Open
Labels: bug (Something isn't working), v3.5.0 (Issues targeting release v3.5.0)
Description
What is the bug?
Backend role filtering doesn't handle the case where a template is created/provisioned with an admin (null) user, but accessed with a user with backend roles.
How can one reproduce the bug?
- Create a template using a superuser.
- Observe the `user` field is null in that template.
- Attempt to edit the template with a user with backend roles.
- Get a "Failed to parse workflow" error from an NPE.
What is the expected behavior?
Pick one:
- User with roles can access admin templates :)
- User with roles can't access admin templates :(
Do you have any additional context?
This line is where the logic is undefined:
```java
if (!filterByEnabled || checkUserPermissions(requestUser, resourceUser, workflowId) || isAdmin(requestUser)) {
```
checkUserPermissions() will throw an NPE if either requestUser or resourceUser is null. The requestUser is effectively null-checked with the isAdmin(requestUser) check, but it should be moved to be executed prior to the checkUserPermissions() call. However, this still doesn't address what we should do in the case that the template (or state) doesn't contain a user, when we actually have a user.
Easily addressed with a null check in checkUserPermissions but unclear whether true or false is an appropriate return.
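
The two points raised in this issue, as an added sketch that is not part of the original issue or the project's code: run the admin check before the role comparison, and turn the null-owner case into an explicit policy decision instead of an NPE. `User`, `OwnerlessPolicy`, `sharesBackendRole` and `canAccess` are hypothetical stand-ins, and the sample users are constructed.

```java
import java.util.Collections;
import java.util.List;

// Added illustration: every type and method here is a hypothetical stand-in, not the plugin's own class.
public class BackendRoleFilterSketch {

    record User(String name, List<String> backendRoles, boolean admin) {}

    // How to treat a resource whose stored user is null (created by a superuser).
    enum OwnerlessPolicy { ALLOW, DENY }

    static boolean isAdmin(User user) {
        return user != null && user.admin();
    }

    // Null-safe backend-role intersection: neither argument is dereferenced before it is checked.
    static boolean sharesBackendRole(User requestUser, User resourceUser, OwnerlessPolicy policy) {
        if (requestUser == null) {
            return false; // assumption: no requesting user means no role-based access
        }
        if (resourceUser == null) {
            return policy == OwnerlessPolicy.ALLOW; // the open question in the issue, made explicit
        }
        return !Collections.disjoint(requestUser.backendRoles(), resourceUser.backendRoles());
    }

    static boolean canAccess(boolean filterByEnabled, User requestUser, User resourceUser, OwnerlessPolicy policy) {
        // Null-safe admin check runs before the role comparison.
        return !filterByEnabled || isAdmin(requestUser) || sharesBackendRole(requestUser, resourceUser, policy);
    }

    public static void main(String[] args) {
        // Constructed sample users.
        User analyst = new User("analyst", List.of("team-a"), false);
        User teammate = new User("teammate", List.of("team-a"), false);
        User outsider = new User("outsider", List.of("team-b"), false);
        User root = new User("root", List.of(), true);

        System.out.println("shared role:       " + canAccess(true, analyst, teammate, OwnerlessPolicy.DENY));
        System.out.println("no shared role:    " + canAccess(true, analyst, outsider, OwnerlessPolicy.DENY));
        System.out.println("ownerless, DENY:   " + canAccess(true, analyst, null, OwnerlessPolicy.DENY));
        System.out.println("ownerless, ALLOW:  " + canAccess(true, analyst, null, OwnerlessPolicy.ALLOW));
        System.out.println("admin, ownerless:  " + canAccess(true, root, null, OwnerlessPolicy.DENY));
    }
}
```

`OwnerlessPolicy.DENY` is the fail-closed choice: admin-created templates stay admin-only until someone decides otherwise.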