record security exceptions in resolved index expressions (elastic#135630)

richard-dennehy · elasticsearchmachine · chrisparrinello · commit e2b3f573172c · 2025-11-03T14:06:15.000-06:00
* record security exceptions in resolved index expressions

* [CI] Auto commit changes from spotless

* override equality in LocalExpressions

* [CI] Auto commit changes from spotless

* record exception for unresolved index when ignore_unavailable is true

* clean up

* spotless

* enable CPS mode in test

* include index name in exception message

* [CI] Auto commit changes from spotless

* address review comments

* [CI] Auto commit changes from spotless

* assert exception is not set twice

* use recorded exception in CrossProjectIndexResolutionValidator

* [CI] Auto commit changes from spotless

* actually only set exception if unset

---------

Co-authored-by: elasticsearchmachine &lt;infra-root+elasticsearchmachine@elastic.co&gt;
diff --git a/server/src/main/java/org/elasticsearch/action/ResolvedIndexExpression.java b/server/src/main/java/org/elasticsearch/action/ResolvedIndexExpression.java
@@ -9,13 +9,16 @@
 
 package org.elasticsearch.action;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.io.stream.Writeable;
 import org.elasticsearch.core.Nullable;
 
 import java.io.IOException;
+import java.util.Objects;
 import java.util.Set;
 
 /**
@@ -49,6 +52,8 @@ public record ResolvedIndexExpression(String original, LocalExpressions localExp
     implements
         Writeable {
 
+    private static final Logger logger = LogManager.getLogger(ResolvedIndexExpression.class);
+
     public ResolvedIndexExpression(StreamInput in) throws IOException {
         this(in.readString(), new LocalExpressions(in), in.readCollectionAsImmutableSet(StreamInput::readString));
     }
@@ -76,17 +81,83 @@ public enum LocalIndexResolutionResult {
 
     /**
      * Represents local (non-remote) resolution results, including expanded indices, and a {@link LocalIndexResolutionResult}.
-     *
-     * @param indices represents the resolved concrete indices backing the expression
      */
-    public record LocalExpressions(
-        Set<String> indices,
-        LocalIndexResolutionResult localIndexResolutionResult,
-        @Nullable ElasticsearchException exception
-    ) implements Writeable {
-        public LocalExpressions {
+    public static final class LocalExpressions implements Writeable {
+        private final Set<String> indices;
+        private final LocalIndexResolutionResult localIndexResolutionResult;
+        @Nullable
+        private ElasticsearchException exception;
+
+        /**
+         * @param indices represents the resolved concrete indices backing the expression
+         */
+        public LocalExpressions(
+            Set<String> indices,
+            LocalIndexResolutionResult localIndexResolutionResult,
+            @Nullable ElasticsearchException exception
+        ) {
             assert localIndexResolutionResult != LocalIndexResolutionResult.SUCCESS || exception == null
                 : "If the local resolution result is SUCCESS, exception must be null";
+            this.indices = indices;
+            this.localIndexResolutionResult = localIndexResolutionResult;
+            this.exception = exception;
+        }
+
+        public Set<String> indices() {
+            return indices;
+        }
+
+        public LocalIndexResolutionResult localIndexResolutionResult() {
+            return localIndexResolutionResult;
+        }
+
+        @Nullable
+        public ElasticsearchException exception() {
+            return exception;
+        }
+
+        public void setExceptionIfUnset(ElasticsearchException exception) {
+            assert localIndexResolutionResult != LocalIndexResolutionResult.SUCCESS
+                : "If the local resolution result is SUCCESS, exception must be null";
+            Objects.requireNonNull(exception);
+
+            if (this.exception == null) {
+                this.exception = exception;
+            } else if (Objects.equals(this.exception.getMessage(), exception.getMessage()) == false) {
+                // see https://github.com/elastic/elasticsearch/issues/135799
+                var message = "Exception is already set: " + exception.getMessage();
+                logger.debug(message);
+                assert false : message;
+            }
+        }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (obj == this) return true;
+            if (obj == null || obj.getClass() != this.getClass()) return false;
+            var that = (LocalExpressions) obj;
+            return Objects.equals(this.indices, that.indices)
+                && Objects.equals(this.localIndexResolutionResult, that.localIndexResolutionResult)
+                && Objects.equals(this.exception, that.exception);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(indices, localIndexResolutionResult, exception);
+        }
+
+        @Override
+        public String toString() {
+            return "LocalExpressions["
+                + "indices="
+                + indices
+                + ", "
+                + "localIndexResolutionResult="
+                + localIndexResolutionResult
+                + ", "
+                + "exception="
+                + exception
+                + ']';
         }
 
