IT Security Tests for model access control (#1095)

* IT Security Tests for model access control

Signed-off-by: Bhavana Ramaram <[email protected]>

* Fix assertion error

Signed-off-by: Bhavana Ramaram <[email protected]>

* Fix format violations

Signed-off-by: Bhavana Ramaram <[email protected]>

---------

Signed-off-by: Bhavana Ramaram <[email protected]>

plugin/src/main/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupAction.java

@@ -218,7 +218,7 @@ private void validateRequestForAccessControl(MLUpdateModelGroupInput input, User
             && !modelAccessControlHelper.isAdmin(user)
             && !modelAccessControlHelper.isOwnerStillHasPermission(user, mlModelGroup)) {
             throw new IllegalArgumentException(
-                "You don’t have the specified backend role to update access control data. For more information, contact your administrator."
+                "You don’t have the specified backend role to update this model group. For more information, contact your administrator."
             );
         }
         AccessMode accessMode = input.getModelAccessMode();
@@ -258,7 +258,9 @@ private boolean hasAccessControlChange(MLUpdateModelGroupInput input) {
     }
 
     private void validateSecurityDisabledOrModelAccessControlDisabled(MLUpdateModelGroupInput input) {
-        if (input.getModelAccessMode() != null || input.getIsAddAllBackendRoles() != null || input.getBackendRoles() != null) {
+        if (input.getModelAccessMode() != null
+            || input.getIsAddAllBackendRoles() != null
+            || !CollectionUtils.isEmpty(input.getBackendRoles())) {
             throw new IllegalArgumentException(
                 "You cannot specify model access control parameters because the Security plugin or model access control is disabled on your cluster."
             );

plugin/src/test/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupActionTests.java

@@ -172,7 +172,7 @@ public void test_OwnerNoMoreHasPermissionException() {
         ArgumentCaptor<Exception> argumentCaptor = ArgumentCaptor.forClass(Exception.class);
         verify(actionListener).onFailure(argumentCaptor.capture());
         assertEquals(
-            "You don’t have the specified backend role to update access control data. For more information, contact your administrator.",
+            "You don’t have the specified backend role to update this model group. For more information, contact your administrator.",
             argumentCaptor.getValue().getMessage()
         );
     }

plugin/src/test/java/org/opensearch/ml/rest/MLCommonsRestTestCase.java

@@ -668,13 +668,14 @@ public MLRegisterModelInput createRegisterModelInput(String modelGroupID) {
     }
 
     public MLRegisterModelGroupInput createRegisterModelGroupInput(
+        String name,
         List<String> backendRoles,
         AccessMode modelAccessMode,
         Boolean isAddAllBackendRoles
     ) {
         return MLRegisterModelGroupInput
             .builder()
-            .name("modelGroupName")
+            .name(name)
             .description("This is a test model group")
             .backendRoles(backendRoles)
             .modelAccessMode(modelAccessMode)