Fix and more tests

n1v0lg · n1v0lg · commit 22b861f792e8 · 2025-02-20T08:41:17.000+01:00
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-package org.elasticsearch.xpack.security.privilege;
+package org.elasticsearch.xpack.security.failurestore;
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.Response;
@@ -45,8 +45,16 @@ protected Settings restAdminSettings() {
     }
 
     public void testGetUserPrivileges() throws IOException {
-        Request roleRequest = new Request("PUT", "/_security/role/role");
-        roleRequest.setJsonEntity("""
+        Request userRequest = new Request("PUT", "/_security/user/user");
+        userRequest.setJsonEntity("""
+            {
+              "password": "x-pack-test-password",
+              "roles": ["role"]
+            }
+            """);
+        assertOK(adminClient().performRequest(userRequest));
+
+        putRole("""
             {
               "cluster": ["all"],
               "indices": [
@@ -57,26 +65,7 @@ public void testGetUserPrivileges() throws IOException {
               ]
             }
             """);
-        assertOK(adminClient().performRequest(roleRequest));
-
-        Request userRequest = new Request("PUT", "/_security/user/user");
-        userRequest.setJsonEntity("""
-            {
-              "password": "x-pack-test-password",
-              "roles": ["role"]
-            }
-            """);
-        assertOK(adminClient().performRequest(userRequest));
-
-        Request request = new Request("GET", "/_security/user/_privileges");
-        request.setOptions(
-            request.getOptions()
-                .toBuilder()
-                .addHeader("Authorization", basicAuthHeaderValue("user", new SecureString("x-pack-test-password".toCharArray())))
-        );
-        Response response = client().performRequest(request);
-        assertOK(response);
-        assertThat(responseAsMap(response), equalTo(mapFromJson("""
+        expectUserPrivilegesResponse("""
             {
               "cluster": ["all"],
               "global": [],
@@ -92,7 +81,75 @@ public void testGetUserPrivileges() throws IOException {
                 }],
               "applications": [],
               "run_as": []
-            }""")));
+            }""");
+
+        putRole("""
+            {
+              "cluster": ["all"],
+              "indices": [
+                {
+                  "names": ["*"],
+                  "privileges": ["read_failure_store"]
+                }
+              ]
+            }
+            """);
+        expectUserPrivilegesResponse("""
+            {
+              "cluster": ["all"],
+              "global": [],
+              "indices": [
+                {
+                  "names": ["*"],
+                  "privileges": ["read_failure_store"],
+                  "allow_restricted_indices": false
+                }],
+              "applications": [],
+              "run_as": []
+            }""");
+
+        putRole("""
+            {
+              "cluster": ["all"],
+              "indices": [
+                {
+                  "names": ["*"],
+                  "privileges": ["all", "read_failure_store"]
+                }
+              ]
+            }
+            """);
+        expectUserPrivilegesResponse("""
+            {
+              "cluster": ["all"],
+              "global": [],
+              "indices": [
+                {
+                  "names": ["*"],
+                  "privileges": ["all", "read_failure_store"],
+                  "allow_restricted_indices": false
+                }],
+              "applications": [],
+              "run_as": []
+            }""");
+    }
+
+    private static void expectUserPrivilegesResponse(String userPrivilegesResponse) throws IOException {
+        Request request = new Request("GET", "/_security/user/_privileges");
+        request.setOptions(
+            request.getOptions()
+                .toBuilder()
+                .addHeader("Authorization", basicAuthHeaderValue("user", new SecureString("x-pack-test-password".toCharArray())))
+        );
+        Response response = client().performRequest(request);
+        assertOK(response);
+        assertThat(responseAsMap(response), equalTo(mapFromJson(userPrivilegesResponse)));
+    }
+
+    private static void putRole(String rolePayload) throws IOException {
+        Request roleRequest = new Request("PUT", "/_security/role/role");
+        roleRequest.setJsonEntity(rolePayload);
+        assertOK(adminClient().performRequest(roleRequest));
     }
 
     private static Map<String, Object> mapFromJson(String json) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/DeprecationRoleDescriptorConsumer.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/DeprecationRoleDescriptorConsumer.java
@@ -19,6 +19,7 @@
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.IndicesPrivileges;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 import org.elasticsearch.xpack.core.security.support.StringMatcher;
@@ -186,21 +187,27 @@ private void logDeprecatedPermission(RoleDescriptor roleDescriptor) {
             final Set<IndexPrivilege> aliasPrivileges = IndexPrivilege.splitBySelectorAccess(aliasPrivilegeNames);
             final SortedSet<String> inferiorIndexNames = new TreeSet<>();
             for (var aliasPrivilege : aliasPrivileges) {
+                // TODO implement failures handling in a follow-up
+                if (aliasPrivilege.getSelectorPredicate() == IndexComponentSelectorPredicate.FAILURES) {
+                    continue;
+                }
                 final Automaton aliasPrivilegeAutomaton = aliasPrivilege.getAutomaton();
                 // check if the alias grants superiors privileges than the indices it points to
                 for (Index index : aliasOrIndexMap.get(aliasName).getIndices()) {
                     final Set<String> indexPrivileges = privilegesByIndexMap.get(index.getName());
                     // null iff the index does not have *any* privilege
                     if (indexPrivileges != null) {
-                        // compute automaton once per index no matter how many times it is pointed to
+                        // compute privilege set once per index no matter how many times it is pointed to
                         final Set<IndexPrivilege> indexPrivilegeSet = indexPrivilegeMap.computeIfAbsent(
                             index.getName(),
                             i -> IndexPrivilege.splitBySelectorAccess(indexPrivileges)
                         );
                         for (var indexPrivilege : indexPrivilegeSet) {
-                            // TODO still not quite right
-                            if (indexPrivilege.getSelectorPredicate() == aliasPrivilege.getSelectorPredicate()
-                                && false == Automatons.subsetOf(indexPrivilege.getAutomaton(), aliasPrivilegeAutomaton)) {
+                            // TODO implement failures handling in a follow-up
+                            if (indexPrivilege.getSelectorPredicate() == IndexComponentSelectorPredicate.FAILURES) {
+                                continue;
+                            }
+                            if (false == Automatons.subsetOf(indexPrivilege.getAutomaton(), aliasPrivilegeAutomaton)) {
                                 inferiorIndexNames.add(index.getName());
                             }
                         }
