diff --git a/.github/actions/create-bwc-build/action.yaml b/.github/actions/create-bwc-build/action.yaml
index b6ee3d5478..fcfa612a7d 100644
--- a/.github/actions/create-bwc-build/action.yaml
+++ b/.github/actions/create-bwc-build/action.yaml
@@ -5,7 +5,7 @@ inputs:
plugin-branch:
description: 'The branch of the plugin that should be built, e.g "2.2", "1.x"'
required: true
-
+
outputs:
built-version:
description: 'The version of OpenSearch that was associated with this branch'
diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml
index b562851b0c..fa5681c422 100644
--- a/.github/actions/start-opensearch-with-one-plugin/action.yml
+++ b/.github/actions/start-opensearch-with-one-plugin/action.yml
@@ -70,7 +70,7 @@ runs:
# Run any configuration scripts
- name: Run Setup Script for Linux
if: ${{ runner.os == 'Linux' && inputs.setup-script-name != '' }}
- run: |
+ run: |
echo "running linux setup"
chmod +x ./${{ inputs.setup-script-name }}.sh
./${{ inputs.setup-script-name }}.sh
diff --git a/.github/workflows/delete_backport_branch.yml b/.github/workflows/delete_backport_branch.yml
index 35417b46b3..9964fe1ec8 100644
--- a/.github/workflows/delete_backport_branch.yml
+++ b/.github/workflows/delete_backport_branch.yml
@@ -1,9 +1,9 @@
name: Delete merged branch of the backport PRs
-on:
+on:
pull_request:
types:
- closed
-
+
jobs:
delete-branch:
runs-on: ubuntu-latest
diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml
index 75289d560a..301c193e11 100644
--- a/.github/workflows/plugin_install.yml
+++ b/.github/workflows/plugin_install.yml
@@ -38,7 +38,7 @@ jobs:
if: ${{ runner.os == 'Linux' }}
run: |
cat > setup.sh <<'EOF'
- chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh
+ chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh
/bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh"
EOF
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a7e7d89e9a..371de48a2e 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -5,7 +5,7 @@
OpenSearch is a community project that is built and maintained by people just like **you**.
[This document](https://github.com/opensearch-project/.github/blob/main/CONTRIBUTING.md) explains how you can contribute to this and related projects.
-Visit the following link(s) for more information on specific practices:
+Visit the following link(s) for more information on specific practices:
- [Triaging](./TRIAGING.md)
diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md
index 5168d01a46..358b2eac14 100644
--- a/DEVELOPER_GUIDE.md
+++ b/DEVELOPER_GUIDE.md
@@ -48,9 +48,9 @@ The `curl localhost:9200` call should succeed again. Kill the server with `Ctrl+
>Worth noting:\
> The version of OpenSearch and the security plugin must match as there is an explicit version check at startup. This can be a bit confusing as, for example, at the time of writing this guide, the `main` branch of this security plugin builds version `3.0.0.0-SNAPSHOT` compatible with OpenSearch `3.0.0`. Check the expected compatible version in `build.gradle` file [here](https://github.com/opensearch-project/security/blob/main/build.gradle) and make sure you get the correct branch from OpenSearch when building that project.
->
+>
> The line to look for: `opensearch_version = System.getProperty("opensearch.version", "x")`
->
+>
> Alternatively, you can find the compatible version of OpenSearch by running in project root folder
> ```
> ./gradlew properties -q | grep -E '^version:' | awk '{print $2}'
@@ -164,7 +164,7 @@ Checkstyle enforces several rules within this codebase. Sometimes it will be nec
*Execute Checkstyle*
```
-./gradlew checkstyleMain checkstyleTest
+./gradlew checkstyleMain checkstyleTest
```
*Example violation*
diff --git a/DEVELOPING_WITH_DOCKER.md b/DEVELOPING_WITH_DOCKER.md
index a0ba045846..6616e11313 100644
--- a/DEVELOPING_WITH_DOCKER.md
+++ b/DEVELOPING_WITH_DOCKER.md
@@ -1,40 +1,40 @@
# Developing with Docker
-Docker is a powerful tool that can be used to quickly spin up an OpenSearch cluster. When you follow the steps to run [OpenSearch with Docker](https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/), you will find the Security Plugin already included in the basic distribution.
+Docker is a powerful tool that can be used to quickly spin up an OpenSearch cluster. When you follow the steps to run [OpenSearch with Docker](https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/), you will find the Security Plugin already included in the basic distribution.
- [Developing with Docker](#developing-with-docker)
- [Configuring Security](#configuring-security)
- [Mounting Local Volumes](#mounting-local-volumes)
- [Example docker-compose](#example-docker-compose)
-
-## Configuring Security
-By default, the Docker installation of OpenSearch does not enable the Security plugin. In order to enable Security development, you will need set `DISABLE_SECURITY_PLUGIN=false`, as well as change `DISABLE_INSTALL_DEMO_CONFIG` and `DISABLE_SECURITY_DASHBOARDS_PLUGIN`. This will install the demo certificates, and allow you to develop with realistic Security configurations. An example of a completely configured docker-compose file is shown below.
+## Configuring Security
+
+By default, the Docker installation of OpenSearch does not enable the Security plugin. In order to enable Security development, you will need set `DISABLE_SECURITY_PLUGIN=false`, as well as change `DISABLE_INSTALL_DEMO_CONFIG` and `DISABLE_SECURITY_DASHBOARDS_PLUGIN`. This will install the demo certificates, and allow you to develop with realistic Security configurations. An example of a completely configured docker-compose file is shown below.
> Warning: You should never use the demo certificates for a production environment. Instead, you will need to follow the steps on [configuring security](https://opensearch.org/docs/latest/security/configuration/index/) before using the cluster for production.
-### Mounting Local Volumes
+### Mounting Local Volumes
-In order to test development changes with an OpenSearch Docker-installation, you will need to mount the volumes in your docker-compose file.
+In order to test development changes with an OpenSearch Docker-installation, you will need to mount the volumes in your docker-compose file.
-To update your cluster to have local changes, follow these steps:
+To update your cluster to have local changes, follow these steps:
1. First you will need to make changes in your local `opensearch-project/security` repository. For this example, assume your fork is cloned into a directory called `security`.
-2. After you make changes to your cloned repository, you will need to run `./gradlew assemble`. This will create a `.jar` file you can mount into the Docker container. The file will be located at `./security/build/distributions/opensearch-security-.0-SNAPSHOT.jar`, where the `` field is simply the OpenSearch distribution.
-3. You will then need to navigate to your `docker-compose.yml` file where you are running you OpenSearch cluster from. For this example, let us assume this is in another directory called `opensearch-docker`.
-4. Modify the compose file, so that in the `volumes:` section of each node configuration (the default configuration will have `opensearch-node1` and `opensearch-node2`), you have a new line which reads `~/security/build/distributions/opensearch-security-.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-.0.jar`. This line should be added to the volumes section of all nodes in the compose file. You will not need to add it to the `opensearch-dashboards` section.
-5. You can now restart the Docker container by running `docker-compose down -v` and `docker-compose up`. Your changes will now be live in the OpenSearch cluster instance.
+2. After you make changes to your cloned repository, you will need to run `./gradlew assemble`. This will create a `.jar` file you can mount into the Docker container. The file will be located at `./security/build/distributions/opensearch-security-.0-SNAPSHOT.jar`, where the `` field is simply the OpenSearch distribution.
+3. You will then need to navigate to your `docker-compose.yml` file where you are running you OpenSearch cluster from. For this example, let us assume this is in another directory called `opensearch-docker`.
+4. Modify the compose file, so that in the `volumes:` section of each node configuration (the default configuration will have `opensearch-node1` and `opensearch-node2`), you have a new line which reads `~/security/build/distributions/opensearch-security-.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-.0.jar`. This line should be added to the volumes section of all nodes in the compose file. You will not need to add it to the `opensearch-dashboards` section.
+5. You can now restart the Docker container by running `docker-compose down -v` and `docker-compose up`. Your changes will now be live in the OpenSearch cluster instance.
-### Example docker-compose
+### Example docker-compose
-This is an example of a completely configured docker-compose file for a local installation of the 2.5.0 version of OpenSearch.
+This is an example of a completely configured docker-compose file for a local installation of the 2.5.0 version of OpenSearch.
```
version: '3'
services:
opensearch-node1:
- image: opensearchstaging/opensearch:2.5.0 # This is a image of the 2.5.0 distribution
+ image: opensearchstaging/opensearch:2.5.0 # This is a image of the 2.5.0 distribution
environment:
- cluster.name=opensearch-cluster
- node.name=opensearch-node1
@@ -58,7 +58,7 @@ services:
# - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml # These paths are relative to the location of the docker-compose file
# - ./config/esnode.pem:/usr/share/opensearch/config/esnode.pem
# - ./config/esnode-key.pem:/usr/share/opensearch/config/esnode-key.pem
- # - ./config/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+ # - ./config/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
# - ./config/opensearch-security/audit.yml:/usr/share/opensearch/config/opensearch-security/audit.yml
# - ./config/opensearch-security/tenants.yml:/usr/share/opensearch/config/opensearch-security/tenants.yml
# - /OpenSearch-Snapshots:/mnt/snapshots # This is where your snapshots would be stored
@@ -86,8 +86,8 @@ services:
# - ./config/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
# - ./config/opensearch-security/audit.yml:/usr/share/opensearch/config/opensearch-security/audit.yml
# - ./config/opensearch-security/tenants.yml:/usr/share/opensearch/config/opensearch-security/tenants.yml
- # - /OpenSearch-Snapshots:/mnt/snapshots
- # - /security/build/distributions/opensearch-security-2.5.0.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-2.5.0.0.jar
+ # - /OpenSearch-Snapshots:/mnt/snapshots
+ # - /security/build/distributions/opensearch-security-2.5.0.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-2.5.0.0.jar
networks:
- opensearch-net
opensearch-dashboards:
diff --git a/README.md b/README.md
index b9ca3b80da..5c89f5d72d 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
-[![CI](https://github.com/opensearch-project/security/workflows/CI/badge.svg?branch=main)](https://github.com/opensearch-project/security/actions) [![](https://img.shields.io/github/issues/opensearch-project/security/untriaged?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"untriaged") [![](https://img.shields.io/github/issues/opensearch-project/security/security%20vulnerability?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"security%20vulnerability") [![](https://img.shields.io/github/issues/opensearch-project/security)](https://github.com/opensearch-project/security/issues) [![](https://img.shields.io/github/issues-pr/opensearch-project/security)](https://github.com/opensearch-project/security/pulls)
+[![CI](https://github.com/opensearch-project/security/workflows/CI/badge.svg?branch=main)](https://github.com/opensearch-project/security/actions) [![](https://img.shields.io/github/issues/opensearch-project/security/untriaged?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"untriaged") [![](https://img.shields.io/github/issues/opensearch-project/security/security%20vulnerability?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"security%20vulnerability") [![](https://img.shields.io/github/issues/opensearch-project/security)](https://github.com/opensearch-project/security/issues) [![](https://img.shields.io/github/issues-pr/opensearch-project/security)](https://github.com/opensearch-project/security/pulls)
[![](https://img.shields.io/codecov/c/gh/opensearch-project/security)](https://app.codecov.io/gh/opensearch-project/security) [![](https://img.shields.io/github/issues/opensearch-project/security/v2.4.0)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v2.4.0") [![](https://img.shields.io/github/issues/opensearch-project/security/v3.0.0)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v3.0.0")
[![Slack](https://img.shields.io/badge/Slack-4A154B?&logo=slack&logoColor=white)](https://opensearch.slack.com/archives/C051Y637FKK)
-## Announcement: The Slack workspace is live! Please join the [conversation](https://opensearch.slack.com/archives/C051Y637FKK).
+## Announcement: The Slack workspace is live! Please join the [conversation](https://opensearch.slack.com/archives/C051Y637FKK).
@@ -37,7 +37,7 @@ OpenSearch Security is a plugin for OpenSearch that offers encryption, authentic
* Full data in transit encryption
* Node-to-node encryption
* Certificate revocation lists
-* Hot Certificate renewal
+* Hot Certificate renewal
### Authentication
* Internal user database
@@ -60,7 +60,7 @@ OpenSearch Security is a plugin for OpenSearch that offers encryption, authentic
* REST management API
### Audit/Compliance logging
-* Audit logging
+* Audit logging
* Compliance logging for GDPR, HIPAA, PCI, SOX and ISO compliance
### OpenSearch Dashboards multi-tenancy
@@ -126,7 +126,7 @@ sequenceDiagram
participant OpenSearch
participant SecurityPlugin
participant Cluster as Plugin
-
+
Client->>OpenSearch: Request
OpenSearch->>SecurityPlugin: Request
SecurityPlugin->>SecurityPlugin: Add Auth information to request context
@@ -188,7 +188,7 @@ If you discover a potential security issue in this project we ask that you notif
## License
-This code is licensed under the Apache 2.0 License.
+This code is licensed under the Apache 2.0 License.
## Copyright
diff --git a/TRIAGING.md b/TRIAGING.md
index 2c4ea32fdf..bb61779a7c 100644
--- a/TRIAGING.md
+++ b/TRIAGING.md
@@ -20,7 +20,7 @@ If you have an issue you'd like to bring forth please consider getting a link to
### Is there an agenda for each week?
-Meetings are lightly structured as follows:
+Meetings are lightly structured as follows:
1. Announcements: If there are any announcements to be made they will happen at the start of the meeting.
2. Review of new issues: The meetings always start with reviewing all untriaged [issues](https://github.com/search?q=label%3Auntriaged+is%3Aopen++repo%3Aopensearch-project%2Fsecurity+repo%3Aopensearch-project%2Fsecurity-dashboards-plugin&type=issues&ref=advsearch&s=created&o=desc) for the security and security-dashboards repositories.
@@ -53,7 +53,7 @@ There you can find answers to many common questions as well as speak with implem
### What if my issue is critical to OpenSearch operations, do I have to wait for the weekly meeting for it to be addressed?
-All new issues for the [security](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3Auntriaged) repo and [security-dashboards](https://github.com/opensearch-project/security-dashboards-plugin/issues?q=is%3Aissue+is%3Aopen+-label%3Atriaged) repo are reviewed daily to check for critical issues which require immediate triaging. If an issue relates to a severe concern for OpenSearch operation, it will be triaged by a maintainer mid-week. You can still come to discuss an issue at the following meeting even if it has already been triaged during the week.
+All new issues for the [security](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3Auntriaged) repo and [security-dashboards](https://github.com/opensearch-project/security-dashboards-plugin/issues?q=is%3Aissue+is%3Aopen+-label%3Atriaged) repo are reviewed daily to check for critical issues which require immediate triaging. If an issue relates to a severe concern for OpenSearch operation, it will be triaged by a maintainer mid-week. You can still come to discuss an issue at the following meeting even if it has already been triaged during the week.
### Is this where I should bring up potential security vulnerabilities?
diff --git a/build.gradle b/build.gradle
index ef187e290f..863a4ae234 100644
--- a/build.gradle
+++ b/build.gradle
@@ -52,7 +52,7 @@ plugins {
id 'idea'
id 'jacoco'
id 'maven-publish'
- id 'com.diffplug.spotless' version '6.18.0'
+ id 'com.diffplug.spotless' version '6.19.0'
id 'checkstyle'
id 'com.netflix.nebula.ospackage' version "11.1.0"
id "org.gradle.test-retry" version "1.5.2"
@@ -70,15 +70,53 @@ apply plugin: 'opensearch.opensearchplugin'
apply plugin: 'opensearch.pluginzip'
apply plugin: 'opensearch.rest-test'
apply plugin: 'opensearch.testclusters'
-
-licenseFile = rootProject.file('LICENSE.txt')
-noticeFile = rootProject.file('NOTICE.txt')
+// apply from: 'gradle/formatting.gradle'
spotless {
java {
+ // Normally this isn't necessary, but we have Java sources in
+ // non-standard places
+ target '**/com/amazon/dlic/**/*.java'
+ target '**/com/amazon/security/**/*.java'
+ target '**/test/java/org/opensearch/security/**/*.java'
+
+ removeUnusedImports()
+ eclipse().configFile rootProject.file('formatter/formatterConfig.xml')
+ trimTrailingWhitespace()
+ endWithNewline();
+
// note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports
importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
- targetExclude('src/integrationTest/**')
+
+ custom 'Refuse wildcard imports', {
+ // Wildcard imports can't be resolved; fail the build
+ if (it =~ /\s+import .*\*;/) {
+ throw new AssertionError("Do not use wildcard imports. 'spotlessApply' cannot resolve this issue.")
+ }
+ }
+
+ // See DEVELOPER_GUIDE.md for details of when to enable this.
+ if (System.getProperty('spotless.paddedcell') != null) {
+ paddedCell()
+ }
+ }
+ format 'misc', {
+ target '*.md', '*.gradle', '**/*.json', '**/*.yaml', '**/*.yml', '**/*.svg'
+
+ trimTrailingWhitespace()
+ endWithNewline()
+ }
+ format('javaFoo', JavaExtension) {
+
+ importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+ target '**/*.java'
+ targetExclude '**/com/amazon/dlic/**/*.java'
+ targetExclude '**/com/amazon/security/**/*.java'
+ targetExclude '**/test/java/org/opensearch/security/**/*.java'
+ targetExclude 'src/integrationTest/**'
+
+ trimTrailingWhitespace()
+ endWithNewline();
}
format("integrationTest", JavaExtension) {
target('src/integrationTest/java/**/*.java')
@@ -87,6 +125,9 @@ spotless {
}
}
+licenseFile = rootProject.file('LICENSE.txt')
+noticeFile = rootProject.file('NOTICE.txt')
+
spotbugs {
includeFilter = file('spotbugs-include.xml')
}
@@ -301,6 +342,7 @@ configurations {
force "io.netty:netty-transport:${versions.netty}"
force "io.netty:netty-transport-native-unix-common:${versions.netty}"
force "org.apache.bcel:bcel:6.6.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
+ force "com.github.luben:zstd-jni:${versions.zstd}"
}
}
@@ -346,7 +388,6 @@ task integrationTest(type: Test) {
check.dependsOn integrationTest
dependencies {
- implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"
implementation "org.apache.httpcomponents.client5:httpclient5-cache:${versions.httpclient5}"
@@ -424,7 +465,7 @@ dependencies {
runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.4.0'
runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.2.5'
runtimeOnly 'org.apache.santuario:xmlsec:2.2.3'
- runtimeOnly 'com.github.luben:zstd-jni:1.5.2-1'
+ runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
runtimeOnly 'org.checkerframework:checker-qual:3.5.0'
runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
index 1afc1b88d5..d3c3658245 100644
--- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
+++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
@@ -12,17 +12,17 @@
import java.util.Set;
import java.util.stream.Collectors;
-import org.junit.Assume;
+import com.google.common.collect.ImmutableMap;
import org.junit.Assert;
+import org.junit.Assume;
import org.junit.Before;
+
+import org.opensearch.Version;
import org.opensearch.client.Response;
import org.opensearch.common.settings.Settings;
import org.opensearch.rest.RestStatus;
import org.opensearch.test.rest.OpenSearchRestTestCase;
-import org.opensearch.Version;
-import com.google.common.collect.ImmutableMap;
-
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.hasItem;
diff --git a/config/roles.yml b/config/roles.yml
index e4eb3ac535..d03b47ab28 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -205,6 +205,8 @@ index_management_full_access:
- "cluster:admin/opendistro/ism/*"
- "cluster:admin/opendistro/rollup/*"
- "cluster:admin/opendistro/transform/*"
+ - "cluster:admin/opensearch/controlcenter/lron/*"
+ - "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/feature/publish"
index_permissions:
- index_patterns:
diff --git a/formatter/formatterConfig.xml b/formatter/formatterConfig.xml
new file mode 100644
index 0000000000..713e55274d
--- /dev/null
+++ b/formatter/formatterConfig.xml
@@ -0,0 +1,362 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/gradle/formatting.gradle b/gradle/formatting.gradle
new file mode 100644
index 0000000000..40ae51afb1
--- /dev/null
+++ b/gradle/formatting.gradle
@@ -0,0 +1,95 @@
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.opensearch.gradle.BuildPlugin
+
+/*
+ * This script plugin configures formatting for Java source using Spotless
+ * for Gradle. Since the act of formatting existing source can interfere
+ * with developers' workflows, we don't automatically format all code
+ * (yet). Instead, we maintain a list of projects that are excluded from
+ * formatting, until we reach a point where we can comfortably format them
+ * in one go without too much disruption.
+ *
+ * Any new sub-projects must not be added to the exclusions list!
+ *
+ * To perform a reformat, run:
+ *
+ * ./gradlew spotlessApply
+ *
+ * To check the current format, run:
+ *
+ * ./gradlew spotlessJavaCheck
+ *
+ * This is also carried out by the `precommit` task.
+ *
+ * For more about Spotless, see:
+ *
+ * https://github.com/diffplug/spotless/tree/master/plugin-gradle
+ */
+
+org.opensearch.gradle.BuildPlugin {
+ plugins.withType(BuildPlugin).whenPluginAdded {
+ project.apply plugin: "com.diffplug.spotless"
+
+ spotless {
+ java {
+ // Normally this isn't necessary, but we have Java sources in
+ // non-standard places
+ target '**/*.java'
+
+ removeUnusedImports()
+ eclipse().configFile rootProject.file('buildSrc/formatterConfig.xml')
+ trimTrailingWhitespace()
+ endWithNewline()
+
+ custom 'Refuse wildcard imports', {
+ // Wildcard imports can't be resolved; fail the build
+ if (it =~ /\s+import .*\*;/) {
+ throw new AssertionError("Do not use wildcard imports. 'spotlessApply' cannot resolve this issue.")
+ }
+ }
+
+ // See DEVELOPER_GUIDE.md for details of when to enable this.
+ if (System.getProperty('spotless.paddedcell') != null) {
+ paddedCell()
+ }
+ }
+ format 'misc', {
+ target '*.md', '*.gradle', '**/*.yaml', '**/*.yml', '**/*.svg'
+
+ trimTrailingWhitespace()
+ endWithNewline()
+ }
+ }
+
+ precommit.dependsOn 'spotlessJavaCheck'
+ }
+}
diff --git a/legacy/securityconfig_v6/action_groups.yml b/legacy/securityconfig_v6/action_groups.yml
index 14c1b3082f..3faa4c5e31 100644
--- a/legacy/securityconfig_v6/action_groups.yml
+++ b/legacy/securityconfig_v6/action_groups.yml
@@ -128,7 +128,7 @@ CLUSTER_COMPOSITE_OPS:
- "indices:admin/aliases*"
- "indices:data/write/reindex"
- CLUSTER_COMPOSITE_OPS_RO
-
+
MANAGE_SNAPSHOTS:
readonly: true
permissions:
diff --git a/legacy/securityconfig_v6/config.yml b/legacy/securityconfig_v6/config.yml
index 15d5ee9973..d867a72200 100644
--- a/legacy/securityconfig_v6/config.yml
+++ b/legacy/securityconfig_v6/config.yml
@@ -1,14 +1,14 @@
# This is the main OpenSearch Security configuration file where authentication
# and authorization is defined.
-#
+#
# You need to configure at least one authentication domain in the authc of this file.
-# An authentication domain is responsible for extracting the user credentials from
-# the request and for validating them against an authentication backend like Active Directory for example.
+# An authentication domain is responsible for extracting the user credentials from
+# the request and for validating them against an authentication backend like Active Directory for example.
#
-# If more than one authentication domain is configured the first one which succeeds wins.
+# If more than one authentication domain is configured the first one which succeeds wins.
# If all authentication domains fail then the request is unauthenticated.
# In this case an exception is thrown and/or the HTTP status is set to 401.
-#
+#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
@@ -21,18 +21,18 @@
# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "opendistro_security_anonymous"
-# and one role named "opendistro_security_anonymous_backendrole".
+# and one role named "opendistro_security_anonymous_backendrole".
# If you enable anonymous authentication all HTTP authenticators will not challenge.
-#
+#
#
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
-# first and the challenging one last.
+# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
-#
+#
#
# HTTP
# basic (challenging)
@@ -78,7 +78,7 @@ opendistro_security:
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
- kerberos_auth_domain:
+ kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
@@ -92,7 +92,7 @@ opendistro_security:
strip_realm_from_principal: true
authentication_backend:
type: noop
- basic_internal_auth_domain:
+ basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
@@ -164,11 +164,11 @@ opendistro_security:
password: null
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
+ # {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
- authz:
+ authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
@@ -191,8 +191,8 @@ opendistro_security:
rolebase: 'ou=groups,dc=example,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
- # {1} is substituted with the username
- # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
+ # {1} is substituted with the username
+ # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
@@ -206,12 +206,12 @@ opendistro_security:
resolve_nested_roles: true
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
+ # {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
- #skip_users:
+ #skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
- # - '/\S*/'
+ # - '/\S*/'
roles_from_another_ldap:
http_enabled: false
transport_enabled: false
diff --git a/legacy/securityconfig_v6/internal_users.yml b/legacy/securityconfig_v6/internal_users.yml
index 19c5eff661..c7d177787d 100644
--- a/legacy/securityconfig_v6/internal_users.yml
+++ b/legacy/securityconfig_v6/internal_users.yml
@@ -19,13 +19,13 @@ logstash:
roles:
- logstash
-#password is: kibanaserver
+#password is: kibanaserver
kibanaserver:
readonly: true
hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
#password is: kibanaro
-kibanaro:
+kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
roles:
- kibanauser
diff --git a/legacy/securityconfig_v6/roles.yml b/legacy/securityconfig_v6/roles.yml
index 68a5bd6f98..c546b85393 100644
--- a/legacy/securityconfig_v6/roles.yml
+++ b/legacy/securityconfig_v6/roles.yml
@@ -3,7 +3,7 @@
# - ''
# indices:
# '':
-# '':
+# '':
# - ''
# _dls_: ''
# _fls_:
@@ -15,9 +15,9 @@
# and a type. If a request is executed against all indices (or all types) then the asterix ('*') is needed.
# Every role a user has will be examined if it allows the action against an index (or type). At least one role must match
# for the request to be successful. If no role match then the request will be denied. Currently a match must happen within
-# one single role - that means that permissions can not span multiple roles.
+# one single role - that means that permissions can not span multiple roles.
-# For , and simple wildcards and regular expressions are possible.
+# For , and simple wildcards and regular expressions are possible.
# A asterix (*) will match any character sequence (or an empty sequence)
# A question mark (?) will match any single character (but NOT empty character)
# Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1'
@@ -27,7 +27,7 @@
# '//'
# Example: '/\S*/' will match any non whitespace characters
-# Important:
+# Important:
# Index, alias or type names can not contain dots (.) in the or expression.
# Reason is that we currently parse the config file into a OpenSearch settings object which cannot cope with dots in keys.
# Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index'
@@ -59,7 +59,7 @@ opendistro_security_readall:
'*':
- READ
-# Read all and monitor, but no write permissions
+# Read all and monitor, but no write permissions
opendistro_security_readall_and_monitor:
cluster:
- CLUSTER_MONITOR
@@ -99,7 +99,7 @@ opendistro_security_kibana_user:
- INDICES_ALL
'?management-beats':
'*':
- - INDICES_ALL
+ - INDICES_ALL
'*':
'*':
- indices:data/read/field_caps*
@@ -135,7 +135,7 @@ opendistro_security_kibana_server:
- "indices:admin/aliases*"
# For logstash and beats
-opendistro_security_logstash:
+opendistro_security_logstash:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
diff --git a/legacy/securityconfig_v6/roles_mapping.yml b/legacy/securityconfig_v6/roles_mapping.yml
index b3263eb234..588ba13f6e 100644
--- a/legacy/securityconfig_v6/roles_mapping.yml
+++ b/legacy/securityconfig_v6/roles_mapping.yml
@@ -9,12 +9,12 @@ opendistro_security_all_access:
opendistro_security_logstash:
backendroles:
- logstash
-
+
opendistro_security_kibana_server:
readonly: true
users:
- kibanaserver
-
+
opendistro_security_kibana_user:
backendroles:
- kibanauser
diff --git a/release-notes/opensearch-security.release-notes-2.8.0.0.md b/release-notes/opensearch-security.release-notes-2.8.0.0.md
new file mode 100644
index 0000000000..32d33d83f7
--- /dev/null
+++ b/release-notes/opensearch-security.release-notes-2.8.0.0.md
@@ -0,0 +1,30 @@
+## 2023-06-06 Version 2.8.0.0
+
+Compatible with OpenSearch 2.8.0
+
+### Features
+
+* Identify extension Transport requests and permit handshake and extension registration actions ([#2599](https://github.com/opensearch-project/security/pull/2599))
+* Use ExtensionsManager.lookupExtensionSettingsById when verifying extension unique id ([#2749](https://github.com/opensearch-project/security/pull/2749))
+* Generate auth tokens for service accounts ([#2716](https://github.com/opensearch-project/security/pull/2716))
+* Security User Refactor ([#2594](https://github.com/opensearch-project/security/pull/2594))
+* Add score based password verification ([#2557](https://github.com/opensearch-project/security/pull/2557))
+* Usage of JWKS with JWT (w/o OpenID connect) ([#2808](https://github.com/opensearch-project/security/pull/2808))
+
+### Bug Fixes
+
+* `deserializeSafeFromHeader` uses `context.getHeader(headerName)` instead of `context.getHeaders()` ([#2768](https://github.com/opensearch-project/security/pull/2768))
+* Fix multitency config update ([#2758](https://github.com/opensearch-project/security/pull/2758))
+
+### Enhancements
+
+* Add default roles for SQL plugin: PPL and cross-cluster search ([#2729](https://github.com/opensearch-project/security/pull/2729))
+* Update security-analytics roles to add correlation engine apis ([#2732](https://github.com/opensearch-project/security/pull/2732))
+* Changes in role.yml for long-running operation notification feature in Index-Management repo ([#2789](https://github.com/opensearch-project/security/pull/2789))
+* Rest admin permissions ([#2411](https://github.com/opensearch-project/security/pull/2411))
+* Separate config option to enable restapi: permissions ([#2605](https://github.com/opensearch-project/security/pull/2605))
+
+### Maintenance
+
+* Update to Gradle 8.1.1 ([#2738](https://github.com/opensearch-project/security/pull/2738))
+* Upgrade spring-core from 5.3.26 to 5.3.27 ([#2717](https://github.com/opensearch-project/security/pull/2717))
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
index 9978186f96..ffe9db81f2 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
@@ -55,9 +55,11 @@ public abstract class AbstractHTTPJwtAuthenticator implements HTTPAuthenticator
private final String jwtUrlParameter;
private final String subjectKey;
private final String rolesKey;
+ private final String requiredAudience;
+ private final String requiredIssuer;
public static final int DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS = 30;
- private final int clockSkewToleranceSeconds ;
+ private final int clockSkewToleranceSeconds;
public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
jwtUrlParameter = settings.get("jwt_url_parameter");
@@ -66,10 +68,12 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
rolesKey = settings.get("roles_key");
subjectKey = settings.get("subject_key");
clockSkewToleranceSeconds = settings.getAsInt("jwt_clock_skew_tolerance_seconds", DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS);
+ requiredAudience = settings.get("required_audience");
+ requiredIssuer = settings.get("required_issuer");
try {
this.keyProvider = this.initKeyProvider(settings, configPath);
- jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds );
+ jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds, requiredIssuer, requiredAudience);
} catch (Exception e) {
log.error("Error creating JWT authenticator. JWT authentication will not work", e);
@@ -79,8 +83,7 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
@Override
@SuppressWarnings("removal")
- public AuthCredentials extractCredentials(RestRequest request, ThreadContext context)
- throws OpenSearchSecurityException {
+ public AuthCredentials extractCredentials(RestRequest request, ThreadContext context) throws OpenSearchSecurityException {
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
@@ -182,8 +185,11 @@ public String extractSubject(JwtClaims claims) {
// warning
if (!(subjectObject instanceof String)) {
log.warn(
- "Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
- subjectKey, subjectObject, subjectObject.getClass());
+ "Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
+ subjectKey,
+ subjectObject,
+ subjectObject.getClass()
+ );
subject = String.valueOf(subjectObject);
} else {
subject = (String) subjectObject;
@@ -203,8 +209,9 @@ public String[] extractRoles(JwtClaims claims) {
if (rolesObject == null) {
log.warn(
- "Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.",
- rolesKey);
+ "Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.",
+ rolesKey
+ );
return new String[0];
}
@@ -214,8 +221,11 @@ public String[] extractRoles(JwtClaims claims) {
// String but issue a warning
if (!(rolesObject instanceof String) && !(rolesObject instanceof Collection>)) {
log.warn(
- "Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.",
- rolesKey, rolesObject, rolesObject.getClass());
+ "Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.",
+ rolesKey,
+ rolesObject,
+ rolesObject.getClass()
+ );
} else if (rolesObject instanceof Collection>) {
roles = ((Collection) rolesObject).toArray(new String[0]);
}
@@ -233,4 +243,12 @@ public boolean reRequestAuthentication(RestChannel channel, AuthCredentials auth
return true;
}
+ public String getRequiredAudience() {
+ return requiredAudience;
+ }
+
+ public String getRequiredIssuer() {
+ return requiredIssuer;
+ }
+
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
index 16cc71ffbd..3468bb89af 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
@@ -68,7 +68,7 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) {
try {
String signingKey = settings.get("signing_key");
- if(signingKey == null || signingKey.length() == 0) {
+ if (signingKey == null || signingKey.length() == 0) {
log.error("signingKey must not be null or empty. JWT authentication will not work");
} else {
@@ -90,7 +90,7 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) {
log.debug("No public ECDSA key, try other algos ({})", e.toString());
}
- if(key != null) {
+ if (key != null) {
_jwtParser = Jwts.parser().setSigningKey(key);
} else {
_jwtParser = Jwts.parser().setSigningKey(decoded);
@@ -121,7 +121,6 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) {
jwtParser = _jwtParser;
}
-
@Override
@SuppressWarnings("removal")
public AuthCredentials extractCredentials(RestRequest request, ThreadContext context) throws OpenSearchSecurityException {
@@ -152,25 +151,29 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
jwtToken = null;
}
- if((jwtToken == null || jwtToken.isEmpty()) && jwtUrlParameter != null) {
+ if ((jwtToken == null || jwtToken.isEmpty()) && jwtUrlParameter != null) {
jwtToken = request.param(jwtUrlParameter);
} else {
- //just consume to avoid "contains unrecognized parameter"
+ // just consume to avoid "contains unrecognized parameter"
request.param(jwtUrlParameter);
}
if (jwtToken == null || jwtToken.length() == 0) {
- if(log.isDebugEnabled()) {
- log.debug("No JWT token found in '{}' {} header", jwtUrlParameter==null?jwtHeaderName:jwtUrlParameter, jwtUrlParameter==null?"header":"url parameter");
+ if (log.isDebugEnabled()) {
+ log.debug(
+ "No JWT token found in '{}' {} header",
+ jwtUrlParameter == null ? jwtHeaderName : jwtUrlParameter,
+ jwtUrlParameter == null ? "header" : "url parameter"
+ );
}
return null;
}
final int index;
- if((index = jwtToken.toLowerCase().indexOf(BEARER)) > -1) { //detect Bearer
- jwtToken = jwtToken.substring(index+BEARER.length());
+ if ((index = jwtToken.toLowerCase().indexOf(BEARER)) > -1) { // detect Bearer
+ jwtToken = jwtToken.substring(index + BEARER.length());
} else {
- if(log.isDebugEnabled()) {
+ if (log.isDebugEnabled()) {
log.debug("No Bearer scheme found in header");
}
}
@@ -181,16 +184,16 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
final String subject = extractSubject(claims, request);
if (subject == null) {
- log.error("No subject found in JWT token");
- return null;
+ log.error("No subject found in JWT token");
+ return null;
}
final String[] roles = extractRoles(claims, request);
final AuthCredentials ac = new AuthCredentials(subject, roles).markComplete();
- for(Entry claim: claims.entrySet()) {
- ac.addAttribute("attr.jwt."+claim.getKey(), String.valueOf(claim.getValue()));
+ for (Entry claim : claims.entrySet()) {
+ ac.addAttribute("attr.jwt." + claim.getKey(), String.valueOf(claim.getValue()));
}
return ac;
@@ -199,7 +202,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
log.error("Cannot authenticate user with JWT because of ", e);
return null;
} catch (Exception e) {
- if(log.isDebugEnabled()) {
+ if (log.isDebugEnabled()) {
log.debug("Invalid or expired JWT token.", e);
}
return null;
@@ -208,7 +211,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
@Override
public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) {
- final BytesRestResponse wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED,"");
+ final BytesRestResponse wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, "");
wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\"");
channel.sendResponse(wwwAuthenticateResponse);
return true;
@@ -221,16 +224,21 @@ public String getType() {
protected String extractSubject(final Claims claims, final RestRequest request) {
String subject = claims.getSubject();
- if(subjectKey != null) {
- // try to get roles from claims, first as Object to avoid having to catch the ExpectedTypeException
+ if (subjectKey != null) {
+ // try to get roles from claims, first as Object to avoid having to catch the ExpectedTypeException
Object subjectObject = claims.get(subjectKey, Object.class);
- if(subjectObject == null) {
+ if (subjectObject == null) {
log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", subjectKey);
return null;
}
- // We expect a String. If we find something else, convert to String but issue a warning
- if(!(subjectObject instanceof String)) {
- log.warn("Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.", subjectKey, subjectObject, subjectObject.getClass());
+ // We expect a String. If we find something else, convert to String but issue a warning
+ if (!(subjectObject instanceof String)) {
+ log.warn(
+ "Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
+ subjectKey,
+ subjectObject,
+ subjectObject.getClass()
+ );
}
subject = String.valueOf(subjectObject);
}
@@ -239,34 +247,43 @@ protected String extractSubject(final Claims claims, final RestRequest request)
@SuppressWarnings("unchecked")
protected String[] extractRoles(final Claims claims, final RestRequest request) {
- // no roles key specified
- if(rolesKey == null) {
- return new String[0];
- }
- // try to get roles from claims, first as Object to avoid having to catch the ExpectedTypeException
- final Object rolesObject = claims.get(rolesKey, Object.class);
- if(rolesObject == null) {
- log.warn("Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.", rolesKey);
- return new String[0];
- }
-
- String[] roles = String.valueOf(rolesObject).split(",");
-
- // We expect a String or Collection. If we find something else, convert to String but issue a warning
- if (!(rolesObject instanceof String) && !(rolesObject instanceof Collection>)) {
- log.warn("Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.", rolesKey, rolesObject, rolesObject.getClass());
- } else if (rolesObject instanceof Collection>) {
- roles = ((Collection) rolesObject).toArray(new String[0]);
- }
-
- for (int i = 0; i < roles.length; i++) {
- roles[i] = roles[i].trim();
- }
-
- return roles;
+ // no roles key specified
+ if (rolesKey == null) {
+ return new String[0];
+ }
+ // try to get roles from claims, first as Object to avoid having to catch the ExpectedTypeException
+ final Object rolesObject = claims.get(rolesKey, Object.class);
+ if (rolesObject == null) {
+ log.warn(
+ "Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.",
+ rolesKey
+ );
+ return new String[0];
+ }
+
+ String[] roles = String.valueOf(rolesObject).split(",");
+
+ // We expect a String or Collection. If we find something else, convert to String but issue a warning
+ if (!(rolesObject instanceof String) && !(rolesObject instanceof Collection>)) {
+ log.warn(
+ "Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.",
+ rolesKey,
+ rolesObject,
+ rolesObject.getClass()
+ );
+ } else if (rolesObject instanceof Collection>) {
+ roles = ((Collection) rolesObject).toArray(new String[0]);
+ }
+
+ for (int i = 0; i < roles.length; i++) {
+ roles[i] = roles[i].trim();
+ }
+
+ return roles;
}
- private static PublicKey getPublicKey(final byte[] keyBytes, final String algo) throws NoSuchAlgorithmException, InvalidKeySpecException {
+ private static PublicKey getPublicKey(final byte[] keyBytes, final String algo) throws NoSuchAlgorithmException,
+ InvalidKeySpecException {
X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
KeyFactory kf = KeyFactory.getInstance(algo);
return kf.generatePublic(spec);
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/AuthenticatorUnavailableException.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/AuthenticatorUnavailableException.java
index d9aa1aebb6..b17663b429 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/AuthenticatorUnavailableException.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/AuthenticatorUnavailableException.java
@@ -12,27 +12,26 @@
package com.amazon.dlic.auth.http.jwt.keybyoidc;
public class AuthenticatorUnavailableException extends RuntimeException {
- private static final long serialVersionUID = -7007025852090301416L;
+ private static final long serialVersionUID = -7007025852090301416L;
- public AuthenticatorUnavailableException() {
- super();
- }
+ public AuthenticatorUnavailableException() {
+ super();
+ }
- public AuthenticatorUnavailableException(String message, Throwable cause, boolean enableSuppression,
- boolean writableStackTrace) {
- super(message, cause, enableSuppression, writableStackTrace);
- }
+ public AuthenticatorUnavailableException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+ super(message, cause, enableSuppression, writableStackTrace);
+ }
- public AuthenticatorUnavailableException(String message, Throwable cause) {
- super(message, cause);
- }
+ public AuthenticatorUnavailableException(String message, Throwable cause) {
+ super(message, cause);
+ }
- public AuthenticatorUnavailableException(String message) {
- super(message);
- }
+ public AuthenticatorUnavailableException(String message) {
+ super(message);
+ }
- public AuthenticatorUnavailableException(Throwable cause) {
- super(cause);
- }
+ public AuthenticatorUnavailableException(Throwable cause) {
+ super(cause);
+ }
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/BadCredentialsException.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/BadCredentialsException.java
index 12b9195c0e..0d705f98cf 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/BadCredentialsException.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/BadCredentialsException.java
@@ -13,26 +13,25 @@
public class BadCredentialsException extends Exception {
- private static final long serialVersionUID = 9092575587366580869L;
+ private static final long serialVersionUID = 9092575587366580869L;
- public BadCredentialsException() {
- super();
- }
+ public BadCredentialsException() {
+ super();
+ }
- public BadCredentialsException(String message, Throwable cause, boolean enableSuppression,
- boolean writableStackTrace) {
- super(message, cause, enableSuppression, writableStackTrace);
- }
+ public BadCredentialsException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+ super(message, cause, enableSuppression, writableStackTrace);
+ }
- public BadCredentialsException(String message, Throwable cause) {
- super(message, cause);
- }
+ public BadCredentialsException(String message, Throwable cause) {
+ super(message, cause);
+ }
- public BadCredentialsException(String message) {
- super(message);
- }
+ public BadCredentialsException(String message) {
+ super(message);
+ }
- public BadCredentialsException(Throwable cause) {
- super(cause);
- }
+ public BadCredentialsException(Throwable cause) {
+ super(cause);
+ }
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java
index 0cede73911..808abfc5ea 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java
@@ -20,42 +20,54 @@
public class HTTPJwtKeyByOpenIdConnectAuthenticator extends AbstractHTTPJwtAuthenticator {
- //private final static Logger log = LogManager.getLogger(HTTPJwtKeyByOpenIdConnectAuthenticator.class);
-
- public HTTPJwtKeyByOpenIdConnectAuthenticator(Settings settings, Path configPath) {
- super(settings, configPath);
- }
-
- protected KeyProvider initKeyProvider(Settings settings, Path configPath) throws Exception {
- int idpRequestTimeoutMs = settings.getAsInt("idp_request_timeout_ms", 5000);
- int idpQueuedThreadTimeoutMs = settings.getAsInt("idp_queued_thread_timeout_ms", 2500);
-
- int refreshRateLimitTimeWindowMs = settings.getAsInt("refresh_rate_limit_time_window_ms", 10000);
- int refreshRateLimitCount = settings.getAsInt("refresh_rate_limit_count", 10);
-
- KeySetRetriever keySetRetriever = new KeySetRetriever(settings.get("openid_connect_url"),
- getSSLConfig(settings, configPath), settings.getAsBoolean("cache_jwks_endpoint", false));
-
- keySetRetriever.setRequestTimeoutMs(idpRequestTimeoutMs);
-
- SelfRefreshingKeySet selfRefreshingKeySet = new SelfRefreshingKeySet(keySetRetriever);
-
- selfRefreshingKeySet.setRequestTimeoutMs(idpRequestTimeoutMs);
- selfRefreshingKeySet.setQueuedThreadTimeoutMs(idpQueuedThreadTimeoutMs);
- selfRefreshingKeySet.setRefreshRateLimitTimeWindowMs(refreshRateLimitTimeWindowMs);
- selfRefreshingKeySet.setRefreshRateLimitCount(refreshRateLimitCount);
-
- return selfRefreshingKeySet;
- }
-
- private static SettingsBasedSSLConfigurator.SSLConfig getSSLConfig(Settings settings, Path configPath)
- throws Exception {
- return new SettingsBasedSSLConfigurator(settings, configPath, "openid_connect_idp").buildSSLConfig();
- }
-
- @Override
- public String getType() {
- return "jwt-key-by-oidc";
- }
+ // private final static Logger log = LogManager.getLogger(HTTPJwtKeyByOpenIdConnectAuthenticator.class);
+
+ public HTTPJwtKeyByOpenIdConnectAuthenticator(Settings settings, Path configPath) {
+ super(settings, configPath);
+ }
+
+ protected KeyProvider initKeyProvider(Settings settings, Path configPath) throws Exception {
+ int idpRequestTimeoutMs = settings.getAsInt("idp_request_timeout_ms", 5000);
+ int idpQueuedThreadTimeoutMs = settings.getAsInt("idp_queued_thread_timeout_ms", 2500);
+
+ int refreshRateLimitTimeWindowMs = settings.getAsInt("refresh_rate_limit_time_window_ms", 10000);
+ int refreshRateLimitCount = settings.getAsInt("refresh_rate_limit_count", 10);
+ String jwksUri = settings.get("jwks_uri");
+
+ KeySetRetriever keySetRetriever;
+ if (jwksUri != null && !jwksUri.isBlank()) {
+ keySetRetriever = new KeySetRetriever(
+ getSSLConfig(settings, configPath),
+ settings.getAsBoolean("cache_jwks_endpoint", false),
+ jwksUri
+ );
+ } else {
+ keySetRetriever = new KeySetRetriever(
+ settings.get("openid_connect_url"),
+ getSSLConfig(settings, configPath),
+ settings.getAsBoolean("cache_jwks_endpoint", false)
+ );
+ }
+
+ keySetRetriever.setRequestTimeoutMs(idpRequestTimeoutMs);
+
+ SelfRefreshingKeySet selfRefreshingKeySet = new SelfRefreshingKeySet(keySetRetriever);
+
+ selfRefreshingKeySet.setRequestTimeoutMs(idpRequestTimeoutMs);
