From d75efbcf6839a63e05ae3b88c84b6324921f25b3 Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Tue, 31 Jul 2018 09:07:47 +1000 Subject: [PATCH] Make get all app privs requires "*" permission (#32460) The default behaviour for "GetPrivileges" is to get all application privileges. This should only be allowed if the user has access to the "*" application. --- .../action/privilege/GetPrivilegesRequest.java | 2 +- .../privilege/ConditionalClusterPrivileges.java | 4 +++- .../ManageApplicationPrivilegesTests.java | 14 ++++++++++++++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/GetPrivilegesRequest.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/GetPrivilegesRequest.java index 559e0ab8d9877..585fb372d3247 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/GetPrivilegesRequest.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/GetPrivilegesRequest.java @@ -50,7 +50,7 @@ public String application() { @Override public Collection getApplicationNames() { - return Collections.singleton(application); + return application == null ? Collections.emptySet() : Collections.singleton(application); } public void privileges(String... privileges) { diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConditionalClusterPrivileges.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConditionalClusterPrivileges.java index c068c77781b14..e204d89b1c095 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConditionalClusterPrivileges.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConditionalClusterPrivileges.java @@ -135,7 +135,9 @@ public ManageApplicationPrivileges(Set applicationNames) { this.requestPredicate = request -> { if (request instanceof ApplicationPrivilegesRequest) { final ApplicationPrivilegesRequest privRequest = (ApplicationPrivilegesRequest) request; - return privRequest.getApplicationNames().stream().allMatch(application -> applicationPredicate.test(application)); + final Collection requestApplicationNames = privRequest.getApplicationNames(); + return requestApplicationNames.isEmpty() ? this.applicationNames.contains("*") + : requestApplicationNames.stream().allMatch(application -> applicationPredicate.test(application)); } return false; }; diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageApplicationPrivilegesTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageApplicationPrivilegesTests.java index a5c1bbc98d1ba..9c113d4ff0f94 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageApplicationPrivilegesTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageApplicationPrivilegesTests.java @@ -50,6 +50,7 @@ import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.notNullValue; +import static org.hamcrest.Matchers.nullValue; public class ManageApplicationPrivilegesTests extends ESTestCase { @@ -140,6 +141,19 @@ public void testRequestPredicate() { assertThat(cloudAndSwiftypePredicate, not(predicateMatches(putKibana))); } + public void testSecurityForGetAllApplicationPrivileges() { + final GetPrivilegesRequest getAll = new GetPrivilegesRequest(); + getAll.application(null); + getAll.privileges(new String[0]); + + assertThat(getAll.validate(), nullValue()); + + final ManageApplicationPrivileges kibanaOnly = new ManageApplicationPrivileges(Sets.newHashSet("kibana-*")); + final ManageApplicationPrivileges allApps = new ManageApplicationPrivileges(Sets.newHashSet("*")); + + assertThat(kibanaOnly.getRequestPredicate(), not(predicateMatches(getAll))); + assertThat(allApps.getRequestPredicate(), predicateMatches(getAll)); + } private ManageApplicationPrivileges clone(ManageApplicationPrivileges original) { return new ManageApplicationPrivileges(new LinkedHashSet<>(original.getApplicationNames()));