wip

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/IndexAuthorizationReadOnlyIntTests.java

@@ -14,8 +14,11 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.function.Function;
+import java.util.function.Supplier;
 
 import com.google.common.collect.ImmutableList;
+import org.junit.AfterClass;
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -27,6 +30,8 @@
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
@@ -204,18 +209,27 @@ public class IndexAuthorizationReadOnlyIntTests {
         UNLIMITED_USER,
         SUPER_UNLIMITED_USER
     );
+    private static final Logger log = LoggerFactory.getLogger(IndexAuthorizationReadOnlyIntTests.class);
+
+    static LocalCluster.Builder clusterBuilder() {
+        return new LocalCluster.Builder().singleNode()
+                .anonymousAuth(false)
+                .authc(AUTHC_HTTPBASIC_INTERNAL)
+                .users(USERS)//
+                .indices(index_a1, index_a2, index_a3, index_b1, index_b2, index_b3, index_c1, index_hidden, index_hidden_dot)//
+                .aliases(alias_ab1, alias_c1);
+    }
 
-    @ClassRule
-    public static LocalCluster cluster = new LocalCluster.Builder().singleNode()
-        .anonymousAuth(false)
-        .authc(AUTHC_HTTPBASIC_INTERNAL)
-        .users(USERS)//
-        .indices(index_a1, index_a2, index_a3, index_b1, index_b2, index_b3, index_c1, index_hidden, index_hidden_dot)//
-        .aliases(alias_ab1, alias_c1)//
-        .doNotFailOnForbidden(true)
-        .build();
+    @AfterClass
+    public static void stopClusters() {
+        for (ClusterConfig clusterConfig : ClusterConfig.values()) {
+            clusterConfig.shutdown();
+        }
+    }
 
     final TestSecurityConfig.User user;
+    final LocalCluster cluster;
+    final ClusterConfig clusterConfig;
 
     @Test
     public void search_noPattern() throws Exception {
@@ -234,7 +248,11 @@ public void search_noPattern() throws Exception {
     public void search_noPattern_noWildcards() throws Exception {
         try (TestRestClient restClient = cluster.getRestClient(user)) {
             TestRestClient.HttpResponse httpResponse = restClient.get("/_search?size=1000&expand_wildcards=none");
-            assertThat(httpResponse, containsExactly().at("hits.hits[*]._index").whenEmpty(200));
+            if (user == UNLIMITED_USER || user == SUPER_UNLIMITED_USER) {
+                assertThat(httpResponse, isOk());
+            } else {
+                assertThat(httpResponse, isForbidden("/error/root_cause/0/reason", "no permissions for [indices:data/read/search]"));
+            }
         }
     }
 
@@ -268,7 +286,11 @@ public void search_all() throws Exception {
     public void search_all_noWildcards() throws Exception {
         try (TestRestClient restClient = cluster.getRestClient(user)) {
             TestRestClient.HttpResponse httpResponse = restClient.get("_all/_search?size=1000&expand_wildcards=none");
-            assertThat(httpResponse, containsExactly().at("hits.hits[*]._index").whenEmpty(200));
+            if (user == UNLIMITED_USER || user == SUPER_UNLIMITED_USER) {
+                assertThat(httpResponse, isOk());
+            } else {
+                assertThat(httpResponse, isForbidden("/error/root_cause/0/reason", "no permissions for [indices:data/read/search]"));
+            }
         }
     }
 
@@ -311,7 +333,11 @@ public void search_wildcard() throws Exception {
     public void search_wildcard_noWildcards() throws Exception {
         try (TestRestClient restClient = cluster.getRestClient(user)) {
             TestRestClient.HttpResponse httpResponse = restClient.get("*/_search?size=1000&expand_wildcards=none");
-            assertThat(httpResponse, containsExactly().at("hits.hits[*]._index").whenEmpty(200));
+            if (user == UNLIMITED_USER || user == SUPER_UNLIMITED_USER) {
+                assertThat(httpResponse, isOk());
+            } else {
+                assertThat(httpResponse, isForbidden("/error/root_cause/0/reason", "no permissions for [indices:data/read/search]"));
+            }
         }
     }
 
