opensearch-project
diff --git a/‎src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java‎
Lines changed: 6 additions & 14 deletions b/‎src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java‎
Lines changed: 6 additions & 14 deletions
diff --git a/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DlsFlsLegacyHeadersTest.java‎
Lines changed: 7 additions & 29 deletions b/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DlsFlsLegacyHeadersTest.java‎
Lines changed: 7 additions & 29 deletions
diff --git a/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java‎
Lines changed: 12 additions & 30 deletions b/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java‎
Lines changed: 12 additions & 30 deletions
diff --git a/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldMaskingTest.java‎
Lines changed: 2 additions & 14 deletions b/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldMaskingTest.java‎
Lines changed: 2 additions & 14 deletions
diff --git a/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldPrivilegesTest.java‎
Lines changed: 2 additions & 14 deletions b/‎src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldPrivilegesTest.java‎
Lines changed: 2 additions & 14 deletions
diff --git a/‎src/integrationTest/java/org/opensearch/security/util/MockPrivilegeEvaluationContextBuilder.java‎
Lines changed: 17 additions & 2 deletions b/‎src/integrationTest/java/org/opensearch/security/util/MockPrivilegeEvaluationContextBuilder.java‎
Lines changed: 17 additions & 2 deletions
@@ -25,6 +25,7 @@
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.User;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 
 import static org.opensearch.security.util.MockIndexMetadataBuilder.indices;
 import static org.junit.Assert.assertEquals;
@@ -232,19 +233,10 @@ public void equals() {
     }
 
     private static PrivilegesEvaluationContext ctx() {
-        IndexNameExpressionResolver indexNameExpressionResolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
-        IndexResolverReplacer indexResolverReplacer = new IndexResolverReplacer(indexNameExpressionResolver, () -> CLUSTER_STATE, null);
-        User user = new User("test_user").withAttributes(ImmutableMap.of("attrs.a11", "a11", "attrs.year", "year"));
-        return new PrivilegesEvaluationContext(
-            user,
-            ImmutableSet.of(),
-            "indices:action/test",
-            null,
-            null,
-            indexResolverReplacer,
-            indexNameExpressionResolver,
-            () -> CLUSTER_STATE,
-            ActionPrivileges.EMPTY
-        );
+        return MockPrivilegeEvaluationContextBuilder.ctx()
+                .action("indices:action/test")
+                .attr("attrs.a11", "a11")
+                .attr("attrs.year", "year")
+                .get();
     }
 }
@@ -15,14 +15,12 @@
 import java.util.Map;
 
 import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
 import org.junit.Test;
 
 import org.opensearch.Version;
 import org.opensearch.action.admin.cluster.shards.ClusterSearchShardsRequest;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.cluster.ClusterState;
-import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.Metadata;
 import org.opensearch.common.CheckedFunction;
 import org.opensearch.common.settings.Settings;
@@ -35,14 +33,13 @@
 import org.opensearch.index.query.RangeQueryBuilder;
 import org.opensearch.index.query.TermQueryBuilder;
 import org.opensearch.search.internal.ShardSearchRequest;
-import org.opensearch.security.privileges.ActionPrivileges;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.support.Base64Helper;
 import org.opensearch.security.support.ConfigConstants;
-import org.opensearch.security.user.User;
 import org.opensearch.security.util.MockIndexMetadataBuilder;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.transport.Transport;
 
@@ -335,40 +332,21 @@ public void prepare_ccs() throws Exception {
 
         ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
         threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, true);
-        User user = new User("test_user");
         ClusterState clusterState = ClusterState.builder(ClusterState.EMPTY_STATE).metadata(metadata).build();
 
-        PrivilegesEvaluationContext ctx = new PrivilegesEvaluationContext(
-            user,
-            ImmutableSet.of("test_role"),
-            null,
-            new ClusterSearchShardsRequest(),
-            null,
-            null,
-            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
-            () -> clusterState,
-            ActionPrivileges.EMPTY
-        );
+        PrivilegesEvaluationContext ctx = MockPrivilegeEvaluationContextBuilder.ctx()
+            .roles("test_role")
+            .request(new ClusterSearchShardsRequest())
+            .clusterState(clusterState)
+            .get();
 
