Extract security wildcard pattern matching (#65404)

This commit moves the implementation of wildcard pattern matching into
a standalone utility class ("StringMatcher").

In general, we rely on lucene Automaton objects to implement pattern
matching (wildcards and regexp) within Elasticsearch security - for
example in Index name patterns within a role.

The IndicesPermission class also has a special optimisation for exact
string matches (that is raw index names that contain no wildcards) as
using String.equals / Set.contains is more efficient for this common
case.

All of the above functionality has now been extracted into the
StringMatcher class, and it is now used in several places where it may
be more efficient that the previous use of raw Automaton objects.

A future change will expand this StringMatcher class with additional
optimisations for common use cases that are poorly handled within our
existing automaton compilation process.

Relates: #36062

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -5,24 +5,21 @@
  */
 package org.elasticsearch.xpack.core.security.authz.permission;
 
-import org.apache.logging.log4j.LogManager;
 import org.apache.lucene.util.automaton.Automaton;
 import org.apache.lucene.util.automaton.Operations;
-import org.apache.lucene.util.automaton.TooComplexToDeterminizeException;
-import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.admin.indices.mapping.put.AutoPutMappingAction;
 import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction;
 import org.elasticsearch.cluster.metadata.IndexAbstraction;
 import org.elasticsearch.cluster.metadata.IndexMetadata;
 import org.elasticsearch.common.Nullable;
-import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.logging.DeprecationLogger;
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
 import org.elasticsearch.xpack.core.security.support.Automatons;
+import org.elasticsearch.xpack.core.security.support.StringMatcher;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -60,65 +57,18 @@ public IndicesPermission(Group... groups) {
         this.groups = groups;
     }
 
-    private static Predicate<String> indexMatcher(Collection<String> ordinaryIndices, Collection<String> restrictedIndices) {
-        Predicate<String> namePredicate;
+    private static StringMatcher indexMatcher(Collection<String> ordinaryIndices, Collection<String> restrictedIndices) {
+        StringMatcher matcher;
         if (ordinaryIndices.isEmpty()) {
-            namePredicate = indexMatcher(restrictedIndices);
+            matcher = StringMatcher.of(restrictedIndices);
         } else {
-            namePredicate = indexMatcher(ordinaryIndices)
-                    .and(index -> false == RestrictedIndicesNames.isRestricted(index));
+            matcher = StringMatcher.of(ordinaryIndices)
+                    .and("<not-restricted>", index -> false == RestrictedIndicesNames.isRestricted(index));
             if (restrictedIndices.isEmpty() == false) {
-                namePredicate = indexMatcher(restrictedIndices).or(namePredicate);
+                matcher = StringMatcher.of(restrictedIndices).or(matcher);
             }
         }
-        return namePredicate;
-    }
-
-    /**
-     * Given a collection of index names and patterns, this constructs a {@code Predicate} that tests
-     * {@code true} for the names in the collection as well as for any names matching the patterns in the collection.
-     */
-    public static Predicate<String> indexMatcher(Collection<String> indices) {
-        Set<String> exactMatch = new HashSet<>();
-        List<String> nonExactMatch = new ArrayList<>();
-        for (String indexPattern : indices) {
-            if (indexPattern.startsWith("/") || indexPattern.contains("*") || indexPattern.contains("?")) {
-                nonExactMatch.add(indexPattern);
-            } else {
-                exactMatch.add(indexPattern);
-            }
-        }
-
-        if (exactMatch.isEmpty() && nonExactMatch.isEmpty()) {
-            return s -> false;
-        } else if (exactMatch.isEmpty()) {
-            return buildAutomataPredicate(nonExactMatch);
-        } else if (nonExactMatch.isEmpty()) {
-            return buildExactMatchPredicate(exactMatch);
-        } else {
-            return buildExactMatchPredicate(exactMatch).or(buildAutomataPredicate(nonExactMatch));
-        }
-    }
-
-    private static Predicate<String> buildExactMatchPredicate(Set<String> indices) {
-        if (indices.size() == 1) {
-            final String singleValue = indices.iterator().next();
-            return singleValue::equals;
-        }
-        return indices::contains;
-    }
-
-    private static Predicate<String> buildAutomataPredicate(List<String> indices) {
-        try {
-            return Automatons.predicate(indices);
-        } catch (TooComplexToDeterminizeException e) {
-            LogManager.getLogger(IndicesPermission.class).debug("Index pattern automaton [{}] is too complex", indices);
-            String description = Strings.collectionToCommaDelimitedString(indices);
-            if (description.length() > 80) {
-                description = Strings.cleanTruncate(description, 80) + "...";
-            }
-            throw new ElasticsearchSecurityException("The set of permitted index patterns [{}] is too complex to evaluate", e, description);
-        }
+        return matcher;
     }
 
