diff --git a/securityconfig/whitelist.yml b/securityconfig/allowlist.yml similarity index 67% rename from securityconfig/whitelist.yml rename to securityconfig/allowlist.yml index 1d54ff841a..507f19815d 100644 --- a/securityconfig/whitelist.yml +++ b/securityconfig/allowlist.yml @@ -1,23 +1,23 @@ --- _meta: - type: "whitelist" + type: "allowlist" config_version: 2 # Description: # enabled - feature flag. -# if enabled is false, the whitelisting feature is removed. -# This is like removing the check that checks if an API is whitelisted. -# This is equivalent to continuing with the usual access control checks, and removing all the code that implements whitelisting. +# if enabled is false, the allowlist feature is removed. +# This is like removing the check that checks if an API is allowlisted. +# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting. # if enabled is true, then all users except SuperAdmin can access only the APIs in requests # SuperAdmin can access all APIs. # SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn: # Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. # -# requests - map of whitelisted endpoints, and the whitelisted HTTP requests for those endpoints +# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints # Examples showing how to configure this yml file (make sure the _meta data from above is also there): # Example 1: -# To enable whitelisting and whitelist GET /_cluster/settings +# To enable allowlisting and allowlist GET /_cluster/settings # #config: # enabled: true @@ -26,7 +26,7 @@ _meta: # - GET # # Example 2: -# If you want to whitelist multiple request methods for /_cluster/settings (GET,PUT): +# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT): # #config: # enabled: true @@ -36,7 +36,7 @@ _meta: # - PUT # # Example 3: -# If you want to whitelist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: +# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: # #config: # enabled: true @@ -50,13 +50,13 @@ _meta: # - GET # # Example 4: -# If you want to disable the whitelisting feature, set enabled to false. +# If you want to disable the allowlisting feature, set enabled to false. # enabled: false # requests: # /_cluster/settings: # - GET # -#At this point, all APIs become whitelisted because the feature to whitelist is off, so requests is irrelevant. +#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant. #this name must be config diff --git a/securityconfig/opensearch.yml.example b/securityconfig/opensearch.yml.example index ac7cb7580e..7c164683b2 100644 --- a/securityconfig/opensearch.yml.example +++ b/securityconfig/opensearch.yml.example @@ -22,11 +22,11 @@ plugins.security.nodes_dn: - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE" # The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to -# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured +# manage the allowlist nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured # Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs # which provide means to update/retrieve nodesdn dynamically. # -# NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored +# NOTE: The overall allowlist nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored # in security index. # (default: false) # NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. diff --git a/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java b/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java index d6f75e4bac..0b19c4d31c 100755 --- a/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java +++ b/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java @@ -34,12 +34,12 @@ public class LdapUser extends User { private final String originalUsername; public LdapUser(final String name, String originalUsername, final LdapEntry userEntry, - final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) { + final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) { super(name, null, credentials); this.originalUsername = originalUsername; this.userEntry = userEntry; Map attributes = getCustomAttributesMap(); - attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher)); + attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher)); } /** @@ -60,7 +60,7 @@ public String getOriginalUsername() { } public static Map extractLdapAttributes(String originalUsername, final LdapEntry userEntry, - int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) { + int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) { Map attributes = new HashMap<>(); attributes.put("ldap.original.username", originalUsername); attributes.put("ldap.dn", userEntry.getDn()); @@ -72,7 +72,7 @@ public static Map extractLdapAttributes(String originalUsername, // only consider attributes which are not binary and where its value is not // longer than customAttrMaxValueLen characters if (val != null && val.length() > 0 && val.length() <= customAttrMaxValueLen) { - if (whitelistedCustomLdapAttrMatcher.test(attr.getName())) { + if (allowlistedCustomLdapAttrMatcher.test(attr.getName())) { attributes.put("attr.ldap." + attr.getName(), val); } } diff --git a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java index d6cbcb77f6..98cc953330 100755 --- a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java +++ b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java @@ -59,7 +59,7 @@ public class LDAPAuthenticationBackend implements AuthenticationBackend { private final Path configPath; private final List> userBaseSettings; private final int customAttrMaxValueLen; - private final WildcardMatcher whitelistedCustomLdapAttrMatcher; + private final WildcardMatcher allowlistedCustomLdapAttrMatcher; public LDAPAuthenticationBackend(final Settings settings, final Path configPath) { this.settings = settings; @@ -67,7 +67,7 @@ public LDAPAuthenticationBackend(final Settings settings, final Path configPath) this.userBaseSettings = getUserBaseSettings(settings); customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36); - whitelistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, + allowlistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, Collections.singletonList("*"))); } @@ -127,9 +127,9 @@ public User authenticate(final AuthCredentials credentials) throws OpenSearchSec // by default all ldap attributes which are not binary and with a max value // length of 36 are included in the user object - // if the whitelist contains at least one value then all attributes will be - // additional check if whitelisted (whitelist can contain wildcard and regex) - return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher); + // if the allowlist contains at least one value then all attributes will be + // additional check if allowlisted (allowlist can contain wildcard and regex) + return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher); } catch (final Exception e) { if (log.isDebugEnabled()) { @@ -164,7 +164,7 @@ public boolean exists(final User user) { boolean exists = userEntry != null; if(exists) { - user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher)); + user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher)); } return exists; diff --git a/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java b/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java index f199db3a68..8cfbdcb0ac 100755 --- a/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java +++ b/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java @@ -76,7 +76,7 @@ public final class ConfigConstants { // custom attributes public static final String LDAP_CUSTOM_ATTR_MAXVAL_LEN = "custom_attr_maxval_len"; - public static final String LDAP_CUSTOM_ATTR_WHITELIST = "custom_attr_whitelist"; + public static final String LDAP_CUSTOM_ATTR_ALLOWLIST = "custom_attr_allowlist"; public static final String LDAP_CONNECTION_STRATEGY = "connection_strategy"; diff --git a/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthenticationBackend2.java b/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthenticationBackend2.java index c00b665b21..083b13e471 100755 --- a/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthenticationBackend2.java +++ b/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthenticationBackend2.java @@ -60,7 +60,7 @@ public class LDAPAuthenticationBackend2 implements AuthenticationBackend, Destro private ConnectionFactory authConnectionFactory; private LDAPUserSearcher userSearcher; private final int customAttrMaxValueLen; - private final WildcardMatcher whitelistedCustomLdapAttrMatcher; + private final WildcardMatcher allowlistedCustomLdapAttrMatcher; public LDAPAuthenticationBackend2(final Settings settings, final Path configPath) throws SSLConfigException { this.settings = settings; @@ -79,7 +79,7 @@ public LDAPAuthenticationBackend2(final Settings settings, final Path configPath