opensearch-project · cwperks · Jul 12, 2024 · Jul 16, 2024 · Jul 16, 2024 · Jul 16, 2024
@@ -18,15 +18,19 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.core.rest.RestStatus;
-import org.opensearch.security.http.ExampleSystemIndexPlugin;
+import org.opensearch.security.plugin.SystemIndexPlugin1;
+import org.opensearch.security.plugin.SystemIndexPlugin2;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
 import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.security.plugin.SystemIndexPlugin1.SYSTEM_INDEX_1;
+import static org.opensearch.security.plugin.SystemIndexPlugin2.SYSTEM_INDEX_2;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
@@ -43,7 +47,8 @@ public class SystemIndexTests {
         .anonymousAuth(false)
         .authc(AUTHC_DOMAIN)
         .users(USER_ADMIN)
-        .plugin(ExampleSystemIndexPlugin.class)
+        .plugin(SystemIndexPlugin1.class)
+        .plugin(SystemIndexPlugin2.class)
         .nodeSettings(
             Map.of(
                 SECURITY_RESTAPI_ROLES_ENABLED,
@@ -80,4 +85,27 @@ public void adminShouldNotBeAbleToDeleteSecurityIndex() {
             assertThat(response4.getStatusCode(), equalTo(RestStatus.FORBIDDEN.getStatus()));
         }
     }
+
+    @Test
+    public void testPluginShouldBeAbleToIndexDocumentIntoItsSystemIndex() {
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            HttpResponse response = client.put("_plugins/system-index/" + SYSTEM_INDEX_1);
+
+            assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+            assertThat(response.getBody(), containsString(SystemIndexPlugin1.class.getCanonicalName()));
+        }
+    }
+
+    @Test
+    public void testPluginShouldNotBeAbleToIndexDocumentIntoSystemIndexRegisteredByOtherPlugin() {
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            HttpResponse response = client.put("_plugins/system-index/" + SYSTEM_INDEX_2);
+
+            assertThat(response.getStatusCode(), equalTo(RestStatus.FORBIDDEN.getStatus()));
+            assertThat(
+                response.getBody(),
+                containsString(SystemIndexPlugin1.class.getCanonicalName() + " can only interact with its own system indices")
+            );
+        }
+    }
 }
@@ -0,0 +1,12 @@
+package org.opensearch.security.plugin;
+
+import org.opensearch.action.ActionType;
+
+public class IndexDocumentIntoSystemIndexAction extends ActionType<IndexDocumentIntoSystemIndexResponse> {
+    public static final IndexDocumentIntoSystemIndexAction INSTANCE = new IndexDocumentIntoSystemIndexAction();
+    public static final String NAME = "mock:systemindex/index";
+
+    private IndexDocumentIntoSystemIndexAction() {
+        super(NAME, IndexDocumentIntoSystemIndexResponse::new);
+    }
+}
@@ -0,0 +1,30 @@
+package org.opensearch.security.plugin;
+
+import java.io.IOException;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.core.common.io.stream.StreamInput;
+
+public class IndexDocumentIntoSystemIndexRequest extends ActionRequest {
+
+    private final String indexName;
+
+    public IndexDocumentIntoSystemIndexRequest(String indexName) {
+        this.indexName = indexName;
+    }
+
+    public IndexDocumentIntoSystemIndexRequest(StreamInput in) throws IOException {
+        super(in);
+        this.indexName = in.readString();
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        return null;
+    }
+
+    public String getIndexName() {
+        return this.indexName;
+    }
+}
@@ -0,0 +1,36 @@
+package org.opensearch.security.plugin;
+
+import java.io.IOException;
+
+import org.opensearch.action.support.master.AcknowledgedResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+public class IndexDocumentIntoSystemIndexResponse extends AcknowledgedResponse implements ToXContentObject {
+
+    private String plugin;
+
+    public IndexDocumentIntoSystemIndexResponse(boolean status, String plugin) {
+        super(status);
+        this.plugin = plugin;
+    }
+
+    public IndexDocumentIntoSystemIndexResponse(StreamInput in) throws IOException {
+        super(in);
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(plugin);
+    }
+
+    @Override
+    public void addCustomFields(XContentBuilder builder, ToXContent.Params params) throws IOException {
+        super.addCustomFields(builder, params);
+        builder.field("plugin", plugin);
+    }
+}
@@ -0,0 +1,38 @@
+package org.opensearch.security.plugin;
+
+import java.util.List;
+
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.client.node.PluginAwareNodeClient;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.action.RestToXContentListener;
+
+import static java.util.Collections.singletonList;
+import static org.opensearch.rest.RestRequest.Method.PUT;
+
+public class RestIndexDocumentIntoSystemIndexAction extends BaseRestHandler {
+
+    private final PluginAwareNodeClient pluginAwareClient;
+
+    public RestIndexDocumentIntoSystemIndexAction(PluginAwareNodeClient pluginAwareClient) {
+        this.pluginAwareClient = pluginAwareClient;
+    }
+
+    @Override
+    public List<Route> routes() {
+        return singletonList(new Route(PUT, "/_plugins/system-index/{index}"));
+    }
+
+    @Override
+    public String getName() {
+        return "test_index_document_into_system_index_action";
+    }
+
+    @Override
+    public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) {
+        String indexName = request.param("index");
+        IndexDocumentIntoSystemIndexRequest indexRequest = new IndexDocumentIntoSystemIndexRequest(indexName);
+        return channel -> client.execute(IndexDocumentIntoSystemIndexAction.INSTANCE, indexRequest, new RestToXContentListener<>(channel));
+    }
+}
@@ -0,0 +1,51 @@
+package org.opensearch.security.plugin;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.function.Supplier;
+
+import org.opensearch.client.node.PluginAwareNodeClient;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.env.Environment;
+import org.opensearch.env.NodeEnvironment;
+import org.opensearch.indices.SystemIndexDescriptor;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.SystemIndexPlugin;
