Redact sensitive URL parameters from audit logging

[cwperks]

Description

This PR provides a generic method for redacting sensitive URL parameters from the audit log and explicitly redacts the jwtUrlParameter if jwt authentication is enabled and a token is passed via the url to authenticate a request. Previous behavior was to include the full route + all url parameters unredacted in the audit log.

This will replace the sensitive url param with REDACTED for the audit log entry.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

• [FEATURE] Redact URL Parameters / Headers from Audit Logging #3949

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[DarshitChanpura]

Thanks @cwperks for adding this feature. Took first pass and left couple of comments. overall looks good.

[DarshitChanpura]

@cwperks there seem to be test failures:

Tests with failures:
 - org.opensearch.security.dlic.rest.api.AuditApiActionTest.testReadonlyApi
 - org.opensearch.security.dlic.rest.api.InternalUsersApiActionValidationTest.validateSecurityRolesWithMutableRolesMappingConfig
 - org.opensearch.security.dlic.rest.api.AuditApiActionTest.testApi
 - org.opensearch.security.dlic.rest.api.legacy.LegacyTenantInfoActionTests.testTenantInfoAPIUpdate
 - org.opensearch.security.dlic.rest.api.legacy.LegacyAuditApiActionTests.testReadonlyApi
 - org.opensearch.security.dlic.rest.api.legacy.LegacyAuditApiActionTests.testApi

Would you please look into those?

[cwperks]

@DarshitChanpura The test failures are now resolved.

[codecov]

Codecov Report

Attention: Patch coverage is 74.19355% with 8 lines in your changes are missing coverage. Please review.

Project coverage is 65.88%. Comparing base (ccea744) to head (be70a9c).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4067   +/-   ##
=======================================
  Coverage   65.87%   65.88%           
=======================================
  Files         298      298           
  Lines       21307    21338   +31     
  Branches     3469     3473    +4     
=======================================
+ Hits        14037    14058   +21     
- Misses       5534     5541    +7     
- Partials     1736     1739    +3     

Files	Coverage Δ
...earch/security/auditlog/impl/AbstractAuditLog.java	76.62% <100.00%> (+0.42%)	⬆️
...rg/opensearch/security/auth/HTTPAuthenticator.java	100.00% <100.00%> (ø)
...g/opensearch/security/rest/SecurityInfoAction.java	51.85% <100.00%> (ø)
...pensearch/security/auditlog/impl/AuditMessage.java	74.76% <75.00%> (-0.24%)	⬇️
...mazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java	74.25% <0.00%> (-2.28%)	⬇️
...ensearch/security/auditlog/config/AuditConfig.java	97.12% <70.00%> (-2.11%)	⬇️

... and 2 files with indirect coverage changes

[DarshitChanpura]

Thanks @cwperks !

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-4067-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e40efdc0fbf901a8b932bdb36d966ff769cadf53
# Push it to GitHub
git push --set-upstream origin backport/backport-4067-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-4067-to-2.x.

[cwperks]

I'll create a manual backport for this.

[cwperks]

The backport failed because #4065 has not been merged yet.