Javadoc and test fixes

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -302,7 +302,7 @@ public boolean checkResourcePrivileges(
                     }
                 }
                 for (String privilege : checkForPrivileges) {
-                    IndexPrivilege indexPrivilege = IndexPrivilege.getSingle(Collections.singleton(privilege));
+                    IndexPrivilege indexPrivilege = IndexPrivilege.getSingleSelector(Collections.singleton(privilege));
                     if (allowedIndexPrivilegesAutomaton != null
                         && Automatons.subsetOf(indexPrivilege.getAutomaton(), allowedIndexPrivilegesAutomaton)) {
                         if (resourcePrivilegesMapBuilder != null) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java

@@ -416,7 +416,7 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd
                 for (ManageRolesIndexPermissionGroup indexPatternPrivilege : manageRolesIndexPermissionGroups) {
                     // TODO handle selectors
                     indicesPermissionBuilder.addGroup(
-                        IndexPrivilege.getSingle(Set.of(indexPatternPrivilege.privileges())),
+                        IndexPrivilege.getSingleSelector(Set.of(indexPatternPrivilege.privileges())),
                         FieldPermissions.DEFAULT,
                         null,
                         false,

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -271,16 +271,26 @@ private IndexPrivilege(Set<String> name, Automaton automaton, IndexComponentSele
         this.selectorPrivilege = selectorPrivilege;
     }
 
-    // TODO javadoc
-    public static IndexPrivilege getSingle(Set<String> name) {
+    /**
+     * TODO more detail
+     * Returns an index privilege for a single selector. Delegates to {@link #getSplitBySelector(Set)} but throws if the result has more
+     * than one selector. The caller must ensure that the names only map to privileges with the same selector.
+     */
+    public static IndexPrivilege getSingleSelector(Set<String> name) {
         var single = getSplitBySelector(name);
         if (single.size() != 1) {
             throw new IllegalArgumentException("expected singleton");
         }
         return single.iterator().next();
     }
 
-    // TODO javadoc
+    /**
+     * TODO more detail
+     * Returns a set of index privileges, each privilege responsible for a separate selector.
+     * For instance, `getSplitBySelector(Set.of("view_index_metadata", "write", "read_failure_store"))` will return two index privileges
+     * one covering "view_index_metadata" and "write" for a {@link IndexComponentSelectorPrivilege#DATA}, the other covering
+     * "read_failure_store" for a {@link IndexComponentSelectorPrivilege#FAILURES} selector.
+     */
     public static Set<IndexPrivilege> getSplitBySelector(Set<String> name) {
         return CACHE.computeIfAbsent(name, (theName) -> {
             if (theName.isEmpty()) {

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRoleTests.java

@@ -240,7 +240,7 @@ private static FieldPermissions randomFlsPermissions(String... grantedFields) {
 
     private static IndexPrivilege randomIndexPrivilege() {
         // TODO handle failure store
-        return IndexPrivilege.getSingle(Set.of(randomFrom(IndexPrivilege.names())));
+        return IndexPrivilege.getSingleSelector(Set.of(randomFrom(IndexPrivilege.names())));
     }
 
     public void testGetRoleDescriptorsIntersectionForRemoteClusterReturnsEmpty() {

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java

@@ -177,7 +177,7 @@ public void testGetRoleDescriptorsIntersectionForRemoteCluster() {
                 new FieldPermissions(new FieldPermissionsDefinition(new String[] { randomAlphaOfLength(5) }, null)),
                 null,
                 // TODO handle failure store
-                IndexPrivilege.getSingle(Set.of(randomFrom(IndexPrivilege.names()))),
+                IndexPrivilege.getSingleSelector(Set.of(randomFrom(IndexPrivilege.names()))),
                 randomBoolean(),
                 randomAlphaOfLength(9)
             )