     public Group[] groups() {
@@ -373,7 +323,7 @@ public Group(IndexPrivilege privilege, FieldPermissions fieldPermissions, @Nulla
             this.privilege = privilege;
             this.actionMatcher = privilege.predicate();
             this.indices = indices;
-            this.indexNameMatcher = indexMatcher(Arrays.asList(indices));
+            this.indexNameMatcher = StringMatcher.of(Arrays.asList(indices));
             this.fieldPermissions = Objects.requireNonNull(fieldPermissions);
             this.query = query;
             this.allowRestrictedIndices = allowRestrictedIndices;
@@ -445,14 +395,14 @@ private static Predicate<IndexAbstraction> buildIndexMatcherPredicateForAction(S
                     }
                 }
             }
-            final Predicate<String> namePredicate = indexMatcher(ordinaryIndices, restrictedIndices);
-            final Predicate<String> bwcSpecialCaseNamePredicate = indexMatcher(grantMappingUpdatesOnIndices,
+            final StringMatcher nameMatcher = indexMatcher(ordinaryIndices, restrictedIndices);
+            final StringMatcher bwcSpecialCaseMatcher = indexMatcher(grantMappingUpdatesOnIndices,
                     grantMappingUpdatesOnRestrictedIndices);
             return indexAbstraction -> {
-                return namePredicate.test(indexAbstraction.getName()) ||
+                return nameMatcher.test(indexAbstraction.getName()) ||
                         (indexAbstraction.getType() != IndexAbstraction.Type.DATA_STREAM &&
                                 (indexAbstraction.getParentDataStream() == null) &&
-                                bwcSpecialCaseNamePredicate.test(indexAbstraction.getName()));
+                                bwcSpecialCaseMatcher.test(indexAbstraction.getName()));
             };
         }
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java

@@ -19,7 +19,7 @@
 import org.elasticsearch.xpack.core.security.action.privilege.ApplicationPrivilegesRequest;
 import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege.Category;
-import org.elasticsearch.xpack.core.security.support.Automatons;
+import org.elasticsearch.xpack.core.security.support.StringMatcher;
 import org.elasticsearch.xpack.core.security.xcontent.XContentUtils;
 
 import java.io.IOException;
@@ -133,7 +133,7 @@ public static class ManageApplicationPrivileges implements ConfigurableClusterPr
 
         public ManageApplicationPrivileges(Set<String> applicationNames) {
             this.applicationNames = Collections.unmodifiableSet(applicationNames);
-            this.applicationPredicate = Automatons.predicate(applicationNames);
+            this.applicationPredicate = StringMatcher.of(applicationNames);
             this.requestPredicate = request -> {
                 if (request instanceof ApplicationPrivilegesRequest) {
                     final ApplicationPrivilegesRequest privRequest = (ApplicationPrivilegesRequest) request;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java

@@ -10,7 +10,7 @@
 import org.elasticsearch.index.seqno.RetentionLeaseSyncAction;
 import org.elasticsearch.persistent.CompletionPersistentTaskAction;
 import org.elasticsearch.transport.TransportActionProxy;
-import org.elasticsearch.xpack.core.security.support.Automatons;
+import org.elasticsearch.xpack.core.security.support.StringMatcher;
 
 import java.util.Collections;
 import java.util.function.Predicate;
@@ -19,7 +19,7 @@ public final class SystemPrivilege extends Privilege {
 
     public static SystemPrivilege INSTANCE = new SystemPrivilege();
 
