Change share_with data structure and rename to SharableResourceExtension

Signed-off-by: Craig Perkins <[email protected]>

sample-extension-plugin/src/integrationTest/java/org/opensearch/security/sampleextension/SampleExtensionPluginTests.java

@@ -106,7 +106,7 @@ public void testCreateAndUpdateOwnSampleResource() throws Exception {
         }
 
         try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
-            String shareWithPayload = "{\"share_with\":{\"allowed_actions\": [\"unlimited\"], \"users\": [\""
+            String shareWithPayload = "{\"share_with\":{\"action_group\": \"unlimited\", \"users\": [\""
                 + SHARED_WITH_USER.getName()
                 + "\"], \"backend_roles\": []}}";
             HttpResponse shareWithResponse = client.putJson(

sample-extension-plugin/src/main/java/org/opensearch/security/sampleextension/SampleExtensionPlugin.java

@@ -50,7 +50,7 @@
 import org.opensearch.security.sampleextension.actions.update.UpdateSampleResourceAction;
 import org.opensearch.security.sampleextension.actions.update.UpdateSampleResourceRestAction;
 import org.opensearch.security.sampleextension.actions.update.UpdateSampleResourceTransportAction;
-import org.opensearch.security.spi.ResourceSharingExtension;
+import org.opensearch.security.spi.SharableResourceExtension;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.watcher.ResourceWatcherService;
 
@@ -60,7 +60,7 @@
  * It use ".sample_extension_resources" index to manage its resources, and exposes a REST API
  *
  */
-public class SampleExtensionPlugin extends Plugin implements ActionPlugin, SystemIndexPlugin, ResourceSharingExtension {
+public class SampleExtensionPlugin extends Plugin implements ActionPlugin, SystemIndexPlugin, SharableResourceExtension {
     private static final Logger log = LogManager.getLogger(SampleExtensionPlugin.class);
 
     public static final String RESOURCE_INDEX_NAME = ".sample_extension_resources";

sample-extension-plugin/src/test/java/org/opensearch/security/sampleextension/SampleExtensionPluginIT.java

@@ -168,7 +168,7 @@ public void testCreateSampleResource() throws IOException, InterruptedException
 
         Map<String, String> updateSharingResponse = updateSharing(
             resourceId,
-            "{\"share_with\":{\"users\": [\"admin\"], \"backend_roles\": [], \"allowed_actions\": [\"*\"]}}",
+            "{\"share_with\":{\"users\": [\"admin\"], \"backend_roles\": [], \"action_group\": \"unlimited\"}}",
             Optional.of(Tuple.tuple("testuser", strongPassword))
         );
         System.out.println("updateSharingResponse: " + updateSharingResponse);

spi/src/main/java/org/opensearch/security/spi/ResourceSharingInfo.java

@@ -2,7 +2,8 @@
 
 import java.io.IOException;
 import java.util.Collections;
-import java.util.List;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.opensearch.core.ParseField;
 import org.opensearch.core.xcontent.ConstructingObjectParser;
@@ -15,14 +16,14 @@
  */
 public class ResourceSharingInfo {
     private final ResourceUser resourceUser;
-    private final List<ShareWith> shareWith;
+    private final Map<String, ShareWith> shareWith;
 
     public ResourceSharingInfo(ResourceUser resourceUser) {
         this.resourceUser = resourceUser;
-        this.shareWith = Collections.emptyList();
+        this.shareWith = Collections.emptyMap();
     }
 
-    public ResourceSharingInfo(ResourceUser resourceUser, List<ShareWith> shareWith) {
+    public ResourceSharingInfo(ResourceUser resourceUser, Map<String, ShareWith> shareWith) {
         this.resourceUser = resourceUser;
         this.shareWith = shareWith;
     }
@@ -31,15 +32,15 @@ public ResourceUser getResourceUser() {
         return resourceUser;
     }
 
-    public List<ShareWith> getShareWith() {
+    public Map<String, ShareWith> getShareWith() {
         return shareWith;
     }
 
     @SuppressWarnings("unchecked")
     private static final ConstructingObjectParser<ResourceSharingInfo, Void> PARSER = new ConstructingObjectParser<>(
         "resource_sharing_info",
         true,
-        a -> new ResourceSharingInfo((ResourceUser) a[0], (List<ShareWith>) a[1])
+        a -> new ResourceSharingInfo((ResourceUser) a[0], (Map<String, ShareWith>) a[1])
     );
 
