Fix Security's expression resolver to not remove unavailable but authorized names (#92625)

For non-wildcard resource names in expressions from requests with the
`ignoreUnavailable` request option set to `true`, the Security filter
removes names for "unavailable" resources. This behavior is
theoretically correct, but in practice the cluster state might not be
recovered at the point in time when the Security filter does the
rewrite (this causes problems, see #90215); In any case, the logic
to remove "unavailable" names is unnecessarily duplicated from
Core's expression resolver.

This PR makes the expression resolver in the Security filter to NOT:
 * remove missing but authorized names (indices, aliases, datastreams)
 * remove authorized datastreams if context disallows datastreams
 * remove backing indices of authorized datastreams if context disallows datastreams

It will only remove names of unauthorized resources, and let the
unavailable names go through to be handled (to be ignored or
throw "not found" exception) by the expression resolver in Core.

Fixes: #90215

Author: albertzaharovits

docs/changelog/92625.yaml

@@ -0,0 +1,6 @@
+pr: 92625
+summary: Fix Security's expression resolver to not remove unavailable but authorized
+  names
+area: Authorization
+type: bug
+issues: []

server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java

@@ -83,6 +83,9 @@ && isIndexVisible(
                 if (minus) {
                     finalIndices.remove(indexAbstraction);
                 } else if (indicesOptions.ignoreUnavailable() == false || isAuthorized.test(indexAbstraction)) {
+                    // Unauthorized names are considered unavailable, so if `ignoreUnavailable` is `true` they should be silently
+                    // discarded from the `finalIndices` list. Other "ways of unavailable" must be handled by the action
+                    // handler, see: https://github.com/elastic/elasticsearch/issues/90215
                     finalIndices.add(indexAbstraction);
                 }
             }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -38,6 +38,7 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.function.BiPredicate;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
 
@@ -55,7 +56,7 @@ public final class IndicesPermission {
 
     private static final Set<String> PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE = Set.of("create", "create_doc", "index", "write");
 
-    private final Map<String, Predicate<IndexAbstraction>> allowedIndicesMatchersForAction = new ConcurrentHashMap<>();
+    private final Map<String, IsResourceAuthorizedPredicate> allowedIndicesMatchersForAction = new ConcurrentHashMap<>();
 
     private final RestrictedIndices restrictedIndices;
     private final Group[] groups;
@@ -127,15 +128,15 @@ public Group[] groups() {
      * @return A predicate that will match all the indices that this permission
      * has the privilege for executing the given action on.
      */
-    public Predicate<IndexAbstraction> allowedIndicesMatcher(String action) {
+    public IsResourceAuthorizedPredicate allowedIndicesMatcher(String action) {
         return allowedIndicesMatchersForAction.computeIfAbsent(action, this::buildIndexMatcherPredicateForAction);
     }
 
     public boolean hasFieldOrDocumentLevelSecurity() {
         return hasFieldOrDocumentLevelSecurity;
     }
 
