support has privs

Author: jakelandis

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/user/HasPrivilegesRequest.java

@@ -8,13 +8,18 @@
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.IndexComponentSelector;
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.core.Tuple;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.ApplicationResourcePrivileges;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.IndicesPrivileges;
 
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * A request for checking a user's privileges
@@ -84,7 +89,50 @@ public ApplicationResourcePrivileges[] applicationPrivileges() {
     }
 
     public void indexPrivileges(IndicesPrivileges... privileges) {
-        this.indexPrivileges = privileges;
+        IndicesPrivileges[] newPrivileges = new IndicesPrivileges[privileges.length];
+        for (int i = 0; i < privileges.length; i++) {
+            IndicesPrivileges currentPriv = privileges[i];
+            IndicesPrivileges.Builder builder = IndicesPrivileges.builder(privileges[i]);
+            builder.indices((String[]) null);
+            List<String> updatedIndexPatterns = new ArrayList<>();
+            for (String indexPatternRequested : currentPriv.getIndices()) {
+                Tuple<String, String> split = IndexNameExpressionResolver.splitSelectorExpression(indexPatternRequested);
+                String indexNameNoSelector = split.v1();
+                String selectorAsString = split.v2();
+                if (selectorAsString == null) {
+                    assert indexPatternRequested.equals(indexNameNoSelector);
+                    updatedIndexPatterns.add(indexNameNoSelector); // add as-is, no selector
+                } else {
+                    IndexComponentSelector selector = IndexComponentSelector.getByKey(selectorAsString);
+                    switch (selector) {
+                        case DATA:
+                            updatedIndexPatterns.add(indexNameNoSelector); // strip the selector
+                            break;
+                        case FAILURES:
+                            updatedIndexPatterns.add(indexPatternRequested); // add as-is, keep selector in name
+                            break;
+                        case ALL_APPLICABLE:
+                            updatedIndexPatterns.add(indexNameNoSelector); // add with no selector for data
+                            updatedIndexPatterns.add(
+                                IndexNameExpressionResolver.combineSelector(indexNameNoSelector, IndexComponentSelector.FAILURES)
+                            ); // add with failure selector
+                            break;
+                        default:
+                            throw new IllegalArgumentException(
+                                "Unknown index component selector ["
+                                    + selectorAsString
+                                    + "], available options are: "
+                                    + IndexComponentSelector.values()
+                            );
+
+                    }
+                }
+                builder.indices(updatedIndexPatterns);
+                newPrivileges[i] = builder.build();
+            }
+        }
+
+        this.indexPrivileges = newPrivileges;
     }
 
     public void clusterPrivileges(String... privileges) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java

@@ -1371,6 +1371,10 @@ public static Builder builder() {
             return new Builder();
         }
 
+        public static Builder builder(IndicesPrivileges copyFrom) {
+            return new Builder(copyFrom);
+        }
+
         public String[] getIndices() {
             return this.indices;
         }
@@ -1553,6 +1557,15 @@ public static class Builder {
 
             private Builder() {}
 
+            private Builder(IndicesPrivileges copyFrom) {
+                indicesPrivileges.indices = copyFrom.indices;
+                indicesPrivileges.privileges = copyFrom.privileges;
+                indicesPrivileges.grantedFields = copyFrom.grantedFields;
+                indicesPrivileges.deniedFields = copyFrom.deniedFields;
+                indicesPrivileges.query = copyFrom.query;
+                indicesPrivileges.allowRestrictedIndices = copyFrom.allowRestrictedIndices;
+            }
+
             public Builder indices(String... indices) {
                 indicesPrivileges.indices = indices;
                 return this;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -847,17 +847,20 @@ public Group(
             // TODO: [Jake] how to support selectors for hasPrivileges ? (are reg-ex's just broken for hasPrivilege index checks ?)
             // TODO: [Jake] ensure that only ::failure selectors can be added the role (i.e. error on name::* or name::data)
             // TODO: [Jake] ensure that no selectors can be added to remote_indices (or gate usage with a feature flag, or just test)
-            String[] indicesResolved = maybeAddFailureExclusions(indices);
+            String[] patternsReWritten = maybeAddFailureExclusions(indices);
             this.allowRestrictedIndices = allowRestrictedIndices;
             ConcurrentHashMap<String[], Automaton> indexNameAutomatonMemo = new ConcurrentHashMap<>(1);
             if (allowRestrictedIndices) {
-                this.indexNameMatcher = StringMatcher.of(indicesResolved);
-                this.indexNameAutomaton = () -> indexNameAutomatonMemo.computeIfAbsent(indices, k -> Automatons.patterns(indices));
+                this.indexNameMatcher = StringMatcher.of(patternsReWritten);
+                this.indexNameAutomaton = () -> indexNameAutomatonMemo.computeIfAbsent(
+                    patternsReWritten,
+                    k -> Automatons.patterns(patternsReWritten)
+                );
             } else {
-                this.indexNameMatcher = StringMatcher.of(indicesResolved).and(name -> restrictedIndices.isRestricted(name) == false);
+                this.indexNameMatcher = StringMatcher.of(patternsReWritten).and(name -> restrictedIndices.isRestricted(name) == false);
                 this.indexNameAutomaton = () -> indexNameAutomatonMemo.computeIfAbsent(
-                    indices,
-                    k -> Automatons.minusAndMinimize(Automatons.patterns(indices), restrictedIndices.getAutomaton())
+                    patternsReWritten,
+                    k -> Automatons.minusAndMinimize(Automatons.patterns(patternsReWritten), restrictedIndices.getAutomaton())
                 );
             }
             this.fieldPermissions = Objects.requireNonNull(fieldPermissions);