+ selfRefreshingKeySet.setQueuedThreadTimeoutMs(idpQueuedThreadTimeoutMs);
+ selfRefreshingKeySet.setRefreshRateLimitTimeWindowMs(refreshRateLimitTimeWindowMs);
+ selfRefreshingKeySet.setRefreshRateLimitCount(refreshRateLimitCount);
+
+ return selfRefreshingKeySet;
+ }
+
+ private static SettingsBasedSSLConfigurator.SSLConfig getSSLConfig(Settings settings, Path configPath) throws Exception {
+ return new SettingsBasedSSLConfigurator(settings, configPath, "openid_connect_idp").buildSSLConfig();
+ }
+
+ @Override
+ public String getType() {
+ return "jwt-key-by-oidc";
+ }
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java
index 99074ab233..5893d623a7 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java
@@ -29,89 +29,106 @@
public class JwtVerifier {
- private final static Logger log = LogManager.getLogger(JwtVerifier.class);
-
- private final KeyProvider keyProvider;
- private final int clockSkewToleranceSeconds;
-
- public JwtVerifier(KeyProvider keyProvider, int clockSkewToleranceSeconds ) {
- this.keyProvider = keyProvider;
- this.clockSkewToleranceSeconds = clockSkewToleranceSeconds;
- }
-
- public JwtToken getVerifiedJwtToken(String encodedJwt) throws BadCredentialsException {
- try {
- JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
- JwtToken jwt = jwtConsumer.getJwtToken();
-
- String escapedKid = jwt.getJwsHeaders().getKeyId();
- String kid = escapedKid;
- if (!Strings.isNullOrEmpty(kid)) {
- kid = StringEscapeUtils.unescapeJava(escapedKid);
- }
- JsonWebKey key = keyProvider.getKey(kid);
-
- // Algorithm is not mandatory for the key material, so we set it to the same as the JWT
- if (key.getAlgorithm() == null && key.getPublicKeyUse() == PublicKeyUse.SIGN && key.getKeyType() == KeyType.RSA)
- {
- key.setAlgorithm(jwt.getJwsHeaders().getAlgorithm());
- }
-
- JwsSignatureVerifier signatureVerifier = getInitializedSignatureVerifier(key, jwt);
-
-
- boolean signatureValid = jwtConsumer.verifySignatureWith(signatureVerifier);
-
- if (!signatureValid && Strings.isNullOrEmpty(kid)) {
- key = keyProvider.getKeyAfterRefresh(null);
- signatureVerifier = getInitializedSignatureVerifier(key, jwt);
- signatureValid = jwtConsumer.verifySignatureWith(signatureVerifier);
- }
-
- if (!signatureValid) {
- throw new BadCredentialsException("Invalid JWT signature");
- }
-
- validateClaims(jwt);
-
- return jwt;
- } catch (JwtException e) {
- throw new BadCredentialsException(e.getMessage(), e);
- }
- }
+ private final static Logger log = LogManager.getLogger(JwtVerifier.class);
+
+ private final KeyProvider keyProvider;
+ private final int clockSkewToleranceSeconds;
+ private final String requiredIssuer;
+ private final String requiredAudience;
+
+ public JwtVerifier(KeyProvider keyProvider, int clockSkewToleranceSeconds, String requiredIssuer, String requiredAudience) {
+ this.keyProvider = keyProvider;
+ this.clockSkewToleranceSeconds = clockSkewToleranceSeconds;
+ this.requiredIssuer = requiredIssuer;
+ this.requiredAudience = requiredAudience;
+ }
+
+ public JwtToken getVerifiedJwtToken(String encodedJwt) throws BadCredentialsException {
+ try {
+ JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
+ JwtToken jwt = jwtConsumer.getJwtToken();
+
+ String escapedKid = jwt.getJwsHeaders().getKeyId();
+ String kid = escapedKid;
+ if (!Strings.isNullOrEmpty(kid)) {
+ kid = StringEscapeUtils.unescapeJava(escapedKid);
+ }
+ JsonWebKey key = keyProvider.getKey(kid);
+
+ // Algorithm is not mandatory for the key material, so we set it to the same as the JWT
+ if (key.getAlgorithm() == null && key.getPublicKeyUse() == PublicKeyUse.SIGN && key.getKeyType() == KeyType.RSA) {
+ key.setAlgorithm(jwt.getJwsHeaders().getAlgorithm());
+ }
+
+ JwsSignatureVerifier signatureVerifier = getInitializedSignatureVerifier(key, jwt);
+
+ boolean signatureValid = jwtConsumer.verifySignatureWith(signatureVerifier);
+
+ if (!signatureValid && Strings.isNullOrEmpty(kid)) {
+ key = keyProvider.getKeyAfterRefresh(null);
+ signatureVerifier = getInitializedSignatureVerifier(key, jwt);
+ signatureValid = jwtConsumer.verifySignatureWith(signatureVerifier);
+ }
+
+ if (!signatureValid) {
+ throw new BadCredentialsException("Invalid JWT signature");
+ }
+
+ validateClaims(jwt);
+
+ return jwt;
+ } catch (JwtException e) {
+ throw new BadCredentialsException(e.getMessage(), e);
+ }
+ }
private void validateSignatureAlgorithm(JsonWebKey key, JwtToken jwt) throws BadCredentialsException {
if (Strings.isNullOrEmpty(key.getAlgorithm())) {
return;
}
- SignatureAlgorithm keyAlgorithm =SignatureAlgorithm.getAlgorithm(key.getAlgorithm());
+ SignatureAlgorithm keyAlgorithm = SignatureAlgorithm.getAlgorithm(key.getAlgorithm());
SignatureAlgorithm tokenAlgorithm = SignatureAlgorithm.getAlgorithm(jwt.getJwsHeaders().getAlgorithm());
if (!keyAlgorithm.equals(tokenAlgorithm)) {
- throw new BadCredentialsException("Algorithm of JWT does not match algorithm of JWK (" + keyAlgorithm + " != " + tokenAlgorithm + ")");
+ throw new BadCredentialsException(
+ "Algorithm of JWT does not match algorithm of JWK (" + keyAlgorithm + " != " + tokenAlgorithm + ")"
+ );
}
}
+ private JwsSignatureVerifier getInitializedSignatureVerifier(JsonWebKey key, JwtToken jwt) throws BadCredentialsException,
+ JwtException {
- private JwsSignatureVerifier getInitializedSignatureVerifier(JsonWebKey key, JwtToken jwt)
- throws BadCredentialsException, JwtException {
-
- validateSignatureAlgorithm(key, jwt);
+ validateSignatureAlgorithm(key, jwt);
JwsSignatureVerifier result = JwsUtils.getSignatureVerifier(key, jwt.getJwsHeaders().getSignatureAlgorithm());
- if (result == null) {
- throw new BadCredentialsException("Cannot verify JWT");
- } else {
- return result;
- }
- }
-
- private void validateClaims(JwtToken jwt) throws BadCredentialsException, JwtException {
- JwtClaims claims = jwt.getClaims();
-
- if (claims != null) {
- JwtUtils.validateJwtExpiry(claims, clockSkewToleranceSeconds, false);
- JwtUtils.validateJwtNotBefore(claims, clockSkewToleranceSeconds, false);
- }
- }
+ if (result == null) {
+ throw new BadCredentialsException("Cannot verify JWT");
+ } else {
+ return result;
+ }
+ }
+
+ private void validateClaims(JwtToken jwt) throws JwtException {
+ JwtClaims claims = jwt.getClaims();
+
+ if (claims != null) {
+ JwtUtils.validateJwtExpiry(claims, clockSkewToleranceSeconds, false);
+ JwtUtils.validateJwtNotBefore(claims, clockSkewToleranceSeconds, false);
+ validateRequiredAudienceAndIssuer(claims);
+ }
+ }
+
+ private void validateRequiredAudienceAndIssuer(JwtClaims claims) {
+ String audience = claims.getAudience();
+ String issuer = claims.getIssuer();
+
+ if (!Strings.isNullOrEmpty(requiredAudience) && !requiredAudience.equals(audience)) {
+ throw new JwtException("Invalid audience");
+ }
+
+ if (!Strings.isNullOrEmpty(requiredIssuer) && !requiredIssuer.equals(issuer)) {
+ throw new JwtException("Invalid issuer");
+ }
+ }
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeyProvider.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeyProvider.java
index 5eff7cb213..a0e76c918f 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeyProvider.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeyProvider.java
@@ -14,6 +14,7 @@
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
public interface KeyProvider {
- public JsonWebKey getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
- public JsonWebKey getKeyAfterRefresh(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
+ public JsonWebKey getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
+
+ public JsonWebKey getKeyAfterRefresh(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetProvider.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetProvider.java
index edbe39f020..53ea0237db 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetProvider.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetProvider.java
@@ -15,5 +15,5 @@
@FunctionalInterface
public interface KeySetProvider {
- JsonWebKeys get() throws AuthenticatorUnavailableException;
+ JsonWebKeys get() throws AuthenticatorUnavailableException;
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java
index 50be122aec..9ef50a4404 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java
@@ -14,6 +14,7 @@
import java.io.IOException;
import java.util.concurrent.TimeUnit;
+import joptsimple.internal.Strings;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.hc.client5.http.cache.HttpCacheContext;
@@ -38,185 +39,218 @@
import org.opensearch.security.DefaultObjectMapper;
-
public class KeySetRetriever implements KeySetProvider {
- private final static Logger log = LogManager.getLogger(KeySetRetriever.class);
- private static final long CACHE_STATUS_LOG_INTERVAL_MS = 60L * 60L * 1000L;
-
- private String openIdConnectEndpoint;
- private SSLConfig sslConfig;
- private int requestTimeoutMs = 10000;
- private CacheConfig cacheConfig;
- private HttpCacheStorage oidcHttpCacheStorage;
- private int oidcCacheHits = 0;
- private int oidcCacheMisses = 0;
- private int oidcCacheHitsValidated = 0;
- private int oidcCacheModuleResponses = 0;
- private long oidcRequests = 0;
- private long lastCacheStatusLog = 0;
-
- KeySetRetriever(String openIdConnectEndpoint, SSLConfig sslConfig, boolean useCacheForOidConnectEndpoint) {
- this.openIdConnectEndpoint = openIdConnectEndpoint;
- this.sslConfig = sslConfig;
-
- if (useCacheForOidConnectEndpoint) {
- cacheConfig = CacheConfig.custom().setMaxCacheEntries(10).setMaxObjectSize(1024L * 1024L).build();
- oidcHttpCacheStorage = new BasicHttpCacheStorage(cacheConfig);
- }
- }
-
- public JsonWebKeys get() throws AuthenticatorUnavailableException {
- String uri = getJwksUri();
-
- try (CloseableHttpClient httpClient = createHttpClient(null)) {
-
- HttpGet httpGet = new HttpGet(uri);
-
- RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS)
- .setConnectTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS).build();
-
- httpGet.setConfig(requestConfig);
-
- try (CloseableHttpResponse response = httpClient.execute(httpGet)) {
- if (response.getCode() < 200 || response.getCode() >= 300) {
- throw new AuthenticatorUnavailableException("Error while getting " + uri + ": " + response.getReasonPhrase());
- }
-
- HttpEntity httpEntity = response.getEntity();
-
- if (httpEntity == null) {
- throw new AuthenticatorUnavailableException(
- "Error while getting " + uri + ": Empty response entity");
- }
-
- JsonWebKeys keySet = JwkUtils.readJwkSet(httpEntity.getContent());
+ private final static Logger log = LogManager.getLogger(KeySetRetriever.class);
+ private static final long CACHE_STATUS_LOG_INTERVAL_MS = 60L * 60L * 1000L;
- return keySet;
- }
- } catch (IOException e) {
- throw new AuthenticatorUnavailableException("Error while getting " + uri + ": " + e, e);
- }
+ private String openIdConnectEndpoint;
+ private SSLConfig sslConfig;
+ private int requestTimeoutMs = 10000;
+ private CacheConfig cacheConfig;
+ private HttpCacheStorage oidcHttpCacheStorage;
+ private int oidcCacheHits = 0;
+ private int oidcCacheMisses = 0;
+ private int oidcCacheHitsValidated = 0;
+ private int oidcCacheModuleResponses = 0;
+ private long oidcRequests = 0;
+ private long lastCacheStatusLog = 0;
+ private String jwksUri;
- }
+ KeySetRetriever(String openIdConnectEndpoint, SSLConfig sslConfig, boolean useCacheForOidConnectEndpoint) {
+ this.openIdConnectEndpoint = openIdConnectEndpoint;
+ this.sslConfig = sslConfig;
- String getJwksUri() throws AuthenticatorUnavailableException {
+ configureCache(useCacheForOidConnectEndpoint);
+ }
- try (CloseableHttpClient httpClient = createHttpClient(oidcHttpCacheStorage)) {
+ KeySetRetriever(SSLConfig sslConfig, boolean useCacheForOidConnectEndpoint, String jwksUri) {
+ this.jwksUri = jwksUri;
+ this.sslConfig = sslConfig;
- HttpGet httpGet = new HttpGet(openIdConnectEndpoint);
+ configureCache(useCacheForOidConnectEndpoint);
+ }
- RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS)
- .setConnectTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS).build();
+ public JsonWebKeys get() throws AuthenticatorUnavailableException {
+ String uri = getJwksUri();
- httpGet.setConfig(requestConfig);
+ try (CloseableHttpClient httpClient = createHttpClient(null)) {
- HttpCacheContext httpContext = null;
+ HttpGet httpGet = new HttpGet(uri);
- if (oidcHttpCacheStorage != null) {
- httpContext = new HttpCacheContext();
- }
+ RequestConfig requestConfig = RequestConfig.custom()
+ .setConnectionRequestTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS)
+ .setConnectTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS)
+ .build();
- try (CloseableHttpResponse response = httpClient.execute(httpGet, httpContext)) {
- if (httpContext != null) {
- logCacheResponseStatus(httpContext);
- }
+ httpGet.setConfig(requestConfig);
- if (response.getCode() < 200 || response.getCode() >= 300) {
- throw new AuthenticatorUnavailableException(
- "Error while getting " + openIdConnectEndpoint + ": " + response.getReasonPhrase());
- }
+ try (CloseableHttpResponse response = httpClient.execute(httpGet)) {
+ if (response.getCode() < 200 || response.getCode() >= 300) {
+ throw new AuthenticatorUnavailableException("Error while getting " + uri + ": " + response.getReasonPhrase());
+ }
- HttpEntity httpEntity = response.getEntity();
+ HttpEntity httpEntity = response.getEntity();
- if (httpEntity == null) {
- throw new AuthenticatorUnavailableException(
- "Error while getting " + openIdConnectEndpoint + ": Empty response entity");
- }
+ if (httpEntity == null) {
+ throw new AuthenticatorUnavailableException("Error while getting " + uri + ": Empty response entity");
+ }
- OpenIdProviderConfiguration parsedEntity = DefaultObjectMapper.objectMapper.readValue(httpEntity.getContent(),
- OpenIdProviderConfiguration.class);
+ JsonWebKeys keySet = JwkUtils.readJwkSet(httpEntity.getContent());
- return parsedEntity.getJwksUri();
+ return keySet;
+ }
+ } catch (IOException e) {
+ throw new AuthenticatorUnavailableException("Error while getting " + uri + ": " + e, e);
+ }
- }
+ }
+
+ String getJwksUri() throws AuthenticatorUnavailableException {
- } catch (IOException e) {
- throw new AuthenticatorUnavailableException("Error while getting " + openIdConnectEndpoint + ": " + e, e);
- }
+ if (!Strings.isNullOrEmpty(jwksUri)) {
+ return jwksUri;
+ }
- }
+ if (Strings.isNullOrEmpty(openIdConnectEndpoint)) {
+ throw new AuthenticatorUnavailableException(
+ "Either openid_connect_url or jwks_uri must be configured for OIDC Authentication backend"
+ );
+ }
+
+ try (CloseableHttpClient httpClient = createHttpClient(oidcHttpCacheStorage)) {
- public int getRequestTimeoutMs() {
- return requestTimeoutMs;
- }
+ HttpGet httpGet = new HttpGet(openIdConnectEndpoint);
- public void setRequestTimeoutMs(int httpTimeoutMs) {
- this.requestTimeoutMs = httpTimeoutMs;
- }
+ RequestConfig requestConfig = RequestConfig.custom()
+ .setConnectionRequestTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS)
+ .setConnectTimeout(getRequestTimeoutMs(), TimeUnit.MILLISECONDS)
+ .build();
- private void logCacheResponseStatus(HttpCacheContext httpContext) {
- this.oidcRequests++;
+ httpGet.setConfig(requestConfig);
- switch (httpContext.getCacheResponseStatus()) {
- case CACHE_HIT:
- this.oidcCacheHits++;
- break;
- case CACHE_MODULE_RESPONSE:
- this.oidcCacheModuleResponses++;
- break;
- case CACHE_MISS:
- this.oidcCacheMisses++;
- break;
- case VALIDATED:
- this.oidcCacheHitsValidated++;
- break;
- }
+ HttpCacheContext httpContext = null;
- long now = System.currentTimeMillis();
+ if (oidcHttpCacheStorage != null) {
+ httpContext = new HttpCacheContext();
+ }
- if (this.oidcRequests >= 2 && now - lastCacheStatusLog > CACHE_STATUS_LOG_INTERVAL_MS) {
- log.info("Cache status for KeySetRetriever:\noidcCacheHits: {}\noidcCacheHitsValidated: {}"
- + "\noidcCacheModuleResponses: {}" + "\noidcCacheMisses: {}", oidcCacheHits, oidcCacheHitsValidated, oidcCacheModuleResponses, oidcCacheMisses);
- lastCacheStatusLog = now;
- }
+ try (CloseableHttpResponse response = httpClient.execute(httpGet, httpContext)) {
+ if (httpContext != null) {
+ logCacheResponseStatus(httpContext);
+ }
- }
+ if (response.getCode() < 200 || response.getCode() >= 300) {
+ throw new AuthenticatorUnavailableException(
+ "Error while getting " + openIdConnectEndpoint + ": " + response.getReasonPhrase()
+ );
+ }
+
+ HttpEntity httpEntity = response.getEntity();
- private CloseableHttpClient createHttpClient(HttpCacheStorage httpCacheStorage) {
- HttpClientBuilder builder;
+ if (httpEntity == null) {
+ throw new AuthenticatorUnavailableException("Error while getting " + openIdConnectEndpoint + ": Empty response entity");
+ }
- if (httpCacheStorage != null) {
- builder = CachingHttpClients.custom().setCacheConfig(cacheConfig).setHttpCacheStorage(httpCacheStorage);
- } else {
- builder = HttpClients.custom();
- }
+ OpenIdProviderConfiguration parsedEntity = DefaultObjectMapper.objectMapper.readValue(
+ httpEntity.getContent(),
+ OpenIdProviderConfiguration.class
+ );
- builder.useSystemProperties();
+ return parsedEntity.getJwksUri();
- if (sslConfig != null) {
- final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
- .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory())
- .build();
+ }
- builder.setConnectionManager(cm);
- }
+ } catch (IOException e) {
+ throw new AuthenticatorUnavailableException("Error while getting " + openIdConnectEndpoint + ": " + e, e);
+ }
- return builder.build();
- }
+ }
- public int getOidcCacheHits() {
- return oidcCacheHits;
- }
+ public int getRequestTimeoutMs() {
+ return requestTimeoutMs;
+ }
- public int getOidcCacheMisses() {
- return oidcCacheMisses;
- }
+ public void setRequestTimeoutMs(int httpTimeoutMs) {
+ this.requestTimeoutMs = httpTimeoutMs;
+ }
- public int getOidcCacheHitsValidated() {
- return oidcCacheHitsValidated;
- }
+ private void logCacheResponseStatus(HttpCacheContext httpContext) {
+ this.oidcRequests++;
- public int getOidcCacheModuleResponses() {
- return oidcCacheModuleResponses;
- }
+ switch (httpContext.getCacheResponseStatus()) {
+ case CACHE_HIT:
+ this.oidcCacheHits++;
+ break;
+ case CACHE_MODULE_RESPONSE:
+ this.oidcCacheModuleResponses++;
+ break;
+ case CACHE_MISS:
+ this.oidcCacheMisses++;
+ break;
+ case VALIDATED:
+ this.oidcCacheHitsValidated++;
+ break;
+ }
+
+ long now = System.currentTimeMillis();
+
+ if (this.oidcRequests >= 2 && now - lastCacheStatusLog > CACHE_STATUS_LOG_INTERVAL_MS) {
+ log.info(
+ "Cache status for KeySetRetriever:\noidcCacheHits: {}\noidcCacheHitsValidated: {}"
+ + "\noidcCacheModuleResponses: {}"
+ + "\noidcCacheMisses: {}",
+ oidcCacheHits,
+ oidcCacheHitsValidated,
+ oidcCacheModuleResponses,
+ oidcCacheMisses
+ );
+ lastCacheStatusLog = now;
+ }
+
+ }
+
+ private CloseableHttpClient createHttpClient(HttpCacheStorage httpCacheStorage) {
+ HttpClientBuilder builder;
+
+ if (httpCacheStorage != null) {
+ builder = CachingHttpClients.custom().setCacheConfig(cacheConfig).setHttpCacheStorage(httpCacheStorage);
+ } else {
+ builder = HttpClients.custom();
+ }
+
+ builder.useSystemProperties();
+
+ if (sslConfig != null) {
+ final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
+ .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory())
+ .build();
+
+ builder.setConnectionManager(cm);
+ }
+
+ return builder.build();
+ }
+
+ private void configureCache(boolean useCacheForOidConnectEndpoint) {
+ if (useCacheForOidConnectEndpoint) {
+ cacheConfig = CacheConfig.custom().setMaxCacheEntries(10).setMaxObjectSize(1024L * 1024L).build();
+ oidcHttpCacheStorage = new BasicHttpCacheStorage(cacheConfig);
+ }
+ }
+
+ public int getOidcCacheHits() {
+ return oidcCacheHits;
+ }
+
+ public int getOidcCacheMisses() {
+ return oidcCacheMisses;
+ }
+
+ public int getOidcCacheHitsValidated() {
+ return oidcCacheHitsValidated;
+ }
+
+ public int getOidcCacheModuleResponses() {
+ return oidcCacheModuleResponses;
+ }
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/SelfRefreshingKeySet.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/SelfRefreshingKeySet.java
index 7e3cec8246..fe410b171c 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/SelfRefreshingKeySet.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/SelfRefreshingKeySet.java
@@ -25,295 +25,300 @@
import org.apache.logging.log4j.Logger;
public class SelfRefreshingKeySet implements KeyProvider {
- private static final Logger log = LogManager.getLogger(SelfRefreshingKeySet.class);
-
- private final KeySetProvider keySetProvider;
- private final ThreadPoolExecutor threadPoolExecutor = new ThreadPoolExecutor(1, 10, 1000, TimeUnit.MILLISECONDS,
- new LinkedBlockingQueue());
- private volatile JsonWebKeys jsonWebKeys = new JsonWebKeys();
- private boolean refreshInProgress = false;
- private long refreshCount = 0;
- private long queuedGetCount = 0;
- private long recentRefreshCount = 0;
- private long refreshTime = 0;
- private Throwable lastRefreshFailure = null;
- private int requestTimeoutMs = 5000;
- private int queuedThreadTimeoutMs = 2500;
- private int refreshRateLimitTimeWindowMs = 10000;
- private int refreshRateLimitCount = 10;
-
- public SelfRefreshingKeySet(KeySetProvider refreshFunction) {
- this.keySetProvider = refreshFunction;
- }
-
- public JsonWebKey getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException {
- if (Strings.isNullOrEmpty(kid)) {
- return getKeyWithoutKeyId();
- } else {
- return getKeyWithKeyId(kid);
- }
- }
-
- public synchronized JsonWebKey getKeyAfterRefresh(String kid)
- throws AuthenticatorUnavailableException, BadCredentialsException {
- JsonWebKey result = getKeyAfterRefreshInternal(kid);
-
- if (result != null) {
- return result;
- } else if (jsonWebKeys.getKeys().size() == 0) {
- throw new AuthenticatorUnavailableException("No JWK are available from IdP");
- } else {
- throw new BadCredentialsException("JWT did not contain KID which is required if IdP provides multiple JWK");
- }
- }
-
- private synchronized JsonWebKey getKeyAfterRefreshInternal(String kid) throws AuthenticatorUnavailableException {
- if (refreshInProgress) {
- return waitForRefreshToFinish(kid);
- } else {
- return performRefresh(kid);
- }
- }
-
- private JsonWebKey getKeyWithoutKeyId() throws AuthenticatorUnavailableException, BadCredentialsException {
- List keys = jsonWebKeys.getKeys();
-
- if (keys == null || keys.size() == 0) {
- JsonWebKey result = getKeyWithRefresh(null);
-
- if (result != null) {
- return result;
- } else {
- throw new AuthenticatorUnavailableException("No JWK are available from IdP");
- }
- } else if (keys.size() == 1) {
- return keys.get(0);
- } else {
- JsonWebKey result = getKeyWithRefresh(null);
-
- if (result != null) {
- return result;
- } else {
- throw new BadCredentialsException(
- "JWT did not contain KID which is required if IdP provides multiple JWK");
- }
- }
- }
-
- private JsonWebKey getKeyWithKeyId(String kid) throws AuthenticatorUnavailableException, BadCredentialsException {
- JsonWebKey result = jsonWebKeys.getKey(kid);
-
- if (result != null) {
- return result;
- }
-
- result = getKeyWithRefresh(kid);
-
- if (result == null) {
- throw new BadCredentialsException("Unknown kid " + kid);
- }
-
- return result;
- }
-
- private synchronized JsonWebKey getKeyWithRefresh(String kid) throws AuthenticatorUnavailableException {
-
- // Always re-check within synchronized to handle any races
-
- JsonWebKey result = getKeySimple(kid);
-
- if (result != null) {
- return result;
- }
-
- return getKeyAfterRefreshInternal(kid);
- }
-
- private JsonWebKey getKeySimple(String kid) {
- if (Strings.isNullOrEmpty(kid)) {
- List keys = jsonWebKeys.getKeys();
-
- if (keys != null && keys.size() == 1) {
- return keys.get(0);
- } else {
- return null;
- }
-
- } else {
- return jsonWebKeys.getKey(kid);
- }
- }
-
- private synchronized JsonWebKey waitForRefreshToFinish(String kid) {
- queuedGetCount++;
- long currentRefreshCount = refreshCount;
-
- try {
- wait(queuedThreadTimeoutMs);
- } catch (InterruptedException e) {
- Thread.currentThread().interrupt();
- log.debug(e.toString());
- }
-
- // Just be optimistic and re-check the key
-
- JsonWebKey result = getKeySimple(kid);
-
- if (result != null) {
- return result;
- }
-
- if (refreshInProgress && currentRefreshCount == refreshCount) {
- // The wait() call returned due to the timeout.
