Merge branch 'main' into security-subject

build.gradle

@@ -495,9 +495,9 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.33.0"
-            force "org.checkerframework:checker-qual:3.47.0"
-            force "ch.qos.logback:logback-classic:1.5.10"
+            force "com.google.errorprone:error_prone_annotations:2.34.0"
+            force "org.checkerframework:checker-qual:3.48.1"
+            force "ch.qos.logback:logback-classic:1.5.11"
             force "commons-io:commons-io:2.17.0"
         }
     }
@@ -564,6 +564,7 @@ task integrationTest(type: Test) {
     }
 }
 
+tasks.integTest.dependsOn(integrationTest)
 tasks.integrationTest.finalizedBy(jacocoTestReport) // report is always generated after integration tests run
 
 //run the integrationTest task before the check task
@@ -593,7 +594,7 @@ dependencies {
     implementation 'org.apache.commons:commons-collections4:4.4'
 
     //Password generation
-    implementation 'org.passay:passay:1.6.5'
+    implementation 'org.passay:passay:1.6.6'
 
     implementation "org.apache.kafka:kafka-clients:${kafka_version}"
 
@@ -603,7 +604,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.17.1'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.7'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.33.0'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.34.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
     runtimeOnly 'org.ow2.asm:asm:9.7.1'
@@ -647,7 +648,7 @@ dependencies {
     runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.4'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
-    runtimeOnly 'org.checkerframework:checker-qual:3.47.0'
+    runtimeOnly 'org.checkerframework:checker-qual:3.48.1'
     runtimeOnly "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
     runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
 
@@ -680,11 +681,14 @@ dependencies {
     testImplementation 'commons-validator:commons-validator:1.9.0'
     testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.13'
     testImplementation "org.springframework:spring-beans:${spring_version}"
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.1'
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.1'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.2'
+    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.2'
     testImplementation('org.awaitility:awaitility:4.2.2') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
+    testImplementation "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
+    testImplementation "org.bouncycastle:bcutil-jdk18on:${versions.bouncycastle}"
+
     // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
     if (osdetector.classifier in ["osx-x86_64", "osx-aarch_64", "linux-x86_64", "linux-aarch_64", "windows-x86_64"]) {
         testImplementation "io.netty:netty-tcnative-classes:2.0.61.Final"

bwc-test/src/test/java/org/opensearch/security/bwc/SecurityBackwardsCompatibilityIT.java

@@ -27,6 +27,7 @@
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.core5.http.io.entity.StringEntity;
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 import org.apache.hc.core5.reactor.ssl.TlsDetails;
@@ -44,9 +45,11 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.util.io.IOUtils;
+import org.opensearch.common.xcontent.support.XContentMapValues;
 import org.opensearch.security.bwc.helper.RestHelper;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
 
+import static org.apache.hc.core5.http.ContentType.APPLICATION_NDJSON;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.equalTo;
@@ -239,15 +242,21 @@ private void ingestData(String index) throws IOException {
                     }
                 });
                 bulkRequestBody.append(objectMapper.writeValueAsString(indexRequest) + "\n");
-                bulkRequestBody.append(objectMapper.writeValueAsString(Song.randomSong().asJson()) + "\n");
+                bulkRequestBody.append(Song.randomSong().asJson() + "\n");
             }
             List<Response> responses = RestHelper.requestAgainstAllNodes(
                 testUserRestClient,
                 "POST",
                 "_bulk?refresh=wait_for",
-                RestHelper.toHttpEntity(bulkRequestBody.toString())
+                new StringEntity(bulkRequestBody.toString(), APPLICATION_NDJSON)
             );
             responses.forEach(r -> assertThat(r.getStatusLine().getStatusCode(), is(200)));
+            for (Response response : responses) {
+                Map<String, Object> responseMap = responseAsMap(response);
+                List<?> itemResults = (List<?>) XContentMapValues.extractValue(responseMap, "items", "index", "result");
+                assertTrue("More than 0 response items", itemResults.size() > 0);
+                assertTrue("All results are 'created': " + itemResults, itemResults.stream().allMatch(i -> i.equals("created")));
+            }
         }
     }
 
@@ -266,6 +275,25 @@ private void searchMatchAll(String index) throws IOException {
                 RestHelper.toHttpEntity(matchAllQuery)
             );
             responses.forEach(r -> assertThat(r.getStatusLine().getStatusCode(), is(200)));
+
+            for (Response response : responses) {
+                Map<String, Object> responseMap = responseAsMap(response);
+                @SuppressWarnings("unchecked")
+                List<Map<?, ?>> sourceDocs = (List<Map<?, ?>>) XContentMapValues.extractValue(responseMap, "hits", "hits", "_source");
+
+                for (Map<?, ?> sourceDoc : sourceDocs) {
+                    assertNull("response doc should not contain field forbidden by FLS: " + responseMap, sourceDoc.get(Song.FIELD_LYRICS));
+                    assertNotNull(
+                        "response doc should contain field not forbidden by FLS: " + responseMap,
+                        sourceDoc.get(Song.FIELD_ARTIST)
+                    );
+                    assertEquals(
+                        "response doc should always have genre rock: " + responseMap,
+                        Song.GENRE_ROCK,
+                        sourceDoc.get(Song.FIELD_GENRE)
+                    );
+                }
+            }
         }
     }
 

bwc-test/src/test/java/org/opensearch/security/bwc/Song.java

@@ -52,6 +52,8 @@ public class Song {
     public static final String GENRE_JAZZ = "jazz";
     public static final String GENRE_BLUES = "blues";
 