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java

@@ -84,39 +84,39 @@ public void testPrivilegesForGetCheckPointAction() {
     public void testRelationshipBetweenPrivileges() {
         assertThat(
             Automatons.subsetOf(
-                IndexPrivilege.getSingle(Set.of("view_index_metadata")).automaton,
-                IndexPrivilege.getSingle(Set.of("manage")).automaton
+                IndexPrivilege.getSingleSelector(Set.of("view_index_metadata")).automaton,
+                IndexPrivilege.getSingleSelector(Set.of("manage")).automaton
             ),
             is(true)
         );
 
         assertThat(
             Automatons.subsetOf(
-                IndexPrivilege.getSingle(Set.of("monitor")).automaton,
-                IndexPrivilege.getSingle(Set.of("manage")).automaton
+                IndexPrivilege.getSingleSelector(Set.of("monitor")).automaton,
+                IndexPrivilege.getSingleSelector(Set.of("manage")).automaton
             ),
             is(true)
         );
 
         assertThat(
             Automatons.subsetOf(
-                IndexPrivilege.getSingle(Set.of("create", "create_doc", "index", "delete")).automaton,
-                IndexPrivilege.getSingle(Set.of("write")).automaton
+                IndexPrivilege.getSingleSelector(Set.of("create", "create_doc", "index", "delete")).automaton,
+                IndexPrivilege.getSingleSelector(Set.of("write")).automaton
             ),
             is(true)
         );
 
         assertThat(
             Automatons.subsetOf(
-                IndexPrivilege.getSingle(Set.of("create_index", "delete_index")).automaton,
-                IndexPrivilege.getSingle(Set.of("manage")).automaton
+                IndexPrivilege.getSingleSelector(Set.of("create_index", "delete_index")).automaton,
+                IndexPrivilege.getSingleSelector(Set.of("manage")).automaton
             ),
             is(true)
         );
     }
 
     public void testCrossClusterReplicationPrivileges() {
-        final IndexPrivilege crossClusterReplication = IndexPrivilege.getSingle(Set.of("cross_cluster_replication"));
+        final IndexPrivilege crossClusterReplication = IndexPrivilege.getSingleSelector(Set.of("cross_cluster_replication"));
         List.of(
             "indices:data/read/xpack/ccr/shard_changes",
             "indices:monitor/stats",
@@ -125,11 +125,16 @@ public void testCrossClusterReplicationPrivileges() {
             "indices:admin/seq_no/renew_retention_lease"
         ).forEach(action -> assertThat(crossClusterReplication.predicate.test(action + randomAlphaOfLengthBetween(0, 8)), is(true)));
         assertThat(
-            Automatons.subsetOf(crossClusterReplication.automaton, IndexPrivilege.getSingle(Set.of("manage", "read", "monitor")).automaton),
+            Automatons.subsetOf(
+                crossClusterReplication.automaton,
+                IndexPrivilege.getSingleSelector(Set.of("manage", "read", "monitor")).automaton
+            ),
             is(true)
         );
 
-        final IndexPrivilege crossClusterReplicationInternal = IndexPrivilege.getSingle(Set.of("cross_cluster_replication_internal"));
+        final IndexPrivilege crossClusterReplicationInternal = IndexPrivilege.getSingleSelector(
+            Set.of("cross_cluster_replication_internal")
+        );
         List.of(
             "indices:internal/admin/ccr/restore/session/clear",
             "indices:internal/admin/ccr/restore/file_chunk/get",
@@ -142,11 +147,11 @@ public void testCrossClusterReplicationPrivileges() {
             );
 
         assertThat(
-            Automatons.subsetOf(crossClusterReplicationInternal.automaton, IndexPrivilege.getSingle(Set.of("manage")).automaton),
+            Automatons.subsetOf(crossClusterReplicationInternal.automaton, IndexPrivilege.getSingleSelector(Set.of("manage")).automaton),
             is(false)
         );
         assertThat(
-            Automatons.subsetOf(crossClusterReplicationInternal.automaton, IndexPrivilege.getSingle(Set.of("all")).automaton),
+            Automatons.subsetOf(crossClusterReplicationInternal.automaton, IndexPrivilege.getSingleSelector(Set.of("all")).automaton),
             is(true)
         );
     }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java

@@ -7,6 +7,7 @@
 package org.elasticsearch.xpack.core.security.authz.privilege;
 
 import org.apache.lucene.tests.util.automaton.AutomatonTestUtil;
+import org.apache.lucene.util.automaton.Automaton;
 import org.elasticsearch.action.admin.cluster.health.TransportClusterHealthAction;
 import org.elasticsearch.action.admin.cluster.node.tasks.cancel.TransportCancelTasksAction;
 import org.elasticsearch.action.admin.cluster.reroute.TransportClusterRerouteAction;
@@ -66,6 +67,7 @@
 import org.junit.Rule;
 import org.junit.rules.ExpectedException;
 
