Fix IllegalArgumentException when resolved indices are empty

Signed-off-by: Maxim Muzafarov <[email protected]>

Author: Mmuzaf

src/integrationTest/java/org/opensearch/security/privileges/actionlevel/RoleBasedActionPrivilegesTest.java

@@ -30,6 +30,7 @@
 import org.junit.runners.Suite;
 
 import org.opensearch.action.support.IndicesOptions;
+import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.IndexAbstraction;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.metadata.Metadata;
@@ -1034,6 +1035,30 @@ public void statefulDisabled() throws Exception {
             subject.updateStatefulIndexPrivileges(metadata, 1);
             assertEquals(0, subject.getEstimatedStatefulIndexByteSize());
         }
+
+        /**
+         * Tests the behavior of hasIndexPrivilege when the resolved indices are empty.
+         * @throws Exception If failed.
+         */
+        @Test
+        public void hasIndexPrivilegeEmptyResolvedIndices() throws Exception {
+            SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.fromYaml(
+                "test_role:\n"
+                    + "  index_permissions:\n"
+                    + "  - index_patterns: ['*']\n"
+                    + "    allowed_actions: ['indices:monitor/recovery']",
+                CType.ROLES
+            );
+
+            RoleBasedActionPrivileges subject = new RoleBasedActionPrivileges(roles, FlattenedActionGroups.EMPTY, Settings.EMPTY);
+
+            PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
+                ctx().clusterState(ClusterState.EMPTY_STATE).roles("test_role").get(),
+                ImmutableSet.of("indices:monitor/recovery"),
+                IndexResolverReplacer.Resolved._LOCAL_ALL
+            );
+            assertThat(result, isAllowed());
+        }
     }
 
     /**

src/integrationTest/java/org/opensearch/security/privileges/int_tests/IndexAuthorizationReadOnlyIntTests.java

@@ -361,6 +361,20 @@ public class IndexAuthorizationReadOnlyIntTests {
         .reference(READ, unlimitedIncludingOpenSearchSecurityIndex())//
         .reference(GET_ALIAS, unlimitedIncludingOpenSearchSecurityIndex());
 
+    /**
+     * A user with indices:monitor/recovery permission on all indices to verify that it succeeds in case all indices are closed.
+     */
+    static final TestSecurityConfig.User LIMITED_USER_RECOVERY = new TestSecurityConfig.User("limited_user_recovery")//
+        .description("indices:monitor/recovery on *")//
+        .roles(
+            new TestSecurityConfig.Role("r1")//
+                .clusterPermissions("cluster_composite_ops_ro", "cluster_monitor")
+                .indexPermissions("indices:monitor/recovery")
+                .on("*")
+        )//
+        .reference(READ, limitedToNone())//
+        .reference(GET_ALIAS, limitedToNone());
+
     static final List<TestSecurityConfig.User> USERS = ImmutableList.of(
         LIMITED_USER_A,
         LIMITED_USER_B,
@@ -372,6 +386,7 @@ public class IndexAuthorizationReadOnlyIntTests {
         LIMITED_USER_C_WITH_SYSTEM_INDICES,
         LIMITED_USER_OTHER_PRIVILEGES,
         LIMITED_USER_NONE,
+        LIMITED_USER_RECOVERY,
         UNLIMITED_USER,
         SUPER_UNLIMITED_USER
     );
@@ -1864,6 +1879,27 @@ public void pit_catSegments_all() throws Exception {
         }
     }
 
+    @Test
+    public void cat_recovery_allIndicesClosed() throws Exception {
+        try (TestRestClient adminClient = cluster.getAdminCertRestClient()) {
+            TestRestClient.HttpResponse closeResponse = adminClient.post("*/_close");
+            assertThat(closeResponse, isOk());
+        }
+
+        // We use /_cat/recovery test to verify that RuntimeOptimizedActionPrivileges
+        // work as intended when all indices are closed. This request should still be allowed.
+        // When all indices are closed, getAllIndicesResolved() returns empty, and
+        // RuntimeOptimizedActionPrivileges should grant the request permission.
+        try (TestRestClient restClient = cluster.getRestClient(user)) {
+            TestRestClient.HttpResponse httpResponse = restClient.get("_cat/recovery");
+            if (user == LIMITED_USER_RECOVERY || user == UNLIMITED_USER || user == SUPER_UNLIMITED_USER) {
+                assertThat(httpResponse, isOk());
+            } else {
+                assertThat(httpResponse, isForbidden("/error/root_cause/0/reason", "no permissions for [indices:monitor/recovery]"));
+            }
+        }
+    }
+
     @ParametersFactory(shuffle = false, argumentFormatting = "%1$s, %3$s")
     public static Collection<Object[]> params() {
         List<Object[]> result = new ArrayList<>();

src/main/java/org/opensearch/security/privileges/actionlevel/RuntimeOptimizedActionPrivileges.java

@@ -98,12 +98,19 @@ public PrivilegesEvaluatorResponse hasIndexPrivilege(
             return PrivilegesEvaluatorResponse.ok();
         }
 
+        Set<String> allIndicesResolved = resolvedIndices.getAllIndicesResolved(
+            context.getClusterStateSupplier(),
+            context.getIndexNameExpressionResolver()
+        );
+
+        if (allIndicesResolved.isEmpty()) {
+            log.debug("No resolved indices; grant the request");
+            return PrivilegesEvaluatorResponse.ok();
+        }
+
         // TODO one might want to consider to create a semantic wrapper for action in order to be better tell apart
         // what's the action and what's the index in the generic parameters of CheckTable.
-        CheckTable<String, String> checkTable = CheckTable.create(
-            resolvedIndices.getAllIndicesResolved(context.getClusterStateSupplier(), context.getIndexNameExpressionResolver()),
-            actions
-        );
+        CheckTable<String, String> checkTable = CheckTable.create(allIndicesResolved, actions);
 
         StatefulIndexPrivileges statefulIndex = this.currentStatefulIndexPrivileges();
         PrivilegesEvaluatorResponse resultFromStatefulIndex = null;