address issue: transport action wrapper

Signed-off-by: Eric Wei <mengwei.eric@gmail.com>

Author: mengweieric

integ-test/src/test/java/org/opensearch/sql/security/PPLPermissionsIT.java

@@ -339,6 +339,23 @@ private JSONObject executeQueryAsUser(String query, String username) throws IOEx
     return new JSONObject(org.opensearch.sql.legacy.TestUtils.getResponseBody(response, true));
   }
 
+  /** Executes a grammar metadata request as a specific user with basic authentication. */
+  private JSONObject executeGrammarAsUser(String username) throws IOException {
+    Request request = new Request("GET", "/_plugins/_ppl/_grammar");
+
+    RequestOptions.Builder restOptionsBuilder = RequestOptions.DEFAULT.toBuilder();
+    restOptionsBuilder.addHeader(
+        "Authorization",
+        "Basic "
+            + java.util.Base64.getEncoder()
+                .encodeToString((username + ":" + STRONG_PASSWORD).getBytes()));
+    request.setOptions(restOptionsBuilder);
+
+    Response response = client().performRequest(request);
+    assertEquals(200, response.getStatusLine().getStatusCode());
+    return new JSONObject(org.opensearch.sql.legacy.TestUtils.getResponseBody(response, true));
+  }
+
   @Test
   public void testUserWithBankPermissionCanAccessBankIndex() throws IOException {
     // Test that bank_user can access bank index - this should work with the fix
@@ -512,6 +529,32 @@ public void testBankUserWithEvalCommand() throws IOException {
     verifyColumn(result, columnName("full_name"));
   }
 
+  @Test
+  public void testUserWithPPLPermissionCanAccessGrammarEndpoint() throws IOException {
+    JSONObject result = executeGrammarAsUser(BANK_USER);
+    assertTrue(result.has("bundleVersion"));
+    assertTrue(result.has("antlrVersion"));
+    assertTrue(result.has("grammarHash"));
+    assertTrue(result.has("tokenDictionary"));
+  }
+
+  @Test
+  public void testUserWithoutPPLPermissionCannotAccessGrammarEndpoint() throws IOException {
+    try {
+      executeGrammarAsUser(NO_PPL_USER);
+      fail("Expected security exception for user without PPL permission");
+    } catch (ResponseException e) {
+      assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
+      String responseBody =
+          org.opensearch.sql.legacy.TestUtils.getResponseBody(e.getResponse(), false);
+      assertTrue(
+          "Response should contain permission error message",
+          responseBody.contains("no permissions")
+              || responseBody.contains("Forbidden")
+              || responseBody.contains("cluster:admin/opensearch/ppl"));
+    }
+  }
+
   // Negative test cases for missing permissions
 
   @Test

plugin/src/main/java/org/opensearch/sql/plugin/rest/RestPPLGrammarAction.java

@@ -13,11 +13,16 @@
 import java.util.List;
 import lombok.extern.log4j.Log4j2;
 import org.opensearch.common.annotation.ExperimentalApi;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.BytesRestResponse;
+import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
+import org.opensearch.sql.plugin.transport.PPLQueryAction;
+import org.opensearch.sql.plugin.transport.TransportPPLQueryRequest;
+import org.opensearch.sql.plugin.transport.TransportPPLQueryResponse;
 import org.opensearch.sql.ppl.autocomplete.GrammarBundle;
 import org.opensearch.sql.ppl.autocomplete.PPLGrammarBundleBuilder;
 import org.opensearch.transport.client.node.NodeClient;
@@ -52,17 +57,50 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
 
