List of usage examples for org.apache.lucene.util.automaton MinimizationOperations minimize
public static Automaton minimize(Automaton a, int maxDeterminizedStates)
From source file:org.elasticsearch.index.reindex.TransportReindexAction.java
License:Apache License
/** * Build the {@link CharacterRunAutomaton} that represents the reindex-from-remote whitelist and make sure that it doesn't whitelist * the world.//from w w w . ja v a2s.c o m */ static CharacterRunAutomaton buildRemoteWhitelist(List<String> whitelist) { if (whitelist.isEmpty()) { return new CharacterRunAutomaton(Automata.makeEmpty()); } Automaton automaton = Regex.simpleMatchToAutomaton(whitelist.toArray(Strings.EMPTY_ARRAY)); automaton = MinimizationOperations.minimize(automaton, Operations.DEFAULT_MAX_DETERMINIZED_STATES); if (Operations.isTotal(automaton)) { throw new IllegalArgumentException("Refusing to start because whitelist " + whitelist + " accepts all addresses. " + "This would allow users to reindex-from-remote any URL they like effectively having Elasticsearch make HTTP GETs " + "for them."); } return new CharacterRunAutomaton(automaton); }
From source file:org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions.java
License:Open Source License
private static Automaton initializePermittedFieldsAutomaton(final String[] grantedFields, final String[] deniedFields) { Automaton grantedFieldsAutomaton;/*from ww w .ja v a 2s.c o m*/ if (grantedFields == null || Arrays.stream(grantedFields).anyMatch(Regex::isMatchAllPattern)) { grantedFieldsAutomaton = Automatons.MATCH_ALL; } else { // an automaton that includes metadata fields, including join fields created by the _parent field such // as _parent#type Automaton metaFieldsAutomaton = Operations.concatenate(Automata.makeChar('_'), Automata.makeAnyString()); grantedFieldsAutomaton = Operations.union(Automatons.patterns(grantedFields), metaFieldsAutomaton); } Automaton deniedFieldsAutomaton; if (deniedFields == null || deniedFields.length == 0) { deniedFieldsAutomaton = Automatons.EMPTY; } else { deniedFieldsAutomaton = Automatons.patterns(deniedFields); } grantedFieldsAutomaton = MinimizationOperations.minimize(grantedFieldsAutomaton, Operations.DEFAULT_MAX_DETERMINIZED_STATES); deniedFieldsAutomaton = MinimizationOperations.minimize(deniedFieldsAutomaton, Operations.DEFAULT_MAX_DETERMINIZED_STATES); if (subsetOf(deniedFieldsAutomaton, grantedFieldsAutomaton) == false) { throw new ElasticsearchSecurityException("Exceptions for field permissions must be a subset of the " + "granted fields but " + Strings.arrayToCommaDelimitedString(deniedFields) + " is not a subset of " + Strings.arrayToCommaDelimitedString(grantedFields)); } grantedFieldsAutomaton = Automatons.minusAndMinimize(grantedFieldsAutomaton, deniedFieldsAutomaton); return grantedFieldsAutomaton; }
From source file:org.elasticsearch.xpack.security.authz.store.FileRolesStoreTests.java
License:Open Source License
public void testParseFile() throws Exception { Path path = getDataPath("roles.yml"); Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.builder().put(XPackSettings.DLS_FLS_ENABLED.getKey(), true).build(), new XPackLicenseState(Settings.EMPTY)); assertThat(roles, notNullValue());/* w ww. j av a 2s . c o m*/ assertThat(roles.size(), is(9)); RoleDescriptor descriptor = roles.get("role1"); assertNotNull(descriptor); Role role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role1" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster().privilege(), is(ClusterPrivilege.ALL)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(2)); assertThat(role.runAs(), is(RunAsPermission.NONE)); IndicesPermission.Group group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(2)); assertThat(group.indices()[0], equalTo("idx1")); assertThat(group.indices()[1], equalTo("idx2")); assertThat(group.privilege(), notNullValue()); assertThat(group.privilege(), is(IndexPrivilege.READ)); group = role.indices().groups()[1]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("idx3")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.subsetOf(IndexPrivilege.READ.getAutomaton(), group.privilege().getAutomaton())); assertTrue(Operations.subsetOf(IndexPrivilege.WRITE.getAutomaton(), group.privilege().getAutomaton())); descriptor = roles.get("role1.ab"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role1.ab" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster().privilege(), is(ClusterPrivilege.ALL)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(0)); assertThat(role.runAs(), is(RunAsPermission.NONE)); descriptor = roles.get("role2"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role2" })); assertThat(role.cluster(), notNullValue()); assertTrue(Operations.sameLanguage(role.cluster().privilege().getAutomaton(), ClusterPrivilege.ALL.getAutomaton())); assertThat(role.indices(), notNullValue()); assertThat(role.indices(), is(IndicesPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); descriptor = roles.get("role3"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role3" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); assertThat(role.runAs(), is(RunAsPermission.NONE)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("/.*_.*/")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), MinimizationOperations.minimize( Operations.union(IndexPrivilege.READ.getAutomaton(), IndexPrivilege.WRITE.getAutomaton()), Operations.DEFAULT_MAX_DETERMINIZED_STATES))); descriptor = roles.get("role4"); assertNull(descriptor); descriptor = roles.get("role_run_as"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_run_as" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.indices(), is(IndicesPermission.NONE)); assertThat(role.runAs(), notNullValue()); assertThat(role.runAs().check("user1"), is(true)); assertThat(role.runAs().check("user2"), is(true)); assertThat(role.runAs().check("user" + randomIntBetween(3, 9)), is(false)); descriptor = roles.get("role_run_as1"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_run_as1" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.indices(), is(IndicesPermission.NONE)); assertThat(role.runAs(), notNullValue()); assertThat(role.runAs().check("user1"), is(true)); assertThat(role.runAs().check("user2"), is(true)); assertThat(role.runAs().check("user" + randomIntBetween(3, 9)), is(false)); descriptor = roles.get("role_fields"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_fields" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("field_idx")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), IndexPrivilege.READ.getAutomaton())); assertTrue(group.getFieldPermissions().grantsAccessTo("foo")); assertTrue(group.getFieldPermissions().grantsAccessTo("boo")); assertTrue(group.getFieldPermissions().hasFieldLevelSecurity()); descriptor = roles.get("role_query"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_query" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("query_idx")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), IndexPrivilege.READ.getAutomaton())); assertFalse(group.getFieldPermissions().hasFieldLevelSecurity()); assertThat(group.getQuery(), notNullValue()); descriptor = roles.get("role_query_fields"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_query_fields" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("query_fields_idx")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), IndexPrivilege.READ.getAutomaton())); assertTrue(group.getFieldPermissions().grantsAccessTo("foo")); assertTrue(group.getFieldPermissions().grantsAccessTo("boo")); assertTrue(group.getFieldPermissions().hasFieldLevelSecurity()); assertThat(group.getQuery(), notNullValue()); }