fixes

nibix · nibix · commit a7c1ea4b6c3a · 2025-09-19T06:25:14.000+02:00
Signed-off-by: Nils Bandener &lt;nils.bandener@eliatra.com&gt;
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/IndexRequestModifierTest.java b/src/integrationTest/java/org/opensearch/security/privileges/IndexRequestModifierTest.java
@@ -0,0 +1,118 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.privileges;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Suite;
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.IndicesRequest;
+import org.opensearch.action.OriginalIndices;
+import org.opensearch.action.index.IndexRequest;
+import org.opensearch.action.search.SearchRequest;
+import org.opensearch.action.support.IndicesOptions;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.metadata.ResolvedIndices;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.security.util.MockIndexMetadataBuilder;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+@RunWith(Suite.class)
+@Suite.SuiteClasses({
+        IndexRequestModifierTest.SetLocalIndicesToEmpty.class })
+public class IndexRequestModifierTest {
+
+    static final IndexNameExpressionResolver indexNameExpressionResolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
+    static final Metadata metadata = MockIndexMetadataBuilder.indices("index").build();
+    final static ClusterState clusterState = ClusterState.builder(ClusterState.EMPTY_STATE).metadata(metadata).build();
+
+    @RunWith(Parameterized.class)
+    public static class SetLocalIndicesToEmpty {
+
+
+        String description;
+        IndicesRequest request;
+
+        @Test
+        public void setLocalIndicesToEmpty() {
+
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index");
+
+            if (Arrays.asList(request.indices()).contains("remote:index")) {
+                resolvedIndices = resolvedIndices.withRemoteIndices(Map.of("remote", new OriginalIndices(new String [] {"index"}, request.indicesOptions())));
+            }
+
+            boolean success = new IndicesRequestModifier().setLocalIndicesToEmpty((ActionRequest) request, resolvedIndices);
+
+            if (!(request instanceof IndicesRequest.Replaceable)) {
+                assertFalse(success);
+            } else
+            if (!request.indicesOptions().allowNoIndices()) {
+                assertFalse(success);
+            } else {
+                assertTrue(success);
+
+                String [] finalResolvedIndices = indexNameExpressionResolver.concreteIndexNames(clusterState, request);
+
+                    assertEquals("Resolved to empty indices: " + Arrays.asList(finalResolvedIndices), 0, finalResolvedIndices.length);
+            }
+        }
+
+
+        @Parameterized.Parameters(name = "{0}")
+        public static Collection<Object[]> params() {
+            return Arrays.asList(
+                    new Object [] {
+                            "lenient expand open", new SearchRequest("index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN)
+                    },
+                    new Object [] {
+                            "lenient expand open/closed", new SearchRequest("index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN_CLOSED)
+                    },
+                    new Object [] {
+                            "lenient expand open/closed/hidden", new SearchRequest("index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN_CLOSED_HIDDEN)
+                    },
+                    new Object [] {
+                           "allow no indices", new SearchRequest("index").indicesOptions(IndicesOptions.fromOptions(false, true, false, false))
+                    },
+                    new Object [] {
+                         "ignore unavailable",   new SearchRequest("index").indicesOptions(IndicesOptions.fromOptions(true, false, false, false))
+                    },
+                    new Object [] {
+                          "strict single index",  new SearchRequest("index").indicesOptions(IndicesOptions.STRICT_SINGLE_INDEX_NO_EXPAND_FORBID_CLOSED)
+                    },
+                    new Object [] {
+                        "with remote index",    new SearchRequest("index", "remote:index").indicesOptions(IndicesOptions.LENIENT_EXPAND_OPEN)
+                    },
+                    new Object [] {
+                            "not implementing IndicesRequest.Replaceable",    new IndexRequest("index")
+                    }
+            );
+
+        }
+
+        public SetLocalIndicesToEmpty(String description, IndicesRequest request) {
+            this.description = description;
+            this.request = request;
+        }
+    }
+}
diff --git a/src/main/java/org/opensearch/security/privileges/IndicesRequestModifier.java b/src/main/java/org/opensearch/security/privileges/IndicesRequestModifier.java
@@ -18,6 +18,13 @@
 import org.opensearch.action.IndicesRequest;
 import org.opensearch.cluster.metadata.ResolvedIndices;
 
+/**
+ * Provides methods to modify the local indices of an IndicesRequest. All methods use the ResolvedIndices metadata object
+ * to make sure that remote indices are properly retained.
+ * <p>
+ * We need the distinction between local indices and remote indices because authorization on remote indices is performed
+ * on the remote cluster - thus, we can leave them here just as they are.
+ */
 public class IndicesRequestModifier {
 
     public boolean reduceLocalIndices(ActionRequest targetRequest, ResolvedIndices resolvedIndices, Collection<String> newIndices) {
@@ -37,23 +44,13 @@ public boolean setLocalIndicesToEmpty(ActionRequest targetRequest, ResolvedIndic
         if (targetRequest instanceof IndicesRequest.Replaceable replaceable) {
             if (resolvedIndices.remote().isEmpty()) {
                 if (replaceable.indicesOptions().expandWildcardsOpen()
-                    || replaceable.indicesOptions().expandWildcardsClosed()
-                    || replaceable.indicesOptions().expandWildcardsHidden()) {
+                    || replaceable.indicesOptions().expandWildcardsClosed()) {
                     // If the request expands wildcards, we use an index expression which resolves to no indices
-                    // This expression cannot resolve to anything because indices with a leading underscore are not allowed
-                    replaceable.indices("_empty*,-*");
+                    replaceable.indices(".none*,-*");
                     return true;
                 } else if (replaceable.indicesOptions().allowNoIndices()) {
-                    // If the request does not expand wildcards, we have to look for two different conditions due to
-                    // a slightly odd behavior of IndexNameExpressionResolver:
-                    // https://github.com/opensearch-project/OpenSearch/blob/afb08a071269b234936b778f62800bded0e5ea7a/server/src/main/java/org/opensearch/cluster/metadata/IndexNameExpressionResolver.java#L249
-                    // For allowNoIndices(), we just select a non-existing index. Again, index names with leading
-                    // underscores never exist.
-                    replaceable.indices("_empty");
-                    return true;
-                } else if (replaceable.indicesOptions().ignoreUnavailable()) {
-                    // Second case for the special behavior of IndexNameExpressionResolver:
-                    replaceable.indices("_empty", "-_empty*");
+                    // If the request does not expand wildcards, we use a index name that cannot exist.
+                    replaceable.indices("-.none*");
                     return true;
                 } else {
                     // In this case, we cannot perform replacement. But it also won't be necessary due to the
diff --git a/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java
@@ -269,7 +269,7 @@ private void evaluateSystemIndicesAccess(
                 presponse.markComplete();
                 return;
             } else {
-                Set<String> matchingSystemIndices = SystemIndexRegistry.matchesSystemIndexPattern(requestedResolved.getAllIndices());
+                Set<String> matchingSystemIndices = SystemIndexRegistry.matchesSystemIndexPattern(requestedResolved.local().names());
                 matchingSystemIndices.removeAll(matchingPluginIndices);
                 // See if request matches other system indices not belong to the plugin
                 if (!matchingSystemIndices.isEmpty()) {
