From 5093c8a4df09fe665fe93eb6e5a994206adcfc2b Mon Sep 17 00:00:00 2001
From: Sarat Vemulapalli
Date: Mon, 26 Oct 2020 21:11:44 -0400
Subject: [PATCH] Injecting User role for background job (#295)

* Injecting User role for background job
---
 .../ad/AnomalyDetectorJobRunner.java | 26 ++++++++++++++++++-
 .../ad/AnomalyDetectorJobRunnerTests.java | 5 +++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunner.java b/src/main/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunner.java
index ae4d21c5..31345968 100644
--- a/src/main/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunner.java
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunner.java
@@ -24,6 +24,7 @@
 import java.io.IOException;
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ExecutorService;
@@ -61,6 +62,7 @@
 import com.amazon.opendistroforelasticsearch.ad.transport.handler.AnomalyIndexHandler;
 import com.amazon.opendistroforelasticsearch.ad.transport.handler.DetectionStateHandler;
 import com.amazon.opendistroforelasticsearch.ad.util.ClientUtil;
+import com.amazon.opendistroforelasticsearch.commons.InjectSecurity;
 import com.amazon.opendistroforelasticsearch.commons.authuser.User;
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.JobExecutionContext;
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.LockModel;
@@ -69,6 +71,7 @@
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.schedule.IntervalSchedule;
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.utils.LockService;
 import com.google.common.base.Throwables;
+import com.google.common.collect.ImmutableList;
 /**
 * JobScheduler will call AD job runner to get anomaly result periodically
@@ -207,8 +210,29 @@ protected void runAdJob(
 );
 return;
 }
+ /*
+ * We need to handle 3 cases:
+ * 1. Detectors created by older versions and never updated. These detectors wont have User details in the
+ * detector object. `detector.user` will be null. Insert `all_access, AmazonES_all_access` role.
+ * 2. Detectors are created when security plugin is disabled, these will have empty User object.
+ * (`detector.user.name`, `detector.user.roles` are empty )
+ * 3. Detectors are created when security plugin is enabled, these will have an User object.
+ * This will inject user role and check if the user role has permissions to call the execute
+ * Anomaly Result API.
+ */
+ String user;
+ List roles;
+ if (((AnomalyDetectorJob) jobParameter).getUser() == null) {
+ user = "";
+ roles = settings.getAsList("", ImmutableList.of("all_access", "AmazonES_all_access"));
+ } else {
+ user = ((AnomalyDetectorJob) jobParameter).getUser().getName();
+ roles = ((AnomalyDetectorJob) jobParameter).getUser().getRoles();
+ }
- try {
+ try (InjectSecurity injectSecurity = new InjectSecurity(detectorId, settings, client.threadPool().getThreadContext())) {
+ // Injecting user role to verify if the user has permissions for our API.
+ injectSecurity.inject(user, roles);
 indexUtil.updateMappingIfNecessary();
 AnomalyResultRequest request = new AnomalyResultRequest(
 detectorId,
diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunnerTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunnerTests.java
index 0f17ebd2..ea8948c7 100644
--- a/src/test/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunnerTests.java
+++ b/src/test/java/com/amazon/opendistroforelasticsearch/ad/AnomalyDetectorJobRunnerTests.java
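Review bot: The legacy-detector branch (`getUser() == null`) injects `all_access` and `AmazonES_all_access` through `settings.getAsList("", ImmutableList.of(...))`, but an empty setting key is presumably never set, so the list is not actually configurable and every pre-security detector runs its background job with these full-privilege roles; if that is the intended backward-compatibility behaviour, state it in the comment and pass the list directly, `roles = ImmutableList.of("all_access", "AmazonES_all_access");`, otherwise read it from a named setting so operators can narrow it. `List roles;` is a raw type; `getRoles()` presumably returns `List<String>`, so declare `List<String> roles;` and avoid the unchecked assignment. The comment enumerates three cases but the code has two branches — case 2 (empty User from a security-disabled install) falls into the `else` branch and injects an empty name and empty roles, which is worth saying explicitly so a reader does not look for a missing third branch. The `(AnomalyDetectorJob) jobParameter` cast is repeated three times and could be hoisted into one local before the `if`. `runAdJob` starts and ends outside the hunk.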
@@ -61,6 +61,7 @@
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 import org.mockito.Mock;
+import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
 import com.amazon.opendistroforelasticsearch.ad.common.exception.EndRunException;
@@ -135,7 +136,9 @@ public void setup() throws Exception {
 ThreadFactory threadFactory = EsExecutors.daemonThreadFactory(EsExecutors.threadName("node1", "test-ad"));
 ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
 executorService = EsExecutors.newFixed("test-ad", 4, 100, threadFactory, threadContext);
- doReturn(executorService).when(mockedThreadPool).executor(anyString());
+ Mockito.doReturn(executorService).when(mockedThreadPool).executor(anyString());
+ Mockito.doReturn(mockedThreadPool).when(client).threadPool();
+ Mockito.doReturn(threadContext).when(mockedThreadPool).getThreadContext();
 runner.setThreadPool(mockedThreadPool);
 runner.setClient(client);
 runner.setClientUtil(clientUtil);
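Review bot: The three stubs in `setup()` switch to the qualified `Mockito.doReturn` while the removed line used the bare, static-imported `doReturn`, so that static import is presumably still in the file; keeping `doReturn(executorService).when(mockedThreadPool).executor(anyString());` and writing the two new stubs the same way avoids mixing both forms in one method and makes the new `org.mockito.Mockito` import unnecessary. The new stubs only wire `client.threadPool().getThreadContext()` so that `InjectSecurity` can be constructed; nothing in this hunk exercises the role-selection branches in `runAdJob` (job with a null user versus a job carrying a user with roles), which is exactly where a regression would silently widen or drop the privileges the background job runs with, so a test per branch is worth adding. `setup()` continues outside the hunk.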