Refactor Privileges API/Store to use separate class

server/src/main/java/org/elasticsearch/common/io/stream/StreamInput.java

@@ -71,7 +71,6 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
-import java.util.function.Function;
 import java.util.function.IntFunction;
 import java.util.function.Supplier;
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/DeletePrivilegesAction.java

@@ -6,7 +6,6 @@
 package org.elasticsearch.xpack.core.security.action.privilege;
 
 import org.elasticsearch.action.Action;
-import org.elasticsearch.client.ElasticsearchClient;
 
 /**
  * Action for deleting application privileges.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/DeletePrivilegesRequestBuilder.java

@@ -9,8 +9,6 @@
 import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.ElasticsearchClient;
 
-import java.util.Collection;
-
 /**
  * Builder for {@link DeletePrivilegesRequest}
  */

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/GetPrivilegesAction.java

@@ -6,7 +6,6 @@
 package org.elasticsearch.xpack.core.security.action.privilege;
 
 import org.elasticsearch.action.Action;
-import org.elasticsearch.client.ElasticsearchClient;
 
 /**
  * Action for retrieving one or more application privileges from the security index

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/GetPrivilegesResponse.java

@@ -8,7 +8,7 @@
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
-import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
 
 import java.io.IOException;
 import java.util.Collection;
@@ -18,24 +18,24 @@
  */
 public final class GetPrivilegesResponse extends ActionResponse {
 
-    private ApplicationPrivilege[] privileges;
+    private ApplicationPrivilegeDescriptor[] privileges;
 
-    public GetPrivilegesResponse(ApplicationPrivilege... privileges) {
+    public GetPrivilegesResponse(ApplicationPrivilegeDescriptor... privileges) {
         this.privileges = privileges;
     }
 
-    public GetPrivilegesResponse(Collection<ApplicationPrivilege> privileges) {
-        this(privileges.toArray(new ApplicationPrivilege[privileges.size()]));
+    public GetPrivilegesResponse(Collection<ApplicationPrivilegeDescriptor> privileges) {
+        this(privileges.toArray(new ApplicationPrivilegeDescriptor[privileges.size()]));
     }
 
-    public ApplicationPrivilege[] privileges() {
+    public ApplicationPrivilegeDescriptor[] privileges() {
         return privileges;
     }
 
     @Override
     public void readFrom(StreamInput in) throws IOException {
         super.readFrom(in);
-        this.privileges = in.readArray(ApplicationPrivilege::readFrom, ApplicationPrivilege[]::new);
+        this.privileges = in.readArray(ApplicationPrivilegeDescriptor::new, ApplicationPrivilegeDescriptor[]::new);
     }
 
     @Override

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesAction.java

@@ -6,7 +6,6 @@
 package org.elasticsearch.xpack.core.security.action.privilege;
 
 import org.elasticsearch.action.Action;
-import org.elasticsearch.client.ElasticsearchClient;
 
 /**
  * Action for putting (adding/updating) one or more application privileges.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequest.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 
 import java.io.IOException;
@@ -28,7 +29,7 @@
  */
 public final class PutPrivilegesRequest extends ActionRequest implements WriteRequest<PutPrivilegesRequest> {
 
-    private List<ApplicationPrivilege> privileges;
+    private List<ApplicationPrivilegeDescriptor> privileges;
     private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
 
