From 5a103eb25bb7618f2fbe37495c4fd6b9f355eb5f Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Thu, 23 Jan 2025 20:43:50 -0500
Subject: [PATCH] Ensure that plugin can search on system index when utilizing pluginSubject.runAs
Signed-off-by: Craig Perkins
---
 .../systemindex/SystemIndexTests.java | 34 ++++++++++
 .../RestUpdateOnSystemIndexAction.java | 64 +++++++++++++++++++
 .../sampleplugin/SystemIndexPlugin1.java | 3 +-
 .../configuration/DlsFlsValveImpl.java | 4 ++
 4 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java
diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java b/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java
index 8294d912e9..e8fdd9d7d4 100644
--- a/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java
+++ b/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java
@@ -238,6 +238,40 @@ public void testPluginShouldBeAbleGetOnItsSystemIndex() {
 assertThat(getResponse1.toPrettyString(), equalTo(getResponse2.toPrettyString()));
 }
+ @Test
+ public void testPluginShouldBeAbleUpdateOnItsSystemIndex() {
+ try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+ HttpResponse response = client.put("try-create-and-bulk-index/" + SYSTEM_INDEX_1);
+
+ assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+
+ HttpResponse searchResponse = client.get("search-on-system-index/" + SYSTEM_INDEX_1);
+
+ assertThat(searchResponse.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+ assertThat(searchResponse.getIntFromJsonBody("/hits/total/value"), equalTo(2));
+
+ String docId = searchResponse.getTextFromJsonBody("/hits/hits/0/_id");
+
+ HttpResponse updateResponse = client.put("update-on-system-index/" + SYSTEM_INDEX_1 + "/" + docId);
+
+ updateResponse.assertStatusCode(RestStatus.OK.getStatus());
+ }
+
+ try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
+ HttpResponse searchResponse = client.get(SYSTEM_INDEX_1 + "/_search");
+
+ searchResponse.assertStatusCode(RestStatus.OK.getStatus());
+
+ assertThat(searchResponse.getIntFromJsonBody("/hits/total/value"), equalTo(2));
+
+ String docId = searchResponse.getTextFromJsonBody("/hits/hits/0/_id");
+
+ HttpResponse getResponse = client.get(SYSTEM_INDEX_1 + "/_doc/" + docId);
+
+ assertThat("{\"content\":3}", equalTo(getResponse.bodyAsJsonNode().get("_source").toString()));
+ }
+ }
+
 @Test
 public void testPluginShouldNotBeAbleToBulkIndexDocumentIntoMixOfSystemIndexWhereAtLeastOneDoesNotBelongToPlugin() {
 try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
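Review bot: The second try block in `testPluginShouldBeAbleUpdateOnItsSystemIndex` re-derives `docId` from `/hits/hits/0/_id` of a fresh admin search instead of reusing the id that was updated in the first block, so the `{"content":3}` assertion only holds if both searches happen to return the same document first. With two documents and no explicit sort that ordering is not guaranteed; keep the id in one variable declared before the first try block and fetch `SYSTEM_INDEX_1 + "/_doc/" + updatedDocId` directly. The final `assertThat` also passes the expected JSON as the actual value, which gives a misleading failure message; prefer `assertThat(getResponse.bodyAsJsonNode().get("_source").toString(), equalTo("{\"content\":3}"));`. Only the allowed path is covered here; a companion case asserting that the update route is refused for an index the plugin does not own would pin the boundary this commit relaxes.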
diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java
new file mode 100644
index 0000000000..97e71e1b99
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+
+package org.opensearch.security.systemindex.sampleplugin;
+
+import java.util.List;
+
+import org.opensearch.action.update.UpdateRequest;
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.BytesRestResponse;
+import org.opensearch.rest.RestChannel;
+import org.opensearch.rest.RestRequest;
+
+import static java.util.Collections.singletonList;
+import static org.opensearch.rest.RestRequest.Method.PUT;
+
+public class RestUpdateOnSystemIndexAction extends BaseRestHandler {
+
+ private final RunAsSubjectClient pluginClient;
+
+ public RestUpdateOnSystemIndexAction(RunAsSubjectClient pluginClient) {
+ this.pluginClient = pluginClient;
+ }
+
+ @Override
+ public List routes() {
+ return singletonList(new Route(PUT, "/update-on-system-index/{index}/{docId}"));
+ }
+
+ @Override
+ public String getName() {
+ return "test_update_on_system_index_action";
+ }
+
+ @Override
+ public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) {
+ String indexName = request.param("index");
+ String docId = request.param("docId");
+ return new RestChannelConsumer() {
+
+ @Override
+ public void accept(RestChannel channel) throws Exception {
+ UpdateRequest updateRequest = new UpdateRequest();
+ updateRequest.index(indexName);
+ updateRequest.id(docId);
+ updateRequest.doc("content", 3);
+ pluginClient.update(updateRequest, ActionListener.wrap(r -> {
+ channel.sendResponse(new BytesRestResponse(RestStatus.OK, r.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS)));
+ }, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); }));
+ }
+ };
+ }
+}
diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java
index edd90d0568..4724a21e06 100644
--- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java
+++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java
@@ -90,7 +90,8 @@ public List getRestHandlers(
 new RestBulkIndexDocumentIntoSystemIndexAction(client, pluginClient),
 new RestBulkIndexDocumentIntoMixOfSystemIndexAction(client, pluginClient),
 new RestSearchOnSystemIndexAction(pluginClient),
- new RestGetOnSystemIndexAction(pluginClient)
+ new RestGetOnSystemIndexAction(pluginClient),
+ new RestUpdateOnSystemIndexAction(pluginClient)
 );
 }
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
index 498b908e5d..d63d89d250 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
@@ -81,6 +81,7 @@
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.HeaderHelper;
 import org.opensearch.threadpool.ThreadPool;
 public class DlsFlsValveImpl implements DlsFlsRequestValve {
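Review bot: The failure branch of `accept` in RestUpdateOnSystemIndexAction answers every exception with `RestStatus.FORBIDDEN`, so a missing document, a version conflict or a mapping error is indistinguishable from a security denial. In a fixture that exists to test authorization, that lets a negative test pass for the wrong reason; derive the status from the exception instead, e.g. `channel.sendResponse(new BytesRestResponse(ExceptionsHelper.status(fr), String.valueOf(fr)));` with an import of `org.opensearch.ExceptionsHelper`. If the sibling sample actions (not shown in this diff) deliberately map all failures to 403, keep the pattern but say so in a comment such as `// every failure is reported as 403; callers assert only on the authorization outcome`. A one-line class Javadoc stating that the handler is test-only and forwards the `index` and `docId` path parameters unchecked to `pluginClient` would also help readers.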
@@ -135,6 +136,9 @@ public DlsFlsValveImpl(
 */
 @Override
 public boolean invoke(PrivilegesEvaluationContext context, final ActionListener listener) {
+ if (HeaderHelper.isInternalOrPluginRequest(threadContext)) {
+ return true;
+ }
 DlsFlsProcessedConfig config = this.dlsFlsProcessedConfig.get();
 ActionRequest request = context.getRequest();
 IndexResolverReplacer.Resolved resolved = context.getResolvedRequest();
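Review bot: The new guard at the top of `invoke` returns before any DLS, FLS or field-masking evaluation whenever `HeaderHelper.isInternalOrPluginRequest(threadContext)` is true, and it runs before `context.getResolvedRequest()` is read, so the exemption is not limited to the plugin's own system indices. The helper's definition is not part of this diff; confirm that it cannot be true for a request carrying an end user's identity and that a missing user in the thread context is not treated as internal, since either case would fail open here. The guard should carry a why-comment, for example `// Internal and plugin-subject requests are exempt from DLS/FLS; see HeaderHelper.isInternalOrPluginRequest for what qualifies`, and the method Javadoc above the hunk should mention the exemption. A test that runs a plugin-subject search against a non-system index with DLS configured would document the intended behaviour. The body of `invoke` continues past the end of the hunk.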