Add security tests and workflow plus minor fix #470
Conversation
Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>
.../notifications/src/main/kotlin/org/opensearch/notifications/index/NotificationConfigIndex.kt
Show resolved
Hide resolved
| val error = sendResponse.get("error").asJsonObject | ||
| Assert.assertNotNull(error.get("reason").asString) |
There was a problem hiding this comment.
Should we check the error explicitly since this is technically testing an expected INTERNAL_SERVER_ERROR because the Slack channel doesn't exist.
Just want to make sure an actual issue presenting itself as an INTERNAL_SERVER_ERROR doesn't slip by in this case.
Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>
Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>
Codecov Report
@@ Coverage Diff @@
## main #470 +/- ##
============================================
- Coverage 61.77% 61.43% -0.34%
Complexity 112 112
============================================
Files 73 73
Lines 2451 2466 +15
Branches 264 266 +2
============================================
+ Hits 1514 1515 +1
- Misses 761 773 +12
- Partials 176 178 +2
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
The test and build dashboards CI is failing because it needs to build against 2.2 if we're using OSD branch If the bump to |
| * @param block a function to process this [AutoCloseable] resource. | ||
| * @return the result of [block] function invoked on this resource. | ||
| */ | ||
| @Suppress("TooGenericExceptionCaught") |
There was a problem hiding this comment.
Let's see if we can get rid of these Suppress by having more specific exceptions raised. Unless it is breaking bwc.
| val ALL_ACCESS_ROLE = "all_access" | ||
| val NOTIFICATION_FULL_ACCESS_ROLE = "notifications_full_access" | ||
| val NOTIFICATION_READ_ONLY_ACCESS = "notifications_read_access" | ||
| val NOTIFICATION_NO_ACCESS_ROLE = "no_access" | ||
| val NOTIFICATION_CREATE_CONFIG_ACCESS = "notifications_create_config_access" | ||
| val NOTIFICATION_UPDATE_CONFIG_ACCESS = "notifications_update_config_access" | ||
| val NOTIFICATION_DELETE_CONFIG_ACCESS = "notifications_delete_config_access" | ||
| val NOTIFICATION_GET_CONFIG_ACCESS = "notifications_get_config_access" | ||
| val NOTIFICATION_GET_PLUGIN_FEATURE_ACCESS = "notifications_get_plugin_access" | ||
| val NOTIFICATION_GET_CHANNEL_ACCESS = "notifications_get_channel_access" | ||
| val NOTIFICATION_TEST_SEND_ACCESS = "notifications_test_send_access" |
There was a problem hiding this comment.
Why do we need to define these access roles separately/specifically for tests, and not import from the actual source for consistency ?
There was a problem hiding this comment.
This is purely as a helper class. Only the ALL_ACCESS_ROLE, NOTIFICATION_FULL_ACCESS_ROLE, and NOTIFICATION_READ_ONLY_ACCESS exist, but that is in the security plugin. We have set the others so it easier for the security integration tests to use them.
| @@ -99,6 +101,68 @@ fun getStatusText(response: JsonObject): String { | |||
| .get("status_text").asString | |||
| } | |||
|
|
|||
| private val charPool: List<Char> = ('a'..'z') + ('A'..'Z') + ('0'..'9') | |||
|
|
|||
| fun getCreateRequestJsonString( | |||
There was a problem hiding this comment.
nit : should we be more specific in naming such as getCreateNotificationRequestJsonString
| ConfigType.SLACK -> """ | ||
| "slack":{"url":"https://slack.domain.com/sample_slack_url#$randomString"} | ||
| """.trimIndent() | ||
| ConfigType.CHIME -> """ | ||
| "chime":{"url":"https://chime.domain.com/sample_chime_url#$randomString"} | ||
| """.trimIndent() | ||
| ConfigType.WEBHOOK -> """ | ||
| "webhook":{"url":"https://web.domain.com/sample_web_url#$randomString"} | ||
| """.trimIndent() | ||
| ConfigType.SMTP_ACCOUNT -> """ | ||
| "smtp_account":{ | ||
| "host":"smtp.domain.com", | ||
| "port":"4321", | ||
| "method":"ssl", | ||
| "from_address":"$randomString@from.com" |
There was a problem hiding this comment.
Wondering if these all can be resolved via predefined Map <ConfigType, Value> for better maintainability and reusability ?
There was a problem hiding this comment.
The problem is that we need to pass in values to the config definition and abstracting this out would end up complicating the code as no other function currently needs this.
| deleteUserWithCustomRole(user, NOTIFICATION_DELETE_CONFIG_ACCESS) | ||
| } | ||
|
|
||
| fun `test delete slack notification config without get Notification permission`() { |
There was a problem hiding this comment.
Wondering if we should randomize on the channels; since all the scenarios will fit across different channels (slack/chime)
There was a problem hiding this comment.
I agree. In a future PR, we can make the tests run for each channel type
Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>
* Add security tests and workflow plus minor fix Signed-off-by: Ashish Agrawal <ashisagr@amazon.com> * fix test and update workflow Signed-off-by: Ashish Agrawal <ashisagr@amazon.com> * apply cleanup comments Signed-off-by: Ashish Agrawal <ashisagr@amazon.com> (cherry picked from commit 7f3c6a8)
* Add security tests and workflow plus minor fix Signed-off-by: Ashish Agrawal <ashisagr@amazon.com> * fix test and update workflow Signed-off-by: Ashish Agrawal <ashisagr@amazon.com> * apply cleanup comments Signed-off-by: Ashish Agrawal <ashisagr@amazon.com> (cherry picked from commit 7f3c6a8) Co-authored-by: Ashish Agrawal <ashisagr@amazon.com>
Signed-off-by: Ashish Agrawal ashisagr@amazon.com
Description
Issues Resolved
#258
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.