Fix and simplify

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -255,6 +255,19 @@ public Builder add(IndexPrivilege privilege, String... indices) {
             return add(FieldPermissions.DEFAULT, null, privilege, false, indices);
         }
 
+        public Builder add(
+            FieldPermissions fieldPermissions,
+            Set<BytesReference> query,
+            Set<IndexPrivilege> privilegesSplitBySelector,
+            boolean allowRestrictedIndices,
+            String... indices
+        ) {
+            for (var indexPrivilege : privilegesSplitBySelector) {
+                add(fieldPermissions, query, indexPrivilege, allowRestrictedIndices, indices);
+            }
+            return this;
+        }
+
         public Builder add(
             FieldPermissions fieldPermissions,
             Set<BytesReference> query,
@@ -266,6 +279,20 @@ public Builder add(
             return this;
         }
 
+        public Builder addRemoteIndicesGroup(
+            final Set<String> remoteClusterAliases,
+            final FieldPermissions fieldPermissions,
+            final Set<BytesReference> query,
+            final Set<IndexPrivilege> privilegesSplitBySelector,
+            final boolean allowRestrictedIndices,
+            final String... indices
+        ) {
+            for (var indexPrivilege : privilegesSplitBySelector) {
+                addRemoteIndicesGroup(remoteClusterAliases, fieldPermissions, query, indexPrivilege, allowRestrictedIndices, indices);
+            }
+            return this;
+        }
+
         public Builder addRemoteIndicesGroup(
             final Set<String> remoteClusterAliases,
             final FieldPermissions fieldPermissions,
@@ -405,38 +432,32 @@ static SimpleRole buildFromRoleDescriptor(
         );
 
         for (RoleDescriptor.IndicesPrivileges indexPrivilege : roleDescriptor.getIndicesPrivileges()) {
-            FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(
-                new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+            builder.add(
+                fieldPermissionsCache.getFieldPermissions(
+                    new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+                ),
+                indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
+                IndexPrivilege.getSplitBySelector(Set.of(indexPrivilege.getPrivileges())),
+                indexPrivilege.allowRestrictedIndices(),
+                indexPrivilege.getIndices()
             );
-            Set<BytesReference> query = indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery());
-            boolean allowRestrictedIndices = indexPrivilege.allowRestrictedIndices();
-            Set<IndexPrivilege> splitPrivileges = IndexPrivilege.getSplitBySelector(Set.of(indexPrivilege.getPrivileges()));
-            for (var entry : splitPrivileges) {
-                builder.add(fieldPermissions, query, entry, allowRestrictedIndices, indexPrivilege.getIndices());
-            }
         }
 
         for (RoleDescriptor.RemoteIndicesPrivileges remoteIndicesPrivileges : roleDescriptor.getRemoteIndicesPrivileges()) {
             final String[] clusterAliases = remoteIndicesPrivileges.remoteClusters();
             assert Arrays.equals(new String[] { "*" }, clusterAliases)
                 : "reserved role should not define remote indices privileges for specific clusters";
             final RoleDescriptor.IndicesPrivileges indexPrivilege = remoteIndicesPrivileges.indicesPrivileges();
-            FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(
-                new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+            builder.addRemoteIndicesGroup(
+                Set.of(clusterAliases),
+                fieldPermissionsCache.getFieldPermissions(
+                    new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+                ),
+                indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
+                IndexPrivilege.getSplitBySelector(Set.of(indexPrivilege.getPrivileges())),
+                indexPrivilege.allowRestrictedIndices(),
+                indexPrivilege.getIndices()
             );
-            Set<BytesReference> query = indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery());
-            boolean allowRestrictedIndices = indexPrivilege.allowRestrictedIndices();
-            Set<IndexPrivilege> splitPrivileges = IndexPrivilege.getSplitBySelector(Set.of(indexPrivilege.getPrivileges()));
-            for (var entry : splitPrivileges) {
-                builder.addRemoteIndicesGroup(
-                    Set.of(clusterAliases),
-                    fieldPermissions,
-                    query,
-                    entry,
-                    allowRestrictedIndices,
-                    indexPrivilege.getIndices()
-                );
-            }
         }
 
         RemoteClusterPermissions remoteClusterPermissions = roleDescriptor.getRemoteClusterPermissions();

