Check TooComplex exception for HasPrivileges body

The index pattern provided in the body of `_has_privileges` can
trigger a `TooComplexToDeterminizeException` which is then bubbled up
(badly).

This change catches that exception and provides a better message

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -8,6 +8,7 @@
 
 import org.apache.lucene.util.automaton.Automaton;
 import org.apache.lucene.util.automaton.Operations;
+import org.apache.lucene.util.automaton.TooComplexToDeterminizeException;
 import org.elasticsearch.action.admin.indices.mapping.put.TransportAutoPutMappingAction;
 import org.elasticsearch.action.admin.indices.mapping.put.TransportPutMappingAction;
 import org.elasticsearch.action.support.IndexComponentSelector;
@@ -43,8 +44,10 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.BiPredicate;
+import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 
 import static java.util.Collections.unmodifiableMap;
 
@@ -330,11 +333,22 @@ public boolean checkResourcePrivileges(
                 combineIndexGroups && checkForIndexPatterns.stream().anyMatch(Automatons::isLuceneRegex),
                 IndexComponentSelector.FAILURES
             );
-        for (String forIndexPattern : checkForIndexPatterns) {
-            Automaton checkIndexAutomaton = Automatons.patterns(forIndexPattern);
-            if (false == allowRestrictedIndices && false == isConcreteRestrictedIndex(forIndexPattern)) {
-                checkIndexAutomaton = Automatons.minusAndMinimize(checkIndexAutomaton, restrictedIndices.getAutomaton());
-            }
+        Map<String, Automaton> checkIndexPatterns = checkForIndexPatterns.stream()
+            .collect(Collectors.toMap(Function.identity(), pattern -> {
+                try {
+                    Automaton automaton = Automatons.patterns(pattern);
+                    if (false == allowRestrictedIndices && false == isConcreteRestrictedIndex(pattern)) {
+                        automaton = Automatons.minusAndMinimize(automaton, restrictedIndices.getAutomaton());
+                    }
+                    return automaton;
+                } catch (TooComplexToDeterminizeException e) {
+                    final String text = pattern.length() > 260 ? Strings.cleanTruncate(pattern, 256) + "..." : pattern;
+                    throw new IllegalArgumentException("the provided index pattern [" + text + "] is too complex to be evaluated", e);
+                }
+            }));
+        for (var entry : checkIndexPatterns.entrySet()) {
+            final String forIndexPattern = entry.getKey();
+            final Automaton checkIndexAutomaton = entry.getValue();
             if (false == Operations.isEmpty(checkIndexAutomaton)) {
                 Automaton allowedPrivilegesAutomatonForDataSelector = getIndexPrivilegesAutomaton(
                     indexGroupAutomatonsForDataSelector,

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java

@@ -6,6 +6,7 @@
  */
 package org.elasticsearch.xpack.security.authz.accesscontrol;
 
+import org.apache.lucene.util.automaton.TooComplexToDeterminizeException;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.TransportVersion;
 import org.elasticsearch.action.admin.indices.mapping.put.TransportAutoPutMappingAction;
@@ -55,6 +56,7 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
@@ -1090,6 +1092,31 @@ public void testResourceAuthorizedPredicateAndWithFailures() {
         assertThat(predicate.test(concreteIndexF, IndexComponentSelector.FAILURES), is(true));
     }
 
+    public void testCheckResourcePrivilegesWithTooComplexAutomaton() {
+        IndicesPermission permission = new IndicesPermission.Builder(RESTRICTED_INDICES).addGroup(
+            IndexPrivilege.ALL,
+            FieldPermissions.DEFAULT,
+            null,
+            false,
+            "my-index"
+        ).build();
+
+        StringBuilder pattern = new StringBuilder("/");
+        for (int i = 0; i < 2048; i++) {
+            if (i > 0) {
+                pattern.append("|");
+            }
+            pattern.append(randomAlphaOfLength(64));
+        }
+        pattern.append("/");
+        var ex = expectThrows(
+            IllegalArgumentException.class,
+            () -> permission.checkResourcePrivileges(Set.of(pattern.toString()), false, Set.of("read"), null)
+        );
+        assertThat(ex.getMessage(), containsString("index pattern [/"));
+        assertThat(ex.getCause(), instanceOf(TooComplexToDeterminizeException.class));
+    }
+
     private static IndexAbstraction concreteIndexAbstraction(String name) {
         return new IndexAbstraction.ConcreteIndex(
             IndexMetadata.builder(name).settings(indexSettings(IndexVersion.current(), 1, 0)).build()