Filter out the regular index when it is a mixed request with both sys…

…tem indices and regular indices Signed-off-by: Ryan Liang <[email protected]>
RyanL1997 · Oct 28, 2023 · ac9416e · ac9416e
1 parent 1dc296b
commit ac9416e
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 7 deletions.
diff --git a/src/integrationTest/java/org/opensearch/security/http/ServiceAccountAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/ServiceAccountAuthenticationTest.java
@@ -128,6 +128,18 @@ public void testReadNonSysIndexWithServiceAccountCred() {
         }
     }
 
+    @Test
+    public void testReadBothWithServiceAccountCred() {
+        try (TestRestClient client = cluster.getRestClient(SERVICE_ACCOUNT_USER_NAME, DEFAULT_PASSWORD)) {
+            client.confirmCorrectCredentials(SERVICE_ACCOUNT_USER_NAME);
+            TestRestClient.HttpResponse response = client.get("test-non-sys-index,test-sys-index");
+            response.assertStatusCode(HttpStatus.SC_OK);
+            // TODO: CHECK IT ONLY READ SYSTEM INDEX AND FILTERED OUT REGULAR INDEX
+            // TODO: REMOVE THIS AND PARSING/CHECKING THE RESPONSE
+            System.out.println(response);
+        }
+    }
+
     // TODO: REMOVE THIS DEBUGGING TEST CASE
     @Test
     public void testReadNonSysIndexWithAdminCred() {

diff --git a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
@@ -199,6 +199,29 @@ private List<String> getAllProtectedSystemIndices(final Resolved requestedResolv
         return new ArrayList<>(superAdminAccessOnlyIndexMatcher.getMatchAny(requestedResolved.getAllIndices(), Collectors.toList()));
     }
 
+    /**
+     * Checks if the request contains any regular (non-system and non-protected) indices.
+     * Regular indices are those that are not categorized as system indices or protected system indices.
+     * This method helps in identifying requests that might be accessing regular indices alongside system indices.
+     * @param requestedResolved The resolved object of the request, which contains the list of indices from the original request.
+     * @return true if the request contains any regular indices, false otherwise.
+     */
+    private boolean requestContainsAnyRegularIndices(final Resolved requestedResolved) {
+        Set<String> allIndices = requestedResolved.getAllIndices();
+
+        List<String> allSystemIndices = getAllSystemIndices(requestedResolved);
+        List<String> allProtectedSystemIndices = getAllProtectedSystemIndices(requestedResolved);
+
+        for (String index : allIndices) {
+            // Check if the index is not in the list of system or protected system indices
+            if (!allSystemIndices.contains(index) && !allProtectedSystemIndices.contains(index)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Is the current action allowed to be performed on security index
      * @param action request action on security index
@@ -233,17 +256,41 @@ private void evaluateSystemIndicesAccess(
     ) {
         // Perform access check is system index permissions are enabled
         boolean containsSystemIndex = requestContainsAnySystemIndices(requestedResolved);
+        boolean containsRegularIndex = requestContainsAnyRegularIndices(requestedResolved);
         boolean serviceAccountUser = user.isServiceAccount();
 
         if (isSystemIndexPermissionEnabled) {
-            if (serviceAccountUser && !containsSystemIndex) {
-                auditLog.logSecurityIndexAttempt(request, action, task);
-                if (log.isInfoEnabled()) {
-                    log.info("{} not permitted for a service account {} on non system indices.", action, securityRoles);
+            if (serviceAccountUser) {
+                if (!containsSystemIndex && containsRegularIndex) {
+                    auditLog.logSecurityIndexAttempt(request, action, task);
+                    if (log.isInfoEnabled()) {
+                        log.info("{} not permitted for a service account {} on non-system indices.", action, securityRoles);
+                    }
+                    presponse.allowed = false;
+                    presponse.markComplete();
+                    return;
+                } else if (containsSystemIndex && containsRegularIndex) {
+                    // Filter out regular indices
+                    List<String> systemIndices = getAllSystemIndices(requestedResolved);
+                    irr.replace(request, false, systemIndices.toArray(new String[0]));
+                    if (log.isDebugEnabled()) {
+                        log.debug("Filtered out regular indices, resulting list is {}", systemIndices);
+                    }
+                    // Recalculate indices after filtering
+                    Resolved filteredResolved = irr.resolveRequest(request);
+                    evaluateSystemIndicesAccess(
+                        action,
+                        filteredResolved,
+                        request,
+                        task,
+                        presponse,
+                        securityRoles,
+                        user,
+                        resolver,
+                        clusterService
+                    );
+                    return;
                 }
-                presponse.allowed = false;
-                presponse.markComplete();
-                return;
             }
             boolean containsProtectedIndex = requestContainsAnyProtectedSystemIndices(requestedResolved);
             if (containsProtectedIndex) {