poc

Author: n1v0lg

server/src/main/java/org/elasticsearch/FlatIndicesRequest.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch;
+
+import org.elasticsearch.action.IndicesRequest;
+
+import java.util.List;
+
+public interface FlatIndicesRequest extends IndicesRequest {
+    void indices(List<String> indices);
+}

server/src/main/java/org/elasticsearch/action/search/SearchRequest.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.action.search;
 
+import org.elasticsearch.FlatIndicesRequest;
 import org.elasticsearch.TransportVersions;
 import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionRequestValidationException;
@@ -53,7 +54,11 @@
  * @see Client#search(SearchRequest)
  * @see SearchResponse
  */
-public class SearchRequest extends LegacyActionRequest implements IndicesRequest.Replaceable, Rewriteable<SearchRequest> {
+public class SearchRequest extends LegacyActionRequest
+    implements
+        FlatIndicesRequest,
+        IndicesRequest.Replaceable,
+        Rewriteable<SearchRequest> {
 
     public static final ToXContent.Params FORMAT_PARAMS = new ToXContent.MapParams(Collections.singletonMap("pretty", "false"));
 
@@ -853,4 +858,9 @@ public String toString() {
             + source
             + '}';
     }
+
+    @Override
+    public void indices(List<String> indices) {
+        indices(indices.toArray(Strings.EMPTY_ARRAY));
+    }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java

@@ -299,6 +299,11 @@ interface AuthorizedIndices {
          * Checks if an index-like resource name is authorized, for an action by a user. The resource might or might not exist.
          */
         boolean check(String name, IndexComponentSelector selector);
+
+        // Does not belong here
+        default boolean checkProject(String projectId) {
+            return false;
+        }
     }
 
     /**

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/SerializationDemoTests.java