+import java.util.Iterator;
 import java.util.Set;
 import java.util.function.Predicate;
 
@@ -203,29 +205,44 @@ public void testClusterAction() throws Exception {
 
     public void testIndexAction() throws Exception {
         Set<String> actionName = Sets.newHashSet("indices:admin/mapping/delete");
-        IndexPrivilege index = IndexPrivilege.getSingle(actionName);
+        IndexPrivilege index = IndexPrivilege.getSingleSelector(actionName);
         assertThat(index, notNullValue());
         assertThat(index.predicate().test("indices:admin/mapping/delete"), is(true));
         assertThat(index.predicate().test("indices:admin/mapping/dele"), is(false));
         assertThat(IndexPrivilege.READ_CROSS_CLUSTER.predicate().test("internal:transport/proxy/indices:data/read/query"), is(true));
     }
 
-    public void testIndexCollapse() throws Exception {
-        IndexPrivilege[] values = IndexPrivilege.values().values().toArray(new IndexPrivilege[IndexPrivilege.values().size()]);
+    public void testIndexCollapse() {
+        IndexPrivilege[] values = IndexPrivilege.values().values().toArray(new IndexPrivilege[0]);
         IndexPrivilege first = values[randomIntBetween(0, values.length - 1)];
         IndexPrivilege second = values[randomIntBetween(0, values.length - 1)];
 
         Set<String> name = Sets.newHashSet(first.name().iterator().next(), second.name().iterator().next());
-        IndexPrivilege index = IndexPrivilege.getSingle(name);
+        Set<IndexPrivilege> indices = IndexPrivilege.getSplitBySelector(name);
+
+        Automaton automaton = null;
+        if (indices.size() == 1) {
+            IndexPrivilege index = indices.iterator().next();
+            automaton = index.getAutomaton();
+        } else if (indices.size() == 2) {
+            Iterator<IndexPrivilege> it = indices.iterator();
+            IndexPrivilege index1 = it.next();
+            IndexPrivilege index2 = it.next();
+            automaton = Automatons.unionAndMinimize(Set.of(index1.getAutomaton(), index2.getAutomaton()));
+        } else {
+            fail("indices.size() must be 1 or 2");
+            assert false;
+        }
 
         if (Automatons.subsetOf(second.getAutomaton(), first.getAutomaton())) {
-            assertTrue(AutomatonTestUtil.sameLanguage(index.getAutomaton(), first.getAutomaton()));
+            assertTrue(AutomatonTestUtil.sameLanguage(automaton, first.getAutomaton()));
         } else if (Automatons.subsetOf(first.getAutomaton(), second.getAutomaton())) {
-            assertTrue(AutomatonTestUtil.sameLanguage(index.getAutomaton(), second.getAutomaton()));
+            assertTrue(AutomatonTestUtil.sameLanguage(automaton, second.getAutomaton()));
         } else {
-            assertFalse(AutomatonTestUtil.sameLanguage(index.getAutomaton(), first.getAutomaton()));
-            assertFalse(AutomatonTestUtil.sameLanguage(index.getAutomaton(), second.getAutomaton()));
+            assertFalse(AutomatonTestUtil.sameLanguage(automaton, first.getAutomaton()));
+            assertFalse(AutomatonTestUtil.sameLanguage(automaton, second.getAutomaton()));
         }
+
     }
 
     public void testSystem() throws Exception {

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/support/AutomatonPatternsTests.java

