Introduced explicit index resolution API

Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java

@@ -13,18 +13,12 @@
 import java.time.ZonedDateTime;
 import java.time.temporal.ChronoField;
 
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import org.junit.Test;
 
 import org.opensearch.cluster.ClusterState;
-import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.Metadata;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.concurrent.ThreadContext;
-import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.support.WildcardMatcher;
-import org.opensearch.security.user.User;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 
 import static org.opensearch.security.util.MockIndexMetadataBuilder.indices;
 import static org.junit.Assert.assertEquals;
@@ -232,19 +226,10 @@ public void equals() {
     }
 
     private static PrivilegesEvaluationContext ctx() {
-        IndexNameExpressionResolver indexNameExpressionResolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
-        IndexResolverReplacer indexResolverReplacer = new IndexResolverReplacer(indexNameExpressionResolver, () -> CLUSTER_STATE, null);
-        User user = new User("test_user").withAttributes(ImmutableMap.of("attrs.a11", "a11", "attrs.year", "year"));
-        return new PrivilegesEvaluationContext(
-            user,
-            ImmutableSet.of(),
-            "indices:action/test",
-            null,
-            null,
-            indexResolverReplacer,
-            indexNameExpressionResolver,
-            () -> CLUSTER_STATE,
-            ActionPrivileges.EMPTY
-        );
+        return MockPrivilegeEvaluationContextBuilder.ctx()
+            .action("indices:action/test")
+            .attr("attrs.a11", "a11")
+            .attr("attrs.year", "year")
+            .get();
     }
 }

src/integrationTest/java/org/opensearch/security/privileges/actionlevel/EmptyActionPrivilegesTest.java

@@ -15,9 +15,9 @@
 
 import org.junit.Test;
 
+import org.opensearch.cluster.metadata.ResolvedIndices;
 import org.opensearch.security.privileges.ActionPrivileges;
 import org.opensearch.security.privileges.PrivilegesEvaluatorResponse;
-import org.opensearch.security.resolver.IndexResolverReplacer;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isForbidden;
@@ -50,7 +50,7 @@ public void hasIndexPrivilege() {
         PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
             ctx().get(),
             Set.of("indices:data/write/index"),
-            IndexResolverReplacer.Resolved.ofIndex("any_index")
+            ResolvedIndices.of("any_index")
         );
         assertThat(result, isForbidden());
     }
@@ -60,7 +60,7 @@ public void hasExplicitIndexPrivilege() {
         PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
             ctx().get(),
             Set.of("indices:data/write/index"),
-            IndexResolverReplacer.Resolved.ofIndex("any_index")
+            ResolvedIndices.of("any_index")
         );
         assertThat(result, isForbidden());
     }

src/integrationTest/java/org/opensearch/security/privileges/actionlevel/RoleBasedActionPrivilegesTest.java

@@ -13,6 +13,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -29,16 +30,17 @@
 import org.junit.runners.Parameterized;
 import org.junit.runners.Suite;
 
+import org.opensearch.action.OriginalIndices;
 import org.opensearch.action.support.IndicesOptions;
 import org.opensearch.cluster.metadata.IndexAbstraction;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.metadata.ResolvedIndices;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.unit.ByteSizeUnit;
 import org.opensearch.core.common.unit.ByteSizeValue;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluatorResponse;
-import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -352,13 +354,13 @@ public void positive_partial2() throws Exception {
 
             @Test
             public void positive_noLocal() throws Exception {
-                IndexResolverReplacer.Resolved resolved = new IndexResolverReplacer.Resolved(
-                    ImmutableSet.of(),
-                    ImmutableSet.of(),
-                    ImmutableSet.of("remote:a"),
-                    ImmutableSet.of("remote:a"),
-                    IndicesOptions.LENIENT_EXPAND_OPEN
-                );
+                ResolvedIndices resolved = ResolvedIndices.of(Collections.emptySet())
+                    .withRemoteIndices(
+                        Map.of(
+                            "remote",
+                            new OriginalIndices(new String[] { "a" }, IndicesOptions.STRICT_SINGLE_INDEX_NO_EXPAND_FORBID_CLOSED)
+                        )
+                    );
                 PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
                     ctx().roles("test_role").indexMetadata(INDEX_METADATA).get(),
                     requiredActions,
@@ -481,14 +483,8 @@ public IndicesAndAliases(IndexSpec indexSpec, ActionSpec actionSpec, Statefulnes
                     .of("index_b1", "index_b2")//
                     .build();
 
