Reinstated " Implement new extension points in IdentityPlugin and add ContextProvidingPluginSubject (opensearch-project#4896)"

cwperks · nibix · commit 59cee02441a3 · 2025-04-02T21:01:49.000+02:00
Signed-off-by: Nils Bandener &lt;nils.bandener@eliatra.com&gt;
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java b/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java
@@ -126,6 +126,28 @@ public void wildcard() throws Exception {
             );
         }
 
+        @Test
+        public void wildcardByUsername() throws Exception {
+            SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.empty(CType.ROLES);
+
+            ActionPrivileges subject = new ActionPrivileges(
+                roles,
+                FlattenedActionGroups.EMPTY,
+                null,
+                Settings.EMPTY,
+                Map.of("plugin:org.opensearch.sample.SamplePlugin", Set.of("*"))
+            );
+
+            assertThat(
+                subject.hasClusterPrivilege(ctxByUsername("plugin:org.opensearch.sample.SamplePlugin"), "cluster:whatever"),
+                isAllowed()
+            );
+            assertThat(
+                subject.hasClusterPrivilege(ctx("plugin:org.opensearch.other.OtherPlugin"), "cluster:whatever"),
+                isForbidden(missingPrivileges("cluster:whatever"))
+            );
+        }
+
         @Test
         public void explicit_wellKnown() throws Exception {
             SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.fromYaml("non_explicit_role:\n" + //
@@ -455,7 +477,8 @@ public IndicesAndAliases(IndexSpec indexSpec, ActionSpec actionSpec, Statefulnes
                     settings,
                     WellKnownActions.CLUSTER_ACTIONS,
                     WellKnownActions.INDEX_ACTIONS,
-                    WellKnownActions.INDEX_ACTIONS
+                    WellKnownActions.INDEX_ACTIONS,
+                    Map.of()
                 );
 
                 if (statefulness == Statefulness.STATEFUL || statefulness == Statefulness.STATEFUL_LIMITED) {
@@ -1030,4 +1053,19 @@ static PrivilegesEvaluationContext ctx(String... roles) {
             null
         );
     }
+
+    static PrivilegesEvaluationContext ctxByUsername(String username) {
+        User user = new User(username);
+        user.addAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
+        return new PrivilegesEvaluationContext(
+            user,
+            ImmutableSet.of(),
+            null,
+            null,
+            null,
+            null,
+            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
+            null
+        );
+    }
 }
diff --git a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
@@ -90,9 +90,10 @@ public ActionPrivileges(
         Settings settings,
         ImmutableSet<String> wellKnownClusterActions,
         ImmutableSet<String> wellKnownIndexActions,
-        ImmutableSet<String> explicitlyRequiredIndexActions
+        ImmutableSet<String> explicitlyRequiredIndexActions,
+        Map<String, Set<String>> pluginToClusterActions
     ) {
-        this.cluster = new ClusterPrivileges(roles, actionGroups, wellKnownClusterActions);
+        this.cluster = new ClusterPrivileges(roles, actionGroups, wellKnownClusterActions, pluginToClusterActions);
         this.index = new IndexPrivileges(roles, actionGroups, wellKnownIndexActions, explicitlyRequiredIndexActions);
         this.roles = roles;
         this.actionGroups = actionGroups;
@@ -115,7 +116,27 @@ public ActionPrivileges(
             settings,
             WellKnownActions.CLUSTER_ACTIONS,
             WellKnownActions.INDEX_ACTIONS,
-            WellKnownActions.EXPLICITLY_REQUIRED_INDEX_ACTIONS
+            WellKnownActions.EXPLICITLY_REQUIRED_INDEX_ACTIONS,
+            Map.of()
+        );
+    }
+
+    public ActionPrivileges(
+        SecurityDynamicConfiguration<RoleV7> roles,
+        FlattenedActionGroups actionGroups,
+        Supplier<Map<String, IndexAbstraction>> indexMetadataSupplier,
+        Settings settings,
+        Map<String, Set<String>> pluginToClusterActions
+    ) {
+        this(
+            roles,
+            actionGroups,
+            indexMetadataSupplier,
+            settings,
+            WellKnownActions.CLUSTER_ACTIONS,
+            WellKnownActions.INDEX_ACTIONS,
+            WellKnownActions.EXPLICITLY_REQUIRED_INDEX_ACTIONS,
+            pluginToClusterActions
         );
     }
 
