Skip to content

Commit

Permalink
Add User.isAdminDn to User class (opensearch-project#547) (opensearch…
Browse files Browse the repository at this point in the history
…-project#562)

* Add User.isSuperUser to User class



* Add null check



* Add another test



* Make method non-static and require a user to exist to call method



* Change to isAdminDn



---------



(cherry picked from commit 107be59)

Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: AWSHurneyt <[email protected]>
  • Loading branch information
2 people authored and AWSHurneyt committed Apr 12, 2024
1 parent 1d12511 commit 988b707
Show file tree
Hide file tree
Showing 3 changed files with 57 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/main/java/org/opensearch/commons/ConfigConstants.java
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,7 @@ public class ConfigConstants {
public static final String INJECTED_USER = "injected_user";
public static final String OPENSEARCH_SECURITY_USE_INJECTED_USER_FOR_PLUGINS = "plugins.security_use_injected_user_for_plugins";
public static final String OPENSEARCH_SECURITY_SSL_HTTP_ENABLED = "plugins.security.ssl.http.enabled";
public static final String OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn";
public static final String OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT = "_opendistro_security_user_info";

}
11 changes: 11 additions & 0 deletions src/main/java/org/opensearch/commons/authuser/User.java
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
Expand All @@ -18,8 +19,10 @@
import org.opensearch.client.Response;
import org.opensearch.common.Nullable;
import org.opensearch.common.inject.internal.ToStringBuilder;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.xcontent.XContentHelper;
import org.opensearch.common.xcontent.json.JsonXContent;
import org.opensearch.commons.ConfigConstants;
import org.opensearch.core.common.Strings;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
Expand Down Expand Up @@ -249,4 +252,12 @@ public List<String> getCustomAttNames() {
public String getRequestedTenant() {
return requestedTenant;
}

public boolean isAdminDn(Settings settings) {
if (settings == null) {
return false;
}
List<String> adminDns = settings.getAsList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList());
return adminDns.contains(this.name);
}
}
44 changes: 44 additions & 0 deletions src/test/java/org/opensearch/commons/authuser/UserTest.java
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,13 @@

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.junit.jupiter.api.Test;
import org.opensearch.common.io.stream.BytesStreamOutput;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.commons.ConfigConstants;
import org.opensearch.core.common.Strings;
import org.opensearch.core.common.io.stream.StreamInput;

Expand Down Expand Up @@ -202,4 +204,46 @@ public void testParseUserStringMalformed() {
User user = User.parse(str);
assertNull(user);
}

@Test
public void testUserIsAdminDnTrue() {
Settings settings = Settings
.builder()
.putList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, List.of("CN=kirk,OU=client,O=client,L=test, C=de"))
.build();
ThreadContext tc = new ThreadContext(Settings.EMPTY);
tc
.putTransient(
OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT,
"CN=kirk,OU=client,O=client,L=test, C=de|backendrole1,backendrole2|role1,role2"
);
String str = tc.getTransient(OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT);
User user = User.parse(str);
assertTrue(user.isAdminDn(settings));
}

@Test
public void testUserIsAdminDnFalse() {
Settings settings = Settings
.builder()
.putList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, List.of("CN=spock,OU=client,O=client,L=test, C=de"))
.build();
ThreadContext tc = new ThreadContext(Settings.EMPTY);
tc
.putTransient(
OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT,
"CN=kirk,OU=client,O=client,L=test, C=de|backendrole1,backendrole2|role1,role2"
);
String str = tc.getTransient(OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT);
User user = User.parse(str);
assertFalse(user.isAdminDn(settings));
}

@Test
public void testUserOrSettingsAreNullOrEmpty() {
Settings settings = Settings.EMPTY;
User user = User.parse("username|backend_role1|role1");
assertFalse(user.isAdminDn(null));
assertFalse(user.isAdminDn(settings));
}
}

0 comments on commit 988b707

Please sign in to comment.