     public PutPrivilegesRequest() {
@@ -38,19 +39,31 @@ public PutPrivilegesRequest() {
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException validationException = null;
-        for (ApplicationPrivilege privilege : privileges) {
+        for (ApplicationPrivilegeDescriptor privilege : privileges) {
             try {
                 ApplicationPrivilege.validateApplicationName(privilege.getApplication());
             } catch (IllegalArgumentException e) {
                 validationException = addValidationError(e.getMessage(), validationException);
             }
-            if (privilege.name().size() != 1) {
-                validationException = addValidationError("application privileges must have a single name (found " +
-                    privilege.name() + ")", validationException);
+            try {
+                ApplicationPrivilege.validatePrivilegeName(privilege.getName());
+            } catch (IllegalArgumentException e) {
+                validationException = addValidationError(e.getMessage(), validationException);
+            }
+            for (String action : privilege.getActions()) {
+                if (action.indexOf('/') == -1 && action.indexOf('*') == -1 && action.indexOf(':') == -1) {
+                    validationException = addValidationError("action [" + action + "] must contain one of [ '/' , '*' , ':' ]",
+                        validationException);
+                }
+                try {
+                    ApplicationPrivilege.validatePrivilegeOrActionName(action);
+                } catch (IllegalArgumentException e) {
+                    validationException = addValidationError(e.getMessage(), validationException);
+                }
             }
             if (MetadataUtils.containsReservedMetadata(privilege.getMetadata())) {
                 validationException = addValidationError("metadata keys may not start with [" + MetadataUtils.RESERVED_PREFIX
-                    + "] (in privilege " + privilege.name() + ")", validationException);
+                    + "] (in privilege " + privilege.getApplication() + ' ' + privilege.getName() + ")", validationException);
             }
         }
         return validationException;
@@ -71,11 +84,11 @@ public PutPrivilegesRequest setRefreshPolicy(RefreshPolicy refreshPolicy) {
         return this;
     }
 
-    public List<ApplicationPrivilege> getPrivileges() {
+    public List<ApplicationPrivilegeDescriptor> getPrivileges() {
         return privileges;
     }
 
-    public void setPrivileges(Collection<ApplicationPrivilege> privileges) {
+    public void setPrivileges(Collection<ApplicationPrivilegeDescriptor> privileges) {
         this.privileges = Collections.unmodifiableList(new ArrayList<>(privileges));
     }
 
@@ -88,7 +101,7 @@ public String toString() {
     @Override
     public void readFrom(StreamInput in) throws IOException {
         super.readFrom(in);
-        privileges = Collections.unmodifiableList(in.readList(ApplicationPrivilege::readFrom));
+        privileges = Collections.unmodifiableList(in.readList(ApplicationPrivilegeDescriptor::new));
         refreshPolicy = RefreshPolicy.readFrom(in);
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/privilege/PutPrivilegesRequestBuilder.java

@@ -15,7 +15,7 @@
 import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.XContentType;
-import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -51,7 +51,7 @@ public PutPrivilegesRequestBuilder source(String applicationName, String expecte
                 token = parser.nextToken();
             }
             if (token == XContentParser.Token.START_OBJECT) {
-                final ApplicationPrivilege privilege = parsePrivilege(parser, applicationName, expectedName);
+                final ApplicationPrivilegeDescriptor privilege = parsePrivilege(parser, applicationName, expectedName);
                 this.request.setPrivileges(Collections.singleton(privilege));
             } else {
                 throw new ElasticsearchParseException("expected an object but found {} instead", token);
@@ -60,8 +60,8 @@ public PutPrivilegesRequestBuilder source(String applicationName, String expecte
         return this;
     }
 
-    ApplicationPrivilege parsePrivilege(XContentParser parser, String applicationName, String privilegeName) throws IOException {
-        final ApplicationPrivilege privilege = ApplicationPrivilege.parse(parser, applicationName, privilegeName, false);
+    ApplicationPrivilegeDescriptor parsePrivilege(XContentParser parser, String applicationName, String privilegeName) throws IOException {
+        ApplicationPrivilegeDescriptor privilege = ApplicationPrivilegeDescriptor.parse(parser, applicationName, privilegeName, false);
         checkPrivilegeName(privilege, applicationName, privilegeName);
         return privilege;
     }
@@ -87,7 +87,7 @@ public PutPrivilegesRequestBuilder source(BytesReference source, XContentType xC
                 throw new ElasticsearchParseException("expected object but found {} instead", token);
             }
 
