Add mapping name validation

Author: jfreden

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/rolemapping/TransportGetRoleMappingsAction.java

@@ -22,10 +22,8 @@
 
 import java.util.Arrays;
 import java.util.Comparator;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 import java.util.stream.Stream;
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/rolemapping/TransportPutRoleMappingAction.java

@@ -39,6 +39,7 @@ public TransportPutRoleMappingAction(
 
     @Override
     protected void doExecute(Task task, final PutRoleMappingRequest request, final ActionListener<PutRoleMappingResponse> listener) {
+        validateMappingName(request.getName());
         if (clusterStateRoleMapper.hasMapping(request.getName())) {
             // Allow to define a mapping with the same name in the native role mapping store as the file_settings namespace, but add a
             // warning header to signal to the caller that this could be a problem.
@@ -54,4 +55,13 @@ protected void doExecute(Task task, final PutRoleMappingRequest request, final A
             ActionListener.wrap(created -> listener.onResponse(new PutRoleMappingResponse(created)), listener::onFailure)
         );
     }
+
+    private void validateMappingName(String mappingName) {
+        String reservedSuffix = " (read only)";
+        if (mappingName.endsWith(reservedSuffix)) {
+            throw new IllegalArgumentException(
+                "Invalid mapping name [" + mappingName + "]. [" + reservedSuffix + "] is not an allowed suffix"
+            );
+        }
+    }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/rolemapping/TransportPutRoleMappingActionTests.java

@@ -93,6 +93,19 @@ public void testPutValidMapping() throws Exception {
         assertThat(mapping.getMetadata().get("dumb"), equalTo(true));
     }
 
+    public void testPutMappingWithInvalidName() {
+        final FieldExpression expression = new FieldExpression("username", Collections.singletonList(new FieldExpression.FieldValue("*")));
+        IllegalArgumentException illegalArgumentException = expectThrows(
+            IllegalArgumentException.class,
+            () -> put("anarchy (read only)", expression, "superuser", Collections.singletonMap("dumb", true))
+        );
+
+        assertThat(
+            illegalArgumentException.getMessage(),
+            equalTo("Invalid mapping name [anarchy (read only)]. [ (read only)] is not an allowed suffix")
+        );
+    }
+
     private PutRoleMappingResponse put(String name, FieldExpression expression, String role, Map<String, Object> metadata)
         throws Exception {
         final PutRoleMappingRequest request = new PutRoleMappingRequest();