Check if system index in SecurityIndexSeacherWrapper

Signed-off-by: 10000-ki <[email protected]>

src/test/java/org/opensearch/security/IndexIntegrationTests.java

@@ -831,28 +831,4 @@ public void testIndexResolveMinus() throws Exception {
         Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, resc.getStatusCode());
 
     }
-
-    @Test
-    public void testNormalIndexCanBeSearchedEvenWithoutSystemIndexPermissions() throws Exception {
-
-        setup(
-            Settings.EMPTY,
-            new DynamicSecurityConfig().setConfig("composite_config.yml").setSecurityRoles("roles_composite.yml"),
-            Settings.builder().put("plugins.security.system_indices.enabled", true)
-                .put("plugins.security.system_indices.permission.enabled", true).build(),
-            true
-        );
-        final RestHelper rh = nonSslRestHelper();
-
-        try (Client tc = getClient()) {
-            tc.index(new IndexRequest("klingonempire").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON))
-                .actionGet();
-        }
-
-        HttpResponse resc = rh.executeGetRequest("klingonempire/_search", encodeBasicHeader("worf", "worf"));
-        Assert.assertEquals(200, resc.getStatusCode());
-        Assert.assertTrue(resc.getBody(), resc.getBody().contains("\"_index\":\"klingonempire\""));
-        Assert.assertTrue(resc.getBody(), resc.getBody().contains("hits"));
-        Assert.assertTrue(resc.getBody(), resc.getBody().contains("\"content\":1"));
-    }
 }

src/test/java/org/opensearch/security/system_indices/AbstractSystemIndicesTests.java

@@ -54,6 +54,10 @@ public abstract class AbstractSystemIndicesTests extends SingleClusterTest {
         SYSTEM_INDEX_WITH_NO_ASSOCIATED_ROLE_PERMISSIONS,
         ACCESSIBLE_ONLY_BY_SUPER_ADMIN
     );
+    static final List<String> NO_SYSTEM_INDICES = List.of(
+        ".no_system_index_1",
+        ".no_system_index_2"
+    );
 
     static final List<String> INDICES_FOR_CREATE_REQUEST = List.of(".system_index_2");
     static final String matchAllQuery = "{\n\"query\": {\"match_all\": {}}}";
@@ -117,6 +121,14 @@ void createTestIndicesAndDocs() {
                         .source("{ \"foo\": \"bar\" }", XContentType.JSON)
                 ).actionGet();
             }
+
+            for (String index : NO_SYSTEM_INDICES) {
+                tc.index(
+                    new IndexRequest(index).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)
+                        .id("document1")
+                        .source("{ \"foo\": \"bar\" }", XContentType.JSON)
+                ).actionGet();
+            }
         }
     }
 

src/test/java/org/opensearch/security/system_indices/SystemIndexPermissionEnabledTests.java

@@ -106,6 +106,17 @@ public void testSearchAsNormalUserWithoutSystemIndexAccess() {
         validateForbiddenResponse(response, "indices:data/read/search", normalUserWithoutSystemIndex);
     }
 
+    @Test
+    public void testNormalIndexShouldAlwaysBeSearchable() throws Exception {
+        RestHelper restHelper = sslRestHelper();
+
+        // search system indices
+        for (String index : NO_SYSTEM_INDICES) {
+            RestHelper.HttpResponse response = restHelper.executePostRequest(index + "/_search", "", normalUserWithoutSystemIndexHeader);
+            validateSearchResponse(response, 1);
+        }
+    }
+
     /**
      *  DELETE document + index
      */

src/test/resources/system_indices/roles.yml

@@ -31,5 +31,6 @@ normal_role_without_system_index:
   index_permissions:
     - index_patterns:
         - '.system*'
+        - '.no_system*'
       allowed_actions:
         - '*'