this.userSearcher = new LDAPUserSearcher(settings); customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36); - whitelistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, + allowlistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, Collections.singletonList("*"))); } @@ -161,9 +161,9 @@ private User authenticate0(final AuthCredentials credentials) throws OpenSearchS // by default all ldap attributes which are not binary and with a max value // length of 36 are included in the user object - // if the whitelist contains at least one value then all attributes will be - // additional check if whitelisted (whitelist can contain wildcard and regex) - return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher); + // if the allowlist contains at least one value then all attributes will be + // additional check if allowlisted (allowlist can contain wildcard and regex) + return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher); } catch (final Exception e) { if (log.isDebugEnabled()) { @@ -217,7 +217,7 @@ private boolean exists0(final User user) { boolean exists = userEntry != null; if(exists) { - user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher)); + user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher)); } return exists; diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java b/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java index b3abb18ca9..64dafea8c6 100644 --- a/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java +++ b/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java @@ -148,8 +148,8 @@ public void noData(String id, String type) { // Since NODESDN is newly introduced data-type applying for existing clusters as well, we make it backward compatible by returning valid empty // SecurityDynamicConfiguration. - // Same idea for new setting WHITELIST - if (cType == CType.NODESDN || cType == CType.WHITELIST) { + // Same idea for new setting ALLOWLIST + if (cType == CType.NODESDN || cType == CType.ALLOWLIST) { try { SecurityDynamicConfiguration empty = ConfigHelper.createEmptySdc(cType, ConfigurationRepository.getDefaultConfigVersion()); rs.put(cType, empty); diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java index 236a18afd1..878b5d4c77 100644 --- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java +++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java @@ -144,7 +144,7 @@ public void run() { } final boolean populateEmptyIfFileMissing = true; ConfigHelper.uploadFile(client, cd+"nodes_dn.yml", securityIndex, CType.NODESDN, DEFAULT_CONFIG_VERSION, populateEmptyIfFileMissing); - ConfigHelper.uploadFile(client, cd + "whitelist.yml", securityIndex, CType.WHITELIST, DEFAULT_CONFIG_VERSION, populateEmptyIfFileMissing); + ConfigHelper.uploadFile(client, cd + "allowlist.yml", securityIndex, CType.ALLOWLIST, DEFAULT_CONFIG_VERSION, populateEmptyIfFileMissing); // audit.yml is not packaged by default final String auditConfigPath = cd + "audit.yml"; diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java similarity index 87% rename from src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java rename to src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java index 63d27678a3..bc01156710 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java @@ -21,7 +21,7 @@ import org.opensearch.security.configuration.AdminDNs; import org.opensearch.security.configuration.ConfigurationRepository; import org.opensearch.security.dlic.rest.validation.AbstractConfigurationValidator; -import org.opensearch.security.dlic.rest.validation.WhitelistValidator; +import org.opensearch.security.dlic.rest.validation.AllowlistValidator; import org.opensearch.security.privileges.PrivilegesEvaluator; import org.opensearch.security.securityconf.impl.CType; import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration; @@ -48,34 +48,34 @@ import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; /** - * This class implements GET and PUT operations to manage dynamic WhitelistingSettings. + * This class implements GET and PUT operations to manage dynamic AllowlistingSettings. *

* These APIs are only accessible to SuperAdmin since the configuration controls what APIs are accessible by normal users. - * Eg: If whitelisting is enabled, and a specific API like "/_cat/nodes" is not whitelisted, then only the SuperAdmin can use "/_cat/nodes" - * These APIs allow the SuperAdmin to enable/disable whitelisting, and also change the list of whitelisted APIs. + * Eg: If allowlisting is enabled, and a specific API like "/_cat/nodes" is not allowlisted, then only the SuperAdmin can use "/_cat/nodes" + * These APIs allow the SuperAdmin to enable/disable allowlisting, and also change the list of allowlisted APIs. *

* A SuperAdmin is identified by a certificate which represents a distinguished name(DN). * SuperAdmin DN's can be set in {@link ConfigConstants#SECURITY_AUTHCZ_ADMIN_DN} * SuperAdmin certificate for the default superuser is stored as a kirk.pem file in config folder of OpenSearch *

* Example calling the PUT API as SuperAdmin using curl (if http basic auth is on): - * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’ + * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_opendistro/_security/api/allowlist -H "Content-Type: application/json" -d’ * { * "enabled" : false, - * "requests" : {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]} + * "requests" : {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/allowlist": ["GET"]} * } * * Example using the PATCH API to change the requests as SuperAdmin: - * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’ + * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/allowlist -H "Content-Type: application/json" -d’ * { * "op":"replace", * "path":"/config/requests", - * "value": {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]} + * "value": {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/allowlist": ["GET"]} * } * * To update enabled, use the "add" operation instead of the "replace" operation, since boolean variables are not recognized as valid paths when they are false. * eg: - * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’ + * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/allowlist -H "Content-Type: application/json" -d’ * { * "op":"add", * "path":"/config/enabled", @@ -87,17 +87,17 @@ * be used to populate the index. *

*/ -public class WhitelistApiAction extends PatchableResourceApiAction { +public class AllowlistApiAction extends PatchableResourceApiAction { private static final List routes = addRoutesPrefix(ImmutableList.of( - new Route(RestRequest.Method.GET, "/whitelist"), - new Route(RestRequest.Method.PUT, "/whitelist"), - new Route(RestRequest.Method.PATCH, "/whitelist") + new Route(RestRequest.Method.GET, "/allowlist"), + new Route(RestRequest.Method.PUT, "/allowlist"), + new Route(RestRequest.Method.PATCH, "/allowlist") )); private static final String name = "config"; @Inject - public WhitelistApiAction(final Settings settings, final Path configPath, final RestController controller, final Client client, + public AllowlistApiAction(final Settings settings, final Path configPath, final RestController controller, final Client client, final AdminDNs adminDNs, final ConfigurationRepository cl, final ClusterService cs, final PrincipalExtractor principalExtractor, final PrivilegesEvaluator evaluator, ThreadPool threadPool, AuditLog auditLog) { super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, evaluator, threadPool, auditLog); @@ -160,12 +160,12 @@ public List routes() { @Override protected Endpoint getEndpoint() { - return Endpoint.WHITELIST; + return Endpoint.ALLOWLIST; } @Override protected AbstractConfigurationValidator getValidator(RestRequest request, BytesReference ref, Object... param) { - return new WhitelistValidator(request, ref, this.settings, param); + return new AllowlistValidator(request, ref, this.settings, param); } @Override @@ -175,7 +175,7 @@ protected String getResourceName() { @Override protected CType getConfigName() { - return CType.WHITELIST; + return CType.ALLOWLIST; } } diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java b/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java index e44806c8ce..938a6cec01 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java @@ -30,6 +30,6 @@ public enum Endpoint { TENANTS, MIGRATE, VALIDATE, - WHITELIST, + ALLOWLIST, NODESDN; } diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java index 94b0c78a71..e52c766675 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java @@ -20,7 +20,7 @@ import java.util.Collections; import java.util.List; -import org.opensearch.security.securityconf.impl.WhitelistingSettings; +import org.opensearch.security.securityconf.impl.AllowlistingSettings; import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.Version; import