Cleans up rest of the changes

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
opensearch-project · Sep 27, 2023 · 9277ffe · 9277ffe
1 parent 5db55ea
commit 9277ffe
Show file tree

Hide file tree

Showing 9 changed files with 847 additions and 184 deletions.
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -36,8 +36,8 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.StringJoiner;
-import java.util.regex.Pattern;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -106,12 +106,19 @@
 
 public class PrivilegesEvaluator {
 
-    private static final WildcardMatcher ACTION_MATCHER = WildcardMatcher.from("indices:data/read/*search*");
-
-    private static final Pattern DNFOF_PATTERNS = Pattern.compile(
-        "indices:(data/read/.*|(admin/(mappings/fields/get.*|shards/search_shards|resolve/index)))"
+    static final WildcardMatcher DNFOF_MATCHER = WildcardMatcher.from(
+        ImmutableList.of(
+            "indices:data/read/*",
+            "indices:admin/mappings/fields/get*",
+            "indices:admin/shards/search_shards",
+            "indices:admin/resolve/index",
+            "indices:monitor/settings/get",
+            "indices:monitor/stats"
+        )
     );
 
+    private static final WildcardMatcher ACTION_MATCHER = WildcardMatcher.from("indices:data/read/*search*");
+
     private static final IndicesOptions ALLOW_EMPTY = IndicesOptions.fromOptions(true, true, false, false);
 
     protected final Logger log = LogManager.getLogger(this.getClass());
@@ -195,25 +202,21 @@ private SecurityRoles getSecurityRoles(Set<String> roles) {
             .lookupExtensionSettingsById(authenticatedUser.getName());
         if (matchingExtension.isPresent()) {
             Settings permissions = (Settings) matchingExtension.get().getAdditionalSettings().get(PERMISSIONS_SETTING);
-            List<Settings> indexPerms = permissions.getNestedListOfSettings("index_permissions");
+            Settings indexPerms = permissions.getAsSettings("index_permissions");
             List<String> clusterPerms = permissions.getAsList("cluster_permissions");
-            if (indexPerms != null || clusterPerms != null) {
-                RoleV7 newRole = new RoleV7();
-                if (clusterPerms != null) {
-                    newRole.setCluster_permissions(clusterPerms);
-                }
-                if (indexPerms != null) {
-                    List<RoleV7.Index> allIndexPerms = new ArrayList<>();
-                    for (Settings indexPerm : indexPerms) {
-                        RoleV7.Index indexPermissions = new RoleV7.Index();
-                        indexPermissions.setIndex_patterns(indexPerm.getAsList("index_patterns"));
-                        indexPermissions.setAllowed_actions(indexPerm.getAsList("allowed_actions"));
-                        allIndexPerms.add(indexPermissions);
-                    }
-                    newRole.setIndex_permissions(allIndexPerms);
-                }
-                securityRoles.addRole(newRole);
+            RoleV7 newRole = new RoleV7();
+            if (clusterPerms != null) {
+                newRole.setCluster_permissions(clusterPerms);
+            }
+            if (!indexPerms.keySet().isEmpty()) {
+                List<RoleV7.Index> allIndexPerms = new ArrayList<>();
+                RoleV7.Index indexPermissions = new RoleV7.Index();
+                indexPermissions.setIndex_patterns(indexPerms.getAsList("index_patterns"));
+                indexPermissions.setAllowed_actions(indexPerms.getAsList("allowed_actions"));
+                allIndexPerms.add(indexPermissions);
+                newRole.setIndex_permissions(allIndexPerms);
             }
+            securityRoles.addRole(newRole);
         }
 
         return securityRoles;
@@ -339,7 +342,17 @@ public PrivilegesEvaluatorResponse evaluate(
         }
 
         // Security index access
-        if (securityIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse).isComplete()) {
+        if (securityIndexAccessEvaluator.evaluate(
+            request,
+            task,
+            action0,
+            requestedResolved,
+            presponse,
+            securityRoles,
+            user,
+            resolver,
+            clusterService
+        ).isComplete()) {
             return presponse;
         }
 
@@ -505,7 +518,7 @@ public PrivilegesEvaluatorResponse evaluate(
             }
         }
 
-        if (dnfofEnabled && DNFOF_PATTERNS.matcher(action0).matches()) {
+        if (dnfofEnabled && DNFOF_MATCHER.test(action0)) {
 
             if (requestedResolved.getAllIndices().isEmpty()) {
                 presponse.missingPrivileges.clear();