honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Followup for elastic/elasticsearch#25791 

Original commit: elastic/x-pack-elasticsearch@806de5670f
This commit is contained in:
Simon Willnauer 2017-07-20 16:45:32 +02:00
parent 3f08fad603
commit eb5631b981
2 changed files with 10 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
View File

@ -50,6 +50,7 @@ import org.elasticsearch.index.query.ParsedQuery;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryRewriteContext;
import org.elasticsearch.index.query.QueryShardContext;
import org.elasticsearch.index.query.Rewriteable;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.index.query.functionscore.FunctionScoreQueryBuilder;
import org.elasticsearch.index.shard.IndexSearcherWrapper;
@ -137,7 +138,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
.createParser(queryShardContext.getXContentRegistry(), templateResult)) {
QueryBuilder queryBuilder = queryShardContext.parseInnerQueryBuilder(parser);
verifyRoleQuery(queryBuilder);
failIfQueryUsesClient(scriptService, queryBuilder, queryShardContext);
failIfQueryUsesClient(queryBuilder, queryShardContext);
ParsedQuery parsedQuery = queryShardContext.toFilter(queryBuilder);
filter.add(parsedQuery.query(), SHOULD);
}
@ -348,18 +349,13 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
* the DLS query until the get thread pool has been exhausted:
* https://github.com/elastic/x-plugins/issues/3145
*/
static void failIfQueryUsesClient(ScriptService scriptService, QueryBuilder queryBuilder, QueryRewriteContext original)
static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext original)
throws IOException {
Client client = new FilterClient(original.getClient()) {
@Override
protected <Request extends ActionRequest, Response extends ActionResponse,
RequestBuilder extends ActionRequestBuilder<Request, Response, RequestBuilder>>
void doExecute(Action<Request, Response, RequestBuilder> action, Request request, ActionListener<Response> listener) {
throw new IllegalStateException("role queries are not allowed to execute additional requests");
}
};
QueryRewriteContext copy = new QueryRewriteContext(
original.getXContentRegistry(), client, original::nowInMillis);
queryBuilder.rewrite(copy);
original.getXContentRegistry(), null, original::nowInMillis);
Rewriteable.rewrite(queryBuilder, copy);
if (copy.hasAsyncActions()) {
throw new IllegalStateException("role queries are not allowed to execute additional requests");
}
}
}

4
plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
View File

@ -682,11 +682,11 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
QueryRewriteContext context = new QueryRewriteContext(xContentRegistry(), client,
() -> nowInMillis);
QueryBuilder queryBuilder1 = new TermsQueryBuilder("field", "val1", "val2");
SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder1, context);
SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder1, context);
QueryBuilder queryBuilder2 = new TermsQueryBuilder("field", new TermsLookup("_index", "_type", "_id", "_path"));
Exception e = expectThrows(IllegalStateException.class,
() -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder2, context));
() -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder2, context));
assertThat(e.getMessage(), equalTo("role queries are not allowed to execute additional requests"));
}