fixed throw exception for DLS user attributes

[ThyTran1402]

Description

When a DLS query references a user attribute ${attr.jwt.array} that is not present in the authenticated user's JWT/custom attributes, UserAttributes.replaceProperties() leaves the placeholder in the query string. The guard in DocumentPrivileges.Dynamic.evaluate() correctly detects this and throws a PrivilegesEvaluationException, but the previous error message ("Invalid DLS query: ") gave operators no indication of which attribute was missing or what attributes were available — forcing manual inspection of both the query and the user's token.

• Before: PrivilegesEvaluationException: Invalid DLS query: {"terms":{"arr":["${attr.jwt.array}"]}}
• Fixed: PrivilegesEvaluationException: DLS query references undefined user attributes: [attr.jwt.array]. Available attributes are: [attr.jwt.roles, attr.proxy.department]

Issues Resolved

• Add ability to change default DLS parameter substitution behavior #1310

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.79%. Comparing base (7466266) to head (523ac56).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5975      +/-   ##
==========================================
- Coverage   73.81%   73.79%   -0.02%     
==========================================
  Files         439      439              
  Lines       27087    27110      +23     
  Branches     4018     4023       +5     
==========================================
+ Hits        19993    20007      +14     
- Misses       5188     5195       +7     
- Partials     1906     1908       +2     

Files with missing lines	Coverage Δ
...opensearch/security/privileges/UserAttributes.java	84.37% <100.00%> (+3.60%)	⬆️
...security/privileges/dlsfls/DocumentPrivileges.java	91.80% <100.00%> (+1.06%)	⬆️

... and 10 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[nibix]

Thank you for this!

Mostly looks good to me.

Can you review the CI failures?

Mainly, you'd need to add an entry to CHANGELOG.md and run ./gradlew :spotlessApply once on the code. See https://github.com/opensearch-project/security/blob/main/CONTRIBUTING.md for some details on this.

[ThyTran1402]

Thank you for this!

Mostly looks good to me.

Can you review the CI failures?

Mainly, you'd need to add an entry to CHANGELOG.md and run ./gradlew :spotlessApply once on the code. See https://github.com/opensearch-project/security/blob/main/CONTRIBUTING.md for some details on this.

Hi @nibix

I updated changelog. Can you review it please?

Thank you.

[ThyTran1402]

Hi @cwperks

I think the PR is ready for review.

Thank you.

[cwperks]

@ThyTran1402 apologies for not being able to get comments to you yesterday. I will take another look shortly.

[cwperks]

Changes LGTM. Thank you for the PR @ThyTran1402 ! I'll get another maintainer to take a look as well.

[cwperks]

@ThyTran1402 one other thing, can you run ./gradlew spotlessApply and commit and push the formatting fixes? I see Code Hygiene check is failing.

[cwperks]

@ThyTran1402 FYI I pushed a commit to fix a conflict in the changelog as another pr just merged. If you need to make a change, please pull before pushing. Hopefully no more changes needed though bc the PR lgtm.

[ThyTran1402]

@ThyTran1402 FYI I pushed a commit to fix a conflict in the changelog as another pr just merged. If you need to make a change, please pull before pushing. Hopefully no more changes needed though bc the PR lgtm.

Hi @cwperks

I added unit test recently since I see it did not pass tests coverage 😢 .

Thank you!

[ThyTran1402]

Are there anything that I need to do from my side to pass these tests? 😭 @cwperks
Since I think there's different version for plugin and it seems like flaky tests also.

[cwperks]

@ThyTran1402 no worries, those CI checks can be flaky and pass on re-run. I think test coverage is more than sufficient already in this PR.

[rursprung]

this whole method can be simplified to return UNRESOLVED_ATTRIBUTE_PATTERN.matcher(s).results().map(m -> m.group(1)).toList();
see Matcher#results

(stumbled over it by chance while reviewing a bug)

[ThyTran1402]

hmmm that's interesting. It seems to be cleaner with Matcher#results().
I wonder should I open another PR for this suggestion since it already merged?

[rursprung]

i raised #6122