Tests of IndicesRequestModifier and IndicesRequestResolver

Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/IndexRequestModifierTest.java

@@ -31,20 +31,66 @@
 
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
 
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
 @RunWith(Suite.class)
 @Suite.SuiteClasses({
+        IndexRequestModifierTest.SetLocalIndices.class,
         IndexRequestModifierTest.SetLocalIndicesToEmpty.class })
 public class IndexRequestModifierTest {
 
     static final IndexNameExpressionResolver indexNameExpressionResolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
-    static final Metadata metadata = MockIndexMetadataBuilder.indices("index").build();
+    static final Metadata metadata = MockIndexMetadataBuilder.indices("index", "index1", "index2", "index3").build();
     final static ClusterState clusterState = ClusterState.builder(ClusterState.EMPTY_STATE).metadata(metadata).build();
+    static final IndicesRequestModifier subject = new IndicesRequestModifier();
+
+    public static class SetLocalIndices {
+        @Test
+        public void basic() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+            SearchRequest request = new SearchRequest("index1", "index2", "index3");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.singletonList("index1"));
+            assertTrue(success);
+            assertArrayEquals(new String [] {"index1"}, request.indices());
+        }
+
+        @Test
+        public void withRemote() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1").withRemoteIndices(Map.of("remote", new OriginalIndices(new String[] {"index_remote"}, IndicesOptions.LENIENT_EXPAND_OPEN)));
+            SearchRequest request = new SearchRequest("index1", "index2", "index3", "remote:index_remote");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.singletonList("index1"));
+            assertTrue(success);
+            assertArrayEquals(new String [] {"index1", "remote:index_remote"}, request.indices());
+        }
+
+        @Test
+        public void empty() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+            SearchRequest request = new SearchRequest("index1", "index2", "index3");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.emptyList());
+            assertTrue(success);
+            String [] finalResolvedIndices = indexNameExpressionResolver.concreteIndexNames(clusterState, request);
+            assertArrayEquals(new String [0], finalResolvedIndices);
+        }
+
+        @Test
+        public void unsupportedType() {
+            ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+            IndexRequest request = new IndexRequest("index1");
+
+            boolean success = subject.setLocalIndices(request, resolvedIndices, Collections.singletonList("index1"));
+            assertFalse(success);
+        }
+    }
 
     @RunWith(Parameterized.class)
     public static class SetLocalIndicesToEmpty {
@@ -62,7 +108,7 @@ public void setLocalIndicesToEmpty() {
                 resolvedIndices = resolvedIndices.withRemoteIndices(Map.of("remote", new OriginalIndices(new String [] {"index"}, request.indicesOptions())));
             }
 
-            boolean success = new IndicesRequestModifier().setLocalIndicesToEmpty((ActionRequest) request, resolvedIndices);
+            boolean success = subject.setLocalIndicesToEmpty((ActionRequest) request, resolvedIndices);
 
             if (!(request instanceof IndicesRequest.Replaceable)) {
                 assertFalse(success);

src/integrationTest/java/org/opensearch/security/privileges/IndicesRequestResolverTest.java

