diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissions.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissions.java index a8ed1d5fd73a2..d2af69985cb3f 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissions.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissions.java @@ -14,6 +14,7 @@ import org.elasticsearch.common.bytes.BytesReference; import org.elasticsearch.common.io.stream.StreamOutput; import org.elasticsearch.common.lucene.search.Queries; +import org.elasticsearch.core.Nullable; import org.elasticsearch.index.mapper.NestedLookup; import org.elasticsearch.index.query.QueryBuilder; import org.elasticsearch.index.query.QueryRewriteContext; @@ -36,6 +37,7 @@ import java.util.SortedSet; import java.util.TreeSet; import java.util.function.Function; +import java.util.stream.Stream; import static org.apache.lucene.search.BooleanClause.Occur.FILTER; import static org.apache.lucene.search.BooleanClause.Occur.SHOULD; @@ -46,58 +48,56 @@ * queries are used as an additional filter. */ public final class DocumentPermissions implements CacheKey { - // SortedSet because orders are important when they get serialised for request cache key - private final SortedSet queries; - private final SortedSet limitedByQueries; - private List evaluatedQueries; - private List evaluatedLimitedByQueries; - private static DocumentPermissions ALLOW_ALL = new DocumentPermissions(); + @Nullable + private final List> listOfQueries; + @Nullable + private List> listOfEvaluatedQueries; - DocumentPermissions() { - this.queries = null; - this.limitedByQueries = null; + private static final DocumentPermissions ALLOW_ALL = new DocumentPermissions(); + + private DocumentPermissions() { + this.listOfQueries = null; } - DocumentPermissions(Set queries) { - this(queries, null); + private DocumentPermissions(Set queries) { + assert queries != null && false == queries.isEmpty() : "null or empty queries not permitted"; + this.listOfQueries = List.of(new TreeSet<>(queries)); } - DocumentPermissions(Set queries, Set scopedByQueries) { - if (queries == null && scopedByQueries == null) { - throw new IllegalArgumentException("one of the queries or scoped queries must be provided"); - } - this.queries = (queries != null) ? new TreeSet<>(queries) : null; - this.limitedByQueries = (scopedByQueries != null) ? new TreeSet<>(scopedByQueries) : null; + private DocumentPermissions(List> listOfQueries) { + assert listOfQueries != null && false == listOfQueries.isEmpty() : "null or empty list of queries not permitted"; + assert listOfQueries.stream().allMatch(queries -> queries != null && false == queries.isEmpty()) + : "null or empty queries not permitted"; + // SortedSet because orders are important when they get serialised for request cache key + this.listOfQueries = listOfQueries.stream() + .map(queries -> queries instanceof SortedSet ? queries : new TreeSet<>(queries)) + .toList(); } - public Set getQueries() { - return queries == null ? null : Set.copyOf(queries); + public List> getListOfQueries() { + return listOfQueries; } - public Set getLimitedByQueries() { - return limitedByQueries == null ? null : Set.copyOf(limitedByQueries); + public Set getSingleSetOfQueries() { + assert listOfQueries != null && listOfQueries.size() == 1 : "the list of queries does not have a single member"; + return listOfQueries.get(0); } /** * @return {@code true} if either queries or scoped queries are present for document level security else returns {@code false} */ public boolean hasDocumentLevelPermissions() { - return queries != null || limitedByQueries != null; + return listOfQueries != null; } public boolean hasStoredScript() throws IOException { - if (queries != null) { - for (BytesReference q : queries) { - if (DLSRoleQueryValidator.hasStoredScript(q, NamedXContentRegistry.EMPTY)) { - return true; - } - } - } - if (limitedByQueries != null) { - for (BytesReference q : limitedByQueries) { - if (DLSRoleQueryValidator.hasStoredScript(q, NamedXContentRegistry.EMPTY)) { - return true; + if (listOfQueries != null) { + for (Set queries : listOfQueries) { + for (BytesReference q : queries) { + if (DLSRoleQueryValidator.hasStoredScript(q, NamedXContentRegistry.EMPTY)) { + return true; + } } } } @@ -125,35 +125,25 @@ public BooleanQuery filter( ) throws IOException { if (hasDocumentLevelPermissions()) { evaluateQueries(SecurityQueryTemplateEvaluator.wrap(user, scriptService)); - BooleanQuery.Builder filter; - if (evaluatedQueries != null && evaluatedLimitedByQueries != null) { - filter = new BooleanQuery.Builder(); - BooleanQuery.Builder scopedFilter = new BooleanQuery.Builder(); - buildRoleQuery(shardId, searchExecutionContextProvider, evaluatedLimitedByQueries, scopedFilter); - filter.add(scopedFilter.build(), FILTER); + assert listOfEvaluatedQueries != null : "evaluated queries must not be null"; + assert false == listOfEvaluatedQueries.isEmpty() : "evaluated queries must not be empty"; - buildRoleQuery(shardId, searchExecutionContextProvider, evaluatedQueries, filter); - } else if (evaluatedQueries != null) { - filter = new BooleanQuery.Builder(); - buildRoleQuery(shardId, searchExecutionContextProvider, evaluatedQueries, filter); - } else if (evaluatedLimitedByQueries != null) { - filter = new BooleanQuery.Builder(); - buildRoleQuery(shardId, searchExecutionContextProvider, evaluatedLimitedByQueries, filter); - } else { - assert false : "one of queries and limited-by queries must be non-null"; - return null; + BooleanQuery.Builder filter = new BooleanQuery.Builder(); + for (int i = listOfEvaluatedQueries.size() - 1; i > 0; i--) { + final BooleanQuery.Builder scopedFilter = new BooleanQuery.Builder(); + buildRoleQuery(shardId, searchExecutionContextProvider, listOfEvaluatedQueries.get(i), scopedFilter); + filter.add(scopedFilter.build(), FILTER); } + // TODO: All role queries can be filters + buildRoleQuery(shardId, searchExecutionContextProvider, listOfEvaluatedQueries.get(0), filter); return filter.build(); } return null; } private void evaluateQueries(DlsQueryEvaluationContext context) { - if (queries != null && evaluatedQueries == null) { - evaluatedQueries = queries.stream().map(context::evaluate).toList(); - } - if (limitedByQueries != null && evaluatedLimitedByQueries == null) { - evaluatedLimitedByQueries = limitedByQueries.stream().map(context::evaluate).toList(); + if (listOfQueries != null && listOfEvaluatedQueries == null) { + listOfEvaluatedQueries = listOfQueries.stream().map(queries -> queries.stream().map(context::evaluate).toList()).toList(); } } @@ -216,18 +206,9 @@ static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext * @return {@link DocumentPermissions} */ public static DocumentPermissions filteredBy(Set queries) { - if (queries == null || queries.isEmpty()) { - throw new IllegalArgumentException("null or empty queries not permitted"); - } return new DocumentPermissions(queries); } - /** - * Create {@link DocumentPermissions} with no restriction. The {@link #getQueries()} - * will return {@code null} in this case and {@link #hasDocumentLevelPermissions()} - * will be {@code false} - * @return {@link DocumentPermissions} - */ public static DocumentPermissions allowAll() { return ALLOW_ALL; } @@ -240,37 +221,29 @@ public static DocumentPermissions allowAll() { * @return instance of {@link DocumentPermissions} */ public DocumentPermissions limitDocumentPermissions(DocumentPermissions limitedByDocumentPermissions) { - assert limitedByQueries == null && limitedByDocumentPermissions.limitedByQueries == null - : "nested scoping for document permissions is not permitted"; - if (queries == null && limitedByDocumentPermissions.queries == null) { + if (hasDocumentLevelPermissions() && limitedByDocumentPermissions.hasDocumentLevelPermissions()) { + return new DocumentPermissions( + Stream.concat(getListOfQueries().stream(), limitedByDocumentPermissions.getListOfQueries().stream()).toList() + ); + } else if (hasDocumentLevelPermissions()) { + return new DocumentPermissions(getListOfQueries()); + } else if (limitedByDocumentPermissions.hasDocumentLevelPermissions()) { + return new DocumentPermissions(limitedByDocumentPermissions.getListOfQueries()); + } else { return DocumentPermissions.allowAll(); } - // TODO: should we apply the same logic here as FieldPermissions#limitFieldPermissions, - // i.e. treat limited-by as queries if original queries is null? - return new DocumentPermissions(queries, limitedByDocumentPermissions.queries); } @Override public String toString() { - return "DocumentPermissions [queries=" + queries + ", scopedByQueries=" + limitedByQueries + "]"; + return "DocumentPermissions [listOfQueries=" + listOfQueries + "]"; } @Override public void buildCacheKey(StreamOutput out, DlsQueryEvaluationContext context) throws IOException { - assert false == (queries == null && limitedByQueries == null) : "one of queries and limited-by queries must be non-null"; + assert hasDocumentLevelPermissions() : "document permissions should not contribute to cache key