     static {
@@ -48,11 +49,21 @@ public List<ShareWith> getShareWith() {
             (p, c) -> ResourceUser.fromXContent(p),
             new ParseField("resource_user")
         );
-        PARSER.declareObjectArray(
-            ConstructingObjectParser.optionalConstructorArg(),
-            (p, c) -> ShareWith.fromXContent(p),
-            new ParseField("share_with")
-        );
+        PARSER.declareObject(ConstructingObjectParser.optionalConstructorArg(), (p, c) -> {
+            Map<String, ShareWith> shareWithMap = new HashMap<>();
+            String fieldName;
+            while ((fieldName = p.currentName()) != null) {
+                if (p.nextToken() == XContentParser.Token.START_OBJECT) {
+                    shareWithMap.put(fieldName, ShareWith.fromXContent(p));
+                }
+            }
+            return shareWithMap;
+        }, new ParseField("share_with"));
+        // PARSER.declareObjectArray(
+        // ConstructingObjectParser.optionalConstructorArg(),
+        // (p, c) -> ShareWith.fromXContent(p),
+        // new ParseField("share_with")
+        // );
     }
 
     public static ResourceSharingInfo parse(XContentParser parser) throws IOException {

spi/src/main/java/org/opensearch/security/spi/ResourceSharingExtension.java → spi/src/main/java/org/opensearch/security/spi/SharableResourceExtension.java

@@ -11,7 +11,7 @@
 /**
  * SPI of security.
  */
-public interface ResourceSharingExtension {
+public interface SharableResourceExtension {
     /**
      * @return resource type string.
      */

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -188,7 +188,7 @@
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.setting.OpensearchDynamicSetting;
 import org.opensearch.security.setting.TransportPassiveAuthSetting;
-import org.opensearch.security.spi.ResourceSharingExtension;
+import org.opensearch.security.spi.SharableResourceExtension;
 import org.opensearch.security.ssl.ExternalSecurityKeyStore;
 import org.opensearch.security.ssl.OpenSearchSecureSettingsFactory;
 import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
@@ -281,7 +281,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile DlsFlsBaseContext dlsFlsBaseContext;
     private final Set<String> sharableResourceIndices = new HashSet<>();
     // CS-SUPPRESS-SINGLE: RegexpSingleline SPI Extensions are unrelated to OpenSearch extensions
-    private final List<ResourceSharingExtension> resourceSharingExtensions = new ArrayList<>();
+    private final List<SharableResourceExtension> resourceSharingExtensions = new ArrayList<>();
     // CS-ENFORCE-SINGLE
 
     public static boolean isActionTraceEnabled() {
@@ -2200,7 +2200,7 @@ public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings
     @Override
     public void loadExtensions(ExtensiblePlugin.ExtensionLoader loader) {
         System.out.println("loadExtensions");
-        for (ResourceSharingExtension extension : loader.loadExtensions(ResourceSharingExtension.class)) {
+        for (SharableResourceExtension extension : loader.loadExtensions(SharableResourceExtension.class)) {
             String resourceIndexName = extension.getResourceIndex();
             System.out.println("localClient: " + localClient);
             this.sharableResourceIndices.add(resourceIndexName);

src/main/java/org/opensearch/security/dlic/rest/api/SecurityApiDependencies.java

@@ -18,7 +18,7 @@
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.configuration.ConfigurationRepository;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
-import org.opensearch.security.spi.ResourceSharingExtension;
+import org.opensearch.security.spi.SharableResourceExtension;
 import org.opensearch.security.support.ConfigConstants;
 
 public class SecurityApiDependencies {
@@ -28,7 +28,7 @@ public class SecurityApiDependencies {
     private final RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator;
     private final AuditLog auditLog;
     private final Settings settings;
-    private final List<ResourceSharingExtension> resourceSharingExtensions;
+    private final List<SharableResourceExtension> resourceSharingExtensions;
 
     private final PrivilegesEvaluator privilegesEvaluator;
 
@@ -40,7 +40,7 @@ public SecurityApiDependencies(
         final RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator,
         final AuditLog auditLog,
         final Settings settings,
-        final List<ResourceSharingExtension> resourceSharingExtensions
+        final List<SharableResourceExtension> resourceSharingExtensions
     ) {
         this.adminDNs = adminDNs;
         this.configurationRepository = configurationRepository;
@@ -72,7 +72,7 @@ public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() {
         return restApiAdminPrivilegesEvaluator;
     }
 
-    public List<ResourceSharingExtension> resourceSharingExtensions() {
+    public List<SharableResourceExtension> resourceSharingExtensions() {
         return resourceSharingExtensions;
     }
 

src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java

@@ -26,7 +26,7 @@
 import org.opensearch.security.hasher.PasswordHasher;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.rest.resource.ShareWithRestAction;
-import org.opensearch.security.spi.ResourceSharingExtension;
+import org.opensearch.security.spi.SharableResourceExtension;
 import org.opensearch.security.ssl.SslSettingsManager;
 import org.opensearch.security.ssl.transport.PrincipalExtractor;
 import org.opensearch.security.user.UserService;
@@ -52,7 +52,7 @@ public static Collection<RestHandler> getHandler(
         final UserService userService,
         final boolean certificatesReloadEnabled,
         final PasswordHasher passwordHasher,
-        final List<ResourceSharingExtension> resourceSharingExtensions
+        final List<SharableResourceExtension> resourceSharingExtensions
     ) {
         final var securityApiDependencies = new SecurityApiDependencies(
             adminDns,

src/main/java/org/opensearch/security/rest/resource/ShareWith.java

@@ -19,27 +19,27 @@
 
 public class ShareWith implements NamedWriteable, ToXContentFragment {
 
-    public final static ShareWith PRIVATE = new ShareWith(List.of("unlimited"), List.of(), List.of());
-    public final static ShareWith PUBLIC = new ShareWith(List.of("unlimited"), List.of("*"), List.of("*"));
+    public final static ShareWith PRIVATE = new ShareWith("unlimited", List.of(), List.of());
+    public final static ShareWith PUBLIC = new ShareWith("unlimited", List.of("*"), List.of("*"));
 