-    private static final Predicate<String> ALLOWED_ACTIONS = Automatons.predicate(
+    private static final Predicate<String> ALLOWED_ACTIONS = StringMatcher.of(
         "internal:*",
         "indices:monitor/*", // added for monitoring
         "cluster:monitor/*",  // added for monitoring

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java

@@ -0,0 +1,169 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.support;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.lucene.util.automaton.TooComplexToDeterminizeException;
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.common.Strings;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Objects;
+import java.util.Set;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+
+/**
+ * This class acts as a facade / encapsulation around the expression and testing of string-based patterns within Elasticsearch security.
+ * Security supports "wildcards" in a number of places (e.g. index names within roles). These cases also support
+ * {@link org.apache.lucene.util.automaton.RegExp Lucene-syntax regular expressions} and are implemented via Lucene
+ * {@link org.apache.lucene.util.automaton.Automaton} objects.
+ * However, it can be more efficient to have special handling and avoid {@code Automata} for particular cases such as exact string matches.
+ * This class handles that logic, an provides a clean interface for
+ * <em>test whether a provided string matches one of an existing set of patterns</em> that hides the possible implementation options.
+ */
+public class StringMatcher implements Predicate<String> {
+
+    private static final StringMatcher MATCH_NOTHING = new StringMatcher("(empty)", s -> false);
+
+    private final String description;
+    private final Predicate<String> predicate;
+    private static final Logger LOGGER = LogManager.getLogger(StringMatcher.class);
+
+    private StringMatcher(String description, Predicate<String> predicate) {
+        this.description = description;
+        this.predicate = predicate;
+    }
+
+    public static StringMatcher of(Iterable<String> patterns) {
+        return StringMatcher.builder().includeAll(patterns).build();
+    }
+
+    public static StringMatcher of(String... patterns) {
+        return StringMatcher.builder().includeAll(patterns).build();
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    @Override
+    public String toString() {
+        return description;
+    }
+
+    @Override
+    public boolean test(String s) {
+        return predicate.test(s);
+    }
+
+    @Override
+    public StringMatcher or(Predicate<? super String> other) {
+        Objects.requireNonNull(other);
+        return new StringMatcher(description + "|" + other, this.predicate.or(other));
+    }
+
+    @Override
+    public StringMatcher and(Predicate<? super String> other) {
+        return this.and(String.valueOf(other), other);
+    }
+
+    public StringMatcher and(String otherDescription, Predicate<? super String> otherPredicate) {
+        Objects.requireNonNull(otherPredicate);
+        return new StringMatcher(this.description + "&" + otherDescription, this.predicate.and(otherPredicate));
+    }
+
+    public static class Builder {
+        private final List<String> allText = new ArrayList<>();
+        private final Set<String> exactMatch = new HashSet<>();
+        private final Set<String> nonExactMatch = new LinkedHashSet<>();
+
+        public Builder include(String pattern) {
+            allText.add(pattern);
+            if (pattern.startsWith("/") || pattern.contains("*") || pattern.contains("?")) {
+                nonExactMatch.add(pattern);
+            } else {
+                exactMatch.add(pattern);
+            }
+            return this;
+        }
+
+        public Builder includeAll(String... patterns) {
+            for (String pattern : patterns) {
+                include(pattern);
+            }
+            return this;
+        }
+
+        public Builder includeAll(Iterable<String> patterns) {
+            for (String pattern : patterns) {
+                include(pattern);
+            }
+            return this;
+        }
+
+        public StringMatcher build() {
+            if (allText.isEmpty()) {
+                return MATCH_NOTHING;
+            }
+
+            final String description = describe(allText);
+            if (exactMatch.isEmpty()) {
+                return new StringMatcher(description, buildAutomataPredicate(nonExactMatch));
+            }
+            if (nonExactMatch.isEmpty()) {
+                return new StringMatcher(description, buildExactMatchPredicate(exactMatch));
+            }
+            final Predicate<String> predicate = buildExactMatchPredicate(exactMatch).or(buildAutomataPredicate(nonExactMatch));
+            return new StringMatcher(description, predicate);
+        }
+
+        private static String describe(List<String> strings) {
+            if (strings.size() == 1) {
+                return strings.get(0);
+            }
+            final int totalLength = strings.stream().map(String::length).reduce(0, Math::addExact);
+            if (totalLength < 250) {
+                return Strings.collectionToDelimitedString(strings, "|");
+            }
+            final int maxItemLength = Math.max(16, 250 / strings.size());
+            return strings.stream().map(s -> {
+                if (s.length() > maxItemLength) {
+                    return Strings.cleanTruncate(s, maxItemLength - 3) + "...";
+                } else {
+                    return s;
+                }
+            }).collect(Collectors.joining("|"));
+        }
+
+        private static Predicate<String> buildExactMatchPredicate(Set<String> stringValues) {
+            if (stringValues.size() == 1) {
+                final String singleValue = stringValues.iterator().next();
+                return singleValue::equals;
+            }
+            return stringValues::contains;
+        }
+
+        private static Predicate<String> buildAutomataPredicate(Collection<String> patterns) {
+            try {
+                return Automatons.predicate(patterns);
+            } catch (TooComplexToDeterminizeException e) {
+                LOGGER.debug("Pattern automaton [{}] is too complex", patterns);
+                String description = Strings.collectionToCommaDelimitedString(patterns);
+                if (description.length() > 80) {
+                    description = Strings.cleanTruncate(description, 80) + "...";
+                }
+                throw new ElasticsearchSecurityException("The set patterns [{}] is too complex to evaluate", e, description);
+            }
+        }
+    }
+}

