Adapted RestLayerPrivilegesEvaluator

Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>
opensearch-project · Jul 12, 2024 · 30fcc0f · 30fcc0f
1 parent 0500d12
commit 30fcc0f
Show file tree

Hide file tree

Showing 10 changed files with 186 additions and 180 deletions.
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1142,7 +1142,7 @@ public Collection<Object> createComponents(
             principalExtractor = ReflectionHelper.instantiatePrincipalExtractor(principalExtractorClass);
         }
 
-        restLayerEvaluator = new RestLayerPrivilegesEvaluator(clusterService, threadPool);
+        restLayerEvaluator = new RestLayerPrivilegesEvaluator(evaluator);
 
         securityRestHandler = new SecurityRestFilter(
             backendRegistry,
@@ -1161,7 +1161,6 @@ public Collection<Object> createComponents(
         dcf.registerDCFListener(xffResolver);
         dcf.registerDCFListener(evaluator);
         dcf.registerDCFListener(restLayerEvaluator);
-        dcf.registerDCFListener(securityRestHandler);
         dcf.registerDCFListener(tokenManager);
         if (!(auditLog instanceof NullAuditLog)) {
             // Don't register if advanced modules is disabled in which case auditlog is instance of NullAuditLog

diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -27,12 +27,14 @@
 package org.opensearch.security.filter;
 
 import java.nio.file.Path;
+import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 import java.util.regex.Pattern;
 import javax.net.ssl.SSLPeerUnverifiedException;
 
+import com.google.common.collect.ImmutableSet;
 import org.apache.http.HttpStatus;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -225,17 +227,12 @@ void authorizeRequest(RestHandler original, SecurityRequestChannel request, User
         if (routeSupportsRestAuthorization) {
             PrivilegesEvaluatorResponse pres = new PrivilegesEvaluatorResponse();
             NamedRoute route = ((NamedRoute) handler.get());
-            // if actionNames are present evaluate those first
-            Set<String> actionNames = route.actionNames();
-            if (actionNames != null && !actionNames.isEmpty()) {
-                pres = evaluator.evaluate(user, actionNames);
-            }
-
-            // now if pres.allowed is still false check for the NamedRoute name as a permission
-            if (!pres.isAllowed()) {
-                String action = route.name();
-                pres = evaluator.evaluate(user, Set.of(action));
-            }
+            // Check both route.actionNames() and route.name(). The presence of either is sufficient.
+            Set<String> actionNames = ImmutableSet.<String>builder()
+                .addAll(route.actionNames() != null ? route.actionNames() : Collections.emptySet())
+                .add(route.name())
+                .build();
+            pres = evaluator.evaluate(user, route.name(), actionNames);
 
             if (log.isDebugEnabled()) {
                 log.debug(pres.toString());

diff --git a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
@@ -111,6 +111,10 @@ public PrivilegesEvaluatorResponse hasClusterPrivilege(PrivilegesEvaluationConte
         return cluster.providesPrivilege(context, action, context.getMappedRoles());
     }
 
+    public PrivilegesEvaluatorResponse hasAnyClusterPrivilege(PrivilegesEvaluationContext context, Set<String> actions) {
+        return cluster.providesAnyPrivilege(context, actions, context.getMappedRoles());
+    }
+
     public PrivilegesEvaluatorResponse hasIndexPrivilege(
         PrivilegesEvaluationContext context,
         Set<String> actions,
@@ -311,6 +315,46 @@ PrivilegesEvaluatorResponse providesPrivilege(PrivilegesEvaluationContext contex
 
