Ensure ResourceProvider exists for extracted resourceType (#5802)

cwperks · web-flow · commit dcbaa1a249b2 · 2025-11-19T16:13:01.000-08:00
diff --git a/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/disabled/DirectIndexAccessTests.java b/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/disabled/DirectIndexAccessTests.java
@@ -31,6 +31,7 @@
 import static org.opensearch.sample.resource.TestUtils.SAMPLE_RESOURCE_SEARCH_ENDPOINT;
 import static org.opensearch.sample.resource.TestUtils.newCluster;
 import static org.opensearch.sample.utils.Constants.RESOURCE_INDEX_NAME;
+import static org.opensearch.sample.utils.Constants.RESOURCE_TYPE;
 import static org.opensearch.security.api.AbstractApiIntegrationTest.forbidden;
 import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
 
@@ -66,7 +67,7 @@ public void testRawAccess_noAccessUser() throws Exception {
 
             // cannot access any raw request
             try (TestRestClient client = cluster.getRestClient(NO_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -89,7 +90,7 @@ public void testRawAccess_limitedAccessUser() {
 
             // cannot create a resource since user doesn't have indices:data/write/index permission
             try (TestRestClient client = cluster.getRestClient(LIMITED_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -114,7 +115,7 @@ public void testRawAccess_allAccessUser() {
 
             // cannot create a resource directly since system index protection (SIP) is enabled
             try (TestRestClient client = cluster.getRestClient(FULL_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -179,7 +180,7 @@ public void testRawAccess_noAccessUser() {
 
             // cannot access any raw request
             try (TestRestClient client = cluster.getRestClient(NO_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 TestRestClient.HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -202,7 +203,7 @@ public void testRawAccess_limitedAccessUser() {
 
             // cannot create a resource since user doesn't have indices:data/write/index permission
             try (TestRestClient client = cluster.getRestClient(LIMITED_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 TestRestClient.HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -228,7 +229,7 @@ public void testRawAccess_allAccessUser() {
             // can create a resource
             String userResId;
             try (TestRestClient client = cluster.getRestClient(FULL_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 TestRestClient.HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_CREATED);
                 userResId = resp.getTextFromJsonBody("/_id");
diff --git a/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/enabled/DirectIndexAccessTests.java b/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/enabled/DirectIndexAccessTests.java
@@ -36,6 +36,7 @@
 import static org.opensearch.sample.resource.TestUtils.directSharePayload;
 import static org.opensearch.sample.resource.TestUtils.newCluster;
 import static org.opensearch.sample.utils.Constants.RESOURCE_INDEX_NAME;
+import static org.opensearch.sample.utils.Constants.RESOURCE_TYPE;
 import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
 
 /**
@@ -62,7 +63,7 @@ public static class SystemIndexEnabled {
         private void assertResourceIndexAccess(String id, TestSecurityConfig.User user) {
             // cannot interact with resource index
             try (TestRestClient client = cluster.getRestClient(user)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -196,7 +197,7 @@ public void testRawAccess_noAccessUser() {
 
             // cannot access any raw request
             try (TestRestClient client = cluster.getRestClient(NO_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -221,7 +222,7 @@ public void testRawAccess_limitedAccessUser() {
 
             // cannot create a resource since user doesn't have indices:data/write/index permission
             try (TestRestClient client = cluster.getRestClient(LIMITED_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc", sample);
                 resp.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
@@ -259,7 +260,7 @@ public void testRawAccess_allAccessUser() {
             // can create a resource
             String userResId;
             try (TestRestClient client = cluster.getRestClient(FULL_ACCESS_USER)) {
-                String sample = "{\"name\":\"sampleUser\"}";
+                String sample = "{\"name\":\"sampleUser\",\"resource_type\":\"" + RESOURCE_TYPE + "\"}";
                 HttpResponse resp = client.postJson(RESOURCE_INDEX_NAME + "/_doc?refresh=true", sample);
                 resp.assertStatusCode(HttpStatus.SC_CREATED);
                 userResId = resp.getTextFromJsonBody("/_id");
diff --git a/sample-resource-plugin/src/main/java/org/opensearch/sample/SampleResourceGroup.java b/sample-resource-plugin/src/main/java/org/opensearch/sample/SampleResourceGroup.java
@@ -25,7 +25,6 @@
 import static org.opensearch.core.xcontent.ConstructingObjectParser.constructorArg;
 import static org.opensearch.core.xcontent.ConstructingObjectParser.optionalConstructorArg;
 import static org.opensearch.sample.utils.Constants.RESOURCE_GROUP_TYPE;
-import static org.opensearch.sample.utils.Constants.RESOURCE_TYPE;
 
 /**
  * Sample resource group declared by this plugin.
@@ -45,7 +44,7 @@ public SampleResourceGroup(StreamInput in) throws IOException {
     }
 
     private static final ConstructingObjectParser<SampleResourceGroup, Void> PARSER = new ConstructingObjectParser<>(
-        RESOURCE_TYPE,
+        RESOURCE_GROUP_TYPE,
         true,
         a -> {
             SampleResourceGroup s;
@@ -56,21 +55,27 @@ public SampleResourceGroup(StreamInput in) throws IOException {
             }
             s.setName((String) a[0]);
             s.setDescription((String) a[1]);
+            // ignore a[2] as we know the type
             return s;
         }
     );
 
     static {
         PARSER.declareString(constructorArg(), new ParseField("name"));
         PARSER.declareStringOrNull(optionalConstructorArg(), new ParseField("description"));
+        PARSER.declareStringOrNull(optionalConstructorArg(), new ParseField("resource_type"));
     }
 
     public static SampleResourceGroup fromXContent(XContentParser parser) throws IOException {
         return PARSER.parse(parser, null);
     }
 
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
-        return builder.startObject().field("name", name).field("description", description).endObject();
+        return builder.startObject()
+            .field("name", name)
+            .field("description", description)
+            .field("resource_type", RESOURCE_GROUP_TYPE)
+            .endObject();
     }
 
     public void writeTo(StreamOutput out) throws IOException {
diff --git a/src/main/java/org/opensearch/security/resources/ResourceIndexListener.java b/src/main/java/org/opensearch/security/resources/ResourceIndexListener.java
@@ -22,6 +22,7 @@
 import org.opensearch.security.resources.sharing.CreatedBy;
 import org.opensearch.security.resources.sharing.ResourceSharing;
 import org.opensearch.security.setting.OpensearchDynamicSetting;
+import org.opensearch.security.spi.resources.ResourceProvider;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.user.User;
 import org.opensearch.threadpool.ThreadPool;
@@ -76,6 +77,15 @@ public void postIndex(ShardId shardId, Engine.Index index, Engine.IndexResult re
         String resourceType = resourcePluginInfo.getResourceTypeForIndexOp(resourceIndex, index);
 
         String resourceId = index.id();
+        ResourceProvider provider = resourcePluginInfo.getResourceProvider(resourceType);
+        if (provider == null) {
+            log.warn(
+                "Failed to create a resource sharing entry for resource: {} with type: {}. The type is not declared as a protected type in plugins.security.experimental.resource_sharing.protected_types.",
+                resourceId,
+                resourceType
+            );
+            return;
+        }
 
         // Only proceed if this was a create operation and for primary shard
         if (!index.origin().equals(Engine.Operation.Origin.PRIMARY)) {
