Show rudimentary resource authz impl

Signed-off-by: Craig Perkins <[email protected]>

sample-extension-plugin/src/integrationTest/java/org/opensearch/security/sampleextension/SampleExtensionPluginTests.java

@@ -131,4 +131,45 @@ public void testCreateAndUpdateOwnSampleResource() throws Exception {
         }
     }
 
+    @Test
+    public void testCreateResourceAndTryUpdateWithOtherUser() throws Exception {
+        String resourceId;
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            String sampleResource = "{\"name\":\"sample\"}";
+            HttpResponse response = client.postJson("_plugins/resource_sharing_example/resource", sampleResource);
+            response.assertStatusCode(HttpStatus.SC_OK);
+            System.out.println("Response: " + response.getBody());
+
+            resourceId = response.getTextFromJsonBody("/resourceId");
+
+            System.out.println("resourceId: " + resourceId);
+            Thread.sleep(2000);
+        }
+        try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
+            // HttpResponse response = client.postJson(".resource-sharing/_search", "{\"query\" : {\"match_all\" : {}}}");
+            // System.out.println("Resource sharing entries: " + response.getBody());
+
+            HttpResponse response2 = client.postJson(".sample_extension_resources/_search", "{\"query\" : {\"match_all\" : {}}}");
+            System.out.println("Sample resources: " + response2.getBody());
+        }
+
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            Thread.sleep(1000);
+
+            HttpResponse getResponse = client.get("_plugins/resource_sharing_example/resource/" + resourceId);
+            getResponse.assertStatusCode(HttpStatus.SC_OK);
+            System.out.println("Get Response: " + getResponse.getBody());
+        }
+
+        try (TestRestClient client = cluster.getRestClient(SHARED_WITH_USER)) {
+            String sampleResourceUpdated = "{\"name\":\"sampleUpdated\"}";
+            HttpResponse updateResponse = client.putJson(
+                "_plugins/resource_sharing_example/resource/update/" + resourceId,
+                sampleResourceUpdated
+            );
+            updateResponse.assertStatusCode(HttpStatus.SC_FORBIDDEN);
+            System.out.println("Update Response: " + updateResponse.getBody());
+        }
+    }
+
 }

sample-extension-plugin/src/main/java/org/opensearch/security/sampleextension/actions/update/UpdateSampleResourceRequest.java

@@ -14,11 +14,14 @@
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.security.spi.ResourceRequest;
+
+import static org.opensearch.security.sampleextension.SampleExtensionPlugin.RESOURCE_INDEX_NAME;
 
 /**
  * Request object for UpdateSampleResource transport action
  */
-public class UpdateSampleResourceRequest extends ActionRequest {
+public class UpdateSampleResourceRequest extends ActionRequest implements ResourceRequest {
 
     private String resourceId;
     private String name;
@@ -28,10 +31,16 @@ public UpdateSampleResourceRequest(String resourceId, String name) {
         this.name = name;
     }
 
+    @Override
     public String getResourceId() {
         return resourceId;
     }
 
+    @Override
+    public String getResourceIndex() {
+        return RESOURCE_INDEX_NAME;
+    }
+
     public String getName() {
         return name;
     }

spi/src/main/java/org/opensearch/security/spi/ResourceRequest.java

@@ -0,0 +1,10 @@
+package org.opensearch.security.spi;
+
+/**
+ * A ResourceRequest is a subtype of ActionRequest that pertains to resource.
+ */
+public interface ResourceRequest {
+    String getResourceId();
+
+    String getResourceIndex();
+}

spi/src/main/java/org/opensearch/security/spi/ResourceSharingInfo.java

@@ -0,0 +1,61 @@
+package org.opensearch.security.spi;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+import org.opensearch.core.ParseField;
+import org.opensearch.core.xcontent.ConstructingObjectParser;
+import org.opensearch.core.xcontent.XContentParser;
+
+/**
+ * ResourceSharingInfo is a subset of the fields in a SharableResource document that correspond to the owner
+ * of the SharableResource (the resource_user) and a list of ShareWith data structures that corresponding
+ * to who (individuals or groups) the resource has been shared with and at what access level
+ */
+public class ResourceSharingInfo {
+    private final ResourceUser resourceUser;
+    private final List<ShareWith> shareWith;
+
+    public ResourceSharingInfo(ResourceUser resourceUser) {
+        this.resourceUser = resourceUser;
+        this.shareWith = Collections.emptyList();
+    }
+
+    public ResourceSharingInfo(ResourceUser resourceUser, List<ShareWith> shareWith) {
+        this.resourceUser = resourceUser;
+        this.shareWith = shareWith;
+    }
+
+    public ResourceUser getResourceUser() {
+        return resourceUser;
+    }
+
+    public List<ShareWith> getShareWith() {
+        return shareWith;
+    }
+
+    @SuppressWarnings("unchecked")
+    private static final ConstructingObjectParser<ResourceSharingInfo, Void> PARSER = new ConstructingObjectParser<>(
+        "resource_sharing_info",
+        true,
+        a -> new ResourceSharingInfo((ResourceUser) a[0], (List<ShareWith>) a[1])
+    );
+
+    static {
+        PARSER.declareObject(
+            ConstructingObjectParser.constructorArg(),
+            (p, c) -> ResourceUser.fromXContent(p),
+            new ParseField("resource_user")
+        );
+        PARSER.declareObjectArray(
+            ConstructingObjectParser.optionalConstructorArg(),
+            (p, c) -> ShareWith.fromXContent(p),
+            new ParseField("share_with")
+        );
+    }
+
+    public static ResourceSharingInfo parse(XContentParser parser) throws IOException {
+        return PARSER.parse(parser, null);
+    }
+}

spi/src/main/java/org/opensearch/security/spi/ResourceUser.java

@@ -5,12 +5,17 @@
 import java.util.List;
 import java.util.Map;
 
