[Resource Sharing] Adds post support for update sharing info API (opensearch-project#5799)

Signed-off-by: Darshit Chanpura <[email protected]>

Author: DarshitChanpura

CHANGELOG.md

@@ -39,6 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add security provider earlier in bootstrap process ([#5749](https://github.com/opensearch-project/security/pull/5749))
 - [GRPC] Fix compilation errors from core protobuf version bump to 0.23.0 ([#5763](https://github.com/opensearch-project/security/pull/5763))
 - Modularized PrivilegesEvaluator ([#5791](https://github.com/opensearch-project/security/pull/5791))
+- [Resource Sharing] Adds post support for update sharing info API ([#5799](https://github.com/opensearch-project/security/pull/5799))
 
 ### Maintenance
 - Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.1 ([#5678](https://github.com/opensearch-project/security/pull/5678), [#5764](https://github.com/opensearch-project/security/pull/5764))

RESOURCE_SHARING_AND_ACCESS_CONTROL.md

@@ -639,6 +639,8 @@ Read documents from a plugin’s index and migrate ownership and backend role-ba
 }
 ```
 
+**NOTE:** Can only be invoked successfully by a [REST admin](https://docs.opensearch.org/latest/security/access-control/api/#access-control-for-the-api) or an [admin certificate user](https://docs.opensearch.org/latest/security/access-control/users-roles/#super-admin-users).
+
 
 ## **4. Resource Sharing API**
 
@@ -700,10 +702,11 @@ Creates or replaces sharing settings for a resource.
 }
 ```
 
-### 2. `PATCH /_plugins/_security/api/resource/share`
+### 2. `PATCH /_plugins/_security/api/resource/share` and `POST /_plugins/_security/api/resource/share`
 
 **Description:**
 Updates sharing settings by **adding** or **removing** recipients at any access level. Unlike `PUT`, this is a **non-destructive** operation.
+Can be used alternatively. POST version supports calls from dashboards.
 
