Merge remote-tracking branch 'upstream/2.x' into backport/backport-27…

…53-to-2.x
DarshitChanpura · Sep 29, 2023 · 1076c73 · 1076c73
2 parents 632343c + 3841f14
commit 1076c73
Show file tree

Hide file tree

Showing 8 changed files with 95 additions and 19 deletions.
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: GitHub App token
         id: github_app_token
-        uses: tibdex/github-app-token@v1.8.0
+        uses: tibdex/github-app-token@v2.1.0
         with:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: GitHub App token
         id: github_app_token
-        uses: tibdex/github-app-token@v1.8.0
+        uses: tibdex/github-app-token@v2.1.0
         with:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -62,7 +62,7 @@ jobs:
         action: codecov/codecov-action@v3
         with: |
           token: ${{ secrets.CODECOV_TOKEN }}
-          fail_ci_if_error: true
+          fail_ci_if_error: false
           files: ./build/reports/jacoco/test/jacocoTestReport.xml
 
     - uses: actions/upload-artifact@v3

diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml
@@ -21,8 +21,8 @@ jobs:
         with:
           distribution: temurin # Temurin is a distribution of adoptium
           java-version: 11
-      - uses: actions/checkout@v3
-      - uses: aws-actions/configure-aws-credentials@v1
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.PUBLISH_SNAPSHOTS_ROLE }}
           aws-region: us-east-1

diff --git a/build.gradle b/build.gradle
@@ -26,7 +26,7 @@ buildscript {
 
         common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
         kafka_version  = '3.5.1'
-        apache_cxf_version = '4.0.2'
+        apache_cxf_version = '4.0.3'
         open_saml_version = '3.4.5'
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.11.5'
@@ -64,7 +64,7 @@ plugins {
     id 'com.diffplug.spotless' version '6.21.0'
     id 'checkstyle'
     id 'com.netflix.nebula.ospackage' version "11.3.0"
-    id "org.gradle.test-retry" version "1.5.4"
+    id "org.gradle.test-retry" version "1.5.5"
     id 'eclipse'
     id "com.github.spotbugs" version "5.1.3"
     id "com.google.osdetector" version "1.7.3"
@@ -432,7 +432,7 @@ configurations {
             force "io.netty:netty-transport-native-unix-common:${versions.netty}"
             force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
             force "com.github.luben:zstd-jni:${versions.zstd}"
-            force "org.xerial.snappy:snappy-java:1.1.10.3"
+            force "org.xerial.snappy:snappy-java:1.1.10.4"
             force "com.google.guava:guava:${guava_version}"
         }
     }
@@ -501,13 +501,13 @@ dependencies {
         exclude group: "com.google.code.gson", module: "gson"
         exclude group: "org.json", module: "json"
     }
-    implementation 'com.github.wnameless.json:json-flattener:0.16.5'
+    implementation 'com.github.wnameless.json:json-flattener:0.16.6'
     // JSON patch
     implementation 'com.flipkart.zjsonpatch:zjsonpatch:0.4.14'
     implementation 'org.apache.commons:commons-collections4:4.4'
 
     //Password generation
-    implementation 'org.passay:passay:1.6.3'
+    implementation 'org.passay:passay:1.6.4'
 
     implementation "org.apache.kafka:kafka-clients:${kafka_version}"
 
@@ -524,7 +524,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.16.0'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.5'
-    runtimeOnly 'com.google.errorprone:error_prone_annotations:2.20.0'
+    runtimeOnly 'com.google.errorprone:error_prone_annotations:2.22.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0'
     runtimeOnly 'org.ow2.asm:asm:9.5'
@@ -550,7 +550,7 @@ dependencies {
     runtimeOnly "org.opensaml:opensaml-soap-impl:${open_saml_version}"
     implementation "org.opensaml:opensaml-storage-api:${open_saml_version}"
 
-    implementation "com.nulab-inc:zxcvbn:1.8.0"
+    implementation "com.nulab-inc:zxcvbn:1.8.2"
 
     runtimeOnly 'com.google.guava:failureaccess:1.0.1'
     runtimeOnly 'org.apache.commons:commons-text:1.10.0'
@@ -562,14 +562,14 @@ dependencies {
     runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.19'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.36'
     runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
-    runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.3'
+    runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.4'
     runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1'
     runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
     runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1'
-    runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.2.5'
+    runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.3'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
-    runtimeOnly 'org.checkerframework:checker-qual:3.36.0'
+    runtimeOnly 'org.checkerframework:checker-qual:3.38.0'
     runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
     runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
 
