Refactor building role from single role descriptor (#91107)

This PR refactors functionality for building a role from a single role
descriptor. This used to be handled by a specialized constructor of the
Role.Builder class that accessed internal fields. This PR consolidates
this logic into a static method that uses the builder's canonical
methods instead. The method is used to construct the roles of internal
users, from static role descriptors, as well as in test code.

Relates: #90614 (comment)

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -34,6 +34,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.function.Predicate;
 
@@ -177,10 +178,6 @@ static Builder builder(RestrictedIndices restrictedIndices, String... names) {
         return new Builder(restrictedIndices, names);
     }
 
-    static Builder builder(RoleDescriptor rd, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
-        return new Builder(rd, fieldPermissionsCache, restrictedIndices);
-    }
-
     class Builder {
 
         private final String[] names;
@@ -196,26 +193,6 @@ private Builder(RestrictedIndices restrictedIndices, String[] names) {
             this.names = names;
         }
 
-        private Builder(RoleDescriptor rd, @Nullable FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
-            // TODO handle this when we introduce remote index privileges for built-in users and roles. That's the only production code
-            // using this builder
-            assert false == rd.hasRemoteIndicesPrivileges();
-            this.names = new String[] { rd.getName() };
-            cluster(Sets.newHashSet(rd.getClusterPrivileges()), Arrays.asList(rd.getConditionalClusterPrivileges()));
-            groups.addAll(convertFromIndicesPrivileges(rd.getIndicesPrivileges(), fieldPermissionsCache));
-
-            final RoleDescriptor.ApplicationResourcePrivileges[] applicationPrivileges = rd.getApplicationPrivileges();
-            for (RoleDescriptor.ApplicationResourcePrivileges applicationPrivilege : applicationPrivileges) {
-                applicationPrivs.add(convertApplicationPrivilege(applicationPrivilege));
-            }
-
-            String[] rdRunAs = rd.getRunAs();
-            if (rdRunAs != null && rdRunAs.length > 0) {
-                this.runAs(new Privilege(Sets.newHashSet(rdRunAs), rdRunAs));
-            }
-            this.restrictedIndices = restrictedIndices;
-        }
-
         public Builder cluster(Set<String> privilegeNames, Iterable<ConfigurableClusterPrivilege> configurableClusterPrivileges) {
             ClusterPermission.Builder builder = ClusterPermission.builder();
             if (privilegeNames.isEmpty() == false) {
@@ -314,41 +291,6 @@ public SimpleRole build() {
             return new SimpleRole(names, cluster, indices, applicationPermission, runAs, remoteIndices);
         }
 
-        static List<IndicesPermissionGroupDefinition> convertFromIndicesPrivileges(
-            RoleDescriptor.IndicesPrivileges[] indicesPrivileges,
-            @Nullable FieldPermissionsCache fieldPermissionsCache
-        ) {
-            List<IndicesPermissionGroupDefinition> list = new ArrayList<>(indicesPrivileges.length);
-            for (RoleDescriptor.IndicesPrivileges privilege : indicesPrivileges) {
-                final FieldPermissions fieldPermissions;
-                if (fieldPermissionsCache != null) {
-                    fieldPermissions = fieldPermissionsCache.getFieldPermissions(privilege.getGrantedFields(), privilege.getDeniedFields());
-                } else {
-                    fieldPermissions = new FieldPermissions(
-                        new FieldPermissionsDefinition(privilege.getGrantedFields(), privilege.getDeniedFields())
-                    );
-                }
-                final Set<BytesReference> query = privilege.getQuery() == null ? null : Collections.singleton(privilege.getQuery());
-                list.add(
-                    new IndicesPermissionGroupDefinition(
-                        IndexPrivilege.get(Sets.newHashSet(privilege.getPrivileges())),
-                        fieldPermissions,
-                        query,
-                        privilege.allowRestrictedIndices(),
-                        privilege.getIndices()
-                    )
-                );
-            }
-            return list;
-        }
-
-        static Tuple<ApplicationPrivilege, Set<String>> convertApplicationPrivilege(RoleDescriptor.ApplicationResourcePrivileges arp) {
-            return new Tuple<>(
-                new ApplicationPrivilege(arp.getApplication(), Sets.newHashSet(arp.getPrivileges()), arp.getPrivileges()),
-                Sets.newHashSet(arp.getResources())
-            );
-        }
-
         private static class IndicesPermissionGroupDefinition {
             private final IndexPrivilege privilege;
             private final FieldPermissions fieldPermissions;
@@ -371,4 +313,52 @@ private IndicesPermissionGroupDefinition(
             }
         }
     }
+
+    static SimpleRole buildFromRoleDescriptor(
+        final RoleDescriptor roleDescriptor,
+        final FieldPermissionsCache fieldPermissionsCache,
+        final RestrictedIndices restrictedIndices
+    ) {
+        // TODO handle this when we introduce remote index privileges for built-in users and roles. That's the only production code
+        // using this builder
+        assert false == roleDescriptor.hasRemoteIndicesPrivileges();
+        Objects.requireNonNull(fieldPermissionsCache);
+
+        final Builder builder = builder(restrictedIndices, roleDescriptor.getName());
+
+        builder.cluster(
+            Sets.newHashSet(roleDescriptor.getClusterPrivileges()),
+            Arrays.asList(roleDescriptor.getConditionalClusterPrivileges())
+        );
+
+        for (RoleDescriptor.IndicesPrivileges indexPrivilege : roleDescriptor.getIndicesPrivileges()) {
+            builder.add(
+                fieldPermissionsCache.getFieldPermissions(
+                    new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+                ),
+                indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
+                IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
+                indexPrivilege.allowRestrictedIndices(),
+                indexPrivilege.getIndices()
+            );
+        }
+
+        for (RoleDescriptor.ApplicationResourcePrivileges applicationPrivilege : roleDescriptor.getApplicationPrivileges()) {
+            builder.addApplicationPrivilege(
+                new ApplicationPrivilege(
+                    applicationPrivilege.getApplication(),
+                    Sets.newHashSet(applicationPrivilege.getPrivileges()),
+                    applicationPrivilege.getPrivileges()
+                ),
+                Sets.newHashSet(applicationPrivilege.getResources())
+            );
+        }
+
+        final String[] rdRunAs = roleDescriptor.getRunAs();
+        if (rdRunAs != null && rdRunAs.length > 0) {
+            builder.runAs(new Privilege(Sets.newHashSet(rdRunAs), rdRunAs));
+        }
+
+        return builder.build();
+    }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java

@@ -28,11 +28,11 @@ public void testEmptyRoleHasNoEmptyListOfNames() {
     }
 
     public void testHasPrivilegesCache() throws ExecutionException {
-        final SimpleRole role = Role.builder(
+        final SimpleRole role = Role.buildFromRoleDescriptor(
             new RoleDescriptor(randomAlphaOfLengthBetween(3, 8), new String[] { "monitor" }, null, null),
-            null,
+            new FieldPermissionsCache(Settings.EMPTY),
             RESTRICTED_INDICES
-        ).build();
+        );
 
         // cache is null to begin with
         assertThat(role.getHasPrivilegesCache(), nullValue());