Simplify FieldAndDocumentLevelSecurityRequestInterceptor

FieldAndDocumentLevelSecurityRequestInterceptor really support intercepting only subclasses of IndicesRequests, we shouldn't have logic that is never used around intercepting CompositeIndicesRequest. Also we can guarantee at compile time, using generics, that only supported subclasses are intercepted through it, no need to verify that at runtime. Original commit: elastic/x-pack-elasticsearch@6ab6e2d50e
2016-10-05 14:24:40 +02:00 · 2016-10-05 14:24:40 +02:00 · 3dbea2f4c2
parent 4bb6e856f3
commit 3dbea2f4c2
1 changed files with 14 additions and 31 deletions
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
@ -5,25 +5,20 @@
 */
 package org.elasticsearch.xpack.security.action.interceptor;

-import org.elasticsearch.action.CompositeIndicesRequest;
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.common.component.AbstractComponent;
-import org.elasticsearch.common.logging.LoggerMessageFormat;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.xpack.security.user.User;
 import org.elasticsearch.xpack.security.authz.AuthorizationService;
 import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
-
-import java.util.Collections;
-import java.util.List;
+import org.elasticsearch.xpack.security.user.User;

 /**
 * Base class for interceptors that disables features when field level security is configured for indices a request
 * is going to execute on.
 */
-abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends AbstractComponent implements
+abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request extends IndicesRequest> extends AbstractComponent implements
        RequestInterceptor<Request> {

    private final ThreadContext threadContext;
@ -40,35 +35,23 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends
        if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
            return;
        }
-
-        List<? extends IndicesRequest> indicesRequests;
-        if (request instanceof CompositeIndicesRequest) {
-            indicesRequests = ((CompositeIndicesRequest) request).subRequests();
-        } else if (request instanceof IndicesRequest) {
-            indicesRequests = Collections.singletonList((IndicesRequest) request);
-        } else {
-            throw new IllegalArgumentException(LoggerMessageFormat.format("expected a request of type [{}] or [{}] but got [{}] instead",
-                    CompositeIndicesRequest.class, IndicesRequest.class, request.getClass()));
-        }
        IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY);
-        for (IndicesRequest indicesRequest : indicesRequests) {
-            for (String index : indicesRequest.indices()) {
-                IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
-                if (indexAccessControl != null) {
-                    boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
-                    boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
+        for (String index : request.indices()) {
+            IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
+            if (indexAccessControl != null) {
+                boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
+                boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
+                if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
                    if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
-                        if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
-                            logger.trace("intercepted request for index [{}] with field level access controls [{}] document level access " +
-                                    "controls [{}]. disabling conflicting features", index, fieldLevelSecurityEnabled,
-                                    documentLevelSecurityEnabled);
-                        }
-                        disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
-                        return;
+                        logger.trace("intercepted request for index [{}] with field level access controls [{}] document level access " +
+                                        "controls [{}]. disabling conflicting features", index, fieldLevelSecurityEnabled,
+                                documentLevelSecurityEnabled);
                    }
+                    disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
+                    return;
                }
-                logger.trace("intercepted request for index [{}] without field or document level access controls", index);
            }
+            logger.trace("intercepted request for index [{}] without field or document level access controls", index);
        }
    }