WIP fix unit tests

n1v0lg · n1v0lg · commit de6054e15ed1 · 2025-02-07T12:05:07.000+01:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
@@ -286,17 +286,6 @@ public Builder add(
             return add(fieldPermissions, query, privilege, allowRestrictedIndices, IndexComponentSelector.DATA, indices);
         }
 
-        public Builder add(
-            FieldPermissions fieldPermissions,
-            Set<BytesReference> query,
-            IndexPrivilege privilege,
-            boolean allowRestrictedIndices,
-            boolean foo,
-            String... indices
-        ) {
-            return add(fieldPermissions, query, privilege, allowRestrictedIndices, IndexComponentSelector.DATA, indices);
-        }
-
         public Builder add(
             FieldPermissions fieldPermissions,
             Set<BytesReference> query,
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -324,6 +324,12 @@ public static Set<String> names() {
      * @see Privilege#sortByAccessLevel
      */
     public static Collection<String> findPrivilegesThatGrant(String action) {
-        return VALUES.entrySet().stream().filter(e -> e.getValue().predicate.test(action)).map(e -> e.getKey()).toList();
+        return VALUES.entrySet()
+            .stream()
+            .filter(e -> e.getValue().predicate.test(action))
+            .map(Map.Entry::getKey)
+            // read_failures is special and should not show up here
+            .filter(p -> false == p.equals("read_failures"))
+            .toList();
     }
 }
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -95,7 +95,8 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             new RoleDescriptor.RemoteIndicesPrivileges(
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("*")
-                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
+                    // TODO "read_failures" does not belong here
+                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failures")
                     .allowRestrictedIndices(true)
                     .build(),
                 "*"
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizedIndicesTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizedIndicesTests.java
@@ -188,7 +188,7 @@ public void testSecurityIndicesAreRestrictedForDefaultRole() {
 
     public void testSecurityIndicesAreNotRemovedFromUnrestrictedRole() {
         Role role = Role.builder(RESTRICTED_INDICES, randomAlphaOfLength(8))
-            .add(FieldPermissions.DEFAULT, null, IndexPrivilege.ALL, true, false, "*")
+            .add(FieldPermissions.DEFAULT, null, IndexPrivilege.ALL, true, "*")
             .cluster(Set.of("all"), Set.of())
             .build();
         Settings indexSettings = Settings.builder().put(IndexMetadata.SETTING_VERSION_CREATED, IndexVersion.current()).build();
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java
@@ -71,7 +71,7 @@ public void testAuthorize() {
         Set<BytesReference> query = Collections.singleton(new BytesArray("{}"));
         String[] fields = new String[] { "_field" };
         Role role = Role.builder(RESTRICTED_INDICES, "_role")
-            .add(new FieldPermissions(fieldPermissionDef(fields, null)), query, IndexPrivilege.ALL, randomBoolean(), false, "_index")
+            .add(new FieldPermissions(fieldPermissionDef(fields, null)), query, IndexPrivilege.ALL, randomBoolean(), "_index")
             .build();
         IndicesAccessControl permissions = role.authorize(
             TransportSearchAction.TYPE.name(),
@@ -88,7 +88,7 @@ public void testAuthorize() {
 
         // no document level security:
         role = Role.builder(RESTRICTED_INDICES, "_role")
-            .add(new FieldPermissions(fieldPermissionDef(fields, null)), null, IndexPrivilege.ALL, randomBoolean(), false, "_index")
+            .add(new FieldPermissions(fieldPermissionDef(fields, null)), null, IndexPrivilege.ALL, randomBoolean(), "_index")
             .build();
         permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_index"), md, fieldPermissionsCache);
         assertThat(permissions.getIndexPermissions("_index"), notNullValue());
@@ -99,7 +99,7 @@ public void testAuthorize() {
 
         // no field level security:
         role = Role.builder(RESTRICTED_INDICES, "_role")
-            .add(FieldPermissions.DEFAULT, query, IndexPrivilege.ALL, randomBoolean(), false, "_index")
+            .add(FieldPermissions.DEFAULT, query, IndexPrivilege.ALL, randomBoolean(), "_index")
             .build();
         permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_index"), md, fieldPermissionsCache);
         assertThat(permissions.getIndexPermissions("_index"), notNullValue());
@@ -110,7 +110,7 @@ public void testAuthorize() {
 