-            static IndexResolverReplacer.Resolved resolved(String... indices) {
-                return new IndexResolverReplacer.Resolved(
-                    ImmutableSet.of(),
-                    ImmutableSet.copyOf(indices),
-                    ImmutableSet.copyOf(indices),
-                    ImmutableSet.of(),
-                    IndicesOptions.LENIENT_EXPAND_OPEN
-                );
+            static ResolvedIndices resolved(String... indices) {
+                return ResolvedIndices.of(indices);
             }
 
         }
@@ -648,28 +644,24 @@ public DataStreams(IndexSpec indexSpec, ActionSpec actionSpec, Statefulness stat
                 dataStreams("data_stream_a11", "data_stream_a12", "data_stream_a21", "data_stream_a22", "data_stream_b1", "data_stream_b2")
                     .build();
 
-            static IndexResolverReplacer.Resolved resolved(String... indices) {
-                ImmutableSet.Builder<String> allIndices = ImmutableSet.builder();
-
-                for (String index : indices) {
-                    IndexAbstraction indexAbstraction = INDEX_METADATA.getIndicesLookup().get(index);
+            static ResolvedIndices resolved(String... indices) {
+                return ResolvedIndices.of(indices);
+                // TODO check
+                // ImmutableSet.Builder<String> allIndices = ImmutableSet.builder();
+                //
+                //
+                // for (String index : indices) {
+                // IndexAbstraction indexAbstraction = INDEX_METADATA.getIndicesLookup().get(index);
+                //
+                // if (indexAbstraction instanceof IndexAbstraction.DataStream) {
+                // allIndices.addAll(
+                // indexAbstraction.getIndices().stream().map(i -> i.getIndex().getName()).collect(Collectors.toList())
+                // );
+                // }
+                //
+                // allIndices.add(index);
+                // }
 
-                    if (indexAbstraction instanceof IndexAbstraction.DataStream) {
-                        allIndices.addAll(
-                            indexAbstraction.getIndices().stream().map(i -> i.getIndex().getName()).collect(Collectors.toList())
-                        );
-                    }
-
-                    allIndices.add(index);
-                }
-
-                return new IndexResolverReplacer.Resolved(
-                    ImmutableSet.of(),
-                    allIndices.build(),
-                    ImmutableSet.copyOf(indices),
-                    ImmutableSet.of(),
-                    IndicesOptions.LENIENT_EXPAND_OPEN
-                );
             }
         }
 
@@ -871,7 +863,7 @@ public void hasIndexPrivilege_errors() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
                 ctx().roles("role_with_errors").get(),
                 Set.of("indices:some_action", "indices:data/write/index"),
-                IndexResolverReplacer.Resolved.ofIndex("any_index")
+                ResolvedIndices.of("any_index")
             );
             assertThat(result, isForbidden());
             assertTrue(result.hasEvaluationExceptions());
@@ -897,7 +889,7 @@ public void hasExplicitIndexPrivilege_positive() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().roles("test_role").get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isAllowed());
         }
@@ -917,7 +909,7 @@ public void hasExplicitIndexPrivilege_positive_wildcard() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().roles("test_role").get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isAllowed());
         }
@@ -934,7 +926,7 @@ public void hasExplicitIndexPrivilege_noWildcard() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().roles("test_role").get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isForbidden());
         }
@@ -954,7 +946,7 @@ public void hasExplicitIndexPrivilege_negative_wrongAction() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().roles("test_role").get(),
                 Set.of("system:admin/system_foo"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isForbidden());
         }
@@ -974,7 +966,7 @@ public void hasExplicitIndexPrivilege_errors() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().roles("role_with_errors").get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("any_index")
+                ResolvedIndices.of("any_index")
             );
             assertThat(result, isForbidden());
             assertTrue(result.hasEvaluationExceptions());
@@ -1004,14 +996,14 @@ public void aliasesOnDataStreamBackingIndices() throws Exception {
             PrivilegesEvaluatorResponse resultForIndexCoveredByAlias = subject.hasIndexPrivilege(
                 ctx().roles("role").indexMetadata(metadata).get(),
                 Set.of("indices:data/write/index"),
-                IndexResolverReplacer.Resolved.ofIndex(".ds-ds_a-000001")
+                ResolvedIndices.of(".ds-ds_a-000001")
             );
             assertThat(resultForIndexCoveredByAlias, isAllowed());
 
