
Commit ef7c3db

committed
wip
Signed-off-by: Nils Bandener <[email protected]>
1 parent a735f3c commit ef7c3db

58 files changed

+3197
-1745
lines changed


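--- a/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java
@@ -47,6 +47,7 @@
 import org.opensearch.security.dlic.rest.api.Endpoint;
 import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.PermissionBuilder;
 import org.opensearch.security.privileges.actionlevel.RoleBasedActionPrivileges;
+import org.opensearch.security.privileges.actionlevel.RuntimeOptimizedActionPrivileges;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -117,7 +118,12 @@ static String[] allRestApiPermissions() {
 final RoleBasedActionPrivileges actionPrivileges;
 
 public RestEndpointPermissionTests() throws IOException {
-this.actionPrivileges = new RoleBasedActionPrivileges(createRolesConfig(), FlattenedActionGroups.EMPTY, Settings.EMPTY);
+this.actionPrivileges = new RoleBasedActionPrivileges(
+createRolesConfig(),
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 }
 
 @Test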

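--- a/src/integrationTest/java/org/opensearch/security/privileges/actionlevel/RoleBasedActionPrivilegesTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/actionlevel/RoleBasedActionPrivilegesTest.java
@@ -82,7 +82,12 @@ public void wellKnown() throws Exception {
 " cluster_permissions:\n" + //
 " - cluster:monitor/nodes/stats*", CType.ROLES);
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(subject.hasClusterPrivilege(ctx().roles("test_role").get(), "cluster:monitor/nodes/stats"), isAllowed());
 assertThat(
@@ -101,7 +106,12 @@ public void notWellKnown() throws Exception {
 " cluster_permissions:\n" + //
 " - cluster:monitor/nodes/stats*", CType.ROLES);
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(
 subject.hasClusterPrivilege(ctx().roles("test_role").get(), "cluster:monitor/nodes/stats/somethingnotwellknown"),
@@ -123,7 +133,12 @@ public void wildcard() throws Exception {
 " cluster_permissions:\n" + //
 " - '*'", CType.ROLES);
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(subject.hasClusterPrivilege(ctx().roles("test_role").get(), "cluster:whatever"), isAllowed());
 assertThat(
@@ -146,7 +161,12 @@ public void explicit_wellKnown() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(subject.hasExplicitClusterPrivilege(ctx().roles("explicit_role").get(), "cluster:monitor/nodes/stats"), isAllowed());
 assertThat(
@@ -177,7 +197,12 @@ public void explicit_notWellKnown() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(
 subject.hasExplicitClusterPrivilege(ctx().roles("explicit_role").get(), "cluster:monitor/nodes/notwellknown"),
@@ -203,7 +228,12 @@ public void hasAny_wellKnown() throws Exception {
 " cluster_permissions:\n" + //
 " - cluster:monitor/nodes/stats*", CType.ROLES);
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(
 subject.hasAnyClusterPrivilege(ctx().roles("test_role").get(), ImmutableSet.of("cluster:monitor/nodes/stats")),
@@ -233,7 +263,12 @@ public void hasAny_notWellKnown() throws Exception {
 " cluster_permissions:\n" + //
 " - cluster:monitor/nodes/*", CType.ROLES);
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(
 subject.hasAnyClusterPrivilege(ctx().roles("test_role").get(), ImmutableSet.of("cluster:monitor/nodes/notwellknown")),
@@ -270,7 +305,12 @@ public void hasAny_wildcard() throws Exception {
 " cluster_permissions:\n" + //
 " - '*'", CType.ROLES);
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 assertThat(subject.hasAnyClusterPrivilege(ctx().roles("test_role").get(), ImmutableSet.of("cluster:whatever")), isAllowed());
 
@@ -464,7 +504,12 @@ public IndicesAndAliases(IndexSpec indexSpec, ActionSpec actionSpec, Statefulnes
 .build();
 }
 
-this.subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, settings);
+this.subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+settings
+);
 
 if (statefulness == Statefulness.STATEFUL || statefulness == Statefulness.STATEFUL_LIMITED) {
 this.subject.updateStatefulIndexPrivileges(INDEX_METADATA.getIndicesLookup(), 1);
@@ -633,7 +678,12 @@ public DataStreams(IndexSpec indexSpec, ActionSpec actionSpec, Statefulness stat
 .build();
 }
 
-this.subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, settings);
+this.subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+settings
+);
 
 if (statefulness == Statefulness.STATEFUL || statefulness == Statefulness.STATEFUL_LIMITED) {
 this.subject.updateStatefulIndexPrivileges(INDEX_METADATA.getIndicesLookup(), 1);
@@ -800,7 +850,7 @@ public void relevantOnly_identity() throws Exception {
 
 assertTrue(
 "relevantOnly() returned identical object",
-RoleBasedActionPrivileges.StatefulIndexPrivileges.relevantOnly(metadata) == metadata
+RoleBasedActionPrivileges.StatefulIndexPrivileges.relevantOnly(metadata, i -> false) == metadata
 );
 }
 
@@ -814,7 +864,10 @@ public void relevantOnly_closed() throws Exception {
 assertNotNull("Original metadata contains index_open_1", metadata.get("index_open_1"));
 assertNotNull("Original metadata contains index_closed", metadata.get("index_closed"));
 
-Map<String, IndexAbstraction> filteredMetadata = RoleBasedActionPrivileges.StatefulIndexPrivileges.relevantOnly(metadata);
+Map<String, IndexAbstraction> filteredMetadata = RoleBasedActionPrivileges.StatefulIndexPrivileges.relevantOnly(
+metadata,
+i -> false
+);
 
 assertNotNull("Filtered metadata contains index_open_1", filteredMetadata.get("index_open_1"));
 assertNull("Filtered metadata does not contain index_closed", filteredMetadata.get("index_closed"));
@@ -827,7 +880,10 @@ public void relevantOnly_dataStreamBackingIndices() throws Exception {
 assertNotNull("Original metadata contains backing index", metadata.get(".ds-data_stream_1-000001"));
 assertNotNull("Original metadata contains data stream", metadata.get("data_stream_1"));
 
-Map<String, IndexAbstraction> filteredMetadata = RoleBasedActionPrivileges.StatefulIndexPrivileges.relevantOnly(metadata);
+Map<String, IndexAbstraction> filteredMetadata = RoleBasedActionPrivileges.StatefulIndexPrivileges.relevantOnly(
+metadata,
+i -> false
+);
 
 assertNull("Filtered metadata does not contain backing index", filteredMetadata.get(".ds-data_stream_1-000001"));
 assertNotNull("Filtered metadata contains data stream", filteredMetadata.get("data_stream_1"));
@@ -858,7 +914,12 @@ public void hasIndexPrivilege_errors() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
 ctx().roles("role_with_errors").get(),
@@ -884,7 +945,12 @@ public void hasExplicitIndexPrivilege_positive() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
 ctx().roles("test_role").get(),
@@ -904,7 +970,12 @@ public void hasExplicitIndexPrivilege_positive_wildcard() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
 ctx().roles("test_role").get(),
@@ -921,7 +992,12 @@ public void hasExplicitIndexPrivilege_noWildcard() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
 ctx().roles("test_role").get(),
@@ -941,7 +1017,12 @@ public void hasExplicitIndexPrivilege_negative_wrongAction() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
 ctx().roles("test_role").get(),
@@ -961,7 +1042,12 @@ public void hasExplicitIndexPrivilege_errors() throws Exception {
 CType.ROLES
 );
 
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
 ctx().roles("role_with_errors").get(),
@@ -990,7 +1076,12 @@ public void aliasesOnDataStreamBackingIndices() throws Exception {
 + " allowed_actions: ['indices:data/write/index']",
 CType.ROLES
 );
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 subject.updateStatefulIndexPrivileges(metadata.getIndicesLookup(), 2);
 
 PrivilegesEvaluatorResponse resultForIndexCoveredByAlias = subject.hasIndexPrivilege(
@@ -1021,6 +1112,7 @@ public void statefulDisabled() throws Exception {
 RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
 roles,
 FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
 Settings.builder().put(RoleBasedActionPrivileges.PRECOMPUTED_PRIVILEGES_ENABLED.getKey(), false).build()
 );
 subject.updateStatefulIndexPrivileges(metadata, 1);
@@ -1040,7 +1132,12 @@ public static class StatefulIndexPrivilegesHeapSize {
 
 @Test
 public void estimatedSize() throws Exception {
-RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(
+roles,
+FlattenedActionGroups.EMPTY,
+RuntimeOptimizedActionPrivileges.SpecialIndexProtection.NONE,
+Settings.EMPTY
+);
 
 subject.updateStatefulIndexPrivileges(indices, 1);
 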
