[Security] Support "type" field in role-mappings (elastic/x-pack-elasticsearch#2681)

The upgrade API adds a "type" field to role mapping documents. The parser would reject these docs due to an unexpected field. We now ignore the "type" field instead. Original commit: elastic/x-pack-elasticsearch@538f5adab2
2017-10-06 13:50:55 +11:00 · 2017-10-06 13:50:55 +11:00 · ec5a038f98
parent 686eb0ab65
commit ec5a038f98
2 changed files with 22 additions and 1 deletions
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMapping.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMapping.java
@ -38,6 +38,11 @@ public class ExpressionRoleMapping implements ToXContentObject, Writeable {

    private static final ObjectParser<Builder, String> PARSER = new ObjectParser<>("role-mapping", Builder::new);

+    /**
+     * The Upgrade API added a 'type' field when converting from 5 to 6.
+     * We don't use it, but we need to skip it if it exists.
+     */
+    private static final String UPGRADE_API_TYPE_FIELD = "type";

    static {
        PARSER.declareStringArray(Builder::roles, Fields.ROLES);
@ -46,8 +51,9 @@ public class ExpressionRoleMapping implements ToXContentObject, Writeable {
        PARSER.declareBoolean(Builder::enabled, Fields.ENABLED);
        BiConsumer<Builder, String> ignored = (b, v) -> {
        };
-        // skip the doc_type field in case we're parsing directly from the index
+        // skip the doc_type and type fields in case we're parsing directly from the index
        PARSER.declareString(ignored, new ParseField(NativeRoleMappingStore.DOC_TYPE_FIELD));
+        PARSER.declareString(ignored, new ParseField(UPGRADE_API_TYPE_FIELD));
        }

    private final String name;
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java
@ -40,6 +40,7 @@ import org.hamcrest.Matchers;
 import org.junit.Before;
 import org.mockito.Mockito;

+import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
@ -118,6 +119,20 @@ public class ExpressionRoleMappingTests extends ESTestCase {
        assertThat(ex.getMessage(), containsString("disabled"));
    }

+    public void testParsingIgnoresTypeFields() throws Exception {
+        String json = "{"
+                + "\"enabled\": true, "
+                + "\"roles\": [  \"kibana_user\", \"sales\" ], "
+                + "\"rules\": "
+                + "    { \"field\": { \"dn\" : \"*,ou=sales,dc=example,dc=com\" } }, "
+                + "\"doc_type\": \"role-mapping\", "
+                + "\"type\": \"doc\""
+                + "}";
+        final ExpressionRoleMapping mapping = parse(json, "from_index");
+        assertThat(mapping.isEnabled(), equalTo(true));
+        assertThat(mapping.getRoles(), containsInAnyOrder("kibana_user", "sales"));
+    }
+
    private ExpressionRoleMapping parse(String json, String name) throws IOException {
        final NamedXContentRegistry registry = NamedXContentRegistry.EMPTY;
        final XContentParser parser = XContentType.JSON.xContent().createParser(registry, json);