New test framework (#1967)

This is the first iteration of a new framework for integration tests. The main focus is on conciseness and self-contained test. The framework offers:

A programmatic way of defining the cluster setup
A programmatic way of defining users and roles
A programmatic way of defining indices
A REST client with methods tailored for testing

This is now all part of the test class, so you do not need to jump around in various configuration files to get an overview on the test setup. There are of course still a lot of features missing, like setting up test data. I propose to add these features in increments.

Signed-off-by: Nils Bandener <[email protected]>
Signed-off-by: Jochen Kressin <[email protected]>
Signed-off-by: Lukasz Soszynski <[email protected]>
Signed-off-by: Kacper Trochimiak <[email protected]>
Signed-off-by: Nils Bandener <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Co-authored-by: Jochen Kressin <[email protected]>
Co-authored-by: Lukasz Soszynski <[email protected]>
Co-authored-by: Kacper Trochimiak <[email protected]>
Co-authored-by: Peter Nied <[email protected]>

.github/workflows/cd.yml

@@ -34,9 +34,9 @@ jobs:
 
  - name: Build
  run: |
- ./gradlew clean build -Dbuild.snapshot=false -x test
+ ./gradlew clean build -Dbuild.snapshot=false -x test -x integrationTest
  artifact_zip=`ls $(pwd)/build/distributions/opensearch-security-*.zip | grep -v admin-standalone`
- ./gradlew build buildDeb buildRpm -ParchivePath=$artifact_zip -Dbuild.snapshot=false -x test
+ ./gradlew build buildDeb buildRpm -ParchivePath=$artifact_zip -Dbuild.snapshot=false -x test -x integrationTest
  mkdir artifacts
  cp $artifact_zip artifacts/
  cp build/distributions/*.deb artifacts/

.github/workflows/ci.yml

@@ -36,10 +36,10 @@ jobs:
  ${{ runner.os }}-gradle-
 
  - name: Package
- run: ./gradlew clean build -Dbuild.snapshot=false -x test
+ run: ./gradlew clean build -Dbuild.snapshot=false -x test -x integrationTest
 
  - name: Test
- run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true ./gradlew test -i
+ run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true ./gradlew test integrationTest -i
 
  - name: Coverage
  uses: codecov/codecov-action@v1
@@ -65,7 +65,7 @@ jobs:
  - uses: actions/setup-java@v1
  with:
  java-version: 11
- - run: ./gradlew clean build -Dbuild.snapshot=false -x test
+ - run: ./gradlew clean build -Dbuild.snapshot=false -x test -x integrationTest
  - run: |
  echo "Running backwards compatibility tests ..."
  security_plugin_version_no_snapshot=$(./gradlew properties -q | grep -E '^version:' | awk '{print $2}' | sed 's/-SNAPSHOT//g')
@@ -88,7 +88,7 @@ jobs:
  - uses: github/codeql-action/init@v1
  with:
  languages: java
- - run: ./gradlew clean build -Dbuild.snapshot=false -x test
+ - run: ./gradlew clean build -Dbuild.snapshot=false -x test -x integrationTest
  - uses: github/codeql-action/analyze@v1
 
  build-artifact-names:

build.gradle

@@ -9,6 +9,8 @@
  * GitHub history for details.
  */
 
+
+import com.diffplug.gradle.spotless.JavaExtension
 import org.opensearch.gradle.test.RestIntegTestTask
 
 buildscript {
@@ -73,6 +75,12 @@ spotless {
  java {
  // note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports
  importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+ targetExclude('src/integrationTest/**')
+ }
+ format("integrationTest", JavaExtension) {
+ target('src/integrationTest/java/**/*.java')
+ importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+ indentWithTabs(4)
  }
 }
 
