[Security] Include an empty json object in an json array when FLS filters out all fields (#30709)

martijnvg · martijnvg · commit c0d7aa2a2711 · 2018-05-22T13:55:09.000+02:00
Prior to this change an json array element with no fields would be omitted from json array. Nested inner hits source filtering relies on the fact that the json array element numbering remains untouched and this causes AOOB exceptions in the ES side during the fetch phase without this change. Closes #30624
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
@@ -193,9 +193,7 @@ private static List<Object> filter(Iterable<?> iterable, CharacterRunAutomaton i
                     continue;
                 }
                 Map<String, Object> filteredValue = filter((Map<String, ?>)value, includeAutomaton, state);
-                if (filteredValue.isEmpty() == false) {
-                    filtered.add(filteredValue);
-                }
+                filtered.add(filteredValue);
             } else if (value instanceof Iterable) {
                 List<Object> filteredValue = filter((Iterable<?>) value, includeAutomaton, initialState);
                 if (filteredValue.isEmpty() == false) {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
@@ -716,6 +716,22 @@ public void testSourceFiltering() {
         expected.put("foo", subArray);
 
         assertEquals(expected, filtered);
+
+        // json array objects that have no matching fields should be left empty instead of being removed:
+        // (otherwise nested inner hit source filtering fails with AOOB)
+        map = new HashMap<>();
+        map.put("foo", "value");
+        List<Map<?, ?>> values = new ArrayList<>();
+        values.add(Collections.singletonMap("foo", "1"));
+        values.add(Collections.singletonMap("baz", "2"));
+        map.put("bar", values);
+
+        include = new CharacterRunAutomaton(Automatons.patterns("bar.baz"));
+        filtered = FieldSubsetReader.filter(map, include, 0);
+
+        expected = new HashMap<>();
+        expected.put("bar", Arrays.asList(new HashMap<>(), Collections.singletonMap("baz", "2")));
+        assertEquals(expected, filtered);
     }
 
     /**
