Introduced the next gen action privilege evaluation

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/ClusterStateMetadataDependentPrivilegesTest.java

@@ -17,14 +17,10 @@
 
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.Metadata;
-import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.node.Node;
 import org.opensearch.threadpool.ThreadPool;
 
-import org.mockito.Mockito;
-import org.mockito.stubbing.Answer;
-
 public class ClusterStateMetadataDependentPrivilegesTest {
 
     @Test
@@ -33,10 +29,8 @@ public void simpleUpdate() {
         try {
             ConcreteTestSubject subject = new ConcreteTestSubject();
             ClusterState clusterState = clusterState(metadata(1));
-            ClusterService clusterService = Mockito.mock(ClusterService.class);
-            Mockito.when(clusterService.state()).thenReturn(clusterState);
 
-            subject.updateClusterStateMetadataAsync(clusterService, threadPool);
+            subject.updateClusterStateMetadataAsync(() -> clusterState, threadPool);
             Awaitility.await().until(() -> subject.getCurrentlyUsedMetadataVersion() == 1);
             subject.shutdown();
         } finally {
@@ -50,14 +44,12 @@ public void frequentUpdates() throws Exception {
         try {
             ConcreteTestSubject subject = new ConcreteTestSubject();
             AtomicReference<ClusterState> clusterStateReference = new AtomicReference<>(clusterState(metadata(1)));
-            ClusterService clusterService = Mockito.mock(ClusterService.class);
-            Mockito.when(clusterService.state()).thenAnswer((Answer<ClusterState>) invocationOnMock -> clusterStateReference.get());
-            subject.updateClusterStateMetadataAsync(clusterService, threadPool);
-            subject.updateClusterStateMetadataAsync(clusterService, threadPool);
+            subject.updateClusterStateMetadataAsync(clusterStateReference::get, threadPool);
+            subject.updateClusterStateMetadataAsync(clusterStateReference::get, threadPool);
 
             for (int i = 2; i <= 100; i++) {
                 clusterStateReference.set(clusterState(metadata(i)));
-                subject.updateClusterStateMetadataAsync(clusterService, threadPool);
+                subject.updateClusterStateMetadataAsync(clusterStateReference::get, threadPool);
                 Thread.sleep(10);
             }
 
@@ -74,9 +66,7 @@ public void shutdown() {
         try {
             ConcreteTestSubject subject = new ConcreteTestSubject();
             ClusterState clusterState = clusterState(metadata(1));
-            ClusterService clusterService = Mockito.mock(ClusterService.class);
-            Mockito.when(clusterService.state()).thenReturn(clusterState);
-            subject.updateClusterStateMetadataAsync(clusterService, threadPool);
+            subject.updateClusterStateMetadataAsync(() -> clusterState, threadPool);
             subject.shutdown();
         } finally {
             threadPool.shutdown();

src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java

@@ -13,18 +13,11 @@
 import java.time.ZonedDateTime;
 import java.time.temporal.ChronoField;
 
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import org.junit.Test;
 
 import org.opensearch.cluster.ClusterState;
-import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.Metadata;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.concurrent.ThreadContext;
-import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.support.WildcardMatcher;
-import org.opensearch.security.user.User;
 import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 
 import static org.opensearch.security.util.MockIndexMetadataBuilder.indices;
@@ -234,9 +227,9 @@ public void equals() {
 
     private static PrivilegesEvaluationContext ctx() {
         return MockPrivilegeEvaluationContextBuilder.ctx()
-                .action("indices:action/test")
-                .attr("attrs.a11", "a11")
-                .attr("attrs.year", "year")
-                .get();
+            .action("indices:action/test")
+            .attr("attrs.a11", "a11")
+            .attr("attrs.year", "year")
+            .get();
     }
 }

src/integrationTest/java/org/opensearch/security/privileges/IndexRequestModifierTest.java

