more data model

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequest.java

@@ -16,6 +16,7 @@
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivileges;
 import org.elasticsearch.xpack.core.security.support.NativeRealmValidationUtil;
@@ -44,7 +45,7 @@ public class PutRoleRequest extends ActionRequest implements WriteRequest<PutRol
     private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
     private Map<String, Object> metadata;
     private List<RoleDescriptor.RemoteIndicesPrivileges> remoteIndicesPrivileges = new ArrayList<>();
-    private List<RoleDescriptor.RemoteClusterPrivileges> remoteClusterPrivileges = new ArrayList<>();
+    private RemoteClusterPermissions remoteClusterPermissions = RemoteClusterPermissions.NONE;
 
     public PutRoleRequest(StreamInput in) throws IOException {
         super(in);
@@ -64,7 +65,7 @@ public PutRoleRequest(StreamInput in) throws IOException {
             remoteIndicesPrivileges = in.readCollectionAsList(RoleDescriptor.RemoteIndicesPrivileges::new);
         }
         if (in.getTransportVersion().onOrAfter(TransportVersions.ROLE_REMOTE_CLUSTER_PRIVS)) {
-            // TODO:
+            remoteClusterPermissions = new RemoteClusterPermissions(in);
         }
     }
 
@@ -100,8 +101,8 @@ public void addRemoteIndex(RoleDescriptor.RemoteIndicesPrivileges... privileges)
         remoteIndicesPrivileges.addAll(Arrays.asList(privileges));
     }
 
-    public void addRemoteCluster(RoleDescriptor.RemoteClusterPrivileges... privileges) {
-        remoteClusterPrivileges.addAll(Arrays.asList(privileges));
+    public void addRemoteCluster(RemoteClusterPermissions remoteClusterPermissions) {
+        this.remoteClusterPermissions = remoteClusterPermissions;
     }
 
     public void addRemoteIndex(
@@ -126,9 +127,9 @@ public void addRemoteIndex(
     }
 
     //TODO: who calls this ?
-    public void addRemoteCluster(final String[] privileges, final String[] remoteClusters) {
-        remoteClusterPrivileges.add(new RoleDescriptor.RemoteClusterPrivileges(remoteClusters, privileges));
-    }
+//    public void addRemoteCluster(final String[] privileges, final String[] remoteClusters) {
+//        remoteClusterPrivileges.add(new RoleDescriptor.RemoteClusterPrivileges(remoteClusters, privileges));
+//    }
 
     public void addIndex(
         String[] indices,
@@ -197,9 +198,10 @@ public boolean hasRemoteIndicesPrivileges() {
         return false == remoteIndicesPrivileges.isEmpty();
     }
 
-    public boolean hasRemoteClusterPrivileges() {
-        return false == remoteClusterPrivileges.isEmpty();
-    }
+    //TODO: who calls this ?
+    //public boolean hasRemoteClusterPrivileges() {
+     //   return false == remoteClusterPrivileges.isEmpty();
+   // }
 
     public List<RoleDescriptor.ApplicationResourcePrivileges> applicationPrivileges() {
         return Collections.unmodifiableList(applicationPrivileges);
@@ -255,7 +257,7 @@ public RoleDescriptor roleDescriptor() {
             metadata,
             Collections.emptyMap(),
             remoteIndicesPrivileges.toArray(new RoleDescriptor.RemoteIndicesPrivileges[0]),
-            remoteClusterPrivileges.toArray(new RoleDescriptor.RemoteClusterPrivileges[0]),
+            remoteClusterPermissions,
             null
         );
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequestBuilder.java

@@ -41,7 +41,7 @@ public PutRoleRequestBuilder source(String name, BytesReference source, XContent
         request.conditionalCluster(descriptor.getConditionalClusterPrivileges());
         request.addIndex(descriptor.getIndicesPrivileges());
         request.addRemoteIndex(descriptor.getRemoteIndicesPrivileges());
-        request.addRemoteCluster(descriptor.getRemoteClusterPrivileges());
+        request.addRemoteCluster(descriptor.getRemoteClusterPermissions());
         request.addApplicationPrivileges(descriptor.getApplicationPrivileges());
         request.runAs(descriptor.getRunAs());
         request.metadata(descriptor.getMetadata());

