Test fixes

nibix · nibix · commit 6fdab03dd64b · 2025-10-27T04:03:20.000+01:00
Signed-off-by: Nils Bandener &lt;nils.bandener@eliatra.com&gt;
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/actionlevel/RoleBasedActionPrivilegesTest.java b/src/integrationTest/java/org/opensearch/security/privileges/actionlevel/RoleBasedActionPrivilegesTest.java
@@ -551,19 +551,27 @@ public static class DataStreams {
             final String primaryAction;
             final ImmutableSet<String> requiredActions;
             final ImmutableSet<String> otherActions;
-            final RoleBasedActionPrivileges subject;
+            final Statefulness statefulness;
 
             @Test
             public void positive_full() throws Exception {
                 PrivilegesEvaluationContext ctx = ctx().roles("test_role").indexMetadata(INDEX_METADATA).get();
-                PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(ctx, requiredActions, resolved("data_stream_a11"));
+                PrivilegesEvaluatorResponse result = subject(false).hasIndexPrivilege(ctx, requiredActions, resolved("data_stream_a11"));
                 if (covers(ctx, "data_stream_a11")) {
                     assertThat(result, isAllowed());
-                } else if (covers(ctx, ".ds-data_stream_a11-000001")) {
-                    assertThat(
-                        result,
-                        isPartiallyOk(".ds-data_stream_a11-000001", ".ds-data_stream_a11-000002", ".ds-data_stream_a11-000003")
-                    );
+                } else {
+                    assertThat(result, isForbidden(missingPrivileges(requiredActions)));
+                }
+            }
+
+            @Test
+            public void positive_full_breakDownAliases() throws Exception {
+                PrivilegesEvaluationContext ctx = ctx().roles("test_role").indexMetadata(INDEX_METADATA).get();
+                PrivilegesEvaluatorResponse result = subject(true).hasIndexPrivilege(ctx, requiredActions, resolved("data_stream_a11"));
+                if (covers(ctx, "data_stream_a11")) {
+                    assertThat(result, isAllowed());
+                } else if (covers(ctx, ".ds-data_stream_a11")) {
+                    assertThat(result, isAllowed());
                 } else {
                     assertThat(result, isForbidden(missingPrivileges(requiredActions)));
                 }
@@ -572,7 +580,7 @@ public void positive_full() throws Exception {
             @Test
             public void positive_partial() throws Exception {
                 PrivilegesEvaluationContext ctx = ctx().roles("test_role").indexMetadata(INDEX_METADATA).get();
-                PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
+                PrivilegesEvaluatorResponse result = subject(false).hasIndexPrivilege(
                     ctx,
                     requiredActions,
                     resolved("data_stream_a11", "data_stream_a12")
@@ -584,16 +592,38 @@ public void positive_partial() throws Exception {
                     assertThat(
                         result,
                         isPartiallyOk(
-                            "data_stream_a11",
-                            ".ds-data_stream_a11-000001",
-                            ".ds-data_stream_a11-000002",
-                            ".ds-data_stream_a11-000003"
+                            "data_stream_a11"
                         )
                     );
-                } else if (covers(ctx, ".ds-data_stream_a11-000001")) {
+                } else {
+                    assertThat(result, isForbidden(missingPrivileges(requiredActions)));
+                }
+            }
+
+            @Test
+            public void positive_partial_breakDownAliases() throws Exception {
+                PrivilegesEvaluationContext ctx = ctx().roles("test_role").indexMetadata(INDEX_METADATA).get();
+                PrivilegesEvaluatorResponse result = subject(true).hasIndexPrivilege(
+                        ctx,
+                        requiredActions,
+                        resolved("data_stream_a11", "data_stream_a12")
+                );
+
+                if (covers(ctx, "data_stream_a11", "data_stream_a12")) {
+                    assertThat(result, isAllowed());
+                } else if (covers(ctx, "data_stream_a11")) {
                     assertThat(
-                        result,
-                        isPartiallyOk(".ds-data_stream_a11-000001", ".ds-data_stream_a11-000002", ".ds-data_stream_a11-000003")
+                            result,
+                            isPartiallyOk(
+                                    "data_stream_a11"
+                            )
+                    );
+                } else if (covers(ctx, ".ds-data_stream_a11")) {
+                    assertThat(
+                            result,
+                            isPartiallyOk(
+                                    "data_stream_a11"
+                            )
                     );
                 } else {
                     assertThat(result, isForbidden(missingPrivileges(requiredActions)));
@@ -603,14 +633,14 @@ public void positive_partial() throws Exception {
             @Test
             public void negative_wrongRole() throws Exception {
                 PrivilegesEvaluationContext ctx = ctx().roles("other_role").indexMetadata(INDEX_METADATA).get();
-                PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(ctx, requiredActions, resolved("data_stream_a11"));
+                PrivilegesEvaluatorResponse result = subject(false).hasIndexPrivilege(ctx, requiredActions, resolved("data_stream_a11"));
                 assertThat(result, isForbidden(missingPrivileges(requiredActions)));
             }
 
