adjust IT tests

slobodanadamovic · slobodanadamovic · commit 80e904a698c6 · 2025-03-24T11:20:06.000+01:00
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
@@ -47,6 +47,7 @@
 import java.util.stream.Collectors;
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
@@ -1388,12 +1389,8 @@ public void testDlsFls() throws Exception {
             Map.of(dataIndexName, Set.of("@timestamp", "age"))
         );
 
-        // FLS sort of applies to failure store
-        // TODO this will change with FLS handling
-        assertSearchResponseContainsExpectedIndicesAndFields(
-            performRequest(user, new Search("test1::failures").toSearchRequest()),
-            Map.of(failureIndexName, Set.of("@timestamp"))
-        );
+        // FLS does not apply to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole(Strings.format("""
             {
@@ -1422,12 +1419,8 @@ public void testDlsFls() throws Exception {
             Map.of(dataIndexName, Set.of("@timestamp", "age"))
         );
 
-        // FLS sort of applies to failure store
-        // TODO this will change with FLS handling
-        assertSearchResponseContainsExpectedIndicesAndFields(
-            performRequest(user, new Search("test1::failures").toSearchRequest()),
-            Map.of(failureIndexName, Set.of("@timestamp"))
-        );
+        // FLS does not apply to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole("""
             {
@@ -1473,7 +1466,8 @@ public void testDlsFls() throws Exception {
              }""", role);
         // DLS applies and no docs match the query
         expectSearch(user, new Search(randomFrom("test1", "test1::data")));
-        expectSearch(user, new Search("test1::failures"));
+        // DLS is not applicable to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole("""
             {
@@ -1488,7 +1482,8 @@ public void testDlsFls() throws Exception {
              }""", role);
         // DLS applies and doc matches the query
         expectSearch(user, new Search(randomFrom("test1", "test1::data")), dataIndexDocId);
-        expectSearch(user, new Search("test1::failures"));
+        // DLS is not applicable to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole("""
             {
@@ -1827,4 +1822,14 @@ private Tuple<String, String> getSingleDataAndFailureIndices(String dataStreamNa
         assertThat(indices.v2().size(), equalTo(1));
         return new Tuple<>(indices.v1().get(0), indices.v2().get(0));
     }
+
+    private static void expectFlsDlsError(ThrowingRunnable runnable) {
+        var exception = expectThrows(ResponseException.class, runnable);
+        assertThat(
+            exception.getMessage(),
+            containsString(
+                "Failure store access is not allowed for users who have field or document level security enabled on one of the indices"
+            )
+        );
+    }
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FailureStoreRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FailureStoreRequestInterceptor.java
@@ -32,7 +32,7 @@ void disableFeatures(
         ActionListener<Void> listener
     ) {
         for (var indexAccessControl : indicesAccessControlByIndex.entrySet()) {
-            if (hasFailureStoreSelectorSuffix(indexAccessControl.getKey()) && hasDlsFlsPermissions(indexAccessControl.getValue())) {
+            if (hasFailuresSelectorSuffix(indexAccessControl.getKey()) && hasDlsFlsPermissions(indexAccessControl.getValue())) {
                 listener.onFailure(
                     new ElasticsearchSecurityException(
                         "Failure store access is not allowed for users who have "
@@ -50,15 +50,15 @@ void disableFeatures(
     boolean supports(IndicesRequest request) {
         if (request.indicesOptions().allowSelectors()) {
             for (String index : request.indices()) {
-                if (hasFailureStoreSelectorSuffix(index)) {
+                if (hasFailuresSelectorSuffix(index)) {
                     return true;
                 }
             }
         }
         return false;
     }
 
-    private boolean hasFailureStoreSelectorSuffix(String name) {
+    private boolean hasFailuresSelectorSuffix(String name) {
         return IndexNameExpressionResolver.hasSelectorSuffix(name)
             && IndexComponentSelector.getByKey(
                 IndexNameExpressionResolver.splitSelectorExpression(name).v2()