when there is no DLS query"; evaluateQueries(context); - if (evaluatedQueries != null) { - out.writeBoolean(true); - out.writeCollection(evaluatedQueries, StreamOutput::writeString); - } else { - out.writeBoolean(false); - } - if (evaluatedLimitedByQueries != null) { - out.writeBoolean(true); - out.writeCollection(evaluatedLimitedByQueries, StreamOutput::writeString); - } else { - out.writeBoolean(false); - } + out.writeCollection(listOfEvaluatedQueries, StreamOutput::writeStringCollection); } @Override @@ -278,11 +251,11 @@ public boolean equals(Object o) { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; DocumentPermissions that = (DocumentPermissions) o; - return Objects.equals(queries, that.queries) && Objects.equals(limitedByQueries, that.limitedByQueries); + return Objects.equals(listOfQueries, that.listOfQueries); } @Override public int hashCode() { - return Objects.hash(queries, limitedByQueries); + return Objects.hash(listOfQueries); } } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java index 3b8a18ac0ff92..42729bebec943 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java @@ -69,6 +69,7 @@ import java.io.Closeable; import java.io.IOException; +import java.io.UncheckedIOException; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; @@ -429,13 +430,17 @@ private boolean canAccess( Collections.emptyMap() ); - // Unfiltered access is allowed when both base role and limiting role allow it. - return hasMatchAllEquivalent(indexAccessControl.getDocumentPermissions().getQueries(), securityContext, queryShardContext) - && hasMatchAllEquivalent( - indexAccessControl.getDocumentPermissions().getLimitedByQueries(), - securityContext, - queryShardContext - ); + // Current user has potentially many roles and therefore potentially many queries + // defining sets of docs accessible + final List> listOfQueries = indexAccessControl.getDocumentPermissions().getListOfQueries(); + + // When the user is an API Key, its role is a limitedRole and its effective document permissions + // are intersections of the two sets of queries, one belongs to the API key itself and the other belongs + // to the owner user. To allow unfiltered access to termsDict, both sets of the queries must have + // the "all" permission, i.e. the query can be rewritten into a MatchAll query. + // The following code loop through both sets queries and returns true only when both of them + // have the "all" permission. + return listOfQueries.stream().allMatch(queries -> hasMatchAllEquivalent(queries, securityContext, queryShardContext)); } } return true; @@ -445,7 +450,7 @@ private boolean hasMatchAllEquivalent( Set queries, SecurityContext securityContext, SearchExecutionContext queryShardContext - ) throws IOException { + ) { if (queries == null) { return true; } @@ -458,7 +463,12 @@ private boolean hasMatchAllEquivalent( queryShardContext.getParserConfig().registry(), securityContext.getUser() ); - QueryBuilder rewrittenQueryBuilder = Rewriteable.rewrite(queryBuilder, queryShardContext); + QueryBuilder rewrittenQueryBuilder; + try { + rewrittenQueryBuilder = Rewriteable.rewrite(queryBuilder, queryShardContext); + } catch (IOException e) { + throw new UncheckedIOException(e); + } if (rewrittenQueryBuilder instanceof MatchAllQueryBuilder) { // One of the roles assigned has "all" permissions - allow unfettered access to termsDict return true; diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissionsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissionsTests.java index ee0af8c6110c7..756dad9afbe96 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissionsTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissionsTests.java @@ -22,9 +22,10 @@ import java.util.Arrays; import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; +import java.util.stream.IntStream; -import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.notNullValue; @@ -40,28 +41,38 @@ public void testHasDocumentPermissions() throws IOException { assertThat(documentPermissions1.hasDocumentLevelPermissions(), is(false)); assertThat(documentPermissions1.filter(null, null, null, null), is(nullValue())); - Set queries = Collections.singleton(new BytesArray("{\"match_all\" : {}}")); + final Set queries = Collections.singleton(new BytesArray("{\"match_all\" : {}}")); final DocumentPermissions documentPermissions2 = DocumentPermissions.filteredBy(queries); assertThat(documentPermissions2, is(notNullValue())); assertThat(documentPermissions2.hasDocumentLevelPermissions(), is(true)); - assertThat(documentPermissions2.getQueries(), equalTo(queries)); + assertThat(documentPermissions2.getListOfQueries(), equalTo(List.of(queries))); final DocumentPermissions documentPermissions3 = documentPermissions1.limitDocumentPermissions(documentPermissions2); assertThat(documentPermissions3, is(notNullValue())); assertThat(documentPermissions3.hasDocumentLevelPermissions(), is(true)); - assertThat(documentPermissions3.getQueries(), is(nullValue())); - assertThat(documentPermissions3.getLimitedByQueries(), equalTo(queries)); + assertThat(documentPermissions3.getListOfQueries(), equalTo(List.of(queries))); final DocumentPermissions documentPermissions4 = DocumentPermissions.allowAll() .limitDocumentPermissions(DocumentPermissions.allowAll()); assertThat(documentPermissions4, is(notNullValue())); assertThat(documentPermissions4.hasDocumentLevelPermissions(), is(false)); - AssertionError ae = expectThrows( - AssertionError.class, - () -> DocumentPermissions.allowAll().limitDocumentPermissions(documentPermissions3) - ); - assertThat(ae.getMessage(), containsString("nested scoping for document permissions is not permitted")); + final DocumentPermissions documentPermissions5 = DocumentPermissions.allowAll().limitDocumentPermissions(documentPermissions3); + assertThat(documentPermissions5, is(notNullValue())); + assertThat(documentPermissions5.hasDocumentLevelPermissions(), is(true)); + assertThat(documentPermissions5.getListOfQueries(), equalTo(List.of(queries))); + } + + public void testMultipleSetsOfQueries() { + final Set queries = Collections.singleton(new BytesArray("{\"match_all\" : {}}")); + DocumentPermissions documentPermissions = DocumentPermissions.allowAll(); + final int nSets = randomIntBetween(2, 8); + for (int i = 0; i < nSets; i++) { + documentPermissions = documentPermissions.limitDocumentPermissions(DocumentPermissions.filteredBy(queries)); + } + + assertThat(documentPermissions.hasDocumentLevelPermissions(), is(true)); + assertThat(documentPermissions.getListOfQueries(), equalTo(IntStream.range(0, nSets).mapToObj(i -> queries).toList())); } public void testFailIfQueryUsesClient() throws Exception { @@ -79,47 +90,35 @@ public void testFailIfQueryUsesClient() throws Exception { public void testWriteCacheKeyWillDistinguishBetweenQueriesAndLimitedByQueries() throws IOException { final BytesStreamOutput out0 = new BytesStreamOutput(); - final DocumentPermissions documentPermissions0 = new DocumentPermissions( + final DocumentPermissions documentPermissions0 = DocumentPermissions.filteredBy( Set.of( new BytesArray("{\"term\":{\"q1\":\"v1\"}}"), new BytesArray("{\"term\":{\"q2\":\"v2\"}}"), new BytesArray("{\"term\":{\"q3\":\"v3\"}}") - ), - null + ) ); documentPermissions0.buildCacheKey(out0, BytesReference::utf8ToString); final BytesStreamOutput out1 = new BytesStreamOutput(); - final DocumentPermissions documentPermissions1 = new DocumentPermissions( - Set.of(new BytesArray("{\"term\":{\"q1\":\"v1\"}}"), new BytesArray("{\"term\":{\"q2\":\"v2\"}}")), - Set.of(new BytesArray("{\"term\":{\"q3\":\"v3\"}}")) - ); + final DocumentPermissions documentPermissions1 = DocumentPermissions.filteredBy( + Set.of(new BytesArray("{\"term\":{\"q1\":\"v1\"}}"), new BytesArray("{\"term\":{\"q2\":\"v2\"}}")) + ).limitDocumentPermissions(DocumentPermissions.filteredBy(Set.of(new BytesArray("{\"term\":{\"q3\":\"v3\"}}")))); documentPermissions1.buildCacheKey(out1, BytesReference::utf8ToString); final BytesStreamOutput out2 = new BytesStreamOutput(); - final DocumentPermissions documentPermissions2 = new DocumentPermissions( - Set.of(new BytesArray("{\"term\":{\"q1\":\"v1\"}}")), - Set.of(new BytesArray("{\"term\":{\"q2\":\"v2\"}}"), new BytesArray("{\"term\":{\"q3\":\"v3\"}}")) - ); + final DocumentPermissions documentPermissions2 = DocumentPermissions.filteredBy( + Set.of(new BytesArray("{\"term\":{\"q1\":\"v1\"}}")) + ) + .limitDocumentPermissions( + DocumentPermissions.filteredBy( + Set.of(new BytesArray("{\"term\":{\"q2\":\"v2\"}}"), new BytesArray("{\"term\":{\"q3\":\"v3\"}}")) + ) + ); documentPermissions2.buildCacheKey(out2, BytesReference::utf8ToString); - final BytesStreamOutput out3 = new BytesStreamOutput(); - final DocumentPermissions documentPermissions3 = new DocumentPermissions( - null, - Set.of( - new BytesArray("{\"term\":{\"q1\":\"v1\"}}"), - new BytesArray("{\"term\":{\"q2\":\"v2\"}}"), - new