Add cat/alias support for DNFOF (#4436)

Signed-off-by: Derek Ho <[email protected]>
(cherry picked from commit 94f7ccb)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java

@@ -54,6 +54,7 @@
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.nullValue;
@@ -128,7 +129,8 @@ public class DoNotFailOnForbiddenTests {
                 "indices:data/read/msearch",
                 "indices:data/read/scroll",
                 "indices:monitor/settings/get",
-                "indices:monitor/stats"
+                "indices:monitor/stats",
+                "indices:admin/aliases/get"
             )
             .on(MARVELOUS_SONGS)
     );
@@ -444,6 +446,40 @@ public void shouldPerformCatIndices_positive() throws IOException {
         }
     }
 
+    @Test
+    public void shouldPerformCatAliases_positive() throws IOException {
+        // DNFOF works for limited access user
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_USER)) {
+            Request getAliasesRequest = new Request("GET", "/_cat/aliases");
+            Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
+            List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
+                .collect(Collectors.toList());
+
+            // Does not fail on forbidden, but alias response only contains index which user has access to
+            assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));
+            assertThat(aliases.size(), equalTo(1));
+            assertThat(aliases.get(0), containsString("marvelous_songs"));
+            assertThat(aliases.get(0), not(containsString("horrible_songs")));
+
+        }
+
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(ADMIN_USER)) {
+            Request getAliasesRequest = new Request("GET", "/_cat/aliases");
+            Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
+            List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
+                .collect(Collectors.toList());
+
+            // Admin has access to all
+            assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));
+            // Aliases have one entry for each index
+            // This response is [(both-indices: marvelous_songs), (both-indices: horrible_songs), (forbidden-index: horrible_songs)]
+            assertThat(aliases.size(), equalTo(3));
+            assertThat(aliases, hasItem(containsString("marvelous_songs")));
+            assertThat(aliases, hasItem(containsString("horrible_songs")));
+
+        }
+    }
+
     @Test
     public void checkStatsApi() {
         // As admin creates 2 documents in different indices, can find both indices in search, cat indice & stats APIs

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java

@@ -111,7 +111,8 @@ public class PrivilegesEvaluator {
             "indices:admin/shards/search_shards",
             "indices:admin/resolve/index",
             "indices:monitor/settings/get",
-            "indices:monitor/stats"
+            "indices:monitor/stats",
+            "indices:admin/aliases/get"
         )
     );
 

src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java

@@ -41,13 +41,13 @@ public class PrivilegesEvaluatorUnitTest {
         "indices:data/read/search/template",
         "indices:data/read/tv",
         "indices:monitor/settings/get",
-        "indices:monitor/stats"
+        "indices:monitor/stats",
+        "indices:admin/aliases/get"
     );
 
     private static final List<String> disallowedDnfof = ImmutableList.of(
         "indices:admin/aliases",
         "indices:admin/aliases/exists",
-        "indices:admin/aliases/get",
         "indices:admin/analyze",
         "indices:admin/cache/clear",
         "indices:admin/close",