             return PrivilegesEvaluatorResponse.insufficient(action, context);
         }
+
+        /**
+         * Checks whether this instance provides privileges for the combination of any of the provided actions and the
+         * provided roles. Returns a PrivilegesEvaluatorResponse with allowed=true if privileges are available.
+         * Otherwise, allowed will be false and missingPrivileges will contain the name of the given action.
+         */
+        PrivilegesEvaluatorResponse providesAnyPrivilege(PrivilegesEvaluationContext context, Set<String> actions, Set<String> roles) {
+            // 1: Check roles with wildcards
+            if (CollectionUtils.containsAny(roles, this.rolesWithWildcardPermissions)) {
+                return PrivilegesEvaluatorResponse.ok();
+            }
+
+            // 2: Check well-known actions - this should cover most cases
+            for (String action : actions) {
+                ImmutableSet<String> rolesWithPrivileges = this.actionToRoles.get(action);
+
+                if (rolesWithPrivileges != null && CollectionUtils.containsAny(roles, rolesWithPrivileges)) {
+                    return PrivilegesEvaluatorResponse.ok();
+                }
+            }
+
+            // 3: Only if everything else fails: Check the matchers in case we have a non-well-known action
+            for (String action : actions) {
+                if (!this.wellKnownClusterActions.contains(action)) {
+                    for (String role : roles) {
+                        WildcardMatcher matcher = this.rolesToActionMatcher.get(role);
+
+                        if (matcher != null && matcher.test(action)) {
+                            return PrivilegesEvaluatorResponse.ok();
+                        }
+                    }
+                }
+            }
+
+            if (actions.size() == 1) {
+                return PrivilegesEvaluatorResponse.insufficient(actions.iterator().next(), context);
+            } else {
+                return PrivilegesEvaluatorResponse.insufficient("any of " + actions, context);
+            }
+        }
     }
 
     /**

diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java
@@ -51,7 +51,7 @@ public class PrivilegesEvaluationContext {
      */
     private final Map<String, WildcardMatcher> renderedPatternTemplateCache = new HashMap<>();
 
-    public PrivilegesEvaluationContext(
+    PrivilegesEvaluationContext(
         User user,
         ImmutableSet<String> mappedRoles,
         String action,

diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -188,18 +188,22 @@ public PrivilegesEvaluator(
         pitPrivilegesEvaluator = new PitPrivilegesEvaluator();
         this.namedXContentRegistry = namedXContentRegistry;
 
-        configurationRepository.subscribeOnChange(configMap -> {
-            try {
-                // TODO: It is not nice that we cannot use a concrete generic parameter for SecurityDynamicConfiguration
-                // TODO: At the moment, the implementations only support the V7 config objects
-                SecurityDynamicConfiguration<?> actionGroupsConfiguration = configurationRepository.getConfiguration(CType.ACTIONGROUPS);
-                SecurityDynamicConfiguration<?> rolesConfiguration = configurationRepository.getConfiguration(CType.ROLES);
-
-                this.updateConfiguration(actionGroupsConfiguration, rolesConfiguration);
-            } catch (Exception e) {
-                log.error("Error while updating ActionPrivileges object with {}", configMap, e);
-            }
-        });
+        if (configurationRepository != null) {
+            configurationRepository.subscribeOnChange(configMap -> {
+                try {
+                    // TODO: It is not nice that we cannot use a concrete generic parameter for SecurityDynamicConfiguration
+                    // TODO: At the moment, the implementations only support the V7 config objects
+                    SecurityDynamicConfiguration<?> actionGroupsConfiguration = configurationRepository.getConfiguration(
+                        CType.ACTIONGROUPS
+                    );
+                    SecurityDynamicConfiguration<?> rolesConfiguration = configurationRepository.getConfiguration(CType.ROLES);
+
+                    this.updateConfiguration(actionGroupsConfiguration, rolesConfiguration);
+                } catch (Exception e) {
+                    log.error("Error while updating ActionPrivileges object with {}", configMap, e);
+                }
+            });
+        }
 