             @Test
             public void negative_wrongAction() throws Exception {
                 PrivilegesEvaluationContext ctx = ctx().roles("test_role").indexMetadata(INDEX_METADATA).get();
-                PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(ctx, otherActions, resolved("data_stream_a11"));
+                PrivilegesEvaluatorResponse result = subject(false).hasIndexPrivilege(ctx, otherActions, resolved("data_stream_a11"));
                 assertThat(result, isForbidden(missingPrivileges(otherActions)));
             }
 
@@ -676,28 +706,33 @@ public DataStreams(IndexSpec indexSpec, ActionSpec actionSpec, Statefulness stat
                     ? ImmutableSet.of("indices:data/write/update")
                     : ImmutableSet.of("indices:foobar/unknown");
                 this.indexSpec.indexMetadata = INDEX_METADATA.getIndicesLookup();
+                this.statefulness = statefulness;
+            }
 
+            private RoleBasedActionPrivileges subject(boolean breakDownAliases) {
                 Settings settings = Settings.EMPTY;
                 if (statefulness == Statefulness.STATEFUL_LIMITED) {
                     settings = Settings.builder()
-                        .put(
-                            RoleBasedActionPrivileges.PRECOMPUTED_PRIVILEGES_MAX_HEAP_SIZE.getKey(),
-                            new ByteSizeValue(10, ByteSizeUnit.BYTES)
-                        )
-                        .build();
+                            .put(
+                                    RoleBasedActionPrivileges.PRECOMPUTED_PRIVILEGES_MAX_HEAP_SIZE.getKey(),
+                                    new ByteSizeValue(10, ByteSizeUnit.BYTES)
+                            )
+                            .build();
                 }
 
-                this.subject = new RoleBasedActionPrivileges(
-                    roles,
-                    FlattenedActionGroups.EMPTY,
-                    RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
-                    settings,
-                    false
+                RoleBasedActionPrivileges result = new RoleBasedActionPrivileges(
+                        roles,
+                        FlattenedActionGroups.EMPTY,
+                        RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+                        settings,
+                        breakDownAliases
                 );
 
                 if (statefulness == Statefulness.STATEFUL || statefulness == Statefulness.STATEFUL_LIMITED) {
-                    this.subject.updateStatefulIndexPrivileges(INDEX_METADATA.getIndicesLookup(), 1);
+                    result.updateStatefulIndexPrivileges(INDEX_METADATA.getIndicesLookup(), 1);
                 }
+
+                return result;
             }
 
             final static Metadata INDEX_METADATA = //
@@ -706,22 +741,6 @@ public DataStreams(IndexSpec indexSpec, ActionSpec actionSpec, Statefulness stat
 
             static ResolvedIndices resolved(String... indices) {
                 return ResolvedIndices.of(indices);
-                // TODO check
-                // ImmutableSet.Builder<String> allIndices = ImmutableSet.builder();
-                //
-                //
-                // for (String index : indices) {
-                // IndexAbstraction indexAbstraction = INDEX_METADATA.getIndicesLookup().get(index);
-                //
-                // if (indexAbstraction instanceof IndexAbstraction.DataStream) {
-                // allIndices.addAll(
-                // indexAbstraction.getIndices().stream().map(i -> i.getIndex().getName()).collect(Collectors.toList())
-                // );
-                // }
-                //
-                // allIndices.add(index);
-                // }
-
             }
         }
 
@@ -849,21 +868,6 @@ enum Statefulness {
     }
 
     public static class Misc {
-        @Test
-        public void relevantOnly_identity() throws Exception {
-            Map<String, IndexAbstraction> metadata = //
-                indices("index_a11", "index_a12", "index_b")//
-                    .alias("alias_a")
-                    .of("index_a11", "index_a12")//
-                    .build()
-                    .getIndicesLookup();
-
-            assertTrue(
-                "relevantOnly() returned identical object",
-                RoleBasedActionPrivileges.StatefulIndexPrivileges.relevantOnly(metadata, i -> false) == metadata
-            );
-        }
-
         @Test
         public void relevantOnly_closed() throws Exception {
             Map<String, IndexAbstraction> metadata = indices("index_open_1", "index_open_2")//
@@ -942,7 +946,7 @@ public void hasIndexPrivilege_errors() throws Exception {
             assertTrue(
                 "Result mentions role_with_errors: " + result.getEvaluationExceptionInfo(),
                 result.getEvaluationExceptionInfo()
-                    .startsWith("Exceptions encountered during privilege evaluation:\n" + "Error while evaluating")
+                    .contains("Exceptions encountered during privilege evaluation:\n" + "Error while evaluating")
             );
         }
 
