Fix wildcard handling

n1v0lg · n1v0lg · commit 9e973324a8a9 · 2025-01-30T14:57:47.000+01:00
diff --git a/docs/reference/rest-api/security/get-user-privileges.asciidoc b/docs/reference/rest-api/security/get-user-privileges.asciidoc
@@ -11,7 +11,7 @@
 For the most up-to-date API details, refer to {api-es}/group/endpoint-security[Security APIs].
 --
 
-Retrieves the <<security-privileges,security privileges>> for the logged in 
+Retrieves the <<security-privileges,security privileges>> for the logged in
 user.
 
 [[security-api-get-user-privileges-request]]
@@ -22,7 +22,7 @@ user.
 [[security-api-get-user-privileges-prereqs]]
 ==== {api-prereq-title}
 
-* All users can use this API, but only to determine their own privileges. To 
+* All users can use this API, but only to determine their own privileges. To
 check the privileges of other users, you must use the run as feature. For
 more information, see <<run-as-privilege>>.
 
@@ -57,6 +57,15 @@ GET /_security/user/_privileges
         "all"
       ],
       "allow_restricted_indices" : true
+    },
+    {
+      "names" : [
+        "*::failures"
+      ],
+      "privileges" : [
+        "all"
+      ],
+      "allow_restricted_indices" : true
     }
   ],
   "applications" : [
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
@@ -433,6 +433,19 @@ static SimpleRole buildFromRoleDescriptor(
         );
 
         for (RoleDescriptor.IndicesPrivileges indexPrivilege : roleDescriptor.getIndicesPrivileges()) {
+            if (Arrays.asList(indexPrivilege.getIndices()).contains("*")) {
+                builder.add(
+                    fieldPermissionsCache.getFieldPermissions(
+                        new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+                    ),
+                    indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
+                    IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
+                    indexPrivilege.allowRestrictedIndices(),
+                    // TODO properly handle this
+                    true,
+                    indexPrivilege.getIndices()
+                );
+            }
             builder.add(
                 fieldPermissionsCache.getFieldPermissions(
                     new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
@@ -441,7 +454,7 @@ static SimpleRole buildFromRoleDescriptor(
                 IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
                 indexPrivilege.allowRestrictedIndices(),
                 // TODO properly handle this
-                Arrays.asList(indexPrivilege.getIndices()).contains("*"),
+                false,
                 indexPrivilege.getIndices()
             );
         }
