Fixing Api key related privilege check which expects request and

authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context.
2025-04-25 07:37:19 -04:00 · 2021-01-31 20:01:14 +01:00 · 2021-01-31 20:01:14 +01:00 · 72b9aefe1f
commit 72b9aefe1f
parent 7dd8fe7dd2
4 changed files with 39 additions and 1 deletions
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/ClusterPermission.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/ClusterPermission.java
@ -46,6 +46,16 @@ public class ClusterPermission {
        return checks.stream().anyMatch(permission -> permission.check(action, request, authentication));
    }

+    /**
+     * Checks permission to a cluster action.
+     *
+     * @param action  cluster action
+     * @return {@code true} if the specified action execution can be granted by given permission else returns {@code false}
+     */
+    public boolean check(final String action) {
+        return checks.stream().anyMatch(permission -> permission.check(action));
+    }
+
    /**
     * Checks if the specified {@link ClusterPermission}'s actions are implied by this {@link ClusterPermission}
     *
@ -145,6 +155,14 @@ public class ClusterPermission {
         */
        boolean check(String action, TransportRequest request, Authentication authentication);

+        /**
+         * Checks permission to a cluster action regardless of the request and authentication context.
+         *
+         * @param action  action name
+         * @return {@code true} if the specified action execution can be granted by given permission else returns {@code false}
+         */
+        boolean check(String action);
+
        /**
         * Checks whether specified {@link PermissionCheck} is implied by this {@link PermissionCheck}.<br>
         * This is important method to be considered during implementation as it compares {@link PermissionCheck}s.
@ -177,6 +195,11 @@ public class ClusterPermission {
            return actionPredicate.test(action) && extendedCheck(action, request, authentication);
        }

+        @Override
+        public final boolean check(final String action) {
+            return actionPredicate.test(action);
+        }
+
        protected abstract boolean extendedCheck(String action, TransportRequest request, Authentication authentication);

        @Override
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@ -244,6 +244,20 @@ public class ClusterPrivilegeResolver {
            .collect(Collectors.toUnmodifiableList());
    }

+    /**
+     * Returns the names of privileges that grant the specified action.
+     * @return A collection of names, ordered (to the extent possible) from least privileged (e.g. {@link #MONITOR})
+     * to most privileged (e.g. {@link #ALL})
+     * @see #sortByAccessLevel(Collection)
+     * @see org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission#check(String)
+     */
+    public static Collection<String> findPrivilegesThatGrant(String action) {
+        return VALUES.entrySet().stream()
+            .filter(e -> e.getValue().permission().check(action))
+            .map(Map.Entry::getKey)
+            .collect(Collectors.toUnmodifiableList());
+    }
+
    /**
     * Sorts the collection of privileges from least-privilege to most-privilege (to the extent possible),
     * returning them in a sorted map keyed by name.
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
@ -1467,7 +1467,7 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {

        private boolean ignoreClusterPrivilegesPredicateTest(String action) {
            if (ignoreClusterPrivilegesPredicate.test(action)) return true;
-            Collection<String> privileges = ClusterPrivilegeResolver.findPrivilegesThatGrant(action, null, null);
+            Collection<String> privileges = ClusterPrivilegeResolver.findPrivilegesThatGrant(action);
            return privileges != null && privileges.stream().anyMatch((s) -> ignoreClusterPrivilegesPredicate.test(s));
        }

--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
@ -1996,6 +1996,7 @@ public class LoggingAuditTrailFilterTests extends ESTestCase {
            "cluster:admin/xpack/security/saml/*",
            "cluster:admin/xpack/security/oidc/*",
            "cluster:admin/xpack/security/token/*",
+            "cluster:admin/xpack/security/api_key/*",
            "cluster:monitor/*",
            "cluster:monitor/xpack/ml/*",
            "cluster:monitor/text_structure/*",