@@ -439,17 +465,14 @@ public void search_indexPattern_noWildcards() throws Exception {
             TestRestClient.HttpResponse httpResponse = restClient.get(
                 "index_a*,index_b*/_search?size=1000&expand_wildcards=none&ignore_unavailable=true"
             );
-            assertThat(httpResponse, containsExactly().at("hits.hits[*]._index").but(user.indexMatcher("search")).whenEmpty(200));
-        }
-    }
-
-    @Test
-    public void search_indexPatternAndStatic_noWildcards() throws Exception {
-        try (TestRestClient restClient = cluster.getRestClient(user)) {
-            TestRestClient.HttpResponse httpResponse = restClient.get(
-                "index_a*,index_b1/_search?size=1000&expand_wildcards=none&ignore_unavailable=true"
-            );
-            assertThat(httpResponse, containsExactly(index_b1).at("hits.hits[*]._index").but(user.indexMatcher("search")).whenEmpty(403));
+            // We have to specify the users here explicitly because here we need to check privileges for the
+            // non-existing (and invalidly named) indices "index_a*" and "index_b*". Only users with privileges for "index_a*"
+            // and "index_b*" will get a ok response.
+            if (user == LIMITED_USER_A || user == LIMITED_USER_B || user == LIMITED_USER_A_HIDDEN || user == UNLIMITED_USER || user == SUPER_UNLIMITED_USER) {
+                assertThat(httpResponse, isOk());
+            } else {
+                assertThat(httpResponse, isForbidden("", ""));
+            }
         }
     }
 
@@ -510,12 +533,18 @@ public void search_alias_pattern_negation() throws Exception {
     public void search_aliasAndIndex() throws Exception {
         try (TestRestClient restClient = cluster.getRestClient(user)) {
             TestRestClient.HttpResponse httpResponse = restClient.get("alias_ab1,index_b2/_search?size=1000&ignore_unavailable=true");
-            assertThat(
-                httpResponse,
-                containsExactly(index_a1, index_a2, index_a3, index_b1, index_b2).at("hits.hits[*]._index")
-                    .but(user.indexMatcher("search"))
-                    .whenEmpty(403)
-            );
+            if (clusterConfig == ClusterConfig.LEGACY_PRIVILEGES_EVALUATION) {
+                // The legacy privilege evaluation with dnfof enabled can replace aliases by a sub-set of its member indices
+                assertThat(
+                        httpResponse,
+                        containsExactly(index_a1, index_a2, index_a3, index_b1, index_b2).at("hits.hits[*]._index")
+                                .but(user.indexMatcher("search"))
+                                .whenEmpty(403)
+                );
+            } else {
+                // The new privilege evaluation never replaces aliases
+                if (user.indexMatcher("search").covers(alias_ab1))
+            }
         }
     }
 
@@ -891,15 +920,6 @@ public void getAlias_aliasPattern() throws Exception {
         }
     }
 
-    @Test
-    public void getAlias_aliasPattern_noWildcards() throws Exception {
-        try (TestRestClient restClient = cluster.getRestClient(user)) {
-            TestRestClient.HttpResponse httpResponse = restClient.get("_alias/alias_ab*?expand_wildcards=none");
-            assertThat(httpResponse, isOk());
-            assertThat(httpResponse.bodyAsJsonNode().isEmpty(), equalTo(true));
-        }
-    }
-
     @Test
     public void getAlias_mixed() throws Exception {
         try (TestRestClient restClient = cluster.getRestClient(user)) {
@@ -1043,7 +1063,7 @@ public void field_caps_indexPattern() throws Exception {
             TestRestClient.HttpResponse httpResponse = restClient.get("index_b*/_field_caps?fields=*");
             assertThat(
                 httpResponse,
-                containsExactly(index_b1, index_b2, index_b3).at("indices").but(user.indexMatcher("read")).whenEmpty(403)
+                containsExactly(index_b1, index_b2, index_b3).at("indices").but(user.indexMatcher("read")).whenEmpty( clusterConfig == ClusterConfig.NEXT_GEN_PRIVILEGES_EVALUATION ? 200 : 403)
             );
         }
     }
@@ -1155,19 +1175,60 @@ public void field_caps_indexPattern_minus() throws Exception {
         }
     }
 
-    @Parameterized.Parameters(name = "{1}")
+    @Parameterized.Parameters(name = "{0}, {2}")
     public static Collection<Object[]> params() {
         List<Object[]> result = new ArrayList<>();
 