         DlsFlsLegacyHeaders.prepare(threadContext, ctx, dlsFlsProcessedConfig(exampleRolesConfig(), metadata), metadata, false);
         assertTrue(threadContext.getResponseHeaders().containsKey(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER));
     }
 
     static PrivilegesEvaluationContext ctx(Metadata metadata, String... roles) {
-        User user = new User("test_user");
         ClusterState clusterState = ClusterState.builder(ClusterState.EMPTY_STATE).metadata(metadata).build();
-
-        return new PrivilegesEvaluationContext(
-            user,
-            ImmutableSet.copyOf(roles),
-            null,
-            null,
-            null,
-            null,
-            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
-            () -> clusterState,
-            ActionPrivileges.EMPTY
-        );
+        return MockPrivilegeEvaluationContextBuilder.ctx().roles(roles).clusterState(clusterState).get();
     }
 
     static DlsFlsProcessedConfig dlsFlsProcessedConfig(SecurityDynamicConfiguration<RoleV7> rolesConfig, Metadata metadata) {
 
@@ -32,12 +32,12 @@
 import org.junit.runners.Parameterized;
 import org.junit.runners.Suite;
 
-import org.opensearch.action.IndicesRequest;
-import org.opensearch.action.support.IndicesOptions;
+import org.opensearch.action.support.ActionRequestMetadata;
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.IndexAbstraction;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.metadata.ResolvedIndices;
 import org.opensearch.common.CheckedFunction;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
@@ -56,7 +56,6 @@
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluationException;
 import org.opensearch.security.privileges.actionlevel.RoleBasedActionPrivileges;
-import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.user.User;
@@ -531,6 +530,7 @@ public IndicesAndAliases_getRestriction(
                 null,
                 null,
                 null,
+                null,
                 () -> CLUSTER_STATE,
                 ActionPrivileges.EMPTY
             );
@@ -567,17 +567,12 @@ public static class IndicesAndAliases_isUnrestricted {
         final static IndexNameExpressionResolver INDEX_NAME_EXPRESSION_RESOLVER = new IndexNameExpressionResolver(
             new ThreadContext(Settings.EMPTY)
         );
-        final static IndexResolverReplacer RESOLVER_REPLACER = new IndexResolverReplacer(
-            INDEX_NAME_EXPRESSION_RESOLVER,
-            () -> CLUSTER_STATE,
-            null
-        );
 
         final Statefulness statefulness;
         final UserSpec userSpec;
         final User user;
         final IndicesSpec indicesSpec;
-        final IndexResolverReplacer.Resolved resolvedIndices;
+        final ResolvedIndices resolvedIndices;
         final PrivilegesEvaluationContext context;
         final boolean dfmEmptyOverridesAll;
 
@@ -685,7 +680,7 @@ public void alias_static() throws Exception {
             DocumentPrivileges subject = createSubject(roleConfig);
             boolean result = subject.isUnrestricted(context, resolvedIndices);
 
-            if (resolvedIndices.getAllIndices().contains("index_b1")) {
+            if (resolvedIndices.local().names().contains("index_b1")) {
                 // index_b1 is not covered by any of the above roles, so there should be always a restriction
                 assertFalse(result);
             } else if (dfmEmptyOverridesAll && userSpec.roles.contains("non_dls_role")) {
@@ -741,7 +736,7 @@ public void alias_wildcard() throws Exception {
             DocumentPrivileges subject = createSubject(roleConfig);
             boolean result = subject.isUnrestricted(context, resolvedIndices);
 
-            if (resolvedIndices.getAllIndices().contains("index_b1")) {
+            if (resolvedIndices.local().names().contains("index_b1")) {
                 // index_b1 is not covered by any of the above roles, so there should be always a restriction
                 assertFalse(result);
             } else if (dfmEmptyOverridesAll && userSpec.roles.contains("non_dls_role")) {
@@ -771,7 +766,7 @@ public void alias_template() throws Exception {
             if (userSpec.attributes.isEmpty()) {
                 // All roles defined above use attributes. If there are no user attributes, we must get a restricted result.
                 assertFalse(result);
-            } else if (resolvedIndices.getAllIndices().contains("index_b1")) {
+            } else if (resolvedIndices.local().names().contains("index_b1")) {
                 // index_b1 is not covered by any of the above roles, so there should be always a restriction
                 assertFalse(result);
             } else if (dfmEmptyOverridesAll && userSpec.roles.contains("non_dls_role")) {
@@ -828,30 +823,15 @@ public IndicesAndAliases_isUnrestricted(
             this.userSpec = userSpec;
             this.indicesSpec = indicesSpec;
             this.user = userSpec.buildUser();
-            this.resolvedIndices = RESOLVER_REPLACER.resolveRequest(new IndicesRequest.Replaceable() {
-
-                @Override
-                public String[] indices() {
-                    return indicesSpec.indices.toArray(new String[0]);
-                }
-
-                @Override
-                public IndicesOptions indicesOptions() {
-                    return IndicesOptions.LENIENT_EXPAND_OPEN_CLOSED;
-                }
-
-                @Override
-                public IndicesRequest indices(String... strings) {
-                    return this;
-                }
-            });
+            this.resolvedIndices = ResolvedIndices.of(indicesSpec.indices);
             this.context = new PrivilegesEvaluationContext(
                 this.user,
                 ImmutableSet.copyOf(userSpec.roles),
                 null,
                 null,
+                ActionRequestMetadata.empty(),
+                null,
                 null,
-                RESOLVER_REPLACER,
                 INDEX_NAME_EXPRESSION_RESOLVER,
                 () -> CLUSTER_STATE,
                 ActionPrivileges.EMPTY
@@ -1151,7 +1131,9 @@ public DataStreams_getRestriction(
                 null,
                 null,
                 null,
+                null,
                 () -> CLUSTER_STATE,
+
                 ActionPrivileges.EMPTY
             );
             this.statefulness = statefulness;
 