BytesArray("{\"term\":{\"q3\":\"v3\"}}") - ) - ); - documentPermissions3.buildCacheKey(out3, BytesReference::utf8ToString); - assertThat(Arrays.equals(BytesReference.toBytes(out0.bytes()), BytesReference.toBytes(out1.bytes())), is(false)); assertThat(Arrays.equals(BytesReference.toBytes(out0.bytes()), BytesReference.toBytes(out2.bytes())), is(false)); - assertThat(Arrays.equals(BytesReference.toBytes(out0.bytes()), BytesReference.toBytes(out3.bytes())), is(false)); assertThat(Arrays.equals(BytesReference.toBytes(out1.bytes()), BytesReference.toBytes(out2.bytes())), is(false)); - assertThat(Arrays.equals(BytesReference.toBytes(out1.bytes()), BytesReference.toBytes(out3.bytes())), is(false)); - assertThat(Arrays.equals(BytesReference.toBytes(out2.bytes()), BytesReference.toBytes(out3.bytes())), is(false)); } public void testHasStoredScript() throws IOException { @@ -131,9 +130,10 @@ public void testHasStoredScript() throws IOException { if (hasStoredScript) { queries.add(new BytesArray("{\"template\":{\"id\":\"my-script\"}}")); } - final DocumentPermissions documentPermissions0 = randomBoolean() - ? new DocumentPermissions(queries, null) - : new DocumentPermissions(null, queries); + if (queries.isEmpty() || randomBoolean()) { + queries.add(new BytesArray("{\"term\":{\"tag\":\"prod\"}}")); + } + final DocumentPermissions documentPermissions0 = DocumentPermissions.filteredBy(queries); assertThat(documentPermissions0.hasStoredScript(), is(hasStoredScript)); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControlTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControlTests.java index 9d3b7dbe20507..05a10260375f5 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControlTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControlTests.java @@ -150,7 +150,7 @@ public void testLimitedIndicesAccessControl() { final DocumentPermissions documentPermissions1 = DocumentPermissions.filteredBy(queries); assertThat(documentPermissions1, is(notNullValue())); assertThat(documentPermissions1.hasDocumentLevelPermissions(), is(true)); - assertThat(documentPermissions1.getQueries(), equalTo(queries)); + assertThat(documentPermissions1.getSingleSetOfQueries(), equalTo(queries)); final DocumentPermissions documentPermissions2 = DocumentPermissions.filteredBy( Set.of(new BytesArray("{\"term\":{ \"public\":true } }")) @@ -175,8 +175,7 @@ public void testLimitedIndicesAccessControl() { assertThat(result.getIndexPermissions("_index"), is(notNullValue())); assertThat(result.getIndexPermissions("_index").getFieldPermissions().hasFieldLevelSecurity(), is(false)); assertThat(result.getIndexPermissions("_index").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(result.getIndexPermissions("_index").getDocumentPermissions().getQueries(), is(nullValue())); - assertThat(result.getIndexPermissions("_index").getDocumentPermissions().getLimitedByQueries(), equalTo(queries)); + assertThat(result.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), equalTo(queries)); assertThat(result.getIndicesWithFieldOrDocumentLevelSecurity(), containsInAnyOrder("_index", "another-index")); assertThat(result.getIndicesWithFieldLevelSecurity(), emptyIterable()); assertThat(result.getIndicesWithDocumentLevelSecurity(), containsInAnyOrder("_index", "another-index")); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java index 18ef6a14e1513..ea0e786bee6f0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java @@ -79,8 +79,8 @@ public void testAuthorize() { assertTrue(permissions.getIndexPermissions("_index").getFieldPermissions().grantsAccessTo("_field")); assertTrue(permissions.getIndexPermissions("_index").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), hasSize(1)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), equalTo(query)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), hasSize(1)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), equalTo(query)); // no document level security: role = Role.builder(RESTRICTED_INDICES, "_role") @@ -91,7 +91,7 @@ public void testAuthorize() { assertTrue(permissions.getIndexPermissions("_index").getFieldPermissions().grantsAccessTo("_field")); assertTrue(permissions.getIndexPermissions("_index").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().hasDocumentLevelPermissions(), is(false)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), nullValue()); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getListOfQueries(), nullValue()); // no field level security: role = Role.builder(RESTRICTED_INDICES, "_role") @@ -101,8 +101,8 @@ public void testAuthorize() { assertThat(permissions.getIndexPermissions("_index"), notNullValue()); assertFalse(permissions.getIndexPermissions("_index").