[BUG] Security: wrong schemes for PUT requests #202

Open
Jakob3xD opened this issue Mar 15, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@Jakob3xD
Contributor

What is the bug?

The OpenSearch.openapi.json currently contains some issues related to /_plugins/_security/api and the component schemes they reference.
Most of the GET requests, e.g. for roles, internalusers, actiongroups and tenants, return the keys hidden, reserved and static, which are represented in the schemes. The same schemes are used for the PUT requests, but those keys are not valid for PUT requests.
In addition, the internalusers PUT component scheme misses the password field.

How can one reproduce the bug?

 curl -XPUT -u 'admin:myStrongPassword123!' -k https://localhost:9200/_plugins/_security/api/roles/test -H 'Content-Type: application/json' -d '{"reserved":true,"hidden":false,"cluster_permissions":[],"index_permissions":[],"tenant_permissions":[],"static":false}'

Returns:

{"status":"error","reason":"Invalid configuration","invalid_keys":{"keys":"static,hidden,reserved"}}

What is the expected behavior?

I would expect an extra component scheme for the PUT requests.

Do you have any screenshots?

PUT Role references the scheme Role:
https://github.com/opensearch-project/opensearch-api-specification/blob/23fa274e6b8609db587623d6f1f05346b023bd11/OpenSearch.openapi.json#L14226

Scheme Role:
https://github.com/opensearch-project/opensearch-api-specification/blob/23fa274e6b8609db587623d6f1f05346b023bd11/OpenSearch.openapi.json#L33784-L33818

GET role references RolesMap
https://github.com/opensearch-project/opensearch-api-specification/blob/23fa274e6b8609db587623d6f1f05346b023bd11/OpenSearch.openapi.json#L14164

Scheme RolesMap references Role:
https://github.com/opensearch-project/opensearch-api-specification/blob/23fa274e6b8609db587623d6f1f05346b023bd11/OpenSearch.openapi.json#L33863-L33868
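The mismatch described in this report, as an added example that is not part of the issue or of the opensearch-api-specification project: a small Python checker that walks a constructed miniature OpenAPI document (mirroring the Role / RolesMap shape linked above, not the real OpenSearch.openapi.json) and reports component schemas that are referenced by both a response and a request body while none of their properties carry a readOnly flag. It then shows the two practical consequences: marking the three keys the server rejected as readOnly (one alternative to a separate PUT schema, since OpenAPI 3 defines readOnly properties as returned in responses and not sent in requests) and stripping those keys from a GET result before resubmitting it with PUT. The error string parsed is the one quoted in the report with its leading brace restored; the function and constant names, and the sample role object, are my own assumptions.

```python
"""Added example (not project code): find OpenAPI component schemas that are
shared between responses and request bodies, and keep a GET result from being
resubmitted with server-managed keys on PUT."""
import copy
import json
from typing import Any, Iterator

# Constructed miniature spec mirroring the Role / RolesMap shape the issue links
# to; it is not the real OpenSearch.openapi.json.
ROLE_PATH = "/_plugins/_security/api/roles/{role}"
SPEC: dict[str, Any] = {
    "paths": {
        ROLE_PATH: {
            "get": {"responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/RolesMap"}}}}}},
            "put": {"requestBody": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Role"}}}}},
        },
    },
    "components": {"schemas": {
        "Role": {"type": "object", "properties": {
            "hidden": {"type": "boolean"},
            "reserved": {"type": "boolean"},
            "static": {"type": "boolean"},
            "cluster_permissions": {"type": "array", "items": {"type": "string"}},
            "index_permissions": {"type": "array", "items": {"type": "object"}},
            "tenant_permissions": {"type": "array", "items": {"type": "object"}},
        }},
        "RolesMap": {"type": "object",
                     "additionalProperties": {"$ref": "#/components/schemas/Role"}},
    }},
}

# Error body quoted in the report (leading brace restored), the keys it names,
# and a constructed GET result shaped like a security-plugin role.
ERROR_RESPONSE = ('{"status":"error","reason":"Invalid configuration",'
                  '"invalid_keys":{"keys":"static,hidden,reserved"}}')
SERVER_MANAGED_KEYS = frozenset({"static", "hidden", "reserved"})
ROLE_FROM_GET = {"reserved": True, "hidden": False, "static": False,
                 "cluster_permissions": [], "index_permissions": [],
                 "tenant_permissions": []}


def parse_invalid_keys(raw: str) -> frozenset:
    """Turn the plugin's 'invalid_keys' error into the set of rejected keys."""
    keys = json.loads(raw).get("invalid_keys", {}).get("keys", "")
    return frozenset(k.strip() for k in keys.split(",") if k.strip())


def _deref(spec: dict, ref: str) -> dict:
    """Resolve a local '#/components/schemas/X' reference."""
    node: Any = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def _reachable_components(spec: dict, schema: dict, seen=None) -> Iterator[str]:
    """Yield component names reachable from a schema via $ref, map values,
    array items and allOf/oneOf/anyOf (RolesMap -> Role in the sample)."""
    seen = set() if seen is None else seen
    ref = schema.get("$ref")
    if ref:
        name = ref.rsplit("/", 1)[-1]
        if name in seen:
            return
        seen.add(name)
        yield name
        yield from _reachable_components(spec, _deref(spec, ref), seen)
        return
    for key in ("additionalProperties", "items"):
        if isinstance(schema.get(key), dict):
            yield from _reachable_components(spec, schema[key], seen)
    for key in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(key, []):
            yield from _reachable_components(spec, sub, seen)


def schema_usage(spec: dict) -> dict:
    """Map component name -> {'read': {operations}, 'write': {operations}}."""
    usage: dict = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            places = []
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    places.append(("read", media.get("schema", {})))
            for media in op.get("requestBody", {}).get("content", {}).values():
                places.append(("write", media.get("schema", {})))
            for direction, schema in places:
                for name in _reachable_components(spec, schema):
                    entry = usage.setdefault(name, {"read": set(), "write": set()})
                    entry[direction].add(f"{method.upper()} {path}")
    return usage


def shared_read_write_schemas(spec: dict) -> dict:
    """Schemas used both in a response and in a request body."""
    return {n: u for n, u in schema_usage(spec).items() if u["read"] and u["write"]}


def properties_without_read_only(spec: dict, name: str) -> list:
    """Properties of a component that a client would send back on PUT."""
    props = _deref(spec, f"#/components/schemas/{name}").get("properties", {})
    return sorted(p for p, s in props.items() if not s.get("readOnly"))


def mark_read_only(spec: dict, name: str, keys) -> dict:
    """Return a copy of the spec with the given properties flagged readOnly."""
    fixed = copy.deepcopy(spec)
    for key in keys:
        fixed["components"]["schemas"][name]["properties"][key]["readOnly"] = True
    return fixed


def body_for_put(spec: dict, name: str, obj: dict) -> dict:
    """Drop readOnly properties from a GET result before resubmitting it."""
    props = _deref(spec, f"#/components/schemas/{name}").get("properties", {})
    return {k: v for k, v in obj.items() if not props.get(k, {}).get("readOnly")}


if __name__ == "__main__":
    for name, use in shared_read_write_schemas(SPEC).items():
        print(f"{name}: read by {sorted(use['read'])}, written by {sorted(use['write'])}, "
              f"no readOnly on {properties_without_read_only(SPEC, name)}")
    fixed = mark_read_only(SPEC, "Role", parse_invalid_keys(ERROR_RESPONSE))
    print("PUT body:", json.dumps(body_for_put(fixed, "Role", ROLE_FROM_GET)))
```

Against the unfixed sample spec the checker reports Role (reached from the GET response through RolesMap and directly from the PUT body) with all six properties writable; after the three rejected keys are marked readOnly, body_for_put yields only the permission fields, which is the payload the plugin accepts in the curl reproduction above.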

@dblock
Member

dblock commented Jun 4, 2024

@DarshitChanpura do you have some time to check this one?

@DarshitChanpura
Member

Yes, I can take a look. From what I understand, static,hidden,reserved are reserved for admin (and super-admin) users only. I will take a detailed look and update here.
