List of usage examples for org.apache.lucene.util.automaton Operations subsetOf
public static boolean subsetOf(Automaton a1, Automaton a2)
a1 is a subset of the language of a2. From source file:org.elasticsearch.xpack.core.security.authz.privilege.PrivilegeTests.java
License:Open Source License
public void testIndexCollapse() throws Exception { IndexPrivilege[] values = IndexPrivilege.values().values() .toArray(new IndexPrivilege[IndexPrivilege.values().size()]); IndexPrivilege first = values[randomIntBetween(0, values.length - 1)]; IndexPrivilege second = values[randomIntBetween(0, values.length - 1)]; Set<String> name = Sets.newHashSet(first.name().iterator().next(), second.name().iterator().next()); IndexPrivilege index = IndexPrivilege.get(name); if (Operations.subsetOf(second.getAutomaton(), first.getAutomaton())) { assertTrue(Operations.sameLanguage(index.getAutomaton(), first.getAutomaton())); } else if (Operations.subsetOf(first.getAutomaton(), second.getAutomaton())) { assertTrue(Operations.sameLanguage(index.getAutomaton(), second.getAutomaton())); } else {/*from w w w. j a va 2 s . c om*/ assertFalse(Operations.sameLanguage(index.getAutomaton(), first.getAutomaton())); assertFalse(Operations.sameLanguage(index.getAutomaton(), second.getAutomaton())); } }
From source file:org.elasticsearch.xpack.security.action.interceptor.IndicesAliasesRequestInterceptor.java
License:Open Source License
@Override public void intercept(IndicesAliasesRequest request, Authentication authentication, Role userPermissions, String action) {/*from ww w . j a v a2 s . c om*/ if (licenseState.isSecurityEnabled() == false) { return; } if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) { IndicesAccessControl indicesAccessControl = threadContext .getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) { if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) { for (String index : aliasAction.indices()) { IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl .getIndexPermissions(index); if (indexAccessControl != null) { final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity(); final boolean dls = indexAccessControl.getQueries() != null; if (fls || dls) { throw new ElasticsearchSecurityException( "Alias requests are not allowed for users who have " + "field or document level security enabled on one of the indices", RestStatus.BAD_REQUEST); } } } } } } Map<String, Automaton> permissionsMap = new HashMap<>(); for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) { if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) { for (String index : aliasAction.indices()) { Automaton indexPermissions = permissionsMap.computeIfAbsent(index, userPermissions.indices()::allowedActionsMatcher); for (String alias : aliasAction.aliases()) { Automaton aliasPermissions = permissionsMap.computeIfAbsent(alias, userPermissions.indices()::allowedActionsMatcher); if (Operations.subsetOf(aliasPermissions, indexPermissions) == false) { // TODO we've already audited a access granted event so this is going to look ugly auditTrailService.accessDenied(authentication, action, request, userPermissions.names()); throw Exceptions.authorizationError("Adding an alias is not allowed when the alias " + "has more permissions than any of the indices"); } } } } } }
From source file:org.elasticsearch.xpack.security.action.interceptor.ResizeRequestInterceptor.java
License:Open Source License
@Override public void intercept(ResizeRequest request, Authentication authentication, Role userPermissions, String action) {//w w w .j av a2s. c o m if (licenseState.isSecurityEnabled() == false) { return; } if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) { IndicesAccessControl indicesAccessControl = threadContext .getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl .getIndexPermissions(request.getSourceIndex()); if (indexAccessControl != null) { final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity(); final boolean dls = indexAccessControl.getQueries() != null; if (fls || dls) { throw new ElasticsearchSecurityException( "Resize requests are not allowed for users when " + "field or document level security is enabled on the source index", RestStatus.BAD_REQUEST); } } } // ensure that the user would have the same level of access OR less on the target index final Automaton sourceIndexPermissions = userPermissions.indices() .allowedActionsMatcher(request.getSourceIndex()); final Automaton targetIndexPermissions = userPermissions.indices() .allowedActionsMatcher(request.getTargetIndexRequest().index()); if (Operations.subsetOf(targetIndexPermissions, sourceIndexPermissions) == false) { // TODO we've already audited a access granted event so this is going to look ugly auditTrailService.accessDenied(authentication, action, request, userPermissions.names()); throw Exceptions.authorizationError("Resizing an index is not allowed when the target index " + "has more permissions than the source index"); } }
From source file:org.elasticsearch.xpack.security.action.user.TransportHasPrivilegesAction.java
License:Open Source License
private static boolean testIndex(Automaton checkIndex, Automaton roleIndex) { return Operations.subsetOf(checkIndex, roleIndex); }
From source file:org.elasticsearch.xpack.security.action.user.TransportHasPrivilegesAction.java
License:Open Source License
private static boolean testPrivilege(Privilege checkPrivilege, Automaton roleAutomaton) { return Operations.subsetOf(checkPrivilege.getAutomaton(), roleAutomaton); }