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java

@@ -64,7 +64,7 @@ public class RoleDescriptor implements ToXContentObject, Writeable {
     private final ApplicationResourcePrivileges[] applicationPrivileges;
     private final String[] runAs;
     private final RemoteIndicesPrivileges[] remoteIndicesPrivileges;
-    private final RemoteClusterPrivileges[] remoteClusterPrivileges;
+    private final RemoteClusterPermissions remoteClusterPermissions;
     private final Restriction restriction;
     private final Map<String, Object> metadata;
     private final Map<String, Object> transientMetadata;
@@ -91,7 +91,7 @@ public RoleDescriptor(
 
     /**
      * @deprecated Use {@link #RoleDescriptor(String, String[], IndicesPrivileges[], ApplicationResourcePrivileges[],
-     * ConfigurableClusterPrivilege[], String[], Map, Map, RemoteIndicesPrivileges[], RemoteClusterPrivileges[], Restriction)}
+     * ConfigurableClusterPrivilege[], String[], Map, Map, RemoteIndicesPrivileges[], RemoteClusterPermissions, Restriction)}
      */
     @Deprecated
     public RoleDescriptor(
@@ -106,7 +106,7 @@ public RoleDescriptor(
 
     /**
      * @deprecated Use {@link #RoleDescriptor(String, String[], IndicesPrivileges[], ApplicationResourcePrivileges[],
-     * ConfigurableClusterPrivilege[], String[], Map, Map, RemoteIndicesPrivileges[], RemoteClusterPrivileges[], Restriction)}
+     * ConfigurableClusterPrivilege[], String[], Map, Map, RemoteIndicesPrivileges[], RemoteClusterPermissions, Restriction)}
      */
     @Deprecated
     public RoleDescriptor(
@@ -127,7 +127,7 @@ public RoleDescriptor(
             metadata,
             transientMetadata,
             RemoteIndicesPrivileges.NONE,
-            RemoteClusterPrivileges.NONE,
+            RemoteClusterPermissions.NONE,
             Restriction.NONE
         );
     }
@@ -152,7 +152,7 @@ public RoleDescriptor(
             metadata,
             transientMetadata,
             RemoteIndicesPrivileges.NONE,
-            RemoteClusterPrivileges.NONE,
+            RemoteClusterPermissions.NONE,
             Restriction.NONE
         );
     }
@@ -167,7 +167,7 @@ public RoleDescriptor(
         @Nullable Map<String, Object> metadata,
         @Nullable Map<String, Object> transientMetadata,
         @Nullable RemoteIndicesPrivileges[] remoteIndicesPrivileges,
-        @Nullable RemoteClusterPrivileges[] remoteClusterPrivileges,
+        @Nullable RemoteClusterPermissions remoteClusterPermissions,
         @Nullable Restriction restriction
     ) {
         this.name = name;
@@ -181,7 +181,9 @@ public RoleDescriptor(
             ? Collections.unmodifiableMap(transientMetadata)
             : Collections.singletonMap("enabled", true);
         this.remoteIndicesPrivileges = remoteIndicesPrivileges != null ? remoteIndicesPrivileges : RemoteIndicesPrivileges.NONE;
-        this.remoteClusterPrivileges = remoteClusterPrivileges != null ? remoteClusterPrivileges : RemoteClusterPrivileges.NONE;
+        this.remoteClusterPermissions = remoteClusterPermissions != null && remoteClusterPermissions.hasPrivileges()
+            ? remoteClusterPermissions
+            : RemoteClusterPermissions.NONE;
         this.restriction = restriction != null ? restriction : Restriction.NONE;
     }
 
@@ -210,9 +212,9 @@ public RoleDescriptor(StreamInput in) throws IOException {
             this.restriction = Restriction.NONE;
         }
         if (in.getTransportVersion().onOrAfter(TransportVersions.ROLE_REMOTE_CLUSTER_PRIVS)) {
-            this.remoteClusterPrivileges = null; // TODO: in.readArray(RemoteClusterPrivileges::new, RemoteClusterPrivileges[]::new);
+            this.remoteClusterPermissions = new RemoteClusterPermissions(in);
         } else {
-            this.remoteClusterPrivileges = RemoteClusterPrivileges.NONE;
+            this.remoteClusterPermissions = RemoteClusterPermissions.NONE;
         }
     }
 
@@ -240,12 +242,12 @@ public boolean hasRemoteIndicesPrivileges() {
         return remoteIndicesPrivileges.length != 0;
     }
 
