Add tenancy access info to serialized user in threadcontext (#857)

Author: cwperks

src/main/java/org/opensearch/commons/authuser/User.java

@@ -18,6 +18,7 @@
 
 import org.apache.hc.core5.http.ParseException;
 import org.apache.hc.core5.http.io.entity.EntityUtils;
+import org.opensearch.Version;
 import org.opensearch.client.Response;
 import org.opensearch.common.Nullable;
 import org.opensearch.common.inject.internal.ToStringBuilder;
@@ -45,20 +46,24 @@ final public class User implements Writeable, ToXContent {
     public static final String ROLES_FIELD = "roles";
     public static final String CUSTOM_ATTRIBUTE_NAMES_FIELD = "custom_attribute_names";
     public static final String REQUESTED_TENANT_FIELD = "user_requested_tenant";
+    public static final String REQUESTED_TENANT_ACCESS = "user_requested_tenant_access";
 
     private final String name;
     private final List<String> backendRoles;
     private final List<String> roles;
     private final List<String> customAttNames;
     @Nullable
     private final String requestedTenant;
+    @Nullable
+    private final String requestedTenantAccess;
 
     public User() {
         name = "";
         backendRoles = new ArrayList<>();
         roles = new ArrayList<>();
         customAttNames = new ArrayList<>();
         requestedTenant = null;
+        requestedTenantAccess = null;
     }
 
     public User(final String name, final List<String> backendRoles, List<String> roles, List<String> customAttNames) {
@@ -67,6 +72,7 @@ public User(final String name, final List<String> backendRoles, List<String> rol
         this.roles = roles;
         this.customAttNames = customAttNames;
         this.requestedTenant = null;
+        this.requestedTenantAccess = null;
     }
 
     public User(
@@ -81,6 +87,23 @@ public User(
         this.roles = roles;
         this.customAttNames = customAttNames;
         this.requestedTenant = requestedTenant;
+        this.requestedTenantAccess = null;
+    }
+
+    public User(
+        final String name,
+        final List<String> backendRoles,
+        final List<String> roles,
+        final List<String> customAttNames,
+        @Nullable final String requestedTenant,
+        @Nullable final String requestedTenantAccess
+    ) {
+        this.name = name;
+        this.backendRoles = backendRoles;
+        this.roles = roles;
+        this.customAttNames = customAttNames;
+        this.requestedTenant = requestedTenant;
+        this.requestedTenantAccess = requestedTenantAccess;
     }
 
     /**
@@ -104,6 +127,7 @@ public User(String json) {
         roles = (List<String>) mapValue.get("roles");
         customAttNames = (List<String>) mapValue.get("custom_attribute_names");
         requestedTenant = (String) mapValue.getOrDefault("user_requested_tenant", null);
+        requestedTenantAccess = (String) mapValue.getOrDefault("user_requested_tenant_access", null);
     }
 
     public User(StreamInput in) throws IOException {
@@ -112,6 +136,11 @@ public User(StreamInput in) throws IOException {
         roles = in.readStringList();
         customAttNames = in.readStringList();
         requestedTenant = in.readOptionalString();
+        if (in.getVersion().onOrAfter(Version.V_3_2_0)) {
+            requestedTenantAccess = in.readOptionalString();
+        } else {
+            requestedTenantAccess = null;
+        }
     }
 
     public static User parse(XContentParser parser) throws IOException {
@@ -120,6 +149,7 @@ public static User parse(XContentParser parser) throws IOException {
         List<String> roles = new ArrayList<>();
         List<String> customAttNames = new ArrayList<>();
         String requestedTenant = null;
+        String requestedTenantAccess = null;
 
         ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.currentToken(), parser);
         while (parser.nextToken() != XContentParser.Token.END_OBJECT) {
@@ -150,11 +180,14 @@ public static User parse(XContentParser parser) throws IOException {
                 case REQUESTED_TENANT_FIELD:
                     requestedTenant = parser.textOrNull();
                     break;
+                case REQUESTED_TENANT_ACCESS:
+                    requestedTenantAccess = parser.textOrNull();
+                    break;
                 default:
                     break;
             }
         }
-        return new User(name, backendRoles, roles, customAttNames, requestedTenant);
+        return new User(name, backendRoles, roles, customAttNames, requestedTenant, requestedTenantAccess);
     }
 
     /**
@@ -178,6 +211,7 @@ public static User parse(final String userString) {
         List<String> backendRoles = new ArrayList<>();
         List<String> roles = new ArrayList<>();
         String requestedTenant = null;
+        String requestedTenantAccess = null;
 
         if ((strs.length > 1) && !Strings.isNullOrEmpty(strs[1])) {
             backendRoles.addAll(Arrays.stream(strs[1].split(",")).map(Utils::unescapePipe).toList());
@@ -188,7 +222,10 @@ public static User parse(final String userString) {
         if ((strs.length > 3) && !Strings.isNullOrEmpty(strs[3])) {
             requestedTenant = unescapePipe(strs[3].trim());
         }
-        return new User(userName, backendRoles, roles, Arrays.asList(), requestedTenant);
+        if ((strs.length > 4) && !Strings.isNullOrEmpty(strs[4])) {
+            requestedTenantAccess = strs[4].trim();
+        }
+        return new User(userName, backendRoles, roles, Arrays.asList(), requestedTenant, requestedTenantAccess);
     }
 
