Tweaks

n1v0lg · n1v0lg · commit 4c51737ceae1 · 2025-02-05T11:18:27.000+01:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
@@ -818,6 +818,9 @@ private Map<Automaton, Automaton> indexGroupAutomatons(boolean combine) {
 
     public static class Group {
         public static final Group[] EMPTY_ARRAY = new Group[0];
+        // TODO this is just a hack to avoid implementing a new field in this POC; this would be set via allow_failure_store_access on
+        // the role descriptor
+        private static final String FAILURE_STORE_ACCESS_MARKER = ".failure_store_access_marker";
 
         private final IndexPrivilege privilege;
         private final Predicate<String> actionMatcher;
@@ -831,42 +834,56 @@ public static class Group {
         // users. Setting this flag true eliminates the special status for the purpose of this permission - restricted indices still have
         // to be covered by the "indices"
         private final boolean allowRestrictedIndices;
+        private final boolean allowFailureStoreAccess;
 
         public Group(
             IndexPrivilege privilege,
             FieldPermissions fieldPermissions,
             @Nullable Set<BytesReference> query,
             boolean allowRestrictedIndices,
             RestrictedIndices restrictedIndices,
-            final String... indices
+            String... indices
         ) {
             assert indices.length != 0;
             this.privilege = privilege;
             this.actionMatcher = privilege.predicate();
             this.indices = indices;
+            boolean allowFailureStoreAccess = allowFailureStoreAccess(indices);
+            this.allowFailureStoreAccess = allowFailureStoreAccess;
             // TODO: [Jake] how to support selectors for hasPrivileges ? (are reg-ex's just broken for hasPrivilege index checks ?)
             // TODO: [Jake] ensure that only ::failure selectors can be added the role (i.e. error on name::* or name::data)
             // TODO: [Jake] ensure that no selectors can be added to remote_indices (or gate usage with a feature flag, or just test)
-            String[] patternsReWritten = maybeAddFailureExclusions(indices);
             this.allowRestrictedIndices = allowRestrictedIndices;
             ConcurrentHashMap<String[], Automaton> indexNameAutomatonMemo = new ConcurrentHashMap<>(1);
             if (allowRestrictedIndices) {
-                this.indexNameMatcher = StringMatcher.of(patternsReWritten);
-                this.indexNameAutomaton = () -> indexNameAutomatonMemo.computeIfAbsent(
-                    patternsReWritten,
-                    k -> Automatons.patterns(patternsReWritten)
-                );
+                this.indexNameMatcher = getIndexNameMatcher(allowFailureStoreAccess, indices);
+                // TODO handle this, too
+                this.indexNameAutomaton = () -> indexNameAutomatonMemo.computeIfAbsent(indices, k -> Automatons.patterns(indices));
             } else {
-                this.indexNameMatcher = StringMatcher.of(patternsReWritten).and(name -> restrictedIndices.isRestricted(name) == false);
+                this.indexNameMatcher = getIndexNameMatcher(allowFailureStoreAccess, indices).and(
+                    name -> restrictedIndices.isRestricted(name) == false
+                );
+                // TODO handle this, too
                 this.indexNameAutomaton = () -> indexNameAutomatonMemo.computeIfAbsent(
-                    patternsReWritten,
-                    k -> Automatons.minusAndMinimize(Automatons.patterns(patternsReWritten), restrictedIndices.getAutomaton())
+                    indices,
+                    k -> Automatons.minusAndMinimize(Automatons.patterns(indices), restrictedIndices.getAutomaton())
                 );
             }
             this.fieldPermissions = Objects.requireNonNull(fieldPermissions);
             this.query = query;
         }
 
+        private static StringMatcher getIndexNameMatcher(boolean allowFailureStoreAccess, String[] indices) {
+            if (false == allowFailureStoreAccess) {
+                return StringMatcher.of(indices).and(name -> name.endsWith("::failures") == false);
+            }
+            return StringMatcher.of(indices);
+        }
+
+        private static boolean allowFailureStoreAccess(String... indices) {
+            return Arrays.stream(indices).anyMatch(index -> index.equals("*") || index.equals(FAILURE_STORE_ACCESS_MARKER));
+        }
+
         // TODO: [Jake] ensure this javadoc is still correct before merging (some minor details are wrong, but the gist is correct)
         /**
          * This method looks for any index patterns in this group that have all the following characteristics:
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/FailureStoreSecurityRestIT.java
@@ -13,13 +13,15 @@
 import org.elasticsearch.client.Response;
 import org.elasticsearch.client.ResponseException;
 import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.xcontent.support.XContentMapValues;
 import org.elasticsearch.core.Strings;
 import org.elasticsearch.search.SearchHit;
 import org.elasticsearch.search.SearchResponseUtils;
 
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
@@ -29,36 +31,115 @@
 
 public class FailureStoreSecurityRestIT extends SecurityOnTrialLicenseRestTestCase {
 
