From b44d65b10237c1a738aa10edc78ab1b0fd4b5aff Mon Sep 17 00:00:00 2001 From: nsri19 <89658577+nsri19@users.noreply.github.com> Date: Thu, 4 Nov 2021 13:41:38 -0700 Subject: [PATCH] fix to include hidden indices when resolving wildcards (#1488) (cherry-picked from commit 5a9935a) Signed-off-by: Nidhi Sridhar --- .../resolver/IndexResolverReplacer.java | 4 +- .../security/PrivilegesEvaluationTest.java | 42 +++++++++++++++++++ src/test/resources/internal_users.yml | 4 ++ src/test/resources/roles.yml | 9 ++++ 4 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 src/test/java/com/amazon/opendistroforelasticsearch/security/PrivilegesEvaluationTest.java diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/resolver/IndexResolverReplacer.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/resolver/IndexResolverReplacer.java index 48f21fff6e..471e8db77b 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/resolver/IndexResolverReplacer.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/resolver/IndexResolverReplacer.java @@ -680,7 +680,7 @@ private boolean getOrReplaceAllIndices(final Object request, final IndicesProvid private IndicesOptions indicesOptionsFrom(Object localRequest) { if(!respectRequestIndicesOptions) { - return IndicesOptions.fromOptions(false, true, true, false); + return IndicesOptions.fromOptions(false, true, true, false, true); } if (IndicesRequest.class.isInstance(localRequest)) { @@ -690,7 +690,7 @@ else if (RestoreSnapshotRequest.class.isInstance(localRequest)) { return ((RestoreSnapshotRequest) localRequest).indicesOptions(); } else { - return IndicesOptions.fromOptions(false, true, true, false); + return IndicesOptions.fromOptions(false, true, true, false, true); } } 
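Review bot: The fifth positional `true` in both `IndicesOptions.fromOptions(false, true, true, false, true)` calls in `indicesOptionsFrom` (this hunk and the one at -690) carries the whole fix, yet nothing on either line says what it switches on or why privilege evaluation depends on it. Because the two fallbacks have to stay identical, I would hoist them into one constant, e.g. `private static final IndicesOptions DEFAULT_RESOLVE_OPTIONS = IndicesOptions.fromOptions(false, true, true, false, true);`, with a comment such as `// also expand wildcards to hidden indices, so privilege evaluation sees every index the pattern can match`. The fourth argument is still `false`, so closed indices appear to remain outside the fallback resolution. It is worth confirming that a wildcard request cannot reach a closed index the resolver never evaluated. Lines 687-689 of the method sit between the two hunks and are not shown.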
diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/PrivilegesEvaluationTest.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/PrivilegesEvaluationTest.java
new file mode 100644
index 0000000000..a2f158db07
--- /dev/null
+++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/PrivilegesEvaluationTest.java
@@ -0,0 +1,42 @@
+package com.amazon.opendistroforelasticsearch.security;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
+import org.elasticsearch.action.index.IndexRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
+import org.elasticsearch.client.Client;
+import org.elasticsearch.common.xcontent.XContentType;
+import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest;
+import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper;
+
+import com.google.common.collect.ImmutableMap;
+
+public class PrivilegesEvaluationTest extends SingleClusterTest {
+ @Test
+ public void resolveTestHidden() throws Exception {
+
+ setup();
+
+ try (Client client = getInternalTransportClient()) {
+
+ client.index(new IndexRequest("hidden_test_not_hidden").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(XContentType.JSON, "index",
+ "hidden_test_not_hidden", "b", "y", "date", "1985/01/01")).actionGet();
+
+ client.admin().indices().create(new CreateIndexRequest(".hidden_test_actually_hidden").settings(ImmutableMap.of("index.hidden", true)))
+ .actionGet();
+ client.index(new IndexRequest(".hidden_test_actually_hidden").id("test").source("a", "b").setRefreshPolicy(RefreshPolicy.IMMEDIATE))
+ .actionGet();
+ }
+ RestHelper rh = nonSslRestHelper();
+ RestHelper.HttpResponse httpResponse = rh.executeGetRequest("/*hidden_test*/_search?expand_wildcards=all&pretty=true",
+ encodeBasicHeader("hidden_test", "nagilum"));
+ Assert.assertEquals(httpResponse.getBody(), 403, httpResponse.getStatusCode());
+
+ httpResponse = rh.executeGetRequest("/hidden_test_not_hidden?pretty=true",
+ encodeBasicHeader("hidden_test", "nagilum"));
+ Assert.assertEquals(httpResponse.getBody(), 200, httpResponse.getStatusCode());
+ }
+}
+
+
diff --git a/src/test/resources/internal_users.yml b/src/test/resources/internal_users.yml
index dee1077e31..31401a5370 100644
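Review bot: The positive control in `resolveTestHidden` (PrivilegesEvaluationTest.java) uses a different endpoint from the denied request: the 403 case is a `_search`, but the 200 case is a plain `GET /hidden_test_not_hidden`. The test therefore never shows that the `hidden_test` role may search the one index it is granted. Adding `httpResponse = rh.executeGetRequest("/hidden_test_not_hidden/_search?pretty=true", encodeBasicHeader("hidden_test", "nagilum"));` followed by a 200 assertion would tie the 403 to the hidden index rather than to search being refused outright. A short comment above the first request, e.g. `// the wildcard also matches .hidden_test_actually_hidden, which the role does not cover`, would state the regression being pinned.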
--- a/src/test/resources/internal_users.yml +++ b/src/test/resources/internal_users.yml @@ -334,3 +334,7 @@ foo_all: bulk_test_user: hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m #password is: nagilum +hidden_test: + hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m + opendistro_security_roles: + - hidden_test diff --git a/src/test/resources/roles.yml b/src/test/resources/roles.yml index 974f8dd62e..d61d12775f 100644 --- a/src/test/resources/roles.yml +++ b/src/test/resources/roles.yml @@ -1068,3 +1068,12 @@ xyz_sr_reserved: allowed_actions: - "*" tenant_permissions: [] + +hidden_test: + cluster_permissions: + - SGS_CLUSTER_COMPOSITE_OPS + index_permissions: + - index_patterns: + - hidden_test_not_hidden + allowed_actions: + - "*"
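Review bot: In the internal_users.yml hunk, the new `hidden_test` entry reuses the hash of `bulk_test_user` but omits the `#password is: nagilum` comment that the neighbouring entry carries in the visible context. The new test depends on that password in `encodeBasicHeader("hidden_test", "nagilum")`. I would add the same `#password is: nagilum` line under the new `hash:` so the fixture stays self-describing.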