-        for (TestSecurityConfig.User user : USERS) {
-            result.add(new Object[] { user, user.getDescription() });
+        for (ClusterConfig clusterConfig : ClusterConfig.values()) {
+            for (TestSecurityConfig.User user : USERS) {
+                result.add(new Object[]{clusterConfig, user, user.getDescription()});
+            }
         }
-
         return result;
     }
 
-    public IndexAuthorizationReadOnlyIntTests(TestSecurityConfig.User user, String description) throws Exception {
+    public IndexAuthorizationReadOnlyIntTests(ClusterConfig clusterConfig, TestSecurityConfig.User user, String description) throws Exception {
         this.user = user;
+        this.cluster = clusterConfig.cluster();
+        this.clusterConfig = clusterConfig;
+    }
+
+    public enum ClusterConfig {
+        LEGACY_PRIVILEGES_EVALUATION("legacy", c -> c.doNotFailOnForbidden(true)),
+        NEXT_GEN_PRIVILEGES_EVALUATION("next_gen", c-> c.privilegesEvaluationType("next_gen"));
+
+        final String name;
+        final Function<LocalCluster.Builder, LocalCluster.Builder> clusterConfiguration;
+        private LocalCluster cluster;
+
+        ClusterConfig(String name, Function<LocalCluster.Builder, LocalCluster.Builder> clusterConfiguration) {
+            this.name = name;
+            this.clusterConfiguration = clusterConfiguration;
+        }
+
+        LocalCluster cluster() {
+            if (cluster == null) {
+                cluster = this.clusterConfiguration.apply(clusterBuilder()).build();
+                cluster.before();
+            }
+            return cluster;
+        }
+
+        void shutdown() {
+            if (cluster != null) {
+                try {
+                    cluster.close();
+                } catch (Exception e) {
+                    e.printStackTrace();
+                }
+                cluster = null;
+            }
+        }
+
+        @Override
+        public String toString() {
+            return name;
+        }
     }
 
 }

src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java

@@ -139,6 +139,11 @@ public TestSecurityConfig doNotFailOnForbidden(boolean doNotFailOnForbidden) {
         return this;
     }
 
+    public TestSecurityConfig privilegesEvaluationType(String privilegesEvaluationType) {
+        config.privilegesEvaluationType(privilegesEvaluationType);
+        return this;
+    }
+
     public TestSecurityConfig xff(XffConfig xffConfig) {
         config.xffConfig(xffConfig);
         return this;
@@ -263,6 +268,7 @@ public static class Config implements ToXContentObject {
         private boolean anonymousAuth;
 
         private Boolean doNotFailOnForbidden;
+        private String privilegesEvaluationType;
         private XffConfig xffConfig;
         private OnBehalfOfConfig onBehalfOfConfig;
         private Map<String, AuthcDomain> authcDomainMap = new LinkedHashMap<>();
@@ -280,6 +286,11 @@ public Config doNotFailOnForbidden(Boolean doNotFailOnForbidden) {
             return this;
         }
 
+        public Config privilegesEvaluationType(String privilegesEvaluationType) {
+            this.privilegesEvaluationType = privilegesEvaluationType;
+            return this;
+        }
+
         public Config xffConfig(XffConfig xffConfig) {
             this.xffConfig = xffConfig;
             return this;
@@ -325,6 +336,9 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
             if (doNotFailOnForbidden != null) {
                 xContentBuilder.field("do_not_fail_on_forbidden", doNotFailOnForbidden);
             }
+            if (privilegesEvaluationType != null) {
+                xContentBuilder.field("privileges_evaluation_type", privilegesEvaluationType);
+            }
             xContentBuilder.field("authc", authcDomainMap);
             if (authzDomainMap.isEmpty() == false) {
                 xContentBuilder.field("authz", authzDomainMap);

src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java

@@ -597,6 +597,11 @@ public Builder doNotFailOnForbidden(boolean doNotFailOnForbidden) {
             return this;
         }
 
