More fixes

Author: n1v0lg

server/src/main/java/org/elasticsearch/action/support/IndexComponentSelector.java

@@ -79,7 +79,7 @@ public static IndexComponentSelector getByKeyOrThrow(@Nullable String key) {
         IndexComponentSelector selector = getByKey(key);
         if (selector == null) {
             throw new IllegalArgumentException(
-                "Unknown key of index component selector [" + key + "], available options are: " + KEY_REGISTRY
+                "Unknown key of index component selector [" + key + "], available options are: " + KEY_REGISTRY.keySet()
             );
         }
         return selector;

server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java

@@ -63,8 +63,8 @@ public List<String> resolveIndexAbstractions(
                         + "]"
                 );
             }
-            IndexComponentSelector selector = IndexComponentSelector.getByKeyOrThrow(selectorString);
             indexAbstraction = expressionAndSelector.v1();
+            IndexComponentSelector selector = IndexComponentSelector.getByKeyOrThrow(selectorString);
 
             // we always need to check for date math expressions
             indexAbstraction = IndexNameExpressionResolver.resolveDateMathExpression(indexAbstraction);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java

@@ -57,7 +57,7 @@ protected IndicesAccessControl(IndicesAccessControl copy) {
     }
 
     /**
-     * @return The document and field permissions for an index if exist, otherwise <code>null</code> is returned.
+     * @return The document and field permissions for an index if they exist, otherwise <code>null</code> is returned.
      *         If <code>null</code> is being returned this means that there are no field or document level restrictions.
      */
     @Nullable

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -451,6 +451,8 @@ public boolean isPartOfDataStream() {
         public boolean checkIndex(Group group) {
             final DataStream ds = indexAbstraction == null ? null : indexAbstraction.getParentDataStream();
             if (ds != null) {
+                // failure indices are special: when accessed directly (not through ::failures on parent data stream) they are accessed
+                // implicitly as data. However, authz to the parent data stream happens via the failures selector
                 final IndexComponentSelector selectorToCheck = indexAbstraction.isFailureIndexOfDataStream()
                     ? IndexComponentSelector.FAILURES
                     : selector;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -2211,6 +2211,7 @@ public Function<String, FieldPredicate> getFieldFilter() {
                     return FieldPredicate.ACCEPT_ALL;
                 }
                 assert indicesAccessControl.isGranted();
+                IndexNameExpressionResolver.assertExpressionHasDefaultOrDataSelector(index);
                 IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(index);
                 if (indexPermissions == null) {
                     return FieldPredicate.ACCEPT_ALL;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -885,7 +885,7 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(
             if (includeDataStreams) {
                 for (IndexAbstraction indexAbstraction : lookup.values()) {
                     // failure indices are special: when accessed directly (not through ::failures on parent data stream) they are accessed
-                    // as implicitly as data. However, authz to the parent data stream happens via the failures selector
+                    // implicitly as data. However, authz to the parent data stream happens via the failures selector
                     if (indexAbstraction.isFailureIndexOfDataStream()
                         && predicate.test(indexAbstraction.getParentDataStream(), IndexComponentSelector.FAILURES)) {
                         indicesAndAliases.add(indexAbstraction.getName());
@@ -1072,7 +1072,6 @@ private static boolean isAsyncRelatedAction(String action) {
     }
 
     static final class AuthorizedIndices implements AuthorizationEngine.AuthorizedIndices {
-
         private final CachedSupplier<Set<String>> authorizedAndAvailableSupplier;
         private final CachedSupplier<Set<String>> failureStoreAuthorizedAndAvailableSupplier;
         private final BiPredicate<String, IndexComponentSelector> isAuthorizedPredicate;
@@ -1089,13 +1088,15 @@ static final class AuthorizedIndices implements AuthorizationEngine.AuthorizedIn
 
         @Override
         public Set<String> all(IndexComponentSelector selector) {
+            Objects.requireNonNull(selector);
             return IndexComponentSelector.FAILURES.equals(selector)
                 ? failureStoreAuthorizedAndAvailableSupplier.get()
                 : authorizedAndAvailableSupplier.get();
         }
 
         @Override
         public boolean check(String name, IndexComponentSelector selector) {
+            Objects.requireNonNull(selector);
             return isAuthorizedPredicate.test(name, selector);
         }
     }