Stash context for List IOCs Api (opensearch-project#1278)

* stash context for list iocs api

Signed-off-by: Joanne Wang <[email protected]>

* refactor list iocs

Signed-off-by: Joanne Wang <[email protected]>

* refactor list iocs action response

Signed-off-by: Joanne Wang <[email protected]>

---------

Signed-off-by: Joanne Wang <[email protected]>

src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java

@@ -70,7 +70,7 @@
 import org.opensearch.securityanalytics.action.IndexDetectorAction;
 import org.opensearch.securityanalytics.action.IndexRuleAction;
 import org.opensearch.securityanalytics.action.ListCorrelationsAction;
-import org.opensearch.securityanalytics.action.ListIOCsAction;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsAction;
 import org.opensearch.securityanalytics.action.SearchCorrelationRuleAction;
 import org.opensearch.securityanalytics.action.SearchCustomLogTypeAction;
 import org.opensearch.securityanalytics.action.SearchDetectorAction;
@@ -113,7 +113,7 @@
 import org.opensearch.securityanalytics.resthandler.RestIndexDetectorAction;
 import org.opensearch.securityanalytics.resthandler.RestIndexRuleAction;
 import org.opensearch.securityanalytics.resthandler.RestListCorrelationAction;
-import org.opensearch.securityanalytics.resthandler.RestListIOCsAction;
+import org.opensearch.securityanalytics.threatIntel.resthandler.RestListIOCsAction;
 import org.opensearch.securityanalytics.resthandler.RestSearchCorrelationAction;
 import org.opensearch.securityanalytics.resthandler.RestSearchCorrelationRuleAction;
 import org.opensearch.securityanalytics.resthandler.RestSearchCustomLogTypeAction;
@@ -197,7 +197,7 @@
 import org.opensearch.securityanalytics.transport.TransportIndexDetectorAction;
 import org.opensearch.securityanalytics.transport.TransportIndexRuleAction;
 import org.opensearch.securityanalytics.transport.TransportListCorrelationAction;
-import org.opensearch.securityanalytics.transport.TransportListIOCsAction;
+import org.opensearch.securityanalytics.threatIntel.transport.TransportListIOCsAction;
 import org.opensearch.securityanalytics.transport.TransportSearchCorrelationAction;
 import org.opensearch.securityanalytics.transport.TransportSearchCorrelationRuleAction;
 import org.opensearch.securityanalytics.transport.TransportSearchCustomLogTypeAction;

src/main/java/org/opensearch/securityanalytics/action/ListIOCsAction.java → src/main/java/org/opensearch/securityanalytics/threatIntel/action/ListIOCsAction.java

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package org.opensearch.securityanalytics.action;
+package org.opensearch.securityanalytics.threatIntel.action;
 
 import org.opensearch.action.ActionType;
 

src/main/java/org/opensearch/securityanalytics/action/ListIOCsActionRequest.java → src/main/java/org/opensearch/securityanalytics/threatIntel/action/ListIOCsActionRequest.java

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package org.opensearch.securityanalytics.action;
+package org.opensearch.securityanalytics.threatIntel.action;
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
@@ -14,7 +14,6 @@
 import org.opensearch.securityanalytics.commons.model.IOCType;
 
 import java.io.IOException;
-import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 import java.util.stream.Collectors;

src/main/java/org/opensearch/securityanalytics/action/ListIOCsActionResponse.java → src/main/java/org/opensearch/securityanalytics/threatIntel/action/ListIOCsActionResponse.java

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package org.opensearch.securityanalytics.action;
+package org.opensearch.securityanalytics.threatIntel.action;
 
 import org.opensearch.core.action.ActionResponse;
 import org.opensearch.core.common.io.stream.StreamInput;

src/main/java/org/opensearch/securityanalytics/resthandler/RestListIOCsAction.java → src/main/java/org/opensearch/securityanalytics/threatIntel/resthandler/RestListIOCsAction.java

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package org.opensearch.securityanalytics.resthandler;
+package org.opensearch.securityanalytics.threatIntel.resthandler;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -18,9 +18,9 @@
 import org.opensearch.rest.RestResponse;
 import org.opensearch.rest.action.RestResponseListener;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
-import org.opensearch.securityanalytics.action.ListIOCsAction;
-import org.opensearch.securityanalytics.action.ListIOCsActionRequest;
-import org.opensearch.securityanalytics.action.ListIOCsActionResponse;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsAction;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionRequest;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionResponse;
 
 import java.io.IOException;
 import java.util.List;

src/main/java/org/opensearch/securityanalytics/transport/TransportListIOCsAction.java → src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportListIOCsAction.java

