diff --git a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java index 63c16fa790..41845f08d8 100644 --- a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java +++ b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java @@ -113,6 +113,14 @@ public PrivilegesEvaluatorResponse hasIndexPrivilege( Set actions, IndexResolverReplacer.Resolved resolvedIndices ) { + if (resolvedIndices.isLocalAll()) { + PrivilegesEvaluatorResponse response = this.index.providesWildcardPrivilege(context, actions); + + if (response != null) { + return response; + } + } + if (resolvedIndices.getAllIndices().isEmpty()) { log.debug("No local indices; grant the request"); return PrivilegesEvaluatorResponse.ok(); @@ -120,7 +128,10 @@ public PrivilegesEvaluatorResponse hasIndexPrivilege( // TODO one might want to consider to create a semantic wrapper for action in order to be better tell apart // what's the action and what's the index in the generic parameters of CheckTable. - CheckTable checkTable = CheckTable.create(resolvedIndices.getAllIndices(), actions); + CheckTable checkTable = CheckTable.create( + resolvedIndices.getAllIndicesResolved(context.getClusterStateSupplier(), context.getIndexNameExpressionResolver()), + actions + ); StatefulIndexPrivileges statefulIndex = this.statefulIndex; PrivilegesEvaluatorResponse resultFromStatefulIndex = null; @@ -568,6 +579,29 @@ PrivilegesEvaluatorResponse providesPrivilege( ); } + /** + * Returns PrivilegesEvaluatorResponse.ok() if the user identified in the context object has privileges for all + * indices (using *) for the given actions. Returns null otherwise. Then, further checks must be done to check + * the user's privileges. + */ + PrivilegesEvaluatorResponse providesWildcardPrivilege(PrivilegesEvaluationContext context, Set actions) { + ImmutableSet effectiveRoles = context.getMappedRoles(); + CheckTable checkTable = CheckTable.create(ImmutableSet.of("*"), actions); + + for (String action : actions) { + ImmutableSet rolesWithWildcardIndexPrivileges = this.actionToRolesWithWildcardIndexPrivileges.get(action); + + if (rolesWithWildcardIndexPrivileges != null + && CollectionUtils.containsAny(rolesWithWildcardIndexPrivileges, effectiveRoles)) { + if (checkTable.check("*", action)) { + return PrivilegesEvaluatorResponse.ok(); + } + } + } + + return null; + } + PrivilegesEvaluatorResponse providesExplicitPrivilege( PrivilegesEvaluationContext context, Set actions, diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java index 413b2696bc..7ddbb1e1b5 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java +++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java @@ -12,9 +12,11 @@ import java.util.HashMap; import java.util.Map; +import java.util.function.Supplier; import com.google.common.collect.ImmutableSet; +import org.opensearch.cluster.ClusterState; import org.opensearch.cluster.metadata.IndexNameExpressionResolver; import org.opensearch.security.support.WildcardMatcher; import org.opensearch.security.user.User; @@ -42,6 +44,7 @@ public class PrivilegesEvaluationContext { private final Map renderedPatternTemplateCache = new HashMap<>(); private final ImmutableSet mappedRoles; + private final Supplier clusterStateSupplier; private final IndexNameExpressionResolver indexNameExpressionResolver; public PrivilegesEvaluationContext( @@ -49,12 +52,14 @@ public PrivilegesEvaluationContext( ImmutableSet mappedRoles, String action, Object request, + Supplier clusterStateSupplier, IndexNameExpressionResolver indexNameExpressionResolver ) { this.user = user; this.mappedRoles = mappedRoles; this.action = action; this.request = request; + this.clusterStateSupplier = clusterStateSupplier; this.indexNameExpressionResolver = indexNameExpressionResolver; } @@ -95,7 +100,7 @@ public PrivilegesEvaluationContext mappedRoles(ImmutableSet mappedRoles) if (this.mappedRoles != null && this.mappedRoles.equals(mappedRoles)) { return this; } else { - return new PrivilegesEvaluationContext(user, mappedRoles, action, request, indexNameExpressionResolver); + return new PrivilegesEvaluationContext(user, mappedRoles, action, request, clusterStateSupplier, indexNameExpressionResolver); } } @@ -103,4 +108,8 @@ public IndexNameExpressionResolver getIndexNameExpressionResolver() { return indexNameExpressionResolver; } + public Supplier getClusterStateSupplier() { + return clusterStateSupplier; + } + } diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java index 988775ddf5..27193fa3bf 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java @@ -331,7 +331,14 @@ public PrivilegesEvaluatorResponse evaluate( throw new OpenSearchSecurityException("OpenSearch Security is not initialized: roles configuration is missing"); } - PrivilegesEvaluationContext context = new PrivilegesEvaluationContext(user, mappedRoles, action0, request, resolver); + PrivilegesEvaluationContext context = new PrivilegesEvaluationContext( + user, + mappedRoles, + action0, + request, + clusterService::state, + resolver + ); if (request instanceof BulkRequest && (Strings.isNullOrEmpty(user.getRequestedTenant()))) { // Shortcut for bulk actions. The details are checked on the lower