From b317a1aa8e7f95bb536991c5991ce62bbac66f27 Mon Sep 17 00:00:00 2001
From: Stephen Crawford
Date: Tue, 13 Aug 2024 11:24:48 -0400
Subject: [PATCH] Expand RoleV7 to include Resources
Signed-off-by: Stephen Crawford
---
 .../opensearch/security/privileges/PrivilegesEvaluator.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 199442ee03..7568139a2e 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -138,6 +138,7 @@ public class PrivilegesEvaluator {
 private final SnapshotRestoreEvaluator snapshotRestoreEvaluator;
 private final SystemIndexAccessEvaluator systemIndexAccessEvaluator;
 private final ProtectedIndexAccessEvaluator protectedIndexAccessEvaluator;
+ private final ResourceAccessEvaluator resourceAccessEvaluator;
 private final TermsAggregationEvaluator termsAggregationEvaluator;
 private final PitPrivilegesEvaluator pitPrivilegesEvaluator;
 private DynamicConfigModel dcm;
@@ -174,6 +175,7 @@ public PrivilegesEvaluator(
 snapshotRestoreEvaluator = new SnapshotRestoreEvaluator(settings, auditLog);
 systemIndexAccessEvaluator = new SystemIndexAccessEvaluator(settings, auditLog, irr);
 protectedIndexAccessEvaluator = new ProtectedIndexAccessEvaluator(settings, auditLog);
+ resourceAccessEvaluator = new ResourceAccessEvaluator();
 termsAggregationEvaluator = new TermsAggregationEvaluator();
 pitPrivilegesEvaluator = new PitPrivilegesEvaluator();
 this.namedXContentRegistry = namedXContentRegistry;
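Review bot: `new ResourceAccessEvaluator()` is constructed with no arguments, while the three access evaluators created just above it all receive `settings` and `auditLog`. If this evaluator can deny a request, that denial presumably cannot be recorded in the audit log from inside it, and its behaviour cannot be driven by settings; confirm that is intended, or give it the same dependencies, e.g. `resourceAccessEvaluator = new ResourceAccessEvaluator(settings, auditLog);` with a matching constructor. The `ResourceAccessEvaluator` class is not part of the patch as shown, so this is unverified here, and the constructor body continues outside the hunk.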
@@ -347,6 +349,10 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)
 return presponse;
 }
 
+ if (resourceAccessEvaluator.evaluate(request, action0, securityRoles, user, clusterService).isComplete()) {
+ return presponse;
+ }
+
 // check access for point in time requests
 if (pitPrivilegesEvaluator.evaluate(request, clusterService, user, securityRoles, action0, resolver, presponse, irr).isComplete()) {
 return presponse;
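Review bot: The value returned by `resourceAccessEvaluator.evaluate(...)` is used only for `isComplete()` and then dropped, and `presponse` is not among its arguments, so the `presponse` returned on the next line cannot carry the evaluator's allow/deny decision or missing privileges unless they are shared in some way not visible here. The `pitPrivilegesEvaluator` call just below passes `presponse` in, so the two early returns are not equivalent. Either pass `presponse` into the new evaluator, or keep its result and return that: `final PrivilegesEvaluatorResponse resourceResponse = resourceAccessEvaluator.evaluate(request, action0, securityRoles, user, clusterService);` then `if (resourceResponse.isComplete()) { return resourceResponse; }` (assuming that is the return type). Because this is an early return on the authorization path, a one-line comment stating what a complete response means here (denied, or allowed and skipping the later checks) would also help. `evaluate()` begins and ends outside the hunk.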