org.opensearch.LegacyESVersion; @@ -121,7 +121,7 @@ protected void handlePost(RestChannel channel, RestRequest request, Client clien final SecurityDynamicConfiguration rolesV6 = (SecurityDynamicConfiguration) load(CType.ROLES, true); final SecurityDynamicConfiguration rolesmappingV6 = (SecurityDynamicConfiguration) load(CType.ROLESMAPPING, true); final SecurityDynamicConfiguration nodesDnV6 = (SecurityDynamicConfiguration) load(CType.NODESDN, true); - final SecurityDynamicConfiguration whitelistingSettingV6 = (SecurityDynamicConfiguration) load(CType.WHITELIST, true); + final SecurityDynamicConfiguration allowlistingSettingV6 = (SecurityDynamicConfiguration) load(CType.ALLOWLIST, true); final SecurityDynamicConfiguration auditConfigV6 = (SecurityDynamicConfiguration) load(CType.AUDIT, true); final ImmutableList.Builder> builder = ImmutableList.builder(); @@ -140,8 +140,8 @@ protected void handlePost(RestChannel channel, RestRequest request, Client clien builder.add(rolesmappingV7); final SecurityDynamicConfiguration nodesDnV7 = Migration.migrateNodesDn(nodesDnV6); builder.add(nodesDnV7); - final SecurityDynamicConfiguration whitelistingSettingV7 = Migration.migrateWhitelistingSetting(whitelistingSettingV6); - builder.add(whitelistingSettingV7); + final SecurityDynamicConfiguration allowlistingSettingV7 = Migration.migrateAllowlistingSetting(allowlistingSettingV6); + builder.add(allowlistingSettingV7); final SecurityDynamicConfiguration auditConfigV7 = Migration.migrateAudit(auditConfigV6); builder.add(auditConfigV7); diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java index d61abcb048..c5ef02b58d 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java @@ -52,7 +52,7 @@ public static Collection getHandler(Settings settings, Path configP handlers.add(new ValidateApiAction(settings, configPath, controller, client, adminDns, cr, cs, principalExtractor, evaluator, threadPool, auditLog)); handlers.add(new AccountApiAction(settings, configPath, controller, client, adminDns, cr, cs, principalExtractor, evaluator, threadPool, auditLog)); handlers.add(new NodesDnApiAction(settings, configPath, controller, client, adminDns, cr, cs, principalExtractor, evaluator, threadPool, auditLog)); - handlers.add(new WhitelistApiAction(settings, configPath, controller, client, adminDns, cr, cs, principalExtractor, evaluator, threadPool, auditLog)); + handlers.add(new AllowlistApiAction(settings, configPath, controller, client, adminDns, cr, cs, principalExtractor, evaluator, threadPool, auditLog)); handlers.add(new AuditApiAction(settings, configPath, controller, client, adminDns, cr, cs, principalExtractor, evaluator, threadPool, auditLog)); return Collections.unmodifiableCollection(handlers); } diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/WhitelistValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/AllowlistValidator.java similarity index 89% rename from src/main/java/org/opensearch/security/dlic/rest/validation/WhitelistValidator.java rename to src/main/java/org/opensearch/security/dlic/rest/validation/AllowlistValidator.java index 69904caf8c..31d0ad1130 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/WhitelistValidator.java +++ b/src/main/java/org/opensearch/security/dlic/rest/validation/AllowlistValidator.java @@ -19,9 +19,9 @@ import org.opensearch.common.settings.Settings; import org.opensearch.rest.RestRequest; -public class WhitelistValidator extends AbstractConfigurationValidator { +public class AllowlistValidator extends AbstractConfigurationValidator { - public WhitelistValidator(final RestRequest request, final BytesReference ref, final Settings opensearchSettings, Object... param) { + public AllowlistValidator(final RestRequest request, final BytesReference ref, final Settings opensearchSettings, Object... param) { super(request, ref, opensearchSettings, param); this.payloadMandatory = true; allowedKeys.put("enabled", DataType.BOOLEAN); diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java index e8b7abceda..aa73f24adb 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java @@ -35,8 +35,8 @@ import javax.net.ssl.SSLPeerUnverifiedException; import org.opensearch.security.configuration.AdminDNs; -import org.opensearch.security.dlic.rest.api.WhitelistApiAction; -import org.opensearch.security.securityconf.impl.WhitelistingSettings; +import org.opensearch.security.dlic.rest.api.AllowlistApiAction; +import org.opensearch.security.securityconf.impl.AllowlistingSettings; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchException; @@ -80,7 +80,7 @@ public class SecurityRestFilter { private final Path configPath; private final CompatConfig compatConfig; - private WhitelistingSettings whitelistingSettings; + private AllowlistingSettings allowlistingSettings; private static final String HEALTH_SUFFIX = "health"; private static final String REGEX_PATH_PREFIX = "/("+ LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" +"(.*)"; @@ -98,20 +98,20 @@ public SecurityRestFilter(final BackendRegistry registry, final AuditLog auditLo this.settings = settings; this.configPath = configPath; this.compatConfig = compatConfig; - this.whitelistingSettings = new WhitelistingSettings(); + this.allowlistingSettings = new AllowlistingSettings(); } /** * This function wraps around all rest requests - * If the request is authenticated, then it goes through a whitelisting check. - * The whitelisting check works as follows: - * If whitelisting is not enabled, then requests are handled normally. - * If whitelisting is enabled, then SuperAdmin is allowed access to all APIs, regardless of what is currently whitelisted. - * If whitelisting is enabled, then Non-SuperAdmin is allowed to access only those APIs that are whitelisted in {@link #requests} - * For example: if whitelisting is enabled and requests = ["/_cat/nodes"], then SuperAdmin can access all APIs, but non SuperAdmin + * If the request is authenticated, then it goes through a allowlisting check. + * The allowlisting check works as follows: + * If allowlisting is not enabled, then requests are handled normally. + * If allowlisting is enabled, then SuperAdmin is allowed access to all APIs, regardless of what is currently allowlisted. + * If allowlisting is enabled, then Non-SuperAdmin is allowed to access only those APIs that are allowlisted in {@link #requests} + * For example: if allowlisting is enabled and requests = ["/_cat/nodes"], then SuperAdmin can access all APIs, but non SuperAdmin * can only access "/_cat/nodes" - * Further note: Some APIs are only accessible by SuperAdmin, regardless of whitelisting. For example: /_opendistro/_security/api/whitelist is only accessible by SuperAdmin. - * See {@link WhitelistApiAction} for the implementation of this API. + * Further note: Some APIs are only accessible by SuperAdmin, regardless of allowlisting. For example: /_opendistro/_security/api/allowlist is only accessible by SuperAdmin. + * See {@link AllowlistApiAction} for the implementation of this API. * SuperAdmin is identified by credentials, which can be passed in the curl request. */ public RestHandler wrap(RestHandler original, AdminDNs adminDNs) { @@ -122,7 +122,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c org.apache.logging.log4j.ThreadContext.clearAll(); if (!checkAndAuthenticateRequest(request, channel, client)) { User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); - if (userIsSuperAdmin(user, adminDNs) || whitelistingSettings.checkRequestIsAllowed(request, channel, client)) { + if (userIsSuperAdmin(user, adminDNs) || allowlistingSettings.checkRequestIsAllowed(request, channel, client)) { original.handleRequest(request, channel, client); } } @@ -199,7 +199,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha } @Subscribe - public void onWhitelistingSettingChanged(WhitelistingSettings whitelistingSettings) { - this.whitelistingSettings = whitelistingSettings; + public void onAllowlistingSettingChanged(AllowlistingSettings allowlistingSettings) { + this.allowlistingSettings = allowlistingSettings; } } diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java index d607ed4189..83ee04246f 100644 --- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java +++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java @@ -41,7 +41,7 @@ import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.securityconf.impl.NodesDn; -import org.opensearch.security.securityconf.impl.WhitelistingSettings; +import org.opensearch.security.securityconf.impl.AllowlistingSettings; import org.opensearch.security.support.WildcardMatcher; import com.google.common.collect.ImmutableList; import org.apache.logging.log4j.LogManager; @@ -82,7 +82,7 @@ public class DynamicConfigFactory implements Initializable, ConfigurationChangeL private static