Optimized privilege evaluation security subject

build.gradle

@@ -495,9 +495,9 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.33.0"
+            force "com.google.errorprone:error_prone_annotations:2.34.0"
             force "org.checkerframework:checker-qual:3.48.1"
-            force "ch.qos.logback:logback-classic:1.5.10"
+            force "ch.qos.logback:logback-classic:1.5.11"
             force "commons-io:commons-io:2.17.0"
         }
     }
@@ -598,7 +598,7 @@ dependencies {
     implementation 'org.apache.commons:commons-collections4:4.4'
 
     //Password generation
-    implementation 'org.passay:passay:1.6.5'
+    implementation 'org.passay:passay:1.6.6'
 
     implementation "org.apache.kafka:kafka-clients:${kafka_version}"
 
@@ -608,7 +608,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.17.1'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.7'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.33.0'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.34.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
     runtimeOnly 'org.ow2.asm:asm:9.7.1'
@@ -690,6 +690,9 @@ dependencies {
     testImplementation('org.awaitility:awaitility:4.2.2') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
+    testImplementation "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
+    testImplementation "org.bouncycastle:bcutil-jdk18on:${versions.bouncycastle}"
+
     // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
     if (osdetector.classifier in ["osx-x86_64", "osx-aarch_64", "linux-x86_64", "linux-aarch_64", "windows-x86_64"]) {
         testImplementation "io.netty:netty-tcnative-classes:2.0.61.Final"

checkstyle/checkstyle.xml

@@ -43,6 +43,13 @@
   <module name="BeforeExecutionExclusionFileFilter">
     <property name="fileNamePattern" value="src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java"/>
   </module>
+  <module name="BeforeExecutionExclusionFileFilter">
+    <property name="fileNamePattern" value="src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java"/>
+  </module>
+  <module name="BeforeExecutionExclusionFileFilter">
+    <property name="fileNamePattern" value="src/test/java/org/opensearch/security/ssl/CertificatesRule.java"/>
+  </module>
+
 
   <!-- https://checkstyle.org/config_filters.html#SuppressionFilter -->
   <module name="SuppressionFilter">

gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

release-notes/opensearch-security.release-notes-2.18.0.0.md

@@ -0,0 +1,48 @@
+## Version 2.18.0 Release Notes
+
+Compatible with OpenSearch and OpenSearch Dashboards version 2.18.0
+
+### Enhancements
+* Improve error message when a node with an incorrectly configured certificate attempts to connect ([#4819](https://github.com/opensearch-project/security/pull/4819))
+* Support datastreams as an AuditLog Sink ([#4756](https://github.com/opensearch-project/security/pull/4756))
+* Auto-convert V6 configuration instances into V7 configuration instances (for OpenSearch 2.x only) ([#4753](https://github.com/opensearch-project/security/pull/4753))
+* Add can trip circuit breaker override ([#4779](https://github.com/opensearch-project/security/pull/4779))
+* Adding index permissions for remote index in AD ([#4721](https://github.com/opensearch-project/security/pull/4721))
+* Fix env var password hashing for PBKDF2 ([#4778](https://github.com/opensearch-project/security/pull/4778))
+* Add ensureCustomSerialization to ensure that headers are serialized correctly with multiple transport hops ([#4741](https://github.com/opensearch-project/security/pull/4741))
+
+### Bug Fixes
+* Handle non-flat yaml settings for demo configuration detection ([#4798](https://github.com/opensearch-project/security/pull/4798))
+* Fix bug where admin can read system index ([#4775](https://github.com/opensearch-project/security/pull/4775))
+* Ensure that dual mode enabled flag from cluster settings can get propagated to core ([#4830](https://github.com/opensearch-project/security/pull/4830))
+* Remove failed login attempt for saml authenticator ([#4770](https://github.com/opensearch-project/security/pull/4770))
+* Fix issue in HashingStoredFieldVisitor with stored fields ([#4827](https://github.com/opensearch-project/security/pull/4827))
+* Fix issue with Get mappings on a Closed index ([#4777](https://github.com/opensearch-project/security/pull/4777))
+* changing comments permission for alerting_ack_alerts role ([#4723](https://github.com/opensearch-project/security/pull/4723))
+* Fixed use of rolesMappingConfiguration in InternalUsersApiActionValidationTest ([#4754](https://github.com/opensearch-project/security/pull/4754))
+* Use evaluateSslExceptionHandler() when constructing OpenSearchSecureSettingsFactory ([#4726](https://github.com/opensearch-project/security/pull/4726))
+
+### Maintenance
+* Bump gradle to 8.10.2 ([#4829](https://github.com/opensearch-project/security/pull/4829))
+* Bump ch.qos.logback:logback-classic from 1.5.8 to 1.5.11 ([#4807](https://github.com/opensearch-project/security/pull/4807)) ([#4825](https://github.com/opensearch-project/security/pull/4825))
+* Bump org.passay:passay from 1.6.5 to 1.6.6 ([#4824](https://github.com/opensearch-project/security/pull/4824))
+* Bump org.junit.jupiter:junit-jupiter from 5.11.0 to 5.11.2 ([#4767](https://github.com/opensearch-project/security/pull/4767)) ([#4811](https://github.com/opensearch-project/security/pull/4811))
+* Bump io.dropwizard.metrics:metrics-core from 4.2.27 to 4.2.28 ([#4789](https://github.com/opensearch-project/security/pull/4789))
+* Bump com.nimbusds:nimbus-jose-jwt from 9.40 to 9.41.2 ([#4737](https://github.com/opensearch-project/security/pull/4737)) ([#4787](https://github.com/opensearch-project/security/pull/4787))
+* Bump org.ow2.asm:asm from 9.7 to 9.7.1 ([#4788](https://github.com/opensearch-project/security/pull/4788))
+* Bump com.google.googlejavaformat:google-java-format from 1.23.0 to 1.24.0 ([#4786](https://github.com/opensearch-project/security/pull/4786))
+* Bump org.xerial.snappy:snappy-java from 1.1.10.6 to 1.1.10.7 ([#4738](https://github.com/opensearch-project/security/pull/4738))
+* Bump org.gradle.test-retry from 1.5.10 to 1.6.0 ([#4736](https://github.com/opensearch-project/security/pull/4736))
+* Moves @cliu123 to emeritus status ([#4667](https://github.com/opensearch-project/security/pull/4667))
+* Add Derek Ho (github: derek-ho) as a maintainer ([#4796](https://github.com/opensearch-project/security/pull/4796))
+* Add deprecation warning for GET/POST/PUT cache ([#4776](https://github.com/opensearch-project/security/pull/4776))
+* Fix for: CVE-2024-47554 ([#4792](https://github.com/opensearch-project/security/pull/4792))
+* Move Stephen to emeritus ([#4804](https://github.com/opensearch-project/security/pull/4804))
+* Undeprecate securityadmin script ([#4768](https://github.com/opensearch-project/security/pull/4768))
+* Bump commons-io:commons-io from 2.16.1 to 2.17.0 ([#4750](https://github.com/opensearch-project/security/pull/4750))
+* Bump org.scala-lang:scala-library from 2.13.14 to 2.13.15 ([#4749](https://github.com/opensearch-project/security/pull/4749))
+* org.checkerframework:checker-qual and ch.qos.logback:logback-classic to new versions ([#4717](https://github.com/opensearch-project/security/pull/4717))
+* Add isActionPaginated to DelegatingRestHandler ([#4765](https://github.com/opensearch-project/security/pull/4765))
+* Refactor ASN1 call ([#4740](https://github.com/opensearch-project/security/pull/4740))
+* Fix 'integTest' not called with test workflows during release ([#4815](https://github.com/opensearch-project/security/pull/4815))
+* Fixed bulk index requests in BWC tests and hardened assertions ([#4831](https://github.com/opensearch-project/security/pull/4831))

src/integrationTest/java/org/opensearch/security/EncryptionInTransitMigrationTests.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.awaitility.Awaitility.await;
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Test related to SSL-only mode of security plugin. In this mode, the security plugin is responsible only for TLS/SSL encryption.
+ * Therefore, the plugin does not perform authentication and authorization. Moreover, the REST resources (e.g. /_plugins/_security/whoami,
+ * /_plugins/_security/authinfo, etc.) provided by the plugin are not available.
+ */
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class EncryptionInTransitMigrationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.DEFAULT)
+        .anonymousAuth(false)
+        .loadConfigurationIntoIndex(false)
+        .nodeSettings(Map.of(ConfigConstants.SECURITY_SSL_ONLY, true))
+        .sslOnly(true)
+        .nodeSpecificSettings(0, Map.of(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true))
+        .nodeSpecificSettings(1, Map.of(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true))
+        .extectedNodeStartupCount(2)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .build();
+
+    @Test
+    public void shouldOnlyConnectWithThirdNodeAfterDynamicDualModeChange() {
+        try (TestRestClient client = cluster.getRestClient()) {
+            TestRestClient.HttpResponse response = client.get("_cat/nodes");
+            response.assertStatusCode(200);
+
+            String[] lines = response.getBody().split("\n");
+            assertEquals("Expected 2 nodes in the initial response", 2, lines.length);
+
+            String settingsJson = "{\"persistent\": {\"plugins.security_config.ssl_dual_mode_enabled\": false}}";
+            TestRestClient.HttpResponse settingsResponse = client.putJson("_cluster/settings", settingsJson);
+            settingsResponse.assertStatusCode(200);
+
+            await().atMost(10, SECONDS).pollInterval(1, SECONDS).until(() -> {
+                TestRestClient.HttpResponse secondResponse = client.get("_cat/nodes");
+                String[] secondLines = secondResponse.getBody().split("\n");
+                return secondLines.length == 3;
+            });
+        }
+    }
+}

