Use same system index pattern in restricted names (#84180)

The index pattern that was used for the ".security" system index was not identical to the pattern used in RestrictedIndices. The consequence was that it would be possible for a user without restricted indices access to create an index that would get caught by the system indices pattern, which could lead to confusion. In 8.0 all system indices are automatically restricted, using the index name pattern from the system index descriptor, so in 7.17 we are changing the restricted index name to cover the same set of names as the system index descriptor
elastic · Feb 22, 2022 · 1861e8a · 1861e8a
1 parent 01a0dae
commit 1861e8a
Show file tree

Hide file tree

Showing 4 changed files with 132 additions and 2 deletions.
diff --git a/docs/changelog/84180.yaml b/docs/changelog/84180.yaml
@@ -0,0 +1,5 @@
+pr: 84180
+summary: Unify index name pattern between security system-index and RBAC restricted names
+area: Authorization
+type: enhancement
+issues: []
diff --git a/...ore/src/main/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNames.java b/...ore/src/main/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNames.java
@@ -7,13 +7,17 @@
 
 package org.elasticsearch.xpack.core.security.index;
 
+import org.apache.lucene.util.automaton.Automata;
 import org.apache.lucene.util.automaton.Automaton;
+import org.apache.lucene.util.automaton.Operations;
 import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.core.List;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
+import java.util.function.Predicate;
 
 public final class RestrictedIndicesNames {
     public static final String INTERNAL_SECURITY_MAIN_INDEX_6 = ".security-6";
@@ -23,6 +27,17 @@ public final class RestrictedIndicesNames {
     public static final String INTERNAL_SECURITY_TOKENS_INDEX_7 = ".security-tokens-7";
     public static final String SECURITY_TOKENS_ALIAS = ".security-tokens";
 
+    // See o.e.x.security.Security#getSecurityMainIndexDescriptor, o.e.x.security.Security#getSecurityTokensIndexDescriptor
+    private static final Automaton SECURITY_INDEX_AUTOMATON = Operations.concatenate(
+        List.of(
+            Operations.union(Automata.makeString(SECURITY_MAIN_ALIAS), Automata.makeString(SECURITY_TOKENS_ALIAS)),
+            Automata.makeChar('-'),
+            Automata.makeCharRange('0', '9'),
+            Automata.makeAnyString()
+        )
+    );
+    private static final Predicate<String> SECURITY_INDEX_PREDICATE = Automatons.predicate(SECURITY_INDEX_AUTOMATON);
+
     // public for tests
     public static final String ASYNC_SEARCH_PREFIX = ".async-search";
     private static final Automaton ASYNC_SEARCH_AUTOMATON = Automatons.patterns(ASYNC_SEARCH_PREFIX + "*");
@@ -39,11 +54,13 @@ public final class RestrictedIndicesNames {
     );
 
     public static boolean isRestricted(String concreteIndexName) {
-        return RESTRICTED_NAMES.contains(concreteIndexName) || concreteIndexName.startsWith(ASYNC_SEARCH_PREFIX);
+        return RESTRICTED_NAMES.contains(concreteIndexName)
+            || concreteIndexName.startsWith(ASYNC_SEARCH_PREFIX)
+            || SECURITY_INDEX_PREDICATE.test(concreteIndexName);
     }
 
     public static final Automaton NAMES_AUTOMATON = Automatons.unionAndMinimize(
-        Arrays.asList(Automatons.patterns(RESTRICTED_NAMES), ASYNC_SEARCH_AUTOMATON)
+        Arrays.asList(Automatons.patterns(RESTRICTED_NAMES), ASYNC_SEARCH_AUTOMATON, SECURITY_INDEX_AUTOMATON)
     );
 
