S2D1 - CPS Error handling (elastic#135358)

* impl

* Update docs/changelog/135358.yaml

* iter

* javadoc

* better handing of qualified expressions

* iter

* iter

* updated tests

* updated tests

* updated tests

* refactor CPS error util

* logic rework

* deleted unused class

* renames + static utility

* cleaner code + java docs

* cleaner

* iter

* reworked

* iter

* Delete docs/changelog/135358.yaml

* iter

* optimized lookup

* Revert "optimized lookup"

This reverts commit 8c66dd0.

Author: piergm

server/src/main/java/org/elasticsearch/action/ResolvedIndexExpression.java

@@ -46,8 +46,10 @@ public record ResolvedIndexExpression(String original, LocalExpressions localExp
      * Failures can be due to concrete resources not being visible (either missing or not visible due to indices options)
      * or unauthorized concrete resources.
      * A wildcard expression resolving to nothing is still considered a successful resolution.
+     * The NONE result indicates that no local resolution was attempted, because the expression is known to be remote-only.
      */
     public enum LocalIndexResolutionResult {
+        NONE,
         SUCCESS,
         CONCRETE_RESOURCE_NOT_VISIBLE,
         CONCRETE_RESOURCE_UNAUTHORIZED,
@@ -65,5 +67,8 @@ public record LocalExpressions(
             assert localIndexResolutionResult != LocalIndexResolutionResult.SUCCESS || exception == null
                 : "If the local resolution result is SUCCESS, exception must be null";
         }
+
+        // Singleton for the case where all expressions in a ResolvedIndexExpression instance are remote
+        public static final LocalExpressions NONE = new LocalExpressions(Set.of(), LocalIndexResolutionResult.NONE, null);
     }
 }

server/src/main/java/org/elasticsearch/search/crossproject/ResponseValidator.java