-    private static final String USER = "user";
+    private static final String DATA_ACCESS_USER = "data_access_user";
+    private static final String FAILURE_STORE_ACCESS_USER = "failure_store_access_user";
     private static final SecureString PASSWORD = new SecureString("elastic-password");
 
+    @SuppressWarnings("unchecked")
     public void testFailureStoreAccess() throws IOException {
+        String dataAccessRole = "data_access";
         String failureStoreAccessRole = "failure_store_access";
-        createUser(USER, PASSWORD, List.of(failureStoreAccessRole));
+
+        createUser(DATA_ACCESS_USER, PASSWORD, List.of(dataAccessRole));
+        createUser(FAILURE_STORE_ACCESS_USER, PASSWORD, List.of(failureStoreAccessRole));
 
+        upsertRole(Strings.format("""
+            {
+              "description": "Role with data access",
+              "cluster": ["all"],
+              "indices": [{"names": ["test*"], "privileges": ["read"]}]
+            }"""), dataAccessRole);
         upsertRole(Strings.format("""
             {
               "description": "Role with failure store access",
               "cluster": ["all"],
-              "indices": [{"names": ["test*::failures"], "privileges": ["read"]}]
+              "indices": [{"names": ["test*::failures", ".failure_store_access_marker"], "privileges": ["read"]}]
             }"""), failureStoreAccessRole);
 
         createTemplates();
-        List<String> ids = populateDataStreamWithBulkRequest();
-        assertThat(ids.size(), equalTo(2));
-        assertThat(ids, hasItem("1"));
+        List<String> docIds = populateDataStreamWithBulkRequest();
+        assertThat(docIds.size(), equalTo(2));
+        assertThat(docIds, hasItem("1"));
         String successDocId = "1";
-        String failedDocId = ids.stream().filter(id -> false == id.equals(successDocId)).findFirst().get();
+        String failedDocId = docIds.stream().filter(id -> false == id.equals(successDocId)).findFirst().get();
+
+        Request dataStream = new Request("GET", "/_data_stream/test1");
+        Response response = adminClient().performRequest(dataStream);
+        Map<String, Object> dataStreams = entityAsMap(response);
+        assertEquals(Collections.singletonList("test1"), XContentMapValues.extractValue("data_streams.name", dataStreams));
+        List<String> dataIndexNames = (List<String>) XContentMapValues.extractValue("data_streams.indices.index_name", dataStreams);
+        assertThat(dataIndexNames.size(), equalTo(1));
+        List<String> failureIndexNames = (List<String>) XContentMapValues.extractValue(
+            "data_streams.failure_store.indices.index_name",
+            dataStreams
+        );
+        assertThat(failureIndexNames.size(), equalTo(1));
+
+        String dataIndexName = dataIndexNames.get(0);
+        String failureIndexName = failureIndexNames.get(0);
 
         // user with access to failures index
-        assertContainsDocIds(performRequestAsUser1(new Request("GET", "/test1::failures/_search")), failedDocId);
-        assertContainsDocIds(performRequestAsUser1(new Request("GET", "/test*::failures/_search")), failedDocId);
-        assertContainsDocIds(performRequestAsUser1(new Request("GET", "/*1::failures/_search")), failedDocId);
-        assertContainsDocIds(performRequestAsUser1(new Request("GET", "/*::failures/_search")), failedDocId);
-        assertContainsDocIds(performRequestAsUser1(new Request("GET", "/.fs*/_search")), failedDocId);
+        assertContainsDocIds(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test1::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test*::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/*1::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/*::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/.fs*/_search")), failedDocId);
+        assertContainsDocIds(
+            performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/" + failureIndexName + "/_search")),
+            failedDocId
+        );
+        // TODO fix this
+        // assertContainsDocIds(
+        // performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/" + failureIndexName + "/_search?ignore_unavailable=true")),
+        // failedDocId
+        // );
 
