From 06113e295f0fbffc6c4698279d8543f81f60b7b5 Mon Sep 17 00:00:00 2001
From: Derek Ho
Date: Thu, 12 Sep 2024 12:29:13 -0400
Subject: [PATCH] Rename auth failure listeners & add permission support (#4713)
Signed-off-by: Derek Ho
Signed-off-by: tmanninger
---
 .../opensearch/security/dlic/rest/api/Endpoint.java | 2 +-
 ...nersApiAction.java => RateLimitersApiAction.java} | 12 ++++--------
 .../rest/api/RestApiAdminPrivilegesEvaluator.java | 8 +-------
 .../dlic/rest/api/SecurityRestApiActions.java | 2 +-
 .../rest/api/AbstractApiActionValidationTest.java | 3 ++-
 ...ctionTest.java => RateLimitersApiActionTest.java} | 2 +-
 ...java => RateLimitersApiActionValidationTest.java} | 4 ++--
 .../dlic/rest/validation/EndpointValidatorTest.java | 3 ++-
 8 files changed, 14 insertions(+), 22 deletions(-)
 rename src/main/java/org/opensearch/security/dlic/rest/api/{AuthFailureListenersApiAction.java => RateLimitersApiAction.java} (96%)
 rename src/test/java/org/opensearch/security/dlic/rest/api/{AuthFailureListenersApiActionTest.java => RateLimitersApiActionTest.java} (99%)
 rename src/test/java/org/opensearch/security/dlic/rest/api/{AuthFailureListenersApiActionValidationTest.java => RateLimitersApiActionValidationTest.java} (94%)
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java b/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java
index 45be6c8596..ecc9dcbc59 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java
@@ -24,7 +24,7 @@ public enum Endpoint {
 PERMISSIONSINFO,
 AUTHTOKEN,
 TENANTS,
- AUTHFAILURELISTENERS,
+ RATELIMITERS,
 MIGRATE,
 VALIDATE,
 WHITELIST,
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RateLimitersApiAction.java
similarity index 96%
rename from src/main/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiAction.java
rename to src/main/java/org/opensearch/security/dlic/rest/api/RateLimitersApiAction.java
index 63937befaa..6dc51bf6e1 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RateLimitersApiAction.java
@@ -50,7 +50,7 @@
 import static org.opensearch.security.securityconf.impl.v7.ConfigV7.MAX_TRACKED_CLIENTS_DEFAULT;
 import static org.opensearch.security.securityconf.impl.v7.ConfigV7.TIME_WINDOW_SECONDS_DEFAULT;
-public class AuthFailureListenersApiAction extends AbstractApiAction {
+public class RateLimitersApiAction extends AbstractApiAction {
 public static final String IP_TYPE = "ip";
@@ -75,18 +75,14 @@ public class AuthFailureListenersApiAction extends AbstractApiAction {
 )
 );
- protected AuthFailureListenersApiAction(
- ClusterService clusterService,
- ThreadPool threadPool,
- SecurityApiDependencies securityApiDependencies
- ) {
- super(Endpoint.AUTHFAILURELISTENERS, clusterService, threadPool, securityApiDependencies);
+ protected RateLimitersApiAction(ClusterService clusterService, ThreadPool threadPool, SecurityApiDependencies securityApiDependencies) {
+ super(Endpoint.RATELIMITERS, clusterService, threadPool, securityApiDependencies);
 this.requestHandlersBuilder.configureRequestHandlers(this::authFailureConfigApiRequestHandlers);
 }
 @Override
 public String getName() {
- return "Auth failure listener actions to Retrieve / Update configs.";
+ return "Rate limiter actions to retrieve / update configs.";
 }
 @Override
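Review bot: The rename stops at the class and endpoint names: the constructor in this hunk still registers `this::authFailureConfigApiRequestHandlers` (the method's definition is outside the hunk), and RateLimitersApiActionValidationTest later in the patch still calls its local `authFailureListenerApiActionRequestContentValidator`, so a reader grepping for either term now finds two vocabularies for one feature. Either finish the rename (`this::rateLimiterConfigApiRequestHandlers` here, together with the method itself) or add a class-level Javadoc sentence stating that rate limiters are the renamed auth-failure listeners and naming which internal identifiers and config keys still carry the old term, so the link is discoverable from either side. The getName() string also changes here; if that name surfaces in logs or diagnostics, anyone filtering on the old phrase needs a changelog pointer. The class body continues outside the hunk.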
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
index a80d029f13..faa0217db2 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
@@ -66,6 +66,7 @@ default String build() {
 .put(Endpoint.CONFIG, action -> buildEndpointActionPermission(Endpoint.CONFIG, action))
 .put(Endpoint.INTERNALUSERS, action -> buildEndpointPermission(Endpoint.INTERNALUSERS))
 .put(Endpoint.NODESDN, action -> buildEndpointPermission(Endpoint.NODESDN))
+ .put(Endpoint.RATELIMITERS, action -> buildEndpointPermission(Endpoint.RATELIMITERS))
 .put(Endpoint.ROLES, action -> buildEndpointPermission(Endpoint.ROLES))
 .put(Endpoint.ROLESMAPPING, action -> buildEndpointPermission(Endpoint.ROLESMAPPING))
 .put(Endpoint.TENANTS, action -> buildEndpointPermission(Endpoint.TENANTS))
@@ -98,13 +99,6 @@ public boolean isCurrentUserAdminFor(final Endpoint endpoint, final String actio
 return false;
 }
 if (adminDNs.isAdmin(userAndRemoteAddress.getLeft())) {
- if (logger.isDebugEnabled()) {
- logger.debug(
- "Security admin permissions required for endpoint {} but {} is not an admin",
- endpoint,
- userAndRemoteAddress.getLeft().getName()
- );
- }
 return true;
 }
 if (!ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint)) {
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java
index ff1d0ef112..ceb99a9401 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java
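Review bot: Registering `Endpoint.RATELIMITERS` in ENDPOINTS_WITH_PERMISSIONS widens who may change the auth-failure rate-limiter configuration, and nothing in the patch documents or tests that boundary. The second hunk in this file shows that endpoints absent from the map fall into the `!ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint)` branch of isCurrentUserAdminFor after the certificate-admin check, so presumably only admin-certificate holders could reach this endpoint before, whereas a user granted `restapi:admin/ratelimiters` can now read and rewrite the settings that throttle repeated failed logins. I would add a line where the REST-admin permissions are documented, and a test in RateLimitersApiActionTest that a user holding only this permission is allowed while one without it is rejected, since the test edits in this patch only extend the known-permission lists in AbstractApiActionValidationTest and EndpointValidatorTest. build() starts and ends outside the hunk.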
@@ -97,7 +97,7 @@ public static Collection getHandler(
 new AllowlistApiAction(Endpoint.ALLOWLIST, clusterService, threadPool, securityApiDependencies),
 new AuditApiAction(clusterService, threadPool, securityApiDependencies),
 new MultiTenancyConfigApiAction(clusterService, threadPool, securityApiDependencies),
- new AuthFailureListenersApiAction(clusterService, threadPool, securityApiDependencies),
+ new RateLimitersApiAction(clusterService, threadPool, securityApiDependencies),
 new ConfigUpgradeApiAction(clusterService, threadPool, securityApiDependencies),
 new SecuritySSLCertsApiAction(clusterService, threadPool, securityKeyStore, certificatesReloadEnabled, securityApiDependencies),
 new CertificatesApiAction(clusterService, threadPool, securityApiDependencies)
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
index b91374e725..39ff609c06 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
@@ -145,7 +145,8 @@ protected List restApiAdminPermissions() {
 "restapi:admin/rolesmapping",
 "restapi:admin/ssl/certs/info",
 "restapi:admin/ssl/certs/reload",
- "restapi:admin/tenants"
+ "restapi:admin/tenants",
+ "restapi:admin/ratelimiters"
 );
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RateLimitersApiActionTest.java
similarity index 99%
rename from src/test/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiActionTest.java
rename to src/test/java/org/opensearch/security/dlic/rest/api/RateLimitersApiActionTest.java
index 8e283ad0d4..9b2bad983a 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RateLimitersApiActionTest.java
@@ -21,7 +21,7 @@
 import static org.hamcrest.core.IsEqual.equalTo;
 import static org.hamcrest.core.StringContains.containsString;
-public class AuthFailureListenersApiActionTest extends AbstractRestApiUnitTest {
+public class RateLimitersApiActionTest extends AbstractRestApiUnitTest {
 private static final Header ADMIN_FULL_ACCESS_USER = encodeBasicHeader("admin_all_access", "admin_all_access");
 private static final Header USER_NO_REST_API_ACCESS = encodeBasicHeader("admin", "admin");
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RateLimitersApiActionValidationTest.java
similarity index 94%
rename from src/test/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiActionValidationTest.java
rename to src/test/java/org/opensearch/security/dlic/rest/api/RateLimitersApiActionValidationTest.java
index 1982b7c738..6191a043ff 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuthFailureListenersApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RateLimitersApiActionValidationTest.java
@@ -27,11 +27,11 @@
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
-public class AuthFailureListenersApiActionValidationTest extends AbstractApiActionValidationTest {
+public class RateLimitersApiActionValidationTest extends AbstractApiActionValidationTest {
 @Test
 public void validateAllowedFields() throws IOException {
- final var authFailureListenerApiActionRequestContentValidator = new AuthFailureListenersApiAction(
+ final var authFailureListenerApiActionRequestContentValidator = new RateLimitersApiAction(
 clusterService,
 threadPool,
 securityApiDependencies
diff --git a/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java
index 69bdb6a1a3..a38b28fa5c 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java
@@ -405,7 +405,8 @@ private List restAdminPermissions() {
 "restapi:admin/rolesmapping",
 "restapi:admin/ssl/certs/info",
 "restapi:admin/ssl/certs/reload",
- "restapi:admin/tenants"
+ "restapi:admin/tenants",
+ "restapi:admin/ratelimiters"
 );
 }