     return channel -> {
       try {
-        GrammarBundle bundle = getOrBuildBundle();
-        XContentBuilder builder = channel.newBuilder();
-        serializeBundle(builder, bundle);
-        channel.sendResponse(new BytesRestResponse(RestStatus.OK, builder));
+        authorizeRequest(
+            client,
+            new ActionListener<>() {
+              @Override
+              public void onResponse(TransportPPLQueryResponse ignored) {
+                try {
+                  GrammarBundle bundle = getOrBuildBundle();
+                  XContentBuilder builder = channel.newBuilder();
+                  serializeBundle(builder, bundle);
+                  channel.sendResponse(new BytesRestResponse(RestStatus.OK, builder));
+                } catch (Exception e) {
+                  log.error("Error building or serializing PPL grammar", e);
+                  sendErrorResponse(channel, e);
+                }
+              }
+
+              @Override
+              public void onFailure(Exception e) {
+                log.error("PPL grammar authorization failed", e);
+                sendErrorResponse(channel, e);
+              }
+            });
       } catch (Exception e) {
-        log.error("Error building or serializing PPL grammar", e);
-        channel.sendResponse(new BytesRestResponse(channel, e));
+        log.error("Error authorizing PPL grammar request", e);
+        sendErrorResponse(channel, e);
       }
     };
   }
 
+  @VisibleForTesting
+  protected void authorizeRequest(
+      NodeClient client, ActionListener<TransportPPLQueryResponse> listener) {
+    client.execute(
+        PPLQueryAction.INSTANCE, new TransportPPLQueryRequest("", null, ENDPOINT_PATH), listener);
+  }
+
+  private void sendErrorResponse(RestChannel channel, Exception e) {
+    try {
+      channel.sendResponse(new BytesRestResponse(channel, e));
+    } catch (IOException ioException) {
+      log.error("Failed to send PPL grammar error response", ioException);
+    }
+  }
+
   // Thread-safe lazy initialization.
   private synchronized GrammarBundle getOrBuildBundle() {
     if (cachedBundle == null) {

plugin/src/main/java/org/opensearch/sql/plugin/transport/TransportPPLQueryAction.java

@@ -100,13 +100,21 @@ protected void doExecute(
                   + " false"));
       return;
     }
+
+    TransportPPLQueryRequest transportRequest = TransportPPLQueryRequest.fromActionRequest(request);
+    if (transportRequest.isGrammarRequest()) {
+      // Authorization is enforced by this transport action before returning grammar metadata in
+      // REST.
+      listener.onResponse(new TransportPPLQueryResponse("{}"));
+      return;
+    }
+
     Metrics.getInstance().getNumericalMetric(MetricName.PPL_REQ_TOTAL).increment();
     Metrics.getInstance().getNumericalMetric(MetricName.PPL_REQ_COUNT_TOTAL).increment();
 
     QueryContext.addRequestId();
 
     PPLService pplService = injector.getInstance(PPLService.class);
-    TransportPPLQueryRequest transportRequest = TransportPPLQueryRequest.fromActionRequest(request);
     // in order to use PPL service, we need to convert TransportPPLQueryRequest to PPLQueryRequest
     PPLQueryRequest transformedRequest = transportRequest.toPPLQueryRequest();
     QueryContext.setProfile(transformedRequest.profile());

plugin/src/main/java/org/opensearch/sql/plugin/transport/TransportPPLQueryRequest.java

@@ -119,7 +119,16 @@ public String getRequest() {
    * @return true if it is an explain request
    */
   public boolean isExplainRequest() {
-    return path.endsWith("/_explain");
+    return path != null && path.endsWith("/_explain");
+  }
+
+  /**
+   * Check if request is for grammar metadata endpoint.
+   *
+   * @return true if it is a grammar metadata request
+   */
+  public boolean isGrammarRequest() {
+    return path != null && path.endsWith("/_grammar");
   }
 
   /** Decide on the formatter by the requested format. */

plugin/src/test/java/org/opensearch/sql/plugin/rest/RestPPLGrammarActionTest.java

@@ -15,15 +15,18 @@
 import org.json.JSONObject;
 import org.junit.Before;
 import org.junit.Test;
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
 import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.MediaType;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestResponse;
+import org.opensearch.sql.plugin.transport.TransportPPLQueryResponse;
 import org.opensearch.sql.ppl.autocomplete.GrammarBundle;
 import org.opensearch.test.rest.FakeRestRequest;
 import org.opensearch.transport.client.node.NodeClient;
@@ -36,7 +39,14 @@ public class RestPPLGrammarActionTest {
 
