opensearch-project · RyanL1997 · Aug 29, 2023 · Aug 18, 2023 · Aug 21, 2023 · Aug 24, 2023
@@ -9,9 +9,14 @@
 */
 package org.opensearch.security;
 
+import java.io.BufferedReader;
 import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.List;
+import java.util.stream.Collectors;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.google.common.collect.ImmutableList;
 import org.hamcrest.Matchers;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
@@ -31,19 +36,16 @@
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.search.SearchScrollRequest;
 import org.opensearch.client.Client;
+import org.opensearch.client.Request;
+import org.opensearch.client.Response;
 import org.opensearch.client.RestHighLevelClient;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.User;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
 
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.aMapWithSize;
-import static org.hamcrest.Matchers.allOf;
-import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
-import static org.hamcrest.Matchers.arrayWithSize;
-import static org.hamcrest.Matchers.hasKey;
-import static org.hamcrest.Matchers.nullValue;
+import static org.hamcrest.Matchers.*;
 import static org.opensearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions.Type.ADD;
 import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.opensearch.client.RequestOptions.DEFAULT;
@@ -56,6 +58,7 @@
 import static org.opensearch.security.Song.SONGS;
 import static org.opensearch.security.Song.TITLE_MAGNUM_OPUS;
 import static org.opensearch.security.Song.TITLE_NEXT_SONG;
+import static org.opensearch.security.privileges.PrivilegesEvaluator.DNFOF_PATTERNS;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
 import static org.opensearch.test.framework.cluster.SearchRequestFactory.averageAggregationRequest;
@@ -97,20 +100,43 @@ public class DoNotFailOnForbiddenTests {
     private static final String ID_3 = "3";
     private static final String ID_4 = "4";
 
+    private static final List<String> allowedDnfof = ImmutableList.of(
+        "indices:monitor/settings/get",
+        "indices:monitor/stats",
+        "indices:data/read/search",
+        "indices:data/read/msearch",
+        "indices:data/read/scroll",
+        "indices:data/read/mget",
+        "indices:admin/mappings/fields/get"
+    );
+
+    private static final List<String> disallowedDnfof = ImmutableList.of(
+        "indices:admin/template/put",
+        "indices:data/write/index",
+        "indices:admin/create",
+        "indices:data/write/bulk",
+        "indices:admin/aliases",
+        "indices:data/write/reindex"
+    );
+
     private static final User ADMIN_USER = new User("admin").roles(ALL_ACCESS);
     private static final User LIMITED_USER = new User("limited_user").roles(
         new TestSecurityConfig.Role("limited-role").clusterPermissions(
             "indices:data/read/mget",
             "indices:data/read/msearch",
-            "indices:data/read/scroll"
+            "indices:data/read/scroll",
+            "cluster:monitor/state",
+            "cluster:monitor/health"
         )
             .indexPermissions(
                 "indices:data/read/search",
                 "indices:data/read/mget*",
                 "indices:data/read/field_caps",
                 "indices:data/read/field_caps*",
                 "indices:data/read/msearch",
-                "indices:data/read/scroll"
+                "indices:data/read/scroll",
+                "indices:monitor/settings/get",
+                "indices:monitor/stats"
             )
             .on(MARVELOUS_SONGS)
     );
@@ -408,4 +434,32 @@ public void shouldPerformStatAggregation_negative() throws IOException {
         }
     }
 
+    @Test
+    public void shouldPerformCatIndices_positive() throws IOException {
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_USER)) {
+            Request getIndicesRequest = new Request("GET", "/_cat/indices");
+            // High level client doesn't support _cat/_indices API
+            Response getIndicesResponse = restHighLevelClient.getLowLevelClient().performRequest(getIndicesRequest);
+            List<String> indexes = new BufferedReader(new InputStreamReader(getIndicesResponse.getEntity().getContent())).lines()
+                .collect(Collectors.toList());
+
+            assertThat(indexes.size(), equalTo(1));
+            assertThat(indexes.get(0), containsString("marvelous_songs"));
+        }
+    }
+
+    @Test
+    public void testDnfofPermissions_negative() {
+        for (final String permission : disallowedDnfof) {
+            assertThat(DNFOF_PATTERNS.matcher(permission).matches(), equalTo(false));
+        }
+    }
+
+    @Test
+    public void testDnfofPermissions_positive() {
+        for (final String permission : allowedDnfof) {
+            assertThat(DNFOF_PATTERNS.matcher(permission).matches(), equalTo(true));
+        }
+    }
+
 }
@@ -103,8 +103,8 @@ public class PrivilegesEvaluator {
 
     private static final WildcardMatcher ACTION_MATCHER = WildcardMatcher.from("indices:data/read/*search*");
 
-    private static final Pattern DNFOF_PATTERNS = Pattern.compile(
-        "indices:(data/read/.*|(admin/(mappings/fields/get.*|shards/search_shards|resolve/index)))"
+    public static final Pattern DNFOF_PATTERNS = Pattern.compile(
+        "indices:(data/read/.*|(admin/(mappings/fields/get.*|shards/search_shards|resolve/index))|(monitor/((settings/get)|(stats))))"
     );
 
     private static final IndicesOptions ALLOW_EMPTY = IndicesOptions.fromOptions(true, true, false, false);