Refactor Privileges API/Store to use separate class#31191
Merged
tvernum merged 8 commits intoelastic:security-app-privsfrom Jun 21, 2018
Merged
Refactor Privileges API/Store to use separate class#31191tvernum merged 8 commits intoelastic:security-app-privsfrom
tvernum merged 8 commits intoelastic:security-app-privsfrom
Conversation
The ApplicationPrivilege class had a dual purpose of defining application privileges as stored in the security index, and also being the means by which those privileges were tested against roles. This made the class difficult to work with - in particular validation was dependent on which purpose it was being used for. This commit splits the index storage part into a new ApplicationPrivilegeDescriptor class
jaymode
requested changes
Jun 13, 2018
Member
jaymode
left a comment
There was a problem hiding this comment.
I like it. I left a few minor comments.
| validationException = addValidationError(e.getMessage(), validationException); | ||
| } | ||
| try { | ||
| ApplicationPrivilege.validatePrivilegeName(privilege.getName()); |
Member
There was a problem hiding this comment.
hmm I think this should be something else or removed?
| import org.elasticsearch.xpack.core.security.authz.RoleDescriptor; | ||
| import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; | ||
| import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege; | ||
| import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor; |
| private static final Pattern VALID_APPLICATION_OR_WILDCARD = Pattern.compile("^[A-Za-z0-9_*-]+"); | ||
| private static final Pattern VALID_APPLICATION_OR_WILDCARD = Pattern.compile("^[a-z*][A-Za-z0-9_*-]*"); | ||
| private static final Pattern VALID_NAME = Pattern.compile("^[a-z][a-zA-Z0-9_.-]*$"); | ||
| private static final Pattern VALID_NAME_OR_ACTION = Pattern.compile("^\\p{Graph}*$"); |
Member
There was a problem hiding this comment.
do you mind adding a comment about this? My regex isn't great so I had to go look up what this was
| * @throws IllegalArgumentException if the name is not valid | ||
| */ | ||
| public static void validatePrivilegeOrActionName(String name) { | ||
| if(VALID_NAME_OR_ACTION.matcher(name).matches() == false) { |
| out.writeCollection(actions, StreamOutput::writeString); | ||
| out.writeMap(metadata); | ||
| } | ||
|
|
| assertThat(exception, notNullValue()); | ||
| assertThat(exception.validationErrors(), hasItem(containsString(message))); | ||
| } | ||
|
|
Contributor
Author
|
I've addressed all feedback on this PR. |
albertzaharovits
approved these changes
Jun 19, 2018
Contributor
albertzaharovits
left a comment
There was a problem hiding this comment.
neat! LGTM Thanks!
jaymode
approved these changes
Jun 19, 2018
|
|
||
| /** | ||
| * A name or action must be composed of printable, visible ASCII characters. | ||
| * That is: letters, numbers & symbols, but no whitespace. |
Member
There was a problem hiding this comment.
I think the & needs to be &
# Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ApplicationPrivilege.java # x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/privilege/TransportGetPrivilegesAction.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The ApplicationPrivilege class had a dual purpose of defining
application privileges as stored in the security index, and also being
the means by which those privileges were tested against roles.
This made the class difficult to work with - in particular validation
was dependent on which purpose it was being used for.
This commit splits the index storage part into a new
ApplicationPrivilegeDescriptor class