         if (clusterService != null) {
             clusterService.addListener(new ClusterStateListener() {
@@ -226,11 +230,11 @@ void updateConfiguration(
         if (rolesConfiguration != null) {
             @SuppressWarnings("unchecked")
             SecurityDynamicConfiguration<ActionGroupsV7> actionGroupsWithStatics = actionGroupsConfiguration != null
-                ? (SecurityDynamicConfiguration<ActionGroupsV7>) DynamicConfigFactory.addStatics(actionGroupsConfiguration.deepClone())
+                ? (SecurityDynamicConfiguration<ActionGroupsV7>) DynamicConfigFactory.addStatics(actionGroupsConfiguration.clone())
                 : (SecurityDynamicConfiguration<ActionGroupsV7>) DynamicConfigFactory.addStatics(SecurityDynamicConfiguration.empty());
             FlattenedActionGroups flattenedActionGroups = new FlattenedActionGroups(actionGroupsWithStatics);
             ActionPrivileges actionPrivileges = new ActionPrivileges(
-                DynamicConfigFactory.addStatics(rolesConfiguration.deepClone()),
+                DynamicConfigFactory.addStatics(rolesConfiguration.clone()),
                 flattenedActionGroups,
                 () -> clusterStateSupplier.get().metadata().getIndicesLookup()
             );
@@ -249,6 +253,10 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
         this.dcm = dcm;
     }
 
+    ActionPrivileges getActionPrivileges() {
+        return this.actionPrivileges;
+    }
+
     public SecurityRoles getSecurityRoles(Set<String> roles) {
         return configModel.getSecurityRoles().filter(roles);
     }
@@ -264,7 +272,7 @@ private boolean hasRestAdminPermissions(final Set<String> roles, String permissi
     }
 
     public boolean isInitialized() {
-        return configModel != null && configModel.getSecurityRoles() != null && dcm != null;
+        return configModel != null && dcm != null && actionPrivileges != null;
     }
 
     private void setUserInfoInThreadContext(User user) {
@@ -281,6 +289,10 @@ private void setUserInfoInThreadContext(User user) {
         }
     }
 
+    public PrivilegesEvaluationContext createContext(User user, String action) {
+        return createContext(user, action, null, null, null);
+    }
+
     public PrivilegesEvaluationContext createContext(
         User user,
         String action0,

diff --git a/src/main/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluator.java
@@ -16,85 +16,38 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import org.opensearch.OpenSearchSecurityException;
-import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.util.concurrent.ThreadContext;
-import org.opensearch.core.common.transport.TransportAddress;
-import org.opensearch.security.securityconf.ConfigModel;
-import org.opensearch.security.securityconf.SecurityRoles;
-import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.user.User;
-import org.opensearch.threadpool.ThreadPool;
-
-import org.greenrobot.eventbus.Subscribe;
 
 public class RestLayerPrivilegesEvaluator {
     protected final Logger log = LogManager.getLogger(this.getClass());
-    private final ClusterService clusterService;
-    private ThreadContext threadContext;
-    private ConfigModel configModel;
-
-    public RestLayerPrivilegesEvaluator(final ClusterService clusterService, final ThreadPool threadPool) {
-        this.clusterService = clusterService;
-        this.threadContext = threadPool.getThreadContext();
-    }
-
-    @Subscribe
-    public void onConfigModelChanged(final ConfigModel configModel) {
-        this.configModel = configModel;
-    }
-
-    SecurityRoles getSecurityRoles(final Set<String> roles) {
-        return configModel.getSecurityRoles().filter(roles);
-    }
+    private final PrivilegesEvaluator privilegesEvaluator;
 
-    boolean isInitialized() {
-        return configModel != null && configModel.getSecurityRoles() != null;
+    public RestLayerPrivilegesEvaluator(PrivilegesEvaluator privilegesEvaluator) {
+        this.privilegesEvaluator = privilegesEvaluator;
     }
 
