Skip to content

Commit

Permalink
merge errors
Browse files Browse the repository at this point in the history 
Signed-off-by: scosta <samuel.costa@eliatra.com>
  • Loading branch information
@samuelcostae
samuelcostae committed May 16, 2023
1 parent e29519c commit e12f8e6
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 60 deletions.
23 changes: 5 additions & 18 deletions src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,20 +26,12 @@

package org.opensearch.security.privileges;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import org.opensearch.action.ActionRequest;
import org.opensearch.action.RealtimeRequest;
import org.opensearch.action.search.SearchRequest;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.FeatureFlags;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.resolver.IndexResolverReplacer;
import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
Expand All @@ -52,19 +44,14 @@
import java.util.stream.Collectors;

public class SecurityIndexAccessEvaluator {

Logger log = LogManager.getLogger(this.getClass());

private final String securityIndex;
private final AuditLog auditLog;
private final WildcardMatcher securityDeniedActionMatcher;
private final IndexResolverReplacer irr;
private final boolean filterSecurityIndex;

// for system-indices configuration
private final WildcardMatcher systemIndexMatcher;
private final boolean systemIndexEnabled;

public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog, IndexResolverReplacer irr) {
this.securityIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
this.auditLog = auditLog;
Expand Down Expand Up @@ -103,11 +90,11 @@ public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog,
}

public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final Task task, final String action, final Resolved requestedResolved,
final PrivilegesEvaluatorResponse presponse, ConfigModelV7.SecurityRoles securityRoles) {
final PrivilegesEvaluatorResponse presponse, ConfigModelV7.SecurityRoles securityRoles) {

boolean isDebugEnabled = log.isDebugEnabled();
final boolean isDebugEnabled = log.isDebugEnabled();

if( FeatureFlags.isEnabled(FeatureFlags.EXTENSIONS) && matchAnySystemIndices(requestedResolved) && !checkSystemIndexPermissionsForUser(securityRoles)){
if( matchAnySystemIndices(requestedResolved) && !checkExtensionPermissionsForUser(securityRoles)){
log.warn("An account without the {} permission is trying to access one of the Extensions's System Indexes. Related indexes: {}", ConfigConstants.EXTENSIONS_PERMISSION, requestedResolved.getAllIndices() );
presponse.allowed = false;
return presponse.markComplete();
Expand All @@ -128,7 +115,7 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final T
presponse.allowed = false;
return presponse.markComplete();
}
if (matchAnySystemIndices(requestedResolved)) {
if (matchAnySystemIndices(requestedResolved) && !checkExtensionPermissionsForUser(securityRoles)) {
if (filterSecurityIndex) {
Set<String> allWithoutSecurity = new HashSet<>(requestedResolved.getAllIndices());
allWithoutSecurity.remove(securityIndex);
Expand Down Expand Up @@ -173,7 +160,7 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final T
return presponse;
}

private boolean checkSystemIndexPermissionsForUser(ConfigModelV7.SecurityRoles securityRoles) {
private boolean checkExtensionPermissionsForUser(ConfigModelV7.SecurityRoles securityRoles) {
Set<WildcardMatcher> userPermMatchers = new HashSet<>();

securityRoles.getRoles().stream().forEach(securityRole -> {
Expand Down
86 changes: 44 additions & 42 deletions src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -339,7 +339,7 @@ public String toString() {
public Set<SecurityRole> getRoles() {
return Collections.unmodifiableSet(roles);
}

public Set<String> getRoleNames() {
return getRoles().stream().map(r -> r.getName()).collect(Collectors.toSet());
}
Expand Down Expand Up @@ -367,8 +367,8 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,

return EvaluatedDlsFlsConfig.EMPTY;
}
Map<String, Set<String>> dlsQueriesByIndex = new HashMap<String, Set<String>>();

Map<String, Set<String>> dlsQueriesByIndex = new HashMap<String, Set<String>>();
Map<String, Set<String>> flsFields = new HashMap<String, Set<String>>();
Map<String, Set<String>> maskedFieldsMap = new HashMap<String, Set<String>>();

Expand All @@ -379,20 +379,20 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
Set<String> noDlsConcreteIndices = new HashSet<>();
Set<String> noFlsConcreteIndices = new HashSet<>();
Set<String> noMaskedFieldConcreteIndices = new HashSet<>();

for (SecurityRole role : roles) {
for (IndexPattern ip : role.getIpatterns()) {
final Set<String> concreteIndices = ip.concreteIndexNames(user, resolver, cs);
String dls = ip.getDlsQuery(user);
final Set<String> concreteIndices = ip.concreteIndexNames(user, resolver, cs);
String dls = ip.getDlsQuery(user);

if (dls != null && dls.length() > 0) {
if (dls != null && dls.length() > 0) {

for (String concreteIndex : concreteIndices) {
dlsQueriesByIndex.computeIfAbsent(concreteIndex, (key) -> new HashSet<String>()).add(dls);
}
} else if (dfmEmptyOverwritesAll) {
noDlsConcreteIndices.addAll(concreteIndices);
}
for (String concreteIndex : concreteIndices) {
dlsQueriesByIndex.computeIfAbsent(concreteIndex, (key) -> new HashSet<String>()).add(dls);
}
} else if (dfmEmptyOverwritesAll) {
noDlsConcreteIndices.addAll(concreteIndices);
}

Set<String> fls = ip.getFls();

Expand All @@ -409,12 +409,12 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
} else if (dfmEmptyOverwritesAll) {
noFlsConcreteIndices.addAll(concreteIndices);
}

