Skip to content

Commit

Permalink
Merge branch 'security-subject' into optimized-privilege-evaluation-s…
Browse files Browse the repository at this point in the history
…ecurity-subject
  • Loading branch information
cwperks committed Oct 24, 2024
2 parents 1964b4d + 877fd42 commit c9699c5
Show file tree
Hide file tree
Showing 90 changed files with 6,125 additions and 286 deletions.
11 changes: 7 additions & 4 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -495,9 +495,9 @@ configurations {
// For integrationTest
force "org.apache.httpcomponents:httpclient:4.5.14"
force "org.apache.httpcomponents:httpcore:4.4.16"
force "com.google.errorprone:error_prone_annotations:2.33.0"
force "com.google.errorprone:error_prone_annotations:2.34.0"
force "org.checkerframework:checker-qual:3.48.1"
force "ch.qos.logback:logback-classic:1.5.10"
force "ch.qos.logback:logback-classic:1.5.11"
force "commons-io:commons-io:2.17.0"
}
}
Expand Down Expand Up @@ -598,7 +598,7 @@ dependencies {
implementation 'org.apache.commons:commons-collections4:4.4'

//Password generation
implementation 'org.passay:passay:1.6.5'
implementation 'org.passay:passay:1.6.6'

implementation "org.apache.kafka:kafka-clients:${kafka_version}"

Expand All @@ -608,7 +608,7 @@ dependencies {
runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
runtimeOnly 'commons-codec:commons-codec:1.17.1'
runtimeOnly 'org.cryptacular:cryptacular:1.2.7'
compileOnly 'com.google.errorprone:error_prone_annotations:2.33.0'
compileOnly 'com.google.errorprone:error_prone_annotations:2.34.0'
runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
runtimeOnly 'org.ow2.asm:asm:9.7.1'
Expand Down Expand Up @@ -690,6 +690,9 @@ dependencies {
testImplementation('org.awaitility:awaitility:4.2.2') {
exclude(group: 'org.hamcrest', module: 'hamcrest')
}
testImplementation "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
testImplementation "org.bouncycastle:bcutil-jdk18on:${versions.bouncycastle}"

// Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
if (osdetector.classifier in ["osx-x86_64", "osx-aarch_64", "linux-x86_64", "linux-aarch_64", "windows-x86_64"]) {
testImplementation "io.netty:netty-tcnative-classes:2.0.61.Final"
Expand Down
7 changes: 7 additions & 0 deletions checkstyle/checkstyle.xml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,13 @@
<module name="BeforeExecutionExclusionFileFilter">
<property name="fileNamePattern" value="src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java"/>
</module>
<module name="BeforeExecutionExclusionFileFilter">
<property name="fileNamePattern" value="src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java"/>
</module>
<module name="BeforeExecutionExclusionFileFilter">
<property name="fileNamePattern" value="src/test/java/org/opensearch/security/ssl/CertificatesRule.java"/>
</module>


<!-- https://checkstyle.org/config_filters.html#SuppressionFilter -->
<module name="SuppressionFilter">
Expand Down
4 changes: 2 additions & 2 deletions gradle/wrapper/gradle-wrapper.properties
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
networkTimeout=10000
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
Expand Down
48 changes: 48 additions & 0 deletions release-notes/opensearch-security.release-notes-2.18.0.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
## Version 2.18.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.18.0

### Enhancements
* Improve error message when a node with an incorrectly configured certificate attempts to connect ([#4819](https://github.com/opensearch-project/security/pull/4819))
* Support datastreams as an AuditLog Sink ([#4756](https://github.com/opensearch-project/security/pull/4756))
* Auto-convert V6 configuration instances into V7 configuration instances (for OpenSearch 2.x only) ([#4753](https://github.com/opensearch-project/security/pull/4753))
* Add can trip circuit breaker override ([#4779](https://github.com/opensearch-project/security/pull/4779))
* Adding index permissions for remote index in AD ([#4721](https://github.com/opensearch-project/security/pull/4721))
* Fix env var password hashing for PBKDF2 ([#4778](https://github.com/opensearch-project/security/pull/4778))
* Add ensureCustomSerialization to ensure that headers are serialized correctly with multiple transport hops ([#4741](https://github.com/opensearch-project/security/pull/4741))