-            List<ApplicationPrivilege> privileges = new ArrayList<>();
+            List<ApplicationPrivilegeDescriptor> privileges = new ArrayList<>();
             while (parser.nextToken() != XContentParser.Token.END_OBJECT) {
                 token = parser.currentToken();
                 assert token == XContentParser.Token.FIELD_NAME : "Invalid token " + token;
@@ -117,12 +117,8 @@ public PutPrivilegesRequestBuilder source(BytesReference source, XContentType xC
         return this;
     }
 
-    private String checkPrivilegeName(ApplicationPrivilege privilege, String applicationName, String providedName) {
-        if (privilege.name().size() != 1) {
-            throw new IllegalArgumentException("privilege name [" + privilege.name()
-                + "] in source must contain exactly 1 value");
-        }
-        final String privilegeName = privilege.getPrivilegeName();
+    private void checkPrivilegeName(ApplicationPrivilegeDescriptor privilege, String applicationName, String providedName) {
+        final String privilegeName = privilege.getName();
         if (Strings.isNullOrEmpty(applicationName) == false && applicationName.equals(privilege.getApplication()) == false) {
             throw new IllegalArgumentException("privilege application [" + privilege.getApplication()
                 + "] in source does not match the provided application [" + applicationName + "]");
@@ -131,6 +127,5 @@ private String checkPrivilegeName(ApplicationPrivilege privilege, String applica
             throw new IllegalArgumentException("privilege name [" + privilegeName
                 + "] in source does not match the provided name [" + providedName + "]");
         }
-        return privilegeName;
     }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequest.java

@@ -14,6 +14,7 @@
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 
 import java.io.IOException;
@@ -47,9 +48,25 @@ public ActionRequestValidationException validate() {
         if (name == null) {
             validationException = addValidationError("role name is missing", validationException);
         }
+        if(applicationPrivileges != null) {
+            for (RoleDescriptor.ApplicationResourcePrivileges privilege : applicationPrivileges) {
+                try {
+                    ApplicationPrivilege.validateApplicationNameOrWildcard(privilege.getApplication());
+                } catch (IllegalArgumentException e) {
+                    validationException = addValidationError(e.getMessage(), validationException);
+                }
+                for (String name : privilege.getPrivileges()) {
+                    try {
+                        ApplicationPrivilege.validatePrivilegeOrActionName(name);
+                    } catch (IllegalArgumentException e) {
+                        validationException = addValidationError(e.getMessage(), validationException);
+                    }
+                }
+            }
+        }
         if (metadata != null && MetadataUtils.containsReservedMetadata(metadata)) {
             validationException =
-                    addValidationError("metadata keys may not start with [" + MetadataUtils.RESERVED_PREFIX + "]", validationException);
+                addValidationError("metadata keys may not start with [" + MetadataUtils.RESERVED_PREFIX + "]", validationException);
         }
         return validationException;
     }
@@ -81,13 +98,6 @@ void addApplicationPrivileges(RoleDescriptor.ApplicationResourcePrivileges... pr
         this.applicationPrivileges.addAll(Arrays.asList(privileges));
     }
 
-    public void addApplicationPrivilege(String[] privileges, String[] resources) {
-        this.applicationPrivileges.add(RoleDescriptor.ApplicationResourcePrivileges.builder()
-                .resources(resources)
-                .privileges(privileges)
-                .build());
-    }
-
     public void runAs(String... usernames) {
         this.runAs = usernames;
     }
@@ -169,4 +179,4 @@ public RoleDescriptor roleDescriptor() {
                 metadata,
                 Collections.emptyMap());
     }
-}
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/user/HasPrivilegesResponse.java

@@ -54,6 +54,10 @@ public List<ResourcePrivileges> getIndexPrivileges() {
         return Collections.unmodifiableList(index);
     }
 
+    /**
+     * Retrieves the results from checking application privileges,
+     * @return A {@code Map} keyed by application-name
+     */
     public Map<String, List<ResourcePrivileges>> getApplicationPrivileges() {
         return Collections.unmodifiableMap(application);
     }