- throw new AuthenticatorUnavailableException("Authentication backend timed out");
- } else if (lastRefreshFailure != null) {
- throw new AuthenticatorUnavailableException("Authentication backend failed", lastRefreshFailure);
- } else {
- // Refresh was successful, but we did not get a matching key
- return null;
- }
- }
-
- private synchronized JsonWebKey performRefresh(String kid) {
- if (log.isDebugEnabled()) {
- log.debug("performRefresh({})", kid);
- }
-
- final boolean recentRefresh;
-
- if (System.currentTimeMillis() - refreshTime < refreshRateLimitTimeWindowMs) {
- recentRefreshCount++;
- recentRefresh = true;
-
- if (recentRefreshCount > refreshRateLimitCount) {
- throw new AuthenticatorUnavailableException("Too many unknown kids recently: " + recentRefreshCount);
- }
- } else {
- recentRefresh = false;
- }
-
- refreshInProgress = true;
- refreshCount++;
-
- log.info("Performing refresh {}", refreshCount);
-
- long currentRefreshCount = refreshCount;
-
- try {
-
- Future> future = threadPoolExecutor.submit(new Runnable() {
-
- @Override
- public void run() {
- try {
- JsonWebKeys newKeys = keySetProvider.get();
-
- if (newKeys == null) {
- throw new RuntimeException("Refresh function " + keySetProvider + " yielded null");
- }
-
- log.info("KeySetProvider finished");
-
- synchronized (SelfRefreshingKeySet.this) {
- jsonWebKeys = newKeys;
- refreshInProgress = false;
- lastRefreshFailure = null;
- SelfRefreshingKeySet.this.notifyAll();
- }
- } catch (Throwable e) {
- synchronized (SelfRefreshingKeySet.this) {
- lastRefreshFailure = e;
- refreshInProgress = false;
- SelfRefreshingKeySet.this.notifyAll();
- }
- log.warn("KeySetProvider threw error", e);
- } finally {
- if (!recentRefresh) {
- recentRefreshCount = 0;
- refreshTime = System.currentTimeMillis();
- }
- }
-
- }
- });
-
- try {
- wait(requestTimeoutMs);
- } catch (InterruptedException e) {
- Thread.currentThread().interrupt();
- log.debug(e.toString());
- }
-
- JsonWebKey result = getKeySimple(kid);
-
- if (result != null) {
- return result;
- }
-
- if (refreshInProgress && currentRefreshCount == refreshCount) {
- if (!future.isDone()) {
- future.cancel(true);
- }
-
- lastRefreshFailure = new AuthenticatorUnavailableException("Authentication backend timed out");
-
- throw new AuthenticatorUnavailableException("Authentication backend timed out");
- }
-
- if (lastRefreshFailure != null) {
- throw new AuthenticatorUnavailableException("Authentication backend failed", lastRefreshFailure);
- }
-
- return null;
-
- } catch (RejectedExecutionException e) {
- throw new AuthenticatorUnavailableException("Did not try to call authentication backend because of "
- + threadPoolExecutor.getActiveCount() + " pending threads", e);
- } finally {
- if (refreshInProgress && currentRefreshCount == refreshCount) {
- refreshInProgress = false;
- notifyAll();
- }
- }
- }
-
- public int getRequestTimeoutMs() {
- return requestTimeoutMs;
- }
-
- public void setRequestTimeoutMs(int requestTimeoutMs) {
- this.requestTimeoutMs = requestTimeoutMs;
- }
-
- public int getQueuedThreadTimeoutMs() {
- return queuedThreadTimeoutMs;
- }
-
- public void setQueuedThreadTimeoutMs(int queuedThreadTimeoutMs) {
- this.queuedThreadTimeoutMs = queuedThreadTimeoutMs;
- }
-
- public long getRefreshCount() {
- return refreshCount;
- }
-
- public long getQueuedGetCount() {
- return queuedGetCount;
- }
-
- public int getRefreshRateLimitTimeWindowMs() {
- return refreshRateLimitTimeWindowMs;
- }
-
- public void setRefreshRateLimitTimeWindowMs(int refreshRateLimitTimeWindowMs) {
- this.refreshRateLimitTimeWindowMs = refreshRateLimitTimeWindowMs;
- }
-
- public int getRefreshRateLimitCount() {
- return refreshRateLimitCount;
- }
-
- public void setRefreshRateLimitCount(int refreshRateLimitCount) {
- this.refreshRateLimitCount = refreshRateLimitCount;
- }
+ private static final Logger log = LogManager.getLogger(SelfRefreshingKeySet.class);
+
+ private final KeySetProvider keySetProvider;
+ private final ThreadPoolExecutor threadPoolExecutor = new ThreadPoolExecutor(
+ 1,
+ 10,
+ 1000,
+ TimeUnit.MILLISECONDS,
+ new LinkedBlockingQueue()
+ );
+ private volatile JsonWebKeys jsonWebKeys = new JsonWebKeys();
+ private boolean refreshInProgress = false;
+ private long refreshCount = 0;
+ private long queuedGetCount = 0;
+ private long recentRefreshCount = 0;
+ private long refreshTime = 0;
+ private Throwable lastRefreshFailure = null;
+ private int requestTimeoutMs = 5000;
+ private int queuedThreadTimeoutMs = 2500;
+ private int refreshRateLimitTimeWindowMs = 10000;
+ private int refreshRateLimitCount = 10;
+
+ public SelfRefreshingKeySet(KeySetProvider refreshFunction) {
+ this.keySetProvider = refreshFunction;
+ }
+
+ public JsonWebKey getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException {
+ if (Strings.isNullOrEmpty(kid)) {
+ return getKeyWithoutKeyId();
+ } else {
+ return getKeyWithKeyId(kid);
+ }
+ }
+
+ public synchronized JsonWebKey getKeyAfterRefresh(String kid) throws AuthenticatorUnavailableException, BadCredentialsException {
+ JsonWebKey result = getKeyAfterRefreshInternal(kid);
+
+ if (result != null) {
+ return result;
+ } else if (jsonWebKeys.getKeys().size() == 0) {
+ throw new AuthenticatorUnavailableException("No JWK are available from IdP");
+ } else {
+ throw new BadCredentialsException("JWT did not contain KID which is required if IdP provides multiple JWK");
+ }
+ }
+
+ private synchronized JsonWebKey getKeyAfterRefreshInternal(String kid) throws AuthenticatorUnavailableException {
+ if (refreshInProgress) {
+ return waitForRefreshToFinish(kid);
+ } else {
+ return performRefresh(kid);
+ }
+ }
+
+ private JsonWebKey getKeyWithoutKeyId() throws AuthenticatorUnavailableException, BadCredentialsException {
+ List keys = jsonWebKeys.getKeys();
+
+ if (keys == null || keys.size() == 0) {
+ JsonWebKey result = getKeyWithRefresh(null);
+
+ if (result != null) {
+ return result;
+ } else {
+ throw new AuthenticatorUnavailableException("No JWK are available from IdP");
+ }
+ } else if (keys.size() == 1) {
+ return keys.get(0);
+ } else {
+ JsonWebKey result = getKeyWithRefresh(null);
+
+ if (result != null) {
+ return result;
+ } else {
+ throw new BadCredentialsException("JWT did not contain KID which is required if IdP provides multiple JWK");
+ }
+ }
+ }
+
+ private JsonWebKey getKeyWithKeyId(String kid) throws AuthenticatorUnavailableException, BadCredentialsException {
+ JsonWebKey result = jsonWebKeys.getKey(kid);
+
+ if (result != null) {
+ return result;
+ }
+
+ result = getKeyWithRefresh(kid);
+
+ if (result == null) {
+ throw new BadCredentialsException("Unknown kid " + kid);
+ }
+
+ return result;
+ }
+
+ private synchronized JsonWebKey getKeyWithRefresh(String kid) throws AuthenticatorUnavailableException {
+
+ // Always re-check within synchronized to handle any races
+
+ JsonWebKey result = getKeySimple(kid);
+
+ if (result != null) {
+ return result;
+ }
+
+ return getKeyAfterRefreshInternal(kid);
+ }
+
+ private JsonWebKey getKeySimple(String kid) {
+ if (Strings.isNullOrEmpty(kid)) {
+ List keys = jsonWebKeys.getKeys();
+
+ if (keys != null && keys.size() == 1) {
+ return keys.get(0);
+ } else {
+ return null;
+ }
+
+ } else {
+ return jsonWebKeys.getKey(kid);
+ }
+ }
+
+ private synchronized JsonWebKey waitForRefreshToFinish(String kid) {
+ queuedGetCount++;
+ long currentRefreshCount = refreshCount;
+
+ try {
+ wait(queuedThreadTimeoutMs);
+ } catch (InterruptedException e) {
+ Thread.currentThread().interrupt();
+ log.debug(e.toString());
+ }
+
+ // Just be optimistic and re-check the key
+
+ JsonWebKey result = getKeySimple(kid);
+
+ if (result != null) {
+ return result;
+ }
+
+ if (refreshInProgress && currentRefreshCount == refreshCount) {
+ // The wait() call returned due to the timeout.
+ throw new AuthenticatorUnavailableException("Authentication backend timed out");
+ } else if (lastRefreshFailure != null) {
+ throw new AuthenticatorUnavailableException("Authentication backend failed", lastRefreshFailure);
+ } else {
+ // Refresh was successful, but we did not get a matching key
+ return null;
+ }
+ }
+
+ private synchronized JsonWebKey performRefresh(String kid) {
+ if (log.isDebugEnabled()) {
+ log.debug("performRefresh({})", kid);
+ }
+
+ final boolean recentRefresh;
+
+ if (System.currentTimeMillis() - refreshTime < refreshRateLimitTimeWindowMs) {
+ recentRefreshCount++;
+ recentRefresh = true;
+
+ if (recentRefreshCount > refreshRateLimitCount) {
+ throw new AuthenticatorUnavailableException("Too many unknown kids recently: " + recentRefreshCount);
+ }
+ } else {
+ recentRefresh = false;
+ }
+
+ refreshInProgress = true;
+ refreshCount++;
+
+ log.info("Performing refresh {}", refreshCount);
+
+ long currentRefreshCount = refreshCount;
+
+ try {
+
+ Future> future = threadPoolExecutor.submit(new Runnable() {
+
+ @Override
+ public void run() {
+ try {
+ JsonWebKeys newKeys = keySetProvider.get();
+
+ if (newKeys == null) {
+ throw new RuntimeException("Refresh function " + keySetProvider + " yielded null");
+ }
+
+ log.info("KeySetProvider finished");
+
+ synchronized (SelfRefreshingKeySet.this) {
+ jsonWebKeys = newKeys;
+ refreshInProgress = false;
+ lastRefreshFailure = null;
+ SelfRefreshingKeySet.this.notifyAll();
+ }
+ } catch (Throwable e) {
+ synchronized (SelfRefreshingKeySet.this) {
+ lastRefreshFailure = e;
+ refreshInProgress = false;
+ SelfRefreshingKeySet.this.notifyAll();
+ }
+ log.warn("KeySetProvider threw error", e);
+ } finally {
+ if (!recentRefresh) {
+ recentRefreshCount = 0;
+ refreshTime = System.currentTimeMillis();
+ }
+ }
+
+ }
+ });
+
+ try {
+ wait(requestTimeoutMs);
+ } catch (InterruptedException e) {
+ Thread.currentThread().interrupt();
+ log.debug(e.toString());
+ }
+
+ JsonWebKey result = getKeySimple(kid);
+
+ if (result != null) {
+ return result;
+ }
+
+ if (refreshInProgress && currentRefreshCount == refreshCount) {
+ if (!future.isDone()) {
+ future.cancel(true);
+ }
+
+ lastRefreshFailure = new AuthenticatorUnavailableException("Authentication backend timed out");
+
+ throw new AuthenticatorUnavailableException("Authentication backend timed out");
+ }
+
+ if (lastRefreshFailure != null) {
+ throw new AuthenticatorUnavailableException("Authentication backend failed", lastRefreshFailure);
+ }
+
+ return null;
+
+ } catch (RejectedExecutionException e) {
+ throw new AuthenticatorUnavailableException(
+ "Did not try to call authentication backend because of " + threadPoolExecutor.getActiveCount() + " pending threads",
+ e
+ );
+ } finally {
+ if (refreshInProgress && currentRefreshCount == refreshCount) {
+ refreshInProgress = false;
+ notifyAll();
+ }
+ }
+ }
+
+ public int getRequestTimeoutMs() {
+ return requestTimeoutMs;
+ }
+
+ public void setRequestTimeoutMs(int requestTimeoutMs) {
+ this.requestTimeoutMs = requestTimeoutMs;
+ }
+
+ public int getQueuedThreadTimeoutMs() {
+ return queuedThreadTimeoutMs;
+ }
+
+ public void setQueuedThreadTimeoutMs(int queuedThreadTimeoutMs) {
+ this.queuedThreadTimeoutMs = queuedThreadTimeoutMs;
+ }
+
+ public long getRefreshCount() {
+ return refreshCount;
+ }
+
+ public long getQueuedGetCount() {
+ return queuedGetCount;
+ }
+
+ public int getRefreshRateLimitTimeWindowMs() {
+ return refreshRateLimitTimeWindowMs;
+ }
+
+ public void setRefreshRateLimitTimeWindowMs(int refreshRateLimitTimeWindowMs) {
+ this.refreshRateLimitTimeWindowMs = refreshRateLimitTimeWindowMs;
+ }
+
+ public int getRefreshRateLimitCount() {
+ return refreshRateLimitCount;
+ }
+
+ public void setRefreshRateLimitCount(int refreshRateLimitCount) {
+ this.refreshRateLimitCount = refreshRateLimitCount;
+ }
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/oidc/json/OpenIdProviderConfiguration.java b/src/main/java/com/amazon/dlic/auth/http/jwt/oidc/json/OpenIdProviderConfiguration.java
index 58a4310a2d..3bcfb796b0 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/oidc/json/OpenIdProviderConfiguration.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/oidc/json/OpenIdProviderConfiguration.java
@@ -17,15 +17,15 @@
@JsonIgnoreProperties(ignoreUnknown = true)
public class OpenIdProviderConfiguration {
- @JsonProperty("jwks_uri")
- private String jwksUri;
+ @JsonProperty("jwks_uri")
+ private String jwksUri;
- public String getJwksUri() {
- return jwksUri;
- }
+ public String getJwksUri() {
+ return jwksUri;
+ }
- public void setJwksUri(String jwksUri) {
- this.jwksUri = jwksUri;
- }
+ public void setJwksUri(String jwksUri) {
+ this.jwksUri = jwksUri;
+ }
}
diff --git a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java
index 15aff90f1a..d8e11960d6 100644
--- a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java
@@ -58,7 +58,7 @@
public class HTTPSpnegoAuthenticator implements HTTPAuthenticator {
private static final String EMPTY_STRING = "";
- private static final Oid[] KRB_OIDS = new Oid[] {KrbConstants.SPNEGO, KrbConstants.KRB5MECH};
+ private static final Oid[] KRB_OIDS = new Oid[] { KrbConstants.SPNEGO, KrbConstants.KRB5MECH };
protected final Logger log = LogManager.getLogger(this.getClass());
@@ -98,17 +98,17 @@ public Void run() {
}
} catch (Throwable e) {
log.error("Unable to enable krb_debug due to ", e);
- System.err.println("Unable to enable krb_debug due to "+ExceptionsHelper.stackTrace(e));
- System.out.println("Unable to enable krb_debug due to "+ExceptionsHelper.stackTrace(e));
+ System.err.println("Unable to enable krb_debug due to " + ExceptionsHelper.stackTrace(e));
+ System.out.println("Unable to enable krb_debug due to " + ExceptionsHelper.stackTrace(e));
}
System.setProperty(KrbConstants.USE_SUBJECT_CREDS_ONLY_PROP, "false");
String krb5Path = krb5PathSetting;
- if(!Strings.isNullOrEmpty(krb5Path)) {
+ if (!Strings.isNullOrEmpty(krb5Path)) {
- if(Paths.get(krb5Path).isAbsolute()) {
+ if (Paths.get(krb5Path).isAbsolute()) {
log.debug("krb5_filepath: {}", krb5Path);
System.setProperty(KrbConstants.KRB5_CONF_PROP, krb5Path);
} else {
@@ -118,29 +118,36 @@ public Void run() {
System.setProperty(KrbConstants.KRB5_CONF_PROP, krb5Path);
} else {
- if(Strings.isNullOrEmpty(System.getProperty(KrbConstants.KRB5_CONF_PROP))) {
+ if (Strings.isNullOrEmpty(System.getProperty(KrbConstants.KRB5_CONF_PROP))) {
System.setProperty(KrbConstants.KRB5_CONF_PROP, "/etc/krb5.conf");
log.debug("krb5_filepath (was not set or configured, set to default): /etc/krb5.conf");
}
}
stripRealmFromPrincipalName = settings.getAsBoolean("strip_realm_from_principal", true);
- acceptorPrincipal = new HashSet<>(settings.getAsList("plugins.security.kerberos.acceptor_principal", Collections.emptyList()));
+ acceptorPrincipal = new HashSet<>(
+ settings.getAsList("plugins.security.kerberos.acceptor_principal", Collections.emptyList())
+ );
final String _acceptorKeyTabPath = settings.get("plugins.security.kerberos.acceptor_keytab_filepath");
- if(acceptorPrincipal == null || acceptorPrincipal.size() == 0) {
+ if (acceptorPrincipal == null || acceptorPrincipal.size() == 0) {
log.error("acceptor_principal must not be null or empty. Kerberos authentication will not work");
acceptorPrincipal = null;
}
- if(_acceptorKeyTabPath == null || _acceptorKeyTabPath.length() == 0) {
- log.error("plugins.security.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work");
+ if (_acceptorKeyTabPath == null || _acceptorKeyTabPath.length() == 0) {
+ log.error(
+ "plugins.security.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work"
+ );
acceptorKeyTabPath = null;
} else {
acceptorKeyTabPath = configDir.resolve(settings.get("plugins.security.kerberos.acceptor_keytab_filepath"));
- if(!Files.exists(acceptorKeyTabPath)) {
- log.error("Unable to read keytab from {} - Maybe the file does not exist or is not readable. Kerberos authentication will not work", acceptorKeyTabPath);
+ if (!Files.exists(acceptorKeyTabPath)) {
+ log.error(
+ "Unable to read keytab from {} - Maybe the file does not exist or is not readable. Kerberos authentication will not work",
+ acceptorKeyTabPath
+ );
acceptorKeyTabPath = null;
}
}
@@ -155,7 +162,9 @@ public Void run() {
} catch (Throwable e) {
log.error("Cannot construct HTTPSpnegoAuthenticator due to {}", e.getMessage(), e);
- log.error("Please make sure you configured 'plugins.security.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!");
+ log.error(
+ "Please make sure you configured 'plugins.security.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!"
+ );
throw e;
}
@@ -252,11 +261,13 @@ public GSSCredential run() throws GSSException {
return new AuthCredentials("_incomplete_", (Object) outToken);
}
-
final String username = ((SimpleUserPrincipal) principal).getName();
- if(username == null || username.length() == 0) {
- log.error("Got empty or null user from kerberos. Normally this means that you acceptor principal {} does not match the server hostname", acceptorPrincipal);
+ if (username == null || username.length() == 0) {
+ log.error(
+ "Got empty or null user from kerberos. Normally this means that you acceptor principal {} does not match the server hostname",
+ acceptorPrincipal
+ );
}
return new AuthCredentials(username, (Object) outToken).markComplete();
@@ -272,19 +283,22 @@ public GSSCredential run() throws GSSException {
@Override
public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) {
- final BytesRestResponse wwwAuthenticateResponse;
- XContentBuilder response = getNegotiateResponseBody();
+ final BytesRestResponse wwwAuthenticateResponse;
+ XContentBuilder response = getNegotiateResponseBody();
- if (response != null) {
- wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, response);
+ if (response != null) {
+ wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, response);
} else {
- wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, EMPTY_STRING);
+ wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, EMPTY_STRING);
}
- if(creds == null || creds.getNativeCredentials() == null) {
+ if (creds == null || creds.getNativeCredentials() == null) {
wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Negotiate");
} else {
- wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Negotiate "+Base64.getEncoder().encodeToString((byte[]) creds.getNativeCredentials()));
+ wwwAuthenticateResponse.addHeader(
+ "WWW-Authenticate",
+ "Negotiate " + Base64.getEncoder().encodeToString((byte[]) creds.getNativeCredentials())
+ );
}
channel.sendResponse(wwwAuthenticateResponse);
return true;
@@ -298,7 +312,7 @@ public String getType() {
/**
* This class gets a gss credential via a privileged action.
*/
- //borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
+ // borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
private static class AcceptAction implements PrivilegedExceptionAction {
GSSContext gssContext;
@@ -316,7 +330,7 @@ public byte[] run() throws GSSException {
}
}
- //borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
+ // borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
private static class AuthenticateAction implements PrivilegedAction {
private final Logger logger;
@@ -336,7 +350,7 @@ public Principal run() {
}
}
- //borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
+ // borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
private static String getUsernameFromGSSContext(final GSSContext gssContext, final boolean strip, final Logger logger) {
if (gssContext.isEstablished()) {
GSSName gssName = null;
@@ -359,26 +373,26 @@ private static String getUsernameFromGSSContext(final GSSContext gssContext, fin
return null;
}
- private XContentBuilder getNegotiateResponseBody() {
- try {
- XContentBuilder negotiateResponseBody = XContentFactory.jsonBuilder();
- negotiateResponseBody.startObject();
- negotiateResponseBody.field("error");
- negotiateResponseBody.startObject();
- negotiateResponseBody.field("header");
- negotiateResponseBody.startObject();
- negotiateResponseBody.field("WWW-Authenticate", "Negotiate");
- negotiateResponseBody.endObject();
- negotiateResponseBody.endObject();
- negotiateResponseBody.endObject();
- return negotiateResponseBody;
- } catch (Exception ex) {
- log.error("Can't construct response body", ex);
- return null;
- }
- }
-
- private static String stripRealmName(String name, boolean strip){
+ private XContentBuilder getNegotiateResponseBody() {
+ try {
+ XContentBuilder negotiateResponseBody = XContentFactory.jsonBuilder();
+ negotiateResponseBody.startObject();
+ negotiateResponseBody.field("error");
+ negotiateResponseBody.startObject();
+ negotiateResponseBody.field("header");
+ negotiateResponseBody.startObject();
+ negotiateResponseBody.field("WWW-Authenticate", "Negotiate");
+ negotiateResponseBody.endObject();
+ negotiateResponseBody.endObject();
+ negotiateResponseBody.endObject();
+ return negotiateResponseBody;
+ } catch (Exception ex) {
+ log.error("Can't construct response body", ex);
+ return null;
+ }
+ }
+
+ private static String stripRealmName(String name, boolean strip) {
if (strip && name != null) {
final int i = name.indexOf('@');
if (i > 0) {
diff --git a/src/main/java/com/amazon/dlic/auth/http/kerberos/util/JaasKrbUtil.java b/src/main/java/com/amazon/dlic/auth/http/kerberos/util/JaasKrbUtil.java
index 6574728da4..619c780027 100644
--- a/src/main/java/com/amazon/dlic/auth/http/kerberos/util/JaasKrbUtil.java
+++ b/src/main/java/com/amazon/dlic/auth/http/kerberos/util/JaasKrbUtil.java
@@ -38,177 +38,177 @@
*/
public final class JaasKrbUtil {
- private static boolean debug = false;
-
- private JaasKrbUtil() {
- }
-
- public static void setDebug(final boolean debug) {
- JaasKrbUtil.debug = debug;
- }
-
- public static Subject loginUsingPassword(final String principal, final String password) throws LoginException {
- final Set principals = new HashSet();
- principals.add(new KerberosPrincipal(principal));
-
- final Subject subject = new Subject(false, principals, new HashSet
* @param user The authenticated user to populate with backend roles, never null
* @param credentials Credentials to authenticate to the authorization backend, maybe null.
- * This parameter is for future usage, currently always empty credentials are passed!
+ * This parameter is for future usage, currently always empty credentials are passed!
* @throws OpenSearchSecurityException in case when the authorization backend cannot be reached
* or the {@code credentials} are insufficient to authenticate to the authorization backend.
