[authz] fix Indices.Globals iterator to continue past a global without indices

If a Global permission is encountered that has no indices the iterator would not continue to the rest of the entries. This change fixes the iterator to check if a Global has indices and if not continues to look for a Global with indices permissions. Closes elastic/elasticsearch#701 Original commit: elastic/x-pack-elasticsearch@5fbe318046
2015-02-12 12:34:11 -08:00 · 2015-02-12 12:34:11 -08:00 · af409e2ff8
parent 6a8d971df1
commit af409e2ff8
2 changed files with 32 additions and 1 deletions
--- a/src/main/java/org/elasticsearch/shield/authz/Permission.java
+++ b/src/main/java/org/elasticsearch/shield/authz/Permission.java
@ -342,7 +342,16 @@ public interface Permission {
                        current = null;
                        return;
                    }
-                    current = globals.next().indices().iterator();
+
+                    while (globals.hasNext()) {
+                        Indices indices = globals.next().indices();
+                        if (!indices.isEmpty()) {
+                            current = indices.iterator();
+                            return;
+                        }
+                    }
+
+                    current = null;
                }
            }
        }
--- a/src/test/java/org/elasticsearch/shield/authz/PermissionTests.java
+++ b/src/test/java/org/elasticsearch/shield/authz/PermissionTests.java
@ -7,11 +7,16 @@ package org.elasticsearch.shield.authz;

 import org.elasticsearch.action.get.GetAction;
 import org.elasticsearch.common.base.Predicate;
+import org.elasticsearch.common.collect.ImmutableList;
 import org.elasticsearch.test.ElasticsearchTestCase;
 import org.junit.Before;
 import org.junit.Test;

+import java.util.Iterator;
+
 import static org.elasticsearch.shield.authz.Privilege.Index.*;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;

 /**
@ -42,6 +47,23 @@ public class PermissionTests extends ElasticsearchTestCase {
        assertThat(matcher1, is(matcher2));
    }

+    @Test
+    public void testIndicesGlobalsIterator() {
+        Permission.Global.Role.Builder builder = Permission.Global.Role.builder("tc_role");
+        builder.set(Cluster.action("cluster:monitor/nodes/info"));
+        Permission.Global.Role noIndicesPermission = builder.build();
+
+        Permission.Indices.Globals indicesGlobals = new Permission.Indices.Globals(ImmutableList.<Permission.Global>of(noIndicesPermission, permission));
+        Iterator<Permission.Indices.Group> iterator = indicesGlobals.iterator();
+        assertThat(iterator.hasNext(), is(equalTo(true)));
+        int count = 0;
+        while (iterator.hasNext()) {
+            iterator.next();
+            count++;
+        }
+        assertThat(count, is(equalTo(permission.indices().groups().length)));
+    }
+
    // "baz_*foo", "/fool.*bar/"
    private void testAllowedIndicesMatcher(Predicate<String> indicesMatcher) {
        assertThat(indicesMatcher.apply("foobar"), is(false));