src/integrationTest/java/org/opensearch/security/StoredFieldsTests.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.http.HttpStatus;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.action.admin.indices.create.CreateIndexResponse;
+import org.opensearch.client.Client;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class StoredFieldsTests {
+    static final TestSecurityConfig.User TEST_USER_MASKED_FIELDS = new TestSecurityConfig.User("test_user_masked_fields").roles(
+        new TestSecurityConfig.Role("role_masked_fields").clusterPermissions("cluster_composite_ops_ro")
+            .indexPermissions("read")
+            .maskedFields("restricted")
+            .on("test_index")
+    );
+
+    static final TestSecurityConfig.User TEST_USER_FLS = new TestSecurityConfig.User("test_user_fls").roles(
+        new TestSecurityConfig.Role("role_fls").clusterPermissions("cluster_composite_ops_ro")
+            .indexPermissions("read")
+            .fls("~restricted")
+            .on("test_index")
+    );
+
+    @ClassRule
+    public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .users(TEST_USER_MASKED_FIELDS, TEST_USER_FLS)
+        .build();
+
+    @BeforeClass
+    public static void createTestData() {
+        try (Client client = cluster.getInternalNodeClient()) {
+            CreateIndexResponse r = client.admin()
+                .indices()
+                .prepareCreate("test_index")
+                .setMapping("raw", "type=keyword,store=true", "restricted", "type=keyword,store=true")
+                .get();
+
+            client.prepareIndex("test_index").setRefreshPolicy(IMMEDIATE).setSource("raw", "hello", "restricted", "boo!").get();
+        }
+    }
+
+    @Test
+    public void testStoredWithWithApplicableMaskedFieldRestrictions() {
+        try (TestRestClient client = cluster.getRestClient(TEST_USER_MASKED_FIELDS)) {
+            TestRestClient.HttpResponse normalSearchResponse = client.get("test_index/_search");
+            Assert.assertFalse(normalSearchResponse.getBody().contains("boo!"));
+
+            TestRestClient.HttpResponse fieldSearchResponse = client.postJson("test_index/_search", """
+                {
+                  "stored_fields": [
+                    "raw",
+                    "restricted"
+                  ]
+                }
+                """);
+            fieldSearchResponse.assertStatusCode(HttpStatus.SC_OK);
+            Assert.assertTrue(fieldSearchResponse.getBody().contains("raw"));
+            Assert.assertTrue(fieldSearchResponse.getBody().contains("hello"));
+            Assert.assertTrue(fieldSearchResponse.getBody().contains("restricted"));
+            Assert.assertFalse(fieldSearchResponse.getBody().contains("boo!"));
+        }
+    }
+
+    @Test
+    public void testStoredWithWithApplicableFlsRestrictions() {
+        try (TestRestClient client = cluster.getRestClient(TEST_USER_FLS)) {
+            TestRestClient.HttpResponse normalSearchResponse = client.get("test_index/_search");
+            Assert.assertFalse(normalSearchResponse.getBody().contains("boo!"));
+
+            TestRestClient.HttpResponse fieldSearchResponse = client.postJson("test_index/_search", """
+                {
+                  "stored_fields": [
+                    "raw",
+                    "restricted"
+                  ]
+                }
+                """);
+            fieldSearchResponse.assertStatusCode(HttpStatus.SC_OK);
+            Assert.assertTrue(fieldSearchResponse.getBody().contains("raw"));
+            Assert.assertTrue(fieldSearchResponse.getBody().contains("hello"));
+            Assert.assertFalse(fieldSearchResponse.getBody().contains("restricted"));
+            Assert.assertFalse(fieldSearchResponse.getBody().contains("boo!"));
+        }
+    }
+
+}