Add validation for empty PutPrivilegeRequest (#37569)

Return an error to the user if the put privilege api is called with an empty body (no privileges) Resolves: #37561
2019-01-18 17:06:40 +02:00 · 2019-01-18 17:06:40 +02:00 · 7597b7ce2b
parent ed297b7369
commit 7597b7ce2b
2 changed files with 31 additions and 24 deletions
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequest.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequest.java
@ -39,34 +39,38 @@ public final class PutPrivilegesRequest extends ActionRequest implements Applica
    @Override
    public ActionRequestValidationException validate() {
        ActionRequestValidationException validationException = null;
-        for (ApplicationPrivilegeDescriptor privilege : privileges) {
-            try {
-                ApplicationPrivilege.validateApplicationName(privilege.getApplication());
-            } catch (IllegalArgumentException e) {
-                validationException = addValidationError(e.getMessage(), validationException);
-            }
-            try {
-                ApplicationPrivilege.validatePrivilegeName(privilege.getName());
-            } catch (IllegalArgumentException e) {
-                validationException = addValidationError(e.getMessage(), validationException);
-            }
-            if (privilege.getActions().isEmpty()) {
-                validationException = addValidationError("Application privileges must have at least one action", validationException);
-            }
-            for (String action : privilege.getActions()) {
-                if (action.indexOf('/') == -1 && action.indexOf('*') == -1 && action.indexOf(':') == -1) {
-                    validationException = addValidationError("action [" + action + "] must contain one of [ '/' , '*' , ':' ]",
-                        validationException);
-                }
+        if (privileges.isEmpty()) {
+            validationException = addValidationError("At least one application privilege must be provided", validationException);
+        } else {
+            for (ApplicationPrivilegeDescriptor privilege : privileges) {
                try {
-                    ApplicationPrivilege.validatePrivilegeOrActionName(action);
+                    ApplicationPrivilege.validateApplicationName(privilege.getApplication());
                } catch (IllegalArgumentException e) {
                    validationException = addValidationError(e.getMessage(), validationException);
                }
-            }
-            if (MetadataUtils.containsReservedMetadata(privilege.getMetadata())) {
-                validationException = addValidationError("metadata keys may not start with [" + MetadataUtils.RESERVED_PREFIX
-                    + "] (in privilege " + privilege.getApplication() + ' ' + privilege.getName() + ")", validationException);
+                try {
+                    ApplicationPrivilege.validatePrivilegeName(privilege.getName());
+                } catch (IllegalArgumentException e) {
+                    validationException = addValidationError(e.getMessage(), validationException);
+                }
+                if (privilege.getActions().isEmpty()) {
+                    validationException = addValidationError("Application privileges must have at least one action", validationException);
+                }
+                for (String action : privilege.getActions()) {
+                    if (action.indexOf('/') == -1 && action.indexOf('*') == -1 && action.indexOf(':') == -1) {
+                        validationException = addValidationError("action [" + action + "] must contain one of [ '/' , '*' , ':' ]",
+                            validationException);
+                    }
+                    try {
+                        ApplicationPrivilege.validatePrivilegeOrActionName(action);
+                    } catch (IllegalArgumentException e) {
+                        validationException = addValidationError(e.getMessage(), validationException);
+                    }
+                }
+                if (MetadataUtils.containsReservedMetadata(privilege.getMetadata())) {
+                    validationException = addValidationError("metadata keys may not start with [" + MetadataUtils.RESERVED_PREFIX
+                        + "] (in privilege " + privilege.getApplication() + ' ' + privilege.getName() + ")", validationException);
+                }
            }
        }
        return validationException;
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequestTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequestTests.java
@ -74,6 +74,9 @@ public class PutPrivilegesRequestTests extends ESTestCase {
        assertValidationFailure(request(wildcardApp, numericName, reservedMetadata, badAction),
            "Application names may not contain", "Application privilege names must match", "metadata keys may not start",
            "must contain one of");
+
+        // Empty request
+        assertValidationFailure(new PutPrivilegesRequest(), "At least one application privilege must be provided");
    }

    private ApplicationPrivilegeDescriptor descriptor(String application, String name, String... actions) {