-    private Predicate<IndexAbstraction> buildIndexMatcherPredicateForAction(String action) {
+    private IsResourceAuthorizedPredicate buildIndexMatcherPredicateForAction(String action) {
         final Set<String> ordinaryIndices = new HashSet<>();
         final Set<String> restrictedIndices = new HashSet<>();
         final Set<String> grantMappingUpdatesOnIndices = new HashSet<>();
@@ -160,10 +161,64 @@ private Predicate<IndexAbstraction> buildIndexMatcherPredicateForAction(String a
         }
         final StringMatcher nameMatcher = indexMatcher(ordinaryIndices, restrictedIndices);
         final StringMatcher bwcSpecialCaseMatcher = indexMatcher(grantMappingUpdatesOnIndices, grantMappingUpdatesOnRestrictedIndices);
-        return indexAbstraction -> nameMatcher.test(indexAbstraction.getName())
-            || (indexAbstraction.getType() != IndexAbstraction.Type.DATA_STREAM
-                && (indexAbstraction.getParentDataStream() == null)
-                && bwcSpecialCaseMatcher.test(indexAbstraction.getName()));
+        return new IsResourceAuthorizedPredicate(nameMatcher, bwcSpecialCaseMatcher);
+    }
+
+    /**
+     * This encapsulates the authorization test for resources.
+     * There is an additional test for resources that are missing or that are not a datastream or a backing index.
+     */
+    public static class IsResourceAuthorizedPredicate implements BiPredicate<String, IndexAbstraction> {
+
+        private final BiPredicate<String, IndexAbstraction> biPredicate;
+
+        // public for tests
+        public IsResourceAuthorizedPredicate(StringMatcher resourceNameMatcher, StringMatcher additionalNonDatastreamNameMatcher) {
+            this((String name, @Nullable IndexAbstraction indexAbstraction) -> {
+                assert indexAbstraction == null || name.equals(indexAbstraction.getName());
+                return resourceNameMatcher.test(name)
+                    || (isPartOfDatastream(indexAbstraction) == false && additionalNonDatastreamNameMatcher.test(name));
+            });
+        }
+
+        private IsResourceAuthorizedPredicate(BiPredicate<String, IndexAbstraction> biPredicate) {
+            this.biPredicate = biPredicate;
+        }
+
+        /**
+        * Given another {@link IsResourceAuthorizedPredicate} instance in {@param other},
+        * return a new {@link IsResourceAuthorizedPredicate} instance that is equivalent to the conjunction of
+        * authorization tests of that other instance and this one.
+        */
+        @Override
+        public final IsResourceAuthorizedPredicate and(BiPredicate<? super String, ? super IndexAbstraction> other) {
+            return new IsResourceAuthorizedPredicate(this.biPredicate.and(other));
+        }
+
+        /**
+         * Verifies if access is authorized to the given {@param indexAbstraction} resource.
+         * The resource must exist. Otherwise, use the {@link #test(String, IndexAbstraction)} method.
+         * Returns {@code true} if access to the given resource is authorized or {@code false} otherwise.
+         */
+        public final boolean test(IndexAbstraction indexAbstraction) {
+            return test(indexAbstraction.getName(), indexAbstraction);
+        }
+
+        /**
+         * Verifies if access is authorized to the resource with the given {@param name}.
+         * The {@param indexAbstraction}, which is the resource to be accessed, must be supplied if the resource exists or be {@code null}
+         * if it doesn't.
+         * Returns {@code true} if access to the given resource is authorized or {@code false} otherwise.
+         */
+        @Override
+        public boolean test(String name, @Nullable IndexAbstraction indexAbstraction) {
+            return biPredicate.test(name, indexAbstraction);
+        }
+
+        private static boolean isPartOfDatastream(IndexAbstraction indexAbstraction) {
+            return indexAbstraction != null
+                && (indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM || indexAbstraction.getParentDataStream() != null);
+        }
     }
 
     /**

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
+import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission.IsResourceAuthorizedPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;
 import org.elasticsearch.xpack.core.security.support.Automatons;
@@ -21,7 +22,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import java.util.function.Predicate;
 
 /**
  * A {@link Role} limited by another role.<br>
@@ -123,8 +123,8 @@ public IndicesAccessControl authorize(
      * action on.
      */
     @Override
-    public Predicate<IndexAbstraction> allowedIndicesMatcher(String action) {
-        Predicate<IndexAbstraction> predicate = baseRole.indices().allowedIndicesMatcher(action);
+    public IsResourceAuthorizedPredicate allowedIndicesMatcher(String action) {
+        IsResourceAuthorizedPredicate predicate = baseRole.indices().allowedIndicesMatcher(action);
         predicate = predicate.and(limitedByRole.indices().allowedIndicesMatcher(action));
         return predicate;
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -18,6 +18,7 @@
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
+import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission.IsResourceAuthorizedPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;
@@ -36,7 +37,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import java.util.function.Predicate;
 
 public interface Role {
 
@@ -64,7 +64,7 @@ public interface Role {
      * @return A predicate that will match all the indices that this role
      * has the privilege for executing the given action on.
      */
-    Predicate<IndexAbstraction> allowedIndicesMatcher(String action);
+    IsResourceAuthorizedPredicate allowedIndicesMatcher(String action);
 
     /**
      * Returns an {@link Automaton} that matches all action names allowed for the given index

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRole.java

@@ -18,6 +18,7 @@
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.PrivilegesCheckResult;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.PrivilegesToCheck;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
+import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission.IsResourceAuthorizedPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;
 
@@ -28,7 +29,6 @@
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.atomic.AtomicReference;
-import java.util.function.Predicate;
 
 public class SimpleRole implements Role {
 
@@ -97,7 +97,7 @@ public boolean hasFieldOrDocumentLevelSecurity() {
     }
 
     @Override
-    public Predicate<IndexAbstraction> allowedIndicesMatcher(String action) {
+    public IsResourceAuthorizedPredicate allowedIndicesMatcher(String action) {
         return indices.allowedIndicesMatcher(action);
     }
 

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/EqlRestValidationTestCase.java

@@ -54,10 +54,14 @@ public void prepareIndices() throws IOException {
 
     protected abstract String getInexistentIndexErrorMessage();
 
