Validation for index name expressions (#139023) (#139628)

Add validation for index name expressions used in security roles and
API keys:

- An expression that starts with slash (/) must be a valid
  Lucene regular expression
- Commas are not allowed outside of a regular expression

Author: ebarlas

docs/changelog/139023.yaml

@@ -0,0 +1,5 @@
+pr: 139023
+summary: Add comma delimiter validation to index name expressions in roles and API keys
+area: Security
+type: bug
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java

@@ -7,6 +7,7 @@
 
 package org.elasticsearch.xpack.core.security.action.role;
 
+import org.apache.lucene.util.automaton.RegExp;
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
@@ -140,6 +141,24 @@ private static ActionRequestValidationException validateIndexNameExpression(
                 validationException
             );
         }
+        if (indexNameExpression != null) {
+            if (indexNameExpression.startsWith("/")) {
+                if (indexNameExpression.length() == 1 || indexNameExpression.endsWith("/") == false) {
+                    return addValidationError("invalid regular expression pattern [" + indexNameExpression + "]", validationException);
+                }
+                String regex = indexNameExpression.substring(1, indexNameExpression.length() - 1);
+                try {
+                    new RegExp(regex);
+                } catch (IllegalArgumentException e) {
+                    return addValidationError("invalid regular expression pattern [" + indexNameExpression + "]", validationException);
+                }
+            } else if (indexNameExpression.contains(",")) {
+                validationException = addValidationError(
+                    "commas [,] are not allowed in the index name expression [" + indexNameExpression + "]",
+                    validationException
+                );
+            }
+        }
         return validationException;
     }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidatorTests.java

@@ -73,6 +73,57 @@ public void testSelectorsValidation() {
         }
     }
 
+    public void testCommaValidation() {
+        String[] invalidIndexNames = {
+            "index1,index2",
+            "logs-*,metrics-*",
+            ",leading",
+            "trailing,",
+            "a,b,c",
+            "my,index",
+            randomAlphaOfLengthBetween(3, 6) + "," + randomAlphaOfLengthBetween(3, 6) };
+        for (String indexName : invalidIndexNames) {
+            validateAndAssertCommaNotAllowed(roleWithIndexPrivileges(indexName), indexName);
+            validateAndAssertCommaNotAllowed(roleWithRemoteIndexPrivileges(indexName), indexName);
+        }
+
+        String[] validIndexNames = {
+            "no-comma",
+            "logs-*",
+            "*",
+            "",
+            null,
+            "index:with:colons",
+            "/regex,with,commas/",
+            "/[a-z]+,[0-9]+/",
+            "/logs-(foo|bar),.*/" };
+        for (String indexName : validIndexNames) {
+            validateAndAssertNoException(roleWithIndexPrivileges(indexName), indexName);
+            validateAndAssertNoException(roleWithRemoteIndexPrivileges(indexName), indexName);
+        }
+    }
+
+    public void testRegularExpressionValidation() {
+        String[] invalidRegexPatterns = { "/", "/unclosed", "/[invalid/", "/(/", "/[a-/" };
+        for (String indexName : invalidRegexPatterns) {
+            validateAndAssertInvalidRegex(roleWithIndexPrivileges(indexName), indexName);
+            validateAndAssertInvalidRegex(roleWithRemoteIndexPrivileges(indexName), indexName);
+        }
+
+        String[] validRegexPatterns = {
+            "/logs-.*/",
+            "/[a-z]+/",
+            "/[abc]{2,5}/",
+            "/index-[0-9]{4}/",
+            "/.*/",
+            "/*/",
+            "/logs-[0-9]{4}\\.[0-9]{2}\\.[0-9]{2}/" };
+        for (String indexName : validRegexPatterns) {
+            validateAndAssertNoException(roleWithIndexPrivileges(indexName), indexName);
+            validateAndAssertNoException(roleWithRemoteIndexPrivileges(indexName), indexName);
+        }
+    }
+
     private static void validateAndAssertSelectorNotAllowed(RoleDescriptor roleDescriptor, String indexName) {
         var validationException = RoleDescriptorRequestValidator.validate(roleDescriptor);
         assertThat("expected validation exception for " + indexName, validationException, notNullValue());
@@ -82,6 +133,21 @@ private static void validateAndAssertSelectorNotAllowed(RoleDescriptor roleDescr
         );
     }
 
+    private static void validateAndAssertCommaNotAllowed(RoleDescriptor roleDescriptor, String indexName) {
+        var validationException = RoleDescriptorRequestValidator.validate(roleDescriptor);
+        assertThat("expected validation exception for " + indexName, validationException, notNullValue());
+        assertThat(
+            validationException.validationErrors(),
+            containsInAnyOrder("commas [,] are not allowed in the index name expression [" + indexName + "]")
+        );
+    }
+
+    private static void validateAndAssertInvalidRegex(RoleDescriptor roleDescriptor, String indexName) {
+        var validationException = RoleDescriptorRequestValidator.validate(roleDescriptor);
+        assertThat("expected validation exception for " + indexName, validationException, notNullValue());
+        assertThat(validationException.validationErrors(), containsInAnyOrder("invalid regular expression pattern [" + indexName + "]"));
+    }
+
     private static void validateAndAssertNoException(RoleDescriptor roleDescriptor, String indexName) {
         var validationException = RoleDescriptorRequestValidator.validate(roleDescriptor);
         assertThat("expected no validation exception for " + indexName, validationException, nullValue());