@@ -0,0 +1,136 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.BytesStreamOutput;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.io.stream.Writeable;
+import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
+import org.elasticsearch.core.Nullable;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xcontent.ConstructingObjectParser;
+import org.elasticsearch.xcontent.NamedXContentRegistry;
+import org.elasticsearch.xcontent.ParseField;
+import org.elasticsearch.xcontent.ToXContent;
+import org.elasticsearch.xcontent.ToXContentObject;
+import org.elasticsearch.xcontent.XContentBuilder;
+import org.elasticsearch.xcontent.XContentParser;
+import org.elasticsearch.xcontent.XContentType;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.List;
+
+import static org.elasticsearch.TransportVersions.PARTIAL_DATA_DEMO;
+import static org.elasticsearch.xcontent.ConstructingObjectParser.constructorArg;
+import static org.elasticsearch.xcontent.ConstructingObjectParser.optionalConstructorArg;
+
+public class SerializationDemoTests extends ESTestCase {
+
+    record SearchResult(boolean success, @Nullable List<String> results, @Nullable List<String> failures)
+        implements
+            Writeable,
+            // ToXContentFragment also exists
+            ToXContentObject {
+
+        private static final ConstructingObjectParser<SearchResult, Void> PARSER = buildParser();
+
+        @SuppressWarnings("unchecked")
+        private static ConstructingObjectParser<SearchResult, Void> buildParser() {
+            final ConstructingObjectParser<SearchResult, Void> parser = new ConstructingObjectParser<>(
+                "search_result",
+                true,
+                a -> new SearchResult((boolean) a[0], (List<String>) a[1], (List<String>) a[2])
+            );
+            parser.declareBoolean(constructorArg(), new ParseField("success"));
+            parser.declareStringArray(optionalConstructorArg(), new ParseField("results"));
+            parser.declareStringArray(optionalConstructorArg(), new ParseField("failures"));
+            return parser;
+        }
+
+        @Override
+        public void writeTo(StreamOutput out) throws IOException {
+            out.writeBoolean(success);
+            out.writeOptionalCollection(results, StreamOutput::writeString);
+            // Elasticsearch supports rolling upgrades across 1 major version and within major versions.
+            // For example 7.17 needs to be able to communicate with 8.4 nodes, and 8.1 nodes need to be able to talk with 8.4 nodes.
+            // Serverless removed the notion of transport versions being tied cleanly to ES versions since we release to serverless
+            // every week and have rolling upgrades
+            if (out.getTransportVersion().onOrAfter(PARTIAL_DATA_DEMO)) {
+                out.writeOptionalCollection(failures, StreamOutput::writeString);
+            }
+        }
+
+        SearchResult(StreamInput input) throws IOException {
+            this(
+                input.readBoolean(),
+                input.readOptionalCollectionAsList(StreamInput::readString),
+                input.getTransportVersion().onOrAfter(PARTIAL_DATA_DEMO)
+                    ? input.readOptionalCollectionAsList(StreamInput::readString)
+                    : List.of()
+            );
+        }
+
+        @Override
+        public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+            var xcb = builder.startObject().field("success", success);
+            if (results != null) {
+                xcb = xcb.field("results", results);
+            }
+            if (failures != null) {
+                xcb = xcb.field("failures", failures);
+            }
+            return xcb.endObject();
+        }
+
+        public SearchResult fromXContent(XContentParser parser) {
+            return PARSER.apply(parser, null);
+        }
+
+    }
+
+    public void testRoundTripTransportSerialization() throws IOException {
+        var result = new SearchResult(true, List.of("hit1"), List.of());
+
+        try (var out = new BytesStreamOutput()) {
+            result.writeTo(out);
+            var received = new SearchResult(out.bytes().streamInput());
+
+            System.out.println("Original: " + result);
+            System.out.println("Received: " + received);
+        }
+    }
+
+    public void testToXContent() {
+        var result = new SearchResult(true, List.of("hit1", "hit2"), List.of("failure1"));
+
+        try (var builder = XContentBuilder.builder(XContentType.JSON.xContent())) {
+            result.toXContent(builder, ToXContent.EMPTY_PARAMS);
+            builder.flush();
+            String json = Strings.toString(builder);
+            System.out.println("JSON Output: " + json);
+            // test from XContent
+            try (
+                var parser = XContentType.JSON.xContent()
+                    .createParser(
+                        NamedXContentRegistry.EMPTY,
+                        LoggingDeprecationHandler.INSTANCE,
+                        new ByteArrayInputStream(json.getBytes())
+                    )
+            ) {
+                var parsedResult = result.fromXContent(parser);
+                System.out.println("Parsed Result: " + parsedResult);
+            }
+        } catch (IOException e) {
+            fail("Failed to convert to XContent: " + e.getMessage());
+        }
+    }
+
+}

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java

@@ -6,6 +6,9 @@
  */
 package org.elasticsearch.xpack.security.authz;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.FlatIndicesRequest;
 import org.elasticsearch.action.AliasesRequest;
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
@@ -55,6 +58,8 @@
 
 class IndicesAndAliasesResolver {
 
+    private static final Logger logger = LogManager.getLogger(IndicesAndAliasesResolver.class);
+
     private final IndexNameExpressionResolver nameExpressionResolver;
     private final IndexAbstractionResolver indexAbstractionResolver;
     private final RemoteClusterResolver remoteClusterResolver;
@@ -103,7 +108,6 @@ class IndicesAndAliasesResolver {
      * resolving wildcards.
      * </p>
      */
-
     ResolvedIndices resolve(
         String action,
         TransportRequest request,
@@ -124,9 +128,52 @@ ResolvedIndices resolve(
         if (request instanceof IndicesRequest == false) {
             throw new IllegalStateException("Request [" + request + "] is not an Indices request, but should be.");
         }
+
+        if (request instanceof FlatIndicesRequest flatIndicesRequest) {
+            rewrite(flatIndicesRequest, authorizedIndices);
+        }
+
         return resolveIndicesAndAliases(action, (IndicesRequest) request, projectMetadata, authorizedIndices);
     }
 