@@ -92,6 +100,12 @@ forbiddenPatterns.enabled = false
 testingConventions.enabled = false
 // Conflicts between runtime kafka-clients:3.0.1 & testRuntime kafka-clients:3.0.1:test
 jarHell.enabled = false
+tasks.whenTaskAdded {task ->
+ if(task.name.contains("forbiddenApisIntegrationTest")) {
+ task.enabled = false
+ }
+}
+
 
 test {
  include '**/*.class'
@@ -221,24 +235,62 @@ bundlePlugin {
  }
 }
 
-configurations.all {
- resolutionStrategy {
- force 'commons-codec:commons-codec:1.14'
- force 'org.slf4j:slf4j-api:1.7.30'
- force 'org.scala-lang:scala-library:2.13.8'
- force 'commons-io:commons-io:2.11.0'
- force "com.fasterxml.jackson:jackson-bom:${versions.jackson}"
- force "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
- force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}"
- force "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
- force "io.netty:netty-buffer:${versions.netty}"
- force "io.netty:netty-common:${versions.netty}"
- force "io.netty:netty-handler:${versions.netty}"
- force "io.netty:netty-transport:${versions.netty}"
- force "io.netty:netty-transport-native-unix-common:${versions.netty}"
+configurations {
+ all {
+ resolutionStrategy {
+ force 'commons-codec:commons-codec:1.14'
+ force 'org.slf4j:slf4j-api:1.7.30'
+ force 'org.scala-lang:scala-library:2.13.8'
+ force 'commons-io:commons-io:2.11.0'
+ force "com.fasterxml.jackson:jackson-bom:${versions.jackson}"
+ force "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
+ force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}"
+ force "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
+ force "io.netty:netty-buffer:${versions.netty}"
+ force "io.netty:netty-common:${versions.netty}"
+ force "io.netty:netty-handler:${versions.netty}"
+ force "io.netty:netty-transport:${versions.netty}"
+ force "io.netty:netty-transport-native-unix-common:${versions.netty}"
+ }
+ }
+
+ integrationTestImplementation.extendsFrom implementation
+ integrationTestRuntimeOnly.extendsFrom runtimeOnly
+}
+
+//create source set 'integrationTest'
+//add classes from the main source set to the compilation and runtime classpaths of the integrationTest
+sourceSets {
+ integrationTest {
+ java {
+ srcDir file ('src/integrationTest/java')
+ compileClasspath += sourceSets.main.output
+ runtimeClasspath += sourceSets.main.output
+ }
+ resources {
+ srcDir file('src/integrationTest/resources')
+ }
+ processIntegrationTestResources {
+ duplicatesStrategy(DuplicatesStrategy.INCLUDE)
+ }
  }
 }
 
+//add new task that runs integration tests
+task integrationTest(type: Test) {
+ description = 'Run integration tests.'
+ group = 'verification'
+ systemProperty "java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager"
+ testClassesDirs = sourceSets.integrationTest.output.classesDirs
+ classpath = sourceSets.integrationTest.runtimeClasspath
+
+ //run the integrationTest task after the test task
+ shouldRunAfter test
+}
+
+//run the integrationTest task before the check task
+check.dependsOn integrationTest
+
 dependencies {
  implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
  implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
@@ -327,7 +379,7 @@ dependencies {
  testImplementation "org.opensearch.plugin:parent-join-client:${opensearch_version}"
  testImplementation "org.opensearch.plugin:aggs-matrix-stats-client:${opensearch_version}"
  testImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
- testImplementation 'commons-io:commons-io:2.7'
+ testImplementation 'commons-io:commons-io:2.11.0'
  testImplementation 'javax.servlet:servlet-api:2.5'
  testImplementation 'com.unboundid:unboundid-ldapsdk:4.0.9'
  testImplementation 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
@@ -362,6 +414,19 @@ dependencies {
  implementation "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
 
  compileOnly "org.opensearch:opensearch:${opensearch_version}"
+
+ //integration test framework:
+ integrationTestImplementation('com.carrotsearch.randomizedtesting:randomizedtesting-runner:2.7.1') {
+ exclude(group: 'junit', module: 'junit')
+ }
+ integrationTestImplementation 'junit:junit:4.13.2'
+ integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
+ integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}"
+ integrationTestImplementation 'commons-io:commons-io:2.11.0'
+ integrationTestImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
+ integrationTestImplementation 'org.apache.logging.log4j:log4j-jul:2.17.1'
+ integrationTestImplementation 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1'
+ integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
 }
 
 jar {

src/integrationTest/java/org/opensearch/common/logging/NodeAndClusterIdConverter.java

