From 51cff2f3e4ac35ec16f3f3ea80ec367ff5dc1e6c Mon Sep 17 00:00:00 2001
From: Jay Modi
Date: Fri, 10 Feb 2017 10:37:35 -0500
Subject: [PATCH] SecurityIndexSearcherWrapper should build a filter instead of a query (elastic/elasticsearch#4953)
The SecurityIndexSearcherWrapper was calling toQuery instead of toFilter, which in certain cases can trip the max clause count check for a boolean query. The same query works fine as a filter and that is what users would expect when using the query for document level security.
Original commit: elastic/x-pack-elasticsearch@40330636ec5f65fb8bdd4a03b4285618aef363fb
---
 .../authz/accesscontrol/SecurityIndexSearcherWrapper.java | 2 +-
 .../SecurityIndexSearcherWrapperIntegrationTests.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
index b002241d432..4a8be69b2a9 100644
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
@@ -140,7 +140,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
 QueryBuilder queryBuilder = queryShardContext.newParseContext(parser).parseInnerQueryBuilder();
 verifyRoleQuery(queryBuilder);
 failIfQueryUsesClient(scriptService, queryBuilder, queryShardContext);
- ParsedQuery parsedQuery = queryShardContext.toQuery(queryBuilder);
+ ParsedQuery parsedQuery = queryShardContext.toFilter(queryBuilder);
 filter.add(parsedQuery.query(), SHOULD);
 }
 }
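Review bot: The changed `ParsedQuery parsedQuery = queryShardContext.toFilter(queryBuilder);` line has no comment saying why filter context matters for document level security, so a later cleanup could switch it back to `toQuery` and reintroduce the failure. I would add above it `// Role queries only restrict which documents are visible and are never scored; build them with toFilter, because toQuery can trip the boolean max clause count check.` The only test change in this commit retargets a mock stub, so nothing visible here exercises a role query that would hit the clause limit; a regression test for that case would pin the fix. The enclosing method starts outside the hunk.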
diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperIntegrationTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperIntegrationTests.java
index 8fa93169f5d..a6ffe97209c 100644
--- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperIntegrationTests.java
+++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperIntegrationTests.java
@@ -146,7 +146,7 @@ public class SecurityIndexSearcherWrapperIntegrationTests extends ESTestCase {
 ParsedQuery parsedQuery = new ParsedQuery(new TermQuery(new Term("field", values[i])));
 when(queryShardContext.newParseContext(anyParser())).thenReturn(queryParseContext);
 when(queryParseContext.parseInnerQueryBuilder()).thenReturn(new TermQueryBuilder("field", values[i]));
- when(queryShardContext.toQuery(new TermsQueryBuilder("field", values[i]))).thenReturn(parsedQuery);
+ when(queryShardContext.toFilter(new TermsQueryBuilder("field", values[i]))).thenReturn(parsedQuery);
 DirectoryReader wrappedDirectoryReader = wrapper.wrap(directoryReader);
 IndexSearcher indexSearcher = wrapper.wrap(new IndexSearcher(wrappedDirectoryReader));
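Review bot: The stub on the changed line is keyed on `new TermsQueryBuilder("field", values[i])`, but the line above makes `parseInnerQueryBuilder()` return a `TermQueryBuilder`. Unless the two builders compare equal, this `toFilter` stub is never matched and the test does not pin the call the fix introduces. If the mismatch is unintended, stub with the same builder type, `when(queryShardContext.toFilter(new TermQueryBuilder("field", values[i]))).thenReturn(parsedQuery);`, and consider a `verify(queryShardContext).toFilter(...)` so that a regression back to `toQuery` fails the test. The mismatch predates this commit (the removed line has it too), and the test method continues outside the hunk.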