     private RestrictedIndicesNames() {}

diff --git a/...rc/test/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNamesTests.java b/...rc/test/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNamesTests.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.index;
+
+import org.apache.lucene.util.automaton.CharacterRunAutomaton;
+import org.elasticsearch.test.ESTestCase;
+
+import static org.hamcrest.CoreMatchers.is;
+
+public class RestrictedIndicesNamesTests extends ESTestCase {
+
+    private final CharacterRunAutomaton RUN_AUTOMATON = new CharacterRunAutomaton(RestrictedIndicesNames.NAMES_AUTOMATON);
+
+    public void testAsyncSearchNames() {
+        testIndex(".async-search", true);
+        testIndex(".async-search" + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 8), true);
+        testIndex(".async-search" + (randomBoolean() ? "-" : "") + randomInt(), true);
+        testIndex("async-search" + (randomBoolean() ? "-" : "") + randomInt(), false);
+        testIndex(".asynchronous-search" + (randomBoolean() ? "-" : "") + randomInt(), false);
+        testIndex(".not-async-search" + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 8), false);
+    }
+
+    public void testSecurityNames() {
+        testIndex(".security", true);
+        testIndex(".security-6", true);
+        testIndex(".security-7", true);
+        testIndex(".security-" + randomIntBetween(0, 999_999), true);
+        testIndex(".security-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 20), true);
+
+        testIndex(".security-tokens-7", true);
+        testIndex(".security-tokens-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 20), true);
+
+        testIndex("security", false);
+        testIndex(randomAlphaOfLength(1) + "security", false);
+        testIndex("security-6", false);
+        testIndex("@security-6", false);
+        testIndex(".not-security-7", false);
+        testIndex(".security-", false);
+        testIndex("security-tokens", false);
+        testIndex("security-tokens-7", false);
+        testIndex("_security-tokens", false);
+        testIndex(".security-" + randomAlphaOfLengthBetween(1, 3), false);
+        testIndex(".security-tokens-" + randomAlphaOfLengthBetween(1, 3), false);
+        testIndex(".security" + randomAlphaOfLengthBetween(1, 10), false);
+        testIndex(".security-tokens" + randomAlphaOfLengthBetween(1, 10), false);
+        testIndex(".security" + randomIntBetween(1, 9), false);
+        testIndex(".security-" + randomAlphaOfLength(1) + randomIntBetween(1, 9), false);
+        testIndex(".security" + randomAlphaOfLength(1) + randomIntBetween(1, 9), false);
+    }
+
+    private void testIndex(String name, boolean expected) {
+        assertThat("For index [" + name + "]", RestrictedIndicesNames.isRestricted(name), is(expected));
+        assertThat("For index [" + name + "]", RUN_AUTOMATON.run(name), is(expected));
+    }
+
+}
diff --git a/...gin/security/src/test/java/org/elasticsearch/xpack/security/SecuritySystemIndexTests.java b/...gin/security/src/test/java/org/elasticsearch/xpack/security/SecuritySystemIndexTests.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security;
+
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
+
+import java.util.function.Consumer;
+
+import static org.hamcrest.Matchers.is;
+
+public class SecuritySystemIndexTests extends ESTestCase {
+
+    public void testSystemIndexNameIsRestricted() {
+        Consumer<String> check = idx -> assertThat(
+            "For index [" + idx + "]",
+            Security.SECURITY_MAIN_INDEX_DESCRIPTOR.matchesIndexPattern(idx)
+                || Security.SECURITY_TOKEN_INDEX_DESCRIPTOR.matchesIndexPattern(idx),
+            is(RestrictedIndicesNames.isRestricted(idx))
+        );
+
+        check.accept(".security-" + randomIntBetween(0, 99));
+        check.accept(".security" + randomIntBetween(0, 99));
+
+        check.accept(".security-" + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security" + randomAlphaOfLengthBetween(1, 12));
+
+        check.accept(".security-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security-" + randomAlphaOfLengthBetween(1, 12) + (randomBoolean() ? "-" : "") + randomIntBetween(0, 99));
+
+        check.accept(".security-tokens-" + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security-tokens-" + randomIntBetween(1, 99));
+        check.accept(".security-tokens-" + randomIntBetween(1, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 12));
+
+        check.accept("." + randomAlphaOfLengthBetween(1, 12) + "-security");
+
+        check.accept(randomAlphaOfLengthBetween(1, 3) + "security");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + ".security");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + ".security-6");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + "security-tokens-7");
+    }
+}