From 2c6cb84b283246e258526f15b2d723a025823211 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 27 Jan 2025 14:20:18 -0500
Subject: [PATCH] Ensure that plugin can update on system index when utilizing pluginSubject.runAs (#5055)

Signed-off-by: Craig Perkins
(cherry picked from commit ec99e7eb0191e521b2c7046ba3fbfcc633cac6fc)
Signed-off-by: Craig Perkins
---
 .../systemindex/AbstractSystemIndexTests.java | 34 ++++++++++
 .../RestUpdateOnSystemIndexAction.java | 64 +++++++++++++++++++
 .../sampleplugin/SystemIndexPlugin1.java | 3 +-
 .../configuration/DlsFlsValveImpl.java | 4 +-
 4 files changed, 103 insertions(+), 2 deletions(-)
 create mode 100644 src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java

diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/AbstractSystemIndexTests.java b/src/integrationTest/java/org/opensearch/security/systemindex/AbstractSystemIndexTests.java
index f4ab842f54..73c87dce59 100644
--- a/src/integrationTest/java/org/opensearch/security/systemindex/AbstractSystemIndexTests.java
+++ b/src/integrationTest/java/org/opensearch/security/systemindex/AbstractSystemIndexTests.java
@@ -149,6 +149,40 @@ public void testPluginShouldBeAbleGetOnItsSystemIndex() {
 assertThat(getResponse1.toPrettyString(), equalTo(getResponse2.toPrettyString()));
 }
 
+ @Test
+ public void testPluginShouldBeAbleUpdateOnItsSystemIndex() {
+ try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+ HttpResponse response = client.put("try-create-and-bulk-index/" + SYSTEM_INDEX_1);
+
+ assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+
+ HttpResponse searchResponse = client.get("search-on-system-index/" + SYSTEM_INDEX_1);
+
+ assertThat(searchResponse.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+ assertThat(searchResponse.getIntFromJsonBody("/hits/total/value"), equalTo(2));
+
+ String docId = searchResponse.getTextFromJsonBody("/hits/hits/0/_id");
+
+ HttpResponse updateResponse = client.put("update-on-system-index/" + SYSTEM_INDEX_1 + "/" + docId);
+
+ updateResponse.assertStatusCode(RestStatus.OK.getStatus());
+ }
+
+ try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
+ HttpResponse searchResponse = client.get(SYSTEM_INDEX_1 + "/_search");
+
+ searchResponse.assertStatusCode(RestStatus.OK.getStatus());
+
+ assertThat(searchResponse.getIntFromJsonBody("/hits/total/value"), equalTo(2));
+
+ String docId = searchResponse.getTextFromJsonBody("/hits/hits/0/_id");
+
+ HttpResponse getResponse = client.get(SYSTEM_INDEX_1 + "/_doc/" + docId);
+
+ assertThat("{\"content\":3}", equalTo(getResponse.bodyAsJsonNode().get("_source").toString()));
+ }
+ }
+
 @Test
 public void testPluginShouldNotBeAbleToIndexDocumentIntoSystemIndexRegisteredByOtherPlugin() {
 try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java
new file mode 100644
index 0000000000..97e71e1b99
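Review bot: The second `try` block in `testPluginShouldBeAbleUpdateOnItsSystemIndex` runs a fresh search and takes `/hits/hits/0/_id` again, so the document it fetches is not guaranteed to be the one the first block updated. With two documents and no sort, the order of hits is not something the test controls, so the check on `{"content":3}` can fail for the wrong document. Declaring `docId` before the first `try` and reusing it in `client.get(SYSTEM_INDEX_1 + "/_doc/" + docId)` ties the assertion to the updated document. The last assertion also has actual and expected swapped; `assertThat(getResponse.bodyAsJsonNode().get("_source").toString(), equalTo("{\"content\":3}"));` gives a readable failure message.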
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestUpdateOnSystemIndexAction.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+
+package org.opensearch.security.systemindex.sampleplugin;
+
+import java.util.List;
+
+import org.opensearch.action.update.UpdateRequest;
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.BytesRestResponse;
+import org.opensearch.rest.RestChannel;
+import org.opensearch.rest.RestRequest;
+
+import static java.util.Collections.singletonList;
+import static org.opensearch.rest.RestRequest.Method.PUT;
+
+public class RestUpdateOnSystemIndexAction extends BaseRestHandler {
+
+ private final RunAsSubjectClient pluginClient;
+
+ public RestUpdateOnSystemIndexAction(RunAsSubjectClient pluginClient) {
+ this.pluginClient = pluginClient;
+ }
+
+ @Override
+ public List routes() {
+ return singletonList(new Route(PUT, "/update-on-system-index/{index}/{docId}"));
+ }
+
+ @Override
+ public String getName() {
+ return "test_update_on_system_index_action";
+ }
+
+ @Override
+ public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) {
+ String indexName = request.param("index");
+ String docId = request.param("docId");
+ return new RestChannelConsumer() {
+
+ @Override
+ public void accept(RestChannel channel) throws Exception {
+ UpdateRequest updateRequest = new UpdateRequest();
+ updateRequest.index(indexName);
+ updateRequest.id(docId);
+ updateRequest.doc("content", 3);
+ pluginClient.update(updateRequest, ActionListener.wrap(r -> {
+ channel.sendResponse(new BytesRestResponse(RestStatus.OK, r.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS)));
+ }, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); }));
+ }
+ };
+ }
+}
diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java
index edd90d0568..4724a21e06 100644
--- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java
+++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java
@@ -90,7 +90,8 @@ public List getRestHandlers(
 new RestBulkIndexDocumentIntoSystemIndexAction(client, pluginClient),
 new RestBulkIndexDocumentIntoMixOfSystemIndexAction(client, pluginClient),
 new RestSearchOnSystemIndexAction(pluginClient),
- new RestGetOnSystemIndexAction(pluginClient)
+ new RestGetOnSystemIndexAction(pluginClient),
+ new RestUpdateOnSystemIndexAction(pluginClient)
 );
 }
 
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
index 10855bdd08..1776fb34f2 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
@@ -130,7 +130,9 @@ public void onConfigModelChanged(ConfigModel configModel) {
 */
 @Override
 public boolean invoke(PrivilegesEvaluationContext context, final ActionListener listener) {
-
+ if (HeaderHelper.isInternalOrPluginRequest(threadContext)) {
+ return true;
+ }
 EvaluatedDlsFlsConfig evaluatedDlsFlsConfig = configModel.getSecurityRoles()
 .filter(context.getMappedRoles())
 .getDlsFls(context.getUser(), dfmEmptyOverwritesAll, resolver, clusterService, namedXContentRegistry);
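Review bot: The failure branch of `accept` in `RestUpdateOnSystemIndexAction` answers every exception with `RestStatus.FORBIDDEN`, so a missing document or a version conflict looks the same as a denied privilege, which is the one thing this test handler exists to distinguish. Deriving the status from the exception keeps authorization failures separate: `channel.sendResponse(new BytesRestResponse(ExceptionsHelper.status(fr), String.valueOf(fr)));`, with an import of `org.opensearch.ExceptionsHelper`. If the other sample handlers in this package map failures to FORBIDDEN on purpose, a one-line comment saying so would be enough. The class also has no Javadoc; a short class comment stating that it is a test-only handler that updates a document through the plugin's `RunAsSubjectClient` would help.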
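Review bot: The new early return at the top of `invoke` in `DlsFlsValveImpl` skips DLS/FLS evaluation for every internal or plugin request, on any index and for any action, and nothing at the check says what makes that safe. Judging from the hunk alone, it seems to rely on two guarantees enforced elsewhere: that the marker read by `HeaderHelper.isInternalOrPluginRequest(threadContext)` cannot be set by a REST caller, and that privilege evaluation has already confined a plugin subject to its own system indices. I would state that above the check, for example `// Internal and plugin-subject requests carry no DLS/FLS restrictions; plugin index access is limited earlier by privilege evaluation.`, worded to match what the code really guarantees, and mention the short-circuit in the method's Javadoc, which ends just above the hunk. The accompanying integration test covers only the successful update; a case where the plugin is refused an update on a system index registered by another plugin would pin the boundary this bypass depends on. The body of `invoke` continues past the end of the hunk.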