opensearch-project
diff --git a/‎spi/src/main/java/org/opensearch/security/spi/resources/sharing/Recipients.java‎
Lines changed: 11 additions & 5 deletions b/‎spi/src/main/java/org/opensearch/security/spi/resources/sharing/Recipients.java‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎src/main/java/org/opensearch/security/resources/ResourceAccessHandler.java‎
Lines changed: 37 additions & 2 deletions b/‎src/main/java/org/opensearch/security/resources/ResourceAccessHandler.java‎
Lines changed: 37 additions & 2 deletions
diff --git a/‎src/main/java/org/opensearch/security/resources/ResourceSharingIndexHandler.java‎
Lines changed: 108 additions & 24 deletions b/‎src/main/java/org/opensearch/security/resources/ResourceSharingIndexHandler.java‎
Lines changed: 108 additions & 24 deletions
@@ -60,16 +60,22 @@ public Map<Recipient, Set<String>> getRecipients() {
     public void share(Recipients target) {
         Map<Recipient, Set<String>> targetRecipients = target.getRecipients();
         for (Recipient recipientType : targetRecipients.keySet()) {
-            Set<String> updatedRecipients = recipients.get(recipientType);
-            updatedRecipients.addAll(targetRecipients.get(recipientType));
+            if (!recipients.containsKey(recipientType)) { // will not be present in case of very first share
+                recipients.put(recipientType, targetRecipients.get(recipientType));
+            } else {
+                Set<String> updatedRecipients = recipients.get(recipientType);
+                updatedRecipients.addAll(targetRecipients.get(recipientType));
+            }
         }
     }
 
     public void revoke(Recipients target) {
         Map<Recipient, Set<String>> targetRecipients = target.getRecipients();
         for (Recipient recipientType : targetRecipients.keySet()) {
-            Set<String> updatedRecipients = recipients.get(recipientType);
-            updatedRecipients.removeAll(targetRecipients.get(recipientType));
+            if (recipients.containsKey(recipientType)) { // no need to revoke if access was not granted in first place
+                Set<String> updatedRecipients = recipients.get(recipientType);
+                updatedRecipients.removeAll(targetRecipients.get(recipientType));
+            }
         }
     }
 
@@ -117,7 +123,7 @@ public static Recipients fromXContent(XContentParser parser) throws IOException
 
     @Override
     public String toString() {
-        return "{" + recipients + '}';
+        return recipients.toString();
     }
 
     @Override
 
@@ -13,11 +13,11 @@
 
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import com.fasterxml.jackson.databind.JsonNode;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -128,7 +128,7 @@ public void getOwnAndSharedResourceIdsForCurrentUser(@NonNull String resourceInd
     public void patchSharingInfo(
         @NonNull String resourceId,
         @NonNull String resourceIndex,
-        @NonNull JsonNode patchContent,
+        @NonNull Map<String, Object> patchContent,
         ActionListener<ResourceSharing> listener
     ) {
         final UserSubjectImpl userSubject = (UserSubjectImpl) threadContext.getPersistent(
@@ -165,6 +165,41 @@ public void patchSharingInfo(
 