 **Request Body:**
 
@@ -750,7 +753,7 @@ Updates sharing settings by **adding** or **removing** recipients at any access
 }
 ```
 
-#### Allowed Patch operations:
+#### Allowed Patch/Post operations:
 - `"add"` – Adds recipients
 - `"revoke"` – Removes recipients
 
@@ -851,26 +854,28 @@ NOTE:
 
 ## Who Can Use This?
 
-| API                                             | Permission Required               | Intended User     |
-|-------------------------------------------------|-----------------------------------|-------------------|
+| API                                              | Permission Required               | Intended User     |
+|--------------------------------------------------|-----------------------------------|-------------------|
 | `POST /_plugins/_security/api/resources/migrate` | REST admin or Super admin         | Cluster admin     |
-| `PUT /_plugins/_security/api/resource/share`    | Resource Owner                    | Dashboards / REST |
-| `PATCH /_plugins/_security/api/resource/share`  | Resource Owner / share permission | Dashboards / REST |
-| `GET /_plugins/_security/api/resource/share`    | Resource Owner / read permission  | Dashboards / REST |
-| `GET /_plugins/_security/api/resource/types`    | Dashboard access                  | Dashboards |
-| `GET /_plugins/_security/api/resource/list`     | Dashboard access                  | Dashboards |
+| `PUT /_plugins/_security/api/resource/share`     | Resource Owner                    | Dashboards / REST |
+| `PATCH /_plugins/_security/api/resource/share`   | Resource Owner / share permission | REST              |
+| `POST /_plugins/_security/api/resource/share`    | Resource Owner / share permission | Dashboards / REST |
+| `GET /_plugins/_security/api/resource/share`     | Resource Owner / read permission  | Dashboards / REST |
+| `GET /_plugins/_security/api/resource/types`     | Dashboard access                  | Dashboards        |
+| `GET /_plugins/_security/api/resource/list`      | Dashboard access                  | Dashboards        |
 
 
 ## When to Use
 
-| Use Case                                                    | API                                              |
-|-------------------------------------------------------------|--------------------------------------------------|
-| Migrating existing plugin-specific sharing configs          | `POST /_plugins/_security/api/resources/migrate` |
-| Sharing a document with another user or role                | `PUT /_plugins/_security/api/resource/share`     |
-| Granting/revoking access without affecting others           | `PATCH /_plugins/_security/api/resource/share`   |
-| Fetching the current sharing status of a resource           | `GET /_plugins/_security/api/resource/share`     |
-| Listing resource type. Encouraged only for dashboard access | `GET /_plugins/_security/api/resource/types`     |
-| Listing accessible resources in given resource index.       | `GET /_plugins/_security/api/resource/list`      |
+| Use Case                                                       | API                                              |
+|----------------------------------------------------------------|--------------------------------------------------|
+| Migrating existing plugin-specific sharing configs             | `POST /_plugins/_security/api/resources/migrate` |
+| Sharing a document with another user or role                   | `PUT /_plugins/_security/api/resource/share`     |
+| Granting/revoking access without affecting others              | `PATCH /_plugins/_security/api/resource/share`   |
+| Granting/revoking access without affecting others (dashboards) | `POST /_plugins/_security/api/resource/share`    |
+| Fetching the current sharing status of a resource              | `GET /_plugins/_security/api/resource/share`     |
+| Listing resource type. Encouraged only for dashboard access    | `GET /_plugins/_security/api/resource/types`     |
+| Listing accessible resources in given resource index.          | `GET /_plugins/_security/api/resource/list`      |
 
 
 ## **5. Best Practices For Users & Admins**

sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/securityapis/ShareApiTests.java

@@ -15,6 +15,8 @@
 
 import com.carrotsearch.randomizedtesting.RandomizedRunner;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.io.entity.StringEntity;
 import org.apache.http.HttpStatus;
 import org.junit.After;
 import org.junit.Before;
@@ -260,6 +262,86 @@ public void testPatchSharingInfo() {
                 response.assertStatusCode(HttpStatus.SC_FORBIDDEN);
             }
         }
+
+        @Test
+        public void testPostSharingInfo() {
+            Map<Recipient, Set<String>> recs = new HashMap<>();
+            Set<String> users = new HashSet<>();
+            users.add(FULL_ACCESS_USER.getName());
+            recs.put(Recipient.USERS, users);
+            Recipients recipients = new Recipients(recs);
+
+            TestUtils.PatchSharingInfoPayloadBuilder patchSharingInfoPayloadBuilder = new TestUtils.PatchSharingInfoPayloadBuilder();
+            patchSharingInfoPayloadBuilder.resourceId(adminResId).resourceType(RESOURCE_TYPE).share(recipients, SAMPLE_FULL_ACCESS);
+
+            // full-access user cannot share with itself since user doesn't have permission to share
+            try (TestRestClient client = cluster.getRestClient(FULL_ACCESS_USER)) {
+                TestRestClient.HttpResponse response = client.post(
+                    SECURITY_SHARE_ENDPOINT,