@@ -37,7 +37,7 @@ public void testRemoteClusterPrivsDoNotOverlap() {
 
         // check that the action patterns for remote CCS are not allowed by remote CCR privileges
         Arrays.stream(CCS_INDICES_PRIVILEGE_NAMES).forEach(ccsPrivilege -> {
-            Automaton ccsAutomaton = IndexPrivilege.getSingle(Set.of(ccsPrivilege)).getAutomaton();
+            Automaton ccsAutomaton = IndexPrivilege.getSingleSelector(Set.of(ccsPrivilege)).getAutomaton();
             Automatons.getPatterns(ccsAutomaton).forEach(ccsPattern -> {
                 // emulate an action name that could be allowed by a CCS privilege
                 String actionName = ccsPattern.replaceAll("\\*", randomAlphaOfLengthBetween(1, 8));
@@ -49,14 +49,14 @@ public void testRemoteClusterPrivsDoNotOverlap() {
                         ccrPrivileges,
                         ccsPattern
                     );
-                    assertFalse(errorMessage, IndexPrivilege.getSingle(Set.of(ccrPrivileges)).predicate().test(actionName));
+                    assertFalse(errorMessage, IndexPrivilege.getSingleSelector(Set.of(ccrPrivileges)).predicate().test(actionName));
                 });
             });
         });
 
         // check that the action patterns for remote CCR are not allowed by remote CCS privileges
         Arrays.stream(CCR_INDICES_PRIVILEGE_NAMES).forEach(ccrPrivilege -> {
-            Automaton ccrAutomaton = IndexPrivilege.getSingle(Set.of(ccrPrivilege)).getAutomaton();
+            Automaton ccrAutomaton = IndexPrivilege.getSingleSelector(Set.of(ccrPrivilege)).getAutomaton();
             Automatons.getPatterns(ccrAutomaton).forEach(ccrPattern -> {
                 // emulate an action name that could be allowed by a CCR privilege
                 String actionName = ccrPattern.replaceAll("\\*", randomAlphaOfLengthBetween(1, 8));
@@ -72,7 +72,7 @@ public void testRemoteClusterPrivsDoNotOverlap() {
                             ccsPrivileges,
                             ccrPattern
                         );
-                        assertFalse(errorMessage, IndexPrivilege.getSingle(Set.of(ccsPrivileges)).predicate().test(actionName));
+                        assertFalse(errorMessage, IndexPrivilege.getSingleSelector(Set.of(ccsPrivileges)).predicate().test(actionName));
                     }
                 });
             });

x-pack/plugin/security/qa/consistency-checks/src/test/java/org/elasticsearch/xpack/security/CrossClusterShardTests.java

@@ -112,7 +112,7 @@ public void testCheckForNewShardLevelTransportActions() throws Exception {
 
         List<String> shardActions = transportActionBindings.stream()
             .map(binding -> binding.getProvider().get())
-            .filter(action -> IndexPrivilege.getSingle(crossClusterPrivilegeNames).predicate().test(action.actionName))
+            .filter(action -> IndexPrivilege.getSingleSelector(crossClusterPrivilegeNames).predicate().test(action.actionName))
             .filter(this::actionIsLikelyShardAction)
             .map(action -> action.actionName)
             .toList();

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/DeprecationRoleDescriptorConsumer.java

@@ -183,7 +183,7 @@ private void logDeprecatedPermission(RoleDescriptor roleDescriptor) {
         for (Map.Entry<String, Set<String>> privilegesByAlias : privilegesByAliasMap.entrySet()) {
             final String aliasName = privilegesByAlias.getKey();
             final Set<String> aliasPrivilegeNames = privilegesByAlias.getValue();
-            final Automaton aliasPrivilegeAutomaton = IndexPrivilege.getSingle(aliasPrivilegeNames).getAutomaton();
+            final Automaton aliasPrivilegeAutomaton = IndexPrivilege.getSingleSelector(aliasPrivilegeNames).getAutomaton();
             final SortedSet<String> inferiorIndexNames = new TreeSet<>();
             // check if the alias grants superiors privileges than the indices it points to
             for (Index index : aliasOrIndexMap.get(aliasName).getIndices()) {
@@ -193,7 +193,7 @@ private void logDeprecatedPermission(RoleDescriptor roleDescriptor) {
                     // compute automaton once per index no matter how many times it is pointed to
                     final Automaton indexPrivilegeAutomaton = indexAutomatonMap.computeIfAbsent(
                         index.getName(),
-                        i -> IndexPrivilege.getSingle(indexPrivileges).getAutomaton()
+                        i -> IndexPrivilege.getSingleSelector(indexPrivileges).getAutomaton()
                     );
                     if (false == Automatons.subsetOf(indexPrivilegeAutomaton, aliasPrivilegeAutomaton)) {
                         inferiorIndexNames.add(index.getName());