Completes FlowFrameworkSecureRestApiIT

DarshitChanpura · DarshitChanpura · commit 1dbe06ecb40b · 2025-11-11T18:06:58.000-08:00
Signed-off-by: Darshit Chanpura &lt;dchanp@amazon.com&gt;
diff --git a/src/test/java/org/opensearch/flowframework/rest/FlowFrameworkSecureRestApiIT.java b/src/test/java/org/opensearch/flowframework/rest/FlowFrameworkSecureRestApiIT.java
@@ -179,7 +179,12 @@ public void testGetWorkflowStepsWithReadAccess() throws Exception {
     public void testGetWorkflowWithReadAccess() throws Exception {
         // No permissions to create, so we assert only that the response status isnt forbidden
         ResponseException exception = expectThrows(ResponseException.class, () -> getWorkflow(bobClient, "test"));
-        assertEquals(RestStatus.NOT_FOUND, TestHelpers.restStatus(exception.getResponse()));
+        if (isResourceSharingFeatureEnabled()) {
+            // 403 because resource is not shared
+            assertEquals(RestStatus.FORBIDDEN.getStatus(), exception.getResponse().getStatusLine().getStatusCode());
+        } else {
+            assertEquals(RestStatus.NOT_FOUND, TestHelpers.restStatus(exception.getResponse()));
+        }
     }
 
     public void testFilterByDisabled() throws Exception {
@@ -188,8 +193,15 @@ public void testFilterByDisabled() throws Exception {
         Response aliceWorkflow = createWorkflow(aliceClient, template);
         Map<String, Object> responseMap = entityAsMap(aliceWorkflow);
         String workflowId = (String) responseMap.get(WORKFLOW_ID);
-        Response response = getWorkflow(catClient, workflowId);
-        assertEquals(RestStatus.OK, TestHelpers.restStatus(response));
+
+        // when resources sharing is enabled, we throw 403
+        if (isResourceSharingFeatureEnabled()) {
+            ResponseException exception = expectThrows(ResponseException.class, () -> getWorkflow(catClient, workflowId));
+            assertEquals(exception.getResponse().getStatusLine().getStatusCode(), RestStatus.FORBIDDEN.getStatus());
+        } else {
+            Response response = getWorkflow(catClient, workflowId);
+            assertEquals(RestStatus.OK, TestHelpers.restStatus(response));
+        }
     }
 
     public void testSearchWorkflowWithReadAccess() throws Exception {
@@ -212,9 +224,15 @@ public void testGetWorkflowStateWithReadAccess() throws Exception {
 
         Map<String, Object> responseMap = entityAsMap(response);
         String workflowId = (String) responseMap.get(WORKFLOW_ID);
-        // No permissions to create or provision, so we assert only that the response status isnt forbidden
-        Response searchResponse = getWorkflowStatus(bobClient, workflowId, false);
-        assertEquals(RestStatus.OK, TestHelpers.restStatus(searchResponse));
+        if (isResourceSharingFeatureEnabled()) {
+            ResponseException exception = expectThrows(ResponseException.class, () -> getWorkflowStatus(bobClient, workflowId, false));
+            assertTrue(exception.getMessage().contains("Failed to get workflow status"));
+            assertEquals(exception.getResponse().getStatusLine().getStatusCode(), RestStatus.FORBIDDEN.getStatus());
+        } else {
+            // No permissions to create or provision, so we assert only that the response status isnt forbidden
+            Response searchResponse = getWorkflowStatus(bobClient, workflowId, false);
+            assertEquals(RestStatus.OK, TestHelpers.restStatus(searchResponse));
+        }
     }
 
     public void testSearchWorkflowStateWithReadAccess() throws Exception {
@@ -226,18 +244,26 @@ public void testSearchWorkflowStateWithReadAccess() throws Exception {
         // No permissions to create, so we assert only that the response status isnt forbidden
         String termIdQuery = "{\"query\":{\"bool\":{\"filter\":[{\"term\":{\"ids\":\"test\"}}]}}}";
         SearchResponse searchResponse = searchWorkflowState(bobClient, termIdQuery);
+        // when resource sharing is enabled this would return an empty response
         assertEquals(RestStatus.OK, searchResponse.status());
     }
 