+        public Builder privilegesEvaluationType(String privilegesEvaluationType) {
+            testSecurityConfig.privilegesEvaluationType(privilegesEvaluationType);
+            return this;
+        }
+
         public Builder defaultConfigurationInitDirectory(String defaultConfigurationInitDirectory) {
             this.defaultConfigurationInitDirectory = defaultConfigurationInitDirectory;
             return this;

src/main/java/org/opensearch/security/privileges/PrivilegesConfiguration.java

@@ -117,10 +117,12 @@ public PrivilegesConfiguration(
                 PrivilegesEvaluationType privilegesEvaluationType = PrivilegesEvaluationType.getFrom(
                     configurationRepository.getConfiguration(CType.CONFIG)
                 );
-                PrivilegesEvaluationType currentEvaluationType = currentPrivilegesEvaluator == null ? null
-                    : currentPrivilegesEvaluator instanceof org.opensearch.security.privileges.actionlevel.legacy.PrivilegesEvaluator
+                PrivilegesEvaluationType currentEvaluationType =
+                     currentPrivilegesEvaluator instanceof org.opensearch.security.privileges.actionlevel.legacy.PrivilegesEvaluator
                         ? PrivilegesEvaluationType.LEGACY
-                    : PrivilegesEvaluationType.NEXT_GEN;
+                    : currentPrivilegesEvaluator instanceof org.opensearch.security.privileges.actionlevel.nextgen.PrivilegesEvaluator ?
+                        PrivilegesEvaluationType.NEXT_GEN
+                        : null;
 
                 if (privilegesEvaluationType != currentEvaluationType) {
                     if (privilegesEvaluationType == PrivilegesEvaluationType.LEGACY) {

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java

@@ -31,13 +31,18 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 
 import org.opensearch.action.admin.indices.create.CreateIndexRequestBuilder;
 
 import com.selectivem.collections.CheckTable;
+import org.opensearch.cluster.metadata.OptionallyResolvedIndices;
+import org.opensearch.cluster.metadata.ResolvedIndices;
 
 public class PrivilegesEvaluatorResponse {
     boolean allowed = false;
@@ -46,6 +51,7 @@ public class PrivilegesEvaluatorResponse {
     CreateIndexRequestBuilder createIndexRequestBuilder;
     private Set<String> onlyAllowedForIndices = ImmutableSet.of();
     private CheckTable<String, String> indexToActionCheckTable;
+    private ImmutableList<PrivilegesEvaluatorResponse> subResults = ImmutableList.of();
     private String privilegeMatrix;
     private String reason;
 
@@ -127,7 +133,23 @@ public String getPrivilegeMatrix() {
         String result = this.privilegeMatrix;
 
         if (result == null) {
-            result = this.indexToActionCheckTable.toTableString("ok", "MISSING");
+            String topLevelMatrix;
+
+            if (this.indexToActionCheckTable != null) {
+                topLevelMatrix = this.indexToActionCheckTable.toTableString("ok", "MISSING");
+            } else {
+                topLevelMatrix = "n/a";
+            }
+
+            if (subResults.isEmpty()) {
+                result = topLevelMatrix;
+            } else {
+                StringBuilder resultBuilder = new StringBuilder(topLevelMatrix);
+                for (PrivilegesEvaluatorResponse subResult : subResults) {
+                    resultBuilder.append("\n");
+                    resultBuilder.append(subResult.getPrivilegeMatrix());
+                }
+            }
             this.privilegeMatrix = result;
         }
         return result;
@@ -159,6 +181,18 @@ public boolean isPending() {
         return this.state == PrivilegesEvaluatorResponseState.PENDING;
     }
 
+    public PrivilegesEvaluatorResponse insufficient(List<PrivilegesEvaluatorResponse> subResults) {
+        String reason = this.reason;
+        if (reason == null) {
+            reason = subResults.stream().map(result -> result.reason).filter(Objects::nonNull).findFirst().orElse(null);
+        }
+        PrivilegesEvaluatorResponse result = new PrivilegesEvaluatorResponse();
+        result.allowed = false;
+        result.indexToActionCheckTable = this.indexToActionCheckTable;
+        result.subResults = ImmutableList.copyOf(subResults);
+        return result;
+    }
+
     @Override
     public String toString() {
         return "PrivEvalResponse [\nallowed="
@@ -176,6 +210,13 @@ public static PrivilegesEvaluatorResponse ok() {
         return response;
     }
 
+    public static PrivilegesEvaluatorResponse ok(CheckTable<String, String> indexToActionCheckTable) {
+        PrivilegesEvaluatorResponse response = new PrivilegesEvaluatorResponse();
+        response.indexToActionCheckTable = indexToActionCheckTable;
+        response.allowed = true;
+        return response;
+    }
+
     public static PrivilegesEvaluatorResponse ok(CreateIndexRequestBuilder createIndexRequestBuilder) {
         PrivilegesEvaluatorResponse response = new PrivilegesEvaluatorResponse();
         response.allowed = true;