SecurityDynamicConfiguration staticRoles = SecurityDynamicConfiguration.empty(); private static SecurityDynamicConfiguration staticActionGroups = SecurityDynamicConfiguration.empty(); private static SecurityDynamicConfiguration staticTenants = SecurityDynamicConfiguration.empty(); - private static final WhitelistingSettings defaultWhitelistingSettings = new WhitelistingSettings(); + private static final AllowlistingSettings defaultAllowlistingSettings = new AllowlistingSettings(); static void resetStatics() { staticRoles = SecurityDynamicConfiguration.empty(); @@ -171,7 +171,7 @@ public void onChange(Map> typeToConfig) { SecurityDynamicConfiguration rolesmapping = cr.getConfiguration(CType.ROLESMAPPING); SecurityDynamicConfiguration tenants = cr.getConfiguration(CType.TENANTS); SecurityDynamicConfiguration nodesDn = cr.getConfiguration(CType.NODESDN); - SecurityDynamicConfiguration whitelistingSetting = cr.getConfiguration(CType.WHITELIST); + SecurityDynamicConfiguration allowlistingSetting = cr.getConfiguration(CType.ALLOWLIST); if (log.isDebugEnabled()) { @@ -183,7 +183,7 @@ public void onChange(Map> typeToConfig) { " rolesmapping: " + rolesmapping.getImplementingClass() + " with " + rolesmapping.getCEntries().size() + " entries\n" + " tenants: " + tenants.getImplementingClass() + " with " + tenants.getCEntries().size() + " entries\n" + " nodesdn: " + nodesDn.getImplementingClass() + " with " + nodesDn.getCEntries().size() + " entries\n" + - " whitelist " + whitelistingSetting.getImplementingClass() + " with " + whitelistingSetting.getCEntries().size() + " entries\n"; + " allowlist " + allowlistingSetting.getImplementingClass() + " with " + allowlistingSetting.getCEntries().size() + " entries\n"; log.debug(logmsg); } @@ -192,7 +192,7 @@ public void onChange(Map> typeToConfig) { final InternalUsersModel ium; final ConfigModel cm; final NodesDnModel nm = new NodesDnModelImpl(nodesDn); - final WhitelistingSettings whitelist = (WhitelistingSettings) cr.getConfiguration(CType.WHITELIST).getCEntry("config"); + final AllowlistingSettings allowlist = (AllowlistingSettings) cr.getConfiguration(CType.ALLOWLIST).getCEntry("config"); final AuditConfig audit = (AuditConfig)cr.getConfiguration(CType.AUDIT).getCEntry("config"); if(config.getImplementingClass() == ConfigV7.class) { @@ -255,7 +255,7 @@ public void onChange(Map> typeToConfig) { eventBus.post(dcm); eventBus.post(ium); eventBus.post(nm); - eventBus.post(whitelist==null? defaultWhitelistingSettings: whitelist); + eventBus.post(allowlist==null? defaultAllowlistingSettings: allowlist); if (cr.isAuditHotReloadingEnabled()) { eventBus.post(audit); } diff --git a/src/main/java/org/opensearch/security/securityconf/Migration.java b/src/main/java/org/opensearch/security/securityconf/Migration.java index 363c14e94a..59d00d83e2 100644 --- a/src/main/java/org/opensearch/security/securityconf/Migration.java +++ b/src/main/java/org/opensearch/security/securityconf/Migration.java @@ -41,7 +41,7 @@ import org.opensearch.security.securityconf.impl.Meta; import org.opensearch.security.securityconf.impl.NodesDn; import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration; -import org.opensearch.security.securityconf.impl.WhitelistingSettings; +import org.opensearch.security.securityconf.impl.AllowlistingSettings; import org.opensearch.security.securityconf.impl.v6.*; import org.opensearch.security.securityconf.impl.v7.*; import org.opensearch.common.Strings; @@ -145,15 +145,15 @@ public static SecurityDynamicConfiguration migrateNodesDn(SecurityDynam return migrated; } - public static SecurityDynamicConfiguration migrateWhitelistingSetting(SecurityDynamicConfiguration whitelistingSetting) { - final SecurityDynamicConfiguration migrated = SecurityDynamicConfiguration.empty(); - migrated.setCType(whitelistingSetting.getCType()); + public static SecurityDynamicConfiguration migrateAllowlistingSetting(SecurityDynamicConfiguration allowlistingSetting) { + final SecurityDynamicConfiguration migrated = SecurityDynamicConfiguration.empty(); + migrated.setCType(allowlistingSetting.getCType()); migrated.set_meta(new Meta()); migrated.get_meta().setConfig_version(2); - migrated.get_meta().setType("whitelist"); + migrated.get_meta().setType("allowlist"); - for(final Entry entry: whitelistingSetting.getCEntries().entrySet()) { - migrated.putCEntry(entry.getKey(), new WhitelistingSettings(entry.getValue())); + for(final Entry entry: allowlistingSetting.getCEntries().entrySet()) { + migrated.putCEntry(entry.getKey(), new AllowlistingSettings(entry.getValue())); } return migrated; } diff --git a/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java b/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java similarity index 74% rename from src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java rename to src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java index 37ed930a40..9d0d44a57d 100644 --- a/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java +++ b/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java @@ -25,21 +25,21 @@ import java.util.List; import java.util.Map; -public class WhitelistingSettings { +public class AllowlistingSettings { private boolean enabled; private Map> requests; /** * Used to parse the yml files, do not remove. */ - public WhitelistingSettings() { + public AllowlistingSettings() { enabled = false; requests = Collections.emptyMap(); } - public WhitelistingSettings(WhitelistingSettings whitelistingSettings) { - this.enabled = whitelistingSettings.getEnabled(); - this.requests = whitelistingSettings.getRequests(); + public AllowlistingSettings(AllowlistingSettings allowlistingSettings) { + this.enabled = allowlistingSettings.getEnabled(); + this.requests = allowlistingSettings.getRequests(); } public boolean getEnabled() { @@ -60,26 +60,26 @@ public void setRequests(Map> requests) { @Override public String toString() { - return "WhitelistingSetting [enabled=" + enabled + ", requests=" + requests + ']'; + return "AllowlistingSetting [enabled=" + enabled + ", requests=" + requests + ']'; } /** - * Helper function to check if a rest request is whitelisted, by checking if the path is whitelisted, - * and then if the Http method is whitelisted. + * Helper function to check if a rest request is allowlisted, by checking if the path is allowlisted, + * and then if the Http method is allowlisted. * This method also contains logic to trim the path request, and check both with and without extra '/' - * This allows users to whitelist either /_cluster/settings/ or /_cluster/settings, to avoid potential issues. + * This allows users to allowlist either /_cluster/settings/ or /_cluster/settings, to avoid potential issues. * This also ensures that requests to the cluster can have a trailing '/' * Scenarios: - * 1. Whitelisted API does not have an extra '/'. eg: If GET /_cluster/settings is whitelisted, these requests have the following response: + * 1. Allowlisted API does not have an extra '/'. eg: If GET /_cluster/settings is allowlisted, these requests have the following response: * GET /_cluster/settings - OK * GET /_cluster/settings/ - OK * - * 2. Whitelisted API has an extra '/'. eg: If GET /_cluster/settings/ is whitelisted, these requests have the following response: + * 2. Allowlisted API has an extra '/'. eg: If GET /_cluster/settings/ is allowlisted, these requests have the following response: * GET /_cluster/settings - OK * GET /_cluster/settings/ - OK */ - private boolean requestIsWhitelisted(RestRequest request){ + private boolean requestIsAllowlisted(RestRequest request){ //ALSO ALLOWS REQUEST TO HAVE TRAILING '/' //pathWithoutTrailingSlash stores the endpoint path without extra '/'. eg: /_cat/nodes @@ -92,31 +92,31 @@ private boolean requestIsWhitelisted(RestRequest request){ pathWithoutTrailingSlash = path.endsWith("/") ? path.substring(0, path.length() - 1) : path; pathWithTrailingSlash = pathWithoutTrailingSlash + '/'; - //check if pathWithoutTrailingSlash is whitelisted + //check if pathWithoutTrailingSlash is allowlisted if(requests.containsKey(pathWithoutTrailingSlash) && requests.get(pathWithoutTrailingSlash).contains(HttpRequestMethods.valueOf(request.method().toString()))) return true; - //check if pathWithTrailingSlash is whitelisted + //check if pathWithTrailingSlash is allowlisted if(requests.containsKey(pathWithTrailingSlash) && requests.get(pathWithTrailingSlash).contains(HttpRequestMethods.valueOf(request.method().toString()))) return true; return false; } /** - * Checks that a given request is whitelisted, for non SuperAdmin. + * Checks that a given request is allowlisted, for non SuperAdmin. * For SuperAdmin this function is bypassed. * In a future version, should add a regex check to improve the functionality. - * Currently, each individual PUT/PATCH