Separated DLS/FLS privilege evaluation from action privilege evaluation

[nibix]

Description

This change is in preparation for #3870 and #4380 .

This cuts off some parts from the quite big and monolithic method PrivilegesEvaluator.evaluate() into separate methods and modules.

This achieves several things:

• Better separation of concerns, thus better modularization and thus better understandability, re-usability and testability
• Computations of DLS/FLS privileges are done directly in the DLS/FLS valve code. Thus, if DLS/FLS valve is disabled, no DLS/FLS privileges are computed
• The new class PrivilegesEvaluationContext combines commonly needed information for privilege evaluation and thus allows to shorten the parameter lists of many methods in this context. For this PR, only the PrivilegesEvaluator.evaluate() method itself is changed, but further adaptions will follow up when due.

• Category - Refactoring
• Why these changes are required?
  • For Optimized Privilege Evaluation #3870, we need to re-build the privilege evaluation code both for the normal action privilege evaluation and for DLS/FLS. Even though these are quite separate and different things, these are currently intermingled in one big monolith. The changes for Optimized Privilege Evaluation #3870 will be easier to understand if they are structured better.
• What is the old behavior before changes and new behavior after changes? - No changes.

Issues Resolved

Contributes to #3870

Testing

• Existing integration tests

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: Patch coverage is 89.09091% with 6 lines in your changes missing coverage. Please review.

Project coverage is 65.22%. Comparing base (9caf5cb) to head (97d8d54).
Report is 11 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4490      +/-   ##
==========================================
- Coverage   65.27%   65.22%   -0.05%     
==========================================
  Files         313      314       +1     
  Lines       22058    22090      +32     
  Branches     3563     3563              
==========================================
+ Hits        14398    14408      +10     
- Misses       5889     5906      +17     
- Partials     1771     1776       +5     

Files	Coverage Δ
...ity/configuration/DlsFilterLevelActionHandler.java	57.60% <100.00%> (+0.39%)	⬆️
...rch/security/configuration/DlsFlsRequestValve.java	0.00% <ø> (ø)
...search/security/configuration/DlsFlsValveImpl.java	59.93% <100.00%> (+0.88%)	⬆️
...org/opensearch/security/filter/SecurityFilter.java	66.35% <100.00%> (+0.63%)	⬆️
...curity/privileges/PrivilegesEvaluationContext.java	100.00% <100.00%> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java	84.33% <50.00%> (+0.02%)	⬆️
...curity/privileges/PrivilegesEvaluatorResponse.java	80.95% <0.00%> (-1.66%)	⬇️
...earch/security/privileges/PrivilegesEvaluator.java	71.87% <71.42%> (-0.30%)	⬇️

... and 6 files with indirect coverage changes

[cwperks]

The new changes look good. Let's capture the role re-assignment for the injected roles validation set in an issue to discuss further.

[DarshitChanpura]

@cwperks @scrawfor99 this is blocked by each of your un-resolved conversations. Would you mind going through them and closing as needed?