*/
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index a36aced5e1..9e8154230a 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -181,7 +181,7 @@ public boolean authenticate(final RestRequest request, final RestChannel channel
if (isDebugEnabled) {
log.debug("Rejecting REST request because of blocked address: {}", request.getHttpChannel().getRemoteAddress());
}
-
+
channel.sendResponse(new BytesRestResponse(RestStatus.UNAUTHORIZED, "Authentication finally failed"));
return false;
@@ -200,14 +200,14 @@ public boolean authenticate(final RestRequest request, final RestChannel channel
// ThreadContext injected user
return true;
}
-
+
if (!isInitialized()) {
log.error("Not yet initialized (you may need to run securityadmin)");
channel.sendResponse(new BytesRestResponse(RestStatus.SERVICE_UNAVAILABLE,
"OpenSearch Security not initialized."));
return false;
}
-
+
final TransportAddress remoteAddress = xffResolver.resolve(request);
final boolean isTraceEnabled = log.isTraceEnabled();
if (isTraceEnabled) {
@@ -293,7 +293,7 @@ public boolean authenticate(final RestRequest request, final RestChannel channel
}
}
- //http completed
+ //http completed
authenticatedUser = authcz(userCache, restRoleCache, ac, authDomain.getBackend(), restAuthorizers);
if(authenticatedUser == null) {
@@ -481,7 +481,7 @@ private User authcz(final Cache cache, Cache
* A HTTP authenticator extracts {@link AuthCredentials} from a {@link RestRequest}
*
- *
+ *
* Implementation classes must provide a public constructor
*
* {@code public MyHTTPAuthenticator(org.opensearch.common.settings.Settings settings, java.nio.file.Path configPath)}
@@ -51,14 +51,14 @@
public interface HTTPAuthenticator {
/**
- * The type (name) of the authenticator. Only for logging.
+ * The type (name) of the authenticator. Only for logging.
* @return the type
*/
String getType();
-
+
/**
* Extract {@link AuthCredentials} from {@link RestRequest}
- *
+ *
* @param request The rest request
* @param context The current thread context
* @return The authentication credentials (complete or incomplete) or null when no credentials are found in the request
@@ -68,17 +68,17 @@ public interface HTTPAuthenticator {
* @throws OpenSearchSecurityException
*/
AuthCredentials extractCredentials(RestRequest request, ThreadContext context) throws OpenSearchSecurityException;
-
+
/**
* If the {@code extractCredentials()} call was not successful or the authentication flow needs another roundtrip this method
* will be called. If the custom HTTP authenticator does not support this method is a no-op and false should be returned.
- *
+ *
* If the custom HTTP authenticator does support re-request authentication or supports authentication flows with multiple roundtrips
* then the response should be sent (through the channel) and true must be returned.
- *
+ *
* @param channel The rest channel to sent back the response via {@code channel.sendResponse()}
* @param credentials The credentials from the prior authentication attempt
- * @return false if re-request is not supported/necessary, true otherwise.
+ * @return false if re-request is not supported/necessary, true otherwise.
* If true is returned {@code channel.sendResponse()} must be called so that the request completes.
*/
boolean reRequestAuthentication(final RestChannel channel, AuthCredentials credentials);
diff --git a/src/main/java/org/opensearch/security/auth/blocking/ClientBlockRegistry.java b/src/main/java/org/opensearch/security/auth/blocking/ClientBlockRegistry.java
index a5eba40353..e74c3ad70a 100644
--- a/src/main/java/org/opensearch/security/auth/blocking/ClientBlockRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/blocking/ClientBlockRegistry.java
@@ -1,10 +1,10 @@
/*
* Copyright 2015-2019 floragunn GmbH
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
*/
package org.opensearch.security.auth.blocking;
diff --git a/src/main/java/org/opensearch/security/auth/blocking/HeapBasedClientBlockRegistry.java b/src/main/java/org/opensearch/security/auth/blocking/HeapBasedClientBlockRegistry.java
index 363645cd90..450dda54db 100644
--- a/src/main/java/org/opensearch/security/auth/blocking/HeapBasedClientBlockRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/blocking/HeapBasedClientBlockRegistry.java
@@ -1,10 +1,10 @@
/*
* Copyright 2015-2019 floragunn GmbH
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
*/
package org.opensearch.security.auth.blocking;
diff --git a/src/main/java/org/opensearch/security/auth/limiting/AbstractRateLimiter.java b/src/main/java/org/opensearch/security/auth/limiting/AbstractRateLimiter.java
index 3f603437a0..a4d596b61d 100644
--- a/src/main/java/org/opensearch/security/auth/limiting/AbstractRateLimiter.java
+++ b/src/main/java/org/opensearch/security/auth/limiting/AbstractRateLimiter.java
@@ -1,10 +1,10 @@
/*
* Copyright 2015-2019 floragunn GmbH
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
*/
package org.opensearch.security.auth.limiting;
diff --git a/src/main/java/org/opensearch/security/auth/limiting/AddressBasedRateLimiter.java b/src/main/java/org/opensearch/security/auth/limiting/AddressBasedRateLimiter.java
index 42f1d1f165..35a6571f8f 100644
--- a/src/main/java/org/opensearch/security/auth/limiting/AddressBasedRateLimiter.java
+++ b/src/main/java/org/opensearch/security/auth/limiting/AddressBasedRateLimiter.java
@@ -1,10 +1,10 @@
/*
* Copyright 2015-2019 floragunn GmbH
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
*/
package org.opensearch.security.auth.limiting;
diff --git a/src/main/java/org/opensearch/security/auth/limiting/UserNameBasedRateLimiter.java b/src/main/java/org/opensearch/security/auth/limiting/UserNameBasedRateLimiter.java
index 7fe5ac05d6..3fd0c12246 100644
--- a/src/main/java/org/opensearch/security/auth/limiting/UserNameBasedRateLimiter.java
+++ b/src/main/java/org/opensearch/security/auth/limiting/UserNameBasedRateLimiter.java
@@ -1,10 +1,10 @@
/*
* Copyright 2015-2019 floragunn GmbH
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
*/
package org.opensearch.security.auth.limiting;
diff --git a/src/main/java/org/opensearch/security/configuration/AdminDNs.java b/src/main/java/org/opensearch/security/configuration/AdminDNs.java
index ced262d543..72a4485e9f 100644
--- a/src/main/java/org/opensearch/security/configuration/AdminDNs.java
+++ b/src/main/java/org/opensearch/security/configuration/AdminDNs.java
@@ -62,7 +62,7 @@ public AdminDNs(final Settings settings) {
this.injectAdminUserEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, false);
final List adminDnsA = settings.getAsList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList());
-
+
for (String dn:adminDnsA) {
try {
log.debug("{} is registered as an admin dn", dn);
@@ -73,13 +73,13 @@ public AdminDNs(final Settings settings) {
if (log.isDebugEnabled()) {
log.debug("Admin DN not an LDAP name, but admin user injection enabled. Will add {} to admin usernames", dn);
}
- adminUsernames.add(dn);
+ adminUsernames.add(dn);
} else {
- log.error("Unable to parse admin dn {}",dn, e);
+ log.error("Unable to parse admin dn {}",dn, e);
}
}
}
-
+
log.debug("Loaded {} admin DN's {}",adminDn.size(), adminDn);
final Settings impersonationDns = settings.getByPrefix(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+".");
@@ -95,7 +95,7 @@ public AdminDNs(final Settings settings) {
);
log.debug("Loaded {} impersonation DN's {}", allowedDnsImpersonations.size(), allowedDnsImpersonations);
-
+
final Settings impersonationUsersRest = settings.getByPrefix(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".");
allowedRestImpersonations = impersonationUsersRest.keySet().stream()
@@ -103,9 +103,9 @@ public AdminDNs(final Settings settings) {
ImmutableMap.toImmutableMap(
Function.identity(),
user -> WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+"."+user))
- )
- );
-
+ )
+ );
+
log.debug("Loaded {} impersonation users for REST {}",allowedRestImpersonations.size(), allowedRestImpersonations);
}
@@ -129,11 +129,11 @@ public boolean isAdmin(User user) {
}
return false;
}
-
+
public boolean isAdminDN(String dn) {
-
+
if(dn == null) return false;
-
+
try {
return isAdminDN(new LdapName(dn));
} catch (InvalidNameException e) {
@@ -143,16 +143,16 @@ public boolean isAdminDN(String dn) {
private boolean isAdminDN(LdapName dn) {
if(dn == null) return false;
-
+
boolean isAdmin = adminDn.contains(dn);
-
+
if (log.isTraceEnabled()) {
log.trace("Is principal {} an admin cert? {}", dn.toString(), isAdmin);
}
-
+
return isAdmin;
}
-
+
public boolean isRestImpersonationAllowed(final String originalUser, final String impersonated) {
return (originalUser != null) ? allowedRestImpersonations.getOrDefault(originalUser, WildcardMatcher.NONE).test(impersonated) : false;
}
diff --git a/src/main/java/org/opensearch/security/configuration/ClusterInfoHolder.java b/src/main/java/org/opensearch/security/configuration/ClusterInfoHolder.java
index 61877f2bf2..1c42321986 100644
--- a/src/main/java/org/opensearch/security/configuration/ClusterInfoHolder.java
+++ b/src/main/java/org/opensearch/security/configuration/ClusterInfoHolder.java
@@ -40,7 +40,7 @@ public class ClusterInfoHolder implements ClusterStateListener {
private volatile DiscoveryNodes nodes = null;
private volatile Boolean isLocalNodeElectedClusterManager = null;
private volatile boolean initialized;
-
+
@Override
public void clusterChanged(ClusterChangedEvent event) {
if(nodes == null || event.nodesChanged()) {
@@ -50,7 +50,7 @@ public void clusterChanged(ClusterChangedEvent event) {
}
initialized = true;
}
-
+
isLocalNodeElectedClusterManager = event.localNodeClusterManager()?Boolean.TRUE:Boolean.FALSE;
}
@@ -69,7 +69,7 @@ public Boolean hasNode(DiscoveryNode node) {
}
return null;
}
-
+
return nodes.nodeExists(node)?Boolean.TRUE:Boolean.FALSE;
}
}
diff --git a/src/main/java/org/opensearch/security/configuration/CompatConfig.java b/src/main/java/org/opensearch/security/configuration/CompatConfig.java
index 6912cb4fbb..48f91b10be 100644
--- a/src/main/java/org/opensearch/security/configuration/CompatConfig.java
+++ b/src/main/java/org/opensearch/security/configuration/CompatConfig.java
@@ -50,13 +50,13 @@ public CompatConfig(final Environment environment, final OpensearchDynamicSettin
this.staticSettings = environment.settings();
this.transportPassiveAuthSetting = transportPassiveAuthSetting;
}
-
+
@Subscribe
public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
this.dcm = dcm;
log.debug("dynamicSecurityConfig updated?: {}", (dcm != null));
}
-
+
//true is default
public boolean restAuthEnabled() {
final boolean restInitiallyDisabled = staticSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false);
@@ -79,7 +79,7 @@ public boolean restAuthEnabled() {
}
}
-
+
//true is default
public boolean transportInterClusterAuthEnabled() {
final boolean interClusterAuthInitiallyDisabled = staticSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false);
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigCallback.java b/src/main/java/org/opensearch/security/configuration/ConfigCallback.java
index d7d1ed0cee..cb8fc1eedf 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigCallback.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigCallback.java
@@ -30,7 +30,7 @@
import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
public interface ConfigCallback {
-
+
void success(SecurityDynamicConfiguration> dConf);
void noData(String id);
void singleFailure(Failure failure);
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigUpdateAlreadyInProgressException.java b/src/main/java/org/opensearch/security/configuration/ConfigUpdateAlreadyInProgressException.java
index ea7799e014..c628a3156e 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigUpdateAlreadyInProgressException.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigUpdateAlreadyInProgressException.java
@@ -1,10 +1,10 @@
/*
* Copyright 2015-2019 floragunn GmbH
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
*/
package org.opensearch.security.configuration;
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java b/src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java
index 4aa9fadcae..f5751efcae 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java
@@ -36,7 +36,7 @@
import org.opensearch.threadpool.ThreadPool;
public interface DlsFlsRequestValve {
-
+
boolean invoke(String action, ActionRequest request, ActionListener> listener, EvaluatedDlsFlsConfig evaluatedDlsFlsConfig, Resolved resolved);
void handleSearchContext(SearchContext context, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry);
@@ -61,5 +61,5 @@ public void onQueryPhase(QuerySearchResult queryResult) {
}
}
-
+
}
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
index 532f820210..947557d342 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
@@ -266,7 +266,7 @@ public boolean invoke(String action, ActionRequest request, final ActionListener
RestStatus.FORBIDDEN));
return false;
}
-
+
if (evaluatedDlsFlsConfig.hasDls()) {
if (request instanceof SearchRequest) {
@@ -317,7 +317,7 @@ public void handleSearchContext(SearchContext context, ThreadPool threadPool, Na
assert context.parsedQuery() != null;
final Set unparsedDlsQueries = queries.get(dlsEval);
-
+
if (unparsedDlsQueries != null && !unparsedDlsQueries.isEmpty()) {
BooleanQuery.Builder queryBuilder = dlsQueryParser.parse(unparsedDlsQueries, context.getQueryShardContext(),
(q) -> new ConstantScoreQuery(q));
@@ -390,7 +390,7 @@ private void setDlsHeaders(EvaluatedDlsFlsConfig dlsFls, ActionRequest request)
} else {
if (threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER) != null) {
Object deserializedDlsQueries = Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER));
- if (!dlsQueries.equals(deserializedDlsQueries)) {
+ if (!dlsQueries.equals(deserializedDlsQueries)) {
throw new OpenSearchSecurityException(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER + " does not match (SG 900D)");
}
} else {
diff --git a/src/main/java/org/opensearch/security/configuration/DlsQueryParser.java b/src/main/java/org/opensearch/security/configuration/DlsQueryParser.java
index fd3b3aee98..a5f07541c8 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsQueryParser.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsQueryParser.java
@@ -99,7 +99,7 @@ public BooleanQuery.Builder parse(Set unparsedDlsQueries, QueryShardCont
return dlsQueryBuilder;
}
-
+
private static void handleNested(final QueryShardContext queryShardContext, final BooleanQuery.Builder dlsQueryBuilder,
final Query parentQuery) {
final BitSetProducer parentDocumentsFilter = queryShardContext.bitsetFilter(NON_NESTED_QUERY);
@@ -131,7 +131,7 @@ boolean containsTermLookupQuery(Set unparsedQueries) {
if (log.isDebugEnabled()) {
log.debug("containsTermLookupQuery() returns true due to " + query + "\nqueries: " + unparsedQueries);
}
-
+
return true;
}
}
@@ -139,7 +139,7 @@ boolean containsTermLookupQuery(Set unparsedQueries) {
if (log.isDebugEnabled()) {
log.debug("containsTermLookupQuery() returns false\nqueries: " + unparsedQueries);
}
-
+
return false;
}
@@ -156,5 +156,5 @@ boolean containsTermLookupQuery(String query) {
}
}
-
+
}
diff --git a/src/main/java/org/opensearch/security/configuration/EmptyFilterLeafReader.java b/src/main/java/org/opensearch/security/configuration/EmptyFilterLeafReader.java
index 4b603fa804..79069ef53e 100644
--- a/src/main/java/org/opensearch/security/configuration/EmptyFilterLeafReader.java
+++ b/src/main/java/org/opensearch/security/configuration/EmptyFilterLeafReader.java
@@ -102,7 +102,7 @@ public EmptyDirectoryReader(final DirectoryReader in) throws IOException {
protected DirectoryReader doWrapDirectoryReader(final DirectoryReader in) throws IOException {
return new EmptyDirectoryReader(in);
}
-
+
@Override
public CacheHelper getReaderCacheHelper() {
return in.getReaderCacheHelper();
diff --git a/src/main/java/org/opensearch/security/configuration/InvalidConfigException.java b/src/main/java/org/opensearch/security/configuration/InvalidConfigException.java
index 5e96af6449..ba6a29b08a 100644
--- a/src/main/java/org/opensearch/security/configuration/InvalidConfigException.java
+++ b/src/main/java/org/opensearch/security/configuration/InvalidConfigException.java
@@ -29,7 +29,7 @@
public class InvalidConfigException extends Exception {
/**
- *
+ *
*/
private static final long serialVersionUID = 1L;
diff --git a/src/main/java/org/opensearch/security/configuration/StaticResourceException.java b/src/main/java/org/opensearch/security/configuration/StaticResourceException.java
index b4d787aa0f..8574a170bb 100644
--- a/src/main/java/org/opensearch/security/configuration/StaticResourceException.java
+++ b/src/main/java/org/opensearch/security/configuration/StaticResourceException.java
@@ -1,10 +1,10 @@
/*
* Copyright 2015-2019 floragunn GmbH
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@@ -12,7 +12,7 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
*/
package org.opensearch.security.configuration;
diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
index 7bdd5946d5..4dd629c010 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
@@ -192,7 +192,7 @@ private void ap
if (user != null) {
org.apache.logging.log4j.ThreadContext.put("user", user.getName());
}
-
+
if (isActionTraceEnabled()) {
String count = "";
@@ -232,12 +232,12 @@ private void ap
chain.proceed(task, action, request, listener);
return;
}
-
-
+
+
if(immutableIndicesMatcher != WildcardMatcher.NONE) {
-
+
boolean isImmutable = false;
-
+
if(request instanceof BulkShardRequest) {
for(BulkItemRequest bsr: ((BulkShardRequest) request).items()) {
isImmutable = checkImmutableIndices(bsr.request(), listener);
@@ -248,7 +248,7 @@ private void ap
} else {
isImmutable = checkImmutableIndices(request, listener);
}
-
+
if(isImmutable) {
return;
}
@@ -301,7 +301,7 @@ private void ap
}
final PrivilegesEvaluatorResponse pres = eval.evaluate(user, action, request, task, injectedRoles);
-
+
if (log.isDebugEnabled()) {
log.debug(pres.toString());
}
@@ -384,7 +384,7 @@ private static boolean isUserAdmin(User user, final AdminDNs adminDns) {
}
private void attachSourceFieldContext(ActionRequest request) {
-
+
if(request instanceof SearchRequest && SourceFieldsContext.isNeeded((SearchRequest) request)) {
if(threadContext.getHeader("_opendistro_security_source_field_context") == null) {
final String serializedSourceFieldContext = Base64Helper.serializeObject(new SourceFieldsContext((SearchRequest) request));
@@ -397,7 +397,7 @@ private void attachSourceFieldContext(ActionRequest request) {
}
}
}
-
+
@SuppressWarnings("rawtypes")
private boolean checkImmutableIndices(Object request, ActionListener listener) {
final boolean isModifyIndexRequest = request instanceof DeleteRequest
@@ -413,11 +413,11 @@ private boolean checkImmutableIndices(Object request, ActionListener listener) {
listener.onFailure(new OpenSearchSecurityException("Index is immutable", RestStatus.FORBIDDEN));
return true;
}
-
+
if ((request instanceof IndexRequest) && isRequestIndexImmutable(request)) {
((IndexRequest) request).opType(OpType.CREATE);
}
-
+
return false;
}
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index ebd2e8d633..25926dab32 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -117,7 +117,7 @@ public SecurityRestFilter(final BackendRegistry registry, final AuditLog auditLo
*/
public RestHandler wrap(RestHandler original, AdminDNs adminDNs) {
return new RestHandler() {
-
+
@Override
public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
org.apache.logging.log4j.ThreadContext.clearAll();
@@ -143,7 +143,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
NodeClient client) throws Exception {
threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.REST.toString());
-
+
if(HTTPHelper.containsBadHeader(request)) {
final OpenSearchException exception = ExceptionUtils.createBadHeaderException();
log.error(exception.toString());
@@ -151,7 +151,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
channel.sendResponse(new BytesRestResponse(channel, RestStatus.FORBIDDEN, exception));
return true;
}
-
+
if(SSLRequestHelper.containsBadHeader(threadContext, ConfigConstants.OPENDISTRO_SECURITY_CONFIG_PREFIX)) {
final OpenSearchException exception = ExceptionUtils.createBadHeaderException();
log.error(exception.toString());
@@ -166,7 +166,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
if(sslInfo.getPrincipal() != null) {
threadContext.putTransient("_opendistro_security_ssl_principal", sslInfo.getPrincipal());
}
-
+
if(sslInfo.getX509Certs() != null) {
threadContext.putTransient("_opendistro_security_ssl_peer_certificates", sslInfo.getX509Certs());
}
@@ -179,7 +179,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
channel.sendResponse(new BytesRestResponse(channel, RestStatus.FORBIDDEN, e));
return true;
}
-
+
if(!compatConfig.restAuthEnabled()) {
return false;
}
@@ -198,7 +198,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
org.apache.logging.log4j.ThreadContext.put("user", ((User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER)).getName());
}
}
-
+
return false;
}
diff --git a/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java
index 35278d261f..30e6134381 100644
--- a/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java
@@ -47,20 +47,20 @@ public class HTTPBasicAuthenticator implements HTTPAuthenticator {
protected final Logger log = LogManager.getLogger(this.getClass());
public HTTPBasicAuthenticator(final Settings settings, final Path configPath) {
-
+
}
@Override
public AuthCredentials extractCredentials(final RestRequest request, ThreadContext threadContext) {
final boolean forceLogin = request.paramAsBoolean("force_login", false);
-
+
if(forceLogin) {
return null;
}
-
+
final String authorizationHeader = request.header("Authorization");
-
+
return HTTPHelper.extractCredentials(authorizationHeader, log);
}
diff --git a/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java
index 51ff6304b1..373919669d 100644
--- a/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java
@@ -48,7 +48,7 @@
import org.opensearch.security.user.AuthCredentials;
public class HTTPClientCertAuthenticator implements HTTPAuthenticator {
-
+
protected final Logger log = LogManager.getLogger(this.getClass());
protected final Settings settings;
@@ -62,29 +62,29 @@ public AuthCredentials extractCredentials(final RestRequest request, final Threa
final String principal = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL);
if (!Strings.isNullOrEmpty(principal)) {
-
+
final String usernameAttribute = settings.get("username_attribute");
final String rolesAttribute = settings.get("roles_attribute");
-
+
try {
final LdapName rfc2253dn = new LdapName(principal);
String username = principal.trim();
String[] backendRoles = null;
-
+
if(usernameAttribute != null && usernameAttribute.length() > 0) {
final List usernames = getDnAttribute(rfc2253dn, usernameAttribute);
if(usernames.isEmpty() == false) {
username = usernames.get(0);
}
}
-
+
if(rolesAttribute != null && rolesAttribute.length() > 0) {
final List roles = getDnAttribute(rfc2253dn, rolesAttribute);
if(roles.isEmpty() == false) {
backendRoles = roles.toArray(new String[0]);
}
}
-
+
return new AuthCredentials(username, backendRoles).markComplete();
} catch (InvalidNameException e) {
log.error("Client cert had no properly formed DN (was: {})", principal);
@@ -106,8 +106,8 @@ public boolean reRequestAuthentication(final RestChannel channel, AuthCredential
public String getType() {
return "clientcert";
}
-
- private List getDnAttribute(LdapName rfc2253dn, String attribute) {
+
+ private List getDnAttribute(LdapName rfc2253dn, String attribute) {
final List attrValues = new ArrayList<>(rfc2253dn.size());
