[Security] has_privileges.has_all_requested should respect cluster privileges (elastic/x-pack-elasticsearch#3379)

The has_all_requested field in the has_privileges response was not taking the cluster privileges into account

relates elastic/x-pack-elasticsearch#3366

Original commit: elastic/x-pack-elasticsearch@68d2b98670

plugin/src/main/java/org/elasticsearch/xpack/security/action/user/TransportHasPrivilegesAction.java

@@ -79,11 +79,11 @@ public class TransportHasPrivilegesAction extends HandledTransportAction<HasPriv
             final ClusterPrivilege rolePrivilege = userRole.cluster().privilege();
             cluster.put(checkAction, testPrivilege(checkPrivilege, rolePrivilege.getAutomaton()));
         }
+        boolean allMatch = cluster.values().stream().allMatch(Boolean::booleanValue);
 
         final Map<IndicesPermission.Group, Automaton> predicateCache = new HashMap<>();
 
         final Map<String, HasPrivilegesResponse.IndexPrivileges> indices = new LinkedHashMap<>();
-        boolean allMatch = true;
         for (RoleDescriptor.IndicesPrivileges check : request.indexPrivileges()) {
             for (String index : check.getIndices()) {
                 final Map<String, Boolean> privileges = new HashMap<>();

plugin/src/test/java/org/elasticsearch/xpack/security/action/user/TransportHasPrivilegesActionTests.java

@@ -170,18 +170,10 @@ public class TransportHasPrivilegesActionTests extends ESTestCase {
                 .cluster(ClusterPrivilege.MONITOR)
                 .build();
 
-        final HasPrivilegesRequest request = new HasPrivilegesRequest();
+        final HasPrivilegesResponse response = hasPrivileges(RoleDescriptor.IndicesPrivileges.builder()
-        request.username(user.principal());
-        request.clusterPrivileges(Strings.EMPTY_ARRAY);
-        request.indexPrivileges(RoleDescriptor.IndicesPrivileges.builder()
                 .indices("academy")
                 .privileges("read", "write")
-                .build());
+                .build(), Strings.EMPTY_ARRAY);
-        final PlainActionFuture<HasPrivilegesResponse> future = new PlainActionFuture();
-        action.doExecute(request, future);
-
-        final HasPrivilegesResponse response = future.get();
-        assertThat(response, notNullValue());
         assertThat(response.isCompleteMatch(), is(false));
         assertThat(response.getIndexPrivileges(), Matchers.iterableWithSize(1));
         final IndexPrivileges result = response.getIndexPrivileges().get(0);
@@ -262,20 +254,10 @@ public class TransportHasPrivilegesActionTests extends ESTestCase {
                 .add(IndexPrivilege.DELETE, "apache-2016-*")
                 .build();
 
-        final HasPrivilegesRequest request = new HasPrivilegesRequest();
+        final HasPrivilegesResponse response = hasPrivileges(RoleDescriptor.IndicesPrivileges.builder()
-        request.username(user.principal());
-        request.clusterPrivileges(Strings.EMPTY_ARRAY);
-        request.indexPrivileges(
-                RoleDescriptor.IndicesPrivileges.builder()
                 .indices("apache-2016-12", "apache-2017-01")
                 .privileges("index", "delete")
-                        .build()
+                .build(), Strings.EMPTY_ARRAY);
-        );
-        final PlainActionFuture<HasPrivilegesResponse> future = new PlainActionFuture();
-        action.doExecute(request, future);
-
-        final HasPrivilegesResponse response = future.get();
-        assertThat(response, notNullValue());
         assertThat(response.isCompleteMatch(), is(false));
         assertThat(response.getIndexPrivileges(), Matchers.iterableWithSize(2));
         assertThat(response.getIndexPrivileges(), containsInAnyOrder(
@@ -289,6 +271,39 @@ public class TransportHasPrivilegesActionTests extends ESTestCase {
         ));
     }
 
+    public void testIsCompleteMatch() throws Exception {
+        role = Role.builder("test-write")
+                .cluster(ClusterPrivilege.MONITOR)
+                .add(IndexPrivilege.READ, "read-*")
+                .add(IndexPrivilege.ALL, "all-*")
+                .build();
+
+        assertThat(hasPrivileges(indexPrivileges("read", "read-123", "read-456", "all-999"), "monitor").isCompleteMatch(), is(true));
+        assertThat(hasPrivileges(indexPrivileges("read", "read-123", "read-456", "all-999"), "manage").isCompleteMatch(), is(false));
+        assertThat(hasPrivileges(indexPrivileges("write", "read-123", "read-456", "all-999"), "monitor").isCompleteMatch(), is(false));
+        assertThat(hasPrivileges(indexPrivileges("write", "read-123", "read-456", "all-999"), "manage").isCompleteMatch(), is(false));
+    }
+
+    private RoleDescriptor.IndicesPrivileges indexPrivileges(String priv, String... indices) {
+        return RoleDescriptor.IndicesPrivileges.builder()
+                .indices(indices)
+                .privileges(priv)
+                .build();
+    }
+
+    private HasPrivilegesResponse hasPrivileges(RoleDescriptor.IndicesPrivileges indicesPrivileges, String... clusterPrivileges)
+            throws Exception {
+        final HasPrivilegesRequest request = new HasPrivilegesRequest();
+        request.username(user.principal());
+        request.clusterPrivileges(clusterPrivileges);
+        request.indexPrivileges(indicesPrivileges);
+        final PlainActionFuture<HasPrivilegesResponse> future = new PlainActionFuture();
+        action.doExecute(request, future);
+        final HasPrivilegesResponse response = future.get();
+        assertThat(response, notNullValue());
+        return response;
+    }
+
     private static MapBuilder<String, Boolean> mapBuilder() {
         return MapBuilder.newMapBuilder();
     }