Merge branch 'main' into search_relevance_role_updates

Author: RyanL1997

CHANGELOG.md

@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 * Added new option skip_users to client cert authenticator  (clientcert_auth_domain.http_authenticator.config.skip_users in config.yml)([#4378](https://github.com/opensearch-project/security/pull/5525))
 * [Resource Sharing] Fixes accessible resource ids search by marking created_by.user field as keyword search instead of text ([#5574](https://github.com/opensearch-project/security/pull/5574))
 * [Resource Sharing] Reverts @Inject pattern usage for ResourceSharingExtension to client accessor pattern. ([#5576](https://github.com/opensearch-project/security/pull/5576))
+* Inject user custom attributes when injecting user and role information to the thread context ([#5560](https://github.com/opensearch-project/security/pull/5560))
 
 ### Refactoring
 
@@ -30,6 +31,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `org.springframework.kafka:spring-kafka-test` from 4.0.0-M3 to 4.0.0-M4 ([#5583](https://github.com/opensearch-project/security/pull/5583))
 - Bump `net.bytebuddy:byte-buddy` from 1.17.6 to 1.17.7 ([#5586](https://github.com/opensearch-project/security/pull/5586))
 - Bump `io.dropwizard.metrics:metrics-core` from 4.2.33 to 4.2.34 ([#5589](https://github.com/opensearch-project/security/pull/5589))
+- Bump `com.nimbusds:nimbus-jose-jwt:9.48` from 9.48 to 10.4.2 ([#5595](https://github.com/opensearch-project/security/pull/5595))
 
 ### Documentation
 

build.gradle

@@ -664,7 +664,7 @@ dependencies {
     implementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
     implementation "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
-    implementation 'com.nimbusds:nimbus-jose-jwt:9.48'
+    implementation 'com.nimbusds:nimbus-jose-jwt:10.4.2'
     implementation 'com.rfksystems:blake2b:2.0.0'
     implementation "com.password4j:password4j:${versions.password4j}"
     implementation "com.github.seancfoley:ipaddress:5.5.1"

src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java

@@ -69,6 +69,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -94,7 +95,6 @@
     DocumentPrivilegesTest.DataStreams_getRestriction.class,
     DocumentPrivilegesTest.DlsQuery.class })
 public class DocumentPrivilegesTest {
-
     static NamedXContentRegistry xContentRegistry = new NamedXContentRegistry(
         ImmutableList.of(
             new NamedXContentRegistry.Entry(
@@ -364,23 +364,25 @@ public void queryPatternTemplate() throws Exception {
                 new TestSecurityConfig.Role("non_dls_role").indexPermissions("*").on("index_a*")
             );
 
-            DocumentPrivileges subject = createSubject(roleConfig);
+            Exception exception = null;
+            DlsRestriction dlsRestriction = null;
+            DocumentPrivileges subject = null;
 
-            DlsRestriction dlsRestriction = subject.getRestriction(context, index.getName());
+            try {
+                subject = createSubject(roleConfig);
+                dlsRestriction = subject.getRestriction(context, index.getName());
+            } catch (PrivilegesEvaluationException ex) {
+                exception = ex;
+            }
 
             if (index == index_b1) {
                 // This test case never grants privileges to index_b1
                 assertThat(dlsRestriction, isFullyRestricted());
             } else if (userSpec.attributes.isEmpty()) {
-                // If a role uses undefined user attributes for DLS queries, the attribute templates
-                // remain unchanged in the resulting query. This is a property of the current attribute handling code.
-                // It would be probably better if an error would be raised in that case.
+                // If a role uses undefined user attributes for DLS queries, an exception should be raised
                 if (index == index_a1) {
                     if (userSpec.roles.contains("dls_role_1") && userSpec.roles.contains("dls_role_2")) {
-                        assertThat(
-                            dlsRestriction,
-                            isRestricted(termQuery("dept", "${attr.attr_a}1"), termQuery("dept", "${attr.attr_a}2"))
-                        );
+                        assertNotNull(exception);
                     }
                 }
             } else if (userSpec.roles.contains("non_dls_role") && dfmEmptyOverridesAll) {
@@ -417,7 +419,7 @@ public void queryPatternTemplate() throws Exception {
             }
 
             boolean isUnrestricted = subject.isUnrestricted(context, index.getName());
-            if (dlsRestriction.isUnrestricted()) {
+            if (dlsRestriction != null && dlsRestriction.isUnrestricted()) {
                 assertTrue("isUnrestricted() should return true according to " + dlsRestriction, isUnrestricted);
             } else {
                 assertFalse("isUnrestricted() should return false according to " + dlsRestriction, isUnrestricted);

src/main/java/org/opensearch/security/auth/RolesInjector.java

@@ -15,6 +15,7 @@
 
 package org.opensearch.security.auth;
 
+import java.util.Map;
 import java.util.Set;
 
 import com.google.common.collect.ImmutableSet;
@@ -70,7 +71,11 @@ public Set<String> injectUserAndRoles(final ThreadPool threadPool) {
             return null;
         }
         Set<String> roles = ImmutableSet.copyOf(strs[1].split(","));
-        User user = new User(strs[0]).withSecurityRoles(roles);
+
+        Map<String, String> customAttributes = threadPool.getThreadContext()
+            .getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER_CUSTOM_ATTRIBUTES);
+
+        User user = new User(strs[0]).withSecurityRoles(roles).withAttributes(customAttributes);
 
         addUser(user, threadPool);
         return roles;

src/main/java/org/opensearch/security/privileges/IndexPattern.java

@@ -220,7 +220,7 @@ public void add(List<String> source) {
 
                     if (indexPattern.startsWith("<") && indexPattern.endsWith(">")) {
                         this.dateMathExpressions.add(indexPattern);
-                    } else if (!containsPlaceholder(indexPattern)) {
+                    } else if (!UserAttributes.needsAttributeSubstitution(indexPattern)) {
                         this.constantPatterns.add(WildcardMatcher.from(indexPattern));
                     } else {
                         this.patternTemplates.add(indexPattern);
@@ -241,10 +241,6 @@ public IndexPattern build() {
         }
     }
 