### Bug Fixes
* Handle non-flat yaml settings for demo configuration detection ([#4798](https://github.com/opensearch-project/security/pull/4798))
* Fix bug where admin can read system index ([#4775](https://github.com/opensearch-project/security/pull/4775))
* Ensure that dual mode enabled flag from cluster settings can get propagated to core ([#4830](https://github.com/opensearch-project/security/pull/4830))
* Remove failed login attempt for saml authenticator ([#4770](https://github.com/opensearch-project/security/pull/4770))
* Fix issue in HashingStoredFieldVisitor with stored fields ([#4827](https://github.com/opensearch-project/security/pull/4827))
* Fix issue with Get mappings on a Closed index ([#4777](https://github.com/opensearch-project/security/pull/4777))
* changing comments permission for alerting_ack_alerts role ([#4723](https://github.com/opensearch-project/security/pull/4723))
* Fixed use of rolesMappingConfiguration in InternalUsersApiActionValidationTest ([#4754](https://github.com/opensearch-project/security/pull/4754))
* Use evaluateSslExceptionHandler() when constructing OpenSearchSecureSettingsFactory ([#4726](https://github.com/opensearch-project/security/pull/4726))

### Maintenance
* Bump gradle to 8.10.2 ([#4829](https://github.com/opensearch-project/security/pull/4829))
* Bump ch.qos.logback:logback-classic from 1.5.8 to 1.5.11 ([#4807](https://github.com/opensearch-project/security/pull/4807)) ([#4825](https://github.com/opensearch-project/security/pull/4825))
* Bump org.passay:passay from 1.6.5 to 1.6.6 ([#4824](https://github.com/opensearch-project/security/pull/4824))
* Bump org.junit.jupiter:junit-jupiter from 5.11.0 to 5.11.2 ([#4767](https://github.com/opensearch-project/security/pull/4767)) ([#4811](https://github.com/opensearch-project/security/pull/4811))
* Bump io.dropwizard.metrics:metrics-core from 4.2.27 to 4.2.28 ([#4789](https://github.com/opensearch-project/security/pull/4789))
* Bump com.nimbusds:nimbus-jose-jwt from 9.40 to 9.41.2 ([#4737](https://github.com/opensearch-project/security/pull/4737)) ([#4787](https://github.com/opensearch-project/security/pull/4787))
* Bump org.ow2.asm:asm from 9.7 to 9.7.1 ([#4788](https://github.com/opensearch-project/security/pull/4788))
* Bump com.google.googlejavaformat:google-java-format from 1.23.0 to 1.24.0 ([#4786](https://github.com/opensearch-project/security/pull/4786))
* Bump org.xerial.snappy:snappy-java from 1.1.10.6 to 1.1.10.7 ([#4738](https://github.com/opensearch-project/security/pull/4738))
* Bump org.gradle.test-retry from 1.5.10 to 1.6.0 ([#4736](https://github.com/opensearch-project/security/pull/4736))
* Moves @cliu123 to emeritus status ([#4667](https://github.com/opensearch-project/security/pull/4667))
* Add Derek Ho (github: derek-ho) as a maintainer ([#4796](https://github.com/opensearch-project/security/pull/4796))
* Add deprecation warning for GET/POST/PUT cache ([#4776](https://github.com/opensearch-project/security/pull/4776))
* Fix for: CVE-2024-47554 ([#4792](https://github.com/opensearch-project/security/pull/4792))
* Move Stephen to emeritus ([#4804](https://github.com/opensearch-project/security/pull/4804))
* Undeprecate securityadmin script ([#4768](https://github.com/opensearch-project/security/pull/4768))
* Bump commons-io:commons-io from 2.16.1 to 2.17.0 ([#4750](https://github.com/opensearch-project/security/pull/4750))
* Bump org.scala-lang:scala-library from 2.13.14 to 2.13.15 ([#4749](https://github.com/opensearch-project/security/pull/4749))
* org.checkerframework:checker-qual and ch.qos.logback:logback-classic to new versions ([#4717](https://github.com/opensearch-project/security/pull/4717))
* Add isActionPaginated to DelegatingRestHandler ([#4765](https://github.com/opensearch-project/security/pull/4765))
* Refactor ASN1 call ([#4740](https://github.com/opensearch-project/security/pull/4740))
* Fix 'integTest' not called with test workflows during release ([#4815](https://github.com/opensearch-project/security/pull/4815))
* Fixed bulk index requests in BWC tests and hardened assertions ([#4831](https://github.com/opensearch-project/security/pull/4831))
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
*/
package org.opensearch.security;

import java.util.Map;

import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.runner.RunWith;

import org.opensearch.security.support.ConfigConstants;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;

import static java.util.concurrent.TimeUnit.SECONDS;
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
import static org.awaitility.Awaitility.await;
import static org.junit.Assert.assertEquals;

/**
* Test related to SSL-only mode of security plugin. In this mode, the security plugin is responsible only for TLS/SSL encryption.
* Therefore, the plugin does not perform authentication and authorization. Moreover, the REST resources (e.g. /_plugins/_security/whoami,
* /_plugins/_security/authinfo, etc.) provided by the plugin are not available.
*/
@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
public class EncryptionInTransitMigrationTests {