level of the BulkShardRequests (Action diff --git a/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java b/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java index bebf76c219..27729f28f7 100644 --- a/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java +++ b/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java @@ -37,6 +37,7 @@ import java.util.Map; import java.util.Objects; import java.util.Set; +import java.util.function.Supplier; import java.util.regex.PatternSyntaxException; import java.util.stream.Collectors; @@ -489,8 +490,12 @@ public Set getAllIndices() { } public Set getAllIndicesResolved(ClusterService clusterService, IndexNameExpressionResolver resolver) { + return getAllIndicesResolved(clusterService::state, resolver); + } + + public Set getAllIndicesResolved(Supplier clusterStateSupplier, IndexNameExpressionResolver resolver) { if (isLocalAll) { - return new HashSet<>(Arrays.asList(resolver.concreteIndexNames(clusterService.state(), indicesOptions, "*"))); + return new HashSet<>(Arrays.asList(resolver.concreteIndexNames(clusterStateSupplier.get(), indicesOptions, "*"))); } else { return allIndices; } diff --git a/src/test/java/org/opensearch/security/privileges/ActionPrivilegesTest.java b/src/test/java/org/opensearch/security/privileges/ActionPrivilegesTest.java index a77ff08678..dbaee6ba1d 100644 --- a/src/test/java/org/opensearch/security/privileges/ActionPrivilegesTest.java +++ b/src/test/java/org/opensearch/security/privileges/ActionPrivilegesTest.java @@ -272,7 +272,7 @@ static IndexResolverReplacer.Resolved resolved(String... indices) { return new IndexResolverReplacer.Resolved( ImmutableSet.of(), ImmutableSet.copyOf(indices), - ImmutableSet.of(), + ImmutableSet.copyOf(indices), ImmutableSet.of(), IndicesOptions.LENIENT_EXPAND_OPEN ); @@ -444,7 +444,7 @@ static IndexResolverReplacer.Resolved resolved(String... indices) { return new IndexResolverReplacer.Resolved( ImmutableSet.of(), allIndices.build(), - ImmutableSet.of(), + ImmutableSet.copyOf(indices), ImmutableSet.of(), IndicesOptions.LENIENT_EXPAND_OPEN ); @@ -582,6 +582,7 @@ static PrivilegesEvaluationContext ctx(String... roles) { ImmutableSet.copyOf(roles), null, null, + null, new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)) ); } diff --git a/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java b/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java index 6def646981..68c682c2fb 100644 --- a/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java +++ b/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java @@ -11,13 +11,13 @@ package org.opensearch.security.privileges; -import java.lang.reflect.Constructor; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; +import java.util.Arrays; import java.util.List; import java.util.Set; +import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; +import com.fasterxml.jackson.core.JsonProcessingException; import org.apache.logging.log4j.Logger; import org.junit.After; import org.junit.Test; @@ -27,6 +27,7 @@ import org.opensearch.action.get.MultiGetRequest; import org.opensearch.action.search.SearchRequest; import org.opensearch.action.support.IndicesOptions; +import org.opensearch.cluster.metadata.IndexAbstraction; import org.opensearch.cluster.metadata.IndexNameExpressionResolver; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.settings.Settings; @@ -34,10 +35,13 @@ import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.resolver.IndexResolverReplacer; import org.opensearch.security.resolver.IndexResolverReplacer.Resolved; -import org.opensearch.security.securityconf.ConfigModelV7; -import org.opensearch.security.securityconf.SecurityRoles; +import org.opensearch.security.securityconf.FlattenedActionGroups; +import org.opensearch.security.securityconf.impl.CType; +import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration; +import org.opensearch.security.securityconf.impl.v7.RoleV7; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.user.User; +import org.opensearch.security.util.MockIndexMetadataBuilder; import org.opensearch.tasks.Task; import org.mockito.Mock; @@ -46,9 +50,7 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.is; import static org.opensearch.security.support.ConfigConstants.SYSTEM_INDEX_PERMISSION; -import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.spy; import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoInteractions; @@ -81,12 +83,12 @@ public class SecurityIndexAccessEvaluatorTest { private static final String TEST_INDEX = ".test"; private static final String SECURITY_INDEX = ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX; - @Mock - SecurityRoles securityRoles; + ImmutableMap indexMetadata = MockIndexMetadataBuilder.indices(TEST_INDEX, TEST_SYSTEM_INDEX, SECURITY_INDEX) + .build(); User user; - IndexNameExpressionResolver indexNameExpressionResolver; + ActionPrivileges actionPrivileges; private ThreadContext createThreadContext() { return new ThreadContext(Settings.EMPTY); @@ -105,29 +107,29 @@ public void setup( ThreadContext threadContext = createThreadContext(); indexNameExpressionResolver = createIndexNameExpressionResolver(threadContext); - // create a security role - ConfigModelV7.IndexPattern ip = spy(new ConfigModelV7.IndexPattern(index)); - ConfigModelV7.SecurityRole.Builder _securityRole = new ConfigModelV7.SecurityRole.Builder("role_a"); - ip.addPerm(createIndexPatternWithSystemIndexPermission ? Set.of("*", SYSTEM_INDEX_PERMISSION) : Set.of("*")); - _securityRole.addIndexPattern(ip); - _securityRole.addClusterPerms(List.of("*")); - ConfigModelV7.SecurityRole secRole = _securityRole.build(); - try { - // create an instance of Security Role - Constructor constructor = ConfigModelV7.SecurityRoles.class.getDeclaredConstructor(int.class); - constructor.setAccessible(true); - securityRoles = constructor.newInstance(1); - - // add security role to Security Roles - Method addSecurityRoleMethod = ConfigModelV7.SecurityRoles.class.getDeclaredMethod( - "addSecurityRole", - ConfigModelV7.SecurityRole.class + SecurityDynamicConfiguration rolesConfig = SecurityDynamicConfiguration.fromMap( + ImmutableMap.of( + "role_a", + ImmutableMap.of( + "index_permissions", + Arrays.asList( + ImmutableMap.of( + "index_patterns", + Arrays.asList(index), + "allowed_actions", + createIndexPatternWithSystemIndexPermission ? Set.of("*", SYSTEM_INDEX_PERMISSION) : Set.of("*") + ) + ), + "cluster_permissions", + Arrays.asList("*") + ) + ), + CType.ROLES ); - addSecurityRoleMethod.setAccessible(true); - addSecurityRoleMethod.invoke(securityRoles, secRole); - } catch (NoSuchMethodException | InvocationTargetException | InstantiationException | IllegalAccessException e) { + this.actionPrivileges = new ActionPrivileges(rolesConfig, FlattenedActionGroups.EMPTY, () -> indexMetadata); + } catch (JsonProcessingException e) { throw new RuntimeException(e); } @@ -150,8 +152,10 @@ public void setup( when(log.isDebugEnabled()).thenReturn(true); when(log.isInfoEnabled()).thenReturn(true); + } - doReturn(ImmutableSet.of(index)).when(ip).getResolvedIndexPattern(user, indexNameExpressionResolver, cs, true); + PrivilegesEvaluationContext ctx(String action) { + return new PrivilegesEvaluationContext(user, ImmutableSet.of("role_a"), action, request, null, indexNameExpressionResolver); } @After @@ -171,7 +175,8 @@ public void testUnprotectedActionOnRegularIndex_systemIndexDisabled() { UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -193,7 +198,8 @@ public void testUnprotectedActionOnRegularIndex_systemIndexPermissionDisabled() UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -214,7 +220,8 @@ public void testUnprotectedActionOnRegularIndex_systemIndexPermissionEnabled() { UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -235,7 +242,8 @@ public void testUnprotectedActionOnSystemIndex_systemIndexDisabled() { UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -256,7 +264,8 @@ public void testUnprotectedActionOnSystemIndex_systemIndexPermissionDisabled() { UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -277,7 +286,8 @@ public void testUnprotectedActionOnSystemIndex_systemIndexPermissionEnabled_With UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -287,7 +297,12 @@ public void testUnprotectedActionOnSystemIndex_systemIndexPermissionEnabled_With verify(auditLog).logSecurityIndexAttempt(request, UNPROTECTED_ACTION, null); verify(log).isInfoEnabled(); - verify(log).info("No {} permission for user roles {} to System Indices {}", UNPROTECTED_ACTION, securityRoles, TEST_SYSTEM_INDEX); + verify(log).info( + "No {} permission for user roles {} to System Indices {}", + UNPROTECTED_ACTION, + user.getSecurityRoles(), + TEST_SYSTEM_INDEX + ); } @Test @@ -302,7 +317,8 @@ public void testUnprotectedActionOnSystemIndex_systemIndexPermissionEnabled_With UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -321,14 +337,26 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexDisabled() { final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, null, UNPROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + null, + UNPROTECTED_ACTION, + resolved, + presponse, + ctx(UNPROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); evaluator.evaluate( searchRequest, null, UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -339,7 +367,8 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexDisabled() { UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -357,14 +386,26 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionDisable final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, null, UNPROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + null, + UNPROTECTED_ACTION, + resolved, + presponse, + ctx(UNPROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); evaluator.evaluate( searchRequest, null, UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -375,7 +416,8 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionDisable UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -398,14 +440,26 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionEnabled final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, null, UNPROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + