Expand RoleV7 to include Resources

Signed-off-by: Stephen Crawford <[email protected]>

src/main/java/org/opensearch/security/privileges/ResourceAccessEvaluator.java

@@ -11,48 +11,31 @@
 
 package org.opensearch.security.privileges;
 
-import java.util.List;
-import java.util.Set;
-
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-
+import org.greenrobot.eventbus.Subscribe;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.action.ActionRequest;
-import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.common.transport.TransportAddress;
-import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.securityconf.ConfigModel;
 import org.opensearch.security.securityconf.SecurityRoles;
-import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.user.User;
-import org.opensearch.tasks.Task;
-import org.opensearch.threadpool.ThreadPool;
 
-import org.greenrobot.eventbus.Subscribe;
+import java.util.List;
+import java.util.Set;
 
 public class ResourceAccessEvaluator {
     protected final Logger log = LogManager.getLogger(this.getClass());
-    private final ClusterService clusterService;
-    private ThreadContext threadContext;
     private ConfigModel configModel;
 
-    public ResourceAccessEvaluator(final ClusterService clusterService, final ThreadPool threadPool) {
-        this.clusterService = clusterService;
-        this.threadContext = threadPool.getThreadContext();
-    }
+    public ResourceAccessEvaluator() {}
 
     @Subscribe
     public void onConfigModelChanged(final ConfigModel configModel) {
         this.configModel = configModel;
     }
 
-    SecurityRoles getSecurityRoles(final Set<String> roles) {
-        return configModel.getSecurityRoles().filter(roles);
-    }
-
     boolean isInitialized() {
         return configModel != null && configModel.getSecurityRoles() != null;
     }
@@ -68,20 +51,15 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request,
 
         final PrivilegesEvaluatorResponse presponse = new PrivilegesEvaluatorResponse();
 
-        final TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
-
-        final Set<String> mappedRoles = mapRoles(user, caller);
-
-        presponse.resolvedSecurityRoles.addAll(mappedRoles);
-
         final boolean isDebugEnabled = log.isDebugEnabled();
         if (isDebugEnabled) {
             log.debug("Evaluate permissions for {} on {}", user, clusterService.localNode().getName());
             log.debug("Action: {}", action);
-            log.debug("Mapped roles: {}", mappedRoles.toString());
+            log.debug("Resource: {}", request.getRequestedResources());
+            log.debug("Security roles: {}", securityRoles.toString());
         }
 
-        List<String> resourcesRequested = action.getRequestedResources();
+        List<String> resourcesRequested = request.getRequestedResources();
         if (resourcesRequested == null || resourcesRequested.isEmpty()) {
             presponse.allowed = true;
             return presponse;

src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java

@@ -63,6 +63,7 @@
 import org.opensearch.security.securityconf.impl.v7.RoleMappingsV7;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.securityconf.impl.v7.RoleV7.Index;
+import org.opensearch.security.securityconf.impl.v7.RoleV7.Resource;
 import org.opensearch.security.securityconf.impl.v7.TenantV7;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
@@ -179,6 +180,10 @@ public SecurityRole call() throws Exception {
 
                     }
 
+                    for (final Resource permittedResources : securityRole.getValue().getResource_permissions()) {
+                        _securityRole.addResourcePerms(permittedResources.getResource_patterns());
+                    }
+
                     return _securityRole.build();
                 }
             });
@@ -539,6 +544,13 @@ public Builder addClusterPerms(Collection<String> clusterPerms) {
                 return this;
             }
 
+            public Builder addResourcePerms(Collection<String> resourcePerms) {
+                if (resourcePerms != null) {
+                    this.resourcePerms.addAll(resourcePerms);
+                }
+                return this;
+            }
+
             public SecurityRole build() {
                 return new SecurityRole(name, ipatterns, WildcardMatcher.from(clusterPerms),  WildcardMatcher.from(resourcePerms));
             }
@@ -555,6 +567,11 @@ private boolean impliesClusterPermission(String action) {
             return clusterPerms.test(action);
         }
 
+        private boolean impliesResourcePermission(String action) {
+            return resourcePerms.test(action);
+        }
+
+
 
         // get indices which are permitted for the given types and actions
         // dnfof + opensearchDashboards special only

src/main/java/org/opensearch/security/securityconf/impl/v7/RoleV7.java

@@ -262,6 +262,7 @@ public List<String> getResource_patterns() {
         }
 
         public void setResource_patterns(List<String> resource_patterns) {
+            lastModifiedAt = new Date();
             this.resource_patterns = resource_patterns;
         }