+import org.opensearch.repositories.RepositoriesService;
+import org.opensearch.script.ScriptService;
+import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.watcher.ResourceWatcherService;
+
+public class SystemIndexPatternPlugin extends Plugin implements SystemIndexPlugin {
+    public static final String SYSTEM_INDEX_PATTERN = ".system-index-pattern*";
+
+    private PluginAwareNodeClient client;
+
+    @Override
+    public Collection<Object> createComponents(
+        PluginAwareNodeClient client,
+        ClusterService clusterService,
+        ThreadPool threadPool,
+        ResourceWatcherService resourceWatcherService,
+        ScriptService scriptService,
+        NamedXContentRegistry xContentRegistry,
+        Environment environment,
+        NodeEnvironment nodeEnvironment,
+        NamedWriteableRegistry namedWriteableRegistry,
+        IndexNameExpressionResolver indexNameExpressionResolver,
+        Supplier<RepositoriesService> repositoriesServiceSupplier
+    ) {
+        this.client = client;
+        return Collections.emptyList();
+    }
+
+    @Override
+    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
+        final SystemIndexDescriptor systemIndexDescriptor = new SystemIndexDescriptor(SYSTEM_INDEX_PATTERN, "System index pattern");
+        return Collections.singletonList(systemIndexDescriptor);
+    }
+}
@@ -0,0 +1,81 @@
+package org.opensearch.security.plugin;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Supplier;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.client.node.PluginAwareNodeClient;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.node.DiscoveryNodes;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.ClusterSettings;
+import org.opensearch.common.settings.IndexScopedSettings;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.settings.SettingsFilter;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.env.Environment;
+import org.opensearch.env.NodeEnvironment;
+import org.opensearch.indices.SystemIndexDescriptor;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.SystemIndexPlugin;
+import org.opensearch.repositories.RepositoriesService;
+import org.opensearch.rest.RestController;
+import org.opensearch.rest.RestHandler;
+import org.opensearch.script.ScriptService;
+import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.watcher.ResourceWatcherService;
+
+public class SystemIndexPlugin1 extends Plugin implements SystemIndexPlugin {
+    public static final String SYSTEM_INDEX_1 = ".system-index1";
+
+    private PluginAwareNodeClient client;
+
+    @Override
+    public Collection<Object> createComponents(
+        PluginAwareNodeClient client,
+        ClusterService clusterService,
+        ThreadPool threadPool,
+        ResourceWatcherService resourceWatcherService,
+        ScriptService scriptService,
+        NamedXContentRegistry xContentRegistry,
+        Environment environment,
+        NodeEnvironment nodeEnvironment,
+        NamedWriteableRegistry namedWriteableRegistry,
+        IndexNameExpressionResolver indexNameExpressionResolver,
+        Supplier<RepositoriesService> repositoriesServiceSupplier
+    ) {
+        this.client = client;
+        return List.of(client);
+    }
+
+    @Override
+    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
+        final SystemIndexDescriptor systemIndexDescriptor = new SystemIndexDescriptor(SYSTEM_INDEX_1, "System index 1");
+        return Collections.singletonList(systemIndexDescriptor);
+    }
+
+    @Override
+    public List<RestHandler> getRestHandlers(
+        Settings settings,
+        RestController restController,
+        ClusterSettings clusterSettings,
+        IndexScopedSettings indexScopedSettings,
+        SettingsFilter settingsFilter,
+        IndexNameExpressionResolver indexNameExpressionResolver,
+        Supplier<DiscoveryNodes> nodesInCluster
+    ) {
+        return List.of(new RestIndexDocumentIntoSystemIndexAction(client));
+    }
+
+    @Override
+    public List<ActionHandler<? extends ActionRequest, ? extends ActionResponse>> getActions() {
+        return Arrays.asList(
+            new ActionHandler<>(IndexDocumentIntoSystemIndexAction.INSTANCE, TransportIndexDocumentIntoSystemIndexAction.class)
+        );
+    }
+}
@@ -0,0 +1,51 @@
+package org.opensearch.security.plugin;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.function.Supplier;
+
+import org.opensearch.client.node.PluginAwareNodeClient;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.env.Environment;
+import org.opensearch.env.NodeEnvironment;
+import org.opensearch.indices.SystemIndexDescriptor;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.SystemIndexPlugin;
+import org.opensearch.repositories.RepositoriesService;
+import org.opensearch.script.ScriptService;
+import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.watcher.ResourceWatcherService;
+
+public class SystemIndexPlugin2 extends Plugin implements SystemIndexPlugin {
+    public static final String SYSTEM_INDEX_2 = ".system-index2";
+
+    private PluginAwareNodeClient client;
+
+    @Override
+    public Collection<Object> createComponents(
+        PluginAwareNodeClient client,
+        ClusterService clusterService,
+        ThreadPool threadPool,
+        ResourceWatcherService resourceWatcherService,
+        ScriptService scriptService,
+        NamedXContentRegistry xContentRegistry,
+        Environment environment,
+        NodeEnvironment nodeEnvironment,
+        NamedWriteableRegistry namedWriteableRegistry,
+        IndexNameExpressionResolver indexNameExpressionResolver,
+        Supplier<RepositoriesService> repositoriesServiceSupplier
+    ) {
+        this.client = client;
+        return Collections.emptyList();
+    }
+
+    @Override
+    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
+        final SystemIndexDescriptor systemIndexDescriptor = new SystemIndexDescriptor(SYSTEM_INDEX_2, "System index 2");
+        return Collections.singletonList(systemIndexDescriptor);
+    }
+}