Separated DLS/FLS privilege evaluation from action privilege evaluation

[nibix]

Description

This change is in preparation for #3870 and #4380 .

This cuts off some parts from the quite big and monolithic method PrivilegesEvaluator.evaluate() into separate methods and modules.

This achieves several things:

• Better separation of concerns, thus better modularization and thus better understandability, re-usability and testability

• Computations of DLS/FLS privileges are done directly in the DLS/FLS valve code. Thus, if DLS/FLS valve is disabled, no DLS/FLS privileges are computed

• The new class PrivilegesEvaluationContext combines commonly needed information for privilege evaluation and thus allows to shorten the parameter lists of many methods in this context. For this PR, only the PrivilegesEvaluator.evaluate() method itself is changed, but further adaptions will follow up when due.

• Category - Refactoring

• Why these changes are required?

  • For #3870, we need to re-build the privilege evaluation code both for the normal action privilege evaluation and for DLS/FLS. Even though these are quite separate and different things, these are currently intermingled in one big monolith. The changes for #3870 will be easier to understand if they are structured better.

• What is the old behavior before changes and new behavior after changes? - No changes.

Issues Resolved

Contributes to #3870

Testing

• Existing integration tests

Check List

• [ ] New functionality includes testing
• [x] New functionality has been documented
• [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov[bot]]

Codecov Report

Attention: Patch coverage is 87.14286% with 9 lines in your changes missing coverage. Please review.

Project coverage is 65.26%. Comparing base (9caf5cb) to head (7d70bc6). Report is 1 commits behind head on main.

Additional details and impacted files

[](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project) ```diff @@ Coverage Diff @@ ## main #4490 +/- ## ========================================== - Coverage 65.27% 65.26% -0.02% ========================================== Files 313 314 +1 Lines 22058 22091 +33 Branches 3563 3562 -1 ========================================== + Hits 14398 14417 +19 - Misses 5889 5900 +11 - Partials 1771 1774 +3 ``` | [Files](https://app.codecov.io/gh/opensearch-project/security/pull/4490?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project) | Coverage Δ | | |---|---|---| | [...rch/security/configuration/DlsFlsRequestValve.java](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2Fconfiguration%2FDlsFlsRequestValve.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9jb25maWd1cmF0aW9uL0Rsc0Zsc1JlcXVlc3RWYWx2ZS5qYXZh) | `0.00% <ø> (ø)` | | | [...search/security/configuration/DlsFlsValveImpl.java](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2Fconfiguration%2FDlsFlsValveImpl.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9jb25maWd1cmF0aW9uL0Rsc0Zsc1ZhbHZlSW1wbC5qYXZh) | `59.80% <100.00%> (+0.75%)` | :arrow_up: | | [...org/opensearch/security/filter/SecurityFilter.java](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2Ffilter%2FSecurityFilter.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9maWx0ZXIvU2VjdXJpdHlGaWx0ZXIuamF2YQ==) | `66.51% <100.00%> (+0.79%)` | :arrow_up: | | [...curity/privileges/PrivilegesEvaluationContext.java](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2Fprivileges%2FPrivilegesEvaluationContext.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9wcml2aWxlZ2VzL1ByaXZpbGVnZXNFdmFsdWF0aW9uQ29udGV4dC5qYXZh) | `100.00% <100.00%> (ø)` | | | [.../opensearch/security/OpenSearchSecurityPlugin.java](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2FOpenSearchSecurityPlugin.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9PcGVuU2VhcmNoU2VjdXJpdHlQbHVnaW4uamF2YQ==) | `84.33% <50.00%> (+0.02%)` | :arrow_up: | | [...earch/security/privileges/PrivilegesEvaluator.java](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2Fprivileges%2FPrivilegesEvaluator.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9wcml2aWxlZ2VzL1ByaXZpbGVnZXNFdmFsdWF0b3IuamF2YQ==) | `71.96% <84.00%> (-0.21%)` | :arrow_down: | | [...curity/privileges/PrivilegesEvaluatorResponse.java](https://app.codecov.io/gh/opensearch-project/security/pull/4490?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2Fprivileges%2FPrivilegesEvaluatorResponse.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9wcml2aWxlZ2VzL1ByaXZpbGVnZXNFdmFsdWF0b3JSZXNwb25zZS5qYXZh) | `76.66% <60.00%> (-5.95%)` | :arrow_down: | ... and [2 files with indirect coverage changes](https://app.codecov.io/gh/opensearch-project/security/pull/4490/indirect-changes?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project)