Fix unsupported privileges error message during role and API key creation

gmjehovich · gmjehovich · commit 333a5d12a7ec · 2025-06-03T14:33:28.000-04:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -396,7 +396,7 @@ private static Set<IndexPrivilege> resolve(Set<String> name) {
                         + part
                         + "]. a privilege must be either "
                         + "one of the predefined fixed indices privileges ["
-                        + Strings.collectionToCommaDelimitedString(VALUES.entrySet())
+                        + Strings.collectionToCommaDelimitedString(names().stream().sorted().collect(Collectors.toList()))
                         + "] or a pattern over one of the available index"
                         + " actions";
                     logger.debug(errorMessage);
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java
@@ -13,6 +13,7 @@
 import org.elasticsearch.action.index.TransportIndexAction;
 import org.elasticsearch.action.search.TransportSearchAction;
 import org.elasticsearch.action.update.TransportUpdateAction;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.util.iterable.Iterables;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.rollup.action.GetRollupIndexCapsAction;
@@ -21,8 +22,10 @@
 
 import java.util.Collection;
 import java.util.List;
+import java.util.Locale;
 import java.util.Set;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 
 import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.findPrivilegesThatGrant;
 import static org.hamcrest.Matchers.containsInAnyOrder;
@@ -392,6 +395,28 @@ public void testCrossClusterReplicationPrivileges() {
         );
     }
 
+    public void testInvalidPrivilegeErrorMessage() {
+        final String unknownPrivilege = randomValueOtherThanMany(
+            i -> IndexPrivilege.values().containsKey(i),
+            () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT)
+        );
+
+        IllegalArgumentException exception = expectThrows(
+            IllegalArgumentException.class,
+            () -> IndexPrivilege.resolveBySelectorAccess(Set.of(unknownPrivilege))
+        );
+
+        final String expectedFullErrorMessage = "unknown index privilege ["
+            + unknownPrivilege
+            + "]. a privilege must be either "
+            + "one of the predefined fixed indices privileges ["
+            + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList()))
+            + "] or a pattern over one of the available index"
+            + " actions";
+
+        assertEquals(expectedFullErrorMessage, exception.getMessage());
+    }
+
     public static IndexPrivilege resolvePrivilegeAndAssertSingleton(Set<String> names) {
         final Set<IndexPrivilege> splitBySelector = IndexPrivilege.resolveBySelectorAccess(names);
         assertThat("expected singleton privilege set but got " + splitBySelector, splitBySelector.size(), equalTo(1));
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java
@@ -9,17 +9,22 @@
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase;
 
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.not;
+import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.names;
 
 public class PutRoleRestIT extends SecurityOnTrialLicenseRestTestCase {
     public void testPutManyValidRoles() throws Exception {
@@ -316,6 +321,24 @@ public void testBulkUpdates() throws Exception {
     public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {
         final String badRoleName = "bad-role";
 
+        final String unknownPrivilege = randomValueOtherThanMany(
+            i -> names().contains(i),
+            () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT)
+        );
+
+        final String expectedExceptionMessage = "unknown index privilege ["
+            + unknownPrivilege
+            + "]. a privilege must be either "
+            + "one of the predefined fixed indices privileges ["
+            + Strings.collectionToCommaDelimitedString(
+            IndexPrivilege.names().stream()
+                .sorted()
+                .collect(Collectors.toList())
+            )
+            + "] or a pattern over one of the available index"
+            + " actions";
+
+
         final ResponseException exception = expectThrows(ResponseException.class, () -> upsertRoles(String.format("""
             {
                 "roles": {
@@ -326,17 +349,17 @@ public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {
                                     "indices": [
                                         {
                                             "names": ["allowed-index-prefix-*"],
-                                            "privileges": ["foobar"]
+                                            "privileges": ["%s"]
                                         }
                                     ]
                                 }
                             }
                         }
                     }
                 }
-            }""", badRoleName)));
+            }""", badRoleName, unknownPrivilege)));
 
-        assertThat(exception.getMessage(), containsString("unknown index privilege [foobar]"));
+        assertThat(exception.getMessage(), containsString(expectedExceptionMessage));
         assertEquals(400, exception.getResponse().getStatusLine().getStatusCode());
         assertRoleDoesNotExist(badRoleName);
     }
