From 7597b7ce2bd280401fcbfbeb281dfbb205830d75 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Fri, 18 Jan 2019 17:06:40 +0200
Subject: [PATCH] Add validation for empty PutPrivilegeRequest (#37569)

Return an error to the user if the put privilege api is called with an empty body (no privileges)

Resolves: #37561
---
 .../privilege/PutPrivilegesRequest.java | 52 ++++++++++---------
 .../privilege/PutPrivilegesRequestTests.java | 3 ++
 2 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequest.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequest.java
index beba805f6df..651c695db6a 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequest.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequest.java
@@ -39,34 +39,38 @@ public final class PutPrivilegesRequest extends ActionRequest implements Applica
 @Override
 public ActionRequestValidationException validate() {
 ActionRequestValidationException validationException = null;
- for (ApplicationPrivilegeDescriptor privilege : privileges) {
- try {
- ApplicationPrivilege.validateApplicationName(privilege.getApplication());
- } catch (IllegalArgumentException e) {
- validationException = addValidationError(e.getMessage(), validationException);
- }
- try {
- ApplicationPrivilege.validatePrivilegeName(privilege.getName());
- } catch (IllegalArgumentException e) {
- validationException = addValidationError(e.getMessage(), validationException);
- }
- if (privilege.getActions().isEmpty()) {
- validationException = addValidationError("Application privileges must have at least one action", validationException);
- }
- for (String action : privilege.getActions()) {
- if (action.indexOf('/') == -1 && action.indexOf('*') == -1 && action.indexOf(':') == -1) {
- validationException = addValidationError("action [" + action + "] must contain one of [ '/' , '*' , ':' ]",
- validationException);
- }
+ if (privileges.isEmpty()) {
+ validationException = addValidationError("At least one application privilege must be provided", validationException);
+ } else {
+ for (ApplicationPrivilegeDescriptor privilege : privileges) {
 try {
- ApplicationPrivilege.validatePrivilegeOrActionName(action);
+ ApplicationPrivilege.validateApplicationName(privilege.getApplication());
 } catch (IllegalArgumentException e) {
 validationException = addValidationError(e.getMessage(), validationException);
 }
- }
- if (MetadataUtils.containsReservedMetadata(privilege.getMetadata())) {
- validationException = addValidationError("metadata keys may not start with [" + MetadataUtils.RESERVED_PREFIX
- + "] (in privilege " + privilege.getApplication() + ' ' + privilege.getName() + ")", validationException);
+ try {
+ ApplicationPrivilege.validatePrivilegeName(privilege.getName());
+ } catch (IllegalArgumentException e) {
+ validationException = addValidationError(e.getMessage(), validationException);
+ }
+ if (privilege.getActions().isEmpty()) {
+ validationException = addValidationError("Application privileges must have at least one action", validationException);
+ }
+ for (String action : privilege.getActions()) {
+ if (action.indexOf('/') == -1 && action.indexOf('*') == -1 && action.indexOf(':') == -1) {
+ validationException = addValidationError("action [" + action + "] must contain one of [ '/' , '*' , ':' ]",
+ validationException);
+ }
+ try {
+ ApplicationPrivilege.validatePrivilegeOrActionName(action);
+ } catch (IllegalArgumentException e) {
+ validationException = addValidationError(e.getMessage(), validationException);
+ }
+ }
+ if (MetadataUtils.containsReservedMetadata(privilege.getMetadata())) {
+ validationException = addValidationError("metadata keys may not start with [" + MetadataUtils.RESERVED_PREFIX
+ + "] (in privilege " + privilege.getApplication() + ' ' + privilege.getName() + ")", validationException);
+ }
 }
 }
 return validationException;
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequestTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequestTests.java
index e258efd04c5..e1bdc7687e3 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequestTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequestTests.java
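Review bot: The new `else` branch re-indents the entire per-privilege loop just to skip it when the list is empty, which turns a three-line check into a 52-line diff and makes the actual change harder to audit. Because `validationException` is still `null` at that point, an early return reads the same and leaves the existing loop untouched: `if (privileges.isEmpty()) {` / `    return addValidationError("At least one application privilege must be provided", validationException);` / `}`. The `privileges` field is initialized outside the hunk; if any constructor or deserialization path can leave it `null`, `privileges.isEmpty()` would now throw `NullPointerException` instead of producing a validation error, though the added test calling `new PutPrivilegesRequest()` suggests it defaults to an empty collection — worth confirming. The enclosing `validate()` method ends outside the hunk.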
@@ -74,6 +74,9 @@ public class PutPrivilegesRequestTests extends ESTestCase { assertValidationFailure(request(wildcardApp, numericName, reservedMetadata, badAction), "Application names may not contain", "Application privilege names must match", "metadata keys may not start", "must contain one of"); + + // Empty request + assertValidationFailure(new PutPrivilegesRequest(), "At least one application privilege must be provided"); } private ApplicationPrivilegeDescriptor descriptor(String application, String name, String... actions) {