|
40 | 40 | import java.util.HashMap; |
41 | 41 | import java.util.HashSet; |
42 | 42 | import java.util.List; |
43 | | -import java.util.Locale; |
44 | 43 | import java.util.Map; |
45 | 44 | import java.util.Objects; |
46 | 45 | import java.util.Set; |
@@ -849,7 +848,7 @@ public static class Group { |
849 | 848 | public static final Group[] EMPTY_ARRAY = new Group[0]; |
850 | 849 | // TODO this is just a hack to avoid implementing a new field in this POC; this would be set via allow_failure_store_access on |
851 | 850 | // the role descriptor |
852 | | - private static final String FAILURE_STORE_ACCESS_MARKER = ".failure_store_access_marker"; |
| 851 | + public static final String FAILURE_STORE_ACCESS_MARKER = ".failure_store_access_marker"; |
853 | 852 |
|
854 | 853 | private final IndexPrivilege privilege; |
855 | 854 | private final Predicate<String> actionMatcher; |
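Review bot: Widening `FAILURE_STORE_ACCESS_MARKER` from `private` to `public` lets code outside `Group` depend on a constant that the TODO directly above it describes as a POC hack. The context line in the next hunk shows `allowFailureStoreAccess` returning true when any entry in `indices` equals `*` or this marker, so the literal index name `.failure_store_access_marker` effectively acts as a privilege grant. Whether role-definition validation rejects or reserves that name is not visible here and should be confirmed before more callers reference it. If the new users are in the same package, package-private visibility would be enough. Either way I would add a comment at the declaration such as `// SECURITY: an index entry equal to this marker grants failure-store access; must not be accepted from user-supplied role definitions; remove once allow_failure_store_access exists on the role descriptor`. The `Group` class body continues outside this hunk.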
@@ -913,102 +912,6 @@ private static boolean allowFailureStoreAccess(String... indices) { |
913 | 912 | return Arrays.stream(indices).anyMatch(index -> index.equals("*") || index.equals(FAILURE_STORE_ACCESS_MARKER)); |
914 | 913 | } |
915 | 914 |
|
916 | | - // TODO: [Jake] ensure this javadoc is still correct before merging (some minor details are wrong, but the gist is correct) |
917 | | - /** |
918 | | - * This method looks for any index patterns in this group that have all the following characteristics: |
919 | | - * <ul> |
920 | | - * <li>Index pattern has a trailing wildcard, i.e., {@code name*}</li> |
921 | | - * <li>Index pattern is a regular expression, i.e. {@code /name.*fooba[r]+/}</li> |
922 | | - * <li>Index pattern is not {@code "*"}.</li> |
923 | | - * </ul> |
924 | | - * |
925 | | - * If all of these conditions are met, then the pattern is transformed into a regular expression to exclude failures. |
926 | | - * For example: |
927 | | - * <ul> |
928 | | - * <li>{@code name*} becomes {@code /(name.*)&~(name.*::failures)/}</li> |
929 | | - * <li>{@code /name.*fooba[r]+/} becomes {@code /(name.*fooba[r]+)&~(name.*fooba[r]+::failures)/}</li> |
930 | | - * <li>{@code na*e} remains {@code na*e} (Lucene regular expressions are always begin/end anchored)</li> |
931 | | - * </ul> |
932 | | - * |
933 | | - * Only the {@code ::failures} selector on non-regular expressions is allowed in the role definition |
934 | | - * (ensured by create-time validation). |
935 | | - * |
936 | | - * @param indexPatterns the index patterns for this group that have been resolved to only contain the |
937 | | - * {@code ::failures} selector or no selector at all |
938 | | - * @return a {@code String[]} of the transformed and/or non-transformed index patterns for this group |
939 | | - * that will be used for authorization purposes |
940 | | - */ |
941 | | - static String[] maybeAddFailureExclusions(final String[] indexPatterns) { |
942 | | - // TODO: [Jake] use trace logging ! |
943 | | - logger.error(() -> String.format(Locale.ROOT, "original indices: %s", Arrays.toString(indexPatterns))); |
944 | | - String[] indexPatternsWithExclusions = new String[indexPatterns.length]; |
945 | | - for (int i = 0; i < indexPatterns.length; i++) { |
946 | | - assert indexPatterns[i].endsWith("::data") == false : "Data selector is not allowed in this context"; |
947 | | - assert indexPatterns[i].endsWith("::*") == false : "All selector is not allowed in this context"; |
948 | | - if (indexPatterns[i].equals("*") == false |
949 | | - && (indexPatterns[i].endsWith("*") || Automatons.isLuceneRegex(indexPatterns[i]))) { |
950 | | - indexPatternsWithExclusions[i] = convertToExcludeFailures(indexPatterns[i]); |
951 | | - } else { |
952 | | - indexPatternsWithExclusions[i] = indexPatterns[i]; |
953 | | - } |
954 | | - } |
955 | | - logger.error(() -> String.format(Locale.ROOT, "after failure exclusions: %s", Arrays.toString(indexPatternsWithExclusions))); |
956 | | - return indexPatternsWithExclusions; |
957 | | - } |
958 | | - |
959 | | - static String convertToExcludeFailures(String indexPattern) { |
960 | | - assert indexPattern != "*" : "* is a special case and should never exclude failures"; |
961 | | - assert indexPattern.endsWith("*") || Automatons.isLuceneRegex(indexPattern) |
962 | | - : "Only patterns with a trailing wildcard " + "or regular expressions should explicitly exclude failures"; |
963 | | - StringBuilder sb = new StringBuilder(); |
964 | | - if (indexPattern.endsWith("*")) { |
965 | | - String inny = globToRegex(indexPattern); |
966 | | - return sb.append("/(").append(inny).append(")&~(").append(inny).append("::failures)/").toString(); |
967 | | - } else if (Automatons.isLuceneRegex(indexPattern)) { |
968 | | - String inny = indexPattern.substring(1, indexPattern.length() - 1); |
969 | | - return sb.append("/(").append(inny).append(")&~((").append(inny).append(")::failures)/").toString(); |
970 | | - } else { |
971 | | - throw new IllegalArgumentException("Unexpected index pattern: " + indexPattern); // should never happen |
972 | | - } |
973 | | - } |
974 | | - |
975 | | - private static String globToRegex(String glob) { |
976 | | - StringBuilder sb = new StringBuilder(); |
977 | | - for (int i = 0; i < glob.length(); i++) { |
978 | | - char c = glob.charAt(i); |
979 | | - switch (c) { |
980 | | - case '*': |
981 | | - sb.append(".*"); |
982 | | - break; |
983 | | - case '?': |
984 | | - sb.append('.'); |
985 | | - break; |
986 | | - case '.': |
987 | | - case '(': |
988 | | - case ')': |
989 | | - case '[': |
990 | | - case ']': |
991 | | - case '{': |
992 | | - case '}': |
993 | | - case '\\': |
994 | | - case '\"': |
995 | | - case '|': |
996 | | - case '+': |
997 | | - case '#': |
998 | | - case '@': |
999 | | - case '<': |
1000 | | - case '>': |
1001 | | - case '~': |
1002 | | - sb.append('\\').append(c); |
1003 | | - break; |
1004 | | - default: |
1005 | | - sb.append(c); |
1006 | | - break; |
1007 | | - } |
1008 | | - } |
1009 | | - return sb.toString(); |
1010 | | - } |
1011 | | - |
1012 | 915 | public IndexPrivilege privilege() { |
1013 | 916 | return privilege; |
1014 | 917 | } |
|