peternied · peternied · Dec 13, 2023 · Dec 19, 2023 · Dec 19, 2023 · Dec 20, 2023
@@ -0,0 +1,105 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+
+package org.opensearch.security.http;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.client.Client;
+import org.opensearch.test.framework.RolesMapping;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.apache.http.HttpStatus.SC_CREATED;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
+import static org.opensearch.security.Song.SONGS;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class ViewsTests {
+    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").backendRoles("admin");
+    private static final TestSecurityConfig.User VIEW_USER = new TestSecurityConfig.User("view_user").roles(new TestSecurityConfig.Role("see views").clusterPermissions("cluster:views:search").resourcePermissions("view_id", "songs"));
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().singleNode()
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .users(ADMIN_USER, VIEW_USER)
+        .rolesMapping(new RolesMapping(ALL_ACCESS).backendRoles("admin"))
+        .build();
+
+    @BeforeClass
+    public static void createTestData() {
+        try (final Client client = cluster.getInternalNodeClient()) {
+            final var doc1 = client.prepareIndex("songs-2022").setRefreshPolicy(IMMEDIATE).setSource(SONGS[0].asMap()).get();
+            final var doc2 = client.prepareIndex("songs-2023").setRefreshPolicy(IMMEDIATE).setSource(SONGS[1].asMap()).get();
+        }
+    }
+
+    @Test
+    public void createView() {
+        try (
+            final TestRestClient adminClient = cluster.getRestClient(ADMIN_USER);
+            final TestRestClient viewClient = cluster.getRestClient(VIEW_USER)
+        ) {
+
+            final HttpResponse getAllViews = adminClient.get("views");
+            assertThat("No views have been created yet", getAllViews.getIntFromJsonBody("/views/count"), equalTo(0));
+
+            final HttpResponse createView = adminClient.postJson("views", createViewBody());
+            createView.assertStatusCode(SC_CREATED);
+
+            final HttpResponse search = adminClient.postJson("songs-*/_search", createQueryString());
+
+            final HttpResponse searchView = adminClient.postJson("views/songs/_search", createQueryString());
+            assertThat("Search response was:\r\n" + searchView.getBody(), searchView.getIntFromJsonBody("/hits/total/value"), equalTo(2));
+
+            final HttpResponse searchViewAsUser = viewClient.postJson("views/songs/_search", createQueryString());
+            assertThat("Search response was:\r\n" + searchViewAsUser.getBody(), searchViewAsUser.getIntFromJsonBody("/hits/total/value"), equalTo(2));
+        }
+    }
+
+    private String createQueryString() {
+        return "{\n"
+            + "    \"query\": {\n"
+            + "        \"match_all\": {}\n"
+            + "    },\n"
+            + "    \"sort\": {\n"
+            + "        \"title.keyword\": {\n"
+            + "            \"order\": \"asc\"\n"
+            + "        }\n"
+            + "    }\n"
+            + "}";
+    }
+
+    private String createViewBody() {
+        return "{\n"
+            + "    \"name\": \"songs\",\n"
+            + "    \"description\": \"like imdb but smaller for songs\",\n"
+            + "    \"targets\": [\n"
+            + "        {\n"
+            + "            \"indexPattern\": \"songs-2022\"\n"
+            + "        },\n"
+            + "        {\n"
+            + "            \"indexPattern\": \"songs-2023\"\n"
+            + "        }\n"
+            + "    ]\n"
+            + "}";
+    }
+}
@@ -336,12 +336,13 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
     }
 
     public static class Role implements ToXContentObject {
-        public static Role ALL_ACCESS = new Role("all_access").clusterPermissions("*").indexPermissions("*").on("*");
+        public static Role ALL_ACCESS = new Role("all_access").clusterPermissions("*").indexPermissions("*").on("*").resourcePermissions("*", "*");
 
         private String name;
         private List<String> clusterPermissions = new ArrayList<>();
 
         private List<IndexPermission> indexPermissions = new ArrayList<>();
+        private List<ResourcePermission> resourcePermissions = new ArrayList<>();
 
         public Role(String name) {
             this.name = name;
@@ -356,6 +357,11 @@ public IndexPermission indexPermissions(String... indexPermissions) {
             return new IndexPermission(this, indexPermissions);
         }
 
+        public Role resourcePermissions(final String resourceType, final String... resourceIds) {
+            resourcePermissions.add(new ResourcePermission(resourceType).resourceIds(resourceIds));
+            return this;
+        }
+
         public Role name(String name) {
             this.name = name;
             return this;
@@ -369,6 +375,7 @@ public Role clone() {
             Role role = new Role(this.name);
             role.clusterPermissions.addAll(this.clusterPermissions);
             role.indexPermissions.addAll(this.indexPermissions);
+            role.resourcePermissions.addAll(this.resourcePermissions);
             return role;
         }
 