@@ -1075,7 +1079,7 @@ public void hasExplicitIndexPrivilege_errors() throws Exception {
             assertTrue(
                 "Result mentions role_with_errors: " + result.getEvaluationExceptionInfo(),
                 result.getEvaluationExceptionInfo()
-                    .startsWith("Exceptions encountered during privilege evaluation:\n" + "Error while evaluating role role_with_errors")
+                    .contains("Exceptions encountered during privilege evaluation:\n" + "Error while evaluating role role_with_errors")
             );
         }
 
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/actionlevel/SubjectBasedActionPrivilegesTest.java b/src/integrationTest/java/org/opensearch/security/privileges/actionlevel/SubjectBasedActionPrivilegesTest.java
@@ -404,11 +404,6 @@ public void positive_full() throws Exception {
                 PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(ctx, requiredActions, resolved("data_stream_a11"));
                 if (covers(ctx, "data_stream_a11")) {
                     assertThat(result, isAllowed());
-                } else if (covers(ctx, ".ds-data_stream_a11-000001")) {
-                    assertThat(
-                        result,
-                        isPartiallyOk(".ds-data_stream_a11-000001", ".ds-data_stream_a11-000002", ".ds-data_stream_a11-000003")
-                    );
                 } else {
                     assertThat(result, isForbidden(missingPrivileges(requiredActions)));
                 }
@@ -429,17 +424,9 @@ public void positive_partial() throws Exception {
                     assertThat(
                         result,
                         isPartiallyOk(
-                            "data_stream_a11",
-                            ".ds-data_stream_a11-000001",
-                            ".ds-data_stream_a11-000002",
-                            ".ds-data_stream_a11-000003"
+                            "data_stream_a11"
                         )
                     );
-                } else if (covers(ctx, ".ds-data_stream_a11-000001")) {
-                    assertThat(
-                        result,
-                        isPartiallyOk(".ds-data_stream_a11-000001", ".ds-data_stream_a11-000002", ".ds-data_stream_a11-000003")
-                    );
                 } else {
                     assertThat(result, isForbidden(missingPrivileges(requiredActions)));
                 }
@@ -516,7 +503,7 @@ public DataStreams(IndexSpec indexSpec, ActionSpec actionSpec) throws Exception
                     config,
                     FlattenedActionGroups.EMPTY,
                     RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
-                    true
+                    false // breakDownAliases = true is already sufficiently checked in RoleBasedActionPrivilegesTest
                 );
             }
 
@@ -526,30 +513,6 @@ public DataStreams(IndexSpec indexSpec, ActionSpec actionSpec) throws Exception
 
             static ResolvedIndices resolved(String... indices) {
                 return ResolvedIndices.of(indices);
-                /* TODO CHECK
-                ImmutableSet.Builder<String> allIndices = ImmutableSet.builder();
-
-                for (String index : indices) {
-                    IndexAbstraction indexAbstraction = INDEX_METADATA.getIndicesLookup().get(index);
-
-                    if (indexAbstraction instanceof IndexAbstraction.DataStream) {
-                        allIndices.addAll(
-                            indexAbstraction.getIndices().stream().map(i -> i.getIndex().getName()).collect(Collectors.toList())
-                        );
-                    }
-
-                    allIndices.add(index);
-                }
-
-                return new IndexResolverReplacer.Resolved(
-                    ImmutableSet.of(),
-                    allIndices.build(),
-                    ImmutableSet.copyOf(indices),
-                    ImmutableSet.of(),
-                    IndicesOptions.LENIENT_EXPAND_OPEN
-                );
-
-                 */
             }
         }
 
diff --git a/src/main/java/org/opensearch/security/privileges/IndexPattern.java b/src/main/java/org/opensearch/security/privileges/IndexPattern.java
@@ -53,9 +53,15 @@ public class IndexPattern {
      * Index patterns which contain date math (like <index_{now}>)
      */
     private final ImmutableList<String> dateMathExpressions;
-    private final int hashCode;
+
+    /**
+     * If this is true, this pattern will also match an alias or data stream if it actually matches ALL child indices of
+     * of the alias or data stream.
+     */
     private final boolean memberIndexPrivilegesYieldAliasPrivileges;
 
