Prevent recursive action groups

[cliu123]

Signed-off-by: cliu123 [email protected]

Description

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix

• Prevent the following 3 cases that cause recursive action groups and result in StackOverflowException when resolving the security configurations in runtime:

1. Prevent creating an action group with a role name.
2. Prevent creating an action group with itself as an allowed_actions.
3. Prevent patching an action group with itself as an allowed_actions.

Issues Resolved

#1389

Testing

UTs

Check List

• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peternied]

I am concerned this validation check appears to be happening at several different locations. Can we add a single validation function that is run before all creates/updates?

[cliu123]

I am concerned this validation check appears to be happening at several different locations. Can we add a single validation function that is run before all creates/updates?

Good comments!
They are different validations for different cases. For the case of PATCH, I defined a method hasActionGroupSelfReference and reused it. But there are 2 differnt cases being validated in the case of PUT, so they are different validations.

[codecov-commenter]

Codecov Report

Merging #1868 (f6a9dcb) into main (94cc878) will increase coverage by 0.00%.
The diff coverage is 89.28%.

@@            Coverage Diff            @@
##               main    #1868   +/-   ##
=========================================
  Coverage     60.87%   60.88%           
- Complexity     3215     3224    +9     
=========================================
  Files           256      256           
  Lines         18012    18040   +28     
  Branches       3211     3219    +8     
=========================================
+ Hits          10965    10983   +18     
- Misses         5467     5476    +9     
- Partials       1580     1581    +1     

Impacted Files	Coverage Δ
.../security/dlic/rest/api/ActionGroupsApiAction.java	88.46% <81.25%> (-11.54%)	⬇️
...rity/dlic/rest/api/PatchableResourceApiAction.java	85.00% <100.00%> (+1.66%)	⬆️
...org/opensearch/security/rest/TenantInfoAction.java	77.94% <0.00%> (-10.30%)	⬇️
...ensearch/security/compliance/ComplianceConfig.java	82.63% <0.00%> (-0.70%)	⬇️
...ecurity/ssl/rest/SecuritySSLReloadCertsAction.java	84.78% <0.00%> (-0.33%)	⬇️
...security/configuration/DlsFlsFilterLeafReader.java	61.59% <0.00%> (-0.15%)	⬇️
...a/org/opensearch/security/tools/SecurityAdmin.java	37.56% <0.00%> (+0.24%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 94cc878...f6a9dcb. Read the comment docs.

[opensearch-trigger-bot]

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-1868-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 07637c4473977c80c5a2373c7bb2fddaca6dc770
# Push it to GitHub
git push --set-upstream origin backport/backport-1868-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-1868-to-1.3.