@ClassRule
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.DEFAULT)
.anonymousAuth(false)
.loadConfigurationIntoIndex(false)
.nodeSettings(Map.of(ConfigConstants.SECURITY_SSL_ONLY, true))
.sslOnly(true)
.nodeSpecificSettings(0, Map.of(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true))
.nodeSpecificSettings(1, Map.of(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true))
.extectedNodeStartupCount(2)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.build();

@Test
public void shouldOnlyConnectWithThirdNodeAfterDynamicDualModeChange() {
try (TestRestClient client = cluster.getRestClient()) {
TestRestClient.HttpResponse response = client.get("_cat/nodes");
response.assertStatusCode(200);

String[] lines = response.getBody().split("\n");
assertEquals("Expected 2 nodes in the initial response", 2, lines.length);

String settingsJson = "{\"persistent\": {\"plugins.security_config.ssl_dual_mode_enabled\": false}}";
TestRestClient.HttpResponse settingsResponse = client.putJson("_cluster/settings", settingsJson);
settingsResponse.assertStatusCode(200);

await().atMost(10, SECONDS).pollInterval(1, SECONDS).until(() -> {
TestRestClient.HttpResponse secondResponse = client.get("_cat/nodes");
String[] secondLines = secondResponse.getBody().split("\n");
return secondLines.length == 3;
});
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
*/
package org.opensearch.security;

import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import org.apache.http.HttpStatus;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.runner.RunWith;

import org.opensearch.action.admin.indices.create.CreateIndexResponse;
import org.opensearch.client.Client;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;

import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;

@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
public class StoredFieldsTests {
static final TestSecurityConfig.User TEST_USER_MASKED_FIELDS = new TestSecurityConfig.User("test_user_masked_fields").roles(
new TestSecurityConfig.Role("role_masked_fields").clusterPermissions("cluster_composite_ops_ro")
.indexPermissions("read")
.maskedFields("restricted")
.on("test_index")
);

static final TestSecurityConfig.User TEST_USER_FLS = new TestSecurityConfig.User("test_user_fls").roles(
new TestSecurityConfig.Role("role_fls").clusterPermissions("cluster_composite_ops_ro")
.indexPermissions("read")
.fls("~restricted")
.on("test_index")
);

@ClassRule
public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(TEST_USER_MASKED_FIELDS, TEST_USER_FLS)
.build();

@BeforeClass
public static void createTestData() {
try (Client client = cluster.getInternalNodeClient()) {
CreateIndexResponse r = client.admin()
.indices()
.prepareCreate("test_index")
.setMapping("raw", "type=keyword,store=true", "restricted", "type=keyword,store=true")
.get();

client.prepareIndex("test_index").setRefreshPolicy(IMMEDIATE).setSource("raw", "hello", "restricted", "boo!").get();
}
}

@Test
public void testStoredWithWithApplicableMaskedFieldRestrictions() {
try (TestRestClient client = cluster.getRestClient(TEST_USER_MASKED_FIELDS)) {
TestRestClient.HttpResponse normalSearchResponse = client.get("test_index/_search");
Assert.assertFalse(normalSearchResponse.getBody().contains("boo!"));

TestRestClient.HttpResponse fieldSearchResponse = client.postJson("test_index/_search", """
{
"stored_fields": [
"raw",
"restricted"
]
}
""");
fieldSearchResponse.assertStatusCode(HttpStatus.SC_OK);
Assert.assertTrue(fieldSearchResponse.getBody().contains("raw"));
Assert.assertTrue(fieldSearchResponse.getBody().contains("hello"));
Assert.assertTrue(fieldSearchResponse.getBody().contains("restricted"));
Assert.assertFalse(fieldSearchResponse.getBody().contains("boo!"));
}
}

@Test
public void testStoredWithWithApplicableFlsRestrictions() {
try (TestRestClient client = cluster.getRestClient(TEST_USER_FLS)) {
TestRestClient.HttpResponse normalSearchResponse = client.get("test_index/_search");
Assert.assertFalse(normalSearchResponse.getBody().contains("boo!"));

TestRestClient.HttpResponse fieldSearchResponse = client.postJson("test_index/_search", """
{
"stored_fields": [
"raw",
"restricted"
]
}
""");
fieldSearchResponse.assertStatusCode(HttpStatus.SC_OK);
Assert.assertTrue(fieldSearchResponse.getBody().contains("raw"));
Assert.assertTrue(fieldSearchResponse.getBody().contains("hello"));
Assert.assertFalse(fieldSearchResponse.getBody().contains("restricted"));
Assert.assertFalse(fieldSearchResponse.getBody().contains("boo!"));
}
}

}
Loading

0 comments on commit c9699c5

Please sign in to comment.