@@ -0,0 +1,244 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.search.crossproject;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.ResolvedIndexExpression;
+import org.elasticsearch.action.ResolvedIndexExpressions;
+import org.elasticsearch.action.support.IndicesOptions;
+import org.elasticsearch.index.IndexNotFoundException;
+import org.elasticsearch.transport.RemoteClusterAware;
+
+import java.util.Map;
+import java.util.Set;
+
+import static org.elasticsearch.action.ResolvedIndexExpression.LocalIndexResolutionResult.CONCRETE_RESOURCE_NOT_VISIBLE;
+import static org.elasticsearch.action.ResolvedIndexExpression.LocalIndexResolutionResult.CONCRETE_RESOURCE_UNAUTHORIZED;
+import static org.elasticsearch.action.ResolvedIndexExpression.LocalIndexResolutionResult.SUCCESS;
+
+/**
+ * Utility class for validating index resolution results in cross-project operations.
+ * <p>
+ * This class provides consistent error handling for scenarios where index resolution
+ * spans multiple projects, taking into account the provided {@link IndicesOptions}.
+ * It handles:
+ * <ul>
+ *   <li>Validation of index existence in both origin and linked projects based on IndicesOptions
+ *       (ignoreUnavailable, allowNoIndices)</li>
+ *   <li>Authorization issues during cross-project index resolution, returning appropriate
+ *       {@link ElasticsearchSecurityException} responses</li>
+ *   <li>Both flat (unqualified) and qualified index expressions (including "_origin:" prefixed indices)</li>
+ *   <li>Wildcard index patterns that may resolve differently across projects</li>
+ * </ul>
+ * <p>
+ * The validator examines both local and remote resolution results to determine the appropriate
+ * error response, returning {@link IndexNotFoundException} for missing indices or
+ * {@link ElasticsearchSecurityException} for authorization failures.
+ */
+public class ResponseValidator {
+    private static final Logger logger = LogManager.getLogger(ResponseValidator.class);
+
+    /**
+     * Validates the results of cross-project index resolution and returns appropriate exceptions based on the provided
+     * {@link IndicesOptions}.
+     * <p>
+     * This method handles error scenarios when resolving indices across multiple projects:
+     * <ul>
+     *   <li>If both {@code ignoreUnavailable} and {@code allowNoIndices} are true, the method returns null without validation
+     *       (lenient mode)</li>
+     *   <li>For wildcard patterns that resolve to no indices, validates against {@code allowNoIndices}</li>
+     *   <li>For concrete indices that don't exist, validates against {@code ignoreUnavailable}</li>
+     *   <li>For indices with authorization issues, returns security exceptions</li>
+     * </ul>
+     * <p>
+     * The method considers both flat (unqualified) and qualified index expressions, as well as
+     * local and linked project resolution results when determining the appropriate error response.
+     *
+     * @param indicesOptions            Controls error behavior for missing indices
+     * @param localResolvedExpressions  Resolution results from the origin project
+     * @param remoteResolvedExpressions Resolution results from linked projects
+     * @return a {@link ElasticsearchException} if validation fails, null if validation passes
+     */
+    public static ElasticsearchException validate(
+        IndicesOptions indicesOptions,
+        ResolvedIndexExpressions localResolvedExpressions,
+        Map<String, ResolvedIndexExpressions> remoteResolvedExpressions
+    ) {
+        if (indicesOptions.allowNoIndices() && indicesOptions.ignoreUnavailable()) {
+            logger.debug("Skipping index existence check in lenient mode");
+            return null;
+        }
+
+        logger.debug(
+            "Checking index existence for [{}] and [{}] with indices options [{}]",
+            localResolvedExpressions,
+            remoteResolvedExpressions,
+            indicesOptions
+        );
+
+        for (ResolvedIndexExpression localResolvedIndices : localResolvedExpressions.expressions()) {
+            String originalExpression = localResolvedIndices.original();
+            logger.debug("Checking replaced expression for original expression [{}]", originalExpression);
+
+            // Check if this is a qualified resource (project:index pattern)
+            boolean isQualifiedExpression = RemoteClusterAware.isRemoteIndexName(originalExpression);
+
+            Set<String> remoteExpressions = localResolvedIndices.remoteExpressions();
+            ResolvedIndexExpression.LocalExpressions localExpressions = localResolvedIndices.localExpressions();
+            ResolvedIndexExpression.LocalIndexResolutionResult result = localExpressions.localIndexResolutionResult();
+            if (isQualifiedExpression) {
+                ElasticsearchException e = checkResolutionFailure(
+                    localExpressions.expressions(),
+                    result,
+                    originalExpression,
+                    indicesOptions
+                );
+                if (e != null) {
+                    return e;
+                }
+                // qualified linked project expression
+                for (String remoteExpression : remoteExpressions) {
+                    String[] splitResource = splitQualifiedResource(remoteExpression);
+                    ElasticsearchException exception = checkSingleRemoteExpression(
+                        remoteResolvedExpressions,
+                        splitResource[0], // projectAlias
+                        splitResource[1], // resource
+                        remoteExpression,
+                        indicesOptions
+                    );
+                    if (exception != null) {
+                        return exception;
+                    }
+                }
+            } else {
+                ElasticsearchException localException = checkResolutionFailure(
+                    localExpressions.expressions(),
+                    result,
+                    originalExpression,
+                    indicesOptions
+                );
+                if (localException == null) {
+                    // found locally, continue to next expression
+                    continue;
+                }
+                boolean isUnauthorized = localException instanceof ElasticsearchSecurityException;
+                boolean foundFlat = false;
+                // checking if flat expression matched remotely
+                for (String remoteExpression : remoteExpressions) {
+                    String[] splitResource = splitQualifiedResource(remoteExpression);
+                    ElasticsearchException exception = checkSingleRemoteExpression(
+                        remoteResolvedExpressions,
+                        splitResource[0], // projectAlias
+                        splitResource[1], // resource
+                        remoteExpression,
+                        indicesOptions
+                    );
+                    if (exception == null) {
+                        // found flat expression somewhere
+                        foundFlat = true;
+                        break;
+                    }
+                    if (false == isUnauthorized && exception instanceof ElasticsearchSecurityException) {
+                        isUnauthorized = true;
+                    }
+                }
+                if (foundFlat) {
+                    continue;
+                }
+                if (isUnauthorized) {
+                    return securityException(originalExpression);
+                }
+                return new IndexNotFoundException(originalExpression);
+            }
+        }
+        // if we didn't throw before it means that we can proceed with the request
+        return null;
+    }
+
+    private static ElasticsearchSecurityException securityException(String originalExpression) {
+        // TODO plug in proper recorded authorization exceptions instead, once available
+        return new ElasticsearchSecurityException("user cannot access [" + originalExpression + "]");
+    }
+
+    private static ElasticsearchException checkSingleRemoteExpression(
+        Map<String, ResolvedIndexExpressions> remoteResolvedExpressions,
+        String projectAlias,
+        String resource,
+        String remoteExpression,
+        IndicesOptions indicesOptions
+    ) {
+        ResolvedIndexExpressions resolvedExpressionsInProject = remoteResolvedExpressions.get(projectAlias);
+        assert resolvedExpressionsInProject != null : "We should always have resolved expressions from linked project";
+
+        ResolvedIndexExpression.LocalExpressions matchingExpression = findMatchingExpression(resolvedExpressionsInProject, resource);
+        if (matchingExpression == null) {
+            assert false : "Expected to find matching expression [" + resource + "] in project [" + projectAlias + "]";
+            return new IndexNotFoundException(remoteExpression);
+        }
+
+        return checkResolutionFailure(
+            matchingExpression.expressions(),
+            matchingExpression.localIndexResolutionResult(),
+            remoteExpression,
+            indicesOptions
+        );
+    }
+
+    private static String[] splitQualifiedResource(String resource) {
+        String[] splitResource = RemoteClusterAware.splitIndexName(resource);
+        assert splitResource.length == 2
+            : "Expected two strings (project and indexExpression) for a qualified resource ["
+                + resource
+                + "], but found ["
+                + splitResource.length
+                + "]";
+        return splitResource;
+    }
+
+    // TODO optimize with a precomputed Map<String, ResolvedIndexExpression.LocalExpressions> instead
+    private static ResolvedIndexExpression.LocalExpressions findMatchingExpression(
+        ResolvedIndexExpressions projectExpressions,
+        String resource
+    ) {
+        return projectExpressions.expressions()
+            .stream()
+            .filter(expr -> expr.original().equals(resource))
+            .map(ResolvedIndexExpression::localExpressions)
+            .findFirst()
+            .orElse(null);
+    }
+
+    private static ElasticsearchException checkResolutionFailure(
+        Set<String> localExpressions,
+        ResolvedIndexExpression.LocalIndexResolutionResult result,
+        String expression,
+        IndicesOptions indicesOptions
+    ) {
+        assert false == (indicesOptions.allowNoIndices() && indicesOptions.ignoreUnavailable())
+            : "Should not be checking index existence in lenient mode";
+
+        if (indicesOptions.ignoreUnavailable() == false) {
+            if (result == CONCRETE_RESOURCE_NOT_VISIBLE) {
+                return new IndexNotFoundException(expression);
+            } else if (result == CONCRETE_RESOURCE_UNAUTHORIZED) {
+                return securityException(expression);
+            }
+        }
+
+        if (indicesOptions.allowNoIndices() == false && result == SUCCESS && localExpressions.isEmpty()) {
+            return new IndexNotFoundException(expression);
+        }
+
+        return null;
+    }
+}