@@ -384,6 +391,10 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
                 xContentBuilder.field("index_permissions", indexPermissions);
             }
 
+            if (!resourcePermissions.isEmpty()) {
+                xContentBuilder.field("resource_permissions", resourcePermissions);
+            }
+
             xContentBuilder.endObject();
             return xContentBuilder;
         }
@@ -453,6 +464,31 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
         }
     }
 
+    public static class ResourcePermission implements ToXContentObject {
+        private String resourceType;
+        private List<String> resourceIds;
+
+        ResourcePermission(final String resourceType) {
+            this.resourceType = resourceType;
+        }
+
+        public ResourcePermission resourceIds(final String... resourceIds) {
+            this.resourceIds = Arrays.asList(resourceIds);
+            return this;
+        }
+
+        @Override
+        public XContentBuilder toXContent(final XContentBuilder xContentBuilder, final Params params) throws IOException {
+            xContentBuilder.startObject();
+
+            xContentBuilder.field("resource_type", resourceType);
+            xContentBuilder.field("resource_ids", resourceIds);
+
+            xContentBuilder.endObject();
+            return xContentBuilder;
+        }
+    }
+
     public static class AuthcDomain implements ToXContentObject {
 
         private static String PUBLIC_KEY =

@@ -45,3 +45,8 @@ logger.ldap.name=com.amazon.dlic.auth.ldap.backend
 logger.ldap.level=TRACE
 logger.backendreg.additivity = false
 logger.ldap.appenderRef.capturing.ref = logCapturingAppender
+
+logger.pe.name = org.opensearch.security.privileges
+logger.pe.level=DEBUG
+logger.backendreg.additivity = true
+logger.pe.appenderRef.capturing.ref = logCapturingAppender
@@ -35,6 +35,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.StringJoiner;
+import java.util.stream.Collectors;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
@@ -68,6 +69,7 @@
 import org.opensearch.action.search.SearchAction;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchScrollAction;
+import org.opensearch.action.search.ViewSearchRequest;
 import org.opensearch.action.support.IndicesOptions;
 import org.opensearch.action.termvectors.MultiTermVectorsAction;
 import org.opensearch.action.update.UpdateAction;
@@ -278,6 +280,37 @@ public PrivilegesEvaluatorResponse evaluate(
             log.debug("Mapped roles: {}", mappedRoles.toString());
         }
 
+        if (request instanceof org.opensearch.action.ResourceRequest) {
+
+            final var resourceRequest = (org.opensearch.action.ResourceRequest) request;
+            final var resources = resourceRequest.getResourceTypeAndIds();
+
+            final var deniedResources = resources
+                .entrySet()
+                .stream()
+                .filter(entry -> !securityRoles.hasResourcePermission(entry.getKey(), entry.getValue()))
+                .map(entry -> "resource type: " + entry.getKey() + ", id: " + entry.getValue())
+                .collect(Collectors.toList());
+
+
+            if (!deniedResources.isEmpty()) {
+                presponse.missingPrivileges.addAll(deniedResources);
+                presponse.allowed = false;
+                log.info(
+                    "No perm match for {} [Action [{}]] [RolesChecked {}]. No permissions for {}",
+                    user,
+                    action0,
+                    securityRoles.getRoleNames(),
+                    presponse.missingPrivileges
+                );                
+            } else {
+                presponse.allowed = true;
+            }
+
+            log.debug("ViewSearchRequests are authorized at the rest layer");
+            return presponse;
+        }
+
         if (request instanceof BulkRequest && (Strings.isNullOrEmpty(user.getRequestedTenant()))) {
             // Shortcut for bulk actions. The details are checked on the lower level of the BulkShardRequests (Action
             // indices:data/write/bulk[s]).

@@ -542,6 +542,12 @@ public boolean impliesTypePermGlobal(
             roles.stream().forEach(p -> ipatterns.addAll(p.getIpatterns()));
             return ConfigModelV6.impliesTypePerm(ipatterns, resolved, user, actions, resolver, cs);
         }
+
+        @Override
+        public boolean hasResourcePermission(String resourceType, String resourceId) {
+            /** Not supported */
+            return false;
+        }
     }
 
     public static class SecurityRole {

@@ -26,6 +26,7 @@
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.concurrent.Callable;
@@ -217,6 +218,14 @@ public SecurityRole call() throws Exception {
                     final Set<String> permittedClusterActions = agr.resolvedActions(securityRole.getValue().getCluster_permissions());
                     _securityRole.addClusterPerms(permittedClusterActions);
 
