Fix

n1v0lg · n1v0lg · commit baf63ed786d0 · 2025-02-19T23:28:35.000+01:00
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/privilege/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/privilege/FailureStoreSecurityRestIT.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.privilege;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.common.xcontent.XContentHelper;
+import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.FeatureFlag;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.elasticsearch.xcontent.json.JsonXContent;
+import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase;
+import org.junit.ClassRule;
+
+import java.io.IOException;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.equalTo;
+
+public class FailureStoreSecurityRestIT extends ESRestTestCase {
+
+    @ClassRule
+    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
+        .apply(SecurityOnTrialLicenseRestTestCase.commonTrialSecurityClusterConfig)
+        .feature(FeatureFlag.FAILURE_STORE_ENABLED)
+        .build();
+
+    @Override
+    protected String getTestRestCluster() {
+        return cluster.getHttpAddresses();
+    }
+
+    @Override
+    protected Settings restAdminSettings() {
+        String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray()));
+        return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build();
+    }
+
+    public void testGetUserPrivileges() throws IOException {
+        Request roleRequest = new Request("PUT", "/_security/role/role");
+        roleRequest.setJsonEntity("""
+            {
+              "cluster": ["all"],
+              "indices": [
+                {
+                  "names": ["*"],
+                  "privileges": ["read", "read_failure_store"]
+                }
+              ]
+            }
+            """);
+        assertOK(adminClient().performRequest(roleRequest));
+
+        Request userRequest = new Request("PUT", "/_security/user/user");
+        userRequest.setJsonEntity("""
+            {
+              "password": "x-pack-test-password",
+              "roles": ["role"]
+            }
+            """);
+        assertOK(adminClient().performRequest(userRequest));
+
+        Request request = new Request("GET", "/_security/user/_privileges");
+        request.setOptions(
+            request.getOptions()
+                .toBuilder()
+                .addHeader("Authorization", basicAuthHeaderValue("user", new SecureString("x-pack-test-password".toCharArray())))
+        );
+        Response response = client().performRequest(request);
+        assertOK(response);
+        assertThat(responseAsMap(response), equalTo(mapFromJson("""
+            {
+              "cluster": ["all"],
+              "global": [],
+              "indices": [{
+                  "names": ["*"],
+                  "privileges": ["read"],
+                  "allow_restricted_indices": false
+                },
+                {
+                  "names": ["*"],
+                  "privileges": ["read_failure_store"],
+                  "allow_restricted_indices": false
+                }],
+              "applications": [],
+              "run_as": []
+            }""")));
+    }
+
+    private static Map<String, Object> mapFromJson(String json) {
+        return XContentHelper.convertToMap(JsonXContent.jsonXContent, json, false);
+    }
+}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/DeprecationRoleDescriptorConsumer.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/DeprecationRoleDescriptorConsumer.java
@@ -179,27 +179,34 @@ private void logDeprecatedPermission(RoleDescriptor roleDescriptor) {
             }
         }
         // compute privileges Automaton for each alias and for each of the indices it points to
-        final Map<String, Automaton> indexAutomatonMap = new HashMap<>();
+        final Map<String, Set<IndexPrivilege>> indexPrivilegeMap = new HashMap<>();
         for (Map.Entry<String, Set<String>> privilegesByAlias : privilegesByAliasMap.entrySet()) {
             final String aliasName = privilegesByAlias.getKey();
             final Set<String> aliasPrivilegeNames = privilegesByAlias.getValue();
-            final Automaton aliasPrivilegeAutomaton = IndexPrivilege.getWithSingleSelectorAccess(aliasPrivilegeNames).getAutomaton();
+            final Set<IndexPrivilege> aliasPrivileges = IndexPrivilege.splitBySelectorAccess(aliasPrivilegeNames);
             final SortedSet<String> inferiorIndexNames = new TreeSet<>();
-            // check if the alias grants superiors privileges than the indices it points to
-            for (Index index : aliasOrIndexMap.get(aliasName).getIndices()) {
-                final Set<String> indexPrivileges = privilegesByIndexMap.get(index.getName());
-                // null iff the index does not have *any* privilege
-                if (indexPrivileges != null) {
-                    // compute automaton once per index no matter how many times it is pointed to
-                    final Automaton indexPrivilegeAutomaton = indexAutomatonMap.computeIfAbsent(
-                        index.getName(),
-                        i -> IndexPrivilege.getWithSingleSelectorAccess(indexPrivileges).getAutomaton()
-                    );
-                    if (false == Automatons.subsetOf(indexPrivilegeAutomaton, aliasPrivilegeAutomaton)) {
+            for (var aliasPrivilege : aliasPrivileges) {
+                final Automaton aliasPrivilegeAutomaton = aliasPrivilege.getAutomaton();
+                // check if the alias grants superiors privileges than the indices it points to
+                for (Index index : aliasOrIndexMap.get(aliasName).getIndices()) {
+                    final Set<String> indexPrivileges = privilegesByIndexMap.get(index.getName());
+                    // null iff the index does not have *any* privilege
+                    if (indexPrivileges != null) {
+                        // compute automaton once per index no matter how many times it is pointed to
+                        final Set<IndexPrivilege> indexPrivilegeSet = indexPrivilegeMap.computeIfAbsent(
+                            index.getName(),
+                            i -> IndexPrivilege.splitBySelectorAccess(indexPrivileges)
+                        );
+                        for (var indexPrivilege : indexPrivilegeSet) {
+                            // TODO still not quite right
+                            if (indexPrivilege.getSelectorPredicate() == aliasPrivilege.getSelectorPredicate()
+                                && false == Automatons.subsetOf(indexPrivilege.getAutomaton(), aliasPrivilegeAutomaton)) {
+                                inferiorIndexNames.add(index.getName());
+                            }
+                        }
+                    } else {
                         inferiorIndexNames.add(index.getName());
                     }
-                } else {
-                    inferiorIndexNames.add(index.getName());
                 }
             }
             // log inferior indices for this role, for this alias