-    public PrivilegesEvaluatorResponse evaluate(final User user, final Set<String> actions) {
-        if (!isInitialized()) {
-            throw new OpenSearchSecurityException("OpenSearch Security is not initialized.");
-        }
-
-        final TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
-
-        final Set<String> mappedRoles = mapRoles(user, caller);
-
-        final SecurityRoles securityRoles = getSecurityRoles(mappedRoles);
+    public PrivilegesEvaluatorResponse evaluate(final User user, final String routeName, final Set<String> actions) {
+        PrivilegesEvaluationContext context = privilegesEvaluator.createContext(user, routeName);
 
         final boolean isDebugEnabled = log.isDebugEnabled();
         if (isDebugEnabled) {
-            log.debug("Evaluate permissions for {} on {}", user, clusterService.localNode().getName());
+            log.debug("Evaluate permissions for {}", user);
             log.debug("Action: {}", actions);
-            log.debug("Mapped roles: {}", mappedRoles.toString());
+            log.debug("Mapped roles: {}", context.getMappedRoles().toString());
         }
 
-        for (final String action : actions) {
-            if (!securityRoles.impliesClusterPermissionPermission(action)) {
-                // TODO This will exhibit a weird behaviour when a REST action specifies two permissions, and
-                // if the user has no permissions for the first one, but has permissions for the second one:
-                // First, the information "No permission match" will be logged, but then the action will be
-                // allowed nevertheless.
-                log.info(
-                    "No permission match for {} [Action [{}]] [RolesChecked {}]. No permissions for {}",
-                    user,
-                    action,
-                    securityRoles.getRoleNames(),
-                    action
-                );
-            } else {
-                if (isDebugEnabled) {
-                    log.debug("Allowed because we have permissions for {}", actions);
-                }
-                return PrivilegesEvaluatorResponse.ok();
-            }
-        }
+        PrivilegesEvaluatorResponse result = privilegesEvaluator.getActionPrivileges().hasAnyClusterPrivilege(context, actions);
 
-        return PrivilegesEvaluatorResponse.insufficient(actions).resolvedSecurityRoles(mappedRoles);
-    }
+        if (!result.allowed) {
+            log.info(
+                "No permission match for {} [Action [{}]] [RolesChecked {}]. No permissions for {}",
+                user,
+                routeName,
+                context.getMappedRoles(),
+                result.getMissingPrivileges()
+            );
+        }
 
-    Set<String> mapRoles(final User user, final TransportAddress caller) {
-        return this.configModel.mapSecurityRoles(user, caller);
+        return result;
     }
 }
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
@@ -169,6 +169,7 @@ public static <T> SecurityDynamicConfiguration<T> fromYaml(String yaml, CType ct
             DefaultObjectMapper.getTypeFactory().constructParametricType(SecurityDynamicConfiguration.class, implementationClass)
         );
         result.ctype = ctype;
+        result.version = 2;
         return result;
     }
 
@@ -327,6 +328,18 @@ public Class<?> getImplementingClass() {
         return getCType() == null ? null : getCType().getImplementationClass().get(getVersion());
     }
 
+    @JsonIgnore
+    public SecurityDynamicConfiguration<T> clone() {
+        SecurityDynamicConfiguration<T> result = new SecurityDynamicConfiguration<T>();
+        result.version = this.version;
+        result.ctype = this.ctype;
+        result.primaryTerm = this.primaryTerm;
+        result.seqNo = this.seqNo;
+        result._meta = this._meta;
+        result.centries.putAll(this.centries);
+        return result;
+    }
+
     @JsonIgnore
     public SecurityDynamicConfiguration<T> deepClone() {
         try {

diff --git a/src/test/java/org/opensearch/security/privileges/ActionPrivilegesTest.java b/src/test/java/org/opensearch/security/privileges/ActionPrivilegesTest.java
@@ -571,8 +571,8 @@ static PrivilegesEvaluationContext ctx(String... roles) {
             null,
             null,
             null,
-                new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
-        null
+            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
+            null
         );
     }
 }