Skip to content

Commit

Permalink
Addresses most of the PR feedback
Browse files Browse the repository at this point in the history
Signed-off-by: Darshit Chanpura <[email protected]>
  • Loading branch information
DarshitChanpura committed Sep 6, 2023
1 parent ffcf0b5 commit c2ab7e6
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog,
this.systemIndexMatcher = WildcardMatcher.from(
settings.getAsList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, ConfigConstants.SECURITY_SYSTEM_INDICES_DEFAULT)
);
this.protectedSystemIndexMatcher = WildcardMatcher.from(ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
this.protectedSystemIndexMatcher = WildcardMatcher.from(this.securityIndex);
this.isSystemIndexEnabled = settings.getAsBoolean(
ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY,
ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT
Expand Down Expand Up @@ -215,8 +215,10 @@ private boolean isActionAllowed(String action) {
* @param request the action request to be used for audit logging
* @param task task in which this access check will be performed
* @param presponse the pre-response object that will eventually become a response and returned to the requester
* @param isDebugEnabled flag to indicate whether debug logging is enabled
* @param securityRoles user's roles which will be used for access evaluation
* @param user this user's permissions will be looked up
* @param resolver the index expression resolver
* @param clusterService required to fetch cluster state metadata
*/
private void evaluateSystemIndicesAccess(
final String action,
Expand Down Expand Up @@ -289,10 +291,10 @@ private void evaluateSystemIndicesAccess(
presponse.allowed = false;
presponse.markComplete();
}
} else if (containsSystemIndex && !isSystemIndexPermissionEnabled) {
// if system index is enabled and system index permissions are enabled we don't need to perform any further
// checks as it has already been performed via isSystemIndexAccessProhibitedForUser

}
// if system index is enabled and system index permissions are enabled we don't need to perform any further
// checks as it has already been performed via hasExplicitIndexPermission
else if (containsSystemIndex && !isSystemIndexPermissionEnabled) {
if (filterSecurityIndex) {
Set<String> allWithoutSecurity = new HashSet<>(requestedResolved.getAllIndices());
allWithoutSecurity.remove(securityIndex);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1047,7 +1047,7 @@ public void testSecurityIndexSecurity() throws Exception {
);
Assert.assertEquals(HttpStatus.SC_FORBIDDEN, res.getStatusCode());
res = rh.executePostRequest(".opendistro_security/_freeze", "", encodeBasicHeader("nagilum", "nagilum"));
Assert.assertTrue(res.getStatusCode() >= 400);
Assert.assertEquals(400, res.getStatusCode());

String bulkBody = "{ \"index\" : { \"_index\" : \".opendistro_security\", \"_id\" : \"1\" } }\n"
+ "{ \"field1\" : \"value1\" }\n"
Expand Down

0 comments on commit c2ab7e6

Please sign in to comment.