-    public boolean hasRemoteClusterPrivileges() {
-        return remoteClusterPrivileges.length != 0;
+    public boolean hasRemoteClusterPermissions() {
+        return remoteClusterPermissions.hasPrivileges();
     }
 
-    public RemoteClusterPrivileges[] getRemoteClusterPrivileges() {
-        return this.remoteClusterPrivileges;
+    public RemoteClusterPermissions getRemoteClusterPermissions() {
+        return this.remoteClusterPermissions;
     }
 
     public ApplicationResourcePrivileges[] getApplicationPrivileges() {
@@ -413,8 +415,8 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params, boolea
         if (hasRemoteIndicesPrivileges()) {
             builder.xContentList(Fields.REMOTE_INDICES.getPreferredName(), remoteIndicesPrivileges);
         }
-        if (hasRemoteClusterPrivileges()) {
-            builder.xContentList(Fields.REMOTE_CLUSTER.getPreferredName(), remoteClusterPrivileges);
+        if (hasRemoteClusterPermissions()) {
+            builder.xContentList(Fields.REMOTE_CLUSTER.getPreferredName(), remoteClusterPermissions);
         }
         if (hasRestriction()) {
             builder.field(Fields.RESTRICTION.getPreferredName(), restriction);
@@ -483,7 +485,7 @@ public static RoleDescriptor parse(String name, XContentParser parser, boolean a
         String currentFieldName = null;
         IndicesPrivileges[] indicesPrivileges = null;
         RemoteIndicesPrivileges[] remoteIndicesPrivileges = null;
-        RemoteClusterPrivileges[] remoteClusterPrivileges = null;
+        RemoteClusterPermissions remoteClusterPermissions = null;
         String[] clusterPrivileges = null;
         List<ConfigurableClusterPrivilege> configurableClusterPrivileges = Collections.emptyList();
         ApplicationResourcePrivileges[] applicationPrivileges = null;
@@ -528,7 +530,7 @@ public static RoleDescriptor parse(String name, XContentParser parser, boolean a
                     } else if (Fields.REMOTE_INDICES.match(currentFieldName, parser.getDeprecationHandler())) {
                         remoteIndicesPrivileges = parseRemoteIndices(name, parser);
                     } else if (Fields.REMOTE_CLUSTER.match(currentFieldName, parser.getDeprecationHandler())) {
-                        remoteClusterPrivileges = parseRemoteCluster(name, parser);
+                        remoteClusterPermissions = parseRemoteCluster(name, parser);
                     } else if (allowRestriction && Fields.RESTRICTION.match(currentFieldName, parser.getDeprecationHandler())) {
                         restriction = Restriction.parse(name, parser);
                     } else if (Fields.TYPE.match(currentFieldName, parser.getDeprecationHandler())) {
@@ -547,7 +549,7 @@ public static RoleDescriptor parse(String name, XContentParser parser, boolean a
             metadata,
             null,
             remoteIndicesPrivileges,
-            remoteClusterPrivileges,
+            remoteClusterPermissions,
             restriction
         );
     }
@@ -707,7 +709,7 @@ private static RemoteIndicesPrivileges parseRemoteIndex(String roleName, XConten
         return new RemoteIndicesPrivileges(parsed.indicesPrivileges(), parsed.remoteClusters());
     }
 
-    private static RoleDescriptor.RemoteClusterPrivileges[] parseRemoteCluster(final String roleName, final XContentParser parser)
+    private static RemoteClusterPermissions parseRemoteCluster(final String roleName, final XContentParser parser)
         throws IOException {
         if (parser.currentToken() != XContentParser.Token.START_ARRAY) {
             throw new ElasticsearchParseException(
@@ -717,7 +719,7 @@ private static RoleDescriptor.RemoteClusterPrivileges[] parseRemoteCluster(final
                 parser.currentToken()
             );
         }
-        final List<RoleDescriptor.RemoteClusterPrivileges> remoteClusterPrivileges = new ArrayList<>();
+        RemoteClusterPermissions.Builder remoteClusterPermissionsBuilder =  RemoteClusterPermissions.builder();
         String[] privileges = null;
         String[] clusters = null;
         while (parser.nextToken() != XContentParser.Token.END_ARRAY) {
@@ -746,9 +748,9 @@ private static RoleDescriptor.RemoteClusterPrivileges[] parseRemoteCluster(final
                     );
                 }
             }
-            remoteClusterPrivileges.add(new RemoteClusterPrivileges(privileges, clusters));
+            remoteClusterPermissionsBuilder.addGroup(new RemoteClusterPermissions.RemoteClusterGroup(privileges, clusters));
         }
-        return remoteClusterPrivileges.toArray(new RemoteClusterPrivileges[0]);
+        return remoteClusterPermissionsBuilder.build();
     }
 
     private record IndicesPrivilegesWithOptionalRemoteClusters(IndicesPrivileges indicesPrivileges, String[] remoteClusters) {}
@@ -1071,43 +1073,6 @@ private static ApplicationResourcePrivileges parseApplicationPrivilege(String ro
         return builder.build();
     }
 
