Add render search template as a cluster permission (#3689)

### Description Companion PRs in core: - opensearch-project/OpenSearch#11170 - opensearch-project/OpenSearch#11591 This PR adds render search template as a cluster perm so that its separately permissioned from a SearchTemplateRequest which needs a set of indices to authorize the request. The companion PR in core separates the transport actions that handle search template request and render search template request so that they can be authorized separately. I am opening this in Draft until the core PR is merged because this PR depends on the core PR. * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix ### Issues Resolved - #3672 ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Craig Perkins <cwperx@amazon.com>
opensearch-project · Dec 19, 2023 · cc57710 · cc57710
1 parent 918c821
commit cc57710
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 3 deletions.
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -18,6 +18,7 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.script.mustache.MustacheModulePlugin;
+import org.opensearch.script.mustache.RenderSearchTemplateAction;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -49,15 +50,25 @@ public class PrivilegesEvaluatorTest {
         new Role("search_template_role").indexPermissions("read").on("services").clusterPermissions("cluster_composite_ops")
     );
 
+    protected final static TestSecurityConfig.User RENDER_SEARCH_TEMPLATE = new TestSecurityConfig.User("render_search_template_user")
+        .roles(
+            new Role("render_search_template_role").indexPermissions("read")
+                .on("services")
+                .clusterPermissions(RenderSearchTemplateAction.NAME)
+        );
+
     private String TEST_QUERY =
         "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}";
 
     private String TEST_DOC = "{\"source\": {\"title\": \"Spirited Away\"}}";
 
+    private String TEST_RENDER_SEARCH_TEMPLATE_QUERY =
+        "{\"params\":{\"status\":[\"pending\",\"published\"]},\"source\":\"{\\\"query\\\": {\\\"terms\\\": {\\\"status\\\": [\\\"{{#status}}\\\",\\\"{{.}}\\\",\\\"{{/status}}\\\"]}}}\"}";
+
     @ClassRule
     public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
         .authc(AUTHC_HTTPBASIC_INTERNAL)
-        .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
+        .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, RENDER_SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
         .plugin(MustacheModulePlugin.class)
         .build();
 
@@ -118,4 +129,28 @@ public void testSearchTemplateRequestUnauthorizedAllIndices() {
             assertThat(searchOnAllIndicesResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
         }
     }
+
+    @Test
+    public void testRenderSearchTemplateRequestFailure() {
+        try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+            final String renderSearchTemplate = "_render/template";
+            final TestRestClient.HttpResponse renderSearchTemplateResponse = client.postJson(
+                renderSearchTemplate,
+                TEST_RENDER_SEARCH_TEMPLATE_QUERY
+            );
+            assertThat(renderSearchTemplateResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+        }
+    }
+
+    @Test
+    public void testRenderSearchTemplateRequestSuccess() {
+        try (TestRestClient client = cluster.getRestClient(RENDER_SEARCH_TEMPLATE)) {
+            final String renderSearchTemplate = "_render/template";
+            final TestRestClient.HttpResponse renderSearchTemplateResponse = client.postJson(
+                renderSearchTemplate,
+                TEST_RENDER_SEARCH_TEMPLATE_QUERY
+            );
+            assertThat(renderSearchTemplateResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        }
+    }
 }
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -81,6 +81,7 @@
 import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.reindex.ReindexAction;
+import org.opensearch.script.mustache.RenderSearchTemplateAction;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.configuration.ClusterInfoHolder;
 import org.opensearch.security.configuration.ConfigurationRepository;
@@ -696,8 +697,7 @@ public static boolean isClusterPerm(String action0) {
             || (action0.startsWith(MultiSearchAction.NAME))
             || (action0.equals(MultiTermVectorsAction.NAME))
             || (action0.equals(ReindexAction.NAME))
-
-        );
+            || (action0.equals(RenderSearchTemplateAction.NAME)));
     }
 
     @SuppressWarnings("unchecked")