+    void rewrite(FlatIndicesRequest request, AuthorizationEngine.AuthorizedIndices authorizedIndices) {
+        var clusters = remoteClusterResolver.clusters();
+        logger.info("Clusters available for remote indices: {}", clusters);
+        // no remotes, nothing to rewrite...
+        if (clusters.isEmpty()) {
+            logger.info("Skipping...");
+            return;
+        }
+
+        var indices = request.indices();
+        // empty indices actually means search everything so would need to also rewrite that
+
+        var authorizedClusters = new HashSet<String>();
+        for (var cluster : clusters) {
+            if (authorizedIndices.checkProject(cluster)) {
+                logger.info("Remote cluster [{}] authorized", cluster);
+                authorizedClusters.add(cluster);
+            }
+        }
+
+        // TODO do not rewrite twice
+        List<String> rewrittenIndices = new ArrayList<>(indices.length);
+        ResolvedIndices resolved = remoteClusterResolver.splitLocalAndRemoteIndexNames(indices);
+        for (var local : resolved.getLocal()) {
+            String rewritten = local;
+            for (var cluster : authorizedClusters) {
+                rewritten += "," + RemoteClusterAware.buildRemoteIndexName(cluster, local);
+                rewrittenIndices.add(rewritten);
+            }
+            logger.info("Rewrote [{}] to [{}]", local, rewritten);
+        }
+        if (resolved.getRemote().isEmpty() == false) {
+            rewrittenIndices.addAll(resolved.getRemote());
+        }
+        request.indices(rewrittenIndices);
+        // skipping mixed expressions, _local expressions and all that jazz
+    }
+
     /**
      * Attempt to resolve requested indices without expanding any wildcards.
      * @return The {@link ResolvedIndices} or null if wildcard expansion must be performed.
@@ -569,5 +616,9 @@ ResolvedIndices splitLocalAndRemoteIndexNames(String... indices) {
                 .toList();
             return new ResolvedIndices(local == null ? List.of() : local, remote);
         }
+
+        Set<String> clusters() {
+            return Collections.unmodifiableSet(clusters);
+        }
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -998,6 +998,9 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(
                 } // we don't support granting access to a backing index with a failure selector via the parent data stream
             }
             return predicate.test(indexAbstraction, selector);
+        }, name -> {
+            // just some bogus predicate that lets us differentiate between roles
+            return Arrays.asList(role.names()).contains("remote_searcher");
         });
     }
 
@@ -1125,15 +1128,18 @@ static final class AuthorizedIndices implements AuthorizationEngine.AuthorizedIn
         private final CachedSupplier<Set<String>> authorizedAndAvailableDataResources;
         private final CachedSupplier<Set<String>> authorizedAndAvailableFailuresResources;
         private final BiPredicate<String, IndexComponentSelector> isAuthorizedPredicate;
+        private final Predicate<String> projectPredicate;
 
         AuthorizedIndices(
             Supplier<Set<String>> authorizedAndAvailableDataResources,
             Supplier<Set<String>> authorizedAndAvailableFailuresResources,
-            BiPredicate<String, IndexComponentSelector> isAuthorizedPredicate
+            BiPredicate<String, IndexComponentSelector> isAuthorizedPredicate,
+            Predicate<String> projectPredicate
         ) {
             this.authorizedAndAvailableDataResources = CachedSupplier.wrap(authorizedAndAvailableDataResources);
             this.authorizedAndAvailableFailuresResources = CachedSupplier.wrap(authorizedAndAvailableFailuresResources);
             this.isAuthorizedPredicate = Objects.requireNonNull(isAuthorizedPredicate);
+            this.projectPredicate = projectPredicate;
         }
 
         @Override
@@ -1149,5 +1155,11 @@ public boolean check(String name, IndexComponentSelector selector) {
             Objects.requireNonNull(selector, "must specify a selector for authorization check");
             return isAuthorizedPredicate.test(name, selector);
         }
+
+        @Override
+        public boolean checkProject(String name) {
+            Objects.requireNonNull(name, "must specify a project name for authorization check");
+            return projectPredicate.test(name);
+        }
     }
 }