in src/main/java/org/opensearch/security/privileges/DlsFlsEvaluator.java [69:176]
public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final ClusterService clusterService, final IndexNameExpressionResolver resolver, final Resolved requestedResolved, final User user,
final SecurityRoles securityRoles, final PrivilegesEvaluatorResponse presponse) {
ThreadContext threadContext = threadPool.getThreadContext();
// maskedFields
final Map<String, Set<String>> maskedFieldsMap = securityRoles.getMaskedFields(user, resolver, clusterService);
final boolean isDebugEnabled = log.isDebugEnabled();
if (maskedFieldsMap != null && !maskedFieldsMap.isEmpty()) {
if(request instanceof ClusterSearchShardsRequest && HeaderHelper.isTrustedClusterRequest(threadContext)) {
threadContext.addResponseHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFieldsMap));
if (isDebugEnabled) {
log.debug("Added response header for masked fields info: {}", maskedFieldsMap);
}
} else {
if (threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER) != null) {
if (!maskedFieldsMap.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER)))) {
throw new OpenSearchSecurityException(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER + " does not match ");
} else {
if (isDebugEnabled) {
log.debug("Header {} already set", ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER);
}
}
} else {
threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFieldsMap));
if (isDebugEnabled) {
log.debug("Attach masked fields info: {}", maskedFieldsMap);
}
}
}
presponse.maskedFields = maskedFieldsMap.entrySet().stream()
.filter(requestedResolved.isLocalAll() || requestedResolved.getAllIndices().isEmpty() ?
entry -> true : entry -> WildcardMatcher.from(entry.getKey()).matchAny(requestedResolved.getAllIndices()))
.collect(ImmutableMap.toImmutableMap(Map.Entry::getKey, Map.Entry::getValue));
}
// attach dls/fls map if not already done
final Tuple<Map<String, Set<String>>, Map<String, Set<String>>> dlsFls = securityRoles.getDlsFls(user, resolver, clusterService);
final Map<String, Set<String>> dlsQueries = dlsFls.v1();
final Map<String, Set<String>> flsFields = dlsFls.v2();
if (!dlsQueries.isEmpty()) {
if(request instanceof ClusterSearchShardsRequest && HeaderHelper.isTrustedClusterRequest(threadContext)) {
threadContext.addResponseHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) dlsQueries));
if (isDebugEnabled) {
log.debug("Added response header for DLS info: {}", dlsQueries);
}
} else {
if (threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER) != null) {
if (!dlsQueries.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER)))) {
throw new OpenSearchSecurityException(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER + " does not match (SG 900D)");
}
} else {
threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) dlsQueries));
if (isDebugEnabled) {
log.debug("Attach DLS info: {}", dlsQueries);
}
}
}
presponse.queries = dlsQueries.entrySet().stream()
.filter(requestedResolved.isLocalAll() || requestedResolved.getAllIndices().isEmpty() ?
entry -> true : entry -> WildcardMatcher.from(entry.getKey()).matchAny(requestedResolved.getAllIndices()))
.collect(ImmutableMap.toImmutableMap(Map.Entry::getKey, Map.Entry::getValue));
}
if (!flsFields.isEmpty()) {
if(request instanceof ClusterSearchShardsRequest && HeaderHelper.isTrustedClusterRequest(threadContext)) {
threadContext.addResponseHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) flsFields));
if (isDebugEnabled) {
log.debug("Added response header for FLS info: {}", flsFields);
}
} else {
if (threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER) != null) {
if (!flsFields.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER)))) {
throw new OpenSearchSecurityException(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER + " does not match ");
} else {
if (isDebugEnabled) {
log.debug("Header {} already set", ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER);
}
}
} else {
threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) flsFields));
if (isDebugEnabled) {
log.debug("Attach FLS info: {}", flsFields);
}
}
}
presponse.allowedFlsFields = flsFields.entrySet().stream()
.filter(requestedResolved.isLocalAll() || requestedResolved.getAllIndices().isEmpty() ?
entry -> true : entry -> WildcardMatcher.from(entry.getKey()).matchAny(requestedResolved.getAllIndices()))
.collect(ImmutableMap.toImmutableMap(Map.Entry::getKey, Map.Entry::getValue));
}
return presponse;
}