From e12f8e63814915f84b22026bc5be2d33ebd3b30b Mon Sep 17 00:00:00 2001
From: scosta
Date: Tue, 16 May 2023 14:17:28 +0100
Subject: [PATCH] merge errors

Signed-off-by: scosta
---
 .../SecurityIndexAccessEvaluator.java | 23 ++---
 .../security/securityconf/ConfigModelV7.java | 86 ++++++++++---------
 2 files changed, 49 insertions(+), 60 deletions(-)

diff --git a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
index 7320b709e0..2186258fd2 100644
--- a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
@@ -26,20 +26,12 @@
 package org.opensearch.security.privileges;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-import java.util.stream.Collectors;
-
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.RealtimeRequest;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.FeatureFlags;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
@@ -52,19 +44,14 @@ import java.util.stream.Collectors;
 public class SecurityIndexAccessEvaluator {
- Logger log = LogManager.getLogger(this.getClass());
-
 private final String securityIndex;
 private final AuditLog auditLog;
 private final WildcardMatcher securityDeniedActionMatcher;
 private final IndexResolverReplacer irr;
 private final boolean filterSecurityIndex;
-
- // for system-indices configuration
 private final WildcardMatcher systemIndexMatcher;
 private final boolean systemIndexEnabled;
-
 public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog, IndexResolverReplacer irr) {
 this.securityIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
 this.auditLog = auditLog;
@@ -103,11 +90,11 @@ public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog,
 }
 public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final Task task, final String action, final Resolved requestedResolved,
- final PrivilegesEvaluatorResponse presponse, ConfigModelV7.SecurityRoles securityRoles) {
+ final PrivilegesEvaluatorResponse presponse, ConfigModelV7.SecurityRoles securityRoles) {
- boolean isDebugEnabled = log.isDebugEnabled();
+ final boolean isDebugEnabled = log.isDebugEnabled();
- if( FeatureFlags.isEnabled(FeatureFlags.EXTENSIONS) && matchAnySystemIndices(requestedResolved) && !checkSystemIndexPermissionsForUser(securityRoles)){
+ if( matchAnySystemIndices(requestedResolved) && !checkExtensionPermissionsForUser(securityRoles)){
 log.warn("An account without the {} permission is trying to access one of the Extensions's System Indexes. Related indexes: {}", ConfigConstants.EXTENSIONS_PERMISSION, requestedResolved.getAllIndices() );
 presponse.allowed = false;
 return presponse.markComplete();
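Review bot: Dropping the `FeatureFlags.isEnabled(FeatureFlags.EXTENSIONS)` gate makes the deny in the rewritten `if(` unconditional: any account that lacks `ConfigConstants.EXTENSIONS_PERMISSION` and touches an index matched by `matchAnySystemIndices` is now rejected here, before the `filterSecurityIndex` handling later in `evaluate` (next hunk) can run, so clusters that never enable extensions change behaviour as well. If that is intended, the warn message still labels every such index as one of the "Extensions's System Indexes", which presumably overstates what `systemIndexMatcher` covers (its configuration is not visible here); if it is not intended, keep the gate, or gate on the `systemIndexEnabled` field declared above if that is the intended switch. Either way a one-line comment explaining why a missing extensions permission is a hard deny rather than a filter, e.g. `// system-index access requires the extensions permission; deny before the filterSecurityIndex fallback below`, would help the next reader. `evaluate` continues past the end of this hunk.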
@@ -128,7 +115,7 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final T
 presponse.allowed = false;
 return presponse.markComplete();
 }
- if (matchAnySystemIndices(requestedResolved)) {
+ if (matchAnySystemIndices(requestedResolved) && !checkExtensionPermissionsForUser(securityRoles)) {
 if (filterSecurityIndex) {
 Set allWithoutSecurity = new HashSet<>(requestedResolved.getAllIndices());
 allWithoutSecurity.remove(securityIndex);
@@ -173,7 +160,7 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final T
 return presponse;
 }
- private boolean checkSystemIndexPermissionsForUser(ConfigModelV7.SecurityRoles securityRoles) {
+ private boolean checkExtensionPermissionsForUser(ConfigModelV7.SecurityRoles securityRoles) {
 Set userPermMatchers = new HashSet<>();
 securityRoles.getRoles().stream().forEach(securityRole -> {
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
index 1509bd6319..75370b6473 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
@@ -339,7 +339,7 @@ public String toString() {
 public Set getRoles() {
 return Collections.unmodifiableSet(roles);
 }
-
+
 public Set getRoleNames() {
 return getRoles().stream().map(r -> r.getName()).collect(Collectors.toSet());
 }
@@ -367,8 +367,8 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
 return EvaluatedDlsFlsConfig.EMPTY;
 }
-
- Map> dlsQueriesByIndex = new HashMap>();
+
+ Map> dlsQueriesByIndex = new HashMap>();
 Map> flsFields = new HashMap>();
 Map> maskedFieldsMap = new HashMap>();
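Review bot: The condition added to this `if` is the same expression that already ends `evaluate` with `presponse.markComplete()` a few lines earlier (previous hunk), so by the time control reaches this line `matchAnySystemIndices(requestedResolved) && !checkExtensionPermissionsForUser(securityRoles)` is necessarily false and the whole `filterSecurityIndex` block under it becomes unreachable, unless something between the two checks alters the inputs, which the visible context does not show. The practical effect is that accounts holding the extensions permission now skip the security-index filtering/denial this block used to apply to every system-index request, while accounts without it are denied outright before the filter can run. If the intent is that the extensions permission bypasses only the early hard deny, restore `if (matchAnySystemIndices(requestedResolved)) {` here; if the bypass is intended, say so in a comment on this line and add a test that covers a user with the permission reading the security index. `evaluate` starts and ends outside this hunk, and the `checkExtensionPermissionsForUser` hunk below is cut off before its body.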
@@ -379,20 +379,20 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll, Set noDlsConcreteIndices = new HashSet<>(); Set noFlsConcreteIndices = new HashSet<>(); Set noMaskedFieldConcreteIndices = new HashSet<>(); - + for (SecurityRole role : roles) { for (IndexPattern ip : role.getIpatterns()) { - final Set concreteIndices = ip.concreteIndexNames(user, resolver, cs); - String dls = ip.getDlsQuery(user); + final Set concreteIndices = ip.concreteIndexNames(user, resolver, cs); + String dls = ip.getDlsQuery(user); - if (dls != null && dls.length() > 0) { + if (dls != null && dls.length() > 0) { - for (String concreteIndex : concreteIndices) { - dlsQueriesByIndex.computeIfAbsent(concreteIndex, (key) -> new HashSet()).add(dls); - } - } else if (dfmEmptyOverwritesAll) { - noDlsConcreteIndices.addAll(concreteIndices); - } + for (String concreteIndex : concreteIndices) { + dlsQueriesByIndex.computeIfAbsent(concreteIndex, (key) -> new HashSet()).add(dls); + } + } else if (dfmEmptyOverwritesAll) { + noDlsConcreteIndices.addAll(concreteIndices); + } Set fls = ip.getFls(); @@ -409,12 +409,12 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll, } else if (dfmEmptyOverwritesAll) { noFlsConcreteIndices.addAll(concreteIndices); } - + Set maskedFields = ip.getMaskedFields(); if (maskedFields != null && maskedFields.size() > 0) { - for (String concreteIndex : concreteIndices) { + for (String concreteIndex : concreteIndices) { if (maskedFieldsMap.containsKey(concreteIndex)) { maskedFieldsMap.get(concreteIndex).addAll(Sets.newHashSet(maskedFields)); } else { 
@@ -447,7 +447,7 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll, } - //opensearchDashboards special only, terms eval + //opensearchDashboards special only, terms eval public Set getAllPermittedIndicesForDashboards(Resolved resolved, User user, String[] actions, IndexNameExpressionResolver resolver, ClusterService cs) { Set retVal = new HashSet<>(); for (SecurityRole sr : roles) { @@ -498,7 +498,7 @@ public boolean impliesTypePermGlobal(Resolved resolved, User user, String[] acti roles.stream().forEach(p -> ipatterns.addAll(p.getIpatterns())); return ConfigModelV7.impliesTypePerm(ipatterns, resolved, user, actions, resolver, cs); } - + private boolean containsDlsFlsConfig() { for (SecurityRole role : roles) { for (IndexPattern ip : role.getIpatterns()) { @@ -562,13 +562,13 @@ private Set getAllResolvedPermittedIndices(Resolved resolved, User user, for (IndexPattern p : ipatterns) { //what if we cannot resolve one (for create purposes) final boolean patternMatch = p.getPerms().matchAll(actions); - -// final Set tperms = p.getTypePerms(); -// for (TypePerm tp : tperms) { -// if (WildcardMatcher.matchAny(tp.typePattern, resolved.getTypes(-).toArray(new String[0]))) { -// patternMatch = WildcardMatcher.matchAll(tp.perms.toArray(new String[0]), actions); -// } -// } + + // final Set tperms = p.getTypePerms(); + // for (TypePerm tp : tperms) { + // if (WildcardMatcher.matchAny(tp.typePattern, resolved.getTypes(-).toArray(new String[0]))) { + // patternMatch = WildcardMatcher.matchAll(tp.perms.toArray(new String[0]), actions); + // } + // } if (patternMatch) { //resolved but can contain patterns for nonexistent indices final WildcardMatcher permitted = WildcardMatcher.from(p.attemptResolveIndexNames(user, resolver, cs)); //maybe they do not exist 
@@ -634,11 +634,11 @@ public boolean equals(Object obj) { return false; } else if (!name.equals(other.name)) return false; -// if (tenants == null) { -// if (other.tenants != null) -// return false; -// } else if (!tenants.equals(other.tenants)) -// return false; + // if (tenants == null) { + // if (other.tenants != null) + // return false; + // } else if (!tenants.equals(other.tenants)) + // return false; return true; } @@ -810,7 +810,7 @@ public String getDlsQuery(User user) { public boolean hasDlsQuery() { return dlsQuery != null && !dlsQuery.isEmpty(); } - + public Set getFls() { return Collections.unmodifiableSet(fls); } @@ -818,7 +818,7 @@ public Set getFls() { public boolean hasFlsFields() { return fls != null && !fls.isEmpty(); } - + public Set getMaskedFields() { return Collections.unmodifiableSet(maskedFields); } @@ -826,12 +826,14 @@ public Set getMaskedFields() { public boolean hasMaskedFields() { return maskedFields != null && !maskedFields.isEmpty(); } - + public WildcardMatcher getPerms() { return WildcardMatcher.from(perms); } - + public WildcardMatcher getNonStarPerms() { + return WildcardMatcher.from(perms.stream().filter(perm -> !perm.equals("*") )); + } } /*public static class TypePerm { @@ -1033,7 +1035,7 @@ private static boolean impliesTypePerm(Set ipatterns, Resolved res ) ); } - + private class TenantHolder { private SetMultimap> tenantsMM = null; @@ -1055,7 +1057,7 @@ public Tuple>> call() throws Exception { final Set> tuples = new HashSet<>(); final List tenants = securityRole.getValue().getTenant_permissions(); if (tenants != null) { - + for (RoleV7.Tenant tenant : tenants) { // find Wildcarded tenant patterns @@ -1142,8 +1144,8 @@ public Map mapTenants(final User user, Set roles) { _roles.addAll(roles); if(!result.containsKey("global_tenant") && ( _roles.contains("kibana_user") - || _roles.contains("all_access") - )) { + || _roles.contains("all_access") + )) { result.put("global_tenant", true); } 
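Review bot: `getNonStarPerms()` is added without documentation and nothing in this patch calls it, so its contract is easy to misread: the filter drops only the literal `"*"` entry, so a wildcard such as `indices:*` or `cluster:*` still passes through, and a role that grants everything via a pattern rather than a bare star is treated as a non-star permission. A Javadoc pinning that down, e.g. `/** Permissions of this pattern excluding the bare "*" grant; wider wildcards such as "indices:*" are kept. */`, would fix the intent for callers. Minor style point on the same line: the stray space in `!perm.equals("*") )` should go, and `perm -> !"*".equals(perm)` would avoid a surprise if `perms` can ever hold a null, which I cannot tell from here. The enclosing `IndexPattern` class starts outside this hunk.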
@@ -1166,7 +1168,7 @@ private class RoleMappingHolder { private RoleMappingHolder(final SecurityDynamicConfiguration rolemappings, final String hostResolverMode) { this.hostResolverMode = hostResolverMode; - + if (roles != null) { users = ArrayListMultimap.create(); @@ -1267,10 +1269,10 @@ private Set map(final User user, final TransportAddress caller) { } } - - - - + + + + public Map mapTenants(User user, Set roles) { return tenantHolder.mapTenants(user, roles);