Skip to content

Commit

Permalink
Cleans up rest of the changes
Browse files Browse the repository at this point in the history
Signed-off-by: Darshit Chanpura <[email protected]>
  • Loading branch information
DarshitChanpura committed Sep 27, 2023
1 parent 5db55ea commit 9277ffe
Show file tree
Hide file tree
Showing 9 changed files with 847 additions and 184 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,8 @@
import java.util.Optional;
import java.util.Set;
import java.util.StringJoiner;
import java.util.regex.Pattern;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
Expand Down Expand Up @@ -106,12 +106,19 @@

public class PrivilegesEvaluator {

private static final WildcardMatcher ACTION_MATCHER = WildcardMatcher.from("indices:data/read/*search*");

private static final Pattern DNFOF_PATTERNS = Pattern.compile(
"indices:(data/read/.*|(admin/(mappings/fields/get.*|shards/search_shards|resolve/index)))"
static final WildcardMatcher DNFOF_MATCHER = WildcardMatcher.from(
ImmutableList.of(
"indices:data/read/*",
"indices:admin/mappings/fields/get*",
"indices:admin/shards/search_shards",
"indices:admin/resolve/index",
"indices:monitor/settings/get",
"indices:monitor/stats"
)
);

private static final WildcardMatcher ACTION_MATCHER = WildcardMatcher.from("indices:data/read/*search*");

private static final IndicesOptions ALLOW_EMPTY = IndicesOptions.fromOptions(true, true, false, false);

protected final Logger log = LogManager.getLogger(this.getClass());
Expand Down Expand Up @@ -195,25 +202,21 @@ private SecurityRoles getSecurityRoles(Set<String> roles) {
.lookupExtensionSettingsById(authenticatedUser.getName());
if (matchingExtension.isPresent()) {
Settings permissions = (Settings) matchingExtension.get().getAdditionalSettings().get(PERMISSIONS_SETTING);
List<Settings> indexPerms = permissions.getNestedListOfSettings("index_permissions");
Settings indexPerms = permissions.getAsSettings("index_permissions");
List<String> clusterPerms = permissions.getAsList("cluster_permissions");
if (indexPerms != null || clusterPerms != null) {
RoleV7 newRole = new RoleV7();
if (clusterPerms != null) {
newRole.setCluster_permissions(clusterPerms);
}
if (indexPerms != null) {
List<RoleV7.Index> allIndexPerms = new ArrayList<>();
for (Settings indexPerm : indexPerms) {
RoleV7.Index indexPermissions = new RoleV7.Index();
indexPermissions.setIndex_patterns(indexPerm.getAsList("index_patterns"));
indexPermissions.setAllowed_actions(indexPerm.getAsList("allowed_actions"));
allIndexPerms.add(indexPermissions);
}
newRole.setIndex_permissions(allIndexPerms);
}
securityRoles.addRole(newRole);
RoleV7 newRole = new RoleV7();
if (clusterPerms != null) {
newRole.setCluster_permissions(clusterPerms);
}
if (!indexPerms.keySet().isEmpty()) {
List<RoleV7.Index> allIndexPerms = new ArrayList<>();
RoleV7.Index indexPermissions = new RoleV7.Index();
indexPermissions.setIndex_patterns(indexPerms.getAsList("index_patterns"));
indexPermissions.setAllowed_actions(indexPerms.getAsList("allowed_actions"));
allIndexPerms.add(indexPermissions);
newRole.setIndex_permissions(allIndexPerms);
}
securityRoles.addRole(newRole);
}

return securityRoles;
Expand Down Expand Up @@ -339,7 +342,17 @@ public PrivilegesEvaluatorResponse evaluate(
}

// Security index access
if (securityIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse).isComplete()) {
if (securityIndexAccessEvaluator.evaluate(
request,
task,
action0,
requestedResolved,
presponse,
securityRoles,
user,
resolver,
clusterService
).isComplete()) {
return presponse;
}

Expand Down Expand Up @@ -505,7 +518,7 @@ public PrivilegesEvaluatorResponse evaluate(
}
}

if (dnfofEnabled && DNFOF_PATTERNS.matcher(action0).matches()) {
if (dnfofEnabled && DNFOF_MATCHER.test(action0)) {

if (requestedResolved.getAllIndices().isEmpty()) {
presponse.missingPrivileges.clear();
Expand Down
Loading

0 comments on commit 9277ffe

Please sign in to comment.