Tweak and tests

n1v0lg · n1v0lg · commit 5e75b5a59c1b · 2025-03-28T08:39:35.000+01:00
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
@@ -32,6 +32,7 @@
 import org.elasticsearch.xcontent.json.JsonXContent;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase;
+import org.hamcrest.Matcher;
 import org.junit.Before;
 import org.junit.ClassRule;
 
@@ -47,6 +48,7 @@
 import java.util.stream.Collectors;
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
@@ -1096,6 +1098,12 @@ public void testFailureStoreAccess() throws Exception {
                     case FAILURE_STORE_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS,
                         FAILURE_INDEX_FAILURE_ACCESS:
                         expectThrows(user, request, 403);
+                        // also check authz message
+                        expectThrowsUnauthorized(
+                            user,
+                            request,
+                            containsString("this action is granted by the index privileges [read,all]")
+                        );
                         break;
                     default:
                         fail("must cover user: " + user);
@@ -1281,6 +1289,15 @@ public void testFailureStoreAccess() throws Exception {
                     case DATA_ACCESS, STAR_READ_ONLY_ACCESS, BACKING_INDEX_DATA_ACCESS, BACKING_INDEX_FAILURE_ACCESS,
                         FAILURE_INDEX_FAILURE_ACCESS, FAILURE_INDEX_DATA_ACCESS:
                         expectThrows(user, request, 403);
+                        // also check authz message
+                        expectThrowsUnauthorized(
+                            user,
+                            request,
+                            containsString(
+                                "this action is granted by the index privileges [read,all] for data access, "
+                                    + "or by [read_failure_store] for access with the [failures] selector"
+                            )
+                        );
                         break;
                     case ADMIN_USER, FAILURE_STORE_ACCESS, BOTH_ACCESS:
                         expectSearch(user, request, failuresDocId);
@@ -2167,6 +2184,12 @@ private static void expectThrows(ThrowingRunnable runnable, int statusCode) {
         assertThat(ex.getResponse().getStatusLine().getStatusCode(), equalTo(statusCode));
     }
 
+    private void expectThrowsUnauthorized(String user, Search search, Matcher<String> errorMatcher) {
+        ResponseException ex = expectThrows(ResponseException.class, () -> performRequest(user, search.toSearchRequest()));
+        assertThat(ex.getResponse().getStatusLine().getStatusCode(), equalTo(403));
+        assertThat(ex.getMessage(), errorMatcher);
+    }
+
     private void expectThrows(String user, Search search, int statusCode) {
         expectThrows(() -> performRequest(user, search.toSearchRequest()), statusCode);
         expectThrows(() -> performRequest(user, search.toAsyncSearchRequest()), statusCode);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java
@@ -8,6 +8,7 @@
 package org.elasticsearch.xpack.security.authz;
 
 import org.elasticsearch.action.support.IndexComponentSelector;
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.core.Nullable;
@@ -103,27 +104,31 @@ public String actionDenied(
                     action,
                     p -> p.getSelectorPredicate().test(IndexComponentSelector.DATA)
                 );
-                final Collection<String> privilegesForFailuresSelector = findIndexPrivilegesThatGrant(
-                    action,
-                    p -> p.getSelectorPredicate().test(IndexComponentSelector.FAILURES)
-                        && false == p.getSelectorPredicate().test(IndexComponentSelector.DATA)
-                );
-                if (privileges != null && false == privileges.isEmpty()) {
+                assert false == privileges.isEmpty()
+                    || findIndexPrivilegesThatGrant(
+                        action,
+                        p -> p.getSelectorPredicate().test(IndexComponentSelector.FAILURES)
+                            && false == p.getSelectorPredicate().test(IndexComponentSelector.DATA)
+                    ).isEmpty()
+                    : "action [" + action + "] is not covered by any regular index privilege, only by failures-selector privileges";
+
+                if (false == privileges.isEmpty()) {
                     message = message
                         + ", this action is granted by the index privileges ["
                         + collectionToCommaDelimitedString(privileges)
                         + "]";
-                }
-                if (privilegesForFailuresSelector != null && false == privilegesForFailuresSelector.isEmpty()) {
-                    if (privileges != null && false == privileges.isEmpty()) {
+
+                    final Collection<String> privilegesForFailuresOnly = findIndexPrivilegesThatGrant(
+                        action,
+                        p -> p.getSelectorPredicate().test(IndexComponentSelector.FAILURES)
+                            && false == p.getSelectorPredicate().test(IndexComponentSelector.DATA)
+                    );
+                    if (false == privilegesForFailuresOnly.isEmpty() && hasIndicesWithFailuresSelector(request)) {
                         message = message
-                            + ", or by ["
-                            + collectionToCommaDelimitedString(privilegesForFailuresSelector)
+                            + " for data access, or by ["
+                            + collectionToCommaDelimitedString(privilegesForFailuresOnly)
                             + "] for access with the [failures] selector";
-                    } else {
-                        assert false : "action covered by failures selector privileges but no regular privileges [" + action + "]";
                     }
-
                 }
             }
             return message;
@@ -160,6 +165,19 @@ private String remoteClusterText(@Nullable String clusterAlias) {
             return Strings.format("towards remote cluster%s ", clusterAlias == null ? "" : " [" + clusterAlias + "]");
         }
 
