Extracted ActionPrivileges interface and created RoleBasedActionPrivileges implementation and SubjectBasedActionPrivileges implementation

src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java

@@ -243,7 +243,8 @@ private static PrivilegesEvaluationContext ctx() {
             null,
             indexResolverReplacer,
             indexNameExpressionResolver,
-            () -> CLUSTER_STATE
+            () -> CLUSTER_STATE,
+            ActionPrivileges.EMPTY
         );
     }
 }

src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java

@@ -46,11 +46,12 @@
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.dlic.rest.api.Endpoint;
 import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.PermissionBuilder;
+import org.opensearch.security.privileges.actionlevel.RoleBasedActionPrivileges;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
-import org.opensearch.security.user.User;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
@@ -113,10 +114,10 @@ static String[] allRestApiPermissions() {
         }).toArray(String[]::new);
     }
 
-    final ActionPrivileges actionPrivileges;
+    final RoleBasedActionPrivileges actionPrivileges;
 
     public RestEndpointPermissionTests() throws IOException {
-        this.actionPrivileges = new ActionPrivileges(createRolesConfig(), FlattenedActionGroups.EMPTY, null, Settings.EMPTY);
+        this.actionPrivileges = new RoleBasedActionPrivileges(createRolesConfig(), FlattenedActionGroups.EMPTY, Settings.EMPTY);
     }
 
     @Test
@@ -250,8 +251,8 @@ static SecurityDynamicConfiguration<RoleV7> createRolesConfig() throws IOExcepti
         return SecurityDynamicConfiguration.fromNode(rolesNode, CType.ROLES, 2, 0, 0);
     }
 
-    static PrivilegesEvaluationContext ctx(String... roles) {
-        return new PrivilegesEvaluationContext(new User("test_user"), ImmutableSet.copyOf(roles), null, null, null, null, null, null);
+    PrivilegesEvaluationContext ctx(String... roles) {
+        return MockPrivilegeEvaluationContextBuilder.ctx().roles(roles).actionPrivileges(actionPrivileges).get();
     }
 
 }

src/integrationTest/java/org/opensearch/security/privileges/TenantPrivilegesTest.java

@@ -22,25 +22,21 @@
 import java.util.Set;
 
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import org.apache.commons.io.IOUtils;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 import org.junit.runners.Suite;
 
-import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.security.securityconf.DynamicConfigFactory;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.ActionGroupsV7;
 import org.opensearch.security.securityconf.impl.v7.RoleV7;
 import org.opensearch.security.securityconf.impl.v7.TenantV7;
-import org.opensearch.security.user.User;
+import org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -377,31 +373,11 @@ public void implicitGlobalTenantAccessGrantedByKibanaUserRole_notGranted() throw
     }
 
     static PrivilegesEvaluationContext ctx(String... roles) {
-        User user = new User("test_user").withAttributes(ImmutableMap.of("attrs.dept_no", "a1"));
-        return new PrivilegesEvaluationContext(
-            user,
-            ImmutableSet.copyOf(roles),
-            null,
-            null,
-            null,
-            null,
-            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
-            null
-        );
+        return MockPrivilegeEvaluationContextBuilder.ctx().roles(roles).attr("attrs.dept_no", "a1").get();
     }
 
     static PrivilegesEvaluationContext ctxWithDifferentUserAttr(String... roles) {
-        User user = new User("test_user").withAttributes(ImmutableMap.of("attrs.dept_no", "a10"));
-        return new PrivilegesEvaluationContext(
-            user,
-            ImmutableSet.copyOf(roles),
-            null,
-            null,
-            null,
-            null,
-            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
-            null
-        );
+        return MockPrivilegeEvaluationContextBuilder.ctx().roles(roles).attr("attrs.dept_no", "a10").get();
     }
 
     static String testResource(String fileName) throws IOException {

src/integrationTest/java/org/opensearch/security/privileges/actionlevel/EmptyActionPrivilegesTest.java

@@ -0,0 +1,67 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.privileges.actionlevel;
+
+import java.util.Set;
+
+import org.junit.Test;
+
+import org.opensearch.security.privileges.ActionPrivileges;
+import org.opensearch.security.privileges.PrivilegesEvaluatorResponse;
+import org.opensearch.security.resolver.IndexResolverReplacer;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isForbidden;
+import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.missingPrivileges;
+import static org.opensearch.security.util.MockPrivilegeEvaluationContextBuilder.ctx;
+
+public class EmptyActionPrivilegesTest {
+    final ActionPrivileges subject = ActionPrivileges.EMPTY;
+
+    @Test
+    public void hasClusterPrivilege() {
+        assertThat(
+            subject.hasClusterPrivilege(ctx().get(), "cluster:monitor/nodes/stats"),
+            isForbidden(missingPrivileges("cluster:monitor/nodes/stats"))
+        );
+    }
+
+    @Test
+    public void hasAnyClusterPrivilege() {
+        assertThat(subject.hasAnyClusterPrivilege(ctx().get(), Set.of("cluster:monitor/nodes/stats")), isForbidden());
+    }
+
+    @Test
+    public void hasExplicitClusterPrivilege() {
+        assertThat(subject.hasExplicitClusterPrivilege(ctx().get(), "cluster:monitor/nodes/stats"), isForbidden());
+    }
+
+    @Test
+    public void hasIndexPrivilege() {
+        PrivilegesEvaluatorResponse result = subject.hasIndexPrivilege(
+            ctx().get(),
+            Set.of("indices:data/write/index"),
+            IndexResolverReplacer.Resolved.ofIndex("any_index")
+        );
+        assertThat(result, isForbidden());
+    }
+
+    @Test
+    public void hasExplicitIndexPrivilege() {
+        PrivilegesEvaluatorResponse result = subject.hasExplicitIndexPrivilege(
+            ctx().get(),
+            Set.of("indices:data/write/index"),
+            IndexResolverReplacer.Resolved.ofIndex("any_index")
+        );
+        assertThat(result, isForbidden());
+    }
+}