-    //TODO: can this be replace completely by RemoteClusterPermissions.RemoteClusterGroup ?
-    public static final class RemoteClusterPrivileges implements Writeable, ToXContentObject {
-
-        private static final RemoteClusterPrivileges[] NONE = new RemoteClusterPrivileges[0];
-        private final RemoteClusterPermissions.RemoteClusterGroup remoteClusterGroup;
-
-        public RemoteClusterPrivileges(String[] clusterPrivileges, String[] remoteClusters) {
-            remoteClusterGroup = new RemoteClusterPermissions.RemoteClusterGroup(clusterPrivileges, remoteClusters);
-        }
-
-        public String[] clusterPrivileges() {
-            return remoteClusterGroup.clusterPrivileges();
-        }
-
-        public String[] remoteClusters() {
-            return remoteClusterGroup.remoteClusterAliases();
-        }
-
-        public RemoteClusterPermissions.RemoteClusterGroup remoteClusterGroup() {
-            return remoteClusterGroup;
-        }
-
-        @Override
-        public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
-            builder.startObject();
-            builder.array(Fields.PRIVILEGES.getPreferredName(), remoteClusterGroup.clusterPrivileges());
-            builder.array(Fields.CLUSTERS.getPreferredName(), remoteClusterGroup.remoteClusterAliases());
-            builder.endObject();
-            return builder;
-        }
-
-        @Override
-        public void writeTo(StreamOutput out) throws IOException {
-            // TODO
-        }
-    }
-
     public static final class RemoteIndicesPrivileges implements Writeable, ToXContentObject {
 
         private static final RemoteIndicesPrivileges[] NONE = new RemoteIndicesPrivileges[0];

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/RemoteClusterPermissions.java

@@ -7,19 +7,29 @@
 
 package org.elasticsearch.xpack.core.security.authz.permission;
 
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.io.stream.Writeable;
+import org.elasticsearch.xcontent.ToXContentObject;
+import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xpack.core.security.support.StringMatcher;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 
-public class RemoteClusterPermissions {
+public class RemoteClusterPermissions implements Writeable, ToXContentObject {
 
     private final List<RemoteClusterGroup> remoteClusterGroups;
 
     public static final RemoteClusterPermissions NONE = new RemoteClusterPermissions(List.of());
 
+    public RemoteClusterPermissions(StreamInput in) throws IOException {
+        this(List.of()); //TODO: fixme
+    }
     private RemoteClusterPermissions(List<RemoteClusterGroup> remoteClusterGroups) {
         this.remoteClusterGroups = remoteClusterGroups;
     }
@@ -36,10 +46,36 @@ public boolean hasPrivileges(final String remoteClusterAlias) {
             .anyMatch(remoteIndicesGroup -> remoteIndicesGroup.hasPrivileges(remoteClusterAlias));
     }
 
+    public boolean hasPrivileges(){
+        return remoteClusterGroups.isEmpty() == false;
+    }
+
+    public List<RemoteClusterGroup> groups() {
+        return Collections.unmodifiableList(remoteClusterGroups);
+    }
+
+    //TODO: remove this in favor of just constructing the builder
     public static Builder builder() {
         return new Builder();
     }
 
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        //TODO: fixme
+//        builder.startObject();
+//        builder.array(RoleDescriptor.Fields.PRIVILEGES.getPreferredName(), remoteClusterGroup.clusterPrivileges());
+//        builder.array(RoleDescriptor.Fields.CLUSTERS.getPreferredName(), remoteClusterGroup.remoteClusterAliases());
+//        builder.endObject();
+//        return builder;
+        return null;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+
+        //TODO: fixme
+    }
+
     public static class Builder {
         final List<RemoteClusterGroup> remoteClusterGroupsList; //aliases -> permissions