@@ -0,0 +1,163 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.privileges;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Suite;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.IndicesRequest;
+import org.opensearch.action.OriginalIndices;
+import org.opensearch.action.index.IndexRequest;
+import org.opensearch.action.search.SearchRequest;
+import org.opensearch.action.support.IndicesOptions;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.metadata.ResolvedIndices;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.security.util.MockIndexMetadataBuilder;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+@RunWith(Suite.class)
+@Suite.SuiteClasses({ IndexRequestModifierTest.SetLocalIndices.class, IndexRequestModifierTest.SetLocalIndicesToEmpty.class })
+public class IndexRequestModifierTest {
+
+    static final IndexNameExpressionResolver indexNameExpressionResolver = new IndexNameExpressionResolver(
+        new ThreadContext(Settings.EMPTY)
+    );
+    static final Metadata metadata = MockIndexMetadataBuilder.indices("index", "index1", "index2", "index3").build();
+    final static ClusterState clusterState = ClusterState.builder(ClusterState.EMPTY_STATE).metadata(metadata).build();
+    static final IndicesRequestModifier subject = new IndicesRequestModifier();
+
+    public static class SetLocalIndices {
+        @Test
+        public void basic() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+            SearchRequest request = new SearchRequest("index1", "index2", "index3");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.singletonList("index1"));
+            assertTrue(success);
+            assertArrayEquals(new String[] { "index1" }, request.indices());
+        }
+
+        @Test
+        public void withRemote() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1")
+                .withRemoteIndices(
+                    Map.of("remote", new OriginalIndices(new String[] { "index_remote" }, IndicesOptions.LENIENT_EXPAND_OPEN))
+                );
+            SearchRequest request = new SearchRequest("index1", "index2", "index3", "remote:index_remote");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.singletonList("index1"));
+            assertTrue(success);
+            assertArrayEquals(new String[] { "index1", "remote:index_remote" }, request.indices());
+        }
+
+        @Test
+        public void empty() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+            SearchRequest request = new SearchRequest("index1", "index2", "index3");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.emptyList());
+            assertTrue(success);
+            String[] finalResolvedIndices = indexNameExpressionResolver.concreteIndexNames(clusterState, request);
+            assertArrayEquals(new String[0], finalResolvedIndices);
+        }
+
+        @Test
+        public void unsupportedType() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+            IndexRequest request = new IndexRequest("index1");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.singletonList("index1"));
+            assertFalse(success);
+        }
+    }
+
+    @RunWith(Parameterized.class)
+    public static class SetLocalIndicesToEmpty {
+
+        String description;
+        IndicesRequest request;
+
+        @Test
+        public void setLocalIndicesToEmpty() {
+
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index");
+
+            if (Arrays.asList(request.indices()).contains("remote:index")) {
+                resolvedIndices = resolvedIndices.withRemoteIndices(
+                    Map.of("remote", new OriginalIndices(new String[] { "index" }, request.indicesOptions()))
+                );
+            }
+
+            boolean success = subject.setLocalIndicesToEmpty((ActionRequest) request, resolvedIndices);
+
+            if (!(request instanceof IndicesRequest.Replaceable)) {
+                assertFalse(success);
+            } else if (!request.indicesOptions().allowNoIndices()) {
+                assertFalse(success);
+            } else {
+                assertTrue(success);
+
+                String[] finalResolvedIndices = indexNameExpressionResolver.concreteIndexNames(clusterState, request);
+
+                assertEquals("Resolved to empty indices: " + Arrays.asList(finalResolvedIndices), 0, finalResolvedIndices.length);
+            }
+        }
+
+        @Parameterized.Parameters(name = "{0}")
+        public static Collection<Object[]> params() {
+            return Arrays.asList(
+                new Object[] { "lenient expand open", new SearchRequest("index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN) },
+                new Object[] {
+                    "lenient expand open/closed",
+                    new SearchRequest("index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN_CLOSED) },
+                new Object[] {
+                    "lenient expand open/closed/hidden",
+                    new SearchRequest("index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN_CLOSED_HIDDEN) },
+                new Object[] {
+                    "allow no indices",
+                    new SearchRequest("index").indicesOptions(IndicesOptions.fromOptions(false, true, false, false)) },
+                new Object[] {
+                    "ignore unavailable",
+                    new SearchRequest("index").indicesOptions(IndicesOptions.fromOptions(true, false, false, false)) },
+                new Object[] {
+                    "strict single index",
+                    new SearchRequest("index").indicesOptions(IndicesOptions.STRICT_SINGLE_INDEX_NO_EXPAND_FORBID_CLOSED) },
+                new Object[] {
+                    "with remote index",
+                    new SearchRequest("index", "remote:index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN) },
+                new Object[] { "not implementing IndicesRequest.Replaceable", new IndexRequest("index") }
+            );
+
+        }
+
+        public SetLocalIndicesToEmpty(String description, IndicesRequest request) {
+            this.description = description;
+            this.request = request;
+        }
+    }
+}

