Followup for elastic/elasticsearch#25791

Original commit: elastic/x-pack-elasticsearch@806de5670f

plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java

@@ -50,6 +50,7 @@ import org.elasticsearch.index.query.ParsedQuery;
 import org.elasticsearch.index.query.QueryBuilder;
 import org.elasticsearch.index.query.QueryRewriteContext;
 import org.elasticsearch.index.query.QueryShardContext;
+import org.elasticsearch.index.query.Rewriteable;
 import org.elasticsearch.index.query.TermsQueryBuilder;
 import org.elasticsearch.index.query.functionscore.FunctionScoreQueryBuilder;
 import org.elasticsearch.index.shard.IndexSearcherWrapper;
@@ -137,7 +138,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
                             .createParser(queryShardContext.getXContentRegistry(), templateResult)) {
                         QueryBuilder queryBuilder = queryShardContext.parseInnerQueryBuilder(parser);
                         verifyRoleQuery(queryBuilder);
-                        failIfQueryUsesClient(scriptService, queryBuilder, queryShardContext);
+                        failIfQueryUsesClient(queryBuilder, queryShardContext);
                         ParsedQuery parsedQuery = queryShardContext.toFilter(queryBuilder);
                         filter.add(parsedQuery.query(), SHOULD);
                     }
@@ -348,18 +349,13 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
      * the DLS query until the get thread pool has been exhausted:
      * https://github.com/elastic/x-plugins/issues/3145
      */
-    static void failIfQueryUsesClient(ScriptService scriptService, QueryBuilder queryBuilder, QueryRewriteContext original)
+    static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext original)
             throws IOException {
-        Client client = new FilterClient(original.getClient()) {
+        QueryRewriteContext copy = new QueryRewriteContext(
-            @Override
+                original.getXContentRegistry(), null, original::nowInMillis);
-            protected <Request extends ActionRequest, Response extends ActionResponse,
+        Rewriteable.rewrite(queryBuilder, copy);
-                    RequestBuilder extends ActionRequestBuilder<Request, Response, RequestBuilder>>
+        if (copy.hasAsyncActions()) {
-            void doExecute(Action<Request, Response, RequestBuilder> action, Request request, ActionListener<Response> listener) {
             throw new IllegalStateException("role queries are not allowed to execute additional requests");
         }
-        };
-        QueryRewriteContext copy = new QueryRewriteContext(
-                original.getXContentRegistry(), client, original::nowInMillis);
-        queryBuilder.rewrite(copy);
     }
 }

plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java

@@ -682,11 +682,11 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
         QueryRewriteContext context = new QueryRewriteContext(xContentRegistry(), client,
                 () -> nowInMillis);
         QueryBuilder queryBuilder1 = new TermsQueryBuilder("field", "val1", "val2");
-        SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder1, context);
+        SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder1, context);
 
         QueryBuilder queryBuilder2 = new TermsQueryBuilder("field", new TermsLookup("_index", "_type", "_id", "_path"));
         Exception e = expectThrows(IllegalStateException.class,
-                () -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder2, context));
+                () -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder2, context));
         assertThat(e.getMessage(), equalTo("role queries are not allowed to execute additional requests"));
     }