+    private final int hashCode;
+
     private IndexPattern(
         WildcardMatcher staticPattern,
         ImmutableList<String> patternTemplates,
diff --git a/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java b/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java
@@ -406,7 +406,7 @@ public void testMtMulti() throws Exception {
         Assert.assertTrue(res.getBody().contains(dashboardsIndex));
 
         // get
-        assertThat(
+        assertThat(res.getBody(),
             HttpStatus.SC_OK,
             is(
                 (res = rh.executeGetRequest(
@@ -416,10 +416,10 @@ public void testMtMulti() throws Exception {
                 )).getStatusCode()
             )
         );
-        Assert.assertFalse(res.getBody().contains("exception"));
-        Assert.assertTrue(res.getBody().contains("humanresources"));
-        Assert.assertTrue(res.getBody().contains("\"found\" : true"));
-        Assert.assertTrue(res.getBody().contains(dashboardsIndex));
+        Assert.assertFalse(res.getBody(),res.getBody().contains("exception"));
+        Assert.assertTrue(res.getBody(),res.getBody().contains("humanresources"));
+        Assert.assertTrue(res.getBody(),res.getBody().contains("\"found\" : true"));
+        Assert.assertTrue(res.getBody(),res.getBody().contains(dashboardsIndex));
 
         // mget
         body = "{\"docs\" : [{\"_index\" : \".kibana\",\"_id\" : \"index-pattern:9fbbd1a0-c3c5-11e8-a13f-71b8ea5a4f7b\"}]}";
@@ -563,7 +563,7 @@ public void testDashboardsAlias65() throws Exception {
                 )).getStatusCode()
             )
         );
-        Assert.assertTrue(res.getBody().contains(".kibana_-900636979_kibanaro"));
+        Assert.assertTrue(res.getBody(), res.getBody().contains(".kibana_-900636979_kibanaro"));
     }
 
     @Test
@@ -638,12 +638,12 @@ public void testMultitenancyAnonymousUser() throws Exception {
 
         /* The anonymous user has access to its tenant */
         res = rh.executeGetRequest(url, new BasicHeader("securitytenant", anonymousTenant));
-        assertThat(res.getStatusCode(), is(HttpStatus.SC_OK));
-        assertThat(res.findValueInJson("_source.tenant"), is(anonymousTenant));
+        assertThat(res.getBody(), res.getStatusCode(), is(HttpStatus.SC_OK));
+        assertThat(res.getBody(), res.findValueInJson("_source.tenant"), is(anonymousTenant));
 
         /* No access to other tenants */
         res = rh.executeGetRequest(url, new BasicHeader("securitytenant", "human_resources"));
-        assertThat(res.getStatusCode(), is(HttpStatus.SC_FORBIDDEN));
+        assertThat(res.getBody(), res.getStatusCode(), is(HttpStatus.SC_FORBIDDEN));
     }
 
     @Test
diff --git a/src/test/java/org/opensearch/security/system_indices/SystemIndexDisabledTests.java b/src/test/java/org/opensearch/security/system_indices/SystemIndexDisabledTests.java
@@ -394,7 +394,7 @@ private void testSnapshotWithUser(String user, Header header) {
                 "{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }",
                 header
             );
-            validateForbiddenResponse(res, action, user);
+            assertThat(res.getStatusCode(), is(HttpStatus.SC_FORBIDDEN));
         }
     }
 }
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
@@ -57,7 +57,6 @@
 import static org.junit.Assert.fail;
 
 @SuppressWarnings("removal")
-@RunWith(RandomizedRunner.class)
 public class SecuritySettingsConfigurerTests {
 
     private final ByteArrayOutputStream outContent = new ByteArrayOutputStream();

Original file line number	Diff line number	Diff line change
`@@ -394,7 +394,7 @@ private void testSnapshotWithUser(String user, Header header) {`
`394`	`394`	`"{ \"rename_pattern\": \"(.+)\", \"rename_replacement\": \"restored_index_with_global_state_$1\" }",`
`395`	`395`	`header`
`396`	`396`	`);`
`397`		`- validateForbiddenResponse(res, action, user);`
	`397`	`+ assertThat(res.getStatusCode(), is(HttpStatus.SC_FORBIDDEN));`
`398`	`398`	`}`
`399`	`399`	`}`
`400`	`400`	`}`