-    static boolean containsPlaceholder(String indexPattern) {
-        return indexPattern.indexOf("${") != -1;
-    }
-
     public static IndexPattern from(List<String> source) {
         Builder builder = new Builder();
         builder.add(source);

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java

@@ -26,7 +26,6 @@
 
 package org.opensearch.security.privileges;
 
-import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -307,7 +306,7 @@ private void setUserInfoInThreadContext(PrivilegesEvaluationContext context) {
             log.debug(joiner);
 
             if (this.isUserAttributeSerializationEnabled()) {
-                joiner.add(Base64Helper.serializeObject((Serializable) context.getUser().getCustomAttributesMap()));
+                joiner.add(Base64Helper.serializeObject(new HashMap<>(context.getUser().getCustomAttributesMap())));
             }
 
             threadContext.putTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT, joiner.toString());

src/main/java/org/opensearch/security/privileges/TenantPrivileges.java

@@ -104,7 +104,7 @@ public TenantPrivileges(
                 for (RoleV7.Tenant tenantPermissions : role.getTenant_permissions()) {
                     List<ActionType> actionTypes = resolveActionType(tenantPermissions.getAllowed_actions(), actionGroups);
                     for (String tenantPattern : tenantPermissions.getTenant_patterns()) {
-                        if (isDynamic(tenantPattern)) {
+                        if (UserAttributes.needsAttributeSubstitution(tenantPattern)) {
                             // If a tenant pattern contains a user attribute (like ${user.name}), we can only
                             // do the tenant pattern matching during the actual tenant privilege evaluation, when the user is known.
                             // Thus, we just keep these patterns here unprocessed
@@ -252,10 +252,6 @@ static List<ActionType> resolveActionType(Collection<String> allowedActions, Fla
         }
     }
 
-    static boolean isDynamic(String tenantPattern) {
-        return tenantPattern.contains("${");
-    }
-
     private static ImmutableMap<ActionType, ImmutableCompactSubSet<String>> build(
         Map<ActionType, DeduplicatingCompactSubSetBuilder.SubSetBuilder<String>> source,
         DeduplicatingCompactSubSetBuilder.Completed<String> completedRoleSetBuilder

src/main/java/org/opensearch/security/privileges/UserAttributes.java

@@ -25,6 +25,10 @@
  * This code was moved over from ConfigModelV7.
  */
 public class UserAttributes {
+    public static boolean needsAttributeSubstitution(String patternString) {
+        return patternString.contains("${");
+    }
+
     public static String replaceProperties(String orig, PrivilegesEvaluationContext context) {
         User user = context.getUser();
 

src/main/java/org/opensearch/security/privileges/dlsfls/DocumentPrivileges.java

@@ -18,6 +18,7 @@
 
 import org.apache.logging.log4j.util.Strings;
 
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.cluster.metadata.IndexAbstraction;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.json.JsonXContent;
@@ -44,7 +45,6 @@
  * Instances of this class are managed by DlsFlsProcessedConfig.
  */
 public class DocumentPrivileges extends AbstractRuleBasedPrivileges<DocumentPrivileges.DlsQuery, DlsRestriction> {
-
     private final NamedXContentRegistry xContentRegistry;
 
     public DocumentPrivileges(
@@ -134,7 +134,7 @@ protected QueryBuilder parseQuery(String queryString, NamedXContentRegistry xCon
 
         static DlsQuery create(String queryString, NamedXContentRegistry xContentRegistry)
             throws PrivilegesConfigurationValidationException {
-            if (queryString.contains("${")) {
+            if (UserAttributes.needsAttributeSubstitution(queryString)) {
                 return new DlsQuery.Dynamic(queryString, xContentRegistry);
             } else {
                 return new DlsQuery.Constant(queryString, xContentRegistry);
@@ -174,6 +174,12 @@ static class Dynamic extends DlsQuery {
             @Override
             RenderedDlsQuery evaluate(PrivilegesEvaluationContext context) throws PrivilegesEvaluationException {
                 String effectiveQueryString = UserAttributes.replaceProperties(this.queryString, context);
+                if (UserAttributes.needsAttributeSubstitution(effectiveQueryString)) {
+                    throw new PrivilegesEvaluationException(
+                        "Invalid DLS query: " + effectiveQueryString,
+                        new OpenSearchSecurityException("User attribute substitution failed")
+                    );
+                }
                 try {
                     return new RenderedDlsQuery(parseQuery(effectiveQueryString, xContentRegistry), effectiveQueryString);
                 } catch (Exception e) {

src/main/java/org/opensearch/security/support/ConfigConstants.java

@@ -131,6 +131,7 @@ public class ConfigConstants {
 
     public static final String OPENDISTRO_SECURITY_INJECTED_USER = "injected_user";
     public static final String OPENDISTRO_SECURITY_INJECTED_USER_HEADER = "injected_user_header";
+    public static final String OPENDISTRO_SECURITY_INJECTED_USER_CUSTOM_ATTRIBUTES = "injected_user_custom_attributes";
 
     public static final String OPENDISTRO_SECURITY_XFF_DONE = OPENDISTRO_SECURITY_CONFIG_PREFIX + "xff_done";