src/integrationTest/java/org/opensearch/security/privileges/IndicesRequestResolverTest.java

@@ -0,0 +1,90 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.privileges;
+
+import java.util.Set;
+
+import org.junit.Test;
+
+import org.opensearch.action.admin.cluster.stats.ClusterStatsRequest;
+import org.opensearch.action.search.SearchRequest;
+import org.opensearch.action.support.ActionRequestMetadata;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.metadata.OptionallyResolvedIndices;
+import org.opensearch.cluster.metadata.ResolvedIndices;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.security.util.MockIndexMetadataBuilder;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class IndicesRequestResolverTest {
+
+    static final Metadata metadata = MockIndexMetadataBuilder.indices("index_a1", "index_a2", "index_b1", "index_b2").build();
+    final static ClusterState clusterState = ClusterState.builder(ClusterState.EMPTY_STATE).metadata(metadata).build();
+    static final IndicesRequestResolver subject = new IndicesRequestResolver(
+        new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY))
+    );
+
+    @Test
+    public void resolve_normal() {
+        SearchRequest request = new SearchRequest("index1");
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(resolvedIndices);
+
+        OptionallyResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, () -> clusterState);
+        assertEquals(resolvedIndices, returnedResolvedIndices);
+    }
+
+    @Test
+    public void resolve_fallback() {
+        SearchRequest request = new SearchRequest("index1");
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(OptionallyResolvedIndices.unknown());
+
+        OptionallyResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, () -> clusterState);
+        if (returnedResolvedIndices instanceof ResolvedIndices castReturnedResovledIndices) {
+            assertEquals(Set.of("index1"), castReturnedResovledIndices.local().names());
+        } else {
+            fail("Expected ResolvedIndices, got: " + returnedResolvedIndices);
+        }
+    }
+
+    @Test
+    public void resolve_fallbackUnsupported() {
+        ClusterStatsRequest request = new ClusterStatsRequest();
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(OptionallyResolvedIndices.unknown());
+
+        OptionallyResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, () -> clusterState);
+        assertFalse(returnedResolvedIndices instanceof ResolvedIndices);
+    }
+
+    @Test
+    public void resolve_withPrivilegesEvaluationContext() {
+        SearchRequest request = new SearchRequest("index_a*");
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(OptionallyResolvedIndices.unknown());
+        PrivilegesEvaluationContext context = MockPrivilegeEvaluationContextBuilder.ctx().clusterState(clusterState).get();
+
+        OptionallyResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, context);
+        assertEquals(Set.of("index_a1", "index_a2"), returnedResolvedIndices.local().names(clusterState));
+    }
+}

src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java

@@ -47,6 +47,7 @@
 import org.opensearch.security.dlic.rest.api.Endpoint;
 import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.PermissionBuilder;
 import org.opensearch.security.privileges.actionlevel.RoleBasedActionPrivileges;
+import org.opensearch.security.privileges.actionlevel.RuntimeOptimizedActionPrivileges;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -117,7 +118,13 @@ static String[] allRestApiPermissions() {
     final RoleBasedActionPrivileges actionPrivileges;
 
     public RestEndpointPermissionTests() throws IOException {
-        this.actionPrivileges = new RoleBasedActionPrivileges(createRolesConfig(), FlattenedActionGroups.EMPTY, Settings.EMPTY);
+        this.actionPrivileges = new RoleBasedActionPrivileges(
+            createRolesConfig(),
+            FlattenedActionGroups.EMPTY,
+            RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+            Settings.EMPTY,
+            false
+        );
     }
 
     @Test