Fix build

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSubject.java

@@ -9,8 +9,12 @@
 package org.opensearch.identity.shiro;
 
 import java.security.Principal;
+import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 
+import org.opensearch.common.util.set.Sets;
+import org.opensearch.identity.Scope;
 import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.AuthToken;
 
@@ -22,6 +26,7 @@
 public class ShiroSubject implements Subject {
     private final AuthTokenHandler authTokenHandler;
     private final org.apache.shiro.subject.Subject shiroSubject;
+    private List<Scope> scopes;
 
     /**
      * Creates a new shiro subject for use with the IdentityPlugin
@@ -32,6 +37,7 @@ public class ShiroSubject implements Subject {
     public ShiroSubject(final AuthTokenHandler authTokenHandler, final org.apache.shiro.subject.Subject subject) {
         this.authTokenHandler = Objects.requireNonNull(authTokenHandler);
         this.shiroSubject = Objects.requireNonNull(subject);
+        this.scopes = List.of();
     }
 
     /**
@@ -88,4 +94,29 @@ public void authenticate(AuthToken authenticationToken) {
             .orElseThrow(() -> new UnsupportedAuthenticationToken());
         shiroSubject.login(authToken);
     }
+
+    /**
+     * Sets the scopes of the Subject to the provided list
+     * @param scopes The scopes the subject should have
+     */
+    public void setScopes(List<Scope> scopes) {
+        this.scopes = (scopes);
+    }
+
+    /**
+     * @return The scopes associated with the subject
+     */
+    public List<Scope> getScopes() {
+        return this.scopes;
+    }
+
+    /**
+     * @param scope The scope to check against the subject's associated scopes
+     * @return Whether any of the scopes match
+     */
+    @Override
+    public boolean isAllowed(List<Scope> scope) {
+        Set<Scope> intersection = Sets.intersection(Set.copyOf(this.scopes), Set.copyOf(scope));
+        return intersection.size() > 0;
+    }
 }

server/src/main/java/org/opensearch/action/admin/cluster/allocation/ClusterAllocationExplainAction.java

@@ -33,7 +33,6 @@
 package org.opensearch.action.admin.cluster.allocation;
 
 import java.util.List;
-import javax.swing.Action;
 import org.opensearch.action.ActionScopes;
 import org.opensearch.action.ActionType;
 import org.opensearch.identity.Scope;

server/src/main/java/org/opensearch/action/admin/cluster/repositories/get/GetRepositoriesAction.java

@@ -51,7 +51,6 @@ private GetRepositoriesAction() {
         super(NAME, GetRepositoriesResponse::new);
     }
 
-
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Cluster_Read, ActionScopes.Cluster_ALL);

server/src/main/java/org/opensearch/action/admin/indices/datastream/CreateDataStreamAction.java

@@ -60,7 +60,6 @@
 import java.io.IOException;
 import java.util.List;
 import java.util.Objects;
-import javax.swing.Action;
 
 /**
  * Transport action for creating a datastream

server/src/main/java/org/opensearch/action/admin/indices/flush/FlushAction.java

@@ -56,4 +56,3 @@ public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);
     }
 }
-

server/src/main/java/org/opensearch/action/admin/indices/get/GetIndexAction.java

@@ -48,5 +48,4 @@ private GetIndexAction() {
         super(NAME, GetIndexResponse::new);
     }
 
-
 }

server/src/main/java/org/opensearch/action/admin/indices/readonly/AddIndexBlockAction.java

@@ -33,7 +33,6 @@
 package org.opensearch.action.admin.indices.readonly;
 
 import java.util.List;
-import javax.swing.Action;
 import org.opensearch.action.ActionScopes;
 import org.opensearch.action.ActionType;
 import org.opensearch.identity.Scope;

server/src/main/java/org/opensearch/action/admin/indices/template/put/PutComponentTemplateAction.java

@@ -167,6 +167,7 @@ public String toString() {
             return sb.toString();
         }
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/client/node/NodeClient.java

@@ -140,7 +140,7 @@ public String getLocalNodeId() {
     private <Request extends ActionRequest, Response extends ActionResponse> TransportAction<Request, Response> transportAction(
         ActionType<Response> action
     ) {
-        if (!IdentityService.getInstance().getSubject().isAllowed(action.allowedScopes())) {
+        if (IdentityService.getInstance().getSubject().isAllowed(action.allowedScopes())) {
             final String scopeList = action.allowedScopes().stream().map(s -> s.toString()).collect(Collectors.joining(","));
             logger.debug("Request did not have any of the required scopes, " + scopeList);
             throw new OpenSearchSecurityException("Unauthorized, at least of these scopes is required, " + scopeList);