final List reverseRdn = new ArrayList<>(rfc2253dn.getRdns());
Collections.reverse(reverseRdn);
@@ -117,7 +117,7 @@ private List getDnAttribute(LdapName rfc2253dn, String attribute) {
attrValues.add(rdn.getValue().toString());
}
}
-
+
return Collections.unmodifiableList(attrValues);
}
}
diff --git a/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java
index 28fb80e0db..348811b694 100644
--- a/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java
@@ -57,14 +57,14 @@ public HTTPProxyAuthenticator(Settings settings, final Path configPath) {
@Override
public AuthCredentials extractCredentials(final RestRequest request, ThreadContext context) {
-
+
if(context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE) != Boolean.TRUE) {
throw new OpenSearchSecurityException("xff not done");
}
-
+
final String userHeader = settings.get("user_header");
final String rolesHeader = settings.get("roles_header");
-
+
if (log.isDebugEnabled()) {
log.debug("Headers {}", request.getHeaders());
log.debug("UserHeader {}, value {}", userHeader, userHeader == null ? null : request.header(userHeader));
diff --git a/src/main/java/org/opensearch/security/http/RemoteIpDetector.java b/src/main/java/org/opensearch/security/http/RemoteIpDetector.java
index 404fd2dcc2..5d9e933c8f 100644
--- a/src/main/java/org/opensearch/security/http/RemoteIpDetector.java
+++ b/src/main/java/org/opensearch/security/http/RemoteIpDetector.java
@@ -120,23 +120,23 @@ String detect(RestRequest request, ThreadContext threadContext){
if (isTraceEnabled) {
log.trace("originalRemoteAddr {}", originalRemoteAddr);
}
-
+
//X-Forwarded-For: client1, proxy1, proxy2
// ^^^^^^ originalRemoteAddr
-
+
//originalRemoteAddr need to be in the list of internalProxies
if (internalProxies !=null &&
internalProxies.matcher(originalRemoteAddr).matches()) {
String remoteIp = null;
final StringBuilder concatRemoteIpHeaderValue = new StringBuilder();
-
+
//client1, proxy1, proxy2
final List remoteIpHeaders = request.getHeaders().get(remoteIpHeader); //X-Forwarded-For
if(remoteIpHeaders == null || remoteIpHeaders.isEmpty()) {
return originalRemoteAddr;
}
-
+
for (String rh:remoteIpHeaders) {
if (concatRemoteIpHeaderValue.length() > 0) {
concatRemoteIpHeaderValue.append(", ");
@@ -144,7 +144,7 @@ String detect(RestRequest request, ThreadContext threadContext){
concatRemoteIpHeaderValue.append(rh);
}
-
+
if (isTraceEnabled) {
log.trace("concatRemoteIpHeaderValue {}", concatRemoteIpHeaderValue.toString());
}
@@ -162,14 +162,14 @@ String detect(RestRequest request, ThreadContext threadContext){
break;
}
}
-
+
// continue to loop on remoteIpHeaderValue to build the new value of the remoteIpHeader
final LinkedList newRemoteIpHeaderValue = new LinkedList<>();
for (; idx >= 0; idx--) {
String currentRemoteIp = remoteIpHeaderValue[idx];
newRemoteIpHeaderValue.addFirst(currentRemoteIp);
}
-
+
if (remoteIp != null) {
if (isTraceEnabled) {
final String originalRemoteHost = ((InetSocketAddress)request.getHttpChannel().getRemoteAddress()).getAddress().getHostName();
@@ -178,17 +178,17 @@ String detect(RestRequest request, ThreadContext threadContext){
threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE, Boolean.TRUE);
return remoteIp;
-
+
} else {
log.warn("Remote ip could not be detected, this should normally not happen");
}
-
+
} else {
if (isTraceEnabled) {
log.trace("Skip RemoteIpDetector for request {} with originalRemoteAddr '{}' cause no internal proxy matches", request.uri(), request.getHttpChannel().getRemoteAddress());
}
}
-
+
return originalRemoteAddr;
}
diff --git a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
index 3d977dcc7e..6f2f57053f 100644
--- a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
+++ b/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
@@ -39,7 +39,7 @@
import org.opensearch.transport.SharedGroupFactory;
public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTransport {
-
+
public SecurityHttpServerTransport(final Settings settings, final NetworkService networkService,
final BigArrays bigArrays, final ThreadPool threadPool, final SecurityKeyStore odsks,
final SslExceptionHandler sslExceptionHandler, final NamedXContentRegistry namedXContentRegistry, final ValidatingDispatcher dispatcher, final ClusterSettings clusterSettings, SharedGroupFactory sharedGroupFactory) {
diff --git a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
index b05153db4c..3c1dedc55e 100644
--- a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
+++ b/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
@@ -54,7 +54,7 @@ public ChannelHandler configureServerChannelHandler() {
}
protected class NonSslHttpChannelHandler extends Netty4HttpServerTransport.HttpChannelHandler {
-
+
protected NonSslHttpChannelHandler(Netty4HttpServerTransport transport, final HttpHandlingSettings handlingSettings) {
super(transport, handlingSettings);
}
diff --git a/src/main/java/org/opensearch/security/http/XFFResolver.java b/src/main/java/org/opensearch/security/http/XFFResolver.java
index 23de8e3676..c44e98537d 100644
--- a/src/main/java/org/opensearch/security/http/XFFResolver.java
+++ b/src/main/java/org/opensearch/security/http/XFFResolver.java
@@ -47,7 +47,7 @@ public class XFFResolver {
private volatile boolean enabled;
private volatile RemoteIpDetector detector;
private final ThreadContext threadContext;
-
+
public XFFResolver(final ThreadPool threadPool) {
super();
this.threadContext = threadPool.getThreadContext();
@@ -58,16 +58,16 @@ public TransportAddress resolve(final RestRequest request) throws OpenSearchSecu
if (isTraceEnabled) {
log.trace("resolve {}", request.getHttpChannel().getRemoteAddress());
}
-
+
if(enabled && request.getHttpChannel().getRemoteAddress() instanceof InetSocketAddress && request.getHttpChannel() instanceof Netty4HttpChannel) {
final InetSocketAddress isa = new InetSocketAddress(detector.detect(request, threadContext), ((InetSocketAddress)request.getHttpChannel().getRemoteAddress()).getPort());
-
- if(isa.isUnresolved()) {
+
+ if(isa.isUnresolved()) {
throw new OpenSearchSecurityException("Cannot resolve address "+isa.getHostString());
}
-
-
+
+
if (isTraceEnabled) {
if(threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE) == Boolean.TRUE) {
log.trace("xff resolved {} to {}", request.getHttpChannel().getRemoteAddress(), isa);
@@ -77,7 +77,7 @@ public TransportAddress resolve(final RestRequest request) throws OpenSearchSecu
}
return new TransportAddress(isa);
} else if(request.getHttpChannel().getRemoteAddress() instanceof InetSocketAddress){
-
+
if (isTraceEnabled) {
log.trace("no xff done (enabled or no netty request) {},{},{},{}",enabled, request.getClass());
diff --git a/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java b/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java
index d792158fea..e98f26d85a 100644
--- a/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java
@@ -60,7 +60,7 @@ public AuthCredentials extractCredentials(final RestRequest request, ThreadConte
if(credentials == null) {
return null;
}
-
+
String attrHeaderPrefix = settings.get("attr_header_prefix");
if(Strings.isNullOrEmpty(attrHeaderPrefix)) {
log.debug("attr_header_prefix is null. Skipping additional attribute extraction");
@@ -68,7 +68,7 @@ public AuthCredentials extractCredentials(final RestRequest request, ThreadConte
} else if(log.isDebugEnabled()) {
log.debug("attrHeaderPrefix {}", attrHeaderPrefix);
}
-
+
credentials.addAttribute(ATTR_PROXY_USERNAME, credentials.getUsername());
attrHeaderPrefix = attrHeaderPrefix.toLowerCase();
for (Entry> entry : request.getHeaders().entrySet()) {
diff --git a/src/main/java/org/opensearch/security/httpclient/HttpClient.java b/src/main/java/org/opensearch/security/httpclient/HttpClient.java
index d032ca3544..ad507ea47c 100644
--- a/src/main/java/org/opensearch/security/httpclient/HttpClient.java
+++ b/src/main/java/org/opensearch/security/httpclient/HttpClient.java
@@ -195,7 +195,7 @@ public boolean index(final String content, final String index, final String type
try {
final IndexRequest ir = new IndexRequest(index);
-
+
final IndexResponse response = rclient.index(ir
.setRefreshPolicy(refresh?RefreshPolicy.IMMEDIATE:RefreshPolicy.NONE)
.source(content, XContentType.JSON), RequestOptions.DEFAULT);
diff --git a/src/main/java/org/opensearch/security/privileges/DocumentAllowList.java b/src/main/java/org/opensearch/security/privileges/DocumentAllowList.java
index 8bfbb7c0db..129233a007 100644
--- a/src/main/java/org/opensearch/security/privileges/DocumentAllowList.java
+++ b/src/main/java/org/opensearch/security/privileges/DocumentAllowList.java
@@ -193,7 +193,7 @@ public static class Entry {
if (index.indexOf('/') != -1 || index.indexOf('|') != -1) {
throw new IllegalArgumentException("Invalid index name: " + index);
}
-
+
this.index = index;
this.id = id;
}
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 36d53b2a9e..278dc86b7c 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -134,7 +134,7 @@ public class PrivilegesEvaluator {
private final boolean dfmEmptyOverwritesAll;
private DynamicConfigModel dcm;
private final NamedXContentRegistry namedXContentRegistry;
-
+
public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool threadPool,
final ConfigurationRepository configurationRepository, final IndexNameExpressionResolver resolver,
AuditLog auditLog, final Settings settings, final PrivilegesInterceptor privilegesInterceptor, final ClusterInfoHolder clusterInfoHolder,
@@ -309,7 +309,7 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
}
presponse.evaluatedDlsFlsConfig = getSecurityRoles(mappedRoles).getDlsFls(user, dfmEmptyOverwritesAll, resolver, clusterService, namedXContentRegistry);
-
+
if (isClusterPerm(action0)) {
if(!securityRoles.impliesClusterPermissionPermission(action0)) {
@@ -384,7 +384,7 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
presponse.allowed = true;
return presponse;
}
-
+
// term aggregations
if (termsAggregationEvaluator.evaluate(requestedResolved, request, clusterService, user, securityRoles, resolver, presponse) .isComplete()) {
return presponse;
@@ -728,7 +728,7 @@ private boolean checkDocAllowListHeader(User user, String action, ActionRequest
if (log.isDebugEnabled()) {
log.debug("Request " + request + " is allowed by " + documentAllowList);
}
-
+
return true;
} else {
return false;
@@ -739,7 +739,7 @@ private boolean checkDocAllowListHeader(User user, String action, ActionRequest
return false;
}
}
-
+
private List toString(List aliases) {
if(aliases == null || aliases.size() == 0) {
return Collections.emptyList();
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java
index 8b3e51f045..31ce7095d2 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java
@@ -42,11 +42,11 @@ public class PrivilegesEvaluatorResponse {
PrivilegesEvaluatorResponseState state = PrivilegesEvaluatorResponseState.PENDING;
Resolved resolved;
CreateIndexRequestBuilder createIndexRequestBuilder;
-
+
public Resolved getResolved() {
return resolved;
}
-
+
public boolean isAllowed() {
return allowed;
}
@@ -61,11 +61,11 @@ public Set getMissingPrivileges() {
public EvaluatedDlsFlsConfig getEvaluatedDlsFlsConfig() {
return evaluatedDlsFlsConfig;
}
-
+
public CreateIndexRequestBuilder getCreateIndexRequestBuilder() {
return createIndexRequestBuilder;
}
-
+
public PrivilegesEvaluatorResponse markComplete() {
this.state = PrivilegesEvaluatorResponseState.COMPLETE;
return this;
@@ -89,10 +89,10 @@ public String toString() {
return "PrivEvalResponse [allowed=" + allowed + ", missingPrivileges=" + missingPrivileges + ", evaluatedDlsFlsConfig="
+ evaluatedDlsFlsConfig + "]";
}
-
+
public static enum PrivilegesEvaluatorResponseState {
PENDING,
COMPLETE;
}
-
+
}
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesInterceptor.java b/src/main/java/org/opensearch/security/privileges/PrivilegesInterceptor.java
index c76910474f..dd569b05fb 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesInterceptor.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesInterceptor.java
@@ -65,7 +65,7 @@ protected static ReplaceResult newAccessGrantedReplaceResult(CreateIndexRequestB
protected final Client client;
protected final ThreadPool threadPool;
- public PrivilegesInterceptor(final IndexNameExpressionResolver resolver, final ClusterService clusterService,
+ public PrivilegesInterceptor(final IndexNameExpressionResolver resolver, final ClusterService clusterService,
final Client client, ThreadPool threadPool) {
this.resolver = resolver;
this.clusterService = clusterService;
@@ -77,7 +77,7 @@ public ReplaceResult replaceDashboardsIndex(final ActionRequest request, final S
final Resolved requestedResolved, final Map tenants) {
throw new RuntimeException("not implemented");
}
-
+
protected final ThreadContext getThreadContext() {
return threadPool.getThreadContext();
}
diff --git a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
index 60456a4eb3..a74ea17ccd 100644
--- a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
@@ -47,9 +47,9 @@
import org.opensearch.tasks.Task;
public class SecurityIndexAccessEvaluator {
-
+
Logger log = LogManager.getLogger(this.getClass());
-
+
private final String securityIndex;
private final AuditLog auditLog;
private final WildcardMatcher securityDeniedActionMatcher;
@@ -86,7 +86,7 @@ public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog,
securityDeniedActionMatcher = WildcardMatcher.from(restoreSecurityIndexEnabled ? securityIndexDeniedActionPatternsList : securityIndexDeniedActionPatternsListNoSnapshot);
}
-
+
public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final Task task, final String action, final Resolved requestedResolved,
final PrivilegesEvaluatorResponse presponse) {
final boolean isDebugEnabled = log.isDebugEnabled();
diff --git a/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java b/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java
index c457b42624..c536ae2d2e 100644
--- a/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java
@@ -47,7 +47,7 @@ public class SnapshotRestoreEvaluator {
private final String securityIndex;
private final AuditLog auditLog;
private final boolean restoreSecurityIndexEnabled;
-
+
public SnapshotRestoreEvaluator(final Settings settings, AuditLog auditLog) {
this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE,
ConfigConstants.SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE);
@@ -63,27 +63,27 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final T
if (!(request instanceof RestoreSnapshotRequest)) {
return presponse;
}
-
+
// snapshot restore for regular users not enabled
if (!enableSnapshotRestorePrivilege) {
log.warn("{} is not allowed for a regular user", action);
presponse.allowed = false;
- return presponse.markComplete();
+ return presponse.markComplete();
}
// if this feature is enabled, users can also snapshot and restore
// the Security index and the global state
if (restoreSecurityIndexEnabled) {
presponse.allowed = true;
- return presponse;
+ return presponse;
}
-
+
if (clusterInfoHolder.isLocalNodeElectedClusterManager() == Boolean.FALSE) {
presponse.allowed = true;
- return presponse.markComplete();
+ return presponse.markComplete();
}
-
+
final RestoreSnapshotRequest restoreRequest = (RestoreSnapshotRequest) request;
// Do not allow restore of global state
@@ -91,7 +91,7 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final T
auditLog.logSecurityIndexAttempt(request, action, task);
log.warn("{} with 'include_global_state' enabled is not allowed", action);
presponse.allowed = false;
- return presponse.markComplete();
+ return presponse.markComplete();
}
final List rs = SnapshotRestoreHelper.resolveOriginalIndices(restoreRequest);
@@ -100,7 +100,7 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final T
auditLog.logSecurityIndexAttempt(request, action, task);
log.warn("{} for '{}' as source index is not allowed", action, securityIndex);
presponse.allowed = false;
- return presponse.markComplete();
+ return presponse.markComplete();
}
return presponse;
}
diff --git a/src/main/java/org/opensearch/security/privileges/TermsAggregationEvaluator.java b/src/main/java/org/opensearch/security/privileges/TermsAggregationEvaluator.java
index 1d1d048350..53709458fd 100644
--- a/src/main/java/org/opensearch/security/privileges/TermsAggregationEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/TermsAggregationEvaluator.java
@@ -56,12 +56,12 @@ public class TermsAggregationEvaluator {
"indices:data/read/field_caps*"
//"indices:admin/mappings/fields/get*"
};
-
+
private static final QueryBuilder NONE_QUERY = new MatchNoneQueryBuilder();
-
+
public TermsAggregationEvaluator() {
}
-
+
public PrivilegesEvaluatorResponse evaluate(final Resolved resolved, final ActionRequest request, ClusterService clusterService, User user, SecurityRoles securityRoles, IndexNameExpressionResolver resolver, PrivilegesEvaluatorResponse presponse) {
try {
if(request instanceof SearchRequest) {
@@ -81,14 +81,14 @@ public PrivilegesEvaluatorResponse evaluate(final Resolved resolved, final Actio
&& ab.getPipelineAggregations().isEmpty()
&& ab.getSubAggregations().isEmpty()) {
-
+
final Set allPermittedIndices = securityRoles.getAllPermittedIndicesForDashboards(resolved, user, READ_ACTIONS, resolver, clusterService);
if(allPermittedIndices == null || allPermittedIndices.isEmpty()) {
sr.source().query(NONE_QUERY);
} else {
sr.source().query(new TermsQueryBuilder("_index", allPermittedIndices));
- }
-
+ }
+
presponse.allowed = true;
return presponse.markComplete();
}
@@ -99,7 +99,7 @@ public PrivilegesEvaluatorResponse evaluate(final Resolved resolved, final Actio
log.warn("Unable to evaluate terms aggregation",e);
return presponse;
}
-
+
return presponse;
}
}
diff --git a/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java b/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java
index d2d0685860..5892a91a30 100644
--- a/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java
+++ b/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java
@@ -369,7 +369,7 @@ public final static class Resolved {
private final Set remoteIndices;
private final boolean isLocalAll;
private final IndicesOptions indicesOptions;
-
+
public Resolved(final ImmutableSet aliases,
final ImmutableSet allIndices,
final ImmutableSet originalRequested,
@@ -394,15 +394,15 @@ public Set getAliases() {
public Set getAllIndices() {
return allIndices;
}
-
+
public Set getAllIndicesResolved(ClusterService clusterService, IndexNameExpressionResolver resolver) {
- if (isLocalAll) {
+ if (isLocalAll) {
return new HashSet<>(Arrays.asList(resolver.concreteIndexNames(clusterService.state(), indicesOptions, "*")));
- } else {
+ } else {
return allIndices;
}
}
-
+
public boolean isAllIndicesEmpty() {
return allIndices.isEmpty();
}
@@ -711,7 +711,7 @@ private boolean getOrReplaceAllIndices(final Object request, final IndicesProvid
}
private IndicesOptions indicesOptionsFrom(Object localRequest) {
-
+
if(!respectRequestIndicesOptions) {
return IndicesOptions.fromOptions(false, true, true, false, true);
}
diff --git a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
index 0fd88e7565..a7620f6bdc 100644
--- a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
@@ -92,9 +92,9 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
public void accept(RestChannel channel) throws Exception {
XContentBuilder builder = channel.newBuilder(); //NOSONAR
BytesRestResponse response = null;
-
+
try {
-
+
final User user = (User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
builder.startObject();
@@ -131,6 +131,6 @@ public void accept(RestChannel channel) throws Exception {
public String getName() {
return "Kibana Info Action";
}
-
-
+
+
}
diff --git a/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java b/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java
index b88d2700c9..17d5ee122f 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java
@@ -67,7 +67,7 @@ public List routes() {
@Override
protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
return new RestChannelConsumer() {
-
+
final String mode = request.param("mode","strict");
@Override
@@ -76,8 +76,8 @@ public void accept(RestChannel channel) throws Exception {
RestStatus restStatus = RestStatus.OK;
BytesRestResponse response = null;
try {
-
-
+
+
String status = "UP";
String message = null;
@@ -98,12 +98,12 @@ public void accept(RestChannel channel) throws Exception {
} finally {
builder.close();
}
-
-
+
+
channel.sendResponse(response);
}
-
-
+
+
};
}
diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
index f8e03da5d2..7867e8790d 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
@@ -88,12 +88,12 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
public void accept(RestChannel channel) throws Exception {
XContentBuilder builder = channel.newBuilder(); //NOSONAR
BytesRestResponse response = null;
-
+
try {
-
+
final boolean verbose = request.paramAsBoolean("verbose", false);
-
+
final X509Certificate[] certs = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PEER_CERTIFICATES);
final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
final TransportAddress remoteAddress = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
@@ -112,7 +112,7 @@ public void accept(RestChannel channel) throws Exception {
builder.field("principal", (String)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL));
builder.field("peer_certificates", certs != null && certs.length > 0 ? certs.length + "" : "0");
builder.field("sso_logout_url", (String)threadContext.getTransient(ConfigConstants.SSO_LOGOUT_URL));
-
+
if(user != null && verbose) {
try {
builder.field("size_of_user", RamUsageEstimator.humanReadableUnits(Base64Helper.serializeObject(user).length()));
@@ -122,8 +122,8 @@ public void accept(RestChannel channel) throws Exception {
//ignore
}
}
-
-
+
+
builder.endObject();
response = new BytesRestResponse(RestStatus.OK, builder);
@@ -144,7 +144,7 @@ public void accept(RestChannel channel) throws Exception {
}
};
}
-
+
@Override
public String getName() {
return "OpenSearch Security Info Action";
diff --git a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
index 266d2edf49..f7b2a606c6 100644
--- a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
@@ -78,7 +78,7 @@ public class TenantInfoAction extends BaseRestHandler {
private final AdminDNs adminDns;
private final ConfigurationRepository configurationRepository;
- public TenantInfoAction(final Settings settings, final RestController controller,
+ public TenantInfoAction(final Settings settings, final RestController controller,
final PrivilegesEvaluator evaluator, final ThreadPool threadPool, final ClusterService clusterService, final AdminDNs adminDns,
final ConfigurationRepository configurationRepository) {
super();
@@ -102,18 +102,18 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
public void accept(RestChannel channel) throws Exception {
XContentBuilder builder = channel.newBuilder(); //NOSONAR
BytesRestResponse response = null;
-
+
try {
final User user = (User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-
+
//only allowed for admins or the kibanaserveruser
if(!isAuthorized()) {
response = new BytesRestResponse(RestStatus.FORBIDDEN,"");
} else {
builder.startObject();
-
+
final SortedMap lookup = clusterService.state().metadata().getIndicesLookup();
for(final String indexOrAlias: lookup.keySet()) {
final String tenant = tenantNameForIndex(indexOrAlias);
@@ -123,7 +123,7 @@ public void accept(RestChannel channel) throws Exception {
}
builder.endObject();
-
+
response = new BytesRestResponse(RestStatus.OK, builder);
}
} catch (final Exception e1) {
@@ -179,21 +179,21 @@ private final SecurityDynamicConfiguration> load(final CType config, boolean l