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package org.opensearch.securityanalytics.transport;
+package org.opensearch.securityanalytics.threatIntel.transport;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -19,16 +19,17 @@
 import org.opensearch.cluster.routing.Preference;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.commons.alerting.model.Table;
+import org.opensearch.commons.authuser.User;
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.index.IndexNotFoundException;
 import org.opensearch.index.query.BoolQueryBuilder;
-import org.opensearch.index.query.Operator;
 import org.opensearch.index.query.QueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
 import org.opensearch.search.SearchHit;
@@ -37,22 +38,23 @@
 import org.opensearch.search.sort.SortBuilder;
 import org.opensearch.search.sort.SortBuilders;
 import org.opensearch.search.sort.SortOrder;
-import org.opensearch.securityanalytics.action.ListIOCsAction;
-import org.opensearch.securityanalytics.action.ListIOCsActionRequest;
-import org.opensearch.securityanalytics.action.ListIOCsActionResponse;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsAction;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionRequest;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionResponse;
 import org.opensearch.securityanalytics.model.DetailedSTIX2IOCDto;
 import org.opensearch.securityanalytics.model.STIX2IOC;
 import org.opensearch.securityanalytics.model.STIX2IOCDto;
 import org.opensearch.securityanalytics.model.threatintel.IocFinding;
 import org.opensearch.securityanalytics.model.threatintel.IocWithFeeds;
+import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
 import org.opensearch.securityanalytics.threatIntel.action.GetIocFindingsAction;
 import org.opensearch.securityanalytics.threatIntel.action.GetIocFindingsRequest;
 import org.opensearch.securityanalytics.threatIntel.action.GetIocFindingsResponse;
 import org.opensearch.securityanalytics.threatIntel.model.DefaultIocStoreConfig;
 import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfig;
 import org.opensearch.securityanalytics.threatIntel.service.DefaultTifSourceConfigLoaderService;
 import org.opensearch.securityanalytics.threatIntel.service.SATIFSourceConfigService;
-import org.opensearch.securityanalytics.threatIntel.transport.TransportSearchTIFSourceConfigsAction;
+import org.opensearch.securityanalytics.transport.SecureTransportAction;
 import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
@@ -83,6 +85,8 @@ public class TransportListIOCsAction extends HandledTransportAction<ListIOCsActi
     private final NamedXContentRegistry xContentRegistry;
     private final ThreadPool threadPool;
     private final SATIFSourceConfigService saTifSourceConfigService;
+    private final Settings settings;
+    private volatile Boolean filterByEnabled;
 
     @Inject
     public TransportListIOCsAction(
@@ -93,7 +97,8 @@ public TransportListIOCsAction(
             DefaultTifSourceConfigLoaderService defaultTifSourceConfigLoaderService,
             Client client,
             NamedXContentRegistry xContentRegistry,
-            ActionFilters actionFilters
+            ActionFilters actionFilters,
+            Settings settings
     ) {
         super(ListIOCsAction.NAME, transportService, actionFilters, ListIOCsActionRequest::new);
         this.clusterService = clusterService;
@@ -103,6 +108,8 @@ public TransportListIOCsAction(
         this.client = client;
         this.xContentRegistry = xContentRegistry;
         this.threadPool = this.client.threadPool();
+        this.settings = settings;
+        this.filterByEnabled = SecurityAnalyticsSettings.FILTER_BY_BACKEND_ROLES.get(this.settings);
     }
 
     @Override
@@ -127,6 +134,15 @@ class AsyncListIOCsAction {
         }
 
         void start() {
+            // validate user
+            User user = readUserFromThreadContext(TransportListIOCsAction.this.threadPool);
+            String validateBackendRoleMessage = validateUserBackendRoles(user, TransportListIOCsAction.this.filterByEnabled);
+            if (!"".equals(validateBackendRoleMessage)) {
+                listener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
+                return;
+            }
+            TransportListIOCsAction.this.threadPool.getThreadContext().stashContext(); // stash context to make calls as admin client
+
             StepListener<Void> defaultTifConfigsLoadedListener = null;
             try {
                 defaultTifConfigsLoadedListener = new StepListener<>();

src/test/java/org/opensearch/securityanalytics/resthandler/ListIOCsRestApiIT.java

@@ -11,7 +11,7 @@
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
 import org.opensearch.securityanalytics.TestHelpers;
-import org.opensearch.securityanalytics.action.ListIOCsActionResponse;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionResponse;
 import org.opensearch.securityanalytics.commons.model.IOCType;
 import org.opensearch.securityanalytics.model.STIX2IOC;
 import org.opensearch.securityanalytics.model.STIX2IOCDto;

src/test/java/org/opensearch/securityanalytics/resthandler/SourceConfigWithoutS3RestApiIT.java

@@ -22,8 +22,8 @@
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
-import org.opensearch.securityanalytics.action.ListIOCsActionRequest;
-import org.opensearch.securityanalytics.action.ListIOCsActionResponse;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionRequest;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionResponse;
 import org.opensearch.securityanalytics.commons.model.IOCType;
 import org.opensearch.securityanalytics.model.STIX2IOCDto;
 import org.opensearch.securityanalytics.threatIntel.common.SourceConfigType;

src/test/java/org/opensearch/securityanalytics/resthandler/ThreatIntelMonitorRestApiIT.java

@@ -17,7 +17,7 @@
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
-import org.opensearch.securityanalytics.action.ListIOCsActionRequest;
+import org.opensearch.securityanalytics.threatIntel.action.ListIOCsActionRequest;
 import org.opensearch.securityanalytics.commons.model.IOCType;
 import org.opensearch.securityanalytics.model.Detector;
 import org.opensearch.securityanalytics.model.DetectorTrigger;