+    public static final String[] GENRES = new String[] { GENRE_BLUES, GENRE_JAZZ, GENRE_ROCK };
+
     public static final String QUERY_TITLE_NEXT_SONG = FIELD_TITLE + ":" + "\"" + TITLE_NEXT_SONG + "\"";
     public static final String QUERY_TITLE_POISON = FIELD_TITLE + ":" + TITLE_POISON;
     public static final String QUERY_TITLE_MAGNUM_OPUS = FIELD_TITLE + ":" + TITLE_MAGNUM_OPUS;
@@ -112,7 +114,11 @@ public static Song randomSong() {
             UUID.randomUUID().toString(),
             UUID.randomUUID().toString(),
             Randomness.get().nextInt(5),
-            UUID.randomUUID().toString()
+            randomGenre()
         );
     }
+
+    static String randomGenre() {
+        return GENRES[Randomness.get().nextInt(GENRES.length)];
+    }
 }

checkstyle/checkstyle.xml

@@ -43,6 +43,13 @@
   <module name="BeforeExecutionExclusionFileFilter">
     <property name="fileNamePattern" value="src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java"/>
   </module>
+  <module name="BeforeExecutionExclusionFileFilter">
+    <property name="fileNamePattern" value="src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java"/>
+  </module>
+  <module name="BeforeExecutionExclusionFileFilter">
+    <property name="fileNamePattern" value="src/test/java/org/opensearch/security/ssl/CertificatesRule.java"/>
+  </module>
+
 
   <!-- https://checkstyle.org/config_filters.html#SuppressionFilter -->
   <module name="SuppressionFilter">

gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

release-notes/opensearch-security.release-notes-2.18.0.0.md

@@ -0,0 +1,48 @@
+## Version 2.18.0 Release Notes
+
+Compatible with OpenSearch and OpenSearch Dashboards version 2.18.0
+
+### Enhancements
+* Improve error message when a node with an incorrectly configured certificate attempts to connect ([#4819](https://github.com/opensearch-project/security/pull/4819))
+* Support datastreams as an AuditLog Sink ([#4756](https://github.com/opensearch-project/security/pull/4756))
+* Auto-convert V6 configuration instances into V7 configuration instances (for OpenSearch 2.x only) ([#4753](https://github.com/opensearch-project/security/pull/4753))
+* Add can trip circuit breaker override ([#4779](https://github.com/opensearch-project/security/pull/4779))
+* Adding index permissions for remote index in AD ([#4721](https://github.com/opensearch-project/security/pull/4721))
+* Fix env var password hashing for PBKDF2 ([#4778](https://github.com/opensearch-project/security/pull/4778))
+* Add ensureCustomSerialization to ensure that headers are serialized correctly with multiple transport hops ([#4741](https://github.com/opensearch-project/security/pull/4741))
+
+### Bug Fixes
+* Handle non-flat yaml settings for demo configuration detection ([#4798](https://github.com/opensearch-project/security/pull/4798))
+* Fix bug where admin can read system index ([#4775](https://github.com/opensearch-project/security/pull/4775))
+* Ensure that dual mode enabled flag from cluster settings can get propagated to core ([#4830](https://github.com/opensearch-project/security/pull/4830))
+* Remove failed login attempt for saml authenticator ([#4770](https://github.com/opensearch-project/security/pull/4770))
+* Fix issue in HashingStoredFieldVisitor with stored fields ([#4827](https://github.com/opensearch-project/security/pull/4827))
+* Fix issue with Get mappings on a Closed index ([#4777](https://github.com/opensearch-project/security/pull/4777))
+* changing comments permission for alerting_ack_alerts role ([#4723](https://github.com/opensearch-project/security/pull/4723))
+* Fixed use of rolesMappingConfiguration in InternalUsersApiActionValidationTest ([#4754](https://github.com/opensearch-project/security/pull/4754))
+* Use evaluateSslExceptionHandler() when constructing OpenSearchSecureSettingsFactory ([#4726](https://github.com/opensearch-project/security/pull/4726))
+
+### Maintenance
+* Bump gradle to 8.10.2 ([#4829](https://github.com/opensearch-project/security/pull/4829))
+* Bump ch.qos.logback:logback-classic from 1.5.8 to 1.5.11 ([#4807](https://github.com/opensearch-project/security/pull/4807)) ([#4825](https://github.com/opensearch-project/security/pull/4825))
+* Bump org.passay:passay from 1.6.5 to 1.6.6 ([#4824](https://github.com/opensearch-project/security/pull/4824))
+* Bump org.junit.jupiter:junit-jupiter from 5.11.0 to 5.11.2 ([#4767](https://github.com/opensearch-project/security/pull/4767)) ([#4811](https://github.com/opensearch-project/security/pull/4811))
+* Bump io.dropwizard.metrics:metrics-core from 4.2.27 to 4.2.28 ([#4789](https://github.com/opensearch-project/security/pull/4789))
+* Bump com.nimbusds:nimbus-jose-jwt from 9.40 to 9.41.2 ([#4737](https://github.com/opensearch-project/security/pull/4737)) ([#4787](https://github.com/opensearch-project/security/pull/4787))
+* Bump org.ow2.asm:asm from 9.7 to 9.7.1 ([#4788](https://github.com/opensearch-project/security/pull/4788))
+* Bump com.google.googlejavaformat:google-java-format from 1.23.0 to 1.24.0 ([#4786](https://github.com/opensearch-project/security/pull/4786))
+* Bump org.xerial.snappy:snappy-java from 1.1.10.6 to 1.1.10.7 ([#4738](https://github.com/opensearch-project/security/pull/4738))
+* Bump org.gradle.test-retry from 1.5.10 to 1.6.0 ([#4736](https://github.com/opensearch-project/security/pull/4736))
+* Moves @cliu123 to emeritus status ([#4667](https://github.com/opensearch-project/security/pull/4667))
+* Add Derek Ho (github: derek-ho) as a maintainer ([#4796](https://github.com/opensearch-project/security/pull/4796))
+* Add deprecation warning for GET/POST/PUT cache ([#4776](https://github.com/opensearch-project/security/pull/4776))
+* Fix for: CVE-2024-47554 ([#4792](https://github.com/opensearch-project/security/pull/4792))
+* Move Stephen to emeritus ([#4804](https://github.com/opensearch-project/security/pull/4804))
+* Undeprecate securityadmin script ([#4768](https://github.com/opensearch-project/security/pull/4768))
+* Bump commons-io:commons-io from 2.16.1 to 2.17.0 ([#4750](https://github.com/opensearch-project/security/pull/4750))
+* Bump org.scala-lang:scala-library from 2.13.14 to 2.13.15 ([#4749](https://github.com/opensearch-project/security/pull/4749))
+* org.checkerframework:checker-qual and ch.qos.logback:logback-classic to new versions ([#4717](https://github.com/opensearch-project/security/pull/4717))
+* Add isActionPaginated to DelegatingRestHandler ([#4765](https://github.com/opensearch-project/security/pull/4765))
+* Refactor ASN1 call ([#4740](https://github.com/opensearch-project/security/pull/4740))
+* Fix 'integTest' not called with test workflows during release ([#4815](https://github.com/opensearch-project/security/pull/4815))
+* Fixed bulk index requests in BWC tests and hardened assertions ([#4831](https://github.com/opensearch-project/security/pull/4831))

src/integrationTest/java/org/opensearch/security/EncryptionInTransitMigrationTests.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.awaitility.Awaitility.await;
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Test related to SSL-only mode of security plugin. In this mode, the security plugin is responsible only for TLS/SSL encryption.
+ * Therefore, the plugin does not perform authentication and authorization. Moreover, the REST resources (e.g. /_plugins/_security/whoami,
+ * /_plugins/_security/authinfo, etc.) provided by the plugin are not available.
+ */
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class EncryptionInTransitMigrationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.DEFAULT)
+        .anonymousAuth(false)
+        .loadConfigurationIntoIndex(false)
+        .nodeSettings(Map.of(ConfigConstants.SECURITY_SSL_ONLY, true))
+        .sslOnly(true)
+        .nodeSpecificSettings(0, Map.of(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true))
+        .nodeSpecificSettings(1, Map.of(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true))
+        .extectedNodeStartupCount(2)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .build();
+
+    @Test
+    public void shouldOnlyConnectWithThirdNodeAfterDynamicDualModeChange() {
+        try (TestRestClient client = cluster.getRestClient()) {
+            TestRestClient.HttpResponse response = client.get("_cat/nodes");
+            response.assertStatusCode(200);
+
+            String[] lines = response.getBody().split("\n");
+            assertEquals("Expected 2 nodes in the initial response", 2, lines.length);
+
+            String settingsJson = "{\"persistent\": {\"plugins.security_config.ssl_dual_mode_enabled\": false}}";
+            TestRestClient.HttpResponse settingsResponse = client.putJson("_cluster/settings", settingsJson);
+            settingsResponse.assertStatusCode(200);
+
+            await().atMost(10, SECONDS).pollInterval(1, SECONDS).until(() -> {
+                TestRestClient.HttpResponse secondResponse = client.get("_cat/nodes");
+                String[] secondLines = secondResponse.getBody().split("\n");
+                return secondLines.length == 3;
+            });
+        }
+    }
+}