-    public void testCreateWorkflowWithNoBackendRole() throws IOException {
+    public void testCreateWorkflowWithNoBackendRole() throws Exception {
         enableFilterBy();
         // User Dog has FF full access, but has no backend role
         // When filter by is enabled, we block creating workflows
         Template template = TestHelpers.createTemplateFromFile("register-deploylocalsparseencodingmodel.json");
-        Exception exception = expectThrows(IOException.class, () -> { createWorkflow(dogClient, template); });
-        assertTrue(
-            exception.getMessage().contains("Filter by backend roles is enabled, but User dog does not have any backend roles configured")
-        );
+        if (isResourceSharingFeatureEnabled()) {
+            // If resource sharing is enabled, we allow creation of workflows regardless of the user's backend roles
+            Response dogWorkflow = createWorkflow(dogClient, template);
+            assertEquals(RestStatus.CREATED, TestHelpers.restStatus(dogWorkflow));
+        } else {
+            Exception exception = expectThrows(IOException.class, () -> { createWorkflow(dogClient, template); });
+            assertTrue(
+                exception.getMessage()
+                    .contains("Filter by backend roles is enabled, but User dog does not have any backend roles configured")
+            );
+        }
     }
 
     public void testDeprovisionWorkflowWithWriteAccess() throws Exception {
@@ -259,7 +285,12 @@ public void testGetWorkflowWithFilterEnabled() throws Exception {
         String workflowId = (String) responseMap.get(WORKFLOW_ID);
         // User Cat has FF full access, but is part of different backend role so Cat should not be able to access alice workflow
         ResponseException exception = expectThrows(ResponseException.class, () -> getWorkflow(catClient, workflowId));
-        assertTrue(exception.getMessage().contains("User does not have permissions to access workflow: " + workflowId));
+        if (isResourceSharingFeatureEnabled()) {
+            assertTrue(exception.getMessage().contains("Failed to get workflow."));
+            assertEquals(exception.getResponse().getStatusLine().getStatusCode(), RestStatus.FORBIDDEN.getStatus());
+        } else {
+            assertTrue(exception.getMessage().contains("User does not have permissions to access workflow: " + workflowId));
+        }
     }
 
     public void testGetWorkflowFilterbyEnabledForAdmin() throws Exception {
@@ -402,7 +433,15 @@ public void testCreateProvisionDeprovisionWorkflowWithFullAccess() throws Except
 
         // Invoke status API with failure
         ResponseException exception = expectThrows(ResponseException.class, () -> getWorkflowStatus(aliceClient, workflowId, false));
-        assertEquals(RestStatus.NOT_FOUND.getStatus(), exception.getResponse().getStatusLine().getStatusCode());
+        if (isResourceSharingFeatureEnabled()) {
+            // sample log message: No sharing info found for 'pmaAdZoBL3PmSyJoha0C'. Action
+            // cluster:admin/opensearch/flow_framework/workflow_state/get is not allowed.
+            // since record is deleted corresponding sharing record will also be deleted and thus we show 403 for non-existent sharing
+            // records,
+            assertEquals(RestStatus.FORBIDDEN.getStatus(), exception.getResponse().getStatusLine().getStatusCode());
+        } else {
+            assertEquals(RestStatus.NOT_FOUND.getStatus(), exception.getResponse().getStatusLine().getStatusCode());
+        }
     }
 
     public void testUpdateWorkflowEnabledForAdmin() throws Exception {
@@ -470,11 +509,18 @@ public void testUpdateWorkflowWithFilterEnabled() throws Exception {
         String workflowId = (String) responseMap.get(WORKFLOW_ID);
 
         enableFilterBy();
-        // User Fish has FF full access, and has "odfe" backend role which is one of Alice's backend role, so
-        // Fish should be able to update workflows created by Alice. But the workflow's backend role should
-        // not be replaced as Fish's backend roles.
-        Response updateResponse = updateWorkflow(fishClient, workflowId, template);
-        assertEquals(RestStatus.CREATED, TestHelpers.restStatus(updateResponse));
+        if (isResourceSharingFeatureEnabled()) {
+            ResponseException exception = expectThrows(ResponseException.class, () -> updateWorkflow(fishClient, workflowId, template));
+            // we show 403 because fishClient doesn't have resource access
+            assertEquals(RestStatus.FORBIDDEN.getStatus(), exception.getResponse().getStatusLine().getStatusCode());
+            // it should be 200 after sharing but we test that in a resource-sharing test class
+        } else {
+            // User Fish has FF full access, and has "odfe" backend role which is one of Alice's backend role, so
+            // Fish should be able to update workflows created by Alice. But the workflow's backend role should
+            // not be replaced as Fish's backend roles.
+            Response updateResponse = updateWorkflow(fishClient, workflowId, template);
+            assertEquals(RestStatus.CREATED, TestHelpers.restStatus(updateResponse));
+        }
     }
 
     public void testUpdateWorkflowWithNoFFAccess() throws Exception {
