Followup for elastic/elasticsearch#25791
Original commit: elastic/x-pack-elasticsearch@806de5670f
This commit is contained in:
parent
3f08fad603
commit
eb5631b981
|
@ -50,6 +50,7 @@ import org.elasticsearch.index.query.ParsedQuery;
|
|||
import org.elasticsearch.index.query.QueryBuilder;
|
||||
import org.elasticsearch.index.query.QueryRewriteContext;
|
||||
import org.elasticsearch.index.query.QueryShardContext;
|
||||
import org.elasticsearch.index.query.Rewriteable;
|
||||
import org.elasticsearch.index.query.TermsQueryBuilder;
|
||||
import org.elasticsearch.index.query.functionscore.FunctionScoreQueryBuilder;
|
||||
import org.elasticsearch.index.shard.IndexSearcherWrapper;
|
||||
|
@ -137,7 +138,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
|
|||
.createParser(queryShardContext.getXContentRegistry(), templateResult)) {
|
||||
QueryBuilder queryBuilder = queryShardContext.parseInnerQueryBuilder(parser);
|
||||
verifyRoleQuery(queryBuilder);
|
||||
failIfQueryUsesClient(scriptService, queryBuilder, queryShardContext);
|
||||
failIfQueryUsesClient(queryBuilder, queryShardContext);
|
||||
ParsedQuery parsedQuery = queryShardContext.toFilter(queryBuilder);
|
||||
filter.add(parsedQuery.query(), SHOULD);
|
||||
}
|
||||
|
@ -348,18 +349,13 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
|
|||
* the DLS query until the get thread pool has been exhausted:
|
||||
* https://github.com/elastic/x-plugins/issues/3145
|
||||
*/
|
||||
static void failIfQueryUsesClient(ScriptService scriptService, QueryBuilder queryBuilder, QueryRewriteContext original)
|
||||
static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext original)
|
||||
throws IOException {
|
||||
Client client = new FilterClient(original.getClient()) {
|
||||
@Override
|
||||
protected <Request extends ActionRequest, Response extends ActionResponse,
|
||||
RequestBuilder extends ActionRequestBuilder<Request, Response, RequestBuilder>>
|
||||
void doExecute(Action<Request, Response, RequestBuilder> action, Request request, ActionListener<Response> listener) {
|
||||
QueryRewriteContext copy = new QueryRewriteContext(
|
||||
original.getXContentRegistry(), null, original::nowInMillis);
|
||||
Rewriteable.rewrite(queryBuilder, copy);
|
||||
if (copy.hasAsyncActions()) {
|
||||
throw new IllegalStateException("role queries are not allowed to execute additional requests");
|
||||
}
|
||||
};
|
||||
QueryRewriteContext copy = new QueryRewriteContext(
|
||||
original.getXContentRegistry(), client, original::nowInMillis);
|
||||
queryBuilder.rewrite(copy);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -682,11 +682,11 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
|
|||
QueryRewriteContext context = new QueryRewriteContext(xContentRegistry(), client,
|
||||
() -> nowInMillis);
|
||||
QueryBuilder queryBuilder1 = new TermsQueryBuilder("field", "val1", "val2");
|
||||
SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder1, context);
|
||||
SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder1, context);
|
||||
|
||||
QueryBuilder queryBuilder2 = new TermsQueryBuilder("field", new TermsLookup("_index", "_type", "_id", "_path"));
|
||||
Exception e = expectThrows(IllegalStateException.class,
|
||||
() -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder2, context));
|
||||
() -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder2, context));
|
||||
assertThat(e.getMessage(), equalTo("role queries are not allowed to execute additional requests"));
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue