Support for alias based DLS/FLS evaluation

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/main/java/org/opensearch/security/privileges/dlsfls/AbstractRuleBasedPrivileges.java

@@ -25,6 +25,7 @@
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.cluster.metadata.IndexAbstraction;
+import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.metadata.OptionallyResolvedIndices;
 import org.opensearch.cluster.metadata.ResolvedIndices;
 import org.opensearch.common.settings.Settings;
@@ -230,6 +231,46 @@ public boolean isUnrestricted(PrivilegesEvaluationContext context, String index)
     private boolean hasUnrestrictedRulesExplicit(PrivilegesEvaluationContext context, StatefulRules<SingleRule> statefulRules, String index)
         throws PrivilegesEvaluationException {
 
+        if (hasUnrestrictedRulesExplicitNoRecursion(context, statefulRules, index)) {
+            return true;
+        }
+
+        IndexAbstraction indexAbstraction = context.getIndicesLookup().get(index);
+        if (indexAbstraction instanceof IndexAbstraction.Index) {
+            for (String parent : getParents(indexAbstraction)) {
+                if (hasUnrestrictedRulesExplicitNoRecursion(context, statefulRules, parent)) {
+                    return true;
+                }
+            }
+        } else if (indexAbstraction instanceof IndexAbstraction.DataStream || indexAbstraction instanceof IndexAbstraction.Alias) {
+            // If we got an alias or a data stream, we might be also unrestricted if all member indices are unrestricted
+
+            List<IndexMetadata> memberIndices = indexAbstraction.getIndices();
+            int unrestrictedMemberIndices = 0;
+
+            for (IndexMetadata memberIndex : memberIndices) {
+                if (hasUnrestrictedRulesExplicitNoRecursion(context, statefulRules, memberIndex.getIndex().getName())) {
+                    unrestrictedMemberIndices++;
+                }
+            }
+
+            if (unrestrictedMemberIndices == memberIndices.size()) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Should be only called by hasUnrestrictedRulesExplicit()
+     */
+    private boolean hasUnrestrictedRulesExplicitNoRecursion(
+        PrivilegesEvaluationContext context,
+        StatefulRules<SingleRule> statefulRules,
+        String index
+    ) throws PrivilegesEvaluationException {
+
         if (statefulRules != null && statefulRules.covers(index)) {
             Set<String> roleWithoutRule = statefulRules.indexToRoleWithoutRule.get(index);
 
@@ -246,17 +287,7 @@ private boolean hasUnrestrictedRulesExplicit(PrivilegesEvaluationContext context
             return true;
         }
 
-        IndexAbstraction indexAbstraction = context.getIndicesLookup().get(index);
-        if (indexAbstraction != null) {
-            for (String parent : getParents(indexAbstraction)) {
-                if (hasUnrestrictedRulesExplicit(context, statefulRules, parent)) {
-                    return true;
-                }
-            }
-        }
-
         return false;
-
     }
 
     /**
@@ -283,9 +314,17 @@ private boolean hasRestrictedRulesExplicit(PrivilegesEvaluationContext context,
         }
 
         IndexAbstraction indexAbstraction = context.getIndicesLookup().get(index);
-        if (indexAbstraction != null) {
+        if (indexAbstraction instanceof IndexAbstraction.Index) {
             for (String parent : getParents(indexAbstraction)) {
-                if (hasRestrictedRulesExplicit(context, statefulRules, parent)) {
+                if (hasRestrictedRulesExplicitNoRecursion(context, statefulRules, parent)) {
+                    return true;
+                }
+            }
+        } else if (indexAbstraction instanceof IndexAbstraction.DataStream || indexAbstraction instanceof IndexAbstraction.Alias) {
+            // If we got an alias or a data stream, we might be also restricted if there is a member index that is restricted
+
+            for (IndexMetadata memberIndex : indexAbstraction.getIndices()) {
+                if (hasRestrictedRulesExplicitNoRecursion(context, statefulRules, memberIndex.getIndex().getName())) {
                     return true;
                 }
             }
@@ -294,6 +333,34 @@ private boolean hasRestrictedRulesExplicit(PrivilegesEvaluationContext context,
         return false;
     }
 
+    /**
+     * Should be only called by hasRestrictedRulesExplicit()
+     */
+    private boolean hasRestrictedRulesExplicitNoRecursion(
+        PrivilegesEvaluationContext context,
+        StatefulRules<SingleRule> statefulRules,
+        String index
+    ) throws PrivilegesEvaluationException {
+
+        if (statefulRules != null && statefulRules.covers(index)) {
+            Map<String, SingleRule> roleWithRule = statefulRules.indexToRoleToRule.get(index);
+
+            if (roleWithRule != null && CollectionUtils.containsAny(roleWithRule.keySet(), context.getMappedRoles())) {
+                return true;
+            }
+        } else {
+            if (this.staticRules.hasRestrictedPatterns(context, index)) {
+                return true;
+            }
+        }
+
+        if (this.staticRules.hasRestrictedPatternTemplates(context, index)) {
+            return true;
+        }
+
+        return false;
+    }
+
     /**
      * Returns true if the user specified by the given context parameter has roles which apply for the index wildcard ("*")
      * and which specify DLS rules.

src/test/java/org/opensearch/security/filter/SecurityFilterTests.java

@@ -34,7 +34,6 @@
 import org.opensearch.security.privileges.PrivilegesConfiguration;
 import org.opensearch.security.privileges.ResourceAccessEvaluator;
 import org.opensearch.security.privileges.RoleMapper;
-import org.opensearch.security.privileges.ResourceAccessEvaluator;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.threadpool.ThreadPool;