request needs to be whitelisted separately for the specific resource to be changed/added. - * This should be improved so that, for example if PUT /_opendistro/_security/api/rolesmapping is whitelisted, + * Currently, each individual PUT/PATCH request needs to be allowlisted separately for the specific resource to be changed/added. + * This should be improved so that, for example if PUT /_opendistro/_security/api/rolesmapping is allowlisted, * then all PUT /_opendistro/_security/api/rolesmapping/{resource_name} work. - * Currently, each resource_name has to be whitelisted separately + * Currently, each resource_name has to be allowlisted separately */ public boolean checkRequestIsAllowed(RestRequest request, RestChannel channel, NodeClient client) throws IOException { - // if whitelisting is enabled but the request is not whitelisted, then return false, otherwise true. - if (this.enabled && !requestIsWhitelisted(request)){ + // if allowlisting is enabled but the request is not allowlisted, then return false, otherwise true. + if (this.enabled && !requestIsAllowlisted(request)){ channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, channel.newErrorBuilder().startObject() - .field("error", request.method() + " " + request.path() + " API not whitelisted") + .field("error", request.method() + " " + request.path() + " API not allowlisted") .field("status", RestStatus.FORBIDDEN) .endObject() )); diff --git a/src/main/java/org/opensearch/security/securityconf/impl/CType.java b/src/main/java/org/opensearch/security/securityconf/impl/CType.java index d2efd5a101..d3426de3ef 100644 --- a/src/main/java/org/opensearch/security/securityconf/impl/CType.java +++ b/src/main/java/org/opensearch/security/securityconf/impl/CType.java @@ -63,7 +63,7 @@ public enum CType { ROLESMAPPING(toMap(1, RoleMappingsV6.class, 2, RoleMappingsV7.class)), TENANTS(toMap(2, TenantV7.class)), NODESDN(toMap(1, NodesDn.class, 2, NodesDn.class)), - WHITELIST(toMap(1, WhitelistingSettings.class, 2, WhitelistingSettings.class)), + ALLOWLIST(toMap(1, AllowlistingSettings.class, 2, AllowlistingSettings.class)), AUDIT(toMap(1, AuditConfig.class, 2, AuditConfig.class)); private Map> implementations; diff --git a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java index a80f60c560..25cbbb84de 100644 --- a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java +++ b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java @@ -52,7 +52,7 @@ import org.opensearch.security.OpenSearchSecurityPlugin; import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.securityconf.impl.NodesDn; -import org.opensearch.security.securityconf.impl.WhitelistingSettings; +import org.opensearch.security.securityconf.impl.AllowlistingSettings; import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLineParser; @@ -762,7 +762,7 @@ public static int execute(final String[] args) throws Exception { final boolean populateFileIfEmpty = true; success = retrieveFile(tc, cd+"nodes_dn_"+date+".yml", index, "nodesdn", legacy, populateFileIfEmpty) && success; - success = retrieveFile(tc, cd+"whitelist_"+date+".yml", index, "whitelist", legacy, populateFileIfEmpty) && success; + success = retrieveFile(tc, cd+"allowlist_"+date+".yml", index, "allowlist", legacy, populateFileIfEmpty) && success; return (success?0:-1); } @@ -1216,7 +1216,7 @@ private static int backup(TransportClient tc, String index, File backupDir, bool success = retrieveFile(tc, backupDir.getAbsolutePath()+"/tenants.yml", index, "tenants", legacy) && success; } success = retrieveFile(tc, backupDir.getAbsolutePath()+"/nodes_dn.yml", index, "nodesdn", legacy, true) && success; - success = retrieveFile(tc, backupDir.getAbsolutePath()+"/whitelist.yml", index, "whitelist", legacy, true) && success; + success = retrieveFile(tc, backupDir.getAbsolutePath()+"/allowlist.yml", index, "allowlist", legacy, true) && success; success = retrieveFile(tc, backupDir.getAbsolutePath() + "/audit.yml", index, "audit", legacy) && success; return success?0:-1; @@ -1236,7 +1236,7 @@ private static int upload(TransportClient tc, String index, String cd, boolean l } success = uploadFile(tc, cd+"nodes_dn.yml", index, "nodesdn", legacy, resolveEnvVars, true) && success; - success = uploadFile(tc, cd+"whitelist.yml", index, "whitelist", legacy, resolveEnvVars) && success; + success = uploadFile(tc, cd+"allowlist.yml", index, "allowlist", legacy, resolveEnvVars) && success; if (new File(cd+"audit.yml").exists()) { success = uploadFile(tc, cd + "audit.yml", index, "audit", legacy, resolveEnvVars) && success; } @@ -1283,10 +1283,10 @@ private static int migrate(TransportClient tc, String index, File backupDir, Nod Migration.migrateNodesDn(SecurityDynamicConfiguration.fromNode( DefaultObjectMapper.YAML_MAPPER.readTree(ConfigHelper.createFileOrStringReader(CType.NODESDN, 1, new File(backupDir,"nodes_dn.yml").getAbsolutePath(), true)), CType.NODESDN, 1, 0, 0)); - SecurityDynamicConfiguration whitelistingSettings = - Migration.migrateWhitelistingSetting(SecurityDynamicConfiguration.fromNode( - DefaultObjectMapper.YAML_MAPPER.readTree(ConfigHelper.createFileOrStringReader(CType.WHITELIST, 1, new File(backupDir,"whitelist.yml").getAbsolutePath(), true)), - CType.WHITELIST, 1, 0, 0)); + SecurityDynamicConfiguration allowlistingSettings = + Migration.migrateAllowlistingSetting(SecurityDynamicConfiguration.fromNode( + DefaultObjectMapper.YAML_MAPPER.readTree(ConfigHelper.createFileOrStringReader(CType.ALLOWLIST, 1, new File(backupDir,"allowlist.yml").getAbsolutePath(), true)), + CType.ALLOWLIST, 1, 0, 0)); SecurityDynamicConfiguration audit = Migration.migrateAudit(SecurityDynamicConfiguration.fromNode(DefaultObjectMapper.YAML_MAPPER.readTree(new File(backupDir,"audit.yml")), CType.AUDIT, 1, 0, 0)); DefaultObjectMapper.YAML_MAPPER.writeValue(new File(v7Dir, "/action_groups.yml"), actionGroupsV7); @@ -1296,7 +1296,7 @@ private static int migrate(TransportClient tc, String index, File backupDir, Nod DefaultObjectMapper.YAML_MAPPER.writeValue(new File(v7Dir, "/tenants.yml"), rolesTenantsV7.v2()); DefaultObjectMapper.YAML_MAPPER.writeValue(new File(v7Dir, "/roles_mapping.yml"), rolesmappingV7); DefaultObjectMapper.YAML_MAPPER.writeValue(new File(v7Dir, "/nodes_dn.yml"), nodesDn); - DefaultObjectMapper.YAML_MAPPER.writeValue(new File(v7Dir, "/whitelist.yml"), whitelistingSettings); + DefaultObjectMapper.YAML_MAPPER.writeValue(new File(v7Dir, "/allowlist.yml"), allowlistingSettings); DefaultObjectMapper.YAML_MAPPER.writeValue(new File(v7Dir, "/audit.yml"), audit); } catch (Exception e) { diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java index 90888df5e7..75e32e6b5d 100755 --- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java +++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java @@ -832,7 +832,7 @@ public void testCustomAttributes() throws Exception { settings = Settings.builder() .putList(ConfigConstants.LDAP_HOSTS, "127.0.0.1:4", "localhost:" + ldapPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})") - .putList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, "*objectclass*","entryParentId") + .putList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, "*objectclass*","entryParentId") .build(); user = (LdapUser) new LDAPAuthenticationBackend(settings, null).authenticate(new AuthCredentials("jacksonm", "secret" diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java index cc8545d4e8..f68854b577 100644 --- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java +++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java @@ -692,7 +692,7 @@ public void testCustomAttributes() throws Exception { settings = Settings.builder() .putList(ConfigConstants.LDAP_HOSTS, "127.0.0.1:4", "localhost:" + ldapPort) .put("users.u1.search", "(uid={0})") - .putList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, "*objectclass*", "entryParentId").build(); + .putList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, "*objectclass*", "entryParentId").build(); user = (LdapUser) new LDAPAuthenticationBackend(settings, null) .authenticate(new AuthCredentials("jacksonm", "secret".getBytes(StandardCharsets.UTF_8))); diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java index b6f5eb91ec..fe6ad9a4a8 100644 --- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java +++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java @@ -725,7 +725,7 @@ public void testCustomAttributes() throws Exception { settings = createBaseSettings() .putList(ConfigConstants.LDAP_HOSTS, "127.0.0.1:4", "localhost:" + ldapPort) .put("users.u1.search", "(uid={0})") - .putList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, "*objectclass*", "entryParentId").build(); + .putList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, "*objectclass*", "entryParentId").build(); user = (LdapUser) new LDAPAuthenticationBackend2(settings, null) .authenticate(new AuthCredentials("jacksonm", "secret".getBytes(StandardCharsets.UTF_8))); diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java index bceeb47637..f588813cec 100755 --- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java +++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java @@ -836,7 +836,7 @@ public void testCustomAttributes() throws Exception { settings = createBaseSettings() .putList(ConfigConstants.LDAP_HOSTS, "127.0.0.1:4", "localhost:" + ldapPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})") - .putList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, "*objectclass*", "entryParentId").build(); + .putList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, "*objectclass*", "entryParentId").build(); user = (LdapUser) new LDAPAuthenticationBackend2(settings, null) .authenticate(new AuthCredentials("jacksonm", "secret".getBytes(StandardCharsets.UTF_8))); diff --git a/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java b/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java index 049ae9924c..5c9f18a8fc 100644 --- a/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java +++ b/src/test/java/org/opensearch/security/ccstest/RemoteReindexTests.java @@ -74,7 +74,7 @@ public void tearDown() throws Exception { private Settings crossClusterNodeSettings(ClusterInfo remote) { Settings.Builder builder = Settings.builder() - .putList("reindex.remote.whitelist", remote.httpHost+":"+remote.httpPort); + .putList("reindex.remote.allowlist", remote.httpHost+":"+remote.httpPort); return builder.build(); } diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java similarity index 86% rename from src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java rename to src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java index 96604477e8..9443dbb90c 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java @@ -48,11 +48,11 @@ import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; /** - * Testing class to verify that {@link WhitelistApiAction} works correctly. - * Check {@link SecurityRestFilter} for extra tests for whitelisting functionality. + * Testing class to verify that {@link AllowlistApiAction} works correctly. + * Check {@link SecurityRestFilter} for extra tests for allowlisting functionality. */ @RunWith(Parameterized.class) -public class WhitelistApiTest extends AbstractRestApiUnitTest { +public class AllowlistApiTest extends AbstractRestApiUnitTest { private RestHelper.HttpResponse response; /** @@ -64,7 +64,7 @@ public class WhitelistApiTest extends AbstractRestApiUnitTest { private final String ENDPOINT; - public WhitelistApiTest(String endpoint){ + public AllowlistApiTest(String endpoint){ ENDPOINT = endpoint; } @@ -87,18 +87,18 @@ private void testGetAndPut(final int expectedStatus, final boolean sendAdminCert rh.sendAdminCertificate = sendAdminCertificate; //CHECK GET REQUEST - response = rh.executeGetRequest(ENDPOINT + "/whitelist", headers); + response = rh.executeGetRequest(ENDPOINT + "/allowlist", headers); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); if (expectedStatus == HttpStatus.SC_OK) { //Note: the response has no whitespaces, so the .json file does not have whitespaces - Assert.assertEquals(FileHelper.loadFile("restapi/whitelist_response_success.json"), FileHelper.loadFile("restapi/whitelist_response_success.json")); + Assert.assertEquals(FileHelper.loadFile("restapi/allowlist_response_success.json"), FileHelper.loadFile("restapi/allowlist_response_success.json")); } //FORBIDDEN FOR NON SUPER ADMIN if (expectedStatus == HttpStatus.SC_FORBIDDEN) { assertTrue(response.getBody().contains("API allowed only for super admin.")); } //CHECK PUT REQUEST - response = rh.executePutRequest(ENDPOINT + "/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", headers); + response = rh.executePutRequest(ENDPOINT + "/allowlist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", headers); assertThat(response.getBody(), response.getStatusCode(), equalTo(expectedStatus)); rh.sendAdminCertificate = prevSendAdminCertificate; @@ -116,7 +116,7 @@ public void testResponseDoesNotContainMetaHeader() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - RestHelper.HttpResponse response = rh.executeGetRequest(ENDPOINT + "/whitelist"); + RestHelper.HttpResponse response = rh.executeGetRequest(ENDPOINT + "/allowlist"); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Assert.assertFalse(response.getBody().contains("_meta")); } @@ -133,7 +133,7 @@ public void testPutUnknownKey() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT + "/whitelist", "{ \"unknownkey\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"); + RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT + "/allowlist", "{ \"unknownkey\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); assertTrue(response.getBody().contains("invalid_keys")); assertHealthy(); @@ -150,7 +150,7 @@ public void testPutInvalidJson() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT + "/whitelist", "{ \"invalid\"::{{ [\"*\"], \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"); + RestHelper.HttpResponse response = rh.executePutRequest(ENDPOINT + "/allowlist", "{ \"invalid\"::{{ [\"*\"], \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}"); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); assertHealthy(); } @@ -166,7 +166,7 @@ public void testPayloadMandatory() throws Exception { rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest(ENDPOINT + "/whitelist", "", new Header[0]); + response = rh.executePutRequest(ENDPOINT + "/allowlist", "", new Header[0]); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); JsonNode settings = DefaultObjectMapper.readTree(response.getBody()); Assert.assertEquals(AbstractConfigurationValidator.ErrorType.PAYLOAD_MANDATORY.getMessage(), settings.get("reason").asText()); @@ -182,7 +182,7 @@ public void testPayloadMandatory() throws Exception { * @throws Exception */ @Test - public void testWhitelistApi() throws Exception { + public void testAllowlistApi() throws Exception { setupWithRestRoles(null); rh.keystore = "restapi/kirk-keystore.jks"; // No creds, no admin certificate - UNAUTHORIZED @@ -199,7 +199,7 @@ public void testWhitelistApi() throws Exception { } @Test - public void testWhitelistAuditComplianceLogging() throws Exception { + public void testAllowlistAuditComplianceLogging() throws Exception { Settings settings = Settings.builder() .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false) @@ -228,12 +228,12 @@ public void testWhitelistAuditComplianceLogging() throws Exception { } @Test - public void testWhitelistInvalidHttpRequestMethod() throws Exception{ + public void testAllowlistInvalidHttpRequestMethod() throws Exception{ setup(); rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest(ENDPOINT + "/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GE\"],\"/_cat/indices\": [\"PUT\"] }}", adminCredsHeader); + response = rh.executePutRequest(ENDPOINT + "/allowlist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GE\"],\"/_cat/indices\": [\"PUT\"] }}", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR)); assertTrue(response.getBody().contains("\\\"GE\\\": not one of the values accepted for Enum class")); } @@ -252,33 +252,33 @@ public void testPatchApi() throws Exception{ rh.sendAdminCertificate = true; //PATCH entire config entry - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"replace\", \"path\": \"/config\", \"value\": {\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"PUT\"] }}}]", new Header[0]); + response = rh.executePatchRequest(ENDPOINT + "/allowlist", "[{ \"op\": \"replace\", \"path\": \"/config\", \"value\": {\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"PUT\"] }}}]", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); + response = rh.executeGetRequest(ENDPOINT + "/allowlist", adminCredsHeader); assertEquals(response.getBody(),"{\"config\":{\"enabled\":true,\"requests\":{\"/_cat/nodes\":[\"GET\"],\"/_cat/indices\":[\"PUT\"]}}}"); //PATCH just requests - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"replace\", \"path\": \"/config/requests\", \"value\": {\"/_cat/nodes\": [\"GET\"]}}]", new Header[0]); + response = rh.executePatchRequest(ENDPOINT + "/allowlist", "[{ \"op\": \"replace\", \"path\": \"/config/requests\", \"value\": {\"/_cat/nodes\": [\"GET\"]}}]", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); + response = rh.executeGetRequest(ENDPOINT + "/allowlist", adminCredsHeader); assertTrue(response.getBody().contains("\"requests\":{\"/_cat/nodes\":[\"GET\"]}")); - //PATCH just whitelisted_enabled using "replace" operation - works when enabled is already true - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"replace\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]); + //PATCH