Optimize getFieldFilter to only return a predicate when index has FLS restrictions for user

Signed-off-by: Craig Perkins <[email protected]>

Author: cwperks

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -2328,13 +2328,24 @@ public Collection<Class<? extends LifecycleComponent>> getGuiceServiceClasses()
     public Function<String, Predicate<String>> getFieldFilter() {
         return index -> {
             if (threadPool == null || dlsFlsValve == null) {
-                return field -> true;
+                return NOOP_FIELD_PREDICATE;
             }
 
             PrivilegesEvaluationContext ctx = this.dlsFlsBaseContext != null
                 ? this.dlsFlsBaseContext.getPrivilegesEvaluationContext()
                 : null;
 
+            boolean indexHasRestrictions = false;
+            try {
+                indexHasRestrictions = dlsFlsValve.indexHasFlsRestrictions(index, ctx);
+            } catch (PrivilegesEvaluationException e) {
+                log.error("Error while evaluating FLS restrictions for {}", index, e);
+            }
+
+            if (!indexHasRestrictions) {
+                return NOOP_FIELD_PREDICATE;
+            }
+
             return field -> {
                 try {
                     return dlsFlsValve.isFieldAllowed(index, field, ctx);

src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java

@@ -51,6 +51,8 @@ public interface DlsFlsRequestValve {
 
     boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException;
 
+    boolean indexHasFlsRestrictions(String index, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException;
+
     public static class NoopDlsFlsRequestValve implements DlsFlsRequestValve {
 
         @Override
@@ -87,6 +89,11 @@ public boolean hasFieldMasking(String index) {
         public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) {
             return true;
         }
+
+        @Override
+        public boolean indexHasFlsRestrictions(String index, PrivilegesEvaluationContext ctx) {
+            return false;
+        }
     }
 
 }

src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java

@@ -538,6 +538,15 @@ public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationCo
         return config.getFieldPrivileges().getRestriction(ctx, index).isAllowedRecursive(field);
     }
 
+    @Override
+    public boolean indexHasFlsRestrictions(String index, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException {
+        if (ctx == null) {
+            return false;
+        }
+        DlsFlsProcessedConfig config = this.dlsFlsProcessedConfig.get();
+        return !config.getFieldPrivileges().getRestriction(ctx, index).isUnrestricted();
+    }
+
     private static InternalAggregation aggregateBuckets(InternalAggregation aggregation) {
         if (aggregation instanceof StringTerms) {
             StringTerms stringTerms = (StringTerms) aggregation;