         // Singleton for the case where all expressions in a ResolvedIndexExpression instance are remote
diff --git a/server/src/main/java/org/elasticsearch/search/crossproject/CrossProjectIndexResolutionValidator.java b/server/src/main/java/org/elasticsearch/search/crossproject/CrossProjectIndexResolutionValidator.java
@@ -98,7 +98,7 @@ public static ElasticsearchException validate(
             ResolvedIndexExpression.LocalExpressions localExpressions = localResolvedIndices.localExpressions();
             ResolvedIndexExpression.LocalIndexResolutionResult result = localExpressions.localIndexResolutionResult();
             if (isQualifiedExpression) {
-                ElasticsearchException e = checkResolutionFailure(localExpressions.indices(), result, originalExpression, indicesOptions);
+                ElasticsearchException e = checkResolutionFailure(localExpressions, result, originalExpression, indicesOptions);
                 if (e != null) {
                     return e;
                 }
@@ -118,7 +118,7 @@ public static ElasticsearchException validate(
                 }
             } else {
                 ElasticsearchException localException = checkResolutionFailure(
-                    localExpressions.indices(),
+                    localExpressions,
                     result,
                     originalExpression,
                     indicesOptions
@@ -152,7 +152,7 @@ public static ElasticsearchException validate(
                     continue;
                 }
                 if (isUnauthorized) {
-                    return securityException(originalExpression);
+                    return localException;
                 }
                 return new IndexNotFoundException(originalExpression);
             }
@@ -191,7 +191,7 @@ private static ElasticsearchException checkSingleRemoteExpression(
         }
 
         return checkResolutionFailure(
-            matchingExpression.indices(),
+            matchingExpression,
             matchingExpression.localIndexResolutionResult(),
             remoteExpression,
             indicesOptions
@@ -223,7 +223,7 @@ private static ResolvedIndexExpression.LocalExpressions findMatchingExpression(
     }
 
     private static ElasticsearchException checkResolutionFailure(
-        Set<String> localExpressions,
+        ResolvedIndexExpression.LocalExpressions localExpressions,
         ResolvedIndexExpression.LocalIndexResolutionResult result,
         String expression,
         IndicesOptions indicesOptions
@@ -235,11 +235,14 @@ private static ElasticsearchException checkResolutionFailure(
             if (result == CONCRETE_RESOURCE_NOT_VISIBLE) {
                 return new IndexNotFoundException(expression);
             } else if (result == CONCRETE_RESOURCE_UNAUTHORIZED) {
-                return securityException(expression);
+                assert localExpressions.exception() != null
+                    : "ResolvedIndexExpression should have exception set when concrete index is unauthorized";
+
+                return localExpressions.exception();
             }
         }
 
-        if (indicesOptions.allowNoIndices() == false && result == SUCCESS && localExpressions.isEmpty()) {
+        if (indicesOptions.allowNoIndices() == false && result == SUCCESS && localExpressions.indices().isEmpty()) {
             return new IndexNotFoundException(expression);
         }
 
diff --git a/server/src/test/java/org/elasticsearch/search/crossproject/CrossProjectIndexResolutionValidatorTests.java b/server/src/test/java/org/elasticsearch/search/crossproject/CrossProjectIndexResolutionValidatorTests.java
@@ -23,6 +23,7 @@
 
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.is;
 
 public class CrossProjectIndexResolutionValidatorTests extends ESTestCase {
 
@@ -124,14 +125,15 @@ public void testMissingFlatExpressionWithStrictIgnoreUnavailable() {
     }
 
     public void testUnauthorizedFlatExpressionWithStrictIgnoreUnavailable() {
+        final var exception = new ElasticsearchSecurityException("authorization errors while resolving [logs]");
         ResolvedIndexExpressions local = new ResolvedIndexExpressions(
             List.of(
                 new ResolvedIndexExpression(
                     "logs",
                     new ResolvedIndexExpression.LocalExpressions(
                         Set.of(),
                         ResolvedIndexExpression.LocalIndexResolutionResult.CONCRETE_RESOURCE_UNAUTHORIZED,
-                        new ElasticsearchSecurityException("authorization errors while resolving [logs]")
+                        exception
                     ),
                     Set.of("P1:logs")
                 )
@@ -157,8 +159,7 @@ public void testUnauthorizedFlatExpressionWithStrictIgnoreUnavailable() {
 
