Assert wildcards are not expanded as specified by request options #90641
Assert wildcards are not expanded as specified by request options #90641elasticsearchmachine merged 12 commits intoelastic:mainfrom
Conversation
|
Pinging @elastic/es-security (Team:Security) |
| // expand to hidden | ||
| return expandWildcardsOpen() || expandWildcardsClosed(); | ||
| } | ||
|
|
There was a problem hiding this comment.
I've added this new options-test method, to make it easier to track all the code places that rely on wildcards being expanded or not.
| + requestInfo.getAction() | ||
| + "] contains unexpanded wildcards " | ||
| + Arrays.stream(indices).filter(Regex::isSimpleMatchPattern).toList(); | ||
|
|
There was a problem hiding this comment.
This does not really represent the conditions under which a proper child-action contains unexpanded wildcards.
The condition reflects the fact that an action can be double-authorized.
There was a problem hiding this comment.
I would like to avoid double-authorization in a follow-up PR, but I won't promise.
|
To the reviewers: BUT, that assertion didn't actually trip for a child action authorization scenario. It tripped for a double-authorization known anomaly. Consequently the assertion adjusting doesn't really make sense when considering child actions only. |
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
Outdated
Show resolved
Hide resolved
...ity/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
Outdated
Show resolved
Hide resolved
...ity/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
Outdated
Show resolved
Hide resolved
* main: (150 commits) Remove ToXContent interface from ChunkedToXContent (elastic#90409) Remove extra SearchService constructor (elastic#90733) Update min version for the diagnosis yaml test (elastic#90731) Use the AggTestConfig object in testCase (elastic#90699) [DOCS] Add links to clear trained model deployment cache API (elastic#90727) Assert wildcards are not expanded as specified by request options (elastic#90641) [TEST] Fix exit snapshot restore exit condition (elastic#90696) [TEST] Change to atomic file contents save (elastic#90695) Update forbiddenapis to 3.4 (elastic#90624) [Tests] Don't use concurrent search in scripted field type tests (elastic#90712) [ML] Move scaling is possible check for starting trained model (elastic#90706) Add new base test case for chunked xcontent types (elastic#90707) Fix testRedNoBlockedIndicesAndRedAllRoleNodes (elastic#90671) Fix nullpointer in docs test setup (elastic#90660) Don't produce build logs artifact when in a composite build Fixing a race condition in EnrichCoordinatorProxyAction that can leave an item stuck in its queue (elastic#90688) docs: update fleet/agent pipeline docs (elastic#90659) [HealthAPI] Use plural consistently in resource types (elastic#90682) [Testing] Enable bwc and fix sorting for 500_date_range (elastic#90681) Add profiling and documentation for dfs phase (elastic#90536) ... # Conflicts: # x-pack/plugin/mapper-aggregate-metric/src/test/java/org/elasticsearch/xpack/aggregatemetric/mapper/AggregateDoubleMetricFieldMapperTests.java
This modifies some assertions in the authz to cater for
the cases where wildcards are not expanded because
of request options.