Test get privileges

n1v0lg · n1v0lg · commit 253f6ab95f3d · 2025-02-19T09:26:16.000+01:00
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java
@@ -13,6 +13,7 @@
 import org.elasticsearch.action.index.TransportIndexAction;
 import org.elasticsearch.action.search.TransportSearchAction;
 import org.elasticsearch.action.update.TransportUpdateAction;
+import org.elasticsearch.cluster.metadata.DataStream;
 import org.elasticsearch.common.util.iterable.Iterables;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.rollup.action.GetRollupIndexCapsAction;
@@ -69,6 +70,74 @@ public void testFindPrivilegesThatGrant() {
         assertThat(findPrivilegesThatGrant(RefreshAction.NAME), equalTo(List.of("maintenance", "manage", "all")));
     }
 
+    public void testGetSingleSelector() {
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("all"));
+            assertThat(actual, equalTo(IndexPrivilege.ALL));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.ALL));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("read"));
+            assertThat(actual, equalTo(IndexPrivilege.READ));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.DATA));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("none"));
+            assertThat(actual, equalTo(IndexPrivilege.NONE));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.DATA));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of());
+            assertThat(actual, equalTo(IndexPrivilege.NONE));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.DATA));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("indices:data/read/search"));
+            assertThat(actual.getSingleName(), equalTo("indices:data/read/search"));
+            assertThat(actual.predicate.test("indices:data/read/search"), is(true));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.DATA));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("all", "read", "indices:data/read/search"));
+            assertThat(actual.name, equalTo(Set.of("all", "read", "indices:data/read/search")));
+            assertThat(Automatons.subsetOf(IndexPrivilege.ALL.automaton, actual.automaton), is(true));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.ALL));
+        }
+    }
+
+    public void testGetSingleSelectorWithFailuresSelector() {
+        assumeTrue("This test requires the failure store to be enabled", DataStream.isFailureStoreFeatureFlagEnabled());
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("read_failure_store"));
+            assertThat(actual, equalTo(IndexPrivilege.READ_FAILURE_STORE));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.FAILURES));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("all", "read_failure_store"));
+            assertThat(actual.name(), equalTo(Set.of("all", "read_failure_store")));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.ALL));
+            assertThat(Automatons.subsetOf(IndexPrivilege.ALL.automaton, actual.automaton), is(true));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("all", "indices:data/read/search", "read_failure_store"));
+            assertThat(actual.name(), equalTo(Set.of("all", "indices:data/read/search", "read_failure_store")));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.ALL));
+            assertThat(Automatons.subsetOf(IndexPrivilege.ALL.automaton, actual.automaton), is(true));
+        }
+        {
+            IndexPrivilege actual = IndexPrivilege.getSingleSelector(Set.of("all", "read", "read_failure_store"));
+            assertThat(actual.name(), equalTo(Set.of("all", "read", "read_failure_store")));
+            assertThat(actual.getSelectorPrivilege(), equalTo(IndexComponentSelectorPrivilege.ALL));
+            assertThat(Automatons.subsetOf(IndexPrivilege.ALL.automaton, actual.automaton), is(true));
+        }
+        expectThrows(IllegalArgumentException.class, () -> IndexPrivilege.getSingleSelector(Set.of("read", "read_failure_store")));
+        expectThrows(
+            IllegalArgumentException.class,
+            () -> IndexPrivilege.getSingleSelector(Set.of("indices:data/read/search", "read_failure_store"))
+        );
+        expectThrows(IllegalArgumentException.class, () -> IndexPrivilege.getSingleSelector(Set.of("none", "read_failure_store")));
+    }
+
     public void testPrivilegesForRollupFieldCapsAction() {
         final Collection<String> privileges = findPrivilegesThatGrant(GetRollupIndexCapsAction.NAME);
         assertThat(Set.copyOf(privileges), equalTo(Set.of("manage", "all", "view_index_metadata", "read")));