Set<String> maskedFields = ip.getMaskedFields();

if (maskedFields != null && maskedFields.size() > 0) {

for (String concreteIndex : concreteIndices) {
for (String concreteIndex : concreteIndices) {
if (maskedFieldsMap.containsKey(concreteIndex)) {
maskedFieldsMap.get(concreteIndex).addAll(Sets.newHashSet(maskedFields));
} else {
Expand Down Expand Up @@ -447,7 +447,7 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
}


//opensearchDashboards special only, terms eval
//opensearchDashboards special only, terms eval
public Set<String> getAllPermittedIndicesForDashboards(Resolved resolved, User user, String[] actions, IndexNameExpressionResolver resolver, ClusterService cs) {
Set<String> retVal = new HashSet<>();
for (SecurityRole sr : roles) {
Expand Down Expand Up @@ -498,7 +498,7 @@ public boolean impliesTypePermGlobal(Resolved resolved, User user, String[] acti
roles.stream().forEach(p -> ipatterns.addAll(p.getIpatterns()));
return ConfigModelV7.impliesTypePerm(ipatterns, resolved, user, actions, resolver, cs);
}

private boolean containsDlsFlsConfig() {
for (SecurityRole role : roles) {
for (IndexPattern ip : role.getIpatterns()) {
Expand Down Expand Up @@ -562,13 +562,13 @@ private Set<String> getAllResolvedPermittedIndices(Resolved resolved, User user,
for (IndexPattern p : ipatterns) {
//what if we cannot resolve one (for create purposes)
final boolean patternMatch = p.getPerms().matchAll(actions);
// final Set<TypePerm> tperms = p.getTypePerms();
// for (TypePerm tp : tperms) {
// if (WildcardMatcher.matchAny(tp.typePattern, resolved.getTypes(-).toArray(new String[0]))) {
// patternMatch = WildcardMatcher.matchAll(tp.perms.toArray(new String[0]), actions);
// }
// }

// final Set<TypePerm> tperms = p.getTypePerms();
// for (TypePerm tp : tperms) {
// if (WildcardMatcher.matchAny(tp.typePattern, resolved.getTypes(-).toArray(new String[0]))) {
// patternMatch = WildcardMatcher.matchAll(tp.perms.toArray(new String[0]), actions);
// }
// }
if (patternMatch) {
//resolved but can contain patterns for nonexistent indices
final WildcardMatcher permitted = WildcardMatcher.from(p.attemptResolveIndexNames(user, resolver, cs)); //maybe they do not exist
Expand Down Expand Up @@ -634,11 +634,11 @@ public boolean equals(Object obj) {
return false;
} else if (!name.equals(other.name))
return false;
// if (tenants == null) {
// if (other.tenants != null)
// return false;
// } else if (!tenants.equals(other.tenants))
// return false;
// if (tenants == null) {
// if (other.tenants != null)
// return false;
// } else if (!tenants.equals(other.tenants))
// return false;
return true;
}

Expand Down Expand Up @@ -810,28 +810,30 @@ public String getDlsQuery(User user) {
public boolean hasDlsQuery() {
return dlsQuery != null && !dlsQuery.isEmpty();
}

public Set<String> getFls() {
return Collections.unmodifiableSet(fls);
}

public boolean hasFlsFields() {
return fls != null && !fls.isEmpty();
}

public Set<String> getMaskedFields() {
return Collections.unmodifiableSet(maskedFields);
}

public boolean hasMaskedFields() {
return maskedFields != null && !maskedFields.isEmpty();
}

public WildcardMatcher getPerms() {
return WildcardMatcher.from(perms);
}


public WildcardMatcher getNonStarPerms() {
return WildcardMatcher.from(perms.stream().filter(perm -> !perm.equals("*") ));
}
}

/*public static class TypePerm {
Expand Down Expand Up @@ -1033,7 +1035,7 @@ private static boolean impliesTypePerm(Set<IndexPattern> ipatterns, Resolved res
)
);
}

private class TenantHolder {

private SetMultimap<String, Tuple<String, Boolean>> tenantsMM = null;
Expand All @@ -1055,7 +1057,7 @@ public Tuple<String, Set<Tuple<String, Boolean>>> call() throws Exception {
final Set<Tuple<String, Boolean>> tuples = new HashSet<>();
final List<RoleV7.Tenant> tenants = securityRole.getValue().getTenant_permissions();
if (tenants != null) {

for (RoleV7.Tenant tenant : tenants) {

// find Wildcarded tenant patterns
Expand Down Expand Up @@ -1142,8 +1144,8 @@ public Map<String, Boolean> mapTenants(final User user, Set<String> roles) {
_roles.addAll(roles);
if(!result.containsKey("global_tenant") && (
_roles.contains("kibana_user")
|| _roles.contains("all_access")
)) {
|| _roles.contains("all_access")
)) {
result.put("global_tenant", true);
}

Expand All @@ -1166,7 +1168,7 @@ private class RoleMappingHolder {
private RoleMappingHolder(final SecurityDynamicConfiguration<RoleMappingsV7> rolemappings, final String hostResolverMode) {

this.hostResolverMode = hostResolverMode;

if (roles != null) {

users = ArrayListMultimap.create();
Expand Down Expand Up @@ -1267,10 +1269,10 @@ private Set<String> map(final User user, final TransportAddress caller) {

}
}





public Map<String, Boolean> mapTenants(User user, Set<String> roles) {
return tenantHolder.mapTenants(user, roles);
Expand Down

0 comments on commit e12f8e6

Please sign in to comment.