@@ -108,19 +108,12 @@ private IndicesPermission(RestrictedIndices restrictedIndices, Group[] groups) {
108108 * @return A matcher that will match all non-restricted index names in the ordinaryIndices
109109 * collection and all index names in the restrictedIndices collection.
110110 */
111- private StringMatcher indexMatcher (
112- Collection <String > ordinaryIndices ,
113- Collection <String > restrictedIndices ,
114- boolean allowFailureStoreAccess
115- ) {
111+ private StringMatcher indexMatcher (Collection <String > ordinaryIndices , Collection <String > restrictedIndices ) {
116112 StringMatcher matcher ;
117113 if (ordinaryIndices .isEmpty ()) {
118114 matcher = StringMatcher .of (restrictedIndices );
119115 } else {
120116 matcher = StringMatcher .of (ordinaryIndices );
121- if (false == allowFailureStoreAccess ) {
122- matcher = matcher .and ("<not-failure-store>" , name -> name .endsWith ("::failure" ) == false );
123- }
124117 if (this .restrictedIndices != null ) {
125118 matcher = matcher .and ("<not-restricted>" , name -> this .restrictedIndices .isRestricted (name ) == false );
126119 }
@@ -151,13 +144,19 @@ private IsResourceAuthorizedPredicate buildIndexMatcherPredicateForAction(String
151144 final Set <String > ordinaryIndices = new HashSet <>();
152145 final Set <String > ordinaryIndicesWithFailureStoreAccess = new HashSet <>();
153146 final Set <String > restrictedIndices = new HashSet <>();
147+ final Set <String > restrictedIndicesWithFailureStoreAccess = new HashSet <>();
148+
154149 final Set <String > grantMappingUpdatesOnIndices = new HashSet <>();
155150 final Set <String > grantMappingUpdatesOnRestrictedIndices = new HashSet <>();
156151 final boolean isMappingUpdateAction = isMappingUpdateAction (action );
157152 for (final Group group : groups ) {
158153 if (group .actionMatcher .test (action )) {
159154 if (group .allowRestrictedIndices ) {
160- restrictedIndices .addAll (Arrays .asList (group .indices ()));
155+ if (group .allowFailureStoreAccess ) {
156+ restrictedIndicesWithFailureStoreAccess .addAll (Arrays .asList (group .indices ()));
157+ } else {
158+ restrictedIndices .addAll (Arrays .asList (group .indices ()));
159+ }
161160 } else {
162161 if (group .allowFailureStoreAccess ) {
163162 ordinaryIndicesWithFailureStoreAccess .addAll (Arrays .asList (group .indices ()));
@@ -175,15 +174,12 @@ private IsResourceAuthorizedPredicate buildIndexMatcherPredicateForAction(String
175174 }
176175 }
177176 }
178- final StringMatcher nameMatcher = indexMatcher (ordinaryIndices , restrictedIndices , false );
179- // TODO restricted indices
180- final StringMatcher nameMatcherWithFailureAccess = indexMatcher (ordinaryIndicesWithFailureStoreAccess , restrictedIndices , true );
181- final StringMatcher bwcSpecialCaseMatcher = indexMatcher (
182- grantMappingUpdatesOnIndices ,
183- grantMappingUpdatesOnRestrictedIndices ,
184- false
185- );
186- return new IsResourceAuthorizedPredicate (nameMatcher , nameMatcherWithFailureAccess , bwcSpecialCaseMatcher );
177+ final StringMatcher nameMatcher = indexMatcher (ordinaryIndices , restrictedIndices ).and (
178+ "<not-failure-store>" ,
179+ name -> name .endsWith ("::failures" ) == false
180+ ).or (indexMatcher (ordinaryIndicesWithFailureStoreAccess , restrictedIndicesWithFailureStoreAccess ));
181+ final StringMatcher bwcSpecialCaseMatcher = indexMatcher (grantMappingUpdatesOnIndices , grantMappingUpdatesOnRestrictedIndices );
182+ return new IsResourceAuthorizedPredicate (nameMatcher , bwcSpecialCaseMatcher );
187183 }
188184
189185 /**
@@ -193,30 +189,18 @@ private IsResourceAuthorizedPredicate buildIndexMatcherPredicateForAction(String
193189 public static class IsResourceAuthorizedPredicate {
194190
195191 private final BiPredicate <String , IndexAbstraction > biPredicate ;
196- private final BiPredicate <String , IndexAbstraction > failureAccessBiPredicate ;
197192
198193 // public for tests
199- public IsResourceAuthorizedPredicate (
200- StringMatcher resourceNameMatcher ,
