Composite role store tests

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -899,6 +899,10 @@ boolean hasQuery() {
             return query != null;
         }
 
+        public IndexComponentSelectorPrivilege getSelectorPrivilege() {
+            return selectorPrivilege;
+        }
+
         public boolean allowRestrictedIndices() {
             return allowRestrictedIndices;
         }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java

@@ -86,6 +86,7 @@
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeTests;
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.authz.restriction.Workflow;
 import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver;
@@ -150,6 +151,7 @@
 import static org.elasticsearch.xpack.security.authc.ApiKeyServiceTests.Utils.createApiKeyAuthentication;
 import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.arrayContaining;
+import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
@@ -1268,6 +1270,7 @@ public void testBuildRoleWithFlsAndDlsInRemoteIndicesDefinition() {
                 false,
                 "{\"match\":{\"field\":\"a\"}}",
                 new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "field" }, null),
+                IndexComponentSelectorPrivilege.DATA,
                 "index-1"
             )
         );
@@ -1303,13 +1306,15 @@ public void testBuildRoleWithFlsAndDlsInRemoteIndicesDefinition() {
                 false,
                 "{\"match\":{\"field\":\"a\"}}",
                 new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "field" }, null),
+                IndexComponentSelectorPrivilege.DATA,
                 "index-1"
             ),
             indexGroup(
                 IndexPrivilege.READ,
                 false,
                 "{\"match\":{\"field\":\"b\"}}",
                 new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "other" }, null),
+                IndexComponentSelectorPrivilege.DATA,
                 "index-1"
             )
         );
@@ -1529,6 +1534,90 @@ public void testBuildRoleWithMultipleRemoteClusterMerged() {
         }
     }
 
+    public void testBuildRoleWithReadFailureStorePrivilegeOnly() {
+        String indexPattern = randomAlphanumericOfLength(10);
+        final Role role = buildRole(
+            roleDescriptorWithIndicesPrivileges(
+                "r1",
+                new IndicesPrivileges[] { IndicesPrivileges.builder().indices(indexPattern).privileges("read_failure_store").build() }
+            )
+        );
+        assertHasIndexGroups(
+            role.indices(),
+            indexGroup(IndexPrivilege.READ_FAILURE_STORE, false, IndexComponentSelectorPrivilege.FAILURES, indexPattern)
+        );
+    }
+
+    public void testBuildRoleWithReadFailureStorePrivilegeDuplicatesMerged() {
+        String indexPattern = randomAlphanumericOfLength(10);
+        final Role role = buildRole(
+            roleDescriptorWithIndicesPrivileges(
+                "r1",
+                new IndicesPrivileges[] {
+                    IndicesPrivileges.builder().indices(indexPattern).privileges("read_failure_store").build(),
+                    IndicesPrivileges.builder().indices(indexPattern).privileges("read_failure_store").build() }
+            )
+        );
+        assertHasIndexGroups(
+            role.indices(),
+            indexGroup(IndexPrivilege.READ_FAILURE_STORE, false, IndexComponentSelectorPrivilege.FAILURES, indexPattern)
+        );
+    }
+
+    public void testBuildRoleWithReadFailureStoreAndReadPrivilegeSplit() {
+        String indexPattern = randomAlphanumericOfLength(10);
+        final Role role = buildRole(
+            roleDescriptorWithIndicesPrivileges(
+                "r1",
+                new IndicesPrivileges[] {
+                    IndicesPrivileges.builder().indices(indexPattern).privileges("read", "read_failure_store").build() }
+            )
+        );
+        assertHasIndexGroups(
+            role.indices(),
+            indexGroup(IndexPrivilege.READ_FAILURE_STORE, false, IndexComponentSelectorPrivilege.FAILURES, indexPattern),
+            indexGroup(IndexPrivilege.READ, false, IndexComponentSelectorPrivilege.DATA, indexPattern)
+        );
+    }
+
+    public void testBuildRoleWithMultipleReadFailureStoreAndReadPrivilegeSplit() {
+        String indexPattern = randomAlphanumericOfLength(10);
+        final Role role = buildRole(
+            roleDescriptorWithIndicesPrivileges(
+                "r1",
+                new IndicesPrivileges[] {
+                    IndicesPrivileges.builder().indices(indexPattern).privileges("read").build(),
+                    IndicesPrivileges.builder().indices(indexPattern).privileges("read_failure_store").build() }
+            )
+        );
+        assertHasIndexGroups(
+            role.indices(),
+            indexGroup(IndexPrivilege.READ_FAILURE_STORE, false, IndexComponentSelectorPrivilege.FAILURES, indexPattern),
+            indexGroup(IndexPrivilege.READ, false, IndexComponentSelectorPrivilege.DATA, indexPattern)
+        );
+    }
+
+    public void testBuildRoleWithAllPrivilegeIsNeverSplit() {
+        String indexPattern = randomAlphanumericOfLength(10);
+        final Role role = buildRole(
+            roleDescriptorWithIndicesPrivileges(
+                "r1",
+                new IndicesPrivileges[] {
+                    IndicesPrivileges.builder().indices(indexPattern).privileges("read", "read_failure_store", "all").build(),
+                    IndicesPrivileges.builder().indices(indexPattern).privileges("read_failure_store").build() }
+            )
+        );
+        assertHasIndexGroups(
+            role.indices(),
+            indexGroup(
+                IndexPrivilege.get(Set.of("read", "read_failure_store", "all")),
+                false,
+                IndexComponentSelectorPrivilege.ALL,
+                indexPattern
+            )
+        );
+    }
+
     public void testCustomRolesProviderFailures() throws Exception {
         final FileRolesStore fileRolesStore = mock(FileRolesStore.class);
         doCallRealMethod().when(fileRolesStore).accept(anySet(), anyActionListener());
@@ -3257,6 +3346,10 @@ private RoleDescriptor roleDescriptorWithRemoteIndicesPrivileges(
         return roleDescriptorWithIndicesPrivileges(name, rips, null);
     }
 
