fix to include hidden indices when resolving wildcards (#1472)

Signed-off-by: Nidhi Sridhar <[email protected]>

src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java

@@ -691,7 +691,7 @@ private boolean getOrReplaceAllIndices(final Object request, final IndicesProvid
     private IndicesOptions indicesOptionsFrom(Object localRequest) {
 
         if(!respectRequestIndicesOptions) {
-            return IndicesOptions.fromOptions(false, true, true, false);
+            return IndicesOptions.fromOptions(false, true, true, false, true);
         }
 
         if (IndicesRequest.class.isInstance(localRequest)) {
@@ -701,7 +701,7 @@ else if (RestoreSnapshotRequest.class.isInstance(localRequest)) {
             return ((RestoreSnapshotRequest) localRequest).indicesOptions();
         }
         else {
-            return IndicesOptions.fromOptions(false, true, true, false);
+            return IndicesOptions.fromOptions(false, true, true, false, true);
         }
     }
 

src/test/java/org/opensearch/security/PrivilegesEvaluationTest.java

@@ -0,0 +1,40 @@
+package org.opensearch.security;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.opensearch.action.admin.indices.create.CreateIndexRequest;
+import org.opensearch.action.index.IndexRequest;
+import org.opensearch.action.support.WriteRequest.RefreshPolicy;
+import org.opensearch.client.Client;
+import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.security.test.SingleClusterTest;
+import org.opensearch.security.test.helper.rest.RestHelper;
+
+import com.google.common.collect.ImmutableMap;
+
+public class PrivilegesEvaluationTest extends SingleClusterTest {
+    @Test
+    public void resolveTestHidden() throws Exception {
+
+        setup();
+
+        try (Client client = getInternalTransportClient()) {
+
+            client.index(new IndexRequest("hidden_test_not_hidden").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(XContentType.JSON, "index",
+                    "hidden_test_not_hidden", "b", "y", "date", "1985/01/01")).actionGet();
+
+            client.admin().indices().create(new CreateIndexRequest(".hidden_test_actually_hidden").settings(ImmutableMap.of("index.hidden", true)))
+                                       .actionGet();
+            client.index(new IndexRequest(".hidden_test_actually_hidden").id("test").source("a", "b").setRefreshPolicy(RefreshPolicy.IMMEDIATE))
+                    .actionGet();
+        }
+        RestHelper rh = nonSslRestHelper();
+        RestHelper.HttpResponse httpResponse = rh.executeGetRequest("/*hidden_test*/_search?expand_wildcards=all&pretty=true",
+                encodeBasicHeader("hidden_test", "nagilum"));
+        Assert.assertEquals(httpResponse.getBody(), 403, httpResponse.getStatusCode());
+
+        httpResponse = rh.executeGetRequest("/hidden_test_not_hidden?pretty=true",
+                encodeBasicHeader("hidden_test", "nagilum"));
+        Assert.assertEquals(httpResponse.getBody(), 200, httpResponse.getStatusCode());
+    }
+}

src/test/resources/internal_users.yml

@@ -346,3 +346,8 @@ ds2:
 ds3:
   hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
   #password is: nagilum
+hidden_test:
+  hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
+  opendistro_security_roles:
+  - hidden_test
+

src/test/resources/roles.yml

@@ -1116,3 +1116,12 @@ data_stream_3:
         - "*"
       allowed_actions:
         - "DATASTREAM_ALL"
+
+hidden_test:
+  cluster_permissions:
+  - SGS_CLUSTER_COMPOSITE_OPS
+  index_permissions:
+  - index_patterns:
+    - hidden_test_not_hidden
+    allowed_actions:
+    - "*"