@@ -0,0 +1,86 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.privileges;
+import org.junit.Test;
+import org.opensearch.action.admin.cluster.state.ClusterStateRequest;
+import org.opensearch.action.admin.cluster.stats.ClusterStatsRequest;
+import org.opensearch.action.admin.indices.settings.put.UpdateSettingsRequest;
+import org.opensearch.action.search.SearchRequest;
+import org.opensearch.action.support.ActionRequestMetadata;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.metadata.ResolvedIndices;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.security.util.MockIndexMetadataBuilder;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
+
+import java.util.Optional;
+import java.util.Set;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class IndicesRequestResolverTest {
+
+    static final Metadata metadata = MockIndexMetadataBuilder.indices("index1", "index2", "index3").build();
+    final static ClusterState clusterState = ClusterState.builder(ClusterState.EMPTY_STATE).metadata(metadata).build();
+    static final IndicesRequestResolver subject = new IndicesRequestResolver(new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)));
+
+    @Test
+    public void resolve_normal() {
+        SearchRequest request = new SearchRequest("index1");
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        ResolvedIndices resolvedIndices = ResolvedIndices.of("index1");
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(Optional.of(resolvedIndices));
+
+        ResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, () -> clusterState);
+        assertEquals(resolvedIndices, returnedResolvedIndices);
+    }
+
+    @Test
+    public void resolve_fallback() {
+        SearchRequest request = new SearchRequest("index1");
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(Optional.empty());
+
+        ResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, () -> clusterState);
+        assertEquals(Set.of("index1"), returnedResolvedIndices.local().names());
+    }
+
+    @Test
+    public void resolve_fallbackUnsupported() {
+        ClusterStatsRequest request = new ClusterStatsRequest();
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(Optional.empty());
+
+        ResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, () -> clusterState);
+        assertTrue("Expected isAll(), got: " + returnedResolvedIndices, returnedResolvedIndices.local().isAll());
+    }
+
+    @Test
+    public void resolve_withPrivilegesEvaluationContext() {
+        SearchRequest request = new SearchRequest("index*");
+        ActionRequestMetadata<SearchRequest, ?> actionRequestMetadata = mock();
+        when(actionRequestMetadata.resolvedIndices()).thenReturn(Optional.empty());
+        PrivilegesEvaluationContext context = MockPrivilegeEvaluationContextBuilder.ctx().clusterState(clusterState).get();
+
+        ResolvedIndices returnedResolvedIndices = subject.resolve(request, actionRequestMetadata, context);
+        assertEquals(Set.of("index1", "index2", "index3"), returnedResolvedIndices.local().names());
+    }
+}

src/main/java/org/opensearch/security/privileges/IndicesRequestModifier.java

@@ -27,7 +27,7 @@
  */
 public class IndicesRequestModifier {
 
-    public boolean reduceLocalIndices(ActionRequest targetRequest, ResolvedIndices resolvedIndices, Collection<String> newIndices) {
+    public boolean setLocalIndices(ActionRequest targetRequest, ResolvedIndices resolvedIndices, Collection<String> newIndices) {
         if (newIndices.isEmpty()) {
             return setLocalIndicesToEmpty(targetRequest, resolvedIndices);
         }

src/main/java/org/opensearch/security/privileges/IndicesRequestResolver.java

@@ -46,13 +46,7 @@ public ResolvedIndices resolve(
         ActionRequestMetadata<?, ?> actionRequestMetadata,
         PrivilegesEvaluationContext context
     ) {
-        Optional<ResolvedIndices> providedIndices = actionRequestMetadata.resolvedIndices();
-        if (providedIndices.isPresent()) {
-            return providedIndices.get();
-        } else {
-            // The action does not implement the resolution mechanism; we have to do it by ourselves
-            return resolveFallback(request, context.clusterState());
-        }
+        return resolve(request, actionRequestMetadata, context::clusterState);
     }
 
     private ResolvedIndices resolveFallback(ActionRequest request, ClusterState clusterState) {

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java

@@ -609,7 +609,7 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)
 
         if (presponse.isPartiallyOk()) {
             if (dnfofPossible) {
-                if (this.indicesRequestModifier.reduceLocalIndices(request, resolvedIndices, presponse.getAvailableIndices())) {
+                if (this.indicesRequestModifier.setLocalIndices(request, resolvedIndices, presponse.getAvailableIndices())) {
                     return PrivilegesEvaluatorResponse.ok();
                 }
             }

src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java

@@ -322,7 +322,7 @@ else if (containsSystemIndex && !isSystemIndexPermissionEnabled) {
                         presponse.markComplete();
                         return;
                     }
-                    this.indicesRequestModifier.reduceLocalIndices(request, requestedResolved, allWithoutSecurity);
+                    this.indicesRequestModifier.setLocalIndices(request, requestedResolved, allWithoutSecurity);
                     if (log.isDebugEnabled()) {
                         log.debug("Filtered '{}', resulting list is {}", securityIndex, allWithoutSecurity);
                     }