     }
 
+    /**
+     * Get sharing info for this record
+     * @param resourceId    id of the resource whose sharing info is to be fetched
+     * @param resourceIndex name of the resource index
+     * @param listener      listener to be notified of final resource sharing record
+     */
+    public void getSharingInfo(@NonNull String resourceId, @NonNull String resourceIndex, ActionListener<ResourceSharing> listener) {
+        final UserSubjectImpl userSubject = (UserSubjectImpl) threadContext.getPersistent(
+            ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER
+        );
+        final User user = (userSubject == null) ? null : userSubject.getUser();
+
+        if (user == null) {
+            LOGGER.warn("No authenticated user found. Failed to fetch resource sharing info {}", resourceId);
+            listener.onFailure(
+                new OpenSearchStatusException(
+                    "No authenticated user found. Failed to fetch resource sharing info " + resourceId,
+                    RestStatus.UNAUTHORIZED
+                )
+            );
+            return;
+        }
+
+        LOGGER.debug("User {} is fetching sharing info for resource {} in index {}", user.getName(), resourceId, resourceIndex);
+
+        this.resourceSharingIndexHandler.fetchSharingInfo(resourceIndex, resourceId, ActionListener.wrap(sharingInfo -> {
+            LOGGER.debug("Successfully fetched sharing info for resource {} in index {}", resourceId, resourceIndex);
+            listener.onResponse(sharingInfo);
+        }, e -> {
+            LOGGER.error("Failed to fetched sharing info for resource {} in index {}: {}", resourceId, resourceIndex, e.getMessage());
+            listener.onFailure(e);
+        }));
+
+    }
+
     /**
      * Shares a resource with the specified users, roles, and backend roles.
      *
 
@@ -10,12 +10,13 @@
 package org.opensearch.security.resources;
 
 import java.io.IOException;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -37,6 +38,7 @@
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.search.SearchScrollRequest;
 import org.opensearch.action.support.WriteRequest;
+import org.opensearch.common.Nullable;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
@@ -56,7 +58,6 @@
 import org.opensearch.search.Scroll;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
-import org.opensearch.security.dlic.rest.support.Utils;
 import org.opensearch.security.spi.resources.sharing.CreatedBy;
 import org.opensearch.security.spi.resources.sharing.Recipient;
 import org.opensearch.security.spi.resources.sharing.Recipients;
@@ -65,8 +66,6 @@
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.client.Client;
 
-import com.flipkart.zjsonpatch.JsonPatch;
-
 import static org.opensearch.common.xcontent.XContentFactory.jsonBuilder;
 
 /**
@@ -608,17 +607,109 @@ public void revoke(String resourceId, String resourceIndex, ShareWith revokeAcce
     }
 
     /**
-     * Fetch existing share_with, apply JSON-Patch ops, and update the document.
-     * Three ops are supported:
-     * 1. Move -> upgrade or downgrade access
-     * 2. Add -> share with new entities
-     * 3. Remove -> revoke access
+     * Helper method to build shareWith object from the supplied patch to then be used to apply the patch
+     * @param patch source content
+     * @return the parsed content map of entities to share and to revoke
+     */
+    @SuppressWarnings("unchecked")
+    private Map<String, ShareWith> patchParser(Map<String, Object> patch) {
+        Map<String, ShareWith> patches = new HashMap<>(2);
+        patches.put("share_with", buildShareWithObject((Map<String, Object>) patch.get("share_with")));
+        patches.put("revoke", buildShareWithObject((Map<String, Object>) patch.get("revoke")));
+        return patches;
+    }
+
+    /**
+     * Helper to build the shareWith structure to be used to apply the patch
+     */
+    @SuppressWarnings("unchecked")
+    private ShareWith buildShareWithObject(Map<String, Object> rawMap) {
+        ShareWith sw = new ShareWith(new HashMap<>());
+        try {
+            if (rawMap == null) return sw;
+
+            for (var e : rawMap.entrySet()) {
+                String level = e.getKey();
+
+                Map<String, Object> recMap = (Map<String, Object>) e.getValue();
+
+                Map<Recipient, Set<String>> recipients = new HashMap<>();
+                for (var rec : recMap.entrySet()) {
+                    recipients.put(Recipient.valueOf(rec.getKey().toUpperCase(Locale.ROOT)), new HashSet<>((List<String>) rec.getValue()));
+                }
+
+                sw.getSharingInfo().put(level, new Recipients(recipients));
+            }
+        } catch (Exception e) {
+            LOGGER.debug("Failed to build share with object", e);
+        }
+        return sw;
+    }
+
+    /**
+     * Applies the patch to the original resource-sharing share-with record.
+     * @param existing current share-with object
+     * @param patches updates to be applied; share-with will be added and revoke will be removed
+     * @return updated share-with object
+     */
+    private ShareWith applyPatch(@Nullable ShareWith existing, Map<String, ShareWith> patches) {
+        Map<String, Recipients> updated = new HashMap<>();
+
+        // 1) put all current values into the update map
+        if (existing != null) {
+            updated.putAll(existing.getSharingInfo());
+        }
+
+        // 2) apply all the "share_with" patches
+        ShareWith sharePatch = patches.get("share_with");
+        if (sharePatch != null) {
+            for (var entry : sharePatch.getSharingInfo().entrySet()) {
+                String level = entry.getKey();
+                Recipients toShare = entry.getValue();
+                // if there’s already a Recipients at that level, merge into it;
+                // otherwise insert a fresh copy of the patch
+                updated.merge(level, toShare, (origRecipients, patchCopy) -> {
+                    origRecipients.share(toShare);
+                    return origRecipients;
+                });
+            }
+        }
+
+        // 3) apply all the "revoke" patches
+        ShareWith revokePatch = patches.get("revoke");
+        if (revokePatch != null) {
+            for (var entry : revokePatch.getSharingInfo().entrySet()) {
+                String level = entry.getKey();
+                Recipients toRevoke = entry.getValue();
+                // we revoke only if we already had any recipients at that level
+                updated.computeIfPresent(level, (lvl, origRecipients) -> {
+                    origRecipients.revoke(toRevoke);
+                    return origRecipients;
+                });
+            }
+        }
+
+        // 4) return a new ShareWith object with the updated recipients
+        return new ShareWith(updated);
+    }
+
+    /**
+     * Fetch existing share_with, apply the patch ops in-memory, and update the sharing record.
+     * Two ops are supported:
+     * 1. share_with -> upgrade or downgrade access; share with new entities
+     * 2. revoke -> revoke access for existing entities
      * @param resourceId    id of the resource to apply the patch to
      * @param resourceIndex name of the index where resource is present
      * @param patchContent  the patch to be applied
      * @param listener      listener to be notified in case of success or failure
      */
-    public void patchSharingInfo(String resourceId, String resourceIndex, JsonNode patchContent, ActionListener<ResourceSharing> listener) {
+    public void patchSharingInfo(
+        String resourceId,
+        String resourceIndex,
+        Map<String, Object> patchContent,
+        ActionListener<ResourceSharing> listener
+    ) {
+
         StepListener<ResourceSharing> sharingInfoListener = new StepListener<>();
         String resourceSharingIndex = getSharingIndex(resourceIndex);
 
@@ -627,20 +718,13 @@ public void patchSharingInfo(String resourceId, String resourceIndex, JsonNode p
 
         // Apply patch and update the document
         sharingInfoListener.whenComplete(resourceSharing -> {
-            // TODO see if .getShareWith() call should be removed, if so patch content path must be "/share_with"
-            final var sharingNode = (ObjectNode) Utils.convertJsonToJackson(resourceSharing.getShareWith(), true);
-            JsonNode updatedSharingNode = JsonPatch.apply(sharingNode, patchContent);
-
-            ResourceSharing updatedSharingInfo;
-
-            try (
-                XContentParser parser = XContentType.JSON.xContent()
-                    .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, updatedSharingNode.toString())
-            ) {
-                ShareWith shareWith = ShareWith.fromXContent(parser);
-                updatedSharingInfo = new ResourceSharing(resourceId, resourceSharing.getCreatedBy(), shareWith);
-            }
+            // parse and apply the patch
+            Map<String, ShareWith> patches = patchParser(patchContent);
+            ShareWith updatedShareWith = applyPatch(resourceSharing.getShareWith(), patches);
+
+            ResourceSharing updatedSharingInfo = new ResourceSharing(resourceId, resourceSharing.getCreatedBy(), updatedShareWith);
 
+            // update the record
             IndexRequest ir = client.prepareIndex(resourceSharingIndex)
                 .setId(resourceId)
                 .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)