server/src/main/java/org/opensearch/identity/Subject.java

@@ -36,11 +36,5 @@ public interface Subject {
      * @param scope The scopes to check against the subject
      * @return true if allowed, false if none of the scopes are allowed.
      */
-    /// Draft Pull Request Remarks
-    // Permissions haven't been implemented yet, and there are good reasons to have permissions and scopes overlap,
-    // as well as have disconnected. For the moment lets look past that debate and get feedback around how
-    // scope might be added inside of OpenSearch and connected into various systems create security barriers between
-    // systems.
-    // This will need to be addressed before this change can come out of draft
     boolean isAllowed(final List<Scope> scope);
 }

server/src/main/java/org/opensearch/node/Node.java

@@ -189,7 +189,7 @@
 import org.opensearch.plugins.Plugin;
 import org.opensearch.plugins.PluginsService;
 import org.opensearch.plugins.RepositoryPlugin;
-import org.opensearch.plugins.ScopeProtectedActionPlugin;
+import org.opensearch.plugins.wrappers.ScopeProtectedActionPlugin;
 import org.opensearch.plugins.ScriptPlugin;
 import org.opensearch.plugins.SearchPlugin;
 import org.opensearch.plugins.SystemIndexPlugin;

server/src/main/java/org/opensearch/plugins/wrappers/ScopeProtectedActionPlugin.java

@@ -30,7 +30,7 @@
  * GitHub history for details.
  */
 
-package org.opensearch.plugins;
+package org.opensearch.plugins.wrappers;
 
 import org.opensearch.action.ActionType;
 import org.opensearch.action.ActionRequest;
@@ -47,6 +47,8 @@
 import org.opensearch.common.settings.SettingsFilter;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.identity.IdentityService;
+import org.opensearch.plugins.ActionPlugin;
+import org.opensearch.plugins.ExtensionPointScopes;
 import org.opensearch.rest.RestHandler;
 import org.opensearch.rest.RestHeaderDefinition;
 import org.opensearch.rest.RestController;
@@ -57,7 +59,7 @@
 import java.util.function.UnaryOperator;
 
 /**
- * Only allowed plugins are able able to response
+ * Only allowed plugins are able to respond
  *
  * @opensearch.experimental
  */
@@ -71,7 +73,7 @@ public ScopeProtectedActionPlugin(final ActionPlugin plugin, final IdentityServi
     }
 
     private void throwIfNotAllowed() {
-        if (!identity.getSubject().isAllowed(List.of(ExtensionPointScopes.Action))) {
+        if (identity.getSubject().isAllowed(List.of(ExtensionPointScopes.Action))) {
             throw new ExtensionPointScopes.ExtensionPointScopeException(ExtensionPointScopes.Action);
         }
     }

server/src/main/java/org/opensearch/rest/BaseRestHandler.java

@@ -103,7 +103,7 @@ public final long getUsageCount() {
     @Override
     public final void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
         final IdentityService identityService = IdentityService.getInstance();
-        if (!identityService.getSubject().isAllowed(allowedScopes())) {
+        if (identityService.getSubject().isAllowed(allowedScopes())) {
             final String scopeList = allowedScopes().stream().map(s -> s.toString()).collect(Collectors.joining(","));
             logger.debug("Request did not have any of the required scopes, " + scopeList);
             throw new IllegalArgumentException("Unauthorized, at least of these scopes is required, " + scopeList);

server/src/main/java/org/opensearch/rest/action/admin/cluster/RestClearVotingConfigExclusionsAction.java

@@ -72,6 +72,7 @@ protected RestChannelConsumer prepareRequest(final RestRequest request, final No
         }
         return channel -> client.execute(ClearVotingConfigExclusionsAction.INSTANCE, req, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Cluster_ALL);

server/src/main/java/org/opensearch/rest/action/admin/cluster/RestClusterPutWeightedRoutingAction.java

@@ -57,7 +57,6 @@ public static ClusterPutWeightedRoutingRequest createRequest(RestRequest request
         return putWeightedRoutingRequest;
     }
 
-
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Cluster_ALL);

server/src/main/java/org/opensearch/rest/action/admin/cluster/RestPutRepositoryAction.java

@@ -84,6 +84,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
         putRepositoryRequest.timeout(request.paramAsTime("timeout", putRepositoryRequest.timeout()));
         return channel -> client.admin().cluster().putRepository(putRepositoryRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Cluster_ALL);

server/src/main/java/org/opensearch/rest/action/admin/cluster/RestPutStoredScriptAction.java

@@ -91,6 +91,7 @@ public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client
         putRequest.timeout(request.paramAsTime("timeout", putRequest.timeout()));
         return channel -> client.admin().cluster().putStoredScript(putRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Cluster_ALL);

server/src/main/java/org/opensearch/rest/action/admin/cluster/RestRemoteClusterInfoAction.java

@@ -72,6 +72,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
     public boolean canTripCircuitBreaker() {
         return false;
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Cluster_Read, ActionScopes.Cluster_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestAddIndexBlockAction.java