   @Before
   public void setUp() {
-    action = new RestPPLGrammarAction();
+    action =
+        new RestPPLGrammarAction() {
+          @Override
+          protected void authorizeRequest(
+              NodeClient client, ActionListener<TransportPPLQueryResponse> listener) {
+            listener.onResponse(new TransportPPLQueryResponse("{}"));
+          }
+        };
     client = mock(NodeClient.class);
   }
 
@@ -101,6 +111,12 @@ public void testGetGrammar_BundleIsCached() throws Exception {
     AtomicInteger buildCount = new AtomicInteger(0);
     RestPPLGrammarAction countingAction =
         new RestPPLGrammarAction() {
+          @Override
+          protected void authorizeRequest(
+              NodeClient client, ActionListener<TransportPPLQueryResponse> listener) {
+            listener.onResponse(new TransportPPLQueryResponse("{}"));
+          }
+
           @Override
           protected GrammarBundle buildBundle() {
             buildCount.incrementAndGet();
@@ -128,6 +144,12 @@ public void testInvalidateCache() throws Exception {
     AtomicInteger buildCount = new AtomicInteger(0);
     RestPPLGrammarAction countingAction =
         new RestPPLGrammarAction() {
+          @Override
+          protected void authorizeRequest(
+              NodeClient client, ActionListener<TransportPPLQueryResponse> listener) {
+            listener.onResponse(new TransportPPLQueryResponse("{}"));
+          }
+
           @Override
           protected GrammarBundle buildBundle() {
             buildCount.incrementAndGet();
@@ -154,6 +176,12 @@ protected GrammarBundle buildBundle() {
   public void testGetGrammar_ErrorPath_Returns500() throws Exception {
     RestPPLGrammarAction failingAction =
         new RestPPLGrammarAction() {
+          @Override
+          protected void authorizeRequest(
+              NodeClient client, ActionListener<TransportPPLQueryResponse> listener) {
+            listener.onResponse(new TransportPPLQueryResponse("{}"));
+          }
+
           @Override
           protected GrammarBundle buildBundle() {
             throw new RuntimeException("simulated build failure");
@@ -171,6 +199,12 @@ protected GrammarBundle buildBundle() {
   public void testGetGrammar_NullBundle_Returns500() throws Exception {
     RestPPLGrammarAction nullBundleAction =
         new RestPPLGrammarAction() {
+          @Override
+          protected void authorizeRequest(
+              NodeClient client, ActionListener<TransportPPLQueryResponse> listener) {
+            listener.onResponse(new TransportPPLQueryResponse("{}"));
+          }
+
           @Override
           protected GrammarBundle buildBundle() {
             return null;
@@ -184,6 +218,24 @@ protected GrammarBundle buildBundle() {
     assertEquals(RestStatus.INTERNAL_SERVER_ERROR, channel.getResponse().status());
   }
 
+  @Test
+  public void testGetGrammar_AuthorizationFailure_Returns403() throws Exception {
+    RestPPLGrammarAction unauthorizedAction =
+        new RestPPLGrammarAction() {
+          @Override
+          protected void authorizeRequest(
+              NodeClient client, ActionListener<TransportPPLQueryResponse> listener) {
+            listener.onFailure(new OpenSearchStatusException("forbidden", RestStatus.FORBIDDEN));
+          }
+        };
+
+    FakeRestRequest request = newGrammarGetRequest();
+    MockRestChannel channel = new MockRestChannel(request, true);
+    unauthorizedAction.handleRequest(request, channel, client);
+
+    assertEquals(RestStatus.FORBIDDEN, channel.getResponse().status());
+  }
+
   private static FakeRestRequest newGrammarGetRequest() {
     return new FakeRestRequest.Builder(NamedXContentRegistry.EMPTY)
         .withMethod(RestRequest.Method.GET)