@@ -297,6 +318,8 @@ static class ClusterPrivileges {
          */
         private final ImmutableMap<String, WildcardMatcher> rolesToActionMatcher;
 
+        private final ImmutableMap<String, WildcardMatcher> usersToActionMatcher;
+
         private final ImmutableSet<String> wellKnownClusterActions;
 
         /**
@@ -310,14 +333,16 @@ static class ClusterPrivileges {
         ClusterPrivileges(
             SecurityDynamicConfiguration<RoleV7> roles,
             FlattenedActionGroups actionGroups,
-            ImmutableSet<String> wellKnownClusterActions
+            ImmutableSet<String> wellKnownClusterActions,
+            Map<String, Set<String>> pluginToClusterActions
         ) {
             DeduplicatingCompactSubSetBuilder<String> roleSetBuilder = new DeduplicatingCompactSubSetBuilder<>(
                 roles.getCEntries().keySet()
             );
             Map<String, DeduplicatingCompactSubSetBuilder.SubSetBuilder<String>> actionToRoles = new HashMap<>();
             ImmutableSet.Builder<String> rolesWithWildcardPermissions = ImmutableSet.builder();
             ImmutableMap.Builder<String, WildcardMatcher> rolesToActionMatcher = ImmutableMap.builder();
+            ImmutableMap.Builder<String, WildcardMatcher> usersToActionMatcher = ImmutableMap.builder();
 
             for (Map.Entry<String, RoleV7> entry : roles.getCEntries().entrySet()) {
                 try {
@@ -367,13 +392,22 @@ static class ClusterPrivileges {
                 }
             }
 
+            if (pluginToClusterActions != null) {
+                for (String pluginIdentifier : pluginToClusterActions.keySet()) {
+                    Set<String> clusterActions = pluginToClusterActions.get(pluginIdentifier);
+                    WildcardMatcher matcher = WildcardMatcher.from(clusterActions);
+                    usersToActionMatcher.put(pluginIdentifier, matcher);
+                }
+            }
+
             DeduplicatingCompactSubSetBuilder.Completed<String> completedRoleSetBuilder = roleSetBuilder.build();
 
             this.actionToRoles = actionToRoles.entrySet()
                 .stream()
                 .collect(ImmutableMap.toImmutableMap(Map.Entry::getKey, entry -> entry.getValue().build(completedRoleSetBuilder)));
             this.rolesWithWildcardPermissions = rolesWithWildcardPermissions.build();
             this.rolesToActionMatcher = rolesToActionMatcher.build();
+            this.usersToActionMatcher = usersToActionMatcher.build();
             this.wellKnownClusterActions = wellKnownClusterActions;
         }
 
@@ -407,6 +441,14 @@ PrivilegesEvaluatorResponse providesPrivilege(PrivilegesEvaluationContext contex
                 }
             }
 
+            // 4: If plugin is performing the action, check if plugin has permission
+            if (context.getUser().isPluginUser() && this.usersToActionMatcher.containsKey(context.getUser().getName())) {
+                WildcardMatcher matcher = this.usersToActionMatcher.get(context.getUser().getName());
+                if (matcher != null && matcher.test(action)) {
+                    return PrivilegesEvaluatorResponse.ok();
+                }
+            }
+
             return PrivilegesEvaluatorResponse.insufficient(action);
         }
 
@@ -476,6 +518,16 @@ PrivilegesEvaluatorResponse providesAnyPrivilege(PrivilegesEvaluationContext con
                 }
             }
 
+            // 4: If plugin is performing the action, check if plugin has permission
+            if (this.usersToActionMatcher.containsKey(context.getUser().getName())) {
+                WildcardMatcher matcher = this.usersToActionMatcher.get(context.getUser().getName());
+                for (String action : actions) {
+                    if (matcher != null && matcher.test(action)) {
+                        return PrivilegesEvaluatorResponse.ok();
+                    }
+                }
+            }
+
             if (actions.size() == 1) {
                 return PrivilegesEvaluatorResponse.insufficient(actions.iterator().next());
             } else {