     @Override
@@ -199,7 +236,8 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
             .field(BACKEND_ROLES_FIELD, backendRoles)
             .field(ROLES_FIELD, roles)
             .field(CUSTOM_ATTRIBUTE_NAMES_FIELD, customAttNames)
-            .field(REQUESTED_TENANT_FIELD, requestedTenant);
+            .field(REQUESTED_TENANT_FIELD, requestedTenant)
+            .field(REQUESTED_TENANT_ACCESS, requestedTenantAccess);
         return builder.endObject();
     }
 
@@ -210,6 +248,9 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeStringCollection(roles);
         out.writeStringCollection(customAttNames);
         out.writeOptionalString(requestedTenant);
+        if (out.getVersion().onOrAfter(Version.V_3_2_0)) {
+            out.writeOptionalString(requestedTenantAccess);
+        }
     }
 
     @Override
@@ -220,6 +261,7 @@ public String toString() {
         builder.add(ROLES_FIELD, roles);
         builder.add(CUSTOM_ATTRIBUTE_NAMES_FIELD, customAttNames);
         builder.add(REQUESTED_TENANT_FIELD, requestedTenant);
+        builder.add(REQUESTED_TENANT_ACCESS, requestedTenantAccess);
         return builder.toString();
     }
 
@@ -233,7 +275,8 @@ public boolean equals(Object obj) {
             && this.getBackendRoles().equals(that.backendRoles)
             && this.getRoles().equals(that.roles)
             && this.getCustomAttNames().equals(that.customAttNames)
-            && (Objects.equals(this.requestedTenant, that.requestedTenant));
+            && (Objects.equals(this.requestedTenant, that.requestedTenant))
+            && (Objects.equals(this.requestedTenantAccess, that.requestedTenantAccess));
     }
 
     public String getName() {
@@ -257,6 +300,11 @@ public String getRequestedTenant() {
         return requestedTenant;
     }
 
+    @Nullable
+    public String getRequestedTenantAccess() {
+        return requestedTenantAccess;
+    }
+
     public boolean isAdminDn(Settings settings) {
         if (settings == null) {
             return false;

src/test/java/org/opensearch/commons/authuser/UserTest.java

@@ -30,6 +30,17 @@ User testNoTenantUser() {
     }
 
     User testTenantUser() {
+        return new User(
+            "chip",
+            Arrays.asList("admin", "ops"),
+            Arrays.asList("ops_data"),
+            Arrays.asList("attr1", "attr2"),
+            "__user__",
+            "WRITE"
+        );
+    }
+
+    User testTenantUserWithNoAccessInfo() {
         return new User("chip", Arrays.asList("admin", "ops"), Arrays.asList("ops_data"), Arrays.asList("attr1", "attr2"), "__user__");
     }
 
@@ -53,6 +64,16 @@ public void testParamsConstForNoTenantUser() {
         assertNull(user.getRequestedTenant());
     }
 
+    @Test
+    public void testParamsConstForTenantUserWithNoAccessInfo() {
+        User user = testTenantUserWithNoAccessInfo();
+        assertFalse(Strings.isNullOrEmpty(user.getName()));
+        assertEquals(2, user.getBackendRoles().size());
+        assertEquals(1, user.getRoles().size());
+        assertEquals(2, user.getCustomAttNames().size());
+        assertFalse(Strings.isNullOrEmpty(user.getRequestedTenant()));
+    }
+
     @Test
     public void testParamsConstForTenantUser() {
         User user = testTenantUser();
@@ -111,6 +132,17 @@ public void testStreamConstForTenantUser() throws IOException {
         assertEquals(user, newUser, "Round tripping User doesn't work");
     }
 
+    @Test
+    public void testStreamConstForTenantUserWithNoAccessInfo() throws IOException {
+        User user = testTenantUserWithNoAccessInfo();
+        BytesStreamOutput out = new BytesStreamOutput();
+        user.writeTo(out);
+        StreamInput in = StreamInput.wrap(out.bytes().toBytesRef().bytes);
+        User newUser = new User(in);
+        assertEquals(user.toString(), newUser.toString(), "Round tripping User doesn't work");
+        assertEquals(user, newUser, "Round tripping User doesn't work");
+    }
+
     @Test
     public void testParseUserString() {
         ThreadContext tc = new ThreadContext(Settings.EMPTY);
@@ -126,6 +158,20 @@ public void testParseUserString() {
         assertEquals("myTenant", user.getRequestedTenant());
     }
 
+    @Test
+    public void testParseUserStringNameWithTenantAndAccess() {
+        ThreadContext tc = new ThreadContext(Settings.EMPTY);
+        tc.putTransient(OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT, "myuser|||myTenant|NO");
+        String str = tc.getTransient(OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT);
+        User user = User.parse(str);
+
+        assertEquals("myuser", user.getName());
+        assertEquals(0, user.getBackendRoles().size());
+        assertEquals(0, user.getRoles().size());
+        assertEquals("myTenant", user.getRequestedTenant());
+        assertEquals("NO", user.getRequestedTenantAccess());
+    }
+
     @Test
     public void testParseUserStringEmpty() {
         ThreadContext tc = new ThreadContext(Settings.EMPTY);