Optionally provide hash key of current DLS/FLS config in thread context

Closes #324

See merge request search-guard/search-guard-suite-enterprise!890

Author: DeTeKee

dlic-dlsfls/src/main/java/com/floragunn/searchguard/enterprise/dlsfls/DlsFlsModule.java

@@ -56,6 +56,7 @@
 import com.floragunn.searchguard.enterprise.dlsfls.lucene.DlsFlsDirectoryReaderWrapper;
 import com.floragunn.searchguard.license.SearchGuardLicense;
 import com.floragunn.searchguard.license.SearchGuardLicense.Feature;
+import com.floragunn.searchsupport.StaticSettings;
 import com.floragunn.searchsupport.cstate.ComponentState;
 import com.floragunn.searchsupport.cstate.ComponentStateProvider;
 import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
@@ -67,6 +68,9 @@ public class DlsFlsModule implements SearchGuardModule, ComponentStateProvider {
     // XXX Hack to trigger early initialization of DlsFlsConfig
     @SuppressWarnings("unused")
     private static final CType<DlsFlsConfig> TYPE = DlsFlsConfig.TYPE;
+    
+    static final StaticSettings.Attribute<Boolean> PROVIDE_THREAD_CONTEXT_AUTHZ_HASH = StaticSettings.Attribute
+            .define("searchguard.dls_fls.provide_thread_context_authz_hash").withDefault(false).asBoolean();
 
     private final ComponentState componentState = new ComponentState(1000, null, "dlsfls", DlsFlsModule.class).requiresEnterpriseLicense();
     /**
@@ -104,7 +108,7 @@ public Collection<Object> createComponents(BaseDependencies baseDependencies) {
 
         this.dlsFlsValve = new DlsFlsValve(baseDependencies.getLocalClient(), baseDependencies.getClusterService(),
                 baseDependencies.getIndexNameExpressionResolver(), baseDependencies.getGuiceDependencies(),
-                baseDependencies.getThreadPool().getThreadContext(), config);
+                baseDependencies.getThreadPool().getThreadContext(), config, baseDependencies.getStaticSettings());
 
         this.dlsFlsSearchOperationListener = new DlsFlsSearchOperationListener(this.dlsFlsBaseContext, config);
 
@@ -190,4 +194,9 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
     public List<ActionHandler<? extends ActionRequest, ? extends ActionResponse>> getActions() {
         return DlsFlsConfigApi.ACTION_HANDLERS;
     }
+    
+    @Override
+    public StaticSettings.AttributeSet getSettings() {
+        return StaticSettings.AttributeSet.of(PROVIDE_THREAD_CONTEXT_AUTHZ_HASH);
+    }
 }

dlic-dlsfls/src/main/java/com/floragunn/searchguard/enterprise/dlsfls/DlsFlsProcessedConfig.java

@@ -42,7 +42,7 @@
 public class DlsFlsProcessedConfig {
     private static final Logger log = LogManager.getLogger(DlsFlsProcessedConfig.class);
 
-    public static final DlsFlsProcessedConfig DEFAULT = new DlsFlsProcessedConfig(DlsFlsConfig.DEFAULT, null, null, null, null, null);
+    public static final DlsFlsProcessedConfig DEFAULT = new DlsFlsProcessedConfig(DlsFlsConfig.DEFAULT, null, null, null, SgDynamicConfiguration.empty(CType.ROLES), null, null);
 
     private final DlsFlsConfig dlsFlsConfig;
     private final RoleBasedDocumentAuthorization documentAuthorization;
@@ -51,21 +51,23 @@ public class DlsFlsProcessedConfig {
     private final boolean validationErrorsPresent;
     private final String validationErrorDescription;
     private final String uniqueValidationErrorToken;
+    private final SgDynamicConfiguration<Role> roleConfig;
     private Future<?> updateFuture;
     private long metadataVersionEffective;
 
     DlsFlsProcessedConfig(DlsFlsConfig dlsFlsConfig, RoleBasedDocumentAuthorization documentAuthorization,
-            RoleBasedFieldAuthorization fieldAuthorization, RoleBasedFieldMasking fieldMasking, ValidationErrors rolesValidationErrors,
-            ValidationErrors rolesMappingValidationErrors) {
+            RoleBasedFieldAuthorization fieldAuthorization, RoleBasedFieldMasking fieldMasking, SgDynamicConfiguration<Role> roleConfig, ValidationErrors rolesValidationErrors,
+        ValidationErrors rolesMappingValidationErrors) {
         this.dlsFlsConfig = dlsFlsConfig;
         this.documentAuthorization = documentAuthorization;
         this.fieldAuthorization = fieldAuthorization;
         this.fieldMasking = fieldMasking;
         this.validationErrorsPresent = ((rolesValidationErrors != null) && (rolesValidationErrors.hasErrors()))//
                 || ((rolesMappingValidationErrors != null) && (rolesMappingValidationErrors.hasErrors()));
         this.uniqueValidationErrorToken = UUID.randomUUID().toString();
-        this.validationErrorDescription = describeValidationErrors(uniqueValidationErrorToken, rolesValidationErrors, //
-                rolesMappingValidationErrors);
+        this.validationErrorDescription = describeValidationErrors(uniqueValidationErrorToken, rolesValidationErrors,//
+            rolesMappingValidationErrors);
+        this.roleConfig = roleConfig;
     }
 
