From 6f352260d6c7b147c21f7520712b5cf4ddf8ae39 Mon Sep 17 00:00:00 2001 From: Jay Modi Date: Fri, 14 Apr 2017 07:44:52 -0400 Subject: [PATCH] Fix resolution of indices names with both date math and wildcards (elastic/x-pack-elasticsearch#1067) When a index name pattern contains both date math and wildcards, the name resolution does not return the expected result. This change moves the date math resolution to before our attempts to match wildcards so that both can be used in the same pattern. relates elastic/x-pack-elasticsearch#1065 Original commit: elastic/x-pack-elasticsearch@9f48b42fad1965f72ad42840fbfe047f1fad81ba --- .../authz/IndicesAndAliasesResolver.java | 57 ++++++++++--------- .../authz/IndicesAndAliasesResolverTests.java | 7 ++- 2 files changed, 35 insertions(+), 29 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java index ab83209117d..5294281da97 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java @@ -246,6 +246,26 @@ public class IndicesAndAliasesResolver { aliasOrIndex = index; } + // we always need to check for date math expressions + final String dateMathName = nameExpressionResolver.resolveDateMathExpression(aliasOrIndex); + if (dateMathName != aliasOrIndex) { + assert dateMathName.equals(aliasOrIndex) == false; + if (replaceWildcards && Regex.isSimpleMatchPattern(dateMathName)) { + // continue + aliasOrIndex = dateMathName; + } else if (authorizedIndices.contains(dateMathName) && isIndexVisible(dateMathName, indicesOptions, metaData, true)) { + if (minus) { + finalIndices.remove(dateMathName); + } else { + finalIndices.add(dateMathName); + } + } else { + if (indicesOptions.ignoreUnavailable() == false) { + throw new IndexNotFoundException(dateMathName); + } + } + } + if (replaceWildcards && Regex.isSimpleMatchPattern(aliasOrIndex)) { wildcardSeen = true; Set resolvedIndices = new HashSet<>(); @@ -266,34 +286,19 @@ public class IndicesAndAliasesResolver { finalIndices.addAll(resolvedIndices); } } - } else { - // we always need to check for date math expressions - String dateMathName = nameExpressionResolver.resolveDateMathExpression(aliasOrIndex); - // we can use != here to compare strings since the name expression resolver returns the same instance, but add an assert + } else if (dateMathName == aliasOrIndex) { + // we can use == here to compare strings since the name expression resolver returns the same instance, but add an assert // to ensure we catch this if it changes - if (dateMathName != aliasOrIndex) { - assert dateMathName.equals(aliasOrIndex) == false; - if (authorizedIndices.contains(dateMathName) && isIndexVisible(dateMathName, indicesOptions, metaData, true)) { - if (minus) { - finalIndices.remove(dateMathName); - } else { - finalIndices.add(dateMathName); - } - } else { - if (indicesOptions.ignoreUnavailable() == false) { - throw new IndexNotFoundException(dateMathName); - } - } + + assert dateMathName.equals(aliasOrIndex); + //MetaData#convertFromWildcards checks if the index exists here and throws IndexNotFoundException if not (based on + // ignore_unavailable). We only add/remove the index: if the index is missing or the current user is not authorized + // to access it either an AuthorizationException will be thrown later in AuthorizationService, or the index will be + // removed from the list, based on the ignore_unavailable option. + if (minus) { + finalIndices.remove(aliasOrIndex); } else { - //MetaData#convertFromWildcards checks if the index exists here and throws IndexNotFoundException if not (based on - // ignore_unavailable). We only add/remove the index: if the index is missing or the current user is not authorized - // to access it either an AuthorizationException will be thrown later in AuthorizationService, or the index will be - // removed from the list, based on the ignore_unavailable option. - if (minus) { - finalIndices.remove(aliasOrIndex); - } else { - finalIndices.add(aliasOrIndex); - } + finalIndices.add(aliasOrIndex); } } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java index 02c03795bf6..f43bd64120f 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java @@ -1109,18 +1109,19 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { public void testResolveDateMathExpression() { // make the user authorized - String dateTimeIndex = indexNameExpressionResolver.resolveDateMathExpression(""); + final String pattern = randomBoolean() ? ""); + SearchRequest request = new SearchRequest(pattern); if (randomBoolean()) { request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), randomBoolean(), randomBoolean())); } Set indices = defaultIndicesResolver.resolve(request, metaData, buildAuthorizedIndices(user, SearchAction.NAME)); assertThat(indices.size(), equalTo(1)); - assertThat(request.indices()[0], equalTo(indexNameExpressionResolver.resolveDateMathExpression(""))); + assertThat(request.indices()[0], equalTo(indexNameExpressionResolver.resolveDateMathExpression(pattern))); } public void testMissingDateMathExpressionIgnoreUnavailable() {