+                    new StringEntity(patchSharingInfoPayloadBuilder.build(), ContentType.APPLICATION_JSON)
+                );
+                response.assertStatusCode(HttpStatus.SC_FORBIDDEN);
+            }
+
+            // a sharing entry should be created successfully since admin has access to share API
+            try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+                TestRestClient.HttpResponse response = client.post(
+                    SECURITY_SHARE_ENDPOINT,
+                    new StringEntity(patchSharingInfoPayloadBuilder.build(), ContentType.APPLICATION_JSON)
+                );
+                response.assertStatusCode(HttpStatus.SC_OK);
+                assertThat(response.getBody(), containsString(FULL_ACCESS_USER.getName()));
+            }
+
+            // limited access user will not be able to call patch endpoint
+            try (TestRestClient client = cluster.getRestClient(LIMITED_ACCESS_USER)) {
+                TestRestClient.HttpResponse response = client.post(
+                    SECURITY_SHARE_ENDPOINT,
+                    new StringEntity(patchSharingInfoPayloadBuilder.build(), ContentType.APPLICATION_JSON)
+                );
+                response.assertStatusCode(HttpStatus.SC_FORBIDDEN);
+            }
+
+            // full-access user will now be able to patch and grant access to limited access user
+            // they can also shoot themselves in the foot and remove own access
+            try (TestRestClient client = cluster.getRestClient(FULL_ACCESS_USER)) {
+                // add limited user
+                users.add(LIMITED_ACCESS_USER.getName());
+                patchSharingInfoPayloadBuilder.share(recipients, SAMPLE_FULL_ACCESS);
+                // remove self
+                Set<String> revokedUsers = new HashSet<>();
+                revokedUsers.add(FULL_ACCESS_USER.getName());
+                recs.put(Recipient.USERS, revokedUsers);
+                recipients = new Recipients(recs);
+                patchSharingInfoPayloadBuilder.revoke(recipients, SAMPLE_FULL_ACCESS);
+
+                TestRestClient.HttpResponse response = client.post(
+                    SECURITY_SHARE_ENDPOINT,
+                    new StringEntity(patchSharingInfoPayloadBuilder.build(), ContentType.APPLICATION_JSON)
+                );
+                response.assertStatusCode(HttpStatus.SC_OK);
+            }
+
+            // limited access user will now be able to call get and patch endpoint, but full-access won't
+            try (TestRestClient client = cluster.getRestClient(LIMITED_ACCESS_USER)) {
+                TestRestClient.HttpResponse response = client.get(SAMPLE_RESOURCE_GET_ENDPOINT + "/" + adminResId);
+                response.assertStatusCode(HttpStatus.SC_OK);
+                response = client.post(
+                    SECURITY_SHARE_ENDPOINT,
+                    new StringEntity(patchSharingInfoPayloadBuilder.build(), ContentType.APPLICATION_JSON)
+                );
+                response.assertStatusCode(HttpStatus.SC_OK);
+            }
+            try (TestRestClient client = cluster.getRestClient(FULL_ACCESS_USER)) {
+                TestRestClient.HttpResponse response = client.get(SAMPLE_RESOURCE_GET_ENDPOINT + "/" + adminResId);
+                response.assertStatusCode(HttpStatus.SC_FORBIDDEN);
+                response = client.post(
+                    SECURITY_SHARE_ENDPOINT,
+                    new StringEntity(patchSharingInfoPayloadBuilder.build(), ContentType.APPLICATION_JSON)
+                );
+                response.assertStatusCode(HttpStatus.SC_FORBIDDEN);
+            }
+        }
     }
 
 }

src/main/java/org/opensearch/security/resources/api/share/ShareRequest.java

@@ -95,7 +95,7 @@ public ActionRequestValidationException validate() {
             arv.addValidationError("share_with is required");
             throw arv;
         }
-        if (method == RestRequest.Method.PATCH && add == null && revoke == null) {
+        if ((method == RestRequest.Method.PATCH || method == RestRequest.Method.POST) && add == null && revoke == null) {
             arv.addValidationError("either add or revoke must be present");
             throw arv;
         }

src/main/java/org/opensearch/security/resources/api/share/ShareRestAction.java

@@ -26,6 +26,7 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.PATCH;
+import static org.opensearch.rest.RestRequest.Method.POST;
 import static org.opensearch.rest.RestRequest.Method.PUT;
 import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_API_RESOURCE_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
@@ -55,7 +56,7 @@ public ShareRestAction(
     @Override
     public List<Route> routes() {
         return addRoutesPrefix(
-            ImmutableList.of(new Route(PUT, "/share"), new Route(GET, "/share"), new Route(PATCH, "/share")),
+            ImmutableList.of(new Route(PUT, "/share"), new Route(GET, "/share"), new Route(PATCH, "/share"), new Route(POST, "/share")),
             PLUGIN_API_RESOURCE_ROUTE_PREFIX
         );
     }

src/main/java/org/opensearch/security/resources/api/share/ShareTransportAction.java

@@ -45,6 +45,7 @@ protected void doExecute(Task task, ShareRequest request, ActionListener<ShareRe
                 resourceAccessHandler.getSharingInfo(request.id(), request.type(), sharingInfoListener);
                 return;
             case PATCH:
+            case POST:
                 resourceAccessHandler.patchSharingInfo(
                     request.id(),
                     request.type(),