Use same system index pattern in restricted names (#84180)

The index pattern that was used for the ".security" system index was
not identical to the pattern used in RestrictedIndices. The
consequence was that it would be possible for a user without
restricted indices access to create an index that would get caught by
the system indices pattern, which could lead to confusion.

In 8.0 all system indices are automatically restricted, using the
index name pattern from the system index descriptor, so in 7.17 we are
changing the restricted index name to cover the same set of names as
the system index descriptor

Author: tvernum

docs/changelog/84180.yaml

@@ -0,0 +1,5 @@
+pr: 84180
+summary: Unify index name pattern between security system-index and RBAC restricted names
+area: Authorization
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNames.java

@@ -7,13 +7,17 @@
 
 package org.elasticsearch.xpack.core.security.index;
 
+import org.apache.lucene.util.automaton.Automata;
 import org.apache.lucene.util.automaton.Automaton;
+import org.apache.lucene.util.automaton.Operations;
 import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.core.List;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
+import java.util.function.Predicate;
 
 public final class RestrictedIndicesNames {
     public static final String INTERNAL_SECURITY_MAIN_INDEX_6 = ".security-6";
@@ -23,6 +27,17 @@ public final class RestrictedIndicesNames {
     public static final String INTERNAL_SECURITY_TOKENS_INDEX_7 = ".security-tokens-7";
     public static final String SECURITY_TOKENS_ALIAS = ".security-tokens";
 
+    // See o.e.x.security.Security#getSecurityMainIndexDescriptor, o.e.x.security.Security#getSecurityTokensIndexDescriptor
+    private static final Automaton SECURITY_INDEX_AUTOMATON = Operations.concatenate(
+        List.of(
+            Operations.union(Automata.makeString(SECURITY_MAIN_ALIAS), Automata.makeString(SECURITY_TOKENS_ALIAS)),
+            Automata.makeChar('-'),
+            Automata.makeCharRange('0', '9'),
+            Automata.makeAnyString()
+        )
+    );
+    private static final Predicate<String> SECURITY_INDEX_PREDICATE = Automatons.predicate(SECURITY_INDEX_AUTOMATON);
+
     // public for tests
     public static final String ASYNC_SEARCH_PREFIX = ".async-search";
     private static final Automaton ASYNC_SEARCH_AUTOMATON = Automatons.patterns(ASYNC_SEARCH_PREFIX + "*");
@@ -39,11 +54,13 @@ public final class RestrictedIndicesNames {
     );
 
     public static boolean isRestricted(String concreteIndexName) {
-        return RESTRICTED_NAMES.contains(concreteIndexName) || concreteIndexName.startsWith(ASYNC_SEARCH_PREFIX);
+        return RESTRICTED_NAMES.contains(concreteIndexName)
+            || concreteIndexName.startsWith(ASYNC_SEARCH_PREFIX)
+            || SECURITY_INDEX_PREDICATE.test(concreteIndexName);
     }
 
     public static final Automaton NAMES_AUTOMATON = Automatons.unionAndMinimize(
-        Arrays.asList(Automatons.patterns(RESTRICTED_NAMES), ASYNC_SEARCH_AUTOMATON)
+        Arrays.asList(Automatons.patterns(RESTRICTED_NAMES), ASYNC_SEARCH_AUTOMATON, SECURITY_INDEX_AUTOMATON)
     );
 
     private RestrictedIndicesNames() {}

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNamesTests.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.index;
+
+import org.apache.lucene.util.automaton.CharacterRunAutomaton;
+import org.elasticsearch.test.ESTestCase;
+
+import static org.hamcrest.CoreMatchers.is;
+
+public class RestrictedIndicesNamesTests extends ESTestCase {
+
+    private final CharacterRunAutomaton RUN_AUTOMATON = new CharacterRunAutomaton(RestrictedIndicesNames.NAMES_AUTOMATON);
+
+    public void testAsyncSearchNames() {
+        testIndex(".async-search", true);
+        testIndex(".async-search" + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 8), true);
+        testIndex(".async-search" + (randomBoolean() ? "-" : "") + randomInt(), true);
+        testIndex("async-search" + (randomBoolean() ? "-" : "") + randomInt(), false);
+        testIndex(".asynchronous-search" + (randomBoolean() ? "-" : "") + randomInt(), false);
+        testIndex(".not-async-search" + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 8), false);
+    }
+
+    public void testSecurityNames() {
+        testIndex(".security", true);
+        testIndex(".security-6", true);
+        testIndex(".security-7", true);
+        testIndex(".security-" + randomIntBetween(0, 999_999), true);
+        testIndex(".security-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 20), true);
+
+        testIndex(".security-tokens-7", true);
+        testIndex(".security-tokens-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 20), true);
+
+        testIndex("security", false);
+        testIndex(randomAlphaOfLength(1) + "security", false);
+        testIndex("security-6", false);
+        testIndex("@security-6", false);
+        testIndex(".not-security-7", false);
+        testIndex(".security-", false);
+        testIndex("security-tokens", false);
+        testIndex("security-tokens-7", false);
+        testIndex("_security-tokens", false);
+        testIndex(".security-" + randomAlphaOfLengthBetween(1, 3), false);
+        testIndex(".security-tokens-" + randomAlphaOfLengthBetween(1, 3), false);
+        testIndex(".security" + randomAlphaOfLengthBetween(1, 10), false);
+        testIndex(".security-tokens" + randomAlphaOfLengthBetween(1, 10), false);
+        testIndex(".security" + randomIntBetween(1, 9), false);
+        testIndex(".security-" + randomAlphaOfLength(1) + randomIntBetween(1, 9), false);
+        testIndex(".security" + randomAlphaOfLength(1) + randomIntBetween(1, 9), false);
+    }
+
+    private void testIndex(String name, boolean expected) {
+        assertThat("For index [" + name + "]", RestrictedIndicesNames.isRestricted(name), is(expected));
+        assertThat("For index [" + name + "]", RUN_AUTOMATON.run(name), is(expected));
+    }
+
+}

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecuritySystemIndexTests.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security;
+
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
+
+import java.util.function.Consumer;
+
+import static org.hamcrest.Matchers.is;
+
+public class SecuritySystemIndexTests extends ESTestCase {
+
+    public void testSystemIndexNameIsRestricted() {
+        Consumer<String> check = idx -> assertThat(
+            "For index [" + idx + "]",
+            Security.SECURITY_MAIN_INDEX_DESCRIPTOR.matchesIndexPattern(idx)
+                || Security.SECURITY_TOKEN_INDEX_DESCRIPTOR.matchesIndexPattern(idx),
+            is(RestrictedIndicesNames.isRestricted(idx))
+        );
+
+        check.accept(".security-" + randomIntBetween(0, 99));
+        check.accept(".security" + randomIntBetween(0, 99));
+
+        check.accept(".security-" + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security" + randomAlphaOfLengthBetween(1, 12));
+
+        check.accept(".security-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security-" + randomAlphaOfLengthBetween(1, 12) + (randomBoolean() ? "-" : "") + randomIntBetween(0, 99));
+
+        check.accept(".security-tokens-" + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security-tokens-" + randomIntBetween(1, 99));
+        check.accept(".security-tokens-" + randomIntBetween(1, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 12));
+
+        check.accept("." + randomAlphaOfLengthBetween(1, 12) + "-security");
+
+        check.accept(randomAlphaOfLengthBetween(1, 3) + "security");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + ".security");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + ".security-6");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + "security-tokens-7");
+    }
+}