change to wildcard matcher
Signed-off-by: Derek Ho <dxho@amazon.com>
derek-ho committed Aug 28, 2023
1 parent 20493d8 commit c12333c
Showing 2 changed files with 16 additions and 14 deletions.
Expand Up @@ -36,6 +36,7 @@
import java.util.Set;
import java.util.StringJoiner;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
Expand Down Expand Up @@ -100,6 +101,17 @@

public class PrivilegesEvaluator {

static final WildcardMatcher DNFOF_MATCHER = WildcardMatcher.from(
ImmutableList.of(
"indices:data/read/*",
"indices:admin/mappings/fields/get*",
"indices:admin/shards/search_shards",
"indices:admin/resolve/index",
"indices:monitor/settings/get",
"indices:monitor/stats"
)
);

private static final WildcardMatcher ACTION_MATCHER = WildcardMatcher.from("indices:data/read/*search*");

private static final IndicesOptions ALLOW_EMPTY = IndicesOptions.fromOptions(true, true, false, false);
Expand Down Expand Up @@ -468,7 +480,7 @@ public PrivilegesEvaluatorResponse evaluate(
}
}

if (dnfofEnabled && isDnfofAction(action0)) {
if (dnfofEnabled && DNFOF_MATCHER.test(action0)) {

if (requestedResolved.getAllIndices().isEmpty()) {
presponse.missingPrivileges.clear();
Expand Down Expand Up @@ -669,15 +681,6 @@ public static boolean isClusterPerm(String action0) {
);
}

static boolean isDnfofAction(String action0) {
return (action0.startsWith("indices:data/read/")
|| (action0.startsWith("indices:admin/mappings/fields/get")
|| action0.equals("indices:admin/shards/search_shards")
|| action0.equals("indices:admin/resolve/index"))
|| action0.equals("indices:monitor/settings/get")
|| action0.equals("indices:monitor/stats"));
}

@SuppressWarnings("unchecked")
private boolean checkFilteredAliases(Resolved requestedResolved, String action, boolean isDebugEnabled) {
final String faMode = dcm.getFilteredAliasMode();// getConfigSettings().dynamic.filtered_alias_mode;
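Review bot: `DNFOF_MATCHER` (second hunk, at the top of `PrivilegesEvaluator`) is an authorization-relevant allow-list with no comment: in `evaluate` it gates the `dnfofEnabled` branch that clears `presponse.missingPrivileges` when no indices were resolved, so every pattern added to it widens the set of actions that take that path. Moving from `startsWith`/`equals` to `WildcardMatcher` also means each entry is now read as a pattern, so a future entry containing a wildcard character matches more than the literal string; the six current entries look equivalent to the removed `isDnfofAction`, but that rests on `WildcardMatcher` behaviour (case sensitivity, handling of a null action) that is not visible on this page. I would add a Javadoc on the constant, e.g. `/** Actions eligible for do-not-fail-on-forbidden handling; entries are wildcard patterns, so keep each one as narrow as possible. */`. The field appears to be package-private only so the unit test can reach it, which is worth stating in the same comment.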
Expand Up @@ -17,8 +17,7 @@
import static org.hamcrest.Matchers.equalTo;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.opensearch.security.privileges.PrivilegesEvaluator.isClusterPerm;
import static org.opensearch.security.privileges.PrivilegesEvaluator.isDnfofAction;
import static org.opensearch.security.privileges.PrivilegesEvaluator.*;

public class PrivilegesEvaluatorUnitTest {

Expand Down Expand Up @@ -118,14 +117,14 @@ public void testClusterPerm() {
@Test
public void testDnfofPermissions_negative() {
for (final String permission : disallowedDnfof) {
assertThat(isDnfofAction(permission), equalTo(false));
assertThat(DNFOF_MATCHER.test(permission), equalTo(false));
}
}

@Test
public void testDnfofPermissions_positive() {
for (final String permission : allowedDnfof) {
assertThat(isDnfofAction(permission), equalTo(true));
assertThat(DNFOF_MATCHER.test(permission), equalTo(true));
}
}
}
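Review bot: The static wildcard import `PrivilegesEvaluator.*` at the top of the test replaces two explicit imports and pulls every static member of the class into scope, which hides where `DNFOF_MATCHER` comes from and can shadow names as the class grows. Keep it explicit: `import static org.opensearch.security.privileges.PrivilegesEvaluator.DNFOF_MATCHER;` next to the existing `isClusterPerm` import. Since the check is now pattern-based, the negative test is the place to pin near-misses of the exact-match entries (for example an action that merely extends `indices:monitor/stats`), if `disallowedDnfof`, which is defined outside this hunk, does not already contain one.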