+        private boolean hasIndicesWithFailuresSelector(TransportRequest request) {
+            String[] indices = AuthorizationEngine.RequestInfo.indices(request);
+            if (indices == null) {
+                return false;
+            }
+            for (String index : indices) {
+                if (IndexNameExpressionResolver.hasSelector(index, IndexComponentSelector.FAILURES)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
         private String authenticatedUserDescription(Authentication authentication) {
             String userText = (authentication.isServiceAccount() ? "service account" : "user")
                 + " ["
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessagesTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessagesTests.java
@@ -7,9 +7,12 @@
 
 package org.elasticsearch.xpack.security.authz;
 
+import org.elasticsearch.action.search.SearchRequest;
+import org.elasticsearch.cluster.metadata.DataStream;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.core.Tuple;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper;
@@ -23,6 +26,7 @@
 import java.util.stream.IntStream;
 import java.util.stream.Stream;
 
+import static org.hamcrest.Matchers.endsWith;
 import static org.hamcrest.Matchers.equalTo;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -233,6 +237,94 @@ public void testActionDeniedForCrossClusterAccessAuthentication() {
         );
     }
 
+    public void testActionDeniedWithFailuresAndCorrectActionIncludesFailuresMessage() {
+        assumeTrue("failure store required", DataStream.isFailureStoreFeatureFlagEnabled());
+
+        Authentication authentication = AuthenticationTestHelper.builder().build();
+
+        final String action = "indices:data/read/" + randomAlphaOfLengthBetween(0, 8);
+        SearchRequest request = mock(SearchRequest.class);
+        for (List<String> requestedIndices : List.of(
+            List.of(randomAlphaOfLength(5) + "::failures"),
+            List.of(randomAlphaOfLength(5) + "::failures", randomAlphaOfLength(5)),
+            List.of(randomAlphaOfLength(5), randomAlphaOfLength(5) + "::failures")
+        )) {
+            when(request.indices()).thenReturn(requestedIndices.toArray(new String[0]));
+            assertThat(
+                "for [" + Strings.collectionToCommaDelimitedString(requestedIndices) + "]",
+                denialMessages.actionDenied(authentication, null, action, request, null),
+                endsWith(
+                    "this action is granted by the index privileges [read,all] for data access, "
+                        + "or by [read_failure_store] for access with the [failures] selector"
+                )
+            );
+        }
+    }
+
+    public void testActionDeniedWithNonMatchingActionFailuresOmitsFailuresMessage() {
+        assumeTrue("failure store required", DataStream.isFailureStoreFeatureFlagEnabled());
+
+        Authentication authentication = AuthenticationTestHelper.builder().build();
+
+        // granted only by all, so selector message is omitted
+        final String action = "indices:/some/action/" + randomAlphaOfLengthBetween(0, 8);
+        SearchRequest request = mock(SearchRequest.class);
+        for (List<String> requestedIndices : List.of(
+            List.of(randomAlphaOfLength(5) + "::failures"),
+            List.of(randomAlphaOfLength(5) + "::failures", randomAlphaOfLength(5)),
+            List.of(randomAlphaOfLength(5), randomAlphaOfLength(5) + "::failures")
+        )) {
+            when(request.indices()).thenReturn(requestedIndices.toArray(new String[0]));
+            assertThat(
+                "for [" + Strings.collectionToCommaDelimitedString(requestedIndices) + "]",
+                denialMessages.actionDenied(authentication, null, action, request, null),
+                endsWith("this action is granted by the index privileges [all]")
+            );
+        }
+    }
+
+    public void testActionDeniedWithoutFailuresOmitsFailuresMessage() {
+        assumeTrue("failure store required", DataStream.isFailureStoreFeatureFlagEnabled());
+
+        Authentication authentication = AuthenticationTestHelper.builder().build();
+
+        final String action = "indices:data/read/" + randomAlphaOfLengthBetween(0, 8);
+        SearchRequest request = mock(SearchRequest.class);
+        for (List<String> requestedIndices : List.of(
+            List.<String>of(),
+            List.of(randomAlphaOfLength(5)),
+            List.of(randomAlphaOfLength(5), randomAlphaOfLength(5))
+        )) {
+            when(request.indices()).thenReturn(requestedIndices.toArray(new String[0]));
+            assertThat(
+                "for [" + Strings.collectionToCommaDelimitedString(requestedIndices) + "]",
+                denialMessages.actionDenied(authentication, null, action, request, null),
+                endsWith("this action is granted by the index privileges [read,all]")
+            );
+        }
+    }
+
+    public void testActionDeniedWithoutIndicesOmitsFailuresMessage() {
+        assumeTrue("failure store required", DataStream.isFailureStoreFeatureFlagEnabled());
+
+        Authentication authentication = AuthenticationTestHelper.builder().build();
+
+        final String action = "indices:data/read/" + randomAlphaOfLengthBetween(0, 8);
+        // not an IndicesRequest
+        TransportRequest request = mock(TransportRequest.class);
+        for (List<String> requestedIndices : List.of(
+            List.<String>of(),
+            List.of(randomAlphaOfLength(5)),
+            List.of(randomAlphaOfLength(5), randomAlphaOfLength(5))
+        )) {
+            assertThat(
+                "for [" + Strings.collectionToCommaDelimitedString(requestedIndices) + "]",
+                denialMessages.actionDenied(authentication, null, action, request, null),
+                endsWith("this action is granted by the index privileges [read,all]")
+            );
+        }
+    }
+
     public void testSuccessfulAuthenticationDescription() {
         final Authentication authentication1 = AuthenticationTestHelper.builder().realm().build(false);
         assertThat(
