - response: - status: 501 + epilogues: - path: /_plugins/_security/api/internalusers/{username} method: DELETE diff --git a/tests/default/security/api/nodesdn.yaml b/tests/default/security/api/nodesdn.yaml index 7a82d0307..0cfcd1b43 100644 --- a/tests/default/security/api/nodesdn.yaml +++ b/tests/default/security/api/nodesdn.yaml @@ -1,10 +1,9 @@ $schema: ../../../../json_schemas/test_story.schema.yaml +description: Test nodesdn endpoints. # ADMIN-CERT only. These tests require explicit rest api admin privileges. # The setting `plugins. security. nodes_dn_dynamic_config_enabled` must be enabled. -description: Test nodesdn endpoints. - chapters: - synopsis: Get distinguished names. path: /_plugins/_security/api/nodesdn diff --git a/tests/default/security/api/securityconfig.yaml b/tests/default/security/api/securityconfig.yaml index 75aeeddad..28c6573bd 100644 --- a/tests/default/security/api/securityconfig.yaml +++ b/tests/default/security/api/securityconfig.yaml 
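Review bot: The rename target for the internalusers authtoken story, `tests/default/security/api/internalusers.yml/authtoken.yml`, puts a `.yml` suffix on both the directory and the file. Every other nested story in this commit sits under a plain directory and ends in `.yaml` (for example `tenancy/config.yaml` and `user/authtoken.yaml`). If the test runner discovers stories by the `.yaml` extension (not visible here, so worth confirming), this story would drop out of the run without any failure and coverage of a token-issuing endpoint would be lost silently. The path was presumably meant to be `tests/default/security/api/internalusers/authtoken.yaml`; the new `ssl/certs.yml` later in the diff has the same extension mismatch.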
@@ -1,47 +1,10 @@ $schema: ../../../../json_schemas/test_story.schema.yaml -# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. - description: Test securityconfig endpoints. -version: '>=2.10' +version: '> 2.9' +# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges. chapters: - - synopsis: Update a security config. - path: /_plugins/_security/api/securityconfig/config - method: PUT - request: - payload: - dynamic: - filtered_alias_mode: warn - disable_rest_auth: false - disable_intertransport_auth: false - respect_request_indices_options: false - opensearch-dashboards: - multitenancy_enabled: true - server_username: kibanaserver - index: .opensearch-dashboards - http: - anonymous_auth_enabled: false - authc: - basic_internal_auth_domain: - http_enabled: true - transport_enabled: true - order: 0 - http_authenticator: - challenge: true - type: basic - config: {} - authentication_backend: - type: intern - config: {} - description: Authenticate via HTTP Basic against internal users database - auth_failure_listeners: {} - do_not_fail_on_forbidden: false - multi_rolespan_enabled: true - hosts_resolver_mode: ip-only - do_not_fail_on_forbidden_empty: false - response: - status: 403 - synopsis: Get a security config. path: /_plugins/_security/api/securityconfig method: GET diff --git a/tests/default/security/api/securityconfig/config.yaml b/tests/default/security/api/securityconfig/config.yaml new file mode 100644 index 000000000..5bae694be --- /dev/null +++ b/tests/default/security/api/securityconfig/config.yaml 
@@ -0,0 +1,43 @@
+$schema: ../../../../../json_schemas/test_story.schema.yaml
+
+description: Test securityconfig/config endpoint.
+version: '>2.9'
+
+# ADMIN-CERT only (except GET). These tests require explicit rest api admin privileges.
+chapters:
+ - synopsis: Update a security config.
+ path: /_plugins/_security/api/securityconfig/config
+ method: PUT
+ request:
+ payload:
+ dynamic:
+ filtered_alias_mode: warn
+ disable_rest_auth: false
+ disable_intertransport_auth: false
+ respect_request_indices_options: false
+ opensearch-dashboards:
+ multitenancy_enabled: true
+ server_username: kibanaserver
+ index: .opensearch-dashboards
+ http:
+ anonymous_auth_enabled: false
+ authc:
+ basic_internal_auth_domain:
+ http_enabled: true
+ transport_enabled: true
+ order: 0
+ http_authenticator:
+ challenge: true
+ type: basic
+ config: {}
+ authentication_backend:
+ type: intern
+ config: {}
+ description: Authenticate via HTTP Basic against internal users database
+ auth_failure_listeners: {}
+ do_not_fail_on_forbidden: false
+ multi_rolespan_enabled: true
+ hosts_resolver_mode: ip-only
+ do_not_fail_on_forbidden_empty: false
+ response:
+ status: 403
diff --git a/tests/default/security/api/ssl/certs.yml b/tests/default/security/api/ssl/certs.yml
new file mode 100644
index 000000000..168ff0964
--- /dev/null
+++ b/tests/default/security/api/ssl/certs.yml
@@ -0,0 +1,12 @@
+$schema: ../../../../../json_schemas/test_story.schema.yaml
+
+description: Test ssl/certs endpoint.
+version: '>= 2.0'
+
+# ADMIN-CERT only. These tests require explicit rest api admin privileges.
+chapters:
+ - synopsis: Get ssl certificates.
+ path: /_plugins/_security/api/ssl/certs
+ method: GET
+ response:
+ status: 403
diff --git a/tests/default/security/api/ssl/http/reloadcerts.yaml b/tests/default/security/api/ssl/http/reloadcerts.yaml
new file mode 100644
index 000000000..30f1f043b
--- /dev/null
+++ b/tests/default/security/api/ssl/http/reloadcerts.yaml
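Review bot: In the new `securityconfig/config.yaml`, the header comment still reads `# ADMIN-CERT only (except GET). ...` although the file now holds only the PUT chapter. Its `version: '>2.9'` also lacks the space this commit applies elsewhere (`'> 2.9'` in `securityconfig.yaml`). Suggest `version: '> 2.9'` and a comment that states what the story asserts, for example `# ADMIN-CERT only. Without rest api admin privileges the update is expected to be rejected with 403.` Since the only chapter checks the denial path, saying so keeps a reader from taking the 403 for a tolerated failure.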
@@ -0,0 +1,12 @@
+$schema: ../../../../../../json_schemas/test_story.schema.yaml
+
+description: Test ssl/http/reloadcerts endpoint.
+version: '> 2.7'
+
+# ADMIN-CERT only. These tests require explicit rest api admin privileges.
+chapters:
+ - synopsis: Reload http certs.
+ path: /_plugins/_security/api/ssl/http/reloadcerts
+ method: PUT
+ response:
+ status: 403
diff --git a/tests/default/security/api/ssl/transport/reloadcerts.yaml b/tests/default/security/api/ssl/transport/reloadcerts.yaml
new file mode 100644
index 000000000..9585b1a17
--- /dev/null
+++ b/tests/default/security/api/ssl/transport/reloadcerts.yaml
@@ -0,0 +1,12 @@
+$schema: ../../../../../../json_schemas/test_story.schema.yaml
+
+description: Test ssl/transport/reloadcerts endpoint.
+version: '> 2.7'
+
+# ADMIN-CERT only. These tests require explicit rest api admin privileges.
+chapters:
+ - synopsis: Reload transport certs.
+ path: /_plugins/_security/api/ssl/transport/reloadcerts
+ method: PUT
+ response:
+ status: 403
diff --git a/tests/default/security/api/ssl_certs.yaml b/tests/default/security/api/ssl_certs.yaml
deleted file mode 100644
index 738537da1..000000000
--- a/tests/default/security/api/ssl_certs.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-$schema: ../../../../json_schemas/test_story.schema.yaml
-
-description: Test ssl endpoints.
-# ADMIN-CERT only. These tests require explicit rest api admin privileges.
-chapters:
- - synopsis: Get ssl certificates.
- path: /_plugins/_security/api/ssl/certs
- version: '>=2.0'
- method: GET
- response:
- status: 403
- - synopsis: Reload http certs.
- path: /_plugins/_security/api/ssl/http/reloadcerts
- version: '>2.7'
- method: PUT
- response:
- status: 403
- - synopsis: Reload transport certs.
- path: /_plugins/_security/api/ssl/transport/reloadcerts
- version: '>2.7'
- method: PUT
- response:
- status: 403
diff --git a/tests/default/security/api/tenancy_config.yaml b/tests/default/security/api/tenancy/config.yaml similarity index 78% rename from tests/default/security/api/tenancy_config.yaml rename to tests/default/security/api/tenancy/config.yaml index f3d107e7f..1e3d95262 100644 --- a/tests/default/security/api/tenancy_config.yaml +++ b/tests/default/security/api/tenancy/config.yaml @@ -1,7 +1,7 @@ -$schema: ../../../../json_schemas/test_story.schema.yaml +$schema: ../../../../../json_schemas/test_story.schema.yaml -description: Test tenancy config endpoint. -version: '>= 2.7' +description: Test tenancy/config endpoints. +version: '> 2.6' chapters: - synopsis: Get tenancy config. diff --git a/tests/default/security/api/user/authtoken.yaml b/tests/default/security/api/user/authtoken.yaml new file mode 100644 index 000000000..edf450fb6 --- /dev/null +++ b/tests/default/security/api/user/authtoken.yaml @@ -0,0 +1,35 @@ +$schema: ../../../../../json_schemas/test_story.schema.yaml + +description: Test authtoken endpoints for user. +version: '> 2.16' # Fixed via https://github.com/opensearch-project/security/pull/4628 + +prologues: + - path: /_plugins/_security/api/user/{username} + method: PUT + parameters: + username: test + request: + payload: + opendistro_security_roles: [] + backend_roles: [] + attributes: + service: true + enabled: true + status: [201] + +chapters: + # Auth-tokens can only be vended for service accounts. + - synopsis: Create user token. + path: /_plugins/_security/api/user/{username}/authtoken + method: POST + parameters: + username: test + response: + status: 501 + +epilogues: + - path: /_plugins/_security/api/user/{username} + method: DELETE + parameters: + username: test + status: [200] diff --git a/tests/default/security/api/validate.yaml b/tests/default/security/api/validate.yaml index 08d4b1ab2..5c4cbdfc4 100644 --- a/tests/default/security/api/validate.yaml +++ b/tests/default/security/api/validate.yaml 
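Review bot: In the new `user/authtoken.yaml`, the comment `# Auth-tokens can only be vended for service accounts.` sits above a chapter that expects `status: 501`, so it explains the 200 case of the internalusers story rather than this one. A comment such as `# POST user/{username}/authtoken is expected to return 501.` (wording to be confirmed against the linked security PR) would say why a non-2xx result is the passing outcome. The prologue and epilogue here also use `user/{username}`, where the pre-split story used `internalusers/{username}`, and both authtoken stories create and delete an account named `test`. If stories can run concurrently, or an epilogue is skipped after a failure, the `status: [201]` prologue would presumably fail on the leftover account, so a story-specific username would be safer.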
@@ -1,6 +1,7 @@ $schema: ../../../../json_schemas/test_story.schema.yaml description: Test validate endpoint. + # BAD_REQUEST. Can not migrate configuration because it was already migrated. chapters: - synopsis: Check whether v6 configuration is valid. diff --git a/tests/default/security/authinfo.yaml b/tests/default/security/authinfo.yaml index e2138e28b..1d65c31f0 100644 --- a/tests/default/security/authinfo.yaml +++ b/tests/default/security/authinfo.yaml @@ -1,23 +1,24 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test authinfo endpoint. + chapters: - synopsis: Get auth info. path: /_plugins/_security/authinfo method: GET - version: <2.13 + version: < 2.13 response: status: 200 - synopsis: Get auth info via POST. path: /_plugins/_security/authinfo method: POST - version: <2.13 + version: < 2.13 response: status: 200 - synopsis: Get auth info. path: /_plugins/_security/authinfo method: GET - version: =2.13 + version: = 2.13 parameters: verbose: false response: @@ -25,7 +26,7 @@ chapters: - synopsis: Get auth info. path: /_plugins/_security/authinfo method: GET - version: '>2.13' + version: '> 2.13' parameters: verbose: false auth_type: basic diff --git a/tests/default/security/dashboardsinfo.yaml b/tests/default/security/dashboardsinfo.yaml index 16925b704..fb28a9914 100644 --- a/tests/default/security/dashboardsinfo.yaml +++ b/tests/default/security/dashboardsinfo.yaml @@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test dashboardsinfo endpoint. + chapters: - synopsis: Get dashboards info. path: /_plugins/_security/dashboardsinfo diff --git a/tests/default/security/health.yaml b/tests/default/security/health.yaml index b4855fdee..b1c42b037 100644 --- a/tests/default/security/health.yaml +++ b/tests/default/security/health.yaml 
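Review bot: In `authinfo.yaml` the chapter constraints `version: < 2.13` and `version: = 2.13` are left as plain scalars while the last chapter uses the quoted `'> 2.13'`. They load as strings, but quoting all of them (`version: '< 2.13'`, `version: '= 2.13'`) keeps the file uniform and avoids depending on how a given YAML loader treats a value that starts with `<` or `=`.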
@@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test health endpoint. + chapters: - synopsis: Get security health info. path: /_plugins/_security/health diff --git a/tests/default/security/sslinfo.yaml b/tests/default/security/sslinfo.yaml index c5dd4e1ce..b73d18ee4 100644 --- a/tests/default/security/sslinfo.yaml +++ b/tests/default/security/sslinfo.yaml @@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test sslinfo endpoint. + chapters: - synopsis: Get ssl info. path: /_opendistro/_security/sslinfo diff --git a/tests/default/security/tenantinfo.yaml b/tests/default/security/tenantinfo.yaml index 66fece71a..8b0aeee54 100644 --- a/tests/default/security/tenantinfo.yaml +++ b/tests/default/security/tenantinfo.yaml @@ -1,6 +1,7 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test tenantinfo endpoint. + chapters: - synopsis: Get tenant info. path: /_plugins/_security/tenantinfo diff --git a/tests/default/security/whoami.yaml b/tests/default/security/whoami.yaml index ba742b3f5..3e2c5016b 100644 --- a/tests/default/security/whoami.yaml +++ b/tests/default/security/whoami.yaml @@ -1,7 +1,8 @@ $schema: ../../../json_schemas/test_story.schema.yaml description: Test whoami endpoints. -version: '>=2.0' +version: '>= 2.0' + chapters: - synopsis: Get current user info. path: /_plugins/_security/whoami @@ -21,13 +22,3 @@ chapters: dn: null is_admin: false is_node_certificate_request: false - - synopsis: Get current user info from protected endpoint. - version: '>= 2.11' - path: /_plugins/_security/whoamiprotected - method: GET - response: - status: 200 - payload: - dn: null - is_admin: false - is_node_certificate_request: false diff --git a/tests/default/security/whoamiprotected.yaml b/tests/default/security/whoamiprotected.yaml new file mode 100644 index 000000000..a3771fb7c --- /dev/null +++ b/tests/default/security/whoamiprotected.yaml 
@@ -0,0 +1,15 @@
+$schema: ../../../json_schemas/test_story.schema.yaml
+
+description: Test whoamiprotected endpoint.
+version: '> 2.10'
+
+chapters:
+ - synopsis: Get current user info from protected endpoint.
+ path: /_plugins/_security/whoamiprotected
+ method: GET
+ response:
+ status: 200
+ payload:
+ dn: null
+ is_admin: false
+ is_node_certificate_request: false