private String tenantNameForIndex(String index) {
String[] indexParts;
- if(index == null
+ if(index == null
|| (indexParts = index.split("_")).length != 3
) {
return null;
}
-
-
+
+
if(!indexParts[0].equals(evaluator.dashboardsIndex())) {
return null;
}
-
+
try {
final int expectedHash = Integer.parseInt(indexParts[1]);
final String sanitizedName = indexParts[2];
-
+
for(String tenant: evaluator.getAllConfiguredTenantNames()) {
if(tenant.hashCode() == expectedHash && sanitizedName.equals(tenant.toLowerCase().replaceAll("[^a-z0-9]+",""))) {
return tenant;
@@ -211,6 +211,6 @@ private String tenantNameForIndex(String index) {
public String getName() {
return "Tenant Info Action";
}
-
-
+
+
}
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
index 987b8fac64..7a978034f1 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
@@ -83,9 +83,9 @@ public ConfigModelV6(
SecurityDynamicConfiguration rolesmapping,
DynamicConfigModel dcm,
Settings opensearchSettings) {
-
+
this.roles = roles;
-
+
try {
rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(
opensearchSettings.get(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString())
@@ -94,13 +94,13 @@ public ConfigModelV6(
log.error("Cannot apply roles mapping resolution", e);
rolesMappingResolution = ConfigConstants.RolesMappingResolution.MAPPING_ONLY;
}
-
+
agr = reloadActionGroups(actiongroups);
securityRoles = reload(roles);
tenantHolder = new TenantHolder(roles);
roleMappingHolder = new RoleMappingHolder(rolesmapping, dcm.getHostsResolverMode());
}
-
+
public Set getAllConfiguredTenantNames() {
final Set configuredTenants = new HashSet<>();
for (Entry securityRole : roles.getCEntries().entrySet()) {
@@ -114,18 +114,18 @@ public Set getAllConfiguredTenantNames() {
return Collections.unmodifiableSet(configuredTenants);
}
-
+
public SecurityRoles getSecurityRoles() {
return securityRoles;
}
-
+
private static interface ActionGroupResolver {
Set resolvedActions(final List actions);
}
-
+
private ActionGroupResolver reloadActionGroups(SecurityDynamicConfiguration actionGroups) {
return new ActionGroupResolver() {
-
+
private Set getGroupMembers(final String groupname) {
if (actionGroups == null) {
@@ -134,27 +134,27 @@ private Set getGroupMembers(final String groupname) {
return Collections.unmodifiableSet(resolve(actionGroups, groupname));
}
-
+
private Set resolve(final SecurityDynamicConfiguration> actionGroups, final String entry) {
-
+
// SG5 format, plain array
//List en = actionGroups.getAsList(DotPath.of(entry));
//if (en.isEmpty()) {
// try SG6 format including readonly and permissions key
// en = actionGroups.getAsList(DotPath.of(entry + "." + ConfigConstants.CONFIGKEY_ACTION_GROUPS_PERMISSIONS));
//}
-
+
if(!actionGroups.getCEntries().containsKey(entry)) {
return Collections.emptySet();
}
-
+
final Set ret = new HashSet();
-
+
final Object actionGroupAsObject = actionGroups.getCEntries().get(entry);
-
+
if(actionGroupAsObject != null && actionGroupAsObject instanceof List) {
-
+
for (final String perm: ((List) actionGroupAsObject)) {
if (actionGroups.getCEntries().keySet().contains(perm)) {
ret.addAll(resolve(actionGroups,perm));
@@ -162,8 +162,8 @@ private Set resolve(final SecurityDynamicConfiguration> actionGroups,
ret.add(perm);
}
}
-
-
+
+
} else if(actionGroupAsObject != null && actionGroupAsObject instanceof ActionGroupsV6) {
for (final String perm: ((ActionGroupsV6) actionGroupAsObject).getPermissions()) {
if (actionGroups.getCEntries().keySet().contains(perm)) {
@@ -175,10 +175,10 @@ private Set resolve(final SecurityDynamicConfiguration> actionGroups,
} else {
throw new RuntimeException("Unable to handle "+actionGroupAsObject);
}
-
+
return Collections.unmodifiableSet(ret);
}
-
+
@Override
public Set resolvedActions(final List actions) {
final Set resolvedActions = new HashSet();
@@ -208,7 +208,7 @@ private SecurityRoles reload(SecurityDynamicConfiguration settings) {
@Override
public SecurityRole call() throws Exception {
SecurityRole _securityRole = new SecurityRole(securityRole.getKey());
-
+
if(securityRole.getValue() == null) {
return null;
}
@@ -261,8 +261,8 @@ public SecurityRole call() throws Exception {
_securityRole.addIndexPattern(_indexPattern);
}
-
-
+
+
return _securityRole;
}
});
@@ -352,7 +352,7 @@ public Set getRoles() {
public Set getRoleNames() {
return getRoles().stream().map(r -> r.getName()).collect(Collectors.toSet());
}
-
+
public SecurityRoles filter(Set keep) {
final SecurityRoles retVal = new SecurityRoles(roles.size());
for (SecurityRole sr : roles) {
@@ -371,7 +371,7 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
final Map> dlsQueries = new HashMap>();
final Map> flsFields = new HashMap>();
final Map> maskedFieldsMap = new HashMap>();
-
+
for (SecurityRole sr : roles) {
for (IndexPattern ip : sr.getIpatterns()) {
final Set fls = ip.getFls();
@@ -423,7 +423,7 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
}
}
}
-
+
if (maskedFields != null && maskedFields.size() > 0) {
if (maskedFieldsMap.containsKey(indexPattern)) {
@@ -444,7 +444,7 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
}
}
}
-
+
return new EvaluatedDlsFlsConfig(dlsQueries, flsFields, maskedFieldsMap);
}
@@ -1010,10 +1010,10 @@ private static boolean impliesTypePerm(Set ipatterns, Resolved res
);
}
-
-
+
+
//#######
-
+
private class TenantHolder {
private SetMultimap> tenantsMM = null;
@@ -1024,7 +1024,7 @@ public TenantHolder(SecurityDynamicConfiguration roles) {
final ExecutorService execs = Executors.newFixedThreadPool(10);
for(Entry securityRole: roles.getCEntries().entrySet()) {
-
+
if(securityRole.getValue() == null) {
continue;
}
@@ -1036,7 +1036,7 @@ public Tuple>> call() throws Exception {
final Map tenants = securityRole.getValue().getTenants();
if (tenants != null) {
-
+
for (String tenant : tenants.keySet()) {
if ("RW".equalsIgnoreCase(tenants.get(tenant))) {
@@ -1125,7 +1125,7 @@ private class RoleMappingHolder {
private RoleMappingHolder(final SecurityDynamicConfiguration rolesMapping, final String hostResolverMode) {
this.hostResolverMode = hostResolverMode;
-
+
if (rolesMapping != null) {
users = ArrayListMultimap.create();
@@ -1228,10 +1228,10 @@ private Set map(final User user, final TransportAddress caller) {
}
}
-
-
-
-
+
+
+
+
public Map mapTenants(User user, Set roles) {
return tenantHolder.mapTenants(user, roles);
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
index 1e2adee1db..560cfb8a6d 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
@@ -92,7 +92,7 @@ public ConfigModelV7(
this.roles = roles;
this.tenants = tenants;
-
+
try {
rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(
opensearchSettings.get(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString())
@@ -111,18 +111,18 @@ public ConfigModelV7(
public Set getAllConfiguredTenantNames() {
return Collections.unmodifiableSet(tenants.getCEntries().keySet());
}
-
+
public SecurityRoles getSecurityRoles() {
return securityRoles;
}
-
+
private static interface ActionGroupResolver {
Set resolvedActions(final List actions);
}
private ActionGroupResolver reloadActionGroups(SecurityDynamicConfiguration actionGroups) {
return new ActionGroupResolver() {
-
+
private Set getGroupMembers(final String groupname) {
if (actionGroups == null) {
@@ -131,27 +131,27 @@ private Set getGroupMembers(final String groupname) {
return Collections.unmodifiableSet(resolve(actionGroups, groupname));
}
-
+
private Set resolve(final SecurityDynamicConfiguration> actionGroups, final String entry) {
-
+
// SG5 format, plain array
//List en = actionGroups.getAsList(DotPath.of(entry));
//if (en.isEmpty()) {
// try SG6 format including readonly and permissions key
// en = actionGroups.getAsList(DotPath.of(entry + "." + ConfigConstants.CONFIGKEY_ACTION_GROUPS_PERMISSIONS));
//}
-
+
if(!actionGroups.getCEntries().containsKey(entry)) {
return Collections.emptySet();
}
-
+
final Set ret = new HashSet();
-
+
final Object actionGroupAsObject = actionGroups.getCEntries().get(entry);
-
+
if(actionGroupAsObject != null && actionGroupAsObject instanceof List) {
-
+
for (final String perm: ((List) actionGroupAsObject)) {
if (actionGroups.getCEntries().keySet().contains(perm)) {
ret.addAll(resolve(actionGroups,perm));
@@ -159,8 +159,8 @@ private Set resolve(final SecurityDynamicConfiguration> actionGroups,
ret.add(perm);
}
}
-
-
+
+
} else if(actionGroupAsObject != null && actionGroupAsObject instanceof ActionGroupsV7) {
for (final String perm: ((ActionGroupsV7) actionGroupAsObject).getAllowed_actions()) {
if (actionGroups.getCEntries().keySet().contains(perm)) {
@@ -172,10 +172,10 @@ private Set resolve(final SecurityDynamicConfiguration> actionGroups,
} else {
throw new RuntimeException("Unable to handle "+actionGroupAsObject);
}
-
+
return Collections.unmodifiableSet(ret);
}
-
+
@Override
public Set resolvedActions(final List actions) {
final Set resolvedActions = new HashSet();
@@ -205,7 +205,7 @@ private SecurityRoles reload(SecurityDynamicConfiguration settings) {
@Override
public SecurityRole call() throws Exception {
SecurityRole.Builder _securityRole = new SecurityRole.Builder(securityRole.getKey());
-
+
if(securityRole.getValue() == null) {
return null;
}
@@ -238,21 +238,21 @@ public SecurityRole call() throws Exception {
_indexPattern.addFlsFields(fls);
_indexPattern.addMaskedFields(maskedFields);
_indexPattern.addPerm(agr.resolvedActions(permittedAliasesIndex.getAllowed_actions()));
-
+
/*for(Entry> type: permittedAliasesIndex.getValue().getTypes(-).entrySet()) {
TypePerm typePerm = new TypePerm(type.getKey());
final List perms = type.getValue();
typePerm.addPerms(agr.resolvedActions(perms));
_indexPattern.addTypePerms(typePerm);
}*/
-
+
_securityRole.addIndexPattern(_indexPattern);
-
+
}
}
-
-
+
+
return _securityRole.build();
}
});
@@ -339,7 +339,7 @@ public String toString() {
public Set getRoles() {
return Collections.unmodifiableSet(roles);
}
-
+
public Set getRoleNames() {
return getRoles().stream().map(r -> r.getName()).collect(Collectors.toSet());
}
@@ -367,8 +367,8 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
return EvaluatedDlsFlsConfig.EMPTY;
}
-
- Map> dlsQueriesByIndex = new HashMap>();
+
+ Map> dlsQueriesByIndex = new HashMap>();
Map> flsFields = new HashMap>();
Map> maskedFieldsMap = new HashMap>();
@@ -379,7 +379,7 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
Set noDlsConcreteIndices = new HashSet<>();
Set noFlsConcreteIndices = new HashSet<>();
Set noMaskedFieldConcreteIndices = new HashSet<>();
-
+
for (SecurityRole role : roles) {
for (IndexPattern ip : role.getIpatterns()) {
final Set concreteIndices = ip.concreteIndexNames(user, resolver, cs);
@@ -409,12 +409,12 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll,
} else if (dfmEmptyOverwritesAll) {
noFlsConcreteIndices.addAll(concreteIndices);
}
-
+
Set maskedFields = ip.getMaskedFields();
if (maskedFields != null && maskedFields.size() > 0) {
- for (String concreteIndex : concreteIndices) {
+ for (String concreteIndex : concreteIndices) {
if (maskedFieldsMap.containsKey(concreteIndex)) {
maskedFieldsMap.get(concreteIndex).addAll(Sets.newHashSet(maskedFields));
} else {
@@ -498,7 +498,7 @@ public boolean impliesTypePermGlobal(Resolved resolved, User user, String[] acti
roles.stream().forEach(p -> ipatterns.addAll(p.getIpatterns()));
return ConfigModelV7.impliesTypePerm(ipatterns, resolved, user, actions, resolver, cs);
}
-
+
private boolean containsDlsFlsConfig() {
for (SecurityRole role : roles) {
for (IndexPattern ip : role.getIpatterns()) {
@@ -562,7 +562,7 @@ private Set getAllResolvedPermittedIndices(Resolved resolved, User user,
for (IndexPattern p : ipatterns) {
//what if we cannot resolve one (for create purposes)
final boolean patternMatch = p.getPerms().matchAll(actions);
-
+
// final Set tperms = p.getTypePerms();
// for (TypePerm tp : tperms) {
// if (WildcardMatcher.matchAny(tp.typePattern, resolved.getTypes(-).toArray(new String[0]))) {
@@ -810,7 +810,7 @@ public String getDlsQuery(User user) {
public boolean hasDlsQuery() {
return dlsQuery != null && !dlsQuery.isEmpty();
}
-
+
public Set getFls() {
return Collections.unmodifiableSet(fls);
}
@@ -818,7 +818,7 @@ public Set getFls() {
public boolean hasFlsFields() {
return fls != null && !fls.isEmpty();
}
-
+
public Set getMaskedFields() {
return Collections.unmodifiableSet(maskedFields);
}
@@ -826,12 +826,12 @@ public Set getMaskedFields() {
public boolean hasMaskedFields() {
return maskedFields != null && !maskedFields.isEmpty();
}
-
+
public WildcardMatcher getPerms() {
return WildcardMatcher.from(perms);
}
-
+
}
/*public static class TypePerm {
@@ -1033,7 +1033,7 @@ private static boolean impliesTypePerm(Set ipatterns, Resolved res
)
);
}
-
+
private class TenantHolder {
private SetMultimap> tenantsMM = null;
@@ -1055,7 +1055,7 @@ public Tuple>> call() throws Exception {
final Set> tuples = new HashSet<>();
final List tenants = securityRole.getValue().getTenant_permissions();
if (tenants != null) {
-
+
for (RoleV7.Tenant tenant : tenants) {
// find Wildcarded tenant patterns
@@ -1166,7 +1166,7 @@ private class RoleMappingHolder {
private RoleMappingHolder(final SecurityDynamicConfiguration rolemappings, final String hostResolverMode) {
this.hostResolverMode = hostResolverMode;
-
+
if (roles != null) {
users = ArrayListMultimap.create();
@@ -1267,10 +1267,10 @@ private Set map(final User user, final TransportAddress caller) {
}
}
-
-
-
-
+
+
+
+
public Map mapTenants(User user, Set roles) {
return tenantHolder.mapTenants(user, roles);
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
index 262eb37cf8..9d8c36576c 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
@@ -117,7 +117,7 @@ public final static SecurityDynamicConfiguration> addStatics(SecurityDynamicCo
return original;
}
-
+
protected final Logger log = LogManager.getLogger(this.getClass());
private final ConfigurationRepository cr;
private final AtomicBoolean initialized = new AtomicBoolean();
@@ -127,7 +127,7 @@ public final static SecurityDynamicConfiguration> addStatics(SecurityDynamicCo
private final InternalAuthenticationBackend iab = new InternalAuthenticationBackend();
SecurityDynamicConfiguration> config;
-
+
public DynamicConfigFactory(ConfigurationRepository cr, final Settings opensearchSettings,
final Path configPath, Client client, ThreadPool threadPool, ClusterInfoHolder cih) {
super();
@@ -144,11 +144,11 @@ public DynamicConfigFactory(ConfigurationRepository cr, final Settings opensearc
} else {
log.info("Static resources will not be loaded.");
}
-
+
registerDCFListener(this.iab);
this.cr.subscribeOnChange(this);
}
-
+
@Override
public void onChange(Map> typeToConfig) {
@@ -187,7 +187,7 @@ public void onChange(Map> typeToConfig) {
if(config.getImplementingClass() == ConfigV7.class) {
//statics
-
+
if(roles.containsAny(staticRoles)) {
throw new StaticResourceException("Cannot override static roles");
}
@@ -205,24 +205,24 @@ public void onChange(Map> typeToConfig) {
if(!actionGroups.add(staticActionGroups) && !staticActionGroups.getCEntries().isEmpty()) {
throw new StaticResourceException("Unable to load static action groups");
}
-
+
log.debug("Static action groups loaded ({})", staticActionGroups.getCEntries().size());
-
+
if(tenants.containsAny(staticTenants)) {
throw new StaticResourceException("Cannot override static tenants");
}
if(!tenants.add(staticTenants) && !staticTenants.getCEntries().isEmpty()) {
throw new StaticResourceException("Unable to load static tenants");
}
-
+
log.debug("Static tenants loaded ({})", staticTenants.getCEntries().size());
log.debug("Static configuration loaded (total roles: {}/total action groups: {}/total tenants: {})",
roles.getCEntries().size(), actionGroups.getCEntries().size(), tenants.getCEntries().size());
-
+
//rebuild v7 Models
dcm = new DynamicConfigModelV7(getConfigV7(config), opensearchSettings, configPath, iab);
@@ -252,26 +252,26 @@ public void onChange(Map> typeToConfig) {
}
initialized.set(true);
-
+
}
-
+
private static ConfigV6 getConfigV6(SecurityDynamicConfiguration> sdc) {
@SuppressWarnings("unchecked")
SecurityDynamicConfiguration c = (SecurityDynamicConfiguration) sdc;
return c.getCEntry("opendistro_security");
}
-
+
private static ConfigV7 getConfigV7(SecurityDynamicConfiguration> sdc) {
@SuppressWarnings("unchecked")
SecurityDynamicConfiguration c = (SecurityDynamicConfiguration) sdc;
return c.getCEntry("config");
}
-
+
@Override
public final boolean isInitialized() {
return initialized.get();
}
-
+
public void registerDCFListener(Object listener) {
eventBus.register(listener);
}
@@ -279,15 +279,15 @@ public void registerDCFListener(Object listener) {
public void unregisterDCFListener(Object listener) {
eventBus.unregister(listener);
}
-
+
private static class InternalUsersModelV7 extends InternalUsersModel {
-
+
private final SecurityDynamicConfiguration internalUserV7SecurityDynamicConfiguration;
private final SecurityDynamicConfiguration rolesV7SecurityDynamicConfiguration;
private final SecurityDynamicConfiguration rolesMappingsV7SecurityDynamicConfiguration;
-
+
public InternalUsersModelV7(SecurityDynamicConfiguration internalUserV7SecurityDynamicConfiguration,
SecurityDynamicConfiguration rolesV7SecurityDynamicConfiguration,
SecurityDynamicConfiguration rolesMappingsV7SecurityDynamicConfiguration) {
@@ -325,7 +325,7 @@ public String getHash(String user) {
InternalUserV7 tmp = internalUserV7SecurityDynamicConfiguration.getCEntry(user);
return tmp==null?null:tmp.getHash();
}
-
+
public List getSecurityRoles(String user) {
InternalUserV7 tmp = internalUserV7SecurityDynamicConfiguration.getCEntry(user);
@@ -341,11 +341,11 @@ private boolean isRolesMappingHidden(String rolename) {
return roleMapping!=null && roleMapping.isHidden();
}
}
-
+
private static class InternalUsersModelV6 extends InternalUsersModel {
-
+
SecurityDynamicConfiguration configuration;
-
+
public InternalUsersModelV6(SecurityDynamicConfiguration configuration) {
super();
@@ -379,7 +379,7 @@ public String getHash(String user) {
InternalUserV6 tmp = configuration.getCEntry(user);
return tmp==null?null:tmp.getHash();
}
-
+
public List getSecurityRoles(String user) {
return Collections.emptyList();
}
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java
index 8b273be122..f6ebb22ce5 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java
@@ -54,7 +54,7 @@
import org.opensearch.security.http.proxy.HTTPExtendedProxyAuthenticator;
public abstract class DynamicConfigModel {
-
+
protected final Logger log = LogManager.getLogger(this.getClass());
public abstract SortedSet getRestAuthDomains();
public abstract Set getRestAuthorizers();
@@ -76,17 +76,16 @@ public abstract class DynamicConfigModel {
public abstract String getFilteredAliasMode();
public abstract String getHostsResolverMode();
public abstract boolean isDnfofForEmptyResultsEnabled();
-
+
public abstract List getIpAuthFailureListeners();
public abstract Multimap getAuthBackendFailureListeners();
public abstract List> getIpClientBlockRegistries();
public abstract Multimap> getAuthBackendClientBlockRegistries();
- public abstract Settings getDynamicOnBehalfOfSettings();
protected final Map authImplMap = new HashMap<>();
public DynamicConfigModel() {
super();
-
+
authImplMap.put("intern_c", InternalAuthenticationBackend.class.getName());
authImplMap.put("intern_z", NoOpAuthorizationBackend.class.getName());
@@ -98,7 +97,7 @@ public DynamicConfigModel() {
authImplMap.put("ldap_c", "com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend");
authImplMap.put("ldap_z", "com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend");
-
+
authImplMap.put("ldap2_c", "com.amazon.dlic.auth.ldap2.LDAPAuthenticationBackend2");
authImplMap.put("ldap2_z", "com.amazon.dlic.auth.ldap2.LDAPAuthorizationBackend2");
@@ -110,11 +109,11 @@ public DynamicConfigModel() {
authImplMap.put("jwt_h", "com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator");
authImplMap.put("openid_h", "com.amazon.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator");
authImplMap.put("saml_h", "com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator");
-
+
authImplMap.put("ip_authFailureListener", AddressBasedRateLimiter.class.getName());
authImplMap.put("username_authFailureListener", UserNameBasedRateLimiter.class.getName());
}
-
-
-
+
+
+
}
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
index 1e6467ae6f..2dce89ba7c 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
@@ -62,7 +62,7 @@
import org.opensearch.security.support.ReflectionHelper;
public class DynamicConfigModelV6 extends DynamicConfigModel {
-
+
private final ConfigV6 config;
private final Settings opensearchSettings;
private final Path configPath;
@@ -72,12 +72,12 @@ public class DynamicConfigModelV6 extends DynamicConfigModel {
private Set transportAuthorizers;
private List destroyableComponents;
private final InternalAuthenticationBackend iab;
-
+
private List ipAuthFailureListeners;
private Multimap authBackendFailureListeners;
private List> ipClientBlockRegistries;
private Multimap> authBackendClientBlockRegistries;
-
+
public DynamicConfigModelV6(ConfigV6 config, Settings opensearchSettings, Path configPath, InternalAuthenticationBackend iab) {
super();
this.config = config;
@@ -158,7 +158,7 @@ public boolean isMultiRolespanEnabled() {
public String getFilteredAliasMode() {
return config.dynamic.filtered_alias_mode;
}
-
+
@Override
public boolean isDnfofForEmptyResultsEnabled() {
return config.dynamic.do_not_fail_on_forbidden_empty;
@@ -168,34 +168,29 @@ public boolean isDnfofForEmptyResultsEnabled() {
public String getHostsResolverMode() {
return config.dynamic.hosts_resolver_mode;
}
-
+
@Override
public List getIpAuthFailureListeners() {
return Collections.unmodifiableList(ipAuthFailureListeners);
}
-
+
@Override
public Multimap getAuthBackendFailureListeners() {
return Multimaps.unmodifiableMultimap(authBackendFailureListeners);
}
-
+
@Override
public List> getIpClientBlockRegistries() {
return Collections.unmodifiableList(ipClientBlockRegistries);
}
-
+
@Override
public Multimap> getAuthBackendClientBlockRegistries() {
return Multimaps.unmodifiableMultimap(authBackendClientBlockRegistries);
}
- @Override
- public Settings getDynamicOnBehalfOfSettings() {
- return Settings.EMPTY;
- }
-
private void buildAAA() {
-
+
final SortedSet restAuthDomains0 = new TreeSet<>();
final Set restAuthorizers0 = new HashSet<>();
final SortedSet transportAuthDomains0 = new TreeSet<>();
@@ -219,7 +214,7 @@ private void buildAAA() {
final String authzBackendClazz = ad.getValue().authorization_backend.type;
final AuthorizationBackend authorizationBackend;
-
+
if(authzBackendClazz.equals(InternalAuthenticationBackend.class.getName()) //NOSONAR
|| authzBackendClazz.equals("internal")
|| authzBackendClazz.equals("intern")) {
@@ -234,7 +229,7 @@ private void buildAAA() {
.put(Settings.builder().loadFromSource(ad.getValue().authorization_backend.configAsJson(), XContentType.JSON).build()).build()
, configPath);
}
-
+
if (httpEnabled) {
restAuthorizers0.add(authorizationBackend);
}
@@ -242,7 +237,7 @@ private void buildAAA() {
if (transportEnabled) {
transportAuthorizers0.add(authorizationBackend);
}
-
+
if (authorizationBackend instanceof Destroyable) {
destroyableComponents0.add((Destroyable) authorizationBackend);
}
@@ -281,7 +276,7 @@ private void buildAAA() {
String httpAuthenticatorType = ad.getValue().http_authenticator.type; //no default
HTTPAuthenticator httpAuthenticator = httpAuthenticatorType==null?null: (HTTPAuthenticator) newInstance(httpAuthenticatorType,"h",
Settings.builder().put(opensearchSettings)
- //.putProperties(ads.getAsStringMap(DotPath.of("http_authenticator.config")), DynamicConfiguration.checkKeyFunction()).build(),