     static DlsFlsProcessedConfig createFrom(ConfigMap configMap, ComponentState componentState, Meta indexMetadata) {
@@ -100,9 +102,10 @@ static DlsFlsProcessedConfig createFrom(ConfigMap configMap, ComponentState comp
             componentState.setState(State.INITIALIZED);
             ValidationErrors rolesValidationErrors = roleConfig.getValidationErrors();
             ValidationErrors rolesMappingsValidationErrors = Optional.ofNullable(configMap.get(CType.ROLESMAPPING))
-                    .map(SgDynamicConfiguration::getValidationErrors).orElse(null);
-            return new DlsFlsProcessedConfig(dlsFlsConfig, documentAuthorization, fieldAuthorization, fieldMasking, rolesValidationErrors,
-                    rolesMappingsValidationErrors);
+                .map(SgDynamicConfiguration::getValidationErrors)
+                .orElse(null);
+            return new DlsFlsProcessedConfig(dlsFlsConfig, documentAuthorization, fieldAuthorization, fieldMasking, roleConfig, rolesValidationErrors,
+                rolesMappingsValidationErrors);
         } catch (Exception e) {
             log.error("Error while updating DLS/FLS config", e);
             componentState.setFailed(e);
@@ -130,6 +133,10 @@ public MetricsLevel getMetricsLevel() {
         return dlsFlsConfig.getMetricsLevel();
     }
 
+    public SgDynamicConfiguration<Role> getRoleConfig() {
+        return roleConfig;
+    }
+
     private void updateIndices(Meta indexMetadata) {
         if (documentAuthorization != null) {
             documentAuthorization.updateIndices(indexMetadata);

dlic-dlsfls/src/main/java/com/floragunn/searchguard/enterprise/dlsfls/DlsFlsValve.java

@@ -63,12 +63,14 @@
 import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsConfig.Mode;
 import com.floragunn.searchguard.enterprise.dlsfls.filter.DlsFilterLevelActionHandler;
 import com.floragunn.searchguard.support.ConfigConstants;
+import com.floragunn.searchsupport.StaticSettings;
 import com.floragunn.searchsupport.cstate.ComponentState;
 import com.floragunn.searchsupport.cstate.ComponentStateProvider;
 import com.floragunn.searchsupport.cstate.metrics.Meter;
 import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
 import com.floragunn.searchsupport.meta.Meta;
 
+
 public class DlsFlsValve implements SyncAuthorizationFilter, ComponentStateProvider {
     private static final String MAP_EXECUTION_HINT = "map";
     private static final String DIRECT_EXECUTION_HINT = "direct";
@@ -82,16 +84,18 @@ public class DlsFlsValve implements SyncAuthorizationFilter, ComponentStateProvi
     private final AtomicReference<DlsFlsProcessedConfig> config;
     private final ComponentState componentState = new ComponentState(0, null, "dls_fls_valve", DlsFlsValve.class).initialized();
     private final TimeAggregation applyTimeAggregation = new TimeAggregation.Nanoseconds();
+    private final ThreadContextAuthzHashProvider authzHashProvider;
 
     public DlsFlsValve(Client nodeClient, ClusterService clusterService, IndexNameExpressionResolver resolver, GuiceDependencies guiceDependencies,
-            ThreadContext threadContext, AtomicReference<DlsFlsProcessedConfig> config) {
+            ThreadContext threadContext, AtomicReference<DlsFlsProcessedConfig> config, StaticSettings staticSettings) {
         this.nodeClient = nodeClient;
         this.clusterService = clusterService;
         this.resolver = resolver;
         this.guiceDependencies = guiceDependencies;
         this.threadContext = threadContext;
         this.config = config;
         this.componentState.addMetrics("filter_request", applyTimeAggregation);
+        this.authzHashProvider = new ThreadContextAuthzHashProvider(staticSettings, threadContext);
     }
 
     @Override
@@ -134,6 +138,7 @@ public SyncAuthorizationFilter.Result apply(PrivilegesEvaluationContext context,
             boolean hasFieldMasking = fieldMasking.hasRestrictions(context, resolvedIndices, meter);
 
             if (!hasDlsRestrictions && !hasFlsRestrictions && !hasFieldMasking) {
+                authzHashProvider.noRestrictions();
                 return SyncAuthorizationFilter.Result.OK;
             }
 