From source file:org.elasticsearch.xpack.security.authz.store.FileRolesStoreTests.java
License:Open Source License
public void testParseFile() throws Exception { Path path = getDataPath("roles.yml"); Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.builder().put(XPackSettings.DLS_FLS_ENABLED.getKey(), true).build(), new XPackLicenseState(Settings.EMPTY)); assertThat(roles, notNullValue());/*www. ja v a 2 s .c om*/ assertThat(roles.size(), is(9)); RoleDescriptor descriptor = roles.get("role1"); assertNotNull(descriptor); Role role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role1" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster().privilege(), is(ClusterPrivilege.ALL)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(2)); assertThat(role.runAs(), is(RunAsPermission.NONE)); IndicesPermission.Group group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(2)); assertThat(group.indices()[0], equalTo("idx1")); assertThat(group.indices()[1], equalTo("idx2")); assertThat(group.privilege(), notNullValue()); assertThat(group.privilege(), is(IndexPrivilege.READ)); group = role.indices().groups()[1]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("idx3")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.subsetOf(IndexPrivilege.READ.getAutomaton(), group.privilege().getAutomaton())); assertTrue(Operations.subsetOf(IndexPrivilege.WRITE.getAutomaton(), group.privilege().getAutomaton())); descriptor = roles.get("role1.ab"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role1.ab" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster().privilege(), is(ClusterPrivilege.ALL)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(0)); assertThat(role.runAs(), is(RunAsPermission.NONE)); descriptor = roles.get("role2"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role2" })); assertThat(role.cluster(), notNullValue()); assertTrue(Operations.sameLanguage(role.cluster().privilege().getAutomaton(), ClusterPrivilege.ALL.getAutomaton())); assertThat(role.indices(), notNullValue()); assertThat(role.indices(), is(IndicesPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); descriptor = roles.get("role3"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role3" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); assertThat(role.runAs(), is(RunAsPermission.NONE)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("/.*_.*/")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), MinimizationOperations.minimize( Operations.union(IndexPrivilege.READ.getAutomaton(), IndexPrivilege.WRITE.getAutomaton()), Operations.DEFAULT_MAX_DETERMINIZED_STATES))); descriptor = roles.get("role4"); assertNull(descriptor); descriptor = roles.get("role_run_as"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_run_as" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.indices(), is(IndicesPermission.NONE)); assertThat(role.runAs(), notNullValue()); assertThat(role.runAs().check("user1"), is(true)); assertThat(role.runAs().check("user2"), is(true)); assertThat(role.runAs().check("user" + randomIntBetween(3, 9)), is(false)); descriptor = roles.get("role_run_as1"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_run_as1" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.indices(), is(IndicesPermission.NONE)); assertThat(role.runAs(), notNullValue()); assertThat(role.runAs().check("user1"), is(true)); assertThat(role.runAs().check("user2"), is(true)); assertThat(role.runAs().check("user" + randomIntBetween(3, 9)), is(false)); descriptor = roles.get("role_fields"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_fields" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("field_idx")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), IndexPrivilege.READ.getAutomaton())); assertTrue(group.getFieldPermissions().grantsAccessTo("foo")); assertTrue(group.getFieldPermissions().grantsAccessTo("boo")); assertTrue(group.getFieldPermissions().hasFieldLevelSecurity()); descriptor = roles.get("role_query"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_query" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("query_idx")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), IndexPrivilege.READ.getAutomaton())); assertFalse(group.getFieldPermissions().hasFieldLevelSecurity()); assertThat(group.getQuery(), notNullValue()); descriptor = roles.get("role_query_fields"); assertNotNull(descriptor); role = Role.builder(descriptor, null).build(); assertThat(role, notNullValue()); assertThat(role.names(), equalTo(new String[] { "role_query_fields" })); assertThat(role.cluster(), notNullValue()); assertThat(role.cluster(), is(ClusterPermission.SimpleClusterPermission.NONE)); assertThat(role.runAs(), is(RunAsPermission.NONE)); assertThat(role.indices(), notNullValue()); assertThat(role.indices().groups(), notNullValue()); assertThat(role.indices().groups().length, is(1)); group = role.indices().groups()[0]; assertThat(group.indices(), notNullValue()); assertThat(group.indices().length, is(1)); assertThat(group.indices()[0], equalTo("query_fields_idx")); assertThat(group.privilege(), notNullValue()); assertTrue(Operations.sameLanguage(group.privilege().getAutomaton(), IndexPrivilege.READ.getAutomaton())); assertTrue(group.getFieldPermissions().grantsAccessTo("foo")); assertTrue(group.getFieldPermissions().grantsAccessTo("boo")); assertTrue(group.getFieldPermissions().hasFieldLevelSecurity()); assertThat(group.getQuery(), notNullValue()); }