@@ -595,7 +595,7 @@ dependencies {
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test"
     testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test"
     testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.6'
-    testImplementation 'org.springframework:spring-beans:5.3.20'
+    testImplementation 'org.springframework:spring-beans:5.3.30'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0'
     testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0'
     // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
@@ -607,7 +607,7 @@ dependencies {
     testCompileOnly 'org.apiguardian:apiguardian-api:1.1.2'
     // Kafka test execution
     testRuntimeOnly 'org.springframework.retry:spring-retry:1.3.3'
-    testRuntimeOnly ('org.springframework:spring-core:5.3.27') {
+    testRuntimeOnly ('org.springframework:spring-core:5.3.30') {
         exclude(group:'org.springframework', module: 'spring-jcl' )
     }
     testRuntimeOnly 'org.scala-lang:scala-library:2.13.11'

diff --git a/release-notes/opensearch-security.release-notes-2.10.0.0.md b/release-notes/opensearch-security.release-notes-2.10.0.0.md
@@ -0,0 +1,76 @@
+## 2023-08-31 Version 2.10.0.0
+
+Compatible with OpenSearch 2.10.0
+
+### Enhancements
+* Add .plugins-ml-config to the demo configuration system indices ([#2993](https://github.com/opensearch-project/security/pull/2993))
+* Add workflow cluster permissions to alerting roles ([#2994](https://github.com/opensearch-project/security/pull/2994))
+* Include password regex for Dashboardsinfo to display to users ([#2999](https://github.com/opensearch-project/security/pull/2999))
+* Add geospatial ip2geo to the demo configuration system indices and roles ([#3051](https://github.com/opensearch-project/security/pull/3051))
+* Make invalid password message clearer ([#3057](https://github.com/opensearch-project/security/pull/3057))
+* Service Accounts password is randomly generated ([#3077](https://github.com/opensearch-project/security/pull/3077))
+* Exclude sensitive info from the jackson serialization stacktraces ([#3195](https://github.com/opensearch-project/security/pull/3195))
+* Prevent raw request body as output in serialization error messages ([#3205](https://github.com/opensearch-project/security/pull/3205))
+* Command cat/indices will filter results per the Do Not Fail On Forbidden setting ([#3236](https://github.com/opensearch-project/security/pull/3236))
+* Generate new demo certs with IPv6 loopback added to SAN in node certificate ([#3268](https://github.com/opensearch-project/security/pull/3268))
+* System index permissions ([#2887](https://github.com/opensearch-project/security/pull/2887))
+
+
+### Bug Fixes
+* Prevent raw request body as output in serialization error messages ([#3205](https://github.com/opensearch-project/security/pull/3205))
+* Prevent flaky behavior when determining if an request will be executed on the current node. ([#3066](https://github.com/opensearch-project/security/pull/3066))
+* Resolve a class of ConcurrentModificationException from during bulk requests ([#3094](https://github.com/opensearch-project/security/pull/3094))
+* Fix Document GET with DLS terms query ([#3136](https://github.com/opensearch-project/security/pull/3136))
+* Send log messages to log4j systems instead of system out / error ([#3231](https://github.com/opensearch-project/security/pull/3231))
+* Fix roles verification for roles mapping and internal users ([#3278](https://github.com/opensearch-project/security/pull/3278))
+* Prevent raw request body as output in serialization error messages ([#3205](https://github.com/opensearch-project/security/pull/3205))
+* Fix permissions issues while reading keys in PKCS#1 format ([#3289](https://github.com/opensearch-project/security/pull/3289))
+
+### Maintenance
+* [Build Break] Update imports for files refactored in core PR #8157 ([#3003](https://github.com/opensearch-project/security/pull/3003))
+* [Build Break] Fix build after Lucene upgrade and breaking XContentFactory changes ([#3069](https://github.com/opensearch-project/security/pull/3069))
+* [Build Break] Update CircuitBreakerService and LifecycleComponent after core refactor in #9006 ([#3082](https://github.com/opensearch-project/security/pull/3082))
+* [Build Break] React to changes in ActionListener and ActionResponse from #9082 ([#3153](https://github.com/opensearch-project/security/pull/3153))
+* [Build Break] Disable gradlew build cache to ensure most up-to-date dependencies ([#3186](https://github.com/opensearch-project/security/pull/3186))
+* Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.7.1 to 2.8.1 ([#3109](https://github.com/opensearch-project/security/pull/3109))
+* Bump com.diffplug.spotless from 6.19.0 to 6.21.0 ([#3108](https://github.com/opensearch-project/security/pull/3108))
+* Bump com.fasterxml.woodstox:woodstox-core from 6.4.0 to 6.5.1 ([#3148](https://github.com/opensearch-project/security/pull/3148))
+* Bump com.github.spotbugs from 5.0.14 to 5.1.3 ([#3251](https://github.com/opensearch-project/security/pull/3251))
+* Bump com.github.wnameless.json:json-base from 2.4.0 to 2.4.2 ([#3062](https://github.com/opensearch-project/security/pull/3062))
