From e986cc40f06a1fca1ee8b871924ebb60a3d261b8 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Sun, 5 Apr 2026 23:27:42 -0400 Subject: [PATCH 1/2] Combine RestApiPrivilegesEvaluator and RestApiAdminPrivilegesEvaluator to RestApiAuthorizationEvaluator 
Signed-off-by: Craig Perkins --- .../security/OpenSearchSecurityPlugin.java | 4 +- .../dlic/rest/api/AbstractApiAction.java | 10 +- .../dlic/rest/api/AccountApiAction.java | 4 +- .../dlic/rest/api/ActionGroupsApiAction.java | 4 +- .../dlic/rest/api/AllowlistApiAction.java | 4 +- .../dlic/rest/api/AuditApiAction.java | 4 +- .../dlic/rest/api/CertificatesApiAction.java | 4 +- .../dlic/rest/api/ConfigUpgradeApiAction.java | 4 +- .../dlic/rest/api/InternalUsersApiAction.java | 4 +- .../rest/api/MultiTenancyConfigApiAction.java | 4 +- .../dlic/rest/api/NodesDnApiAction.java | 4 +- .../dlic/rest/api/PermissionsInfoAction.java | 13 +- .../dlic/rest/api/RateLimitersApiAction.java | 4 +- .../api/RestApiAdminPrivilegesEvaluator.java | 162 ------- ...ava => RestApiAuthorizationEvaluator.java} | 399 ++++++++++-------- .../dlic/rest/api/RolesApiAction.java | 4 +- .../dlic/rest/api/RolesMappingApiAction.java | 4 +- .../rest/api/RollbackVersionApiAction.java | 4 +- .../rest/api/SecurityApiDependencies.java | 17 +- .../rest/api/SecurityConfigApiAction.java | 9 +- .../dlic/rest/api/SecurityRestApiActions.java | 20 +- .../rest/api/SecuritySSLCertsApiAction.java | 8 +- .../dlic/rest/api/TenantsApiAction.java | 4 +- .../dlic/rest/api/ViewVersionApiAction.java | 4 +- .../rest/validation/EndpointValidator.java | 10 +- .../MigrateResourceSharingInfoApiAction.java | 10 +- .../api/AbstractApiActionValidationTest.java | 5 +- .../rest/api/AbstractRestApiUnitTest.java | 3 +- .../ActionGroupsApiActionValidationTest.java | 4 +- ...=> RestApiAuthorizationEvaluatorTest.java} | 9 +- .../api/RolesApiActionValidationTest.java | 2 +- .../RolesMappingApiActionValidationTest.java | 4 +- ...ollbackVersionApiActionValidationTest.java | 3 +- ...SecurityConfigApiActionValidationTest.java | 11 +- ...curitySSLCertsApiActionValidationTest.java | 12 +- .../ViewVersionApiActionValidationTest.java | 3 +- .../validation/EndpointValidatorTest.java | 20 +- 37 files changed, 339 insertions(+), 459 deletions(-) 
delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java rename src/main/java/org/opensearch/security/dlic/rest/api/{RestApiPrivilegesEvaluator.java => RestApiAuthorizationEvaluator.java} (59%) rename src/test/java/org/opensearch/security/dlic/rest/api/{RestApiPrivilegesEvaluatorTest.java => RestApiAuthorizationEvaluatorTest.java} (86%) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 3cdeaa2e31..81863fc184 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -245,8 +245,8 @@ import org.opensearch.watcher.ResourceWatcherService; import static org.opensearch.http.HttpTransportSettings.SETTING_HTTP_HTTP3_ENABLED; -import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS; -import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE; +import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.ENDPOINTS_WITH_PERMISSIONS; +import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.SECURITY_CONFIG_UPDATE; import static org.opensearch.security.privileges.dlsfls.FieldMasking.Config.BLAKE2B_LEGACY_DEFAULT; import static org.opensearch.security.resources.ResourceSharingIndexHandler.getSharingIndex; import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting; diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java index c24705e260..5cd5a09a91 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java 
@@ -119,7 +119,7 @@ protected AbstractApiAction( } private void buildDefaultRequestHandlers(final RequestHandler.RequestHandlersBuilder builder) { - builder.withAccessHandler(request -> securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint)) + builder.withAccessHandler(request -> securityApiDependencies.restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint)) .withSaveOrUpdateConfigurationHandler(this::saveOrUpdateConfiguration) .add(Method.POST, methodNotImplementedHandler) .add(Method.PATCH, methodNotImplementedHandler) @@ -397,7 +397,7 @@ protected ValidationResult> loadConfiguration( ); } if (omitSensitiveData) { - if (!securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint)) { + if (!securityApiDependencies.restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint)) { configuration.removeHidden(); } configuration.clearHashes(); @@ -423,8 +423,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override @@ -594,7 +594,7 @@ protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClie } // check if request is authorized - final String authError = securityApiDependencies.restApiPrivilegesEvaluator().checkAccessPermissions(request, endpoint); + final String authError = securityApiDependencies.restApiAuthorizationEvaluator().checkAccessPermissions(request, endpoint); final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); final String userName = user == null ? null : user.getName(); 
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java index a74983733e..517479b165 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java @@ -191,8 +191,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java index 751de30905..af5c2e9d48 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java @@ -129,8 +129,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java index 8462ec3fcf..b64fbf7898 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java 
@@ -120,8 +120,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java index 690458da2f..0880ce24e6 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java @@ -289,8 +289,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java index 61f1695b21..d9c4f0f1d1 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java @@ -30,7 +30,7 @@ import static org.opensearch.security.dlic.rest.api.Responses.internalServerError; import static org.opensearch.security.dlic.rest.api.Responses.ok; -import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION; +import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.CERTS_INFO_ACTION; import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_API_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; 
@@ -118,7 +118,7 @@ private String certType(final RestRequest request) { boolean accessHandler(final RestRequest request) { if (request.method() == RestRequest.Method.GET) { - return securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint, CERTS_INFO_ACTION); + return securityApiDependencies.restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint, CERTS_INFO_ACTION); } else { return false; } diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java index 4456a1cbad..d96e697985 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java @@ -369,8 +369,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java index f0eeb89926..7e8ecc2217 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java @@ -283,8 +283,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override 
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java index 4782f4686a..33dc2cd055 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java @@ -113,8 +113,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java index d7d13014c6..9daca7dab8 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java @@ -152,8 +152,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java index 06f407f715..407f97c9b9 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java 
@@ -35,6 +35,7 @@ import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.configuration.AdminDNs; import org.opensearch.security.configuration.ConfigurationRepository; +import org.opensearch.security.privileges.PrivilegesConfiguration; import org.opensearch.security.privileges.RoleMapper; import org.opensearch.security.ssl.transport.PrincipalExtractor; import org.opensearch.security.support.ConfigConstants; @@ -58,7 +59,7 @@ public class PermissionsInfoAction extends BaseRestHandler { ImmutableList.of(new DeprecatedRoute(Method.GET, "/permissionsinfo", OPENDISTRO_API_DEPRECATION_MESSAGE)) ); - private final RestApiPrivilegesEvaluator restApiPrivilegesEvaluator; + private final RestApiAuthorizationEvaluator restApiAuthorizationEvaluator; private final ThreadPool threadPool; private final RoleMapper roleMapper; private final ConfigurationRepository configurationRepository; @@ -73,19 +74,21 @@ protected PermissionsInfoAction( final ClusterService cs, final PrincipalExtractor principalExtractor, final RoleMapper roleMapper, + final PrivilegesConfiguration privilegesConfiguration, ThreadPool threadPool, AuditLog auditLog ) { super(); this.threadPool = threadPool; this.roleMapper = roleMapper; - this.restApiPrivilegesEvaluator = new RestApiPrivilegesEvaluator( + this.restApiAuthorizationEvaluator = new RestApiAuthorizationEvaluator( settings, adminDNs, roleMapper, principalExtractor, configPath, - threadPool + threadPool, + privilegesConfiguration ); this.configurationRepository = configurationRepository; } 
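Review bot: `PermissionsInfoAction` now has to be handed a `PrivilegesConfiguration` solely to satisfy the merged evaluator's constructor, while the action itself (see the `accept` hunk further down in this file) only calls `currentUserHasRestApiAccess` and `getDisabledEndpointsForCurrentUser`, which in the old `RestApiPrivilegesEvaluator` did not need any privileges configuration. Injecting the already-built `RestApiAuthorizationEvaluator` that `SecurityApiDependencies` appears to carry (per the diffstat) would avoid a second evaluator instance that re-parses the same REST API settings and keeps one source of truth for the authorization decision. If the constructor keeps building its own instance, a short comment on the `new RestApiAuthorizationEvaluator(` line such as `// dedicated evaluator instance; this action only uses the role-based endpoint access checks` would tell the next reader why the extra dependency is wired through.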
@@ -130,8 +133,8 @@ public void accept(RestChannel channel) throws Exception { final TransportAddress remoteAddress = threadPool.getThreadContext() .getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS); Set userRoles = roleMapper.map(user, remoteAddress); - Boolean hasApiAccess = restApiPrivilegesEvaluator.currentUserHasRestApiAccess(userRoles); - Map> disabledEndpoints = restApiPrivilegesEvaluator.getDisabledEndpointsForCurrentUser( + Boolean hasApiAccess = restApiAuthorizationEvaluator.currentUserHasRestApiAccess(userRoles); + Map> disabledEndpoints = restApiAuthorizationEvaluator.getDisabledEndpointsForCurrentUser( user.getName(), userRoles ); diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RateLimitersApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RateLimitersApiAction.java index b250923471..e2c9337014 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RateLimitersApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/RateLimitersApiAction.java @@ -121,8 +121,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java deleted file mode 100644 index 9045fcbcd3..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java +++ /dev/null 
@@ -1,162 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api; - -import java.util.Locale; -import java.util.Map; - -import com.google.common.collect.ImmutableMap; -import org.apache.commons.lang3.tuple.Pair; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; - -import org.opensearch.common.util.concurrent.ThreadContext; -import org.opensearch.core.common.transport.TransportAddress; -import org.opensearch.security.configuration.AdminDNs; -import org.opensearch.security.dlic.rest.support.Utils; -import org.opensearch.security.privileges.PrivilegesConfiguration; -import org.opensearch.security.privileges.PrivilegesEvaluationContext; -import org.opensearch.security.securityconf.impl.v7.ActionGroupsV7; -import org.opensearch.security.securityconf.impl.v7.RoleV7; -import org.opensearch.security.support.WildcardMatcher; -import org.opensearch.security.user.User; - -import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; - -public class RestApiAdminPrivilegesEvaluator { - - protected final Logger logger = LogManager.getLogger(RestApiAdminPrivilegesEvaluator.class); - - public final static String CERTS_INFO_ACTION = "certs/info"; - - public final static String RELOAD_CERTS_ACTION = "certs/reload"; - - public final static String SECURITY_CONFIG_UPDATE = "update"; - - public final static String RESOURCE_MIGRATE_ACTION = "migrate"; - - private final static String REST_API_PERMISSION_PREFIX = "restapi:admin"; - - private final static String REST_ENDPOINT_PERMISSION_PATTERN = REST_API_PERMISSION_PREFIX + "/%s"; - - private final static String REST_ENDPOINT_ACTION_PERMISSION_PATTERN = 
REST_API_PERMISSION_PREFIX + "/%s/%s"; - - private final static WildcardMatcher REST_API_PERMISSION_PREFIX_MATCHER = WildcardMatcher.from(REST_API_PERMISSION_PREFIX + "/*"); - - @FunctionalInterface - public interface PermissionBuilder { - - default String build() { - return build(null); - } - - String build(final String action); - - } - - public final static Map ENDPOINTS_WITH_PERMISSIONS = ImmutableMap.builder() - .put(Endpoint.ACTIONGROUPS, action -> buildEndpointPermission(Endpoint.ACTIONGROUPS)) - .put(Endpoint.ALLOWLIST, action -> buildEndpointPermission(Endpoint.ALLOWLIST)) - .put(Endpoint.CONFIG, action -> buildEndpointActionPermission(Endpoint.CONFIG, action)) - .put(Endpoint.INTERNALUSERS, action -> buildEndpointPermission(Endpoint.INTERNALUSERS)) - .put(Endpoint.NODESDN, action -> buildEndpointPermission(Endpoint.NODESDN)) - .put(Endpoint.RATELIMITERS, action -> buildEndpointPermission(Endpoint.RATELIMITERS)) - .put(Endpoint.ROLES, action -> buildEndpointPermission(Endpoint.ROLES)) - .put(Endpoint.ROLESMAPPING, action -> buildEndpointPermission(Endpoint.ROLESMAPPING)) - .put(Endpoint.TENANTS, action -> buildEndpointPermission(Endpoint.TENANTS)) - .put(Endpoint.VIEW_VERSION, action -> buildEndpointPermission(Endpoint.VIEW_VERSION)) - .put(Endpoint.ROLLBACK_VERSION, action -> buildEndpointPermission(Endpoint.ROLLBACK_VERSION)) - .put(Endpoint.SSL, action -> buildEndpointActionPermission(Endpoint.SSL, action)) - .put(Endpoint.RESOURCE_SHARING, action -> buildEndpointActionPermission(Endpoint.RESOURCE_SHARING, action)) - .build(); - - private final ThreadContext threadContext; - - private final PrivilegesConfiguration privilegesConfiguration; - - private final AdminDNs adminDNs; - - private final boolean restapiAdminEnabled; - - public RestApiAdminPrivilegesEvaluator( - final ThreadContext threadContext, - final PrivilegesConfiguration privilegesConfiguration, - final AdminDNs adminDNs, - final boolean restapiAdminEnabled - ) { - this.threadContext = 
threadContext; - this.privilegesConfiguration = privilegesConfiguration; - this.adminDNs = adminDNs; - this.restapiAdminEnabled = restapiAdminEnabled; - } - - public boolean isCurrentUserAdminFor(final Endpoint endpoint, final String action) { - final Pair userAndRemoteAddress = Utils.userAndRemoteAddressFrom(threadContext); - if (userAndRemoteAddress.getLeft() == null) { - return false; - } - if (adminDNs.isAdmin(userAndRemoteAddress.getLeft())) { - return true; - } - if (!ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint)) { - logger.debug("No permission found for {} endpoint", endpoint); - return false; - } - final String permission = ENDPOINTS_WITH_PERMISSIONS.get(endpoint).build(action); - PrivilegesEvaluationContext context = privilegesConfiguration.privilegesEvaluator() - .createContext(userAndRemoteAddress.getLeft(), permission); - final boolean hasAccess = context.getActionPrivileges().hasExplicitClusterPrivilege(context, permission).isAllowed(); - - if (logger.isDebugEnabled()) { - logger.debug( - "User {} with permission {} {} access to endpoint {}", - userAndRemoteAddress.getLeft().getName(), - permission, - hasAccess ? "has" : "has no", - endpoint - ); - logger.debug( - "{} set to {}. {} use access decision", - SECURITY_RESTAPI_ADMIN_ENABLED, - restapiAdminEnabled, - restapiAdminEnabled ? 
"Will" : "Will not" - ); - } - return hasAccess && restapiAdminEnabled; - } - - public boolean containsRestApiAdminPermissions(final Object configObject) { - if (configObject == null) { - return false; - } - if (configObject instanceof RoleV7) { - return ((RoleV7) configObject).getCluster_permissions().stream().anyMatch(REST_API_PERMISSION_PREFIX_MATCHER); - } else if (configObject instanceof ActionGroupsV7) { - return ((ActionGroupsV7) configObject).getAllowed_actions().stream().anyMatch(REST_API_PERMISSION_PREFIX_MATCHER); - } else { - return false; - } - } - - public boolean isCurrentUserAdminFor(final Endpoint endpoint) { - return isCurrentUserAdminFor(endpoint, null); - } - - private static String buildEndpointActionPermission(final Endpoint endpoint, final String action) { - return String.format(REST_ENDPOINT_ACTION_PERMISSION_PATTERN, endpoint.name().toLowerCase(Locale.ROOT), action); - } - - private static String buildEndpointPermission(final Endpoint endpoint) { - return String.format(REST_ENDPOINT_PERMISSION_PATTERN, endpoint.name().toLowerCase(Locale.ROOT)); - } - -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAuthorizationEvaluator.java similarity index 59% rename from src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java rename to src/main/java/org/opensearch/security/dlic/rest/api/RestApiAuthorizationEvaluator.java index 5a3b66a561..e93e57a253 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAuthorizationEvaluator.java 
@@ -21,15 +21,18 @@ import java.util.HashSet; import java.util.LinkedList; import java.util.List; +import java.util.Locale; import java.util.Map; import java.util.Map.Entry; import java.util.Set; +import com.google.common.collect.ImmutableMap; import org.apache.commons.lang3.tuple.Pair; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.common.settings.Settings; +import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestRequest.Method; 
@@ -37,76 +40,121 @@ import org.opensearch.security.dlic.rest.support.Utils; import org.opensearch.security.filter.SecurityRequest; import org.opensearch.security.filter.SecurityRequestFactory; +import org.opensearch.security.privileges.PrivilegesConfiguration; +import org.opensearch.security.privileges.PrivilegesEvaluationContext; import org.opensearch.security.privileges.RoleMapper; +import org.opensearch.security.securityconf.impl.v7.ActionGroupsV7; +import org.opensearch.security.securityconf.impl.v7.RoleV7; import org.opensearch.security.ssl.transport.PrincipalExtractor; import org.opensearch.security.ssl.util.SSLRequestHelper; import org.opensearch.security.support.ConfigConstants; +import org.opensearch.security.support.WildcardMatcher; import org.opensearch.security.user.User; import org.opensearch.threadpool.ThreadPool; -// TODO: Make Singleton? -public class RestApiPrivilegesEvaluator { +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; + +public class RestApiAuthorizationEvaluator { protected final Logger logger = LogManager.getLogger(this.getClass()); + public static final String CERTS_INFO_ACTION = "certs/info"; + + public static final String RELOAD_CERTS_ACTION = "certs/reload"; + + public static final String SECURITY_CONFIG_UPDATE = "update"; + + public static final String RESOURCE_MIGRATE_ACTION = "migrate"; + + private static final String REST_API_PERMISSION_PREFIX = "restapi:admin"; + + private static final String REST_ENDPOINT_PERMISSION_PATTERN = REST_API_PERMISSION_PREFIX + "/%s"; + + private static final String REST_ENDPOINT_ACTION_PERMISSION_PATTERN = REST_API_PERMISSION_PREFIX + "/%s/%s"; + + private static final WildcardMatcher REST_API_PERMISSION_PREFIX_MATCHER = WildcardMatcher.from(REST_API_PERMISSION_PREFIX + "/*"); + + @FunctionalInterface + public interface PermissionBuilder { + + default String build() { + return build(null); + } + + String build(final String action); + + } + + public 
static final Map ENDPOINTS_WITH_PERMISSIONS = ImmutableMap.builder() + .put(Endpoint.ACTIONGROUPS, action -> buildEndpointPermission(Endpoint.ACTIONGROUPS)) + .put(Endpoint.ALLOWLIST, action -> buildEndpointPermission(Endpoint.ALLOWLIST)) + .put(Endpoint.CONFIG, action -> buildEndpointActionPermission(Endpoint.CONFIG, action)) + .put(Endpoint.INTERNALUSERS, action -> buildEndpointPermission(Endpoint.INTERNALUSERS)) + .put(Endpoint.NODESDN, action -> buildEndpointPermission(Endpoint.NODESDN)) + .put(Endpoint.RATELIMITERS, action -> buildEndpointPermission(Endpoint.RATELIMITERS)) + .put(Endpoint.ROLES, action -> buildEndpointPermission(Endpoint.ROLES)) + .put(Endpoint.ROLESMAPPING, action -> buildEndpointPermission(Endpoint.ROLESMAPPING)) + .put(Endpoint.TENANTS, action -> buildEndpointPermission(Endpoint.TENANTS)) + .put(Endpoint.VIEW_VERSION, action -> buildEndpointPermission(Endpoint.VIEW_VERSION)) + .put(Endpoint.ROLLBACK_VERSION, action -> buildEndpointPermission(Endpoint.ROLLBACK_VERSION)) + .put(Endpoint.SSL, action -> buildEndpointActionPermission(Endpoint.SSL, action)) + .put(Endpoint.RESOURCE_SHARING, action -> buildEndpointActionPermission(Endpoint.RESOURCE_SHARING, action)) + .build(); + private final AdminDNs adminDNs; private final RoleMapper roleMapper; private final PrincipalExtractor principalExtractor; private final Path configPath; private final ThreadPool threadPool; private final Settings settings; + private final ThreadContext threadContext; + private final PrivilegesConfiguration privilegesConfiguration; + private final boolean restapiAdminEnabled; private final Set allowedRoles = new HashSet<>(); - // endpoints per role, read and cached from settings. Changes here require a - // node restart, so it's save to cache. private final Map>> disabledEndpointsForRoles = new HashMap<>(); - // endpoints per user, evaluated and cached dynamically. Changes here - // require a node restart, so it's save to cache. 
private final Map>> disabledEndpointsForUsers = new HashMap<>(); - // globally disabled endpoints and methods, will always be forbidden Map> globallyDisabledEndpoints = new HashMap<>(); - // all endpoints and methods, will be returned for users that do not have any access at all Map> allEndpoints = new HashMap<>(); - private final Boolean roleBasedAccessEnabled; + private final boolean roleBasedAccessEnabled; - public RestApiPrivilegesEvaluator( + public RestApiAuthorizationEvaluator( final Settings settings, final AdminDNs adminDNs, final RoleMapper roleMapper, final PrincipalExtractor principalExtractor, final Path configPath, - ThreadPool threadPool + final ThreadPool threadPool, + final PrivilegesConfiguration privilegesConfiguration ) { - this.adminDNs = adminDNs; this.roleMapper = roleMapper; this.principalExtractor = principalExtractor; this.configPath = configPath; this.threadPool = threadPool; + this.threadContext = threadPool.getThreadContext(); this.settings = settings; - // set up - // all endpoints and methods - Map> allEndpoints = new HashMap<>(); + this.privilegesConfiguration = privilegesConfiguration; + this.restapiAdminEnabled = settings.getAsBoolean(SECURITY_RESTAPI_ADMIN_ENABLED, false); + + final Map> allEndpoints = new HashMap<>(); for (Endpoint endpoint : Endpoint.values()) { - List allMethods = new LinkedList<>(); + final List allMethods = new LinkedList<>(); allMethods.addAll(Arrays.asList(Method.values())); allEndpoints.put(endpoint, allMethods); } this.allEndpoints = Collections.unmodifiableMap(allEndpoints); - // setup role based permissions allowedRoles.addAll(settings.getAsList(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED)); + this.roleBasedAccessEnabled = allowedRoles.isEmpty() == false; - this.roleBasedAccessEnabled = !allowedRoles.isEmpty(); - - // globally disabled endpoints, disables access to Endpoint/Method combination for all roles - Settings globalSettings = 
settings.getAsSettings(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".global"); - if (!globalSettings.isEmpty()) { + final Settings globalSettings = settings.getAsSettings(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".global"); + if (globalSettings.isEmpty() == false) { globallyDisabledEndpoints = parseDisabledEndpoints(globalSettings); } 
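Review bot: The why-comments on `disabledEndpointsForRoles`, `disabledEndpointsForUsers`, `globallyDisabledEndpoints` and `allEndpoints` are deleted in this hunk without replacement, and the merged class gets no Javadoc saying that it now covers both the role/endpoint access checks of the former `RestApiPrivilegesEvaluator` and the `restapi:admin/*` permission checks of the former `RestApiAdminPrivilegesEvaluator`; I would keep the field comments (e.g. `// per-role disabled endpoints, parsed once from settings; changes need a node restart, so caching is safe` on `disabledEndpointsForRoles` and `// globally disabled endpoint/method pairs, always forbidden for every role` on `globallyDisabledEndpoints`) and add a class Javadoc to that effect. The constructor now dereferences `threadPool` eagerly via `threadPool.getThreadContext()` and stores `privilegesConfiguration` unchecked, so a missing dependency surfaces either as a bare construction-time NPE or later, wherever `privilegesConfiguration` is first used; `Objects.requireNonNull(privilegesConfiguration, "privilegesConfiguration")` at the top of the constructor would make the requirement explicit (a `java.util.Objects` import would be needed). Reading `SECURITY_RESTAPI_ADMIN_ENABLED` with a `false` default keeps the admin-permission path fail-closed, which looks right, but the deleted evaluator took that flag as a constructor argument, so tests that previously passed it explicitly presumably have to supply the setting instead. The constructor body continues past the end of this hunk.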
@@ -116,111 +164,27 @@ public RestApiPrivilegesEvaluator( } for (String role : allowedRoles) { - Settings settingsForRole = settings.getAsSettings(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + "." + role); + final Settings settingsForRole = settings.getAsSettings(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + "." + role); if (settingsForRole.isEmpty()) { if (isDebugEnabled) { logger.debug("No disabled endpoints/methods for permitted role {} found, allowing all", role); } continue; } - Map> disabledEndpointsForRole = parseDisabledEndpoints(settingsForRole); - if (!disabledEndpointsForRole.isEmpty()) { + + final Map> disabledEndpointsForRole = parseDisabledEndpoints(settingsForRole); + if (disabledEndpointsForRole.isEmpty() == false) { disabledEndpointsForRoles.put(role, disabledEndpointsForRole); } else { logger.warn("Disabled endpoints/methods empty for role {}, please check configuration", role); } } + if (logger.isTraceEnabled()) { logger.trace("Parsed permission set for endpoints: {}", disabledEndpointsForRoles); } } - @SuppressWarnings({ "rawtypes" }) - private Map> parseDisabledEndpoints(Settings settings) { - - // Expects Setting like: 'ACTIONGROUPS=["GET", "POST"]' - if (settings == null || settings.isEmpty()) { - logger.error("Settings for disabled endpoint is null or empty: '{}', skipping.", settings); - return Collections.emptyMap(); - } - - final Map> disabledEndpoints = new HashMap>(); - - Map disabledEndpointsSettings = Utils.convertJsonToxToStructuredMap(settings); - - for (Entry value : disabledEndpointsSettings.entrySet()) { - // key is the endpoint, see if it is a valid one - String endpointString = value.getKey().toUpperCase(); - Endpoint endpoint = null; - try { - endpoint = Endpoint.valueOf(endpointString); - } catch (Exception e) { - logger.error("Unknown endpoint '{}' found in configuration, skipping.", endpointString); - continue; - } - // value must be non null - if (value.getValue() == null) { - logger.error("Disabled HTTP 
methods of endpoint '{}' is null, skipping.", endpointString); - continue; - } - - // value must be an array of methods - if (!(value.getValue() instanceof Collection)) { - logger.error( - "Disabled HTTP methods of endpoint '{}' must be an array, actually is '{}', skipping.", - endpointString, - (value.getValue().toString()) - ); - } - List disabledMethods = new LinkedList<>(); - for (Object disabledMethodObj : (Collection) value.getValue()) { - if (disabledMethodObj == null) { - logger.error("Found null value in disabled HTTP methods of endpoint '{}', skipping.", endpointString); - continue; - } - - if (!(disabledMethodObj instanceof String)) { - logger.error("Found non-String value in disabled HTTP methods of endpoint '{}', skipping.", endpointString); - continue; - } - - String disabledMethodAsString = (String) disabledMethodObj; - - // Provide support for '*', means all methods - if (disabledMethodAsString.trim().equals("*")) { - disabledMethods.addAll(Arrays.asList(Method.values())); - break; - } - // no wild card, disabled method must be one of - // RestRequest.Method - Method disabledMethod = null; - try { - disabledMethod = Method.valueOf(disabledMethodAsString.toUpperCase()); - } catch (Exception e) { - logger.error( - "Invalid HTTP method '{}' found in disabled HTTP methods of endpoint '{}', skipping.", - disabledMethodAsString.toUpperCase(), - endpointString - ); - continue; - } - disabledMethods.add(disabledMethod); - } - - disabledEndpoints.put(endpoint, disabledMethods); - - } - return disabledEndpoints; - } - - /** - * Check if the current request is allowed to use the REST API and the - * requested end point. Using an admin certificate grants all permissions. A - * user/role can have restricted end points. 
- * - * @return an error message if user does not have access, null otherwise - * TODO: log failed attempt in audit log - */ public String checkAccessPermissions(RestRequest request, Endpoint endpoint) throws IOException { if (logger.isDebugEnabled()) { @@ -232,20 +196,16 @@ public String checkAccessPermissions(RestRequest request, Endpoint endpoint) thr ); } - // Grant permission for Account endpoint. - // Return null to grant access. if (endpoint == Endpoint.ACCOUNT) { return null; } - String roleBasedAccessFailureReason = checkRoleBasedAccessPermissions(request, endpoint); - // Role based access granted + final String roleBasedAccessFailureReason = checkRoleBasedAccessPermissions(request, endpoint); if (roleBasedAccessFailureReason == null) { return null; } - String certBasedAccessFailureReason = checkAdminCertBasedAccessPermissions(request); - // TLS access granted, skip checking roles + final String certBasedAccessFailureReason = checkAdminCertBasedAccessPermissions(request); if (certBasedAccessFailureReason == null) { return null; } 
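Review bot: The Javadoc on `checkAccessPermissions` is deleted in this hunk without a replacement, so the contract of this public entry point — a null return means access is granted and a non-null string is the denial reason — is no longer documented, although callers branch on exactly that null. Restore a short Javadoc, e.g. `/** Checks whether the current request may use the given REST API endpoint: an admin certificate grants all access, role-based users may have disabled endpoint/method combinations. @return the denial reason when access is refused, {@code null} when it is granted. */`. The method body continues past this hunk.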
@@ -253,18 +213,66 @@ public String checkAccessPermissions(RestRequest request, Endpoint endpoint) thr return constructAccessErrorMessage(roleBasedAccessFailureReason, certBasedAccessFailureReason); } - public Boolean currentUserHasRestApiAccess(Set userRoles) { + public boolean isCurrentUserAdminFor(final Endpoint endpoint, final String action) { + final Pair userAndRemoteAddress = Utils.userAndRemoteAddressFrom(threadContext); + if (userAndRemoteAddress.getLeft() == null) { + return false; + } + if (adminDNs.isAdmin(userAndRemoteAddress.getLeft())) { + return true; + } + if (ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint) == false) { + logger.debug("No permission found for {} endpoint", endpoint); + return false; + } + final String permission = ENDPOINTS_WITH_PERMISSIONS.get(endpoint).build(action); + final PrivilegesEvaluationContext context = privilegesConfiguration.privilegesEvaluator() + .createContext(userAndRemoteAddress.getLeft(), permission); + final boolean hasAccess = context.getActionPrivileges().hasExplicitClusterPrivilege(context, permission).isAllowed(); - // check if user has any role that grants access - return !Collections.disjoint(allowedRoles, userRoles); + if (logger.isDebugEnabled()) { + logger.debug( + "User {} with permission {} {} access to endpoint {}", + userAndRemoteAddress.getLeft().getName(), + permission, + hasAccess ? "has" : "has no", + endpoint + ); + logger.debug( + "{} set to {}. {} use access decision", + SECURITY_RESTAPI_ADMIN_ENABLED, + restapiAdminEnabled, + restapiAdminEnabled ? 
"Will" : "Will not" + ); + } + return hasAccess && restapiAdminEnabled; + } + + public boolean isCurrentUserAdminFor(final Endpoint endpoint) { + return isCurrentUserAdminFor(endpoint, null); + } + public boolean containsRestApiAdminPermissions(final Object configObject) { + if (configObject == null) { + return false; + } + if (configObject instanceof RoleV7) { + return ((RoleV7) configObject).getCluster_permissions().stream().anyMatch(REST_API_PERMISSION_PREFIX_MATCHER); + } else if (configObject instanceof ActionGroupsV7) { + return ((ActionGroupsV7) configObject).getAllowed_actions().stream().anyMatch(REST_API_PERMISSION_PREFIX_MATCHER); + } else { + return false; + } + } + + public boolean currentUserHasRestApiAccess(Set userRoles) { + return Collections.disjoint(allowedRoles, userRoles) == false; } public Map> getDisabledEndpointsForCurrentUser(String userPrincipal, Set userRoles) { final boolean isDebugEnabled = logger.isDebugEnabled(); - // cache if (disabledEndpointsForUsers.containsKey(userPrincipal)) { return disabledEndpointsForUsers.get(userPrincipal); } 
@@ -273,26 +281,16 @@ public Map> getDisabledEndpointsForCurrentUser(String use return this.allEndpoints; } - // will contain the final list of disabled endpoints and methods - Map> finalEndpoints = new HashMap<>(); - - // List of all disabled endpoints for user. Disabled endpoints must be configured in all - // roles to take effect. If a role contains a disabled endpoint, but another role - // allows this endpoint (i.e. not contained in the disabled endpoints for this role), - // the access is allowed. + final Map> finalEndpoints = new HashMap<>(); + final List remainingEndpoints = new LinkedList<>(Arrays.asList(Endpoint.values())); - // make list mutable - List remainingEndpoints = new LinkedList<>(Arrays.asList(Endpoint.values())); - - // only retain endpoints contained in all roles for user boolean hasDisabledEndpoints = false; for (String userRole : userRoles) { - Map> endpointsForRole = disabledEndpointsForRoles.get(userRole); + final Map> endpointsForRole = disabledEndpointsForRoles.get(userRole); if (endpointsForRole == null || endpointsForRole.isEmpty()) { continue; } - Set disabledEndpoints = endpointsForRole.keySet(); - remainingEndpoints.retainAll(disabledEndpoints); + remainingEndpoints.retainAll(endpointsForRole.keySet()); hasDisabledEndpoints = true; } @@ -300,9 +298,7 @@ public Map> getDisabledEndpointsForCurrentUser(String use logger.debug("Remaining endpoints for user {} after retaining all : {}", userPrincipal, remainingEndpoints); } - // if user does not have any disabled endpoints, only globally disabled endpoints apply - if (!hasDisabledEndpoints) { - + if (hasDisabledEndpoints == false) { if (isDebugEnabled) { logger.debug( "No disabled endpoints for user {} at all, only globally disabledendpoints apply.", 
@@ -312,17 +308,13 @@ public Map> getDisabledEndpointsForCurrentUser(String use } disabledEndpointsForUsers.put(userPrincipal, addGloballyDisabledEndpoints(finalEndpoints)); return finalEndpoints; - } - // one or more disabled remaining endpoints, keep only - // methods contained in all roles for each endpoint for (Endpoint endpoint : remainingEndpoints) { - // make list mutable - List remainingMethodsForEndpoint = new LinkedList<>(Arrays.asList(Method.values())); + final List remainingMethodsForEndpoint = new LinkedList<>(Arrays.asList(Method.values())); for (String userRole : userRoles) { - Map> endpoints = disabledEndpointsForRoles.get(userRole); - if (endpoints != null && !endpoints.isEmpty()) { + final Map> endpoints = disabledEndpointsForRoles.get(userRole); + if (endpoints != null && endpoints.isEmpty() == false) { remainingMethodsForEndpoint.retainAll(endpoints.get(endpoint)); } } @@ -334,7 +326,6 @@ public Map> getDisabledEndpointsForCurrentUser(String use logger.debug("Disabled endpoints for user {} after retaining all : {}", userPrincipal, finalEndpoints); } - // add globally disabled endpoints and methods, will always be disabled addGloballyDisabledEndpoints(finalEndpoints); disabledEndpointsForUsers.put(userPrincipal, finalEndpoints); 
@@ -349,10 +340,79 @@ public Map> getDisabledEndpointsForCurrentUser(String use return disabledEndpointsForUsers.get(userPrincipal); } + @SuppressWarnings({ "rawtypes" }) + private Map> parseDisabledEndpoints(Settings settings) { + if (settings == null || settings.isEmpty()) { + logger.error("Settings for disabled endpoint is null or empty: '{}', skipping.", settings); + return Collections.emptyMap(); + } + + final Map> disabledEndpoints = new HashMap<>(); + final Map disabledEndpointsSettings = Utils.convertJsonToxToStructuredMap(settings); + + for (Entry value : disabledEndpointsSettings.entrySet()) { + final String endpointString = value.getKey().toUpperCase(); + final Endpoint endpoint; + try { + endpoint = Endpoint.valueOf(endpointString); + } catch (Exception e) { + logger.error("Unknown endpoint '{}' found in configuration, skipping.", endpointString); + continue; + } + + if (value.getValue() == null) { + logger.error("Disabled HTTP methods of endpoint '{}' is null, skipping.", endpointString); + continue; + } + + if (value.getValue() instanceof Collection == false) { + logger.error( + "Disabled HTTP methods of endpoint '{}' must be an array, actually is '{}', skipping.", + endpointString, + (value.getValue().toString()) + ); + } + + final List disabledMethods = new LinkedList<>(); + for (Object disabledMethodObj : (Collection) value.getValue()) { + if (disabledMethodObj == null) { + logger.error("Found null value in disabled HTTP methods of endpoint '{}', skipping.", endpointString); + continue; + } + + if (disabledMethodObj instanceof String == false) { + logger.error("Found non-String value in disabled HTTP methods of endpoint '{}', skipping.", endpointString); + continue; + } + + final String disabledMethodAsString = (String) disabledMethodObj; + + if (disabledMethodAsString.trim().equals("*")) { + disabledMethods.addAll(Arrays.asList(Method.values())); + break; + } + + try { + disabledMethods.add(Method.valueOf(disabledMethodAsString.toUpperCase())); + 
} catch (Exception e) { + logger.error( + "Invalid HTTP method '{}' found in disabled HTTP methods of endpoint '{}', skipping.", + disabledMethodAsString.toUpperCase(), + endpointString + ); + } + } + + disabledEndpoints.put(endpoint, disabledMethods); + } + + return disabledEndpoints; + } + private Map> addGloballyDisabledEndpoints(Map> endpoints) { - if (globallyDisabledEndpoints != null && !globallyDisabledEndpoints.isEmpty()) { - Set globalEndoints = globallyDisabledEndpoints.keySet(); - for (Endpoint endpoint : globalEndoints) { + if (globallyDisabledEndpoints != null && globallyDisabledEndpoints.isEmpty() == false) { + final Set globalEndpoints = globallyDisabledEndpoints.keySet(); + for (Endpoint endpoint : globalEndpoints) { endpoints.putIfAbsent(endpoint, new LinkedList<>()); endpoints.get(endpoint).addAll(globallyDisabledEndpoints.get(endpoint)); } 
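Review bot: In `parseDisabledEndpoints` the `value.getValue() instanceof Collection == false` branch logs "must be an array" but does not `continue`, so the `(Collection) value.getValue()` cast immediately after it throws `ClassCastException` for a scalar setting value and aborts construction of the evaluator; the removed version had the same gap, so this is carried over rather than introduced, but the move is the right moment to add `continue;` after that `logger.error(...)`. Note that skipping a malformed entry leaves the endpoint unrestricted for that role (fail-open), which matches the other "skipping" branches here but deserves a one-line comment so operators know a logged error means the restriction was not applied. The two `catch (Exception e)` blocks around `Endpoint.valueOf` and `Method.valueOf` can be narrowed to `IllegalArgumentException`.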
@@ -361,38 +421,25 @@ private Map> addGloballyDisabledEndpoints(Map userAndRemoteAddress = Utils.userAndRemoteAddressFrom(threadPool.getThreadContext()); final User user = userAndRemoteAddress.getLeft(); final TransportAddress remoteAddress = userAndRemoteAddress.getRight(); - // map the users Security roles - Set userRoles = roleMapper.map(user, remoteAddress); + final Set userRoles = roleMapper.map(user, remoteAddress); - // check if user has any role that grants access if (currentUserHasRestApiAccess(userRoles)) { - // yes, calculate disabled end points. Since a user can have - // multiple roles, the endpoint - // needs to be disabled in all roles. - Map> disabledEndpointsForUser = getDisabledEndpointsForCurrentUser(user.getName(), userRoles); + final Map> disabledEndpointsForUser = getDisabledEndpointsForCurrentUser(user.getName(), userRoles); if (isDebugEnabled) { logger.debug("Disabled endpoints for user {} : {} ", user, disabledEndpointsForUser); } - // check if we have any disabled methods for this endpoint - List disabledMethodsForEndpoint = disabledEndpointsForUser.get(endpoint); - - // no settings, all methods for this endpoint allowed + final List disabledMethodsForEndpoint = disabledEndpointsForUser.get(endpoint); if (disabledMethodsForEndpoint == null || disabledMethodsForEndpoint.isEmpty()) { if (isDebugEnabled) { logger.debug("No disabled methods for user {} and endpoint {}, access allowed ", user, endpoint); @@ -400,8 +447,7 @@ private String checkRoleBasedAccessPermissions(RestRequest request, Endpoint end return null; } - // some methods disabled, check requested method - if (!disabledMethodsForEndpoint.contains(request.method())) { + if (disabledMethodsForEndpoint.contains(request.method()) == false) { if (isDebugEnabled) { logger.debug( "Request method {} for user {} and endpoint {} not restricted, access allowed ", 
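Review bot: `checkRoleBasedAccessPermissions` still reads the context via `threadPool.getThreadContext()` although the constructor now stores it in `this.threadContext` and `isCurrentUserAdminFor` uses that field; `Utils.userAndRemoteAddressFrom(threadContext)` here keeps the two paths consistent. Also, `isCurrentUserAdminFor` returns false when `userAndRemoteAddress.getLeft()` is null, whereas this method calls `user.getName()` without a null check; whether a null user can reach this path depends on the caller, which is outside the hunk, but a guard that returns a denial message would match the sibling's behaviour. The method body continues past this hunk.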
@@ -429,8 +475,6 @@ private String checkRoleBasedAccessPermissions(RestRequest request, Endpoint end + " and method " + request.method().name(); } else { - // no, but maybe the request contains a client certificate. - // Remember error reason for better response message later on. logger.info("User {} with Security roles {} does not have any role privileged for admin access.", user, userRoles); return "User " + user.getName() @@ -447,24 +491,22 @@ private String checkAdminCertBasedAccessPermissions(RestRequest request) throws logger.trace("Checking certificate based admin access for path {} and method {}", request.path(), request.method().name()); } - // Certificate based access, Check if we have an admin TLS certificate final SecurityRequest securityRequest = SecurityRequestFactory.from(request); - SSLRequestHelper.SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); + final SSLRequestHelper.SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); if (sslInfo == null) { - // here we log on error level, since authentication finally failed logger.warn("No ssl info found in request."); return "No ssl info found in request."; } - X509Certificate[] certs = sslInfo.getX509Certs(); + final X509Certificate[] certs = sslInfo.getX509Certs(); if (certs == null || certs.length == 0) { logger.warn("No client TLS certificate found in request"); return "No client TLS certificate found in request"; } - if (!adminDNs.isAdminDN(sslInfo.getPrincipal())) { + if (adminDNs.isAdminDN(sslInfo.getPrincipal()) == false) { logger.warn("Security admin permissions required but {} is not an admin", sslInfo.getPrincipal()); return "Security admin permissions required but " + sslInfo.getPrincipal() + " is not an admin"; } 
@@ -475,4 +517,11 @@ private String constructAccessErrorMessage(String roleBasedAccessFailure, String return roleBasedAccessFailure + ". " + certBasedAccessFailure; } + private static String buildEndpointActionPermission(final Endpoint endpoint, final String action) { + return String.format(REST_ENDPOINT_ACTION_PERMISSION_PATTERN, endpoint.name().toLowerCase(Locale.ROOT), action); + } + + private static String buildEndpointPermission(final Endpoint endpoint) { + return String.format(REST_ENDPOINT_PERMISSION_PATTERN, endpoint.name().toLowerCase(Locale.ROOT)); + } } diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java index 4339a11d96..33521a408a 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java @@ -152,8 +152,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java index 58ce27af93..148a3a7a52 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java 
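Review bot: The two new permission helpers call `String.format(pattern, ...)` with the default locale while lower-casing the endpoint name with `Locale.ROOT` on the same line; `String.format(Locale.ROOT, REST_ENDPOINT_ACTION_PERMISSION_PATTERN, ...)` keeps the whole permission string locale-independent (harmless if the patterns contain only `%s`, which is not visible here). A one-line comment describing the produced permission string shape would help readers, but the pattern constants are declared outside this hunk, so confirm what they expand to before writing it.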
@@ -96,8 +96,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiAction.java index bd36955c2d..999626f08b 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiAction.java @@ -370,8 +370,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityApiDependencies.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityApiDependencies.java index cb985899b1..270dbc8cac 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityApiDependencies.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityApiDependencies.java @@ -21,8 +21,7 @@ public class SecurityApiDependencies { private AdminDNs adminDNs; private final ConfigurationRepository configurationRepository; - private final RestApiPrivilegesEvaluator restApiPrivilegesEvaluator; - private final RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator; + private final RestApiAuthorizationEvaluator restApiAuthorizationEvaluator; private final AuditLog auditLog; private final Settings settings; 
@@ -32,16 +31,14 @@ public SecurityApiDependencies( final AdminDNs adminDNs, final ConfigurationRepository configurationRepository, final PrivilegesConfiguration privilegesConfiguration, - final RestApiPrivilegesEvaluator restApiPrivilegesEvaluator, - final RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator, + final RestApiAuthorizationEvaluator restApiAuthorizationEvaluator, final AuditLog auditLog, final Settings settings ) { this.adminDNs = adminDNs; this.configurationRepository = configurationRepository; this.privilegesConfiguration = privilegesConfiguration; - this.restApiPrivilegesEvaluator = restApiPrivilegesEvaluator; - this.restApiAdminPrivilegesEvaluator = restApiAdminPrivilegesEvaluator; + this.restApiAuthorizationEvaluator = restApiAuthorizationEvaluator; this.auditLog = auditLog; this.settings = settings; } @@ -58,12 +55,8 @@ public ConfigurationRepository configurationRepository() { return configurationRepository; } - public RestApiPrivilegesEvaluator restApiPrivilegesEvaluator() { - return restApiPrivilegesEvaluator; - } - - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return restApiAdminPrivilegesEvaluator; + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return restApiAuthorizationEvaluator; } public AuditLog auditLog() { diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java index 4cb5a2a77e..5fa0b0119d 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java 
@@ -30,7 +30,7 @@ import org.opensearch.threadpool.ThreadPool; import static org.opensearch.security.dlic.rest.api.RequestHandler.methodNotImplementedHandler; -import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE; +import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.SECURITY_CONFIG_UPDATE; import static org.opensearch.security.dlic.rest.support.Utils.OPENDISTRO_API_DEPRECATION_MESSAGE; import static org.opensearch.security.dlic.rest.support.Utils.addLegacyRoutesPrefix; import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; @@ -107,8 +107,7 @@ boolean accessHandler(final RestRequest request) { if (!restApiAdminEnabled) { return allowPutOrPatch; } else { - return securityApiDependencies.restApiAdminPrivilegesEvaluator() - .isCurrentUserAdminFor(endpoint, SECURITY_CONFIG_UPDATE); + return securityApiDependencies.restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint, SECURITY_CONFIG_UPDATE); } default: return true; @@ -125,8 +124,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java index 9a1314b837..afc70c2cb2 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java 
@@ -37,8 +37,6 @@ import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.client.Client; -import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; - public class SecurityRestApiActions { public static Collection getHandler( @@ -61,17 +59,20 @@ public static Collection getHandler( final ResourceSharingIndexHandler resourceSharingIndexHandler, final ResourcePluginInfo resourcePluginInfo ) { + final var restApiAuthorizationEvaluator = new RestApiAuthorizationEvaluator( + settings, + adminDns, + roleMapper, + principalExtractor, + configPath, + threadPool, + privilegesConfiguration + ); final var securityApiDependencies = new SecurityApiDependencies( adminDns, configurationRepository, privilegesConfiguration, - new RestApiPrivilegesEvaluator(settings, adminDns, roleMapper, principalExtractor, configPath, threadPool), - new RestApiAdminPrivilegesEvaluator( - threadPool.getThreadContext(), - privilegesConfiguration, - adminDns, - settings.getAsBoolean(SECURITY_RESTAPI_ADMIN_ENABLED, false) - ), + restApiAuthorizationEvaluator, auditLog, settings ); @@ -94,6 +95,7 @@ public static Collection getHandler( clusterService, principalExtractor, roleMapper, + privilegesConfiguration, threadPool, auditLog ), diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java index acaa9d0aab..d52ccaf2f0 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java 
@@ -41,8 +41,8 @@ import static org.opensearch.security.dlic.rest.api.Responses.badRequestMessage; import static org.opensearch.security.dlic.rest.api.Responses.ok; import static org.opensearch.security.dlic.rest.api.Responses.response; -import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION; -import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION; +import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.CERTS_INFO_ACTION; +import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.RELOAD_CERTS_ACTION; import static org.opensearch.security.dlic.rest.support.Utils.OPENDISTRO_API_DEPRECATION_MESSAGE; import static org.opensearch.security.dlic.rest.support.Utils.addLegacyRoutesPrefix; import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; @@ -142,9 +142,9 @@ private void securitySSLCertsRequestHandlers(RequestHandler.RequestHandlersBuild boolean accessHandler(final RestRequest request) { if (request.method() == Method.GET) { - return securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint, CERTS_INFO_ACTION); + return securityApiDependencies.restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint, CERTS_INFO_ACTION); } else if (request.method() == Method.PUT) { - return securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint, RELOAD_CERTS_ACTION); + return securityApiDependencies.restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint, RELOAD_CERTS_ACTION); } else { return false; } diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java index 6eb2c986a9..3b553cf653 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java 
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java @@ -105,8 +105,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/ViewVersionApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/ViewVersionApiAction.java index b3a2910081..01cfb504a6 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/ViewVersionApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/ViewVersionApiAction.java @@ -154,8 +154,8 @@ public Endpoint endpoint() { } @Override - public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { - return securityApiDependencies.restApiAdminPrivilegesEvaluator(); + public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() { + return securityApiDependencies.restApiAuthorizationEvaluator(); } @Override diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java index 17c8b1f2ba..c60926846c 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java +++ b/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java 
@@ -15,7 +15,7 @@ import org.opensearch.core.rest.RestStatus; import org.opensearch.security.dlic.rest.api.Endpoint; -import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator; +import org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator; import org.opensearch.security.dlic.rest.api.SecurityConfiguration; import org.opensearch.security.dlic.rest.support.Utils; import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration; @@ -28,7 +28,7 @@ public interface EndpointValidator { Endpoint endpoint(); - RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator(); + RestApiAuthorizationEvaluator restApiAuthorizationEvaluator(); private String resourceName() { if (Objects.isNull(endpoint())) { @@ -59,7 +59,7 @@ private String resourceName() { } default boolean isCurrentUserAdmin() { - return restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint()); + return restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint()); } default ValidationResult withRequiredEntityName(final String entityName) { @@ -159,7 +159,7 @@ default ValidationResult isAllowedToChangeEntityWithRestA final var configuration = securityConfiguration.configuration(); if (securityConfiguration.entityExists()) { final var existingEntity = configuration.getCEntry(securityConfiguration.entityName()); - if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(existingEntity)) { + if (restApiAuthorizationEvaluator().containsRestApiAdminPermissions(existingEntity)) { return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied")); } } 
@@ -168,7 +168,7 @@ default ValidationResult isAllowedToChangeEntityWithRestA securityConfiguration.requestContent(), configuration.getImplementingClass() ); - if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(newConfigEntityContent)) { + if (restApiAuthorizationEvaluator().containsRestApiAdminPermissions(newConfigEntityContent)) { return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied")); } } diff --git a/src/main/java/org/opensearch/security/resources/api/migrate/MigrateResourceSharingInfoApiAction.java b/src/main/java/org/opensearch/security/resources/api/migrate/MigrateResourceSharingInfoApiAction.java index f813361c8d..2de686f5c9 100644 --- a/src/main/java/org/opensearch/security/resources/api/migrate/MigrateResourceSharingInfoApiAction.java +++ b/src/main/java/org/opensearch/security/resources/api/migrate/MigrateResourceSharingInfoApiAction.java @@ -47,7 +47,7 @@ import org.opensearch.security.dlic.rest.api.AbstractApiAction; import org.opensearch.security.dlic.rest.api.Endpoint; import org.opensearch.security.dlic.rest.api.RequestHandler; -import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator; +import org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator; import org.opensearch.security.dlic.rest.api.SecurityApiDependencies; import org.opensearch.security.dlic.rest.support.Utils; import org.opensearch.security.dlic.rest.validation.EndpointValidator; 
@@ -69,7 +69,7 @@
 import static org.opensearch.security.dlic.rest.api.Responses.badRequestMessage;
 import static org.opensearch.security.dlic.rest.api.Responses.ok;
 import static org.opensearch.security.dlic.rest.api.Responses.response;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RESOURCE_MIGRATE_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.RESOURCE_MIGRATE_ACTION;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 /**
@@ -126,7 +126,7 @@ private void migrateApiRequestHandlers(RequestHandler.RequestHandlersBuilder b)
 boolean accessHandler(final RestRequest request) {
 if (request.method() == POST) {
- return securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint, RESOURCE_MIGRATE_ACTION);
+ return securityApiDependencies.restApiAuthorizationEvaluator().isCurrentUserAdminFor(endpoint, RESOURCE_MIGRATE_ACTION);
 } else {
 return false;
 }
@@ -442,8 +442,8 @@ public Endpoint endpoint() {
 }
 @Override
- public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() {
- return securityApiDependencies.restApiAdminPrivilegesEvaluator();
+ public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() {
+ return securityApiDependencies.restApiAuthorizationEvaluator();
 }
 @Override
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
index 9278551efa..d841175ae6 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
@@ -56,7 +56,7 @@ public abstract class AbstractApiActionValidationTest {
 ConfigurationRepository configurationRepository;
 @Mock
- RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator;
+ RestApiAuthorizationEvaluator restApiAuthorizationEvaluator;
 SecurityApiDependencies securityApiDependencies;
@@ -75,8 +75,7 @@ public void setup() {
 null,
 configurationRepository,
 null,
- null,
- restApiAdminPrivilegesEvaluator,
+ restApiAuthorizationEvaluator,
 null,
 Settings.EMPTY
 );
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
index 989e9933e9..3171f4ddb3 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
@@ -257,8 +257,7 @@ ArrayNode clusterPermissionsForRestAdmin(String... additionPerms) {
 final ArrayNode permissionsArray = DefaultObjectMapper.objectMapper.createArrayNode();
 for (final Map.Entry<
 Endpoint,
- RestApiAdminPrivilegesEvaluator.PermissionBuilder> entry : RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS
- .entrySet()) {
+ RestApiAuthorizationEvaluator.PermissionBuilder> entry : RestApiAuthorizationEvaluator.ENDPOINTS_WITH_PERMISSIONS.entrySet()) {
 if (entry.getKey() == Endpoint.SSL) {
 permissionsArray.add(entry.getValue().build("certs")).add(entry.getValue().build("reloadcerts"));
 } else {
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiActionValidationTest.java
index 0ad73ef61c..be63a5945a 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiActionValidationTest.java
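Review bot: In the `setup()` hunk the `SecurityApiDependencies` call still passes four positional `null` slots around the one real collaborator, and this patch repeats the same null-padded constructor call in several other validation tests, which is exactly why a one-slot arity change fans out across so many files. Because the dropped slot and its neighbours are all `null`, a mis-positioned argument would compile and only show up as a null dereference or a silently skipped check at runtime. A small factory in this base class, `SecurityApiDependencies dependenciesWith(final Settings settings) { return new SecurityApiDependencies(null, configurationRepository, null, restApiAuthorizationEvaluator, null, settings); }`, would give the subclasses a single place to change. The constructor's parameter types are outside this hunk, so whether neighbouring slots are same-typed is inferred; `setup()` itself starts before the hunk.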
@@ -38,7 +38,7 @@ public void hasNoRightsToChangeImmutableEntityFoAdminUser() throws Exception {
 final var actionGroups = new ActionGroupsV7("ag", restApiAdminPermissions());
 when(configuration.exists("ag")).thenReturn(true);
 Mockito.when(configuration.getCEntry("ag")).thenReturn(actionGroups);
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 final var actionGroupsApiActionEndpointValidator = new ActionGroupsApiAction(clusterService, threadPool, securityApiDependencies)
 .createEndpointValidator();
@@ -55,7 +55,7 @@ public void hasNoRightsToChangeImmutableEntityForRegularUser() throws Exception
 final var actionGroups = new ActionGroupsV7("ag", restApiAdminPermissions());
 when(configuration.exists("ag")).thenReturn(true);
 Mockito.when(configuration.getCEntry("ag")).thenReturn(actionGroups);
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 final var actionGroupsApiActionEndpointValidator = new ActionGroupsApiAction(clusterService, threadPool, securityApiDependencies)
 .createEndpointValidator();
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RestApiAuthorizationEvaluatorTest.java
similarity index 86%
rename from src/test/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluatorTest.java
rename to src/test/java/org/opensearch/security/dlic/rest/api/RestApiAuthorizationEvaluatorTest.java
index e8172d7723..44ab4beeae 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluatorTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RestApiAuthorizationEvaluatorTest.java
@@ -27,19 +27,20 @@
 import static org.junit.Assert.assertNull;
 import static org.mockito.Mockito.mock;
-public class RestApiPrivilegesEvaluatorTest {
+public class RestApiAuthorizationEvaluatorTest {
- private RestApiPrivilegesEvaluator privilegesEvaluator;
+ private RestApiAuthorizationEvaluator privilegesEvaluator;
 @Before
 public void setUp() {
- this.privilegesEvaluator = new RestApiPrivilegesEvaluator(
+ this.privilegesEvaluator = new RestApiAuthorizationEvaluator(
 Settings.EMPTY,
 mock(AdminDNs.class),
 (user, caller) -> user.getSecurityRoles(),
 mock(PrincipalExtractor.class),
 mock(Path.class),
- mock(ThreadPool.class)
+ mock(ThreadPool.class),
+ null
 );
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java
index a908ec348a..a5b6e4b267 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java
@@ -47,7 +47,7 @@ public void isNotAllowedRightsToChangeImmutableEntity() throws Exception {
 when(configuration.exists("sss")).thenReturn(true);
 Mockito.when(configuration.getCEntry("sss")).thenReturn(role);
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 final var rolesApiActionEndpointValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies)
 .createEndpointValidator();
 final var result = rolesApiActionEndpointValidator.isAllowedToChangeImmutableEntity(SecurityConfiguration.of("sss", configuration));
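Review bot: The `+ null` added as the seventh constructor argument means every path in `RestApiAuthorizationEvaluator` that dereferences this collaborator is unexercised by this test class, and would fail with an NPE rather than a meaningful assertion if a later test reaches it; the REST-admin checks this evaluator now also hosts (`isCurrentUserAdminFor`, `containsRestApiAdminPermissions`, stubbed on a mock elsewhere in this patch) are the likely users. Pass a Mockito mock of the parameter's type, as is already done for the other six arguments, or, if the dependency is genuinely optional, say so in the constructor's Javadoc and guard its use inside the evaluator. The constructor signature and the parameter's type are outside this hunk, so its nullability is inferred.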
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java
index 21dd372265..2904edc18f 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java
@@ -46,7 +46,7 @@ public void isAllowedRightsToChangeRoleEntity() throws Exception {
 @Test
 public void isNotAllowedNoRightsToChangeRoleEntity() throws Exception {
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 final var rolesApiActionEndpointValidator = new RolesMappingApiAction(
 clusterService,
 threadPool,
@@ -60,7 +60,7 @@ public void isNotAllowedNoRightsToChangeRoleEntity() throws Exception {
 @Test
 public void onConfigChangeShouldCheckRoles() throws Exception {
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 when(configurationRepository.getConfigurationsFromIndex(List.of(CType.ROLES), false))
 .thenReturn(ConfigurationMap.of(rolesConfiguration));
 final var rolesApiActionEndpointValidator =
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiActionValidationTest.java
index 74c8c50728..521b73e968 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RollbackVersionApiActionValidationTest.java
@@ -39,8 +39,7 @@ public void setupTest() {
 null,
 configurationRepository,
 null,
- null,
- restApiAdminPrivilegesEvaluator,
+ restApiAuthorizationEvaluator,
 null,
 settings
 );
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiActionValidationTest.java
index a6832457b3..6eac661542 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiActionValidationTest.java
@@ -30,7 +30,7 @@ public void accessHandlerForDefaultSettings() {
 final var securityConfigApiAction = new SecurityConfigApiAction(
 clusterService,
 threadPool,
- new SecurityApiDependencies(null, configurationRepository, null, null, restApiAdminPrivilegesEvaluator, null, Settings.EMPTY)
+ new SecurityApiDependencies(null, configurationRepository, null, restApiAuthorizationEvaluator, null, Settings.EMPTY)
 );
 assertTrue(securityConfigApiAction.accessHandler(FakeRestRequest.builder().withMethod(RestRequest.Method.GET).build()));
 assertFalse(securityConfigApiAction.accessHandler(FakeRestRequest.builder().withMethod(RestRequest.Method.PUT).build()));
@@ -46,8 +46,7 @@ public void accessHandlerForUnsupportedSetting() {
 null,
 configurationRepository,
 null,
- null,
- restApiAdminPrivilegesEvaluator,
+ restApiAuthorizationEvaluator,
 null,
 Settings.builder().put(SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build()
 )
@@ -59,7 +58,8 @@ public void accessHandlerForUnsupportedSetting() {
 @Test
 public void accessHandlerForRestAdmin() {
- when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.CONFIG, RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE)).thenReturn(true);
+ when(restApiAuthorizationEvaluator.isCurrentUserAdminFor(Endpoint.CONFIG, RestApiAuthorizationEvaluator.SECURITY_CONFIG_UPDATE))
+ .thenReturn(true);
 final var securityConfigApiAction = new SecurityConfigApiAction(
 clusterService,
 threadPool,
@@ -67,8 +67,7 @@ public void accessHandlerForRestAdmin() {
 null,
 configurationRepository,
 null,
- null,
- restApiAdminPrivilegesEvaluator,
+ restApiAuthorizationEvaluator,
 null,
 Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build()
 )
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiActionValidationTest.java
index 6ad50b5cb5..b6a468b5f6 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiActionValidationTest.java
@@ -19,8 +19,8 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.RELOAD_CERTS_ACTION;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.when;
@@ -50,8 +50,8 @@ public void accessDenied() {
 true,
 securityApiDependencies
 );
- when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.SSL, CERTS_INFO_ACTION)).thenReturn(false);
- when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.SSL, RELOAD_CERTS_ACTION)).thenReturn(false);
+ when(restApiAuthorizationEvaluator.isCurrentUserAdminFor(Endpoint.SSL, CERTS_INFO_ACTION)).thenReturn(false);
+ when(restApiAuthorizationEvaluator.isCurrentUserAdminFor(Endpoint.SSL, RELOAD_CERTS_ACTION)).thenReturn(false);
 assertFalse(securitySSLCertsApiAction.accessHandler(FakeRestRequest.builder().withMethod(RestRequest.Method.GET).build()));
 assertFalse(securitySSLCertsApiAction.accessHandler(FakeRestRequest.builder().withMethod(RestRequest.Method.PUT).build()));
@@ -71,8 +71,8 @@ public void hasAccess() {
 true,
 securityApiDependencies
 );
- when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.SSL, CERTS_INFO_ACTION)).thenReturn(true);
- when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.SSL, RELOAD_CERTS_ACTION)).thenReturn(true);
+ when(restApiAuthorizationEvaluator.isCurrentUserAdminFor(Endpoint.SSL, CERTS_INFO_ACTION)).thenReturn(true);
+ when(restApiAuthorizationEvaluator.isCurrentUserAdminFor(Endpoint.SSL, RELOAD_CERTS_ACTION)).thenReturn(true);
 assertTrue(securitySSLCertsApiAction.accessHandler(FakeRestRequest.builder().withMethod(RestRequest.Method.GET).build()));
 assertTrue(securitySSLCertsApiAction.accessHandler(FakeRestRequest.builder().withMethod(RestRequest.Method.PUT).build()));
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/ViewVersionApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/ViewVersionApiActionValidationTest.java
index 3c3d51f3e2..59f76e3cfb 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/ViewVersionApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/ViewVersionApiActionValidationTest.java
@@ -41,8 +41,7 @@ public void setUp() {
 null,
 configurationRepository,
 null,
- null,
- restApiAdminPrivilegesEvaluator,
+ restApiAuthorizationEvaluator,
 null,
 settings
 );
diff --git a/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java
index d87fb9ee77..2e54484e0b 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java
@@ -22,7 +22,7 @@
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.dlic.rest.api.Endpoint;
-import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator;
+import org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator;
 import org.opensearch.security.dlic.rest.api.SecurityConfiguration;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -48,7 +48,7 @@ public class EndpointValidatorTest {
 SecurityDynamicConfiguration configuration;
 @Mock
- RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator;
+ RestApiAuthorizationEvaluator restApiAuthorizationEvaluator;
 private EndpointValidator endpointValidator;
@@ -61,8 +61,8 @@ public Endpoint endpoint() {
 }
 @Override
- public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() {
- return restApiAdminPrivilegesEvaluator;
+ public RestApiAuthorizationEvaluator restApiAuthorizationEvaluator() {
+ return restApiAuthorizationEvaluator;
 }
 @Override
@@ -251,7 +251,7 @@ public void hasRightsToLoadOrChangeHiddenEntityForAdmin() throws Exception {
 }
 private void configImmutableEntities(final boolean isAdmin) {
- when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(any(Endpoint.class))).thenReturn(isAdmin);
+ when(restApiAuthorizationEvaluator.isCurrentUserAdminFor(any(Endpoint.class))).thenReturn(isAdmin);
 when(configuration.isHidden("just_entity")).thenReturn(false);
 when(configuration.isStatic("just_entity")).thenReturn(false);
 when(configuration.isReserved("just_entity")).thenReturn(false);
@@ -311,7 +311,7 @@ public void validateRolesForRegularUser() throws IOException {
 }
 private void configureRoles(final boolean isAdmin) {
- when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(any(Endpoint.class))).thenReturn(isAdmin);
+ when(restApiAuthorizationEvaluator.isCurrentUserAdminFor(any(Endpoint.class))).thenReturn(isAdmin);
 when(configuration.exists("non_existing_role")).thenReturn(false);
@@ -334,7 +334,7 @@ public void regularUserCanNotChangeObjectWithRestAdminPermissionsForExistingRole
 role.setCluster_permissions(restAdminPermissions());
 when(configuration.exists("some_role")).thenReturn(true);
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 Mockito.when(configuration.getCEntry("some_role")).thenReturn(role);
 final var roleCheckResult = endpointValidator.isAllowedToChangeEntityWithRestAdminPermissions(
 SecurityConfiguration.of("some_role", configuration)
@@ -355,7 +355,7 @@ public void regularUserCanNotChangeObjectWithRestAdminPermissionsForNewRoles() t
 doReturn(CType.ROLES).when(configuration).getCType();
 when(configuration.getImplementingClass()).thenCallRealMethod();
 when(configuration.exists("some_role")).thenReturn(false);
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 final var roleCheckResult = endpointValidator.isAllowedToChangeEntityWithRestAdminPermissions(
 SecurityConfiguration.of(objectMapper.createObjectNode().set("cluster_permissions", array), "some_role", configuration)
 );
@@ -367,7 +367,7 @@ public void regularUserCanNotChangeObjectWithRestAdminPermissionsForNewRoles() t
 public void regularUserCanNotChangeObjectWithRestAdminPermissionsForExitingActionGroups() throws Exception {
 final var actionGroups = new ActionGroupsV7("some_ag", restAdminPermissions());
 when(configuration.exists("some_ag")).thenReturn(true);
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 Mockito.when(configuration.getCEntry("some_ag")).thenReturn(actionGroups);
 var agCheckResult = endpointValidator.isAllowedToChangeEntityWithRestAdminPermissions(
 SecurityConfiguration.of("some_ag", configuration)
@@ -381,7 +381,7 @@ public void regularUserCanNotChangeObjectWithRestAdminPermissionsForMewActionGro
 doReturn(CType.ACTIONGROUPS).when(configuration).getCType();
 when(configuration.getImplementingClass()).thenCallRealMethod();
 when(configuration.exists("some_ag")).thenReturn(false);
- when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
+ when(restApiAuthorizationEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 final var objectMapper = DefaultObjectMapper.objectMapper;
 final var array = objectMapper.createArrayNode();
From 05ae95dd6a62c400f2a8250b5ce93beaf5574e61 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 6 Apr 2026 07:03:53 -0400
Subject: [PATCH 2/2] Fix compileIntegrationTest
Signed-off-by: Craig Perkins
---
 .../security/api/AbstractApiIntegrationTest.java | 10 +++++-----
 .../api/CertificatesRestApiIntegrationTest.java | 2 +-
 .../security/api/ConfigRestApiIntegrationTest.java | 2 +-
 .../security/api/SslCertsRestApiIntegrationTest.java | 2 +-
 .../privileges/RestEndpointPermissionTests.java | 10 +++++-----
 5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
index b910b31b93..8978926370 100644
--- a/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
@@ -40,11 +40,11 @@
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 import static org.opensearch.security.api.InternalUsersRestApiIntegrationTest.REST_API_ADMIN_INTERNAL_USERS_ONLY;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RESOURCE_MIGRATE_ACTION;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.ENDPOINTS_WITH_PERMISSIONS;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.RELOAD_CERTS_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.RESOURCE_MIGRATE_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.SECURITY_CONFIG_UPDATE;
 public abstract class AbstractApiIntegrationTest {
diff --git a/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java
index 2b5c3fd8b5..e5a287c483 100644
--- a/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java
@@ -34,7 +34,7 @@
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.CERTS_INFO_ACTION;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 import static org.opensearch.test.framework.matcher.RestMatchers.isForbidden;
 import static org.opensearch.test.framework.matcher.RestMatchers.isOk;
diff --git a/src/integrationTest/java/org/opensearch/security/api/ConfigRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/ConfigRestApiIntegrationTest.java
index 4432aa7768..7d14057a7d 100644
--- a/src/integrationTest/java/org/opensearch/security/api/ConfigRestApiIntegrationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/ConfigRestApiIntegrationTest.java
@@ -25,7 +25,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.opensearch.security.api.PatchPayloadHelper.patch;
 import static org.opensearch.security.api.PatchPayloadHelper.replaceOp;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.SECURITY_CONFIG_UPDATE;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION;
 import static org.opensearch.test.framework.matcher.RestMatchers.isBadRequest;
diff --git a/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java
index 97f2969984..6c3d4be957 100644
--- a/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java
@@ -20,7 +20,7 @@
 import org.opensearch.test.framework.cluster.TestRestClient;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.CERTS_INFO_ACTION;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 import static org.opensearch.test.framework.matcher.RestMatchers.isForbidden;
 import static org.opensearch.test.framework.matcher.RestMatchers.isOk;
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java b/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java
index 3510303efc..9e58ce2081 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java
@@ -46,7 +46,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.dlic.rest.api.Endpoint;
-import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.PermissionBuilder;
+import org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.PermissionBuilder;
 import org.opensearch.security.privileges.actionlevel.RoleBasedActionPrivileges;
 import org.opensearch.security.privileges.dlsfls.FieldMasking;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
@@ -55,10 +55,10 @@
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION;
-import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.ENDPOINTS_WITH_PERMISSIONS;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.RELOAD_CERTS_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAuthorizationEvaluator.SECURITY_CONFIG_UPDATE;
 /**
 * Moved from https://github.com/opensearch-project/security/blob/54361468f5c4b3a57f3ecffaf1bbe8dccee562be/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java