@@ -83,6 +83,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
         addIndexBlockRequest.indicesOptions(IndicesOptions.fromRequest(request, addIndexBlockRequest.indicesOptions()));
         return channel -> client.admin().indices().addBlock(addIndexBlockRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestAnalyzeAction.java

@@ -97,6 +97,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
             return channel -> client.admin().indices().analyze(analyzeRequest, new RestToXContentListener<>(channel));
         }
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestClearIndicesCacheAction.java

@@ -89,6 +89,7 @@ public static ClearIndicesCacheRequest fromRequest(final RestRequest request, Cl
         clearIndicesCacheRequest.fields(request.paramAsStringArray("fields", clearIndicesCacheRequest.fields()));
         return clearIndicesCacheRequest;
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestCloseIndexAction.java

@@ -85,6 +85,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
         }
         return channel -> client.admin().indices().close(closeIndexRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestCreateDataStreamAction.java

@@ -65,6 +65,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
         CreateDataStreamAction.Request putDataStreamRequest = new CreateDataStreamAction.Request(request.param("name"));
         return channel -> client.admin().indices().createDataStream(putDataStreamRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestCreateIndexAction.java

@@ -108,9 +108,9 @@ static Map<String, Object> prepareMappings(Map<String, Object> source) {
         newSource.put("mappings", singletonMap(MapperService.SINGLE_MAPPING_NAME, mappings));
         return newSource;
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);
     }
 }
-

server/src/main/java/org/opensearch/rest/action/admin/indices/RestDataStreamsStatsAction.java

@@ -78,6 +78,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
         dataStreamsStatsRequest.indices(Strings.splitStringByCommaToArray(request.param("name")));
         return channel -> client.execute(DataStreamsStatsAction.INSTANCE, dataStreamsStatsRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestDeleteComponentTemplateAction.java

@@ -75,6 +75,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
 
         return channel -> client.execute(DeleteComponentTemplateAction.INSTANCE, deleteReq, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestDeleteComposableIndexTemplateAction.java

@@ -75,6 +75,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
 
         return channel -> client.execute(DeleteComposableIndexTemplateAction.INSTANCE, deleteReq, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestDeleteDataStreamAction.java

@@ -68,6 +68,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
         );
         return channel -> client.admin().indices().deleteDataStream(deleteDataStreamRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestDeleteIndexAction.java

@@ -80,6 +80,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
         deleteIndexRequest.indicesOptions(IndicesOptions.fromRequest(request, deleteIndexRequest.indicesOptions()));
         return channel -> client.admin().indices().delete(deleteIndexRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestDeleteIndexTemplateAction.java

@@ -74,6 +74,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
         parseDeprecatedMasterTimeoutParameter(deleteIndexTemplateRequest, request, deprecationLogger, getName());
         return channel -> client.admin().indices().deleteTemplate(deleteIndexTemplateRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestFlushAction.java

@@ -82,6 +82,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
         flushRequest.waitIfOngoing(request.paramAsBoolean("wait_if_ongoing", flushRequest.waitIfOngoing()));
         return channel -> client.admin().indices().flush(flushRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestForceMergeAction.java

@@ -95,6 +95,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
             );
         }
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestGetAliasesAction.java

@@ -209,6 +209,7 @@ public RestResponse buildResponse(GetAliasesResponse response, XContentBuilder b
             }
         });
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestGetComponentTemplateAction.java

@@ -104,6 +104,7 @@ protected RestStatus getStatus(final GetComponentTemplateAction.Response respons
     protected Set<String> responseParams() {
         return Settings.FORMAT_PARAMS;
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestGetComposableIndexTemplateAction.java

@@ -103,6 +103,7 @@ protected RestStatus getStatus(final GetComposableIndexTemplateAction.Response r
     protected Set<String> responseParams() {
         return Settings.FORMAT_PARAMS;
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestGetDataStreamsAction.java

@@ -67,6 +67,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
         );
         return channel -> client.admin().indices().getDataStreams(getDataStreamsRequest, new RestToXContentListener<>(channel));
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestGetFieldMappingAction.java

@@ -112,6 +112,7 @@ public RestResponse buildResponse(GetFieldMappingsResponse response, XContentBui
                 }
             });
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestGetIndexTemplateAction.java

@@ -105,6 +105,7 @@ protected RestStatus getStatus(final GetIndexTemplatesResponse response) {
     protected Set<String> responseParams() {
         return Settings.FORMAT_PARAMS;
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);

server/src/main/java/org/opensearch/rest/action/admin/indices/RestGetIndicesAction.java

@@ -96,6 +96,7 @@ public RestChannelConsumer prepareRequest(final RestRequest request, final NodeC
     protected Set<String> responseParams() {
         return Settings.FORMAT_PARAMS;
     }
+
     @Override
     public List<Scope> allowedScopes() {
         return List.of(ActionScopes.Index_ALL);