From 80ca336a474e650544ad85fed28aa2b4b2bea42f Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 14 Aug 2023 12:50:38 -0400 Subject: [PATCH] Fix Document GET with DLS terms query (#3136) Fixes an error on document retrieval for users that are mapped to roles with DLS rules including a terms query. The bug was introduced by a change in Lucene and reported on Slack [here](https://opensearch.slack.com/archives/C0539F41Z5X/p1690714779140659). This fix adds a test to catch an error like this at build time and assert the intended behavior. * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix https://github.com/opensearch-project/security/issues/3088 - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Craig Perkins (cherry picked from commit 88b6d23f0c84d83f138cf1a61bbe0145d8dd007e) --- .../configuration/DlsFlsFilterLeafReader.java | 2 +- .../security/dlic/dlsfls/DlsTest.java | 34 +++++++++++++++++++ .../security/test/helper/rest/RestHelper.java | 17 ++++++++++ src/test/resources/dlsfls/roles.yml | 9 +++++ src/test/resources/dlsfls/roles_mapping.yml | 4 +++ 5 files changed, 65 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java index 0966a3f3ac..84dc7f8c19 100644 --- a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java +++ b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java @@ -232,7 +232,7 @@ public DlsGetEvaluator(final Query dlsQuery, final LeafReader in, boolean applyD // https://github.com/apache/lucene-solr/blob/branch_6_3/lucene/misc/src/java/org/apache/lucene/index/PKIndexSplitter.java final IndexSearcher searcher = new IndexSearcher(DlsFlsFilterLeafReader.this); searcher.setQueryCache(null); - final Weight preserveWeight = searcher.createWeight(dlsQuery, ScoreMode.COMPLETE_NO_SCORES, 1f); + final Weight preserveWeight = searcher.rewrite(dlsQuery).createWeight(searcher, ScoreMode.COMPLETE_NO_SCORES, 1f); final int maxDoc = in.maxDoc(); final FixedBitSet bits = new FixedBitSet(maxDoc); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java index ff9db66c16..f1db4a74f2 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java @@ -35,6 +35,13 @@ protected void populateData(Client tc) { new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 1500}", XContentType.JSON) ).actionGet(); + tc.index( + new IndexRequest("terms").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"foo\": \"bar\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("terms").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"foo\": \"baz\"}", XContentType.JSON) + ).actionGet(); + try { Thread.sleep(3000); } catch (InterruptedException e) { @@ -44,6 +51,7 @@ protected void populateData(Client tc) { System.out.println("q"); System.out.println(Strings.toString(XContentType.JSON, tc.search(new SearchRequest().indices(".opendistro_security")).actionGet())); tc.search(new SearchRequest().indices("deals")).actionGet(); + tc.search(new SearchRequest().indices("terms")).actionGet(); } @Test @@ -250,6 +258,32 @@ public void testDls() throws Exception { } + @Test + public void testDlsWithTermsQuery() throws Exception { + + setup(); + + HttpResponse res; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/terms/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); + Assert.assertEquals(res.getTextFromJsonBody("/hits/total/value"), "1"); + Assert.assertEquals(res.getTextFromJsonBody("/_shards/failed"), "0"); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/terms/_doc/0", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); + Assert.assertEquals(res.getTextFromJsonBody("/_source/foo"), "bar"); + + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + rh.executeGetRequest("/terms/_doc/1", encodeBasicHeader("dept_manager", "password")).getStatusCode() + ); + } + @Test public void testNonDls() throws Exception { diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java index 9bdb8ef61b..a23d1a31c9 100644 --- a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java @@ -43,6 +43,7 @@ import javax.net.ssl.SSLContext; +import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.JsonNode; import org.apache.commons.io.IOUtils; import org.apache.http.Header; @@ -344,6 +345,22 @@ public boolean isJsonContentType() { return ct.contains("application/json"); } + public String getTextFromJsonBody(String jsonPointer) { + return getJsonNodeAt(jsonPointer).asText(); + } + + private JsonNode getJsonNodeAt(String jsonPointer) { + try { + return toJsonNode().at(jsonPointer); + } catch (IOException e) { + throw new IllegalArgumentException("Cound not convert response body to JSON node ", e); + } + } + + private JsonNode toJsonNode() throws JsonProcessingException, IOException { + return DefaultObjectMapper.objectMapper.readTree(getBody()); + } + public CloseableHttpResponse getInner() { return inner; } diff --git a/src/test/resources/dlsfls/roles.yml b/src/test/resources/dlsfls/roles.yml index c692f73ceb..185116e2bb 100644 --- a/src/test/resources/dlsfls/roles.yml +++ b/src/test/resources/dlsfls/roles.yml @@ -2482,3 +2482,12 @@ logs_index_with_dls: masked_fields: null allowed_actions: - "OPENDISTRO_SECURITY_READ" + +terms_index_with_dls: + index_permissions: + - index_patterns: + - "terms" + dls: "{ \"terms\": { \"foo\" : [\"bar\"] } }" + masked_fields: null + allowed_actions: + - "OPENDISTRO_SECURITY_READ" diff --git a/src/test/resources/dlsfls/roles_mapping.yml b/src/test/resources/dlsfls/roles_mapping.yml index 27cf71c3bb..a37299908d 100644 --- a/src/test/resources/dlsfls/roles_mapping.yml +++ b/src/test/resources/dlsfls/roles_mapping.yml @@ -247,3 +247,7 @@ opendistro_security_mapped: logs_index_with_dls: users: - dept_manager + +terms_index_with_dls: + users: + - dept_manager