         var e = CrossProjectIndexResolutionValidator.validate(getStrictIgnoreUnavailable(), local, remote);
         assertNotNull(e);
-        assertThat(e, instanceOf(ElasticsearchSecurityException.class));
-        assertThat(e.getMessage(), containsString("user cannot access [logs]"));
+        assertThat(e, is(exception));
     }
 
     public void testQualifiedExpressionWithStrictIgnoreUnavailableMatchingInOriginProject() {
@@ -270,6 +271,7 @@ public void testUnauthorizedQualifiedExpressionWithStrictIgnoreUnavailable() {
             List.of(new ResolvedIndexExpression("P1:logs", ResolvedIndexExpression.LocalExpressions.NONE, Set.of("P1:logs")))
         );
 
+        final var exception = new ElasticsearchException("action is unauthorized for indices [logs]");
         var remote = Map.of(
             "P1",
             new ResolvedIndexExpressions(
@@ -279,7 +281,7 @@ public void testUnauthorizedQualifiedExpressionWithStrictIgnoreUnavailable() {
                         new ResolvedIndexExpression.LocalExpressions(
                             Set.of(),
                             ResolvedIndexExpression.LocalIndexResolutionResult.CONCRETE_RESOURCE_UNAUTHORIZED,
-                            new ElasticsearchException("logs")
+                            exception
                         ),
                         Set.of()
                     )
@@ -289,8 +291,7 @@ public void testUnauthorizedQualifiedExpressionWithStrictIgnoreUnavailable() {
 
         var e = CrossProjectIndexResolutionValidator.validate(getStrictIgnoreUnavailable(), local, remote);
         assertNotNull(e);
-        assertThat(e, instanceOf(ElasticsearchSecurityException.class));
-        assertThat(e.getMessage(), containsString("user cannot access [P1:logs]"));
+        assertThat(e, is(exception));
     }
 
     public void testFlatExpressionWithStrictAllowNoIndicesMatchingInOriginProject() {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -16,6 +16,7 @@
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.DelegatingActionListener;
 import org.elasticsearch.action.DocWriteRequest;
+import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.action.admin.indices.alias.Alias;
 import org.elasticsearch.action.admin.indices.alias.TransportIndicesAliasesAction;
 import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
@@ -108,6 +109,7 @@
 import java.util.function.Consumer;
 import java.util.function.Supplier;
 
+import static org.elasticsearch.action.ResolvedIndexExpression.LocalIndexResolutionResult.CONCRETE_RESOURCE_UNAUTHORIZED;
 import static org.elasticsearch.action.support.ContextPreservingActionListener.wrapPreservingContext;
 import static org.elasticsearch.xpack.core.security.SecurityField.setting;
 import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.ACTION_SCOPE_AUTHORIZATION_KEYS;
@@ -529,27 +531,19 @@ private void authorizeAction(
                 ActionListener.run(
                     listener,
                     l -> authzEngine.authorizeIndexAction(requestInfo, authzInfo, resolvedIndicesAsyncSupplier, projectMetadata)
-                        .addListener(
-                            wrapPreservingContext(
-                                new AuthorizationResultListener<>(
-                                    result -> handleIndexActionAuthorizationResult(
-                                        result,
-                                        requestInfo,
-                                        requestId,
-                                        authzInfo,
-                                        authzEngine,
-                                        resolvedIndicesAsyncSupplier,
-                                        projectMetadata,
-                                        l
-                                    ),
-                                    l::onFailure,
-                                    requestInfo,
-                                    requestId,
-                                    authzInfo
-                                ),
-                                threadContext
-                            )
-                        )
+                        .addListener(wrapPreservingContext(new AuthorizationResultListener<>(result -> {
+                            setIndexResolutionException(authzInfo, request, authentication, action);
+                            handleIndexActionAuthorizationResult(
+                                result,
+                                requestInfo,
+                                requestId,
+                                authzInfo,
+                                authzEngine,
+                                resolvedIndicesAsyncSupplier,
+                                projectMetadata,
+                                l
+                            );
+                        }, l::onFailure, requestInfo, requestId, authzInfo), threadContext))
                 );
             }, e -> onAuthorizedResourceLoadFailure(requestId, requestInfo, authzInfo, auditTrail, listener, e)));
         } else {
@@ -714,6 +708,34 @@ private void handleIndexActionAuthorizationResult(
         }
     }
 
