Skip to content

Commit

Permalink
Extracted the user attr handling methods from ConfigModelV7 into its …
Browse files Browse the repository at this point in the history
…own class (opensearch-project#4416)

Signed-off-by: Nils Bandener <[email protected]>
  • Loading branch information
nibix authored Jun 10, 2024
1 parent 20c524a commit 00c31e9
Show file tree
Hide file tree
Showing 2 changed files with 73 additions and 48 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/
package org.opensearch.security.privileges;

import java.util.Map;
import java.util.Set;

import com.google.common.base.Joiner;
import com.google.common.collect.Iterables;

import org.opensearch.security.user.User;

/**
* Support for interpolating user attributes used in index patterns and DLS queries.
*
* This code was moved over from ConfigModelV7.
*/
public class UserAttributes {
public static String replaceProperties(String orig, User user) {

if (user == null || orig == null) {
return orig;
}

orig = orig.replace("${user.name}", user.getName()).replace("${user_name}", user.getName());
orig = replaceRoles(orig, user);
orig = replaceSecurityRoles(orig, user);
for (Map.Entry<String, String> entry : user.getCustomAttributesMap().entrySet()) {
if (entry == null || entry.getKey() == null || entry.getValue() == null) {
continue;
}
orig = orig.replace("${" + entry.getKey() + "}", entry.getValue());
orig = orig.replace("${" + entry.getKey().replace('.', '_') + "}", entry.getValue());
}
return orig;
}

private static String replaceRoles(final String orig, final User user) {
String retVal = orig;
if (orig.contains("${user.roles}") || orig.contains("${user_roles}")) {
final String commaSeparatedRoles = toQuotedCommaSeparatedString(user.getRoles());
retVal = orig.replace("${user.roles}", commaSeparatedRoles).replace("${user_roles}", commaSeparatedRoles);
}
return retVal;
}

private static String replaceSecurityRoles(final String orig, final User user) {
String retVal = orig;
if (orig.contains("${user.securityRoles}") || orig.contains("${user_securityRoles}")) {
final String commaSeparatedRoles = toQuotedCommaSeparatedString(user.getSecurityRoles());
retVal = orig.replace("${user.securityRoles}", commaSeparatedRoles).replace("${user_securityRoles}", commaSeparatedRoles);
}
return retVal;
}

private static String toQuotedCommaSeparatedString(final Set<String> roles) {
return Joiner.on(',').join(Iterables.transform(roles, s -> {
return new StringBuilder(s.length() + 2).append('"').append(s).append('"').toString();
}));
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -38,10 +38,8 @@
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import com.google.common.base.Joiner;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.ListMultimap;
import com.google.common.collect.MultimapBuilder.SetMultimapBuilder;
import com.google.common.collect.SetMultimap;
Expand All @@ -58,6 +56,7 @@
import org.opensearch.common.util.set.Sets;
import org.opensearch.core.common.transport.TransportAddress;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.security.privileges.UserAttributes;
import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
import org.opensearch.security.securityconf.impl.v7.ActionGroupsV7;
Expand Down Expand Up @@ -833,7 +832,7 @@ public String toString() {
}

public String getUnresolvedIndexPattern(User user) {
return replaceProperties(indexPattern, user);
return UserAttributes.replaceProperties(indexPattern, user);
}

/** Finds the indices accessible to the user and resolves them to concrete names */
Expand Down Expand Up @@ -895,7 +894,7 @@ public Set<String> getResolvedIndexPattern(
}

public String getDlsQuery(User user) {
return replaceProperties(dlsQuery, user);
return UserAttributes.replaceProperties(dlsQuery, user);
}

public boolean hasDlsQuery() {
Expand Down Expand Up @@ -1040,49 +1039,6 @@ public String toString() {
}
}

private static String replaceProperties(String orig, User user) {

if (user == null || orig == null) {
return orig;
}

orig = orig.replace("${user.name}", user.getName()).replace("${user_name}", user.getName());
orig = replaceRoles(orig, user);
orig = replaceSecurityRoles(orig, user);
for (Entry<String, String> entry : user.getCustomAttributesMap().entrySet()) {
if (entry == null || entry.getKey() == null || entry.getValue() == null) {
continue;
}
orig = orig.replace("${" + entry.getKey() + "}", entry.getValue());
orig = orig.replace("${" + entry.getKey().replace('.', '_') + "}", entry.getValue());
}
return orig;
}

private static String replaceRoles(final String orig, final User user) {
String retVal = orig;
if (orig.contains("${user.roles}") || orig.contains("${user_roles}")) {
final String commaSeparatedRoles = toQuotedCommaSeparatedString(user.getRoles());
retVal = orig.replace("${user.roles}", commaSeparatedRoles).replace("${user_roles}", commaSeparatedRoles);
}
return retVal;
}

private static String replaceSecurityRoles(final String orig, final User user) {
String retVal = orig;
if (orig.contains("${user.securityRoles}") || orig.contains("${user_securityRoles}")) {
final String commaSeparatedRoles = toQuotedCommaSeparatedString(user.getSecurityRoles());
retVal = orig.replace("${user.securityRoles}", commaSeparatedRoles).replace("${user_securityRoles}", commaSeparatedRoles);
}
return retVal;
}

private static String toQuotedCommaSeparatedString(final Set<String> roles) {
return Joiner.on(',').join(Iterables.transform(roles, s -> {
return new StringBuilder(s.length() + 2).append('"').append(s).append('"').toString();
}));
}

private static final class IndexMatcherAndPermissions {
private WildcardMatcher matcher;
private WildcardMatcher perms;
Expand Down Expand Up @@ -1235,7 +1191,7 @@ public Map<String, Boolean> mapTenants(final User user, Set<String> roles) {
// replaceProperties for tenant name because
// at this point e.getValue().v1() can be in this form : "${attr.[internal|jwt|proxy|ldap].*}"
// let's substitute it with the eventual value of the user's attribute
final String tenant = replaceProperties(e.getValue().v1(), user);
final String tenant = UserAttributes.replaceProperties(e.getValue().v1(), user);
final boolean rw = e.getValue().v2();

if (rw || !result.containsKey(tenant)) { // RW outperforms RO
Expand Down

0 comments on commit 00c31e9

Please sign in to comment.