+    protected String getInexistentWildcardErrorMessage() {
+        return getInexistentIndexErrorMessage();
+    }
+
     protected abstract void assertErrorMessageWhenAllowNoIndicesIsFalse(String reqParameter) throws IOException;
 
     public void testDefaultIndicesOptions() throws IOException {
-        assertErrorMessages(inexistentIndexNameWithWildcard, EMPTY, getInexistentIndexErrorMessage());
+        assertErrorMessages(inexistentIndexNameWithWildcard, EMPTY, getInexistentWildcardErrorMessage());
         assertErrorMessages(inexistentIndexNameWithoutWildcard, EMPTY, getInexistentIndexErrorMessage());
         assertValidRequestOnIndices(existentIndexWithWildcard, EMPTY);
         assertValidRequestOnIndices(existentIndexWithoutWildcard, EMPTY);
@@ -70,7 +74,7 @@ public void testAllowNoIndicesOption() throws IOException {
         String reqParameter = setAllowNoIndices ? "?allow_no_indices=" + allowNoIndices : EMPTY;
 
         if (isAllowNoIndices) {
-            assertErrorMessages(inexistentIndexNameWithWildcard, reqParameter, getInexistentIndexErrorMessage());
+            assertErrorMessages(inexistentIndexNameWithWildcard, reqParameter, getInexistentWildcardErrorMessage());
             assertErrorMessages(inexistentIndexNameWithoutWildcard, reqParameter, getInexistentIndexErrorMessage());
             assertValidRequestOnIndices(existentIndexWithWildcard, reqParameter);
             assertValidRequestOnIndices(existentIndexWithoutWildcard, reqParameter);

x-pack/plugin/eql/qa/multi-cluster-with-security/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestValidationIT.java

@@ -37,7 +37,8 @@ protected void assertErrorMessageWhenAllowNoIndicesIsFalse(String reqParameter)
         assertErrorMessage(
             "inexistent1,inexistent2",
             reqParameter,
-            getInexistentIndexErrorMessage() + "[" + indexPattern("inexistent1") + "," + indexPattern("inexistent2") + "]\""
+            getInexistentIndexErrorMessage()
+                + "[null]\",\"resource.type\":\"index_expression\",\"resource.id\":[\"inexistent1\",\"inexistent2\"]}]"
         );
     }
 

x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestValidationIT.java

@@ -30,7 +30,11 @@ protected void assertErrorMessageWhenAllowNoIndicesIsFalse(String reqParameter)
         // TODO: revisit after
         // https://github.com/elastic/elasticsearch/issues/64197
         // is closed
-        assertErrorMessage("inexistent1,inexistent2", reqParameter, """
-            "root_cause":[{"type":"index_not_found_exception","reason":"no such index [null]\"""");
+        assertErrorMessage(
+            "inexistent1,inexistent2",
+            reqParameter,
+            "\"root_cause\":[{\"type\":\"index_not_found_exception\",\"reason\":\"no such index [null]\","
+                + "\"resource.type\":\"index_expression\",\"resource.id\":[\"inexistent1\",\"inexistent2\"]}]"
+        );
     }
 }

x-pack/plugin/eql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestValidationIT.java

@@ -23,6 +23,11 @@ protected Settings restClientSettings() {
 
     @Override
     protected String getInexistentIndexErrorMessage() {
+        return "\"root_cause\":[{\"type\":\"verification_exception\",\"reason\":\"Found 1 problem\\nline -1:-1: Unknown index ";
+    }
+
+    @Override
+    protected String getInexistentWildcardErrorMessage() {
         return """
             "root_cause":[{"type":"verification_exception","reason":"Found 1 problem\\nline -1:-1: Unknown index [*,-*]"}],\
             "type":"index_not_found_exception","reason":"no such index\s""";
@@ -38,9 +43,9 @@ protected void assertErrorMessageWhenAllowNoIndicesIsFalse(String reqParameter)
             "root_cause":[{"type":"index_not_found_exception","reason":"no such index [inexistent*]\"""");
         // TODO: revisit the next two tests when https://github.com/elastic/elasticsearch/issues/64190 is closed
         assertErrorMessage("inexistent", reqParameter, """
-            "root_cause":[{"type":"index_not_found_exception","reason":"no such index [[inexistent]]\"""");
+            "root_cause":[{"type":"index_not_found_exception","reason":"no such index [inexistent]\"""");
         assertErrorMessage("inexistent1,inexistent2", reqParameter, """
-            "root_cause":[{"type":"index_not_found_exception","reason":"no such index [[inexistent1, inexistent2]]\"""");
+            "root_cause":[{"type":"index_not_found_exception","reason":"no such index [null]\"""");
     }
 
 }