@@ -169,6 +174,8 @@ public SyncAuthorizationFilter.Result apply(PrivilegesEvaluationContext context,
                 }
             }
 
+            authzHashProvider.restrictions(context, config);
+
             Object request = context.getRequest();
 
             if (request instanceof RealtimeRequest) {

dlic-dlsfls/src/main/java/com/floragunn/searchguard/enterprise/dlsfls/ThreadContextAuthzHashProvider.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright 2024 by floragunn GmbH - All rights reserved
+ * 
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed here is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * 
+ * This software is free of charge for non-commercial and academic use. 
+ * For commercial use in a production environment you have to obtain a license 
+ * from https://floragunn.com
+ * 
+ */
+package com.floragunn.searchguard.enterprise.dlsfls;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+import java.util.TreeSet;
+
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+
+import com.floragunn.codova.config.templates.Template;
+import com.floragunn.codova.documents.DocNode;
+import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
+import com.floragunn.searchguard.authz.config.Role;
+import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
+import com.floragunn.searchsupport.StaticSettings;
+import com.google.common.hash.Hashing;
+
+class ThreadContextAuthzHashProvider {
+    static final String THREAD_CONTEXT_HEADER = "_sg_dls_fls_authz";
+
+    private final boolean active;
+    private final ThreadContext threadContext;
+
+    ThreadContextAuthzHashProvider(StaticSettings staticSettings, ThreadContext threadContext) {
+        this.active = staticSettings.get(DlsFlsModule.PROVIDE_THREAD_CONTEXT_AUTHZ_HASH);
+        this.threadContext = threadContext;
+    }
+
+    void noRestrictions() {
+        if (this.active && this.threadContext.getHeader(THREAD_CONTEXT_HEADER) == null) {
+            this.threadContext.putHeader(THREAD_CONTEXT_HEADER, "0");
+        }
+    }
+
+    void restrictions(PrivilegesEvaluationContext context, DlsFlsProcessedConfig config) {
+        if (this.active && this.threadContext.getHeader(THREAD_CONTEXT_HEADER) == null) {
+            String restrictionsInfo = restrictionsInfo(context, config);
+            this.threadContext.putHeader(THREAD_CONTEXT_HEADER, Hashing.sha256().hashString(restrictionsInfo, StandardCharsets.UTF_8).toString());
+        }
+
+    }
+
+    String restrictionsInfo(PrivilegesEvaluationContext context, DlsFlsProcessedConfig config) {
+        SgDynamicConfiguration<Role> rolesConfig;
+
+        if (context.getSpecialPrivilegesEvaluationContext() != null) {
+            rolesConfig = context.getSpecialPrivilegesEvaluationContext().getRolesConfig();
+        } else {
+            rolesConfig = config.getRoleConfig();
+        }
+
+        return restrictionsInfo(context, rolesConfig);
+    }
+
+    String restrictionsInfo(PrivilegesEvaluationContext context, SgDynamicConfiguration<Role> rolesConfig) {
+        if (usesTemplates(context, rolesConfig)) {
+            return userBasedRestrictionsInfo(context);
+        } else {
+            return roleBasedRestrictionInfo(context, rolesConfig);
+        }
+    }
+
+    boolean usesTemplates(PrivilegesEvaluationContext context, SgDynamicConfiguration<Role> rolesConfig) {
+        for (String roleName : context.getMappedRoles()) {
+            Role role = rolesConfig.getCEntry(roleName);
+
+            if (role != null) {
+                for (Role.Index indexPermissions : role.getIndexPermissions()) {
+                    if (indexPermissions.usesTemplates()) {
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+    String userBasedRestrictionsInfo(PrivilegesEvaluationContext context) {
+        return context.getUser().getName() + "::" + DocNode.wrap(context.getUser().getStructuredAttributes()).toJsonString() + "::" + context.getMappedRoles();
+    }
+
+    String roleBasedRestrictionInfo(PrivilegesEvaluationContext context, SgDynamicConfiguration<Role> rolesConfig) {
+        Set<String> unprotectedIndices = new TreeSet<>();
+        Map<String, Set<String>> protectedIndices = new TreeMap<>();
+
+        for (String roleName : context.getMappedRoles()) {
+            Role role = rolesConfig.getCEntry(roleName);
+
+            if (role != null) {
+                for (Role.Index indexPermissions : role.getIndexPermissions()) {
+                    if (indexPermissions.getDls() == null && (indexPermissions.getFls() == null || indexPermissions.getFls().isEmpty())
+                            && (indexPermissions.getMaskedFields() == null || indexPermissions.getMaskedFields().isEmpty())) {
+                        unprotectedIndices.addAll(indexPermissions.getIndexPatterns().getSource().map(Template::toString));
+                    } else {
+                        for (String indexPattern : indexPermissions.getIndexPatterns().getSource().map(Template::toString)) {
+                            Set<String> rules = protectedIndices.computeIfAbsent(indexPattern, k -> new TreeSet<>());
+                            rules.add("dls:" + indexPermissions.getDls());
+                            rules.add("fls: " + indexPermissions.getFls());
+                            rules.add("fm: " + indexPermissions.getMaskedFields());
+                        }
+                    }
+                }
+            }
+        }
+
+        for (String unprotectedIndex : unprotectedIndices) {
+            protectedIndices.remove(unprotectedIndex);
+        }
+
+        return unprotectedIndices + "::" + protectedIndices;
+    }
+}