-        expectThrows404(() -> performRequestAsUser1(new Request("GET", "/test12::failures/_search")));
-        expectThrows404(() -> performRequestAsUser1(new Request("GET", "/test2::failures/_search")));
+        expectThrows404(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test12::failures/_search")));
+        expectThrows404(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test2::failures/_search")));
+        expectThrows403(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test12::*/_search")));
+
+        expectThrows403(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test1::data/_search")));
+        expectThrows403(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test1/_search")));
+        expectThrows403(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test2::data/_search")));
+        expectThrows403(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test2/_search")));
+        expectThrows403(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/" + dataIndexName + "/_search")));
+
+        assertEmpty(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test1::data/_search?ignore_unavailable=true")));
+        assertEmpty(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test1/_search?ignore_unavailable=true")));
+        assertEmpty(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test2::data/_search?ignore_unavailable=true")));
+        assertEmpty(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test2/_search?ignore_unavailable=true")));
+        // TODO fix this
+        // assertEmpty(
+        // performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/" + dataIndexName + "/_search?ignore_unavailable=true"))
+        // );
+
+        // assertEmpty(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/*1::data/_search")));
+        // assertEmpty(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/*1/_search")));
+        // TODO is this correct?
+        assertEmpty(performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/.ds*/_search")));
+
+        // user with access to data index
+        assertContainsDocIds(performRequest(DATA_ACCESS_USER, new Request("GET", "/test1/_search")), successDocId);
+        assertContainsDocIds(performRequest(DATA_ACCESS_USER, new Request("GET", "/test*/_search")), successDocId);
+        assertContainsDocIds(performRequest(DATA_ACCESS_USER, new Request("GET", "/*1/_search")), successDocId);
+        assertContainsDocIds(performRequest(DATA_ACCESS_USER, new Request("GET", "/*/_search")), successDocId);
+        assertContainsDocIds(performRequest(DATA_ACCESS_USER, new Request("GET", "/.ds*/_search")), successDocId);
+        assertContainsDocIds(performRequest(DATA_ACCESS_USER, new Request("GET", "/" + dataIndexName + "/_search")), successDocId);
+        assertContainsDocIds(
+            performRequest(DATA_ACCESS_USER, new Request("GET", "/" + dataIndexName + "/_search?ignore_unavailable=true")),
+            successDocId
+        );
+
+        expectThrows404(() -> performRequest(DATA_ACCESS_USER, new Request("GET", "/test12/_search")));
+        expectThrows404(() -> performRequest(DATA_ACCESS_USER, new Request("GET", "/test2/_search")));
+        expectThrows403(() -> performRequest(FAILURE_STORE_ACCESS_USER, new Request("GET", "/test12::*/_search")));
+
+        expectThrows403(() -> performRequest(DATA_ACCESS_USER, new Request("GET", "/test1::failures/_search")));
+        expectThrows403(() -> performRequest(DATA_ACCESS_USER, new Request("GET", "/test2::failures/_search")));
+        expectThrows403(() -> performRequest(DATA_ACCESS_USER, new Request("GET", "/" + failureIndexName + "/_search")));
+        // TODO is this correct?
+        assertEmpty(performRequest(DATA_ACCESS_USER, new Request("GET", "/.fs*/_search")));
+        // assertEmpty(performRequest(DATA_ACCESS_USER, new Request("GET", "/*1::failures/_search")));
 
         // user with access to everything
         assertContainsDocIds(adminClient().performRequest(new Request("GET", "/test1::failures/_search")), failedDocId);
@@ -76,6 +157,11 @@ private static void expectThrows404(ThrowingRunnable get) {
         assertThat(ex.getResponse().getStatusLine().getStatusCode(), equalTo(404));
     }
 
+    private static void expectThrows403(ThrowingRunnable get) {
+        var ex = expectThrows(ResponseException.class, get);
+        assertThat(ex.getResponse().getStatusLine().getStatusCode(), equalTo(403));
+    }
+
     @SuppressWarnings("unchecked")
     private static void assertContainsDocIds(Response response, String... docIds) throws IOException {
         assertOK(response);
@@ -90,12 +176,15 @@ private static void assertContainsDocIds(Response response, String... docIds) th
         }
     }
 
-    private static void assert404(Response response) {
-        assertThat(response.getStatusLine().getStatusCode(), equalTo(404));
-    }
-
-    private static void assert403(Response response) {
-        assertThat(response.getStatusLine().getStatusCode(), equalTo(403));
+    private static void assertEmpty(Response response) throws IOException {
+        assertOK(response);
+        final SearchResponse searchResponse = SearchResponseUtils.parseSearchResponse(responseAsParser(response));
+        try {
+            SearchHit[] hits = searchResponse.getHits().getHits();
+            assertThat(hits.length, equalTo(0));
+        } finally {
+            searchResponse.decRef();
+        }
     }
 
     private void createTemplates() throws IOException {
@@ -120,10 +209,10 @@ private void createTemplates() throws IOException {
                         }
                     },
                     "data_stream_options": {
-                  "failure_store": {
-                    "enabled": true
-                  }
-                }
+                      "failure_store": {
+                        "enabled": true
+                      }
+                    }
                 }
             }
             """);
@@ -165,10 +254,8 @@ private List<String> populateDataStreamWithBulkRequest() throws IOException {
         return ids;
     }
 
-    private Response performRequestAsUser1(Request request) throws IOException {
-        request.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", basicAuthHeaderValue(USER, PASSWORD)).build());
-        var response = client().performRequest(request);
-        return response;
+    private Response performRequest(String user, Request request) throws IOException {
+        request.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", basicAuthHeaderValue(user, PASSWORD)).build());
+        return client().performRequest(request);
     }
-
 }