+ //.putProperties(ads.getAsStringMap(DotPath.of("http_authenticator.config")), DynamicConfiguration.checkKeyFunction()).build(),
.put(Settings.builder().loadFromSource(ad.getValue().http_authenticator.configAsJson(), XContentType.JSON).build()).build()
, configPath);
@@ -296,15 +291,15 @@ private void buildAAA() {
if (transportEnabled) {
transportAuthDomains0.add(_ad);
}
-
+
if (httpAuthenticator instanceof Destroyable) {
destroyableComponents0.add((Destroyable) httpAuthenticator);
}
-
+
if (authenticationBackend instanceof Destroyable) {
destroyableComponents0.add((Destroyable) authenticationBackend);
}
-
+
} catch (final Exception e) {
log.error("Unable to initialize auth domain {} due to {}", ad, e.toString(), e);
}
@@ -313,30 +308,30 @@ private void buildAAA() {
}
List originalDestroyableComponents = destroyableComponents;
-
+
restAuthDomains = Collections.unmodifiableSortedSet(restAuthDomains0);
transportAuthDomains = Collections.unmodifiableSortedSet(transportAuthDomains0);
restAuthorizers = Collections.unmodifiableSet(restAuthorizers0);
transportAuthorizers = Collections.unmodifiableSet(transportAuthorizers0);
-
+
destroyableComponents = Collections.unmodifiableList(destroyableComponents0);
-
+
if(originalDestroyableComponents != null) {
destroyDestroyables(originalDestroyableComponents);
}
-
+
originalDestroyableComponents = null;
-
+
createAuthFailureListeners(ipAuthFailureListeners0,
authBackendFailureListeners0, ipClientBlockRegistries0, authBackendClientBlockRegistries0, destroyableComponents0);
-
+
ipAuthFailureListeners = Collections.unmodifiableList(ipAuthFailureListeners0);
ipClientBlockRegistries = Collections.unmodifiableList(ipClientBlockRegistries0);
authBackendClientBlockRegistries = Multimaps.unmodifiableMultimap(authBackendClientBlockRegistries0);
authBackendFailureListeners = Multimaps.unmodifiableMultimap(authBackendFailureListeners0);
}
-
+
private void destroyDestroyables(List destroyableComponents) {
for (Destroyable destroyable : destroyableComponents) {
try {
@@ -346,7 +341,7 @@ private void destroyDestroyables(List destroyableComponents) {
}
}
}
-
+
private T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) {
String clazz = clazzOrShortcut;
@@ -357,7 +352,7 @@ private T newInstance(final String clazzOrShortcut, String type, final Setti
return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
}
-
+
private String translateShortcutToClassName(final String clazzOrShortcut, final String type) {
if (authImplMap.containsKey(clazzOrShortcut + "_" + type)) {
@@ -366,17 +361,17 @@ private String translateShortcutToClassName(final String clazzOrShortcut, final
return clazzOrShortcut;
}
}
-
+
private void createAuthFailureListeners(List ipAuthFailureListeners,
Multimap authBackendFailureListeners, List> ipClientBlockRegistries,
Multimap> authBackendUserClientBlockRegistries, List destroyableComponents0) {
for (Entry entry : config.dynamic.auth_failure_listeners.getListeners().entrySet()) {
-
+
Settings entrySettings = Settings.builder()
.put(opensearchSettings)
.put(Settings.builder().loadFromSource(entry.getValue().asJson(), XContentType.JSON).build()).build();
-
+
String type = entry.getValue().type;
String authenticationBackend = entry.getValue().authentication_backend;
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
index c3e3792c5c..8e92675dcc 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
@@ -62,7 +62,7 @@
import org.opensearch.security.support.ReflectionHelper;
public class DynamicConfigModelV7 extends DynamicConfigModel {
-
+
private final ConfigV7 config;
private final Settings opensearchSettings;
private final Path configPath;
@@ -77,7 +77,7 @@ public class DynamicConfigModelV7 extends DynamicConfigModel {
private Multimap authBackendFailureListeners;
private List> ipClientBlockRegistries;
private Multimap> authBackendClientBlockRegistries;
-
+
public DynamicConfigModelV7(ConfigV7 config, Settings opensearchSettings, Path configPath, InternalAuthenticationBackend iab) {
super();
this.config = config;
@@ -163,41 +163,35 @@ public String getFilteredAliasMode() {
public String getHostsResolverMode() {
return config.dynamic.hosts_resolver_mode;
}
-
+
@Override
public boolean isDnfofForEmptyResultsEnabled() {
return config.dynamic.do_not_fail_on_forbidden_empty;
}
-
+
@Override
public List getIpAuthFailureListeners() {
return Collections.unmodifiableList(ipAuthFailureListeners);
}
-
+
@Override
public Multimap getAuthBackendFailureListeners() {
return Multimaps.unmodifiableMultimap(authBackendFailureListeners);
}
-
+
@Override
public List> getIpClientBlockRegistries() {
return Collections.unmodifiableList(ipClientBlockRegistries);
}
-
+
@Override
public Multimap> getAuthBackendClientBlockRegistries() {
return Multimaps.unmodifiableMultimap(authBackendClientBlockRegistries);
}
- @Override
- public Settings getDynamicOnBehalfOfSettings() {
- return Settings.builder()
- .put(Settings.builder().loadFromSource(config.dynamic.on_behalf_of.configAsJson(), XContentType.JSON).build())
- .build();
- }
-
+
private void buildAAA() {
-
+
final SortedSet restAuthDomains0 = new TreeSet<>();
final Set restAuthorizers0 = new HashSet<>();
final SortedSet transportAuthDomains0 = new TreeSet<>();
@@ -220,7 +214,7 @@ private void buildAAA() {
final String authzBackendClazz = ad.getValue().authorization_backend.type;
final AuthorizationBackend authorizationBackend;
-
+
if(authzBackendClazz.equals(InternalAuthenticationBackend.class.getName()) //NOSONAR
|| authzBackendClazz.equals("internal")
|| authzBackendClazz.equals("intern")) {
@@ -235,7 +229,7 @@ private void buildAAA() {
.put(Settings.builder().loadFromSource(ad.getValue().authorization_backend.configAsJson(), XContentType.JSON).build()).build()
, configPath);
}
-
+
if (httpEnabled) {
restAuthorizers0.add(authorizationBackend);
}
@@ -243,7 +237,7 @@ private void buildAAA() {
if (transportEnabled) {
transportAuthorizers0.add(authorizationBackend);
}
-
+
if (authorizationBackend instanceof Destroyable) {
destroyableComponents0.add((Destroyable) authorizationBackend);
}
@@ -281,7 +275,7 @@ private void buildAAA() {
String httpAuthenticatorType = ad.getValue().http_authenticator.type; //no default
HTTPAuthenticator httpAuthenticator = httpAuthenticatorType==null?null: (HTTPAuthenticator) newInstance(httpAuthenticatorType,"h",
Settings.builder().put(opensearchSettings)
- //.putProperties(ads.getAsStringMap(DotPath.of("http_authenticator.config")), DynamicConfiguration.checkKeyFunction()).build(),
+ //.putProperties(ads.getAsStringMap(DotPath.of("http_authenticator.config")), DynamicConfiguration.checkKeyFunction()).build(),
.put(Settings.builder().loadFromSource(ad.getValue().http_authenticator.configAsJson(), XContentType.JSON).build()).build()
, configPath);
@@ -296,15 +290,15 @@ private void buildAAA() {
if (transportEnabled) {
transportAuthDomains0.add(_ad);
}
-
+
if (httpAuthenticator instanceof Destroyable) {
destroyableComponents0.add((Destroyable) httpAuthenticator);
}
-
+
if (authenticationBackend instanceof Destroyable) {
destroyableComponents0.add((Destroyable) authenticationBackend);
}
-
+
} catch (final Exception e) {
log.error("Unable to initialize auth domain {} due to {}", ad, e.toString(), e);
}
@@ -313,23 +307,23 @@ private void buildAAA() {
}
List originalDestroyableComponents = destroyableComponents;
-
+
restAuthDomains = Collections.unmodifiableSortedSet(restAuthDomains0);
transportAuthDomains = Collections.unmodifiableSortedSet(transportAuthDomains0);
restAuthorizers = Collections.unmodifiableSet(restAuthorizers0);
transportAuthorizers = Collections.unmodifiableSet(transportAuthorizers0);
-
+
destroyableComponents = Collections.unmodifiableList(destroyableComponents0);
-
+
if(originalDestroyableComponents != null) {
destroyDestroyables(originalDestroyableComponents);
}
-
+
originalDestroyableComponents = null;
createAuthFailureListeners(ipAuthFailureListeners0,
authBackendFailureListeners0, ipClientBlockRegistries0, authBackendClientBlockRegistries0, destroyableComponents0);
-
+
ipAuthFailureListeners = Collections.unmodifiableList(ipAuthFailureListeners0);
ipClientBlockRegistries = Collections.unmodifiableList(ipClientBlockRegistries0);
authBackendClientBlockRegistries = Multimaps.unmodifiableMultimap(authBackendClientBlockRegistries0);
@@ -346,7 +340,7 @@ private void destroyDestroyables(List destroyableComponents) {
}
}
}
-
+
private T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) {
String clazz = clazzOrShortcut;
@@ -357,7 +351,7 @@ private T newInstance(final String clazzOrShortcut, String type, final Setti
return ReflectionHelper.instantiateAAA(clazz, settings, configPath);
}
-
+
private String translateShortcutToClassName(final String clazzOrShortcut, final String type) {
if (authImplMap.containsKey(clazzOrShortcut + "_" + type)) {
@@ -366,17 +360,17 @@ private String translateShortcutToClassName(final String clazzOrShortcut, final
return clazzOrShortcut;
}
}
-
+
private void createAuthFailureListeners(List ipAuthFailureListeners,
Multimap authBackendFailureListeners, List> ipClientBlockRegistries,
Multimap> authBackendUserClientBlockRegistries, List destroyableComponents0) {
for (Entry entry : config.dynamic.auth_failure_listeners.getListeners().entrySet()) {
-
+
Settings entrySettings = Settings.builder()
.put(opensearchSettings)
.put(Settings.builder().loadFromSource(entry.getValue().asJson(), XContentType.JSON).build()).build();
-
+
String type = entry.getValue().type;
String authenticationBackend = entry.getValue().authentication_backend;
diff --git a/src/main/java/org/opensearch/security/securityconf/EvaluatedDlsFlsConfig.java b/src/main/java/org/opensearch/security/securityconf/EvaluatedDlsFlsConfig.java
index 9100e7dd02..8870cb3aad 100644
--- a/src/main/java/org/opensearch/security/securityconf/EvaluatedDlsFlsConfig.java
+++ b/src/main/java/org/opensearch/security/securityconf/EvaluatedDlsFlsConfig.java
@@ -87,7 +87,7 @@ public EvaluatedDlsFlsConfig filter(Resolved indices) {
return this;
} else {
Set allIndices = indices.getAllIndices();
-
+
return new EvaluatedDlsFlsConfig(filter(dlsQueriesByIndex, allIndices), filter(flsByIndex, allIndices),
filter(fieldMaskingByIndex, allIndices));
}
@@ -108,7 +108,7 @@ private Map> filter(Map> map, Set> result = new HashMap<>(map.size());
- for (Map.Entry> entry : map.entrySet()) {
+ for (Map.Entry> entry : map.entrySet()) {
if (WildcardMatcher.from(entry.getKey(), false).matchAny(allIndices)) {
result.put(entry.getKey(), entry.getValue());
}
diff --git a/src/main/java/org/opensearch/security/securityconf/Hideable.java b/src/main/java/org/opensearch/security/securityconf/Hideable.java
index 9b1df8f157..8744575d64 100644
--- a/src/main/java/org/opensearch/security/securityconf/Hideable.java
+++ b/src/main/java/org/opensearch/security/securityconf/Hideable.java
@@ -28,7 +28,7 @@
package org.opensearch.security.securityconf;
public interface Hideable {
-
+
boolean isHidden();
boolean isReserved();
diff --git a/src/main/java/org/opensearch/security/securityconf/Initializable.java b/src/main/java/org/opensearch/security/securityconf/Initializable.java
index fafc717866..ab1a1ebd4a 100644
--- a/src/main/java/org/opensearch/security/securityconf/Initializable.java
+++ b/src/main/java/org/opensearch/security/securityconf/Initializable.java
@@ -28,7 +28,7 @@
package org.opensearch.security.securityconf;
public interface Initializable {
-
+
boolean isInitialized();
}
diff --git a/src/main/java/org/opensearch/security/securityconf/InternalUsersModel.java b/src/main/java/org/opensearch/security/securityconf/InternalUsersModel.java
index 3ff1554a94..41c3116874 100644
--- a/src/main/java/org/opensearch/security/securityconf/InternalUsersModel.java
+++ b/src/main/java/org/opensearch/security/securityconf/InternalUsersModel.java
@@ -31,7 +31,7 @@
import java.util.Map;
public abstract class InternalUsersModel {
-
+
public abstract boolean exists(String user);
public abstract List getBackenRoles(String user);
public abstract Map getAttributes(String user);
diff --git a/src/main/java/org/opensearch/security/securityconf/Migration.java b/src/main/java/org/opensearch/security/securityconf/Migration.java
index 3cb111f11c..ec6a5525b9 100644
--- a/src/main/java/org/opensearch/security/securityconf/Migration.java
+++ b/src/main/java/org/opensearch/security/securityconf/Migration.java
@@ -55,15 +55,15 @@
public class Migration {
-
+
public static Tuple,SecurityDynamicConfiguration> migrateRoles(SecurityDynamicConfiguration r6cs, SecurityDynamicConfiguration rms6) throws MigrationException {
-
+
final SecurityDynamicConfiguration r7 = SecurityDynamicConfiguration.empty();
r7.setCType(r6cs.getCType());
r7.set_meta(new Meta());
r7.get_meta().setConfig_version(2);
r7.get_meta().setType("roles");
-
+
final SecurityDynamicConfiguration t7 = SecurityDynamicConfiguration.empty();
t7.setCType(CType.TENANTS);
t7.set_meta(new Meta());
@@ -71,11 +71,11 @@ public static Tuple,SecurityDynamicConfigur
t7.get_meta().setType("tenants");
Set dedupTenants = new HashSet<>();
-
+
for(final Entry r6e: r6cs.getCEntries().entrySet()) {
final String roleName = r6e.getKey();
final RoleV6 r6 = r6e.getValue();
-
+
if(r6 == null) {
RoleV7 noPermRole = new RoleV7();
noPermRole.setDescription("Migrated from v6, was empty");
@@ -84,52 +84,52 @@ public static Tuple,SecurityDynamicConfigur
}
r7.putCEntry(roleName, new RoleV7(r6));
-
+
for(Entry tenant: r6.getTenants().entrySet()) {
dedupTenants.add(tenant.getKey());
}
}
-
+
if(rms6 != null) {
for(final Entry r6m: rms6.getCEntries().entrySet()) {
final String roleName = r6m.getKey();
//final RoleMappingsV6 r6 = r6m.getValue();
-
+
if(!r7.exists(roleName)) {
//rolemapping but role does not exists
RoleV7 noPermRole = new RoleV7();
noPermRole.setDescription("Migrated from v6, was in rolemappings but no role existed");
r7.putCEntry(roleName, noPermRole);
}
-
+
}
}
-
+
for(String tenantName: dedupTenants) {
TenantV7 entry = new TenantV7();
entry.setDescription("Migrated from v6");
t7.putCEntry(tenantName, entry);
}
-
+
return new Tuple, SecurityDynamicConfiguration>(r7, t7);
-
+
}
-
+
public static SecurityDynamicConfiguration migrateConfig(SecurityDynamicConfiguration r6cs) throws MigrationException {
final SecurityDynamicConfiguration c7 = SecurityDynamicConfiguration.empty();
c7.setCType(r6cs.getCType());
c7.set_meta(new Meta());
c7.get_meta().setConfig_version(2);
c7.get_meta().setType("config");
-
+
if(r6cs.getCEntries().size() != 1) {
throw new MigrationException("Unable to migrate config because expected size was 1 but actual size is "+r6cs.getCEntries().size());
}
-
+
if(r6cs.getCEntries().get("opendistro_security") == null) {
throw new MigrationException("Unable to migrate config because 'opendistro_security' key not found");
}
-
+
for(final Entry r6c: r6cs.getCEntries().entrySet()) {
c7.putCEntry("config", new ConfigV7(r6c.getValue()));
}
@@ -181,23 +181,23 @@ public static SecurityDynamicConfiguration migrateInternalUsers
i7.set_meta(new Meta());
i7.get_meta().setConfig_version(2);
i7.get_meta().setType("internalusers");
-
+
for(final Entry r6i: r6is.getCEntries().entrySet()) {
final String username = !Strings.isNullOrEmpty(r6i.getValue().getUsername())?r6i.getValue().getUsername():r6i.getKey();
i7.putCEntry(username, new InternalUserV7(r6i.getValue()));
}
-
+
return i7;
}
-
+
public static SecurityDynamicConfiguration migrateActionGroups(SecurityDynamicConfiguration> r6as) throws MigrationException {
-
+
final SecurityDynamicConfiguration a7 = SecurityDynamicConfiguration.empty();
a7.setCType(r6as.getCType());
a7.set_meta(new Meta());
a7.get_meta().setConfig_version(2);
a7.get_meta().setType("actiongroups");
-
+
if(r6as.getImplementingClass().isAssignableFrom(List.class)) {
for(final Entry r6a: r6as.getCEntries().entrySet()) {
a7.putCEntry(r6a.getKey(), new ActionGroupsV7(r6a.getKey(), (List) r6a.getValue()));
@@ -210,18 +210,18 @@ public static SecurityDynamicConfiguration migrateActionGroups(
return a7;
}
-
+
public static SecurityDynamicConfiguration migrateRoleMappings(SecurityDynamicConfiguration r6rms) throws MigrationException {
final SecurityDynamicConfiguration rms7 = SecurityDynamicConfiguration.empty();
rms7.setCType(r6rms.getCType());
rms7.set_meta(new Meta());
rms7.get_meta().setConfig_version(2);
rms7.get_meta().setType("rolesmapping");
-
+
for(final Entry r6m: r6rms.getCEntries().entrySet()) {
rms7.putCEntry(r6m.getKey(), new RoleMappingsV7(r6m.getValue()));
}
-
+
return rms7;
}
diff --git a/src/main/java/org/opensearch/security/securityconf/StaticDefinable.java b/src/main/java/org/opensearch/security/securityconf/StaticDefinable.java
index d6ffb106cf..06b92100fa 100644
--- a/src/main/java/org/opensearch/security/securityconf/StaticDefinable.java
+++ b/src/main/java/org/opensearch/security/securityconf/StaticDefinable.java
@@ -28,7 +28,7 @@
package org.opensearch.security.securityconf;
public interface StaticDefinable {
-
+
boolean isStatic();
}
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/Meta.java b/src/main/java/org/opensearch/security/securityconf/impl/Meta.java
index 42912c1dda..1e9060efa1 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/Meta.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/Meta.java
@@ -30,17 +30,17 @@
import com.fasterxml.jackson.annotation.JsonIgnore;
public class Meta {
-
-
+
+
private String type;
private int config_version;
-
+
private CType cType;
-
+
public String getType() {
return type;
}
-
+
public void setType(String type) {
this.type = type;
cType = CType.fromString(type);
@@ -51,7 +51,7 @@ public int getConfig_version() {
public void setConfig_version(int config_version) {
this.config_version = config_version;
}
-
+
@JsonIgnore
public CType getCType() {
return cType;
@@ -61,6 +61,6 @@ public CType getCType() {
public String toString() {
return "Meta [type=" + type + ", config_version=" + config_version + ", cType=" + cType + "]";
}
-
-
+
+
}
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
index 09eeee41e3..c282f439e8 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
@@ -52,7 +52,7 @@
import org.opensearch.security.securityconf.StaticDefinable;
public class SecurityDynamicConfiguration implements ToXContent {
-
+
private static final TypeReference> typeRefMSO = new TypeReference>() {};
@JsonIgnore
@@ -61,7 +61,7 @@ public class SecurityDynamicConfiguration implements ToXContent {
private long primaryTerm= -1;
private CType ctype;
private int version = -1;
-
+
public static SecurityDynamicConfiguration empty() {
return new SecurityDynamicConfiguration();
}
@@ -83,11 +83,11 @@ public static SecurityDynamicConfiguration fromJson(String json, CType ct
sdc = DefaultObjectMapper.readValue(json, DefaultObjectMapper.getTypeFactory().constructParametricType(SecurityDynamicConfiguration.class, implementationClass));
}
validate(sdc, version, ctype);
-
+
} else {
sdc = new SecurityDynamicConfiguration();
}
-
+
sdc.ctype = ctype;
sdc.seqNo = seqNo;
sdc.primaryTerm = primaryTerm;
@@ -95,35 +95,35 @@ public static SecurityDynamicConfiguration fromJson(String json, CType ct
return sdc;
}
-
+
public static void validate(SecurityDynamicConfiguration sdc, int version, CType ctype) throws IOException {
if(version < 2 && sdc.get_meta() != null) {
throw new IOException("A version of "+version+" can not have a _meta key for "+ctype);
}
-
+
if(version >= 2 && sdc.get_meta() == null) {
throw new IOException("A version of "+version+" must have a _meta key for "+ctype);
}
-
+
if(version < 2 && ctype == CType.CONFIG && (sdc.getCEntries().size() != 1 || !sdc.getCEntries().keySet().contains("opendistro_security"))) {
throw new IOException("A version of "+version+" must have a single toplevel key named 'opendistro_security' for "+ctype);
}
-
+
if(version >= 2 && ctype == CType.CONFIG && (sdc.getCEntries().size() != 1 || !sdc.getCEntries().keySet().contains("config"))) {
throw new IOException("A version of "+version+" must have a single toplevel key named 'config' for "+ctype);
}
-
+
}
public static SecurityDynamicConfiguration fromNode(JsonNode json, CType ctype, int version, long seqNo, long primaryTerm) throws IOException {
return fromJson(DefaultObjectMapper.writeValueAsString(json, false), ctype, version, seqNo, primaryTerm);
}
-
+
//for Jackson
private SecurityDynamicConfiguration() {
super();
}
-
+
private Meta _meta;
public Meta get_meta() {
@@ -134,17 +134,17 @@ public void set_meta(Meta _meta) {
this._meta = _meta;
}
-
+
@JsonAnySetter
void setCEntries(String key, T value) {
putCEntry(key, value);
}
-
+
@JsonAnyGetter
public Map getCEntries() {
return centries;
}
-
+
@JsonIgnore
public void removeHidden() {
for(Entry entry: new HashMap(centries).entrySet()) {
@@ -153,7 +153,7 @@ public void removeHidden() {
}
}
}
-
+
@JsonIgnore
public void removeStatic() {
for(Entry entry: new HashMap(centries).entrySet()) {
@@ -162,38 +162,38 @@ public void removeStatic() {
}
}
}
-
+
@JsonIgnore
public void clearHashes() {
for(Entry entry: centries.entrySet()) {
if(entry.getValue() instanceof Hashed) {
- ((Hashed) entry.getValue()).clearHash();
+ ((Hashed) entry.getValue()).clearHash();
}
}
}
-
+
public void removeOthers(String key) {
T tmp = this.centries.get(key);
this.centries.clear();
this.centries.put(key, tmp);
}
-
+
@JsonIgnore
public T putCEntry(String key, T value) {
return centries.put(key, value);
}
-
+
@JsonIgnore
public void putCObject(String key, Object value) {
centries.put(key, (T) value);
}
-
+
@JsonIgnore
public T getCEntry(String key) {
return centries.get(key);
}
-
+
@JsonIgnore
public boolean exists(String key) {
return centries.containsKey(key);
@@ -216,7 +216,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
final boolean omitDefaults = params != null && params.paramAsBoolean("omit_defaults", false);
return builder.map(DefaultObjectMapper.readValue(DefaultObjectMapper.writeValueAsString(this, omitDefaults), typeRefMSO));
}
-
+
@Override
@JsonIgnore
public boolean isFragment() {
@@ -237,7 +237,7 @@ public long getPrimaryTerm() {
public CType getCType() {
return ctype;
}
-
+
@JsonIgnore
public void setCType(CType ctype) {
this.ctype = ctype;
@@ -247,7 +247,7 @@ public void setCType(CType ctype) {
public int getVersion() {
return version;
}
-
+
@JsonIgnore
public Class> getImplementingClass() {
return ctype==null?null:ctype.getImplementationClass().get(getVersion());
@@ -265,7 +265,7 @@ public SecurityDynamicConfiguration deepClone() {
@JsonIgnore
public void remove(String key) {
centries.remove(key);
-
+
}
@SuppressWarnings({ "rawtypes", "unchecked" })
@@ -273,19 +273,19 @@ public boolean add(SecurityDynamicConfiguration other) {
if(other.ctype == null || !other.ctype.equals(this.ctype)) {
return false;
}
-
+
if(other.getImplementingClass() == null || !other.getImplementingClass().equals(this.getImplementingClass())) {
return false;
}
-
+
if(other.version != this.version) {
return false;
}
-
+
this.centries.putAll(other.centries);
return true;
}
-
+
@JsonIgnore
@SuppressWarnings({ "rawtypes" })
public boolean containsAny(SecurityDynamicConfiguration other) {
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/v6/ActionGroupsV6.java b/src/main/java/org/opensearch/security/securityconf/impl/v6/ActionGroupsV6.java
index b64becf0a4..99bef31505 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/v6/ActionGroupsV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/v6/ActionGroupsV6.java
@@ -35,7 +35,7 @@
public class ActionGroupsV6 implements Hideable {
-
+
private boolean readonly;
private boolean hidden;
private List permissions = Collections.emptyList();
@@ -43,7 +43,7 @@ public class ActionGroupsV6 implements Hideable {
public ActionGroupsV6() {
super();
}
-
+
@JsonIgnore
public boolean isReserved() {
return readonly;
@@ -70,6 +70,6 @@ public void setPermissions(List