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/support/AutomatonsTests.java

@@ -9,12 +9,15 @@
 import org.apache.lucene.util.automaton.CharacterRunAutomaton;
 import org.apache.lucene.util.automaton.Operations;
 import org.apache.lucene.util.automaton.TooComplexToDeterminizeException;
+import org.apache.lucene.util.automaton.Transition;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;
 
 import static org.apache.lucene.util.automaton.Operations.DEFAULT_MAX_DETERMINIZED_STATES;
 import static org.elasticsearch.xpack.core.security.support.Automatons.pattern;
@@ -64,6 +67,13 @@ public void testWildcard() throws Exception {
         assertMatch(wildcard("t\\*st"), "t*st");
     }
 
+    public void testUnicode() throws Exception {
+        assertMatch(wildcard("*ξη"), "λέξη");
+        assertMatch(wildcard("сл*во"), "слово");
+        assertMatch(wildcard("စကာ*"), "စကားလုံး");
+        assertMatch(wildcard("וואָרט"), "וואָרט");
+    }
+
     public void testPredicateToString() throws Exception {
         assertThat(predicate("a.*z").toString(), equalTo("a.*z"));
         assertThat(predicate("a.*z", "A.*Z").toString(), equalTo("a.*z|A.*Z"));
@@ -208,4 +218,21 @@ public void testDisableCache() {
         final Automaton automaton = Automatons.pattern(pattern);
         assertThat(Automatons.pattern(pattern), not(sameInstance(automaton)));
     }
+
+    // This isn't use directly in the code, but it's sometimes needed when debugging failing tests
+    // (and it is annoying to have to rewrite it each time it's needed)
+    public static <A extends Appendable> A debug(Automaton a, A out) throws IOException {
+        out.append("Automaton {");
+        out.append(String.format(Locale.ROOT, "States:%d  Deterministic:%s", a.getNumStates(), a.isDeterministic()));
+        for (int s = 0; s < a.getNumStates(); s++) {
+            out.append(String.format(Locale.ROOT, " [State#%d %s", s, a.isAccept(s) ? "(accept)" : ""));
+            for (int t = 0; t < a.getNumTransitions(s); t++) {
+                Transition transition = new Transition();
+                a.getTransition(s, t, transition);
+                out.append(String.format(Locale.ROOT, " (%05d - %05d => %s)", transition.min, transition.max, transition.dest));
+            }
+            out.append("]");
+        }
+        return out;
+    }
 }