From d37bf240fe1df1d964af6df8ed753691f26b48c5 Mon Sep 17 00:00:00 2001
From: Simon Willnauer
Date: Mon, 14 Mar 2016 15:01:06 +0100
Subject: [PATCH] Don't override indices when concreteIndex is set on PutMappingRequest

PutMappingRequest has a special case since it can come with one and only one concrete index. In such a case we can't replace the indices list with all authorized indices but should rather only check if the index is authorized and otherwise fail the request.

Original commit: elastic/x-pack-elasticsearch@4ee20029e1c39ca35e1ec4eca1de6b4c9964c7c2
---
 .../DefaultIndicesAndAliasesResolver.java | 43 ++++++++++++-------
 1 file changed, 27 insertions(+), 16 deletions(-)

diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java
index a435dec2150..46e1896fe0b 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java
@@ -8,6 +8,7 @@ package org.elasticsearch.shield.authz.indicesresolver;
 import org.elasticsearch.action.AliasesRequest;
 import org.elasticsearch.action.CompositeIndicesRequest;
 import org.elasticsearch.action.IndicesRequest;
+import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.cluster.metadata.AliasOrIndex;
 import org.elasticsearch.cluster.metadata.IndexMetaData;
@@ -68,26 +69,36 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
 }
 
 private Set resolveIndicesAndAliases(User user, String action, IndicesRequest indicesRequest, MetaData metaData) {
- if (indicesRequest.indicesOptions().expandWildcardsOpen() || indicesRequest.indicesOptions().expandWildcardsClosed()) {
- if (indicesRequest instanceof IndicesRequest.Replaceable) {
- List authorizedIndices = authzService.authorizedIndicesAndAliases(user, action);
- List indices = replaceWildcardsWithAuthorizedIndices(indicesRequest.indices(), indicesRequest.indicesOptions(),
- metaData, authorizedIndices);
- ((IndicesRequest.Replaceable) indicesRequest).indices(indices.toArray(new String[indices.size()]));
- } else {
- assert !containsWildcards(indicesRequest) :
- "There are no external requests known to support wildcards that don't support replacing their indices";
+ final Set indices;
+ if (indicesRequest instanceof PutMappingRequest
+ && ((PutMappingRequest) indicesRequest).getConcreteIndex() != null) {
+ /**
+ * This is a special case since PutMappingRequests from dynamic mapping updates have a concrete index
+ * if this index is set and it's in the list of authorized indices we are good and don't need to put
+ * the list of indices in there, if we do so it will result in an invalid request and the update will fail.
+ */
+ indices = Collections.singleton(((PutMappingRequest) indicesRequest).getConcreteIndex().getName());
+ } else {
+ if (indicesRequest.indicesOptions().expandWildcardsOpen() || indicesRequest.indicesOptions().expandWildcardsClosed()) {
+ if (indicesRequest instanceof IndicesRequest.Replaceable) {
+ List authorizedIndices = replaceWildcardsWithAuthorizedIndices(indicesRequest.indices(),
+ indicesRequest.indicesOptions(),
+ metaData, authzService.authorizedIndicesAndAliases(user, action));
+ ((IndicesRequest.Replaceable) indicesRequest).indices(authorizedIndices.toArray(new String[authorizedIndices.size()]));
+ } else {
+ assert !containsWildcards(indicesRequest) :
+ "There are no external requests known to support wildcards that don't support replacing their indices";
 
- //NOTE: shard level requests do support wildcards (as they hold the original indices options) but don't support replacing
- // their indices.
- //That is fine though because they never contain wildcards, as they get replaced as part of the authorization of their
- //corresponding parent request on the coordinating node. Hence wildcards don't need to get replaced nor exploded for
- // shard level requests.
+ //NOTE: shard level requests do support wildcards (as they hold the original indices options) but don't support
+ // replacing their indices.
+ //That is fine though because they never contain wildcards, as they get replaced as part of the authorization of their
+ //corresponding parent request on the coordinating node. Hence wildcards don't need to get replaced nor exploded for
+ // shard level requests.
+ }
 }
+ indices = Sets.newHashSet(indicesRequest.indices());
 }
 
- Set indices = Sets.newHashSet(indicesRequest.indices());
-
 if (indicesRequest instanceof AliasesRequest) {
 //special treatment for AliasesRequest since we need to replace wildcards among the specified aliases.
 //AliasesRequest extends IndicesRequest.Replaceable, hence its indices have already been properly replaced.
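Review bot: In the new `PutMappingRequest` branch the resolved set is built from `getConcreteIndex().getName()` alone and `indicesRequest.indices()` is never consulted, so the authorization decision rests on a name that may differ from whatever the request's index array carries. Whether a request can arrive with both populated is not visible in this hunk; if the two are meant to be mutually exclusive, the branch should enforce it, with something like `assert indicesRequest.indices() == null || indicesRequest.indices().length == 0 : "indices must be empty when a concrete index is set";` or an explicit rejection. The comment also says the index must be "in the list of authorized indices", but this branch performs no such check (presumably the caller authorizes the returned set), so it should say so explicitly and be a plain `/* ... */` block rather than Javadoc inside a method body. The body of `resolveIndicesAndAliases` continues past the end of the hunk.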