+    private RoleDescriptor roleDescriptorWithIndicesPrivileges(final String name, final IndicesPrivileges[] ips) {
+        return roleDescriptorWithIndicesPrivileges(name, null, ips);
+    }
+
     private RoleDescriptor roleDescriptorWithIndicesPrivileges(
         final String name,
         final RoleDescriptor.RemoteIndicesPrivileges[] rips,
@@ -3357,6 +3450,12 @@ private void assertHasRemoteIndexGroupsForClusters(
         );
     }
 
+    @SafeVarargs
+    @SuppressWarnings("varargs")
+    private void assertHasIndexGroups(final IndicesPermission permission, final Matcher<IndicesPermission.Group>... matchers) {
+        assertThat(permission.groups(), arrayContainingInAnyOrder(matchers));
+    }
+
     private static Matcher<IndicesPermission.Group> indexGroup(final String... indices) {
         return indexGroup(IndexPrivilege.READ, false, indices);
     }
@@ -3371,6 +3470,23 @@ private static Matcher<IndicesPermission.Group> indexGroup(
             allowRestrictedIndices,
             null,
             new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null),
+            IndexComponentSelectorPrivilege.DATA,
+            indices
+        );
+    }
+
+    private static Matcher<IndicesPermission.Group> indexGroup(
+        final IndexPrivilege privilege,
+        final boolean allowRestrictedIndices,
+        final IndexComponentSelectorPrivilege selectorPrivilege,
+        final String... indices
+    ) {
+        return indexGroup(
+            privilege,
+            allowRestrictedIndices,
+            null,
+            new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null),
+            selectorPrivilege,
             indices
         );
     }
@@ -3380,6 +3496,7 @@ private static Matcher<IndicesPermission.Group> indexGroup(
         final boolean allowRestrictedIndices,
         @Nullable final String query,
         final FieldPermissionsDefinition.FieldGrantExcludeGroup flsGroup,
+        IndexComponentSelectorPrivilege selectorPrivilege,
         final String... indices
     ) {
         return new BaseMatcher<>() {
@@ -3393,6 +3510,7 @@ public boolean matches(Object o) {
                     && equalTo(privilege).matches(group.privilege())
                     && equalTo(allowRestrictedIndices).matches(group.allowRestrictedIndices())
                     && equalTo(new FieldPermissions(new FieldPermissionsDefinition(Set.of(flsGroup)))).matches(group.getFieldPermissions())
+                    && equalTo(selectorPrivilege).matches(group.getSelectorPrivilege())
                     && arrayContaining(indices).matches(group.indices());
             }
 
@@ -3410,6 +3528,8 @@ public void describeTo(Description description) {
                         + query
                         + ", fieldGrantExcludeGroup="
                         + flsGroup
+                        + ", selectorPrivilege="
+                        + selectorPrivilege
                         + '}'
                 );
             }