From 7c7ad9c22c5709480043f64b3f4b1f2de93f5949 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Wed, 9 Aug 2023 14:22:56 -0400 Subject: [PATCH 1/2] Fix Document GET with DLS terms query Signed-off-by: Craig Perkins --- .../configuration/DlsFlsFilterLeafReader.java | 2 +- .../security/dlic/dlsfls/DlsTest.java | 34 +++++++++++++++++++ src/test/resources/dlsfls/roles.yml | 9 +++++ src/test/resources/dlsfls/roles_mapping.yml | 4 +++ 4 files changed, 48 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java index 0966a3f3ac..84dc7f8c19 100644 --- a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java +++ b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java @@ -232,7 +232,7 @@ public DlsGetEvaluator(final Query dlsQuery, final LeafReader in, boolean applyD // https://github.com/apache/lucene-solr/blob/branch_6_3/lucene/misc/src/java/org/apache/lucene/index/PKIndexSplitter.java final IndexSearcher searcher = new IndexSearcher(DlsFlsFilterLeafReader.this); searcher.setQueryCache(null); - final Weight preserveWeight = searcher.createWeight(dlsQuery, ScoreMode.COMPLETE_NO_SCORES, 1f); + final Weight preserveWeight = searcher.rewrite(dlsQuery).createWeight(searcher, ScoreMode.COMPLETE_NO_SCORES, 1f); final int maxDoc = in.maxDoc(); final FixedBitSet bits = new FixedBitSet(maxDoc); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java index d43a804d47..37fdb0e1e6 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java @@ -35,6 +35,13 @@ protected void populateData(Client tc) { new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 1500}", XContentType.JSON) ).actionGet(); + tc.index( + new IndexRequest("terms").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"foo\": \"bar\"}", XContentType.JSON) + ).actionGet(); + tc.index( + new IndexRequest("terms").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"foo\": \"baz\"}", XContentType.JSON) + ).actionGet(); + try { Thread.sleep(3000); } catch (InterruptedException e) { @@ -44,6 +51,7 @@ protected void populateData(Client tc) { System.out.println("q"); System.out.println(Strings.toString(XContentType.JSON, tc.search(new SearchRequest().indices(".opendistro_security")).actionGet())); tc.search(new SearchRequest().indices("deals")).actionGet(); + tc.search(new SearchRequest().indices("terms")).actionGet(); } @Test @@ -251,6 +259,32 @@ public void testDls() throws Exception { } + @Test + public void testDlsWithTermsQuery() throws Exception { + + setup(); + + HttpResponse res; + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/terms/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); + Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); + Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); + + Assert.assertEquals( + HttpStatus.SC_OK, + (res = rh.executeGetRequest("/terms/_doc/0", encodeBasicHeader("dept_manager", "password"))).getStatusCode() + ); + Assert.assertTrue(res.getBody().contains("\"foo\": \"bar\"")); + + Assert.assertEquals( + HttpStatus.SC_NOT_FOUND, + rh.executeGetRequest("/terms/_doc/1", encodeBasicHeader("dept_manager", "password")).getStatusCode() + ); + } + @Test public void testNonDls() throws Exception { diff --git a/src/test/resources/dlsfls/roles.yml b/src/test/resources/dlsfls/roles.yml index c692f73ceb..185116e2bb 100644 --- a/src/test/resources/dlsfls/roles.yml +++ b/src/test/resources/dlsfls/roles.yml @@ -2482,3 +2482,12 @@ logs_index_with_dls: masked_fields: null allowed_actions: - "OPENDISTRO_SECURITY_READ" + +terms_index_with_dls: + index_permissions: + - index_patterns: + - "terms" + dls: "{ \"terms\": { \"foo\" : [\"bar\"] } }" + masked_fields: null + allowed_actions: + - "OPENDISTRO_SECURITY_READ" diff --git a/src/test/resources/dlsfls/roles_mapping.yml b/src/test/resources/dlsfls/roles_mapping.yml index 27cf71c3bb..a37299908d 100644 --- a/src/test/resources/dlsfls/roles_mapping.yml +++ b/src/test/resources/dlsfls/roles_mapping.yml @@ -247,3 +247,7 @@ opendistro_security_mapped: logs_index_with_dls: users: - dept_manager + +terms_index_with_dls: + users: + - dept_manager From c233b07c343cbb15a9d08299d04276f561bc4ed2 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Wed, 9 Aug 2023 15:52:29 -0400 Subject: [PATCH 2/2] Use getTextFromJsonBody Signed-off-by: Craig Perkins --- .../security/dlic/dlsfls/DlsTest.java | 6 +++--- .../security/test/helper/rest/RestHelper.java | 17 +++++++++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java index 37fdb0e1e6..e2badef14c 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java @@ -270,14 +270,14 @@ public void testDlsWithTermsQuery() throws Exception { HttpStatus.SC_OK, (res = rh.executeGetRequest("/terms/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode() ); - Assert.assertTrue(res.getBody().contains("\"value\" : 1,\n \"relation")); - Assert.assertTrue(res.getBody().contains("\"failed\" : 0")); + Assert.assertEquals(res.getTextFromJsonBody("/hits/total/value"), "1"); + Assert.assertEquals(res.getTextFromJsonBody("/_shards/failed"), "0"); Assert.assertEquals( HttpStatus.SC_OK, (res = rh.executeGetRequest("/terms/_doc/0", encodeBasicHeader("dept_manager", "password"))).getStatusCode() ); - Assert.assertTrue(res.getBody().contains("\"foo\": \"bar\"")); + Assert.assertEquals(res.getTextFromJsonBody("/_source/foo"), "bar"); Assert.assertEquals( HttpStatus.SC_NOT_FOUND, diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java index 87ffa06da7..7eefd22273 100644 --- a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java @@ -45,6 +45,7 @@ import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.JsonNode; import org.apache.commons.lang3.StringUtils; import org.apache.hc.client5.http.async.methods.SimpleHttpRequest; @@ -433,6 +434,22 @@ public boolean isJsonContentType() { return ct.contains("application/json"); } + public String getTextFromJsonBody(String jsonPointer) { + return getJsonNodeAt(jsonPointer).asText(); + } + + private JsonNode getJsonNodeAt(String jsonPointer) { + try { + return toJsonNode().at(jsonPointer); + } catch (IOException e) { + throw new IllegalArgumentException("Cound not convert response body to JSON node ", e); + } + } + + private JsonNode toJsonNode() throws JsonProcessingException, IOException { + return DefaultObjectMapper.objectMapper.readTree(getBody()); + } + public SimpleHttpResponse getInner() { return inner; }