shield: Also prohibit update requests inside bulk requests if FLS is enabled.

We do this already for update requests, but this was forgotten to be checked for bulk requests. Original commit: elastic/x-pack-elasticsearch@8d864a7c98
2025-03-09 14:34:43 +00:00 · 2015-11-12 12:35:43 +07:00 · 2015-11-12 12:35:43 +07:00 · 6e482d1a3d
commit 6e482d1a3d
parent 6ef51d5dc0
3 changed files with 62 additions and 4 deletions
--- a/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java
+++ b/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java
@ -7,10 +7,7 @@ package org.elasticsearch.shield.action;

 import org.elasticsearch.common.inject.multibindings.Multibinder;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.shield.action.interceptor.RealtimeRequestInterceptor;
-import org.elasticsearch.shield.action.interceptor.RequestInterceptor;
-import org.elasticsearch.shield.action.interceptor.SearchRequestInterceptor;
-import org.elasticsearch.shield.action.interceptor.UpdateRequestInterceptor;
+import org.elasticsearch.shield.action.interceptor.*;
 import org.elasticsearch.shield.support.AbstractShieldModule;

 public class ShieldActionModule extends AbstractShieldModule.Node {
@ -29,5 +26,6 @@ public class ShieldActionModule extends AbstractShieldModule.Node {
        multibinder.addBinding().to(RealtimeRequestInterceptor.class);
        multibinder.addBinding().to(SearchRequestInterceptor.class);
        multibinder.addBinding().to(UpdateRequestInterceptor.class);
+        multibinder.addBinding().to(BulkRequestInterceptor.class);
    }
 }
--- a/shield/src/main/java/org/elasticsearch/shield/action/interceptor/BulkRequestInterceptor.java
+++ b/shield/src/main/java/org/elasticsearch/shield/action/interceptor/BulkRequestInterceptor.java
@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.shield.action.interceptor;
+
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.bulk.BulkRequest;
+import org.elasticsearch.action.update.UpdateRequest;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.transport.TransportRequest;
+
+/**
+ * Simular to {@link UpdateRequestInterceptor}, but checks if there are update requests embedded in a bulk request.
+ */
+public class BulkRequestInterceptor extends FieldSecurityRequestInterceptor<BulkRequest> {
+
+    @Inject
+    public BulkRequestInterceptor(Settings settings) {
+        super(settings);
+    }
+
+    @Override
+    protected void disableFeatures(BulkRequest bulkRequest) {
+        for (ActionRequest actionRequest : bulkRequest.requests()) {
+            if (actionRequest instanceof UpdateRequest) {
+                throw new ElasticsearchSecurityException("Can't execute an bulk request with update requests embedded if field level security is enabled", RestStatus.BAD_REQUEST);
+            }
+        }
+    }
+
+    @Override
+    public boolean supports(TransportRequest request) {
+        return request instanceof BulkRequest;
+    }
+}
--- a/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@ -15,6 +15,7 @@ import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.termvectors.MultiTermVectorsResponse;
 import org.elasticsearch.action.termvectors.TermVectorsRequest;
 import org.elasticsearch.action.termvectors.TermVectorsResponse;
+import org.elasticsearch.action.update.UpdateRequest;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.indices.cache.request.IndicesRequestCache;
@ -764,6 +765,25 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
        client().prepareUpdate("test", "type", "1").setDoc("field2", "value2")
                .get();
        assertThat(client().prepareGet("test", "type", "1").get().getSource().get("field2").toString(), equalTo("value2"));
+
+        // With field level security enabled the update in bulk is not allowed:
+        try {
+            client().prepareBulk()
+                    .putHeader(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD))
+                    .add(new UpdateRequest("test", "type", "1").doc("field2", "value3"))
+                    .get();
+            fail("failed, because bulk request with updates shouldn't be allowed if field level security is enabled");
+        } catch (ElasticsearchSecurityException e) {
+            assertThat(e.status(), equalTo(RestStatus.BAD_REQUEST));
+            assertThat(e.getMessage(), equalTo("Can't execute an bulk request with update requests embedded if field level security is enabled"));
+        }
+        assertThat(client().prepareGet("test", "type", "1").get().getSource().get("field2").toString(), equalTo("value2"));
+
+        // With no field level security enabled the update in bulk is allowed:
+        client().prepareBulk()
+                .add(new UpdateRequest("test", "type", "1").doc("field2", "value3"))
+                .get();
+        assertThat(client().prepareGet("test", "type", "1").get().getSource().get("field2").toString(), equalTo("value3"));
    }

    public void testQuery_withRoleWithFieldWildcards() throws Exception {