+    private void setIndexResolutionException(
+        AuthorizationInfo authzInfo,
+        TransportRequest request,
+        Authentication authentication,
+        String action
+    ) {
+        if (request instanceof IndicesRequest.Replaceable replaceable) {
+            var indexExpressions = replaceable.getResolvedIndexExpressions();
+            if (indexExpressions != null) {
+                indexExpressions.expressions().forEach(resolved -> {
+                    if (resolved.localExpressions().localIndexResolutionResult() == CONCRETE_RESOURCE_UNAUTHORIZED) {
+                        resolved.localExpressions()
+                            .setExceptionIfUnset(
+                                actionDenied(
+                                    authentication,
+                                    authzInfo,
+                                    action,
+                                    request,
+                                    IndexAuthorizationResult.getFailureDescription(List.of(resolved.original()), restrictedIndices),
+                                    null
+                                )
+                            );
+                    }
+                });
+            }
+        }
+    }
+
     private void runRequestInterceptors(
         RequestInfo requestInfo,
         AuthorizationInfo authorizationInfo,
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ public static ElasticsearchException validate(`
`98`	`98`	`ResolvedIndexExpression.LocalExpressions localExpressions = localResolvedIndices.localExpressions();`
`99`	`99`	`ResolvedIndexExpression.LocalIndexResolutionResult result = localExpressions.localIndexResolutionResult();`
`100`	`100`	`if (isQualifiedExpression) {`
`101`		`- ElasticsearchException e = checkResolutionFailure(localExpressions.indices(), result, originalExpression, indicesOptions);`
	`101`	`+ ElasticsearchException e = checkResolutionFailure(localExpressions, result, originalExpression, indicesOptions);`
`102`	`102`	`if (e != null) {`
`103`	`103`	`return e;`
`104`	`104`	`}`
`@@ -118,7 +118,7 @@ public static ElasticsearchException validate(`
`118`	`118`	`}`
`119`	`119`	`} else {`
`120`	`120`	`ElasticsearchException localException = checkResolutionFailure(`
`121`		`- localExpressions.indices(),`
	`121`	`+ localExpressions,`
`122`	`122`	`result,`
`123`	`123`	`originalExpression,`
`124`	`124`	`indicesOptions`
`@@ -152,7 +152,7 @@ public static ElasticsearchException validate(`
`152`	`152`	`continue;`
`153`	`153`	`}`
`154`	`154`	`if (isUnauthorized) {`
`155`		`- return securityException(originalExpression);`
	`155`	`+ return localException;`
`156`	`156`	`}`
`157`	`157`	`return new IndexNotFoundException(originalExpression);`
`158`	`158`	`}`
`@@ -191,7 +191,7 @@ private static ElasticsearchException checkSingleRemoteExpression(`
`191`	`191`	`}`
`192`	`192`
`193`	`193`	`return checkResolutionFailure(`
`194`		`- matchingExpression.indices(),`
	`194`	`+ matchingExpression,`
`195`	`195`	`matchingExpression.localIndexResolutionResult(),`
`196`	`196`	`remoteExpression,`
`197`	`197`	`indicesOptions`
`@@ -223,7 +223,7 @@ private static ResolvedIndexExpression.LocalExpressions findMatchingExpression(`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`private static ElasticsearchException checkResolutionFailure(`
`226`		`- Set<String> localExpressions,`
	`226`	`+ ResolvedIndexExpression.LocalExpressions localExpressions,`
`227`	`227`	`ResolvedIndexExpression.LocalIndexResolutionResult result,`
`228`	`228`	`String expression,`
`229`	`229`	`IndicesOptions indicesOptions`
`@@ -235,11 +235,14 @@ private static ElasticsearchException checkResolutionFailure(`
`235`	`235`	`if (result == CONCRETE_RESOURCE_NOT_VISIBLE) {`
`236`	`236`	`return new IndexNotFoundException(expression);`
`237`	`237`	`} else if (result == CONCRETE_RESOURCE_UNAUTHORIZED) {`
`238`		`- return securityException(expression);`
	`238`	`+ assert localExpressions.exception() != null`
	`239`	`+ : "ResolvedIndexExpression should have exception set when concrete index is unauthorized";`
	`240`	`+`
	`241`	`+ return localExpressions.exception();`
`239`	`242`	`}`
`240`	`243`	`}`
`241`	`244`
`242`		`- if (indicesOptions.allowNoIndices() == false && result == SUCCESS && localExpressions.isEmpty()) {`
	`245`	`+ if (indicesOptions.allowNoIndices() == false && result == SUCCESS && localExpressions.indices().isEmpty()) {`
`243`	`246`	`return new IndexNotFoundException(expression);`
`244`	`247`	`}`
`245`	`248`