fix direct access to .fs and .ds indices

Author: jakelandis

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -430,7 +430,11 @@ public boolean isPartOfDataStream() {
         public boolean checkIndex(Group group) {
             final DataStream ds = indexAbstraction == null ? null : indexAbstraction.getParentDataStream();
             if (ds != null) {
-                if (group.checkIndex(ds.getName())) {
+                boolean isFailureStoreIndex = ds.isFailureStoreIndex(indexAbstraction.getName());
+                if (isFailureStoreIndex
+                    && group.checkIndex(IndexNameExpressionResolver.combineSelector(ds.getName(), IndexComponentSelector.FAILURES))) {
+                    return true;
+                } else if (isFailureStoreIndex == false && group.checkIndex(ds.getName())) {
                     return true;
                 }
             }
@@ -907,12 +911,9 @@ static String convertToExcludeFailures(String indexPattern) {
             assert indexPattern != "*" : "* is a special case and should never exclude failures";
             assert indexPattern.endsWith("*") || Automatons.isLuceneRegex(indexPattern)
                 : "Only patterns with a trailing wildcard " + "or regular expressions should explicitly exclude failures";
-            // TODO: [Jake] also properly convert `?` and properly escape any characters such as `.` that is valid in index names but have
-            // special meaning in the regular expression
             StringBuilder sb = new StringBuilder();
             if (indexPattern.endsWith("*")) {
-                // using Strings.replace instead of String.replaceAll to avoid regex compilation
-                String inny = Strings.replace(indexPattern, "*", ".*");
+                String inny = globToRegex(indexPattern);
                 return sb.append("/(").append(inny).append(")&~(").append(inny).append("::failures)/").toString();
             } else if (Automatons.isLuceneRegex(indexPattern)) {
                 String inny = indexPattern.substring(1, indexPattern.length() - 1);
@@ -922,6 +923,43 @@ static String convertToExcludeFailures(String indexPattern) {
             }
         }
 
+        private static String globToRegex(String glob) {
+            StringBuilder sb = new StringBuilder();
+            for (int i = 0; i < glob.length(); i++) {
+                char c = glob.charAt(i);
+                switch (c) {
+                    case '*':
+                        sb.append(".*");
+                        break;
+                    case '?':
+                        sb.append('.');
+                        break;
+                    case '.':
+                    case '(':
+                    case ')':
+                    case '[':
+                    case ']':
+                    case '{':
+                    case '}':
+                    case '\\':
+                    case '\"':
+                    case '|':
+                    case '+':
+                    case '#':
+                    case '@':
+                    case '<':
+                    case '>':
+                    case '~':
+                        sb.append('\\').append(c);
+                        break;
+                    default:
+                        sb.append(c);
+                        break;
+                }
+            }
+            return sb.toString();
+        }
+
         public IndexPrivilege privilege() {
             return privilege;
         }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -875,14 +875,22 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(
             // TODO: can this be done smarter? I think there are usually more indices/aliases in the cluster then indices defined a roles?
             if (includeDataStreams) {
                 for (IndexAbstraction indexAbstraction : lookup.values()) {
-                    if (predicate.test(indexAbstraction)) {
+                    // the index abstraction here is from cluster state which will never have the ::failure data selector
+                    // the first check is to see if the index/alias/data stream with no selector is authorized
+                    // the second check is to see if the data stream with the ::failures appended to the name is authorized
+                    boolean authorizedForDataAccess = predicate.test(indexAbstraction);
+                    boolean authorizedForFailureAccess = indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM
+                        && predicate.testDataStreamForFailureAccess(indexAbstraction);
+                    if (authorizedForDataAccess || authorizedForFailureAccess) {
                         indicesAndAliases.add(indexAbstraction.getName());
+                        // add data stream and its backing indices for any authorized data streams
                         if (indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM) {
-                            // add data stream and its backing indices for any authorized data streams
-                            for (Index index : indexAbstraction.getIndices()) {
-                                indicesAndAliases.add(index.getName());
+                            if (authorizedForDataAccess) {
+                                for (Index index : indexAbstraction.getIndices()) {
+                                    indicesAndAliases.add(index.getName());
+                                }
                             }
-                            if (predicate.testDataStreamForFailureAccess(indexAbstraction)) {
+                            if (authorizedForFailureAccess) {
                                 for (Index index : ((DataStream) indexAbstraction).getFailureIndices()) {
                                     indicesAndAliases.add(index.getName());
                                 }