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), hasSize(1)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), equalTo(query)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), hasSize(1)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), equalTo(query)); // index group associated with an alias: role = Role.builder(RESTRICTED_INDICES, "_role") @@ -113,15 +113,15 @@ public void testAuthorize() { assertTrue(permissions.getIndexPermissions("_index").getFieldPermissions().grantsAccessTo("_field")); assertTrue(permissions.getIndexPermissions("_index").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), hasSize(1)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), equalTo(query)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), hasSize(1)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), equalTo(query)); assertThat(permissions.getIndexPermissions("_alias"), notNullValue()); assertTrue(permissions.getIndexPermissions("_alias").getFieldPermissions().grantsAccessTo("_field")); assertTrue(permissions.getIndexPermissions("_alias").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getQueries(), hasSize(1)); - assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getQueries(), equalTo(query)); + assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getSingleSetOfQueries(), hasSize(1)); + assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getSingleSetOfQueries(), equalTo(query)); // match all fields String[] allFields = randomFrom( @@ -136,14 +136,14 @@ public void testAuthorize() { assertThat(permissions.getIndexPermissions("_index"), notNullValue()); assertFalse(permissions.getIndexPermissions("_index").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), hasSize(1)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), equalTo(query)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), hasSize(1)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), equalTo(query)); assertThat(permissions.getIndexPermissions("_alias"), notNullValue()); assertFalse(permissions.getIndexPermissions("_alias").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getQueries(), hasSize(1)); - assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getQueries(), equalTo(query)); + assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getSingleSetOfQueries(), hasSize(1)); + assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getSingleSetOfQueries(), equalTo(query)); IndexMetadata.Builder imbBuilder1 = IndexMetadata.builder("_index_1") .settings( @@ -168,20 +168,20 @@ public void testAuthorize() { assertThat(permissions.getIndexPermissions("_index"), notNullValue()); assertFalse(permissions.getIndexPermissions("_index").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), hasSize(2)); - assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getQueries(), equalTo(bothQueries)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), hasSize(2)); + assertThat(permissions.getIndexPermissions("_index").getDocumentPermissions().getSingleSetOfQueries(), equalTo(bothQueries)); assertThat(permissions.getIndexPermissions("_index_1"), notNullValue()); assertFalse(permissions.getIndexPermissions("_index_1").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_index_1").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_index_1").getDocumentPermissions().getQueries(), hasSize(2)); - assertThat(permissions.getIndexPermissions("_index_1").getDocumentPermissions().getQueries(), equalTo(bothQueries)); + assertThat(permissions.getIndexPermissions("_index_1").getDocumentPermissions().getSingleSetOfQueries(), hasSize(2)); + assertThat(permissions.getIndexPermissions("_index_1").getDocumentPermissions().getSingleSetOfQueries(), equalTo(bothQueries)); assertThat(permissions.getIndexPermissions("_alias"), notNullValue()); assertFalse(permissions.getIndexPermissions("_alias").getFieldPermissions().hasFieldLevelSecurity()); assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().hasDocumentLevelPermissions(), is(true)); - assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getQueries(), hasSize(2)); - assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getQueries(), equalTo(bothQueries)); + assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getSingleSetOfQueries(), hasSize(2)); + assertThat(permissions.getIndexPermissions("_alias").getDocumentPermissions().getSingleSetOfQueries(), equalTo(bothQueries)); }