wip

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/main/java/org/opensearch/security/privileges/IndicesRequestResolver.java

@@ -21,7 +21,7 @@
 import org.opensearch.cluster.metadata.ResolvedIndices;
 
 public class IndicesRequestResolver {
-    private final IndexNameExpressionResolver indexNameExpressionResolver;
+    protected final IndexNameExpressionResolver indexNameExpressionResolver;
 
     public IndicesRequestResolver(IndexNameExpressionResolver indexNameExpressionResolver) {
         this.indexNameExpressionResolver = indexNameExpressionResolver;

src/main/java/org/opensearch/security/privileges/actionlevel/legacy/LegacyIndicesRequestResolver.java

@@ -0,0 +1,56 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.privileges.actionlevel.legacy;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.IndicesRequest;
+import org.opensearch.action.admin.indices.alias.IndicesAliasesRequest;
+import org.opensearch.action.support.ActionRequestMetadata;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.metadata.OptionallyResolvedIndices;
+import org.opensearch.cluster.metadata.ResolvedIndices;
+import org.opensearch.security.privileges.IndicesRequestResolver;
+import org.opensearch.security.privileges.PrivilegesEvaluationContext;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.function.Supplier;
+
+/**
+ * A modified IndicesRequestResolver which keeps the default index resolution behavior of OpenSearch 3.2.0
+ */
+public class LegacyIndicesRequestResolver extends IndicesRequestResolver {
+
+    public LegacyIndicesRequestResolver(IndexNameExpressionResolver indexNameExpressionResolver) {
+        super(indexNameExpressionResolver);
+    }
+
+    @Override
+    public OptionallyResolvedIndices resolve(
+        ActionRequest request,
+        ActionRequestMetadata<?, ?> actionRequestMetadata,
+        Supplier<ClusterState> clusterStateSupplier
+    ) {
+        if (request instanceof IndicesAliasesRequest indicesAliasesRequest) {
+            List<String> indices = new ArrayList<>();
+            ClusterState clusterState = clusterStateSupplier.get();
+            for (IndicesAliasesRequest.AliasActions aliasActions : indicesAliasesRequest.getAliasActions()) {
+                indices.addAll(indexNameExpressionResolver.concreteResolvedIndices(clusterState, aliasActions).namesOfIndices(clusterState));
+            }
+            return ResolvedIndices.of(indices);
+        } else {
+            return super.resolve(request, actionRequestMetadata, clusterStateSupplier);
+        }
+    }
+}

src/main/java/org/opensearch/security/privileges/actionlevel/legacy/PrivilegesEvaluator.java

@@ -200,7 +200,7 @@ public PrivilegesEvaluator(
         systemIndexAccessEvaluator = new SystemIndexAccessEvaluator(settings, auditLog);
         protectedIndexAccessEvaluator = new ProtectedIndexAccessEvaluator(settings, auditLog);
         termsAggregationEvaluator = new TermsAggregationEvaluator();
-        this.indicesRequestResolver = new IndicesRequestResolver(resolver);
+        this.indicesRequestResolver = new LegacyIndicesRequestResolver(resolver);
 
         this.pluginIdToActionPrivileges.putAll(createActionPrivileges(pluginIdToRolePrivileges, staticActionGroups));
         this.updateConfiguration(actionGroups, rolesConfiguration, generalConfiguration);

src/test/java/org/opensearch/security/IndexIntegrationTests.java

@@ -595,6 +595,9 @@ public void testAliases() throws Exception {
         );
         assertContains(res, "*\"hits\" : {*\"value\" : 0,*\"hits\" : [ ]*");
 
+        res = rh.executePutRequest("/logstash-1/_alias/alog1", "", encodeBasicHeader("aliasmngt", "nagilum"));
+        System.out.println(res.getBody());
+
         // add alias to allowed index
         assertThat(
             HttpStatus.SC_OK,
@@ -664,11 +667,23 @@ public void testIndexResolveInvalidIndexName() throws Exception {
         setup();
         final RestHelper rh = nonSslRestHelper();
 
-        // invalid_index_name_exception should be thrown and responded when invalid index name is mentioned in requests.
+        // invalid_index_name_exception should be thrown and responded when invalid index name is mentioned in requests AND if the
+        // user has in theory privileges for the (invalid) index name. This is because the index name validation takes
+        // place in the transport action itself.
+        // The security plugin should not engage itself in any validation logic that is outside of its scope.
+
+        // We do not have privileges for the index below, thus we get a 403 error
         HttpResponse res = rh.executeGetRequest(
             URLEncoder.encode("_##pdt_data/_search", "UTF-8"),
             encodeBasicHeader("ccsresolv", "nagilum")
         );
+        assertThat(res.getStatusCode(), is(HttpStatus.SC_FORBIDDEN));
+
+        // We have privileges for the invalid index name below, thus we get through to the validation logic
+        res = rh.executeGetRequest(
+                URLEncoder.encode("aabc#data/_search", "UTF-8"),
+                encodeBasicHeader("ccsresolv", "nagilum")
+        );
         assertThat(res.getStatusCode(), is(HttpStatus.SC_BAD_REQUEST));
         Assert.assertTrue(res.getBody().contains("invalid_index_name_exception"));
     }