From 8e06688a015b4ed2ffa5ec0420276d8f27bc4c14 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Thu, 2 Nov 2023 21:06:58 +0100 Subject: [PATCH] Sec index state listener --- .../xpack/security/Security.java | 2 ++ .../mapper/NativeRoleMappingStore.java | 20 +++++++++++-------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 42b4c8c459eb0..db876c916e44c 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -1018,6 +1018,8 @@ Collection createComponents( reservedRoleMappingAction.set(new ReservedRoleMappingAction(nativeRoleMappingStore)); systemIndices.getMainIndexManager().onStateRecovered(state -> reservedRoleMappingAction.get().securityIndexRecovered()); + // How do we wait for role mappings to be available instead of only the security index? + systemIndices.getMainIndexManager().onStateRecovered(state -> nativeRoleMappingStore.loadCache()); cacheInvalidatorRegistry.validate(); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java index b3e8491468da9..908fb17cc6df9 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java 
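Review bot: The comment added in `createComponents` is an open question rather than documentation, and the listener registered under it acts on the weaker condition the comment itself doubts. `onStateRecovered` triggers `nativeRoleMappingStore.loadCache()` with no visible check that role mappings can actually be read at that point. `loadCache()` only logs on failure (see the NativeRoleMappingStore hunk), so as far as this patch shows, a load that runs too early leaves the cache unpopulated with nothing scheduled to retry it. Resolve the question before merging, or replace it with a tracked note such as `// TODO(<issue-id>): trigger loadCache() once role mappings are searchable, not only when the security index state is recovered`. The body of `createComponents` continues outside the hunk.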
@@ -145,13 +145,6 @@ protected void loadMappings(ActionListener> listener new ContextPreservingActionListener<>(supplier, ActionListener.wrap((Collection mappings) -> { final List mappingList = mappings.stream().filter(Objects::nonNull).toList(); logger.debug("successfully loaded [{}] role-mapping(s) from [{}]", mappingList.size(), securityIndex.aliasName()); - // TODO hack hack hack - if (cache != null) { - cache.invalidateAll(); - for (var mapping : mappingList) { - cache.put(mapping.getName(), mapping); - } - } listener.onResponse(mappingList); }, ex -> { logger.error( @@ -165,6 +158,17 @@ protected void loadMappings(ActionListener> listener } } + public void loadCache() { + if (cache != null) { + loadMappings(ActionListener.wrap(roleMappings -> { + cache.invalidateAll(); + for (var roleMapping : roleMappings) { + cache.put(roleMapping.getName(), roleMapping); + } + }, logger::error)); + } + } + protected static ExpressionRoleMapping buildMapping(String id, BytesReference source) { try ( InputStream stream = source.streamInput(); @@ -370,7 +374,7 @@ public void onSecurityIndexStateChange(SecurityIndexManager.State previousState, refreshRealms(ActionListener.noop(), null); // TODO is this what we want? if (cache != null) { - // re-load cache, yikes... + // reload cache, yikes... getMappings(ActionListener.noop()); } }
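Review bot: The failure handler in the new `loadCache()` is `logger::error`, which passes only the exception to the logger, so the log entry does not say that the role-mapping cache reload failed. On that path the cache also silently keeps whatever entries it held before. I would use `ex -> logger.error("failed to reload role-mapping cache from the security index", ex)` and decide explicitly whether stale mappings may survive a failed load. The success path calls `cache.invalidateAll()` and then refills entry by entry, so a lookup between the two steps sees an empty or partial cache, and two overlapping reloads can interleave. These entries decide which roles a user is mapped to, so either close that window or document that the read path tolerates a miss (the lookup code is outside this hunk). The method is public and has no Javadoc; add one stating when it is expected to be called and that it does nothing when `cache` is null.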
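Review bot: The context line `getMappings(ActionListener.noop());` under the reworded "reload cache" comment may no longer reload anything. The first hunk in this file removes the block in `loadMappings` that filled `cache`, and the result of this call goes to a no-op listener. `getMappings` is not visible in the patch, so this depends on whether it populates the cache on its own. If it relied on the removed block, this branch should call the new method instead, `loadCache();`, otherwise an index state change leaves cached role mappings stale. `onSecurityIndexStateChange` starts and ends outside the hunk.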