fix to include hidden indices when resolving wildcards (#1488)

(cherry-picked from commit 5a9935a)

Signed-off-by: Nidhi Sridhar <[email protected]>

src/main/java/com/amazon/opendistroforelasticsearch/security/resolver/IndexResolverReplacer.java

@@ -680,7 +680,7 @@ private boolean getOrReplaceAllIndices(final Object request, final IndicesProvid
     private IndicesOptions indicesOptionsFrom(Object localRequest) {
 
         if(!respectRequestIndicesOptions) {
-            return IndicesOptions.fromOptions(false, true, true, false);
+            return IndicesOptions.fromOptions(false, true, true, false, true);
         }
 
         if (IndicesRequest.class.isInstance(localRequest)) {
@@ -690,7 +690,7 @@ else if (RestoreSnapshotRequest.class.isInstance(localRequest)) {
             return ((RestoreSnapshotRequest) localRequest).indicesOptions();
         }
         else {
-            return IndicesOptions.fromOptions(false, true, true, false);
+            return IndicesOptions.fromOptions(false, true, true, false, true);
         }
     }
 

src/test/java/com/amazon/opendistroforelasticsearch/security/PrivilegesEvaluationTest.java

@@ -0,0 +1,42 @@
+package com.amazon.opendistroforelasticsearch.security;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
+import org.elasticsearch.action.index.IndexRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
+import org.elasticsearch.client.Client;
+import org.elasticsearch.common.xcontent.XContentType;
+import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest;
+import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper;
+
+import com.google.common.collect.ImmutableMap;
+
+public class PrivilegesEvaluationTest extends SingleClusterTest {
+    @Test
+    public void resolveTestHidden() throws Exception {
+
+        setup();
+
+        try (Client client = getInternalTransportClient()) {
+
+            client.index(new IndexRequest("hidden_test_not_hidden").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(XContentType.JSON, "index",
+                    "hidden_test_not_hidden", "b", "y", "date", "1985/01/01")).actionGet();
+
+            client.admin().indices().create(new CreateIndexRequest(".hidden_test_actually_hidden").settings(ImmutableMap.of("index.hidden", true)))
+                    .actionGet();
+            client.index(new IndexRequest(".hidden_test_actually_hidden").id("test").source("a", "b").setRefreshPolicy(RefreshPolicy.IMMEDIATE))
+                    .actionGet();
+        }
+        RestHelper rh = nonSslRestHelper();
+        RestHelper.HttpResponse httpResponse = rh.executeGetRequest("/*hidden_test*/_search?expand_wildcards=all&pretty=true",
+                encodeBasicHeader("hidden_test", "nagilum"));
+        Assert.assertEquals(httpResponse.getBody(), 403, httpResponse.getStatusCode());
+
+        httpResponse = rh.executeGetRequest("/hidden_test_not_hidden?pretty=true",
+                encodeBasicHeader("hidden_test", "nagilum"));
+        Assert.assertEquals(httpResponse.getBody(), 200, httpResponse.getStatusCode());
+    }
+}
+
+

src/test/resources/internal_users.yml

@@ -334,3 +334,7 @@ foo_all:
 bulk_test_user:
   hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
   #password is: nagilum
+hidden_test:
+  hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
+  opendistro_security_roles:
+    - hidden_test

src/test/resources/roles.yml

@@ -1068,3 +1068,12 @@ xyz_sr_reserved:
       allowed_actions:
         - "*"
   tenant_permissions: []
+
+hidden_test:
+  cluster_permissions:
+    - SGS_CLUSTER_COMPOSITE_OPS
+  index_permissions:
+    - index_patterns:
+        - hidden_test_not_hidden
+      allowed_actions:
+        - "*"