@@ -13,7 +13,6 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 
-import com.google.common.collect.ImmutableSet;
 import org.apache.lucene.util.BytesRef;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -22,13 +21,12 @@
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.Metadata;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.security.privileges.ActionPrivileges;
 import org.opensearch.security.privileges.PrivilegesConfigurationValidationException;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.support.WildcardMatcher;
-import org.opensearch.security.user.User;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 import org.opensearch.test.framework.TestSecurityConfig;
 
 import static org.opensearch.security.privileges.dlsfls.FieldMasking.Config.BLAKE2B_LEGACY_DEFAULT;
@@ -117,17 +115,7 @@ static FieldMasking createSubject(SecurityDynamicConfiguration<RoleV7> roleConfi
         }
 
         static PrivilegesEvaluationContext ctx(String... roles) {
-            return new PrivilegesEvaluationContext(
-                new User("test_user"),
-                ImmutableSet.copyOf(roles),
-                null,
-                null,
-                null,
-                null,
-                null,
-                () -> CLUSTER_STATE,
-                ActionPrivileges.EMPTY
-            );
+            return MockPrivilegeEvaluationContextBuilder.ctx().roles(roles).get();
         }
     }
 
 
@@ -13,21 +13,19 @@
 import java.util.Arrays;
 import java.util.Collections;
 
-import com.google.common.collect.ImmutableSet;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Suite;
 
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.Metadata;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.security.privileges.ActionPrivileges;
 import org.opensearch.security.privileges.PrivilegesConfigurationValidationException;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.support.WildcardMatcher;
-import org.opensearch.security.user.User;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 import org.opensearch.test.framework.TestSecurityConfig;
 
 import static org.opensearch.security.util.MockIndexMetadataBuilder.indices;
@@ -154,17 +152,7 @@ static FieldPrivileges createSubject(SecurityDynamicConfiguration<RoleV7> roleCo
         }
 
         static PrivilegesEvaluationContext ctx(String... roles) {
-            return new PrivilegesEvaluationContext(
-                new User("test_user"),
-                ImmutableSet.copyOf(roles),
-                null,
-                null,
-                null,
-                null,
-                null,
-                () -> CLUSTER_STATE,
-                ActionPrivileges.EMPTY
-            );
+            return MockPrivilegeEvaluationContextBuilder.ctx().roles(roles).get();
         }
     }
 
 
@@ -20,6 +20,8 @@
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.support.ActionRequestMetadata;
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.Metadata;
@@ -47,6 +49,8 @@ public static MockPrivilegeEvaluationContextBuilder ctx() {
     private Set<String> roles = new HashSet<>();
     private ClusterState clusterState = EMPTY_CLUSTER_STATE;
     private ActionPrivileges actionPrivileges = ActionPrivileges.EMPTY;
+    private String action;
+    private ActionRequest request;
 
     public MockPrivilegeEvaluationContextBuilder attr(String key, String value) {
         this.attributes.put(key, value);
@@ -72,15 +76,26 @@ public MockPrivilegeEvaluationContextBuilder actionPrivileges(ActionPrivileges a
         return this;
     }
 
+    public MockPrivilegeEvaluationContextBuilder action(String action) {
+        this.action = action;
+        return this;
+    }
+
+    public MockPrivilegeEvaluationContextBuilder request(ActionRequest request) {
+        this.request = request;
+        return this;
+    }
+
     public PrivilegesEvaluationContext get() {
         IndexNameExpressionResolver indexNameExpressionResolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
 
         User user = new User(this.username).withAttributes(ImmutableMap.copyOf(this.attributes));
         return new PrivilegesEvaluationContext(
             user,
             ImmutableSet.copyOf(roles),
-            null,
-            null,
+            action,
+            request,
+            ActionRequestMetadata.empty(),
             null,
             new IndexResolverReplacer(indexNameExpressionResolver, () -> clusterState, null),
             indexNameExpressionResolver,