         // index group associated with an alias:
         role = Role.builder(RESTRICTED_INDICES, "_role")
-            .add(new FieldPermissions(fieldPermissionDef(fields, null)), query, IndexPrivilege.ALL, randomBoolean(), false, "_alias")
+            .add(new FieldPermissions(fieldPermissionDef(fields, null)), query, IndexPrivilege.ALL, randomBoolean(), "_alias")
             .build();
         permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_alias"), md, fieldPermissionsCache);
         assertThat(permissions.getIndexPermissions("_index"), notNullValue());
@@ -134,7 +134,7 @@ public void testAuthorize() {
             new String[] { randomAlphaOfLengthBetween(1, 10), "*" }
         );
         role = Role.builder(RESTRICTED_INDICES, "_role")
-            .add(new FieldPermissions(fieldPermissionDef(allFields, null)), query, IndexPrivilege.ALL, randomBoolean(), false, "_alias")
+            .add(new FieldPermissions(fieldPermissionDef(allFields, null)), query, IndexPrivilege.ALL, randomBoolean(), "_alias")
             .build();
         permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_alias"), md, fieldPermissionsCache);
         assertThat(permissions.getIndexPermissions("_index"), notNullValue());
@@ -158,8 +158,8 @@ public void testAuthorize() {
         Set<BytesReference> fooQuery = Collections.singleton(new BytesArray("{foo}"));
         allFields = randomFrom(new String[] { "*" }, new String[] { "foo", "*" }, new String[] { randomAlphaOfLengthBetween(1, 10), "*" });
         role = Role.builder(RESTRICTED_INDICES, "_role")
-            .add(new FieldPermissions(fieldPermissionDef(allFields, null)), fooQuery, IndexPrivilege.ALL, randomBoolean(), false, "_alias")
-            .add(new FieldPermissions(fieldPermissionDef(allFields, null)), query, IndexPrivilege.ALL, randomBoolean(), false, "_alias")
+            .add(new FieldPermissions(fieldPermissionDef(allFields, null)), fooQuery, IndexPrivilege.ALL, randomBoolean(), "_alias")
+            .add(new FieldPermissions(fieldPermissionDef(allFields, null)), query, IndexPrivilege.ALL, randomBoolean(), "_alias")
             .build();
         permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_alias"), md, fieldPermissionsCache);
         Set<BytesReference> bothQueries = Sets.union(fooQuery, query);
@@ -193,8 +193,8 @@ public void testAuthorizeMultipleGroupsMixedDls() {
         Set<BytesReference> query = Collections.singleton(new BytesArray("{}"));
         String[] fields = new String[] { "_field" };
         Role role = Role.builder(RESTRICTED_INDICES, "_role")
-            .add(new FieldPermissions(fieldPermissionDef(fields, null)), query, IndexPrivilege.ALL, randomBoolean(), false, "_index")
-            .add(new FieldPermissions(fieldPermissionDef(null, null)), null, IndexPrivilege.ALL, randomBoolean(), false, "*")
+            .add(new FieldPermissions(fieldPermissionDef(fields, null)), query, IndexPrivilege.ALL, randomBoolean(), "_index")
+            .add(new FieldPermissions(fieldPermissionDef(null, null)), null, IndexPrivilege.ALL, randomBoolean(), "*")
             .build();
         IndicesAccessControl permissions = role.authorize(
             TransportSearchAction.TYPE.name(),

Original file line number	Diff line number	Diff line change
`@@ -324,6 +324,12 @@ public static Set<String> names() {`
`324`	`324`	`* @see Privilege#sortByAccessLevel`
`325`	`325`	`*/`
`326`	`326`	`public static Collection<String> findPrivilegesThatGrant(String action) {`
`327`		`- return VALUES.entrySet().stream().filter(e -> e.getValue().predicate.test(action)).map(e -> e.getKey()).toList();`
	`327`	`+ return VALUES.entrySet()`
	`328`	`+ .stream()`
	`329`	`+ .filter(e -> e.getValue().predicate.test(action))`
	`330`	`+ .map(Map.Entry::getKey)`
	`331`	`+ // read_failures is special and should not show up here`
	`332`	`+ .filter(p -> false == p.equals("read_failures"))`
	`333`	`+ .toList();`
`328`	`334`	`}`
`329`	`335`	`}`