dlic-dlsfls/src/test/java/com/floragunn/searchguard/enterprise/dlsfls/DlsFlsProcessedConfigTest.java

@@ -49,17 +49,16 @@ public class DlsFlsProcessedConfigTest {
 
     @Test
     public void shouldSupportNullValidationErrors() {
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
-            null, null);
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking, null, null, null);
 
         assertThat(config.containsValidationError(), equalTo(false));
         assertThat(config.getValidationErrorDescription(), isEmptyOrNullString());
     }
 
     @Test
     public void shouldNotContainValidationErrors() {
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
-            rolesValidationErrors, rolesMapingdValidationErrors);
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking, null, rolesValidationErrors,
+                rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(false));
         assertThat(config.getValidationErrorDescription(), isEmptyOrNullString());
@@ -70,7 +69,7 @@ public void shouldReturnRoleValidationErrorForRoles() {
         when(rolesValidationErrors.hasErrors()).thenReturn(true);
         when(rolesValidationErrors.getErrors()).thenReturn(ImmutableMap.of(INVALID_ROLE_1, singleton(VALIDATION_ERROR_1)));
 
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,null,
             rolesValidationErrors, rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(true));
@@ -86,7 +85,7 @@ public void shouldReturnMultipleRoleValidationError() {
         when(rolesValidationErrors.getErrors()).thenReturn(ImmutableMap.of(INVALID_ROLE_1, singleton(VALIDATION_ERROR_1),//
             INVALID_ROLE_2, singleton(VALIDATION_ERROR_2)));
 
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,null,
             rolesValidationErrors, rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(true));
@@ -103,7 +102,7 @@ public void shouldReturnMultipleValidationErrorForSameRole() {
         when(rolesValidationErrors.hasErrors()).thenReturn(true);
         when(rolesValidationErrors.getErrors()).thenReturn(ImmutableMap.of(INVALID_ROLE_1, asList(VALIDATION_ERROR_1, VALIDATION_ERROR_2)));
 
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,null,
             rolesValidationErrors, rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(true));
@@ -119,7 +118,7 @@ public void shouldReturnRoleValidationErrorForRolesMappings() {
         when(rolesMapingdValidationErrors.hasErrors()).thenReturn(true);
         when(rolesMapingdValidationErrors.getErrors()).thenReturn(ImmutableMap.of(INVALID_MAPPING_1, singleton(VALIDATION_ERROR_1)));
 
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,null,
             rolesValidationErrors, rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(true));
@@ -135,7 +134,7 @@ public void shouldReturnMultipleRoleMappingValidationError() {
         when(rolesMapingdValidationErrors.getErrors()).thenReturn(ImmutableMap.of(INVALID_MAPPING_1, singleton(VALIDATION_ERROR_1),//
             INVALID_MAPPING_2, singleton(VALIDATION_ERROR_2)));
 
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,null,
             rolesValidationErrors, rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(true));
@@ -152,7 +151,7 @@ public void shouldReturnMultipleValidationErrorForSameMappingsRole() {
         when(rolesMapingdValidationErrors.hasErrors()).thenReturn(true);
         when(rolesMapingdValidationErrors.getErrors()).thenReturn(Map.of(INVALID_MAPPING_1, asList(VALIDATION_ERROR_1, VALIDATION_ERROR_2)));
 
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,null,
             rolesValidationErrors, rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(true));
@@ -170,7 +169,7 @@ public void shouldReturnValidationErrorsForRolesAndMappings() {
         when(rolesMapingdValidationErrors.hasErrors()).thenReturn(true);
         when(rolesMapingdValidationErrors.getErrors()).thenReturn(ImmutableMap.of(INVALID_MAPPING_2, singleton(VALIDATION_ERROR_2)));
 
-        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking,//
+        this.config = new DlsFlsProcessedConfig(dlsDlsConfig, documentAuthorization, fieldAuthorization, fieldMasking, null,
             rolesValidationErrors, rolesMapingdValidationErrors);
 
         assertThat(config.containsValidationError(), equalTo(true));