fix bugs

Author: ywangd

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java

@@ -29,7 +29,6 @@
  */
 public class IndicesAccessControl {
 
-    public static final IndicesAccessControl ALLOW_ALL = new IndicesAccessControl(true, Collections.emptyMap());
     public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true,
             Collections.singletonMap(IndicesAndAliasesResolverField.NO_INDEX_PLACEHOLDER,
                     new IndicesAccessControl.IndexAccessControl(true, new FieldPermissions(), DocumentPermissions.allowAll())));
@@ -179,6 +178,12 @@ public int hashCode() {
      * @return {@link IndicesAccessControl}
      */
     public IndicesAccessControl limitIndicesAccessControl(IndicesAccessControl limitedByIndicesAccessControl) {
+        if (this instanceof AllowAllIndicesAccessControl) {
+            return limitedByIndicesAccessControl;
+        } else if (limitedByIndicesAccessControl instanceof AllowAllIndicesAccessControl) {
+            return this;
+        }
+
         final boolean granted;
         if (this.granted == limitedByIndicesAccessControl.granted) {
             granted = this.granted;
@@ -205,4 +210,38 @@ public String toString() {
                 ", indexPermissions=" + indexPermissions +
                 '}';
     }
+
+    public boolean isAllowAll() {
+        return this == AllowAllIndicesAccessControl.ALLOW_ALL_INDICES_ACCESS_CONTROL;
+    }
+
+    public static IndicesAccessControl allowAll() {
+        return AllowAllIndicesAccessControl.ALLOW_ALL_INDICES_ACCESS_CONTROL;
+    }
+
+    private static class AllowAllIndicesAccessControl extends IndicesAccessControl {
+
+        private static final IndicesAccessControl ALLOW_ALL_INDICES_ACCESS_CONTROL = new AllowAllIndicesAccessControl();
+        private static final IndexAccessControl ALLOW_ALL_INDEX_ACCESS_CONTROL = new IndexAccessControl(true, null, null);
+
+        private AllowAllIndicesAccessControl() {
+            super(true, null);
+        }
+
+        @Override
+        public IndexAccessControl getIndexPermissions(String index) {
+            return ALLOW_ALL_INDEX_ACCESS_CONTROL;
+        }
+
+        @Override
+        public boolean isGranted() {
+            return true;
+        }
+
+        @Override
+        public Collection<?> getDeniedIndices() {
+            return Set.of();
+        }
+    }
+
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -507,7 +507,7 @@ public static class Group {
         private final IndexPrivilege privilege;
         private final Predicate<String> actionMatcher;
         private final String[] indices;
-        private final Predicate<String> indexNameMatcher;
+        private final StringMatcher indexNameMatcher;
         private final Supplier<Automaton> indexNameAutomaton;
         private final FieldPermissions fieldPermissions;
         private final Set<BytesReference> query;
@@ -578,7 +578,7 @@ public Automaton getIndexMatcherAutomaton() {
 
         public boolean isTotal() {
             return allowRestrictedIndices
-                && indexNameMatcher == StringMatcher.ALWAYS_TRUE_PREDICATE
+                && indexNameMatcher.isTotal()
                 && privilege == IndexPrivilege.ALL
                 && query == null
                 && false == fieldPermissions.hasFieldLevelSecurity();

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java

@@ -84,11 +84,6 @@ public IndicesAccessControl authorize(String action, Set<String> requestedIndice
             super.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache);
         IndicesAccessControl limitedByIndicesAccessControl = limitedBy.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup,
                 fieldPermissionsCache);
-
-        if (indicesAccessControl == IndicesAccessControl.ALLOW_ALL && limitedByIndicesAccessControl == IndicesAccessControl.ALLOW_ALL) {
-            return IndicesAccessControl.ALLOW_ALL;
-        }
-
         return indicesAccessControl.limitIndicesAccessControl(limitedByIndicesAccessControl);
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -189,7 +189,7 @@ public IndicesAccessControl authorize(String action, Set<String> requestedIndice
         );
         // Quick path for role that has access to all indices
         if (indexPermissions == null) {
-            return IndicesAccessControl.ALLOW_ALL;
+            return IndicesAccessControl.allowAll();
         }
 
         // At least one role / indices permission set need to match with all the requested indices/aliases:

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java

@@ -36,7 +36,7 @@ public class StringMatcher implements Predicate<String> {
 
     private static final StringMatcher MATCH_NOTHING = new StringMatcher("(empty)", s -> false);
 
-    public static final Predicate<String> ALWAYS_TRUE_PREDICATE = s -> true;
+    protected static final Predicate<String> ALWAYS_TRUE_PREDICATE = s -> true;
 
     private final String description;
     private final Predicate<String> predicate;
@@ -69,6 +69,10 @@ public boolean test(String s) {
         return predicate.test(s);
     }
 
+    public boolean isTotal() {
+        return predicate == ALWAYS_TRUE_PREDICATE;
+    }
+
     // For testing
     Predicate<String> getPredicate() {
         return predicate;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java

@@ -336,7 +336,7 @@ private void authorizeAction(final RequestInfo requestInfo, final String request
         if (ClusterPrivilegeResolver.isClusterAction(action)) {
             final ActionListener<AuthorizationResult> clusterAuthzListener =
                 wrapPreservingContext(new AuthorizationResultListener<>(result -> {
-                        threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL);
+                        threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll());
                         listener.onResponse(null);
                     }, listener::onFailure, requestInfo, requestId, authzInfo), threadContext);
             authzEngine.authorizeClusterAction(requestInfo, authzInfo, ActionListener.wrap(result -> {
@@ -508,7 +508,7 @@ private void authorizeSystemUser(final Authentication authentication, final Stri
                                      final TransportRequest request, final ActionListener<Void> listener) {
         final AuditTrail auditTrail = auditTrailService.get();
         if (SystemUser.isAuthorized(action)) {
-            threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL);
+            threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll());
             threadContext.putTransient(AUTHORIZATION_INFO_KEY, SYSTEM_AUTHZ_INFO);
             auditTrail.accessGranted(requestId, authentication, action, request, SYSTEM_AUTHZ_INFO);
             listener.onResponse(null);