+* Bump com.github.wnameless.json:json-flattener from 0.16.4 to 0.16.5 ([#3296](https://github.com/opensearch-project/security/pull/3296))
+* Bump com.google.errorprone:error_prone_annotations from 2.3.4 to 2.20.0 ([#3023](https://github.com/opensearch-project/security/pull/3023))
+* Bump com.google.guava:guava from 32.1.1-jre to 32.1.2-jre ([#3149](https://github.com/opensearch-project/security/pull/3149))
+* Bump commons-io:commons-io from 2.11.0 to 2.13.0 ([#3074](https://github.com/opensearch-project/security/pull/3074))
+* Bump com.netflix.nebula.ospackage from 11.1.0 to 11.3.0 ([#3023](https://github.com/opensearch-project/security/pull/3023))
+* Bump com.nulab-inc:zxcvbn from 1.7.0 to 1.8.0 ([#3023](https://github.com/opensearch-project/security/pull/3023))
+* Bump com.unboundid:unboundid-ldapsdk from 4.0.9 to 4.0.14 ([#3143](https://github.com/opensearch-project/security/pull/3143))
+* Bump io.dropwizard.metrics:metrics-core from 3.1.2 to 4.2.19 ([#3073](https://github.com/opensearch-project/security/pull/3073))
+* Bump kafka_version from 3.5.0 to 3.5.1 ([#3041](https://github.com/opensearch-project/security/pull/3041))
+* Bump net.minidev:json-smart from 2.4.11 to 2.5.0 ([#3120](https://github.com/opensearch-project/security/pull/3120))
+* Bump org.apache.camel:camel-xmlsecurity from 3.14.2 to 3.21.0 ([#3023](https://github.com/opensearch-project/security/pull/3023))
+* Bump org.apache.santuario:xmlsec from 2.2.3 to 2.3.3 ([#3210](https://github.com/opensearch-project/security/pull/3210))
+* Bump org.checkerframework:checker-qual from 3.5.0 to 3.36.0 ([#3023](https://github.com/opensearch-project/security/pull/3023))
+* Bump org.cryptacular:cryptacular from 1.2.4 to 1.2.5 ([#3071](https://github.com/opensearch-project/security/pull/3071))
+* Bump org.gradle.test-retry from 1.5.2 to 1.5.4 ([#3072](https://github.com/opensearch-project/security/pull/3072))
+* Bump org.junit.jupiter:junit-jupiter from 5.8.2 to 5.10.0 ([#3146](https://github.com/opensearch-project/security/pull/3146))
+* Bump org.ow2.asm:asm from 9.1 to 9.5 ([#3121](https://github.com/opensearch-project/security/pull/3121))
+* Bump org.scala-lang:scala-library from 2.13.9 to 2.13.11 ([#3119](https://github.com/opensearch-project/security/pull/3119))
+* Bump org.slf4j:slf4j-api from 1.7.30 to 1.7.36 ([#3249](https://github.com/opensearch-project/security/pull/3249))
+* Bump org.xerial.snappy:snappy-java from 1.1.10.1 to 1.1.10.3 ([#3106](https://github.com/opensearch-project/security/pull/3106))
+* Bump actions/create-release from 1.0.0 to 1.1.4 ([#3141](https://github.com/opensearch-project/security/pull/3141))
+* Bump actions/setup-java from 1 to 3 ([#3142](https://github.com/opensearch-project/security/pull/3142))
+* Bump actions/upload-release-asset from 1.0.1 to 1.0.2 ([#3144](https://github.com/opensearch-project/security/pull/3144))
+* Bump fernandrone/linelint from 0.0.4 to 0.0.6 ([#3211](https://github.com/opensearch-project/security/pull/3211))
+* Bump tibdex/github-app-token from 1.5.0 to 1.8.0 ([#3147](https://github.com/opensearch-project/security/pull/3147))
+* Remove log spam for files that are cleaned up ([#3118](https://github.com/opensearch-project/security/pull/3118))
+* Updates integTestRemote task to dynamically fetch common-utils version from build.gradle ([#3122](https://github.com/opensearch-project/security/pull/3122))
+* Switch CodeQL to assemble artifacts using the same build as the rest of CI ([#3132](https://github.com/opensearch-project/security/pull/3132))
+* Only run the backport job on merged pull requests ([#3134](https://github.com/opensearch-project/security/pull/3134))
+* Add code coverage exclusions on false positives ([#3196](https://github.com/opensearch-project/security/pull/3196))
+* Enable jarhell check ([#3227](https://github.com/opensearch-project/security/pull/3227))
+* Retry code coverage upload on failure ([#3242](https://github.com/opensearch-project/security/pull/3242))
+* [Refactor] Adopt request builder patterns for SecurityRestApiActions for consistency and clarity ([#3123](https://github.com/opensearch-project/security/pull/3123))
+* [Refactor] Remove json-path from deps and use JsonPointer instead ([#3262](https://github.com/opensearch-project/security/pull/3262))
+* Use version of org.apache.commons:commons-lang3 defined in core ([#3306](https://github.com/opensearch-project/security/pull/3306))
+* Fix checkstyle #3283
+* Demo Configuration changes ([#3330](https://github.com/opensearch-project/security/pull/3330))
diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat
@@ -317,7 +317,7 @@ echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CO
 echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
-echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%"
+echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"] >> "%OPENSEARCH_CONF_FILE%"
 
 :: network.host
 >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (

diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh
@@ -385,7 +385,7 @@ echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee
 echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
-echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 
 #network.host
 if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then