+import org.opensearch.core.ParseField;
 import org.opensearch.core.common.io.stream.NamedWriteable;
 import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ConstructingObjectParser;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.ToXContentFragment;
 import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.core.xcontent.XContentParser;
+
+import static org.opensearch.core.xcontent.ConstructingObjectParser.constructorArg;
 
 public class ResourceUser implements NamedWriteable, ToXContentFragment {
     private final String name;
@@ -56,6 +61,23 @@ public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params par
         return builder.startObject().field("name", name).field("roles", roles).field("backend_roles", backendRoles).endObject();
     }
 
+    @SuppressWarnings("unchecked")
+    private static final ConstructingObjectParser<ResourceUser, Void> PARSER = new ConstructingObjectParser<>(
+        "resource_user",
+        true,
+        a -> new ResourceUser((String) a[0], (List<String>) a[1], (List<String>) a[2])
+    );
+
+    static {
+        PARSER.declareString(ConstructingObjectParser.constructorArg(), new ParseField("name"));
+        PARSER.declareStringArray(constructorArg(), new ParseField("roles"));
+        PARSER.declareStringArray(constructorArg(), new ParseField("backend_roles"));
+    }
+
+    public static ResourceUser fromXContent(XContentParser parser) throws IOException {
+        return PARSER.parse(parser, null);
+    }
+
     @Override
     public String getWriteableName() {
         return "resource_user";

spi/src/main/java/org/opensearch/security/spi/ShareWith.java

@@ -3,11 +3,16 @@
 import java.io.IOException;
 import java.util.List;
 
+import org.opensearch.core.ParseField;
 import org.opensearch.core.common.io.stream.NamedWriteable;
 import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ConstructingObjectParser;
 import org.opensearch.core.xcontent.ToXContentFragment;
 import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.core.xcontent.XContentParser;
+
+import static org.opensearch.core.xcontent.ConstructingObjectParser.constructorArg;
 
 public class ShareWith implements NamedWriteable, ToXContentFragment {
 
@@ -40,6 +45,22 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
         return builder.startObject().field("users", users).field("backend_roles", backendRoles).endObject();
     }
 
+    @SuppressWarnings("unchecked")
+    private static final ConstructingObjectParser<ShareWith, Void> PARSER = new ConstructingObjectParser<>(
+        "share_with",
+        true,
+        a -> new ShareWith((List<String>) a[0], (List<String>) a[1])
+    );
+
+    static {
+        PARSER.declareStringArray(constructorArg(), new ParseField("users"));
+        PARSER.declareStringArray(constructorArg(), new ParseField("backend_roles"));
+    }
+
+    public static ShareWith fromXContent(XContentParser parser) throws IOException {
+        return PARSER.parse(parser, null);
+    }
+
     @Override
     public String getWriteableName() {
         return "share_with";

spi/src/main/java/org/opensearch/security/spi/actions/ResourceRequest.java → spi/src/main/java/org/opensearch/security/spi/actions/AbstractResourceRequest.java

@@ -7,17 +7,17 @@
 import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.core.common.io.stream.StreamOutput;
 
-public class ResourceRequest extends ActionRequest {
+public abstract class AbstractResourceRequest extends ActionRequest {
     protected final String resourceIndex;
 
     /**
      * Default constructor
      */
-    public ResourceRequest(String resourceIndex) {
+    public AbstractResourceRequest(String resourceIndex) {
         this.resourceIndex = resourceIndex;
     }
 
-    public ResourceRequest(StreamInput in) throws IOException {
+    public AbstractResourceRequest(StreamInput in) throws IOException {
         this.resourceIndex = in.readString();
     }
 

spi/src/main/java/org/opensearch/security/spi/actions/resource/get/GetResourceRequest.java

@@ -11,12 +11,12 @@
 import java.io.IOException;
 
 import org.opensearch.core.common.io.stream.StreamInput;
-import org.opensearch.security.spi.actions.ResourceRequest;
+import org.opensearch.security.spi.actions.AbstractResourceRequest;
 
 /**
  * Request object for GetResource transport action
  */
-public class GetResourceRequest extends ResourceRequest {
+public class GetResourceRequest extends AbstractResourceRequest {
     private final String resourceId;
 
     /**

spi/src/main/java/org/opensearch/security/spi/actions/resource/list/ListResourceRequest.java

@@ -11,12 +11,12 @@
 import java.io.IOException;
 
 import org.opensearch.core.common.io.stream.StreamInput;
-import org.opensearch.security.spi.actions.ResourceRequest;
+import org.opensearch.security.spi.actions.AbstractResourceRequest;
 
 /**
  * Request object for ListResource transport action
  */
-public class ListResourceRequest extends ResourceRequest {
+public class ListResourceRequest extends AbstractResourceRequest {
 
     // TODO Change this into Search instead of List