201- StringMatcher resourceNameWithFailureAccessMatcher ,
202- StringMatcher additionalNonDatastreamNameMatcher
203- ) {
194+ public IsResourceAuthorizedPredicate (StringMatcher resourceNameMatcher , StringMatcher additionalNonDatastreamNameMatcher ) {
204195 this ((String name , @ Nullable IndexAbstraction indexAbstraction ) -> {
205196 assert indexAbstraction == null || name .equals (indexAbstraction .getName ());
206197 return resourceNameMatcher .test (name )
207198 || (isPartOfDatastream (indexAbstraction ) == false && additionalNonDatastreamNameMatcher .test (name ));
208- }, (String name , @ Nullable IndexAbstraction indexAbstraction ) -> {
209- assert indexAbstraction == null || name .equals (indexAbstraction .getName ());
210- return resourceNameWithFailureAccessMatcher .test (name );
211199 });
212200 }
213201
214- private IsResourceAuthorizedPredicate (
215- BiPredicate <String , IndexAbstraction > biPredicate ,
216- BiPredicate <String , IndexAbstraction > failureAccessBiPredicate
217- ) {
202+ private IsResourceAuthorizedPredicate (BiPredicate <String , IndexAbstraction > biPredicate ) {
218203 this .biPredicate = biPredicate ;
219- this .failureAccessBiPredicate = failureAccessBiPredicate ;
220204 }
221205
222206 /**
@@ -225,10 +209,7 @@ private IsResourceAuthorizedPredicate(
225209 * authorization tests of that other instance and this one.
226210 */
227211 public final IsResourceAuthorizedPredicate and (IsResourceAuthorizedPredicate other ) {
228- return new IsResourceAuthorizedPredicate (
229- this .biPredicate .and (other .biPredicate ),
230- this .failureAccessBiPredicate .and (other .failureAccessBiPredicate )
231- );
212+ return new IsResourceAuthorizedPredicate (this .biPredicate .and (other .biPredicate ));
232213 }
233214
234215 /**
@@ -247,8 +228,7 @@ public final boolean test(IndexAbstraction indexAbstraction) {
247228 * Returns {@code true} if access to the given resource is authorized or {@code false} otherwise.
248229 */
249230 public boolean test (String name , @ Nullable IndexAbstraction indexAbstraction ) {
250- // TODO clean up
251- return biPredicate .test (name , indexAbstraction ) || failureAccessBiPredicate .test (name , indexAbstraction );
231+ return biPredicate .test (name , indexAbstraction );
252232 }
253233
254234 /**
@@ -258,7 +238,7 @@ public boolean test(String name, @Nullable IndexAbstraction indexAbstraction) {
258238 public final boolean testDataStreamForFailureAccess (IndexAbstraction indexAbstraction ) {
259239 // TODO clean up
260240 assert indexAbstraction != null && indexAbstraction .getType () == IndexAbstraction .Type .DATA_STREAM ;
261- return failureAccessBiPredicate .test (
241+ return biPredicate .test (
262242 IndexNameExpressionResolver .combineSelector (indexAbstraction .getName (), IndexComponentSelector .FAILURES ),
263243 null
264244 );
@@ -414,7 +394,7 @@ private static class IndexResource {
414394 private final IndexAbstraction indexAbstraction ;
415395
416396 private IndexResource (String name , @ Nullable IndexAbstraction abstraction , @ Nullable IndexComponentSelector selector ) {
417- // assert name != null : "Resource name cannot be null";
397+ assert name != null : "Resource name cannot be null" ;
418398 // assert abstraction == null || abstraction.getName().equals(name)
419399 // : "Index abstraction has unexpected name [" + abstraction.getName() + "] vs [" + name + "]";
420400 // assert abstraction == null
@@ -426,6 +406,9 @@ private IndexResource(String name, @Nullable IndexAbstraction abstraction, @Null
426406 // + "] applied to abstraction of type ["
427407 // + abstraction.getType()
428408 // + "]";
409+ var tuple = IndexNameExpressionResolver .splitSelectorExpression (name );
410+ assert tuple .v2 () == null || tuple .v2 ().equals (IndexComponentSelector .FAILURES .getKey ())
411+ : "Unexpected selector [" + tuple .v2 () + "] in index name [" + name + "]" ;
429412 this .name = name ;
430413 this .indexAbstraction = abstraction ;
431414 this .selector = selector ;
0 commit comments