             PrivilegesEvaluatorResponse resultForIndexNotCoveredByAlias = subject.hasIndexPrivilege(
                 ctx().roles("role").indexMetadata(metadata).get(),
                 Set.of("indices:data/write/index"),
-                IndexResolverReplacer.Resolved.ofIndex(".ds-ds_a-000002")
+                ResolvedIndices.of(".ds-ds_a-000002")
             );
             assertThat(resultForIndexNotCoveredByAlias, isForbidden());
         }

src/integrationTest/java/org/opensearch/security/privileges/actionlevel/SubjectBasedActionPrivilegesTest.java

@@ -13,6 +13,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -27,12 +28,13 @@
 import org.junit.runners.Parameterized;
 import org.junit.runners.Suite;
 
+import org.opensearch.action.OriginalIndices;
 import org.opensearch.action.support.IndicesOptions;
 import org.opensearch.cluster.metadata.IndexAbstraction;
 import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.metadata.ResolvedIndices;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluatorResponse;
-import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -224,13 +226,13 @@ public void positive_partial2() throws Exception {
 
             @Test
             public void positive_noLocal() throws Exception {
-                IndexResolverReplacer.Resolved resolved = new IndexResolverReplacer.Resolved(
-                    ImmutableSet.of(),
-                    ImmutableSet.of(),
-                    ImmutableSet.of("remote:a"),
-                    ImmutableSet.of("remote:a"),
-                    IndicesOptions.LENIENT_EXPAND_OPEN
-                );
+                ResolvedIndices resolved = ResolvedIndices.of(Collections.emptySet())
+                    .withRemoteIndices(
+                        Map.of(
+                            "remote",
+                            new OriginalIndices(new String[] { "a" }, IndicesOptions.STRICT_SINGLE_INDEX_NO_EXPAND_FORBID_CLOSED)
+                        )
+                    );
                 PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
                     ctx().indexMetadata(INDEX_METADATA).get(),
                     requiredActions,
@@ -330,14 +332,8 @@ public IndicesAndAliases(IndexSpec indexSpec, ActionSpec actionSpec) throws Exce
                     .of("index_b1", "index_b2")//
                     .build();
 
-            static IndexResolverReplacer.Resolved resolved(String... indices) {
-                return new IndexResolverReplacer.Resolved(
-                    ImmutableSet.of(),
-                    ImmutableSet.copyOf(indices),
-                    ImmutableSet.copyOf(indices),
-                    ImmutableSet.of(),
-                    IndicesOptions.LENIENT_EXPAND_OPEN
-                );
+            static ResolvedIndices resolved(String... indices) {
+                return ResolvedIndices.of(indices);
             }
 
         }
@@ -473,7 +469,9 @@ public DataStreams(IndexSpec indexSpec, ActionSpec actionSpec) throws Exception
                 dataStreams("data_stream_a11", "data_stream_a12", "data_stream_a21", "data_stream_a22", "data_stream_b1", "data_stream_b2")
                     .build();
 
-            static IndexResolverReplacer.Resolved resolved(String... indices) {
+            static ResolvedIndices resolved(String... indices) {
+                return ResolvedIndices.of(indices);
+                /* TODO CHECK
                 ImmutableSet.Builder<String> allIndices = ImmutableSet.builder();
 
                 for (String index : indices) {
@@ -495,6 +493,8 @@ static IndexResolverReplacer.Resolved resolved(String... indices) {
                     ImmutableSet.of(),
                     IndicesOptions.LENIENT_EXPAND_OPEN
                 );
+
+                 */
             }
         }
 
@@ -630,7 +630,7 @@ public void hasExplicitIndexPrivilege_positive() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isAllowed());
         }
@@ -648,7 +648,7 @@ public void hasExplicitIndexPrivilege_positive_pattern() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isAllowed());
         }
@@ -665,7 +665,7 @@ public void hasExplicitIndexPrivilege_noWildcard() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isForbidden());
         }
@@ -682,7 +682,7 @@ public void hasExplicitIndexPrivilege_negative_wrongAction() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().get(),
                 Set.of("system:admin/system_foo"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isForbidden());
         }
@@ -699,7 +699,7 @@ public void hasExplicitIndexPrivilege_errors() throws Exception {
             PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
                 ctx().get(),
                 Set.of("system:admin/system_index"),
-                IndexResolverReplacer.Resolved.ofIndex("test_index")
+                ResolvedIndices.of("test_index")
             );
             assertThat(result, isForbidden());
             assertTrue(result.hasEvaluationExceptions());