[9.0] Fix unsupported privileges error message during role and API key creation (#128858) (#129158) (#129274)

* Fix unsupported privileges error message during role and API key creation

* [CI] Auto commit changes from spotless

* Add changelog file

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>

Author: gmjehovich

docs/changelog/129158.yaml

@@ -0,0 +1,6 @@
+pr: 129158
+summary: Fix unsupported privileges error message during role and API key creation
+area: Authorization
+type: enhancement
+issues:
+  - 128132

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -291,7 +291,7 @@ private static IndexPrivilege resolve(Set<String> name) {
                         + part
                         + "]. a privilege must be either "
                         + "one of the predefined fixed indices privileges ["
-                        + Strings.collectionToCommaDelimitedString(VALUES.entrySet())
+                        + Strings.collectionToCommaDelimitedString(names().stream().sorted().collect(Collectors.toList()))
                         + "] or a pattern over one of the available index"
                         + " actions";
                     logger.debug(errorMessage);

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java

@@ -14,14 +14,17 @@
 import org.elasticsearch.action.index.TransportIndexAction;
 import org.elasticsearch.action.search.TransportSearchAction;
 import org.elasticsearch.action.update.TransportUpdateAction;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.util.iterable.Iterables;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.rollup.action.GetRollupIndexCapsAction;
 import org.elasticsearch.xpack.core.transform.action.GetCheckpointAction;
 
 import java.util.Collection;
 import java.util.List;
+import java.util.Locale;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.findPrivilegesThatGrant;
 import static org.hamcrest.Matchers.containsInAnyOrder;
@@ -145,4 +148,25 @@ public void testCrossClusterReplicationPrivileges() {
         assertThat(Operations.subsetOf(crossClusterReplicationInternal.automaton, IndexPrivilege.get(Set.of("all")).automaton), is(true));
     }
 
+    public void testInvalidPrivilegeErrorMessage() {
+        final String unknownPrivilege = randomValueOtherThanMany(
+            i -> IndexPrivilege.values().containsKey(i),
+            () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT)
+        );
+
+        IllegalArgumentException exception = expectThrows(
+            IllegalArgumentException.class,
+            () -> IndexPrivilege.get(Set.of(unknownPrivilege))
+        );
+
+        final String expectedFullErrorMessage = "unknown index privilege ["
+            + unknownPrivilege
+            + "]. a privilege must be either "
+            + "one of the predefined fixed indices privileges ["
+            + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList()))
+            + "] or a pattern over one of the available index"
+            + " actions";
+
+        assertEquals(expectedFullErrorMessage, exception.getMessage());
+    }
 }

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java

@@ -9,12 +9,17 @@
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase;
 
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.stream.Collectors;
 
+import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.names;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.hasKey;
@@ -316,6 +321,19 @@ public void testBulkUpdates() throws Exception {
     public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {
         final String badRoleName = "bad-role";
 
+        final String unknownPrivilege = randomValueOtherThanMany(
+            i -> names().contains(i),
+            () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT)
+        );
+
+        final String expectedExceptionMessage = "unknown index privilege ["
+            + unknownPrivilege
+            + "]. a privilege must be either "
+            + "one of the predefined fixed indices privileges ["
+            + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList()))
+            + "] or a pattern over one of the available index"
+            + " actions";
+
         final ResponseException exception = expectThrows(ResponseException.class, () -> upsertRoles(String.format("""
             {
                 "roles": {
@@ -326,17 +344,17 @@ public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {
                                     "indices": [
                                         {
                                             "names": ["allowed-index-prefix-*"],
-                                            "privileges": ["foobar"]
+                                            "privileges": ["%s"]
                                         }
                                     ]
                                 }
                             }
                         }
                     }
                 }
-            }""", badRoleName)));
+            }""", badRoleName, unknownPrivilege)));
 
-        assertThat(exception.getMessage(), containsString("unknown index privilege [foobar]"));
+        assertThat(exception.getMessage(), containsString(expectedExceptionMessage));
         assertEquals(400, exception.getResponse().getStatusLine().getStatusCode());
         assertRoleDoesNotExist(badRoleName);
     }