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -194,11 +194,6 @@ public final class IndexPrivilege extends Privilege {
     public static final IndexPrivilege CREATE_DOC = new IndexPrivilege("create_doc", CREATE_DOC_AUTOMATON);
     public static final IndexPrivilege MONITOR = new IndexPrivilege("monitor", MONITOR_AUTOMATON);
     public static final IndexPrivilege MANAGE = new IndexPrivilege("manage", MANAGE_AUTOMATON);
-    public static final IndexPrivilege MANAGE_FAILURE_STORE_INTERNAL = new IndexPrivilege(
-        "manage_failure_store_internal",
-        MANAGE_AUTOMATON,
-        IndexComponentSelectorPrivilege.FAILURES
-    );
     public static final IndexPrivilege DELETE_INDEX = new IndexPrivilege("delete_index", DELETE_INDEX_AUTOMATON);
     public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CREATE_INDEX_AUTOMATON);
     public static final IndexPrivilege VIEW_METADATA = new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
@@ -248,8 +243,7 @@ public final class IndexPrivilege extends Privilege {
             entry("auto_configure", AUTO_CONFIGURE),
             entry("cross_cluster_replication", CROSS_CLUSTER_REPLICATION),
             entry("cross_cluster_replication_internal", CROSS_CLUSTER_REPLICATION_INTERNAL),
-            DataStream.isFailureStoreFeatureFlagEnabled() ? entry("read_failure_store", READ_FAILURE_STORE) : null,
-            DataStream.isFailureStoreFeatureFlagEnabled() ? entry("manage_failure_store_internal", MANAGE_FAILURE_STORE_INTERNAL) : null
+            DataStream.isFailureStoreFeatureFlagEnabled() ? entry("read_failure_store", READ_FAILURE_STORE) : null
         ).filter(Objects::nonNull).collect(Collectors.toUnmodifiableMap(Map.Entry::getKey, Map.Entry::getValue))
     );
 
@@ -347,7 +341,7 @@ private static Set<IndexPrivilege> resolve(Set<String> name) {
         }
 
         final Set<IndexPrivilege> result = combineIntoResult(allAccessPrivileges, failureAccessPrivileges, dataAccessPrivileges, actions);
-        assertNamesMatch(result, name);
+        assertNamesMatch(name, result);
         return result;
     }
 
@@ -376,8 +370,12 @@ private static Set<IndexPrivilege> combineIntoResult(
         return result;
     }
 
-    private static void assertNamesMatch(Set<IndexPrivilege> privileges, Set<String> names) {
-        assert names.equals(privileges.stream().map(Privilege::name).flatMap(Set::stream).collect(Collectors.toSet()))
+    private static void assertNamesMatch(Set<String> names, Set<IndexPrivilege> privileges) {
+        // TODO clean up
+        assert names.stream()
+            .map(n -> n.toLowerCase(Locale.ROOT))
+            .collect(Collectors.toSet())
+            .equals(privileges.stream().map(Privilege::name).flatMap(Set::stream).collect(Collectors.toSet()))
             : "mismatch between names [" + names + "] and names on split privileges [" + privileges + "]";
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -11,7 +11,6 @@
 import org.elasticsearch.action.admin.cluster.repositories.get.GetRepositoriesAction;
 import org.elasticsearch.action.admin.indices.alias.TransportIndicesAliasesAction;
 import org.elasticsearch.action.admin.indices.rollover.RolloverAction;
-import org.elasticsearch.cluster.metadata.DataStream;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.util.set.Sets;
@@ -79,12 +78,8 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").allowRestrictedIndices(false).build(),
             RoleDescriptor.IndicesPrivileges.builder()
                 .indices("*")
-                .privileges(
-                    // TODO are there edge-cases where this is a bad idea?
-                    DataStream.isFailureStoreFeatureFlagEnabled()
-                        ? new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store" }
-                        : new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster" }
-                )
+                // TODO add read_failure_store when failures authorization is implemented
+                .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
                 .allowRestrictedIndices(true)
                 .build() },
         new RoleDescriptor.ApplicationResourcePrivileges[] {
@@ -101,12 +96,8 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             new RoleDescriptor.RemoteIndicesPrivileges(
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("*")
-                    .privileges(
-                        // TODO are there edge-cases where this is a bad idea?
-                        DataStream.isFailureStoreFeatureFlagEnabled()
-                            ? new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store" }
-                            : new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster" }
-                    )
+                    // TODO add read_failure_store when failures authorization is implemented
+                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
                     .allowRestrictedIndices(true)
                     .build(),
                 "*"

