passing test
jakelandis committed Oct 30, 2024
1 parent c380112 commit a34b620
Showing 2 changed files with 32 additions and 37 deletions.
Expand Up @@ -25,9 +25,11 @@
import org.elasticsearch.core.Strings;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xcontent.json.JsonXContent;
import org.elasticsearch.xpack.core.security.action.profile.Profile;
import org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo.RoleDescriptorsBytes;
import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier;
Expand Down Expand Up @@ -79,6 +81,7 @@
import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.FALLBACK_REALM_NAME;
import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.FALLBACK_REALM_TYPE;
import static org.elasticsearch.xpack.core.security.authc.RealmDomain.REALM_DOMAIN_PARSER;
import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.Fields.REMOTE_CLUSTER;
import static org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS;

/**
Expand Down Expand Up @@ -1343,6 +1346,7 @@ private static Map<String, Object> maybeRewriteMetadataForApiKeyRoleDescriptors(
);
}

//TODO: this needs to be in the else so we don't add back the remote_cluster field
// the current cluster understands remote_cluster field in role descriptors, so check each permission and remove as needed
if (authentication.getEffectiveSubject().getTransportVersion().onOrAfter(ROLE_REMOTE_CLUSTER_PRIVS)){

Expand Down Expand Up @@ -1444,7 +1448,7 @@ private static BytesReference convertRoleDescriptorsMapToBytes(Map<String, Objec
}

static BytesReference maybeRemoveRemoteClusterFromRoleDescriptors(BytesReference roleDescriptorsBytes) {
return maybeRemoveTopLevelFromRoleDescriptors(roleDescriptorsBytes, RoleDescriptor.Fields.REMOTE_CLUSTER.getPreferredName());
return maybeRemoveTopLevelFromRoleDescriptors(roleDescriptorsBytes, REMOTE_CLUSTER.getPreferredName());
}

static BytesReference maybeRemoveRemoteIndicesFromRoleDescriptors(BytesReference roleDescriptorsBytes) {
Expand Down Expand Up @@ -1493,50 +1497,34 @@ static BytesReference maybeRemoveRemoteClusterPrivilegesFromRoleDescriptors(
}

final Map<String, Object> roleDescriptorsMap = convertRoleDescriptorsBytesToMap(roleDescriptorsBytes);
final Map<String, Object> roleDescriptorsMapMutated = new HashMap<>(roleDescriptorsMap);
final AtomicBoolean modified = new AtomicBoolean(false);
System.out.println("****************************** ");
System.out.println("roleDescriptorsMap: " + roleDescriptorsMap);
roleDescriptorsMap.forEach((key, value) -> {
if (value instanceof Map) {
@SuppressWarnings("unchecked")
Map<String, Object> roleDescriptor = (Map<String, Object>) value;
roleDescriptor.forEach((innerKey, innerValue) -> {

// remote_cluster=[{privileges=[monitor_enrich, monitor_stats]
if ("remote_cluster".equals(innerKey)) { // todo: use constant
assert innerValue instanceof List;
RemoteClusterPermissions discoveredRemoteClusterPermission
= new RemoteClusterPermissions((List<Map<String, List<String>>>) innerValue);


RemoteClusterPermissions mutated = discoveredRemoteClusterPermission.removeUnsupportedPrivileges(outboundVersion);
System.out.println("********* mutated: " + mutated);
if(mutated.equals(discoveredRemoteClusterPermission) == false) {
System.out.println("********* modified: " + true);
// example: remote_cluster=[{privileges=[monitor_enrich, monitor_stats]
if (REMOTE_CLUSTER.getPreferredName().equals(innerKey)) {
assert innerValue instanceof List;
RemoteClusterPermissions discoveredRemoteClusterPermission = new RemoteClusterPermissions(
(List<Map<String, List<String>>>) innerValue
);
RemoteClusterPermissions mutated = discoveredRemoteClusterPermission.removeUnsupportedPrivileges(outboundVersion);
if (mutated.equals(discoveredRemoteClusterPermission) == false) {
// swap out the old value with the new value
modified.set(true);
Map<String, Object> remoteClusterMap = ((Map<String, Object>) roleDescriptorsMapMutated.get(key));
remoteClusterMap.put(innerKey, mutated.toMap());
}


}
});


}
});
Iterator<Map.Entry<String, Object>> it = roleDescriptorsMap.entrySet().iterator();
Map.Entry<String, Object> next = it.next();
System.out.println("******** next: " + next);


if (modified.get()) {
// Iterator<Map.Entry<String, Object>> it = roleDescriptorsMap.entrySet().iterator();
// Map.Entry<String, Object> next = it.next();
// System.out.println("******** next: " + next


return convertRoleDescriptorsMapToBytes(roleDescriptorsMap);
return convertRoleDescriptorsMapToBytes(roleDescriptorsMapMutated);
} else {
// No need to serialize if we did not remove anything.
// No need to serialize if we did not change anything.
return roleDescriptorsBytes;
}
}
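Review bot: The cast `(List<Map<String, List<String>>>) innerValue` in the new lines is guarded only by `assert innerValue instanceof List;`, so with assertions disabled (the normal production setting) a role descriptor whose remote_cluster value is not a list fails with a ClassCastException inside the lambda instead of a clear error, and the cast is unchecked without a `@SuppressWarnings("unchecked")` unlike the outer `Map<String, Object> roleDescriptor` cast. Replace the assert with an explicit check that throws and annotate the declaration, as below. Separately, `roleDescriptorsMapMutated` is a shallow copy (`new HashMap<>(roleDescriptorsMap)`), so `remoteClusterMap` is the very inner map that the enclosing `roleDescriptor.forEach` is iterating; the `put` avoids a ConcurrentModificationException only because it replaces an existing key, which deserves a comment such as `// same inner map as roleDescriptor: replacing an existing key is not a structural modification` or a copy of the inner map before mutating it. The enclosing method maybeRemoveRemoteClusterPrivilegesFromRoleDescriptors begins before this hunk, and the `//TODO: this needs to be in the else ...` left in the earlier hunk is still open in this commit.
```java
if (REMOTE_CLUSTER.getPreferredName().equals(innerKey)) {
    if (innerValue instanceof List == false) {
        throw new IllegalArgumentException(
            "expected [" + REMOTE_CLUSTER.getPreferredName() + "] to be a list"
        );
    }
    @SuppressWarnings("unchecked")
    RemoteClusterPermissions discoveredRemoteClusterPermission = new RemoteClusterPermissions(
        (List<Map<String, List<String>>>) innerValue
    );
    // … unchanged: removeUnsupportedPrivileges and swap into roleDescriptorsMapMutated …
```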
Expand Up @@ -6,6 +6,8 @@
*/
package org.elasticsearch.xpack.core.security.authz;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.TransportVersion;
Expand Down Expand Up @@ -63,6 +65,7 @@ public class RoleDescriptor implements ToXContentObject, Writeable {
public static final TransportVersion SECURITY_ROLE_DESCRIPTION = TransportVersions.V_8_15_0;

public static final String ROLE_TYPE = "role";
private static final Logger logger = LogManager.getLogger(RoleDescriptor.class);

private final String name;
private final String[] clusterPrivileges;
Expand Down Expand Up @@ -835,22 +838,26 @@ private static RemoteClusterPermissions parseRemoteCluster(final String roleName
RemoteClusterPermissions.getSupportedRemoteClusterPermissions(),
Arrays.stream(privileges).map(s -> s.toLowerCase(Locale.ROOT)).collect(Collectors.toSet())
)) {
throw new ElasticsearchParseException(
"failed to parse remote_cluster for role [{}]. "
+ RemoteClusterPermissions.getSupportedRemoteClusterPermissions()
+ " are the only values allowed for [{}] within [remote_cluster]",
final String message = String.format(
"failed to parse remote_cluster for role [%s]. " +
"[%s] are the only values allowed for [%s] within [remote_cluster]",
roleName,
RemoteClusterPermissions.getSupportedRemoteClusterPermissions(),
currentFieldName
);
logger.warn(message);
throw new ElasticsearchParseException(message);
}
} else if (Fields.CLUSTERS.match(currentFieldName, parser.getDeprecationHandler())) {
clusters = readStringArray(roleName, parser, false);
} else {
throw new ElasticsearchParseException(
"failed to parse remote_cluster for role [{}]. unexpected field [{}]",
final String message = String.format(
"failed to parse remote_cluster for role [%s]. unexpected field [%s]",
roleName,
currentFieldName
);
logger.warn(message);
throw new ElasticsearchParseException(message);
}
}
if (privileges != null && clusters == null) {
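Review bot: Both new `String.format(...)` calls omit a locale, so the message is formatted with the JVM default locale even though this method already uses `Locale.ROOT` a few lines above (`s.toLowerCase(Locale.ROOT)`); use `String.format(Locale.ROOT, "failed to parse remote_cluster for role [%s]. " + ...` here and the same in the `else` branch's call. The `logger.warn(message)` added before each throw logs the same text that the ElasticsearchParseException already carries to the caller, so one malformed request is reported twice, and the logged line is built from the caller-supplied role name and field name; if the log entry is wanted, debug level is the better fit, otherwise drop it and let the exception be the single report. If getSupportedRemoteClusterPermissions() returns a collection (not visible in the hunk), wrapping it in `[%s]` renders as `[[a, b]]` because the collection's toString already supplies brackets, whereas the removed message concatenated it bare. The enclosing parseRemoteCluster starts outside the hunk.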
