Use same system index pattern in restricted names

docs/changelog/84180.yaml

@@ -0,0 +1,5 @@
+pr: 84180
+summary: Unify index name pattern between security system-index and RBAC restricted names
+area: Authorization
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNames.java

@@ -7,13 +7,17 @@
 
 package org.elasticsearch.xpack.core.security.index;
 
+import org.apache.lucene.util.automaton.Automata;
 import org.apache.lucene.util.automaton.Automaton;
+import org.apache.lucene.util.automaton.Operations;
 import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.core.List;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
+import java.util.function.Predicate;
 
 public final class RestrictedIndicesNames {
     public static final String INTERNAL_SECURITY_MAIN_INDEX_6 = ".security-6";
@@ -23,6 +27,17 @@ public final class RestrictedIndicesNames {
     public static final String INTERNAL_SECURITY_TOKENS_INDEX_7 = ".security-tokens-7";
     public static final String SECURITY_TOKENS_ALIAS = ".security-tokens";
 
+    // See o.e.x.security.Security#getSecurityMainIndexDescriptor, o.e.x.security.Security#getSecurityTokensIndexDescriptor
+    private static final Automaton SECURITY_INDEX_AUTOMATON = Operations.concatenate(
+        List.of(
+            Operations.union(Automata.makeString(SECURITY_MAIN_ALIAS), Automata.makeString(SECURITY_TOKENS_ALIAS)),
+            Automata.makeChar('-'),
+            Automata.makeCharRange('0', '9'),
+            Automata.makeAnyString()
+        )
+    );
+    private static final Predicate<String> SECURITY_INDEX_PREDICATE = Automatons.predicate(SECURITY_INDEX_AUTOMATON);
+
     // public for tests
     public static final String ASYNC_SEARCH_PREFIX = ".async-search";
     private static final Automaton ASYNC_SEARCH_AUTOMATON = Automatons.patterns(ASYNC_SEARCH_PREFIX + "*");
@@ -39,11 +54,13 @@ public final class RestrictedIndicesNames {
     );
 
     public static boolean isRestricted(String concreteIndexName) {
-        return RESTRICTED_NAMES.contains(concreteIndexName) || concreteIndexName.startsWith(ASYNC_SEARCH_PREFIX);
+        return RESTRICTED_NAMES.contains(concreteIndexName)
+            || concreteIndexName.startsWith(ASYNC_SEARCH_PREFIX)
+            || SECURITY_INDEX_PREDICATE.test(concreteIndexName);
     }
 
     public static final Automaton NAMES_AUTOMATON = Automatons.unionAndMinimize(
-        Arrays.asList(Automatons.patterns(RESTRICTED_NAMES), ASYNC_SEARCH_AUTOMATON)
+        Arrays.asList(Automatons.patterns(RESTRICTED_NAMES), ASYNC_SEARCH_AUTOMATON, SECURITY_INDEX_AUTOMATON)
     );
 
     private RestrictedIndicesNames() {}

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/index/RestrictedIndicesNamesTests.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.index;
+
+import org.apache.lucene.util.automaton.CharacterRunAutomaton;
+import org.elasticsearch.test.ESTestCase;
+
+import static org.hamcrest.CoreMatchers.is;
+
+public class RestrictedIndicesNamesTests extends ESTestCase {
+
+    private final CharacterRunAutomaton RUN_AUTOMATON = new CharacterRunAutomaton(RestrictedIndicesNames.NAMES_AUTOMATON);
+
+    public void testAsyncSearchNames() {
+        testIndex(".async-search", true);
+        testIndex(".async-search" + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 8), true);
+        testIndex(".async-search" + (randomBoolean() ? "-" : "") + randomInt(), true);
+        testIndex("async-search" + (randomBoolean() ? "-" : "") + randomInt(), false);
+        testIndex(".asynchronous-search" + (randomBoolean() ? "-" : "") + randomInt(), false);
+        testIndex(".not-async-search" + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 8), false);
+    }
+
+    public void testSecurityNames() {
+        testIndex(".security", true);
+        testIndex(".security-6", true);
+        testIndex(".security-7", true);
+        testIndex(".security-" + randomIntBetween(0, 999_999), true);
+        testIndex(".security-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 20), true);
+
+        testIndex(".security-tokens-7", true);
+        testIndex(".security-tokens-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 20), true);
+
+        testIndex("security", false);
+        testIndex(randomAlphaOfLength(1) + "security", false);
+        testIndex("security-6", false);
+        testIndex("@security-6", false);
+        testIndex(".not-security-7", false);
+        testIndex(".security-", false);
+        testIndex("security-tokens", false);
+        testIndex("security-tokens-7", false);
+        testIndex("_security-tokens", false);
+        testIndex(".security-" + randomAlphaOfLengthBetween(1, 3), false);
+        testIndex(".security-tokens-" + randomAlphaOfLengthBetween(1, 3), false);
+        testIndex(".security" + randomAlphaOfLengthBetween(1, 10), false);
+        testIndex(".security-tokens" + randomAlphaOfLengthBetween(1, 10), false);
+        testIndex(".security" + randomIntBetween(1, 9), false);
+        testIndex(".security-" + randomAlphaOfLength(1) + randomIntBetween(1, 9), false);
+        testIndex(".security" + randomAlphaOfLength(1) + randomIntBetween(1, 9), false);
+    }
+
+    private void testIndex(String name, boolean expected) {
+        assertThat("For index [" + name + "]", RestrictedIndicesNames.isRestricted(name), is(expected));
+        assertThat("For index [" + name + "]", RUN_AUTOMATON.run(name), is(expected));
+    }
+
+}

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecuritySystemIndexTests.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security;
+
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
+
+import java.util.function.Consumer;
+
+import static org.hamcrest.Matchers.is;
+
+public class SecuritySystemIndexTests extends ESTestCase {
+
+    public void testSystemIndexNameIsRestricted() {
+        Consumer<String> check = idx -> assertThat(
+            "For index [" + idx + "]",
+            Security.SECURITY_MAIN_INDEX_DESCRIPTOR.matchesIndexPattern(idx)
+                || Security.SECURITY_TOKEN_INDEX_DESCRIPTOR.matchesIndexPattern(idx),
+            is(RestrictedIndicesNames.isRestricted(idx))
+        );
+
+        check.accept(".security-" + randomIntBetween(0, 99));
+        check.accept(".security" + randomIntBetween(0, 99));
+
+        check.accept(".security-" + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security" + randomAlphaOfLengthBetween(1, 12));
+
+        check.accept(".security-" + randomIntBetween(0, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security-" + randomAlphaOfLengthBetween(1, 12) + (randomBoolean() ? "-" : "") + randomIntBetween(0, 99));
+
+        check.accept(".security-tokens-" + randomAlphaOfLengthBetween(1, 12));
+        check.accept(".security-tokens-" + randomIntBetween(1, 99));
+        check.accept(".security-tokens-" + randomIntBetween(1, 99) + (randomBoolean() ? "-" : "") + randomAlphaOfLengthBetween(1, 12));
+
+        check.accept("." + randomAlphaOfLengthBetween(1, 12) + "-security");
+
+        check.accept(randomAlphaOfLengthBetween(1, 3) + "security");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + ".security");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + ".security-6");
+        check.accept(randomAlphaOfLengthBetween(1, 3) + "security-tokens-7");
+    }
+}