@@ -0,0 +1,33 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
+package org.opensearch.common.logging;
+
+/**
+* Class uses to override OpenSearch NodeAndClusterIdConverter Log4j2 plugin in order to disable plugin and limit number of
+* warn messages like "...ApplierService#updateTask][T#1] WARN ClusterApplierService:628 - failed to notify ClusterStateListener..."
+* during tests execution.
+*
+* The class is rather a temporary solution and the real one should be developed in scope of:
+* https:/opensearch-project/OpenSearch/pull/4322
+*/
+import org.apache.logging.log4j.core.LogEvent;
+
+class NodeAndClusterIdConverter {
+
+
+ public NodeAndClusterIdConverter() {
+ }
+
+ public static void setNodeIdAndClusterId(String nodeId, String clusterUUID) {
+ }
+
+ public void format(LogEvent event, StringBuilder toAppendTo) {
+ }
+}

src/integrationTest/java/org/opensearch/node/PluginAwareNode.java

@@ -0,0 +1,49 @@
+/*
+* Copyright 2015-2018 _floragunn_ GmbH
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+package org.opensearch.node;
+
+import java.util.Arrays;
+import java.util.Collections;
+
+import org.opensearch.common.settings.Settings;
+import org.opensearch.plugins.Plugin;
+
+public class PluginAwareNode extends Node {
+
+ private final boolean clusterManagerEligible;
+
+ @SafeVarargs
+ public PluginAwareNode(boolean clusterManagerEligible, final Settings preparedSettings, final Class<? extends Plugin>... plugins) {
+ super(InternalSettingsPreparer.prepareEnvironment(preparedSettings, Collections.emptyMap(), null, () -> System.getenv("HOSTNAME")), Arrays.asList(plugins), true);
+ this.clusterManagerEligible = clusterManagerEligible;
+ }
+
+
+ public boolean isClusterManagerEligible() {
+ return clusterManagerEligible;
+ }
+}

src/integrationTest/java/org/opensearch/security/SecurityRolesTests.java

@@ -0,0 +1,60 @@
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+package org.opensearch.security;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.http.HttpStatus;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.TestSecurityConfig.Role;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class SecurityRolesTests {
+
+ protected final static TestSecurityConfig.User USER_SR = new TestSecurityConfig.User("sr_user").roles(
+ new Role("abc_ber").indexPermissions("*").on("*").clusterPermissions("*"),
+ new Role("def_efg").indexPermissions("*").on("*").clusterPermissions("*"));
+
+ @ClassRule
+ public static LocalCluster cluster = new LocalCluster.Builder()
+ .clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS).anonymousAuth(true)
+ .authc(AUTHC_HTTPBASIC_INTERNAL).users(USER_SR).build();
+
+ @Test
+ public void testSecurityRoles() throws Exception {
+ try (TestRestClient client = cluster.getRestClient(USER_SR)) {
+ HttpResponse response = client.getAuthInfo();
+ assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK));
+
+ // Check username 
+ assertThat(response.getTextFromJsonBody("/user_name"), equalTo("sr_user"));
+
+ // Check security roles
+ assertThat(response.getTextFromJsonBody("/roles/0"), equalTo("user_sr_user__abc_ber"));
+ assertThat(response.getTextFromJsonBody("/roles/1"), equalTo("user_sr_user__def_efg"));
+
+ }
+ }
+
+}