just allowlisted_enabled using "replace" operation - works when enabled is already true + response = rh.executePatchRequest(ENDPOINT + "/allowlist", "[{ \"op\": \"replace\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); + response = rh.executeGetRequest(ENDPOINT + "/allowlist", adminCredsHeader); assertTrue(response.getBody().contains("\"enabled\":false")); //PATCH just enabled using "add" operation when it is currently false - works correctly - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": true}]", new Header[0]); + response = rh.executePatchRequest(ENDPOINT + "/allowlist", "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": true}]", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); + response = rh.executeGetRequest(ENDPOINT + "/allowlist", adminCredsHeader); assertTrue(response.getBody().contains("\"enabled\":true")); //PATCH just enabled using "add" operation when it is currently true - works correctly - response = rh.executePatchRequest(ENDPOINT + "/whitelist", "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]); - Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); - response = rh.executeGetRequest(ENDPOINT + "/whitelist", adminCredsHeader); + response = rh.executePatchRequest(ENDPOINT + "/allowlist", "[{ \"op\": \"add\", \"path\": \"/config/enabled\", \"value\": false}]", new Header[0]); + Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());response = rh.executeGetRequest(ENDPOINT + "/allowlist", adminCredsHeader); + response = rh.executeGetRequest(ENDPOINT + "/allowlist", adminCredsHeader); assertTrue(response.getBody().contains("\"enabled\":false")); } } diff --git a/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java index 9c1ebd2168..259f1436be 100644 --- a/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java +++ b/src/test/java/org/opensearch/security/filter/SecurityRestFilterTest.java @@ -16,7 +16,7 @@ package org.opensearch.security.filter; import org.opensearch.security.dlic.rest.api.AbstractRestApiUnitTest; -import org.opensearch.security.securityconf.impl.WhitelistingSettings; +import org.opensearch.security.securityconf.impl.AllowlistingSettings; import org.opensearch.security.test.helper.rest.RestHelper; import org.apache.http.Header; import org.apache.http.HttpStatus; @@ -26,7 +26,7 @@ import static org.hamcrest.Matchers.equalTo; /** - * Currently tests that the whitelisting functionality works correctly. + * Currently tests that the allowlisting functionality works correctly. * Uses the test/resources/restapi folder for setup. */ public class SecurityRestFilterTest extends AbstractRestApiUnitTest { @@ -41,96 +41,96 @@ public class SecurityRestFilterTest extends AbstractRestApiUnitTest { private final Header nonAdminCredsHeader = encodeBasicHeader("sarek", "sarek"); /** - * Tests that whitelisted APIs can be accessed by all users. + * Tests that allowlisted APIs can be accessed by all users. * * @throws Exception */ @Test - public void checkWhitelistedApisAreAccessible() throws Exception { + public void checkAllowlistedApisAreAccessible() throws Exception { setup(); - //ADD SOME WHITELISTED APIs + //ADD SOME ALLOWLISTED APIs rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", adminCredsHeader); + response = rh.executePutRequest("_opendistro/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", adminCredsHeader); - log.warn("the response is:" + rh.executeGetRequest("_opendistro/_security/api/whitelist", adminCredsHeader)); + log.warn("the response is:" + rh.executeGetRequest("_opendistro/_security/api/allowlist", adminCredsHeader)); - //NON ADMIN TRIES ACCESSING A WHITELISTED API - OK + //NON ADMIN TRIES ACCESSING A ALLOWLISTED API - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/nodes", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //ADMIN TRIES ACCESSING A WHITELISTED API - OK + //ADMIN TRIES ACCESSING A ALLOWLISTED API - OK rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); log.warn("the second response is:{}", response); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //SUPERADMIN TRIES ACCESSING A WHITELISTED API - OK + //SUPERADMIN TRIES ACCESSING A ALLOWLISTED API - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); } /** - * Tests that non-whitelisted APIs are only accessible by superadmin + * Tests that non-allowlisted APIs are only accessible by superadmin * * @throws Exception */ @Test - public void checkNonWhitelistedApisAccessibleOnlyBySuperAdmin() throws Exception { + public void checkNonAllowlistedApisAccessibleOnlyBySuperAdmin() throws Exception { setup(); - //ADD SOME WHITELISTED APIs - /_cat/nodes and /_cat/indices + //ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/indices rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); + response = rh.executePutRequest("_opendistro/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); - //NON ADMIN TRIES ACCESSING A NON-WHITELISTED API - FORBIDDEN + //NON ADMIN TRIES ACCESSING A NON-ALLOWLISTED API - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //ADMIN TRIES ACCESSING A NON-WHITELISTED API - FORBIDDEN + //ADMIN TRIES ACCESSING A NON-ALLOWLISTED API - FORBIDDEN rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN)); - //SUPERADMIN TRIES ACCESSING A NON-WHITELISTED API - OK + //SUPERADMIN TRIES ACCESSING A NON-ALLOWLISTED API - OK rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); } /** - * Checks that all APIs are accessible by any user when {@link WhitelistingSettings#getEnabled()} is false + * Checks that all APIs are accessible by any user when {@link AllowlistingSettings#getEnabled()} is false */ @Test - public void checkAllApisWhenWhitelistingNotEnabled() throws Exception { + public void checkAllApisWhenAllowlistingNotEnabled() throws Exception { setup(); - //DISABLE WHITELISTING BUT ADD SOME WHITELISTED APIs - /_cat/nodes and /_cat/plugins + //DISABLE ALLOWLISTING BUT ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/plugins rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": false, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); + response = rh.executePutRequest("_opendistro/_security/api/allowlist", "{\"enabled\": false, \"requests\": {\"/_cat/nodes\": [\"GET\"],\"/_cat/indices\": [\"GET\"] }}", nonAdminCredsHeader); - //NON-ADMIN TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because whitelisting is off) + //NON-ADMIN TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because allowlisting is off) rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); response = rh.executeGetRequest("_cat/nodes", nonAdminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //ADMIN USER TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because whitelisting is off) + //ADMIN USER TRIES ACCESSING 2 APIs: One in the list and one outside - OK for both (Because allowlisting is off) rh.sendAdminCertificate = false; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); response = rh.executeGetRequest("_cat/nodes", adminCredsHeader); assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK)); - //SUPERADMIN TRIES ACCESSING 2 APIS - OK (would work even if whitelisting was on) + //SUPERADMIN TRIES ACCESSING 2 APIS - OK (would work even if allowlisting was on) rh.sendAdminCertificate = true; response = rh.executeGetRequest("_cat/plugins", adminCredsHeader); @@ -140,21 +140,21 @@ public void checkAllApisWhenWhitelistingNotEnabled() throws Exception { } /** - * Checks that request method specific whitelisting works properly. - * Checks that if only GET /_cluster/settings is whitelisted, then: + * Checks that request method specific allowlisting works properly. + * Checks that if only GET /_cluster/settings is allowlisted, then: * non admin user can access GET /_cluster/settings, but not PUT /_cluster/settings * admin user can access GET /_cluster/settings, but not PUT /_cluster/settings * SuperAdmin can access GET /_cluster/settings and PUT /_cluster/settings * */ @Test - public void checkSpecificRequestMethodWhitelisting() throws Exception{ + public void checkSpecificRequestMethodAllowlisting() throws Exception{ setup(); - //WHITELIST GET /_cluster/settings + //ALLOWLIST GET /_cluster/settings rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest("_opendistro/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); //NON-ADMIN TRIES ACCESSING GET - OK, PUT - FORBIDDEN @@ -181,8 +181,8 @@ public void checkSpecificRequestMethodWhitelisting() throws Exception{ /** - * Tests that a whitelisted API with an extra '/' does not cause an issue - * i.e if only GET /_cluster/settings/ is whitelisted, then: + * Tests that a allowlisted API with an extra '/' does not cause an issue + * i.e if only GET /_cluster/settings/ is allowlisted, then: * GET /_cluster/settings/ - OK * GET /_cluster/settings - OK * PUT /_cluster/settings/ - FORBIDDEN @@ -190,13 +190,13 @@ public void checkSpecificRequestMethodWhitelisting() throws Exception{ * @throws Exception */ @Test - public void testWhitelistedApiWithExtraSlash() throws Exception{ + public void testAllowlistedApiWithExtraSlash() throws Exception{ setup(); - //WHITELIST GET /_cluster/settings/ - extra / in the request + //ALLOWLIST GET /_cluster/settings/ - extra / in the request rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings/\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest("_opendistro/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings/\": [\"GET\"]}}", nonAdminCredsHeader); //NON ADMIN ACCESS GET /_cluster/settings/ - OK rh.sendAdminCertificate = false; @@ -218,8 +218,8 @@ public void testWhitelistedApiWithExtraSlash() throws Exception{ } /** - * Tests that a whitelisted API without an extra '/' does not cause an issue - * i.e if only GET /_cluster/settings is whitelisted, then: + * Tests that a allowlisted API without an extra '/' does not cause an issue + * i.e if only GET /_cluster/settings is allowlisted, then: * GET /_cluster/settings/ - OK * GET /_cluster/settings - OK * PUT /_cluster/settings/ - FORBIDDEN @@ -227,13 +227,13 @@ public void testWhitelistedApiWithExtraSlash() throws Exception{ * @throws Exception */ @Test - public void testWhitelistedApiWithoutExtraSlash() throws Exception{ + public void testAllowlistedApiWithoutExtraSlash() throws Exception{ setup(); - //WHITELIST GET /_cluster/settings (no extra / in request) + //ALLOWLIST GET /_cluster/settings (no extra / in request) rh.keystore = "restapi/kirk-keystore.jks"; rh.sendAdminCertificate = true; - response = rh.executePutRequest("_opendistro/_security/api/whitelist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); + response = rh.executePutRequest("_opendistro/_security/api/allowlist", "{\"enabled\": true, \"requests\": {\"/_cluster/settings\": [\"GET\"]}}", nonAdminCredsHeader); //NON ADMIN ACCESS GET /_cluster/settings/ - OK rh.sendAdminCertificate = false; diff --git a/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java b/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java index c98f37f4a8..74c88ab507 100644 --- a/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java +++ b/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java @@ -50,7 +50,7 @@ public class DynamicSecurityConfig { private String securityInternalUsers = "internal_users.yml"; private String securityActionGroups = "action_groups.yml"; private String securityNodesDn = "nodes_dn.yml"; - private String securityWhitelist= "whitelist.yml"; + private String securityAllowlist= "allowlist.yml"; private String securityAudit = "audit.yml"; private String securityConfigAsYamlString = null; private String type = "_doc"; @@ -100,8 +100,8 @@ public DynamicSecurityConfig setSecurityNodesDn(String nodesDn) { return this; } - public DynamicSecurityConfig setSecurityWhitelist(String whitelist){ - this.securityWhitelist = whitelist; + public DynamicSecurityConfig setSecurityAllowlist(String allowlist){ + this.securityAllowlist = allowlist; return this; } @@ -171,13 +171,13 @@ public List getDynamicConfig(String folder) { } - final String whitelistYmlFile = prefix + securityWhitelist; - if (null != FileHelper.getAbsoluteFilePathFromClassPath(whitelistYmlFile)) { + final String allowlistYmlFile = prefix + securityAllowlist; + if (null != FileHelper.getAbsoluteFilePathFromClassPath(allowlistYmlFile)) { ret.add(new IndexRequest(securityIndexName) .type(type) - .id(CType.WHITELIST.toLCString()) + .id(CType.ALLOWLIST.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) - .source(CType.WHITELIST.toLCString(), FileHelper.readYamlContent(whitelistYmlFile))); + .source(CType.ALLOWLIST.toLCString(), FileHelper.readYamlContent(allowlistYmlFile))); } final String auditYmlFile = prefix + securityAudit; diff --git a/src/test/resources/restapi/whitelist.yml b/src/test/resources/allowlist.yml similarity index 91% rename from src/test/resources/restapi/whitelist.yml rename to src/test/resources/allowlist.yml index 173bdbd201..d90ab38da6 100644 --- a/src/test/resources/restapi/whitelist.yml +++ b/src/test/resources/allowlist.yml @@ -1,6 +1,6 @@ --- _meta: - type: "whitelist" + type: "allowlist" config_version: 2 #this name must be config diff --git a/src/test/resources/legacy/securityconfig_v6/migration/whitelist.yml b/src/test/resources/legacy/securityconfig_v6/allowlist.yml similarity index 100% rename from src/test/resources/legacy/securityconfig_v6/migration/whitelist.yml rename to src/test/resources/legacy/securityconfig_v6/allowlist.yml diff --git a/src/test/resources/legacy/securityconfig_v6/whitelist.yml b/src/test/resources/legacy/securityconfig_v6/migration/allowlist.yml similarity index 100% rename from src/test/resources/legacy/securityconfig_v6/whitelist.yml rename to src/test/resources/legacy/securityconfig_v6/migration/allowlist.yml diff --git a/src/test/resources/whitelist.yml b/src/test/resources/restapi/allowlist.yml similarity index 91% rename from src/test/resources/whitelist.yml rename to src/test/resources/restapi/allowlist.yml index 173bdbd201..d90ab38da6 100644 --- a/src/test/resources/whitelist.yml +++ b/src/test/resources/restapi/allowlist.yml @@ -1,6 +1,6 @@ --- _meta: - type: "whitelist" + type: "allowlist" config_version: 2 #this name must be config diff --git a/src/test/resources/restapi/whitelist_response_success.json b/src/test/resources/restapi/allowlist_response_success.json similarity index 100% rename from src/test/resources/restapi/whitelist_response_success.json rename to src/test/resources/restapi/allowlist_response_success.json diff --git a/src/test/resources/restapi/internal_users.yml b/src/test/resources/restapi/internal_users.yml index 0049ab8c86..08b5ddfad4 100644 --- a/src/test/resources/restapi/internal_users.yml +++ b/src/test/resources/restapi/internal_users.yml @@ -60,4 +60,4 @@ admin_all_access: backend_roles: - "vulcan" attributes: {} - description: "sample user with all_access, used to test whitelisting" + description: "sample user with all_access, used to test allowlisting" diff --git a/src/test/resources/security_passive/whitelist.yml b/src/test/resources/security_passive/allowlist.yml similarity index 67% rename from src/test/resources/security_passive/whitelist.yml rename to src/test/resources/security_passive/allowlist.yml index 53f9970f74..6303b1e0ea 100644 --- a/src/test/resources/security_passive/whitelist.yml +++ b/src/test/resources/security_passive/allowlist.yml @@ -1,23 +1,23 @@ --- _meta: - type: "whitelist" + type: "allowlist" config_version: 2 # Description: # enabled - feature flag. -# if enabled is false, the whitelisting feature is removed. -# This is like removing the check that checks if an API is whitelisted. -# This is equivalent to continuing with the usual access control checks, and removing all the code that implements whitelisting. +# if enabled is false, the allowlisting feature is removed. +# This is like removing the check that checks if an API is allowlisted. +# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting. # if enabled is true, then all users except SuperAdmin can access only the APIs in requests # SuperAdmin can access all APIs. # SuperAdmin is defined by the SuperAdmin certificate, which is configured in the elasticsearch.yml setting: opendistro_security.authcz.admin_dn: # Refer to the example setting in elasticsearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. # -# requests - map of whitelisted endpoints, and the whitelisted HTTP requests for those endpoints +# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints # Examples showing how to configure this yml file (make sure the _meta data from above is also there): # Example 1: -# To enable whitelisting and whitelist GET /_cluster/settings +# To enable allowlisting and allowlist GET /_cluster/settings # #config: # enabled: true @@ -26,7 +26,7 @@ _meta: # - GET # # Example 2: -# If you want to whitelist multiple request methods for /_cluster/settings (GET,PUT): +# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT): # #config: # enabled: true @@ -36,7 +36,7 @@ _meta: # - PUT # # Example 3: -# If you want to whitelist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: +# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: # #config: # enabled: true @@ -50,13 +50,13 @@ _meta: # - GET # # Example 4: -# If you want to disable the whitelisting feature, set enabled to false. +# If you want to disable the allowlisting feature, set enabled to false. # enabled: false # requests: # /_cluster/settings: # - GET # -#At this point, all APIs become whitelisted because the feature to whitelist is off, so requests is irrelevant. +#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant. #this name must be config