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java

@@ -31,7 +31,6 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.IndicesPrivileges;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.RemoteIndicesPrivileges;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.DocumentSubsetBitsetCache;
-import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition.FieldGrantExcludeGroup;
@@ -542,43 +541,38 @@ public static void buildRoleFromDescriptors(
 
         for (Map.Entry<Set<String>, MergeableIndicesPrivilege> entry : indicesPrivilegesMap.entrySet()) {
             MergeableIndicesPrivilege indicesPrivilege = entry.getValue();
-            FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);
-            String[] indices = indicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY);
-            Set<IndexPrivilege> splitPrivileges = IndexPrivilege.getSplitBySelector(indicesPrivilege.privileges);
-            for (var splitPrivilege : splitPrivileges) {
-                builder.add(fieldPermissions, indicesPrivilege.query, splitPrivilege, false, indices);
-            }
+            builder.add(
+                fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition),
+                indicesPrivilege.query,
+                IndexPrivilege.getSplitBySelector(indicesPrivilege.privileges),
+                false,
+                indicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY)
+            );
+
         }
         for (Map.Entry<Set<String>, MergeableIndicesPrivilege> entry : restrictedIndicesPrivilegesMap.entrySet()) {
             MergeableIndicesPrivilege indicesPrivilege = entry.getValue();
-            FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);
-            String[] indices = indicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY);
-            Set<IndexPrivilege> splitPrivileges = IndexPrivilege.getSplitBySelector(indicesPrivilege.privileges);
-            for (var splitPrivilege : splitPrivileges) {
-                builder.add(fieldPermissions, indicesPrivilege.query, splitPrivilege, true, indices);
-            }
+            builder.add(
+                fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition),
+                indicesPrivilege.query,
+                IndexPrivilege.getSplitBySelector(indicesPrivilege.privileges),
+                true,
+                indicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY)
+            );
         }
 
         remoteIndicesPrivilegesByCluster.forEach((clusterAliasKey, remoteIndicesPrivilegesForCluster) -> {
             remoteIndicesPrivilegesForCluster.forEach((privilege) -> {
-                FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(
-                    new FieldPermissionsDefinition(privilege.getGrantedFields(), privilege.getDeniedFields())
-                );
-                Set<BytesReference> query = privilege.getQuery() == null ? null : newHashSet(privilege.getQuery());
-                String[] indices = newHashSet(Objects.requireNonNull(privilege.getIndices())).toArray(new String[0]);
-                Set<IndexPrivilege> splitPrivileges = IndexPrivilege.getSplitBySelector(
-                    Set.of(Objects.requireNonNull(privilege.getPrivileges()))
+                builder.addRemoteIndicesGroup(
+                    clusterAliasKey,
+                    fieldPermissionsCache.getFieldPermissions(
+                        new FieldPermissionsDefinition(privilege.getGrantedFields(), privilege.getDeniedFields())
+                    ),
+                    privilege.getQuery() == null ? null : newHashSet(privilege.getQuery()),
+                    IndexPrivilege.getSplitBySelector(Set.of(Objects.requireNonNull(privilege.getPrivileges()))),
+                    privilege.allowRestrictedIndices(),
+                    newHashSet(Objects.requireNonNull(privilege.getIndices())).toArray(new String[0])
                 );
-                for (var indexPrivilege : splitPrivileges) {
-                    builder.addRemoteIndicesGroup(
-                        clusterAliasKey,
-                        fieldPermissions,
-                        query,
-                        indexPrivilege,
-                        privilege.allowRestrictedIndices(),
-                        indices
-                    );
-                }
             });
         });
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/privilege/RestGetBuiltinPrivilegesAction.java

@@ -43,10 +43,7 @@ public class RestGetBuiltinPrivilegesAction extends SecurityBaseRestHandler {
 
     private static final Logger logger = LogManager.getLogger(RestGetBuiltinPrivilegesAction.class);
     // TODO remove this once we can update docs tests again
-    private static final Set<String> FAILURE_STORE_PRIVILEGES_TO_EXCLUDE = Set.of(
-        IndexPrivilege.READ_FAILURE_STORE.getSingleName(),
-        IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL.getSingleName()
-    );
+    private static final Set<String> FAILURE_STORE_PRIVILEGES_TO_EXCLUDE = Set.of(IndexPrivilege.READ_FAILURE_STORE.getSingleName());
     private final GetBuiltinPrivilegesResponseTranslator responseTranslator;
 
     public RestGetBuiltinPrivilegesAction(

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/QueryableBuiltInRolesUtilsTests.java

@@ -7,7 +7,6 @@
 
 package org.elasticsearch.xpack.security.support;
 
-import org.elasticsearch.cluster.metadata.DataStream;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptorTestHelper;
@@ -41,11 +40,7 @@ public static void setupReservedRolesStore() {
     public void testCalculateHash() {
         assertThat(
             QueryableBuiltInRolesUtils.calculateHash(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR),
-            equalTo(
-                DataStream.isFailureStoreFeatureFlagEnabled()
-                    ? "qgdWamvjudRKGezTGfjoSCr230sFDdh2t6xFUPYiW2Q="
-                    : "bWEFdFo4WX229wdhdecfiz5QHMYEssh3ex8hizRgg+Q="
-            )
+            equalTo("bWEFdFo4WX229wdhdecfiz5QHMYEssh3ex8hizRgg+Q=")
         );
     }