Skip to content

Commit

Permalink
fix set logic
Browse files Browse the repository at this point in the history
  • Loading branch information
@jakelandis
jakelandis committed Nov 4, 2024
1 parent b4b85c8 commit 7e9cb22
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 8 deletions.
13 changes: 6 additions & 7 deletions ...plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,6 @@
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

import static org.elasticsearch.common.xcontent.XContentHelper.createParserNotCompressed;
import static org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS;
Expand Down Expand Up @@ -834,17 +833,17 @@ private static RemoteClusterPermissions parseRemoteCluster(final String roleName
currentFieldName = parser.currentName();
} else if (Fields.PRIVILEGES.match(currentFieldName, parser.getDeprecationHandler())) {
privileges = readStringArray(roleName, parser, false);
if (Collections.disjoint(
RemoteClusterPermissions.getSupportedRemoteClusterPermissions(),
Arrays.stream(privileges).map(s -> s.toLowerCase(Locale.ROOT)).collect(Collectors.toSet())
)) {
if (Arrays.stream(privileges)
.map(s -> s.toLowerCase(Locale.ROOT))
.allMatch(RemoteClusterPermissions.getSupportedRemoteClusterPermissions()::contains) == false) {
final String message = String.format(
Locale.ROOT,
"failed to parse remote_cluster for role [%s]. "
+ "%s are the only values allowed for [%s] within [remote_cluster]",
+ "%s are the only values allowed for [%s] within [remote_cluster]. Found %s",
roleName,
RemoteClusterPermissions.getSupportedRemoteClusterPermissions(),
currentFieldName
currentFieldName,
Arrays.toString(privileges)
);
logger.warn(message);
throw new ElasticsearchParseException(message);
Expand Down
28 changes: 28 additions & 0 deletions ...n/core/src/test/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptorTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,34 @@ public void testParseInvalidRemoteCluster() throws IOException {
() -> RoleDescriptor.parserBuilder().build().parse("test", new BytesArray(q4), XContentType.JSON)
);
assertThat(illegalArgumentException.getMessage(), containsString("remote cluster groups must not be null or empty"));

// one invalid privilege
String q5 = """
{
"remote_cluster": [
{
"privileges": [
"monitor_stats", "read_pipeline"
],
"clusters": [
"*"
]
}
]
}""";

ElasticsearchParseException parseException = expectThrows(
ElasticsearchParseException.class,
() -> RoleDescriptor.parserBuilder().build().parse("test", new BytesArray(q5), XContentType.JSON)
);
assertThat(
parseException.getMessage(),
containsString(
"failed to parse remote_cluster for role [test]. "
+ "[monitor_enrich, monitor_stats] are the only values allowed for [privileges] within [remote_cluster]. "
+ "Found [monitor_stats, read_pipeline]"
)
);
}

public void testParsingFieldPermissionsUsesCache() throws IOException {
Expand Down
2 changes: 1 addition & 1 deletion ...urity/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -389,7 +389,7 @@ public void testParseFileWithRemoteIndicesAndCluster() throws IllegalAccessExcep
startsWith(
"failed to parse remote_cluster for role [invalid_role_bad_priv_remote_clusters]. "
+ "[monitor_enrich, monitor_stats] are the only values allowed for [privileges] within [remote_cluster]. "
+ "skipping role..."
+ "Found [junk]. skipping role..."
)
);
}
Expand Down

0 comments on commit 7e9cb22

Please sign in to comment.