From 25959ed8cfc9af9ecd4b47d67ac8d50df9e5b901 Mon Sep 17 00:00:00 2001
From: Martijn van Groningen
Date: Tue, 22 May 2018 13:53:34 +0200
Subject: [PATCH] [Security] Include an empty json object in an json array when FLS filters out all fields (#30709)
Prior to this change an json array element with no fields would be omitted from json array. Nested inner hits source filtering relies on the fact that the json array element numbering remains untouched and this causes AOOB exceptions in the ES side during the fetch phase without this change.
Closes #30624
---
 .../authz/accesscontrol/FieldSubsetReader.java | 4 +---
 .../accesscontrol/FieldSubsetReaderTests.java | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
index 5779924bb27..8559ab0703b 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
@@ -193,9 +193,7 @@ public final class FieldSubsetReader extends FilterLeafReader {
 continue;
 }
 Map filteredValue = filter((Map)value, includeAutomaton, state);
- if (filteredValue.isEmpty() == false) {
- filtered.add(filteredValue);
- }
+ filtered.add(filteredValue);
 } else if (value instanceof Iterable) {
 List filteredValue = filter((Iterable) value, includeAutomaton, initialState);
 if (filteredValue.isEmpty() == false) {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
index 4c74e7f5d90..e71b0e5e8bd 100644
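Review bot: The now-unconditional `filtered.add(filteredValue);` carries no comment saying why empty maps are kept, while the `Iterable` branch directly below still guards with `isEmpty() == false`, so the asymmetry reads like an oversight that a later cleanup could revert. I would add above it `// keep empty objects: nested inner hits source filtering relies on array element positions staying unchanged`. Two things are worth confirming: the Iterable branch still drops a nested list that filters to empty, which would shift positions in the same way for arrays of arrays, and a caller restricted by FLS now receives `{}` placeholders, so the number and position of array elements is visible even when every field in them is hidden. That looks like an accepted trade-off, but it belongs in the field-level security documentation. The enclosing filter method starts and ends outside this hunk.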
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
@@ -716,6 +716,22 @@ public class FieldSubsetReaderTests extends ESTestCase {
 expected.put("foo", subArray);
 assertEquals(expected, filtered);
+
+ // json array objects that have no matching fields should be left empty instead of being removed:
+ // (otherwise nested inner hit source filtering fails with AOOB)
+ map = new HashMap<>();
+ map.put("foo", "value");
+ List> values = new ArrayList<>();
+ values.add(Collections.singletonMap("foo", "1"));
+ values.add(Collections.singletonMap("baz", "2"));
+ map.put("bar", values);
+
+ include = new CharacterRunAutomaton(Automatons.patterns("bar.baz"));
+ filtered = FieldSubsetReader.filter(map, include, 0);
+
+ expected = new HashMap<>();
+ expected.put("bar", Arrays.asList(new HashMap<>(), Collections.singletonMap("baz", "2")));
+ assertEquals(expected, filtered);
 }
 /**
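Review bot: The added case only covers an array in which one element is emptied and another survives; it does not pin what happens when every element filters to empty, which is the case whose result changes most with this commit. With an include such as `Automatons.patterns("bar.qux")` the inner list is now presumably `[{}, {}]` rather than empty, so whether `bar` appears in the filtered source at all depends on code outside this diff. I would add a second block for that pattern with an explicit `assertEquals(expected, filtered);`, so the intended shape, and what it reveals to an FLS-restricted user, is fixed by a test rather than left implicit. The test method starts outside the hunk.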