+                    final Set<ResourcePermission> resourcePermissions = new HashSet<>();
+                    for (final RoleV7.ResourcePermission rp : securityRole.getValue().getResource_permissions()) {
+                        final String resourceType = rp.getResource_type();
+                        final List<String> resourceIds = rp.getResource_ids();
+                        resourcePermissions.add(new ResourcePermission(resourceType, resourceIds));
+                    }
+                    _securityRole.addResourcePermissions(resourcePermissions);
+
                     /*for(RoleV7.Tenant tenant: securityRole.getValue().getTenant_permissions()) {
 
                         //if(tenant.equals(user.getName())) {
@@ -563,17 +572,31 @@ private boolean containsDlsFlsConfig() {
 
             return false;
         }
+
+        @Override
+        public boolean hasResourcePermission(final String resourceType, final String resourceId) {
+            for (final SecurityRole role : roles) {
+                final ResourcePermission resourcePermission = Optional.ofNullable(role.resourcePermissions.get(resourceType))
+                    .orElseGet(() -> role.resourcePermissions.get("*"));
+                if (resourcePermission != null && (resourcePermission.permmittedResourceIds.contains(resourceId) || resourcePermission.permmittedResourceIds.contains("*"))) {
+                    return true;
+                }
+            }
+            return false;
+        }
     }
 
     public static class SecurityRole {
         private final String name;
         private final Set<IndexPattern> ipatterns;
         private final WildcardMatcher clusterPerms;
+        private final Map<String, ResourcePermission> resourcePermissions; 
 
         public static final class Builder {
             private final String name;
             private final Set<String> clusterPerms = new HashSet<>();
             private final Set<IndexPattern> ipatterns = new HashSet<>();
+            private final Set<ResourcePermission> resourcePermissions = new HashSet<>(); 
 
             public Builder(String name) {
                 this.name = Objects.requireNonNull(name);
@@ -591,15 +614,24 @@ public Builder addClusterPerms(Collection<String> clusterPerms) {
                 return this;
             }
 
+            public Builder addResourcePermissions(final Set<ResourcePermission> resourcePermissions) {
+                if (resourcePermissions != null) {
+                    this.resourcePermissions.addAll(resourcePermissions);
+                }
+                return this;
+            }
+
             public SecurityRole build() {
-                return new SecurityRole(name, ipatterns, WildcardMatcher.from(clusterPerms));
+                var resourcePermissionMap = this.resourcePermissions.stream().collect(Collectors.toMap(ResourcePermission::getResourceType, Function.identity()));
+                return new SecurityRole(name, ipatterns, WildcardMatcher.from(clusterPerms), resourcePermissionMap);
             }
         }
 
-        private SecurityRole(String name, Set<IndexPattern> ipatterns, WildcardMatcher clusterPerms) {
+        private SecurityRole(String name, Set<IndexPattern> ipatterns, WildcardMatcher clusterPerms, Map<String, ResourcePermission> resourcePermission) {
             this.name = Objects.requireNonNull(name);
             this.ipatterns = ipatterns;
             this.clusterPerms = clusterPerms;
+            this.resourcePermissions = resourcePermission;
         }
 
         private boolean impliesClusterPermission(String action) {
@@ -703,7 +735,10 @@ public String toString() {
                 + ipatterns
                 + System.lineSeparator()
                 + "    clusterPerms="
-                + clusterPerms;
+                + clusterPerms
+                + System.lineSeparator()
+                + "    resourcePermissions="
+                + resourcePermissions;
         }
 
         // public Set<Tenant> getTenants(User user) {
@@ -721,6 +756,33 @@ public String getName() {
 
     }
 
+    public static class ResourcePermission {
+        private final String resourceType;
+        private final Set<String> permmittedResourceIds;
+        public ResourcePermission(final String resourceType, final List<String> resourceIds) {
+            this.resourceType = resourceType;
+            this.permmittedResourceIds = new HashSet<>(resourceIds); 
+        }
+
+        public String getResourceType() {
+            return resourceType;
+        }
+
+        public Set<String> getPermittedResourceIds() {
+            return permmittedResourceIds;
+        }
+
+        @Override
+        public String toString() {
+            return System.lineSeparator()
+                + "        resourceType="
+                + resourceType
+                + System.lineSeparator()
+                + "        permmittedResourceIds="
+                + permmittedResourceIds;
+        }
+    }
+
     // sg roles
     public static class IndexPattern {
         private final String indexPattern;

@@ -96,4 +96,6 @@ Set<String> getAllPermittedIndicesForDashboards(
     );
 
     SecurityRoles filter(Set<String> roles);
+
+    boolean hasResourcePermission(final String resourceType, final String resourceId);
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -96,4 +96,6 @@ Set<String> getAllPermittedIndicesForDashboards( @@
         );
         SecurityRoles filter(Set<String> roles);
+        boolean hasResourcePermission(final String resourceType, final String resourceId);
     }