From 69a9a6474aaf6b9c60d07e0967a71ef5c09e5a27 Mon Sep 17 00:00:00 2001 From: Graeme Mjehovich Date: Tue, 3 Jun 2025 14:33:28 -0400 Subject: [PATCH 1/3] Fix unsupported privileges error message during role and API key creation --- .../authz/privilege/IndexPrivilege.java | 2 +- .../authz/privilege/IndexPrivilegeTests.java | 24 +++++++++++++++ .../xpack/security/role/PutRoleRestIT.java | 29 +++++++++++++++++-- 3 files changed, 51 insertions(+), 4 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java index 7174b2f616c2a..3818a8855f437 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java @@ -291,7 +291,7 @@ private static IndexPrivilege resolve(Set name) { + part + "]. a privilege must be either " + "one of the predefined fixed indices privileges [" - + Strings.collectionToCommaDelimitedString(VALUES.entrySet()) + + Strings.collectionToCommaDelimitedString(names().stream().sorted().collect(Collectors.toList())) + "] or a pattern over one of the available index" + " actions"; logger.debug(errorMessage); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java index 073b3b92a43a5..8feddb64d7722 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java 
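Review bot: The replacement line in `resolve` puts every key of `names()` into a message that, per the PutRoleRestIT change in this series, comes back in the 400 response body, and nothing in the code records that this list is user-facing. If `names()` can contain entries that callers are not meant to assign (the test file refers to an internal cross-cluster replication privilege, so this looks possible but is not shown here), the error will advertise them. A comment such as `// user-facing: returned in the REST error body, keep to names callers may assign` would record the constraint. The sorted list is also rebuilt on every failure, and `names().stream().sorted().toList()` would be shorter if the module's Java level allows it. `resolve` starts and ends outside the hunk.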
@@ -13,6 +13,7 @@ import org.elasticsearch.action.index.TransportIndexAction; import org.elasticsearch.action.search.TransportSearchAction; import org.elasticsearch.action.update.TransportUpdateAction; +import org.elasticsearch.common.Strings; import org.elasticsearch.common.util.iterable.Iterables; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.rollup.action.GetRollupIndexCapsAction; @@ -21,7 +22,9 @@ import java.util.Collection; import java.util.List; +import java.util.Locale; import java.util.Set; +import java.util.stream.Collectors; import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.findPrivilegesThatGrant; import static org.hamcrest.Matchers.containsInAnyOrder; @@ -145,4 +148,25 @@ public void testCrossClusterReplicationPrivileges() { assertThat(Automatons.subsetOf(crossClusterReplicationInternal.automaton, IndexPrivilege.get(Set.of("all")).automaton), is(true)); } + public void testInvalidPrivilegeErrorMessage() { + final String unknownPrivilege = randomValueOtherThanMany( + i -> IndexPrivilege.values().containsKey(i), + () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT) + ); + + IllegalArgumentException exception = expectThrows( + IllegalArgumentException.class, + () -> IndexPrivilege.get(Set.of(unknownPrivilege)) + ); + + final String expectedFullErrorMessage = "unknown index privilege [" + + unknownPrivilege + + "]. a privilege must be either " + + "one of the predefined fixed indices privileges [" + + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList())) + + "] or a pattern over one of the available index" + + " actions"; + + assertEquals(expectedFullErrorMessage, exception.getMessage()); + } } 
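Review bot: `testInvalidPrivilegeErrorMessage` builds its expected string with the same `IndexPrivilege.names().stream().sorted()` expression the production code uses, so it cannot fail on the content of the list itself. An independent assertion that the old map-entry rendering is gone would pin the actual regression, for example `assertThat(exception.getMessage(), not(containsString("=")));` (the static imports for `not` and `containsString` may need adding to this file). The generator's predicate checks `IndexPrivilege.values().containsKey(i)` while the expected list comes from `names()`; using `names().contains(i)`, as PutRoleRestIT does, would keep the two in step.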
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java index 377e774a9f96b..eecbe74cd092b 100644 --- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java +++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java @@ -9,17 +9,22 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.ResponseException; +import org.elasticsearch.common.Strings; import org.elasticsearch.xpack.core.security.authz.RoleDescriptor; +import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege; import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase; import java.util.List; +import java.util.Locale; import java.util.Map; +import java.util.stream.Collectors; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.hasKey; import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.not; +import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.names; public class PutRoleRestIT extends SecurityOnTrialLicenseRestTestCase { public void testPutManyValidRoles() throws Exception { 
@@ -316,6 +321,24 @@ public void testBulkUpdates() throws Exception { public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception { final String badRoleName = "bad-role"; + final String unknownPrivilege = randomValueOtherThanMany( + i -> names().contains(i), + () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT) + ); + + final String expectedExceptionMessage = "unknown index privilege [" + + unknownPrivilege + + "]. a privilege must be either " + + "one of the predefined fixed indices privileges [" + + Strings.collectionToCommaDelimitedString( + IndexPrivilege.names().stream() + .sorted() + .collect(Collectors.toList()) + ) + + "] or a pattern over one of the available index" + + " actions"; + + final ResponseException exception = expectThrows(ResponseException.class, () -> upsertRoles(String.format(""" { "roles": { @@ -326,7 +349,7 @@ public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception { "indices": [ { "names": ["allowed-index-prefix-*"], - "privileges": ["foobar"] + "privileges": ["%s"] } ] } @@ -334,9 +357,9 @@ public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception { } } } - }""", badRoleName))); + }""", badRoleName, unknownPrivilege))); - assertThat(exception.getMessage(), containsString("unknown index privilege [foobar]")); + assertThat(exception.getMessage(), containsString(expectedExceptionMessage)); assertEquals(400, exception.getResponse().getStatusLine().getStatusCode()); assertRoleDoesNotExist(badRoleName); } From 19a4e8a32f3387eac01687cd71f91bbaeda36280 Mon Sep 17 00:00:00 2001 From: elasticsearchmachine Date: Mon, 9 Jun 2025 18:13:29 +0000 Subject: [PATCH 2/3] [CI] Auto commit changes from spotless --- .../elasticsearch/xpack/security/role/PutRoleRestIT.java | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
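Review bot: The expected message in `testPutRoleWithInvalidManageRolesPrivilege` is computed from `IndexPrivilege.names()` in the test JVM, while the message under test is produced by the cluster node, so the full-string `containsString` only holds when both sides register exactly the same privileges. If any privilege name is registered conditionally (not visible in this diff), the test would fail for reasons unrelated to the fix. Asserting the stable parts, `containsString("unknown index privilege [" + unknownPrivilege + "]")` and `containsString("one of the predefined fixed indices privileges [")`, avoids that coupling. The method also mixes the statically imported `names()` with the qualified `IndexPrivilege.names()`; one form throughout would read better. This applies across the three hunks of the method, whose body continues outside them.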
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java index eecbe74cd092b..64ea916ac3ff7 100644 --- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java +++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java @@ -19,12 +19,12 @@ import java.util.Map; import java.util.stream.Collectors; +import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.names; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.hasKey; import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.not; -import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.names; public class PutRoleRestIT extends SecurityOnTrialLicenseRestTestCase { public void testPutManyValidRoles() throws Exception { @@ -330,15 +330,10 @@ public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception { + unknownPrivilege + "]. a privilege must be either " + "one of the predefined fixed indices privileges [" - + Strings.collectionToCommaDelimitedString( - IndexPrivilege.names().stream() - .sorted() - .collect(Collectors.toList()) - ) + + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList())) + "] or a pattern over one of the available index" + " actions"; - final ResponseException exception = expectThrows(ResponseException.class, () -> upsertRoles(String.format(""" { "roles": { From 13e5d2d7a30d620aff4c91855bed3738fd2242a1 Mon Sep 17 00:00:00 2001 
From: Graeme Mjehovich
Date: Wed, 11 Jun 2025 09:44:49 -0400
Subject: [PATCH 3/3] Add changelog file
---
 docs/changelog/129158.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 docs/changelog/129158.yaml
diff --git a/docs/changelog/129158.yaml b/docs/changelog/129158.yaml
new file mode 100644
index 0000000000000..c824522929863
--- /dev/null
+++ b/docs/changelog/129158.yaml
@@ -0,0 +1,6 @@
+pr: 129158
+summary: Fix unsupported privileges error message during role and API key creation
+area: Authorization
+type: enhancement
+issues:
+ - 128132