[Backport 2.x] Fix Document GET with DLS terms query (#3136) (#3175)

cwperks · web-flow · commit 4a14af490945 · 2023-08-15T09:25:04.000-04:00
Backport #3136 to 2.x
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
@@ -232,7 +232,7 @@ public DlsGetEvaluator(final Query dlsQuery, final LeafReader in, boolean applyD
                 // https://github.com/apache/lucene-solr/blob/branch_6_3/lucene/misc/src/java/org/apache/lucene/index/PKIndexSplitter.java
                 final IndexSearcher searcher = new IndexSearcher(DlsFlsFilterLeafReader.this);
                 searcher.setQueryCache(null);
-                final Weight preserveWeight = searcher.createWeight(dlsQuery, ScoreMode.COMPLETE_NO_SCORES, 1f);
+                final Weight preserveWeight = searcher.rewrite(dlsQuery).createWeight(searcher, ScoreMode.COMPLETE_NO_SCORES, 1f);
 
                 final int maxDoc = in.maxDoc();
                 final FixedBitSet bits = new FixedBitSet(maxDoc);
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsTest.java
@@ -35,6 +35,13 @@ protected void populateData(Client tc) {
             new IndexRequest("deals").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"amount\": 1500}", XContentType.JSON)
         ).actionGet();
 
+        tc.index(
+            new IndexRequest("terms").id("0").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"foo\": \"bar\"}", XContentType.JSON)
+        ).actionGet();
+        tc.index(
+            new IndexRequest("terms").id("1").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"foo\": \"baz\"}", XContentType.JSON)
+        ).actionGet();
+
         try {
             Thread.sleep(3000);
         } catch (InterruptedException e) {
@@ -44,6 +51,7 @@ protected void populateData(Client tc) {
         System.out.println("q");
         System.out.println(Strings.toString(XContentType.JSON, tc.search(new SearchRequest().indices(".opendistro_security")).actionGet()));
         tc.search(new SearchRequest().indices("deals")).actionGet();
+        tc.search(new SearchRequest().indices("terms")).actionGet();
     }
 
     @Test
@@ -250,6 +258,32 @@ public void testDls() throws Exception {
 
     }
 
+    @Test
+    public void testDlsWithTermsQuery() throws Exception {
+
+        setup();
+
+        HttpResponse res;
+
+        Assert.assertEquals(
+            HttpStatus.SC_OK,
+            (res = rh.executeGetRequest("/terms/_search?pretty", encodeBasicHeader("dept_manager", "password"))).getStatusCode()
+        );
+        Assert.assertEquals(res.getTextFromJsonBody("/hits/total/value"), "1");
+        Assert.assertEquals(res.getTextFromJsonBody("/_shards/failed"), "0");
+
+        Assert.assertEquals(
+            HttpStatus.SC_OK,
+            (res = rh.executeGetRequest("/terms/_doc/0", encodeBasicHeader("dept_manager", "password"))).getStatusCode()
+        );
+        Assert.assertEquals(res.getTextFromJsonBody("/_source/foo"), "bar");
+
+        Assert.assertEquals(
+            HttpStatus.SC_NOT_FOUND,
+            rh.executeGetRequest("/terms/_doc/1", encodeBasicHeader("dept_manager", "password")).getStatusCode()
+        );
+    }
+
     @Test
     public void testNonDls() throws Exception {
 
diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
@@ -43,6 +43,7 @@
 
 import javax.net.ssl.SSLContext;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.Header;
@@ -344,6 +345,22 @@ public boolean isJsonContentType() {
             return ct.contains("application/json");
         }
 
+        public String getTextFromJsonBody(String jsonPointer) {
+            return getJsonNodeAt(jsonPointer).asText();
+        }
+
+        private JsonNode getJsonNodeAt(String jsonPointer) {
+            try {
+                return toJsonNode().at(jsonPointer);
+            } catch (IOException e) {
+                throw new IllegalArgumentException("Cound not convert response body to JSON node ", e);
+            }
+        }
+
+        private JsonNode toJsonNode() throws JsonProcessingException, IOException {
+            return DefaultObjectMapper.objectMapper.readTree(getBody());
+        }
+
         public CloseableHttpResponse getInner() {
             return inner;
         }
diff --git a/src/test/resources/dlsfls/roles.yml b/src/test/resources/dlsfls/roles.yml
@@ -2482,3 +2482,12 @@ logs_index_with_dls:
       masked_fields: null
       allowed_actions:
         - "OPENDISTRO_SECURITY_READ"
+
+terms_index_with_dls:
+  index_permissions:
+    - index_patterns:
+        - "terms"
+      dls: "{ \"terms\": { \"foo\" : [\"bar\"] } }"
+      masked_fields: null
+      allowed_actions:
+        - "OPENDISTRO_SECURITY_READ"
diff --git a/src/test/resources/dlsfls/roles_mapping.yml b/src/test/resources/dlsfls/roles_mapping.yml
@@ -247,3 +247,7 @@ opendistro_security_mapped:
 logs_index_with_dls:
   users:
     - dept_manager
+
+terms_index_with_dls:
+  users:
+    - dept_manager
