diff --git a/.cspell b/.cspell
index 80670e9b4..03506d7af 100644
--- a/.cspell
+++ b/.cspell
@@ -163,6 +163,7 @@ subqueries
 subschemas
 subword
 syserr
+tcnative
 tdigest
 tenantinfo
 termvectors
diff --git a/spec/namespaces/security.yaml b/spec/namespaces/security.yaml
index f2bbecaf8..73c333838 100644
--- a/spec/namespaces/security.yaml
+++ b/spec/namespaces/security.yaml
@@ -99,6 +99,8 @@ paths:
 responses:
 '200':
 $ref: '#/components/responses/security.tenant_info@200'
+ '403':
+ $ref: '#/components/responses/security.tenant_info@403'
 '500':
 $ref: '#/components/responses/security.tenant_info@500'
 post:
@@ -109,6 +111,8 @@ paths:
 responses:
 '200':
 $ref: '#/components/responses/security.tenant_info@200'
+ '403':
+ $ref: '#/components/responses/security.tenant_info@403'
 '500':
 $ref: '#/components/responses/security.tenant_info@500'
 /_plugins/_security/whoami:
@@ -143,7 +147,7 @@ paths:
 $ref: '#/components/responses/security.who_am_i_protected@200'
 '500':
 $ref: '#/components/responses/security.who_am_i_protected@500'
- /_plugins/_security/_upgrade_check:
+ /_plugins/_security/api/_upgrade_check:
 get:
 operationId: security.config_upgrade_check.0
 x-operation-group: security.config_upgrade_check
@@ -154,7 +158,7 @@ paths:
 responses:
 '200':
 $ref: '#/components/responses/security.config_upgrade_check@200'
- /_plugins/_security/_upgrade_perform:
+ /_plugins/_security/api/_upgrade_perform:
 post:
 operationId: security.config_upgrade_perform.0
 x-operation-group: security.config_upgrade_perform
@@ -1365,7 +1369,7 @@ components:
 content:
 application/json:
 schema:
- $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized'
+ $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'
 security.delete_role@200:
 description: ''
 content:
@@ -1539,7 +1543,7 @@ components:
 content:
 application/json:
 schema:
- $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized'
+ $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'
 security.get_distinguished_names@200:
 description: ''
 content:
@@ -1551,7 +1555,7 @@ components:
 content:
 application/json:
 schema:
- $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized'
+ $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'
 security.get_permissions_info@200:
 description: ''
 content:
@@ -1713,7 +1717,7 @@ components:
 content:
 application/json:
 schema:
- $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized'
+ $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'
 security.patch_distinguished_names@200:
 description: ''
 content:
@@ -1725,7 +1729,7 @@ components:
 content:
 application/json:
 schema:
- $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized'
+ $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'
 security.patch_role@200:
 description: ''
 content:
@@ -1852,6 +1856,14 @@ components:
 application/json:
 schema:
 $ref: '../schemas/security._common.yaml#/components/schemas/TenantInfo'
+ security.tenant_info@403:
+ description: ''
+ content:
+ text/plain:
+ type: string
+ application/json:
+ schema:
+ $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'
 security.tenant_info@500:
 description: ''
 content:
@@ -1881,7 +1893,7 @@ components:
 content:
 application/json:
 schema:
- $ref: '../schemas/security._common.yaml#/components/schemas/Unauthorized'
+ $ref: '../schemas/security._common.yaml#/components/schemas/Forbidden'
 security.validate@200:
 description: ''
 content:
diff --git a/spec/schemas/security._common.yaml b/spec/schemas/security._common.yaml
index 61f90a9a5..112e3a9f5 100644
--- a/spec/schemas/security._common.yaml
+++ b/spec/schemas/security._common.yaml
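Review bot: In the new `security.tenant_info@403` response (hunk at line 1856) the `text/plain` entry puts `type: string` directly under the media type, but an OpenAPI media-type object takes a `schema` key, so the `type` is ignored by lenient tooling and rejected by a strict validator; the sibling `application/json` entry in the same hunk has the correct nesting. Change the three lines to `text/plain:` / `schema:` / `type: string` (indented one level each). The tenantinfo test in this commit expects `content_type: text/plain` for the 403, so the plain-text branch is the one that will actually be exercised.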
@@ -134,10 +134,10 @@ components:
 type: string
 description: User's name.
 user_requested_tenant:
- type: string
+ type: ['null', string]
 description: Name of the tenant the user wants to switch to.
 remote_address:
- type: string
+ type: ['null', string]
 description: The IP address of remote user.
 backend_roles:
 type: array
@@ -152,13 +152,13 @@ components:
 type: object
 description: Tenants the user has access to with read-write or read-only access indicator.
 principal:
- type: string
+ type: ['null', string]
 description: User principal.
 peer_certificates:
- type: number
+ type: [number, string]
 description: Number of peer certificates.
 sso_logout_url:
- type: string
+ type: ['null', string]
 description: Logout url.
 size_of_user:
 type: string
@@ -399,6 +399,17 @@ components:
 doNotFailOnForbiddenEmpty:
 type: boolean

+ Forbidden:
+ type: object
+ properties:
+ status:
+ type: string
+ enum:
+ - 403
+ message:
+ type: string
+ description: Message returned as part of Forbidden response.
+
 GenerateOBOToken:
 type: object
 properties:
@@ -416,7 +427,7 @@ components:
 type: object
 properties:
 message:
- type: string
+ type: ['null', string]
 mode:
 type: string
 status:
@@ -594,13 +605,13 @@ components:
 type: object
 properties:
 principal:
- type: string
+ type: ['null', string]
 description: User principal.
 peer_certificates:
- type: number
+ type: [number, string]
 description: Number of certificates.
 peer_certificates_list:
- type: array
+ type: [array,'null']
 description: List of domain names from peer certificates.
 local_certificates_list:
 type: array
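Review bot: In the new `Forbidden` schema (hunk at line 399) the enum entry `- 403` is read by YAML as the integer 403 while the property is declared `type: string`, so the schema contradicts itself and a validator will reject whichever form the server actually sends. Either quote it as `- '403'` if the plugin emits the status as a string, or declare `type: integer`; I cannot tell from the hunk which one is correct, so check a real 403 body before choosing. The removed `Unauthorized` schema carried the same mismatch, and the rename is a good moment to fix it.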
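Review bot: The new `type: [array,'null']` on `peer_certificates_list` (hunk at line 605) is the only union in this file written null-last and without a space after the comma; every other one reads `['null', string]` or `[number, string]`, so write it as `type: ['null', array]`. In the same hunk, and in the one at line 152, `peer_certificates` is widened to `[number, string]` while its description still says it is a number of certificates; the sslinfo and authinfo tests added in this commit assert the string `'0'`, so the description should say the count may be returned as a string, e.g. `description: Number of peer certificates (may be returned as a string).`.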
@@ -615,13 +626,13 @@ components:
 type: boolean
 description: A boolean to indicate if OpenSSL is available.
 ssl_openssl_version:
- type: string
+ type: [number, string]
 description: Version of openssl.
 ssl_openssl_version_string:
- type: string
+ type: ['null', string]
 description: Full version string for openssl version.
 ssl_openssl_non_available_cause:
- type: string
+ type: ['null', string]
 description: Reason for openssl unavailability.
 ssl_openssl_supports_key_manager_factory:
 type: boolean
@@ -638,6 +649,20 @@ components:
 ssl_provider_transport_client:
 type: string
 description: Returns transport client's name.
+ required:
+ - peer_certificates
+ - principal
+ - ssl_cipher
+ - ssl_openssl_available
+ - ssl_openssl_non_available_cause
+ - ssl_openssl_supports_hostname_validation
+ - ssl_openssl_supports_key_manager_factory
+ - ssl_openssl_version
+ - ssl_openssl_version_string
+ - ssl_protocol
+ - ssl_provider_http
+ - ssl_provider_transport_client
+ - ssl_provider_transport_server

 Tenant:
 type: object
@@ -668,17 +693,6 @@ components:
 additionalProperties:
 $ref: '#/components/schemas/Tenant'

- Unauthorized:
- type: object
- properties:
- status:
- type: string
- enum:
- - 403
- message:
- type: string
- description: Message returned as part of FORBIDDEN response.
-
 UpgradeCheck:
 type: object
 properties:
@@ -745,11 +759,11 @@ components:
 type: object
 properties:
 dn:
- type: string
+ type: ['null', string]
 is_admin:
- type: string
+ type: boolean
 is_node_certificate_request:
- type: string
+ type: boolean

 TenantInfo:
 type: object
diff --git a/tests/security/with-api-prefix/account.yaml b/tests/security/with-api-prefix/account.yaml
index 9adb58ff0..d9b3fb709 100644
--- a/tests/security/with-api-prefix/account.yaml
+++ b/tests/security/with-api-prefix/account.yaml
@@ -14,7 +14,7 @@ prologues:
 opendistro_security_roles: []
 backend_roles: []
 attributes: {}
- status: 200
+ status: [200]
 chapters:
 - synopsis: Get account details.
 path: /_plugins/_security/api/account
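Review bot: The new `required` list (hunk at line 649) omits `peer_certificates_list` and `local_certificates_list`, although the sslinfo test added in this commit asserts both keys are present in every response (as `null` and as a list of DNs) and the schema already gives them nullable/array types; if the plugin always emits them, add `- local_certificates_list` and `- peer_certificates_list` so generated clients do not model them as optional. The schema's own name is above the hunk, so I am inferring from the `ssl_*` property names that this is the same object the sslinfo test validates.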
@@ -41,7 +41,7 @@ epilogues:
 payload:
 current_password: myWeakPassword123!
 password: myStrongPassword123!
- status: 200
+ status: [200]
 - path: /_plugins/_security/api/internalusers/{username}
 method: DELETE
 parameters:
diff --git a/tests/security/with-api-prefix/action_groups.yaml b/tests/security/with-api-prefix/action_groups.yaml
index accef99e7..b64366462 100644
--- a/tests/security/with-api-prefix/action_groups.yaml
+++ b/tests/security/with-api-prefix/action_groups.yaml
@@ -15,7 +15,7 @@ prologues:
 type: index
 description: Test action group
 static: false
- status: 200
+ status: [200]
 chapters:
 - synopsis: Get action groups bulk.
 path: /_plugins/_security/api/actiongroups
diff --git a/tests/security/with-api-prefix/audit.yaml b/tests/security/with-api-prefix/audit.yaml
index 2f378ee6b..09e420e66 100644
--- a/tests/security/with-api-prefix/audit.yaml
+++ b/tests/security/with-api-prefix/audit.yaml
@@ -50,4 +50,5 @@ chapters:
 op: add
 path: /config/enabled
 value: 'true'
- status: 200
+ response:
+ status: 200
diff --git a/tests/security/with-api-prefix/certificates.yaml b/tests/security/with-api-prefix/certificates.yaml
index efb31c5ca..3b87f9fe0 100644
--- a/tests/security/with-api-prefix/certificates.yaml
+++ b/tests/security/with-api-prefix/certificates.yaml
@@ -11,8 +11,7 @@ prologues:
 parameters:
 h: id
 full_id: true
- response:
- status: 200
+ status: [200]
 output:
 node_id: payload.0.id
 chapters:
diff --git a/tests/security/without-api-prefix/upgrade.yaml b/tests/security/with-api-prefix/upgrade.yaml
similarity index 79%
rename from tests/security/without-api-prefix/upgrade.yaml
rename to tests/security/with-api-prefix/upgrade.yaml
index 903cd13b8..0d1b068d6 100644
--- a/tests/security/without-api-prefix/upgrade.yaml
+++ b/tests/security/with-api-prefix/upgrade.yaml
@@ -4,12 +4,12 @@ description: Test upgrade eligibility endpoints.
 version: '>= 2.14'
 chapters:
 - synopsis: Check whether an upgrade can be performed.
- path: /_plugins/_security/_upgrade_check
+ path: /_plugins/_security/api/_upgrade_check
 method: GET
 response:
 status: 200
 - synopsis: Perform the upgrade.
- path: /_plugins/_security/_upgrade_perform
+ path: /_plugins/_security/api/_upgrade_perform
 method: POST
 request_body:
 payload:
diff --git a/tests/security/without-api-prefix/authinfo.yaml b/tests/security/without-api-prefix/authinfo.yaml
index 3895af8c0..9e45a36f7 100644
--- a/tests/security/without-api-prefix/authinfo.yaml
+++ b/tests/security/without-api-prefix/authinfo.yaml
@@ -10,6 +10,21 @@ chapters:
 verbose: false
 response:
 status: 200
+ payload:
+ user_requested_tenant: null
+ principal: null
+ peer_certificates: '0'
+ sso_logout_url: null
+ user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]'
+ user_name: admin
+ backend_roles: [admin]
+ custom_attribute_names: []
+ roles: [all_access,own_index]
+ tenants:
+ global_tenant: true
+ admin_tenant: true
+ admin: true
+
 - synopsis: Get auth info via POST.
 path: /_plugins/_security/authinfo
 method: POST
@@ -18,3 +33,17 @@ chapters:
 verbose: false
 response:
 status: 200
+ payload:
+ user_requested_tenant: null
+ principal: null
+ peer_certificates: '0'
+ sso_logout_url: null
+ user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]'
+ user_name: admin
+ backend_roles: [admin]
+ custom_attribute_names: []
+ roles: [all_access,own_index]
+ tenants:
+ global_tenant: true
+ admin_tenant: true
+ admin: true
diff --git a/tests/security/without-api-prefix/health.yaml b/tests/security/without-api-prefix/health.yaml
index ba3e387dd..6fa73719a 100644
--- a/tests/security/without-api-prefix/health.yaml
+++ b/tests/security/without-api-prefix/health.yaml
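Review bot: The expected payload added under `status: 200` in authinfo.yaml (hunk at line 10, repeated verbatim in the hunk at line 33) pins `user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]'`, which looks like a Java `toString` rendering of the user object rather than a structured field, and it hard-codes the `admin` identity, role and tenant mapping of the test cluster, so any change to that rendering or to the admin role mapping breaks both chapters at once. Consider asserting only the fields with a stable contract (`user_name`, `backend_roles`, `roles`, `tenants`) and dropping the `user` line, or add a comment above `payload:` recording that the value is tied to the default `admin` user of the test cluster. The flow sequence `roles: [all_access,own_index]` should also get a space after the comma, `roles: [all_access, own_index]`, to match `backend_roles: [admin]` and the rest of the file.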
@@ -9,10 +9,18 @@ chapters:
 mode: strict
 response:
 status: 200
+ payload:
+ message: null
+ mode: strict
+ status: UP
 - synopsis: Get security health info via POST.
 path: /_plugins/_security/health
 method: POST
 parameters:
 mode: strict
 response:
- status: 200
\ No newline at end of file
+ status: 200
+ payload:
+ message: null
+ mode: strict
+ status: UP
\ No newline at end of file
diff --git a/tests/security/without-api-prefix/sslinfo.yaml b/tests/security/without-api-prefix/sslinfo.yaml
index 67afcf717..c800ba3c4 100644
--- a/tests/security/without-api-prefix/sslinfo.yaml
+++ b/tests/security/without-api-prefix/sslinfo.yaml
@@ -6,6 +6,24 @@ chapters:
 path: /_opendistro/_security/sslinfo
 method: GET
 parameters:
- show_dn: false
+ show_dn: 'true'
 response:
 status: 200
+ payload:
+ principal: null
+ peer_certificates: '0'
+ peer_certificates_list: null
+ local_certificates_list:
+ - 'CN=node-0.example.com, OU=node, O=node, L=test, C=de'
+ ssl_protocol: TLSv1.3
+ ssl_cipher: TLS_AES_256_GCM_SHA384
+ ssl_openssl_available: false
+ ssl_openssl_version: -1
+ ssl_openssl_version_string: null
+ ssl_openssl_non_available_cause: 'java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSLContext'
+ ssl_openssl_supports_key_manager_factory: false
+ ssl_openssl_supports_hostname_validation: false
+ ssl_provider_http: JDK
+ ssl_provider_transport_server: JDK
+ ssl_provider_transport_client: JDK
+
diff --git a/tests/security/without-api-prefix/tenantinfo.yaml b/tests/security/without-api-prefix/tenantinfo.yaml
index 9498a4275..3ffca8068 100644
--- a/tests/security/without-api-prefix/tenantinfo.yaml
+++ b/tests/security/without-api-prefix/tenantinfo.yaml
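Review bot: The new side of health.yaml still ends without a trailing newline (`\ No newline at end of file` after the added `status: UP`); since the commit already rewrites that last line, finish the file with a single newline so the next edit does not carry the same marker. The sslinfo hunk below has the opposite problem, a stray empty `+` line at the end of the file, and tenantinfo.yaml in this commit also ends without a newline.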
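Review bot: The sslinfo payload added after `status: 200` asserts facts about the test environment rather than the API shape: `ssl_protocol: TLSv1.3`, `ssl_cipher: TLS_AES_256_GCM_SHA384`, the three `JDK` provider values and the exact `ssl_openssl_non_available_cause` class-not-found string all depend on the JDK and on the `io.netty.internal.tcnative` classes being absent from the test image, so a runtime bump or an image that ships tcnative (the word is even being added to `.cspell` in this commit) flips every one of these at once and not for an API reason. Keep the structural assertions (`principal: null`, `peer_certificates: '0'`, `peer_certificates_list: null`, the DN under `local_certificates_list`) and either drop the provider/cipher/cause lines or put a comment above `payload:` such as `# values below assume the JDK TLS provider with no netty-tcnative on the classpath` so the coupling is explicit. The change from `show_dn: false` to the quoted string `'true'` is presumably deliberate for a query parameter, but a comment would help since it is the only boolean-looking string in the file. Also remove the trailing empty `+` line at the end of the file.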
@@ -5,11 +5,13 @@ chapters:
 - synopsis: Get tenant info.
 path: /_plugins/_security/tenantinfo
 method: GET
- response:
- status: 200
+ response:
+ status: 403 # only allowed for super-admin or dashboards-server role mapping
+ content_type: text/plain
 - synopsis: Get tenant info via POST.
 path: /_plugins/_security/tenantinfo
 method: POST
 response:
- status: 200
+ status: 403 # only allowed for super-admin or dashboards-server role mapping
+ content_type: text/plain
\ No newline at end of file
diff --git a/tests/security/without-api-prefix/whoami.yaml b/tests/security/without-api-prefix/whoami.yaml
index fabc9bb22..9e3eab4fe 100644
--- a/tests/security/without-api-prefix/whoami.yaml
+++ b/tests/security/without-api-prefix/whoami.yaml
@@ -7,14 +7,26 @@ chapters:
 method: GET
 response:
 status: 200
+ payload:
+ dn: null
+ is_admin: false
+ is_node_certificate_request: false
 - synopsis: Get current user info via POST.
 path: /_plugins/_security/whoami
 method: POST
 response:
 status: 200
+ payload:
+ dn: null
+ is_admin: false
+ is_node_certificate_request: false
 - synopsis: Get current user info from protected endpoint.
 version: '>= 2.11'
 path: /_plugins/_security/whoamiprotected
 method: GET
 response:
 status: 200
+ payload:
+ dn: null
+ is_admin: false
+ is_node_certificate_request: false
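Review bot: The inline comments on the two new `status: 403` lines in tenantinfo.yaml sit one space after the value; yamllint's `comments` rule wants at least two (`status: 403  # only allowed for super-admin or dashboards-server role mapping`), and the file still ends without a trailing newline after the last `content_type: text/plain`. The comment itself is worth keeping because it records why 403, not 200, is the expected outcome for the identity the tests run as; rather than repeating it on both chapters, state it once in a comment above the first `- synopsis:` line, e.g. `# tenantinfo is restricted to super-admin or the dashboards-server role mapping, which the test user does not have, so both chapters expect 403`. That the test user lacks those mappings is inferred from the comment, not visible in the hunk, so confirm it matches the cluster setup.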