-    private final List<String> allowedActions;
+    private final String actionGroup;
     private final List<String> users;
     private final List<String> backendRoles;
 
-    public ShareWith(List<String> allowedActions, List<String> users, List<String> backendRoles) {
-        this.allowedActions = allowedActions;
+    public ShareWith(String actionGroup, List<String> users, List<String> backendRoles) {
+        this.actionGroup = actionGroup;
         this.users = users;
         this.backendRoles = backendRoles;
     }
 
     public ShareWith(StreamInput in) throws IOException {
-        this.allowedActions = in.readStringList();
+        this.actionGroup = in.readString();
         this.users = in.readStringList();
         this.backendRoles = in.readStringList();
     }
 
-    public List<String> getAllowedActions() {
-        return allowedActions;
+    public String getActionGroup() {
+        return actionGroup;
     }
 
     public List<String> getUsers() {
@@ -53,7 +53,7 @@ public List<String> getBackendRoles() {
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
         return builder.startObject()
-            .field("allowedActions", allowedActions)
+            .field("action_group", actionGroup)
             .field("users", users)
             .field("backend_roles", backendRoles)
             .endObject();
@@ -66,7 +66,7 @@ public String getWriteableName() {
 
     @Override
     public void writeTo(StreamOutput out) throws IOException {
-        out.writeStringCollection(allowedActions);
+        out.writeString(actionGroup);
         out.writeStringCollection(users);
         out.writeStringCollection(backendRoles);
     }

src/main/java/org/opensearch/security/rest/resource/ShareWithRestAction.java

@@ -20,7 +20,7 @@
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.action.RestToXContentListener;
-import org.opensearch.security.spi.ResourceSharingExtension;
+import org.opensearch.security.spi.SharableResourceExtension;
 
 import static org.opensearch.rest.RestRequest.Method.PUT;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
@@ -29,9 +29,9 @@ public class ShareWithRestAction extends BaseRestHandler {
 
     private final Map<String, String> resourceTypeToIndexMap = new HashMap<>();
 
-    public ShareWithRestAction(final List<ResourceSharingExtension> resourceSharingExtensions) {
-        if (resourceSharingExtensions != null) {
-            for (ResourceSharingExtension resourceSharingExtension : resourceSharingExtensions) {
+    public ShareWithRestAction(final List<SharableResourceExtension> sharableResourceExtensions) {
+        if (sharableResourceExtensions != null) {
+            for (SharableResourceExtension resourceSharingExtension : sharableResourceExtensions) {
                 resourceTypeToIndexMap.put(resourceSharingExtension.getResourceType(), resourceSharingExtension.getResourceIndex());
             }
         }
@@ -71,7 +71,7 @@ public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client
 
         Map<String, Object> shareWithMap = (Map<String, Object>) source.get("share_with");
         ShareWith shareWith = new ShareWith(
-            (List<String>) shareWithMap.get("allowed_actions"),
+            (String) shareWithMap.get("action_group"),
             (List<String>) shareWithMap.get("users"),
             (List<String>) shareWithMap.get("backend_roles")
         );

src/main/java/org/opensearch/security/rest/resource/ShareWithTransportAction.java

@@ -35,8 +35,6 @@
 public class ShareWithTransportAction extends HandledTransportAction<ShareWithRequest, ShareWithResponse> {
     private static final Logger log = LogManager.getLogger(ShareWithTransportAction.class);
 
-    public static final String RESOURCE_SHARING_INDEX = ".resource-sharing";
-
     private final TransportService transportService;
     private final Client nodeClient;
 
@@ -64,15 +62,14 @@ public void onResponse(GetResponse getResponse) {
                             XContentBuilder builder = XContentFactory.jsonBuilder();
                             builder.startObject();
                             {
-                                builder.startArray("share_with");
+                                builder.startObject("share_with");
                                 {
-                                    builder.startObject();
-                                    builder.field("allowed_actions", request.getShareWith().getAllowedActions());
+                                    builder.startObject(request.getShareWith().getActionGroup());
                                     builder.field("users", request.getShareWith().getUsers());
                                     builder.field("backend_roles", request.getShareWith().getBackendRoles());
                                     builder.endObject();
                                 }
-                                builder.endArray();
+                                builder.endObject();
                             }
                             builder.endObject();
                             updateRequest.doc(builder);