null, + UNPROTECTED_ACTION, + resolved, + presponse, + ctx(UNPROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); evaluator.evaluate( searchRequest, null, UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -416,7 +470,8 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionEnabled UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -437,7 +492,7 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionEnabled verify(log, times(3)).info( "No {} permission for user roles {} to System Indices {}", UNPROTECTED_ACTION, - securityRoles, + user.getSecurityRoles(), TEST_SYSTEM_INDEX ); verify(log).debug("Disable search request cache for this request"); @@ -453,14 +508,26 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionEnabled final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, null, UNPROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + null, + UNPROTECTED_ACTION, + resolved, + presponse, + ctx(UNPROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); evaluator.evaluate( searchRequest, null, UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -471,7 +538,8 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionEnabled UNPROTECTED_ACTION, resolved, presponse, - securityRoles, + ctx(UNPROTECTED_ACTION), + actionPrivileges, user, indexNameExpressionResolver, cs @@ -491,7 +559,18 @@ public void testProtectedActionLocalAll_systemIndexDisabled() { final Resolved resolved = Resolved._LOCAL_ALL; // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); @@ -505,7 +584,18 @@ public void testProtectedActionLocalAll_systemIndexPermissionDisabled() { final Resolved resolved = Resolved._LOCAL_ALL; // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); @@ -519,7 +609,18 @@ public void testProtectedActionLocalAll_systemIndexPermissionEnabled() { final Resolved resolved = Resolved._LOCAL_ALL; // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); @@ -533,7 +634,18 @@ public void testProtectedActionOnRegularIndex_systemIndexDisabled() { final Resolved resolved = createResolved(TEST_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); assertThat(presponse.allowed, is(false)); } @@ -544,7 +656,18 @@ public void testProtectedActionOnRegularIndex_systemIndexPermissionDisabled() { final Resolved resolved = createResolved(TEST_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); assertThat(presponse.allowed, is(false)); } @@ -555,7 +678,18 @@ public void testProtectedActionOnRegularIndex_systemIndexPermissionEnabled() { final Resolved resolved = createResolved(TEST_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); assertThat(presponse.allowed, is(false)); } @@ -566,7 +700,18 @@ public void testProtectedActionOnSystemIndex_systemIndexDisabled() { final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); assertThat(presponse.allowed, is(false)); } @@ -577,7 +722,18 @@ public void testProtectedActionOnSystemIndex_systemIndexPermissionDisabled() { final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); @@ -591,13 +747,29 @@ public void testProtectedActionOnSystemIndex_systemIndexPermissionEnabled_withou final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); verify(presponse).markComplete(); verify(log).isInfoEnabled(); - verify(log).info("No {} permission for user roles {} to System Indices {}", PROTECTED_ACTION, securityRoles, TEST_SYSTEM_INDEX); + verify(log).info( + "No {} permission for user roles {} to System Indices {}", + PROTECTED_ACTION, + user.getSecurityRoles(), + TEST_SYSTEM_INDEX + ); } @Test @@ -607,7 +779,18 @@ public void testProtectedActionOnSystemIndex_systemIndexPermissionEnabled_withSy final Resolved resolved = createResolved(TEST_SYSTEM_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); assertThat(presponse.allowed, is(false)); } @@ -618,7 +801,18 @@ public void testProtectedActionOnProtectedSystemIndex_systemIndexDisabled() { final Resolved resolved = createResolved(SECURITY_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); @@ -633,7 +827,18 @@ public void testProtectedActionOnProtectedSystemIndex_systemIndexPermissionDisab final Resolved resolved = createResolved(SECURITY_INDEX); // Action - evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + PROTECTED_ACTION, + resolved, + presponse, + ctx(PROTECTED_ACTION), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); @@ -668,14 +873,30 @@ private void testSecurityIndexAccess(String action) { final Resolved resolved = createResolved(SECURITY_INDEX); // Action - evaluator.evaluate(request, task, action, resolved, presponse, securityRoles, user, indexNameExpressionResolver, cs); + evaluator.evaluate( + request, + task, + action, + resolved, + presponse, + ctx(action), + actionPrivileges, + user, + indexNameExpressionResolver, + cs + ); verify(auditLog).logSecurityIndexAttempt(request, action, task); assertThat(presponse.allowed, is(false)); verify(presponse).markComplete(); verify(log).isInfoEnabled(); - verify(log).info("{} not permitted for a regular user {} on protected system indices {}", action, securityRoles, SECURITY_INDEX); + verify(log).info( + "{} not permitted for a regular user {} on protected system indices {}", + action, + user.getSecurityRoles(), + SECURITY_INDEX + ); } private Resolved createResolved(final String... indexes) {